Pretty Much Anyone With Any Understanding Of Crypto Tells President Obama That Backdooring Crypto Is Monumentally Stupid

from the basic-understanding dept

Nearly 150 tech companies (including us via the Copia Institute), non-profits and computer security experts have all teamed up to send a letter to President Obama telling him to stop these stupid ideas about backdooring encryption that keeping coming out of his administration. The press headlines will note that big companies -- like Google, Apple, Cisco, Microsoft, Twitter and Facebook -- are signing the letter. But significantly more interesting is the signatures from a huge list of computer security experts, all putting their names down on paper to make it clear what a ridiculously bad idea it is to even think about backdooring encryption. Among those signing on are Phil Zimmermann (who lived through this sort of thing before), Whitfield Diffie (guy who invented public key cryptography), Brian Behlendorf, Ron Rivest, Peter Neumann, Gene Spafford, Bruce Schneier, Matt Blaze, Richard Clarke (long-time counterterrorism guy in the White House), Hal Abelson and many, many more. Basically a who's who of people who actually know what they're talking about.

We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.

Strong encryption is the cornerstone of the modern information economy’s security. Encryption protects billions of people every day against countless threats—be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.

Encryption thereby protects us from innumerable criminal and national security threats. This protection would be undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them “front doors” or “back doors”, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.

There's much more in the full letter which I highly recommend reading. It very nicely summarizes why this is a completely insane idea, and highlights why anyone raising it should be immediately told to move on to some other project instead:

The Administration faces a critical choice: will it adopt policies that foster a global digital ecosystem that is more secure, or less? That choice may well define the future of the Internet in the 21st century. When faced with a similar choice at the end of the last century, during the so-called “Crypto Wars”, U.S. policymakers weighed many of the same concerns and arguments that have been raised in the current debate, and correctly concluded that the serious costs of undermining encryption technology outweighed the purported benefits. So too did the President’s Review Group on Intelligence and Communications Technologies, who unanimously recommended in their December 2013 report that the US Government should “(1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.”

The Washington Post quotes another surprising signatory: Paul Rosenzweig, the former Deputy Assistant Secretary for Policy at Homeland Security. If that name sounds familiar, it's because we've quoted his defense of the NSA, once arguing that "too much transparency defeats the very purpose of democracy." If even he is arguing against backdooring encryption, you know it's an idea that should be killed off. In his case, it's because he recognizes the simple reality that seems to have eluded the FBI director:

The signatories include policy experts who normally side with national-security hawks. Paul Rosenzweig, a former Bush administration senior policy official at the Department of Homeland Security, said: “If I actually thought there was a way to build a U.S.-government-only backdoor, then I might be persuaded. But that’s just not reality.”

That's just not reality. And neither should be any policy effort that involves pushing for more backdoors in encryption. It's bad economic policy. It's bad security policy. It's bad crypto policy. It's bad privacy policy. It's just bad policy all around.

And the world would be much better off if all of these security experts and companies could focus on better protecting us from harm, rather than having to join in ridiculous debates about what a bunch of clueless bureaucrats think might be some sort of mythical magic unicorn encryption breaker.

Filed Under: 4th amendment, backdoors, bruce schneier, crypto, encryption, paul rosenzweig, phil zimmermann, privacy, richard clarke, ron rivest, security, vulnerabilitities, whitfield diffie
Companies: apple, cisco, facebook, google, microsoft, twitter

NSA Director: If I Say 'Legal Framework' Enough, Will It Convince You Security People To Shut Up About Our Plan To Backdoor Encryption?

from the wanna-try-that-again dept

Admiral Mike Rogers, the NSA Director, has barely been on the job for a year, and so far he'd mostly avoided making the same kinds of absolutely ridiculous statements that his predecessor General Keith Alexander was known for. Rogers had, at the very least, appeared slightly more thoughtful in his discussions about the surveillance state and his own role in it. However, Rogers ran into a bit of trouble at New America's big cybersecurity event on Monday -- in that there were actual cybersecurity folks in the audience and they weren't accepting any of Rogers' bullshit answers. The most notable exchange was clearly between Rogers and Alex Stamos, Yahoo's chief security officer, and a well known privacy/cybersecurity advocate.

Alex Stamos (AS): “Thank you, Admiral. My name is Alex Stamos, I’m the CISO for Yahoo!. … So it sounds like you agree with Director Comey that we should be building defects into the encryption in our products so that the US government can decrypt…

Mike Rogers (MR): That would be your characterization. [laughing]

AS: No, I think Bruce Schneier and Ed Felton and all of the best public cryptographers in the world would agree that you can’t really build backdoors in crypto. That it’s like drilling a hole in the windshield.

MR: I’ve got a lot of world-class cryptographers at the National Security Agency.

AS: I’ve talked to some of those folks and some of them agree too, but…

MR: Oh, we agree that we don’t accept each others’ premise. [laughing]

AS: We’ll agree to disagree on that. So, if we’re going to build defects/backdoors or golden master keys for the US government, do you believe we should do so — we have about 1.3 billion users around the world — should we do for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give backdoors to?

MR: So, I’m not gonna… I mean, the way you framed the question isn’t designed to elicit a response.

AS: Well, do you believe we should build backdoors for other countries?

MR: My position is — hey look, I think that we’re lying that this isn’t technically feasible. Now, it needs to be done within a framework. I’m the first to acknowledge that. You don’t want the FBI and you don’t want the NSA unilaterally deciding, so, what are we going to access and what are we not going to access? That shouldn’t be for us. I just believe that this is achievable. We’ll have to work our way through it. And I’m the first to acknowledge there are international implications. I think we can work our way through this.

AS: So you do believe then, that we should build those for other countries if they pass laws?

MR: I think we can work our way through this.

AS: I’m sure the Chinese and Russians are going to have the same opinion.

MR: I said I think we can work through this.

AS: Okay, nice to meet you. Thanks.

[laughter]

MR: Thank you for asking the question. I mean, there are going to be some areas where we’re going to have different perspectives. That doesn’t bother me at all. One of the reasons why, quite frankly, I believe in doing things like this is that when I do that, I say, “Look, there are no restrictions on questions. You can ask me anything.” Because we have got to be willing as a nation to have a dialogue. This simplistic characterization of one-side-is-good and one-side-is-bad is a terrible place for us to be as a nation. We have got to come to grips with some really hard, fundamental questions. I’m watching risk and threat do this, while trust has done that. No matter what your view on the issue is, or issues, my only counter would be that that’s a terrible place for us to be as a country. We’ve got to figure out how we’re going to change that.

[Moderator Jim Sciutto]: For the less technologically knowledgeable, which would describe only me in this room today, just so we’re clear: You’re saying it’s your position that in encryption programs, there should be a backdoor to allow, within a legal framework approved by the Congress or some civilian body, the ability to go in a backdoor?

MR: So “backdoor” is not the context I would use. When I hear the phrase “backdoor,” I think, “well, this is kind of shady. Why would you want to go in the backdoor? It would be very public.” Again, my view is: We can create a legal framework for how we do this. It isn’t something we have to hide, per se. You don’t want us unilaterally making that decision, but I think we can do this.

As you read it, you realize that Rogers keeps thinking that if he says "legal framework" enough times, he can pretend he's not really talking about undermining encryption entirely. Well known cybersecurity guy Bruce Schneier pushed back, pointing out that:

It’s not the legal framework that’s hard, it’s the technical framework. That’s why it’s all or nothing.

No matter what anyone said, however, Rogers appears to keep going back to the "legal framework" well, over and over again, as if that magic phrase would change magical thinking into reality:

“If these are the paths that criminals, foreign actors, terrorist are going to use to communicate, how do we access that?” he asked, citing the need for a “formalized process” to break through encrypted technology.

Rogers pointed toward cooperation between tech companies and law enforcement to combat child pornography. “We have shown in other areas that through both technology, a legal framework, and social compact that we have been able to take on tough issues. I think we can do the same thing here.”

Yes, but that's very different, even as anyone looking to rip apart important privacy and free speech tools loves to shout "child porn," the examples are not even remotely comparable. And no one's looking to backdoor everything just to get at people passing around child porn. But the larger point stands. Rogers seems to think that there is a magic bullet/golden key that will magically only let the good guys through if only the tech industry is willing to work with him on this.

“You don’t want the FBI and you don’t want the NSA unilaterally deciding what” is permissible, Mr. Rogers said.

Except that presumes that if only the surveillance community and the tech industry got together they could come up with such a safe system, and as everyone else is telling him, that's impossible. And for a guy who is supposed to be running an agency that understand cryptography better than anyone else, that's really troubling:

Filed Under: admiral mike rogers, alex stamos, bruce schneier, encryption, fbi, legal framework, mobile encryption, nsa, privacy, security

Snowden And Schneier Point Out Another Reason Not To Undermine Internet Security: Information Asymmetry

from the all-using-the-same-stuff dept

Neither Edward Snowden nor Bruce Schneier needs any introduction around here. So Techdirt readers won't require much encouragement to watch an interview of the former by the latter, conducted last week at the Harvard Data Privacy Symposium. It is frustrating that Snowden emphasizes at the start that he won't be revealing anything new, because he believes it's for journalists, not him, to decide what is in the public interest, and when it can be released. That said, the whole interview is well-worth watching to enjoy the interplay of two people who are experts in the field of security, although in very different ways.

Towards the end, they discuss an issue that hasn't received much scrutiny so far: the relationship between offensive and defensive operations by intelligence services, and between surveillance and security. Here's what Schneier says, around the 50-minute mark:

The NSA has to balance two different focuses: defend our networks, and attack their networks. Those missions made a lot more sense during the Cold War, when you could defend the US radios and attack the Soviet radios, because the radios were different. It was us and them, and we used different stuff. What's changed since then is that we're all using the same stuff: everyone uses TCP/IP, Microsoft Word, Firefox, Windows computers, Cisco routers.

Whenever you have a technique to attack their stuff, you are necessarily leaving our stuff vulnerable. Conversely, whenever you fix our stuff, you are fixing their stuff. This requires a different way of thinking about security versus surveillance, a different way of balancing, that we can't simultaneously do both. And when we look at all the attack tools out there, the vulnerabilities are great but every time we hoard a zero day, hoard a vulnerability, we are leaving ourselves open to attack from anybody.

Snowden builds on that remark, referring to the recent revelation in Der Spiegel that the US has been spying successfully on North Korea's computers for years:

We have compromised their networks, according to the NSA documentation, since 2010. We have been hacking North Korea successfully, and yet it didn't provide us a lot of detail, it didn't provide us a lot of information. We missed missile launches, we missed nuclear tests, we missed leadership changes, we missed health issues, we missed military drills. And we even missed the Sony attacks that they launched, even though we were eating their lunch over and over, over the course of years. But then they hack us once, just one time, with Sony, and everyone in the nation is rending their garments and going: 'this is terrible, they're attacking our basic values,' because it was so much more valuable to them to win once, than it it was for us to win thousands of times.

That asymmetry is why it makes no sense to put or leave vulnerabilities in that "same stuff," as Schneier calls it. Leaving aside any self-interested desire by intelligence agencies to score points by breaking into systems elsewhere using backdoors, the West has far more to gain from well-wrought online security, and strong encryption, than it has to lose.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: bruce schneier, ed snowden, information asymmetry, surveillance

Rep. Grayson Asks If Keith Alexander Is Selling Classified Information To Get $1 Million Per Month

from the because-what-else-are-people-buying? dept

We recently noted that former NSA boss Keith Alexander is running around asking for $600k to $1 million per month for his new "cybersecurity" consulting firm. While some people thought that the number was "low" for banks, that doesn't make any sense. You could hire a lot of really good actual security professionals for that kind of cash. So it made us wonder just what banks thought they were getting for that $1 million. Actual security professional Bruce Schneier wondered that as well, and wondered aloud if the one difference was that... Alexander could give them classified info -- such as where he hid the backdoors in their routers.

That statement apparently caught the attention of Rep. Alan Grayson, who has been a vocal opponent of NSA overreach. He's now sent a letter to the Financial Service Rountable to point out that selling classified info is a crime:

Security expert Bruce Schneier noted that this fee for Alexander's services is on its face unreasonable. "Think of how much actual security they could buy with that $600k a month. Unless he's giving them classified information." Schneier also quoted Recode.net, which headlined this news as: "For another million, I'll show you the back door we put in your router."

This arrangement with Mr. Alexander may also include additional work with the shadow regulatory firm The Promontory Group, with whom Alexander apparently will partner "on cybersecurity matters." According to Promontory spokesman Chris Winans, Mr. Alexander "and a firm he's forming will work on the technical aspects of these issues, and we on the risk-management compliance and governance elements."

Disclosing or misusing classified information for profit is, as Mr. Alexander well knows, a felony. I question how Mr. Alexander can provide any of the services he is offering unless he discloses or misuses classified information, including extremely sensitive sources and methods. Without the classified information that he acquired in his former position, he literally would have nothing to offer to you.

Grayson also demands "all information related to your negotiations with Mr. Alexander, so that Congress can verify whether or not he is selling military or cybersecurity secrets to the financial services industry for personal gain. Sure, it's a snarky move, but there is a point behind it. Alexander can't command those sums because of his actual technical expertise. The reality, of course, is that he's selling his connections to the government. But it certainly raises the question of appearances.

Filed Under: alan grayson, backdoors, bruce schneier, cybersecurity, keith alexander, nsa, surveillance

Schneier: Snowden's Leaks Have Actually Made It Easier To Crack Terrorists' Encrypted Messages

from the time-for-a-medal? dept

One of the commonest accusations flung at Edward Snowden is that by revealing the massive scale of the NSA's global surveillance, he has tipped off terrorists that they are being watched all the time, and thus caused them to move to stronger encryption to protect their secrets. An article in Recorded Future would seem to support that claim:

Following the June 2013 Edward Snowden leaks we observe an increased pace of innovation, specifically new competing jihadist platforms and three (3) major new encryption tools from three (3) different organizations -- GIMF, Al-Fajr Technical Committee, and ISIS -- within a three to five-month time frame of the leaks.

And yet security expert Bruce Schneier not only doesn't think that's a problem, he believes Snowden has made it easier to break the encrypted communications of terrorists:

I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight. Last fall, Matt Blaze said to me that he thought that the Snowden documents will usher in a new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising. My guess is that this an example of that.

That's a great point. For obvious reasons, terrorists won't be able to draw on the knowledge and skills of the global crypto community when they create a new "home-brew" encryption program to replace an existing tool they fear may be compromised. Instead, they will be forced to depend on a limited circle of experts, who are likely to miss subtle or even not-so-subtle flaws in the new code. It's a good demonstration of how the open, collaborative approach that produces the best encryption tools makes it very hard to subvert the process for malicious purposes.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: bruce schneier, ed snowden, encryption, nsa, surveillance

Of Trust, The NSA, And Poisoning The Banquet

from the nobody-but-us dept

Two of the sharpest commentators on the implications of Snowden's leaks are the security expert Bruce Schneier, and the science fiction writer Charlie Stross. By an intriguing coincidence, both have recently written highly-readable columns that not only discuss the same issue -- the damage the NSA has wrought on the Internet -- but even employ the same key metaphor. In his "Internet Subversion," Schneier writes:

What we trusted was that the technologies would stand or fall on their own merits.

We now know that trust was misplaced. Through cooperation, bribery, threats, and compulsion, the NSA -- and the United Kingdom's GCHQ -- forced companies to weaken the security of their products and services, then lie about it to their customers.

His metaphor for what this has produced is striking:

This mistrust is poison.

He points out the terrible consequences of that weakened security:

There is a term in the NSA: "nobus," short for "nobody but us." The NSA believes it can subvert security in such a way that only it can take advantage of that subversion. But that is hubris. There is no way to determine if or when someone else will discover a vulnerability. These subverted systems become part of our infrastructure; the harms to everyone, once the flaws are discovered, far outweigh the benefits to the NSA while they are secret.

In his own piece, "The Snowden leaks; a meta-narrative," Stross picks up on that theme, and emphasizes one particularly important implication:

At every step in the development of the public internet the NSA systematically lobbied for weaker security, to enhance their own information-gathering capabilities. The trouble is, the success of the internet protocols created a networking monoculture that the NSA themselves came to rely on for their internal infrastructure. The same security holes that the NSA relied on to gain access to your (or Osama bin Laden's) email allowed gangsters to steal passwords and login credentials and credit card numbers. And ultimately these same baked-in security holes allowed Edward Snowden -- who, let us remember, is merely one guy: a talented system administrator and programmer, but no Clark Kent -- to rampage through their internal information systems.

Stross then turns to the same metaphor that Schneier employed:

The moral of the story is clear: be very cautious about poisoning the banquet you serve your guests, lest you end up accidentally ingesting it yourself.

These two posts on the same topic are part of a growing awareness that the harm caused by spy agencies subverting key elements of the Internet is not only a much more serious problem than many people realize, but a long-term one that will be very hard to fix. It looks like we'll be forced to swallow the NSA's poison for a while yet.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: bruce schneier, charlie stross, infrastructure, nsa, poison, surveillance, trust

Congressional Reps Ask Bruce Schneier To Explain To Them What The NSA Is Doing, Because The NSA Won't Tell Them

from the look-at-that dept

This is both depressing and good news at the same time. A group of Congressional Representatives (who are among the most critical of the NSA) apparently asked Bruce Schneier to come brief them on what the NSA is doing because the NSA won't tell them:

This morning I spent an hour in a closed room with six Members of Congress: Rep. Logfren, Rep. Sensenbrenner, Rep. Scott, Rep. Goodlate, Rep Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn't forthcoming about their activities, and they wanted me -- as someone with access to the Snowden documents -- to explain to them what the NSA was doing. Of course I'm not going to give details on the meeting, except to say that it was candid and interesting. And that it's extremely freaky that Congress has such a difficult time getting information out of the NSA that they have to ask me. I really want oversight to work better in this country.

There's really not much more to be said about that, other than it shows what a complete joke it is for anyone to claim that Congress has real oversight over the NSA. It's great that these Reps would reach out to someone with qualifications like Schneier to have this kind of conversation. It's depressing that such a thing was necessary.

Filed Under: bob goodlatte, bruce schneier, congress, jim sensenbrenner, justin amash, nsa, oversight, security, surveillance, zoe lofgren

Former DHS/NSA Official Attacks Bruce Schneier With Bizarre, Factually Incorrect, Non-sensical Rant

from the anyone-can-publish-on-cnn dept

Over the years, at times, I've seen people criticize Bruce Schneier for perhaps getting more publicity than other security researchers, but it's rare to see people question his knowledge. The complaints often appear to stem more out of jealousy than anything else. But, I've never seen anything quite as ridiculous as this "CNN iReport" by Richard Marshall and Andre Brisson, which appears to be a blatant hatchet job attack on Schneier that is at times incomprehensible, at times factually incorrect and bizarre throughout. Marshall is a former NSA and DHS "cybersecurity" expert, but he's now the CEO of "Whitenoise Labs," (something not mentioned in the article). Brisson is the founder of Whitenoise Labs, and appears to have a beef with Schneier going back at least a decade if not more. Brisson and Marshall appear to not be particularly adept at explaining themselves, so the history is not clearly laid out anywhere. The short hand, as far as I can tell, is that Brisson thinks he's discovered some magic elixir security solution, which Schneier mocked way back in 2003. Brisson now feels that the security community gives him no respect and even Defcon ignores his pleas to present his own brilliance.

Last year, Brisson appears to have hired Marshall, and the two of them see this as an opportunity to attack Schneier. It looks like there are two main points to the article: (1) they don't like Bruce Schneier (2) they want you to know about their own solution, which even they admit Schneier dismissed as "snake oil." But here's the bizarre part. Even though it's clear that they're just trying to promote their own thing, pretty much the whole point of their article is that you shouldn't trust Bruce Schneier because he blogs and he's only trying to promote his own business. I'm not joking.

It appears that one of the sources of Mr. Schneier’s information are documents leaked by E.Snowden, fugitive American living in Russia and former contractor with Booz Allen Hamilton, and Glenn Greenwald, a journalist who worked with Mr. Snowden. Mr. Schneier’s intentions clearly have nothing to do with his convictions about privacy, as much as business and profit motives. It must be emphasized that blogs are not journalism: they are marketing tools specifically designed to try to sell a product, not to get to the truth.

Where to start? First off, it does not "appear" that one of the sources is Snowden, it is confirmed fact. Also, Greenwald did not "work with" Snowden. Greenwald is a journalist and Snowden was a source. Since then, the Guardian, whom Greenwald worked for, also brought on Schneier to help understand some of the Snowden documents. This is all public knowledge. Second, while Schneier does blog quite a bit, he's also been regularly published in all sorts of news publications that have significant editorial staffs, including The Guardian, the Atlantic, Harvard Business Review, Wired and more.

The suggestion that he's just some random blogger is obviously false, and pretty much everyone knows that. Furthermore, Schneier's experience in the field is pretty damn well documented. His own firm, Counterpane, was acquired years ago by British Telecom and Schneier has obviously done tremendous work in the world of computer security for many, many years.

Weeks of research regarding Mr. Schneier’s claims have highlighted one of the most frustrating problems with the internet age. Because virtually anyone lacking serious journalistic credentials can, and often does, write or post freely on any subject, the resulting sheer volume of information available may lead people to believe that the reporting is even-handed and well-researched. Unfortunately, in many circumstances nothing can be farther from the truth.

Weeks? As noted: Brisson's feud with Schneier appears to go back a decade. And it took me all of about 3 minutes to find all those well known publications that Schneier writes for. Brisson and Marshall (two people!) couldn't find them in weeks? Also, I'm beginning to wonder if the above paragraph actually refers to the article by Brisson and Marshall a lot more than anything Schneier has ever done.

Because the very information analyzed and evaluated may result in policy, it absolutely demands that such information be subject to the highest and most stringent scrutiny and as such, deserves to be evaluated and vetted by verified experts, politicians, business leaders, and citizens with proven track records of integrity, honesty, and true concern for the public interest. It should not be done by those with a history of practicing self-interest over privacy and security.

Again, this is coming from people whose main purpose with this article appears to be promoting their own mocked security solution, and who regularly run silly promotional "contests" and "countdown clocks" designed to focus on their own self-interest.

For many weeks, it has been noted that volumes of proselytizing and dissemination of “opinion-as-fact” come from unverified information through Mr. Schneier’s self-promoting blog, other blogs and various online sites, such as gamer’s sites, of unknown, dubious reputation and/or expertise in the critical areas of cryptography and privacy and not from reputable publications as The New York Times or The Washington Post.

I'll let that sink in for a bit. Notice, of course, that they leave out "The Guardian" and "The Atlantic" -- two publications that Schneier does write for, with reputations that are at least on par with the two publications named. Also, it appears to leave out that both the Washington Post and the NY Times have been publishing stories quite similar to Schneier's, and both have (at least some of) the same documents from Snowden, which these two guys mocked Schneier for using as his source.

Mr. Schneier decries the NSA and mandated law enforcement agencies empowered by our laws. Yet, Mr. Schneier’s track record shows, significantly, that at least twice over the last decade he has turned a blind eye to workable security (but he complains about privacy.)

This bold claim is not supported anywhere in the article. It likely refers to Schneier ignoring or mocking their own "solution."

The article goes on to make some half-baked suggestions about how to deal with the NSA surveillance issues that suggest they don't even understand what's going on. Their solution? "using the improved security technology we have available to combat the fatal flaws of public key" technology -- which of course is what their firm has been pushing on the world for years, and which ignores the fact that the evidence so far from Snowden has shown that public key encryption, when done right, still works pretty damn well.

Reading the article, it's laughable. Nearly all of the attacks on Schneier are more accurately directed at the authors of that article. If the DHS and the NSA are looking to attack Schneier, they should at least try to find former execs who can write comprehensibly, and who didn't go off to work for a foreign "security" company with dubious credentials.

Filed Under: andre brisson, blogs, bruce schneier, cybersecurity, dhs, ed snowden, encryption, nsa, reporting, richard marshall, security
Companies: whitenoise labs

Bruce Schneier Speculates On NSA Double Laundering Information It Obtains Via Network Infiltration

from the double-reverse-parallel-construction dept

Bruce Schneier has a worth-reading post about the latest reports on the NSA infiltrating the network connections for Google and Yahoo's datacenter, making a number of good points about that story. We'll discuss a few of the points, but I wanted to focus in on this one first:

In light of this, PRISM is really just insurance: a way for the NSA to get legal cover for information it already has. My guess is that the NSA collects the vast majority of its data surreptitiously, using programs such as these. Then, when it has to share the information with the FBI or other organizations, it gets it again through a more public program like PRISM.

While it's just speculation, there is some reason to suggest it might be the case, and that would show just how far the NSA goes in some cases. After all, until June, PRISM itself was a secret. Yet, now, it's possible that the secret PRISM program was really just a way to put a legal-looking coat of paint on far more invasive activities. After all, it's already been revealed that the NSA and others make use of what they call "parallel construction" to "refind" evidence that they found through means they don't want to be challenged in court. As we said, this is just a way of laundering illegally obtained evidence. If Schneier's suspicion is right, then the NSA was actually probably happy that PRISM info came out first, since it does have at least some claims to being legal under Section 702.

But, if he's correct, it would mean that the NSA has secretly backdoored its way into networks, sucking up pretty much everything -- and then when it finds something useful, it will then use Section 702 under the FAA and the FISA Court to come up with some reasoning why that same info should be "collected" via either PRISM or the upstream telco traps, and then it can do more with it. This might not be true, but layering secret programs on top of secret programs to hide how the info was actually obtained would be something.

Other key points from Schneier are that we cannot assume it was just Google and Yahoo infiltrated this way. It's likely that others have been as well, just under different programs. And, more importantly, this demonstrates how legislative change to fix these things likely won't be enough. If you block the NSA from getting the data from door number 1, they're already in doors numbered 2, 3, 4, 5 and 6. Not only does there need to be a full independent investigation of everything the NSA is doing, but we need to build much more secure systems at the same time.

Filed Under: bruce schneier, infiltration, nsa, nsa surveillance, prism

Bruce Schneier On The Feudal Internet And How To Fight It

from the what-went-wrong? dept

There aren't many upsides to Snowden's revelations that NSA is essentially spying on the entire Internet, all the time, but if one good thing has already come out of that sorry state of affairs it's the emergence of security expert Bruce Schneier as a mainstream commentator on the digital world. That's largely because his core expertise has been shoved into the very center of our concerns, making his thoughts on what's going on particularly valuable.

One fruitful theme that he has been developing recently is the idea of feudal computing (I imagine it could well turn out to be the subject of his next book.) Schneier first wrote about this even before the NSA story broke, back in November last year. He then revisited the idea shortly after the first Snowden story appeared, and has now returned to the theme again, in what is perhaps his best essay on the subject so far. It's called "Power in the Age of the Feudal Internet," and explores some of the implications of our new digital dystopia -- and what we can do about it. It begins by describing how things were supposed to be:

In its early days, there was a lot of talk about the "natural laws of the Internet" and how it would empower the masses, upend traditional power blocks, and spread freedom throughout the world. The international nature of the Internet made a mockery of national laws. Anonymity was easy. Censorship was impossible. Police were clueless about cybercrime. And bigger changes were inevitable. Digital cash would undermine national sovereignty. Citizen journalism would undermine the media, corporate PR, and political parties. Easy copying would destroy the traditional movie and music industries. Web marketing would allow even the smallest companies to compete against corporate giants. It really would be a new world order.

Unfortunately, as we know, that's not how it worked out. Instead, we have seen the rise of the feudal Internet:

Feudal security consolidates power in the hands of the few. These companies [like Google, Apple, Microsoft, Facebook etc.] act in their own self-interest. They use their relationship with us to increase their profits, sometimes at our expense. They act arbitrarily. They make mistakes. They're deliberately changing social norms. Medieval feudalism gave the lords vast powers over the landless peasants; we’re seeing the same thing on the Internet.

More recently, we have witnessed the dangerous alignment of private and governmental interests and power:

Both corporations and governments want ubiquitous surveillance, and the NSA is using Google, Facebook, Verizon, and others to get access to data it couldn't otherwise. The entertainment industry is looking to governments to enforce their antiquated business models.

A key question is: how did this happen? How did things go so wrong when they seemed to start off so well? Schneier has a good answer:

The truth is that technology magnifies power in general, but the rates of adoption are different. The unorganized, the distributed, the marginal, the dissidents, the powerless, the criminal: they can make use of new technologies faster. And when those groups discovered the Internet, suddenly they had power. But when the already powerful big institutions finally figured out how to harness the Internet for their needs, they had more power to magnify. That's the difference: the distributed were more nimble and were quicker to make use of their new power, while the institutional were slower but were able to use their power more effectively.

And that's where we are today, at a point where the big institutions -- governments above all -- have finally overcome their initial cluelessness, and worked out that as well as being a threat to their power, the Internet could also be a means for them to consolidate it. Fortunately, Schneier has some practical suggestions about what we need to do now in order to tip the balance back towards the people:

In the short term, we need more transparency and oversight. The more we know of what institutional powers are doing, the more we can trust that they are not abusing their authority. We have long known this to be true in government, but we have increasingly ignored it in our fear of terrorism and other modern threats. This is also true for corporate power. Unfortunately, market dynamics will not necessarily force corporations to be transparent; we need laws to do that. The same is true for decentralized power; transparency is how we will differentiate political dissidents from criminal organizations.

Oversight is also critically important, and is another long-understood mechanism for checking power. This can be a combination of things: courts that act as third-party advocates for the rule of law rather than rubber-stamp organizations, legislatures that understand the technologies and how they affect power balances, and vibrant public-sector press and watchdog groups that analyze and debate the actions of those wielding power.

Transparency and oversight give us the confidence to trust institutional powers to fight the bad side of distributed power, while still allowing the good side to flourish. For if we are going to entrust our security to institutional powers, we need to know they will act in our interests and not abuse that power. Otherwise, democracy fails.

There's much more in Schneier's essay, including thoughts on the "security gap", and why the longer-term solution is to reduce power differences by opening up data. It's a really important piece that pulls together many of the big issues that Snowden's leaks have raised. Unusually, it not only offers a compelling analysis of what's wrong, but also some sensible, if broad-brush, thoughts on how to put it right.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: bruce schneier, feudal internet, nsa, nsa surveillance