In the USA...NSA decryption revelations 'provide roadmap' to adversaries, US warns
Office of the director of national intelligence also suggests stories published by the Guardian and New York Times are 'not news'
theguardian.com, Friday 6 September 2013 18.27 BST
The Obama administration has responded to revelations on the NSA's successes in defeating online security and privacy published on Thursday by the Guardian, New York Times and ProPublica.
In a statement issued on Friday, the office of the director of national intelligence (ODNI), which oversees the US's intelligence agencies, suggested the stories, simultaneously published on the front pages of the New York Times and Guardian, were "not news", but nonetheless provided a "road map … to our adversaries".
At the core of the story, based on reporting from dozens of top-secret documents relating to encryption passed to the Guardian by NSA whistleblower Edward Snowden, were efforts by the NSA and its British counterpart GCHQ to place "backdoors" in online security, and to undermine internationals standards.
These efforts included:
• A 10-year NSA program against encryption technologies made a breakthrough in 2010 which made "vast amounts" of data collected through internet cable taps newly "exploitable".
• The NSA spends $250m a year on a program which, among other goals, works with technology companies to "covertly influence" their product designs.
• The secrecy of their capabilities against encryption is closely guarded, with analysts warned: "Do not ask about or speculate on sources or methods."
• The NSA describes strong decryption programs as the "price of admission for the US to maintain unrestricted access to and use of cyberspace".
• A GCHQ team has been working to develop ways into encrypted traffic on the "big four" service providers, named as Hotmail, Google, Yahoo and Facebook.
However, the ODNI said it was not surprising that intelligence agencies would work to defeat encryption, and that disclosing any specifics would cause damage.
"It should hardly be surprising that our intelligence agencies seek ways to counteract our adversaries' use of encryption," the statement begins. "Throughout history, nations have used encryption to protect their secrets, and today, terrorists, cybercriminals, human traffickers and others also use code to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that.
"While the specifics of how our intelligence agencies carry out this cryptanalytic mission have been kept secret, the fact that NSA's mission includes deciphering enciphered communications is not a secret, and is not news. Indeed, NSA's public website states that its mission includes leading 'the US government in cryptology … in order to gain a decision advantage for the Nation and our allies.'
"The stories published yesterday, however, reveal specific and classified details about how we conduct this critical intelligence activity. Anything that yesterday's disclosures add to the ongoing public debate is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions."
Privacy groups, however, said the NSA's activities were endangering privacy and putting both US internet users and businesses users at risk.
"Even as the NSA demands more powers to invade our privacy in the name of cybersecurity, it is making the internet less secure and exposing us to criminal hacking, foreign espionage, and unlawful surveillance," said the ACLU's principal technologist Christopher Soghoian.
"The NSA's efforts to secretly defeat encryption are recklessly shortsighted and will further erode not only the United States' reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies."
A blogpost by Dan Auerbach and Eva Galperin of the Electronic Frontier Foundation dubbed the activities "frightening" and "an egregious violation of our privacy".
Meanwhile, the New York Times' public editor Margaret Sullivan praised the collaboration, calling the organisations' reporting "an important story, published courageously". In the same post, she quoted the Times' executive editor Jill Abramson as noting "The Guardian at the beginning was highly concerned about working in a way that kept the material secure – we went to lengths to safeguard the material."
Abramson said she had met with US officials who had asked her not to publish the story, but said the decision to publish alongside the Guardian was "not a particularly anguished one".
****************Microsoft and Yahoo voice alarm over NSA's assault on internet encryption
Tech companies say they were unaware of top secret programs but warn they present 'substantial potential for abuse'
Dominic Rushe in New York
The Guardian, Saturday 7 September 2013
Two of the world's biggest technology companies, Microsoft and Yahoo, expressed deep concern on Friday about widespread attempts by the US and UK intelligence services to circumvent the online security systems that protect the privacy of millions of people online.
Microsoft said it had "significant concerns" about reports that the National Security Agency and its British counterpart, GCHQ, had succeeded in cracking most of the codes that protect the privacy of internet users. Yahoo said it feared "substantial potential for abuse".
Google said it was not aware of any covert attempts to compromise its systems. However, according to a report in the Washington Post on Saturday, the company said that it had accelerated the encryption of information in its data centres in a bid to prevent snooping by the NSA and the intelligence agencies of other governments.
Documents obtained by whistleblower Edward Snowden and published jointly by the Guardian, the New York Times and the nonprofit news organisation ProPublica on Thursday show that agents at GCHQ have been working to undermine encrypted traffic on the "big four" service providers, named as Hotmail (the Microsoft email service now known as Outlook), Google, Yahoo and Facebook.
Yahoo responded with a strongly worded statement on Friday. "We are unaware of and do not participate in such an effort, and if it exists, it offers substantial potential for abuse. Yahoo zealously defends our users' privacy and responds to government requests for data only after considering every applicable objection and in accordance with the law," a spokesman said.
A Microsoft spokesperson said: "We addressed these issues in our blog on July 16. We have significant concerns about the allegations of government activity reported yesterday and will be pressing the government for an explanation."
Tensions between tech firms and US authorities have been escalating. On Monday Microsoft and Google will file their latest legal briefs in a joint attempt to force the Foreign Intelligence Surveillance court to allow them to disclose more information about the requests for confidential information they receive.
A spokesman for Google said: "The security of our users' data is a top priority. We do not provide any government, including the US government, with access to our systems. As for recent reports that the US government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring. We provide user data to governments only in accordance with the law."
Facebook was not immediately available for comment.
In a blogpost Ron Bell, Yahoo's general counsel, said: "Our legal department demands that government data requests be made through lawful means and for lawful purposes. We regularly push back against improper requests for user data, including fighting requests that are unclear, improper, overbroad or unlawful. In addition, we mounted a two-year legal challenge to the 2008 amendments to the Foreign Intelligence Surveillance Act and recently won a motion requiring the US government to consider further declassifying court documents from that case."
The revelations over the agencies' assault on encryption were greeted with consternation by technology industry groups.
Ed Black, president of the Washington-based Computer and Communications Industry Association said the NSA had a "tragic case of myopia" and had put all internet users' data at risk.
"By secretly embedding weaknesses into encryption systems in order to create a 'back door' for surveillance access, the NSA creates a road map for similar cyber-incursions by others with less noble intentions," Black said in a statement.
But on Friday, the office of the director of national intelligence (ODNI), which oversees the US's intelligence agencies, said it should "hardly be surprising that our intelligence agencies seek ways to counteract our adversaries' use of encryption".
In a statement issued on Friday, the ODNI said the stories were "not news" but warned that they threatened national security.
"The stories published yesterday, however, reveal specific and classified details about how we conduct this critical intelligence activity. Anything that yesterday's disclosures add to the ongoing public debate is outweighed by the road map they give to our adversaries about the specific techniques we are using to try to intercept their communications in our attempts to keep America and our allies safe and to provide our leaders with the information they need to make difficult and critical national security decisions," said the ODNI.
The latest revelations come as experts warn the private sector is becoming increasingly distrustful of the NSA and its allies. Speaking to federal technology website Nextgov.com, Christopher Finan, a former White House and Pentagon official who worked in cyber offence research, said the NSA revelations were underming relations with the private sector.
Private industry has long counted on the NSA's cybersecurity expertise. "NSA has postured itself as a neutral arbiter who could provide these capabilities to the private sector and really didn't necessarily want much in return," said Finan. "I don't know if they can present themselves as the same honest broker now that we're seeing the enormous quantities of data that they are actually taking in."
*****************Explaining the latest NSA revelations – Q&A with internet privacy experts
The Guardian's James Ball and cryptology expert Bruce Schneier answer questions about revelations that spy agencies in the US and UK have cracked internet privacy tools
James Ball and Bruce Schneier
theguardian.com, Friday 6 September 2013 15.41 BST
Today, beginning at 3pm ET | 8pm BST, the Guardian's James Ball, who reported on the latest NSA and GCHQ revelations, and cryptology expert Bruce Schneier, who wrote about the implications, will take your questions on the new revelation that the US and UK governments can crack much of the encryption protecting personal data, online transactions and emails – as well as the ongoing debate over surveillance. Toss your questions below and as you wait for a response, re-visit yesterday's stories:
• How US and UK spy agencies defeat internet privacy and security
• How internet encryption works
• The US government has betrayed the internet. We need to take it back
The Q&A is now over.
User avatar for rahulilr
06 September 2013 4:47pm
Can we trust open source? Of course it is more transparent than properietry, but if NSA has been influencing standard documents, what is stopping them penetrating free software?
Do we have evidence supporting/denying contamination of open source?
James Ball: Because the NSA and GCHQ have been influencing standards, and working to covertly modify code, almost anything could potentially have been compromised. Something as simple as – hypothetically – modifying a basic random-number-generator could weaken numerous implementations of open-source code.
That said, anything done to open source projects, particularly popular ones, will have to be subtle, as anyone can audit the code. So I do believe they’re more trustworthy/dependable than other things. But almost nothing is certain, and we see quite regularly bugs/vulnerabilities discovered in major open source projects that have lain undiscovered for months.
User avatar for bushism
06 September 2013 4:28pm
Is there any reason to believe that these back doors have also been built into hardware?
Ball: There’s every reason to think this. The Washington Post mentioned in passing last week the use of ‘implants’, and the New York Times’ take on this story made reference to efforts against “encryption chips”.
User avatar for SteppenHerring
06 September 2013 4:19pm
How hard do you think it will be to get people to take security seriously when people are willing to type so much personal data into Facebook/Google+ etc?
Ball: I think we need more awareness of privacy and security generally, and I think as generations grow up net-native (as today’s teens are), that’s taking care of itself. I don’t think people who volunteer information to a strictly-controlled network on Facebook (or webmail, etc) are automatically willing to share that same information with their governments. That’s a large part of what the whole privacy and security debate the NSA files are fueling is about, I think.
User avatar for oberstm
06 September 2013 3:57pm
How would one go about selecting a VPN service that is still viable? All US-based ones are likely compromised via National Security Letters, and many foreign ones are probably hacked. Is there anything specific about a VPN service's transmission protocol (key exchange method) that may make it more reliable?
Ball: As you say, I think this is quite difficult, but one thing that is worth flagging is we have a sense of what the US and the other “Five Eyes” nations (the UK, Canada, Australia and New Zealand) are doing, because we have a whistleblower from those agencies.
It’s not inconceivable that intelligence agencies in other countries are doing a lot of the same things (it would be surprising if they weren’t doing some of it) – but we won’t hear about them unless a Chinese, Russian, German, Indian, etc, Edward Snowden comes along. I hope they do.
User avatar for AhzirrTraajijazeri
06 September 2013 4:17pm
First off -- thanks to James and Bruce for taking some time to answer people's questions! I know a lot of us need answers in these uncertain times.
Mine is a two-part question:
1.) What can the average internet user do to protect him- or herself from government snooping online?
2.) What can the average citizen do to help stop the NSA?
Ball: Bruce had a great article yesterday (http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
) on what to do to try to secure your own communications. I think it’s a brilliant starting place, especially for journalists and activists. Even though he’s described it well, of course, I think it’s beyond the expertise levels of 95%+ of internet users. This stuff is seriously hard, and I hope the crypto community carries on trying to make it easier.
As to the second question, the solution is going to have to be political: if your view is that what the NSA is doing isn’t acceptable, I think contacting congressmen, petitioning, and campaigning are the right steps. I’m sure the EFF, ACLU, EPIC and similar organizations will be stepping up their long-running efforts in the near future.
User avatar for FlipGuard
06 September 2013 4:40pm
Bruce's article giving advice on staying more private online included selecting certain encryption algorithms based on their mathmatical features etc -- what are some direct examples of the most 'safe' encryption techniques to use, key lengths etc?
How can Tor be any safer than VPN if both SSL/TLS and VPN methodologies have been exploited? Is the Tor routing process still a good security?
Ball: GCHQ’s phrasing of beating “30” then “300” VPNs suggest it’s done on a case-by-case basis, rather than a blanket capability. It’s also worth noting that just because the NSA can, say, beat SSL in some (or many, or most) cases, it doesn’t mean they can do it all the time, especially as they often seem to circumvent rather than directly beat security. Tor also has its onion methodology. I think Bruce’s take – that Tor makes tracing you harder, rather than impossible – seems a sensible one.
Note: Bruce Schneier has been traveling but will be online shortly. James Ball will take questions in the meantime.
User avatar for Patrick White
06 September 2013 4:58pm
The questions I find myself asking are "Who is chiefly responsible for this breach of trust?", "Will anyone be held accountable?" and "What sort of backlash will there be, if any, from society at large?".
Ball: Me too! There are a lot of issues here, not least that the technological capabilities of the NSA have hugely outpaced the efforts of most lawmakers to meaningfully understand them, let alone regulate them.
In the environment after 9/11, the agency had a permissive environment to expand its remit, masses more funding, and technological advancements making surveillance possible on a scale never previously imaginable. For privacy advocates, the past decade was essentially the perfect storm.
That encroachment happened under three Presidents, from two parties. I don’t think this is a partisan issue. It feels a little like the (apocryphal) tale of a frog in boiling water: if the water is slowly heated, the frog never notices it’s being cooked.
A final note is that at a bare minimum we need to hold senior intelligence officials accountable in public, and demand honest answers. Obama’s Director of National Intelligence has been accused of outright lying to Congress, seemingly with no adverse consequences. If you’re looking to increase accountability and transparency, surely you’ve got to start there.
User avatar for estebanesto
06 September 2013 7:29pm
Thus far the focus has been on the US and UK. But we see the five-eyed acronym on some of the documents. Should Aussies, Kiwis and Canadians be concerned about their privacy too?
Ball: The short answer is yes – the techniques revealed in the whole NSA Files series are shared with the five eyes nations, as is access to most of the databases of intelligence and communications the agencies collect.
Of course, there’s a flipside, which is that (in theory at least) the citizens of the five-eyes nations get a little bit extra protection against being spied on by the others – so perhaps you should be more worried if you’re NOT in the US, UK, Canada, Australia or New Zealand. Hard to say!
User avatar for geoffk
06 September 2013 6:50pm
Could the spooks sell the information or keys when they retire?..Would it be impossible?
Ball: If the NSA’s internal security was perfect, Edward Snowden would never have been able to leak. We’re essentially lucky he chose to release to the press – and it’s worth remembering he asked for responsible, measured publication, not mass-release – rather than simply sell it to hackers or criminals.
If someone in a similar position to Snowden decided to just take what they could and sell it to a foreign government, or criminal gang, would we ever know? It seems unlikely we’d be told. And given the NSA has repeatedly said they don’t know which documents Snowden accessed, maybe they wouldn’t know either.
That’s an important, additional, reason to be very concerned about the scope of NSA surveillance and activities, in my view – whatever your take on the need/legitimacy of mass-surveillance in general.
User avatar for dellcam
06 September 2013 8:18pm
Your article states:
$250m-a-year US program works covertly with tech companies to insert weaknesses into products
I don't see tech industry and their lobbyists rallying to put a stop to this. Won't this revelation that the US government is undermining the quality of their products damaging their reputation with consumers -- as well as effect the ability of the US tech industry to export their products around the world?
Ball: I think this is a serious risk of what the NSA has been doing: if I ran a US security company, I’d be concerned about my reputation (maybe deservedly so, though) – and I’m sure overseas competition will be stressing their ability to refuse US government requests in their advertising (though maybe their own government have similar programs).
That does seem to have been a concern of the NSA and GCHQ. I find that quite telling: if companies are just doing what the government requires, and no more, why such a need for secrecy around it? Why can’t they level? I think the efforts some of the silicon valley firms seem to be making are a good start – though what seems to be happening with Lavabit (a secure email company that shut down) are concerning.
Finally: this could be a boost to the free software / open source movement, too. That would be no bad thing.
User avatar for KatharineAshton
06 September 2013 8:37pm
They may have broken various methods of encryption (I'd assumed as much), but my question is; is this legal/viable evidence, that can be used in court? My understanding is that evidence that is acquired via snooping in on a secure/encrypted connection is illegitimate, and thus unusable in a court of law? (Not that legality seems to bother these people)
Ball: I can’t speak for the US system, as I don’t know it in detail (if you do, please chip in, in the comments) but in the UK intercept evidence isn’t admissable in court – it can be used as part of an investigation, and to get information which is then obtained ‘again’ by means of a warrant (so it can be used in court), but you can’t use it towards a conviction.
All three of the UK’s major political parties have said they want to make intercept evidence available in court, but the intelligence agencies have long opposed it – so far, with success.
User avatar for Martin1984
06 September 2013 8:26pm
Details may be protected by one or more ECIs and/or the secure BULLRUN COI
COI = Community of interest
So what does ECI stand for? The term is used frequently in the documents.
Ball: ECI stands for “Exceptionally Controlled Information” – it’s another level above top-secret, which keeps information to a very select group of individuals.
User avatar for ThisIsNotJohn
06 September 2013 8:24pm
In the face of the larger Snowden revelations, has The Guardian made any website changes, or critiqued business partners data usage, like Google and Facebook [for example how they may use the comments on this very page], in exploration of ways to insure, or at least enhance, TheGuardian.com users' privacy?
Ball: I can only really speak on this from the journalists’ perspective, as a reporter, but here I know we’re definitely thinking about what we can do to help make it clear how potential sources can communicate with us safely and securely (something we obviously think about anyway).
Obviously it’s something reporters have thought about for a long time, in terms of technical and legal protections (I use things like OTR, GPG email, etc, and have for several years), but I think in the wake of this particular story any responsible reporter at any outlet in the world should be reassessing what they do. I’d like to see outlets doing more to learn about security, train their staff in it, and I’d like to see outside groups doing more to help with training – and building new tools to help. It takes a village, and all that.
User avatar for ColinOnTweets
06 September 2013 8:40pm
Hi, thanks for answering questions. While everyone focuses on facebook accounts and emails, there's this thing that's been nagging me. A month ago the US authorities concluded a prosecution against 5 russians that have penetrated NASDAQ and many banks. They stole over 160 million credit card numbers, and had the entire NASDAQ network under control, apparently.http://arstechnica.com/security/2013/07/nasdaq-is-owned-five-men-charged-in-largest-financial-hack-ever/
I think that is more dangerous than facebook accounts. How likely is it that thes NSA tampering have weakened the security of say financial institutions or critical communication infrastructure?
Ball: This touches on a really important issue: if the NSA *have* successfully undermined some universal encryption standards, then they may have indeed made some infrastructure more vulnerable to attacks by foreign governments.
That would have been a conscious trade-off in the agency, though possibly one based either on the hope/knowledge that hackers in the Chinese or Russian governments (or gangs) weren’t sophisticated enough to take advantage of the flaws, and would never get to that level, and that they would never get a mole inside the NSA or a contractor who could pass on knowledge of it. That seems like quite a lot of bets to take.
I wonder, if more were ever to emerge on what standards were compromised, whether there’d be widespread concern or reprisals. Could the NSA face legal responsibility for leaving institutions open to attack?
Note: Bruce Schneier will now begin answering questions
User avatar for IndependentSkeptic
06 September 2013 4:02pm
Bruce, in an article yesterday you said that you used the Tails version of Linux for security purposes. Another Linux distribution built for security is Liberté Linux. Are there any reasons to prefer Tails over Liberté?
Schneier: I like Tails because it fits on a memory stick and gives me a relatively secure environment on any computer. I don't know Liberte, so I can's comment on it. In general, I don't have any inside knowledge about which applications have been compromised and which are secure. I'm making my best guesses based on what we all now know about the NSA's methods and economic realities.
User avatar for AnotherBee
06 September 2013 4:22pm
Are there known to have been any "hacker" exploits of back-doors built into hardware, software or standards at the request of NSA/GCHQ?
What steps do NSA/GCHQ take to stop their operatives "going rogue" and supplying exploitable information to hackers or other parties?
Schneier: It's a good question. Given 1) that the NSA has repeatedly said that they do not know what documents Edward Snowden has, and 2) that they would not have known he had them had he not gone public, it is reasonable to assume he's not the first. He's the first to go public.
User avatar for ID0140272
06 September 2013 4:19pm
From what I got the gist of this round of revelations is that cryptography has been weakened by human, political decisions: that of the government to make covert agreements with tech companies - by the way, are they voluntary on their part or not? - to collaborate with intelligence agencies, for example, and let them insert "secret vulnerabilities".
Of course there is a legal complication here - the companies say they are basically compelled to comply when required by law - but there seems to be a difference between mathematically defeating cryptography and circumventing it by covert partnerships.
So my question is: can we still trust cryptography per se? Is it still mathematically sound or does NSA spying provide us with a case to believe that it is «less secure than we thought», as in this paper by MIT http://web.mit.edu/newsoffice/2013/encryption-is-less-secure-than-we-thought-0814.html?
Schneier: I wrote about this explicitly here. I believe we still can trust cryptography. The problem is that there is so much between the mathematics of cryptography and the "encrypt" button on your computer, and all of that has been subverted.
User avatar for eriktau
06 September 2013 5:22pm
What are the implications for the financial industry? For example, can people trust their internet banking services? Any comment what a reasonable security action in this matter an ordinary citizen (whatever that is) should take?
Schneier: Like everything else, it depends on the definition of "trust." Even before any of these Snowden revelations, we knew that the FBI has been collecting wholesale banking data on Americans. And this deliberate weakening of the cryptographic systems that protect Internet banking only put us at greater risk from criminals and other espionage agencies.
As to your second question, I talked about how to maintain security here. But what ordinary citizens need to do is to make their voices heard; this will not stop unless we all demand it, loudly and repeatedly.
User avatar for johnwashburn
06 September 2013 6:45pm
Regarding the"10-year NSA program against encryption technologies made a breakthrough in 2010".
Is the breakthrough NSA break through related to the MD5 weakness described inhttp://www.sslshopper.com/article-md5-weakness-allows-fake-ssl-certificates-to-be-created.html
Has the NSA created a poisoned (i.e. false) root certificate purporting to be from a trusted Certificate Authority (e.g. from thawte, symantec, trustco, etc.)?
If so, how does one identify the poisoned CA root certificate?
How do I inform my SSL (secure socket layer) module from not using any certificate "signed" by the poisoned certs?
Better yet, have my SSL browser module not use *ANY* SSL cert signed only with an MD5 signature?
Schneier: I do not know. My guess is that the "breakthrough" is not related to MD5. The cryptanalysis of that was public, and the algorithm is only peripherally involved in confidentiality. And I would certainly suspect the entire CA root structure. Answer to "poisoned CA root question": I don't think we can. Answer to SSL questions: MD5 should have been purged years ago.
User avatar for pjpfeifer
06 September 2013 6:33pm
Assuming these are illegal activities, what is the ultimate motivator for these private companies to be complicit?
Wouldn't these private companies be concerned with losing market share when/if these revelations became public? What's the motivation?
Schneier: There are many possible motivations. Patriotism. A desire to help. Fear of reprisal if you won't help. Not wanting to engage in an expensive legal battle. I'm sure the NSA promises absolute secrecy; perhaps the possibility of losing market share when it becomes public is so remote that it's not really an issue.
User avatar for lmindlin81
06 September 2013 7:41pm
My questions are:
1. Are the symmetric and/or asymmetric protocols (AES-256, RSA-2048+) fundamentally compromised? Or is it simply the implementation?
2. Are point to point VPN links between commercial OTS h/w such as SonicWALL therefore decryptable, even with PFS?
3. Are A/V vendors cooperating with NSA/GCHQ to ignore gov't malware in order to compromise endpoints? If so, would it makes sense to use A/V such as Kaspersky?
4. Mobile devices: Is it possible the h/w or s/w on Androids and iPhones is backdoored, rendering on-device encryption such as silent phone useless?
5. All-in-all, is it safe to assume that there exists no viable means of protecting traffic against NSA/GCHQ?
Schneier: 1. I believe that the algorithms are not fundamentally compromised, only the implementations. I talk about this more here.
2. I don't know. I have no reason to believe that SonicWALL is secure.
3. This is an interesting question. I actually believe that AV is less likely to be compromised, because there are different companies in mutually antagonistic countries competing with each other in the marketplace. While the U.S. might be able to convince Symantec to ignore its secret malware, they wouldn't be able to convince the Russian company Kaspersky to do the same. And likewise, Kaspersky might be convinced to ignore Russian malware but Symanetec would not. These differences are likely to show up in product comparisons, which gives both companies an incentive to be honest. But I don't know.
4. I think it would be completely implausible for the NSA not to pursue both Android and iOS with the same fervor as the rest of the Internet.
5. That's what I wrote about here
******************************Welcome to the end of secrecy
The real lesson of the Snowden leaks is not the threat to privacy. It is the NSA's losing battle against the new agents of openness
theguardian.com, Friday 6 September 2013 16.56 BST
It has been said that privacy is dead. Not so. It's secrecy that is dying. Openness will kill it.
American and British spies undermined the secrecy and security of everyone using the internet with their efforts to foil encryption. Then, Edward Snowden foiled them by revealing what is perhaps – though we may never know – their greatest secret.
When I worried on Twitter that we could not trust encryption now, technologist Lauren Weinstein responded with assurances that it would be difficult to hide "backdoors" in commonly used PGP encryption – because it is open-source.
Openness is the more powerful weapon. Openness is the principle that guides, for example, Guardian journalism. Openness is all that can restore trust in government and technology companies. And openness – in standards, governance, and ethics – must be the basis of technologists' efforts to take back the the net.
Secrecy is under dire threat but don't confuse that with privacy. "All human beings have three lives: public, private, and secret," Gabriel García Márquez tells his biographer. "Secrecy is what is known, but not to everyone. Privacy is what allows us to keep what we know to ourselves," Jill Lepore explains in the New Yorker. "Privacy is consensual where secrecy is not," write Carol Warren and Barbara Laslett in the Journal of Social Issues.
Think of it this way: privacy is what we keep to ourselves; secrecy is what is kept from us. Privacy is a right claimed by citizens. Secrecy is a privilege claimed by government.
It's often said that the internet is a threat to privacy, but on the whole, I argue it is not much more of a threat than a gossipy friend or a nosy neighbor, a slip of the tongue or of the email "send" button. Privacy is certainly put at risk when we can no longer trust that our communication, even encrypted, are safe from government's spying eyes. But privacy has many protectors.
And we all have one sure vault for privacy: our own thoughts. Even if the government were capable of mind-reading, ProPublica argues in an essay explaining its reason to join the Snowden story, the fact of it "would have to be known".
The agglomeration of data that makes us fear for our privacy is also what makes it possible for one doubting soul – one Manning or Snowden – to learn secrets. The speed of data that makes us fret over the the devaluation of facts is also what makes it possible for journalists' facts to spread before government can stop them. The essence of the Snowden story, then, isn't government's threat to privacy, so much as it is government's loss of secrecy.
Oh, it will take a great deal for government to learn that lesson. Its first response is to try to match a loss of secrecy with greater secrecy, with a war on the agents of openness: whistleblowers and journalists and news organizations. President Obama had the opportunity to meet Snowden's revelations – redacted responsibly by the Guardian – with embarrassment, apology, and a vow to make good on his promise of transparency. He failed.
But the agents of openness will continue to wage their war on secrecy.
In a powerful charge to fellow engineers, security expert Bruce Schneier urged them to fix the net that "some of us have helped to subvert." Individuals must make a moral choice, whether they will side with secrecy or openness.
So must their companies. Google and Microsoft are suing government to be released from their secret restrictions – but there is still more they can say. I would like Google to explain what British agents could mean when they talk of "new access opportunities being developed" at the company. Google's response – "we have no evidence of any such thing ever occurring" – would be more reassuring if it were more specific.
This latest story demonstrates that the Guardian, now in partnership with the New York Times and ProPublica, as well as publications in Germany and Brazil that have pursued their own surveillance stories, will continue to report openly in spite of government acts of intimidation.
I am disappointed that more news organizations, especially in London, are not helping support the work of openness by adding reporting of their own and editorializing against government overreach. I am also saddened that my American colleagues in news industry organizations, as well as journalism education groups, are not protesting loudly.
But even without them, what this story teaches is that it takes only one technologist, one reporter, one news organization to defeat secrecy. At length, openness will out.
***************NSA surveillance: A guide to staying secure
The NSA has huge capabilities – and if it wants in to your computer, it's in. With that in mind, here are five ways to stay safe
• Explaining the latest NSA revelations – Q&A
theguardian.com, Friday 6 September 2013 14.09 BST
'Trust the math. Encryption is your friend. That's how you can remain secure even in the face of the NSA.' Photograph: Beck Diefenbach/Reuters
Now that we have enough details about how the NSA eavesdrops on the internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.
For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn't part of today's story – it was in process well before I showed up – but everything I read confirms what the Guardian is reporting.
At this point, I feel I can provide some advice for keeping secure against such an adversary.
The primary way the NSA eavesdrops on internet communications is in the network. That's where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.
Leveraging its secret agreements with telecommunications companies – all the US and UK ones, and many other "partners" around the world – the NSA gets access to the communications trunks that move internet traffic. In cases where it doesn't have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.
That's an enormous amount of data, and the NSA has equivalently enormous capabilities to quickly sift through it all, looking for interesting traffic. "Interesting" can be defined in many ways: by the source, the destination, the content, the individuals involved, and so on. This data is funneled into the vast NSA system for future analysis.
The NSA collects much more metadata about internet traffic: who is talking to whom, when, how much, and by what mode of communication. Metadata is a lot easier to store and analyze than content. It can be extremely personal to the individual, and is enormously valuable intelligence.
The Systems Intelligence Directorate is in charge of data collection, and the resources it devotes to this is staggering. I read status report after status report about these programs, discussing capabilities, operational details, planned upgrades, and so on. Each individual problem – recovering electronic signals from fiber, keeping up with the terabyte streams as they go by, filtering out the interesting stuff – has its own group dedicated to solving it. Its reach is global.
The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.
The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you're running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won't detect them, and you'd have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period.
The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. First, there's a lot of bad cryptography out there. If it finds an internet connection protected by MS-CHAP, for example, that's easy to break and recover the key. It exploits poorly chosen user passwords, using the same dictionary attacks hackers use in the unclassified world.
As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. A few people have told me some recent stories about their experiences, and I plan to write about them soon. Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it's explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.
TAO also hacks into computers to recover long-term keys. So if you're running a VPN that uses a complex shared secret to protect your data and the NSA decides it cares, it might try to steal that secret. This kind of thing is only done against high-value targets.
How do you communicate securely against such an adversary? Snowden said it in an online Q&A soon after he made his first document public: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."
I believe this is true, despite today's revelations and tantalizing hints of "groundbreaking cryptanalytic capabilities" made by James Clapper, the director of national intelligence in another top-secret document. Those capabilities involve deliberately weakening the cryptography.
Snowden's follow-on sentence is equally important: "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."
Endpoint means the software you're using, the computer you're using it on, and the local network you're using it in. If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn't matter at all. If you want to remain secure against the NSA, you need to do your best to ensure that the encryption can operate unimpeded.
With all this in mind, I have five pieces of advice:
1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.
2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.
3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.
4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.
Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about. There's an undocumented encryption feature in my Password Safe program from the command line); I've been using that as well.
I understand that most of this is impossible for the typical internet user. Even I don't use all these tools for most everything I am working on. And I'm still primarily on Windows, unfortunately. Linux would be safer.
The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.
Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA.
September 06, 2013 03:00 PMN.S.A. Has Cracked Most Of Encryption-Digital Scrambling Online Safeguards
By John Amato
If you were wondering how far has the NSA actually gone in their quest to spy on Americans, the NY Times has your answer. They are master code breakers who hacked their way to being able to get through almost all online protections, and they are close to being able to see everything that happens online.
N.S.A. Able to Foil Basic Safeguards of Privacy on Web
The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents. The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.
The NSA has invested billions of our tax dollars to figure out how to hack into everything online so that their eavesdropping could continue. This is scary, people:
Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.
The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.
“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.
”When the British analysts, who often work side by side with N.S.A. officers, were first told about the program, another memo said, “those not already briefed were gobsmacked!”
The Brits were gobsmacked by what the NSA can do. I suggest you read the whole article. It didn't matter to the NSA that they were prohibited from putting in back doors to all encryption, so they went the Anonymous way.
The N.S.A., which has specialized in code-breaking since its creation in 1952, sees that task as essential to its mission. If it cannot decipher the messages of terrorists, foreign spies and other adversaries, the United States will be at serious risk, agency officials say.
Even with the cat out of the bag, the NSA will never stop trying to spy on all Americans. And there are consequences for all of us when other agency's start to use their capabilities for other purposes outside of protecting us from terrorist attacks.
Click to watch Greenwald..it's just incredible: http://www.youtube.com/watch?v=fV_U51GqJQ4
**************President Obama Says He Learns What NSA Is Doing From The Press, Then Goes To NSA For Details
Saturday, September 7, 2013 10:34 EDT
Ewan MacAskill calls out a rather astounding statement by President Obama during his most recent press conference in St. Petersburg at the G20 summit. The very last question, which I believe is asked by AFP reporter Tangi Quemener, asks President Obama to respond to some of the recent NSA leaks, in particular the spying on Brazilian and Mexican officials. The President gives the usual long and winding answer about doing what intelligence agencies do, and various costs and benefits, but then there's this:
Now, just more specifically, then, on Brazil and Mexico. I said that I would look into the allegations. I mean, part of the problem here is we get these through the press and then I've got to go back and find out what’s going on with respect to these particular allegations -- I don’t subscribe to all these newspapers, although I think the NSA does -- now at least. (Laughter.)
Leaving aside the "joke" at the end, the admission is rather startling. Here is the President of the US admitting two astounding things. First, it appears that he and the NSA really have no clue at all what information Ed Snowden walked away with, and second (and worse), it appears that the President is admitting that he doesn't know what the NSA is doing and is similarly learning these facts from the press. This comes from the same President who has repeatedly insisted that there is plenty of oversight over these programs. If that's true, then he shouldn't be taken by surprise when the press reveals what the NSA is doing, and shouldn't have to "go back and find out what's going on." He's more or less admitting that there's no oversight and the NSA is a rogue agency making its own rules, only checked on when the press reveals something.
*************Court Says TSA Can Lie About Whether Or Not It Has The Information You're Requesting
Saturday, September 7, 2013 10:34 EDT
In theory, the Freedom of Information Act is great. It allows citizens to pursue disclosure from government entities in order to better understand processes or look for malfeasance. In reality, however, it's often incredibly difficult to convince these agencies to actually free up any information.
Whatever isn't delayed indefinitely is redacted heavily. Everything else that doesn't hit these two extremes tends to run into various bureaucratic walls. FOIA request fulfillment is often handed off to whatever part of the agency seems least likely to want the job, either because of its natural antipathy towards the public or because it's chronically understaffed.
It's gotten to the point where people are regularly suing the government to get documents released. No one needs to point out the sheer insanity of a system that expends public money to keep public documents from the public, especially one that is governed by an act meant to make the wall between the public and its servants so thin as to be nearly transparent.
Now, take that insanity and add to it a court decision that basically says it's perfectly fine for government agencies to lie to the public about the availability of requested information. The blogger who runs TSA Out of Our Pants! recently had his FOIA lawsuit against the agency dismissed by a district court. In her decision, Judge Joan A. Lenard came to a conclusion that agreed with the TSA's assertion that it didn't have the records the blogger requested, despite evidence to the contrary.
U.S. District Judge Joan A. Lenard granted the TSA the special privilege of not needing to go that route, rubber-stamping the decision of the TSA and the airport authority to write to me that no CCTV footage of the incident existed when, in fact, it did. This footage is non-classified and its existence is admitted by over a dozen visible camera domes and even signage that the area is being recorded. Beyond that, the TSA regularly releases checkpoint video when it doesn’t show them doing something wrong (for example, here’s CCTV of me beating their body scanners). But if it shows evidence of misconduct? Just go ahead and lie.
Attached below, you'll see his photos of the security cameras. While there may be some periodic dumps of stored footage, the likelihood of just the footage he requested not being available is pretty slim, especially since (as he points out) the TSA has no trouble locating flattering footage of its employees hard at work.
The court does seem to have a point about his second argument -- that releasing unredacted info about the TSA employees involved doesn't really serve the public interest. The TSA argued that releasing the names and faces could "expose them to unnecessary unofficial questioning, harassment, and stigmatization." This argument is a bit of a non-starter, as any public position has a good chance of exposing employees to all of the above. The TSA's second argument, the one the judge agreed with, is a bit more on point.
The TSA also determined that "none of the individuals' personal information would shed light on how TSA performs its statutory duties generally or in the particular instance at issue..." The TSA concluded that "the public interest in having that information disclosed was insufficient to merit disclosure."
This makes more sense even if it does seem a little illogical to pretend the TSA's employees, who work in public areas and interact with many members of the public, should somehow expect this level of privacy to be retroactively applied. However, the overall point is solid: naming names doesn't "shed light" on the issue. The TSA-opposing blogger does make a very good point, however: for all the concern the TSA has for its own members' privacy, it's rather careless with the privacy of others. Earlier this year, the TSA published an unredacted copy of his driver's license in a public court filing. Presumably this was an accident and not some petty form of intimidation.]
Unfortunately for this blogger, along with anyone else filing FOIA requests with government agencies, the judge not only took the TSA's claim that it didn't have the footage at face value in order to dismiss one of the claims, it also gave it tacit permission to permanently lock away any other info it wished to keep undisclosed.
Judge Lenard ruled that once a document is labeled “Sensitive Security Information” (which the TSA does by merely waiving [sic] a magic wand and writing “SSI” on the cover of a document) the U.S. District Court loses its power to review that determination, and the U.S. Court of Appeals is the proper forum. But wait, the Court of Appeals doesn’t evaluate FOIA claims, so now, in order to get a document you want, you must petition 2 courts and pay over $800 in filing fees alone.
And that's how the FOIA works in reality. Limitations, delays, redactions and over-classification. That alone would be enough of an uphill battle without courts pitching in with decisions that further distance requested information from the public.