Thank Snowden: Internet Industry Now Considers The Intelligence Community An Adversary, Not A Partner

from the a-useful-level-of-distrust dept

We already wrote about the information sharing efforts coming out of the White House cybersecurity summit at Stanford today. That's supposedly the focus of the event. However, there's a much bigger issue happening as well: and it's the growing distrust between the tech industry and the intelligence community. As Bloomberg notes, the CEOs of Google, Yahoo and Facebook were all invited to join President Obama at the summit and all three declined. Apple's CEO Tim Cook will be there, but he appears to be delivering a message to the intelligence and law enforcement communities, if they think they're going to get him to drop the plan to encrypt iOS devices by default:

In an interview last month, Timothy D. Cook, Apple’s chief executive, said the N.S.A. “would have to cart us out in a box” before the company would provide the government a back door to its products. Apple recently began encrypting phones and tablets using a scheme that would force the government to go directly to the user for their information. And intelligence agencies are bracing for another wave of encryption.

In fact, it seems noteworthy that this whole issue of increasing encryption by the tech companies to keep everyone out has been left off the official summit schedule. As the NY Times notes (in the link above), Silicon Valley seems to be pretty much completely fed up with the intelligence community after multiple Snowden revelations revealed just how far the NSA had gone in trying to "collect it all" -- including hacking into the foreign data centers of Google and Yahoo. And, on top of that, the NSA's efforts to buy up zero day vulnerabilities before companies can find out and patch them:

“What has struck me is the enormous degree of hostility between Silicon Valley and the government,” said Herb Lin, who spent 20 years working on cyberissues at the National Academy of Sciences before moving to Stanford several months ago. “The relationship has been poisoned, and it’s not going to recover anytime soon.”

That Times article quotes White House cybersecurity boss Michael Daniel (the man who is proud of his own lacking of cybersecurity skills) trying to play down the "tensions" between Silicon Valley and Washington, followed by this anonymous quote from a Silicon Valley exec:

“A stupid approach,” is the assessment of one technology executive who will be seeing Mr. Obama on Friday, and who asked to speak anonymously.

Further, the article discusses how companies are trying to fight back against the NSA's abuse of zero days (another thing that Daniel has championed) by getting to them before the government does:

And while Silicon Valley executives have made a very public argument over encryption, they have been fuming quietly over the government’s use of zero-day flaws. Intelligence agencies are intent on finding or buying information about those flaws in widely used hardware and software, and information about the flaws often sells for hundreds of thousands of dollars on the black market. N.S.A. keeps a potent stockpile, without revealing the flaws to manufacturers.

Companies like Google, Facebook, Microsoft and Twitter are fighting back by paying “bug bounties” to friendly hackers who alert them to serious bugs in their systems so they can be fixed. And last July, Google took the effort to another level. That month, Mr. Grosse began recruiting some of the world’s best bug hunters to track down and neuter the very bugs that intelligence agencies and military contractors have been paying top dollar for to add to their arsenals.

They called the effort “Project Zero,” Mr. Grosse says, because the ultimate goal is to bring the number of bugs down to zero. He said that “Project Zero” would never get the number of bugs down to zero “but we’re going to get close.”

There's a lot more in the two stories ahead, but the angry feeling is real. In the past year, it's amazing how many conversations I've had with people around Silicon Valley who aren't just upset or disgusted over the intelligence community's actions, they're angry. And while the tech industry was never as buddy buddy with the government as some have tried to imply, things had undoubtedly become complacent in some circles, with little effort being made to make sure that information wasn't being misused or abused. But that's no longer the case. There are, of course, legal limits on what companies can do, but just as the NSA once explained how they play right up to the very edge of the limits that Congress puts around them (some of us believe they go beyond that...), the tech industry is rapidly learning that they, too, need to push back to the line that the law allows them to do so as well.

And, of course, none of that would likely have happened without Ed Snowden revealing to journalists the nature of the NSA's overreach.

Filed Under: cybersecurity, cybersecurity summit, ed snowden, government, surveillance, trust, white house, zero days
Companies: apple, facebook, google, yahoo

German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security

from the is-that-really-a-good-idea? dept

The newspaper Süddeutsche Zeitung reports that the German spy agency BND will spend €28 million on what it calls its 'Strategic Technical Initiative' (SIT) next year, and that it has asked the German government for a further €300 million (original in German). The German edition of the English-language site "The Local" explains how the money will be used:

The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.

Government spokesman Steffen Seibert confirmed to dpa on Monday that the BND had worked with French computer security firm Vupen, which is known to sell details of security holes to governments, in the past.

Techdirt has written about Vupen a couple of times recently, and emphasized why buying such zero-day vulnerabilities to use for surveillance purposes without passing them on to be fixed makes the Internet much less safe for everyone. According to a related story in Der Spiegel (original in German), the BND hopes to apply zero-days to undermine the main encryption technology used to protect online communications, the Secure Sockets Layer (SSL) protocol. As The Local writes:

The programme to penetrate SSL, codenamed Nitidezza, would also target the HTTPS protocol which is the standard for many banks, online shops, webmail providers and social networks.

"Holes in SSL need to be patched [fixed] because it is ubiquitous and everyone depends on it for their security," said Jim Killock of London-based digital rights NGO Open Rights Group.

"There is a real risk that failing to fix problems means criminal gangs will seek to obtain the same data using the same defects."

SIT means that not only will the privacy of millions of people be at risk, but so will their economic activities and that of all the companies that use SSL to carry out online transactions.

The BND's move is particularly worrying, since it could well encourage spy agencies in other nations to follow suit, thus starting a bidding war for serious software flaws. That, in its turn, will encourage even more people to find and sell zero-days, rather than report them, reducing security online. It's probably too much to hope that government agencies would ever agree to give up acquiring and using software bugs in this way, but they should at least be required to limit their use so as to minimize the serious harm they could wreak across the entire Internet.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: bnd, germany, security, spy agency, ssl, surveillance, zero days
Companies: vupen

EFF Sues NSA Again Over Failure To Release Procedures For Dealing With Zero Days

from the eff-may-need-a-whole-floor-devoted-to-nsa-lawsuits dept

Another day, another lawsuit filed by the EFF against the NSA. As you may recall, back in April there was some discussion about how the NSA deals with zero day exploits it discovers, and (specifically) whether or not it reveals them to relevant parties or keeps them for its own ability to exploit them. The NY Times revealed that President Obama had put in place an official rule that said the NSA should have a "bias" towards revealing the flaws, but left open a gaping loophole in saying the NSA could exploit those zero days for "a clear national security or law enforcement need." That's a pretty big loophole -- especially when you consider how law enforcement has been abusing every opportunity of late.

EFF filed a FOIA request to find out about the NSA's process for determining whether to exploit or reveal a zero day... and hasn't received a response, despite a promise by the government to "expedite" the request. Hence: the new lawsuit.

"This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community's toolset: security vulnerabilities," EFF Legal Fellow Andrew Crocker said. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."

Over the last year, U.S. intelligence-gathering techniques have come under great public scrutiny. One controversial element has been how agencies such as the NSA have undermined encryption protocols and used zero days. While an intelligence agency may use a zero day it has discovered or purchased to infiltrate targeted computers or devices, disclosing its existence may result in a patch that will help defend the public against other online adversaries, including identity thieves and foreign governments that may also be aware of the zero day.

"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," Global Policy Analyst Eva Galperin said.

These days, it really does seem that the only way to get the government to cough up these kinds of documents is to file a lawsuit, which really defeats the purpose of the whole FOIA process. Perhaps the government should just admit it's a charade and let people go straight to the lawsuit filing process instead.

Filed Under: cybersecurity, exploit, foia, james clapper, nsa, odni, surveillance, zero days
Companies: eff

Keith Alexander: NSA Makes The Entire Internet Weaker To Protect You From Terrorists

from the those-codes-are-our-codes dept

We've had plenty of discussions about how the NSA has weakened our infrastructure and put us all at much greater risk. A big part of the problem, we've noted, is the dual role of the NSA and US Cyber Command, in which there's a combined offensive and defensive role to crack the technologies that "bad guys" are using... while (they tell us) protecting the technologies that we're using.

In a new interview, former NSA boss General Keith Alexander attempts to defend this weakening of internet security -- and, instead, proceeds to explain why it's such a huge problem:

“When the government asks NSA to collect intelligence on terrorist X, and he uses publicly available tools to encode his messages, it is not acceptable for a foreign intelligence agency like NSA to respond, ‘Sorry we cannot understand what he is saying’,” Alexander told the Australian Financial Review, which he inexplicably granted a 16,000-word interview. “To ask NSA not to look for weaknesses in the technology that we use, and to not seek to break the codes our adversaries employ to encrypt their messages is, I think, misguided. I would love to have all the terrorists just use that one little sandbox over there so that we could focus on them. But they don’t.”

Here's the problem with that statement though. In admitting that the NSA has to "seek to break the codes our adversaries employ to encrypt their messages," he's admitting that they need to do the very same for us. Because the problem for the NSA is that we're all using the same damn technology. He's right that he'd prefer it if the "bad guys" used different technologies. But they don't.

The major issue is that Alexander sees this as an excuse to make everyone less safe. Others who understand security recognize that the cost associated with that is much larger than any benefit. Alexander is admitting that he'd prefer to keep us all less safe if it means being able to read one terrorist's email. I'm not sure that's a worthwhile tradeoff, and I'm almost certain that it reflects the opposite view of what the 4th Amendment of our Constitution was designed to portray.

Filed Under: exploits, keith alexander, nsa, surveillance, us cyber command, zero days