The NSA is Commandeering the Internet

It turns out that the NSA's domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we've learned, fight and lose. Others cooperate, either out of patriotism or because they believe it's easier that way.

I have one message to the executives of those companies: fight.

Do you remember those old spy movies, when the higher-ups in government decide that the mission is more important than the spy's life? It's going to be the same way with you. You might think that your friendly relationship with the government means that they're going to protect you, but they won't. The NSA doesn't care about you or your customers, and will burn you the moment it's convenient to do so.

We're already starting to see that. Google, Yahoo, Microsoft and others are pleading with the government to allow them to explain details of what information they provided in response to National Security Letters and other government demands. They've lost the trust of their customers, and explaining what they do -- and don't do -- is how to get it back. The government has refused; they don't care.

It will be the same with you. There are lots more high-tech companies who have cooperated with the government. Most of those company names are somewhere in the thousands of documents that Edward Snowden took with him, and sooner or later they'll be released to the public. The NSA probably told you that your cooperation would forever remain secret, but they're sloppy. They'll put your company name on presentations delivered to thousands of people: government employees, contractors, probably even foreign nationals. If Snowden doesn't have a copy, the next whistleblower will.

This is why you have to fight. When it becomes public that the NSA has been hoovering up all of your users' communications and personal files, what's going to save you in the eyes of those users is whether or not you fought. Fighting will cost you money in the short term, but capitulating will cost you more in the long term.

Already companies are taking their data and communications out of the US.

The extreme case of fighting is shutting down entirely. The secure e-mail service Lavabit did that last week, abruptly. Ladar Levison, that site's owner, wrote on his homepage: "I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision."

The same day, Silent Circle followed suit, shutting down their e-mail service in advance of any government strong-arm tactics: "We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now."

I realize that this is extreme. Both of those companies can do it because they're small. Google or Facebook couldn't possibly shut themselves off rather than cooperate with the government. They're too large; they're public. They have to do what's economically rational, not what's moral.

But they can fight. You, an executive in one of those companies, can fight. You'll probably lose, but you need to take the stand. And you might win.

It's time we called the government's actions what they really are: commandeering. Commandeering is a practice we're used to in wartime, where commercial ships are taken for military use, or production lines are converted to military production. But now it's happening in peacetime. Vast swaths of the Internet are being commandeered to support this surveillance state.

If this is happening to your company, do what you can to isolate the actions. Do you have employees with security clearances who can't tell you what they're doing? Cut off all automatic lines of communication with them, and make sure that only specific, required, authorized acts are being taken on behalf of government. Only then can you look your customers and the public in the face and say that you don't know what is going on -- that your company has been commandeered.

Journalism professor Jeff Jarvis recently wrote in the Guardian: "Technology companies: now is the moment when you must answer for us, your users, whether you are collaborators in the US government's efforts to 'collect it all' -- our every move on the internet -- or whether you, too, are victims of its overreach."

So while I'm sure it's cool to have a secret White House meeting with President Obama -- I'm talking to you, Google, Apple, AT&T, and whoever else was in the room -- resist. Attend the meeting, but fight the secrecy. Whose side are you on?

The NSA isn't going to remain above the law forever. Already public opinion is changing, against the government and their corporate collaborators. If you want to keep your users' trust, demonstrate that you were on their side.

This essay originally appeared on TheAtlantic.com.

Slashdot thread. And a good interview with Lavabit's founder.

Posted on August 15, 2013 at 6:10 AM • 94 Comments

Comments

Musashi • August 15, 2013 7:37 AM

Actually, we are War - it's called the endless "War on Terror" and "War on Drugs" that give the government the right to commandeer everyone, everything and every freedom that they like... Get used to it since it will only get worse...

Rich • August 15, 2013 7:38 AM

Aren't Google, Apple, Microsoft, and co. protected by the law that retroactively allowed AT&T to illegally tap people's phones?

(And how did that law claim to get around Article 1 Section 9 of the Constitution?)

((I would have been happy to see AT&T successfully sued for more than its stock value... it would make a lovely customer-owned co-op.))

NobodySpecial • August 15, 2013 7:47 AM

@rich - yes but they aren't reimbursed for all the customers that leave.

? • August 15, 2013 7:57 AM

Bruce,

I probably shouldn't say this, but the Intel community does think we're at war. It already considers us in a "cyberwar".

Tom Stoppard • August 15, 2013 8:07 AM

Funny how Disgracebook has basically become a living, breathing public dossier for the government. I still don't know why anyone who cares about this actively uses it at all.

Someone • August 15, 2013 8:10 AM

Because it's an escape for many folks. Facing the reality of the problem and acting accordingly brings too many people too much distress.

Peter Wilson • August 15, 2013 8:17 AM

Surely there is no correlation between the companies that have caved and those that have large government contracts. Is it realistic to expect Microsoft or Google to stand up when they stand to lose those contracts?

R2 • August 15, 2013 8:25 AM

Musashi • August 15, 2013 7:37 AM : Actually, we are War - it's called the endless "War on Terror" and "War on Drugs"...

... "War on Privacy", "War on the Constitution", "War on Americans",...


Someone • August 15, 2013 8:41 AM

I don't know what I can do about this all. The stress of having to mentally justify every single action I take online in the context of how it could look like to a spook is killing me. This is having a significant impact on my quality of life.

Joseph Ratliff • August 15, 2013 8:41 AM

It's sad, the bigger companies like Facebook, Google, etc... have resources to actually pull off a nice "trust earning" PR move by directly and openly resisting the NSA.

Will they really do it though? Probably not. Costs money.

When it's too late, and users don't trust them anymore (this is America, someone will create a secure version of Google, like startpage.com or duck-duck-go etc...)... when users don't trust the big companies, the bigger effect is innovation will hit a big stumbling block.

Hopefully, they stand up.

Not really anonymous • August 15, 2013 9:11 AM

It isn't just the loss of contracts, but also personal retribution. The CEO of Qwest was convicted of insider trading after refusing to cooperate with the telecom spying. He probably was guilty, but I doubt that he would have been prosecuted if he had just cooperated.

Alex Okiemute Onovweruo • August 15, 2013 9:40 AM

I am into security and need more security tips to enable me to be proactive

Thecaseforpeace • August 15, 2013 9:58 AM

Bruce,

Simply splendid article! Thanks for becoming so outspoken on this.

We need to stop this here and now. If we don't, I'm afraid we'll be trying to stop it on a battlefield and that will be much much worse.

mike acker • August 15, 2013 9:59 AM

my question is: Are they really looking for 'terrorists', -- or dissidents?

jones • August 15, 2013 10:13 AM

Google has already taken their stand, mainly, that the 4th Amendment doesn't apply to their customers.

In the words of Google's lawyers:

"Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979). In particular, the Court noted that persons communicating through a service provided by an intermediary (in the Smith case, a telephone call routed through a telephone company) must necessarily expect that the communication will be subject to the intermediary’s systems. For example, the Court explained that in using the telephone, a person “voluntarily convey[s] numerical information to the telephone company and ‘expose[s]’ that information to its equipment in the ordinary course of business.” Id. at 744"


http://www.sfgate.com/technology/businessinsider/...


The number of possible attack vectors is mounting.


Google is citing the 1979 Smith v. Maryland ruling, though they just as well may cite the 1986 Electronic Communications Privacy Act.

Under the Electronic Communications Privacy Act, any email left on the third-party server for over 180 days is considered "abandoned" and the content can be accessed without a warrant. Given the way most people use Gmail, most communications would be covered by this provision.

"Under 18 U.S.C. 2703(a), the government may require a service provider to disclose the contents of an electronic or wire communication that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a search warrant. (As defined in 18 U.S.C. § 2510(8), "'contents', when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication.") If the information has been in electronic storage for more than one hundred and eighty days, disclosure may be required by a search warrant (without prior notice to the subscriber), a court order sought pursuant to section 2703(d) (with prior notice to the subscriber, requirements for this order are summarized below), or an administrative, grand jury, or trial subpoena (with prior notice to the subscriber). Delayed notice to the subscriber may be sought under section 2705."

http://www.justice.gov/criminal/foia/docs/...


J.D. Bertron • August 15, 2013 10:21 AM

Government has always had the power to conscript people. But without clear wars and the fact modern people would resist it, government has done the next best thing.
Why bother having to feed the troops when you can get their work for free? It's easy, as government, just create some incredible incentives, subsidies for the companies that do work you need, until they get so big that it's impossible for them to resist when you decide to commandeer them.
And if people start asking questions, or blow the whistle on your operations, justify it with an external threat, someone somewhere who destroys a windmill, so you can reassure people the measures are necessary.

BF Skinner • August 15, 2013 10:24 AM

@jones " the 4th Amendment doesn't apply to their customers."

Well. How could it. The 4th Amendment is a control on Government power. It is up to Government to regulate and control Corporate power and make laws protecting citizen privacy.

But the US won't do that because there is this fairy tale about this magical being called "the market." People WANT to be spied on. The market gives that to them; easy as lying. If they didn't they wouldn't use the service. cf Rational person construct and play against 'informed consent.'

Assaf • August 15, 2013 10:30 AM

I'm afraid the public simply does not care. People have already accepted that whatever they put on Facebook or Gmail is "out there" for governments to pore through, with or without cooperation from vendors. Convenience trumps privacy. Facebook is exquisitely engineered to keep us coming back, or, more realistically, never leave, just like a Casino. It's down to a science.

If asked "Facebook or confidentiality?", people choose the former. The train has sailed. A few engineers will be left behind clutching their TrueCrypts, until they too will break.

Curious • August 15, 2013 10:33 AM

Could the notion of a secret 'martial law' in USA be a sensible one? :)

I have to assume that a so called state of 'martial law' is never kept secret, but perhaps lawmakers have explored exactly such a possibility and put it into reality somehow with regard to how the authorities are managing its interests pertaining to everyone's internet/networking usage.

What is interesting about this notion of 'martial law', is how there would be (would have to be) a military rule, with military authority. I guess that would be something of a scandal (because one could raise questions about when it had begun in such a case?).

If 'martial law' is merely proverbial then this notion of mine is immediately pointless ofc. And if the military has some kind of general authority with regard to networking usage in some manner, then I think that also doesn't really entertain this notion of a 'martial law', but perhaps if there is a special authority with unknown goals and such, then I think that perhaps that could qualify for there perhaps being a state of 'martial law'.

NobodySpecial • August 15, 2013 10:35 AM

@Assaf - Facebook don't care but Microsoft and Apple and Amazon and Google should.

One ruling from an EU judge that using a US cloud supplier doesn't meet EU data protection rules and 500 million rich customers just got cut off.

European or Asian banks/aerospace/government banning iPhones at work because of the risks of data snooping.

Foreign governments dropping Microsoft or banning US companies from tendering for government contracts could hurt a little.

Figureitout • August 15, 2013 10:55 AM

So while I'm sure it's cool to have a secret White House meeting with President Obama
Bruce
--Please, hardly. I can imagine the discussion was pretty dull and insincere, and you know, he's essentially carried on his successor's policies and made other trivial changes for idiots that don't see the agnostic policies.

this is America, someone will create a secure version of Google
Joseph Ratliff
--I wouldn't be so sure about that. These entrepreneurs are going to be moving to different countries where they don't get raided by the state. Not to mention the general lack of hope and optimism that typically characterized America of the past, so will new companies (that create innovative products and aren't simply a restaurant or fashion mall) be started in an uncertain economic environment?

Everyone, this is why work needs to be started now on a separate internet. It mustn't use any of the current infrastructure and needs at least one person w/in a 2-3 mile radius of each other. This internet you use for porn, reddit, your social networks if you need them, non-critical email, and gaming. The other one you use for sending scientific research to each other, secure methods and techniques, and pillow talk to your lovers.

Petréa Mitchell • August 15, 2013 10:55 AM

Looks like it's time to circulate Dr. Philip Zimbardo's guide to resisting influence again.

And to remind people that as easy as the principles are to recite, it's really, really hard to train oneself to apply them, even for low-intensity social interactions. It's easy as a bystander to say "You should obviously not do that", but cooperation is hardwired into nearly every human.

seaoctopus • August 15, 2013 10:56 AM

Bruce,

What do you see as some simple, concrete things that an average netizen can do?

Tor browser bundle? using anonymous search engines?

llaen • August 15, 2013 11:00 AM

How sweet would it be if google (search) and facebook shut down for a couple of days with a message about government spying and why we should all care about it?
Imagine the noise this would make and the amount of berating political representatives will have to endure.

Granted, this tactic can be problematic and misused, but let's just imagine this for a moment and enjoy the feeling.

Richard Caldwell • August 15, 2013 11:14 AM

These companies have no earthly reason to fight. They can supposedly be "compelled" to participate in the surveillance schemes, yet we are to believe they cannot also be compelled to refrain from tax evasion schemes (to international levels)? Facebook alone has received over one billion in tax subsidies, just in the last three years. I think a point everyone seems to be neglecting is that these tech firms are obviously getting something for their "troubles", regardless of what their respective PR yes-men are claiming.

Figureitout • August 15, 2013 11:18 AM

Ok, the whole transatlantic cable thing....yeah....Digital radio, sat-bounce, never mind...

T. Traub • August 15, 2013 11:25 AM

@Figureitout - what country will these entrepreneurs move to? Britain? France? Russia? China? India? I doubt there's a country in the Northern Hemisphere that isn't involved in spying on citizens, either implicitly or overtly.

The only solution in the long run is to create a new country somewhere out in the Pacific Ocean, a floating city named Internetopia or some such. Data is completely private, completely encrypted, constantly guarded. You have an equally secure client system to access your data from wherever you live. This country would probably need to have a nuclear missile or two in order to fully guarantee its security and independence (plus a pretty good coast guard and police force to repel invasions).

Other than the somewhat fantastical notion above, I see little hope for a safe haven anywhere on Earth. Of course, we here in the United States can lobby and pressure and vote our government into stronger protection of our civil liberties, but unfortunately the majority of citizens lack the education and information to take such a stand. In fact several educated, tech-literate people I know have actually stated that they "have nothing to hide", unconsciously quoting George Orwell.

Richard Caldwell • August 15, 2013 11:32 AM

@T. Traub:
I do think boycotting any and every American-based tech company is a start though. And while islands such as what you describe may not exist in physical space, they do exist online, such as here:
http://www.autistici.org/en/index.html

I am interested in Pirate Bay's new browser, and I am hopeful for when Kim Dotcom unveils his encrypted webmail service next year.

And on your final note I entirely agree. Having nothing to hide has done wonders for the many innocents held at GitMo. Offenses can be fabricated in today's world, just as easily as laws can be retroactively re-written. In that regard, nobody is truly safe.

Clive Robinson • August 15, 2013 11:56 AM

Perhaps I should sound a note of caution for non technical managers, and other more technical managers who have not specialised in security.

Sometimes something that appears a very sensible idea in a technical or engineering perspective is a very bad idea from the security perspective.

Two of the more memorable instances are CarrierIQ's "test and support" software that did an "end run" around all the security built into a smart phone by dumping raw keypresses and other information directly onto the Internet. And RSA's "customer support DB" which was accessible to the internet because it was not "air gapped" and contained the seeds and other information required to break the security on just about all of their two factor key fobs on which many of their customers' security relied upon.

Now consider this, as far as an organisation's customers are concerned their relationship is with that organisation, not any other entity the organisation has dealings with. If your organisation buys in technology from a third party entity it's your reputation, profits and continuance of your organisation that matters to you. Your customers won't see it as some entity letting you down but you failing in your duties to them, likewise any court or judicial body such as a regulator (SEC etc) if the customers or authorities decide to take action. You might be able to take civil action against the entity but the odds are it won't happen in any short time frame and it also won't be successful...

Figureitout • August 15, 2013 12:03 PM

T.Traub
--Yeah point taken, some countries mentioned here have been Iceland, Norway, maybe Switzerland. There's also Sealand that's been talked about on here before. (Apparently, "On 22 May 2013, mountaineer Kenton Cool placed a Sealand flag at the summit of Mount Everest", so people are still standing for it). And there are many countries and tiny islands that you will have never heard of and only come to my attention due to Hams DXpeditions my dad talks to and QSL's. They are typically not occupied but you have to bring all your supplies w/ you.

I'm fine w/ lobbying the gov't for better protections so long as these agencies follow the F-ing law; b/c I know for a fact they round the edges.

cbob • August 15, 2013 12:34 PM

It's not like the gov't would ever punish a company for supporting the wrong party or threaten people with IRS audits for failing to cooperate in planting audio surveillance. (and the "the other party did it" argument only shows how low standards truly are)

Simon • August 15, 2013 12:37 PM

@Clive Robinson - the problem with your comment is, that it sounds like you know ahead of time which ideas are good. But you don't. You are using information afterwards to make it sound like you would not have made the mistake. So, if I'm wrong, then go ahead and disclose all the weaknesses in all systems in use now. Go ahead. Don't leave anything out. See how that works? You and a bunch of other "experts" get to show up after the tornado has passed, then point to every loose nail and split piece of lumber and claim "oh here, see they should have made it stronger". You're no different than system administrators who just say "no" to everything, not because they know it's wrong, but because they know that when something breaks they can say "see, told you not to do that". It's the same with inventions, people couldn't find a way to fix a problem to save their life, but when someone else does they go "oh, anyone could have thought of that." Why don't you go fix something. The world is on fire and there are enormous problems that need fixing. Not more of this conceited crap.

Corwin • August 15, 2013 12:46 PM

They won't fight.

Their customers are simply trapped, because they generally don't know that there even are alternatives to the services they use, and as long as nothing personally happens to them, they're not caring beyond liking a pair of angry facebook rants. If even that.

As for international policy, Angela Merkel can write strongly-worded letters all she wants, that's about as effective as her Shiny New Privacy Laws are going to get at influencing the policy of the USA : i.e. hilariously not at all.

Of course, the Right Way(TM) to solve all of that is to make everything peer-to-peer and completely trust-free, but that's not happening any time ever.

Another way would be to simply make everything totally public. Wipe out secrecy for everyone forever, flat-out erasing the concept of privacy. EQUALLY.
There's a neat thing in that : it's that NOBODY can argue that their privacy is worth more than EVERYbody else's combined.

That would put a mirror in front of Humanity's face that it couldn't run away from. "THIS IS WHAT YOU ARE." There would be a LOT of behaviors that would need to stop being considered as bad... every notion of sin that irrationally condemns doing natural things that feel good would be crushed overnight under the inescapable weight of FACTS.

So, choose.
1. Dystopian 1984 police state. Anyone not Serving The System is a target for arbitrary enforcement of laws designed to criminalize everyone everywhere.
2. P2P heaven of crypto-anarchy. This will never happen, those guys can't get anything done ever.
3. Panoptical mirror. Everything you and/or anyone say(s) and/or do(es), can and will be used in the future eventually, by anyone, for anything.

We're going to Number 1, straight ahead with zero resistance.

Stevensoners116@comcast.net • August 15, 2013 2:15 PM

This is why Bruce is so cool among other things. He's not afraid to speak the truth, and if he is, he does it anyway. You're the man! Keep the talking points rolling.

jones • August 15, 2013 2:20 PM

@BF Skinner

Wow. What an incredibly literal reading of my comment.

In the context of Mr. Schneier's admonition "to the executives of those companies: fight," allow me to rephrase my remark as follows:

"Google has already taken their stand, mainly, that they aren't interested in defending the 4th Amendment rights of their customers."

Now, you could be very literal, and suppose "Well, it's not Google's job to protect the rights of their customers."

Fine. They aren't taking up Mr. Schneier's challenge. That's all I came to say.

I would add, though, one step removed from this, that they shouldn't go around portraying themselves as defending human rights when they do things like ending censorship of Tiananmen Square in China. Their behavior is duplicitous. Maybe the moral is not to trust the media when it depicts a corporation acting in the interests of human rights or civil liberties.

Now, let's take one further step back. When Google is acting on behalf of the government, does it need to follow the law?

Does participating in a state-run surveillance program make Google a "state actor?"

http://en.wikipedia.org/wiki/State_actor

Specifically:

3. If the government merely acquiesces in the performance of an act by a private individual or organization it is not state action, but if the government coerces, influences, or encourages the performance of the act, it is state action (Rendell-Baker v. Kohn, 457 U.S. 830 (1982));


If so, then Google DOES need to be mindful of the 4th Amendment.

Think about it. A little harder.

Tom • August 15, 2013 4:05 PM

Better to opt for a zero-trust approach: learn to keep your private stuff encrypted; use other serious tools to improve your online privacy (there are dozens, from pgp to https everywhere, etc.), and mind where you share your private info (from fb to the clouds).
Miranda warning applies all the time, everywhere.

Bryan • August 15, 2013 4:37 PM

If I understand Levison's remarks about the closure of LavaBit correctly, I think perhaps something like the following is his situation:

(1) All customer email storage is encrypted using a passphrase supplied by the customer (using SSL).

(2) He has cooperated in the past by providing customer to law enforcement, (specifically citing the case of a suspected child pornographer) and sees no reason not to do so for proper warrants now.

(3) The value of the encrypted files he turned over under warrant/subpoena were probably not useful, while the identity, credit card, login session times, and IP addr data are probably of marginal utility.

(4) Looking at the email storage white paper at http://lavabit.com/secure.html (you now have to use http://archive.org to see it), you can see the weakness in LavaBit's system is coercion by legal process. Both the private and public key are generated and maintained on LavaBit's servers. The private key is/was protected by a hierarchy of algorithmic security mechanisms using AES-256, passphrase, the account ID, account password, and salt.

(5) He received a warrant/NSL/court order that would order him to install changes that would compromise future stored messages. We don't know the exact mechanism that would be used, but it is clear that at least one user would have future messages stored with an alternative process, or a copy of the clear-text message would be taken before encryption. Alternatively, a copy of all public keys would be immediately provided to the LEO, and as a user needed to decrypt a message, a copy of the private key would be taken and sent along.

Bravo to Levison!
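A toy model of the weakness described in point (4) of the comment above, added here as an illustration; it is not Lavabit's code and not part of the original comment. It assumes an HMAC-SHA256 keystream standing in for AES-256, 32 random bytes standing in for the private key, and hypothetical names throughout (`ServerSideKeys`, `ClientSideKeys`, `server_can_unwrap`), and contrasts what the server itself handles when keys are wrapped server-side versus client-side.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed PBKDF2 work factor for this example


def kdf(passphrase: str, salt: bytes, label: bytes) -> bytes:
    """Derive a 32-byte key from the passphrase; `label` separates key uses."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt + label, ITERATIONS)


def _subkey(key: bytes, use: bytes) -> bytes:
    return hmac.new(key, use, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def wrap(key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC `secret` (HMAC keystream is a stand-in for AES-256)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes):
    """Return the secret, or None if `key` is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class ServerSideKeys:
    """Model A: key pair generated and kept on the server, wrapped under a
    passphrase-derived key, as the comment describes."""

    def __init__(self):
        self.store = {}  # user -> (salt, wrapped private key)
        self.seen = []   # every secret this server process handled in the clear

    def register(self, user: str, passphrase: str) -> None:
        private_key, salt = os.urandom(32), os.urandom(16)
        self.seen += [passphrase, private_key]
        self.store[user] = (salt, wrap(kdf(passphrase, salt, b"kek"), private_key))

    def login(self, user: str, passphrase: str) -> bool:
        salt, blob = self.store[user]
        private_key = unwrap(kdf(passphrase, salt, b"kek"), blob)
        if private_key is not None:
            self.seen += [passphrase, private_key]  # plaintext key exists server-side
        return private_key is not None


class ClientSideKeys:
    """Model B: the client generates and wraps the key; the server stores an
    opaque blob and checks a separately derived login token."""

    def __init__(self):
        self.store = {}  # user -> (salt, wrapped blob, hash of login token)
        self.seen = []

    def register(self, user: str, salt: bytes, blob: bytes, token: bytes) -> None:
        self.seen.append(token)
        self.store[user] = (salt, blob, hashlib.sha256(token).digest())

    def login(self, user: str, token: bytes):
        self.seen.append(token)
        salt, blob, token_hash = self.store[user]
        ok = hmac.compare_digest(token_hash, hashlib.sha256(token).digest())
        return (salt, blob) if ok else None


def client_enroll(passphrase: str):
    """Runs on the user's machine in Model B; the passphrase never leaves it."""
    private_key, salt = os.urandom(32), os.urandom(16)
    blob = wrap(kdf(passphrase, salt, b"kek"), private_key)
    return private_key, salt, blob, kdf(passphrase, salt, b"auth")


def server_can_unwrap(server, user: str) -> bool:
    """True if material the server itself handled suffices to unwrap the key."""
    salt, blob = server.store[user][:2]
    for item in server.seen:
        key = kdf(item, salt, b"kek") if isinstance(item, str) else item
        if unwrap(key, blob) is not None:
            return True
    return False
```

In Model B the login token still permits offline guessing of a weak passphrase, and a server that ships the client code can change that code; the model only compares what stored data and login traffic reveal.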

Chilling Effect • August 15, 2013 5:43 PM

Well, the silver (or aluminium) lining is that it argues against those who claim the United States is a fascist regime. The corporations aren't calling the shots. They're merely obeying the bureaucrats in a security apparatus that operates under a secret body of classified law authorized by the secret FISA Court, is exempt from review by any non-secret court, and is accountable only to itself. But arguably that's worse than fascism.

Unfortunately, executives of major corporations are unlikely to fight. They're a cautious lot who care only about quarterly performance that makes their stock enticing to the institutional investors that are their only true customers. Wall Street would never tolerate any CEO who risked their share price by refusing to cooperate with bureaucrats who probably threatened to shut them down if they don't instantly provide whatever masses of data the spooks want.

I honestly hope that the outrage about what Snowden revealed persists and forces Congress and the courts to do their jobs of providing the checks and balances as the Constitution intends. But I'm afraid that Obama, Clapper, and the rest of the security apparatus don't care about public opinion and believe they're empowered to do whatever they want. Obama's recent speech proposing palliative measures to make the public "comfortable" with Hoover surveillance suggests that he's committed to the ever-expanding Surveillance State regardless of what people want. And I doubt that Obama's successor would want to relinquish that power.

Clive Robinson • August 15, 2013 5:58 PM

@ Simon,

    - the problem with your comment is, that it sounds like you know ahead of time which ideas are good. But you don't. You are using information afterwards to make it sound like you would not have made the mistake.

I don't know what you do for a living or how many years experiance you have, but hopefully you understand the notion of "Due Diligence" and how it effects a company when one of the legal proffession gets hold of it in court or worse a regulator that can place arbitary fines and or imprisonment on executive and non executive directors?

ICTsec has no real or worthwhile metrics to demonstrate that a company has taken reasonable steps to ensure the "marketable performance" of it's products. Thus people fall back on "Best Practice" which from a defence position is a very bad place to be in. Effectivly all a lawyer has to do is find another company performing similar activities which has taken preventative steps that your company has not, and if they can show it has a bearing on any "unfit for market" parts of your system it's in effect game over unless you have in some way prior to marketing the product limited your liability not just in general but specificaly with respect to the type of harms claimed.

If it can be shown that you actually added functionality that does an "end run" around security features that are in your product then a court or regulator is going to rip away any chance of a defence you might have had, because it's moved from negligence to fairly easily demonstrable willful behaviour.

Claiming ignorance of ability to check the security of a product prior to release is likewise not going to do you any favours.

The only reason we have not had a court case of any substance in the US is due to a quirk of the US legal system which allows large organisations to defend themselves by "out spending" a litigant and thus in effect stripping them of their rights under law. Or where the litigant is another large organisation or a regulator an accommodation by way of an out of court settlement is made.

Thus an organisation of any worth should be duly diligent and perform best practice testing prior to "placing on the market" any product they have designed, produced, manufactured or re-labelled, even if they are not providing it to make direct commercial gain from the end users as in effect the "something offered, something gained" of contract law applies.

With regards your statement,

    So, if I'm wrong, then go ahead and disclose all the weaknesses in all systems in use now. Go ahead. Don't leave anything out. See how that works

You know or should know that that is an impossible "ask" the reason being quite simple for two reasons.

The first is,

    There are known knowns, unknown knowns and unknown unknowns.

The second being a couple of mathematical proofs from before the first working computer that indicates there are various limitations of logic and mathematical questions that our current notion of a universal computer (Turing engine) cannot resolve. The consequence of this is there will always be vectors via which such a computer can be attacked.

If you can be bothered to search back on this blog you will see that I have said both of these a number of times before and have also made proposals for a "probabilistic security" system that whilst it can not stop attacks can detect them fairly rapidly alert human operators and halt.

But just to ensure you understand what known knowns, unknown knowns and unknown unknowns mean I will go through it.

First you have to accept that any one attack is in fact a specific instance within a more general class of attacks. Thus an attack that exists is a "known" specific attack within a "known" class of attacks. A variation of an existing attack that has not yet been seen is an "unknown" specific attack within a "known" class of attack. Thus an entirely new type of attack using a new method would be an "unknown" specific attack in an "unknown" class of attack.

In normal anti-malware systems there are two approaches one is to look for a specific attack the other is to mitigate against a class of attack. Of the two class mitigation is a better but considerably more difficult approach, as it provides protection against many zero day attacks which malware signature style systems don't as they need a known signature for the malware to be detected.

Further if you search back through this blog you will see I have discussed a number of times an issue most software developers have difficulty accepting which is "Efficiency -v- Security". Optimising code for efficiency unless you really know what you are doing is almost always guaranteed to open up various side channels through which information will leak.

I have in the past highlighted some of the required strategies for reducing your security surface and put simply it's the same as it is for hardware design. You reduce the complexity in your code by segregation and interface control, further you remove all functional feedback and feedforward and adopt where possible a "single chain of execution" approach, which means no test stubs or harnesses in the product. Further you reduce the transparency of the product by clocking the inputs and clocking the outputs as well as failing hard and long on any error.

Fully understanding the why of these rules and following them correctly will go a very long way in improving not just the security of a product but the reliability as well. With once you are experienced in the mind set fairly minimal increase in coding, but a consequently greater time saving when going through the various test phases.

I've also in the past given a list of EmSec / TEMPEST rules for hardware design, however most also translate into software as well when you can visualise the analogs.

Further you will find comments and posts from other regular posters such as Nick P giving guidance on formal methods for producing secure code, available secure OS's and importantly a list of past papers.

It is this last point you should consider, back in the 1960's and 70's most of the things you need to do to produce secure OSs and applications was not just known about but discussed in published papers from both the theoretical and practical view point.

Sadly for most developers this trove of information is unknown to them for various reasons. And worse even if it were known it is unlikely that most organisations would allow the knowledge to be used, because management and marketing have in the main not seen a need for security and thus regard moves in that direction to be a waste of resources.

From your closing comments of,

    Why don't you go fix something. The world is on fire and there are enormous problems that need fixing. Not more of this conceited crap.

You make a series of unwarented assumptions about me, without any knowledge of me which does not bode well of your thought processes. And is bordering on trollish behaviour.

For your information I used to be what some Americans call a "fireman" or more pragmatically a trouble shooter for hire. I used to go in and pull projects back on the rails when they had jumped the points. To be able to do this I needed a lot of skills oddly mostly technical not human. These skills came from many years working in many diverse fields of endeavour within engineering. What has stopped me doing this is ill health that amongst other things makes flying medically inadvisable.

I do however continue to perform various useful functions in ICT as well as some research so I am still "fixing something" on a regular basis.

As for the world being on fire, as I've indicated above the reason is not a lack of knowledge or tools that have put us in this position but the simple fact that security outside of a very small and quite select market is not seen as a "money earner". The upshot of which is few if any designers of products and systems have any knowledge or experience of security requirements, let alone how to go about building them into products and then testing.

In effect it's become virtually "lost knowledge" and it is this issue that has in effect put all the fuel where it can be easily lit.

As for "conceit" I'll let others draw their own conclusions, but as I've repeatedly posted to this and other blogs about these issues long before our current problems it is going to be more than a bit difficult to make your assumptions stand in the face of contradictory evidence.

But at the very least go back and re-read what I wrote in my comment above, I think you will find on reflection I was advising caution and giving real world examples of why it should be exercised.
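One reading of the "clocking the outputs" and "failing hard and long on any error" advice in the comment above, as an added example that is not the commenter's code. The class name, the 500 ms tick, the 30 s lockout and the fake clock are all assumptions made for illustration.

```python
import hmac


class FakeClock:
    """Deterministic millisecond clock (assumption) so the example runs instantly."""

    def __init__(self):
        self.now_ms = 0

    def time_ms(self):
        return self.now_ms

    def sleep_ms(self, ms):
        self.now_ms += max(0, ms)


class ClockedGate:
    """Hypothetical secret-checking gate; names and timings are illustrative."""

    def __init__(self, secret, clock, tick_ms=500, lockout_ms=30_000):
        self._secret = secret
        self._clock = clock
        self._tick_ms = tick_ms
        self._lockout_ms = lockout_ms
        self._locked_until = 0

    def check(self, candidate, work_ms=0):
        arrived = self._clock.time_ms()
        if arrived < self._locked_until:
            # Still inside the hold-off: refuse without doing any processing.
            verdict = "REFUSED"
        else:
            # work_ms stands in for data-dependent processing time.
            self._clock.sleep_ms(work_ms)
            if hmac.compare_digest(candidate, self._secret):
                verdict = "OK"
            else:
                # Fail hard and long: one error latches the gate shut.
                self._locked_until = self._clock.time_ms() + self._lockout_ms
                verdict = "REFUSED"
        self._release_on_tick(arrived)
        return verdict

    def _release_on_tick(self, arrived):
        # Clocked output: the reply leaves only on a whole number of ticks
        # after arrival, so latency does not track internal work time.
        now = self._clock.time_ms()
        elapsed = now - arrived
        ticks = max(1, -(-elapsed // self._tick_ms))  # integer ceiling
        self._clock.sleep_ms(arrived + ticks * self._tick_ms - now)


def demo():
    """Return (label, verdict, observed latency in ms) for constructed requests."""
    clock = FakeClock()
    secret = b"constructed-secret"
    gate = ClockedGate(secret, clock)
    trace = []

    def send(label, candidate, work_ms):
        start = clock.time_ms()
        verdict = gate.check(candidate, work_ms)
        trace.append((label, verdict, clock.time_ms() - start))

    send("fast correct", secret, 10)
    send("slow correct", secret, 400)
    send("wrong guess", b"guess", 3)
    send("correct during lockout", secret, 10)
    clock.sleep_ms(30_000)  # wait out the hold-off
    send("correct after lockout", secret, 10)
    return trace


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A caller sees the same 500 ms latency and the same "REFUSED" text whether the guess was wrong or the gate was already latched, which is the reduced transparency the comment describes.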

J.R. • August 15, 2013 6:40 PM

@ mike acker

Are they really looking for 'terrorists', -- or dissidents?

Perhaps they see no difference between terrorists and dissidents. Some remarks former NSA chief Michael Hayden recently made suggest that he sees no difference between terrorists and activists. If I recall correctly, [privacy] activists = anarchists, = nihilists = Al Qaida etc. Lovely fellow.

RSaunders • August 15, 2013 6:45 PM

@Richard Caldwell, I don't follow your rationale for avoiding all US internet companies because of the NSA. The NSA has numerous restrictions on what they can get from US companies, and if an actual whistleblower knew NSA was breaking the rules they could report them to the congressional folks that fund the NSA. These restrictions might not be what you or I would proscribe, but there are actual restrictions. Once you leave the safety of the US, there are no restrictions on NSA collection. It's in the foreign intelligence collection business, they even say so on their web site. With no Patriot Act or FISA to compel companies to work with them, the NSA can't implement fancy rules. Instead they can just hoover up everything. Once a server is "foreign" it's presumably "reasonable" to collect everything in the search for foreign intelligence.

If anything, I'd be concerned that the US is using the NSA to target all non-US servers. Is this economic imperialism? If the NSA commandeers the Internet, who's going to pay to build another one? How would we keep the NSA out of this new Internet?

I think I'll keep my stuff on Google, their privacy protections are better than nothing.

Richard Caldwell • August 15, 2013 7:25 PM

@RSaunders:
The US government evidently has access to all digital information. That seems to be the point of the Edward Snowden ordeal, and even the lavabit incident. Numerous governmental officials have been caught in self-contradictory statements over recent weeks, up to and including the President. There is absolutely no reason to believe that A) restrictions are indeed in place that the Federal government must legitimately abide by, or B) that any government (or corporate) voice is saying anything remotely truthful regarding the surveillance programs.

Additionally, why on Earth would more whistle-blowers feel like they'd have a fighting chance in speaking up? It has done wonders for the freedom and peace of mind for Snowden, for Assange, for Manning, etc. Nobody honestly believes that Michael Hastings died by accident. Ladar Levison will apparently be tied up in legal matters for some time to come. Why?

My point is that foreign agencies (particularly apolitical) would have less cause to play along in Uncle Sam's reindeer games, because it is American Industry that is joined at the hip to American State. It's not a clearly lit path, but the ground is far more stable than anything American.

And I am far from the tinfoil hat type, mind. Personally, I would love if the UN were to grow some balls and give the states the pink slip. But I sincerely believe that anarchy is the only viable option. The persons with the power to declare the necessary changes are precisely the ones who would forfeit power in the doing, so it would never willingly happen. Not by petitions or voting for "the other guy". PRISM alone is the product of years of work involving hundreds of persons. It is not some case of a select few accidentally doing something wrong. And anyone who seriously believes that Google, etc, are not readily profiteering from all of this is shamefully innocent of the ways of the world.

Dirk Praet • August 15, 2013 7:43 PM

@ Jones

Thanks for the insightful legalese heads-up.

Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”

Although I'm not a solicitor, I think this line of reasoning is total felgerkarb. I can imagine a "recipient's assistant" in a business context opening certain types of snail mail addressed to his/her manager and as per standard instructions/policies, but definitely not everything. Digitally speaking, I don't know of many execs that allow their secretaries full access to their mailboxes either.

In a private context, it doesn't even make any sense at all. When a letter from party A is specifically addressed to party B, then why should anyone assume that it can be opened and read by party C, whatever the relation between B and C ? Am I also to believe that under the same argumentation the US Postal Office has the right to open up anything being sent through them?

Outside the US, the secrecy of correspondence - a fundamental legal principle enshrined in the constitutions of several European countries - is exactly what guarantees that the content of sealed letters is never revealed and letters in transit are not opened by government officials or any other third party. Where I live, for example, this is enshrined in Art. 29 of our constitution.

Google can say whatever they want in the US, but this argument would never hold up in European courts where on the constitutional level Article 7 of the EU Charter of Fundamental Rights (December 2000) even replaces the right of privacy of “correspondence” with the right of privacy of “communications”.

To Google and the rest of the corporate NSA collaborators: we now know who you are and what you are doing. Prepare to become corporate pariahs and suffer massive losses outside the US if you don't put up an even remotely credible fight. Like Bruce says: it's time to show whose side you're on. The members of the House of Representatives already did so when voting on the Amash-Conyers amendment. Now it's your turn.

Wael • August 15, 2013 8:10 PM

@ Clive Robinson,

As for "conceit" I'll let others draw their own conclusions

Hmm! Nope! I don't think you are.

Dirk Praet • August 15, 2013 8:28 PM

@ RSaunders

The NSA has numerous restrictions on what they can get from US companies

Er, no. The evidence on the table today clearly suggests the opposite whereby most if not all restrictions can be easily bypassed or reinterpreted by the FISC.

... if an actual whistleblower knew NSA was breaking the rules they could report them to the congressional folks that fund the NSA.

No again. In the wake of the 1975 Church Committee, the House/Senate Select Committees on Intelligence were established to rein in the activities of the intelligence agencies. From what we've been seeing lately - their chair persons Dianne Feinstein and Mike Rogers being the most ardent NSA proponents - it would seem that exactly the opposite has come to pass, i.e. the executive branch and the intelligence agencies reining in Congress.

In the current state of affairs, there would simply be no point whatsoever for a whistleblower to come forward, spill his guts and take his chance in court. Snowden including, an unprecedented total of eight people have now been charged by the current administration under the 1917 Espionage Act. Under this act, there is no public interest or whistleblower exception, meaning that prosecutors can and already have convinced courts in prior cases that intent of the leaker, the value of leaks to the public, and the lack of harm caused by the leaks are irrelevant, and therefore inadmissible in court. (Source: https://pressfreedomfoundation.org/blog/2013/08/why-edward-snowden-cannot-receive-fair-trial-united-states )

In this light, the recent statement of POTUS - a former senior lecturer in constitutional law at the University of Chicago - that “If, [Snowden] believes that what he did was right, then, like every American citizen, he can come here, appear before the court with a lawyer and make his case.” seems misleading at best and mendacious at worst.

Nick P • August 15, 2013 9:47 PM

@ Simon

" the problem with your comment is, that it sounds like you know ahead of time which ideas are good. But you don't. You are using information afterwards to make it sound like you would not have made the mistake."

I read his comment. It draws on previous experience to warn about specific kinds of things. Quite the opposite of your claim.

" So, if I'm wrong, then go ahead and disclose all the weaknesses in all systems in use now. "

We've actually covered many of them on this blog. Most of the time, there was a way to avoid the issues cost-effectively but prevention was simply ignored. But, since you asked, here's a brief summary and an example-filled follow up that should answer your question. The second comment has useful links on security engineering in it as well.

"You're no different than system administrators who just say "no" to everything, not because they know it's wrong, but because they know they'll when something breaks they can say "see, told you not to do that""

Certain ideas shown to experienced people will get a no because they will lead to problems. Quick comparison. Most of my designs' modules communicate through interfaces with well-specified behavior and error conditions. The wire or configuration formats are designed to be easy to parse. Input data is checked & can't result in arbitrary control jumps. And so on. This is very unlikely to cause performance, reliability or security issues while meeting functional requirements.

The competing approach includes things such as secrets via XML technologies or generating SQL commands from arbitrary user input. The first is a bandwidth hog by design with periodic security flaws from complexity. The second is called SQL injection. Both are very popular in web stacks right now even though I told them "No" many, many years ago. ;) I even gave them pre-built, free alternatives. They weren't (and mostly still aren't) interested even after all the problems those techs caused. At least JSON and input validation are slowly being adopted in their place. Slowly.

"It's the same with inventions, people couldn't find a way to fix a problem to save their life, but when someone else does they go "oh, anyone could have thought of that.""

We've posted plenty of solutions on this blog alone. Many other people have also created smart solutions to business problems with security baked in. They were neglected because something else was a bit more convenient, cheap, or cute looking. With a tradeoff, people usually trade away quality or security for even a small increase in other traits. Then they gripe when huge problems happen. Picture perfect examples of this nonsense are SCADA systems on net without firewalls, preference for unsafe languages in projects that don't require them, and my favorite... American companies bringing immensely valuable I.P. to China regularly despite seeing their peers lose immensely valuable I.P. to Chinese espionage.

Concluding

Your analogy is fighting fires. Why fight fires in a home whose owner is still using the flamethrower on his or her own property? And what if arson on one's own property is SOP for homeowners across the nation with exceptions being rare? That's ITSEC for past ten years. People that want it make the tough tradeoffs (e.g. no flamethrowers in the house). Yet, neither I nor someone like Clive have any legitimate reason to invest tons of energy into something that won't get used.

A supply usually requires a demand. This certainly does. If people *really* will use it, I might help make it [if I'm not 70 by then]. Until then, they better be grateful for all the free advice they've been getting from people on this blog, academic papers on cutting edge, commercial security experts' articles, and so on. They didn't deserve all that help. They sure didn't pay for it, either. Yet, INFOSEC people keep putting energy in on principle with hope that people will use their work to be safe and productive. I hope it pans out.

Figureitout • August 16, 2013 12:30 AM

Curious
--Rather "curious" question. Not much point to it, merely echoing recommendations from others. Would I trust it and sleep well knowing that it's secure from TLA adversaries? No. I simply do not trust transmitting data (that I think should be private) from a previously compromised machine (or w/in a network I don't control like...the internet!!!) so I do not believe many protocols claiming to be secure if you are in fact under attack from some people that won't leave you alone.

My personal project, I expect to take at least 20-30 years and I pretty much expect to be compromised at some point w/in that time frame which will of course come to bite me in the A.

I'm not interested in "typical security", I want the ultimate and maybe that involves some actions that only a tiny amount of people will do. So be it, I want to talk only to them.

Can one still hack in the face of 24/7 surveillance and having been compromised? Absolutely, that's the best. Infection due to prior infection, karma is so sweet. And let the initial attackers enjoy figuring out what unknown weakness you discovered and don't ever get employed by them nor tell any of your closest friends, lovers, etc. b/c they can all be fabricated.

Welcome to a spy's life, it's hell and I want to get out of this world and live a normal life.

Figureitout • August 16, 2013 1:04 AM

Curious
--I would only trust if I had physical access and knew trusted insiders. Establishing trust is something that you have to make right in your own head. I've only had a crush and minor relationship w/ a Danish chick lol. 2 major areas I want to get into are ISP's and chip fabricators. Moreso chip fabers, Microchip or Atmel are really high on my list now; in fact I'd really like to work for these companies...

DR • August 16, 2013 2:41 AM

I suspect that a "spy's life" does not include posting on a popular security blog which is no doubt experiencing a spike in visits due to the Time list. But hey.

Jan Doggen • August 16, 2013 2:53 AM

If Google, Yahoo, Microsoft agree to go public (e.g. disclosing NSA requests, disregarding FISA) at a specific date, does anyone think that the government can actually do anything against them?

Curious • August 16, 2013 3:18 AM

@Figureitout

You mentioned "Norway" earlier and then stated that you have been echoing other people's recommendations. I now have to ask, what is the specific recommendation (here reasoning) you are referring to as it pertains to Norway being precisely your chosen nation state in this regard?

Clive Robinson • August 16, 2013 4:16 AM

@ Figureitout,

Speaking of places far far away, "Tax Havens" might be another place to consider.

For some of them the only income they have is via keeping financial and other secrets.

As Nick P has discussed in the past countries with very non aligned outlooks make for opposite ends of a secure bridge for data. Combined with tax havens this might prove an interesting area to look at.

HOWEVER you should always examine the routes by which data travels, due to historical reasons most international data networks go through or are easily interceptable from the UK and her past colonies that are WASP nations,

1, America (USA)
2, Australia
3, Canada
4, New Zealand

It's no real secret that these "Five Eyes" nations government communications organisations are not really run by their own governments let alone the nation's elected politicians.

From past experience I can tell you that much of it uses NSA or GCHQ designed and manufactured equipment run within any particular nation by personnel from one of the other nations. Any intercepted data is sent to the NSA/GCHQ for analysis and only a tiny unimportant fraction ever gets back to the host nations government, and even less if anything to the elected politicians of the nation.

I've been (thankfully) out of contact with these organisations for quite some time so a few things will have changed, such as I suspect better front end processing with direct communications back to UKUSA as opposed to raw data on tapes etc. But I doubt any real changes have happened in the human operational and management side, nor to the destinations of data.

Oh and if people are thinking I'm giving away "state secrets" no, most of it's in the public domain either because governmental organisations have put it there or "old comrades associations" reminisce online in a public or semi public way as have people living around and unofficially visiting the sites.

To see what I mean google "UK secret bases" or more esoterically "Elephant cage" which used to be prominently visible in Chicksands in the UK on an RAF base with two or more US military signals organisations.

curious • August 16, 2013 6:45 AM

I'll be around in case he actually has given me an answer due. I'd think Norway being as pro-USA as any other country can get, so I for one don't entertain the notion of Norway being some kind of haven for anything.

Dirk Praet • August 16, 2013 6:50 AM

@ curious

Do you have any factual evidence or even tinfoil hat theories that Norway is in bed with the NSA to the same extent as for example the UK, Sweden, Germany and the like ? I'd love to hear about those as I am currently not aware of any.

jones • August 16, 2013 7:39 AM

@Dirk Praet

I'm just reading the tea leaves at this point, since nothing has been litigated yet, but I agree with you that Google's legal position is dubious at best.

What I'm guessing by their remarks is that they are trying to side-step the whole state actor / 4th Amendment issue by saying their customers never had a reasonable expectation of privacy, i.e., that the 4th Amendment doesn't even apply to customer email correspondence and that the state actor issue isn't an issue.

And you quite rightly point out that this sort of argument would never fly with respect to the postal service. Or a bank, for that matter.

Anon • August 16, 2013 8:09 AM

They have to do what's economically rational, not what's moral.

It is an inconvenient truth that individuals should always try to do what is moral, not only when it does not clash with economic imperatives.

wwwparker • August 16, 2013 8:59 AM

When you're constantly facing attacks from "terrorists" there can be no peacetime.

Pretty convenient.

Pat • August 16, 2013 9:20 AM

@ Clive Robinson :

You make a series of unwarented assumptions about me, without any knowledge of me which does not bode well of your thought processes. And is bordering on trollish behaviour.

... you mispelled "unwarranted"

Pat

gezzerx • August 16, 2013 9:49 AM

No more lies, excuses, rationalizations, or justifications, the public needs to hold these officials to account to the fullest extent of the law under Title 18 sec. 241 & 242 So any future traitors will know there will be consequences to such behavior.

REMEMBER: POLITICIANS AND DIAPERS SHOULD BE CHANGED OFTEN AND FOR THE SAME REASON.

He that is good for making excuses is seldom good for anything else.
Benjamin Franklin

CallMeLateForSupper • August 16, 2013 10:32 AM

@Pat
"... you mispelled 'unwarranted'.
(Inside joke? Rush to go to press?)

You misspelled "misspelled".

Figureitout • August 16, 2013 12:58 PM

DR
--Yeah, it doesn't. I just wanted to make a complete mockery of their unjustified operations and get away from me. The only thing I want from them is their circuit designs; no more encounters w/ spies that make Austin Powers seem competent.

Curious
--Yeah, it was Dirk Praet. I haven't researched where to host any data b/c I'm on other projects; and I wouldn't do it w/o some access to the underbelly. I mention a Danish crush and I forgot a Swedish crush too b/c that's the closest I've ever been to Norway. Anything short of armed guards I wouldn't accept; or a completely deserted tiny island (where the occupants are the law) which would need facilities and obviously power/cables. I don't know what else you want from me so tame your curiosity.

Clive Robinson
--Life on the outside's much more enjoyable, eh? All travel is more or less logged somewhere and I don't trust going through set up wires and aircraft and satellites are listening above for sine wave leakage so I'm really at a loss of where to find secure hosting that isn't constantly moving around and I have to conduct "background investigations" to get the truth. Regardless I have other problems to solve first so for the time being I don't care if all servers are compromised.

Pat • August 16, 2013 2:06 PM

@ CallMeLateForSupper :

@Pat
"... you mispelled 'unwarranted'.
(Inside joke? Rush to go to press?)

You misspelled "misspelled".

... please don't be a trole

Michael Moser • August 16, 2013 8:06 PM

So private companies and the government are building the surveillance state. If one does not like this fact then one can try to influence either part of this relationship.

With regards to the government there is a problem: the state will not readily part with the power that it got; the argument of national security is always a strong one here; if things get better they will always find a new justification for their new powers: be it fighting crime, other countries effort in cyberwar (so we have to keep up with outside enemies), efficiency of government, etc. etc. etc.

The private part of the equation: big tech companies might weigh in, if they see that this is costing them money; maybe politicians will be more inclined to listen if all this is costing jobs.

In any event I can't imagine how things could change: do you advocate for self imposed industry norms on what data can be gathered and aggregated, or should there be laws that govern what data the tech companies are allowed to gather? Is it possible to enforce such laws, or will these just exist on paper?

In a way it does not matter: if private companies have all the data that they have on us then sooner or later this data will benefit the state and its quest for power.

Maybe a new awareness of what is going on will cause the public to care more about issues of privacy; what can such an awareness change? People will start to get off facebook, gmail or chrome? They will find other means to get at the data!

SuperDude451 • August 16, 2013 8:55 PM

Bruce wrote, "Google, Yahoo, Microsoft and others are pleading with the government to allow them to explain details of what information they provided in response to National Security Letters and other government demands."

I am not a lawyer, however it seems apparent that the U.S. government is going against the Constitution (specifically the fourth amendment). They then have laws that they use to threaten companies with criminal charges if they disclose the fact that the government is indeed doing illegal things.

The United States is supposed to uphold the rule of law above all else, and the fourth amendment has not been repealed. In my view of the situation (naive though it may be), if the government itself is breaking the law, or passes laws, regulations or rules that go directly against the law of the land, those "laws" are in fact illegal.

Taking this a step further, do the companies and individuals have to comply with laws that are in conflict with the Constitution? Could the companies simply say that they will disclose the information anyway because the government is using regulations and laws that go against the Constitution? It would be legally risky, and would probably wind up making its way to the Supreme Court.

Is there any recourse/protection against illegal laws and regulations that are directly conflicting with the US Constitution? Do you have to obey illegal laws?

Coyne Tibbets • August 17, 2013 12:49 AM

@SuperDude451: "I am not a lawyer, however it seems apparent that the U.S. government is going against the Constitution (specifically the fourth amendment)."

The government actually has done this for a long, long time; the ink was hardly dry before it started. The problem has always been that there is no effective enforcement for violations of the Constitution, because the same functionaries who would arrest violators, are the violators.

The courts have responded to continued abuse and lack of enforcement by doing such things as ruling evidence inadmissible to protect rights; and civil penalties.

Both penalties are no longer effective because in both cases there is no meaningful penalty for the violator; who loudly bemoans the courts and continues violating. Instead the citizens get the penalty double. First by the violation of rights, second by the penalty. (When evidence is ruled inadmissible, a criminal goes free. When civil awards are won, the taxpayers pay.)

In the case of the NSA, of course they violate rights. Who would punish them? The administration, which is authorizing the violations? The congress, which passed laws enabling the violations? Those bodies are useless for enforcement and, what has really made the difference here, they have now found ways to keep the courts from acting as well.

Jarda • August 17, 2013 2:34 AM

Fighting is pointless, as you can't win. What you can do is to load your servers on a truck or boat and go elsewhere where you can get a good backbone connection. Rename your domain from .com to anything which doesn't go through US root DNS server, so that the FBI doesn't have the opportunity to redirect you to some FBI page and leave an explanatory notice and redirection on your old domain name. Now, that would cause some noise if e.g. Google and Facebook would have the balls to do that and a caravan of others would follow.

Kántor Tétény • August 17, 2013 4:55 AM

"I suspect that a "spy's life" does not include posting on a popular security blog which is no doubt experiencing a spike in visits due to the Time list. But hey."

The job of a spy is to gather information.

This may include probing users in blogs, forums, mailing lists, etc. depending on the data being sought.

Peter • August 17, 2013 3:52 PM

Yes, it's easy for the press to attack the NSA with documents presented to them for free, and make people think this agency is the monster we know from the movies. But how about all those private companies?

They also collect our data, far more than the NSA does, because NSA is only looking for terrorists and such, but Google, Facebook, Amazon, etc want as many details possible about all of us, not for protecting our society, but for making money. Making money by (also quite secretly) exploiting and selling very much and very private data. I really don't see what makes private companies any better than government agencies like NSA.

Also we should be aware of the fact that many private corporations are already more powerful than many national governments, and also have rather strong influence on governments by means of lobbying etc. But there are hardly any checks and balances for private companies, like there are for national governments. So if we want to control agencies like NSA, let's also control the private companies - abuse of power can happen in both.

Wesley Parish • August 17, 2013 9:55 PM

Unwarranted assumptions, and excluded middle, @Peter.

    [private companies] also collect our data, far more than the NSA does, because NSA is only looking for terrorists and such, but [private companies] etc want as many details possible about all of us, not for protecting our society, but for making money.

I think that when the definition of "weapons of mass destruction" can cover a jury-rigged black-powder-loaded pressure-cooker explosive and "espionage" can cover the leaking of sensitive documents about government evildoing for public discussion, "terrorists" can cover anything the "definers" and "deciders" define and decide.

I suspect if we were ever to have the full details to hand, we'd find that there is a murky financial trail leading from companies wanting to sell highly expensive surveillance technology and crowd control weapons, to the authorities who want to do things to people but who can't without "reasons", and the communications industry, which does have its finger in more than one pie ... so any American who raises his voice about the unconstitutional mess the Egyptian Army is making of Egypt, is "INSERT DEFINITION HERE", any German who disagrees with the NSA reading his emails is by definition a "INSERT DEFINITION HERE", any Russian who considers that the Russian Bear is no worse than the American Eagle is likewise a "INSERT DEFINITION HERE", any Kiwi who despises secretive government is "INSERT DEFINITION HERE", ditto for your average Arab, Indian, Iranian, South East Asian, African, Latin American, etc, ad nauseam ...

As far as

    So if we want to control agencies like NSA, let's also control the private companies - abuse of power can happen in both.

goes, you're absolutely right. I've been thinking that since the DOJ took on Microsoft. It's not so much Private-versus-Public, as Accountable-versus-Unaccountable.

Erewhon • August 18, 2013 3:34 AM

If NSA employees have the right to read **OUR** correspondence, then **WE** have the right to read **THEIR** correspondence.

Dirk Praet • August 18, 2013 7:45 PM

@ CallMeLateForSupper, @ Pat

    ... please don't be a trole

Ladies, please.

It is a commonly known fact that Clive's typos are not misspellings but rather deliberate and consistent to the point that they are rumoured to contain secret clues for deciphering the Voynich manuscript, which under a secret gag order he is barred from talking about in public.

Figureitout • August 18, 2013 8:39 PM

Dirk Praet Re: The NOobies
--Lol, actually I have strong reason to believe it's just a habit of his to avoid frequency analysis during his time "wearing the green" as he says. My favorite is "supposadly".

Der Fuhrer • August 18, 2013 11:22 PM

Advertising companies such as Google stand to lose most (economically) if they lose the users' trust, considering that they will then have fewer users to gather profile data on.

Companies that have other revenue sources (IT companies like Oracle, Microsoft, etc) have less to lose as they are not as dependent on gathering user data.

Facebook on the other hand seems to have an addicted userbase that does not care whether data is gathered or not.

Scott "SFITCS" Ferguson • August 19, 2013 1:35 AM

@Dirk Praet

    It is a commonly known fact that Clive's typos are not misspellings but rather deliberate and consistent to the point that they are rumoured to contain secret clues for deciphering the Voynich manuscript, which under a secret gag order he is barred from talking about in public.

Wacky as it sounds I can now confirm it as fact.

The Voynich manuscripts now decoded using Clive's Rosetta reads:-

"Man on the move typing email into CrackBerry with thumbs"
"Note, must invent word completion"

This is going to re-write history as we know it....

Tim • August 19, 2013 3:17 PM

At last, thank you Mr. Bruce Schneier for not quitting and keep alive the need to fight vigorously until complete success on the unconstitutional practices of the NSA!!

If there is only one, maybe the USA has some hope one day to regain the freedom of its citizens, not a little bit but fully!

65535 • August 22, 2013 12:22 AM

It is clear that NSA and its secret rulings have trampled the fourth and the constitution. We need to fight on all levels, legal, technical, and educational.

Big companies such as Discracebook and Giggle have made a ton of money via selling customers' personal information directly to the government. If you look closely at Giggle’s 10K report you will find that their so-called ad revenues contain a lot of “professional services” and the like. It is hard to drill down and separate exactly how much money they are getting from the government via those mixed “Ad revenues” and Giggle’s subsidiary companies but it is a lot.

It would be nice to have a clear path to encrypting emails, TOR and using available software such as TrueCrypt to keep communications and cloud based storage private.

For example how do we disable geolocation features in Firefox and iPhones? What browsers are the most secure? What browsers should be avoided?

Who are the movers and shakers that can file viable lawsuits against the government and big tech companies that are in bed with the NSA? Can NSA letters be interpreted to mean that they are illegal? Can big Tech companies be sued for invasion of privacy regardless of the secret court rulings?

If we can’t cut-down the big companies in bed with the NSA can we clip-off their branches via public exposure and suits? Which law firms are providing advice on these secret NSA rulings? Can we make it difficult for the NSA to spy on the little guy via known tech tricks?

At this point I am open to any suggestions on how to defeat the NSA/Tech Company Godzilla.

x • August 25, 2013 5:42 PM

I wonder, can they force you to perjure yourself with a national security letter?

Let's say I put this on my webpage? Or send it out every day by email to each customer?


Today is August the 25th, I hereby swear, under penalty of perjury, that I have not received any national security letter or any warrant

Signed x

Clive Robinson • August 25, 2013 9:13 PM

@ X,

    I wonder, can they force you to perjure yourself with a national security letter?

In the theoretical or practical sense?

You'd have to check with a suitably qualified US legal representative as to what applies or does not apply in the US, but it boils down to "your problem" in most places, especially where you have the right to not testify against yourself...

We have similar nonsense in the UK with the Regulation of Investigatory Powers Act (RIPA) when the Police or other recognised authority (and the list is very broad) attempts to force you to disclose your "Crypto Private Key" you are caught in a trap because disclosing the "request" or if you have or have not complied are all offences for which you can do long jail time for.

However I don't think the UK Authorities want to test it in court because similar legislation cost them big in the European Court of Human Rights (ECHR) years ago. Put simply the Companies Act had a similar clause where it was an imprisonable offence to not answer the questions of a Department of Trade and Industry (DTI) inspector to their satisfaction. In a complex trial case the Serious Fraud Office was as it usually did failing to make headway with their questioning of company directors, so they got the DTI to do it. The result was a short lived success for the SFO because the ECHR indicated that the evidence was unlawfully obtained...

Well one way the UK Government Responded was to get Lord Falkner under Tony Blair PM to tear up a thousand years or so of UK law, such that you in effect have no right of silence any longer but worse that you can now be tried in effect by common hearsay...

Oh and for total ludicrosy have a look at UK super injunctions, you can be found guilty of breaching them even if you are legally not allowed to know of their existence because the injunction itself is secret...

Oh and the latest moronic ramblings of Ex Metropolitan Police Commissioner Ian Blair,

http://www.thisisguernsey.com/news/uk-news/2013/...

(He resigned his post after what many regarded as his serious failings in the post were further called into question, publicly his worst blunder was over MPS officers murdering an innocent Brazilian man by shooting him eight times in a busy underground tube train)

With regards,

    Let's say I put this on my webpage? Or send it out every day by email to each customer?

You would be committing an offense if you received an NSL because you would be committing perjury if you continued to email it out, and you would be in contempt of court if you stopped. Of the two committing perjury might give you the lesser jail time (if I remember correctly the longest imprisonment in the US was over 17 years and based purely on hearsay evidence from an ex-wife).

It is because the Lavabit owner shut down his service the authorities are probably going to go after him for contempt (which is what I predicted in my response to @Figureitout when he first posted about the shutdown).

The only legal option is to not say anything not even "no comment" and as some journalists know this they may well try to goad a response out of a person. Which raises the stakes on the only legal option which now becomes not to communicate with anyone at all thus living the life of a hermit or just disappear altogether (which with secret courts could happen even if you don't want it to, which is a very sure indicator of a Police State out of control).

Figureitout • August 25, 2013 9:41 PM

x
--^^What he said. You would need to come up w/ a means of communicating that NO ONE could ever figure out. This would logically be easier in a high traffic environment. I've personally been pushing for a new means of RF modulation, but I need to keep my goals from getting out of control; and I know I'm going to have to take some very uncomfortable leaps of faith to get a working system for strangers I meet. They would have to literally follow you all the time, bug your entire residence, have many agents attempt to make physical contact w/ you. Not very many normal people want to do this and people ensnared in it don't want to bring people in.

The easier route: become a hermit living in a Police State, keeping yourself happy studying whatever you want, so long as it involves minimal contact w/ the outside world, and will result in the utter destruction of civil society as no one talks or trusts anyone anymore.

Dirk Praet • August 26, 2013 8:57 AM

@ Clive

    Oh and the latest moronic ramblings of Ex Metropolitan Police Commissioner Ian Blair

Just had a look at that article. It would seem that Sir Blair is as ignorant as he is incompetent. I quote: "It has to have the right to preserve those secrets and we have to have a law that covers a situation when somebody, for all sorts of wonderfully principled reasons, wishes to disclose those secrets". Then he goes on: "Most of the legislation about state secrets is in the Official Secrets Act and it only concerns an official".

He may wish to look at Section 5 of the Official Secrets Act 1989 which at least to me seems to indicate that the legislation he is asking for is already in place and does not just apply to officials. Surely, the legal staff of whoever ordered Mr. Miranda detained must have known this too, be it under the constraint that it was not applicable as long as he was in transit instead of on UK soil. Which made them resort to Schedule 7 of the Terrorism Act with the same silly argument used in the Manning trial that the documents he was suspected to carry could be used by terrorists.

@ X

    Let's say I put this on my webpage? Or send it out every day by email to each customer?

What you're describing is known as a "warrant canary". AFAIK the legality of this method has not been tested in any court yet, but when put to the test I would strongly advise having a serious legal defense fund in place so as to avoid being prosecuted into bankruptcy and under the threat of several decades of prison time. That's how the DoJ killed Aaron Swartz.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..