by Mike Masnick
Fri, May 9th 2014 7:50am
by Mike Masnick
Tue, May 6th 2014 9:58am
from the depends-on-what-'measure' dept
“I tell the [NSA] workforce out there as the new guy, let’s be honest with each other, the nation has lost a measure of trust in us,” Admiral Michael Rogers told a Women in Aerospace conference in Crystal City, Va.
"A measure of trust." I guess that depends on exactly what "measure" you're talking about, but I'd start with a fairly large one, and then go up from there. And then up some more.
In the future, he said, “If we make a mistake, you will hear about it. That’s my job as director and I have no problem with it. ... We are not going to hide our mistakes.”
Yes, the director of the agency which once denied its own existence and was referred to as No Such Agency is claiming the agency won't hide its mistakes? Pretty much the only thing that the NSA does is hide its own activities. That's its core competence. Hiding everything that it does, which all too frequently includes its mistakes.
“The whole media leaks issue as we call it, has caused quite a stir,” said Rogers, who was sworn in as director of NSA and assumed command of U.S. Cyber Command at the beginning of April.
"Lost a measure of trust," "media leaks issue," "quite a stir." Yes, Admiral Rogers is the master of the understatement.
And, for all the talk about how the NSA won't hide from its mistakes, rather than taking responsibility for its mistakes, Admiral Rogers takes the easy way out: blame the media!
Rogers didn’t lay complete responsibility at the doorstep of the NSA: He blamed public mistrust on the way the news media had framed the issues raised in the Snowden revelations.
That's a joke?
“From my perspective the debate and the dialogue to date have been very uneven,” he said.
“Your neighbors are saying to you: ‘Man, I’ve been listening about you on the TV and reading about you in the papers and I had no idea what a bad person you are,’” he joked.
He said the NSA and its staff had to work to “earn and sustain” Americans’ trust, but could not be too open about the work of the ultra-secret agency, which specializes in electronic eavesdropping and other surveillance using the latest high technology.
Wait. I thought he was just saying that the NSA wouldn't hide from its mistakes any more (note that he has still yet to admit to a mistake, but instead, blamed the media for everything).
“I believe in transparency and I will be as transparent as possible, but I also have to be mindful that in doing so I cannot undermine the specifics of what we’re doing” to protect the country, he said.
So, he doesn't know how to be transparent, but he believes in transparency.
“To do that [be transparent] I have to get out of my comfort zone,” he acknowledged. “I have to walk that tightrope.”
To sum up, Admiral Rogers appears to be saying that the NSA lost some trust because of a "media leak" which caused "a bit of a stir," and because of that he's going to embrace transparency and not hide from his mistakes. But... at the same time, he won't admit to a single mistake, and it's really all the press's fault for misreporting on things that need to be kept secret. And, also, he believes in transparency so much that he admits he isn't comfortable with transparency, and if he's actually transparent, we might all die.
That's not exactly going to win back any of the "measure" of trust the NSA lost there...
by Mike Masnick
Tue, Apr 29th 2014 11:01am
from the overreacting dept
First, the whole "desperation" argument is really somewhat nonsensical. You could make the same argument about any major cultural or economic shift in history if you wanted to. Did mass production and the industrial age come about because of desperation? Why, yes, you could show how that's the case as well. But it still created tremendous benefits around the globe and created tremendous progress (even for those who were desperate). I mean, you could equally argue that nearly all work is the result of desperation. If you don't have a job and aren't independently wealthy, you're pretty desperate for a job. But we don't automatically argue that all economic productivity is because of desperation.
Second, the whole "trust" issue is overstated in the Wired article. Even the article itself notes that studies show that Americans actually trust each other a lot less today than in the past (potentially for good reason). And that's because people seem to be confusing general trust with specific trust. What these services enable are ways to have a better sense of who you can trust. In fact, you could argue that what these services have done is help show who you can trust within an inherently untrustworthy population.
But my major takeaway from this argument is that both sides are missing the larger point of why this is so important. Just recently, we were discussing Jeremy Rifkin's new book, in which he argued that this is actually the beginning of an entirely new economic paradigm that eclipses capitalism. But, as I argued in the piece, I think it's just a much more true form of capitalism that allows for much more efficient uses of resources for everyone -- and that's regardless of whether or not there's more trust or desperation in the system.
Prior to industrialization, trust was more prevalent, in part because you would have many, many interactions with the same small group of people. You didn't deal much with outsiders, and tended to know the people you dealt with on a regular basis. That engendered trust, because relationships were built, and you knew that abusing trust would come back to bite you in future interactions. With industrialization and urbanization, some of that trust broke down, because you no longer only dealt with a close-knit community of folks over and over again. You had many more transactions where you likely would never deal with the counterparty ever again -- opening up a lot of opportunity for fraud and scams. Like in the classic Prisoner's Dilemma experiment -- when it's run only once, people tend to cheat. When you know it'll be run many times over, people learn to "trust" each other, because it leads to much better long term outcomes.
So, without those regular interactions with the same kinds of people, government often stepped in with regulations to try to effectively force a more trustworthy framework on the world. You had health inspectors for food, safety regulations for work, general regulations on hotels and taxis and a variety of similar laws -- all designed to make sure that these kinds of transactions, which are generally one-offs, can be trustworthy and safe. Given the overall world they existed in, those regulations made perfect sense.
However, as is often the case in a regulatory environment, they also introduced certain inefficiencies in the process, making running those businesses more expensive, locking in certain (perhaps less-than-efficient) business practices, and often keeping out new upstarts and innovators. As we've seen, over time, incumbents (despite claiming to hate regulations) will often embrace such regulations because they keep out competitors.
So here's where the interesting shift has come into play. Things like Lyft and AirBnB are using a combination of transparency and information to create systems that allow for both the more efficient use of resources and making transactions more trustworthy even without making use of those regulations. This freaks some people out and it clearly does not always work perfectly. But, on the whole, it has created some really amazing new opportunities on both sides of the markets, in which greater information transparency steps in and provides a better solution to legacy regulations, with significantly less overhead. That's freeing up economic resources by increasing efficiency in a really compelling way.
And this is why the traditional players, who had embraced the regulations wholeheartedly, are so pissed off. It does seem unfair that AirBnB can effectively compete with hotels without complying with hotel regulations. But part of the reason it does so is that the system that AirBnB has created doesn't need those kinds of regulations. While it's just anecdotal, my own experience using AirBnB has consistently resulted in a much better experience than at hotels, and one where that kind of trust that is built up matches much more with the pre-industrial version. As an example, I'm actually Facebook friends with one AirBnB host whose apartment I used once, and I will likely stay at his place again in the future. He didn't join AirBnB out of desperation, but because to him it's a great way for him to run his own business, which he's always wanted to do.
Thus, I think arguing over whether or not these services have increased trust or are a result of desperation is sort of a meaningless argument. It's happening one way or the other. What's much more interesting about this is how it's actually opening up all sorts of new efficiencies and economic opportunities for everyone -- and doing so by using information to show why old regulations, no matter how much they made sense at the time, may be inefficient and obstructionist today.
by Mike Masnick
Tue, Apr 15th 2014 5:16am
from the didn't-think-so dept
by Mike Masnick
Wed, Apr 2nd 2014 10:00am
Member Of Intelligence Review Group Tells NSA: You Guys Have Done Amazing Work Protecting America... And Should Never, Ever Be Trusted
from the quite-a-speech dept
Apparently he was recently asked to go speak to NSA staffers at NSA headquarters in Fort Meade about the work he did for the panel, and he's released his entire speech. It's an interesting read. It opens with him explaining his long-standing and strong commitment to civil liberties, noting his connection to the ACLU and that he's been a long-term skeptic of the NSA. He then goes on for most of the speech to talk about how the investigation by the review panel opened his eyes to recognizing that the NSA actually had done some really amazing and important work in stopping terrorists, and similarly that it really did seem committed to protecting Americans -- including their civil liberties.
Instead, he pointed out that the real issue was not the people of the NSA, but the Executive Branch and Congress expanding what the NSA was able to do:
The Review Group found that many of the programs undertaken by the NSA were highly problematic and much in need of reform. But the responsibility for directing the NSA to carry out those programs rests not with the NSA, but with the Executive Branch, the Congress, and the Foreign Intelligence Surveillance Court, which authorized those programs -- sometimes without sufficient attention to the dangers they posed to privacy and civil liberties. The NSA did its job -- it implemented the authorities it was given.
But, he now has changed his opinion on the NSA, saying that it has been unfairly demonized:
It gradually became apparent to me that in the months after Edward Snowden began releasing information about the government's foreign intelligence surveillance activities, the NSA was being severely -- and unfairly -- demonized by its critics. Rather than being a rogue agency that was running amok in disregard of the Constitution and laws of the United States, the NSA was doing its job.
In the end, however, Stone points out that even as he was impressed with the professionalism and the values that the employees of the NSA held, they should not be trusted:
It pained me to realize that the hard-working, dedicated, patriotic employees of the NSA, who were often working for far less pay than they could have earned in the private sector because they were determined to help protect their nation from attack, were being castigated in the press for the serious mistakes made, not by them, but by Presidents, the Congress, and the courts.
To be clear, I am not saying that citizens should trust the NSA. They should not. Distrust is essential to effective democratic governance. The NSA should be subject to constant and rigorous review, oversight, scrutiny, and checks and balances. The work it does, however important to the safety of the nation, necessarily poses grave dangers to fundamental American values, particularly if its work is abused by persons in positions of authority. If anything, oversight of the NSA -- especially by Congress -- should be strengthened. The future of our nation depends not only on the NSA doing its job, but also on the existence of clear, definitive, and carefully enforced rules and restrictions governing its activities.
This is a really good point in many ways. One can argue over the various efforts and authorities, and whether or not they're legal. But, the issue is definitely targeted at the top -- and that includes not just the White House but the leadership of the NSA, as well as the FISA Courts and Congress. However, in following this debate since it began (even before that), I've seen little evidence that the public has been demonizing everyday NSA employees. Of course, some of the leaks suggest something that appears to be less than professional behavior by NSA folks, but nearly all of the criticism I've seen has been directed at those actually responsible at the top of the chain -- not the day to day staffers.
In short, I found, to my surprise, that the NSA deserves the respect and appreciation of the American people. But it should never, ever, be trusted.
Either way, Stone's final point is a good one. Even if the NSA employed the most morally upstanding people ever alive, we should not trust them. An agency like the NSA should never be merely trusted, not because anyone questions the morals of the people who work there, but because a democracy cannot function when an organization like that is allowed to function solely on trust. It needs real, vigorous and comprehensive oversight. At this time, it's not clear it has any of that.
by Tim Cushing
Mon, Mar 31st 2014 11:06am
from the setting-the-decryption-standard dept
Last December, Reuters broke the news that RSA had received $10 million from the NSA to push a weakened crypto standard as the default. This resulted in an incredible amount of backlash against RSA, resulting in many security researchers pulling out of the RSA's conference (which itself was met by a protest conference).
There's more bad news ahead for the RSA, again delivered by Reuters.
Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers.
As Reuters notes, Extended Random has not been widely adopted (and now won't be), so the real story here is how the NSA undermines companies (and their aims) under the name of "advising on protection."
Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw - or "back door" - that allowed the NSA to crack the encryption.
A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software's vulnerability.
The professors found that the tool, known as the "Extended Random" extension for secure websites, could help crack a version of RSA's Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters.
Rather belatedly, RSA officials are developing a sense of skepticism towards the NSA's motives.
"We could have been more skeptical of NSA's intentions," RSA Chief Technologist Sam Curry told Reuters. "We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure."
As has been shown numerous times over the last several years, the government would rather make the connected world less secure -- by stockpiling exploits and preventing holes from being patched -- in the name of "security." There's more than one kind of security, and the definition that works for most normal people runs contrary to the NSA's desire to exploit and collect everything it can.
The NSA has refused to comment on the story and the RSA, for its part, has not disputed what researchers have uncovered. Dual Elliptic Curve is the NSA's $10 million baby, and the addition of Extended Random does nothing more than make the next set of random numbers easier to predict.
Johns Hopkins Professor Matthew Green said it was hard to take the official explanation for Extended Random at face value, especially since it appeared soon after Dual Elliptic Curve's acceptance as a U.S. standard.
This is what happens when you allow the NSA to not only play with the toys, but to also design them. "Security," in terms of the RSA's chosen standard, is now nothing more than a buzzword appended to its product line. The company learned far too late that the intelligence agency has little need for solid encryption, viewing it as an obstacle to be surmounted rather than a defensive tool that might make computing more secure -- for everybody.
"If using Dual Elliptic Curve is like playing with matches, then adding Extended Random is like dousing yourself with gasoline," Green said…
The academic researchers said it took about an hour to crack a free version of BSafe for Java using about $40,000 worth of computer equipment. It would have been 65,000 times faster in versions using Extended Random, dropping the time needed to seconds, according to Stephen Checkoway of Johns Hopkins.
The agency wants it all and it wants to gather it with the least amount of effort possible. While it may have little desire to turn its weapons on Americans ("incidental collections" will still continue, of course…), it has exactly zero compelling legal reasons not to weaponize crippled encryption against the rest of the world. RSA's credulousness (and perhaps $10 million) apparently silenced its better judgement, and now the connected world is open not only to the NSA's exploits, but anyone else with the desire to open the agency's backdoors.
by Mike Masnick
Fri, Mar 21st 2014 11:55am
from the cost-benefit dept
However, at the same time, revealing that the company has no problem snooping through users' email accounts if it feels it is beneficial to Microsoft is hugely damaging to the company. People need to trust their email providers. A well-known venture capitalist I know has spoken repeatedly about how so many people use Gmail, even when doing things like negotiating deals with Google (or competitors!) because they actually trust Google not to abuse their privacy and snoop on those emails. In part, they do this because they know if Google was exposed for snooping on emails that way there would be a mass exodus from Gmail to alternative providers. Yet, Microsoft doesn't seem to have considered just how astoundingly damaging it is to violate its own users' privacy -- whether permitted by Microsoft's terms of service or not.
On a basic cost-benefit analysis it's difficult to see how anyone at Microsoft thought this was a wise move. Absolutely wipe out any possible trust and privacy for all email users to track down one meaningless leaker? Instead, what this shows is how "piracy obsession" blinds companies. They seem to forget all about cost-benefit analysis and assume that "something must be done" at all costs, even if it basically destroys an entire business line for the company.
Microsoft is now desperately trying to minimize the damage as it's realizing just how it's wiped out all of its bogus talk about protecting your privacy. They've announced new policies concerning how and when they'll violate your privacy, but this seems quite clearly to be a case of too little, too late.
Fri, Mar 21st 2014 12:02am
from the brave-new-world dept
I've been thinking, with all the revelations coming out about the NSA spying on all of us, maybe we've been going about reacting the wrong way. I mean, we all seem to fall somewhere on the spectrum of being upset about this, from the more mildly uncomfortable but resigned folks who are okay with the spying to those more militant about privacy. What if we're all just pissed that we aren't the ones getting to do all this sweet, sweet surveillance on everyone we know?
Well, that's all changed, thanks to the makers of the mSpy software, which allows you to gift smart phones preinstalled with their software to those you care about most and then play NSA on them to your heart's content.
Starting today, the company is also selling phones preloaded with the software, making it simple for users without any tech savvy to start surveillance right out of the box. The phone package is available with the HTC One, Nexus 5, Samsung Galaxy S4 and iPhone 5s, at varying cost; for example, the Samsung Galaxy S4 costs $300; the subscription for the preloaded software costs another $199 for a year.
Count me as someone who is suddenly even more glad than ever that I'm out of the dating world. On the other hand, I suppose it'll be weird for any of us married folks to get smart phones as gifts from now on as well. Oh well, down the surveillance hatch, I say! The NSA spies on us, we spy on each other, and the important thing to remember is that the makers of this software, which advertises to buyers that their targets "won't find out", are the most innocent of innocents here.
[From the moment the software is installed], the phone records everything that happens on the device and sends the details to a remote website. Every call is recorded, every keystroke logged, every email seen, every SMS chat or photograph monitored.
The phone's proclaimed target markets are employers and parents who have the legal authority to watch what their children do on their smart phones. Company founder Andrei Shimanovich knows others may use his products in illegal ways, but says it is not his responsibility.
And creepy bastards, estranged lovers, stalkers, or anyone else who might be able to surreptitiously sneak this software onto the phones of whomever they're targeting. While it's completely true that we ought not blame the tool-maker for the way the tool is used, that doesn't discount the level of creepy in this software. Gone, apparently, are the days when parents raised their children to be responsible and then loosed them on the world to make a few mistakes and grow up better because of it. Gone are the days when employers made it a point to hire staff that they trusted. The NSA has paved the way for a whole new level of Orwellian acceptance, where the only difference between government surveillance and that we do ourselves is that our personal spying might actually be effective, since it will be more targeted.
"It is the same question with the gun producer," says Shimanovich, a Belarus native who recently moved to New York. "If you go out and buy a gun and go shoot someone, no one will go after the gun producer. People who shoot someone will be responsible for this. Same thing for mSpy. We just provide the services which can solve certain tasks regarding parents and teenagers."
Prepare yourselves, people, for when the news media first gets hold of some stalker who commits a violent act and is found to have employed this software, because the backlash against it is going to be insane.
by Mike Masnick
Wed, Jan 22nd 2014 9:03am
from the unfortunately-not dept
First off, when the data is within the US, there are at least some restrictions on what the NSA/FBI can access. There are quite reasonable complaints about just how insanely broad Section 215 of the PATRIOT Act and Section 702 of the FISA Amendments Act are... but, at least those laws do include some restrictions and oversight (even if we all agree it's not nearly enough). However, once things are outside of the US, it's basically "fair game" to the NSA. The NSA has interpreted Executive Order 12333 to mean that it's "open season" on all information not in the US. As ridiculous as it sounds, that actually means that there are somewhat greater restrictions on information inside the US than outside. Those stories about the NSA hacking into the links between Google and Yahoo data centers? Those were only done on offshore data centers outside of the US, under the auspices of EO 12333. Meanwhile, for local intelligence operations, they rarely even have the same kind of restrictions that the NSA has -- meaning that offshore data may be even more at risk of being spied on by whatever local intelligence agencies are in that country.
It's a complete mess for the entire tech industry -- but if you were running a tech company and wanted to best protect that data from the NSA, there's at least a strong argument that the best move is to stay in the US, even after all of these revelations. And, honestly, that's even more of a reason why the US tech industry needs to be fighting strongly for much greater reform and oversight concerning NSA (and FBI) activities inside the US. The protections are way too low, but at least there are some protections.
I recognize that some are going to disagree with this entirely, as many have completely written the US off because of these revelations. But, there's a simple question to ask: if that's the case, do you really feel safer with your data somewhere else, where there are no rules at all about what the NSA can do with it?
by Mike Masnick
Mon, Oct 28th 2013 7:57pm
from the another-good-deed-by-Snowden dept
As we discussed last week, the real "casualty" from all of these discussions may actually be that America can't get away with being a massive hypocrite anymore, despite so much of its foreign and domestic policy being built around being able to get away with just that. And, a large part of that is how the US pushes other countries into very questionable trade agreements -- another thing that we've been following for years. And those two things may be on a collision course. For quite some time now, we've been discussing the big trade agreement that the EU and the US are working towards, called TAFTA or TTIP. But one of the lesser noticed points about the revelations of the spying on Merkel is that many people in Germany are saying that negotiations on this agreement should be put on hold:
The chancellor's office is also now considering the possibility that the much-desired trans-Atlantic free trade agreement could fail if the NSA affair isn't properly cleared up. Since the latest revelations came out, some 58 percent of Germans say they support breaking off ongoing talks, while just 28 percent are against it. "We should put the negotiations for a free-trade agreement with the US on ice until the accusations against the NSA have been clarified," says Economy Minister Ilse Aigner, a member of the Christian Social Union, the Bavarian sister party to Merkel's Christian Democrats.
There are many reasons why TAFTA/TTIP is looking like a bad deal anyway, having nothing to do with the NSA spying, but if the Snowden docs lead to that agreement being put "on ice" for a while, that seems like another useful outcome.