by Mike Masnick
Tue, Jul 16th 2013 2:43am
by Tim Cushing
Mon, Jul 8th 2013 2:21am
Former NSA Director On Privacy Vs. Security Balance: Would 'Shave Points' Off Effectiveness For 'Public Comfort'
from the meeting-the-public-halfway...-to-a-couple-of-percentage-points dept
The administration, various members of Congress and heads of security agencies all agree: there must be a balance between security and privacy. The defenders of the NSA's actions all seem to agree the balance should swing heavily in the favor of 'security.' Obviously, many of our nation's citizens (and now, many citizens of our allies' nations) disagree.
Obama has said that he "welcomes the debate" on these issues, but so far has done little to dispel the notion that "debate" is just administration-specific slang for "regurgitate talking points and safety v. privacy platitudes."
Does the NSA welcome this debate? It's highly doubtful it even considers there to be room for argument, much less be willing to cede ground to privacy concerns. Every bit of data harvesting and surveillance makes everyone that much "safer," according to its claims. Surely the security of the American people (and the agencies themselves) is more important than the comfort level of the public.
Former CIA and NSA director Michael Hayden certainly believes it is. But unlike the current head of the NSA, Hayden is willing to tweak the all-important balance if that will make everyone a tiny bit happier.
Today on Face the Nation, former CIA and National Security Agency Director Michael Hayden was talking to Bob Schieffer about the most recent round of surveillance revelations. Schieffer said it sounded like Hayden thought maybe the government should go public with at least some of the information it’s been keeping secret. Hayden’s reply:
"Here’s how I do the math. I’m willing to shave points off of my operational effectiveness in order to make the American people a bit more comfortable about what it is that we’re doing."
Perhaps Hayden's more willing to "shave points" now that he's no longer in the position to make that call. Anyone can cede anything in a hypothetical situation. It's rather telling that so little is being hypothetically ceded, post facto.
Hayden had much more to say in his Face the Nation interview, most of which sounds like he'd rather still be in the thick of it at the NSA and CIA. He addresses the European reaction to news that the US has been surveilling our overseas allies by deflecting the argument in two different directions.
"Any European who wants to go out and rend their garments with regard to international espionage should look first and find out what their own governments are doing," Hayden said. "Let's keep in mind that in a global telecommunications infrastructure, geography doesn't mean what it used to mean. ...The Internet lacks geography, so I wouldn't draw any immediate conclusions with regard to some of those numbers that have been put out there as to who's being targeted and who isn't."
1. It's OK because everyone else is doing it.
2. It's OK because technology has rendered borders and other geographic designations meaningless.
First, even if everyone else is spying on everyone else, it still doesn't make it acceptable. It just makes everyone look equally bad. And while it may be commonplace behavior for the world's spy agencies, it's hardly going to help smooth things over for the NSA, or the USA, for that matter. As for the second deflection, Hayden seems to be saying that the NSA's actions occur neither at home nor abroad since it relies heavily on internet and telephone surveillance. This allows the terms "domestic" and "foreign" to be used interchangeably at the agency's convenience.
Unsurprisingly, Hayden also feels Snowden isn't being pursued aggressively enough.
"The president is trying to limit diplomatic, and perhaps even political, damage. But the leadership of the American intelligence community has caused damage from these leaks so far - and it's very clear there's going to be some more here - so far have been significant and irreversible. That's a big deal."
I have no doubt the damage is "significant and irreversible" but I'm pretty sure Hayden and I would disagree on what's been damaged. If it's the reputation of these agencies, the administration and the US in general, then yes, the damage is significant and irreversible. If it's our safety/security/anti-terrorism efforts, then I have my doubts, especially as many of these leaks indicate the NSA's actions are nothing more than wholescale surveillance deployed whenever and wherever possible. There's very little that indicates a targeted approach to fighting terrorism.
Some may construe Hayden's point shaving as a gesture (albeit meaningless in his position) towards openness, but it simply follows the administration's attitude towards transparency: make big promises, deliver next to nothing, and when it comes to privacy vs. security, give the public an inch while the agencies roll up the miles.
by Mike Masnick
Tue, Jun 25th 2013 10:57pm
from the that's-not-going-to-work dept
As regards protecting "white hat hackers" as integral part of the internet's immune system we managed to achieve a very weak recital (6a bis) compared to the initial LIBE orientation vote. It is made clear that reporting of threats, risks, and vulnerabilities is crucial and needs incentives. The crucial last sentence, however, is not clear enough and far away from creating obligations for member states... Therefore there is no serious protection for white hat hackers who find vulnerabilities in other peoples' information systems and report them. We did however start a debate at all and getting the whole EP united behind this.
[....] We managed to get a number of important safeguards in, and the fundamental debate on better IT security is opened. However the directive is in many ways worse than the old framework decision. Higher penalties and the criminalisation of more practices and even tools not only mainly symbolic, but even risks criminalising well-intended "white hat hackers" and curious teenagers. The problem was Council and a too weak negotiation strategy of the rapporteur at the very end.
From the details of the directive that came out, it appears that not many of these flaws have been fixed. Jan Philipp Albrecht, who was a part of the effort, clearly is not at all happy with how it came out:
But Albrecht attacked the directive, saying, "The legislation confirms the trend towards ever stronger criminal sanctions despite evidence, confirmed by Europol and IT security experts, that these sanctions have had no real effect in reducing malicious cyber attacks.
"Top cyber criminals will be able to hide their tracks, whilst criminal law and sanctions are a wholly ineffective way of dealing with cyber attacks from individuals in non-EU countries or with state-sponsored attacks.
"Significantly, the legislation fails to recognise the important role played by 'white hat hackers' in identifying weaknesses in the internet's immune system, with a view to strengthening security.
This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals.
"The result will leave hardware and software manufacturers wholly responsible for product defects and security threats, with no incentive to invest in safer systems."
The equation here is pretty simple. Simply ratcheting up punishment does little to stop malicious hacking, as hackers rarely expect to get caught. So it does little to nothing to actually help stop online crime. What does help is having security researchers and others exposing and fixing vulnerabilities. But, if you create massive new penalties for "cybercrime" and make the rules amorphous enough that those security researchers may get charged under them for trying to help, you do create fewer incentives for them to actually help.
End result: more malicious hacking, and fewer people willing to actually help protect and fix vulnerabilities.
That's not good for anyone. But, it fits with the technically clueless "law enforcement above all else" mentality we see too often in government these days, which seems to think that "great enforcement" and "greater punishment" is the answer to any wrong, no matter how much evidence suggests that's untrue.
by Mike Masnick
Fri, Jun 21st 2013 7:39pm
from the quite-a-difference dept
This administration puts forth a false choice between the liberties we cherish and the security we provide.
But as President, he says (while rolling his eyes -- the video is incredible):
You can't have 100% security... and then also have 100% privacy and zero inconvenience.... We're, we're going to have to make some choices.
As a candidate:
I will provide our intelligence and law enforcement agencies the tools they need to take out the terrorists without undermining our Constitution and our freedoms. That means no more illegal wiretapping of American citizens. That means no more national security letters to spy on Americans who are not suspected of committing a crime. No more tracking citizens who do no more than protest a misguided war. No more ignoring the law when it is inconvenient. That is not who we are. That's not what is necessary to defeat the terrorists.
As President, he talks vaguely about how his team made an "assessment" and that these programs keep people safe, and "in the abstract" people might claim these programs are "Big Brother" but he thinks there's a "balance" to be struck. It's funny how different dictatorial surveillance powers look when you're the guy in charge of them.
Fri, Jun 21st 2013 12:32pm
from the the-balance-sheet dept
As the national discussion about the NSA's secret domestic spying program rolls along, revelation has given way to a vast splintering of argument. By that I mean, the shock of the discovery has since devolved into various discussions about whether the program was needed, what checks and balances oversee it, and how effective it has been. Case in point, the NSA sent Keith Alexander to the Hill with claims that fifty terrorist plots have been thwarted by the program, arguing that keeping Americans safe and alive is all the justification needed for such an endeavor. As some have noted, this is a clear attempt to shift the argument from one of principle to an actuarial one.
Alexander and other witnesses before the House Intelligence Committee made sure to highlight key details of these foiled attacks. Understandably so: The more we focus on the program's successes, the less harshly we might be inclined to judge its alleged excesses. But what exactly is the tradeoff being made here, and how do these revelations address concerns about the potential for NSA over-spying?
That is indeed the question, is it not? Particularly in light of President Obama's assertion that any over-spying in question would be deemed illegal by the government. The same government, mind you, that is committing the illegal acts themselves under the purview of a secretive agency, discussed in secretive committees, and codified by a secretive court. That's the kind of oversight one might call Stalin-esque. As the National Journal rightly continues:
That any abuse of the system would be treated after the fact as a crime doesn't do anything to assuage Americans worrying that the crime is possible in the first place. It's also not outrageous to say, as my colleague Conor Friedersdorf does, that the tradeoff we've made between liberty and security is out of balance, and that maybe we've let our fear of terrorism get the better of us.
Except that statement is lacking. We're still functioning on a balance sheet, where the concern is how much freedom we're abdicating for security, rather than if we're abdicating any at all. It's a losing argument that leaves the tyrannical door open to feature creep, secrecy without oversight, and a patient stalking of public apathy. The fact of the matter is that the basic concepts of freedom cannot be done half way. This isn't a call for anarchy. We do have certain fundamental rights codified by one of the most ingenious documents ever devised and any creep against them is an affront to what generations long past did for us today.
I would argue that what's needed, instead of the wishy washy arguments for the balance sheet, is for a more frank, stark, and even frightening position to be taken. One of the most under-quoted lines from Thomas Jefferson is:
"Rightful liberty is unobstructed action according to our will within limits drawn around us by the equal rights of others. I do not add 'within the limits of the law' because law is often but the tyrant's will, and always so when it violates the rights of the individual."
Were there a more apt counter-example of Jefferson's concept of liberty than the NSA's domestic spying program, it would involve actual weaponry. His words come from a time when our leaders were brave. They say, essentially, that no quarter will be given to the shaving of liberty under guise of legal justification. I would add to Jefferson's quotation only that the limits of justification should also be ignored.
So, with that, I would suggest the more extreme position we should all be taking is simply that we're willing to accept fear, injury, and even death at the hands of enemies in exchange for the return of our freedom. While I happen to think the threat of international terrorism is real but overblown, I would be willing to accept that same trade were it not overblown. I'm willing to state for the record that it is not only my life I'm willing to trade for freedom from intrusive government, but on principle I would have to accept the loss of safety to my family's lives, my friends' lives, and all of yours as well. "Give me liberty or give me death", as Patrick Henry famously said, but it apparently needs to be repeated. This isn't some silly call to armed revolution, of course, only a willingness, nay, an eagerness to prefer dangerous liberty over safety in the arms of government intrusion.
by Glyn Moody
Tue, Jun 18th 2013 1:38am
from the maybe-not-the-real-problem dept
The revelations of Edward Snowden about the NSA's snooping of citizens both inside and outside the US are posing more questions than they answer at the moment. One key area is whether the use of encryption -- for example for email -- is effective against the techniques and raw power available to the NSA (and equivalents in other countries). That's something that has come up before in the context of the UK's Snooper's Charter. When a top official there was asked whether the proposed surveillance technology would be able to cope with encrypted streams, he replied: "it will." Snowden's claims about massive, global spying make the issue even more pertinent.
Here's one view, from Germany. Politicians from the Die Linke party posed a number of questions to their government on the subject of the latter's use of surveillance techniques (original PDF in German). Most of the answers were the kind of thing you might expect -- "we can't possibly go into details" etc. etc. -- but one was surprising. To the question:
Is the technology used also capable of decrypting at least partially, or evaluating, encrypted communications (eg via SSH or PGP)?
Back came the answer:
Yes, the technology used is generally able to do that, depending on the type and quality of the encryption.
But Edward Snowden doesn't agree. When he was asked in an online Q&A session on the Guardian Web site the following question:
Is encrypting my email any good at defeating the NSA surveillance? Is my data protected by standard encryption?
He replied:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
In discussions about the German government's claim that it can crack encryption in certain circumstances, some suggested that maybe it could -- not directly, but using the malware that Techdirt has written about before. So even if the question as to the efficacy of encryption itself is still rather up in the air, there seems to be a consensus that the real weakness lies in letting people gain access to your system.
by Mike Masnick
Fri, Jun 14th 2013 6:58am
from the whoa dept
The report names one major participant: Microsoft:
Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
That's fairly incredible. You'd expect Microsoft and other tech companies to be focused on fixing the bugs first, not letting the NSA exploit the vulnerabilities on foreign computers.
The same report, once again, implicates the big telcos for their cushy relationship with the intelligence community -- in which the telcos willingly and voluntarily hand over massive amounts of user data. There's no oversight here, because the telcos apparently have no problem dismantling the privacy of their users.
Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.
In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.
The article later notes that the big telcos -- AT&T, Verizon, Sprint, Level3 and CenturyLink -- have all agreed to participate in a program called Einstein 3, which analyzes metadata on emails, but that all of the companies asked for and received assurances that participating wouldn't make them liable for violating wiretapping laws.
Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc (VZ)., Sprint Nextel Corp. (S), Level 3 Communications Inc (LVLT). and CenturyLink Inc (CTL). -- asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.
Suddenly the "blanket immunity" clauses in CISPA make a lot of sense. The whole point of CISPA, it appears, is to further protect these companies when this kind of information comes out.
by Glyn Moody
Fri, May 31st 2013 12:33pm
from the how-daft-can-you-get? dept
One of the key flaws with the data retention schemes being proposed by the UK and elsewhere, supposedly to catch terrorists and serious criminals, is that they won't work. It is trivially easy to avoid surveillance by using encrypted connections, for example those provided by The Onion Router (Tor). This means that the only people who are likely to end up being spied on are innocent members of the public.
According to this article in Crikey, the secret services in Australia have apparently woken up to this fact; but rather than convince their government that data retention is therefore an expensive and intrusive waste of time, they have decided to take the damage to the next level:
In a major admission, the Attorney-General's Department has revealed Australia's intelligence and law enforcement agencies are seeking the legal power to break into internet routing encryption services such as Tor, after admitting the centerpiece of its proposed national security reforms, data retention, will be "trivially easy" to defeat.
This is, of course, an incredibly stupid idea, for reasons that one of Tor's developers, Jacob Appelbaum, explains well in the Crikey piece:
"If they wish to break such [encrypted] services, they ensure that when they use such services, they will also be insecure -- this ensures again that only criminals will have privacy, regular people -- including the police fighting crime -- they will be left out of having strong privacy. This opens business people up to industrial and economic espionage. It also promotes the idea that to make ourselves more secure, we should weaken our networks and add the very backdoors that most attackers work day and night to create," he said.
The plan to create detailed, centralized stores of high-value information about people's Internet and telephone usage already exposes the public to an elevated risk of having personal information accessed and misused. Moving beyond that to break key encrypted Internet services like Tor and virtual private networks (VPNs) would deal another serious blow to online privacy and business confidentiality.
by Tim Cushing
Tue, May 14th 2013 8:44am
from the adding-up-wrongs-to-make-a-right dept
The US government is waging electronic warfare on a vast scale — so large that it's causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, Reuters reports.
Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say this move to "offensive" cybersecurity has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.
"If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users," Clarke told Reuters. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."
I'm not sure how increasing user vulnerability helps win a cyberwar, but no doubt any home team casualties will be written off as sacrifices for the greater good. Even more troubling than the government's willingness to sacrifice security for security (??) is the fact that it's unwilling to share this information. What good are those provisions in CISPA and President Obama's recent cybersecurity executive order about the government sharing cybersecurity info with companies, if the government hoards the information for their own hacking purposes? More details from the Reuters report.
Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.
When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.
Is it any surprise the public distrusts the government? It claims to be fighting a cyberwar in order to make us more secure and yet, when it goes on the attack, it values its own secretive efforts over the security of the public.
As the government purchases more of these exploits to help fight its cyberwar, the lines on the battlefield are continuously redrawn and obscured. Buying exploits from independent hackers leaves them free to sell to other high bidding countries when not using the exploits themselves. This arms race also creates a perverse set of incentives. As the demand for new exploits increases, security companies and contractors that used to release information to those affected are now keeping their discoveries to themselves to preserve "market value."
The Reuters report also notes that this new breed of security contractor is offering up, among other things, keys to criminal botnets. Endgame, a heavily funded tech startup with close ties to the intelligence community, is more than willing to hand over control of thousands of zombie computers for the right price.
Some of Endgame's activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal "botnets" - networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.
The point was not to disinfect the botnet's computers or warn the owners. Instead, Endgame's customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.
So, we're engaged in a cyberwar that's going to help us by hurting us, is that it? I understand that no one wants to be outgunned when facing the enemy, but what's being detailed here looks like a whole lot of collateral damage in the pursuit of unattainable goals. The same exploits will be used on both sides of the battle, and with end users and the companies they rely on being cut out of the loop, it will be the civilians who fare the poorest. We'll just be asked to pretend the government's saving us from something even worse.
from the government-created-'ad-blindness' dept
David Henderson, writing for Econlog, suggests that years of government-mandated warnings are resulting in a sort of "warning blindness" in Americans. He begins by discussing California's infamous Proposition 65, a law that requires warning labels to be affixed to any product that might possibly contain chemicals the state has determined "cause cancer, birth defects or other reproductive harm." Like any bit of overweening governmental concern, it has its heart in the right place. In practice, it's a nightmare.
Nearly every product sold in California contains this warning label. And it's not just products. A majority of businesses in California feature signage containing this warning. (One example: a parking garage may have to post the warning sign because of the exhaust cars produce.) This has led to Californians ignoring the label completely, even if the product in question actually contains harmful substances. Why? Because the warning label is omnipresent. If something's everywhere, on everything, it's obviously meaningless. (The old adage: if everyone's special then no one's special applies here.)
Californians have learned to ignore Proposition 65 labels because they are white noise: they don't communicate anything about degrees of danger or probabilities.
The problem here is created by the government itself. By declaring a majority of places and products "dangerous," it has lessened the effectiveness of the labels. This sort of self-defeating behavior goes much further than product labeling. It also carries over into other areas controlled by the government, undermining various agencies' non-stop efforts to portray this country as being in imminent danger at all times.
When I went through the San Jose airport Saturday morning in a long line at TSA, we passengers were subjected to John Pistole's warning, on an infinite loop, of the dangers of terrorism. We've all seen enough to know that it's not that dangerous. So we tend to ignore government warnings.
The government wants to be taken seriously and yet, it can't help but get in its own way. It gets in its own way because it wants to micromanage the lives of Americans. It loves control. It "knows better." On the rare occasion the government has something important to communicate, it can't find many people willing to grant it much credulity.
So when there really is a high-probability threat and the government warns us, we tend to dismiss that too. Government cries wolf way too often.
If the Homeland Security Advisory System moves from "elevated" to "high," is that up or down in terms of severity? Does anyone outside of the DHS know or even care? If we suddenly went to "severe," would it affect the daily lives of Americans outside of more hassles at airport checkpoints? The public doesn't really seem to know what these phrases mean in terms of an actual threat. And most Americans have long since stopped caring about "yellow alerts" or "orange alerts." It's meaningless and it conveys no useful information.
How meaningless? The alert system has never dropped below Yellow ("Heightened" [as compared to what?]) in its existence. (We have always been at war with terror.) In fact, a 2009 Task Force report suggested removing the two lowest tiers and making "Heightened" the baseline. If that's the baseline, then the government has won and the terrorists have won. Americans will remain awash in a sea of government-generated ambiance just loud enough to be noticeable but not annoying enough to grant it their full attention. It's a steady supply of junk "info" that generates resigned complacency, rather than heightened vigilance, and it does little more than make the government feel better about its monotonous efforts.