Schneier on Security
A blog covering security and security technology.
August 30, 2013
More on the NSA Commandeering the Internet
If there's any confirmation that the U.S. government has commandeered the Internet for worldwide surveillance, it is what happened with Lavabit earlier this month.
Lavabit is -- well, was -- an e-mail service that offered more privacy than the typical large-Internet-corporation services that most of us use. It was a small company, owned and operated by Ladar Levison, and it was popular among the tech-savvy. NSA whistleblower Edward Snowden was among its half-million users.
Last month, Levison reportedly received an order -- probably a National Security Letter -- to allow the NSA to eavesdrop on everyone's e-mail accounts on Lavabit. Rather than "become complicit in crimes against the American people," he turned the service off. Note that we don't know for sure that he received a NSL -- that's the order authorized by the Patriot Act that doesn't require a judge's signature and prohibits the recipient from talking about it -- or what it covered, but Levison has said that he had complied with requests for individual e-mail access in the past, but this was very different.
So far, we just have an extreme moral act in the face of government pressure. It's what happened next that is the most chilling. The government threatened him with arrest, arguing that shutting down this e-mail service was a violation of the order.
There it is. If you run a business, and the FBI or NSA want to turn it into a mass surveillance tool, they believe they can do so, solely on their own initiative. They can force you to modify your system. They can do it all in secret and then force your business to keep that secret. Once they do that, you no longer control that part of your business. You can't shut it down. You can't terminate part of your service. In a very real sense, it is not your business anymore. It is an arm of the vast U.S. surveillance apparatus, and if your interest conflicts with theirs then they win. Your business has been commandeered.
For most Internet companies, this isn't a problem. They are already engaging in massive surveillance of their customers and users -- collecting and using this data is the primary business model of the Internet -- so it's easy to comply with government demands and give the NSA complete access to everything. This is what we learned from Edward Snowden. Through programs like PRISM, BLARNEY and OAKSTAR, the NSA obtained bulk access to services like Gmail and Facebook, and to Internet backbone connections throughout the US and the rest of the world. But if it were a problem for those companies, presumably the government would not allow them to shut down.
To be fair, we don't know if the government can actually convict someone of closing a business. It might just be part of their coercion tactics. Intimidation and retaliation are part of how the NSA does business.
Former Qwest CEO Joseph Nacchio has a story of what happens to a large company that refuses to cooperate. In February 2001 -- before the 9/11 terrorist attacks -- the NSA approached the four major US telecoms and asked for their cooperation in a secret data collection program, the one we now know to be the bulk metadata collection program exposed by Edward Snowden. Qwest was the only telecom to refuse, leaving the NSA with a hole in its spying efforts. The NSA retaliated by canceling a series of big government contracts with Qwest. The company has since been purchased by CenturyLink, which we presume is more cooperative with NSA demands.
That was before the Patriot Act and National Security Letters. Now, presumably, Nacchio would just comply. Protection rackets are easier when you have the law backing you up.
As the Snowden whistleblowing documents continue to be made public, we're getting further glimpses into the surveillance state that has been secretly growing around us. The collusion of corporate and government surveillance interests is a big part of this, but so is the government's resorting to intimidation. Every Lavabit-like service that shuts down -- and there have been several -- gives us consumers less choice, and pushes us into the large services that cooperate with the NSA. It's past time we demanded that Congress repeal National Security Letters, give us privacy rights in this new information age, and force meaningful oversight on this rogue agency.
This essay previously appeared in USA Today.
EDITED TO ADD: This essay has been translated into Danish.
Posted on August 30, 2013 at 6:12 AM
Time to change the ssh protocol so that the clear-text password is no longer given to the daemon sshd.
For this, it is not necessary to change passwords or the salting mechanism of /etc/shadow (unlike the Secure Remote Password (SRP) patch for openssh):
the bcrypt call should be done by the client ssh, not by the server sshd.
(Now, sshd has clear-text access to your password as you typed it; it even knows if and how you misspelled it.)
Presumably, if forced to keep the business running, there are alternatives such as charging a ridiculous service fee, selling the business to your new company in NZ, or having your security fall over and get hacked.
Does anyone have a scheme outlined for multi-jurisctional distributed service, such that complying with an NSL-type request in one jurisdiction gracefully removes itself from that jurisdiction just by turning on surveillance? Is there a cute name for such behavior?
What I find far more disturbing is the disappearance of Groklaw - a weblog that started with the SCO-Linux lawsuits and moved on to other checks on corporate/legal behavior. Groklaw has shut down, with essentially the same citation as LavaBit and the other, name forgotten, secure email service.
I find it more disturbing because it implies a tit-for-tat between government and big business - You let us peek, and we'll protect you from corporate whistleblowers. I'm not saying shutting down LavaBit was right - it wasn't, but at some level it could be taken (or mistaken) as national-security related. Nothing of the sort can be said for Groklaw - it's pure and simple corporate protection - or corruption.
I was wondering if you could structure a company like Lavabit in such a way that all customers receive an ownership share in the company and write the bylaws of the company so that all owner-clients have the right to know about any national security letters received. Not a corporation but more like some type of cooperative.
If you can be forced to work against your will, then you are a slave.
And we know that Joseph Nacchio is currently in prison on "insider-trading" charges, a conviction that is in no way connected with his refusing to cooperate with the NSA without a court order. The timing is not suspicious.
Your complaint about OpenSSH is off topic, but ... an "evil" sshd daemon is equivalent to an "evil" server. Anyone with administrative and/or physical control of the server has access to unencrypted data on it, with or without your password.
Passwords are passé. Don't use them. Use a different authentication method, such as PKA, and that with passphrases. Pay attention to the server's public key fingerprint at first authentication, and use strict host key checking.
Pred14 - I'm not sure I put much stock in PJ shutting down Groklaw. I remember she tried to shut down the site after it looked like the whole SCO issue was mostly done a few years ago. I don't doubt her conviction and desire to work with the open source community to help in any way she can, but I get the feeling she was looking for a way to exit gracefully before this whole NSA thing blew up.
Bruce - We don't know why they were threatening the owner of Lavabit with arrest. It may be simply because he dared to mention that he couldn't talk about the reason. Of course, I don't doubt that the NSA was upset by him shutting down the service. I do doubt that anyone would argue that he was required to maintain the service as part of the order he received. If the government wanted the service to remain up, they could have just confiscated it; and maybe they will do that in the future.
The surveillance regime is organized around centralized repositories of data on multiple users. There would be too much time and expense and liability for the government to issue warrants to all individual internet users, if those users hosted their own email in their own residences. The solution to this particular surveillance problem is not in some more innovative service, but it opting out of commercial services, to the greatest extent possible.
The same basic principle applies to airport screening. If every traveler got a pat-down, the lines would last many more hours. People don't have more hours, otherwise they would drive. So people opt for the pornoscanners. If every traveler rejected the pornoscanners, it would create the sort of havoc that would really make government officials rethink their policies. Consumers would be hurt, airlines would be hurt, tourism would be hurt. The system would be non-functional, the policies blatantly untenable.
Unfortunately, for webmail and FaceBook as for air travel, Americans don't want to change their behavior. In the absence of political will, individual will is required.
We can shut down the two-party system the same way: just stop voting for democrats and republicans. Many people are afraid of this option, since it might allow "the other side" a numerical advantage at the polls. Beyond the fact that "both sides" are complicit in all this, there is an equally fundamental problem with this logic: while most Americans think "polarization" is a problem in American politics, the default solution that most Americans would offer is.... more polarization. Americans still think "their side" needs to win. There is another problem with this logic: given how close our elections have become, many of them might as well be settled by chance. The outcome of such an election says nothing about voter preference. Voting for democrats and republicans clearly isn't the answer. Unfortunately, most people don't want to change their behavior.
I wonder if it would be possible to use the BitCoin infrastructure to manage holdings in such entities?
In other words, certain business decisions are taken by voting, and voting rights are implemented as bitcoin-based "smart property".
That way, voting rights can be bought and sold, with ownership validated in a decentralised manner.
It might also be possible for voting to be implemented using some cryptographic mechanism too, so the entire scheme does not require a trust chain.
The collusion of corporate and government surveillance interests is a big part of this, but so is the government's resorting to intimidation.
Yes. Though I don't think it matters much which part of The Complex is more to blame in any particular case. The point is that The Complex exists, and is too damn strong.
If you run a business, and the FBI or NSA want to turn it into a mass surveillance tool, they believe they can do so, solely on their own initiative. They can ...
Taking a very distant, eagle's-eye view, the problem is that society has decided that economic rights like Levison's right to run his business are not worthy of protection. Thus the US doesn't have to explain why its powers extend to doing whateverthehell it feels like to his business. Thus the only way to survive is to join The Complex.
And The Complex is too damn strong.
Good luck with getting the Congress to smack down the NSA. The NSA has access to their banking records. The NSA truly knows where the bodies are buried. Any Congressman who speaks out about the NSA needs to have a squeaky-clean fundraising record, and none of those 'black' line items leading back to him. It's a pile of interconnected spaghetti that no one can attack, because there's always *something* in their background that can cause embarrassment or impeachment. The Congress is no more immune to this sort of coercion than Ladar Levison was. He was probably *more* immune, as he had an independent firm, and hadn't signed any contracts of secrecy.
It's a very scary time in America. We already know that the government is willing to use tear gas against those who protest legitimate issues with corporations. Who knows what ends they might go to if we start questioning the government itself?
"Every Lavabit-like service that shuts down -- and there have been several -- gives us consumers less choice, and pushes us into the large services that cooperate with the NSA."
But new ones also spring up (albeit outside the US) to fill the niche. One such startup, Mailpile, is aimed at making centralised email servers redundant and giving users control over their own email: http://www.indiegogo.com/projects/...
Has www.schneier.com been Commandeered yet?
Lots of terrorists talking of blowing up dams there.
Soon we will get Linux distributions having to release their master keys so that NSA can distribute modified binaries to all the terrorists out there - unless it is already done.
In my spare time I've been working on the code for a crowdsourced history website. The idea is to provide the necessary tools online to do high-quality historical research and make it available to everyone on the web.
Unfortunately, the issue of surveillance has reared its ugly head, and now I'm not sure whether I can ethically offer such a service. History can be very controversial, both in terms of current events (Syria, Iran, Iraq) but also going back a bit further - the Depression and Roosevelt are still currently controversial, particularly when dealing with issues like banking (Glass-Steagal) and monetary policy.
The questions get more complicated when I consider the possibility that people from other countries with less rights than we have in the US might use the service, and whether that ties in with issues like intelligence sharing agreements... I'm currently contemplating whether I should throw 3 years of spare-time work out the window.
Mailpile is not an email service located outside the U.S. Mailpile will be an email server that you run on your own computer and access through a web interface. So if I run my own email server on my own machine on U.S. soil, the NSA, FBI, etc. can still send me National Security Letters demanding the contents. It's not clear whether running my own email server would fend off the surveillance.
It seems the secrecy part of NSLs could work both ways. Imagine having the courage to refuse to comply with an NSL. What can the government do? If they arrest you, then they have to be charged with something. But they can't charge you with refusing to comply with an NSL, because the NSL must remain secret.
So they have to drum up some other charge (e.g., insider trading). If enough people had the courage to say no to NSLs, that wouldn't scale well.
We should start a whitehouse.gov petition to award Nacchio the Presidential Medal of Freedom.
Is it possible we are overlooking a solution that might strike fear into the apparatus? That is to say, why not punish the transgressors of privacy, be they individual(s), corporations, or government(s), with monetary penalties so "Draconian" that no individual or institution would dare any behavior that would be financially ruinous?
We first need to address the idea that the genie is out of the bottle. Our modern activities are, and have been for some time, recorded, first with paper storage repositories and now with digital storage repositories. That will not, and maybe should not change. However, we can place a monetary value on our own, individual records, that if misused, and that misuse discovered, would cost the "thief" so dearly, they could not possibly take the chance of using the information for any nefarious purpose. For illustrative purposes, let's revisit the phone hacking scandals in the UK.
If the parent company of the tabloid that hacked private phone calls to discover information later used in articles about celebrities (or other newsworthy(?) individuals), were to pay all gross profits from all subsidiaries world-wide for the calendar year in which the transgression took place, there would be no transgression; period. The value of the potential "news" would be so insignificant when compared to the potential cost, unlawful, immoral, and unethical, behavior would be stopped in its tracks.
The only way to rise up against a totalitarian regime is to make the cost of misusing information orders of magnitude greater than the benefit.
Of course, implementing this type of check and balance will be difficult at best. But, I for one, cannot see any other solution.
Freedom and Privacy are products.
The government has granted itself a monopoly over their distribution. As for every monopoly the product becomes more scarce, uniform and expensive because it becomes inconvenient for the provider to continue providing it when it can command its price without regard to its quality or quantity.
The result is rationing. Are you happy with your ration ?
In the case of freedom and privacy, it isn't even in the government's interest to keep providing it at all.
In fact, it's already what has been happening. The government had us believe we had some privacy when we had none. Thanks to Edward Snowden, we now know the product was fake.
The next logical step is for the government to grant itself the exclusive rights over the freedom of speech.
sshdoor: Performing the password hash on the client opens a massive security hole in the ssh system. Once you have stolen the list of hashed passwords from the server through some other vulnerability, you have open access to log in to any account on the system.
The current method of performing the password hash on the server means that the client has to prove it has knowledge that even the server does not have, in order to log in, which is much safer.
If we can't trust both the server and client software, then all bets are off anyway. Revealing the password to the server software would only be an issue if you are re-using the same password on another system, and you wouldn't do that, would you?
Joseph Nacchio was convicted of insider trading because he didn't reveal publicly that profits wouldn't be as high as expected.
The reason for missing profit goals was that the NSA was canceling contracts in retaliation.
But, per NSA secrecy regulations, Nacchio wasn't allowed to talk about that!
Now he is in prison.
(The above argument is not waterproof. It can't be, given that secrecy rules are covering up so much of the truth. But it seems to describe the situation as far as I can piece it together.)
"The whole concept of the journeyman artist has disappeared. You are not allowed to go on a journey. There is no journey. You're either extraordinarily brilliant or you're dead." George Wolfe, NYPT
Marketing angle? Zmail for zombies.
> The only way to rise up against a totalitarian regime is to
> make the cost of misusing information orders of magnitude
> greater than the benefit.
At what price would you set this misuse so that a government, whose ability to print money at will and to tax its citizens is unlimited, can't 'turn a profit'? How would you enforce this price on a government that can seize operating services without recourse for the owner?
As it stands now, by issuing an NSL, the government can have its way with you or your business, and you can't do anything about it since suing the government to get it to stop requires "standing" (evidence that you've been harmed by the activity in question) and you can't prove standing because of the gag order. ...And that's when the courts are sympathetic to your cause!
In the meantime in Russia: "The Big Advertising Brother", marketers offer "free"¹ traffic analysis systems to internet service providers.
The system is built upon Deep Packet Inspection technology. This technology was first employed by wireless carriers in 2009. Approximate installation cost is $50M.
iMarker (the company that offers DPI traffic analysis systems) officials claim that the system is already in use by 11 ISPs and collects data from ~12% of Runet users.
Here's the link, but the text is in Russian, no English variant, sorry: http://www.vedomosti.ru/tech/news/15669231/...
¹ All data collected by the system is shared with marketers.
Get down, Mr. Schneier! Tell it like it is, and chew that fat right off the bone.
Two problems with your statement.
1) "Cost" is more than just money. Influence, elections, etc. are all potential costs as well.
2) The US government cannot simply print all the money it would like, because eventually the cost of printing more money exceeds the value of the printed money. The dollar is actually the second national currency - the first one suffered hyperinflation (from exactly this) and was abandoned.
So this probably means that Hushmail is practically open to The Government.
Not to mention Amazon.
Yep. Nacchio is in jail for insider trading, because he knew the government was going to punish Qwest for not cooperating and sold some stock.
And IIRC he had a tough time getting evidence for his trial due to secrecy.
I can't imagine many CEOs resisting after that. Their personal lives were at stake.
Just like congress didn't resist much after their offices were quarantined.
Back in 2001, I wonder how close we were to the brink.
I accept that, given the existence of the Patriot Act and FISA, what the NSA and FBI are doing is "legal" so we will not beat them in the courts. What we can do is to make the gathering of internet traffic more onerous. Suppose everyone who sees this as a problem ran a bot to send thousands of emails, text messages, chat streams, etc. every day. Think what that does to the agencies' bandwidth and storage capacity. While we're at it let's make sure those bogus communications are encrypted so they are targeted for "special attention". We already sold our birthright; all we can do is make it more difficult for our benevolent overlords.
@ Terrance McCann
Big fly in your ointment: the "thousands of emails, text messages and chat streams" you would send would have to end up somewhere. Who would want to shovel that spam into Trash every day?
What if he had shut down his service in the name of "an abrupt increase in legal costs"?
Pat: While I too remember PJ wanting to shut down Groklaw (I followed it for many years until its final day), I'm not sure that you can really disregard the "chilling effect" argument simply because PJ had doubts about continuing the site longer term.
The reality probably was that many factors were taken into account in her decision to shut down comments and new content on Groklaw and that the "chilling effect" reason of potentially having to disclose real identities of posters was merely the tipping point reason an ongoing enterprise.
That's probably true for Lavabit too. If Levison was making money hand over fist with his service he might have been tempted away from his moralistic reasons for shutting the service down.
People are complex. Big decisions commonly mean examining all the factors including the moral ones and then making your choice.
Just because someone may have had somewhat mixed motivations, it doesn't take away from a brave and moral stand to stand up to a very powerful and scary opponent.
"Regime" can also be used to define systems. So for instance, our so-called press, striving desperately for eyeballs to sell ads at greater CPMs to their sponsors (read benefactors), acting in concert one with the others, becomes a regime. The same is true with the health care industry, the incarceration industry, the energy cabal, etc.
When a transgression is discovered, and a cost, orders of magnitude greater than the benefit, is extracted, the benefit disappears. For governments, the cost is not always monetary loss.
If, for example, a cabinet member is found to be in collusion with the industry they are charged with regulating/policing, then that cabinet member would forfeit both money (huge fines) and freedom (prison time), either or both of which should act as deterrents to nefarious actions.
I understand implementing the laws which would allow investigations into wrongdoing, and subsequent implementation of punitive measures, will be difficult. But, as we are all addressing the issues on this post in ways that indicate we're all interested in solving the problem(s) at hand.
Perhaps we can start by recognizing ad hominem arguments for what they are, and dismissing same when used against whistle blowers.
Every road to a more open society starts with the first step, however small.
> Has www.schneier.com been Commandeered yet?
"We have never received a National Security Letter, or any other form of gag order, that requests individual information."
Should I ever receive a NSL, would I no longer be allowed to *not* say something like that? I very much like that as a null hypothesis. Perhaps the EFF should start a campaign, so we can know in advance which organizations are still free.
So tell us, Bruce, that you haven't received a NSL. If you can't, we have no choice but to assume that you have been served a secret order to keep quiet.
Bruce - "The government threatened him with arrest, arguing that shutting down this e-mail service was a violation of the order."
Pat - "We don't know why they were threatening the owner of of Lavabit with arrest."
Mike Masnick at TechDirt similarly claimed that "the government has threatened him with criminal charges for his decision to shut down the business."
But all of these claims are based on Levison's interpretation of a single passage in an email from federal prosecutors, "stating that Levison may have 'violated the court order.'" That is, the email from prosecutors used the phrase "violated the court order," and Michael Isikoff of NBC characterized the email as "stating that Levison may have" done so. Levison doesn't seem to have published the email, but based on the quoted passages, and the characterizations of it by "sources familiar with the matter," Levison isn't being threatened with either arrest or prosecution. Prosecutors are just pointing out that choosing to shut down rather than comply with a court order may (surprise!) violate the court order. That's not threatening arrest or prosecution. Those dudes in the federal building in Virginia know how to threaten someone with prosecution when they want to. This ain't that.
When I read about this whole brouhaha what I mostly think about is that Murca is losing its power and influence on the world's stage.
It has already lost against the EU in the GDP race and it is certain to lose to China overall.
That, matched with the historical incompetence of Murca's dealings with the rest of the world makes me think of a petulant child that is dragged kicking and screaming to the bathroom sink to have its mouth washed out with soap.
Murca has lost the good war but continues fighting the bad wars. And it is now making victims of its own companies and citizens in order to maintain power in the face of its own incompetence. What a shame!
This is a losing battle however one looks at it.
"Remember, the customers wanting protected email had these options:
1. Untrustworthy/sneaky email services with little care for privacy.
2. Security- or privacy-enhanced email services like Lavabit.
Now, a whole bunch of people must find another option 2 or be stuck with security/privacy woes of option 1. I feel certain that, for most users/customers, being stuck with option 1 is worse than option 2 + govt snooping. And, btw, govt snooping is still in option 1. It's a constant issue for domestic providers. And offshore providers can be bad guys in disguise. (Have been, on occasion.)
So, Lavabit and SilentMail provided benefits over regular email services with no worse govt-related risks than average. Now, those benefits are taken away with nothing given in their place for the customers who still need protected email. Also, two less players in that market keeping it competitive. The above made me call it A Bad Thing for [former] customers. " (me)
" Every Lavabit-like service that shuts down -- and there have been several -- gives us consumers less choice, and pushes us into the large services that cooperate with the NSA. " (Bruce)
Glad my analysis is having some effect here. :)
Only voters and legislators can solve this problem. Criminals can dodge it but then they're... criminals. A temporary solution might be a powerful organization in a foreign country to implement end-to-end, usable, private email/comms that benefits itself, but then allow others to use it. That could benefit them strategically, help recover the cost, boost image for something else beneficial, etc. I could see one of the remaining havens for Perpetual Traveler types trying this (or a foreign intelligence agency). Even that has risks for users, though. Brings us back full circle to the laws themselves.
Bruce, you said:
"So far, we just have an extreme moral act in the face of government pressure. It's what happened next that is the most chilling. The government threatened him with arrest, arguing that shutting down this e-mail service was a violation of the order."
But the link you provided reads as if the government is threatening him with legal action if he does not turn over user information, not for walking away and refusing to continue the business. Your claim that shutting down the email service was being charged as a violation of the order is misleading. It appears that he may be charged for refusing to turn over details of his existing user base when served the order, before his decision to close rather than divulge.
If my interpretation is off-base and yours is more likely, please point out what sentences in the links you provide cause you to believe so. Thank you.
It's nice to see rsync.net doing something similar, but I don't see how it is necessarily "better". They jump through more hoops with encryption and refreshing, but to my mind, the bulk of value comes with being able to freely make a statement *before* you are silenced. Better, to me, would be a statement that is improved by legal minds, not mechanical processes (hence my interest in an EFF campaign).
I am still waiting to hear Bruce make a declaration.
@jggimi : "Your complaint about OpenSSH is off topic"
Not so much: we can assume any server as evil, due to NSL. So you should only transmit what is strictly necessary for your connection. Do not transmit the password if possible.
@jggimi : "Pay attention to the server's public key fingerprint at first authentication":
Not more useful because of NSL.
@jggimi : "Use a different authentication method, such as PKA, and that with passphrases."
@Matthew : "Revealing the password to the server software would only be an issue if you are re-using the same password on another system, and you wouldn't do that, would you?"
I guess you use accounts on some computer hosting an account of a user logging in with a re-used password.
If *one* user of a computer is re-using the same password on another system, the evil may take over this computer from the other system. Even if it was not your account.
@Matthew : "Once you have stolen the list of hashed passwords from the server through some other vulnerability, you have open access to log in to any account on the system."
If an evil has retrieved /etc/shadow, that evil already has pretty good privileged access to that computer or a backup of it, possibly including your private keys, and ssh commands in your .bash_history.
@Matthew : "If we can't trust both the server and client software, then all bets are off anyway."
You may trust the client software (decompile it to check it didn't change the protocol), if the protocol is carefully designed to contain minimal information.
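The three designs argued over in this thread (sshd hashing the password, the client hashing it, and a client hash that the server hashes again before storing), as an added toy model that is not part of the post or any comment; it uses hashlib.scrypt as a stand-in for bcrypt (an assumption, the argument does not depend on the hash function), and the third design is a standard mitigation added here for comparison, not something the thread proposes. The interesting output is whether a copy of the server's stored verifier, presented back to the server unchanged, counts as a credential.

```python
import hashlib
import hmac
import os

SCRYPT_PARAMS = dict(n=2**12, r=8, p=1, dklen=32)  # small for demo speed


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Salted, deliberately slow password hash (scrypt stands in for bcrypt)."""
    return hashlib.scrypt(secret, salt=salt, **SCRYPT_PARAMS)


def fast_hash(secret: bytes, salt: bytes) -> bytes:
    """Salted SHA-256; enough when the input is already a slow-hash output."""
    return hashlib.sha256(salt + secret).digest()


# Design 1: what sshd does today. The client sends the clear-text password
# inside the encrypted SSH channel; only the server derives and compares the
# hash, so the server (and a malicious sshd) sees the password as typed.
def enroll_server_hashes(store: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    store[user] = {"salt": salt, "verifier": slow_hash(password.encode(), salt)}


def login_server_hashes(store: dict, user: str, submitted_password: str) -> bool:
    rec = store[user]
    candidate = slow_hash(submitted_password.encode(), rec["salt"])
    return hmac.compare_digest(candidate, rec["verifier"])


# Design 2: the proposal above. The server hands out the salt, the client runs
# the slow hash itself and sends only the result; the server compares it with
# the value it stored. The server never learns the password, but the stored
# value is now exactly what a client must send.
def enroll_client_hashes(store: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    store[user] = {"salt": salt, "verifier": slow_hash(password.encode(), salt)}


def client_token(store: dict, user: str, password: str) -> bytes:
    """What an honest client computes from the server-supplied salt."""
    return slow_hash(password.encode(), store[user]["salt"])


def login_client_hashes(store: dict, user: str, submitted_token: bytes) -> bool:
    return hmac.compare_digest(submitted_token, store[user]["verifier"])


# Design 3 (added mitigation, not from the thread): the client still hashes,
# so the server never sees the password, but the server hashes the received
# token once more under its own salt before storing or comparing. A stolen
# store then no longer contains anything a client can send directly.
def enroll_double_hash(store: dict, user: str, password: str) -> None:
    salt, server_salt = os.urandom(16), os.urandom(16)
    token = slow_hash(password.encode(), salt)
    store[user] = {"salt": salt, "server_salt": server_salt,
                   "verifier": fast_hash(token, server_salt)}


def login_double_hash(store: dict, user: str, submitted_token: bytes) -> bool:
    rec = store[user]
    return hmac.compare_digest(fast_hash(submitted_token, rec["server_salt"]),
                               rec["verifier"])


def evaluate(design: str) -> dict:
    """Enroll one constructed user and report three outcomes for the design:
    legitimate login works, a wrong password is rejected, and whether the
    stored verifier alone (a copied /etc/shadow, in the thread's terms)
    authenticates when replayed to the server."""
    store = {}
    user, password = "alice", "correct horse battery staple"  # constructed
    if design == "server-hashes":
        enroll_server_hashes(store, user, password)
        stolen = store[user]["verifier"].hex()  # thief types the hash as a password
        return {"legit": login_server_hashes(store, user, password),
                "wrong": login_server_hashes(store, user, "wrong"),
                "stolen_store_logs_in": login_server_hashes(store, user, stolen)}
    if design == "client-hashes":
        enroll_client_hashes(store, user, password)
        stolen = store[user]["verifier"]  # thief sends the stored bytes as-is
        return {"legit": login_client_hashes(store, user, client_token(store, user, password)),
                "wrong": login_client_hashes(store, user, client_token(store, user, "wrong")),
                "stolen_store_logs_in": login_client_hashes(store, user, stolen)}
    if design == "double-hash":
        enroll_double_hash(store, user, password)
        stolen = store[user]["verifier"]
        return {"legit": login_double_hash(store, user, client_token(store, user, password)),
                "wrong": login_double_hash(store, user, client_token(store, user, "wrong")),
                "stolen_store_logs_in": login_double_hash(store, user, stolen)}
    raise ValueError(design)


if __name__ == "__main__":
    for name in ("server-hashes", "client-hashes", "double-hash"):
        print(name, evaluate(name))
```

In all three designs a stolen store still allows offline guessing of weak passwords at the cost of one slow hash per guess; the difference is only whether the store itself is a usable credential.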
In your case you would have to do something on receipt of a NSL so that your customers know such an event took place.
In their case they wouldn't have to.
Both approaches have their limitations but I think their way is better.
"In their case they wouldn't have to."
Incorrect. They still have to kill their canary. Now, true, it may well be the case that the canary dies if they fail to take a particular action, but that amounts to the same free will exercise. They themselves note that coercion is still a potential factor. Again, that's why we'd all be better served to have a lawyer craft the best statement that can be made in order to ensure that a declaration can be most safely retracted when the time comes.
I am still waiting to hear Bruce make a declaration.
You conclude your insightful analysis with:
Every Lavabit-like service that shuts down — and there have been several — gives us consumers less choice, and pushes us into the large services that cooperate with the NSA. It’s past time we demanded that Congress repeal National Security Letters, give us privacy rights in this new information age, and force meaningful oversight on this rogue agency.
I invite you to consider if even perfect new legislation can be sufficient to prevent, or even detect, continuous and wide-spread abuses to the privacy of citizens by NSA and others. Or if maybe the solution may be technological or, more precisely, in the procedural and organization processes behind private Internet service offering.
Even if we had perfect (and non-secret) legislation in regard to surveillance and its oversight, and even publicly-disclosed NSA internal regulations interpreting those laws, users of any Internet device, service or end-to-end solution may still have no reasonable or substantial way either to detect or to prevent wide and continuous violations of their constitutional rights.
The solution may reside in building large-scale non-profit end-to-end communication service offerings, and in particular their procedural, organizational and certification processes, that do away altogether with the need for trust in anyone – as argued by Lawrence Lessig, and as is the basis of the security of ballot boxes during well-run paper-based governmental elections – because the quality and precision of those processes, covering both the device and server sides of a given end-to-end ICT service, intrinsically “auto-guarantee” their own constitutionality.
Here’s how such process could work as applied to server room management processes, in an excerpt from the User Verifiable Social Telematics project:
The CivicRoom is a server room inside the CivicLab that hosts the servers providing UVST services, the latest version of the CivicPod/Phone firmware and approved applications, and the keys that are necessary for law officers to decrypt communications and logs among UVST end users. In addition to state-of-the-art end-to-end security provisions, live streaming and many other transparency procedures, any physical access to the server room (CivicRoom) will be physically conditional on the presence and approval (through keypad locks) of a “jury” of at least 5-10 randomly-selected, rotating users and/or parties with conflicting interests, in ways similar to what is possibly the “most beneficial security invention of human history”: the democratic procedures for polling stations and ballot boxes in well-run paper-based governmental elections. If an admin, rogue state agency and/or anyone else wants to commit an illegal or unconstitutional act in the server room, then each “jury user” – before, during or after – can type their “emergency code” into their keypad instead of their “access code”. If two of them do, all users are automatically notified of a potential breach; if a majority of them do, an automated “scorched earth” procedure, as done by Silent Circle, is triggered, possibly automatically switching the service to a P2P solution. It will not be detectable which of them typed the “access code” and which typed the “emergency code”. This applies also in the case of access that is unconstitutional but legal (under secret or public law). It will therefore effectively allow for peaceful civil disobedience actions to protect all users.
Who then guarantees and certifies the adequacy of the software, hardware and procedures, and updates those standards? It sure needs to be an extremely competent and independent body; let’s call it CivicAuthority. And who would then control the controllers? CivicAuthority may potentially accrue a huge power that needs to be thoroughly checked, through an effective and democratic organizational procedure and body; let’s call it CivicOversight.
Such organization could be intergovernmental but it would probably inspire more trust if it was non-governmental but thoroughly democratically accountable.
Here’s how such body could work, in an excerpt from the User Verifiable Social Telematics project:
The CivicAuthority is a global dedicated committee made mostly of leading IT security experts and digital civil rights organizations – but also consumer, author and content rights holder associations – and is also responsible for updating the certification specifications. It is run on proceeds from certification revenue and from a % of the revenue generated by CivicProviders. We’ll propose membership to: Privacy International, EFF, EPIC, CDT, Human Rights Watch, Amnesty International, Altroconsumo, and more. Such a board would be re-elected by, and accountable directly to, an informed sample of ordinary citizens through deliberative polling(tm) procedures, CivicOversight.
If our hopes are in the politicians hands, we have little reason to hope. But with user-controlled user-verifiable auto-guaranteeing services, that enable digital civil disobedience, we can directly protect our freedom and affirm technologies and practices that improve even the ability of security agencies to promote their missions, proving that security and privacy are no zero-sum game, on the contrary.
(I made a blog post of this comment: Dear Dr. Schneier: new surveillance laws will not do, we also need “auto-guaranteeing” user-controlled ICT services)
No problem with a destination for the traffic. There are any number of .gov addresses that can be used.
Adrian • August 30, 2013 10:04 AM
We should start a whitehouse.gov petition to award Nacchio the Presidential Medal of Freedom.
in case you hadn't noticed, whitehouse.gov IS THE PROBLEM
As we all know, 85% of our confidential data is kept in our e-mail accounts, especially in Gmail. Mail service providers should not be allowed to share any account holder data with the US government; you never know how your data may be misused.
I suspect Levison was accused of destroying evidence.
"There was no 12-hour heads up," Mike Janke, Silent Circle's CEO and co-founder, said in a telephone interview. "If we announced it, it would have given authorities time to file a national security letter (demanding information). We decided to destroy it before we were asked to turn (information) over. We had to do scorched earth."
As far as I know it's not a crime to destroy evidence before it becomes evidence. That is presumably what Janke was thinking.
What they really need is some sort of "dead hand" setup, so that under the right circumstances the data are deleted (or made undecryptable); a court could order the owner to retrieve the data, and noncompliance could be contempt, but if the person is unable to retrieve the data, that seems like a solid defense (the burden of proof should be high if the accusation is of lying). As far as I know this sort of setup is not illegal yet. And it wouldn't technically be destroying evidence. (Well, that's for the courts to decide, I suppose.)
Nothing really new.
There have been firms that are in the "protection" business for a while (Cosa Nostra, mafia...)
So the NSA just follows known examples.
And with a lack of protection to be performed, they just create their own work....
Also, who are terrorists... in WW-II the resistance movements in Europe were called terrorists by the Germans etc.
It's just because the allies won and Germany lost that they are now called resistance (heroes)...
Strange that there seems no legal way to limit the behavior of those abusing the 'American dream', and as I think, constitution? Isn't America the (western at least) bulwark of democracy, also prepared to 'protect' it world wide?
Don't think I need this kind of 'protection' anymore, I'll do without. It also seems to come down to a corrupted mishmash of intelligence agencies, etc., collaborating with Big Business, and there one finds direct confirmation looking at Snowden's evidence.
Way worse than what J. E. Hoover ever succeeded in.
USA don't seem to get that what is 'okay' for a dictatorship, never can, should, or will, be okay for a democracy. Waterboarding not being torture for example? Give me a break please.
Or abolish democracy, and that weird rubber constitution installed. With that you can throw away the 'American dream' too, as it builds on those ideas. Maybe that is it? Well then, just tell us, so that we outside know.
Democracy comes from individuals voting, one voice, one vote. It should not matter for this if the guy/gal voting is red, black, white etc, neither does it matter if he is affluent or poor, multi millionaire or a convict. You don't want certain people voting? Well, just don't call it democracy.
What will USA have left? No integrity, no democracy, and no excuses for further aggressions on foreign soil, well, except the usual ones, as greed, protecting business, etc. But please stop telling me that it is 'protecting democracy'.
The USA is using highly educated people coming from all over the world, coming to partake in that American dream. Part of the economic engine giving the USA an edge. That edge should dull with the new reputation it is gaining.
@sshdoor, you can make it work if you have an algorithm to generate a public/private key pair from a password and salt provided by the server.
Server stores logonid:salt:publickey
client sends logonid
server sends salt:nonce
client prompts user to enter password
client calculates keys from password and salt
client sends nonce signed with private key
server checks signature matches the publickey
This assumes the nonce is never reused so saving the signature is no use. It lets the server validate the password without knowing it so an attacker controlling that server can not use it to log on to other servers.
The more I think about this the more ways I can think of to break it. I think it's OK if the nonce is digitally signed by the server with its host key. The client then checks the signature is for the server it has just connected to and sends back a signature covering the nonce and the host's signature. This ensures the signature is not accepted by any other server.
But sshd can easily log everything you do. So if you use su or sudo and enter your password you are stuffed.
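The exchange sketched in the comment above (server stores logonid:salt:publickey, client derives the keypair from the password and salt, signs a nonce, server checks it against the stored public key), as an added example that is not part of the blog post or any commenter's code. Both sides are modelled in one file so it runs offline. The Schnorr-style signature is computed on the Ed25519 curve with only the standard library; the curve arithmetic is there to make the steps inspectable and is not a vetted Ed25519 implementation. Details the comment leaves open and that are assumed here: PBKDF2-SHA256 turns the password and salt into the private scalar, SHA-512 is the challenge hash, and a pinned "host id" byte string stands in for the commenter's "nonce signed by the server with its host key" so that a signature made for one server is rejected by another.

```python
"""Password-derived keypair login: client never sends the password, server
stores only (salt, public key).  Added example; assumptions are marked."""
import hashlib
import os

# Ed25519 curve (twisted Edwards form of Curve25519), standard parameters.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493   # order of base point B
D = -121665 * pow(121666, -1, P) % P
I = pow(2, (P - 1) // 4, P)
IDENTITY = (0, 1)


def _xrecover(y):
    xx = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * I % P
    return P - x if x % 2 else x


_BY = 4 * pow(5, -1, P) % P
B = (_xrecover(_BY), _BY)


def point_add(p, q):
    (x1, y1), (x2, y2) = p, q
    x3 = (x1 * y2 + x2 * y1) * pow(1 + D * x1 * x2 * y1 * y2, -1, P)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - D * x1 * x2 * y1 * y2, -1, P)
    return x3 % P, y3 % P


def scalar_mult(k, pt):
    acc = IDENTITY
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc


def encode_point(pt):
    return (pt[1] | (pt[0] & 1) << 255).to_bytes(32, "little")


def derive_keypair(password, salt):
    """Private scalar and public point from password + per-account salt (PBKDF2 assumed)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 64)
    x = int.from_bytes(raw, "little") % L
    return x, scalar_mult(x, B)


def _challenge(R, pub, msg):
    h = hashlib.sha512(encode_point(R) + encode_point(pub) + msg).digest()
    return int.from_bytes(h, "little") % L


def sign(x, pub, msg):
    k = int.from_bytes(os.urandom(64), "little") % L     # fresh per signature
    R = scalar_mult(k, B)
    return R, (k + _challenge(R, pub, msg) * x) % L


def verify_sig(pub, msg, sig):
    R, s = sig
    return scalar_mult(s, B) == point_add(R, scalar_mult(_challenge(R, pub, msg), pub))


class Server:
    def __init__(self, host_id):
        self.host_id = host_id   # stands in for the host key the client has pinned
        self.db = {}             # logonid -> (salt, public point); nothing password-derived beyond that
        self.pending = {}        # logonid -> outstanding nonce, consumed on first use

    def enrol(self, logonid, salt, pub):
        self.db[logonid] = (salt, pub)

    def challenge(self, logonid):
        salt, _ = self.db[logonid]
        self.pending[logonid] = os.urandom(32)           # never reused
        return salt, self.pending[logonid]

    def verify(self, logonid, sig):
        nonce = self.pending.pop(logonid, None)
        if nonce is None:
            return False                                 # no live challenge: replay fails
        _, pub = self.db[logonid]
        return verify_sig(pub, nonce + self.host_id, sig)


def client_register(password, logonid, server):
    salt = os.urandom(16)
    server.enrol(logonid, salt, derive_keypair(password, salt)[1])


def client_login(password, logonid, server, pinned_host_id):
    salt, nonce = server.challenge(logonid)
    x, pub = derive_keypair(password, salt)
    # The signed message binds the identity the client believes it is talking to.
    return server.verify(logonid, sign(x, pub, nonce + pinned_host_id))


def relay_attack(password, logonid, honest, rogue_host_id):
    """Rogue server with a copy of the verifier DB relays the honest server's challenge."""
    salt, nonce = honest.challenge(logonid)              # rogue fetches a challenge
    x, pub = derive_keypair(password, salt)              # client thinks it talks to the rogue
    return honest.verify(logonid, sign(x, pub, nonce + rogue_host_id))
```

Two things worth noticing when running it. First, the server never holds anything that lets it log in elsewhere: the stored public point is a verifier, not a key, so a commandeered sshd learns no password to try on other hosts (the `su`/`sudo` caveat in the comment above is outside this scheme and still applies). Second, the salt is chosen by whoever answers the connection, so a rogue server can feed the client another server's salt and collect a signature under that server's verifier; binding the pinned host identity (here, or the server's host-key signature as the commenter proposes) into the signed message is what makes `relay_attack` fail.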
Forward all your trash e-mail directly to the NSA site. They'll just love it! Sign them up for Publishers Clearing House deals! If enough people do this they'll choke on it!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.