Quotulatiousness

October 1, 2013

PRSM – the not-at-all-a-joke NSA sharing network

Filed under: Government, Technology, USA — Nicholas @ 12:59

Techdirt’s Mike Masnick on the no-we’re-actually-serious “joke” PRSM network:

Soon after the very earliest reporting on Ed Snowden’s leaked documents about PRISM, the folks from Datacoup put together the very amusing GETPRSM website, which looks very much like the announcement of a new social network, but (the joke is) it’s really the NSA scooping up all our data and making the connections. It’s pretty funny. Except, of course, when you find out that it’s real. And, yes, that seems to be the latest revelation out of Ed Snowden’s leaks. The NY Times has an article by James Risen and Laura Poitras (what a combo reporting team there!) detailing how the NSA has basically built its own “shadow” social network in which it tries to create a “social graph” of pretty much everyone that everyone knows, foreign or American, and it all happens (of course) without a warrant. And, note, this is relatively new:

    The agency was authorized to conduct “large-scale graph analysis on very large sets of communications metadata without having to check foreignness” of every e-mail address, phone number or other identifier, the document said. Because of concerns about infringing on the privacy of American citizens, the computer analysis of such data had previously been permitted only for foreigners.

    The agency can augment the communications data with material from public, commercial and other sources, including bank codes, insurance information, Facebook profiles, passenger manifests, voter registration rolls and GPS location information, as well as property records and unspecified tax data, according to the documents. They do not indicate any restrictions on the use of such “enrichment” data, and several former senior Obama administration officials said the agency drew on it for both Americans and foreigners.

There were apparently two policy changes that allowed this to happen, and both occurred in the past three years. First, in November of 2010, the NSA was allowed to start looking at phone call and email logs of Americans to try to help figure out associations for “foreign intelligence purposes.” Note that phrase. We’ll come back to it. For years, the NSA had been barred from viewing any content on US persons, and the NSA, President Obama and others have continued to insist to this day that there are minimization procedures that prevent spying on Americans. Except, this latest revelation shows that, yet again, this isn’t actually true.

September 18, 2013

The NSA scandal is not about mere privacy

Filed under: Government, Liberty, USA — Nicholas @ 08:19

Last week, Yochai Benkler posted this in the Guardian:

The spate of new NSA disclosures substantially raises the stakes of this debate. We now know that the intelligence establishment systematically undermines oversight by lying to both Congress and the courts. We know that the NSA infiltrates internet standard-setting processes to weaken security protocols that make surveillance harder. We know that the NSA uses persuasion, subterfuge, and legal coercion to distort software and hardware product design by commercial companies.

We have learned that in pursuit of its bureaucratic mission to obtain signals intelligence in a pervasively networked world, the NSA has mounted a systematic campaign against the foundations of American power: constitutional checks and balances, technological leadership, and market entrepreneurship. The NSA scandal is no longer about privacy, or a particular violation of constitutional or legislative obligations. The American body politic is suffering a severe case of auto-immune disease: our defense system is attacking other critical systems of our body.

First, the lying. The National Intelligence University, based in Washington, DC, offers a certificate program called the denial and deception advanced studies program. That’s not a farcical sci-fi dystopia; it’s a real program about countering denial and deception by other countries. The repeated misrepresentations suggest that the intelligence establishment has come to see its civilian bosses as adversaries to be managed through denial and deception.

[…]

Second, the subversion. Last week, we learned that the NSA’s strategy to enhance its surveillance capabilities was to weaken internet security in general. The NSA infiltrated the social-professional standard-setting organizations on which the whole internet relies, from National Institute of Standards and Technology to the Internet Engineering Task Force itself, the very institutional foundation of the internet, to weaken the security standards. Moreover, the NSA combined persuasion and legal coercion to compromise the commercial systems and standards that offer the most basic security systems on which the entire internet runs. The NSA undermined the security of the SSL standard critical to online banking and shopping, VPN products central to secure corporate, research, and healthcare provider networks, and basic email utilities.

Serious people with grave expressions will argue that if we do not ruthlessly expand our intelligence capabilities, we will suffer terrorism and defeat. Whatever minor tweaks may be necessary, the argument goes, the core of the operation is absolutely necessary and people will die if we falter. But the question remains: how much of what we have is really necessary and effective, and how much is bureaucratic bloat resulting in the all-too-familiar dynamics of organizational self-aggrandizement and expansionism?

The “serious people” are appealing to our faith that national security is critical, in order to demand that we accept the particular organization of the Intelligence Church. Demand for blind faith adherence is unacceptable.

September 15, 2013

Bruce Schneier on what you can do to stay out of the NSA’s view

Filed under: Liberty, Technology — Nicholas @ 10:44

Other than going completely off the grid, you don’t have the ability to stay completely hidden, but there are some things you can do to decrease your visibility to the NSA:

With all this in mind, I have five pieces of advice:

  1. Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.
  2. Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you’re much better protected than if you communicate in the clear.
  3. Assume that while your computer can be compromised, it would take work and risk on the part of the NSA — so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the Internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my Internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.
  4. Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
  5. Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I’m not going to write about. There’s an undocumented encryption feature in my Password Safe program from the command line; I’ve been using that as well.

I understand that most of this is impossible for the typical Internet user. Even I don’t use all these tools for most everything I am working on. And I’m still primarily on Windows, unfortunately. Linux would be safer.

The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.

September 7, 2013

Maybe the conspiracy theorists just aren’t paranoid enough

Filed under: Government, Media, Technology, USA — Nicholas @ 09:49

Bruce Schneier on the destruction of public trust in government agencies:

I’ve recently seen two articles speculating on the NSA’s capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking — and I have no idea whether any of it is true or not — but it’s a good illustration of what happens when trust in a public institution fails.

The NSA has repeatedly lied about the extent of its spying program. James R. Clapper, the director of national intelligence, has lied about it to Congress. Top-secret documents provided by Edward Snowden, and reported on by the Guardian and other newspapers, repeatedly show that the NSA’s surveillance systems are monitoring the communications of American citizens. The DEA has used this information to apprehend drug smugglers, then lied about it in court. The IRS has used this information to find tax cheats, then lied about it. It’s even been used to arrest a copyright violator. It seems that every time there is an allegation against the NSA, no matter how outlandish, it turns out to be true.

Guardian reporter Glenn Greenwald has been playing this well, dribbling the information out one scandal at a time. It’s looking more and more as if the NSA doesn’t know what Snowden took. It’s hard for someone to lie convincingly if he doesn’t know what the opposition actually knows.

All of this denying and lying results in us not trusting anything the NSA says, anything the president says about the NSA, or anything companies say about their involvement with the NSA. We know secrecy corrupts, and we see that corruption. There’s simply no credibility, and — the real problem — no way for us to verify anything these people might say.

August 18, 2013

Rounding up the “government is spying on everyone” news

Filed under: Government, Liberty, Technology — Nicholas @ 10:48

A linkapalooza of information at Zero Hedge:

That’s just the first few items of a long list. Read the whole thing.

August 12, 2013

Online privacy and habitual oversharing

Filed under: Liberty, Media, Technology — Nicholas @ 09:47

Cory Doctorow explains why so many of us have gotten into the habit of oversharing personal details in our social media activities:

Whenever government surveillance is debated, someone inevitably points out that it is no cause for alarm, since people already overshare sensitive personal information on Facebook. This means there’s hardly anything to be gleaned from state surveillance that isn’t already there for the taking on social media.

It’s true people overshare on social networks, providing information in ways that they later come to regret. The consequences of oversharing range widely, from losing a job to being outed for your sexual orientation. If you live in a dictatorship, intercepted social media sessions can be used by those in charge to compile enemies lists, determining whom to arrest, whom to torture, and – potentially – whom to murder.

The key reason for oversharing is that cause and effect are separated by volumes of time and space, so understanding the consequences can be difficult. Imagine practising penalty kicks by kicking the ball and then turning around before it lands; two years later, someone visits you and tells you where your kicks ended up. This is the kind of feedback loop we contend with when it comes to our privacy disclosures.

In other words, you may make a million small and large disclosures on different services, with different limits on your sharing preferences, and many years later, you lose your job. Or your marriage. Or maybe your life, if you’re unlucky enough to have your Facebook scraped by a despot who has you in his dominion.

August 11, 2013

Speculations on why Lavabit went dark

Filed under: Business, Law, Liberty, USA — Nicholas @ 11:40

In The New Yorker, Michael Phillips tries to outline the legal picture around the Lavabit shutdown:

In mid-July, Tanya Lokshina, the deputy director for Human Rights Watch’s Moscow office, wrote on her Facebook wall that she had received an e-mail from edsnowden@lavabit.com. It requested that she attend a press conference at Moscow’s Sheremetyevo International Airport to discuss the N.S.A. leaker’s “situation.” This was the wider public’s introduction to Lavabit, an e-mail service prized for its security. Lavabit promised, for instance, that messages stored on the service using asymmetric encryption, which encrypts incoming e-mails before they’re saved on Lavabit’s servers, could not even be read by Lavabit itself.

Yesterday, Lavabit went dark. In a cryptic statement posted on the Web site, the service’s owner and operator, Ladar Levison, wrote, “I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.” Those experiences led him to shut down the service rather than, as he put it, “become complicit in crimes against the American people.” Lavabit users reacted with consumer vitriol on the company’s Facebook page (“What about our emails?”), but the tide quickly turned toward government critique. By the end of the night, a similar service, Silent Circle, also shut down its encrypted e-mail product, calling the Lavabit affair the “writing [on] the wall.”

Which secret surveillance scheme is involved in the Lavabit case? The company may have received a national-security letter, which is a demand issued by a federal agency (typically the F.B.I.) that the recipient turn over data about other individuals. These letters often forbid recipients from discussing it with anyone. Another possibility is that the Foreign Intelligence Surveillance Court may have issued a warrant ordering Lavabit to participate in ongoing e-mail surveillance. We can’t be completely sure: as Judge Reggie Walton, the presiding judge of the FISA court, explained to Senator Patrick Leahy in a letter dated July 29th, FISA proceedings, decisions, and legal rationales are typically secret. America’s surveillance programs are secret, as are the court proceedings that enable them and the legal rationales that justify them; informed dissents, like those by Levison or Senator Ron Wyden, must be kept secret. The reasons for all this secrecy are also secret. That some of the secrets are out has not deterred the Obama Administration from prosecuting leakers under the Espionage Act for disclosure of classified information. Call it meta-secrecy.

August 9, 2013

Locking the (electronic) barn door

Filed under: Law, Media, Technology — Nicholas @ 08:03

The encrypted email service that was reportedly used by Edward Snowden just announced that it will be shutting down:

Today, Lavabit announced that it would shut down its encrypted email service rather than “become complicit in crimes against the American people.” Lavabit did not say what it had been asked to do, only that it was legally prohibited from sharing the events leading to its decision.

Lavabit was an email provider, apparently used by Edward Snowden along with other privacy-sensitive users, with an avowed mission to offer an “e-mail service that never sacrifices privacy for profits” and promised to “only release private information if legally compelled by the courts in accordance with the United States Constitution.” It backed up this claim by encrypting all emails on Lavabit servers such that Lavabit did not have the ability to access a user’s email (Lavabit’s white paper), at least without that user’s passphrase, which the email provider did not store.

Given the impressive powers of the government to obtain emails and records from service providers, both with and without legal authority, it is encouraging to see service providers take steps to limit their ability to access user data, as Lavabit had done.

[…]

Lavabit’s post indicates that there was a gag order, and that there is an ongoing appeal before the Fourth Circuit. We call on the government and the courts to unseal enough of the docket to allow, at a minimum, the public to know the legal authority asserted, both for the gag and the substance, and give Lavabit the breathing room to participate in the vibrant and critical public debates on the extent of email privacy in an age of warrantless bulk surveillance by the NSA.

August 7, 2013

Bruce Schneier – “it’s becoming clear that we can’t trust anything anyone official says about these programs”

Filed under: Government, Media, USA — Nicholas @ 08:39

Bruce Schneier talks about the need to restore trust in government and the internet after all the proof we’ve had lately that “they” are lying to us pretty much all the time:

In July 2012, responding to allegations that the video-chat service Skype — owned by Microsoft — was changing its protocols to make it possible for the government to eavesdrop on users, Corporate Vice President Mark Gillett took to the company’s blog to deny it.

Turns out that wasn’t quite true.

Or at least he — or the company’s lawyers — carefully crafted a statement that could be defended as true while completely deceiving the reader. You see, Skype wasn’t changing its protocols to make it possible for the government to eavesdrop on users, because the government was already able to eavesdrop on users.

At a Senate hearing in March, Director of National Intelligence James Clapper assured the committee that his agency didn’t collect data on hundreds of millions of Americans. He was lying, too. He later defended his lie by inventing a new definition of the word “collect,” an excuse that didn’t even pass the laugh test.

As Edward Snowden’s documents reveal more about the NSA’s activities, it’s becoming clear that we can’t trust anything anyone official says about these programs.

Google and Facebook insist that the NSA has no “direct access” to their servers. Of course not; the smart way for the NSA to get all the data is through sniffers.

Apple says it’s never heard of PRISM. Of course not; that’s the internal name of the NSA database. Companies are publishing reports purporting to show how few requests for customer-data access they’ve received, a meaningless number when a single Verizon request can cover all of their customers. The Guardian reported that Microsoft secretly worked with the NSA to subvert the security of Outlook, something it carefully denies. Even President Obama’s justifications and denials are phrased with the intent that the listener will take his words very literally and not wonder what they really mean.

[…]

Ronald Reagan once said “trust but verify.” That works only if we can verify. In a world where everyone lies to us all the time, we have no choice but to trust blindly, and we have no reason to believe that anyone is worthy of blind trust. It’s no wonder that most people are ignoring the story; it’s just too much cognitive dissonance to try to cope with it.

This sort of thing can destroy our country. Trust is essential in our society. And if we can’t trust either our government or the corporations that have intimate access into so much of our lives, society suffers. Study after study demonstrates the value of living in a high-trust society and the costs of living in a low-trust one.

August 6, 2013

The Electronic Frontier Foundation on reforming the NSA

Filed under: Government, Law, Liberty, USA — Nicholas @ 11:36

The EFF has a few suggestions on how to go about reining in the NSA:

While we still believe that the best first step is a modern Church Committee, an independent, public investigation and accounting of the government’s surveillance programs that affect Americans, members of Congress seem determined to try to enact fixes now. Almost a dozen bills have already been introduced or will be introduced in the coming weeks.

While we’re also waiting to see what the various bills will look like before endorsing anything, here’s — in broad strokes — what we’d like to see, and what should be avoided or opposed as a false response. We know full well that the devil is in the details when it comes to legislation, so these are not set in stone and they aren’t exhaustive. But as the debate continues in Congress, here are some key guideposts.

This first post focuses on surveillance law reform. In later posts we’ll discuss transparency, secret law and the FISA Court as well as other topics raised by the ongoing disclosures. In short, there’s much Congress can and should do here, but we also need to be on the lookout for phony measures dressed as reform that either don’t fix things or take us backwards.

August 4, 2013

New tools for the surveillance state

Filed under: Government, Liberty, USA — Nicholas @ 11:01

James Miller on token attempts to roll back the security state by local governments and other groups:

New surveillance technology lowers the barrier of effort needed to soak the productive class of the surplus fruits of its labor. From monitoring backyards to ensure taxes are being paid on swimming pools to spying on farmers who violate agricultural regulations, states across the globe are already using new spy tools to extort more loot from the greater public.

All the while, the political class gives an assurance that the technological innovation will not be abused. Newspaper editors parrot the message and paint any critic as a tinfoil hat loon who thinks Big Brother sleeps under their bed. And then there are the television intellectuals who take great joy in making flippant remarks about conspiracy theorists. Each of these personalities pictures him or herself as sitting a few ladder rungs above the horde of bumbling mass-men.

One has to be either lying or painfully ignorant to believe government will not abuse surveillance drones. State officials have rarely failed to use their capacity to terrify the populace. Just recently, journalist Glenn Greenwald and the Guardian revealed that the National Security Agency sweeps up the internet activity of all U.S. residents absent any warrants. Prior to the leak, those politicians in charge of overseeing the government’s oversight activities claimed the snooping was done in the public good and not as widespread as suspected. The new details of the program contradict the assurance, as the NSA’s spy activity is more intrusive – and prone to abuse – than originally thought.

A sterling record of misconduct is still not enough to convince enlightened thinkers and academics of the state’s propensity to terrorize. There are still a handful of civil liberty organizations calling attention to the dangers of the widespread use of surveillance drones and data gathering. But their beef is focused more on the right to privacy rather than a usurpation of basic property rights.

August 1, 2013

“That kind of grassroots power tends to make government officials jittery”

Filed under: Law, Media, USA — Nicholas @ 12:34

J.D. Tuccille looks at the rise of Twitter … not so much its rise in users, but the rise in government interest and interference:

(Chart: Twitter information requests 2012-13)

You know you’ve arrived as an online media operation when governments take an interest in who is speaking out, and make efforts to muzzle what’s published. That’s definitely the case with Twitter, the microblogging platform that started as an outlet for exhibitionist ADHD sufferers, only to become a powerful medium for sharing news and grassroots organizing. According to the company’s latest transparency report, governments around the world are issuing ever-more demands for information about the service’s users, and stepping up efforts to suppress tweeted content.

From January 1 through June 30 of this year, Twitter received 1,157 government requests for private information about users and accounts, up from 849 during the same period in 2012. Of those, authorities in the United States were responsible for 902 requests. Twitter complied in whole or part with 55 percent of all requests — 67 percent of those originating in the U.S.

Interestingly, roughly 20 percent of information requests issued by American authorities were “under seal,” meaning that Twitter was forbidden to fulfill its usual policy of informing users about requests for their private information.

July 31, 2013

The congressional defenders of privacy

Filed under: Government, Law, Liberty, USA — Nicholas @ 11:12

Jacob Sullum in Reason:

“This is not a game,” Mike Rogers angrily warned last week, urging his colleagues in the House to vote against an amendment that would have banned the mass collection of telephone records by the National Security Agency (NSA). “This is real. It will have real consequences.”

I hope Rogers is right. Despite the Michigan Republican’s best efforts to portray the amendment as a terrifying threat to national security, it failed by a surprisingly narrow margin that could signal the emergence of a bipartisan coalition willing to defend civil liberties against the compromises supported by leaders of both parties.

Rogers was not surprised by the recent revelation that the NSA routinely collects information about every phone call Americans make, just in case it may prove useful in the future. As chairman of the House Intelligence Committee, he knew about the program for years, and he had no problem with it.

Not so two other Michigan congressmen: Justin Amash, a 33-year-old libertarian Republican serving his second term, and John Conyers, an 84-year-old progressive Democrat first elected in 1965. These two legislators, conventionally viewed as occupying opposite ends of the political spectrum, were outraged by the NSA’s data dragnet, especially since representatives of the Bush and Obama administrations had repeatedly denied that any such program existed.

The measure that Amash and Conyers proposed as an amendment to a military spending bill would have required that records demanded under Section 215 of the PATRIOT Act, which authorizes secret court orders seeking “any tangible things” deemed “relevant” to a terrorism investigation, be connected to particular targets. Although it was a pretty mild reform, leaving in place the wide powers granted by Section 215 while repudiating the Obama administration’s even broader, heretofore secret interpretation of that provision, the amendment was viewed as a quixotic effort.

July 30, 2013

The return of “lawful access”

Filed under: Cancon, Law, Liberty, Media, Technology — Nicholas @ 07:56

Michael Geist on the Canadian implications of some information that was published in a Buzzfeed article about a Utah ISP and the NSA’s installation of a “little black box” in their network:

The article describes how a Foreign Intelligence Service Act (FISA) warrant allowed the NSA to monitor the activities of an ISP subscriber by inserting surveillance equipment directly within the ISP’s network. The experience in Utah appears to have been replicated in many other Internet and technology companies, who face secret court orders to install equipment on their systems.

The U.S. experience should raise some alarm bells in Canada, since the now defeated lawful access bill envisioned similar legal powers. Section 14(4) of the bill provided:

    The Minister may provide the telecommunications service provider with any equipment or other thing that the Minister considers the service provider needs to comply with an order made under this section.

That provision would have given the government the power to decide what specific surveillance equipment must be installed on private ISP and telecom networks by allowing it to simply take over the ISP or telecom network and install its own equipment. This is no small thing: it literally means that law enforcement (including CSIS) would have had the power to ultimately determine not only surveillance capabilities but the surveillance equipment itself.

While Bill C-30 is now dead, the government may be ready to resurrect elements of it. Earlier this month, a cyber-bullying report included recommendations that are lifted straight from the lawful access package.

July 14, 2013

Unwanted contact

Filed under: Liberty, Randomness — Nicholas @ 09:52

At Samizdata, Natalie Solent had a rather strong reaction to an unwanted form of contact the other day:

Discussion point: the ethical issues surrounding unsolicited sales phone calls

Is it better to just hang them or should we draw and quarter first?

A few days on, and she’s a bit more philosophical about it:

Before being overwhelmed by phone-induced homicidal rage the other day, I had intended to discuss a subject that has been interesting me lately, namely how difficult it is to specify in advance rules for social interaction. More specifically, I was pondering how hard it is to lay down rules for dealing with unwanted contact. Cold calling is one form of that; what are traditionally described as “unwanted advances” are another.

The problem is that word “unwanted”. To say, as the organisational psychologist quoted in this article does, that “An unwanted advance is a form of injustice”, strikes me as unfair. We are not telepaths. Quite often the only way one can find out that unwanted contact is unwanted is to ask, that is, to initiate unwanted contact. On the other hand while we may not have telepathy, we most of us do have empathy to help us guess in advance when advances might be unwelcome. Phone sales companies know to the fifth decimal place exactly how likely their calls are to be welcome. They know that the first four of those decimal places are filled by zeros, scumbags that they are. Few men asking a woman out have quite such a large database of prior results upon which to draw. I’m glad I’m not a guy! That last breath before you open your mouth to begin the sentence that might get you rejected cruelly or rejected kindly must be painful.
