Schneier on Security
A blog covering security and security technology.
« New York Times Movie-Plot Threat Contest |
| Police Data Mining Done Right »
August 9, 2007
The New U.S. Wiretapping Law and Security
Last week, Congress gave President Bush new wiretapping powers. I was going to write an essay on the security implications of this, but Susan Landau beat me to it:
To avoid wiretapping every communication, NSA will need to build massive automatic surveillance capabilities into telephone switches. Here things get tricky: Once such infrastructure is in place, others could use it to intercept communications.
Grant the NSA what it wants, and within 10 years the United States will be vulnerable to attacks from hackers across the globe, as well as the militaries of China, Russia and other nations.
Such threats are not theoretical. For almost a year beginning in April 2004, more than 100 phones belonging to members of the Greek government, including the prime minister and ministers of defense, foreign affairs, justice and public order, were spied on with wiretapping software that was misused. Exactly who placed the software and who did the listening remain unknown. But they were able to use software that was supposed to be used only with legal permission.
U.S. communications technology is fragile and easily penetrated. While advanced, it is not decades ahead of that of our friends or our rivals. Compounding the issue is a key facet of modern systems design: Intercept capabilities are likely to be managed remotely, and vulnerabilities are as likely to be global as local. In simplifying wiretapping for U.S. intelligence, we provide a target for foreign intelligence agencies and possibly rogue hackers. Break into one service, and you get broad access to U.S. communications.
More about the Greek wiretapping scandal. And I would be remiss if I didn't mention the excellent book by Whitfield Diffie and Susan Landau on the subject: Privacy on the Line: The Politics of Wiretapping and Encryption.
Posted on August 9, 2007 at 3:29 PM
• 46 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Could not agree more. Those that point this kind of weapons at the population will find them aiming at themselves.
Remember the Italian Wiretapping scandal where everyone was wiretapped and blackmailed by scrupulous internals to the system?
I thought the US Senate had a majority of Democrats in power now.
Weren't the Democrats supposed to be in FAVOR of protecting our civil liberties?
In the House it passed 227-183.
So 183 voted against it.
So find the ones that voted for it and replace them in the next election.
Same thing that happened at the time of the October 2002 Congressional Resolution authorizing the invasion of Iraq. Enough Democrats are spooked by the fear of being labeled soft on terrorism that the party is easily rolled by the White House.
Lots of members of Congress who were for the war when it was popular are against it now that the public has changed its mind. Unfortunately, the public finds our incipient high-surveillance police state unobjectionable, so the Congress will certainly not file a dissent.
Something that I don't understand about this ....
"Because communications from around the world often go through the United States, the government can still get access to much of the information it seeks."
How did it happen that Someone in Iran calling someone in Saudi Arabia has their call routed through the US?
Particularly with countries who would be considered "enemies" of ours.
Seriously. Do these countries really trust us THAT MUCH that they'd route their traffic through out systems KNOWING that we have all kinds of political / economic / etc reasons to listen to them?
"Seriously. Do these countries really trust us THAT MUCH that they'd route their traffic through out systems KNOWING that we have all kinds of political / economic / etc reasons to listen to them?"
I imagine it's a matter of shopping for carrier service among the small number of players who have telecommunication satellites with available capacity. I don't think that's a buyer's market, and none of the sellers are necessarily based in countries that are manifestly more trustworthy than the US with the telecom data.
All other things being equal, the selection is probably made on the basis of which comsat/company offers the most commercially attractive deal.
"Enough Democrats are spooked by the fear of being labeled soft on terrorism that the party is easily rolled by the White House."
So those Democrats will stick to their principles, until it's inconvenient.
If that's true, does anyone else find that truth inconvenient?
Put politics aside for the moment.
Apparently the system already exists, at least in large part. Was it built robustly enough to prevent pre-emption and use by unauthorized parties?
If not, get it fixed or turn it off.
"In the House it passed 227-183.
So 183 voted against it.
So find the ones that voted for it and replace them in the next election."
But how do I know that their replacements won't do the same thing: pretend they'll uphold the principle of defending civil liberties while they're running for election, and then once elected, abandon that principle as soon as its defense seems inconvenient?
Seems like that system lacks accountability.
That still makes no sense to me.
Okay, routing a call from Saudi Arabia to Canada or Mexico or even Panama could logically go through the US.
But when you're talking about their NATIONAL SECURITY why wouldn't they spend the money and build their own systems? At the very least to connect to their neighbors and such.
Not only that, but a less advanced system would also be more difficult to tap.
@Confused: The FISA court was downgraded to rubber-stamping status under Clinton (while Bush just ignored it entirely). I find the idea of the Democrats being the savior of civil rights very naive.
For a good laugh, check out this Free Republic thread from late-2000 on the FISA court under Clinton:
Which includes this gem of a comment:
"Any chance of Bush rolling some of this back?"
@Confused: It's an iterative process.
"I find the idea of the Democrats being the savior of civil rights very naive."
Well gosh golly.
If the Democrats won't defend our civil liberties, and the Republicans won't either, then who will?
who has a land line anymore? Cut your phone lines now.
> then who will?
What are you going to do about it?
"What are you going to do about it?"
Clamour for my rights?
I know! Vote, vote and vote again! That'll solve it!
"But when you're talking about their NATIONAL SECURITY why wouldn't they spend the money and build their own systems? At the very least to connect to their neighbors and such."
But it doesn't affect their national security -- only the privacy of their citizens/customers. Which has no monetary value.
Governments have means of secure communication with embassies, traveling officials, agents, etc. that are unaffected by these particular eavesdropping operations. Unless they choose to take a stand on their citizens' privacy, there is no issue here for them. They might even get a little counter-terrorist intel kicked back to them as a side benefit.
The surrender monkey from Illinois, Durbin, thought it was better to be a senator than to reveal the lies of the "top secret" briefings in his committee.
So the answer is that the democrates would rather get reelected than be right.
It seems to me that people heaping invective upon the politicians are kind of missing the point.
Our elective representatives are, well, representing us. And it turns out that most of us, in the U.S., are terrified of terrorists. We are so scared, as a nation, that we are perfectly prepared to sacrifice our political birthright -- we're OK with massive, pervasive surveillance; we approve of the permanent jailing without trial of "enemy combatants" -- even US citizens arrested on US soil; we're indifferent to our status as the world's newest and most enthusiastic torture state (we may even be proud of it, judging from our Jack Bauer worship).
We have such a trivial and petty understanding of our Liberty that we happily trade it away in large parcels, in return for assurances that we'll be made safe from terrorists. We accept, essentially, that the country must be defended from any attack at any cost, even if the cost is to destroy the principles that make the country worth defending in the first place.
Pity the poor politician who tries to reason with this pervasive craven fear. It's inviting professional suicide. I don't wonder that most Democrats would rather change the subject. This certainly doesn't absolve them of their civic responsibilities, but so long we're handing out demerits for non-performance of duty, let's recall who is really in charge in a democracy.
"Governments have means of secure communication with embassies, traveling officials, agents, etc. that are unaffected by these particular eavesdropping operations."
Nope. Just as with our recent Republican email scandal, having secure means of communications is not the same as always them.
When their traffic is routed across out network, it only takes a single error and we have information that we would not otherwise have had.
Read this site and you'll see how often people fail to follow basic security procedures.
The FIRST step in security is limiting the avenues of attack. This is the OPPOSITE of that. This is OPENING an avenue right to your enemy.
First thing to understand is that pols, of both major parties, are in politics to get power and money. They say what they think will help them get elected, which may have little to do with what they think.
Second thing to understand is that most people do not want freedom. They want to be told what to do, because this avoids the necessity of having to think, which most people don't like.
Once you understand these 2, a lot of puzzling things about the world will become clearer.
This story reminds me of my days working in telecoms (about 8-10 years ago).
I was told that all the old BT exchanges that were being replaced were sold to other nations, as even though they were old to the UK, they were better than nothing.
The point is that they were all modified, such that you could remotely issue a "kill code" which would knock out the exchange. This was supposed to be secret and the destination countries had no idea. The plan was, if the UK deemed it necessary, the foreign telephone networks could be taken out easily.
I don't know which countries got them, but certainly Poland and some African countries.
I remember thinking at the time that this was pretty risky and open to abuse/accidental use. That was the late 1990's and now we have the US government attempting the same trick.
Kind of OT: As being an alien (eg. non US citizen) Bruce and those who are commenting his blog are keeping up my faith that the USA will recover from their endless fall in the last 6 years.
For most of my life america (seen from the outside) has been a lighthouse of freedom and peace and I really hope it will recover this look.
Don't blame me, I voted for Kodos...
(Simpsons - Treehouse of Horror VII)
@concerned: "old BT exchanges that were being replaced were sold to other nations"
Same with Enigma crypto machines that were happily sold to third world countries after WWII.
The key point I take away from Landau's article:
If you love the idea of increased surveillance in U.S. systems (to catch terrorists), you should still want it built so that unauthorized parties cannot use it against you.
If you hate the idea of increased surveillance (as an invasion of privacy or whatever) then you should be crying out for robust controls in such systems simply as a tactic to slow down or head off their deployment, or at least to reduce the risk if they are deployed.
Both sides, each for their own reasons, should be calling for congressional review of the system to assure robust control.
Why hasn't it happened? Such a technical review could be turned to political advantage for either side.
The only dumb thing is to ignore the issue.
@nostromo, "First thing to understand is that pols, of both major parties, are in politics to get power and money."
Furthermore, those who are in politics for more altruistic motives will soon be out if they ignore those two fundamental imperatives.
Being out of office makes it much more difficult to cast principled votes on any legislation.
Worse, being voted out of office for being scrupulously principled makes it much more likely that the replacement will be less principled or scrupulous.
@nostromo, "Second thing to understand is that most people do not want freedom. They want to be told what to do, because this avoids the necessity of having to think, which most people don't like."
People do want freedom, just not responsibility for the consequences (that's where the need for thought enters).
They especially do want the freedom to gripe about what they're told to do, but they can, and usually will, do it without thinking.
What a bunch of tunnel visioned "surveillance wimps" your rights are being eroded daily by liberal nanny-state-government types, forcing gay indoctrination on children, telling people they can't smoke, own a gun, defining what is acceptable PC speach, telling people what they can and can't do with their private property, the global-warming myth being used to change the way you live, raise your taxes, the cars you drive, Got carbon offsets, oh yeah - can't wait to get a great health care system like canada and cuba - surveillance has become an necessary evil -be concerned - just don't leave out all the other infringements on your freedom that you say is so important to you
@hitechjanitor, as opposed to the conservative big-brother authoritarian government types who want to listen to our conversations if not our innermost thoughts, put Carnivore wiretaps on everybody, subvert free elections with tamper-friendly voting machines, and cart objectors to the US PATRIOT act off to Gitmo in the middle of the night.
It's a race between the two extremes to see which one can strip individual citizens of liberty faster.
so wait a few years for it to get deployed, hack it to wiretap all the politicians and their families, and blackmail them into making it go away. the blackmail is done as much for the sake of demonstratio, as for coercion, so such an action is merely ethically dubious, rather than patently unethical. and since the ends justify the means, that ought to tip the scales.
> If the Democrats won't defend our civil liberties, and the Republicans
> won't either, then who will?
The full list of who voted and how is on my blog.
This is what organizations like the ACLU are for, and why we have a judicial branch as well as an executive and legislative. This is obviously unconstitutional. I imagine lawsuits are in final drafts now.
"This is what organizations like the ACLU are for, and why we have a judicial branch as well as an executive and legislative."
The ACLU! And the judges!! They'll defend our civil liberties!! THANK GOD! (I thought I was going to have to take responsibility for my own liberty--whew!)
I wonder if, at any time in our country's history, there's even been an example of a judge affirming an encroachment on our civil liberties. Hmmmm.......
> I thought I was going to have to take responsibility for my own liberty
If you want to live in a complex society, you're going to have to give up the notion that you're the complete master of your domain. Sorry. If you've participated lately in going out in public, traveled on a plane, sent anything by the USPS, paid taxes, called the fire department, *turned on the lights in your house* (assuming you don't run your own generator) you've voluntarily given up some of the responsibility for your own liberty. Hell, even if you run your own generator, you've outsourced some of the responsibility for your safety and liberty to whoever built the thing.
> I wonder if, at any time in our country's history, there's even been an
> example of a judge affirming an encroachment on our civil liberties.
There have been, yes. Sometimes years or decades after the encroachment, but our system of government is designed to move slowly. Here endeth the troll-feeding.
Neither the typical Democrat nor Republican at the federal level ever does much to defend civil liberties.
Instead they split legal hairs to find out how to acquire more power and control and satisfy the Supreme Court. And it takes the Court years to catch up.
To say either party really is out there defending civil liberties is ridiculous. Neither party is pushing smaller, less intrusive government.
"you've voluntarily given up some of the responsibility for your own liberty"
Hell, I wanna give it all up (the responsibility, that is)!
The good part is, I don't have to do a darn thing to give it up in our complex society, do I? It's done for me. Sweet.
I wonder how slowly our government will move in cleaning up my extra liberty for me?
Of course the Democrats rolled over for Bush on the wiretapping issue. How many years has he been tapping their phones? I am sure he got PLENTY of dirt on every single one of them and reminded them of it before the vote.
"Blackmail is such an ugly word. I prefer Extortion. The X make it sound cool." - Bender
"U.S. communications technology is fragile and easily penetrated. While advanced, it is not decades ahead of that of our friends or our rivals. " Uh, with the faintly possible exception of Ciena, there are no major US telecom manufacturers anymore; they are French, Canadian, Japanese and soon Chinese... So tell me again how we are supposed to keep these back doors out of the hands of the Sureté?
The quotes from the original aricle sound somewhat apocalyptic to me. They present as fact that the agencies in charge are incompetent to implement the lawful interception measures securely, and that breaches by hackers (read: cyber-terrorists) and foreign intelligence agencies are unavoidable.
Yet we on this blog all know that measures can be put into place to limit wiretapping to the authorized parties (strong authentication, logging every transaction, and regular audits), and second that we should be much more concerned about insider threats.
I am concerned about the expansion of warrantless wiretapping. But that is a political battle. While we fight, we should be more constructive, and ensure that measures are put in place to discourage and avoid abuse.
According to some in the legal and legal reporting communities, the new law does not limit surveillance without a warrant to only those communications known to be participated in by a party outside of the USA. If they're correct, communications between parties located within the USA would be fair game, no warrant required. It would be nice to now how Congress sees it; reportedly the matter will be revisited. And it would be nice to know how the NSA sees it.
What is really the news here?
As clearly shown by the Greek scandal, wiretap software is a standard part of the software of pretty much all modern telephone exchanges. I would be very surprised if for some reason that capability is not in place in all systems already sold in the US today. Regardless of whether a Nortel, Alcatel/Lucent, Ericsson, Nokia/Siemens, or other vendor created the system.
Since the police already have wiretapping powers, that capability has been needed since the dawn of digital switches. So it is sure already in there.
Exactly who placed the software and who did
the listening remain unknown.
Perhaps in the US, the rest of the world knows it was the CIA. Don't you lot read the news?
If you think that is dangerous to us and our liberty, learn how to crack ALL PGP PRODUCTS, AND TRUECRYPT DISKS AND OTHERS SECURITY PRODUCTS...
in www.safehack.com and see how are installed backdoors in PGP , and the demostration how and where are the backdoors in this soo called best security product.
I really will apreciated not removing this post Bruce. Because the true is the true, and the need to know this class of problems. Thanks.
Also hashes are reversible too by this times , scary huh...
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.