Archive for the ‘NSA’ Category

Kafka and the Foreign Intelligence Surveillance Court (FISA)

Sunday, May 24th, 2015

Quiz: Just how Kafkaesque is the court that oversees NSA spying? by Alvaro Bedoya and Ben Sobel.

From the post:

When Edward Snowden first went public, he did it by leaking a 4-page order from a secret court called the Foreign Intelligence Surveillance Court, or FISA court. Founded in 1978 after the Watergate scandal and investigations by the Church Committee, the FISA court was supposed to be a bulwark against secret government surveillance. In 2006, it authorized the NSA call records program – the single largest domestic surveillance program in American history.

“The court” in Franz Kafka’s novel The Trial is a shadowy tribunal that tries (and executes) Josef K., the story’s protagonist, without informing him of the crime he’s charged with, the witnesses against him, or how he can defend himself. (Worth noting: The FISA court doesn’t “try” anyone. Also, it doesn’t kill people.)

Congress is debating a bill that would make the FISA court more transparent. In the meantime, can you tell the difference between the FISA court and Kafka’s court?

After you finish the quiz, if you haven’t read The Trial by Franz Kafka, you should.

I got 7/11. What’s your score?

The FISA court is an illusion of due process that has been foisted off on American citizens.

To be fair, the number of rejected search or arrest warrants in regular courts is as tiny as the number of rejected applications in FISA court. (One study reports 1 rejected search warrant out of 1,748. Craig D. Uchida, Timothy S. Bynum, Search Warrants, Motions to Suppress and Lost Cases: The Effects of the Exclusionary Rule in Seven Jurisdictions, 81 J. Crim. L. & Criminology 1034 (1990-1991), at page: 1058)

However, any warrant issued by a regular court, including the affidavit setting forth “probable cause” becomes public. Both the police and judicial officers know the basis for warrants will be seen by others, which encourages following the rules for probable cause.

Contrast that with the secret warrants and the basis for secret warrants from the FISA court. There is no opportunity for the public to become informed about the activities of the FISA courts or the results of the warrants that it issues. The non-public nature of the FISA court deprives voters of the ability to effectively voice concerns about the FISA court.

The only effective way to dispel the illusion that secrecy is required for the FISA court is for there to be massive and repetitive leaks of FISA applications and opinions. Just like with the Pentagon Papers, the sky will not fall and the public will learn the FISA court was hiding widespread invasions of privacy based on the thinnest tissues of fantasy from intelligence officers.

If you think I am wrong about the FISA court, name a single government leak that did not reveal the government breaking the law, attempting to conceal incompetence or avoid accountability. Suggestions?

Simple Math Defeats NSA

Sunday, May 10th, 2015

The simple math problem that blows apart the NSA’s surveillance justifications by Ryan Cooper.

From the post:

Here’s a question about death and probability, done first by Cory Doctorow. Suppose one out of every million people is a terrorist (if anything, an overestimate), and you’ve got a machine that can determine whether someone is a terrorist with 99.9 percent accuracy. You’ve used the machine on your buddy Jeff Smith, and it gives a positive result. What are the odds Jeff is a terrorist?

Try to figure it out, or at least guess, before you read on.
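For after you have made your guess: the calculation behind the question, as an added example that is not part of Ryan Cooper's post or Cory Doctorow's original. It applies Bayes' theorem with the post's figures (one terrorist per million, a machine that is "99.9 percent accurate", read here as both true-positive and true-negative rate) and also shows how accurate such a machine would have to be before a positive result meant anything; the population figure is an assumption.

```python
def posterior_probability(prevalence, sensitivity, specificity):
    """P(terrorist | machine says yes), by Bayes' theorem.

    prevalence  : P(terrorist)              base rate in the population
    sensitivity : P(positive | terrorist)   true-positive rate
    specificity : P(negative | innocent)    true-negative rate
    """
    true_positive = sensitivity * prevalence
    false_positive = (1.0 - specificity) * (1.0 - prevalence)
    return true_positive / (true_positive + false_positive)


def expected_flags(population, prevalence, sensitivity, specificity):
    """Expected (true positives, false positives) if everyone is screened."""
    terrorists = population * prevalence
    innocents = population - terrorists
    return terrorists * sensitivity, innocents * (1.0 - specificity)


def required_specificity(prevalence, sensitivity, target_posterior):
    """Specificity needed so that a positive result means
    P(terrorist) >= target_posterior. Solving posterior = t for the
    false-positive rate f:
        s*p = t*(s*p + f*(1-p))  ->  f = s*p*(1-t) / (t*(1-p))
    """
    f = sensitivity * prevalence * (1.0 - target_posterior) / (
        target_posterior * (1.0 - prevalence))
    return 1.0 - f


if __name__ == "__main__":
    # The post's numbers: one terrorist per million, and a "99.9 percent
    # accurate" machine taken as sensitivity = specificity = 0.999.
    p, acc = 1e-6, 0.999
    print(f"P(terrorist | positive) = {posterior_probability(p, acc, acc):.6f}")
    # 320 million is an assumed, round US-sized population.
    tp, fp = expected_flags(320_000_000, p, acc, acc)
    print(f"screening 320M people: ~{tp:.0f} true vs ~{fp:.0f} false positives")
    spec = required_specificity(p, acc, 0.5)
    print(f"specificity needed for a 50/50 posterior: {spec:.7f}")
```

The same arithmetic applies to any detector run against a population where the thing being hunted is rare, which is why alert precision rather than raw accuracy is the number to ask about.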

Similar conclusion to Begging National Security Questions #1 where out of 10,295,642,951 airline passengers screened from 2002 – 2015, the TSA has yet to catch a single terrorist. Not one.

Perhaps critics (I’m one) of the NSA are asking the wrong questions.

Surely NSA staff mathematicians know the problems, both formal and practical, with the surveillance activities at the NSA. Even the political appointees at DHS have noticed a drought of ten years without a single terrorist. Their competitors at the FBI coerce the mentally ill into terrorist suspects.

What if the debate over the justifications for surveillance is a distraction? While we sally back and forth over statistics, methodologies, legal issues, etc., are the real drivers for the activity elsewhere?

Since the NSA budget is top-secret, let’s look at the Department of Homeland Security budget, from 2002 to 2015. I used the budget-in-brief documents from DHS Budget. (I didn’t see any machine readable files. Let me know if there are other sources with machine readable files. Thanks!)

Total DHS Budgets by Year:

2002 $20 billion
2003 $38 billion
2004 $36 billion
2005 $40 billion
2006 $41 billion
2007 $43 billion
2008 $46 billion
2009 $51 billion
2010 $55 billion
2011 $56 billion
2012 $57 billion
2013 $59 billion
2014 $60 billion
2015 $61 billion
2016 $65 billion
Total $628 billion

The self-professed justification of the DHS can be found in the first paragraph of its Budget-in-Brief for 2016:

The Department of Homeland Security’s (DHS) ultimate mission is to secure the Nation from the many threats we face. This requires the dedication of nearly a quarter million employees with responsibilities that range from facilitating the efficient flow of commerce; preventing terrorism; protecting our national leaders; securing and managing the border; enforcing and administering immigration laws; and preparing for and responding to disasters. Our duties are wide-ranging, but our goal is quite clear—keep America safe.

It is an article of faith, dogma, inerrant truth, at least for the DHS, that America faces many threats. No amount of evidence can shake their faith in that proposition.

Why not take a non-refutation approach? Just bypass the bass intoning of “America faces many threats,” and jump to what is being done to respond to those threats?

I hate conceding factual falsehoods but more effective engagement on budget waste may (no guarantees) lead to less surveillance and more useful spending of federal funds.

First, we need an image that captures the essence of the DHS budget. Here is my suggestion:

[Image: cookie jar]

Second, focus on the cookie part of the imagery. What cookies did your locality get last year from the DHS? Those cookies have more to do with the distribution of money than any attempt to “…keep America safe.” And no doubt some of those 250,000 DHS staff work in your community, shop in your stores, buy homes, etc. If you aren’t getting your share of the cookies, time to complain.

Third, mine the DHS budget for the many ineffectual programs (like the TSA) which have yet to produce a single terrorist. Go ahead and concede the fantasy of terrorists and even encourage it. Then you can ask: “OK, so if terrorists are lurking nearly everywhere, why haven’t you caught even one?”

I think there are a variety of factors driving DHS:

  • The government wants to be seen as doing something to prevent terrorism, even if their efforts are totally ineffectual. Such as feeling up little children at airports.
  • The DHS distributes jobs and purchases across the economy and that is viewed as a benefit (cookie) by many members of Congress.
  • Preservation of the DHS as a department, which is its main rationale for continuing to exist. Going on fourteen (14) years without a single terrorist arrest by the TSA should be proof enough that the United States is a terrorist desert (except for the mentally ill entrapped by the FBI).

Let’s concede the terrorist fantasy and then cut the legs out from under DHS.

Debating Public Policy, On The Basis of Fictions

Sunday, May 3rd, 2015

Striking a Balance—Whistleblowing, Leaks, and Security Secrets by Cody Poplin.

From the post:

Last weekend, the New York Times published an article outlining the strength of congressional support for the CIA targeted killing program. In the story, the Times also purported to reveal the identities of three covert CIA operatives who now hold senior leadership roles within the Agency.

As you might expect, the decision generated a great deal of controversy, which Lawfare covered here and here. Later in the week, Jack Goldsmith interviewed Executive Editor of the New York Times Dean Baquet to discuss the decision. That conversation also prompted responses from Ben, Mark Mazzetti (one of the authors of the piece), and an anonymous intelligence community reader.

Following the Times’ story, the Johns Hopkins University Center for Advanced Governmental Studies, along with the James Madison Project and our friends at Just Security, hosted a timely conference on Secrecy, Openness and National Security: Lessons and Issues for the Next Administration. In a panel entitled Whistleblowing and America’s Secrets: Ensuring a Viable Balance, Bob Litt, General Counsel for the Office of the Director of National Security, blasted the Times, saying that the paper had “disgraced itself.”

However, the panel—which with permission from the Center for Advanced Governmental Studies, we now present in full—covered much more than the latest leak published in the Times. In a conversation moderated by Mark Zaid, the Executive Director of the James Madison Project, Litt, along with Ken Dilanian, Dr. Gabriel Schoenfeld, and Steve Vladeck, tackled a vast array of important legal and policy questions surrounding classified leak prosecutions, the responsibilities of the press, whistleblower protections, and the future of the Espionage Act.

It’s a jam-packed discussion full of candid exchanges—some testy, most cordial—that greatly raises the dialogue on the recent history of leaks, prosecutions, and future lessons for the next Administration.

Spirited debate but on the basis of known fictions.

For example, Bob Litt, General Counsel for the Office of the Director of National Security, poses a hypothetical question that compares an alleged suppression of information about the Bay of Pigs invasion to whether a news organization would be justified in leaking the details of plans to assassinate Osama bin Laden.

The premise of the hypothetical is flawed. It is based on an alleged statement by President Kennedy wishing the New York Times had published the details in their possession. One assumes so that public reaction would have prevented the ensuing disaster.

The story of President Kennedy suppressing a story in the New York Times about the Bay of Pigs is a myth.

Busting the NYTimes suppression myth, 50 years on reports:

Indeed, the Times’ purported spiking has been called the “symbolic journalistic event of the 1960s.”

Only the Times didn’t censor itself.

It didn’t kill, spike, or otherwise emasculate the news report published 50 years ago tomorrow that lies at the heart of this media myth.

That article was written by a veteran Times correspondent named Tad Szulc, who reported that 5,000 to 6,000 Cuban exiles had received military training for a mission to topple Fidel Castro’s regime; the actual number of invaders was about 1,400.

The story, “Anti-Castro Units Trained At Florida Bases,” ran on April 7, 1961, above the fold on the front page of the New York Times.

The invasion of the Bay of Pigs happened ten days later, April 17, 1961.

Hardly sounds like suppression of the story does it?

That is just one fiction that formed the basis for part of the discussion in this podcast.

Another fiction is that leaked national security information, some of Edward Snowden‘s materials for example, was damaging to national security. Except that those who claim to know can’t say what information was damaging or how.

Without answers to what information and how it was damaging to national security, their claims of “damage to national security” should go straight into the myth bin. The unbroken record of leaks shows illegal activity, incompetence, waste and avoidance of responsibility. None of those are in the national interest.

If the media does want to act in the “public interest,” then it should stop repeating unsubstantiated claims by the security community of damage to the “national interest.” Repeating falsehoods does not make them useful for debates of public policy. When advanced, such claims should be challenged and, absent sufficient details for the public to reach its own conclusion about the claim, excluded from further discussion.

Another myth in this discussion is the assumption that the media has an in loco parentis role vis-a-vis the public. That media representatives should act on the public’s behalf in determining what is or is not in the “public interest.” Complete surprise to me and I have read the Constitution more than once or twice.

I don’t remember seeing the media called out in the Constitution as guardians for a public too stupid to decide matters of public policy for itself.

That is the central flaw with national security laws and the rights of leakers and leakees. The government of the United States, for those unfamiliar with the Constitution, is answerable under the Constitution to the citizens of the United States. Not any branch of government or its agencies but to the citizens.

There are no exceptions to United States government being accountable to its citizens. Not one. To hold government accountable, its citizens need to know what government has been doing, to whom and why. The government has labored long and hard, especially its security services, to avoid accountability to its citizens. Starting shortly after its inception.

There should be no penalties for leakers or leakees. Leaks will cause hardships, such as careers ending due to dishonesty, incompetence, waste and covering for others engaged in the same. If you don’t like that, move to a country where the government isn’t answerable to its citizens. May I suggest Qatar?

New York Times Gets Stellarwind IG Report Under FOIA

Sunday, April 26th, 2015

New York Times Gets Stellarwind IG Report Under FOIA by Benjamin Wittes.

A big thank you! to Benjamin Wittes and the New York Times.

They are the only two (2) stories on the Stellarwind IG report, released Friday evening, that give a link to the document!

The NYT story with the document: Government Releases Once-Secret Report on Post-9/11 Surveillance by Charlie Savage.

The document does not appear at:

Office of the Director of National Intelligence (as of Sunday, 25 April 2015, 17:45 EST).

US unveils 6-year-old report on NSA surveillance by Nedra Pickler (Associated Press or any news feed that parrots the Associated Press).

Suggestion: Don’t patronize news feeds that refer to documents but don’t include links to them.

QUANTUM-type packet injection attacks [From NSA to Homework]

Wednesday, April 22nd, 2015

QUANTUM-type packet injection attacks

From the homework assignment:

CSE508: Network Security (PhD Section), Spring 2015

Homework 4: Man-on-the-Side Attacks

Part 1:

The MotS injector you are going to develop, named ‘quantuminject’, will capture the traffic from a network interface in promiscuous mode, and attempt to inject spoofed responses to selected client requests towards TCP services, in a way similar to the Airpwn tool.

Part 2:

The MotS attack detector you are going to develop, named ‘quantumdetect’, will capture the traffic from a network interface in promiscuous mode, and detect MotS attack attempts. Detection will be based on identifying duplicate packets towards the same destination that contain different TCP payloads, i.e., the observation of the attacker’s spoofed response followed by the server’s actual response. You should make every effort to avoid false positives, e.g., due to TCP retransmissions.

See the homework details for further requirements and resources.
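The detection rule from Part 2, carried through as an added example that is not the course's reference solution or code from the post. It runs over constructed in-memory segment records rather than a live promiscuous-mode capture (the hostnames, addresses and payloads are made up), flags duplicate data segments toward the same destination whose payloads disagree, and deliberately ignores retransmissions, including partial ones, so they do not count as false positives.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The fields of a captured TCP segment that the detector needs."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL on arrival, used only as corroboration
    payload: bytes


def is_retransmission(a: bytes, b: bytes) -> bool:
    """Two data segments with the same sequence number are a benign
    retransmission when their bytes agree over the overlapping range
    (a resend may carry a shorter or longer slice of the same data)."""
    n = min(len(a), len(b))
    return n > 0 and a[:n] == b[:n]


def detect_mots(segments):
    """Return one alert per (flow, seq) where two segments toward the
    same destination carry different payloads: the spoofed reply that
    arrived first, followed by the real server's reply. Retransmissions
    and empty (ACK-only) segments never raise an alert."""
    seen = defaultdict(list)   # (src, sport, dst, dport, seq) -> segments
    alerted = set()
    alerts = []
    for seg in segments:
        if not seg.payload:
            continue
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        for earlier in seen[key]:
            if is_retransmission(earlier.payload, seg.payload):
                continue
            if key not in alerted:
                alerted.add(key)
                alerts.append({
                    "flow": f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}",
                    "seq": seg.seq,
                    "first_payload": earlier.payload[:40],
                    "second_payload": seg.payload[:40],
                    # An injector sits at a different hop count than the
                    # real server, so the two TTLs usually differ. That is
                    # supporting evidence only, not the trigger.
                    "ttl_mismatch": earlier.ttl != seg.ttl,
                })
        seen[key].append(seg)
    return alerts


# Constructed sample capture (documentation addresses, made-up payloads).
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
REAL_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_CAPTURE = [
    # the client's request
    Segment(CLIENT, SERVER, 40001, 80, 1000, 64,
            b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # a reply that wins the race, from a different hop count
    Segment(SERVER, CLIENT, 80, 40001, 5000, 57,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    # the real server's reply: same seq, different bytes
    Segment(SERVER, CLIENT, 80, 40001, 5000, 49, REAL_REPLY),
    # a benign retransmission of the real reply
    Segment(SERVER, CLIENT, 80, 40001, 5000, 49, REAL_REPLY),
    # a second flow with a partial retransmission (same bytes, shorter)
    Segment(SERVER, CLIENT, 80, 40002, 7000, 49,
            b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    Segment(SERVER, CLIENT, 80, 40002, 7000, 49, b"HTTP/1.1 200 OK\r\n"),
]


if __name__ == "__main__":
    for alert in detect_mots(SAMPLE_CAPTURE):
        print(alert)
```

Only the first flow produces an alert; the retransmissions in both flows are filtered by the byte comparison.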

If you need a starting point for “Man-on-the-Side Attacks,” I saw Bruce Schneier recommend: Our Government Has Weaponized the Internet. Here’s How They Did It by Nicholas Weaver.

You may also want to read: Attacking Tor: how the NSA targets users’ online anonymity by Bruce Schneier, but with caveats.

For example, Bruce says:

To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target’s browser to visit a Foxacid server.

In the academic literature, these are called “man-in-the-middle” attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of “man-on-the-side” attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a “race condition” between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

Have you heard the story of the mountain hiker who explained he was wearing sneakers instead of boots in case he and his companion were chased by a bear? The companion pointed out that no one can outrun a bear, to which the mountain hiker replied, “I don’t have to outrun the bear, I just have to outrun you.”

A man-in-the-middle attack can be made from a privileged place on the Internet backbone, but that’s not a requirement. The only requirement is that my “FoxAcid” server has to respond more quickly than the website a user is attempting to contact. That hardly requires a presence on the Internet backbone. I just need to outrun the packets from the responding site.

Assume I want to initiate a man-on-the-side attack against a user or organization at a local university. All I need to do is obtain access to the university connection to the Internet, on the university side of the connection, and by definition I am going to be faster than any site remote to the university.

So I would disagree with Bruce’s statement:

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a “race condition” between the NSA server and the legitimate website.

Anyone can do man-on-the-side attacks, the only requirement is being faster than the responding computer.

The NSA wanted to screw everyone on the Internet, hence the need to be on the backbone. If you are less ambitious, you can make do with far less expensive and rare resources.

Bearing Arms – 2nd Amendment and Hackers – The Constitution

Monday, March 23rd, 2015

All discussions of the right to bear arms in the United States start with the Second Amendment. But since words can’t interpret themselves for specific cases, our next stop is the United States Supreme Court.

One popular resource, The Constitution of the United States of America: Analysis and Interpretation (popularly known as the Constitution Annotated), covers the Second Amendment in a scant five (5) pages.

There is a vast sea of literature on the Second Amendment but there is one case that established that the right to bear arms is an individual right and not limited to state militias.

In District of Columbia vs. Heller, 554 U.S. 570 (2008), Justice Scalia writing for the majority found that the right to bear arms was an individual right, for the first time in U.S. history.

The unofficial syllabus notes:

The prefatory clause comports with the Court’s interpretation of the operative clause. The “militia” comprised all males physically capable of acting in concert for the common defense. The Antifederalists feared that the Federal Government would disarm the people in order to disable this citizens’ militia, enabling a politicized standing army or a select militia to rule. The response was to deny Congress power to abridge the ancient right of individuals to keep and bear arms, so that the ideal of a citizens’ militia would be preserved. Pp. 22–28.

Interesting yes? Disarm the people in order to enable “…a politicized standing army (read NSA/CIA/FBI/DHS) or a select militia to rule.”

If citizens are prevented from owning hacking software and information, necessary for their own cybersecurity, have they not been disarmed?

Justice Scalia’s opinion is rich in historical detail and I will be teasing out the threads that seem most relevant to an argument that hacking tools and knowledge should fall under the right to bear arms under the Second Amendment.

In the meantime, some resources that you will find interesting/helpful:

District of Columbia v. Heller in Wikipedia is a quick read and a good way to get introduced to the case and the issues it raises. But only as an introduction, you would not perform surgery based on a newspaper report of a surgery. Yes?

A definite step up in analysis is SCOTUSblog, District of Columbia v. Heller. You will find twenty (20) blog posts on Heller, briefs and documents in the case, plus some twenty (20) briefs supporting the petitioner (District of Columbia) and forty-seven (47) briefs supporting the respondent (Heller). Noting that attorneys could be asked questions about any and all of the theories advanced in the various briefs.

Take this as an illustration of why I don’t visit SCOTUSblog as often as I should. I tend to get lost in the analysis and start chasing threads through the opinions and briefs. One of the many joys being that you rarely find anyone with a hand-waving citation “over there, somewhere” as you do in CS literature. Citations are precise or not at all.

No, I don’t propose to drag you through all of the details even of Scalia’s majority opinion but just enough to frame the questions to be answered in making the claim that cyber weapons are the legitimate heirs of arms for purposes of the Second Amendment and entitled to the same protection as firearms.

Do some background reading today and tomorrow. I am re-reading Scalia’s opinion now and will let it soak in for a day or so before posting an outline of it relevant for our purposes. Look for it late on Wednesday, 25 March 2015.

PS: Columbia vs. Heller, 554 U.S. 570 (2008), the full opinion plus dissents. A little over one hundred and fifty (150) pages of very precise writing. Enjoy!

A Well Regulated Militia

Sunday, March 22nd, 2015

The NSA’s plan: improve cybersecurity by hacking everyone else by Trevor Timm.

From the post:

The National Security Agency want to be able to hack more people, vacuum up even more of your internet records and have the keys to tech companies’ encryption – and, after 18 months of embarrassing inaction from Congress on surveillance reform, the NSA is now lobbying it for more powers, not less.

NSA director Mike Rogers testified in front of a Senate committee this week, lamenting that the poor ol’ NSA just doesn’t have the “cyber-offensive” capabilities (read: the ability to hack people) it needs to adequately defend the US. How cyber-attacking countries will help cyber-defense is anybody’s guess, but the idea that the NSA is somehow hamstrung is absurd.

Like everyone else I like reading hacking stories, particularly the more colorful ones! But for me, at least until now, hacking has been like debugging core dumps; it’s an interesting technical exercise but not much more than that.

I am incurious about the gossip the NSA is sweeping up for code word access, but I am convinced that we all need a strong arm to defend our digital privacy and the right to tools to protect ourselves.

The dangers to citizens have changed since James Madison wrote in the Bill of Rights:

“A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.”

In 1789, oppression and warfare were conducted with muzzle loaders and swords. Guns are still a common means of oppression, but the tools of oppression have grown since 1789. Then there was no mass surveillance of phone traffic, bank accounts, camera feeds, not to mention harvesting of all network traffic. Now, all of those things are true.

Our reading of the Second Amendment needs to be updated to include computers, software developed for hacking, training for hackers and research on hacking. Knowing how to break encryption isn’t the same thing as illegally breaking encryption. It is a good way to test whether the promised encryption will exclude prying government eyes.

I’m not interested in feel-good victories that come years after overreaching by the government. It’s time for someone to take up the gage that the NSA has flung down in the street. Someone who traffics in political futures and isn’t afraid to get their hands dirty.

The NRA has been a long term and successful advocate for Second Amendment rights. And they have political connections that would take years to develop. When was the last time you heard of the NRA winning symbolic victories for someone after they had been victimized? Or do you hear of victories by the NRA before their membership is harmed by legislation? Such as anti-hacking legislation.

Since the NRA is an established defender of the Second Amendment, with a lot of political clout, let’s work on expanding the definition of “arms” in the Second Amendment to include computers, knowledge of how to break encryption and security systems, etc.

The first step is to join the NRA (like everybody they listen to paying members first).

The second step is to educate other NRA members and the public about the danger posed by unchecked government cyberpower. Current NRA members may die with their guns in hand but government snoops know what weapons they have, ammunition, known associates, and all of that is without gun registration. A machine pistol is a real mismatch against digital government surveillance. As in the losing side.

The third step is to start training yourself as a hacker. Set up a small network at home so you can educate yourself, off of public networks, about the weaknesses of hardware and software. Create or join computer clubs dedicated to learning hacking arts.

BTW, the people urging you to hack Y12 (a nuclear weapons facility), Chase and the White House are all FBI plants. Privately circulate their biometrics to other clubs. Better informants that have been identified than unknowns. Promptly report all illegal suggestions from plants. You will have the security agencies chasing their own tails.

Take this as a warm-up. I need to dust off some of my Second Amendment history. Suggestions and comments are always welcome.

Looking forward to the day when even passive government surveillance sets off alarms all over the net.

The Great SIM Heist

Friday, February 20th, 2015

The Great SIM Heist – How Spies Stole the Keys to the Encryption Castle by Jeremy Scahill and Josh Begley.

From the post:

AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

Read the original post to get an idea of the full impact of this heist.

Bottom line: Anything transmitted or stored electronically (phone, Internet, disk drive) should be considered as compromised.

How can people protect themselves when their government “protectors” are spying on them in addition to many others?

There isn’t a good answer to that last question but one needs to be found and soon.

Update: Mike Masnick says the theft of SIM encryption keys demonstrates that any repository of backdoors will be a prime target for hackers, endangering the privacy of all users with those backdoors. This is not a theoretical risk; the NSA and others have demonstrated the risk to be real. See: NSA’s Stealing Keys To Mobile Phone Encryption Shows Why Mandatory Backdoors To Encryption Is A Horrible Idea

Russian researchers expose breakthrough U.S. spying program

Tuesday, February 17th, 2015

Russian researchers expose breakthrough U.S. spying program by Joseph Menn.

From the post:

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)

Don’t have a sense for all thirty countries? Reuters has a visual to help with that:

[Image: Reuters map of Equation Group infections by country]

The Reuters report is great but if you want more technical details, see: Equation Group: The Crown Creator of Cyber-Espionage (the original Kaspersky report), and Equation: The Death Star of Malware Galaxy by GReAT (Kaspersky Lab’s Global Research & Analysis Team), which is an in-depth review of the exploit.

There is a comment to the GReAT blog post that reads:

Ok, reading through NSA files that Der Spiegel released I found this:

http://www.spiegel.de/media/media-35661.pdf

This is a file that shows the job postings for NSA interns, you can find a NSA wiki link in the last page. And this is very interesting:

(TS//SI//REL) Create a covert storage product that is enabled from a hard drive firmware modification. The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes half of its available space. It would report this size back to the operating system and not provide any way to access the additional space.

This is a 2006 document, it took 8 years to finish this product, which is what Kaspersky found.

So maybe you guys would easily find the malware if you revert the firmware to a state prior to this date.

Has anyone been collecting hard drive firmware? Another example of where “secret” code exposes users to dangers difficult to guard against.

Public open source code (whether “free” or not) should be a legal requirement for the distribution of software and/or devices with firmware. Just for security reasons alone.

BTW, anyone still in favor of “trusting” the intelligence community if they say your privacy is being respected?

I found the Reuters story because of a tweet by Violet Blue. I then tracked down the source documents for your convenience (I haven’t seen them in other accounts).

Intelligence Sharing, Crowd Sourcing and Good News for the NSA

Monday, February 16th, 2015

Lisa Vaas posted an entertaining piece today with the title: Are Miami cops really flooding Waze with fake police sightings?. Apparently an NBC affiliate (not FOX, amazing) tried its hand at FUD, alleging that Miami police officers were gaming Waze.

There is a problem with that theory, which Lisa points out quoting Julie Mossler, a spokesperson for Waze:

Waze algorithms rely on crowdsourcing to confirm or negate what has been reported on the road. Thousands of users in Florida do this, both passively and actively, every day. In addition, we place greater trust in reports from heavy users and terminate accounts of those whose behavior demonstrates a pattern of contributing false information. As a result the Waze map will remain reliable and updated to the minute, reflecting real-time conditions.

Oops!

See Lisa’s post for the blow-by-blow account of this FUD attempt by the NBC affiliate.

However foolish an attempt to game Waze would be, it is a good example to promote the sharing of intelligence.

Think about it. Rather than the consensus poop that emerges from collaboration among the senior management of intelligence agencies, why not share all intelligence directly among the working analysts, across agencies, who address the same areas or issues? Make the “crowd” people who hold similar security clearances and work common subject areas. Contributions remain trackable within an agency, but to the “crowd” everyone has a handle, and contributions to shared intelligence are voted up or down. Just as with Waze, people will develop reputations within the system.

For turf reasons, I assume you could also put handles on the intelligence itself, so participants would not know its origin, at least until people build up trust in the system.
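The mechanism Waze describes above, reputation-weighted confirmation with termination of accounts that keep being contradicted, is simple enough to sketch. The following is an added example, not Waze’s code and not from the original post or Lisa Vaas’s piece; the weights, the acceptance threshold, the strike count and the scenario (six fresh accounts report the same fake police sighting three times running, three established users negate it) are assumptions chosen to show why a small flood of new accounts cannot outvote a few established reporters, and how the flooders lose their accounts.

```python
"""Reputation-weighted crowd confirmation with termination of accounts that keep
being contradicted, modelled on the Waze description quoted above.

Added example; not Waze's code and not from the original post or Lisa Vaas's
piece. Weights, threshold, strike count and the scenario are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Crowd:
    new_account_weight: float = 0.1   # assumption: a fresh account barely counts
    accept_threshold: float = 1.0      # weighted net votes needed to publish a report
    strikes_to_terminate: int = 3      # contradicted this often -> account closed
    reputation: dict = field(default_factory=dict)
    strikes: dict = field(default_factory=dict)
    terminated: set = field(default_factory=set)

    def weight(self, user: str) -> float:
        if user in self.terminated:
            return 0.0
        return self.reputation.get(user, self.new_account_weight)

    def resolve(self, reporters: list, confirmers: list, negators: list) -> bool:
        """Decide one report; True means it goes on the map.

        Reporters and confirmers vote for the report, negators against, each vote
        weighted by reputation. The losing side earns a strike and loses
        reputation; the winning side gains a little.
        """
        for_side = reporters + confirmers
        score = sum(self.weight(u) for u in for_side) - sum(self.weight(u) for u in negators)
        accepted = score >= self.accept_threshold
        winners, losers = (for_side, negators) if accepted else (negators, for_side)
        for u in winners:
            if u not in self.terminated:
                self.reputation[u] = min(1.0, self.weight(u) + 0.05)
        for u in losers:
            if u in self.terminated:
                continue
            self.reputation[u] = max(0.0, self.weight(u) - 0.05)
            self.strikes[u] = self.strikes.get(u, 0) + 1
            if self.strikes[u] >= self.strikes_to_terminate:
                self.terminated.add(u)
        return accepted


def fake_sighting_scenario() -> dict:
    """Six fresh accounts post the same fake police sighting three times running;
    three established users negate it each time. Then one genuine report."""
    crowd = Crowd()
    heavy = ["h1", "h2", "h3"]
    for u in heavy:
        crowd.reputation[u] = 1.0            # long history of confirmed reports
    sock_puppets = [f"sp{i}" for i in range(6)]
    fake_outcomes = [crowd.resolve(sock_puppets, [], heavy) for _ in range(3)]
    genuine = crowd.resolve(["h1"], ["h2"], [])
    return {
        "fake_accepted": fake_outcomes,
        "genuine_accepted": genuine,
        "terminated": sorted(crowd.terminated),
        "puppet_weight_now": crowd.weight("sp0"),
    }


if __name__ == "__main__":
    print(fake_sighting_scenario())
```

With these numbers, thirty fresh accounts voting together net to 3.0, exactly what three established users cancel out, so the attacker has to sustain a large, coordinated flood and still loses the accounts after three contradictions. The same weighting is what the intelligence-sharing proposal would need; the hard part there is bootstrapping reputation for new handles, which the code leaves as the `new_account_weight` parameter.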

Changing the cultures at the intelligence agencies, which hasn’t succeeded since 9/11, would require a more dramatic approach than has been tried to date. My suggestion is to give the Inspectors General the ability to block promotions and/or fire people in the intelligence agencies who don’t actively promote the sharing of intelligence. Where “actively promotes” is measured by intelligence actually shared, not by plans and meetings about sharing it.

Unless and until there are consequences for the failure of members of the intelligence community to put the interests of their employers (in this case, citizens of the United States) above their own or that of their agency, the failure to share intelligence since 9/11 will continue.

PS: People will object that the staff in question have been productive, loyal, etc., etc. in the past. The relevant question is whether they have the skills and commitment that is required now? The answer to that last question is either yes or no. Employment is an opportunity to perform, not an entitlement.

Thank Snowden: Internet Industry Now Considers The Intelligence Community An Adversary, Not A Partner

Saturday, February 14th, 2015

Thank Snowden: Internet Industry Now Considers The Intelligence Community An Adversary, Not A Partner by Mike Masnick

From the post:

We already wrote about the information sharing efforts coming out of the White House cybersecurity summit at Stanford today. That’s supposedly the focus of the event. However, there’s a much bigger issue happening as well: and it’s the growing distrust between the tech industry and the intelligence community. As Bloomberg notes, the CEOs of Google, Yahoo and Facebook were all invited to join President Obama at the summit and all three declined. Apple’s CEO Tim Cook will be there, but he appears to be delivering a message to the intelligence and law enforcement communities, if they think they’re going to get him to drop the plan to encrypt iOS devices by default:


In an interview last month, Timothy D. Cook, Apple’s chief executive, said the N.S.A. “would have to cart us out in a box” before the company would provide the government a back door to its products. Apple recently began encrypting phones and tablets using a scheme that would force the government to go directly to the user for their information. And intelligence agencies are bracing for another wave of encryption.

Disclosure: I have been guilty of what I am about to criticize Mike Masnick about and will almost certainly be guilty of it in the future. That, however, does not make it right.

What would you say is being assumed in Mike’s title?

Guesses anyone?

What if it read: U.S. Internet Industry Now Considers The U.S. Intelligence Community An Adversary, Not A Partner?

Does that help?

The trivial point is that the “Internet Industry” isn’t limited to the U.S. and Mike’s readership isn’t either.

More disturbing though is that the “U.S. (meant here descriptively) Internet Industry” at one point did consider the “U.S. (again descriptively) Intelligence Community” a partner.

That being the case and seeing how Mike duplicates that assumption in his title, how should countries besides the U.S. view the reliability (in terms of government access) of U.S. produced software?

That’s a simple enough question.

What is your answer?

The assumption of partnership between the “U.S. Internet Industry” and the “U.S. Intelligence Community” would have me running to back an alternative to China’s recent proposal for source code being delivered to the government (in that case China).

Rather than every country having different import requirements for software sales, why not require the public posting of commercial software source for software sales anywhere?

Posting of source code doesn’t lessen your rights to the code (see copyright statutes) and it makes detection of software piracy trivially easy since all commercial software has to post its source code.

Oh, some teenager might compile a copy but do you really think major corporations in any country are going to take that sort of risk? It just makes no sense.

As far as the “U.S. Intelligence Community” concerns, remember “The treacherous are ever distrustful…” The ill-intent of the world they see is a reflection of their own malice towards others. Or after years of systematic abuse, the smoldering anger of the abused.

National Security Strategy – February 2015

Sunday, February 8th, 2015

National Security Strategy – February 2015 by Barack Obama.

If you are not already following the U.S. Dept. of Fear (FearDept) on Twitter, you should be.

FearDept tweets that “terrorism” is mentioned fifty-three (53) times in thirty-five (35) pages.

Despite bold claims about our educational system, it is mentioned only sixteen (16) times. And the president doesn’t mention that LSU is facing a one-third (1/3) cut to its budget, damaging higher education in Louisiana in ways that won’t be easy to repair (see Cutting Louisiana higher education by $300 million, putting it into perspective). Louisiana isn’t the only state raising tuition and cutting state support for higher education, but it is one of the worst offenders.

If you want to know exactly how grim the situation is for education, see: States Are Still Funding Higher Education Below Pre-Recession Levels, which details how every state, save for Alaska and North Dakota, has cut funding for education. The report explores a variety of measures to illustrate the impact that funding cuts and tuition increases have had on education.

Unlike the rhetoric extolling the U.S. education system in President Obama’s text, the report concludes:

States have cut higher education funding deeply since the start of the recession. These cuts were in part the result of a revenue collapse caused by the economic downturn, but they also resulted from misguided policy choices. State policymakers relied overwhelmingly on spending cuts to make up for lost revenues. They could have lessened the need for higher education funding cuts if they had used a more balanced mix of spending cuts and revenue increases to balance their budgets.

To compensate for lost state funding, public colleges have both steeply increased tuition and pared back spending, often in ways that may compromise the quality of the education and jeopardize student outcomes. Now is the time to renew investment in higher education to promote college affordability and quality.

Strengthening state investment in higher education will require state policymakers to make the right tax and budget choices over the coming years. A slow economic recovery and the need to reinvest in other services that also have been cut deeply means that many states will need to raise revenue to rebuild their higher education systems. At the very least, states must avoid shortsighted tax cuts, which would make it much harder for them to invest in higher education, strengthen the skills of their workforce, and compete for the jobs of the future.

The conclusions on education funding were based on facts. President Obama’s text is based on fantasies that support the military-industrial complex and their concubines.

Can you name a foreign terrorist attack on the United States other than 9/11? That’s what I thought. Unique events are not a good basis for policy making or funding.

Intelligence agencies tout transparency [Clapper? Eh?]

Thursday, February 5th, 2015

Intelligence agencies tout transparency by Josh Gerstein.

From:

A year and a half after Edward Snowden’s surveillance revelations changed intelligence work forever, the U.S. intelligence community is formally embracing the value of transparency. Whether America’s spies and snoopers are ready to take that idea to heart remains an open question.

On Tuesday, Director of National Intelligence James Clapper released a set of principles that amounts to a formal acknowledgement that intelligence agencies had tilted so far in the direction of secrecy that it actually undermined their work by harming public trust.

“The thought here was we needed to strategically get on the same page in terms of what we were trying to do with transparency,” DNI Civil Liberties Protection Officer Alex Joel told POLITICO Monday. “The intelligence community is by design focused on keeping secrets rather than disclosing them. We have to figure out how we can work with our very dedicated work force to be transparent while they’re keeping secrets.”

The principles (posted here) are highly general and include a call to “provide appropriate transparency to enhance public understanding about the IC’s mission and what the IC does to accomplish it (including its structure and effectiveness).” The new statement is vague on whether specific programs or capabilities should be made public. In addition, the principle on handling of classified information appears largely to restate the terms of an executive order President Barack Obama issued on the subject in 2009.

If I understand the gist of this story correctly, the Director of National Intelligence (DNI) James Clapper, the same James Clapper that lied to Congress about the NSA, wants to regain the public’s trust. Really?

Hmmm, how about James Clapper and every appointed official in the security services resigning as a start. The second step would be congressional appointment of oversight personnel who can go anywhere, see any information, question anyone, throughout the security apparatus and report back to Congress. Those reports back to Congress can elide details where necessary but by rotating the oversight personnel, they won’t become captives of the agencies where they work.

BTW, the intelligence community is considering how it can release more information to avoid “program shock” from Snowden like disclosures. Not that they have released any such information but they are thinking about it. OK, I’m thinking about winning $1 million in the next lottery drawing. Doesn’t mean that it is going to happen.

Let’s get off the falsehood merry-go-round that Clapper and others want to keep spinning. Unless and until all the known liars are out of government and kept out of government, including jobs with security contractors, there is no more reason to trust our intelligence community any more than we would trust the North Korean intelligence community.

Perhaps more of a reason to trust the North Korean intelligence community because at least we know whose side they are on. As far as the DNI and the rest of the U.S. security community, hard to say whose side they are on. Booz Allen’s? NSA’s? CIA’s? Some other contractors? Certainly not on the side of Congress and not on the side of the American people, despite their delusional pretensions to the contrary.

No doubt there is a role for a well-functioning and accountable intelligence community for the United States. That in no way could be applied to our current intelligence community, which is a collection of parochial silos more concerned with guarding their turf and benefiting their contractors than any semblance of service to the American people.

Congress needs to end the intelligence community as we know it and soon. In the not distant future, the DNI and not the President will be the decision maker in Washington.

What Happens if We #Sunset215? [Patriot Act surveillance]

Wednesday, February 4th, 2015

What Happens if We #Sunset215? by Harley Geiger.

From the post:

A law the government cites as authority for the bulk collection of millions of Americans’ communications records—Section 215 of the PATRIOT Act—expires unless Congress extends it by Memorial Day weekend.

The Center for Democracy & Technology, and other public interest groups, believes that Sec. 215 should sunset unless it is reformed to stop nationwide surveillance dragnets. What would happen to domestic bulk collection if Sec. 215 sunsets?

After a detailed review of the history and nuances of Sec. 215, Harley says:


Sunset of Sec. 215 would prevent new bulk collection programs under Sec. 215, but would not affect current bulk collection programs under Sec. 215, nor prevent bulk collection programs under the FISA pen/trap statute. From the perspective of the intelligence community, a sunset of Sec. 215 would deprive the government of an evidence-gathering tool with many targeted, legitimate uses other than bulk collection.

I’m sorry, that went by a little fast.

Even if Sec. 215 sunsets, what evidence is there that the government would stop conducting new bulk collection programs or more targeted uses other than bulk collection?

The evidence we do have suggests that sunsetting Sec. 215 will have no impact on NSA data collection efforts. For example, James Clapper lied to Congress and kept his job. What does that say to lower-level staffers who appear before Congress or who are interviewed by investigators? Particularly with regard to the consequences of lying to Congress or to investigators?

If Congress and other investigators can’t get truthful answers from the NSA, who is to say that Sec. 215 sunsetting has had any impact at all? A drop in FISA requests? Perhaps the NSA just decides to drop the fiction that the FISA court is any meaningful limit on their power.

The post footer says:

Harley Geiger is Advocacy Director and Senior Counsel at the Center for Democracy & Technology (CDT).

And I am sure that he is far more qualified than I am to address the policy issues of Sec. 215, if one assumes the government is telling the truth and playing by the rules Congress has passed. But the evidence we have to date suggests that the government isn’t telling the truth and pays lip service to any rule that Congress passes.

What needs to sunset is all bulk data collection and all targeted collection that is not subject to the traditional safeguards of U.S. district courts. My suggestion is embedded congressional oversight in all agencies that conduct surveillance with clearance to see or go anywhere, including any compartmentalized projects.

If the argument is that the honest public need not fear bulk surveillance, then honest agencies need fear no embedded congressional oversight.

Your Weekly Snowden Dribble

Saturday, January 31st, 2015

Levitation program tracked file-sharing sites by David Meyer.

From the post:

The Canadian spy agency CSE monitors activity across over 100 free file upload sites, a newly-revealed PowerPoint document from NSA whistleblower Edward Snowden’s cache has shown.

The document describing CSE’s Levitation program was published on Wednesday by The Intercept, reporting alongside Canadian broadcaster CBC. Although Canada has long been known to be a member of the core Anglophone “Five Eyes” spying club, this is the first Snowden revelation putting it at the forefront of one of the Eyes’ mass surveillance programs.

I was truly surprised that the Canadians were monitoring file sharing sites. Shouldn’t that be contracted out to the mad dogs at the RIAA and MPAA, etc.? Cheaper and doubtful you could find anyone more persistent.

On the downside they would want the phone logs of every teenager suspected of copying a song off the radio. To find clusters of copyright thieves. Maybe it is better to have the Canadians do it.

“…we have not identified a single instance…” Ineffectual Phone Surveillance

Saturday, January 31st, 2015

Tim Cushing has a great piece, Privacy Board Says NSA Doesn’t Know How Effective Its Collection Programs Are, Doesn’t Much Care Either at TechDirt on the latest report of the Privacy and Civil Liberties Oversight Board (PCLOB) on government surveillance in the United States.

As a result of his post, I went searching for the Board’s earlier report on vacuuming up phone records. In part that earlier report reads:

The threat of terrorism faced today by the United States is real. The Section 215 telephone records program was intended as one tool to combat this threat—a tool that would help investigators piece together the networks of terrorist groups and the patterns of their communications with a speed and comprehensiveness not otherwise available. However, we conclude that the Section 215 program has shown minimal value in safeguarding the nation from terrorism. Based on the information provided to the Board, including classified briefings and documentation, we have not identified a single instance involving a threat to the United States in which the program made a concrete difference in the outcome of a counterterrorism investigation. Moreover, we are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack. And we believe that in only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorism suspect. Even in that case, the suspect was not involved in planning a terrorist attack and there is reason to believe that the FBI may have discovered him without the contribution of the NSA’s program.

The Board’s review suggests that where the telephone records collected by the NSA under its Section 215 program have provided value, they have done so primarily in two ways: by offering additional leads regarding the contacts of terrorism suspects already known to investigators, and by demonstrating that foreign terrorist plots do not have a U.S. nexus. The former can help investigators confirm suspicions about the target of an inquiry or about persons in contact with that target. The latter can help the intelligence community focus its limited investigatory resources by avoiding false leads and channeling efforts where they are needed most. But with respect to the former, our review suggests that the Section 215 program offers little unique value but largely duplicates the FBI’s own information gathering efforts. And with respect to the latter, while the value of proper resource allocation in time-sensitive situations is not to be discounted, we question whether the American public should accept the government’s routine collection of all of its telephone records because it helps in cases where there is no threat to the United States. (emphasis added)

What amazes me is that Tim’s review of the current report reflects that the vacuuming of phone records continues and there has been no effort to develop metrics to test the effectiveness of surveillance programs.

Recommendation 10: Develop a Methodology to Assess the Value of Counterterrorism Programs

Status: Not implemented

I wonder why the “…we have not identified a single instance…” line doesn’t come up in every presidential news conference, every interview with candidates for the House or the Senate, interviews with presidential hopefuls? It should come up repeatedly until the program is terminated by the executive branch or Congress defunds the NSA.

The president and others may be testy because they want to spin some other tale for public consumption, but here we have a bipartisan board that has seen the classified evidence and has reported to the public that the mass collection of phone records is ineffective. (full stop) The effectiveness of mass phone surveillance is no longer up for debate. The facts are in.

The question is what will the public do with those facts? Not vote for anyone who refuses to defund the NSA or terminate the phone surveillance program?

That’s a start but just to emphasize the point, call the White House and your representative and both senators daily to request the ending of the bulk phone records surveillance program. That will also illustrate how the NSA program captures constituents communicating with their elected representatives.

Obama backs call for tech backdoors [Government Frontdoors?]

Saturday, January 17th, 2015

Obama backs call for tech backdoors

From the post:

President Obama wants a backdoor to track people’s social media messages.

The president on Friday came to the defense of British Prime Minister David Cameron’s call for tech companies to create holes in their technology to allow the government to track suspected terrorists or criminals.

“Social media and the Internet is the primary way in which these terrorist organizations are communicating,” Obama said during a press conference with Cameron on Friday.

“That’s not different from anybody else, but they’re good at it and when we have the ability to track that in a way that is legal, conforms with due process, rule of law and presents oversight, then that’s a capability that we have to preserve,” he said.

While Obama measured his comments, he voiced support for the views expressed by Cameron and FBI Director James Comey, who have worried about tech companies’ increasing trends towards building digital walls around users’ data that no one but them can access.

Rather than argue about tech backdoors someday, why not have government frontdoors?

ISPs can copy and direct all email traffic to and from .gov addresses to a big inbox on one of the cloud providers. So that the public can keep a closer eye on the activities of “our” government. Think of it as citizen oversight.

Surely no sensitive information about citizens finds its way into government email so we won’t need any filtering.

Petition your elected representatives for a government frontdoor. For federal, state and local governments. As taxpayers we own the accounts. Just like a private employer. The owners of those accounts want access to them.

Now that would be open data that could make a real difference!

I first saw this in a tweet by Violet Blue.

PS: We also need phone records for office and cell phones of all government employees. Signals data I think they call it.

Bulk Collection of Signals Intelligence: Technical Options (2015)

Saturday, January 17th, 2015

Bulk Collection of Signals Intelligence: Technical Options (2015)

Description:

The Bulk Collection of Signals Intelligence: Technical Options study is a result of an activity called for in Presidential Policy Directive 28, issued by President Obama in January 2014, to evaluate U.S. signals intelligence practices. The directive instructed the Office of the Director of National Intelligence (ODNI) to produce a report within one year “assessing the feasibility of creating software that would allow the intelligence community more easily to conduct targeted information acquisition rather than bulk collection.” ODNI asked the National Research Council (NRC) — the operating arm of the National Academy of Sciences and National Academy of Engineering — to conduct a study, which began in June 2014, to assist in preparing a response to the President. Over the ensuing months, a committee of experts appointed by the Research Council produced the report.

Believe it or not, you can’t copy-n-paste from the pre-publication PDF file. Truly irritating.

From the report:

Conclusion 1. There is no software technique that will fully substitute for bulk collection where it is relied on to answer queries about the past after new targets become known.

A key value of bulk collection is its record of past signals intelligence that may be relevant to subsequent investigations. If past events become interesting in the present, because intelligence-gathering priorities change to include detection of new kinds of threats or because of new events such as the discovery that an individual is a terrorist, historical events and the context they provide will be available for analysis only if they were previously collected. (Emphasis in the original)

The report dodges any questions about effectiveness or appropriateness of bulk collection of signals data. However, its number one conclusion provides all the ammunition one needs to establish that bulk signals intelligence gathering is a clear and present danger to the American people and any semblance of a democratic government.

Would deciding that all Muslims from the Middle East represented potential terrorist threats to the United States qualify as a change in intelligence-gathering priorities? So all the bulk signals data from Muslims and their contacts in the United States suddenly becomes fair game for the NSA to investigate?

I don’t think any practicing Muslim is a threat to any government but you saw how quickly the French backslide into bigotry after Charlie Hebdo. Maybe they didn’t have that far to go. Not any further than large segments of the U.S. population.

Our National Research Council is too timid to voice an opinion other than to say that if you don’t preserve signals records you can’t consult them in the future. Whether there is any danger, or whether this is a good policy choice, they aren’t up for those questions.

The focus on signals intelligence makes you wonder how local and state police have operated all these years without bulk signals intelligence. How have they survived without it? Well, for one thing they are out in the communities they serve, not cooped up in cube farms with other people who have no experience with the communities in question. Simply being a member of the community makes them aware of newcomers, changes in local activity, etc.

Traditional law enforcement doesn’t stop crime as a general rule because that would require too much surveillance and resources to be feasible. When a crime has been committed, law enforcement gathers evidence and in a very large (90%+) number of cases, captures the people responsible.

Which is an interesting parallel to the NSA, which has also not stopped any terrorist plots as far as anyone knows. Well, there was that case in the State of Georgia where two aging alcoholics were boasting about producing ricin and driving down I-285 throwing it out the window. The government got a convicted child molester to work as an informant to put those two very dangerous terrorists in jail. And I don’t think the NSA was in on that one anyway.

If the NSA has stopped a major terrorist plot, something that actually was going to be another 9/11, you know it would have been leaked long before now. The absence of such leaks is the best evidence for the lack of any viable terrorist threats in the United States that I can think of.

And what if we stop bulk signals data collection and there is another terrorist attack? So, what is your question? Bulk signals collection hasn’t stopped one so far so if we stop bulk signals collection and there is another terrorist attack, look at all the money we will have saved for the same result. Just as a policy matter, we shouldn’t spend money for no measurable result.

If you really think terrorism is a threat, take the money from bulk signal data collection and fund state and local police hiring, training and paying (long term, not just a grant) more local police officers out in their communities. That will do more to reduce the potential for all types of crimes, including those labeled as terrorism.

To put it another way, bulk signal data collection is a form of wealth sharing, wealth sharing from the public treasury to contractors. Wealth sharing that has been shown to be ineffectual against terrorism. Why continue it?

NSA IOB Dump Finally Complete!

Tuesday, December 30th, 2014

The “Christmas Eve” NSA file dump that you will see reported at NSA Waited Until Christmas Eve To Release Details Of Its Illegal Surveillance On Americans, What you need to know about the NSA document dump, and U.S. Spy Agency Reports Improper Surveillance of Americans, and repeated by various other sources (none of which mentioned that the dump was incomplete), is now complete.

In Merry Christmas From the NSA! Missing Files I reported about 15 missing files; by NSA IOB Report Dump – Still Missing Files that had become 3 missing files; and when I checked today, the NSA file dump is complete. All of these were silent corrections to the file dump.

You will notice that the final three files: 3Q FY10, 3Q FY09, 4Q FY09 are named differently from the other files:

[Image: NSA IOB report listing as of 30 December 2014]

as text:

IOB/FY2010_1Q_IOB_Report.pdf
IOB/FY2010_2Q_IOB_Report.pdf
IOB/3Q_FY2010.pdf
IOB/FY2010_4Q_IOB_Report.pdf

IOB/FY2009_1Q_IOB_Report.pdf
IOB/FY2009_2Q_IOB_Report.pdf
IOB/3Q_FY2009.pdf
IOB/4Q_FY2009.pdf

Data analysis resources should be focused on the 3rd quarter report for 2010 and 3rd quarter and 4th quarter reports for 2009, especially as compared to other materials (Snowden?) for those time frames.

My heuristic being that people don’t delay without a reason. It isn’t necessary to know the reason, just to observe the delay. Could be entirely due to incompetence but if you count:

  1. Christmas Eve as happenstance
  2. Second incomplete dump as coincidence
  3. File renaming issue is three, enemy action.

I have local copies of the files as they exist as of 17:13 on 30 December 2014 and I will be tarring those up for upload to my site later this evening. Please replicate them elsewhere as you see fit.
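If you do replicate the files, it is worth auditing the set you received rather than trusting a count. The following is an added example, not the NSA’s tooling and not from the original post: it recognises both naming conventions shown above, reports which fiscal-year quarters are missing or doubled, and lists the oddly named files (the ones this post and the 27 December post below flag). The listing is constructed from the FY2009 and FY2010 names above plus an invented FY2008 with one quarter removed and a non-report file; the expected fiscal-year range is an argument, since the actual span of the dump is not stated here.

```python
"""Completeness and naming audit for a quarterly report dump such as the NSA IOB
release above. Added example; not the NSA's tooling and not from the original
post. The listing is constructed (FY2009/FY2010 names from the post plus an
invented FY2008); the expected fiscal-year range is a caller-supplied assumption.
"""
import re

# Both conventions seen in the dump: FY2010_1Q_IOB_Report.pdf and 3Q_FY2010.pdf
_STANDARD = re.compile(r"^IOB/FY(\d{4})_([1-4])Q_IOB_Report\.pdf$")
_VARIANT = re.compile(r"^IOB/([1-4])Q_FY(\d{4})\.pdf$")


def classify(path: str):
    """Return ((fiscal_year, quarter), conforms_to_standard_name) or None."""
    m = _STANDARD.match(path)
    if m:
        return (int(m.group(1)), int(m.group(2))), True
    m = _VARIANT.match(path)
    if m:
        return (int(m.group(2)), int(m.group(1))), False
    return None


def audit(paths, first_fy: int, last_fy: int) -> dict:
    """List missing quarters, doubled quarters, oddly named files and unrecognised names."""
    seen = {}
    odd, unknown, duplicates = [], [], []
    for p in paths:
        c = classify(p)
        if c is None:
            unknown.append(p)
            continue
        key, conforms = c
        if key in seen:
            duplicates.append(p)
        else:
            seen[key] = p
        if not conforms:
            odd.append(p)
    expected = {(fy, q) for fy in range(first_fy, last_fy + 1) for q in (1, 2, 3, 4)}
    return {
        "missing": sorted(expected - set(seen)),
        "odd_names": sorted(odd),
        "unknown": unknown,
        "duplicates": duplicates,
        "count": len(seen),
    }


# Constructed listing: the eight FY2009/FY2010 names shown above, an invented
# FY2008 with its 2nd quarter deliberately absent, and a file that is not a report.
SAMPLE_LISTING = [
    "IOB/FY2010_1Q_IOB_Report.pdf", "IOB/FY2010_2Q_IOB_Report.pdf",
    "IOB/3Q_FY2010.pdf", "IOB/FY2010_4Q_IOB_Report.pdf",
    "IOB/FY2009_1Q_IOB_Report.pdf", "IOB/FY2009_2Q_IOB_Report.pdf",
    "IOB/3Q_FY2009.pdf", "IOB/4Q_FY2009.pdf",
    "IOB/FY2008_1Q_IOB_Report.pdf", "IOB/FY2008_3Q_IOB_Report.pdf",
    "IOB/FY2008_4Q_IOB_Report.pdf", "IOB/README.txt",
]


if __name__ == "__main__":
    for name, value in audit(SAMPLE_LISTING, 2008, 2010).items():
        print(f"{name}: {value}")
```

Feed it the output of `find IOB -name '*.pdf'` from your local copy; a name that lands in `unknown` is either a third naming convention to add to the patterns or something that is not a quarterly report, and either way it deserves a look before the tarball is passed on.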

Suggestions on tooling, collaborations, analysis, etc. welcome!

Prying Eyes: Inside the NSA’s War on Internet Security

Sunday, December 28th, 2014

Prying Eyes: Inside the NSA’s War on Internet Security

Summary:

US and British intelligence agencies undertake every effort imaginable to crack all types of encrypted Internet communication. The cloud, it seems, is full of holes. The good news: New Snowden documents show that some forms of encryption still cause problems for the NSA.

A very long and comprehensive article from the SPIEGEL on encryption that may cause issues for the NSA. It is too complete to easily summarize so I suggest you read it in full and then take the following actions:

  • If you are not a cryptographer or child of a cryptographer, donate to one or more of the open source encryption projects you will find in the SPIEGEL article. Monthly if at all possible. Perhaps you can’t write encryption code but you can support those who do.
  • Use and consistently update your encryption technology and support those who work to make encryption easier to use. We need to create a tsunami of highly encrypted data everyday. From phone calls and IMs to emails and documents.
  • Politically resist all laws or regulations that make interception and/or decryption of communications legal and/or easier. You may not think you are committing a crime, but when government officials declare crimes and execute the guilty in private, how do you know?
  • Should you encounter any documents or data that expose government surveillance programs, there are existing examples of what you should do.

Once upon a time, privacy was a matter of the difficulty of tracking down physical copies of public records and asking neighbors what you liked to talk about. Those difficulties no longer exist and the electronic debris of our lives tells more than you might know.

The only privacy you have today is the privacy that you stake out and protect on your own. There are no guarantees that you will be successful in protecting your privacy but I can guarantee you won’t have any privacy if you don’t try.

NSA IOB Report Dump – Still Missing Files

Saturday, December 27th, 2014

In Merry Christmas From the NSA! Missing Files, I reported a blog entry on the Christmas Eve posting of Intelligence Oversight Board reports covering a span of years. On closer inspection, I found a number of second quarter reports were missing.

The very next day, 26 December 2014, another blog post reported on the NSA posting and following the link there, most of the missing files had been supplied by the NSA, with nary a peep about the previously missing files.

Today is 27 December 2014 and the following files continue to be missing:

3Q FY10, 3Q FY09, 4Q FY09

I realize that I am being unreasonable. The NSA posting was only missing 15 files out of 48. The current NSA posting continues to miss 3 files out of 48. The stories got NSA correct, some files were released, and the URL was right. What more could you ask for?

I will have to let you answer that last question for yourselves. I will say something untoward if I continue this post.


I have created a compressed tar ball with all the NSA IOB reports that are currently on the NSA website. Avoiding being on the NSA web logs doesn’t count for much because I am sure they are tracking all web traffic anyway. But, as a sign of annoyance with the NSA, please obtain the incomplete file set here (92 MB approximately).

Merry Christmas From the NSA! Missing Files

Thursday, December 25th, 2014

U.S. Spy Agency Reports Improper Surveillance of Americans by David Lerman.

From the post:

The National Security Agency today released reports on intelligence collection that may have violated the law or U.S. policy over more than a decade, including unauthorized surveillance of Americans’ overseas communications.

The NSA, responding to a Freedom of Information Act lawsuit from the American Civil Liberties Union, released a series of required quarterly and annual reports to the President’s Intelligence Oversight Board that cover the period from the fourth quarter of 2001 to the second quarter of 2013.

The heavily-redacted reports include examples of data on Americans being e-mailed to unauthorized recipients, stored in unsecured computers and retained after it was supposed to be destroyed, according to the documents. They were posted on the NSA’s website at around 1:30 p.m. on Christmas Eve.

I was downloading the NSA reports so I could package them up on my website and GitHub (so you would not have to leave traffic on the NSA web logs) when I discovered that the second quarter reports for every year are missing.

Oh, they show up in the index but the PDF files for the first and second quarters of each year have the same name.

  • /public_info/_files/IOB/FY2013_1Q_IOB_Report.pdf 1Q FY13
  • /public_info/_files/IOB/FY2013_1Q_IOB_Report.pdf 2Q FY13
  • /public_info/_files/IOB/FY2012_1Q_IOB_Report.pdf 1Q FY12
  • /public_info/_files/IOB/FY2012_1Q_IOB_Report.pdf 2Q FY12
  • /public_info/_files/IOB/FY2011_1Q_IOB_Report.pdf 1Q FY11
  • /public_info/_files/IOB/FY2011_1Q_IOB_Report.pdf 2Q FY11
  • /public_info/_files/IOB/FY2010_1Q_IOB_Report.pdf 1Q FY10
  • /public_info/_files/IOB/FY2010_1Q_IOB_Report.pdf 2Q FY10
  • /public_info/_files/IOB/FY2009_1Q_IOB_Report.pdf 1Q FY09
  • /public_info/_files/IOB/FY2009_1Q_IOB_Report.pdf 2Q FY09
  • /public_info/_files/IOB/FY2008_1Q_IOB_Report.pdf 1Q FY08
  • /public_info/_files/IOB/FY2008_1Q_IOB_Report.pdf 2Q FY08
  • /public_info/_files/IOB/FY2007_1Q_IOB_Report.pdf 1Q FY07
  • /public_info/_files/IOB/FY2007_1Q_IOB_Report.pdf 2Q FY07
  • /public_info/_files/IOB/FY2006_1Q_IOB_Report.pdf 1Q FY06
  • /public_info/_files/IOB/FY2006_1Q_IOB_Report.pdf 2Q FY06
  • /public_info/_files/IOB/FY2005_1Q_IOB_Report.pdf 1Q FY05
  • /public_info/_files/IOB/FY2005_1Q_IOB_Report.pdf 2Q FY05
  • /public_info/_files/IOB/FY2004_1Q_IOB_Report.pdf 1Q FY04
  • /public_info/_files/IOB/FY2004_1Q_IOB_Report.pdf 2Q FY04
  • /public_info/_files/IOB/FY2003_1Q_IOB_Report.pdf 1Q FY03
  • /public_info/_files/IOB/FY2003_1Q_IOB_Report.pdf 2Q FY03
  • /public_info/_files/IOB/FY2002_1Q_IOB_Report.pdf 1Q FY02
  • /public_info/_files/IOB/FY2002_1Q_IOB_Report.pdf 2Q FY02

I have personally verified that the files listed above, for each year, are in fact duplicates of each other. This was no simple naming mistake.

This will, of course, make automatic download scripts overwrite files while still reporting that the correct number of files was downloaded.

BTW, the files for 3rd quarter of 2010, 3rd and 4th quarters of 2009, and the 2nd, 3rd and 4th quarters of 2001 are missing as well.

Courts should take judicial notice of the routine pettiness of the NSA when fashioning remedies for failures to disclose. That will leave the NSA no one but themselves to blame for increasingly burdensome disclosures.

I first saw the NSA story in a tweet by Veli-Pekka Kivimäki.


Update: The missing files have been uploaded by the NSA. The last edited date for the files remains unchanged from 23 December 2014.

The next time I notice an error like this, I will capture an image file, digitally sign it and post it to a third party site.

Tomorrow I will grab a copy of the latest version of the files and tar them up so you won’t have to be recorded on the NSA web logs.
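As an added illustration of the two failure modes above (index labels that share one URL, and files that are byte-for-byte copies under different names) and of the hash manifest you would sign before posting a snapshot elsewhere, here is example code that is not from the original post. The index entries and file contents are constructed stand-ins modelled on the naming collision described, not the NSA’s real index or documents.

```python
"""Check a downloaded document set for silently duplicated files.

Two checks: (1) index labels that link to the same path, so a naive
mirror overwrites a file yet still counts it as downloaded; (2) distinct
paths whose contents hash identically. A sorted sha256 manifest is
produced for signing (e.g. with `gpg --clearsign`) and posting elsewhere.
"""
import hashlib
from collections import defaultdict

# Constructed sample index: (label, path) pairs. The 2Q FY13 entry points
# at the 1Q file, as in the collision described in the post.
SAMPLE_INDEX = [
    ("1Q FY13", "/public_info/_files/IOB/FY2013_1Q_IOB_Report.pdf"),
    ("2Q FY13", "/public_info/_files/IOB/FY2013_1Q_IOB_Report.pdf"),
    ("3Q FY13", "/public_info/_files/IOB/FY2013_3Q_IOB_Report.pdf"),
    ("1Q FY12", "/public_info/_files/IOB/FY2012_1Q_IOB_Report.pdf"),
    ("2Q FY12", "/public_info/_files/IOB/FY2012_2Q_IOB_Report.pdf"),
]

# Constructed stand-in for the bytes fetched for each distinct path.
# FY2012 2Q is a byte-for-byte copy of FY2012 1Q under a different name.
SAMPLE_CONTENT = {
    "/public_info/_files/IOB/FY2013_1Q_IOB_Report.pdf": b"%PDF-1.4 fy13 q1 report",
    "/public_info/_files/IOB/FY2013_3Q_IOB_Report.pdf": b"%PDF-1.4 fy13 q3 report",
    "/public_info/_files/IOB/FY2012_1Q_IOB_Report.pdf": b"%PDF-1.4 fy12 q1 report",
    "/public_info/_files/IOB/FY2012_2Q_IOB_Report.pdf": b"%PDF-1.4 fy12 q1 report",
}


def find_shared_paths(index):
    """Return {path: [labels]} for every path that more than one label links to."""
    by_path = defaultdict(list)
    for label, path in index:
        by_path[path].append(label)
    return {p: labels for p, labels in by_path.items() if len(labels) > 1}


def expected_vs_distinct(index):
    """(entries the index promises, distinct files a mirror would actually get)."""
    return len(index), len({path for _, path in index})


def sha256_hex(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def find_duplicate_content(contents):
    """Return {sha256: [paths]} for distinct paths whose bytes are identical."""
    by_hash = defaultdict(list)
    for path, data in contents.items():
        by_hash[sha256_hex(data)].append(path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def build_manifest(contents):
    """Sorted '<sha256>  <path>' lines, the text you would sign and post."""
    return "\n".join(
        f"{sha256_hex(data)}  {path}" for path, data in sorted(contents.items())
    )


if __name__ == "__main__":
    promised, distinct = expected_vs_distinct(SAMPLE_INDEX)
    print(f"index lists {promised} files, a mirror would store {distinct}")
    for path, labels in find_shared_paths(SAMPLE_INDEX).items():
        print("shared path:", path, "<-", ", ".join(labels))
    for digest, paths in find_duplicate_content(SAMPLE_CONTENT).items():
        print("identical bytes:", digest[:12], paths)
    print(build_manifest(SAMPLE_CONTENT))
```

Replace the constructed dictionaries with the real index and the bytes read from disk; the checks and the manifest are unchanged.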

Wall Street Journal Retraction? (Michael V. Hayden)

Thursday, December 11th, 2014

You may have missed NSA Reform That Only ISIS Could Love that appeared in the Wall Street Journal as an opinion piece on November 17, 2014. Less than a month before the release of the executive summary of the Senate Report on CIA Torture.

As a long time reliable source of information to the financial community, the Wall Street Journal should disavow that opinion piece as purposefully mis-leading the very readers it claims to serve.

Why? Consider the excellent summary in Hayden’s testimony vs. the Senate report by the Washington Post that compares Hayden’s recorded testimony to the Senate Select Committee on Intelligence on April 12, 2007, to the written executive summary of the Senate Report on Torture.

There you will find a consistent patterns of lies and deception that make any statements by Michael V. Hayden unworthy of belief. Moreover, since his pattern of lying has not changed over the years, it injects known falsehood into a vital national debate.

To amend for the perpetuation of this liar’s spew, the Wall Street Journal should disavow NSA Reform That Only ISIS Could Love, denounce Michael V. Hayden as a public liar and call for the release of the full and unedited version of the Senate Report on CIA Torture.

While I may not always agree with the Wall Street Journal editorial line, it has always been faithful to the business community that it serves. The WSJ has done a disservice to that community with the Michael V. Hayden opinion piece and should now make amends.


While the Wall Street Journal considers its perpetuation of lies by Michael V. Hayden, other organizations should reconsider their relationships with Michael V. Hayden.

George Mason University, School of Policy, Government and International Affairs, for example, where Michael V. Hayden is a Distinguished Visiting Professor. Unless they are offering a graduate degree in lying to the American public.

Motorola Solutions has Michael V. Hayden on its board of directors. I wonder how the shareholders of Motorola Solutions, which is 312th on the Fortune 500 list for 2014, feel about having a torture concealer and advocate on their board of directors?

Which reminds me, what is the statute of limitations on lying to Congress? All I could find readily was: Statutes of Limitation in Federal Criminal Cases: An Overview by Charles Doyle (2012). The general rule appears to be a five year statute of limitation and since lying to Congress doesn’t appear to have a separate limit, it may be five years. That’s not legal advice! Check with a lawyer before you make statements to Congress and better yet, why not tell the truth?

What does the NSA think of academic cryptographers? Recently-declassified document provides clues

Tuesday, December 9th, 2014

What does the NSA think of academic cryptographers? Recently-declassified document provides clues by Scott Aaronson.

From the post:

Brighten Godfrey was one of my officemates when we were grad students at Berkeley. He’s now a highly-successful computer networking professor at the University of Illinois Urbana-Champaign, where he studies the wonderful question of how we could get the latency of the Internet down to the physical limit imposed by the finiteness of the speed of light. (Right now, we’re away from that limit by a factor of about 50.)

Last week, Brighten brought to my attention a remarkable document: a 1994 issue of CryptoLog, an NSA internal newsletter, which was recently declassified with a few redactions. The most interesting thing in the newsletter is a trip report (pages 12-19 in the newsletter, 15-22 in the PDF file) by an unnamed NSA cryptographer, who attended the 1992 EuroCrypt conference, and who details his opinions on just about every talk. If you’re interested in crypto, you really need to read this thing all the way through, but here’s a small sampling of the zingers:

Are there any leaked copies of more recent issues of CryptoLog?

I ask because of the recent outcry about secure encryption of cell phones by default. The government should not be able to argue both ways, one that non-government cryptography work is valueless and at the same time, deprive the average citizen of some modicum of privacy. Which is it?

I know the FBI wants us to return to physical phone lines and junction boxes so they can use their existing supply of wire tapping gear but that’s just not going to happen. Promise.

New NSA Drone!

Monday, December 1st, 2014

I don’t pay much attention to the musical chairs game in Washington so I wasn’t aware that the NSA acquired a new drone last April. Code name: Adm. Michael Rogers.

Just in case you need a photograph for identification purposes:

Michael Rogers

Doesn’t look like he gets outside very often does it? Being a cryptographer, what else did you expect?

But that makes Rogers a dangerous leader of the NSA.

Consider the latest testimony by Rogers to Congress:

Certain nations are regularly performing electronic “reconnaissance,” Rogers warned, in an effort to be well placed within utility systems in the event that the networks relied on by chemical facilities, water treatment plants and other critical infrastructure components are ordered to be taken offline by a foreign government.

“All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” the NSA chief said.

Leading figures within the American intelligence community and Congress have long warned of potentially catastrophic repercussions if such networks should happen to be penetrated and pulverized by foreign actors with malicious intent, but Rogers’ remarks this week are among the most dire ever from not just an individual well placed within the administration, but a person arguably most qualified to testify as much. (From China & others can cripple US power grid, NSA admits for the first time)

Well, except that water treatment plants and chemical facilities aren’t part of any seamless network. Minor detail I know but just because some contractor wants to protect us from a non-existent threat with cost-plus contracting, isn’t a reason to credit their reports.

If the Admiral wants to obsess about something, how about the regional power stations that are too big to be housed and are subject to attack with one person anti-tank weapons that could take such stations out for months. (Each is a custom build so there aren’t spare parts if oil cooling goes out and critical parts melt into slag.) No Internet or hacking required. And major parts of the United States could go dark for the entire time needed for repairs. Does that sound like a potential threat?

Compare that to the Admiral’s fantasy about cyber defense:

The U.S. Cyber Command has three primary missions, Adm. Rogers said. Along with defending DOD networks, the Cyber Command is “generating the cyber mission force, the men and women who are going to be addressing the department’s cyber needs, from the defensive to the offensive.” Lastly, Rogers said he is preparing the emerging DOD cyber force to defend U.S. critical infrastructure.

DOD’s cyber force has been given the responsibility to defend, for example, critical power and other utility, telecommunications and transportation networks—which he said are vulnerable to attacks from China and “one or two other” countries. He said a major attack was likely in the next decade.

The cyber chief estimated that DOD is about halfway toward its goal of organizing a cyber capability to defend U.S. networks. (From: NSA chief details ‘real’ threats to US networks, infrastructure)

Quick points to remember:

The civilian population comes dead last, assuming a threat exists at all.

Attack is “likely” within the next decade. (Courteous of our adversaries to wait for us to tool up to repel the attack.)

The DOD is halfway towards a cyber capacity to defend non-existent U.S. water, chemical plants, etc., networks?

The advantage of being halfway to defend networks that don’t exist isn’t clear. But, the DOD is also said to be halfway to being subject to auditing. Maybe those programs are on the same track?

All news outlets should be calling BS on testimony such as that by Adm. Rogers. Creating disinformation about security issues distorts the policy process and makes for fat contractors and a poorly served civilian population.

Not to mention making security issue topic maps more laborious to construct by re-weeding out false threats such as those being pandered by Adm. Rogers.

NSA partners with Apache to release open-source data traffic program

Tuesday, November 25th, 2014

NSA partners with Apache to release open-source data traffic program by Steven J. Vaughan-Nichols.

From the post:

Many of you probably think that the National Security Agency (NSA) and open-source software get along like a house on fire. That's to say, flaming destruction. You would be wrong.

[image and link omitted]

In partnership with the Apache Software Foundation, the NSA announced on Tuesday that it is releasing the source code for Niagarafiles (Nifi). The spy agency said that Nifi "automates data flows among multiple computer networks, even when data formats and protocols differ".

Details on how Nifi does this are scant at this point, while the ASF continues to set up the site where Nifi's code will reside.

In a statement, Nifi's lead developer Joseph L Witt said the software "provides a way to prioritize data flows more effectively and get rid of artificial delays in identifying and transmitting critical information".

I don’t doubt the NSA’s efforts at open source software. That says nothing about how closely the code would need to be vetted.

Perhaps encouraging more open source projects from the NSA will eat into the time they have to spend writing malware. 😉

Something to look forward to!

Tor users could be FBI’s main target if legal power grab succeeds

Tuesday, September 23rd, 2014

Tor users could be FBI’s main target if legal power grab succeeds by Lisa Vaas.

From the post:

The US Department of Justice (DOJ) is proposing a power grab that would make it easier for domestic law enforcement to break into computers of people trying to protect their anonymity via Tor or other anonymizing technologies.

That’s according to a law professor and litigator who deals with constitutional issues that arise in espionage, cybersecurity and counterterrorism prosecutions.

Ahmed Ghappour, a visiting professor at UC Hastings College of the Law, San Francisco, explained the potential ramifications of the legal maneuver in a post published last week.

I dislike government surveillance as much as anyone but let’s get the facts about surveillance straight before debating it.

For example, Lisa says:

…make it easier for domestic law enforcement to break into computers of people trying to protect their anonymity via Tor… (emphasis added)

Certainly gets your attention but I’m with Bill Clinton, it depends on what you mean by “easier.”

If you mean “easier,” as in breaking Tor or other technologies, in a word: NO.

If you mean “easier,” as in issuance of search warrants, YES.

The “…power grab….” concerns re-wording of Rule 41 Search and Seizure of the Federal Rules of Criminal Procedure (Herein, Rule 41.).

Section (b) of Rule 41 sets out who can issue a search and seizure warrant and just as importantly, where the person or evidence can be located. The present rules of section (b) can be summarized as:

  1. Person or property located within a district
  2. Person or property outside a district, if located within the district when issued but might move before execution of the warrant
  3. Person or property within or outside a district (terrorism)
  4. Person or property to be tracked within, without a district or both
  5. Person or property located outside a district or state but within (A) US territory, possession, or commonwealth; (diplomatic/consular locations)

(There are other nuances I have omitted in order to focus on location of the person and property to be seized.)

Rule 41 (b) defines where the person or property to be seized may be located.

With that background, consider the proposed amendment to Rule 41:

(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside the district if:

(A) the district where the media or information is located has been concealed through technological means; or

(B) in an investigation of a violation of 18 U.S.C. Sec. 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.

The issue is whether the same terms of present Rule 41 (b) (3) in terrorism cases should be expanded to other cases where the location of “media or information…has been concealed through technological means.”

Professor Ahmed Ghappour, in Justice Department Proposal Would Massively Expand FBI Extraterritorial Surveillance is concerned that searches for electronic media at unknown locations will of necessity result in searches of computers located in foreign jurisdictions. No doubt that is the case because to “not know the location of media or information” means just that, you don’t know. Could be on a domestic computer or a foreign one. Unless and until you find the “media or information,” its location will remain unknown.

In the interest of cooperation with foreign law enforcement and some lingering notion of “jurisdiction” of a court being tied to physical boundaries (true historically speaking), Professor Ghappour would resist expanding the same jurisdiction in Rule 41 (b)(3) to non-terrorism crimes under proposed Rule 41 (b)(6)(A).

The essence of the “unknown server location” argument is that United States courts can issue search warrants, if the government can identify the location of a target server, subject to the other provisions of Rule 41. But since Tor prevents discovery of a server location, ipso facto, no search warrant.

To be fair to the government, a physical notion of jurisdiction for search and seizure warrants, as embodied in Rule 41, is a historical artifact and not essential to the Fourth Amendment for U.S. citizens:

The rights of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated; and no Warrants shall issue but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The government’s often flat-footed response to technology is a common topic of conversation. Here an attempt by government to adapt to modern computer network reality is said to be too far and too fast.

Despite my sympathies being with the hare and not the hounds, I don’t think the law should foster an evidentiary shell game based upon antiquated notions of physical jurisdiction. (Leaving it to the government to procure the information it seeks without assistance from innocent bystanders. See Note 1)


Note 1: I don’t see this as contrary to my position in Resisting Tyranny – Customer-Centric-Cloud (CCCl). The issue there was a subpoena to Microsoft for data held in a foreign server. I think Cloud operators have a fiduciary duty to their customers that is prior and superior to the claims of any particular court. If the FBI can obtain the information on such servers with a warrant, on its own, then it should do so. But courts should not be able to press gang others to assist in local law enforcement activities.

Note 2: You may want to review the Advisory Committee on Criminal Rules, New Orleans, April 7-8, 2014 for background materials on the proposed change to Rule 41. Review the Annotated Constitution chapter on Search and Seizure for Fourth Amendment issues.

Note 3: If you are looking for an amusing example for parsing, try 18 U.S.C. Sec. 1030. Far clearer than any part of the Internal Revenue Code or its regulations but still complicated enough to be amusing.

NPR + CIA = Credible Disinformation

Tuesday, August 12th, 2014

NPR Is Laundering CIA Talking Points to Make You Scared of NSA Reporting by Glenn Greenwald and Andrew Fishman.

From the post:

On August 1, NPR’s Morning Edition broadcast a story by NPR national security reporter Dina Temple-Raston touting explosive claims from what she called “a tech firm based in Cambridge, Massachusetts.” That firm, Recorded Future, worked together with “a cyber expert, Mario Vuksan, the CEO of ReversingLabs,” to produce a new report that purported to vindicate the repeated accusation from U.S. officials that “revelations from former NSA contract worker Edward Snowden harmed national security and allowed terrorists to develop their own countermeasures.”

The “big data firm,” reported NPR, says that it now “has tangible evidence” proving the government’s accusations. Temple-Raston’s four-minute, 12-second story devoted the first 3 minutes and 20 seconds to uncritically repeating the report’s key conclusion that “just months after the Snowden documents were released, al-Qaeda dramatically changed the way its operatives interacted online” and, post-Snowden, “al-Qaeda didn’t just tinker at the edges of its seven-year-old encryption software; it overhauled it.” The only skepticism in the NPR report was relegated to 44 seconds at the end when she quoted security expert Bruce Schneier, who questioned the causal relationship between the Snowden disclosures and the new terrorist encryption programs, as well as the efficacy of the new encryption.

The day after that NPR report, I posted Hire Al-Qaeda Programmers, which pointed out the technical absurdity of the claims made in the NPR story: that three different organizations re-wrote security software within three to five months following the Snowden leaks, contrary to all experience with software projects.

Greenwald follows the money to reveal that Recorded Future and ReversingLabs are both deeply in the pockets of the CIA, and exposes other issues and problems with both the Recorded Future “report” and the NPR story on the same.

We can debate why Dina Temple-Raston didn’t do a fuller investigation, express more skepticism, or ask sharper questions.

But the question that interests me is this one: Why report the story at all?

Just because Recorded Future, the CIA, or even the White House releases claims about Edward Snowden and national security isn’t a reason to repeat them. Even if they are repeated with critical analysis or following the money trail as did Greenwald.

Even superficial investigation would have revealed the only “tangible evidence” in the possession of Recorded Future is the paper on which it printed its own speculations. That should have been the end of the story.

If the story was broken by other outlets, then the NPR story is “XYZ taken in by a false story….”

Instead, we have NPR lending its credibility to a government and agencies who have virtually none at all. We are served “credible” disinformation because of its source, NPR.

The average listener isn’t going to remember the companies involved or most of the substance of the story. What they are going to remember is that they heard NPR report that Snowden’s leaks harmed national security.

Makes me wonder what other inadequately investigated stories NPR is broadcasting.

You?

PS: You could say that Temple-Raston just “forgot” or overlooked the connections Greenwald reports. Or another reporter, confronted with a similar lie, may not know of the connections. How would you avoid a similar outcome in the future?

Deploying Dionaea…

Monday, July 21st, 2014

Deploying Dionaea on a Raspberry Pi using MHN

A guide, complete with screenshots, to installing Dionaea on a Raspberry Pi.

MHN = Modern Honey Network.

With enough honeypots, do you think a “crowd” could capture most malware within days of its appearance?

I guess the NSA needs to run a honeypot inside its network firewalls. 😉

I first saw this in a tweet by Jason Trost.

Government-Grade Stealth Malware…

Saturday, July 19th, 2014

Government-Grade Stealth Malware In Hands Of Criminals by Sara Peters.

From the post:

Malware originally developed for government espionage is now in use by criminals, who are bolting it onto their rootkits and ransomware.

The malware, dubbed Gyges, was first discovered in March by Sentinel Labs, which just released an intelligence report outlining their findings. From the report: “Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.”

Sentinel was able to detect Gyges with on-device heuristic sensors, but many intrusion prevention systems would miss it. The report states that Gyges’ evasion techniques are “significantly more sophisticated” than the payloads attached. It includes anti-detection, anti-tampering, anti-debugging, and anti-reverse-engineering capabilities.

The figure I keep hearing quoted is that cybersecurity attackers are ten years ahead of cybersecurity defenders.

Is that what you hear?

Whatever the actual gap, what makes me curious is why the gap exists at all? I assume the attackers and defenders are on par as far as intelligence, programming skills, financial support, etc., so what is the difference that accounts for the gap?

I don’t have the answer or even a suspicion of a suggestion but suspect someone else does.

Pointers anyone?