1981 CIA Report on Deception

Recently declassified: Deception Maxims: Fact and Folklore, Office of Research and Development, Central Intelligence Agency, June 1981. Research on deception and con games has advanced in the past 25 years, but this is still interesting to read.

Posted on January 5, 2016 at 12:44 PM (13 Comments)

NSA Spies on Israeli Prime Minister

The Wall Street Journal has a story that the NSA spied on Israeli Prime Minister Benjamin Netanyahu and other Israeli government officials, and incidentally collected conversations between US citizens -- including lawmakers -- and those officials.

US lawmakers who are usually completely fine with NSA surveillance are aghast at this behavior, as both Glenn Greenwald and Trevor Timm explain. Greenwald:

So now, with yesterday's WSJ report, we witness the tawdry spectacle of large numbers of people who for years were fine with, responsible for, and even giddy about NSA mass surveillance suddenly objecting. Now they've learned that they themselves, or the officials of the foreign country they most love, have been caught up in this surveillance dragnet, and they can hardly contain their indignation. Overnight, privacy is of the highest value because now it's their privacy, rather than just yours, that is invaded.

This reminds me of the 2013 story that the NSA eavesdropped on the cell phone of the German Chancellor Angela Merkel. Back then, I wrote:

Spying on foreign governments is what the NSA is supposed to do. Much more problematic, and dangerous, is that the NSA is spying on entire populations.

Greenwald said the same thing:

I've always argued that on the spectrum of spying stories, revelations about targeting foreign leaders is the least important, since that is the most justifiable type of espionage. Whether the U.S. should be surveilling the private conversations of officials of allied democracies is certainly worth debating, but, as I argued in my 2014 book, those "revelations ... are less significant than the agency's warrantless mass surveillance of whole populations" since "countries have spied on heads of state for centuries, including allies."

And that's the key point. I am less concerned about Angela Merkel than the other 82 million Germans that are being spied on, and I am less concerned about Benjamin Netanyahu than I am about the other 8 million people living in that country.

Over on Lawfare, Ben Wittes agrees:

There is absolutely nothing surprising about NSA's activities here -- or about the administration's activities. There is no reason to expect illegality or impropriety. In fact, the remarkable aspect of this story is how constrained both the administration's and the agency's behavior appears to have been by rules and norms in exactly the fashion one would hope to see.

[...]

So let's boil this down to brass tacks: NSA spied on a foreign leader at a time when his country had a major public foreign policy showdown with the President of the United States over sharp differences between the two countries over Iran's nuclearization -- indeed, at a time when the US believed that leader was contemplating military action without advance notice to the United States. In the course of this surveillance, NSA incidentally collected communications involving members of Congress, who were being heavily lobbied by the Israeli government and Netanyahu personally. There is no indication that the members of Congress were targeted for collection. Moreover, there's no indication that the rules that govern incidental collection involving members of Congress were not followed. The White House, for its part, appears to have taken a hands-off approach, directing NSA to follow its own policies about what to report, even on a sensitive matter involving delicate negotiations in a tense period with an ally.

The words that really matter are "incidental collection." I have no doubt that the NSA followed its own rules in that regard. The discussion we need to have is about whether those rules are the correct ones. Section 702 incidental collection is a huge loophole that allows the NSA to collect information on millions of innocent Americans.

Greenwald again:

This claim of "incidental collection" has always been deceitful, designed to mask the fact that the NSA does indeed frequently spy on the conversations of American citizens without warrants of any kind. Indeed, as I detailed here, the 2008 FISA law enacted by Congress had as one of its principal, explicit purposes allowing the NSA to eavesdrop on Americans' conversations without warrants of any kind. "The principal purpose of the 2008 law was to make it possible for the government to collect Americans' international communications -- and to collect those communications without reference to whether any party to those communications was doing anything illegal," the ACLU's Jameel Jaffer said. "And a lot of the government's advocacy is meant to obscure this fact, but it's a crucial one: The government doesn't need to 'target' Americans in order to collect huge volumes of their communications."

If you're a member of Congress, there are special rules that the NSA has to follow if you're incidentally spied on:

Special safeguards for lawmakers, dubbed the "Gates Rule," were put in place starting in the 1990s. Robert Gates, who headed the Central Intelligence Agency from 1991 to 1993, and later went on to be President Barack Obama's Defense Secretary, required intelligence agencies to notify the leaders of the congressional intelligence committees whenever a lawmaker's identity was revealed to an executive branch official.

If you're a regular American citizen, don't expect any such notification. Your information can be collected, searched, and then saved for later searching, without a warrant. And if you're an ordinary German, Israeli, or citizen of any other country, you have even fewer rights.

In 2014, I argued that we need to separate the NSA's espionage mission against targeted agents of foreign powers from any broad surveillance of Americans. I still believe that. But more urgently, we need to reform Section 702 when it comes up for reauthorization in 2017.

EDITED TO ADD: A good article on the topic. And Marcy Wheeler's interesting take.

Posted on January 5, 2016 at 6:36 AM (29 Comments)

Windows 10 Whole-Disk Encryption without Key Escrow

On the Intercept, Micah Lee has a good article that talks about how Microsoft is collecting the disk-encryption recovery keys of Windows 10 users (uploading them to its own servers by default), and how to disable that "feature."

Posted on January 4, 2016 at 1:14 PM (55 Comments)

De-Anonymizing Users from their Coding Styles

Interesting blog post:

We are able to de-anonymize executable binaries of 20 programmers with 96% correct classification accuracy. In the de-anonymization process, the machine learning classifier trains on 8 executable binaries for each programmer to generate numeric representations of their coding styles. Such a high accuracy with this small amount of training data has not been reached in previous attempts. After scaling up the approach by increasing the dataset size, we de-anonymize 600 programmers with 52% accuracy. There has been no previous attempt to de-anonymize such a large binary dataset. The abovementioned executable binaries are compiled without any compiler optimizations, which are options to make binaries smaller and faster while transforming the source code more than plain compilation. As a result, compiler optimizations further normalize authorial style. For the first time in programmer de-anonymization, we show that we can still identify programmers of optimized executable binaries. While we can de-anonymize 100 programmers from unoptimized executable binaries with 78% accuracy, we can de-anonymize them from optimized executable binaries with 64% accuracy. We also show that stripping and removing symbol information from the executable binaries reduces the accuracy to 66%, which is a surprisingly small drop. This suggests that coding style survives complicated transformations.

Here's the paper.

And here's their previous paper, de-anonymizing programmers from their source code.

Posted on January 4, 2016 at 7:41 AM (37 Comments)

Friday Squid Blogging: Video of Live Giant Squid

Giant squid filmed swimming through a harbor in Japan:

Reports in Japanese say that the creature was filmed on December 24, seen by an underwater camera swimming near boat moorings. It was reportedly about 13 feet long and 3 feet around. Some on Twitter have suggested that the species may be Architeuthis, a deep-ocean dwelling creature that can grow up to 43 feet.

Some more news stories.

A few days later, a diver helped him get back out to sea. More amazing video at that link.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

And Happy New Year, everyone.

Posted on January 1, 2016 at 12:29 PM (79 Comments)

Cory Doctorow on Software Security and the Internet of Things

Cory Doctorow has a good essay on software integrity and control problems and the Internet of Things. He's writing about self-driving cars, but the issue is much more general. Basically, we're going to want systems that prevent their owners from making certain changes to them. We know how to do this: digital rights management. We also know that this solution doesn't work, and that trying to make it work introduces all sorts of security vulnerabilities. So we have a problem.

This is an old problem. (Adam Shostack and I wrote a paper about it in 1999, about smart cards.) The Internet of Things is going to make it much worse. And it's one we're not anywhere near prepared to solve.

Posted on December 31, 2015 at 6:12 AM (34 Comments)

Another Scandal Resulting from E-mails Gone Public

A lot of Pennsylvania government officials are being hurt as a result of e-mails being made public. This is all the result of political pressure to release the e-mails, not an organizational doxing attack, but the effects are the same.

Our psychology of e-mail doesn't match the reality. We treat it as ephemeral, even though it's not. And the archival nature of e-mail -- or text messages, or Twitter chats, or Facebook conversations -- isn't salient.

Posted on December 30, 2015 at 6:29 AM (54 Comments)

PayPal Authentication Still Substandard

Brian Krebs has the story. Bottom line: PayPal has no excuse for this kind of stuff. I hope the public shaming incents them to offer better authentication for their customers.

Posted on December 29, 2015 at 12:25 PM (24 Comments)

DMCA and the Internet of Things

In theory, the Internet of Things -- the connected network of tiny computers inside home appliances, household objects, even clothing -- promises to make your life easier and your work more efficient. These computers will communicate with each other and the Internet in homes and public spaces, collecting data about their environment and making changes based on the information they receive. In theory, connected sensors will anticipate your needs, saving you time, money, and energy.

Except when the companies that make these connected objects act in a way that runs counter to the consumer's best interests -- as the technology company Philips did recently with its smart ambient-lighting system, Hue, which consists of a central controller that can remotely communicate with light bulbs. In mid-December, the company pushed out a software update that made the system incompatible with some other manufacturers' light bulbs, including bulbs that had previously been supported.

The complaints began rolling in almost immediately. The Hue system was supposed to be compatible with an industry standard called ZigBee, but the bulbs that Philips cut off were ZigBee-compliant. Philips backed down and restored compatibility a few days later.

But the story of the Hue debacle -- the story of a company using copy protection technology to lock out competitors -- isn't a new one. Plenty of companies set up proprietary standards to ensure that their customers don't use someone else's products with theirs. Keurig, for example, puts codes on its single-cup coffee pods, and engineers its coffee-makers to work only with those codes. HP has done the same thing with its printers and ink cartridges.

To stop competitors from simply reverse-engineering the proprietary standard and making compatible peripherals (for example, another coffee manufacturer putting Keurig's codes on its own pods), these companies rely on a 1998 law called the Digital Millennium Copyright Act (DMCA). The law was originally passed to prevent people from pirating music and movies; while it hasn't done a lot of good in that regard (as anyone who uses BitTorrent can attest), it has done a lot to inhibit security and compatibility research.

Specifically, the DMCA includes an anti-circumvention provision, which prohibits circumventing "technological protection measures" that "effectively control access" to copyrighted works. That means it's illegal for someone to create a Hue-compatible light bulb without Philips' permission, a K-cup-compatible coffee pod without Keurig's, or an HP-printer-compatible cartridge without HP's.

By now, we're used to this in the computer world. In the 1990s, Microsoft used a strategy it called "embrace, extend, extinguish," in which it gradually added proprietary capabilities to products that already adhered to widely used standards. Some more recent examples: Amazon's e-book format doesn't work on other companies' readers, music purchased from Apple's iTunes store doesn't work with other music players, and every game console has its own proprietary game cartridge format.

Because companies can enforce anti-competitive behavior this way, there's a litany of things that just don't exist, even though they would make life easier for consumers in significant ways. You can't have custom software for your cochlear implant, or your programmable thermostat, or your computer-enabled Barbie doll. An auto repair shop can't design a better diagnostic system that interfaces with a car's computers. And John Deere has claimed that it owns the software on all of its tractors, meaning the farmers that purchase them are prohibited from repairing or modifying their property.

As the Internet of Things becomes more prevalent, so too will this kind of anti-competitive behavior -- which undercuts the purpose of having smart objects in the first place. We'll want our light bulbs to communicate with a central controller, regardless of manufacturer. We'll want our clothes to communicate with our washing machines and our cars to communicate with traffic signs.

We can't have this when companies can cut off compatible products, or use the law to prevent competitors from reverse-engineering their products to ensure compatibility across brands. For the Internet of Things to provide any value, what we need is a world that looks like the automotive industry, where you can go to a store and buy replacement parts made by a wide variety of different manufacturers. Instead, the Internet of Things is on track to become a battleground of competing standards, as companies try to build monopolies by locking each other out.

This essay previously appeared on TheAtlantic.com.

Slashdot thread.

EDITED TO ADD (1/5): Interesting commentary.

Posted on December 29, 2015 at 5:58 AM (36 Comments)

NSA/GCHQ Exploits against Juniper Networking Equipment

As part of this article, The Intercept just published a 2011 GCHQ document outlining its exploit capabilities against Juniper networking equipment, including routers and NetScreen firewalls.

GCHQ currently has capabilities against:

  • Juniper NetScreen Firewalls models Ns5gt, N25, NS50, NS500, NS204, NS208, NS5200, NS5000, SSG5, SSG20, SSG140, ISG 1000, ISG 2000. Some reverse engineering may be required depending on firmware revisions.

  • Juniper Routers: M320 is currently being worked on and we would expect to have full support by the end of 2010.

  • No other models are currently supported.

  • Juniper technology sharing with NSA improved dramatically during CY2010 to exploit several target networks where GCHQ had access primacy.

Yes, the document said "end of 2010" even though the document is dated February 3, 2011.

This doesn't have much to do with the Juniper backdoor currently in the news, but the document does provide even more evidence that (despite what the government says) the NSA hoards vulnerabilities in commonly used software for attack purposes instead of improving security for everyone by disclosing them.

Note: In case anyone is researching this issue, here is my complete list of useful links on various different aspects of the ongoing debate.

EDITED TO ADD: In thinking about the equities process, it's worth differentiating among three different things: bugs, vulnerabilities, and exploits. Bugs are plentiful in code, but not all bugs can be turned into vulnerabilities. And not all vulnerabilities can be turned into exploits. Exploits are what matter; they're what everyone uses to compromise our security. Fixing bugs and vulnerabilities is important because they could potentially be turned into exploits.

I think the US government deliberately clouds the issue when they say that they disclose almost all bugs they discover, ignoring the much more important question of how often they disclose exploits they discover. What this document shows is that -- despite their insistence that they prioritize security over surveillance -- they like to hoard exploits against commonly used network equipment.

Posted on December 28, 2015 at 6:54 AM (25 Comments)


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.