Bruce Schneier Speculates On NSA Double Laundering Information It Obtains Via Network Infiltration
from the double-reverse-parallel-construction dept
Bruce Schneier has a worth-reading post about the latest reports on the NSA infiltrating the network connections for Google and Yahoo's datacenter, making a number of good points about that story. We'll discuss a few of the points, but I wanted to focus in on this one first:In light of this, PRISM is really just insurance: a way for the NSA to get legal cover for information it already has. My guess is that the NSA collects the vast majority of its data surreptitiously, using programs such as these. Then, when it has to share the information with the FBI or other organizations, it gets it again through a more public program like PRISM.While it's just speculation, there is some reason to suggest it might be the case, and that would show just how far the NSA goes in some cases. After all, until June, PRISM itself was a secret. Yet, now, it's possible that the secret PRISM program was really just a way to put a legal-looking coat of paint on far more invasive activities. After all, it's already been revealed that the NSA and others make use of what they call "parallel construction" to "refind" evidence that they found through means they don't want to be challenged in court. As we said, this is just a way of laundering illegally obtained evidence. If Schneier's suspicion is right, then the NSA was actually probably happy that PRISM info came out first, since it does have at least some claims to being legal under Section 702.
But, if he's correct, it would mean that the NSA has secretly backdoored its way into networks, sucking up pretty much everything -- and then when it finds something useful, it will then use Section 702 under the FAA and the FISA Court to come up with some reasoning why that same info should be "collected" via either PRISM or the upstream telco traps, and then it can do more with it. This might not be true, but layering secret programs on top of secret programs to hide how the info was actually obtained would be something.
Other key points from Schneier are that we cannot assume it was just Google and Yahoo infiltrated this way. It's likely that others have been as well, just under different programs. And, more importantly, this demonstrates how legislative change to fix these things likely won't be enough. If you block the NSA from getting the data from door number 1, they're already in doors numbered 2, 3, 4, 5 and 6. Not only does there need to be a full independent investigation of everything the NSA is doing, but we need to build much more secure systems at the same time.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: bruce schneier, infiltration, nsa, nsa surveillance, prism
Reader Comments
Subscribe: RSS
View by: Time | Thread
I sincerely hope the very same corporations that will lose major sales will now turn to using the same lobbying tactics they use for 'ip' protection to put major pressure on the gov't to eliminate these programs.
[ link to this | view in chronology ]
Gotta figure
[ link to this | view in chronology ]
[ link to this | view in chronology ]
What we really need is legislation that prevents the NSA from bullying companies, and installing spyware on citizen's celphones.
NSA couldn't break Google's SSL ciphersuit. So the NSA attacked it's unencrypted WLAN network instead.
If the NSA can't break encrypted messages coming from your cellphone. Then they'll infect your cellphone with spyware, and read the messages after they've been decrypted by your phone.
We need cellphones without proprietary backdoors built into the firmware and GSM/LTE modem drivers. That's the only way to stop the NSA from abusing the power it holds.
Power sponsored wholly by our tax money. You wanna know why we're 16 trillion dollars in debt? Look no farther than the 1 million square feet Datacenter in Utah.
Using our money to build spy centers, to be used against us! Plus handing hundreds of millions of tax dollars over to GCHQ and who knows who else. Probably Israel.
[ link to this | view in chronology ]
Re:
They introduced weaknesses in SSL so none of that is safe either. But they don't need it at all since the companies just hand it over to them (or face a DOJ inquisition).
[ link to this | view in chronology ]
Pretty weak argument, since it's known that NSA isn't actually effective.
"...the NSA was actually probably happy that PRISM info came out first..." -- Oh, so you DO believe is a limited hangout psyop?
[ link to this | view in chronology ]
Re: Pretty weak argument, since it's known that NSA isn't actually effective.
[ link to this | view in chronology ]
Evidence in one form or another just keeps coming about just how rabid the NSA has become. Problem with it is, the public is just getting the vanilla version. Each time there is a new revelation, you keep having to adjust your sense of how deep the rabbit hole goes. Since we're only getting minor pieces and the NSA is scared to death someone is going to do something about it, it really makes you wonder what they are afraid might be revealed next. None of it bodes well for the average citizen when it's government runs on hyped up paranoia.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: how deep the rabbit hole goes
[ link to this | view in chronology ]
Re:
In the UK we're already there!
http://actnowtraining.wordpress.com/2012/06/18/to-ripa-or-not-to-ripa-changes-to-council-surve illance-powers/
[ link to this | view in chronology ]
Game Over
Max Keiser explaining derivatives as a financial weapon:
You swap assets in a bank in a foreign country that are collateral that you can use to build a sound economy with exploding financial derivatives that take down the country.
Wikipedia cites this as a use for derivatives:
Derivatives can be used either for risk management (i.e. to "hedge" by providing offsetting compensation in case of an undesired event, a kind of "insurance") or for speculation (i.e. making a financial "bet"). This distinction is important because the former is a prudent aspect of operations and financial management for many firms across many industries; the latter offers managers and investors a risky opportunity to increase profit, which may not be properly disclosed to stakeholders.
It is the last part where the NSA comes in handy. By knowing things your opponents don't know, you can greatly increase the odds of winning a bet.
This goes a long way explaining why the NSA wants to keep this so secret. It's about money, not terror. Once too many people find out the NSA is essentially a bet rigging device, it can no longer be used for such purposes. No one will want to play ball with us. The game will be over.
[ link to this | view in chronology ]
Re: Game Over
[ link to this | view in chronology ]
NSA
[ link to this | view in chronology ]
Lavabit
You could go back and decode all previous traffic (they keep encrypted US traffic) and all future traffic anyway. Using their other taps.
There's another point aswell. Google make great play of how low the PRISM numbers are, for Lavabit that number would be 1 request about 1 account, yet the way it was done it was 1 request about all accounts past and present and future.
And a final point, if they tapped Google, their keys and other security info, might have been sent across that internal network and thus compromised too.
[ link to this | view in chronology ]
The same
The only limit then was their imagination, seems nothing has changed.
[ link to this | view in chronology ]
Anyone else??
Are we through the 'bottom of the barrel' at this point?
Is it really necessary to "make shit up" as opposed to reporting on known facts.
Once you degenerate to speculation you give up chance of being taken seriously. (not that that appears to be an issue here).
Mr Masnick you must have posted this with the full knowledge that your disciples will take this as honest truth and not as a speculative opinion that it actually is.
We also know that in future you will link back to this article and an indication of the truth of some future piece.
[ link to this | view in chronology ]
Re: Anyone else??
Deduction is not the same as making shit up
Schneier deduced that PRISM was used to pull stuff they already had in a more legal way. Given the new leaks that seems likely.
It's always worth re-examining everything we know in the light of each new leak.
For example, NSA can tap a phone based on an analysts opinion:
http://news.cnet.com/8301-13578_3-57589495-38/nsa-spying-flap-extends-to-contents-of-u.s-pho ne-calls/
Now of course we had Merkels phone tap, we can examine what authority is needed for that and whether the same authority covers anyone, even US citizens.
You see how it works?
[ link to this | view in chronology ]
Re: Re: Anyone else??
http://www.theguardian.com/uk-news/2013/nov/01/gchq-europe-spy-agencies-mass-surveillance- snowden
So NSA using the PRISM program to legalize stuff it got anyway through the hacking of Google(done offshore on the basis that the FISA court didn't have jurisdiction and so the FISA ruling could be ignored). That seems like the same thing, finding some way around oversight and pesky laws.
[ link to this | view in chronology ]
Re: Re: Anyone else??
[ link to this | view in chronology ]
Re: Re: Re: Anyone else??
[ link to this | view in chronology ]
Re: Re: Re: Anyone else??
[ link to this | view in chronology ]
Re: Anyone else??
What I find far more disturbing is this repeated insistence, even among NSA's critics, that there is somehow still something 'legal' about all of this. I.e.:
'it does have at least some claims to being legal under Section 702.'
There is nothing legal about anything the NSA has done and is doing. Stop furthering this lie. It's a lie and everybody knows it. There is nothing more violating of the 4th amendment than this. Ever. No, the discussion about whether or not something can be 'legal' without being constitutional is a non-discussion too. Stop it.
[ link to this | view in chronology ]
Re: Anyone else??
Have a solar panel-powered DMCA vote, darryl, and shove that up your broken little ass.
[ link to this | view in chronology ]
Re: Anyone else??
Because insulting the intelligence of your audience really helps you make your case.
[ link to this | view in chronology ]
Bear in mind...
But don't let the fool you. While he obvious always words his thoughts carefully unless he has in-your-face presentable hard proof of something, he is actually one of the few people who had direct access to selected parts of the leaked documents.
He may be assuming and speculating, but all over the glogosphere he is probably the man with the very best positions to hit very close to home with his theorys.
[ link to this | view in chronology ]
Schneier How is it he leads the most important debate on democracy?
The public should question the real motives of Eric Snowden and Bruce Schneier as well as NSA
By Richard H.L. Marshall, former Director of Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security (DHS) and
André Brisson, founder Whitenoise Laboratories Canada Inc.
Washington D.C. USA, Geneva, Switzerland and Vancouver, BC Canada – Almost daily, Mr. Bruce Schneier has generated incessant buzz about privacy and the National Security Agency (NSA) on his blog. From the sheer volume of his self-proclaimed insight and that of his sycophants, he would have us believe, like Chicken Little, that the sky is falling.
It appears that one of the sources of Mr. Schneier’s information are documents leaked by E.Snowden, fugitive American living in Russia and former contractor with Booz Allen Hamilton, and Glenn Greenwald, a journalist who worked with Mr. Snowden. Mr. Schneier’s intentions clearly have nothing to do with his convictions about privacy, as much as business and profit motives. It must be emphasized that blogs are not journalism: they are marketing tools specifically designed to try to sell a product, not to get to the truth.
Weeks of research regarding Mr. Schneier’s claims have highlighted one of the most frustrating problems with the internet age. Because virtually anyone lacking serious journalistic credentials can, and often does, write or post freely on any subject, the resulting sheer volume of information available may lead people to believe that the reporting is even-handed and well-researched. Unfortunately, in many circumstances nothing can be farther from the truth.
We are currently wrestling with the wrongly defined issue of Privacy versus Security. Rather we should be asking ourselves how we balance Privacy AND Security. They are not mutually exclusive.
Balancing privacy and security is one of the most pressing issues of our age, with far-reaching impact on democracy. It is also ever changing and evolving in real time, in response to terrorists, criminals, and dangerous malcontents. Because the very information analyzed and evaluated may result in policy, it absolutely demands that such information be subject to the highest and most stringent scrutiny and as such, deserves to be evaluated and vetted by verified experts, politicians, business leaders, and citizens with proven track records of integrity, honesty, and true concern for the public interest. It should not be done by those with a history of practicing self-interest over privacy and security.
For many weeks, it has been noted that volumes of proselytizing and dissemination of “opinion-as-fact” come from unverified information through Mr. Schneier’s self-promoting blog, other blogs and various online sites, such as gamer’s sites, of unknown, dubious reputation and/or expertise in the critical areas of cryptography and privacy and not from reputable publications as The New York Times or The Washington Post.
Mr. Schneier decries the NSA and mandated law enforcement agencies empowered by our laws. Yet, Mr. Schneier’s track record shows, significantly, that at least twice over the last decade he has turned a blind eye to workable security (but he complains about privacy.) He has actively engaged in disparaging workable security and communications for his own benefit, and most callously, withheld this information from both his readers and his current employers.
As citizens and through our elected officials, we empower politicians with the creation of agencies and tools that are designed to protect us from the aforementioned threats. The system is not perfect, and must be updated and adjusted as times, technology and threats change. But we are all endangered if these various public servants are hobbled and cannot do their job. This is why Bruce Schneier’s style of journalism and lack of scientific integrity is dangerous.
The primary cause for drifting a bit from original mandates of our law enforcement and defense agencies is a product of rapidly changing technology, the sheer volume of communications, and the exploding threats environment. These agencies have been pressured to react faster than policy can adapt. Part of the answer lies in using the improved security technology we have available to combat the fatal flaws of public key and asymmetric network systems and the algorithms that are currently used to encrypt our data. The other part lies in following the existing FISA protocols currently in place and improving them as need dictates to insure that telecommunication providers, law enforcement and intelligence agencies interface with the LAW and follow the spirit of our constitution as intended.
In conclusion, as we best try to answer the most pressing question of our day, “How do we balance between Privacy and Security?” we believe that a key element of serving our democracies is the judicious evaluation of information written by true journalists using properly researched and sourced information and publishing them in reputable publications without hidden agendas. The collective conversation should not ping pong between extreme positions but rather recognize that privacy and security are both demanded by the constitution. With new technologies and considered thinking, privacy and security can be balanced and achieved easily and inexpensively.
Learn more about Bruce Schneier’s current track record through “The Challenge That Black Hat Would Not Take but DEFCON Did” at: http://wnlabs.com/news/challengeDEFCON.php and http://wnlabs.com/news/Schneier_Challenge_Clock.php.
Learn more about Bruce Schneier’s past track record at: http://www.wnlabs.com/WhitenoiseSecurityChallenge/ and The History of Whitenoise Can't Be Broken
For more information contact Richard H.L. Marshall at E-Mail: rmarshall@wnlabs.com
or visit: www.wnlabs.com
Mr. Marshall previously was a member of the Senior Cryptologic Executive Service (SCES) and the Defense Intelligence Senior Executive Service (DISES). He was the Director of Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security (DHS) by special arrangement between the Director, National Security Agency (DIRNSA) and the Secretary of DHS. Within DHS he directed the National Cyber Security Education Strategy, the Software Assurance, the Research and Standards Integration, and Supply Chain Risk Management programs. He was previously the Senior Information Assurance (IA) Representative, Office of Legislative Affairs at the National Security Agency (NSA) where he served as the Agency's point of contact for all NSA Information Security (INFOSEC) matters concerning Congress. He devised the IA legislative strategy, helped shape the passage of the revised Foreign Intelligence Surveillance Act and was a key contributor to the Bush and Obama administration's Comprehensive National Cyber Security Initiative (CNCI).
André Brisson conceived Whitenoise and founded Whitenoise Laboratories Canada Inc. (WNL) to exploit revolutionary and patented security technology. He was listed by the White House Office of Science and Technology Policy and the first US National Cyber Leap Year Summit as belonging in the top 100 cyber security and cryptography experts.
[ link to this | view in chronology ]
Re: Schneier How is it he leads the most important debate on democracy?
[ link to this | view in chronology ]
Re: Schneier How is it he leads the most important debate on democracy?
The correct question would be something more like "how can we best achieve security without sacrificing privacy?", and/or "how much security can we achieve without sacrificing privacy?".
When security is done right, this is true.
However, doing security right (i.e. in a way which does not compromise privacy) is much harder than doing it in a way which does compromise privacy - and so unless there is heavy, constant pressure put on those trying to provide security, they will always tend to sacrifice privacy in the name of security.
Phrasing the issue in terms of a "balance" leads to questions like "How much privacy should we give up for security?", which is a false equivalency; giving up privacy does not always (or even necessarily often) lead to security, and it is possible - as you note - to achieve reasonable, meaningful security without compromising privacy.
[ link to this | view in chronology ]