Bruce Schneier Speculates On NSA Double Laundering Information It Obtains Via Network Infiltration

from the double-reverse-parallel-construction dept

Bruce Schneier has a worth-reading post about the latest reports on the NSA infiltrating the network connections for Google and Yahoo's datacenter, making a number of good points about that story. We'll discuss a few of the points, but I wanted to focus in on this one first:
In light of this, PRISM is really just insurance: a way for the NSA to get legal cover for information it already has. My guess is that the NSA collects the vast majority of its data surreptitiously, using programs such as these. Then, when it has to share the information with the FBI or other organizations, it gets it again through a more public program like PRISM.
While it's just speculation, there is some reason to suggest it might be the case, and that would show just how far the NSA goes in some cases. After all, until June, PRISM itself was a secret. Yet, now, it's possible that the secret PRISM program was really just a way to put a legal-looking coat of paint on far more invasive activities. After all, it's already been revealed that the NSA and others make use of what they call "parallel construction" to "refind" evidence that they found through means they don't want to be challenged in court. As we said, this is just a way of laundering illegally obtained evidence. If Schneier's suspicion is right, then the NSA was actually probably happy that PRISM info came out first, since it does have at least some claims to being legal under Section 702.

But, if he's correct, it would mean that the NSA has secretly backdoored its way into networks, sucking up pretty much everything -- and then when it finds something useful, it will then use Section 702 under the FAA and the FISA Court to come up with some reasoning why that same info should be "collected" via either PRISM or the upstream telco traps, and then it can do more with it. This might not be true, but layering secret programs on top of secret programs to hide how the info was actually obtained would be something.

Other key points from Schneier are that we cannot assume it was just Google and Yahoo infiltrated this way. It's likely that others have been as well, just under different programs. And, more importantly, this demonstrates how legislative change to fix these things likely won't be enough. If you block the NSA from getting the data from door number 1, they're already in doors numbered 2, 3, 4, 5 and 6. Not only does there need to be a full independent investigation of everything the NSA is doing, but we need to build much more secure systems at the same time.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Nov 1st, 2013 @ 4:20pm

    How anyone will want to do Internet business with an American company is beyond me now.

    I sincerely hope the very same corporations that will lose major sales will now turn to using the same lobbying tactics they use for 'ip' protection to put major pressure on the gov't to eliminate these programs.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, Nov 1st, 2013 @ 4:32pm

    Gotta figure

    They were probably doing all this prior to the Patriot Act as well - they just didn't want anyone to know, and the 9/11 incident gave them an excuse to pass some laws partially-legalizing the activities.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Nov 1st, 2013 @ 4:46pm

    As a target, I can tell you that you do not even have privacy in your own mind. I was targeted pre 911 and they left me lots of little hints that it was going to happen and then taunted me about it afterward in order to induce PTSD. There was nothing I could do to stop it of course, but some in charge are truly monsters. They kill us for power and control and then claim "democracy".

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Nov 1st, 2013 @ 4:54pm

    If course the DOJ will lie in court about how evidence was obtained.

    What we really need is legislation that prevents the NSA from bullying companies, and installing spyware on citizen's celphones.

    NSA couldn't break Google's SSL ciphersuit. So the NSA attacked it's unencrypted WLAN network instead.

    If the NSA can't break encrypted messages coming from your cellphone. Then they'll infect your cellphone with spyware, and read the messages after they've been decrypted by your phone.

    We need cellphones without proprietary backdoors built into the firmware and GSM/LTE modem drivers. That's the only way to stop the NSA from abusing the power it holds.

    Power sponsored wholly by our tax money. You wanna know why we're 16 trillion dollars in debt? Look no farther than the 1 million square feet Datacenter in Utah.

    Using our money to build spy centers, to be used against us! Plus handing hundreds of millions of tax dollars over to GCHQ and who knows who else. Probably Israel.

     

    reply to this | link to this | view in thread ]

  5. This comment has been flagged by the community. Click here to show it
     
    identicon
    Anonymous Coward, Nov 1st, 2013 @ 4:57pm

    Pretty weak argument, since it's known that NSA isn't actually effective.

    At least not for "terrorists" -- getting social trends and industrial espionage works pretty well. Of course, I've never accepted the premise that Schneier/Mike seem to here, that NSA is for keeping We The People safe: I've always regarded "our" gov't as the biggest and nearest threat to liberty, and spies as the worst types, explicitly out to steal liberty (and doesn't matter if they're "commercial" spies, either, they're all just creepy snoops). So, taking that view, the prosecutorial functions of NSA are so rare that building theory on that premise just flops. -- Where are these alleged court cases that justify all the trouble for "parallel" systems? It's a mere handful of patsies who were set up, at most.

    "...the NSA was actually probably happy that PRISM info came out first..." -- Oh, so you DO believe is a limited hangout psyop?

     

    reply to this | link to this | view in thread ]

  6. This comment has been flagged by the community. Click here to show it
     
    identicon
    out_of_the_blue, Nov 1st, 2013 @ 5:01pm

    Re: Pretty weak argument, since it's known that NSA isn't actually effective.

    Whoops. Forgot some clicks.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Nov 1st, 2013 @ 5:14pm

    Re:

    They don't need backdoors in the drivers for cellphones. They have SIGINT at the carrier level along with all your GPS data handed to them on a silver platter.

    They introduced weaknesses in SSL so none of that is safe either. But they don't need it at all since the companies just hand it over to them (or face a DOJ inquisition).

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Nov 1st, 2013 @ 5:39pm

    Welcome to the Police State of America. Where even your dog might be spied on. (well it's almost that bad)

    Evidence in one form or another just keeps coming about just how rabid the NSA has become. Problem with it is, the public is just getting the vanilla version. Each time there is a new revelation, you keep having to adjust your sense of how deep the rabbit hole goes. Since we're only getting minor pieces and the NSA is scared to death someone is going to do something about it, it really makes you wonder what they are afraid might be revealed next. None of it bodes well for the average citizen when it's government runs on hyped up paranoia.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Nov 1st, 2013 @ 6:41pm

    Re:

    Read PPD 20. It's not just the NSA. They are a scape goat too.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    vastrightwing, Nov 1st, 2013 @ 6:47pm

    Game Over

    As I learn more about the NSA scandal, I am drawing a line through the idea that the data collection is really about insider trading and being able to beat the odds betting on derivative instruments. If you look at a derivative in this way, it now becomes a weapon.

    Max Keiser explaining derivatives as a financial weapon:
    You swap assets in a bank in a foreign country that are collateral that you can use to build a sound economy with exploding financial derivatives that take down the country.

    Wikipedia cites this as a use for derivatives:
    Derivatives can be used either for risk management (i.e. to "hedge" by providing offsetting compensation in case of an undesired event, a kind of "insurance") or for speculation (i.e. making a financial "bet"). This distinction is important because the former is a prudent aspect of operations and financial management for many firms across many industries; the latter offers managers and investors a risky opportunity to increase profit, which may not be properly disclosed to stakeholders.

    It is the last part where the NSA comes in handy. By knowing things your opponents don't know, you can greatly increase the odds of winning a bet.

    This goes a long way explaining why the NSA wants to keep this so secret. It's about money, not terror. Once too many people find out the NSA is essentially a bet rigging device, it can no longer be used for such purposes. No one will want to play ball with us. The game will be over.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    vastrightwing, Nov 1st, 2013 @ 6:55pm

    Re: how deep the rabbit hole goes

    Seriously, do you want to consider just how deep the rabbit hole is? I'll go insane if I seriously contemplate that mental exercise. We only hear the stuff that's sanitized. I can't even imagine the stuff the media won't publish or doesn't know. Please bear with me as my mind freezes contemplating that idea.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    nubwaxer, Nov 1st, 2013 @ 7:04pm

    NSA

    the NSA is the perfect example of waste, fraud, and abuse.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Anonymous Coward, Nov 1st, 2013 @ 7:53pm

    Lavabit

    Lavabit springs to mind. If you have the backbone tapped and a Judge ordered the hand over of the keys, why would you need the box in the Lavabit network?

    You could go back and decode all previous traffic (they keep encrypted US traffic) and all future traffic anyway. Using their other taps.

    There's another point aswell. Google make great play of how low the PRISM numbers are, for Lavabit that number would be 1 request about 1 account, yet the way it was done it was 1 request about all accounts past and present and future.

    And a final point, if they tapped Google, their keys and other security info, might have been sent across that internal network and thus compromised too.

     

    reply to this | link to this | view in thread ]

  14.  
    icon
    bgmcb (profile), Nov 1st, 2013 @ 11:41pm

    The same

    Organization who's mission was to find out as much as possible about the Soviets is now doing the same to the whole world.
    The only limit then was their imagination, seems nothing has changed.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Nov 2nd, 2013 @ 2:30am

    Anyone else??

    Does anyone else here have any concerns that TD is now resorting to "Speculation", are there not enough facts and supportable evidence to make your case.

    Are we through the 'bottom of the barrel' at this point?
    Is it really necessary to "make shit up" as opposed to reporting on known facts.

    Once you degenerate to speculation you give up chance of being taken seriously. (not that that appears to be an issue here).

    Mr Masnick you must have posted this with the full knowledge that your disciples will take this as honest truth and not as a speculative opinion that it actually is.
    We also know that in future you will link back to this article and an indication of the truth of some future piece.

     

    reply to this | link to this | view in thread ]

  16.  
    icon
    Richard (profile), Nov 2nd, 2013 @ 3:20am

    Re:

    Welcome to the Police State of America. Where even your dog might be spied on. (well it's almost that bad)

    In the UK we're already there!

    http://actnowtraining.wordpress.com/2012/06/18/to-ripa-or-not-to-ripa-changes-to-council-surve illance-powers/

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Nov 2nd, 2013 @ 3:57am

    Re: Anyone else??

    "Is it really necessary to "make shit up" as opposed to reporting on known facts."

    Deduction is not the same as making shit up

    Schneier deduced that PRISM was used to pull stuff they already had in a more legal way. Given the new leaks that seems likely.

    It's always worth re-examining everything we know in the light of each new leak.

    For example, NSA can tap a phone based on an analysts opinion:

    http://news.cnet.com/8301-13578_3-57589495-38/nsa-spying-flap-extends-to-contents-of-u.s-pho ne-calls/

    Now of course we had Merkels phone tap, we can examine what authority is needed for that and whether the same authority covers anyone, even US citizens.

    You see how it works?

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Nov 2nd, 2013 @ 3:58am

    Re: Anyone else??

    He's quoting and discussing Schneier's speculation, mostly.

    What I find far more disturbing is this repeated insistence, even among NSA's critics, that there is somehow still something 'legal' about all of this. I.e.:

    'it does have at least some claims to being legal under Section 702.'

    There is nothing legal about anything the NSA has done and is doing. Stop furthering this lie. It's a lie and everybody knows it. There is nothing more violating of the 4th amendment than this. Ever. No, the discussion about whether or not something can be 'legal' without being constitutional is a non-discussion too. Stop it.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Anonymous Coward, Nov 2nd, 2013 @ 4:52am

    Re: Re: Anyone else??

    Also if you read the latest, Europes spying agencies were helped by GCHQ to get around the laws and oversight:

    http://www.theguardian.com/uk-news/2013/nov/01/gchq-europe-spy-agencies-mass-surveillance- snowden

    So NSA using the PRISM program to legalize stuff it got anyway through the hacking of Google(done offshore on the basis that the FISA court didn't have jurisdiction and so the FISA ruling could be ignored). That seems like the same thing, finding some way around oversight and pesky laws.

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Andy, Nov 2nd, 2013 @ 7:46am

    Bear in mind...

    You write that Bruce "speculates" this and that.

    But don't let the fool you. While he obvious always words his thoughts carefully unless he has in-your-face presentable hard proof of something, he is actually one of the few people who had direct access to selected parts of the leaked documents.

    He may be assuming and speculating, but all over the glogosphere he is probably the man with the very best positions to hit very close to home with his theorys.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Anonymous Coward, Nov 2nd, 2013 @ 10:19pm

    Re: Re: Anyone else??

    Speculation or deduction its all the same, its still 'making shit up', no matter what you label you put on it.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Anonymous Coward, Nov 3rd, 2013 @ 5:40am

    Re: Re: Re: Anyone else??

    At least Mike made it clear that this was "making shit up". The people you're defending make shit up and pretend they're not.

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Anonymous Coward, Nov 3rd, 2013 @ 6:56pm

    Re: Anyone else??

    You, as someone who regularly makes shit up, have really no grounds for complaint or criticism.

    Have a solar panel-powered DMCA vote, darryl, and shove that up your broken little ass.

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Pragmatic, Nov 4th, 2013 @ 3:45am

    Re: Game Over

    Okay, that's scary. But why spy on the rest of us?

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous Coward, Nov 4th, 2013 @ 4:59am

    Re: Re: Re: Anyone else??

    There is a big difference. Speculation and deduction based on known facts that are openly identified as such are hallmarks of critical thinking and are valid until they are disproven. Making shit up is simply stating stuff as fact that is often based on nothing.

     

    reply to this | link to this | view in thread ]

  26.  
    icon
    John Fenderson (profile), Nov 4th, 2013 @ 8:58am

    Re: Anyone else??

    that your disciples will take this as honest truth and not as a speculative opinion that it actually is.


    Because insulting the intelligence of your audience really helps you make your case.

     

    reply to this | link to this | view in thread ]

  27.  
    identicon
    Andre Brisson, Nov 4th, 2013 @ 11:49pm

    Schneier How is it he leads the most important debate on democracy?

    http://wnlabs.com/news/SlashDot_integrity_2.php

    The public should question the real motives of Eric Snowden and Bruce Schneier as well as NSA

    By Richard H.L. Marshall, former Director of Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security (DHS) and
    André Brisson, founder Whitenoise Laboratories Canada Inc.

    Washington D.C. USA, Geneva, Switzerland and Vancouver, BC Canada – Almost daily, Mr. Bruce Schneier has generated incessant buzz about privacy and the National Security Agency (NSA) on his blog. From the sheer volume of his self-proclaimed insight and that of his sycophants, he would have us believe, like Chicken Little, that the sky is falling.

    It appears that one of the sources of Mr. Schneier’s information are documents leaked by E.Snowden, fugitive American living in Russia and former contractor with Booz Allen Hamilton, and Glenn Greenwald, a journalist who worked with Mr. Snowden. Mr. Schneier’s intentions clearly have nothing to do with his convictions about privacy, as much as business and profit motives. It must be emphasized that blogs are not journalism: they are marketing tools specifically designed to try to sell a product, not to get to the truth.

    Weeks of research regarding Mr. Schneier’s claims have highlighted one of the most frustrating problems with the internet age. Because virtually anyone lacking serious journalistic credentials can, and often does, write or post freely on any subject, the resulting sheer volume of information available may lead people to believe that the reporting is even-handed and well-researched. Unfortunately, in many circumstances nothing can be farther from the truth.

    We are currently wrestling with the wrongly defined issue of Privacy versus Security. Rather we should be asking ourselves how we balance Privacy AND Security. They are not mutually exclusive.

    Balancing privacy and security is one of the most pressing issues of our age, with far-reaching impact on democracy. It is also ever changing and evolving in real time, in response to terrorists, criminals, and dangerous malcontents. Because the very information analyzed and evaluated may result in policy, it absolutely demands that such information be subject to the highest and most stringent scrutiny and as such, deserves to be evaluated and vetted by verified experts, politicians, business leaders, and citizens with proven track records of integrity, honesty, and true concern for the public interest. It should not be done by those with a history of practicing self-interest over privacy and security.

    For many weeks, it has been noted that volumes of proselytizing and dissemination of “opinion-as-fact” come from unverified information through Mr. Schneier’s self-promoting blog, other blogs and various online sites, such as gamer’s sites, of unknown, dubious reputation and/or expertise in the critical areas of cryptography and privacy and not from reputable publications as The New York Times or The Washington Post.

    Mr. Schneier decries the NSA and mandated law enforcement agencies empowered by our laws. Yet, Mr. Schneier’s track record shows, significantly, that at least twice over the last decade he has turned a blind eye to workable security (but he complains about privacy.) He has actively engaged in disparaging workable security and communications for his own benefit, and most callously, withheld this information from both his readers and his current employers.

    As citizens and through our elected officials, we empower politicians with the creation of agencies and tools that are designed to protect us from the aforementioned threats. The system is not perfect, and must be updated and adjusted as times, technology and threats change. But we are all endangered if these various public servants are hobbled and cannot do their job. This is why Bruce Schneier’s style of journalism and lack of scientific integrity is dangerous.

    The primary cause for drifting a bit from original mandates of our law enforcement and defense agencies is a product of rapidly changing technology, the sheer volume of communications, and the exploding threats environment. These agencies have been pressured to react faster than policy can adapt. Part of the answer lies in using the improved security technology we have available to combat the fatal flaws of public key and asymmetric network systems and the algorithms that are currently used to encrypt our data. The other part lies in following the existing FISA protocols currently in place and improving them as need dictates to insure that telecommunication providers, law enforcement and intelligence agencies interface with the LAW and follow the spirit of our constitution as intended.

    In conclusion, as we best try to answer the most pressing question of our day, “How do we balance between Privacy and Security?” we believe that a key element of serving our democracies is the judicious evaluation of information written by true journalists using properly researched and sourced information and publishing them in reputable publications without hidden agendas. The collective conversation should not ping pong between extreme positions but rather recognize that privacy and security are both demanded by the constitution. With new technologies and considered thinking, privacy and security can be balanced and achieved easily and inexpensively.

    Learn more about Bruce Schneier’s current track record through “The Challenge That Black Hat Would Not Take but DEFCON Did” at: http://wnlabs.com/news/challengeDEFCON.php and http://wnlabs.com/news/Schneier_Challenge_Clock.php.

    Learn more about Bruce Schneier’s past track record at: http://www.wnlabs.com/WhitenoiseSecurityChallenge/ and The History of Whitenoise Can't Be Broken

    For more information contact Richard H.L. Marshall at E-Mail: rmarshall@wnlabs.com
    or visit: www.wnlabs.com

    Mr. Marshall previously was a member of the Senior Cryptologic Executive Service (SCES) and the Defense Intelligence Senior Executive Service (DISES). He was the Director of Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security (DHS) by special arrangement between the Director, National Security Agency (DIRNSA) and the Secretary of DHS. Within DHS he directed the National Cyber Security Education Strategy, the Software Assurance, the Research and Standards Integration, and Supply Chain Risk Management programs. He was previously the Senior Information Assurance (IA) Representative, Office of Legislative Affairs at the National Security Agency (NSA) where he served as the Agency's point of contact for all NSA Information Security (INFOSEC) matters concerning Congress. He devised the IA legislative strategy, helped shape the passage of the revised Foreign Intelligence Surveillance Act and was a key contributor to the Bush and Obama administration's Comprehensive National Cyber Security Initiative (CNCI).

    André Brisson conceived Whitenoise and founded Whitenoise Laboratories Canada Inc. (WNL) to exploit revolutionary and patented security technology. He was listed by the White House Office of Science and Technology Policy and the first US National Cyber Leap Year Summit as belonging in the top 100 cyber security and cryptography experts.

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    Anonymous Coward, Nov 8th, 2013 @ 2:18am

    Re: Schneier How is it he leads the most important debate on democracy?

     

    reply to this | link to this | view in thread ]

  29.  
    icon
    The Wanderer (profile), Nov 9th, 2013 @ 10:49am

    Re: Schneier How is it he leads the most important debate on democracy?

    We are currently wrestling with the wrongly defined issue of Privacy versus Security. Rather we should be asking ourselves how we balance Privacy AND Security.
    That's not the correct question either.

    The correct question would be something more like "how can we best achieve security without sacrificing privacy?", and/or "how much security can we achieve without sacrificing privacy?".
    They are not mutually exclusive.
    When security is done right, this is true.

    However, doing security right (i.e. in a way which does not compromise privacy) is much harder than doing it in a way which does compromise privacy - and so unless there is heavy, constant pressure put on those trying to provide security, they will always tend to sacrifice privacy in the name of security.

    Phrasing the issue in terms of a "balance" leads to questions like "How much privacy should we give up for security?", which is a false equivalency; giving up privacy does not always (or even necessarily often) lead to security, and it is possible - as you note - to achieve reasonable, meaningful security without compromising privacy.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This