Bruce Schneier | ||||
Schneier on SecurityA blog covering security and security technology. « November 2005 | Main | January 2006 » December 2005 ArchivesID Cards and ID FraudUnforeseen security effects of weak ID cards: It can even be argued that the introduction of the photocard licence has encouraged ID fraud. It has been relatively easy for fraudsters to obtain a licence, but because it looks and feels like 'photo ID', it is far more readily accepted as proof of identity than the paper licence is, and can therefore be used directly as an ID document or to support the establishment of stronger fraudulent ID, particularly in countries familiar with ID cards in this format, but perhaps unfamiliar with the relative strengths of British ID documents. Posted on December 30, 2005 at 01:51 PM • 21 Comments • View Blog Reactions DOJ Privacy BreachThe U.S. Department of Justice is no better than anyone else at protecting individual privacy. Posted on December 30, 2005 at 07:50 AM • 10 Comments • View Blog Reactions An RFID-Blocking WalletHere's how to make an RFID-blocking wallet out of duct tape. Posted on December 29, 2005 at 02:40 PM • 43 Comments • View Blog Reactions Project ShamrockDecades before 9/11, and the subsequent Bush order that directed the NSA to eavesdrop on every phone call, e-mail message, and who-knows-what-else going into or out of the United States, U.S. citizens included, they did the same thing with telegrams. It was called Project Shamrock, and anyone who thinks this is new legal and technological terrain should read up on that program. Project SHAMROCK...was an espionage exercise that involved the accumulation of all telegraphic data entering into or exiting from the United States. The Armed Forces Security Agency (AFSA) and its successor NSA were given direct access to daily microfilm copies of all incoming, outgoing, and transiting telegraphs via the Western Union and its associates RCA and ITT. Operation Shamrock lasted well into the 1960s when computerized operations (HARVEST) made it possible to search for keywords rather than read through all communications. If you want details, the best place is James Banford's books about the NSA: his 1982 book, The Puzzle Palace, and his 2001 book, Body of Secrets. This quote is from the latter book, page 440: Among the reforms to come out of the Church Committee investigation was the creation of the Foreign Intelligence Surveillance Act (FISA), which for the first time outlined what NSA was and was not permitted to do. The new statute outlawed wholesale, warrantless acquisition of raw telegrams such as had been provided under Shamrock. It also outlawed the arbitrary compilation of watch list containing the names of Americans. Under FISA, a secret federal court was set up, the Foreign Intelligence Surveillance Court. In order for NSA to target an American citizen or a permanent resident alien--a "green card" holder--within the United States, a secret warrant must be obtained from the court. To get the warrant, NSA officials must show that the person they wish to target is either an agent of a foreign power or involved in espionage or terrorism. A lot of people are trying to say that it's a different world today, and that eavesdropping on a massive scale is not covered under the FISA statute, because it just wasn't possible or anticipated back then. That's a lie. Project Shamrock began in the 1950s, and ran for about twenty years. It too had a massive program to eavesdrop on all international telegram communications, including communications to and from American citizens. It too was to counter a terrorist threat inside the United States. It too was secret, and illegal. It is exactly, by name, the sort of program that the FISA process was supposed to get under control. Twenty years ago, Senator Frank Church warned of the dangers of letting the NSA get involved in domestic intelligence gathering. He said that the "potential to violate the privacy of Americans is unmatched by any other intelligence agency." If the resources of the NSA were ever used domestically, "no American would have any privacy left.... There would be no place to hide.... We must see to it that this agency and all agencies that possess this technology operate within the law and under proper supervision, so that we never cross over that abyss. That is an abyss from which there is no return." Bush's eavesdropping program was explicitly anticipated in 1978, and made illegal by FISA. There might not have been fax machines, or e-mail, or the Internet, but the NSA did the exact same thing with telegrams. We can decide as a society that we need to revisit FISA. We can debate the relative merits of police-state surveillance tactics and counterterrorism. We can discuss the prohibitions against spying on American citizens without a warrant, crossing over that abyss that Church warned us about twenty years ago. But the president can't simply decide that the law doesn't apply to him. This issue is not about terrorism. It's not about intelligence gathering. It's about the executive branch of the United States ignoring a law, passed by the legislative branch and signed by President Jimmy Carter: a law that directs the judicial branch to monitor eavesdropping on Americans in national security investigations. It's not the spying, it's the illegality. Posted on December 29, 2005 at 08:40 AM • 96 Comments • View Blog Reactions Bomb-Sniffing WaspsNo, this isn't from The Onion. Trained wasps: The tiny, non-stinging wasps can check for hidden explosives at airports and monitor for toxins in subway tunnels. Sounds like it will be cheap enough.... EDITED TO ADD (12/29): Bomb-sniffing bees are old news. Posted on December 28, 2005 at 12:47 PM • 34 Comments • View Blog Reactions Are Computer-Security Export Controls Back?I thought U.S. export regulations were finally over and done with, at least for software. Maybe not: Unfortunately, due to strict US Government export regulations Symantec is only able to fulfill new LC5 orders or offer technical support directly with end-users located in the United States and commercial entities in Canada, provided all screening is successful. The software in question is the password breaking and auditing tool called LC5, better known as L0phtCrack. Anyone have any ideas what's going on, because I sure don't. Posted on December 28, 2005 at 07:08 AM • 31 Comments • View Blog Reactions Bug Bounties Are Not SecurityPaying people rewards for finding security flaws is not the same as hiring your own analysts and testers. It's a reasonable addition to a software security program, but no substitute. I've said this before, but Moshe Yudkowsky said it better: Here's an outsourcing idea: get rid of your fleet of delivery trucks, toss your packages out into the street, and offer a reward to anyone who successfully delivers a package. Sound like a good idea, or a recipe for disaster? Posted on December 27, 2005 at 07:46 AM • 20 Comments • View Blog Reactions Is the NSA Reading Your E-Mail?Richard M Smith has some interesting ideas on how to test if the NSA is eavesdropping on your e-mail. With all of the controversy about the news that the NSA has been monitoring, since 9/11, telephone calls and email messages of Americans, some folks might now be wondering if they are being snooped on. Here's a quick and easy method to see if one's email messages are being read by someone else. The only problem is that you might get a knock on your door by some random investigative agency. Or get searched every time you try to get on an airplane. But I think that risk is pretty low, actually. If people actually do this, please report back. I'm very curious. Posted on December 26, 2005 at 12:31 PM • 125 Comments • View Blog Reactions Internet Explorer SucksThis study is from August, but I missed it. The researchers tracked three browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were "known unsafe." Their definition of "known unsafe": a remotely exploitable security vulnerability had been publicly announced and no patch was yet available. MSIE was 98% unsafe. There were only 7 days in 2004 without an unpatched publicly disclosed security hole. Firefox was 15% unsafe. There were 56 days with an unpatched publicly disclosed security hole. 30 of those days were a Mac hole that only affected Mac users. Windows Firefox was 7% unsafe. Opera was 17% unsafe: 65 days. That number is accidentally a little better than it should be, as two of the upatched periods happened to overlap. This underestimates the risk, because it doesn't count vulnerabilities known to the bad guys but not publicly disclosed (and it's foolish to think that such things don't exist). So the "98% unsafe" figure for MSIE is generous, and the situation might be even worse. Wow. Posted on December 26, 2005 at 06:27 AM • 82 Comments • View Blog Reactions New TSA Guidelines from The OnionThe Onion has a new set of TSA guidelines. Posted on December 24, 2005 at 12:19 PM • 12 Comments • View Blog Reactions Story About "Little Red Book" and Federal Agents a HoaxThis is important news: The UMass Dartmouth student who claimed to have been visited by Homeland Security agents over his request for "The Little Red Book" by Mao Zedong has admitted to making up the entire story. I don't know what the moral is, here. 1) He's an idiot. 2) Don't believe everything you read. 3) We live in such an invasive political climate that such stories are easily believable. 4) He's definitely an idiot. Posted on December 24, 2005 at 08:53 AM • 31 Comments • View Blog Reactions Weird Computer-Worm Social Engineering StoryI can't make this stuff up: A child porn offender in Germany turned himself in to the police after mistaking an email he received from a computer worm for an official warning that he was under investigation.... Seems like the e-mail was actually from a worm, and not a sting operation by the police. But who knows? Posted on December 23, 2005 at 03:30 PM • 18 Comments • View Blog Reactions Idiotic Article on TPMThis is just an awful news story. "TPM" stands for "Trusted Platform Module." It's a chip that may soon be in your computer that will try to enforce security: both your security, and the security of software and media companies against you. It's complicated, and it will prevent some attacks. But there are dangers. And lots of ways to hack it. (I've written about TPM here, and here when Microsoft called it Palladium. Ross Anderson has some good stuff here.) In fact, with TPM, your bank wouldn’t even need to ask for your username and password -- it would know you simply by the identification on your machine. Since when is "your computer" the same as "you"? And since when is identifying a computer the same as authenticating the user? And until we can eliminate bot networks and "owned" machines, there's no way to know who is controlling your computer. Of course you could always “foolâ€? the system by starting your computer with your unique PIN or fingerprint and then letting another person use it, but that’s a choice similar to giving someone else your credit card. Right, letting someone use your computer is the same as letting someone use your credit card. Does he have any idea that there are shared computers that you can rent and use? Does he know any families that share computers? Does he ever have friends who visit him at home? There are lots of ways a PIN can be guessed or stolen. Oh, I can't go on. My guess is the reporter was fed the story by some PR hack, and never bothered to check out if it were true. Posted on December 23, 2005 at 11:13 AM • 42 Comments • View Blog Reactions Car Thieves AdaptBecause automobile security devices are so effective, some car thieves are breaking into people's homes in order to steal the keys. He said modern cars with electronic keys and immobilisers were putting car thieves out of business -- but the thieves were adapting. Posted on December 23, 2005 at 06:21 AM • 47 Comments • View Blog Reactions Vehicle Tracking in the UKUniversal automobile surveillance is coming: Britain is to become the first country in the world where the movements of all vehicles on the roads are recorded. A new national surveillance system will hold the records for at least two years. As The Independent opines, this is only the beginning: The new national surveillance network for tracking car journeys, which has taken more than 25 years to develop, is only the beginning of plans to monitor the movements of all British citizens. The Home Office Scientific Development Branch in Hertfordshire is already working on ways of automatically recognising human faces by computer, which many people would see as truly introducing the prospect of Orwellian street surveillance, where our every move is recorded and stored by machines. I've already written about the security risks of what I call "wholesale surveillance." Once this information is collected, it will be misused, lost, and stolen. It will be filled with errors. The problems and insecurities that come from living in a surveillance society more than outweigh any crimefighting (and terrorist-fighting) advantages. Posted on December 22, 2005 at 02:41 PM • 58 Comments • View Blog Reactions Miller on OpenSSHInteresting interview: Federico Biancuzzi interviews OpenSSH developer Damien Miller to discuss features included in the upcoming version 4.3, public key crypto protocols details, timing based attacks and anti-worm measures. Posted on December 22, 2005 at 11:53 AM • 13 Comments • View Blog Reactions Dutch BotnetBack in October, the Dutch police arrested three people who created a large botnet and used it to extort money from U.S. companies. When the trio was arrested, authorities said that the botnet consisted of about 100,000 computers. The actual number was 1.5 million computers. And I've heard reports from reputable sources that the actual actual number was "significantly higher." And it may still be growing. The bots continually scan the network and try to infect other machines. They do this autonomously, even after the command and control node was shut down. Since most of those 1.5 million machines -- or however many there are -- still have the botnet software running on them, it's reasonable to believe that the botnet is still growing. Posted on December 22, 2005 at 08:18 AM • 30 Comments • View Blog Reactions Electronic Shackles and Telephone CommunicationsThe article is in Hebrew, but the security story is funny in any language. It's about a prisoner who was forced to wear an electronic shackle to monitor that he did not violate his home arrest. The shackle is pretty simple: if the suspect leaves the defined detention area, the electronic shackle signals through the telephone line to the local police. How do you defeat a system such as this? Just stop paying your phone bill and wait for the phone company to shut off service. Posted on December 21, 2005 at 12:03 PM • 29 Comments • View Blog Reactions The Security Threat of Unchecked Presidential PowerThis past Thursday, the New York Times exposed the most significant violation of federal surveillance law in the post-Watergate era. President Bush secretly authorized the National Security Agency to engage in domestic spying, wiretapping thousands of Americans and bypassing the legal procedures regulating this activity. This isn't about the spying, although that's a major issue in itself. This is about the Fourth Amendment protections against illegal search. This is about circumventing a teeny tiny check by the judicial branch, placed there by the legislative branch, placed there 27 years ago -- on the last occasion that the executive branch abused its power so broadly. In defending this secret spying on Americans, Bush said that he relied on his constitutional powers (Article 2) and the joint resolution passed by Congress after 9/11 that led to the war in Iraq. This rationale was spelled out in a memo written by John Yoo, a White House attorney, less than two weeks after the attacks of 9/11. It's a dense read and a terrifying piece of legal contortionism, but it basically says that the president has unlimited powers to fight terrorism. He can spy on anyone, arrest anyone, and kidnap anyone and ship him to another country ... merely on the suspicion that he might be a terrorist. And according to the memo, this power lasts until there is no more terrorism in the world. Yoo starts by arguing that the Constitution gives the president total power during wartime. He also notes that Congress has recently been quiescent when the president takes some military action on his own, citing President Clinton's 1998 strike against Sudan and Afghanistan. Yoo then says: "The terrorist incidents of September 11, 2001, were surely far graver a threat to the national security of the United States than the 1998 attacks. ... The President's power to respond militarily to the later attacks must be correspondingly broader." This is novel reasoning. It's as if the police would have greater powers when investigating a murder than a burglary. More to the point, the congressional resolution of Sept. 14, 2001, specifically refused the White House's initial attempt to seek authority to preempt any future acts of terrorism, and narrowly gave Bush permission to go after those responsible for the attacks on the Pentagon and World Trade Center. Yoo's memo ignored this. Written 11 days after Congress refused to grant the president wide-ranging powers, it admitted that "the Joint Resolution is somewhat narrower than the President's constitutional authority," but argued "the President's broad constitutional power to use military force ... would allow the President to ... [take] whatever actions he deems appropriate ... to pre-empt or respond to terrorist threats from new quarters." Even if Congress specifically says no. The result is that the president's wartime powers, with its armies, battles, victories, and congressional declarations, now extend to the rhetorical "War on Terror": a war with no fronts, no boundaries, no opposing army, and -- most ominously -- no knowable "victory." Investigations, arrests, and trials are not tools of war. But according to the Yoo memo, the president can define war however he chooses, and remain "at war" for as long as he chooses. This is indefinite dictatorial power. And I don't use that term lightly; the very definition of a dictatorship is a system that puts a ruler above the law. In the weeks after 9/11, while America and the world were grieving, Bush built a legal rationale for a dictatorship. Then he immediately started using it to avoid the law. This is, fundamentally, why this issue crossed political lines in Congress. If the president can ignore laws regulating surveillance and wiretapping, why is Congress bothering to debate reauthorizing certain provisions of the Patriot Act? Any debate over laws is predicated on the belief that the executive branch will follow the law. This is not a partisan issue between Democrats and Republicans; it's a president unilaterally overriding the Fourth Amendment, Congress and the Supreme Court. Unchecked presidential power has nothing to do with how much you either love or hate George W. Bush. You have to imagine this power in the hands of the person you most don't want to see as president, whether it be Dick Cheney or Hillary Rodham Clinton, Michael Moore or Ann Coulter. Laws are what give us security against the actions of the majority and the powerful. If we discard our constitutional protections against tyranny in an attempt to protect us from terrorism, we're all less safe as a result. This essay was published today as an op-ed in the Minneapolis Star Tribune. Here's the opening paragraph of the Yoo memo. Remember, think of this power in the hands of your least favorite politician when you read it: You have asked for our opinion as to the scope of the President's authority to take military action in response to the terrorist attacks on the United States on September 11, 2001. We conclude that the President has broad constitutional power to use military force. Congress has acknowledged this inherent executive power in both the War Powers Resolution, Pub. L. No. 93-148, 87 Stat. 555 (1973), codified at 50 U.S.C. §§ 1541-1548 (the "WPR"), and in the Joint Resolution passed by Congress on September 14, 2001, Pub. L. No. 107-40, 115 Stat. 224 (2001). Further, the President has the constitutional power not only to retaliate against any person, organization, or State suspected of involvement in terrorist attacks on the United States, but also against foreign States suspected of harboring or supporting such organizations. Finally, the President may deploy military force preemptively against terrorist organizations or the States that harbor or support them, whether or not they can be linked to the specific terrorist incidents of September 11. There's a similar reasoning in the Braybee memo, which was written in 2002 about torture: In a series of opinions examining various legal questions arising after September 11, we have examined the scope of the President's Commander-in-Chief power. . . . Foremost among the objectives committed by the Constitution to [the President's] trust. As Hamilton explained in arguing for the Constitution's adoption, ‘because the circumstances which may affect the public safety’ are ‘not reducible within certain limits, it must be admitted, as a necessary consequence, that there can be no limitation of that authority, which is to provide for the defense and safety of the community, in any manner essential to its efficacy.’ . . . [The Constitution’s] sweeping grant vests in the President an unenumerated Executive power . . . The Commander in Chief power and the President’s obligation to protect the Nation imply the ancillary powers necessary to their successful exercise. NSA watcher James Bamford points out how this action was definitely considered illegal in 1978, which is why FISA was passed in the first place: When the Foreign Intelligence Surveillance Act was created in 1978, one of the things that the Attorney General at the time, Griffin Bell, said -- he testified before the intelligence committee, and he said that the current bill recognizes no inherent power of the President to conduct electronic surveillance. He said, ‘This bill specifically states that the procedures in the bill are the exclusive means by which electronic surveillance may be conducted.’ In other words, what the President is saying is that he has these inherent powers to conduct electronic surveillance, but the whole reason for creating this act, according to the Attorney General at the time, was to prevent the President from using any inherent powers and to use exclusively this act. Also this from Salon, discussing a 1952 precedent: Attorney General Alberto Gonzales argues that the president's authority rests on two foundations: Congress's authorization to use military force against al-Qaida, and the Constitution's vesting of power in the president as commander-in-chief, which necessarily includes gathering “signals intelligenceâ€? on the enemy. But that argument cannot be squared with Supreme Court precedent. In 1952, the Supreme Court considered a remarkably similar argument during the Korean War. Youngstown Sheet & Tube Co. v. Sawyer, widely considered the most important separation-of-powers case ever decided by the court, flatly rejected the president's assertion of unilateral domestic authority during wartime. President Truman had invoked the commander-in-chief clause to justify seizing most of the nation's steel mills. A nationwide strike threatened to undermine the war, Truman contended, because the mills were critical to manufacturing munitions. The Attorney General said that the Administration didn't try to do this legally, because they didn't think they could get the law passed. But don't worry, an NSA shift supervisor is acting in the role of a FISC judge: GENERAL HAYDEN: FISA involves the process -- FISA involves marshaling arguments; FISA involves looping paperwork around, even in the case of emergency authorizations from the Attorney General. And beyond that, it's a little -- it's difficult for me to get into further discussions as to why this is more optimized under this process without, frankly, revealing too much about what it is we do and why and how we do it. Senators from both parties are demanding hearings: Democratic and Republican calls mounted on Tuesday for U.S. congressional hearings into President George W. Bush's assertion that he can order warrantless spying on Americans with suspected terrorist ties. This New York Times paragraph is further evidence that we're talking about an Echelon-like surveillance program here: Administration officials, speaking anonymously because of the sensitivity of the information, suggested that the speed with which the operation identified "hot numbers" - the telephone numbers of suspects - and then hooked into their conversations lay behind the need to operate outside the old law. And some more snippets. There are about a zillion more URLs I could list here. I posted these already, but both Oren Kerr and And this George W. Bush quote (video and transcript), from December 18, 2000, is just too surreal not to reprint: "If this were a dictatorship, it’d be a heck of a lot easier, just so long as I’m the dictator." I guess 9/11 made it a heck of a lot easier. Look, I don't think 100% of the blame belongs to President Bush. (This kind of thing was also debated under Clinton.) The Congress, Democrats included, have allowed the Executive to gather power at the expense of the other two branches. This is the fundamental security issue here, and it'll be an issue regardless of who wins the White House in 2008. EDITED TO ADD (12/21): FISC Judge James Robertson resigned yesterday: Two associates familiar with his decision said yesterday that Robertson privately expressed deep concern that the warrantless surveillance program authorized by the president in 2001 was legally questionable and may have tainted the FISA court's work. More generally, here's some of the relevant statutes and decisions: "Foreign Intelligence Surveillance Act (FISA)" (1978). "Authorization for Use of Military Force (2001)," the law authorizing Bush to use military force against the 9/11 terrorists. "United States v. United States District Court," 407 U.S. 297 (1972), a national security surveillance case that turned on the Fourth Amendment. "Hamdi v. Rumsfeld," 124 S. Ct. 981 (2004), the recent Supreme Court case examining the president's powers during wartime. [The Government's position] cannot be mandated by any reasonable view of the separation of powers, as this view only serves to condense power into a single branch of government. We have long since made clear that a state of war is not a blank check for the President when it comes to the rights of the Nation's citizens. Youngstown Steel and Tube, 343 U.S. at 587. Whatever power the United States Constitution envisions for the Executive in times of conflict with other Nations or enemy organizations, it most assuredly envisions a role for all three branches when individual liberties are at stake. And here are a bunch of blog posts: Daniel Solove: "Hypothetical: What If President Bush Were Correct About His Surveillance Powers?." Seth Weinberger: "Declaring War and Executive Power." Juliette Kayyem: "Wiretaps, AUMF and Bush's Comments Today." Mark Schmitt: "Alito and the Wiretaps." Eric Muller: "Lawless Like I Said." Cass Sunstein: "Presidential Wiretap." Spencer Overton: "Judge Damon J. Keith: No Warrantless Wiretaps of Citizens." Will Baude: "Presidential Authority, A Lament." And news articles: Washington Post: "Clash Is Latest Chapter in Bush Effort to Widen Executive Power." The clash over the secret domestic spying program is one slice of a broader struggle over the power of the presidency that has animated the Bush administration. George W. Bush and Dick Cheney came to office convinced that the authority of the presidency had eroded and have spent the past five years trying to reclaim it. New York Times: Spying Program Snared U.S. Calls." A surveillance program approved by President Bush to conduct eavesdropping without warrants has captured what are purely domestic communications in some cases, despite a requirement by the White House that one end of the intercepted conversations take place on foreign soil, officials say. Posted on December 21, 2005 at 06:50 AM • 279 Comments • View Blog Reactions How Much High Explosive Does Any One Person Need?The stolen goods include 150 pounds of C-4 plastic explosive and 250 pounds of thin sheets of explosives that could be used in letter bombs. Also, 2,500 detonators were missing from a storage explosive container, or magazine, in a bunker owned by Cherry Engineering. The theft was professional: Thieves apparently used blowtorches to cut through the storage trailers -- suggesting they knew what they were after. Most likely it's a criminal who will resell the stuff, but it could be a terrorist organization. My guess is criminals, though. By the way, this is in America... The material was taken from Cherry Engineering, a company owned by Chris Cherry, a scientist at Sandia National Labs. ...where security is an afterthought: The site, located outside Albuquerque, had no guards and no surveillance cameras. Or maybe not even an afterthought: It was the site's second theft in the past two years. If anyone is looking for something to spend national security money on that will actually make us safer, securing high-explosive-filled trailers would be high on my list. EDITED TO ADD (12/29): The explosives were recovered. Posted on December 20, 2005 at 02:20 PM • 34 Comments • View Blog Reactions NSA and Bush's Illegal EavesdroppingWhen President Bush directed the National Security Agency to secretly eavesdrop on American citizens, he transferred an authority previously under the purview of the Justice Department to the Defense Department and bypassed the very laws put in place to protect Americans against widespread government eavesdropping. The reason may have been to tap the NSA's capability for data-mining and widespread surveillance. Illegal wiretapping of Americans is nothing new. In the 1950s and '60s, in a program called "Project Shamrock," the NSA intercepted every single telegram coming into or going out of the United States. It conducted eavesdropping without a warrant on behalf of the CIA and other agencies. Much of this became public during the 1975 Church Committee hearings and resulted in the now famous Foreign Intelligence Surveillance Act (FISA) of 1978. The purpose of this law was to protect the American people by regulating government eavesdropping. Like many laws limiting the power of government, it relies on checks and balances: one branch of the government watching the other. The law established a secret court, the Foreign Intelligence Surveillance Court (FISC), and empowered it to approve national-security-related eavesdropping warrants. The Justice Department can request FISA warrants to monitor foreign communications as well as communications by American citizens, provided that they meet certain minimal criteria. The FISC issued about 500 FISA warrants per year from 1979 through 1995, and has slowly increased subsequently -- 1,758 were issued in 2004. The process is designed for speed and even has provisions where the Justice Department can wiretap first and ask for permission later. In all that time, only four warrant requests were ever rejected: all in 2003. (We don't know any details, of course, as the court proceedings are secret.) FISA warrants are carried out by the FBI, but in the days immediately after the terrorist attacks, there was a widespread perception in Washington that the FBI wasn't up to dealing with these new threats -- they couldn't uncover plots in a timely manner. So instead the Bush administration turned to the NSA. They had the tools, the expertise, the experience, and so they were given the mission. The NSA's ability to eavesdrop on communications is exemplified by a technological capability called Echelon. Echelon is the world's largest information "vacuum cleaner," sucking up a staggering amount of voice, fax, and data communications -- satellite, microwave, fiber-optic, cellular and everything else -- from all over the world: an estimated 3 billion communications per day. These communications are then processed through sophisticated data-mining technologies, which look for simple phrases like "assassinate the president" as well as more complicated communications patterns. Supposedly Echelon only covers communications outside of the United States. Although there is no evidence that the Bush administration has employed Echelon to monitor communications to and from the U.S., this surveillance capability is probably exactly what the president wanted and may explain why the administration sought to bypass the FISA process of acquiring a warrant for searches. Perhaps the NSA just didn't have any experience submitting FISA warrants, so Bush unilaterally waived that requirement. And perhaps Bush thought FISA was a hindrance -- in 2002 there was a widespread but false believe that the FISC got in the way of the investigation of Zacarias Moussaoui (the presumed "20th hijacker") -- and bypassed the court for that reason. Most likely, Bush wanted a whole new surveillance paradigm. You can think of the FBI's capabilities as "retail surveillance": It eavesdrops on a particular person or phone. The NSA, on the other hand, conducts "wholesale surveillance." It, or more exactly its computers, listens to everything. An example might be to feed the computers every voice, fax, and e-mail communication looking for the name "Ayman al-Zawahiri.". This type of surveillance is more along the lines of Project Shamrock, and not legal under FISA. As Sen. Jay Rockefeller wrote in a secret memo after being briefed on the program, it raises "profound oversight issues." It is also unclear whether Echelon-style eavesdropping would prevent terrorist attacks. In the months before 9/11, Echelon noticed considerable "chatter": bits of conversation suggesting some sort of imminent attack. But because much of the planning for 9/11 occurred face-to-face, analysts were unable to learn details. The fundamental issue here is security, but it's not the security most people think of. James Madison famously said: "If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government would be necessary." Terrorism is a serious risk to our nation, but an even greater threat is the centralization of American political power in the hands of any single branch of the government. Over 200 years ago, the framers of the U.S. Constitution established an ingenious security device against tyrannical government: they divided government power among three different bodies. A carefully thought out system of checks and balances in the executive branch, the legislative branch, and the judicial branch, ensured that no single branch became too powerful. After watching tyrannies rise and fall throughout Europe, this seemed like a prudent way to form a government. Courts monitor the actions of police. Congress passes laws that even the president must follow. Since 9/11, the United States has seen an enormous power grab by the executive branch. It's time we brought back the security system that's protected us from government for over 200 years. A version of this essay originally appeared in Salon. I wrote another essay about the legal and constitutional implications of this. The Minneapolis Star Tribune will publish it either Wednesday or Thursday, and I will post it here at that time. I didn't talk about the political dynamics in either essay, but they're fascinating. The White House kept this secret, but they briefed at least six people outside the administration. The current and former chief justices of the FISC knew about this. Last Sunday’s Washington Post reported that both of them had misgivings about the program, but neither did anything about it. The White House also briefed the Committee Chairs and Ranking Members of the House and Senate Intelligence Committees, and they didn’t do anything about it. (Although Sen. Rockefeller wrote a bizarre I'm-not-going-down-with-you memo to Cheney and for his files.) Cheney was on television this weekend citing this minimal disclosure as evidence that Congress acquiesced to the program. I see it as evidence of something else: if people from both the Legislative and the Judiciary branches knowingly permitted unlawful surveillance by the Executive branch, then the current system of checks and balances isn't working. It’s also evidence about how secretive this administration is. None of the other FISC judges, and none of the other House or Senate Intelligence Committee members, were told about this, even under clearance. And if there’s one thing these people hate, it’s being kept in the dark on a matter within their jurisdiction. That’s why Senator Feinstein, a member of the Senate Intelligence Committee, was so upset yesterday. And it’s pushing Senator Specter, and some of the Republicans in these Judiciary committees, further into the civil liberties camp. There are about a zillion links worth reading, but here are some of them you might not yet have seen. Some good newspaper commentaries. An excellent legal analysis. Three blog posts. Four more blog posts. Daniel Solove on FISA. Two legal analyses. An interesting "Democracy Now" commentary, including interesting comments on the NSA's capabilities by James Bamford. And finally, my 2004 essay on the security of checks and balances. “Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.â€? -- William Pitt, House of Commons, 11/18/1783. Posted on December 20, 2005 at 12:45 PM • 93 Comments • View Blog Reactions Microsoft Windows Receives EAL 4+ CertificationWindows has a Common Criteria (CC) certification: Microsoft announced that all the products earned the EAL 4 + (Evaluation Assurance Level), which is the highest level granted to a commercial product. Is this true? ...director of security engineering strategy at Microsoft Steve Lipner said the certifications are a significant proof point of Redmond's commitment to creating secure software. Or are the certifications proof that EAL 4+ isn't worth much? Posted on December 20, 2005 at 07:21 AM • 47 Comments • View Blog Reactions Cell Phone Companies and SecurityThis is a fascinating story of cell phone fraud, security, economics, and externalities. Its moral is obvious, and demonstrates how economic considerations drive security decisions. Susan Drummond was a customer of Rogers Wireless, a large Canadaian cell phone company. Her phone was cloned while she was on vacation, and she got a $12,237.60 phone bill (her typical bill was $75). Rogers maintains that there is nothing to be done, and that Drummond has to pay. Like all cell phone companies, Rogers has automatic fraud detection systems that detect this kind of abnormal cell phone usage. They don't turn the cell phones off, though, because they don't want to annoy their customers. Ms. Hopper [a manager in Roger's security department] said terrorist groups had identified senior cellphone company officers as perfect targets, since the company was loath to shut off their phones for reasons that included inconvenience to busy executives and, of course, the public-relations debacle that would take place if word got out. As long as Rogers can get others to pay for the fraud, this makes perfect sense. Shutting off a phone based on an automatic fraud-detection system costs the phone company in two ways: people inconvenienced by false alarms, and bad press. But the major cost of not shutting off a phone remains an externality: the customer pays for it. In fact, there seems be some evidence that Rogers decides whether or not to shut off a suspecious phone based on the customer's ability to pay: Ms. Innes [a vice-president with Rogers Communications] said that Rogers has a policy of contacting consumers if fraud is suspected. In some cases, she admitted, phones are shut off automatically, but refused to say what criteria were used. (Ms. Drummond and Mr. Gefen believe that the company bases the decision on a customer's creditworthiness. "If you have the financial history, they let the meter run," Ms. Drummond said.) Ms. Drummond noted that she has a salary of more than $100,000, and a sterling credit history. "They knew something was wrong, but they thought they could get the money out of me. It's ridiculous." Makes sense from Rogers' point of view. High-paying customers are 1) more likely to pay, and 2) more damaging if pissed off in a false alarm. Again, economic considerations trump security. Rogers is defending itself in court, and shows no signs of backing down: In court filings, the company has made it clear that it intends to hold Ms. Drummond responsible for the calls made on her phone. ". . . the plaintiff is responsible for all calls made on her phone prior to the date of notification that her phone was stolen," the company says. "The Plaintiff's failure to mitigate deprived the Defendant of the opportunity to take any action to stop fraudulent calls prior to the 28th of August 2005." The solution here is obvious: Rogers should not be able to charge its customers for telephone calls it did not make. Ms. Drummond's phone was cloned; there is no possible way she could notify Rogers of this before she saw calls she did not make on her bill. She is also completely powerless to affect the anti-cloning security in the Rogers phone system. To make her liable for the fraud is to ensure that the problem never gets fixed. Rogers is the only party in a position to do something about the problem. The company can, and according to the article has, implemented automatic fraud-detection software. Rogers customers will pay for the fraud in any case. If they are responsible for the loss, either they'll take their chances and pay a lot only if they are the victims, or there'll be some insurance scheme that spreads the cost over the entire customer base. If Rogers is responsible for the loss, then the customers will pay in the form of slightly higher prices. But only if Rogers is responsible for the loss will they implement security countermeasures to limit fraud. And if they do that, everyone benefits. There is a Slashdot thread on the topic. Posted on December 19, 2005 at 01:10 PM • 56 Comments • View Blog Reactions Insider Threat StatisticsFrom Europe, although I doubt it's any different in the U.S.:
One caveat: the study is from McAfee, and as the article rightly notes: Naturally McAfee has a vested interest in talking up this kind of threat.... And finally: Based on its survey, McAfee has identified four types of employees who put their workplace at risk: I like the list. Posted on December 19, 2005 at 07:13 AM • 34 Comments • View Blog Reactions Security CartoonSecurity is only as strong as the weakest link. Posted on December 17, 2005 at 10:21 AM • 21 Comments • View Blog Reactions Computer Crime HypeI guess this is the season for sensationalist hype of computer crime: first CNN, and then USA Today (drug users and Internet crime, for a double-scary story). Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four. Posted on December 16, 2005 at 03:15 PM • 19 Comments • View Blog Reactions More Erosion of Police Oversight in the U.S.From EPIC: Documents obtained by EPIC in a Freedom of Information Act lawsuit reveal FBI agents expressing frustration that the Office of Intelligence Policy and Review, an office that reviews FBI search requests, had not approved applications for orders under Section 215 of the Patriot Act. A subsequent memo refers to "recent changes" allowing the FBI to "bypass"; the office. EPIC is expecting to receive further information about this matter. Some background: Under Section 215, the FBI must show only "relevance" to a foreign intelligence or terrorism investigation to obtain vast amounts of personal information. It is unclear why the Office of Intelligence Policy and Review did not approve these applications. The FBI has not revealed this information, nor did it explain whether other search methods had failed. Remember, the issue here is not whether or not the FBI can engage in counterterrorism. The issue is the erosion of judicial oversight -- the only check we have on police power. And this power grab is dangerous regardless of which party is in the White House at the moment. Posted on December 16, 2005 at 10:03 AM • 18 Comments • View Blog Reactions The Military is Spying on AmericansThe Defense Department is collecting data on perfectly legal, peaceful, anti-war protesters. The DOD database obtained by NBC News includes nearly four dozen anti-war meetings or protests, including some that have taken place far from any military installation, post or recruitment center. One "incident" included in the database is a large anti-war protest at Hollywood and Vine in Los Angeles last March that included effigies of President Bush and anti-war protest banners. Another incident mentions a planned protest against military recruiters last December in Boston and a planned protest last April at McDonald's National Salute to America's Heroes -- a military air and sea show in Fort Lauderdale, Fla. Personally, I am very worried about this increase in military activity inside our country. If anyone should be making sure protesters stay on the right side of the law, it's the police...not the military. And it could get worse. EDITED TO ADD (12/16): There's also this news : Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without the court-approved warrants ordinarily required for domestic spying, according to government officials..... And: ....officials familiar with it said the N.S.A. eavesdropped without warrants on up to 500 people in the United States at any given time. The list changes as some names are added and others dropped, so the number monitored in this country may have reached into the thousands over the past three years, several officials said. Overseas, about 5,000 to 7,000 people suspected of terrorist ties are monitored at one time, according to those officials. This is a very long article, but worth reading. It is not overstatement to suggest that this may be the most significant violation of federal surveillance law in the post-Watergate era. EDITED TO ADD (12/16): Good analysis from Political Animal. The reason Bush's executive order is a big deal is because it's against the law. Here is the Foreign Intelligence Surveillance Act. Its Section 1809a makes it a criminal offense to "engage in electronic surveillance under color of law except as authorized by statute." Posted on December 16, 2005 at 06:49 AM • 60 Comments • View Blog Reactions Are Port Scans Precursors to Attack?Interesting research: Port scans may not be a pre-cursor to hacking efforts, according to conventional wisdom, reports the University of Maryland's engineering school. I agree with Ullrich, who said that the analysis seems too simplistic: Johannes Ullrich, chief technology officer at the SANS Institute 's Internet Storm Center, said that while the design and development of the testbed used for the research appears to be valid, the analysis is too simplistic. Posted on December 15, 2005 at 06:38 AM • 23 Comments • View Blog Reactions Totally Secure Classical Communications?My eighth Wired column: How would you feel if you invested millions of dollars in quantum cryptography, and then learned that you could do the same thing with a few 25-cent Radio Shack components? I go on to describe how the system works, and then discuss the security: There hasn't been enough analysis. I certainly don't know enough electrical engineering to know whether there is any clever way to eavesdrop on Kish's scheme. And I'm sure Kish doesn't know enough security to know that, either. The physics and stochastic mathematics look good, but all sorts of security problems crop up when you try to actually build and operate something like this. Here's the press release, here's the paper, and here's the SlashDot thread. EDITED TO ADD (1/31): Here's an interesting rebuttal. Posted on December 15, 2005 at 06:13 AM • 49 Comments • View Blog Reactions |