AT&T’s Sealed Documents Exposed as Domestic Surveillance Controversy Heats Up

Wired News has waded into the middle of the controversial court case involving AT&T’s alleged participation in the National Security Agency’s domestic surveillance operations.

An anonymous source provided the news organization with a copy of documents pertaining to the case that the judge had ordered sealed.

However, Wired News determined that the ruling and gag order — made at AT&T’s request — only applied to Electronic Frontier Foundation, its representatives and its technical experts.

Wired News Editor-in-Chief Evan Hansen noted that the court explicitly rejected AT&T’s motion to include the EFF’s primary witness in the case, former AT&T employee Mark Klein, in the gag order. The court also declined AT&T’s request to compel the EFF to return the documents.

The documents include an affidavit by Klein, eight pages of AT&T documents marked “proprietary,” and several pages of news clippings and other public information related to government-surveillance issues.

From Trade Secrets to Espionage?

The EFF brought this suit against AT&T in January based on documents produced by Klein that showed AT&T cooperated with the government in its eavesdropping program, in violation of telecom laws requiring warrants or court orders for such data.

The documents were sealed because of their potential to reveal AT&T’s trade secrets — not because they were classified.

“We think that claim was very thin,” Hansen told the E-Commerce Times. “Given the level of scrutiny this case has received, we thought it was time to give the public a chance to review them.”

The claim marks a very important distinction between the AT&T case and other national security cases currently being litigated, in light of recent comments by Attorney General Alberto Gonzalez, who said on this past weekend’s round of talk shows that any reporter revealing classified information should be prosecuted. He also said there is justification for using telephone records to identify reporters’ sources.

“We went into a huddle after that,” Hansen reported. “We have determined, though, that his comments didn’t apply to us.”

State Secrets Privilege

The U.S. government still wants the suit dropped, not surprisingly. It has filed a motion to dismiss it on the grounds of State Secrets Privilege, a power the government can invoke to stop civil litigation that touches upon issues of national security.

“It has been used increasingly over the past decade to shut down cases,” Hansen noted. In recent years it has been extended very liberally, he said, to rope in or shut down sensitive proceedings.

Thefull text of the documents published by Wired News can be viewed online.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

TechNewsWorld Channels

Linux Security Study Reveals When, How You Patch Matters

Computer security only happens when software is kept up to date. That should be a basic tenet for business users and IT departments.

Apparently, it isn’t. At least for some Linux users who ignore installing patches, critical or otherwise.

A recent survey sponsored by TuxCare, a vendor-neutral enterprise support system for commercial Linux, shows companies fail to protect themselves against cyberattacks even when patches exist.

Results reveal that some 55 percent of respondents had a cybersecurity incident because an available patch was not applied. In fact, once a critical or high priority vulnerability was found, 56 percent took five weeks to one year on average to patch the vulnerability.

The goal of the study was to understand how organizations are managing security and stability in the Linux suite of products. Sponsored by TuxCare, the Ponemon Institute in March surveyed 564 IT staffers and security practitioners in 16 different industries in the United States.

Data from respondents shows that companies take too long to patch security vulnerabilities, even when solutions already exist. Regardless of their inaction, many of the respondents noted that they felt a heavy burden from a wide range of cyberattacks.

This is a fixable issue, noted Igor Seletskiy, CEO and founder of TuxCare. It is not because the solution does not exist. Rather, it is because it is difficult for businesses to prioritize future problems.

“The people building the exploit kits have gotten really, really good. It used to be 30 days was best practice [for patching], and that is still an ideal best practice for a lot of regulations,” TuxCare President Jim Jackson, told LinuxInsider.

Main Takeaways

The survey results expose the misconception that the Linux operating system is not rigorous and foolproof without intervention. So unaware users often don’t even activate a firewall. Consequently, many of the pathways for intrusion result from vulnerabilities that can be fixed.

“Patching is one of the most important steps an organization can take to protect themselves from ransomware and other cyberattacks,” noted Larry Ponemon, chairman and founder of Ponemon Institute.

Patching vulnerabilities is not just limited to the kernel. It needs to extend to other systems like libraries, virtualization, and database back ends, he added.

In November 2020, TuxCare launched the company’s first extended lifecycle support service for CentOS 6.0. It was wildly successful right off the bat, recalled Jackson. But what continues to trouble him is new clients coming for extended lifecycle support who had not done any patching.

“I always ask the same question. What have you been doing for the last year and a half? Nothing? You haven’t patched for a year. Do you realize how many vulnerabilities have piled up in that time?” he quipped.

Labor-Intensive Process

Ponemon’s research with TuxCare uncovered the issues organizations have with achieving the timely patching of vulnerabilities. That was despite spending an average of $3.5 million annually over 1,000 hours weekly monitoring systems for threats and vulnerabilities, patching, documenting, and reporting the results, according to Ponemon.

“To address this problem, CIOs and IT security leaders need to work with other members of the executive team and board members to ensure security teams have the resources and expertise to detect vulnerabilities, prevent threats, and patch vulnerabilities in a timely manner,” he said.

The report found that respondents’ companies that did patch spent considerable time in that process:

  • The most time spent each week patching applications and systems was 340 hours.
  • Monitoring systems for threats and vulnerabilities took 280 hours each week.
  • Documenting and/or reporting on the patch management process took 115 hours each week.

For context, these figures relate to an IT team of 30 people and a workforce of 12,000, on average, across respondents.

Boundless Excuses Persist

Jackson recalled numerous conversations with prospects who repeat the same sordid tale. They mention investing in vulnerability scanning. They look at the vulnerability report the scanning produced. Then they complain about not having enough resources to actually assign somebody to fix the things that show up on the scan reports.

“That’s crazy!” he said.

Another challenge companies experience is the ever-present whack-a-mole syndrome. The problem gets so big that organizations and their senior managers just do not get beyond being overwhelmed.

Jackson likened the situation to trying to secure their homes. A lot of adversaries lurk and are potential break-in threats. We know they are coming to look for the things you have in your house.

So people invest in an elaborate fence around their property and monitor cameras to try to keep an eye on every angle, every possible attack vector, around the house.

“Then they leave a couple of windows open and the back door. That is kind of akin to leaving vulnerabilities unpatched. If you patch it, it is no longer exploitable,” he said.

So first get back to the basics, he recommended. Make sure you do that before you spend on other things.

Automation Makes Patching Painless

The patching problem remains serious, according to Jackson. Perhaps the only thing that is improving is the ability to apply automation to manage much of that process.

“Any known vulnerability we have needs to be mitigated within two weeks. That has driven people to automation for live patching and more things so you can meet tens of thousands of workloads. You can’t start everything every two weeks. So you need technologies to get you through that and automate it,” he explained as a workable solution.

Jackson said he finds the situation getting better. He sees more people and organizations becoming aware of automation tools.

For example, automation can apply patches to open SSL and G and C libraries, while services are using them without having to bounce the services. Now database live patching is available in beta that allows TuxCare to apply security patches to Maria, MySQL, Mongo, and other kinds of databases while they’re running.

“So you do not have to restart the database server or any of the clients they use. Continuing to drive awareness definitely helps. It seems like more people are becoming aware and realizing they need that kind of a solution,” said Jackson.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Jack M. Germain
More in Security

Canonical Lets Loose Ubuntu 22.04 LTS ‘Jammy Jellyfish’

Credit: Canonical

Canonical’s Ubuntu 22.04 LTS, aka “Jammy Jellyfish,” is now generally available with features that raise the bar for open source — from cloud, to edge, to IoT and workstations.

The desktop version is one of the biggest LTS releases from Ubuntu with respect to visual and feature changes. This major upgrade to GNOME 42 brings changes to the desktop itself in terms of layout, appearance, and how things work.

If the Ubuntu desktop is your only connection to Canonical’s infrastructure, you can expect some mild and minor hands-on adjustments. If you deal with the rest of Ubuntu’s enterprise world, you will find a lot more hardcore improvements in security and performance for IoT and cloud computing connections.

Canonical announced the new release on Thursday, detailing features that bring significant leaps forward in cloud confidential computing, real-time kernel for industrial applications, and enterprise Active Directory, PCI-DSS, HIPAA, FIPS, and FedRAMP compliance.

The new desktop release, however, comes without the anticipated new installer, which uses flutter, an open-source user interface, noted Oliver Smith, Canonical’s program manager for the Ubuntu desktop. The flutter element is not fully ready for deployment. Instead, Canonical will release a build of 22.04 that does feature the new installer later in the update cycle.

“I think when you are dealing with something that we want to support for five years, and we were expecting a huge amount of adoption, we just did not feel that we would have the opportunity to test across all the different sort of ranges of hardware and use cases that we wanted to get (for) confidence to go live out of the box,” Smith explained.

“It is evolving a lot in the background, but just the timing did not quite work out for this release.”

Ubuntu Desktop Still in Focus

The range of use cases that involve Ubuntu Server, IoT, and cloud OS installations, is not making the Ubuntu desktop edition less significant, according to Mark Shuttleworth, CEO of Canonical. He denied the Ubuntu desktop itself is less important now than other enterprise factors in response to a reporter’s question Tuesday during a virtual presentation.

“Our mission is to be a secure, reliable, and consistent open-source platform everywhere,” he said. “Ubuntu 22.04 LTS unlocks innovation for industries with demanding infrastructure security requirements, such as telecommunications and industrial automation, underpinning their digital transformation.”

So the desktop is sort of central to Ubuntu’s narrative, Shuttleworth added. It is also central to the kind of innovation work a lot of the company’s developers do within Intel.

“For example, [improvements] enable the same sorts of high-end capabilities whether those are battery life or performance capabilities on Linux that they achieve on platforms like Windows,” he said. “Those are really important.”

In terms of resources, Canonical has about 60 people working with its various partners — Dell, HP, Lenovo — and the industry supply chain on the desktop. Plus, another 20 engineers or so work on core desktop capabilities, he noted.

Ubuntu Adoption Grows Deep

Ubuntu is deeply integrated into public clouds and optimized for performance, security, and ease of use. A key new capability is confidential computing, which greatly improves data protection and privacy in leading public clouds without requiring any changes to existing application deployments.

Ubuntu is the only Linux distribution supporting Azure confidential VMs, according to Vikas Bhatia, head of product for Azure Confidential Computing at Canonical. To ensure great performance on Arm, Canonical also optimized Ubuntu 22.04 LTS images for AWS Graviton.

On AWS, Ubuntu is available from EC2, with multiple images including support for the latest Graviton chips, all the way to containers. This includes the latest Arm servers, Ampere A1, that provide high-performing and cost-effective solutions for all types of workloads, he said.

Other Major Ubuntu Plaudits

Innovators on Raspberry Pi get the first long-term support release with Ubuntu Desktop support on the Raspberry Pi 4. The entire recent Raspberry Pi device portfolio is supported for the very first time, from the new Raspberry Pi Zero 2W to the Raspberry Pi 4, said Eben Upton, CEO of Raspberry Pi Trading.

“It is great to see a certified Ubuntu Desktop release that includes support for the 2 GB Raspberry Pi 4, giving developers all over the world access to the most affordable development desktop environment,” he said.

Ubuntu WSL (Windows Subsystem for Linux) delivers deep integration with native Windows development environments like Visual Studio Code and Docker Desktop across a shared file system. Users mix Windows and Linux commands to create efficient workflows for data science, web development, and IT systems management. Users of Ubuntu WSL can upgrade to 22.04 LTS directly.

For Windows and macOS developers, Multipass provides Ubuntu 22.04 LTS VMs on-demand with full cloud-init for cloud prototyping at home. Multipass gains Apple M1 support, making it the best way to drive development for new ARM cloud instances, according to Canonical. Multipass has also added support for Docker workflows to unify the developer experience for cloud and cloud-native applications.

For shared development environments, multi-user LXD offers per-user project segregation. This addition restricts specific user permissions so multiple people can safely share the same LXD cluster.

Foundation for Data-Sensitive Workloads

Ubuntu is the platform of choice to run Microsoft SQL Server on Azure with enterprise-grade support, noted Canonical. SQL Server on Ubuntu Pro LTS for Azure offers scalability and performance.

It also gives business-critical SQL Server workloads access to comprehensive open-source security on Azure. Nvidia virtual GPU (vGPU) software drivers are generally available now.

Data scientists can natively install Nvidia vGPU Software 14.0 and benefit from highly-performant GPU resources across multiple virtual machines simultaneously. This allows data scientists to use parallel, isolated advanced AI/ML workloads to help ensure that the underlying hardware resources are used efficiently.

“Enterprises, data scientists and developers building AI solutions require integrated systems and software that easily support MLOps workflows,” said Manuvir Das, vice president of Enterprise Computing at Nvidia.

“Organizations can now run Nvidia AI on Ubuntu to help solve some of humanity’s biggest challenges with new products and systems that simplify operations, boost safety, and improve communication,” Das added.

Other Ubuntu Strengths

The Ubuntu 22.04 LTS base image is available on Docker Hub along with a Canonical-maintained portfolio of secure and stable LTS application container images. Existing LTS Docker images on Ubuntu will receive new long-term supported 22.04-based tracks.

These include MySQL, PostgreSQL, and Nginx. The open-source applications portfolio is expanding further, focusing on Observability and Big Data, with new Grafana Loki, Apache Kafka, and Apache Cassandra container images.

“Ubuntu plays an essential role on Docker Hub, as one of the most popular Docker Official Images,” said Webb Stevens, senior vice president of Secure Software Supply chain at Docker.

Real-Time Kernel, Too

Canonical also reported that the Ubuntu 22.04 LTS real-time kernel is available in beta.

Designed to meet telco network transformation needs for 5G, the real-time kernel delivers performance, guaranteed ultra-low latency, and security for critical infrastructure. This new kernel also serves latency-sensitive use cases in industrial automation and robotics. It handles real-time applications like Cloud RAN,” said Dan Lynch, marketing director at Intel.

“The real-time kernel in Ubuntu 22.04 LTS leverages the acceleration from Intel hardware, allowing us to compete on even terms with the biggest network equipment providers,” said Radoslaw Adamczyk, technical lead at IS-Wireless, which develops and delivers mobile networks in the OpenRAN model.

That offers the ability to have one platform for the whole stack, from bare metal with MaaS to Ubuntu OS, LXD VM and Microk8s on the edge. Ubuntu 22.04 LTS adds Rust for memory-safe systems-level programming. It also moves to OpenSSL v3, with new cryptographic algorithms for elevated security.

Desktop Highlights

Ubuntu’s default GNOME desktop gains significant usability, battery, and performance improvements with the GNOME 42 upgrade featuring GNOME power profiles and streamlined workspace transitions alongside significant optimizations which can double the desktop frame rate on Intel and Raspberry Pi graphics drivers.

GNOME 42 brings a horizontal workspace view alongside the horizontal application view. The changes in will require some muscle memory changes to get used to updated and new applications.

Expect lots of new looks. Some of the notable upgrades involve changes to the base color scheme and the Jammy Jellyfish default wallpaper.

File Manager has a more compact look, and new screenshot tools changes how you do captures.

Available for Download

Ubuntu 22.04 LTS Jammy Jellyfish is available now on Ubuntu Downloads and major public clouds.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Jack M. Germain
More in Operating Systems