Stories tagged with “Internet”

Security

GOP Senator Calls For Vastly Expanded Internet Surveillance In Response To Boston Bombing

Sen. Lindsey Graham (R-SC) demanded to know why the FBI wasn’t tracking the Boston bombing suspect’s web traffic during an appearance on Fox News this morning, possibly validating civil liberties activists’ fears that the attack would lead to calls for further digital surveillance:

“If you Google terrorists you will find the older brother on the web, YouTube videos of him declaring war on us, saying we’re a Christian nation. We’re infidels. How could the FBI after the interview in 2011 not pick up that traffic where this guy is visiting radical web sites?”

The type of tracking Graham suggests the FBI should have been doing goes far beyond what the law allows in situations like Tamerlan Tsarnaev’s because when the FBI interviewed him in 2011, no evidence of foreign or domestic terror links was found. While the FBI has petitioned internet service providers (ISPs) for years to retain records of consumers’ browsing histories for law enforcement purposes, there are technical barriers, and a subpoena or warrant would be required for most types of data retained in such a system under current statute. In fact, for ISPs to keep logs of actual URLs of web sites visited by consumers, they would need to use deep packet inspection (DPI) — a method of data processing that examines packets sent across networks to determine how to process or reroute the information, and that can also be used to determine the content of web traffic. While it has legitimate network management uses, it has been abused by repressive regimes as a cost-effective way to snoop on citizens, and its use by ISPs to collect web traffic content information on all consumers would likely violate the Wiretap Act.

This is not the first time the tragedy in Boston has been used to question internet-related national security practices. Rep. Mike McCaul (R-TX) invoked the tragedy to argue for the passage of the Cyber Intelligence Sharing and Protection Act of 2013 (CISPA), a controversial bill with privacy gaps many civil liberties organizations believe could lead to increased digital surveillance, saying the proposal would protect Americans from “digital bombs.”

Activist group Demand Progress cited McCaul’s remark among a number of other concerns in a recent petition calling for the protection of civil liberties in the wake of the Boston tragedy. But activist groups aren’t alone in worrying about overreaching responses to this type of tragedy: A Washington Post poll released Monday showed 48 percent said they thought the government “will go too far” in compromising constitutional rights to investigate terrorism.

These fears may be rooted in the government reaction to 9/11: The USA Patriot Act was passed forty-five days after the attack, giving law enforcement new authority to monitor phone and email communications and financial records, and to track online activities in order to fight terrorism. However, many of the provisions have been used against American citizens in ordinary criminal complaints. Several provisions of the bill were extended for four more years in 2011.

The New York Times also revealed in 2005 that President Bush secretly authorized the National Security Agency (NSA) to eavesdrop on Americans and others inside the country without court-approved warrants as part of anti-terrorist investigations shortly after 9/11. At least one former NSA analyst source claimed the NSA had “access to all Americans’ communications — faxes, phone calls, and their computer communications” and particularly targeted journalists for surveillance. Court cases challenging the legality of the original program and its Foreign Intelligence Security Act (FISA)-based successor have as of yet been unsuccessful at getting a court to rule on the issue.

As to other claims made by Sen. Graham, ThinkProgress was unable to find any videos of Tamerlan Tsarnaev declaring war on America, although it appears he did start a YouTube account after his FBI interview and travels to Dagestan that featured playlists of extremist content. Sen. Graham has also called for younger brother Dzhokhar Tsarnaev to be tried as an “enemy combatant” despite the fact that he is a U.S. citizen, bypassing the normal judicial system.

Security

Everything You Need To Know About The Cybersecurity Bill Privacy Advocates Are Warning You About


The House started considering the controversial Cyber Intelligence Sharing and Protection Act of 2013 (CISPA) on Wednesday and is expected to vote today — just two days since the White House threatened to veto the bill after it passed out of the House Intelligence Committee by an 18-2 vote in a closed session last week. Now a passionate policy debate is taking place about the importance of protecting civil liberties while solving a very real problem: How to allow government to provide threat intelligence information to victims of cyber attacks.

CISPA was reintroduced in February to immediate backlash from civil liberties groups, with the petition site cispaisback.org warning “the bill that would end our online privacy — is back in Congress despite public outrage and warnings from experts.” Only Reps. Jan Schakowsky (D-IL) and Adam Schiff (D-CA) voted against the proposal in committee, citing the same privacy concerns and issues related to maintaining civilian control over private sector data that led the White House to kill a similar proposal after it passed the House in 2012 with a veto threat much like the one currently employed.

By most assessments, privacy protections and regulatory definitions in CISPA have some gaping holes — even many security experts agree. And given the track record of government transparency surrounding surveillance tech, privacy and civil liberty advocates are understandably suspicious. The relationship between the civil liberties community, government, and telecommunications companies remains tainted by the Bush-era National Security Agency warrantless wiretapping program, which led to legislation giving retroactive immunity to companies that cooperated. Clapper v. Amnesty, a case questioning the constitutionality of the wiretaps, was dismissed earlier this year due to lack of proper standing — leaving the question of their legality unresolved. So when faced with a broadly written law that could involve the NSA, it was no surprise that progressive and libertarian groups alike came out in opposition to CISPA after it was reintroduced this legislative cycle. And it looks like their concerns have not been mitigated.

Security

Why Even ‘Reputable’ Porn Sites May Put You At Risk For Malware

While it has long been internet common sense to be cautious on adult content sites, the BBC reports even some of the most trusted names in the online porn industry are serving malicious ads:

“The data showed that xhamster.com – listed by monitoring firm Alexa as the 46th most popular site on the internet – had malvertising on 1,067 out of 20,986 pages (5%) screened in the past 90 days[...] According to Alexa’s statistics, the average user of xhamster.com would look at 10.3 individual pages – meaning a potential 42% risk of stumbling across harmful adverts in each viewing session.

Another site, pornhub.com, was found to have dangerous advertising on 12.7% of its pages.”

The malware isn’t actually hosted by the porn sites; rather, embedded ads on the sites were discovered installing harmful files without users’ knowledge. Because of the way online ad space is often bought and resold or repackaged numerous times, it’s often unclear exactly who is placing the “malvertising” — which is exactly how the people behind the ads like it.

The report continues a trend of online advertising increasingly being a method used to distribute malicious code. In fact, Cisco’s annual 2013 Security Report claimed internet users are 182 times more likely to be infected with malware by clicking on online ads than merely visiting a porn site. Although there are ad-blocking services that can help mitigate this risk, only around 10 percent of internet users actively deploy them.

Security

The ‘Scariest Search Engine On The Internet’ Has Been Around For 3 Years And Is Used For Good

CNNMoney posted an ominously titled column, “Shodan: The scariest search engine on the Internet,” yesterday about a search application that discovers unprotected technology connected to the internet. The column was promptly aggregated by other outlets like FastCompany, but not until the last third of the article did the author mention two key facts: Shodan has existed for three years and is “almost exclusively used for good.”

Make no mistake, the things Shodan can uncover are scary: It’s essentially a way to find technology currently online that was never intended to be networked in the first place, or that was networked with such laughably thin security protocols, like default admin logins and passwords, that it’s child’s play to compromise — with the vulnerable tech ranging from the seemingly mundane, like home printers and garage doors, to the sort of things you really don’t want to be connected to the outside world, such as citywide traffic systems and nuclear command and control centers.

And as we move closer to a world where everything from our refrigerators to our pacemakers is connected to the Internet in one way or another, these problems will only multiply: An “Internet of things” that lacks security built into the devices that join together to create that network could potentially put everyone at risk. The issue is that these vulnerabilities exist in the first place, not that Shodan can uncover them — as previous coverage of Shodan by Dave Maass in San Diego CityBeat* notes:

“The fact that somebody is basically shining a flashlight into a dark room shouldn’t be the part people are afraid of,” says Dan Tentler, a San Diego-based information-security consultant. “The part people should be afraid of is the fact that some genius decided to take, for example, a five-megawatt hydroelectric plant in France, put its control computer on the Internet and allowed everybody that knew about the IP address to connect to it and make changes to this dam, with no encryption or authentication to speak of.”

As with almost all technological developments, Shodan is neutral. In fact, the bad guys have a vested interest in keeping these types of vulnerabilities quiet so their exploitation will go unnoticed. With Shodan, security experts have a simpler way of identifying what networks are at risk and potentially taking them offline or improving security, thus bettering the entire system. And “security experts” does mean hackers: While the word has taken on a lot of negative connotations in the media, hacking is a neutral process of discovering vulnerabilities. Just as it’s questionable to call Shodan scary because the things it uncovers are unsettling, decrying the process of hacking and all people that do it because they reveal problems with systems is equally objectionable.

There are certainly bad hackers, but there are also good hackers: Just ask Peiter Zatko (better known as Mudge) who spent the last few years as a program manager at the Defense Advanced Research Projects Agency (DARPA) focusing on cybersecurity projects. When he left last week he tweeted that he didn’t know which was neater: “getting Office of SecDef highest award, OR the positive use of ‘hackers’ in the letter!”

Update

*An earlier version of this piece misidentified Dave Maass and the source of this quote.

Justice

Blackberries That Tell Everyone You’re Looking At Porn Are Part Of A Much Bigger Problem

BlackBerry 10 users who like to enjoy adult entertainment on their devices may want to think twice about opting into the device’s music sharing feature. While at first glance the “Show What I’m Listening To” feature sounds like it would merely share your music listening habits with your BlackBerry Messenger (BBM) contacts, what it actually does is record all activity in the media player and tells your friends and colleagues about it, regardless of content type. So many users turned this feature on thinking they would broadcast fairly benign information about what kind of music they enjoy, and instead wound up revealing something they would have preferred to keep private:

“BBM records any usage of the phone’s media player and can push these visits and downloads to all messenger contacts, much like a status update. So your grandmother might be notified that you’ve been listening to the new Justin Timberlake album, or she might know that you have a fetish for, uh, granny porn.”

BlackBerry users unwittingly sharing porn preferences is not just an unfortunate (if funny) accident, it’s an example of how a lack of transparency about what information we are sharing online creates a wide gap between the experiences users want and the ones they get. Facebook’s controversial Beacon advertising system revealed user purchases to friends with only an opt-out mechanism, in some cases ruining big events like engagements. One of Google’s early forays into social media, Google Buzz, created the wrong kind of buzz by auto-populating the network with users’ most used private Gmail contacts without asking. In at least one case, this breach of privacy revealed a woman’s location, workplace and several interactions with a current boyfriend to her abusive ex-husband. Google Buzz’s privacy breaches eventually resulted in a Federal Trade Commission settlement.

These incidents are wildly out of line with Internet users’ preferences. As early as 2000, 86 percent of internet users favored “opt-in” privacy policies requiring sites to ask people for permission to use their personal information and 54 percent believed that tracking of users on websites was harmful because it invades their privacy. A more recent 2012 survey found that 73 percent of search engine users would not be okay with a search engine tracking their searches and using that information to personalize future search results because it feels like “an invasion of privacy,” but that is almost exactly how Google’s Personalized Search works when users are logged in.

It should be noted that users’ stated preferences do not always match their actions. While asking directly about user privacy preferences gets very straightforward answers, behavioral economists have shown that the way privacy disclosure is framed can leave consumers unaware of the trade-offs they are making, even though they place an inherent value on remaining in control of their personal data. Consumers believe they deserve privacy and control over their data, but the Internet is so riddled with seemingly unintrusive requests to give up personal information a small bit at a time, that users often wind up doling out little pieces of their privacy without fully understanding the implications. Entire industries have sprung up devoted to piecing together the zip code we gave to our supermarket, the things we searched for online, and even key words that appear in our emails, in order to build detailed profiles of who we are.

And while consumers feel strongly they should have the right to be left alone, current regulatory protections do not guarantee that. Online privacy protections are a “patchwork” in the United States with different protections for different sectors and are significantly less strict than in Europe. While the Obama administration suggested a new broader approach to privacy more than a year ago, a draft of legislation has yet to materialize.

Security

Hacktivist Group Anonymous Attacks North Korea


As tensions continue to rise on the Korean peninsula, internet hacktivist collective Anonymous has joined the fray — and appears to have been very successful at penetrating North Korea’s superficial cybersecurity defenses. ReadWrite reports:

“On Tuesday, the group claimed to have stolen 15,000 passwords from the communist nation as part of what it calls Operation North Korea. Late Wednesday, as tensions rose in Kaesong over the North’s closure and seizure of an industrial park it shares with the South, along with repeated declarations of nuclear launch, Anonymous advanced its own chess pieces. The hackers allegedly seized control of North Korea’s official Twitter and Flickr accounts, in the process defacing several related websites, and making the autocratic nation look extremely unprepared for cyber attack.”

The primary North Korean propaganda site Uriminzokkiri.com also appears to be down, possibly as the result of a distributed denial of service (DDoS) attack — all with demands that Kim Jong Un step down in favor of a direct democracy regime, cease “making nukes and nuke-threats,” and allow citizens access to the open internet. All very admirable goals, although it’s highly unlikely North Korean citizens are aware of their regime’s internet embarrassment because of that very lack of internet access: Although the country did briefly open up mobile data access for tourists earlier this year, a policy it reversed very quickly, most North Koreans only have access to the nation’s intranet, Kwangmyong, if anything at all.

Security analysts are skeptical of claims that the group has infiltrated the Kwangmyong, and as others have noted, managing to gain control of social media accounts and taking down the propaganda website are more likely to result in punishments for the lower level North Korean operatives in charge of maintaining those resources than cause the regime to topple.

While Anonymous’s actions certainly demonstrate that North Korea’s cyber defense strategies on superficial sites leave something to be desired, there is also a risk that they could tip the balance of a very delicate diplomatic situation. As ThinkProgress has noted previously, the current situation may be more serious than the saber-rattling status quo of Korean peninsular relations in recent years: North Korea recently announced an end to the 1953 Armistice Agreement and pledged to attack the U.S. and its allies in the region. While the exact nature of the military threat North Korea poses is debatable, one of the few things that is certain is that the sheer unpredictability of the nation represents a very real threat to global security.

As amusing as Anonymous’s attacks on the country may be, hitting North Korea with the digital equivalent of pocket sand might only serve to anger the regime, possibly even making them blink in a way that is bad for everyone involved.

Alyssa

What Stand-Alone HBO Go Means For How We Understand The Economics Of The Internet

Last week, I wrote that HBO’s idea—I would not yet describe it as a plan—to let consumers buy HBO Go subscriptions from their internet service providers seemed like the most likely way to solve the problem of letting people buy stand-alone HBO Go without subscribing to HBO through a cable package: it would freak out cable companies and lead to retaliation against HBO before the streaming market was rigorous enough to support it. I was writing mostly from a consumer perspective then, but fortunately, friend of the blog Gabriel Rossman is here to write about what this adaptative mindset means for the way we conceive of our ability to freely access content that streams over the internet. He argues that it’s a short-term victory for access to certain content that’s a long-term defeat:

Suppose that your ISP isn’t happy with HBO’s offer to let it keep half the money from IP only HBO Go (which it would price at or above the price it charges tv customers) because it really wants to keep pushing you towards that “triple play” package its telemarketers keep harassing you with? Well, that ISP can just refuse to sell HBO GO to its broadband-only customers. And unlike Netflix, the ISP would actually be able to veto your purchase. It’s structurally very similar to car dealerships, where local brokers are terrified of (and can use their clout to prevent) translocal competition. This one is actually kind of scary. Imagine if you could only subscribe to the New York Times through your condo’s HOA, which would otherwise deny building access to the paperboy?

There are some ways in which this would still create problems for the cable operators, mostly in that it would undermine the two-part tariff aspect of their business model, but I think this is effectively obviated by the local veto aspect of the proposal. Moreover, cable operators are increasingly showing signs that they see the bundling aspect of their business model unraveling (mostly because carriage fees are out of control) and are willing to settle for a role of brokerage, without bundling. (Note that data caps, which don’t apply to content bought from your ISP, help enforce this brokerage role since they effectively let your ISP tax content bought on the open market).

This, of course, is all dependent on a world where high-speed internet access is something we purchase individually. If municipal wireless networks or municipal broadband ever really take off, or we move to the idea that high-speed internet access is a right rather than a commodity, then the broker role of internet service providers would be disrupted. But as long as we’re each paying to get online in the first place, even if we’re paying less money than we used to and for a higher-quality product, we’re in a position where we’ve accepted ISPs as toll-takers. That they’re going to make like Delaware and get every penny out of us for as long as they can shouldn’t come as any particular surprise.

Alyssa

Illicitly Downloading Content? Your Internet Might Start To Get Slower

If you get your internet through Verizon, AT&T, Comcast, Cablevision or Time Warner, and you’re still downloading music, television, or movies without paying them, you may start feeling something in addition to your guilt. In collaboration with the Center for Copyright Information, a group that includes both those internet service providers, the Recording Industry Association of America, the Motion Picture Association of America, Independent Film and Television Alliance, and the American Association of Independent Music, the companies will let you know they’re watching what you’re up to:

As part of what’s known as the “six strikes” system, the ISPs will deliver to consumers a graduated series of six messages that starts with a warning and ends with some sort of action…While the first two alerts serve as warnings or reminders, the second two require consumers to confirm receipt of the message. The final two, called mitigation alerts, could result in some sort of action, like slower Internet connection or suspending service. The CAS doesn’t specify what consequences ISPs should impose on consumers and leaves it up to each ISP.

The Stop Online Piracy Act may have died last year, but it seems inevitable that internet service providers, as well as search firms like Google, would get into the business of trying to crack down on illicit downloads. Media consolidation means that cable and internet companies like Comcast have as part of their business model creating and distributing original content. An organization like Google seems to be gradually discovering that there’s more money to be had in distributing, if not yet creating, original content instead of merely showing other people where they can find other distributors. In other words, the interests of the people who make content and the interests of the people who help people get to that content are converging.

Whether this is a preferable turn of events for SOPA opponents is up to them. I certainly hope it becomes clearer which providers are levying which consequences as the system goes into place. And from both a business and consumer behavior perspective, it would be great for notices to include information about where consumers could get the same content licitly, though that would pose a formidable technical challenge, and it might feel too invasive to consumers for ISPs to be monitoring their activity at that granular a level. There may always be some consumers who have no interest in paying for certain content, or supporting it by sitting through ads, an attitude I think shows very little awareness of what it takes for that content to keep getting produced, and ISP warnings probably won’t do much to deter those folks. But helping consumers who do understand that nothing comes for free find ways to give their money or their eyeballs to the people who produce and distribute that content—or to let them know when they’ll be able to do so if something isn’t available legally yet—could help change practices. Then, government could be in the position of advocating for well-intentioned consumers, while still letting internet and content companies develop their business models in an organic way.

Security

North Korea Launches Mobile Internet Service For Foreigners, Blocks Access For Citizens

The Associated Press reports foreign visitors to North Korea will have the ability to purchase access to 3G data service on their mobile devices as early as next week:

“Koryolink, a joint venture between Korea Post & Telecommunications Corporation and Egypt’s Orascom Telecom Media and Technology Holding SAE, informed foreign residents in Pyongyang on Friday that it will launch a third generation, or 3G, mobile Internet service no later than March 1.”

This freedom for foreign visitors is in stark contrast to the digital isolation that defines its citizens’ lives: the only networked access available to the general public is the closed intranet known as “Kwangmyong,” started in 2000 — although “central party, national security units, and some Cabinet-level government organizations, as well as foreign diplomatic missions, joint ventures, and foreign individuals staying in Pyongyang can have ‘full but monitored’ access” to the real world wide web.

Google’s Eric Schmidt noted the restricted nature of North Koreans’ access to communication technology following his visit last year — as well as how the infrastructure of these closed systems could be easily modified to allow a more democratic information experience:

“There is a 3G network that is a joint venture with an Egyptian company called Orascom. It is a 2100 Megahertz SMS-based technology network, that does not, for example, allow users to have a data connection and use smart phones. It would be very easy for them to turn the Internet on for this 3G network. Estimates are that there are about a million and a half phones in the DPRK with some growth planned in the near future.

There is a supervised Internet and a Korean Intranet. (It appeared supervised in that people were not able to use the internet without someone else watching them). There’s a private intranet that is linked with their universities. Again, it would be easy to connect these networks to the global Internet.”

Despite the highly questionable ethics of financially supporting a regime that holds as many as 200,000 people in political prison camps “rife with torture, rape and slave labor” and recently conducted yet another nuclear test much to the dismay of the international community, North Korea claims to be experiencing a tourism boom. While those tourists will undoubtedly appreciate being able to check Facebook on their iPhones during their visit, thousands of North Koreans remain under a regime that denies them the most basic of human rights, let alone real internet access.

Economy

Four Major Benefits Of The FCC’s Public Wifi Proposal

The Washington Post reports that the Federal Communications Commission (FCC) is considering a proposal to provide free internet access in major metropolitan and many rural areas. The plan, largely opposed by wireless telecom companies and supported by tech companies including Microsoft and Google, would open up publicly owned spectrum as super strength WiFi and take several years to implement. Some of the possible key benefits include:

1. Helping the U.S. close the broadband infrastructure gap. Despite being the birthplace of many internet innovations, the U.S. ranks 16th in terms of broadband penetration, speed, and price. A staggering 96 percent of U.S. residents live in areas with two or fewer wireline internet providers, and 5 percent live in areas without any providers. A massive public works WiFi program would help deliver high speed internet access to areas currently lacking and provide competition in areas with limited choice.

2. Using wireless spectrum as a public good. There is a debate raging over the best use of publicly owned wireless spectrum, with some business interests advocating for the space to be auctioned to private companies — creating the potential for monopolies. Using the spectrum to provide free internet access to the public is a way to make sure average users benefit, rather than big corporations.

3. Expanding freedom of expression online. The United Nations calls freedom of expression online a human right, but not everyone has internet access in the U.S. and private attempts to build out access haven’t been able to bridge the gap. Eliminating the cost barrier by providing access for free will undoubtedly expand the number of total U.S. internet users, thus giving more people a voice online.

4. Bolstering innovation. Expanding the number of internet users means expanding the market for internet devices — that’s one of the reasons tech giants including Microsoft and Google are supporting the plan — and opening the way for more experimentation and innovation in that marketplace. The original Washington Post story notes that the last time the FCC opened up a spectrum for public use, creativity in the form of “[b]aby monitors, garage door openers and wireless stage microphone” directly followed.
