Meet the guy who taught US intelligence agencies how to make the most of the ad tech ecosystem, "the largest information-gathering enterprise ever conceived by man."

How the Pentagon Learned to Use Targeted Ads to Find Its Targets—and Vladimir Putin

Republicans who run elections are split over whether to keep working with the Cybersecurity and Infrastructure Security Agency to fight hackers, online falsehoods, and polling-place threats.

The meeting between top US election officials and their cybersecurity partners from the federal government almost went off without a hitch. Then Mac Warner spoke up.

Warner, West Virginia’s Republican secretary of state, didn’t have a mundane logistical question for the government representatives, who were speaking at the winter meeting of the National Association of Secretaries of State in Washington, DC, on February 8. Instead, Warner lambasted the officials for what he said was their agencies’ scheme to suppress the truth about US president Joe Biden’s son Hunter during the 2020 election and then cover their tracks.

“When we have our own federal agencies lying to the American people, that’s the most insidious thing that we can do in elections,” Warner told the officials from the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), who watched him impassively from the stage. “You all need to clean up your own houses.”

Neither of the officials responded to Warner, and the NASS meeting—a semiannual confab for the nation’s election administrators that deals with everything from mail-in voting to cyber threats—quickly moved on to other business. But Warner, who attended an election-denier rally after Biden’s 2020 victory and is now running for governor on a far-right platform, isn’t a fringe voice in the GOP. His impassioned speech reflected a growing right-wing backlash to the election security work of agencies like CISA and the FBI—one that now threatens the partnership that the federal government has been painstakingly building with state leaders over the eight years since Russia interfered in the 2016 election.

CISA plays a critical role in helping states run secure elections, but its work alerting social media companies to misinformation has earned it special contempt from conservatives. While most GOP secretaries of state are holding their fire about CISA’s efforts to combat online lies, Democrats and nonpartisan experts worry that that could change in the coming years. With national Republicans increasingly turning against CISA—investigating its activities and voting to slash its budget—the agency’s partnerships with GOP leaders in the states are more vulnerable than ever before.

“The hard and necessary work of securing our elections should not be a partisan issue,” says US representative Chris Deluzio, a Pennsylvania Democrat and former cyber policy scholar. “So I am very concerned that some Republican secretaries of state might undermine that work just to serve their selfish partisan interests.”

Stumbling Into Controversy

The federal program that earned Warner’s wrath began as a response to the rampant mis- and disinformation that has spread online since the 2016 election.

Determined to avoid another contest marred by viral false claims about voting processes, CISA in 2018 began coordinating conversations with social media companies and other federal agencies about the best ways to counter dangerous and destabilizing lies. During the 2020 election, through a process known as “switchboarding,” CISA alerted social media firms to complaints from state and local election officials about online misinformation, such as posts advertising incorrect voting times and locations.

It was in this spirit that FBI officials met with Twitter and Facebook executives in the lead-up to Election Day 2020 and advised them to be wary of Russian disinformation operations involving fake documents. That warning later led both companies to suppress posts about a controversial _New York Post_ story about the contents of a laptop belonging to Hunter Biden.

Silicon Valley’s response to the Hunter Biden laptop story outraged conservatives, who began accusing tech companies and their federal partners of conspiring to censor speech in an effort to rig the election. In subsequent investigations, CISA found itself squarely in the crosshairs. The agency had already earned the ire of former president Donald Trump and his allies for reassuring the public about the integrity of the 2020 election, but the new controversy practically made it a pariah on the right.

In June 2023, a House Judiciary Committee report blasted CISA as “the nerve center of the federal government’s domestic surveillance and censorship operations on social media.” A few months later, a federal appeals court partially affirmed a district judge’s ruling that placed limits on CISA’s ability to communicate with tech companies, finding that the agency’s work to fight disinformation “likely violated the First Amendment.”

Stunned by the intense backlash, CISA stopped working with social media platforms to combat mis- and disinformation. The FBI, too, scaled back its interactions with those companies, halting briefings about foreign interference activities. “The symbiotic relationship between the government and the social media companies has definitely been fractured,” a US official told NBC News.

CISA has staunchly avoided acknowledging the reality that its reputation has been damaged.

“CISA’s election security mission is stronger than ever,” says Cait Conley, a senior adviser to director Jen Easterly who oversees the agency’s election work. “We remain engaged with election officials in all 50 states and will continue to conduct all of our work in an apolitical and nonpartisan manner.”

A GOP Split

As the controversies have eroded CISA’s bipartisan brand, Republicans who run elections have split into two camps over whether to keep working with the agency to fight hackers, online falsehoods, and polling-place threats.

West Virginia’s Warner is the indisputable flag-bearer of the anti-CISA camp. “I’ve pulled away from them,” he tells WIRED at the NASS conference, a few hours after venting his frustrations to the federal officials. “I’m not attending their briefings, because I haven’t found anything useful out of them.”

Warner says he’s proud of the “tremendous advances” that federal and state officials have made together on election security since 2016, but he warns that CISA and the FBI will continue losing conservatives’ trust until they investigate their roles in the controversies of 2020. “I’ve brought this to the attention of CISA officials,” he says, “and there’s no effort there to do this.”

Warner argues that CISA’s warnings about foreign disinformation, AI-powered deep fakes, and death threats to election officials are “distractions from the real threat to American democracy” posed by censorship.

It remains unclear how many of Warner’s colleagues agree with him. But when WIRED surveyed the other 23 Republican secretaries who oversee elections in their states, several of them said they would continue working with CISA.

“The agency has been beneficial to our office by providing information and resources as it pertains to cybersecurity,” says JoDonn Chaney, a spokesperson for Missouri’s Jay Ashcroft.

South Dakota’s Monae Johnson says her office “has a good relationship with its CISA partners and plans to maintain the partnership.”

But others who praised CISA’s support also sounded notes of caution.

Idaho’s Phil McGrane says CISA is doing “critical work … to protect us from foreign cyber threats.” But he also tells WIRED that the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), a public-private collaboration group that he helps oversee, “is actively reviewing past efforts regarding mis/disinformation” to determine “what aligns best” with CISA’s mission.

Mississippi’s Michael Watson says that “statements following the 2020 election and some internal confidence issues we’ve since had to navigate have caused concern.” As federal and state officials gear up for this year’s elections, he adds, “my hope is CISA will act as a nonpartisan organization and stick to the facts.”

CISA’s relationships with Republican secretaries are “not as strong as they’ve been before,” says John Merrill, who served as Alabama’s secretary of state from 2015 to 2023. In part, Merrill says, that’s because of pressure from the GOP base. “Too many conservative Republican secretaries are not just concerned about how the interaction with those federal agencies is going, but also about how it’s perceived … by their constituents.”

Free Help at Risk

CISA’s defenders say the agency does critical work to help underfunded state and local officials confront cyber and physical threats to election systems.

The agency’s career civil servants and political leaders “have been outstanding” during both the Trump and Biden administrations, says Minnesota secretary of state Steve Simon, a Democrat.

Others specifically praised CISA’s coordination with tech companies to fight misinformation, arguing that officials only highlighted false claims and never ordered companies to delete posts.

“They’re just making folks aware of threats,” says Arizona’s Democratic secretary of state, Adrian Fontes. The real “bad actors,” he says, are the people who “want the election denialists and the rumor-mongers to run amok and just spread out whatever lies they want.”

If Republican officials begin disengaging from CISA, their states will lose critical security protections and resources. CISA sponsors the EI-ISAC, which shares information about threats and best practices for thwarting them; provides free services like scanning election offices’ networks for vulnerabilities, monitoring those networks for intrusions and reviewing local governments’ contingency plans; and convenes exercises to test election officials’ responses to crises.

“For GOP election officials to back away from \[CISA\] would be like a medical patient refusing to accept free wellness assessments, check-ups, and optional prescriptions from one of the world’s greatest medical centers,” says Eddie Perez, a former director for civic integrity at Twitter and a board member at the OSET Institute, a nonprofit group advocating for improved election technology.

Worse, some CISA projects will become less effective as they lose participants. The EI-ISAC’s information-sharing initiative is only as valuable as the information that state and federal agencies submit to it.

Even if most states stick with CISA, it would only take a few holdouts to create systemic risk. “America's election security posture is only as strong as its weakest jurisdiction,” says David Levine, the senior elections integrity fellow at the German Marshall Fund’s Alliance for Securing Democracy.

Cautious Optimism Despite ‘Strain’

Election security experts and Democratic officials express cautious optimism that there won’t be a GOP exodus from CISA this year.

“I have faith Republican secretaries of state will continue to prioritize their voters and collaborate with CISA to ensure a secure 2024 election,” says Mississippi representative Bennie Thompson, the top Democrat on the House Homeland Security Committee.

Lawrence Norden, the senior director of the Brennan Center for Justice’s Elections and Government Program, notes that some of CISA’s new regional election security advisers “have worked in recent years as or for Republican officeholders,” giving them credibility with GOP leaders.

According to Minnesota’s Simon, “the vast majority of secretaries find these partnerships valuable.”

Still, Warner says some secretaries quietly support his pushback against CISA and other aspects of the Biden administration’s election security strategy. “There \[is a\] meeting of the minds by some of the secretaries, especially on the right, with some of these similar concerns,” he says, even if “they’re not as outspoken as I am.”

That shared skepticism of CISA means that, even after Warner leaves office next year, the agency will remain on precarious footing with some of its Republican partners. For now, CISA’s allies are left hoping that the agency’s time-tested bonds will prove stronger than pressures from conservative activists.

“You can have strain in some areas of a relationship and still have a strong relationship,” says Arizona’s Fontes. “That’s what being a grown-up is about. And I think most of us are doing that pretty well.”

How a Right-Wing Controversy Could Sabotage US Election Security

A student investigation at the University of Waterloo uncovered a system that scanned countless undergrads without consent.

Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting face recognition data without their consent.

The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, “Invenda.Vending.FacialRecognitionApp.exe,” displayed after the machine failed to launch a face recognition application that nobody expected to be part of the process of using a vending machine.

"Hey, so why do the stupid M&M machines have facial recognition?" SquidKid47 pondered.

The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS.

Stanley sounded the alarm after consulting Invenda sales brochures that promised “the machines are capable of sending estimated ages and genders” of every person who used the machines—without ever requesting consent.

This frustrated Stanley, who discovered that Canada's privacy commissioner had years ago investigated a shopping mall operator called Cadillac Fairview after discovering some of the malls' informational kiosks were secretly “using facial recognition software on unsuspecting patrons.”

Only because of that official investigation did Canadians learn that “over 5 million nonconsenting Canadians” were scanned into Cadillac Fairview's database, Stanley reported. Where Cadillac Fairview was ultimately forced to delete the entire database, Stanley wrote that consequences for collecting similarly sensitive face recognition data without consent for Invenda clients like Mars remain unclear.

Stanley's report ended with a call for students to demand that the university “bar facial recognition vending machines from campus.”

A University of Waterloo spokesperson, Rebecca Elming, eventually responded, confirming to CTV News that the school had asked to disable the vending machine software until the machines could be removed.

Students told CTV News that their confidence in the university's administration was shaken by the controversy. Some students claimed on Reddit that they attempted to cover the vending machine cameras while waiting for the school to respond, using gum or Post-it notes. One student pondered whether “there are other places this technology could be being used” on campus.

Elming was not able to confirm the exact timeline for when the machines would be removed, other than telling Ars it would happen “as soon as possible.” Elming declined Ars' request to clarify if there are other areas of campus collecting face recognition data. She also wouldn't confirm, for any casual snackers on campus, when, if ever, students could expect the vending machines to be replaced with snack dispensers not equipped with surveillance cameras.

Invenda Claims Machines Are GDPR-Compliant

MathNEWS' investigation tracked down responses from companies responsible for smart vending machines on the University of Waterloo's campus.

Adaria Vending Services told MathNEWS that “what’s most important to understand is that the machines do not take or store any photos or images, and an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface—never taking or storing images of customers.”

According to Adaria and Invenda, students shouldn't worry about data privacy because the vending machines are “fully compliant” with the world's toughest data privacy law, the European Union's General Data Protection Regulation (GDPR).

“These machines are fully GDPR compliant and are in use in many facilities across North America,” Adaria's statement said. “At the University of Waterloo, Adaria manages last mile fulfillment services—we handle restocking and logistics for the snack vending machines. Adaria does not collect any data about its users and does not have any access to identify users of these M&M vending machines.”

A Vending Machine Error Revealed Secret Face Recognition Tech

Plus: Scammers try to dupe Apple with 5,000 fake iPhones, Avast gets fined for selling browsing data, and researchers figure out how to clone fingerprints from your phone screen.

Today marks two years since Russia launched its full-scale invasion of Ukraine. This week, we detailed the growing crisis in Eastern Ukraine, which is now littered with deadly mines. As it fights back the invading Russian forces, Ukraine’s government is working to develop new mine-clearing technology that could help save lives around the globe.

A leaked document obtained by WIRED has revealed the secret placement of gunshot-detection sensors in locations around the United States and its territories. According to the document, which ShotSpotter's parent company authenticated, the sensors, which are used by police departments in dozens of metropolitan areas in the United States, are largely located in low-income and minority communities, according to WIRED’s analysis, adding crucial context in a long-running debate over police use of the technology.

Speaking of leaks, WIRED this week obtained 15 years of messages posted to an internal system used by members of the US Congress. The House Intelligence Committee used the “Dear Colleagues” system to warn lawmakers of an “urgent matter”—something that has not happened since at least 2009. That urgent matter, which was quickly leaked to the press, turned out to be related to Russian military research of space-based weapons. But some sources say the matter wasn’t urgent at all, and the warning was instead an attempt by House Intelligence leadership to derail a vote on privacy reforms to a major US surveillance program.

On Tuesday, a coalition of law enforcement agencies led by the UK’s National Crime Agency disrupted the LockBit ransomware gang’s operation, seizing its infrastructure, dark-web leak site, and code used to carry out its attacks against thousands of institutions globally. Although ransomware attacks resulted in a record $1.1 billion in ransom payments last year, Anne Neuberger, a top US cyber official in the Biden administration, tells WIRED how the 2021 ransomware attack on Colonial Pipeline has transformed the ways American institutions defend against and respond to such attacks.

In dual wins for privacy this week, the Signal Foundation began its rollout of usernames for its popular end-to-end encrypted messaging app. The update will allow people to connect without having to reveal their phone numbers. Meanwhile, Apple began to future-proof its encryption for iMessage with the launch of PQ3, a next-generation encryption protocol designed to resist decryption from quantum computers.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Hundreds of documents linked to a Chinese hacking-for-hire firm were dumped online this week. The files belong to i-Soon, a Shanghai-based company, and give a rare glimpse into the secretive world of the industry that supports China’s state-backed hacking. The leak includes details of Chinese hacking operations, lists of victims and potential targets, and the day-to-day complaints of i-Soon staff.

“These leaked documents support TeamT5’s long-standing analysis: China's private cybersecurity sector is pivotal in supporting China’s APT attacks globally,” Che Chang, a cyber threat analyst at the Taiwan-based cybersecurity firm TeamT5, tells WIRED. Chang says the company has been tracking i-Soon since 2020 and found that it has a close relationship with Chengdu 404, a company linked to China’s state-backed hackers.

While the documents have now been removed from GitHub, where they were first posted, the identity and motivations of the person, or people, who leaked them remains a mystery. However, Chang says the documents appear to be real, a fact confirmed by two employees working for i-Soon, according to the Associated Press, which reported that the company and police in China are investigating the leak.

“There are around eight categories of the leaked files. We can see how i-Soon engaged with China's national security authorities, the details of i-Soon’s products and financial problems,” Chang says. “More importantly, we spotted documents detailing how i-Soon supported the development of the notorious remote access Trojan (RAT), ShadowPad,” Chang adds. The ShadowPad malware has been used by Chinese hacking groups since at least 2017.

Since the files were first published, security researchers have been poring over their contents and analyzing the documentation. Included were references to software to run disinformation campaigns on X, details of efforts to access communications data across Asia, and targets within governments in the United Kingdom, India, and elsewhere, according to reports by the _New York Times_ and the _The Washington Post_. The documents also reveal how i-Soon worked for China’s Ministry of State Security and the People’s Liberation Army.

According to researchers at SentinelOne, the files also include pictures of “custom hardware snooping devices,” such as a power bank that could help steal data and the company’s marketing materials. “In a bid to get work in Xinjiang–where China subjects millions of Ugyhurs to what the UN Human Rights Council has called genocide–the company bragged about past counterterrorism work,” the researchers write. “The company listed other terrorism-related targets the company had hacked previously as evidence of their ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan.”

The Federal Trade Commission has fined antivirus firm Avast $16.5 for collecting and selling people’s web browsing data through its browser extensions and security software. This included the details of web searches and the sites people visited, which, according to the FTC, revealed people’s “religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.” The company sold the data through its subsidiary Jumpshot, the FTC said in an order announcing the fine.

The ban also places five obligations on Avast: not to sell or license browsing data for advertising purposes; to obtain consent if it is selling data from non-Avast products; delete information it transferred to Jumpshot and any algorithms created from the data; tell customers about the data it sold; and introduce a new privacy program to address the problems the FTC found. An Avast spokesperson said that while they “disagree with the FTC’s allegations and characterization of the facts,” they are “pleased to resolve this matter.”

Two Chinese nationals living in Maryland—Haotian Sun and Pengfei Xue—have been convicted of mail fraud and a conspiracy to commit mail fraud for a scheme that involved sending 5,000 counterfeit iPhones to Apple. The pair, who could each face up to 20 years in prison, according to the The Register, hoped Apple would send them real phones in return. The fake phones had “spoofed serial numbers and/or IMEI numbers” to trick Apple stores or authorized service providers into thinking they were genuine. The scam took place between May 2017 and September 2019 and would have cost Apple more than $3 million in losses, a US Department of Justice press release says.

Security researchers from the US and China have created a new side-channel attack that can reconstruct people’s fingerprints from the sounds they create as you swipe them across your phone screen. The researchers used built-in microphones in devices to capture the “faint friction sounds” made by a finger and then used these sounds to create fingerprints. “The attack scenario of PrintListener is extensive and covert,” the researchers write in a paper detailing their work. “It can attack up to 27.9 percent of partial fingerprints and 9.3 percent of complete fingerprints within five attempts.” The research raises concerns about real-world hackers who are attempting to steal people’s biometrics to access bank accounts.

A Mysterious Leak Exposed Chinese Hacking Secrets

The locations of microphones used to detect gunshots have been kept hidden from police and the public. A WIRED analysis of leaked coordinates confirms arguments critics have made against the technology.

Finding shell casings can be extremely difficult. A Los Angeles Police Department officer not authorized to speak to the media tells WIRED they’ve spent “hours” searching for bullet casings. Just because officers don’t find evidence of gunfire, they say, doesn’t mean it didn’t happen.

While SoundThinking says its alerts are reviewed by its Incident Review Center before being sent to the police, in Pasadena, officers who investigated ShotSpotter alerts reported that the suspected gunfire was sometimes something else entirely: a car backfiring, construction noise, or fireworks, Knock LA reported.

Chris Baumohl, an EPIC Law Fellow and coauthor of the petition to the DOJ, tells WIRED that our findings confirm what the nonprofit wrote in their petition in September: that ShotSpotter surveillance disproportionately occurs in communities of color. He also alleges that the technology primes police to go into minority communities believing that shots are fired, whether accurate or not. The result, Baumohl argues, is that community members are more likely to be picked up on bench warrants, misdemeanors, and for other reasons unrelated to guns.

In February, a leaked internal report from the State's Attorney’s Office in Illinois’ Cook County, where Chicago is located, found that nearly a third of arrests stemming from a ShotSpotter alert had nothing to do with a gun, Baumohl points out. On February 13, Chicago mayor Brandon Johnson, a vocal critic of ShotSpotter, said the city won't renew its contract with SoundThinking.

According to SoundThinking’s Chittum, the idea that police show up to ShotSpotter alerts ready to make arrests is speculation based on a few high-profile incidents. Instead, he argues that ShotSpotter provides law enforcement with accurate data to engage the community safely. “It allows police to knock on a door and tell residents, ‘Hey, we got a report of gunfire, we are just checking to see if everyone is OK. Did you hear anything? Did you see anything? If you do, please call us; we care, and we’ll come.’”

Ultimately, Chittum argues, ShotSpotter is simply a tool. When used correctly it can help police-community relations. “It’s up to the police to decide how they use it,” he says.

But what happens on the ground often paints a more complicated picture than what Chittum describes. WIRED reviewed body camera footage and police records of a 2022 ShotSpotter arrest in Cincinnati. According to the records, at 8:21 pm on New Year's Eve, police officers were dispatched to an area where two loud sounds were picked up by SoundThinking sensors. When the officers arrived, they quickly detained a tall man in a blue hoodie and black jacket who was standing near the corner where the technology had indicated gunfire.

According to police records, there were nine officers on the scene that night. Body camera footage shows one of the officers rifling through the man’s pockets as others milled around. Some pointed their flashlights at the ground or in the windows of parked cars. Others chatted, speculating about the potential whereabouts of bullet casings.

“I’m glad we could come out and help,” a sergeant watching the man being searched tells the officer standing next to him.

Police never found a bullet casing, gun, or bullet hole. They arrested the man anyway. After running his name through their on-car computer, they discovered he had warrants out for his arrest. He had failed to appear in court for traffic violations.

_Additional data analysis by Matt Casey, data science content lead at Snorkel AI, a firm that helps companies with AI projects and builds custom AI with its data development platform._

_Updated 2/23/2024, 12:15 pm EST to clarify that the list of sensors included in the document WIRED obtained may not include every ShotSpotter microphone._

Here Are the Secret Locations of ShotSpotter Gunfire Sensors

The US Congress was preparing to vote on a key foreign surveillance program last week. Then a wild Russian threat appeared.

A decision by US House Intelligence Committee (HPSCI) chair Mike Turner to sound the alarm over space-based Russian military research was far more extraordinary than previously reported.

A WIRED review of an internal messaging system used by the United States Congress shows that HPSCI rarely sends members invites to review classified documents and has not—in at least 15 years—alarmed lawmakers by announcing an “urgent” threat against the United States.

The Dear Colleague system is widely used by congressional committees and lawmakers individually to circulate internal memos, invites, and other announcements. This week, WIRED obtained all messages sent House-wide by HPSCI since 2009. Copies of Dear Colleague messages sent since then are backed up by the system. The source of the messages was granted anonymity because their disclosure was not authorized.

The messages reveal that only on a handful of occasions has HPSCI sent letters informing members of classified documents available for review. Of those, none had previously demanded “urgent” attention.

The urgency with which Turner and other HPSCI members characterized the disclosure—only later revealed to concern Russian military research—has been downplayed by fellow lawmakers and Biden administration officials. As a result, criticism has fallen on Turner over the announcement, which generated a slew of provocative headlines and gave life to vague concerns by US officials over the protection of classified sources and methods.

A _Washington Post_ headline that remains visible to users on Google wildly declares: “U.S. officials say Russia has deployed a nuclear weapon in space.” Covering the story for CNN, national security reporter Jim Sciutto was far more tempered, telling TV viewers: “This is something that Russia is experimenting with, looking into designing. This is not a clear and present danger.”

Democratic representative Seth Moulton, who serves on the Armed Services Committee, lambasted Turner during the same CNN segment, labeling him an “intelligence leaker.” Moulton added that two years had passed since he’d first been briefed on the Russian research. “I haven’t had a problem keeping it a secret,” he said.

WIRED reported on Friday that sources on Capitol Hill had begun accusing Turner and his Democratic counterpart on HPSCI, Jim Himes, of issuing the disclosure to influence a vote happening simultaneously to reauthorize a controversial surveillance program, Section 702 of the Foreign Intelligence Surveillance Act (FISA). Turner and Himes, after both signing the “Dear Colleague” message the night before, failed to appear at a Rules Committee hearing on Wednesday just as news of the Russian threat went viral.

House speaker Mike Johnson abruptly canceled the vote shortly after, under what sources describe as intense pressure from Turner.

HSCPI spokesperson Jeff Naft—who did not respond to an inquiry prior to WIRED’s story on Friday—later refuted the allegation, calling the implication of ties between the surveillance vote and the Russian intel “way off base.”

The spokesperson said it was a screenshot of HPSCI’s Dear Colleague letter—posted by reporters online less than a day after it was sent—that forced Turner to issue a press release about the supposed Russian threat.

Turner’s press release notably went further than HPSCI’s letter, pressing US president Joe Biden to personally “declassify all information” concerning the threat. The next day, Turner issued a second statement declaring he’d worked closely “with the Biden administration” before notifying Congress. Naft, the HPSCI spokesperson, clarified by email that Turner had worked with the Office of the Director of National Intelligence on the language describing the threat contained in the Dear Colleague letter. (Naft stressed Turner had “NEVER” stated he’d cooperated with the White House.)

Turner’s second statement added that HPSCI had voted 23–1 to make the disclosure. According to the committee’s own rules, a vote is not required to bring classified material to the attention of the chairmen and ranking members of other committees; only House-wide alerts require a vote. It is unclear which HPSCI member voted against the disclosure, as no official roll call was taken.

A senior congressional source tells WIRED the Dear Colleague letter was always destined to cause panic. It is widely understood that the letters are not a secure form of communication and are often disclosed to reporters and others working off the Hill.

Only four times in the past decade and a half, according to WIRED’s review of the system, has HPSCI used a Dear Colleague letter to draw attention to classified material—outside of routine budgetary concerns.

The first such message is dated March 2009 and pertains to two classified Central Intelligence Agency (CIA) reports. The subject of the reports is undeclared. A second letter was issued by HPSCI and signed by former congressperson Devin Nunes on January 10, 2017, informing members of a classified report on “Russian activities and intentions in the recent US election.”

Neither letter is marked urgent.

A third letter informing members about the option to review classified material is dated February 24, 2010; however, it makes clear the material was made available at the request of the intelligence community (IC). It is one of numerous letters in which HPSCI is seen lobbying on the spy agencies’ behalf—in this case, to support a renewal of the 9/11-era USA PATRIOT Act, today defunct due to a lack of support in Congress.

A plurality of HPSCI’s Dear Colleague letters are aimed at whipping support for bills that reauthorize or advance US spy powers. Others urge lawmakers to vote against legislation that would enhance Americans’ privacy protections. One such letter reads simply: “Don’t Handcuff the FBI and Intelligence Community.”

Six other letters are invitations to classified briefings held by intelligence agencies. HPSCI routinely acts as a mediator between the agencies and members of Congress, arranging briefings and other events on the intelligence community’s behalf.

HPSCI sent an additional three Dear Colleagues letters the morning after its “urgent” warning about Russia went out: Each asked members to support various amendments to a FISA bill during an upcoming vote that HPSCI’s chair was, simultaneously, working to get called off.

Sources told WIRED that Johnson’s decision to delay the vote on FISA came amid a sudden threat by Turner to kill the bill the moment it got to the floor. Turner was motivated to stop the bill’s progress at any cost, they said, due to the growing odds of a rival committee passing amendments of their own—to dramatically curtail the FBI’s domestic surveillance abilities.

_Updated 2/22/2024, 3:55 pm EST: Clarified the procedural requirements for bringing classified information to the attention of members of the House of Representatives._

Leak Reveals the Unusual Path of ‘Urgent’ Russian Threat Warning

Useful quantum computers aren’t a reality—yet. But in one of the biggest deployments of post-quantum encryption so far, Apple is bringing the technology to iMessage.

Apple is launching its first post-quantum protections, one of the biggest deployments of the future-resistant encryption technology to date.

Billions of medical records, financial transactions, and messages we send to each other are protected by encryption. It’s fundamental to keeping modern life and the global economy running relatively smoothly. However, the decades-long race to create vastly powerful quantum computers, which could easily crack current encryption, creates new risks.

While practical quantum computing technology may still be years or decades away, security officials, tech companies, and governments are ramping up their efforts to start using a new generation of post-quantum cryptography. These new encryption algorithms will, in short, protect our current systems against any potential quantum computing-based attacks.

Today Cupertino is announcing that PQ3—its post-quantum cryptographic protocol—will be included in iMessage. The update will launch in iOS and iPad OS 17.4 and macOS 14.4 after previously being deployed in the beta versions of the software. Apple, which published the news on its security research blog, says the change is the “most significant cryptographic security upgrade in iMessage history.”

“We rebuilt the iMessage cryptographic protocol from the ground up,” its blog post says, adding that the upgrade will fully replace its existing encryption protocols by the end of this year. You don’t need to do anything other than update your operating system for the new protections to be applied.

Quantum computing is serious business. Governments in the US, China, and Russia as well as tech companies such as Google, Amazon, and IBM are plowing billions into the (still) relatively nascent efforts to create quantum computers. If successful, the technologies could help unlock scientific breakthroughs in everything from drug design to creating longer-lasting batteries. Politicians are also vying to become quantum superpowers. The current quantum computing devices are still experimental and not practical for general use.

Unlike the computers we use today, quantum computers use qubits, which can exist in more than one state. (Current bits are either ones or zeroes). It means that quantum devices can store more information than traditional computers and perform more complex calculations, including potentially cracking encryption.

“Quantum computers, if deployed reliably and in a scalable manner, would have the potential to break most of today’s cryptography,” says Lukasz Olejnik, an independent cybersecurity and privacy researcher and consultant. This includes the encryption in the messaging apps that billions of people use every day. Most encrypted messaging apps using public key cryptography have used RSA, Elliptic Curve, or Diffie-Hellman algorithms.

Responding to the potential threat—which has been known about since the 1990s—intelligence and security agencies have become increasingly vocal about developing and deploying quantum-resistant cryptography. The National Institute of Standards and Technology in the US has been a driving force behind the creation of these new encryption types. Olejnik says tech companies are taking the quantum threat “very” seriously. “Much more serious than some older changes like switches between hash functions,” Olejnik says, adding that things are moving relatively fast given that post-quantum cryptography is still “very young” and there’s “no functional quantum computer on the horizon.”

Apple’s rollout of PQ3 in iMessage follows Signal in introducing post-quantum algorithms—the encrypted messaging app introduced its PQXDH specification in September, saying it is built on the Kyber algorithm. Proton, the creator of encrypted email and other apps, said around the same time that it is building quantum-safe PGP encryption for everyone to use.

In its blog post, Apple details how PQ3 has been built and how it operates. The company says PQ3 creates a new post-quantum encryption key as part of the public keys that phones and computers using iMessage create and transmit to Apple’s servers. The company is using the Kyber algorithm—the same approach as Signal—to do this and will generate the keys from the first message that is sent, even if the person receiving the message is offline.

Apple says its setup will apply its post-quantum protections to the creation of encryption keys and the exchange of messages, including if someone’s encryption key has been compromised by an attacker. “To best protect end-to-end encrypted messaging, the post-quantum keys need to change on an ongoing basis to place an upper bound on how much of a conversation can be exposed by any single, point-in-time key compromise—both now and with future quantum computers,” the company says in its blog post.

The post-quantum protections are an addition to its existing encryption, Apple says. It is using a “hybrid design” that combines its current elliptic curve cryptography (ECC) with the newer post-quantum protections. “Defeating PQ3 security requires defeating both the existing, classical ECC cryptography and the new post-quantum primitives,” Apple writes.

Apple says PQ3 has been externally assessed by a third-party security company, which it has not named, and also two groups of academics who have written papers analyzing the system. The company argues that its approach—as it is able to issue new quantum keys—has stronger protections than Signal’s current deployment. “We conclude that this protocol achieves strong security guarantees against an active network adversary who can selectively compromise parties and has quantum computing capabilities,” a research paper led by David Basin, a computer science professor at ETH Zurich, says of PQ3.

While there’s no guarantee that quantum technologies will ever develop enough to become useful, it’s likely that the next few years will see a steady drip of companies deploying and enhancing their post-quantum protocols. In part, this is to combat one of the biggest current fears around quantum computing: that countries and threat actors are gathering and hoarding encrypted data today with the plan to unlock its secrets if quantum technologies evolve.

Starting to deploy post-quantum encryption now—before functional quantum computers exist—has the potential to limit the impact of these so-called “harvest now, decrypt later” attacks. “We are seeing our adversaries do this—copying down our encrypted data and just holding on to it,” Dustin Moody, who leads post-quantum encryption standards in the US told _The New Yorker_ in 2022. “It’s definitely a real threat.”

Apple iOS 17.4: iMessage Gets Post-Quantum Encryption in New Update

Anne Neuberger, the Biden administration’s deputy national security adviser for cyber, tells WIRED about emerging cybersecurity threats—and what the US plans to do about them.

Anne Neuberger, a Top White House Cyber Official, Sees the 'Promise and Peril' in AI

We tested the end-to-end encrypted messenger’s new feature aimed at addressing critics’ most persistent complaint. Here’s how it works.

For nearly a decade, cybersecurity professionals and privacy advocates have recommended the end-to-end encrypted communications app Signal as the gold standard for truly private digital communications. Using it, however, has paradoxically required exposing one particular piece of private information to everyone you text or call: a phone number. Now, that's finally changing.

Today, Signal launched the rollout in beta of a long-awaited set of features it's describing simply as “phone number privacy.” Those features, which WIRED has tested, are designed to allow users to conceal their phone numbers as they communicate on the app and instead share a username as a less-sensitive method of connecting with one another. Rather than give your phone number to other Signal contacts as the identifier they use to begin a conversation with you, in other words, you can now choose to be discoverable via a chosen handle—or even to prevent anyone who does have your phone number from finding you on Signal.

You’ll now be able to set a unique username as a way for people to find you on Signal in addition to—or instead of—your phone number.

Courtesy of Signal

The use of phone numbers has long been perhaps the most persistent criticism of Signal's design. These new privacy protections finally offer a fix, says Meredith Whittaker, Signal's president. “We want to build a communications app that everyone in the world can easily use to connect with anyone else _privately_. That ‘privately’ is really in bold, underlined, in italics,” Whittaker tells WIRED. “So we're extremely sympathetic to people who might be using Signal in high-risk environments who say, 'The phone number is really sensitive information, and I don't feel comfortable having that disseminated broadly.'”

In the new features—which are available in beta now, but which Signal plans to roll out in a more final version in the coming weeks—Signal has made three changes, one setting that's now switched on by default and two that are opt-in features. First, by default, your phone number will no longer be visible in your Signal profile unless someone already has the number saved in their phone's address book. Second, you can now choose to create and share a unique username, or a QR code that contains it, with anyone you want to connect with. Mine, for instance, is Andy.01. (Once someone does start messaging you, a little confusingly, they'll see your chosen profile name instead of that username. That profile name, just as before in Signal, doesn't have to be unique, and the person you're interacting with can also change it in their own view of you in the app.)

New settings in Signal allow you to change both the visibility and discoverability of your phone number. Your number’s visibility will be turned off by default. Turning off its discoverability, a more drastic measure, will be left as an opt-in setting for higher risk users.

Courtesy of Signal

The third new feature, which is not enabled by default and which Signal recommends mainly for high-risk users, allows you to turn off not just your number's visibility but its discoverability. That means no one can find you in Signal unless they have your username, even if they already know your number or have it saved in their address book. That extra safeguard might be important if you don't want anyone to be able to tie your Signal profile to your phone number, but it will also make it significantly harder for people who know you to find you on Signal.

The new phone number protections should now make it possible to use Signal to communicate with untrusted people in ways that would have previously presented serious privacy risks. A reporter can now post a Signal username on a social media profile to allow sources to send encrypted tips, for instance, without also sharing a number that allows strangers to call their cell phone in the middle of the night. An activist can discreetly join an organizing group without broadcasting their personal number to people in the group they don't know.

In the past, using Signal without exposing a private number in either of those situations would have required setting up a new Signal number on a burner phone—a difficult privacy challenge for people in many countries that require identification to buy a SIM card—or with a service like Google Voice. Now you can simply set a username instead, which can be changed or deleted at any time. (Any conversations you've started with the old username will switch over to the new one.) To avoid storing even those usernames, Signal is also using a cryptographic function called a Ristretto hash, which allows it to instead store a list of unique strings of characters that encode those handles.

Amid these new features designed to calibrate exactly who can learn your phone number, however, one key role for that number hasn't changed: There's still no way to avoid sharing your phone number with Signal itself when you register. The fact that this requirement persists even after Signal's upgrade will no doubt rankle some critics who have pushed Signal's developers to better cater to users seeking more complete anonymity, such that even Signal's own staff can't see a phone number that might identify users or hand that number over to a surveillance agency wielding a court order.

Whittaker says that, for better or worse, a phone number remains a necessary requisite as the identifier Signal privately collects from its users. That's partly because it prevents spammers from creating endless accounts since phone numbers are scarce. Phone numbers are also what allow anyone to install Signal and have it immediately populate with contacts from their address book, a key element of its usability.

In fact, designing a system that prevents spam accounts and imports the user's address book _without_ requiring a phone number is “a deceptively hard problem,” says Whittaker. “Spam prevention and actually being able to connect with your social graph on a communications app—those are existential concerns,” she says. “That's the reason that you still need a phone number to register, because we still need a thing that does that work.”

The continued phone number requirement means Signal's privacy upgrade is a compromise, says Matthew Green, a professor of cryptography and computer science at Johns Hopkins University who has in the past consulted for both Google and Facebook in their implementation of Signal's open source encryption protocol. “It's a half solution,” says Green. “It's not a perfect solution.”

Green notes, however, that even if it doesn't satisfy the most die-hard privacy advocates, it represents a significant improvement for a much larger portion of Signal's hundreds of millions of users. “There’s a legitimate community of people who wanted to use Signal without giving other people their phone numbers, and they’re going to be very happy with this change. And then there's a more hardcore set of people who don’t want to ever give their number to Signal,” Green says. “I think getting a big set of people serviced is the right direction, and working on satisfying all the other people is something for Signal to keep working on.”

Signal doesn't currently have any road map toward dropping its use of phone numbers as a registration mechanism, Whittaker concedes—she says for now, there's no alternative that wouldn't sacrifice Signal's usability, which she argues would represent a net loss for privacy advocates. But she says that the new phone number privacy features are nonetheless Signal's careful attempt to solve the problem phone numbers represent without losing the qualities that have made Signal popular in the first place.

“It's really about staying true to our principles,” Whittaker says. “In more and more ways—in better and better ways—to fill that promise of easy, usable, private communications.”

_Correction: 2/20/24, 1:25 pm EST: Meredith Whittaker's professional title is president of the Signal Foundation._

Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private

LockBit’s website, infrastructure, and data have been seized by law enforcement—striking a huge blow against one of the world’s most prolific ransomware groups.

For the past four years, the LockBit ransomware group has been on an unrelenting rampage, hacking into thousands of businesses, schools, medical facilities, and governments around the world—and making millions in the process. A children’s hospital, Boeing, the UK’s Royal Mail, and sandwich chain Subway have all been recent victims.

But LockBit’s hacking campaign has come to a juddering halt. A sweeping law enforcement operation, led by police at the UK’s National Crime Agency (NCA) and involving investigators from 10 forces around the world, has infiltrated the ransomware group and taken its systems offline.

Graeme Biggar, the director general of the NCA, says the group has been “fundamentally disrupted.” The law enforcement operation, called Operation Cronos, has taken control of LockBit's infrastructure and administration system, seized its dark-web leak site, accessed its source code, seized around 11,000 domains and servers, and obtained details of the group's members. “As of today, LockBit is effectively redundant,” Biggar said at a press conference in London, appearing with law enforcement officials from the FBI and Europol. “We have hacked the hackers,” he says.

The action is one of the largest and potentially most significant ever taken against a cybercrime group. Biggar says the law enforcement officials consider LockBit, which is global in nature, to have been the “most prolific and harmful” ransomware group that has been active in recent years. It was responsible for 25 percent of attacks in the past year. “LockBit ransomware has caused losses of billions,” Biggar says of the overall costs of attacks and recovery.

In addition to the seizing of technical infrastructure, the law enforcement operations around LockBit also include arrests in Poland, Ukraine, and the United States, as well as sanctions for two alleged members of the group who are based in Russia. The group has members spread around the world, the officials said.

Nicole Argentieri, acting assistant attorney general at the US Department of Justice, says LockBit has received more than $120 million in ransomware payments, and that the action announced against the group is just the start of the clampdowns.

The law enforcement action against LockBit was first revealed when its ransomware website dropped offline on February 19 and was replaced by a holding page saying it had been seized by police. The LockBit group, which debuted as “ABCD” before changing its name, first appeared at the end of 2019. Since then, LockBit has rapidly attacked businesses and grown its name recognition within the cybercrime ecosystem. “LockBit has been a thorn in the side of businesses and governments for years, with well over 3,000 publicly known victims, and \[has been\] seemingly untouchable,” says Allan Liska, an analyst specializing in ransomware for cybersecurity firm Recorded Future. Lockbit’s long roster of victims include various US government organizations, ports, and automotive companies.

LockBit operates as a ransomware-as-a-service operation, with a core handful of members creating its malware and running its website and infrastructure. This core group licenses its code to “affiliates,” who launch attacks against companies, steal their data, and try to extort money from them. “LockBit is the last of the ‘open affiliate’ ransomware-as-a-service offerings, meaning anyone willing to cough up the cash can join their program with little or no vetting,” Liska says. “They likely have had hundreds of affiliates over the course of their run.”

Source

Wired