Would You Trust The NSA's Advice On How To Deal With Heartbleed?

from the didn't-think-so dept

Somewhat late to the game (by about a week), after the Heartbleed vulnerability was publicly revealed, and a few days after it was reported and denied that the NSA was already well aware of Heartbleed and exploiting it, the NSA has put out a one page PDF about Heartbleed. This seems like something of a too little, too late effort by the NSA to live up to its semi-promise of a "bias" towards revealing vulnerabilities over exploiting them. However, that leads to the simple question that plenty of people should be asking: given everything you've learned about the NSA recently (or, well, for years), would you trust the NSA's advice on how to deal with Heartbleed? Not that I think the NSA would publicly suggest anything bad, but at this point, the NSA has a serious trust problem in convincing anyone engaged in computer security that they have their best interests in mind.

Filed Under: heartbleed, nsa, openssl, trust

Member Of Intelligence Review Group Tells NSA: You Guys Have Done Amazing Work Protecting America... And Should Never, Ever Be Trusted

from the quite-a-speech dept

Geoffrey Stone was a member of the Presidential panel tasked with reviewing the NSA's surveillance efforts -- the one that urged significant changes to the program, some of which may actually happen. He was one of the more outspoken members of the panel concerning the importance of civil liberties, and after the panel's report came out he was vocal about how "shocked" he was that the NSA's phone record collection program was basically useless.

Apparently he was recently asked to go speak to NSA staffers at NSA headquarters in Fort Meade about the work he did for the panel, and he's released his entire speech. It's an interesting read. It opens with him explaining his long-standing and strong commitment to civil liberties, noting his connection to the ACLU and that he's been a long-term skeptic of the NSA. He then goes on for most of the speech to talk about how the investigation by the review panel opened his eyes to recognizing that the NSA actually had done some really amazing and important work in stopping terrorists, and similarly that it really did seem committed to protecting Americans -- including their civil liberties.

Instead, he pointed out that the real issue was not the people of the NSA, but the Executive Branch and Congress expanding what the NSA was able to do:

The Review Group found that many of the programs undertaken by the NSA were highly problematic and much in need of reform. But the responsibility for directing the NSA to carry out those programs rests not with the NSA, but with the Executive Branch, the Congress, and the Foreign Intelligence Surveillance Court, which authorized those programs -- sometimes without sufficient attention to the dangers they posed to privacy and civil liberties. The NSA did its job -- it implemented the authorities it was given.

But, he now has changed his opinion on the NSA, saying that it has been unfairly demonized:

It gradually became apparent to me that in the months after Edward Snowden began releasing information about the government's foreign intelligence surveillance activities, the NSA was being severely -- and unfairly -- demonized by its critics. Rather than being a rogue agency that was running amok in disregard of the Constitution and laws of the United States, the NSA was doing its job.

It pained me to realize that the hard-working, dedicated, patriotic employees of the NSA, who were often working for far less pay than they could have earned in the private sector because they were determined to help protect their nation from attack, were being castigated in the press for the serious mistakes made, not by them, but by Presidents, the Congress, and the courts.

In the end, however, Stone points out that even as he was impressed with the professionalism and the values that the employees of the NSA held, they should not be trusted:

To be clear, I am not saying that citizens should trust the NSA. They should not. Distrust is essential to effective democratic governance. The NSA should be subject to constant and rigorous review, oversight, scrutiny, and checks and balances. The work it does, however important to the safety of the nation, necessarily poses grave dangers to fundamental American values, particularly if its work is abused by persons in positions of authority. If anything, oversight of the NSA -- especially by Congress -- should be strengthened. The future of our nation depends not only on the NSA doing its job, but also on the existence of clear, definitive, and carefully enforced rules and restrictions governing its activities.

In short, I found, to my surprise, that the NSA deserves the respect and appreciation of the American people. But it should never, ever, be trusted.

This is a really good point in many ways. One can argue over the various efforts and authorities, and whether or not they're legal. But, the issue is definitely targeted at the top -- and that includes not just the White House but the leadership of the NSA, as well as the FISA Courts and Congress. However, in following this debate since it began (even before that), I've seen little evidence that the public has been demonizing everyday NSA employees. Of course, some of the leaks suggest something that appears to be less than professional behavior by NSA folks, but nearly all of the criticism I've seen has been directed at those actually responsible at the top of the chain -- not the day to day staffers.

Either way, Stone's final point is a good one. Even if the NSA employed the most morally upstanding people ever alive, we should not trust them. An agency like the NSA should never be merely trusted, not because anyone questions the morals of the people who work there, but because a democracy cannot function when an organization like that is allowed to function solely on trust. It needs real, vigorous and comprehensive oversight. At this time, it's not clear it has any of that.

Filed Under: geoffrey stone, nsa, surveillance, trust

Security Researchers Find RSA Even More Completely Compromised By The NSA Than Previously Thought

from the setting-the-decryption-standard dept

Last December, Reuters broke the news that RSA had received $10 million from the NSA to push a weakened crypto standard as the default. This resulted in an incredible amount of backlash against RSA, resulting in many security researchers pulling out of the RSA's conference (which itself was met by a protest conference).

There's more bad news ahead for the RSA, again delivered by Reuters.

Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers.

Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw - or "back door" - that allowed the NSA to crack the encryption.

A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software's vulnerability.

The professors found that the tool, known as the "Extended Random" extension for secure websites, could help crack a version of RSA's Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters.

As Reuters notes, Extended Random has not been widely adopted (and now won't be), so the real story here is how the NSA undermines companies (and their aims) under the name of "advising on protection."

Rather belatedly, RSA officials are developing a sense of skepticism towards the NSA's motives.

"We could have been more skeptical of NSA's intentions," RSA Chief Technologist Sam Curry told Reuters. "We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure."

As has been shown numerous times over the last several years, the government would rather make the connected world less secure -- by stockpiling exploits and preventing holes from being patched -- in the name of "security." There's more than one kind of security, and the definition that works for most normal people runs contrary to the NSA's desire to exploit and collect everything it can.

The NSA has refused to comment on the story and the RSA, for its part, has not disputed what researchers have uncovered. Dual Elliptic Curve is the NSA's $10 million baby, and the addition of Extended Random does nothing more than make the next set of random numbers easier to predict.

Johns Hopkins Professor Matthew Green said it was hard to take the official explanation for Extended Random at face value, especially since it appeared soon after Dual Elliptic Curve's acceptance as a U.S. standard.

"If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline," Green said…

The academic researchers said it took about an hour to crack a free version of BSafe for Java using about $40,000 worth of computer equipment. It would have been 65,000 times faster in versions using Extended Random, dropping the time needed to seconds, according to Stephen Checkoway of Johns Hopkins.

This is what happens when you allow the NSA to not only play with the toys, but to also design them. "Security," in terms of the RSA's chosen standard, is now nothing more than a buzzword appended to its product line. The company learned far too late that the intelligence agency has little need for solid encryption, viewing it as an obstacle to be surmounted rather than a defensive tool that might make computing more secure -- for everybody.

The agency wants it all and it wants to gather it with the least amount of effort possible. While it may have little desire to turn its weapons on Americans ("incidental collections" will still continue, of course…), it has exactly zero compelling legal reasons not to weaponize crippled encryption against the rest of the world. RSA's credulousness (and perhaps $10 million) apparently silenced its better judgement, and now the connected world is open not only to the NSA's exploits, but anyone else with the desire to open the agency's backdoors.

Filed Under: compromised security, dual elliptical curve, encryption, extended random, nsa, security, surveillance, trust
Companies: rsa

To Catch A Meaningless Leaker, Microsoft Made It Clear It Has No Concern For Your Privacy

from the cost-benefit dept

Yesterday, we wrote about the bizarre decision by Microsoft to search through a reporter's Microsoft Hotmail email account, in an attempt to catch the Microsoft employee who had leaked that reporter a copy of Windows 8. While most of the initial stories about this had focused on the arrest of the employee, Alex Kibkalo, and had pushed the email snooping issue to the bottom of the story, it appears that the email snooping is quickly becoming the story. After all, the leak itself was basically meaningless. Some early screenshots of Windows 8 were never a big deal, and Microsoft has struggled to get adoption of Windows 8 not because of any leak, but because a variety of other issues. So capturing the leaker does little of benefit for Microsoft.

However, at the same time, revealing that the company has no problem snooping through users' email accounts if it feels it is beneficial to Microsoft is hugely damaging to the company. People need to trust their email providers. A well-known venture capitalist I know has spoken repeatedly about how so many people use Gmail, even when doing things like negotiating deals with Google (or competitors!) because they actually trust Google not to abuse their privacy and snoop on those emails. In part, they do this because they know if Google was exposed for snooping on emails that way there would be a mass exodus from Gmail to alternative providers. Yet, Microsoft doesn't seem to have considered just how astoundingly damaging it is to violate its own users privacy -- whether permitted by Microsoft's terms of service or not.

On a basic cost-benefit analysis it's difficult to see how anyone at Microsoft thought this was a wise move. Absolutely wipe out any possible trust and privacy for all email users to track down one meaningless leaker? Instead, what this shows is how "piracy obsession" blinds companies. They seem to forget all about cost-benefit analysis and assume that "something must be done" at all costs, even if it basically destroys an entire business line for the company.

Microsoft is now desperately trying to minimize the damage as it's realizing just how it's wiped out all of its bogus talk about protecting your privacy. They've announced new policies concerning how and when they'll violate your privacy, but this seems quite clearly to be a case of too little, too late.

Filed Under: copyright, cost benefit, email, leaks, overreaction, privacy, trust
Companies: microsoft

Jealous Lovers Now Get NSA Powers!

from the brave-new-world dept

I've been thinking, with all the revelations coming out about the NSA spying on all of us, maybe we've been going about reacting the wrong way. I mean, we all seem to fall somewhere on the spectrum of being upset about this, from the more mildly uncomfortable but resigning folks that are okay with the spying to those more militant about privacy. What if we're all just pissed that we aren't the ones getting to do all this sweet, sweet surveillance on everyone we know.

Well, that's all changed, thanks to the makers of the mSpy software, which allows you to gift smart phones preinstalled with their software to those you care about most and then play NSA on them to your heart's content.

Starting today, the company is also selling phones preloaded with the software, making it simple for users without any tech savvy to start surveillance right out of the box. The phone package is available with the HTC One, Nexus 5, Samsung Galaxy S4 and iPhone 5s, at varying cost; for example, the Samsung Galaxy S4 costs $300; the subscription for the preloaded software costs another $199 for a year.

[From the moment the software is installed], the phone records everything that happens on the device and sends the details to a remote website. Every call is recorded, every keystroke logged, every email seen, every SMS chat or photograph monitored.

Count me as someone who is suddenly even more glad than ever that I'm out of the dating world. On the other hand, I suppose it'll be weird for any of us married folks to get smart phones as gifts from now on as well. Oh well, down the surveillance hatch, I say! The NSA spies on us, we spy on each other, and the important thing to remember is that the makers of this software, which advertises to buyers that their targets "won't find out", are the most innocent of innocents here.

The phone's proclaimed target markets are employers and parents who have the legal authority to watch what their children do on their smart phones. Company founder Andrei Shimanovich knows others may use his products in illegal ways, but says it is not his responsibility.

"It is the same question with the gun producer," says Shimanovich, a Belarus native who recently moved to New York. "If you go out and buy a gun and go shoot someone, no one will go after the gun producer. People who shoot someone will be responsible for this. Same thing for mSpy. We just provide the services which can solve certain tasks regarding parents and teenagers."

And creepy bastards, estranged lovers, stalkers, or anyone else who might be able to surreptitiously sneak this software onto the phones of whomever they're targeting. While it's completely true that we ought not blame the tool-maker for the way the tool is used, that doesn't discount the level of creepy in this software. Gone, apparently, are the days when parents raised their children to be responsible and then loosed them on the world to make a few mistakes and grow up better because of it. Gone are the days when employers made it a point to hire staff that they trusted. The NSA has paved the way for a whole new level of Orwellian acceptance, where the only difference between government surveillance and that we do ourselves is that our personal spying might actually be effective, since it will be more targeted.

Prepare yourselves, people, for when the news media first gets hold of some stalker who commits a violent act and is found to have employed this software, because the backlash against it is going to be insane.

Filed Under: privacy, spying, surveillance, trust
Companies: mspy

NSA Helped Destroy Trust In US Internet Firms, But Would Going Overseas Be Any Better?

from the unfortunately-not dept

The NSA has created a real mess for the tech industry these days. As has been detailed repeatedly, and showing a complete lack of concern for basic privacy, the NSA has basically destroyed trust in US internet companies not just for Americans but everyone outside of the US as well. We're already hearing stories of foreign companies demanding contracts with internet firms that say data must be kept outside the US. And there are worries about a splintering internet. Even Eric Schmidt has said that Google explored the option of moving its servers out of the US, if it would protect them more from the NSA. But the company eventually chose otherwise, and the more you think about it, the more you realize that the really messed up thing in all of this is that even with all of the revelations, it's still probably safer to keep the data inside the US than out of it.

First off, when the data is within the US, there are at least some restrictions on what the NSA/FBI can access. There are quite reasonable complaints about just how insanely broad Section 215 of the PATRIOT Act and Section 702 of the FISA Amendments Act are... but, at least those laws do include some restrictions and oversight (even if we all agree it's not nearly enough). However, once things are outside of the US, it's basically "fair game" to the NSA. The NSA has interpreted Executive Order 12333 to mean that it's "open season" on all information not in the US. As ridiculous as it sounds, that actually means that there are somewhat greater restrictions on information inside the US than outside. Those stories about the NSA hacking into the links between Google and Yahoo data centers? Those were only done on offshore data centers outside of the US, under the auspices of EO 12333. Meanwhile, for local intelligence operations, they rarely even have the same kind of restrictions that the NSA has -- meaning that offshore data may be even more at risk of being spied on by whatever local intelligence agencies are in that country.

It's a complete mess for the entire tech industry -- but if you were running a tech company and wanted to best protect that data from the NSA, there's at least a strong argument that the best move is to stay in the US, even after all of these revelations. And, honestly, that's even more of a reason why the US tech industry needs to be fighting strongly for much greater reform and oversight concerning NSA (and FBI) activities inside the US. The protections are way too low, but at least there are some protections.

I recognize that some are going to disagree with this entirely, as many have completely written the US off because of these revelations. But, there's a simple question to ask: if that's the case, do you really feel safer with your data somewhere else, where there are no rules at all about what the NSA can do with it?

Filed Under: privacy, surveillance, tech, trust

How NSA Spying On Angela Merkel May Scuttle TAFTA/TTIP Trade Agreement

from the another-good-deed-by-Snowden dept

There's been plenty of attention paid to the news of the past week or so about the NSA spying on German Chancellor Angela Merkel's mobile phone. While some still insist this is no big deal, the eventual consequences could be a very big deal. First off, remember that it was just a few months ago that (in the wake of the initial Snowden leaks), the US and Germany had made a silly pledge, which no one believed, that they wouldn't spy on each other. That "agreement" is already being put to the test.

As we discussed last week, the real "casualty" from all of these discussions may actually be that America can't get away with being a massive hypocrite anymore, despite so much of its foreign and domestic policy being built around being able to get away with just that. And, a large part of that is how the US pushes other countries into very questionable trade agreements -- another thing that we've been following for years. And those two things may be on a collision course. For quite some time now, we've been discussing the big trade agreement that the EU and the US are working towards, called TAFTA or TTIP. But one of the lesser noticed points about the revelations of the spying on Merkel is that many people in Germany are saying that negotiations on this agreement should be put on hold:

The chancellor's office is also now considering the possibility that the much-desired trans-Atlantic free trade agreement could fail if the NSA affair isn't properly cleared up. Since the latest revelations came out, some 58 percent of Germans say they support breaking off ongoing talks, while just 28 percent are against it. "We should put the negotiations for a free-trade agreement with the US on ice until the accusations against the NSA have been clarified," says Economy Minister Ilse Aigner, a member of the Christian Social Union, the Bavarian sister party to Merkel's Christian Democrats.

There are many reasons why TAFTA/TTIP is looking like a bad deal anyway, having nothing to do with the NSA spying, but if the Snowden docs lead to that agreement being put "on ice" for a while, that seems like another useful outcome.

Filed Under: angela merkel, nsa, nsa surveillance, tafta, trade agreements, trust, ttip

NSA Top Two Officials Retiring Isn't News, But Is An Opportunity To Reshape The Agency

from the but-that-won't-happen dept

There's been some recent chatter over a Reuters report highlighting that both of the top two officials at the NSA, director Keith Alexander and deputy director Chris Inglis, are retiring in the next few months. Lots of people are misreading this, believing that this is something new, and suggesting that both were either pushed out, or are doing this in response to all of the Snowden revelations. That's simply not true. Alexander's retirement has been widely reported since at least June (and has been covered in a number of other publications as well). Both retirements were planned long ago, and appear to be exactly on schedule, rather than as any reaction to things happening in the news.

This is unfortunate, as it really does seem like there should be some punishment for the widespread excesses and abuses that have been revealed by Snowden. However, what is important to recognize is that this does present a real opportunity for the President to reshape the NSA. It seems unlikely that this will happen, but the President has said that he wants to rebuild the trust of Americans in the NSA and the wider intelligence community, and the choices he makes for who will lead the NSA are a real opportunity to at least take a step in that direction. No one actually expects him to, say, pick a civil liberties activist, but there are people out there who have experience in the intelligence community and who also have shown a respect and appreciation for privacy and civil liberties. Furthermore, finding someone who can present the case for reform -- one which recognizes that "collect it all" is not just bad policy, but bad for actually finding useful information -- would be a big step forward.

Filed Under: barack obama, chris inglis, civil liberties, keith alexander, leadership, nsa, nsa surveillance, privacy, trust

NSA Defenders Need To Learn: Trust Is Something You Earn, Not Legislate

from the wake-up-to-reality dept

I've been thinking about last week's Senate Intelligence Committee hearing with Director of National Intelligence James Clapper, NSA boss Keith Alexander, and deputy Attorney General James Cole. This was the one in which Senator (and Intelligence Committee chair) Dianne Feinstein both insisted that it's shameful that the press and the public refer to the NSA's surveillence program as "surveillance" while accidentally admitting that the NSA gets internet information via tapped "upstream" backbone connections. But if there was one issue that came up over and over again it was the palpable anger of the NSA's defenders that the press and the public don't trust them. This seemed to focus on a two key arguments:

1. Everything we do is legal and is handled by "oversight from all three branches of government."
2. We're not listening in on everyone's calls, but trying to stop terrorist attacks.

First of all, the first claim is basically false and the second one is mostly a strawman, but also somewhat misleading to false (depending on your perspective of the continuum).

However, just for fun, let's give the NSA and its defenders the benefit of the doubt, and explain how even if both of those points are 100% true, it still is no reason to trust them.

In response to the first point, the NSA defenders seem to think that just because the secret FISA court says this is all okay, that means the American people should agree that it's okay. But that's not how this works. In fact, part of the point why people are so pissed off about this is the fact that we don't think this should be legal in the first place. Whether or not the courts decide that it's legal doesn't change that. And it certainly does not lead to "trust." Quite the opposite. When the judicial system rules against what the American public believes is just and right, that hurts trust and makes us a hell of a lot less trusting of the judiciary.

As for the second point, the whole "we're not listening to your calls with your mother" line is a total strawman. People (generally) aren't concerned about whether or not the NSA is listening to calls like that. What they're (quite reasonably) concerned about is the possibility that such powers can and are abused. And this type of abuse has happened many times before. This includes a few different kinds of abuse:

1. Abuse for political power, such as spying on political enemies and critics.
2. Abuse for personal reasons, such as spying on spouses and love interests.
3. Abuse for law enforcement reasons, such as stretching the definition of the law or finding perfectly normal behavior that can be turned into a felony charge for the purpose of piling charges on people the government wants to lock up.

All of those things have happened (in some cases quite recently). The fact is that while the NSA might not be listening to calls between me and my mom, the NSA and other law enforcement agencies have long shown that they'll come up with all sorts of excuses to spy on people they don't like to try to twist and distort things, often out of context, to shut up people they don't like. The NSA and its defenders response to all of this seems to be something along the lines of "sure that happened in the past, but we're different." Yet, they give no reason at all to show why they're different. It just comes back to "trust us."

But the American people (and, actually, the rest of the world) have been fooled plenty of times already. Telling people to "trust us" doesn't cut it. At all. The only way to build trust is to earn it. If the NSA needs to do these kinds of things, prove it. Explain publicly what they do and why they do it, and let a public debate occur about whether or not this kind of effort is appropriate. That's still missing. We're just told to trust them, because they're different and that the NSA doesn't want to listen to every call. But that's not what leads to trust. In fact, it just leads to greater distrust.

Filed Under: intelligence committee, nsa, nsa surveillance, senate, trust

No Real Changes Will Happen With NSA Surveillance Until Clapper And Alexander Are Fired

from the there-needs-to-be-punishment-for-lying dept

We've been arguing for months now that with James Clapper having admitted to blatantly lying to Congress (after trying to lie about the lie) that it's insane that the man still has a job. If there is to be any accountability or trust going forward, he should lose his job (and potentially face charges). Instead, nothing is happening and no one seems to have any interest in doing anything. We've raised the question as to how anyone could possibly ever trust statements coming from the Intelligence Community again.

Once again: the director of the intelligence community flat out lied to Congress about it, admitted it, and there have been no consequences at all. What that teaches Clapper and others is that they can continue to lie, and, in fact, that they are effectively encouraged to lie, because there's no downside risk in doing so.

It's good to see we're not the only ones who think so. James Goodale, a prominent First Amendment lawyer, and former General Counsel for the NY Times has written a stinging critique in the Guardian about all of the lies (noting that they go way beyond Clapper to Congress, but also include Clapper and Alexander both to the public and to the FISA court which is in charge of oversight):

The Director of National Intelligence James R Clapper admitted he lied to Congress about the NSA metadata collection program. He said the NSA had no such program – and then added that that was the least "untruthful" remark he could make. General Keith Alexander, director of the National Security Agency, lied in 2012 that the NSA does not hold data on US citizens, and repeated similar misstatements, under oath, to Congress about the program:

We're not authorized to do it [data collection on US citizens], nor do we do it.

NSA lawyers lied to secret Fisa court Judges John D Bates and Reggie B Walton. In recently released opinions, Bates said he had been lied to on three separate occasions and Walton said he had been lied to several times also.

Then he notes that there's been no punishment at all for these guys, which is absolutely true. He further calls out the Justice Department for refusing to investigate the lies to the FISA court, and notes that if President Obama actually wants to rebuild trust in the government and the intelligence community it must include punishing those who lied to Congress and to the FISA court. Otherwise, it is guaranteed that they will do so again.

Filed Under: james clapper, keith alexander, lying, nsa, nsa surveillance, trust