November 4, 2013
Living in a Surveillance State: Mikko Hypponen at TEDxBrussels
October 29, 2013
What happens when you challenge hackers to investigate you?
Adam Penenberg had himself investigated in the late 1990s and wrote that up for Forbes. This time around, he asked Nick Percoco to do the same thing, and was quite weirded out by the experience:
It’s my first class of the semester at New York University. I’m discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message. To receive the four-digit code I need to unlock it I’ll have to dial a number with a 312 area code. Then my iPhone, set on vibrate and sitting idly on the table, beeps madly.
I’m being hacked — and only have myself to blame.
Two months earlier I challenged Nicholas Percoco, senior vice president of SpiderLabs, the advanced research and ethical hacking team at Trustwave, to perform a personal “pen-test,” industry-speak for “penetration test.” The idea grew out of a cover story I wrote for Forbes some 14 years earlier, when I retained a private detective to investigate me, starting with just my byline. In a week he pulled up an astonishing amount of information, everything from my social security number and mother’s maiden name to long distance phone records, including who I called and for how long, my rent, bank accounts, stock holdings, and utility bills.
[…]
A decade and a half later, and given the recent Edward Snowden-fueled brouhaha over the National Security Agency’s snooping on Americans, I wondered how much had changed. Today, about 250 million Americans are on the Internet, and spend an average of 23 hours a week online and texting, with 27 percent of that engaged in social media. Like most people, I’m on the Internet, in some fashion, most of my waking hours, if not through a computer then via a tablet or smart phone.
With so much of my life reduced to microscopic bits and bytes bouncing around in a netherworld of digital data, how much could Nick Percoco and a determined team of hackers find out about me? Worse, how much damage could they potentially cause?
What I learned is that virtually all of us are vulnerable to electronic eavesdropping and are easy hack targets. Most of us have adopted the credo “security by obscurity,” but all it takes is a person or persons with enough patience and know-how to pierce anyone’s privacy — and, if they choose, to wreak havoc on your finances and destroy your reputation.
H/T to Terry Teachout for the link.
October 28, 2013
Reason.tv – What We Saw At The Anti-NSA “Stop Watching Us” Rally
On October 26, 2013, protesters from across the political spectrum gathered in Washington, D.C. to take part in the Stop Watching Us rally, a demonstration against the National Security Agency’s domestic and international surveillance programs.
Reason TV spoke with protesters — including 2012 Libertarian Party presidential candidate Gary Johnson and former Congressman Dennis Kucinich — to discuss the rally, why people should worry about the erosion of privacy, and President Barack Obama’s role in the growth of the surveillance state.
Correction: Laura Murphy, Director of the ACLU Washington Legislative Office, was incorrectly identified as Susan N. Herman, ACLU President.
Produced by Joshua Swain, interviews by Todd Krainin.
Mark Steyn on the Obamacare software
Mark Steyn’s weekend column touched on some items of interest to aficionados of past government software fiascos:
The witness who coughed up the intriguing tidbit about Obamacare’s exemption from privacy protections was one Cheryl Campbell of something called CGI. This rang a vague bell with me. CGI is not a creative free spirit from Jersey City with an impressive mastery of Twitter, but a Canadian corporate behemoth. Indeed, CGI is so Canadian their name is French: Conseillers en Gestion et Informatique. Their most famous government project was for the Canadian Firearms Registry. The registry was estimated to cost in total $119 million, which would be offset by $117 million in fees. That’s a net cost of $2 million. Instead, by 2004 the CBC (Canada’s PBS) was reporting costs of some $2 billion — or a thousand times more expensive.
Yeah, yeah, I know, we’ve all had bathroom remodelers like that. But in this case the database had to register some 7 million long guns belonging to some two-and-a-half to three million Canadians. That works out to almost $300 per gun — or somewhat higher than the original estimate for processing a firearm registration of $4.60. Of those $300 gun registrations, Canada’s auditor general reported to parliament that much of the information was either duplicated or wrong in respect to basic information such as names and addresses.
Sound familiar?
Also, there was a 1-800 number, but it wasn’t any use.
Sound familiar?
So it was decided that the sclerotic database needed to be improved.
Sound familiar?
But it proved impossible to “improve” CFIS (the Canadian Firearms Information System). So CGI was hired to create an entirely new CFIS II, which would operate alongside CFIS I until the old system could be scrapped. CFIS II was supposed to go operational on January 9, 2003, but the January date got postponed to June, and 2003 to 2004, and $81 million was thrown at it before a new Conservative government scrapped the fiasco in 2007. Last year, the government of Ontario canceled another CGI registry that never saw the light of day — just for one disease, diabetes, and costing a mere $46 million.
But there’s always America! “We continue to view U.S. federal government as a significant growth opportunity,” declared CGI’s chief exec, in what would also make a fine epitaph for the republic. Pizza and Mountain Dew isn’t very Montreal, and on the evidence of three years of missed deadlines in Ontario and the four-year overrun on the firearms database CGI don’t sound like they’re pulling that many all-nighters. Was the government of the United States aware that CGI had been fired by the government of Canada and the government of Ontario (and the government of New Brunswick)? Nobody’s saying. But I doubt it would make much difference.
October 11, 2013
Creating an “air gap” for computer security
Bruce Schneier explains why you’d want to do this … and how much of a pain it can be to set up and work with:
Since I started working with Snowden’s documents, I have been using a number of tools to try to stay secure from the NSA. The advice I shared included using Tor, preferring certain cryptography over others, and using public-domain encryption wherever possible.
I also recommended using an air gap, which physically isolates a computer or local network of computers from the Internet. (The name comes from the literal gap of air between the computer and the Internet; the word predates wireless networks.)
But this is more complicated than it sounds, and requires explanation.
Since we know that computers connected to the Internet are vulnerable to outside hacking, an air gap should protect against those attacks. There are a lot of systems that use — or should use — air gaps: classified military networks, nuclear power plant controls, medical equipment, avionics, and so on.
Osama Bin Laden used one. I hope human rights organizations in repressive countries are doing the same.
Air gaps might be conceptually simple, but they’re hard to maintain in practice. The truth is that nobody wants a computer that never receives files from the Internet and never sends files out into the Internet. What they want is a computer that’s not directly connected to the Internet, albeit with some secure way of moving files on and off.
He also provides a list of ten rules (or recommendations, I guess) you should follow if you want to set up an air-gapped machine of your own.
October 4, 2013
John Lanchester on the Guardian‘s GCHQ files
Novelist John Lanchester was invited to look at the trove of files the Guardian received from Edward Snowden:
In August, the editor of the Guardian rang me up and asked if I would spend a week in New York, reading the GCHQ files whose UK copy the Guardian was forced to destroy. His suggestion was that it might be worthwhile to look at the material not from a perspective of making news but from that of a novelist with an interest in the way we live now.
I took Alan Rusbridger up on his invitation, after an initial reluctance that was based on two main reasons. The first of them was that I don’t share the instinctive sense felt by many on the left that it is always wrong for states to have secrets. I’d put it more strongly than that: democratic states need spies.
And all’s well in the world and we’re worried over nothing?
My week spent reading things that were never meant to be read by outsiders was, from this point of view, largely reassuring. Most of what GCHQ does is exactly the kind of thing we all want it to do. It takes an interest in places such as the Horn of Africa, Iran, and North Korea; it takes an interest in energy security, nuclear proliferation, and in state-sponsored computer hacking.
There doesn’t seem to be much in the documents about serious crime, for which GCHQ has a surveillance mandate, but it seems that much of this activity is covered by warrants that belong to other branches of the security apparatus. Most of this surveillance is individually targeted: it concerns specific individuals and specific acts (or intentions to act), and as such, it is not the threat.
Few people are saying we don’t need intelligence-gathering organizations like GCHQ, but we do have a right to be concerned about what they are doing when they’re not watching actual, known threats. They have capabilities that we generally thought were just from the pages of James Bond novels or Tom Clancy thrillers … and they use them all the time, not just for keeping tabs on the “bad guys”.
In the case of modern signals intelligence, this is no longer true. Life has changed. It has changed because of the centrality of computers and digital activity to every aspect of modern living. Digital life is central to work: many of us, perhaps most of us, spend most of our working day using a computer. Digital life is central to our leisure: a huge portion of our discretionary activity has a digital component, even things which look like they are irreducibly un-digital, from cycling to cooking.
[…]
As for our relationships and family lives, that has, especially for younger people, become a digital-first activity. Take away Facebook and Twitter, instant messaging and Skype and YouTube, and then — it’s hard to imagine, but try — take away the mobile phone, and see the yawning gap where all human interaction used to take place. About the only time we don’t use computers is when we’re asleep — that’s unless we have a gadget that tracks our sleep, or monitors our house temperature, or our burglar alarm, or whatever.
This is the central point about what our spies and security services can now do. They can, for the first time, monitor everything about us, and they can do so with a few clicks of a mouse and — to placate the lawyers — a drop-down menu of justifications.
Looking at the GCHQ papers, it is clear that there is an ambition to get access to everything digital. That’s what engineers do: they seek new capabilities. When it applies to the people who wish us harm, that’s fair enough. Take a hypothetical, but maybe not unthinkable, ability to eavesdrop on any room via an electrical socket. From the GCHQ engineers’ point of view, they would do that if they could. And there are a few people out there on whom it would be useful to be able to eavesdrop via an electrical socket. But the price of doing so would be a society that really did have total surveillance. Would it be worth it? Is the risk worth the intrusion?
That example might sound far-fetched, but trust me, it isn’t quite as far fetched as all that, and the basic intention on the part of the GCHQ engineers — to get everything — is there.
October 2, 2013
October 1, 2013
September 18, 2013
The NSA scandal is not about mere privacy
Last week, Yochai Benkler posted this in the Guardian:
The spate of new NSA disclosures substantially raises the stakes of this debate. We now know that the intelligence establishment systematically undermines oversight by lying to both Congress and the courts. We know that the NSA infiltrates internet standard-setting processes to security protocols that make surveillance harder. We know that the NSA uses persuasion, subterfuge, and legal coercion to distort software and hardware product design by commercial companies.
We have learned that in pursuit of its bureaucratic mission to obtain signals intelligence in a pervasively networked world, the NSA has mounted a systematic campaign against the foundations of American power: constitutional checks and balances, technological leadership, and market entrepreneurship. The NSA scandal is no longer about privacy, or a particular violation of constitutional or legislative obligations. The American body politic is suffering a severe case of auto-immune disease: our defense system is attacking other critical systems of our body.
First, the lying. The National Intelligence University, based in Washington, DC, offers a certificate program called the denial and deception advanced studies program. That’s not a farcical sci-fi dystopia; it’s a real program about countering denial and deception by other countries. The repeated misrepresentations suggest that the intelligence establishment has come to see its civilian bosses as adversaries to be managed through denial and deception.
[…]
Second, the subversion. Last week, we learned that the NSA’s strategy to enhance its surveillance capabilities was to weaken internet security in general. The NSA infiltrated the social-professional standard-setting organizations on which the whole internet relies, from National Institute of Standards and Technology to the Internet Engineering Task Force itself, the very institutional foundation of the internet, to weaken the security standards. Moreover, the NSA combined persuasion and legal coercion to compromise the commercial systems and standards that offer the most basic security systems on which the entire internet runs. The NSA undermined the security of the SSL standard critical to online banking and shopping, VPN products central to secure corporate, research, and healthcare provider networks, and basic email utilities.
Serious people with grave expressions will argue that if we do not ruthlessly expand our intelligence capabilities, we will suffer terrorism and defeat. Whatever minor tweaks may be necessary, the argument goes, the core of the operation is absolutely necessary and people will die if we falter. But the question remains: how much of what we have is really necessary and effective, and how much is bureaucratic bloat resulting in the all-too-familiar dynamics of organizational self-aggrandizement and expansionism?
The “serious people” are appealing to our faith that national security is critical, in order to demand that we accept the particular organization of the Intelligence Church. Demand for blind faith adherence is unacceptable.
September 15, 2013
Bruce Schneier on what you can do to stay out of the NSA’s view
Other than going completely off the grid, you don’t have the ability to stay completely hidden, but there are some things you can do to decrease your visibility to the NSA:
With all this in mind, I have five pieces of advice:
- Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.
- Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you’re much better protected than if you communicate in the clear.
- Assume that while your computer can be compromised, it would take work and risk on the part of the NSA — so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the Internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my Internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.
- Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
- Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.
Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I’m not going to write about. There’s an undocumented encryption feature in my Password Safe program from the command line; I’ve been using that as well.
I understand that most of this is impossible for the typical Internet user. Even I don’t use all these tools for most everything I am working on. And I’m still primarily on Windows, unfortunately. Linux would be safer.
The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.
Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.
September 7, 2013
Maybe the conspiracy theorists just aren’t paranoid enough
Bruce Schneier on the destruction of public trust in government agencies:
I’ve recently seen two articles speculating on the NSA’s capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking — and I have no idea whether any of it is true or not — but it’s a good illustration of what happens when trust in a public institution fails.
The NSA has repeatedly lied about the extent of its spying program. James R. Clapper, the director of national intelligence, has lied about it to Congress. Top-secret documents provided by Edward Snowden, and reported on by the Guardian and other newspapers, repeatedly show that the NSA’s surveillance systems are monitoring the communications of American citizens. The DEA has used this information to apprehend drug smugglers, then lied about it in court. The IRS has used this information to find tax cheats, then lied about it. It’s even been used to arrest a copyright violator. It seems that every time there is an allegation against the NSA, no matter how outlandish, it turns out to be true.
Guardian reporter Glenn Greenwald has been playing this well, dribbling the information out one scandal at a time. It’s looking more and more as if the NSA doesn’t know what Snowden took. It’s hard for someone to lie convincingly if he doesn’t know what the opposition actually knows.
All of this denying and lying results in us not trusting anything the NSA says, anything the president says about the NSA, or anything companies say about their involvement with the NSA. We know secrecy corrupts, and we see that corruption. There’s simply no credibility, and — the real problem — no way for us to verify anything these people might say.
August 18, 2013
Rounding up the “government is spying on everyone” news
A linkapalooza of information at Zero Hedge:
- Just weeks after NSA boss Alexander said that a review of NSA spying found not even one violation, the Washington Post published an internal NSA audit showing that the agency has broken its own rules thousands of times each year
- 2 Senators on the intelligence committee said the violations revealed in the Post article were just the “tip of the iceberg”
- Glenn Greenwald notes: “One key to the WashPost story: the reports are internal, NSA audits, which means high likelihood of both under-counting & white-washing”.(Even so, the White House tried to do damage control by retroactively changing on-the-record quotes)
- The government is spying on essentially everything we do. It is not just “metadata” … although that is enough to destroy your privacy
- The government has adopted a secret interpretation of the Patriot Act which allows it to pretend that “everything” is relevant … so it spies on everyone
- NSA whistleblowers say that the NSA collects all of our conversations word-for-word
- It’s not just the NSA … Many other agencies, like the FBI and IRS – concerned only with domestic issues – spy on Americans as well
That’s just the first few items of a long list. Read the whole thing.
August 12, 2013
August 11, 2013
Speculations on why Lavabit went dark
In The New Yorker, Michael Phillips tries to outline the legal picture around the Lavabit shutdown:
In mid-July, Tanya Lokshina, the deputy director for Human Rights Watch’s Moscow office, wrote on her Facebook wall that she had received an e-mail from edsnowden@lavabit.com. It requested that she attend a press conference at Moscow’s Sheremetyevo International Airport to discuss the N.S.A. leaker’s “situation.” This was the wider public’s introduction to Lavabit, an e-mail service prized for its security. Lavabit promised, for instance, that messages stored on the service using asymmetric encryption, which encrypts incoming e-mails before they’re saved on Lavabit’s servers, could not even be read by Lavabit itself.
Yesterday, Lavabit went dark. In a cryptic statement posted on the Web site, the service’s owner and operator, Ladar Levison, wrote, “I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.” Those experiences led him to shut down the service rather than, as he put it, “become complicit in crimes against the American people.” Lavabit users reacted with consumer vitriol on the company’s Facebook page (“What about our emails?”), but the tide quickly turned toward government critique. By the end of the night, a similar service, Silent Circle, also shut down its encrypted e-mail product, calling the Lavabit affair the “writing [on] the wall.”
Which secret surveillance scheme is involved in the Lavabit case? The company may have received a national-security letter, which is a demand issued by a federal agency (typically the F.B.I.) that the recipient turn over data about other individuals. These letters often forbid recipients from discussing it with anyone. Another possibility is that the Foreign Intelligence Surveillance Court may have issued a warrant ordering Lavabit to participate in ongoing e-mail surveillance. We can’t be completely sure: as Judge Reggie Walton, the presiding judge of the FISA court, explained to Senator Patrick Leahy in a letter dated July 29th, FISA proceedings, decisions, and legal rationales are typically secret. America’s surveillance programs are secret, as are the court proceedings that enable them and the legal rationales that justify them; informed dissents, like those by Levison or Senator Ron Wyden, must be kept secret. The reasons for all this secrecy are also secret. That some of the secrets are out has not deterred the Obama Administration from prosecuting leakers under the Espionage Act for disclosure of classified information. Call it meta-secrecy.
August 9, 2013
Locking the (electronic) barn door
The encrypted email service that was reportedly used by Edward Snowden just announced that it will be shutting down:
Today, Lavabit announced that it would shut down its encrypted email service rather than “become complicit in crimes against the American people.” Lavabit did not say what it had been asked to do, only that it was legally prohibited from sharing the events leading to its decision.
Lavabit was an email provider, apparently used by Edward Snowden along with other privacy sensitive users, with an avowed mission to offer an “e-mail service that never sacrifices privacy for profits” and promised to “only release private information if legally compelled by the courts in accordance with the United States Constitution.” It backed up this claim by encrypting all emails on Lavabit servers such that Lavabit did not have the ability to access a user’s email (Lavabit’s white paper), at least without that user’s passphrase, which the email provider did not store.
Given the impressive powers of the government to obtain emails and records from service providers, both with and without legal authority, it is encouraging to see service providers take steps to limit their ability to access user data, as Lavabit had done.
[…]
Lavabit’s post indicates that there was a gag order, and that there is an ongoing appeal before the Fourth Circuit. We call on the government and the courts to unseal enough of the docket to allow, at a minimum, the public to know the legal authority asserted, both for the gag and the substance, and give Lavabit the breathing room to participate in the vibrant and critical public debates on the extent of email privacy in an age of warrantless bulk surveillance by the NSA.
