Schneier on Security
A blog covering security and security technology.
April 28, 2006
NSA Warrantless Wiretapping and Total Information Awareness
Technology Review has an interesting article discussing some of the technologies used by the NSA in its warrantless wiretapping program, some of them from the killed Total Information Awareness (TIA) program.
Washington's lawmakers ostensibly killed the TIA project in Section 8131 of the Department of Defense Appropriations Act for fiscal 2004. But legislators wrote a classified annex to that document which preserved funding for TIA's component technologies, if they were transferred to other government agencies, say sources who have seen the document, according to reports first published in The National Journal. Congress did stipulate that those technologies should only be used for military or foreign intelligence purposes against non-U.S. citizens. Still, while those component projects' names were changed, their funding remained intact, sometimes under the same contracts.
Thus, two principal components of the overall TIA project have migrated to the Advanced Research and Development Activity (ARDA), which is housed somewhere among the 60-odd buildings of "Crypto City," as NSA headquarters in Fort Meade, MD, is nicknamed. One of the TIA components that ARDA acquired, the Information Awareness Prototype System, was the core architecture that would have integrated all the information extraction, analysis, and dissemination tools developed under TIA. According to The National Journal, it was renamed "Basketball." The other, Genoa II, used information technologies to help analysts and decision makers anticipate and pre-empt terrorist attacks. It was renamed "Topsail."
Posted on April 28, 2006 at 8:01 AM
• 17 Comments
actually, I know who develops topsail. I was the SA at the company running the program for a while. when I left in '03, it still wasn't very useful.
They've actually got a few other pieces of the old TIA program over there...
er...I should clarify..."the *unix* SA". small company. left because in their opinion Unix had no place in IT.
bah....now I'm feeling like I shouldn't have posted either of those comments.
You know, this whole thing is bad. I read in the paper here a couple days ago about a guy who is being convicted of a crime to plot something (I do not remember the details of the crime) and is actually using the defense, with full support of his attorney, that the only reason he was targeted and suspected was because of Bush's illegal Warrantless Wiretapping. Which since they didn't have a warrant this guy stands a chance at getting off. Some way the government has to either prove that they weren't tapping his lines without a warrant, or admit to tapping his lines and maybe go into detail about how and why. This kind of opens up a whole new can of worms: can anyone now just claim they were targeted by illegal warrantless phone tapping? I wish I could find the article, I searched for half an hour but in the last 14 days illegal wiretapping turns up a lot of news articles.
I bet the false-positive rate of terrorist plot detection is substantial. To be sure, the securocrats won't care --- their gold standard for evildoer detection is the polygraph, which has approximately the same false-positive rate as the coin toss method. In effect, we're all going to be subjected to continuous polygraphs now. I can't begin to describe how proud I am to be an American today.
end-to-end encryption of phone calls will make this bogeyman go away; i envision hardware attached to the ear and mouth parts of a telephone handset with a little keypad for entering new keys as easily as programming a microwave oven.
the technologists holding forth in the article got in a little over their heads when they started discussing the law. somebody wanted machine surveillance to be like a "terry stop", which requires the officer making the stop to be able to articulate his reasonable suspicion for so doing. reasonable suspicion is a faculty of people, not machines which just do as they're programmed, and i suspect that if the machines' programmers were queried in court, they would tell you that the program is classified in order not to alert the terrorists to the factors under scrutiny.
End-to-end encryption is really beside the point here. This is largely about traffic analysis, not eavesdropping. Unless most calls are encrypted (which would require the telcos to set themselves up as PKI Authorities, probably in defiance of CALEA), all encrypting your calls will do is make you --- and whoever you call --- a target for further scrutiny, by supplying the data-mining robots with a nice, juicy, hard-to-miss signature.
I think recording is a bigger danger to the citizenry than automated spying. I know it's probably obvious to you folks, but how many people out there realize that all their traffic is recorded when intercepted, even if nothing interesting is found in it? The idea of a clumsy machine grasping at straws of keywords isn't nearly as terrifying as the power the government could get by having a record of every phone conversation made. When crunching the numbers it costs very very little to store that much data. Voice compresses pretty well.
> legislators wrote a classified annex to that
When was the Secret Law amendment passed? Or was that also classified?
Friday, 28 April 2006
Feds Drop Bomb on EFF Lawsuit
The federal government intends to invoke the rarely used "State Secrets Privilege" -- the legal equivalent of a nuclear bomb -- in the Electronic Frontier Foundation's class action lawsuit against AT&T that alleges the telecom collaborated with the government's secret spying on American citizens.
>...all encrypting your calls will do is make you --- and whoever you call --- a target for further scrutiny, by supplying the data-mining robots with a nice, juicy, hard-to-miss signature.
Posted by: Carlo Graziani
Yes, and then TPTB will enter your home when you are not there, look around, copy your hard drive and install a root kit trojan with a hard to find key logger. If you encrypt your calls, you better make sure that anything else you want to hide is encrypted or not on your premises.
Traffic analysis is what it is all about, and on every single phone call foreign and domestic. Why else bypass a rubber stamp court that gave them everything remotely reasonable they ever asked for? I used to work in that community, and the technique can be very useful even if devoid of content, which this will of course not be. The trouble is false positives of course, and the fact that the government is bad at keeping secrets, especially from themselves. For example, A calls B, who in turn calls C,D,E,F, all very short calls. Terrorism "go" signal, or "the dope is here, come and get it"? Both of these are illegal, of course. But I don't buy into the argument that "if you're not doing anything wrong, there's nothing to worry about", as I've seen what can happen due to profiling here (how about having the DEA come and put all your employees in handcuffs because your product development company has chemistry equipment and oh yeah, is profitable, must be making meth, right?). The taint of that cost us a half million dollar a year customer who assumed that where there's smoke...even though we were and are totally innocent of such things.
But a neighbor HAD asked us to make her some meth on the phone after seeing the setup (which was actually for something entirely different and legal -- micro explosive welding, which the BATFE thought was just fine). We said "no way" repeatedly and forcefully. And then here comes the DEA...Go figure.
And "what is wrong" can be changed (and is) in secret and daily, so if they have records of what you were doing that was alright at the time...but is now wrong...the implications stink. Like the above poster said, I'm just so proud to be an American right now. Seems the terrorists won, and not all of them were Muslim extremists either. Those were Americans pointing machine (and hand, and shot) guns at us.
It was pretty terrifying, if you ask us. At least we are now on the "good guy" lists, or so I think, so it won't repeat, I think...
You really shouldn't hang out with people that do meth. You should have turned her in from the get-go. Haven't you watched the news lately? You're right...it's not the terrorists killing our kids, it's the woman next door hopped up on meth and suddenly decides to go mafia style on a family of 7. If you are friends or neighbors of meth heads, be sure you're under some sort of surveillance, as it is the number one priority for most state police depts at the moment. I still think the saying, "If you're not doing anything wrong, you have nothing to worry about" stands strong. I personally don't care if the government records ALL my conversations, emails, and data. Hell, burn me a dvd of that junk and I can stop toting all these thumbdrives around.
John Poindexter is a genius I hear. So I respect what he makes.
But genius can be used to do the greatest things for humanity and also the worst. So watch out.
""If you're not doing anything wrong, you have nothing to worry about" stands strong"
I think the concept of having a grip on reality stands stronger.
@ Troy Brown
"If you're not doing anything wrong, you have nothing to worry about"
Is a very wrong attitude to have.
Think of the number of people each day that are convicted on "circumstantial evidence" and that it can be shown they were in the same location at the same time as a crime.
With mobile phones now being tracked to within a few feet for "emergency purposes" how soon do you think it will be before the Police realise that the easiest and most cost effective way to find either witnesses or suspects is to search phone company logs?
Now that the US elected representatives have done what GWB and the phone companies want (blanket immunity). How long do you think it will take the telcos to reorganise the "logged" data they have to hold to aid in searching rapidly and cost effectively and set charges for access to not just cover costs but also to cover further development?
It will very likely be, with a few Gov grants, quickly turned into a business in its own right by the Telcos. And as it's "Endless Tax Money" it will almost certainly become a "profit centre" just as quickly as they get it up and running.
Then when you as an unsuspecting person get a knock on the door from the Police wanting to question you how are you going to react?
How long before your smart criminal learns not to be "tracked" and leaves their phone at home or gives it to an accomplice to take "clubbing" etc. (This sort of behaviour has already started in London with Oyster Travel cards and phones in hoodie culture where CCTV footage is effectively useless).
If you are one of only a couple of "potential witnesses" and there are no likely "suspects" and the other person has a better alibi than you?
Are you smart enough or have enough money to rent the "legal smarts" to keep you from becoming a "circumstantial suspect" who was at the "scene of the crime" as it was "going down" and be able to convince a jury of your (supposed) peers?
What if it's a serious "media" crime such as the homicide of a well known person, where there is very serious pressure to find a "guilty party" quickly?
In London there is a re-trial of somebody accused of killing a celebrity on her door step. The only evidence the person is a tiny speck of gun residue, that could due to its size have got into his clothing by bad evidence handling. Unfortunately for the man concerned he does not have a very high IQ and appears to have mental health problems giving rise to some obsessive behaviour.
At his first trial the prosecution played heavily on his mental health and obsessive behaviour, and although they could not place him at the scene of the crime when it occurred and independent witnesses who knew him well placed him somewhere else he was still convicted...