Schneier on Security
A blog covering security and security technology.
August 22, 2013
Susan Landau Article on the Snowden Documents
Really good article by Susan Landau on the Snowden documents and what they mean.
Posted on August 22, 2013 at 6:54 AM
While I am concerned about NSA monitoring, I don't understand why they did not just buy the data collected by gmail and hotmail. Using those providers, users knowingly give the companies full rights to their emails.
That would cause a tremendous backlash from the users, effectively putting these services out of business as customers migrate to other providers.
Doesn't seem like there's really anything new here, although I haven't printed it out yet. Multi-column PDFs are almost impossible to read on a computer screen.
I really don't think that Snowden is a traitor... He just released us from U.S. government spying.
I can only pity anyone who believes that "Multi-column PDFs are almost impossible to read on a computer screen." I suppose on a laptop it would be awkward; with the document zoomed to a point of good readability, you'd have to scroll up to get to the top of the next column. But even on a 20" (4:3) monitor at 1600x1200 resolution, it's fine; I've got it open in another window on such a display right now zoomed to full page height, and even with my lousy almost 50-year-old eyes, it's perfectly readable. With a Retina display it would be even better.
As for the document itself, it may be nothing new (I haven't finished it yet), but it seems like a good summary, especially useful to anyone who hasn't yet figured out that the traitors in this case are not Edward Snowden or Glenn Greenwald, but Barack Obama, James Clapper, Keith Alexander, and their co-conspirators, along with fellow-travelers such as Dianne Feinstein. Obama, in particular, took an oath to defend the Constitution, yet seems to have devoted his administration to destroying it, just like his predecessor G. W. Bush.
Snowden is not a traitor, the NSA are, as they have violated what it means to be an American.
From the play "Wicked", the "Wonderful" song (linked):
Elphaba, where I'm from, we believe all sorts of
things that aren't true. We call it - "history."
A man's called a traitor - or liberator
A rich man's a thief - or philanthropist
Is one a crusader - or ruthless invader?
It's all in which label
Is able to persist
There are precious few at ease
With moral ambiguities
So we act as though they don't exist
So the term "traitor" depends upon who feels most betrayed.
I will grant that most of us want to believe that people are honest so having one's eyes unwillingly opened to how much wrongness exists in what we thought were honorable organizations is, well, unhelpful.
Sadly, this whole mess -- and the fact that the NSA could choose to OUT ANYBODY and remove the anonymity that makes it possible to deal honestly on the Internet -- has caused an exceptionally major casualty: GrokLaw (http://www.groklaw.net/)... especially since PJ has received death threats over exposing the underbelly of the SCO v. IBM case since 2003.
I don't think that many "customers migrate to other providers".
If the customers were so intelligent and aware of what Snowden revealed, and the business drivers not so hot on making money (or on buying "cheap" services by easily paying with their customers' and employees' data), then they wouldn't spend money on expensive spy phones with google-, apple-, microsoft-, etc. features pre-installed (or so buggy that the difference between a bug and a feature is fluid).
Think of the many reports about security holes in any must-have technology that is called modern. Normal people are flooded with information about what is insecure and hope that they have the luck to be outside of this game.
Do you really think companies reverse their efforts in BYOD or Clouds only because of privacy concerns? Do you think companies stop their engagement to produce in China or to invite Chinese (possible) customers because of the risk of economic espionage? Both rhetorical questions.
If normal people were so security aware, they wouldn't accept that politicians get excited that the NSA does its best to get its hands on as much information as possible worldwide ... you can't blame a spy for spying. Maybe they do it a bit too extremely, but from their perspective it must shine as very good work, and from a technological view I think it is indeed.
"a really good article..." Uh, not nearly as good as your own writing.
I don't know if I'm confused, the author is confused, or I'm reading the work of a fantasist. From page 5 (middle column): "Under laws and regulations based on the EU Charter of Fundamental Rights and the European Convention on Human Rights, Europe has spent several decades establishing privacy protections for personal data, including trans-border flows. NSA eavesdropping on non-US persons greatly undermines these protections...." Well, I checked, and the US hasn't signed onto any of those. Is the author aware that British libel laws are an enormous infringement of the First Amendment to the US Constitution? Non-sequitur. But a few paragraphs later, Landau informs us: "GCHQ was handling 600m 'telephone events' a day, had tapped more than 200 fibre optic cables..." The UK is a signatory to the aforementioned treaties. Copy and paste is not covered in my book on formal logic.
Using those providers, users knowingly give the companies full rights to their emails
Not at all true, as evidenced by the disease with which the stories about their complicity have been greeted.
Beyond that, paying for the data in ways other than quid-pro-quo kickbacks like billion-dollar telecoms contracts likely involves financial regulations and constraints that the gov't would prefer to sidestep through secret laws and force.
Today EFF obtained release of a FISC document in which some government surveillance activities were found to be unconstitutional:
More worrisome is the secrecy. You can't consent or dissent to the exercise of powers that are kept hidden. "...Governments are instituted among Men, deriving their just powers from the consent of the governed..." Which makes what's happened here rather worse than the colonial activities that Landau references.
You want traitors: begin with Obama who has broken his oath of office so many times I've lost track
Snowden is the patriot...acting to protect the Constitution he has quite possibly put his life on the line
from a 50-year USAF veteran... Fifth Air Force, WWII; ARDC, Korean War...
Don't feed the troll. The only person who says Snowden is a traitor is Dianne Feinstein, notable in her full-throated support for every single one of these programs.
D'accord. I was hoping that if nobody said it, the thing would crawl away somewhere else to get the attention it craves with other carefully reasoned four-word debates.
I wonder if it left a useful IP address behind ... dangerous forum to be a dickhead on.
And what is the justification for Snowden releasing information on the NSA's activities in China/HK ?
The kind of well-written, detailed, factual and seemingly unbiased report we have come to expect from Susan Landau. Unfortunately, it's from somewhere in July and thus missing a number of important recent events and revelations, such as the Amash-Conyers vote and the FISC opinion published yesterday, as FOIA'ed by EFF.
1) Martin Schultz is not the EU President, but the President of the EU Parliament. The EU President is Herman Van Rompuy, whereas Manuel Barroso is the President of the European Commission (sort of PM). It's a bit like confusing Barack Obama with John Boehner (Speaker of the House).
2) Although Susan states that the US, contrary to China, is not using data collected by the NSA for industrial espionage because that would be illegal under US law, I have recently seen several articles alleging the opposite. I just can't remember where, but I wouldn't be too surprised given another recent revelation that the DEA has been tapping into the NSA data stream too.
3) I agree with @ Kevin an Auditor that the part on the EU is reasonably confusing, to say the least. Under the European Data Protection Directive (officially Directive 95/46/EC), personal data may only be transferred to third countries if that country provides an adequate level of protection. Under Article 29, a working party negotiating with the US and other stakeholders established the rules for Safe Harbour, which many US and other companies have self-certified as being compliant with. Snowden's revelations have however shown this to be a complete and utter joke, with quite some folks over here demanding immediate revocation of Safe Harbour status for all companies involved in PRISM.
Not mentioned either is that there is a new directive in the making, the General Data Protection Regulation, that will supersede the Data Protection Directive. Snowden's revelations couldn't possibly have come at a worse time because a number of very restrictive articles the USG, the UKG and US companies have been vehemently lobbying against are now back on the agenda before the final vote expected somewhere in the fall of this year.
As for the joint NSA-GCHQ operations sanctioned by the UKG and obviously treading on Directive 95/46/EC, the EU has been aware of this ever since the 2001 Echelon report. One of the report's recommendations was that the UK explain its role in Echelon. Perhaps this was done in some secret meeting, but it's just as likely that the UK - behaving more as a US colony than an EU member state - told the EU to go sod themselves.
I may be overreaching here, but if Susan or anyone close to her is reading this, your former colleague (and fan) DP124845 would be more than happy to help out with the European angle on this matter, even if but for proofreading.
No sockpuppeting on this forum, please, Mike and Dianne.
Apologies, Wael 8-)
At least we now know more about another world-class hosting service: getprsm.com.
It managed to make me grin, which is no mean feat before my first pot of hot "Strong Brownian Motion" producing restorative in the morning.
Did you try clicking the sign up now button ?
No there's somethings I don't do ;-)
And the kettle had just boiled to make my pot of tea :-)
Oh a word of warning to all you "Devil Brew" coffee drinkers in Europe and the US, recent scientific research is moving towards the "you are kidding yourself" view about coffee perks you up...
Apparently your normal state of health, wellbeing and energy is where you think the coffee puts you. This is due to the fact that coffee withdrawal makes you below par for several days by mucking up your day-night rhythm, and drinking it only puts you back to where you should be... Which I guess is also the reason why people who go on a week-long "detox" as a holiday feel so alive afterwards and slump back so quickly on returning to the daily grind... brew, stew, slurp and slump of Devil's Brew ingestion.
After years of careful scientific research, I have found that I get as perked up from the sugar I put in my coffee as I do from the caffeine therein. Perhaps you sweeten your tea, and thus establish another common bond between the Yanks and Brits?
I think both the US and UK have a better bond than sugar, in that we are both "Mongrel Nations" and our social habits and norms reflect the more interesting parts of the myriad of cultures within. Think what the many and varied tastes have done for our food, of which I've been an over-indulgent participant, so the only sweeteners I'm allowed for my various white, green and black teas are those that are in the milk or citrus juice I add to them.
Oddly my favourite morning tea is not British but a Swedish brand of breakfast tea, but not made with horrible "London tap water" (it kills top notes like you would not believe) or boiled in a plastic kettle. For black teas I use, when at home, a proper copper kettle and a china (not metal) pot and cup/mug, which is actually a tall coffee mug with sloped sides (it holds the scent better).
For white and green teas I tend to use a glass pot with a silver leaf holder, a Chinese-style porcelain bowl cup and just a dash of citrus (lemon, lime, mandarin) and on rare occasions peach juice.
Importantly, you should use the water "just off the boil" and allow it to steep for 3-7 mins depending not just on the tea type but on how the leaf has been cut.
When away from home I'm forced to "slum it", and the "Continental Habit" of providing a glass of tepid water, a bag of indeterminate "tea dust" on a string and a wedge of tired lemon in a "bulldog clip" style squeezer does sometimes cause me to wonder if they are doing a "le roast beuf" on me ;-)
I guess Dirk Praet will have some insight on this, and when in nominally his home region I tend to drink the local light beers :-)
W/R/T Snowden and the surveillance scandal...
With all of the folks running around trying to suppress evidence, well, if they weren't doing anything wrong, why are they so worried?
Aren't WE told that as long as we're doing nothing wrong we don't have to worry about surveillance?
Somehow there are folks unhappy when the shoe is on the other foot, don'tcha think?
and the "Continental Habit" of providing a glass of tepid water, a bag of indeterminate "tea dust" on a string and a wedge of tired lemon in a "bulldog clip" style squeezer does sometimes cause me to wonder if they are doing a "le roast beuf" on me
I'm sorry to say that we don't have much of a tea culture over here indeed. It's quite hard to find civilised bars or hotels with a decent tea offering and serving it in another way than the standard teabag on a string. These can however be great fun spinning them around and launching them at the ceiling, which is a great way to tick off owner/staff as it inevitably requires a ladder to remove them. It's an incredibly stupid sight to see a bunch of teabags hanging from the ceiling at some posh bar or hotel. Back in the day when we were hanging out with the local rascals, we even made a sport out of trying to group them together in pretty much the same way we practiced our shooting at the gun club.
@ Dirk Praet
Yes, there is one major flaw with the article, and it should have been obvious at the time. On page 6/10 on the PDF, pg. 59 in the text, Ms. Landau in a sidebar implies that the U.S. Government does not apparently share information with industries; "all signs point to..."
Except at the time of the leaks, Edward Snowden wasn't working for the NSA. He was working for Booz Allen Hamilton, a company "... is majority owned by private equity firm The Carlyle Group..." as a contractor.
So yes, the NSA was very much sharing with industry at the time. If those documents were available to Mr. Snowden, they were available to The Carlyle Group as well.
I'm amazed she missed that.
Back in the day when we were hanging out with the local rascals, we even made a sport out of trying to group them together...
It's nice to hear a good old-fashioned short word rather than today's politically correct management speak of "disaffected, disconnected and discordant members of the adolescent population with social behavioural boundary concerns" :-)
That said, the "game" sounds a whole lot more fun than chewing bits of "copy book" and launching them with a ruler while the teacher had their back turned; perhaps you can teach an old dog new tricks ;-)
@ Dirk, Jon,
With regards to handing over the fruits of surveillance/espionage, it is a well-known practice.
Many years ago the head of the French organisation openly admitted on camera to doing it, pointing out it was less expensive than R&D... Which means it would be covered by that broad "National Security" blanket.
But it's not just direct contractors to the intel organisations that "get to see" the intel. It is known that certain US defence, electronics and communications companies with very close links to the USG (such as TRW) were being given not just "economic" data in bidding contests but actual R&D information gleaned from foreign competitors.
In fact so much so that one well-known UK TV presenter made the comment "The only thing of use the US has invented was condensed milk in a tin".
On one of the other threads of this blog a couple of people have been debating how "Mega Corps" stay in business by buying/blackmailing government support. Well, I guess they don't know just how insidious the behaviour is with the "chosen few". Although these days the information flow appears not to be direct any more but through companies / consultancies with ex US intel organisation seniors on the books topping their pensions up...
Thanks for the document. A few highlights for me.
"The head of the Department of Scientific and Technological Intelligence... was boasting in the early 1980s that the value of information obtained [on the West] via economic espionage more than covered the functional expenditures of KGB operations."
Well, there's the ROI of intelligence against US right there. The payoff covered the KGB's expenditures and then some. I'm sure some Russian has joked that their paystubs should have American company names on them. ;)
"The report concluded that the 80% of the Japanese operations were directed against USA and Western Europe and involved the interception of technological intelligence."
I could see that. I actually expected it. Their MO was similar to China's in that they would make stuff we already made. The difference is they tried to beat us in quality, where China aims at cost.
"NSA analysts were shocked when they decrypted and translated an intercepted message sent by the Washington offices of Mitsubishi to Tokyo. The message included the Daily Briefing delivered daily to the U.S. President and the members of the National Security Council (NSC)."
THAT surprised me. I thought that document was hard to get a hold of or at least very few people saw it. That the Japs got ahold of it without the source itself being detected speaks well for their capability. I doubt we have *their* daily briefing.
And the section on France is no surprise either. Scheming Frenchmen, seductive French women... plenty of opportunities for stuff to happen to careless foreigners with possessions of great value.
Except at the time of the leaks, Edward Snowden wasn't working for the NSA. He was working for Booz Allen Hamilton ...
At least in theory, supplier-customer confidentiality is covered by a standard non-disclosure agreement (NDA) any contractor or contracting outfit is supposed to sign, especially when working in intelligence. It can also be part of their security clearance. Susan is way too smart to miss something as obvious as that. I'd love to see her on the PCLOB or other watchdog POTUS has recently been making some noise about. If you re-read her essay in that context, I'd say it makes for a very astute and diplomatic application indeed.
Thanks for that link. Very interesting reading indeed. My favourite "politically correct" newspeak expression for a while now is "integration area for culturally challenged newcomers" to describe what the rest of us usually call a ghetto of mostly North African and Eastern European poverty immigrants and asylum seekers. I heard it from an old acquaintance, a former drummer with kleptomaniac tendencies who was seeking public office for a local left-wing party in the latest municipal elections. He failed miserably.
And of course to ensure enforcement of all those confidentiality agreements there is oversig... Oh.
See what I mean?
And of course to ensure enforcement of all those confidentiality agreements there is oversight ...
We both know that most NDAs are not worth the paper they're written/printed on, and that enforcement is reasonably difficult, especially when dealing with hundreds of thousands of contractors. My point is that "sharing of data" with any third party - particularly contractors and commercial entities - is probably not official NSA policy, and that NDAs and other processes in place at least give them plausible deniability against any claims of doing so.
@ Dirk Praet
Um, they're paying them. NSA contractors are getting paid to work with this data. How can it be 'unofficial' when very large checks are being written, signed, and cashed?
If 'unofficial' it's absolutely massive fraud. Given the "close relationship" of corporations and government these days I might not be completely surprised by that...