Category Archives: NSA

The U.S. government: Paying to undermine internet security, not to fix it

By Julia Angwin, ProPublica, April 15, 2014

The Heartbleed computer security bug is many things: a catastrophic tech failure, an open invitation to criminal hackers and yet another reason to upgrade our passwords on dozens of websites. But more than anything else, Heartbleed reveals our neglect of Internet security.

The United States spends more than $50 billion a year on spying and intelligence, while the folks who build important defense software — in this case a program called OpenSSL that ensures that your connection to a website is encrypted — are four core programmers, only one of whom calls it a full-time job.

In a typical year, the foundation that supports OpenSSL receives just $2,000 in donations. The programmers have to rely on consulting gigs to pay for their work. “There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work,” says Steve Marquess, who raises money for the project.

Is it any wonder that this Heartbleed bug slipped through the cracks?



It’s time to encrypt the entire internet

Wired reports: The Heartbleed bug crushed our faith in the secure web, but a world without the encryption software that Heartbleed exploited would be even worse. In fact, it’s time for the web to take a good hard look at a new idea: encryption everywhere.

Most major websites use either the SSL or TLS protocol to protect your password or credit card information as it travels between your browser and their servers. Whenever you see that a site is using HTTPS, as opposed to HTTP, you know that SSL/TLS is being used. But only a few sites — like Facebook and Gmail — actually use HTTPS to protect all of their traffic as opposed to just passwords and payment details.

Many security experts — including Google’s in-house search guru, Matt Cutts — think it’s time to bring this style of encryption to the entire web. That means secure connections to everything from your bank site to Wired.com to the online menu at your local pizza parlor.

Cutts runs Google’s web spam team. He helps the company tweak its search engine algorithms to prioritize certain sites over others. For example, the search engine prioritizes sites that load quickly, and penalizes sites that copy — or “scrape” — text from others.

If Cutts had his way, Google would prioritize sites that use HTTPS over those that don’t, he told blogger Barry Schwartz at a conference earlier this year. The change, if it were ever implemented, would likely spur an HTTPS stampede as web sites competed for better search rankings.


Did Snowden just make a visa-renewal application directly to Putin live on Russian TV?

Mashable reports: In what could be best described as a bizarre PR stunt, Edward Snowden made a surprise appearance on live TV to ask Russian President Vladimir Putin whether he spies on his citizens.

Snowden, who has received asylum in Russia, appeared during Putin’s annual call-in show on Russian TV on Thursday, during which Putin answered questions from the public. It’s unclear whether Snowden’s appearance was staged, but his question gave Putin a chance to poke at his favorite target: the United States.

“Does Russia store, intercept, or analyze, in any way, the communications of millions of individuals, and do you believe that simply increasing the effectiveness of intelligence or law enforcement investigations can justify a place in societies rather than subjects under surveillance?” Snowden asked Putin (see the full exchange in the video embedded below).

“Mr. Snowden, you are a former agent, a spy. I used to work for the intelligence service, we are going to talk one professional language,” Putin said, according to translation by state-run TV channel Russia Today. “We don’t have as much money as they have in the States and we don’t have these technical devices that they have in the States. Our special services, thank God, are strictly controlled by society and the law and regulated by the law.”

Russia clearly has means to “respond” to terrorists and criminals who use technology, Putin added, but doesn’t have “uncontrollable efforts like [in America].”

What Putin didn’t say, however, is that Russia actually boasts one of the most sophisticated surveillance systems in the world, described by some as “PRISM on steroids.” This system, known as SORM, practically gives the Federal Security Service (FSB) direct access to Internet servers and telecommunications providers, allowing the government to eavesdrop on all online and phone communications that go through their networks.

No doubt Edward Snowden’s most loyal supporters will find ways of putting a positive spin on his TV performance, but neither of the two most obvious ways in which it can be interpreted casts him in a favorable light.

If Snowden thought that he was promoting political freedom inside Russia by giving Putin the opportunity to assert, unchallenged, his commitment to the protection of privacy, then Snowden’s naivety is staggering.

If on the other hand, Snowden was “invited” to ask his question with the understanding or expectation that this would result in some kind of quid pro quo — such as increasing the chance of him being offered permanent asylum — then he just demonstrated his willingness to function as a propaganda tool supporting Putin’s agenda.

Suppose the same question had been posed to Putin by the TV host. It would have merited no attention whatsoever. Of course Putin is going to cast his own security services as squeaky clean when the questioner has neither the opportunity, the means, nor the motive to challenge the Russian president’s response.

There’s no question that Snowden’s appearance was a PR stunt. The question is: who instigated it?


Behind closed doors, Google and Facebook are fighting efforts to stop NSA spying

Vice reports: Revelations about the National Security Agency’s most controversial surveillance program, which centers on the bulk collection of hundreds of billions of records of Americans’ phone conversations, were quickly greeted with calls for reform by major internet powerhouses like Facebook, Google, Microsoft, and Yahoo last year. But all four companies, along with dozens of other major tech firms, are actively opposing an initiative to prevent NSA spying known as the Fourth Amendment Protection Act, leaning on secretive industry lobbying groups while they profess outrage in official statements.

Virtually immediate public condemnation of government spying put the industry in an uncomfortable position when the Snowden leaks began pouring out in June 2013, and in carefully written responses to news reports claiming that they’d cooperated with the now notorious PRISM apparatus, these tech companies emphasized their compliance with existing laws that require them to hand over user data under certain conditions.

“When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if [it] is required by law,” Mark Zuckerberg, the CEO of Facebook, wrote in a blog post last June. “We will continue fighting aggressively to keep your information safe and secure.”

Statements like this suggest Zuckerberg and his industry peers would support legislative efforts to rein in surveillance, and it’s true that they’ve called for reform in letters to the Senate Judiciary Committee applauding a bill known as the USA Freedom Act. Google, Facebook, and six other tech giants have even hired a firm that claims to fight NSA surveillance on their behalf.

The real action, however, has been much subtler, with the industry wielding its influence behind closed doors using two lobbying groups to oppose certain restrictions on internet surveillance: the IT Alliance for Public Sector (ITAPS) and the State Privacy and Security Coalition (SPSC). A look at the actions of these two groups suggests that the companies want reform, sure, but only on terms that don’t affect their day-to-day business.

In particular, VICE has uncovered that ITAPS and SPSC have sent letters to politicians lobbying against the Fourth Amendment Protection Act, a wide-sweeping bill that would limit the NSA’s ability to read private electronic communications without a warrant.


NSA pretends it can increase national security while diminishing internet security

The New York Times reports: Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.

But elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.


New evidence that the NSA poses a major threat to global security

When it comes to intelligence officials, past or present, it seems much safer to assume that they are not acting in national interests than to assume otherwise. It doesn’t matter which nation or which agency, the business of intelligence is deception.

There is an inherent conflict between the declared need of such agencies to operate in secrecy and the need to provide those operations with the oversight they require in order to prevent the abuse of power.

After the latest revelations about the CIA’s torture programs and NSA operations which undermine the security of the internet, are we not already far past the point where it must be faced that the U.S. intelligence community has systemic flaws? These should not just be patched over. It’s time to ask fundamental questions about the function of the intelligence agencies.

Bloomberg reports: The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. and Juniper Networks Inc. to provide patches for their systems.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

Update — DNI states: NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.

The problem for the DNI, NSA, CIA, and the rest of the intelligence community is that they can’t restore trust simply by issuing statements or through cosmetic reform. It’s no good saying “we wouldn’t do something like that” when we already know they already have.


Edward Snowden: U.S. government spied on human rights workers

The Guardian reports: The US has spied on the staff of prominent human rights organisations, Edward Snowden has told the Council of Europe in Strasbourg, Europe’s top human rights body.

Giving evidence via a videolink from Moscow, Snowden said the National Security Agency – for which he worked as a contractor – had deliberately snooped on bodies like Amnesty International and Human Rights Watch.

He told council members: “The NSA has specifically targeted either leaders or staff members in a number of civil and non-governmental organisations … including domestically within the borders of the United States.” Snowden did not reveal which groups the NSA had bugged.

The assembly asked Snowden if the US spied on the “highly sensitive and confidential communications” of major rights bodies such as Amnesty and Human Rights Watch, as well as on similar smaller regional and national groups. He replied: “The answer is, without question, yes. Absolutely.”


NSA infiltrated RSA security more deeply than thought

Reuters reports: Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency’s ability to eavesdrop on some Internet communications, according to a team of academic researchers.

Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw – or “back door” – that allowed the NSA to crack the encryption.

A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software’s vulnerability.

The professors found that the tool, known as the “Extended Random” extension for secure websites, could help crack a version of RSA’s Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters.


NSA revelations ‘changing how businesses store sensitive data’

The Guardian reports: The vast scale of online surveillance revealed by Edward Snowden is changing how businesses store commercially sensitive data, with potentially dramatic consequences for the future of the internet, according to a new study.

A survey of 1,000 business leaders from around the world has found that many are questioning their reliance on “cloud computing” in favour of more secure forms of data storage as the whistleblower’s revelations continue to reverberate.

The moves by businesses mirror efforts by individual countries, such as Brazil and Germany, which are encouraging regional online traffic to be routed locally rather than through the US, in a move that could have a big impact on US technology companies such as Facebook and Google.


GCHQ and NSA targeted private German companies

Der Spiegel reports: Documents show that Britain’s GCHQ intelligence service infiltrated German Internet firms and America’s NSA obtained a court order to spy on Germany and collected information about the chancellor in a special database. Is it time for the country to open a formal espionage investigation?

The headquarters of Stellar, a company based in the town of Hürth near Cologne, are visible from a distance. Seventy-five white antennas dominate the landscape. The biggest are 16 meters (52 feet) tall and kept in place by steel anchors. It is an impressive sight and serves as a popular backdrop for scenes in TV shows, including the German action series “Cobra 11.”

Stellar operates a satellite ground station in Hürth, a so-called “teleport.” Its services are used by companies and institutions; Stellar’s customers include Internet providers, telecommunications companies and even a few governments. “The world is our market,” is the high-tech company’s slogan.

Using their ground stations and leased capacities from satellites, firms like Stellar — or competitors like Cetel in the nearby village of Ruppichteroth or IABG, which is headquartered in Ottobrunn near Munich — can provide Internet and telephone services in even the most remote areas. They provide communications links to places like oil drilling platforms, diamond mines, refugee camps and foreign outposts of multinational corporations and international organizations.

Super high-speed Internet connections are required at the ground stations in Germany in order to ensure the highest levels of service possible. Most are connected to major European Internet backbones that offer particularly high bandwidth.

The service they offer isn’t just attractive to customers who want to improve their connectivity. It is also of interest to Britain’s GCHQ intelligence service, which has targeted the German companies. Top secret documents from the archive of NSA whistleblower Edward Snowden viewed by SPIEGEL show that the British spies surveilled employees of several German companies, and have also infiltrated their networks.


No NSA reform can fix the American Islamophobic surveillance complex

Arun Kundnani writes: Better oversight of the sprawling American national security apparatus may finally be coming: President Obama and the House Intelligence Committee unveiled plans this week to reduce bulk collection of telephone records. The debate opened up by Edward Snowden’s whistle-blowing is about to get even more legalistic than all the parsing of hops and stores and metadata.

These reforms may be reassuring, if sketchy. But for those living in so-called “suspect communities” – Muslim Americans, left-wing campaigners, “radical” journalists – the days of living on the receiving end of excessive spying won’t end there.

How come when we talk about spying we don’t talk about the lives of ordinary people being spied upon? While we have been rightly outraged at the government’s warehousing of troves of data, we have been less interested in the consequences of mass surveillance for those most affected by it – such as Muslim Americans.


Beware the surveillance reform Trojan horse: what’s not in the new NSA laws?

Trevor Timm writes: This week was undoubtedly a turning point in the NSA debate. Edward Snowden said it himself on Monday, as some of the NSA’s most ardent defenders, including the House Intelligence Committee and the White House, suddenly released similar proposals endorsing the end of the NSA’s bulk collection of phone records as we know it.

Stopping the government from holding onto all Americans’ phone metadata would undoubtedly be a good thing for American privacy, but if you read between the legislative lines, the government might not be curtailing mass surveillance so much as permanently entrenching it in American law.

Rep Justin Amash, one of the NSA’s leading critics in the House, said of the Intelligence Committee bill: “It doesn’t end bulk collection but actually puts more Americans in danger of having their constitutionally protected rights violated.” While the Obama plan is undoubtedly more promising, with court requests and much more, Jameel Jaffer of the American Civil Liberties Union has several important questions about the proposal that need to be answered before anyone will really be able to judge. And the Cato Institute’s Julian Sanchez detailed why neither of these proposals are as good as the USA Freedom Act, which may now be getting boxed out.


NSA lackeys hijack House reform bill

The Guardian reports: Congressional critics of the bulk collection of telephone records by the National Security Agency fear that its allies are circumventing them in the House of Representatives.

The House parliamentarian, who oversees procedural matters, has determined that a new bill that substantially modifies the seminal 1978 Foreign Intelligence Surveillance Act will go through the intelligence committee rather than the judiciary committee, a move that two congressional aides consider “highly unusual.”

Seemingly an arcane parliamentary issue, the jurisdiction question reveals a subterranean and intense fight within the House about the future course of US surveillance in the post-Edward Snowden era. The fight does not align with partisan divides, with both sides claiming both Republican and Democratic support.

The bill, authored by Republican Mike Rogers of Michigan and Democrat Dutch Ruppersberger of Maryland, would largely get the NSA out of the business of collecting US phone data in bulk. Rogers and Ruppersberger, both staunch advocates of the NSA and until now just as staunch defenders of bulk collection, are the leaders of the intelligence committee.

Yet the House judiciary committee thought it was the natural choice for primary legislative jurisdiction over the Fisa Transparency and Modernization Act, introduced on Tuesday. While the intelligence committee oversees US spy activities, the judiciary committee has oversight responsibilities over surveillance law.

The Associated Press adds: Cyber security experts are questioning whether President Barack Obama can make good on his assurance that U.S. intelligence agencies aren’t spying on “ordinary folks.”

That promise is especially dubious, experts say, in instances where Americans are communicating with U.S. citizens living abroad and other people overseas.

“It’s very clear there are enormous loopholes,” said Jonathan Mayer, a cybersecurity fellow at Stanford University’s Center for International Security and Cooperation, who is reverse engineering the NSA surveillance program to learn how much collection — if taken to extremes — is legally possible. “Their rules, combined with their capabilities, cut against the classical protections built into our legal system.”


How Dick Cheney remade our world

Mark Danner writes: Almost exactly a decade ago, Vice President Dick Cheney greeted President George W. Bush one morning in the Oval Office with the news that his administration was about to implode. Or not quite: Cheney let the president know that something was deeply wrong, though it would take Bush two more days of increasingly surprising revelations, and the near mass resignation of his senior Justice Department and law enforcement officials, to figure out exactly what it was. “On the morning of March 10, 2004,” as the former president recounts the story in his memoirs,

Dick Cheney and Andy Card greeted me with a startling announcement: The Terrorist Surveillance Program would expire at the end of the day.

“How can it possibly end?” I asked. “It’s vital to protecting the country.”

The Terrorist Surveillance Program, then known to the handful who were aware of it only as “the Program” or by its code name, “Stellar Wind,” was a highly secret National Security Agency effort — eventually revealed by The New York Times in December 2005 and then in much greater detail by former NSA contractor Edward Snowden last June. Among other things, Stellar Wind empowered the agency to assemble a vast collection of “metadata,” including on the telephone calls and e-mails of millions of Americans, that its analysts could search and “mine” for information.

Though the program would appear on its face to violate the Fourth Amendment and the Foreign Intelligence Surveillance Act of 1978, President Bush had approved it three weeks after the September 11 attacks, securing the signature of Attorney General John Ashcroft after the fact. To remain in force the program had to be recertified by the president and the attorney general every forty-five days.

And now, two and a half years later, Cheney and White House chief of staff Andrew Card told Bush, Justice Department lawyers “had raised a legal objection to one component of the program.” Unless that “component” — apparently, the sweeping up of Internet metadata — was eliminated or modified, they told the president, the lawyers would refuse to certify that the program was legal.


Obama needs to end laws of the spies, by the spies and for the spies

Jameel Jaffer writes: To anyone who criticized the National Security Agency’s phone-records dragnet over the last nine months or so, the American intelligence community had this stock response: all three branches of government signed off on it.

The intelligence community was right, at least in a sense, but what it presented as a defense of the surveillance program was actually an indictment of our oversight system. What it presented as a defense of the program was actually a scandal.

In today’s New York Times, Charlie Savage reports that the administration has come to the belated realization that its intelligence interests can be accommodated without placing hundreds of millions of people under permanent surveillance. This is to the good, of course. But if the administration is right that the dragnet was unnecessary, we should ask how all three branches of government got it so wrong.

The answer, in a word, is secrecy. When intelligence officials proposed the dragnet, there was no one on the other side to explain that the government’s goals could be achieved with less-intrusive means. There was no one there to mention that the law the government was invoking couldn’t lawfully be used to collect call-records. There was no one there to mention that the bulk collection of call records was unconstitutional.


After reports on NSA, China urges end to spying

The New York Times reports: The Chinese government called on the United States on Monday to explain its actions and halt the practice of cyberespionage after news reports said that the National Security Agency had hacked its way into the computer systems of China’s largest telecommunications company.

The reports, based on documents provided by the former security contractor Edward J. Snowden, related how the spy agency penetrated servers owned by the company, Huawei, and monitored communications by its senior executives in an effort to discover whether the executives had links to the Chinese military. The operation also sought to exploit the company’s technology and gain access to the communications of customers who use Huawei cellphones, fiber optic cables and network hubs.

American officials have been working to block Huawei from entering the American telecommunications market because of concerns that its equipment could provide Chinese hackers with a “back door” for stealing American corporate and government secrets.


The House’s NSA bill could allow more spying than ever. You call this reform?

Trevor Timm writes: The White House and the House Intelligence Committee leaked dueling proposals last night that are supposedly aimed at ending the mass collection of all Americans’ phone records. But the devil is in the details, and when it comes to the National Security Agency’s unique ability to twist and distort the English language, the devil tends to wrap his horns around every word.

The House proposal, to be unveiled this morning by Reps Mike Rogers and Dutch Ruppersberger, is the more worrying of the two. Rogers has been the NSA’s most ardent defender in Congress and has a long history of distorting the truth and practicing outright fabrication, whether in touting his committee’s alleged “oversight” or by way of his attempts to impugn the motives of the once again vindicated whistleblower who started this whole reform debate, former NSA contractor Edward Snowden.

As a general rule, whenever Mike Rogers (not to be confused with incoming NSA director Michael Rogers) claims a bill does something particular – like, say, protect your privacy – it’s actually a fairly safe assumption that the opposite will end up true. His new bill seems to have the goal of trading government bulk collection for even more NSA power to search Americans’ data while it sits in the hands of the phone companies.


Obama just opened the door for Snowden’s immunity

Michael Maiello writes: Today, Charlie Savage at The New York Times reports that the Obama administration will propose the end of the NSA’s bulk data collection program, replacing it with a more targeted, more thoroughly court supervised alternative. It is an imperfect solution for those who suspect that the FISA court is too eager to grant such requests but Marc Rotenberg, executive director of the Electronic Privacy Information Center, told the paper that this was “a sensible outcome.”

As we are a good way through Obama’s second term as president, I think it’s more than fair to say that we would not be here, at the cusp of sensibility, without the actions of Edward J. Snowden, the former NSA contractor who now lives in Russia under the protection of Vladimir Putin. Snowden took and released an uncounted number of sensitive documents from his employers and is responsible for disclosing the breadth and scope of the NSA’s global telecommunications surveillance program. Had the details of this program remained rumor and whisper as they were for the bulk of Obama’s tenure, it’s a fair bet that nothing would be changing now.
