The NSA's New Risk Analysis

As I recently reported in the Guardian, the NSA has secret servers on the Internet that hack into other computers, codename FOXACID. These servers provide an excellent demonstration of how the NSA approaches risk management, and expose flaws in how the agency thinks about the secrecy of its own programs.

Here are the FOXACID basics: By the time the NSA tricks a target into visiting one of those servers, it already knows exactly who that target is, who wants him eavesdropped on, and the expected value of the data it hopes to receive. Based on that information, the server can automatically decide what exploit to serve the target, taking into account the risks associated with attacking the target, as well as the benefits of a successful attack. According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety of options. The documentation mentions United Rake, Peddle Cheap, Packet Wrench, and Beach Head -- all delivered from a FOXACID subsystem called Ferret Cannon. Oh how I love some of these code names. (On the other hand, EGOTISTICALGIRAFFE has to be the dumbest code name ever.)

Snowden explained this to Guardian reporter Glenn Greenwald in Hong Kong. If the target is a high-value one, FOXACID might run a rare zero-day exploit that it developed or purchased. If the target is technically sophisticated, FOXACID might decide that there's too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, FOXACID might run an exploit that's less valuable. If the target is low-value and technically sophisticated, FOXACID might even run an already-known vulnerability.

We know that the NSA receives advance warning from Microsoft of vulnerabilities that will soon be patched; there's not much of a loss if an exploit based on that vulnerability is discovered. FOXACID has tiers of exploits it can run, and uses a complicated trade-off system to determine which one to run against any particular target.

This cost-benefit analysis doesn't end at successful exploitation. According to Snowden, the TAO -- that's Tailored Access Operations -- operators running the FOXACID system have a detailed flowchart, with tons of rules about when to stop. If something doesn't work, stop. If they detect a PSP, a personal security product, stop. If anything goes weird, stop. This is how the NSA avoids detection, and also how it takes mid-level computer operators and turns them into what they call "cyberwarriors." It's not that they're skilled hackers, it's that the procedures do the work for them.

And they're super cautious about what they do.

While the NSA excels at performing this cost-benefit analysis at the tactical level, it's far less competent at doing the same thing at the policy level. The organization seems to be good enough at assessing the risk of discovery -- for example, if the target of an intelligence-gathering effort discovers that effort -- but to have completely ignored the risks of those efforts becoming front-page news.

It's not just in the U.S., where newspapers are heavy with reports of the NSA spying on every Verizon customer, spying on domestic e-mail users, and secretly working to cripple commercial cryptography systems, but also around the world, most notably in Brazil, Belgium, and the European Union. All of these operations have caused significant blowback -- for the NSA, for the U.S., and for the Internet as a whole.

The NSA spent decades operating in almost complete secrecy, but those days are over. As the corporate world learned years ago, secrets are hard to keep in the information age, and openness is a safer strategy. The tendency to classify everything means that the NSA won't be able to sort what really needs to remain secret from everything else. The younger generation is more used to radical transparency than secrecy, and is less invested in the national security state. And whistleblowing is the civil disobedience of our time.

At this point, the NSA has to assume that all of its operations will become public, probably sooner than it would like. It has to start taking that into account when weighing the costs and benefits of those operations. And it now has to be just as cautious about new eavesdropping operations as it is about using FOXACID exploit attacks against users.
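An illustrative model of the tiered trade-off described above, added here as an example; it is not code from the essay or from the agency, and the tiers, probabilities and costs are constructed assumptions. It scores each exploit tier against a target at the tactical level (benefit minus the risk of the target noticing, with the stop rules), then adds the policy-level term the essay says is missing: the expected loss if the whole operation becomes public.

```python
"""Constructed cost-benefit model of tiered exploit selection.

Every number below is an assumption chosen to make the trade-offs visible;
none of it is taken from the documents the essay describes.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ExploitTier:
    name: str
    success_prob: float   # assumed chance the tier works on a typical target
    burn_cost: float      # assumed value lost if this tier is exposed


@dataclass(frozen=True)
class Target:
    value: float           # expected value of the intelligence (assumed units)
    sophistication: float  # 0..1, assumed chance this target spots the attempt
    has_psp: bool = False  # a personal security product was detected


# Assumed tiers, most valuable first. The essay names the categories
# (rare zero-day, less valuable exploit, already-known vulnerability);
# the figures are invented for illustration.
TIERS = (
    ExploitTier("zero-day", 0.9, 100.0),
    ExploitTier("less-valuable", 0.7, 20.0),
    ExploitTier("already-known", 0.5, 2.0),
)


def tactical_score(tier: ExploitTier, target: Target) -> float:
    """Tactical trade-off: expected benefit minus the expected loss from
    the target itself discovering the attempt and burning the exploit."""
    benefit = tier.success_prob * target.value
    discovery_loss = target.sophistication * tier.burn_cost
    return benefit - discovery_loss


def policy_score(tier: ExploitTier, target: Target,
                 p_disclosure: float, blowback: float) -> float:
    """Policy-level trade-off: the tactical score plus the expected loss if
    the whole operation becomes public. Disclosure burns the exploit no
    matter how unsophisticated the target was, and adds political blowback."""
    disclosure_loss = p_disclosure * (tier.burn_cost + blowback)
    return tactical_score(tier, target) - disclosure_loss


def choose(target: Target, p_disclosure: float = 0.0,
           blowback: float = 0.0) -> Tuple[Optional[str], float]:
    """Pick the best tier for a target, or (None, score) when the rules say stop.

    With p_disclosure=0 this is the purely tactical decision; a non-zero
    p_disclosure folds in the risk of the operation becoming public.
    """
    if target.has_psp:
        # Flowchart stop rule: a personal security product means abort.
        return None, 0.0
    scored = [(policy_score(t, target, p_disclosure, blowback), t.name)
              for t in TIERS]
    best_score, best_name = max(scored)
    if best_score <= 0.0:
        # No tier is worth its expected cost: stop rather than proceed.
        return None, best_score
    return best_name, best_score


if __name__ == "__main__":
    cases = {
        "high-value, naive": Target(100.0, 0.1),
        "high-value, sophisticated": Target(100.0, 0.8),
        "low-value, sophisticated": Target(10.0, 0.8),
        "low-value, naive": Target(10.0, 0.1),
        "high-value, naive, PSP present": Target(100.0, 0.1, has_psp=True),
    }
    print(f"{'target':32} {'tactical':>16} {'with disclosure risk':>22}")
    for label, tgt in cases.items():
        tactical = choose(tgt)
        # Assumed: a 30% chance the operation leaks, with blowback worth 50.
        policy = choose(tgt, p_disclosure=0.3, blowback=50.0)
        print(f"{label:32} {str(tactical[0]):>16} {str(policy[0]):>22}")
```

Run stand-alone it prints a table in which the high-value, naive target gets the zero-day tactically but not once disclosure risk is counted, and the low-value, naive target is worth attacking tactically but not at all at the policy level.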

This essay previously appeared in the Atlantic.

Posted on October 9, 2013 at 6:28 AM • 64 Comments

Comments

More Squid News • October 9, 2013 7:48 AM

What's with all these security stories recently? We need you to weigh in on squids more.

Muddy Road • October 9, 2013 7:51 AM

IF they are targeting truly serious and specific FOREIGN threats to national security, I would allow that some of this sounds ...OK.

However, my impression is they are using these hardware and software hacks on large numbers of Americans where there is no reasonable suspicion of wrong doing.

They do, because they can.

As for the rest of the world, they are all the enemy.

In turn, the world will see US as the enemy.

How can this possibly lead to a safe and secure cyber world?

I don't think they have any interest in transparency at all, as evidenced by their behavior over the last several decades. EVERYTHING is a big secret, and that's the way they like it, and will keep it, because there is no way to stop it.

Michael. • October 9, 2013 7:54 AM

So, how can we protect ourselves against this again? I guess using whatever is the latest (and therefore presumably most secure) version of a decent browser (i.e. probably not MSIE) is a start. And not using MS Windows is also a good idea. But, beyond that, what can we paranoids do while continuing to browse the web normally?

I already use NoScript (and block everything by default, including this website). I also use RequestPolicy (and so further block tracking scripts and shit). I don't have any sort of Flash player installed (I used to use Gnash, but it didn't work anyway, so I uninstalled it).

Any other obvious and easy tips for paranoids? Any obvious and easy tips for people who aren't paranoid, and aren't willing to muck around (i.e. most people)?

Jan • October 9, 2013 8:36 AM

@Muddy Road: Keep in mind that if you have 2 cooperating spy agencies, every single person on earth is a FOREIGNER, at least to one of them. And then they swap and share...

ethernetusb • October 9, 2013 8:43 AM

@Michael: "Any other obvious and easy tips for paranoids?"

Buy an Ethernet over USB dongle, don't use your mainboard ethernet controller. Avoid the Wifi.

Add a physical kill switch on the cable to the antenna of Wifi and Bluetooth.

If you can, go for FreeBSD or OpenBSD.

Install the TOR Bundle, use it when possible.

Use another separate computer for anything important (journalism, ...).

Jacob • October 9, 2013 8:47 AM

Mr. Harris, you asked "Any other obvious and easy tips for paranoids?" - well, the problem with paranoids is that there are no limits to their perceived need for protection.

However, there are some sensible and easy to follow procedures that I personally find "good enough", noting that this depends on the individual state of mind:
1. To protect yourself while browsing on-line, the NoScript addon is a very good start. I would also suggest running the browser inside a sandbox (http://www.sandboxie.com).

2. I assume that you run a firewall on your machine. If it's a Windows machine, the available FW programs do a fair job (+/-) against regular intruders but not against agencies. I suggest adding a Linux box with pfSense between your computer and your modem. The connoisseurs add another layer, between pfSense and their machine, with Untangle (can run on a virtual machine on the Linux box).
That's sufficient for the mildly paranoid doing normal on-line stuff. If you are a potential target, then keep a total stranger on a retainer (cash-only basis) and browse from his house/computer.

Tinker • October 9, 2013 8:54 AM

The code names give a bit of insight into who is working on these operations. It's not much, but tied to the type of positions (secret, nonmilitary, government, surveillance, IT systems, etc.) we can put together a rudimentary behavioral analysis of the NSA analysts.

Initial thoughts lead towards a nihilistic, individualistic, cavalier mentality. There doesn't seem to be the patriotic, nationalistic, sense to these ops (as would be found in military operations for instance.) As Muddy Road just stated, "They do, because they can." Typically this is found in adolescent script kiddies. What happens when you get a lot of these types in a room together, give them unlimited resources, money, and complete legal autonomy?

Another interesting idea is the concept that most government bureaucracies, while bloated and immovable, add, at the very least, a sense of stability to government operations. Here, the NSA is spreading instability, weakening systems, attacking a very wide set of targets, etc. Quite interesting to see the effects. I can't think of a point in history of a similar institution.

Dave • October 9, 2013 9:09 AM

"EGOTISTICALGIRAFFE has to be the dumbest code name ever"

That code name sounds, to me, like a reference to TOR users: Sticking their necks out while self-assured that they remain anonymous.

Aspie • October 9, 2013 9:12 AM

@Jan
Exactly. That's where domestic laws protecting citizens, where these exist and are enforced, are circumvented. Moreover cooperative ICs tend to become a common tribe with a greater willingness to share and enjoy.

@ethernetusb
...physical kill switch...
A bit drastic; it'll work if you panic. Better to adopt the "pillbox" approach and open up the (very) few ports you need to conduct business and carefully watch the apps that use those ports. As for TOR, given its provenance and in the light of possible SSL tampering, it might be better to set up/beg access to a server in a foreign locale to serve web pages by encrypted email if you really care about the content. And put a "kill" switch on your cable link if you're the only user.

@Bruce
Code names reminiscent of the kinds of war-simulators popular in the 1980's micro games. Some other suggestions:

AssHats, USchImps, LostThePlot and ByeByeDollar.
Oh and: "Hoover" (in all senses of the word).

;-)

Brian M. • October 9, 2013 9:51 AM

@Michael.:
So, how can we protect ourselves against this again?

Aluminum foil hats are great, yada yada yada.

The NSA has exploits for everything. That's the most important part there to remember. The FBI doesn't have exploits for everything, which is why they could only mess with the older Firefox versions. Probably the safest "browser" is wget, and then run the page through sed to remove all of the HTML.

Years ago I was hit with a drive-by download when I was searching for information on betta fish, and it took me an entire afternoon to remove the adware. McAfee was helpless. There are still drive-by vulnerabilities, and the NSA is too hip to use them. Does that tell you anything about surfing the web?

If your computer is connected to a network, you have a vulnerability. If you transfer files using anything with a file system on it, i.e., floppy or USB drive, then you are vulnerable. There are lots of ways to pack stuff onto boot sectors. That's old school, and it's still highly effective. It's effective because the drive has to be read and code executed to let the OS know how to read it!

The safest way to transfer files is a serial cable. Then you can attach a breakout box with LED lights. Why? Because the lights will light up with traffic, and you can see the traffic in action. You start UUCP on one computer, and UUCP on the other. Transfer the files and unplug the cable. You're done. Strip out the binary, and view the file. (UUCP is even available on the Mac.)

You can also use a live CD. Lots of Linux distros have live CDs. You can either install Ubuntu, or run it from a CD image on a USB drive. Knoppix is another one, and there's lots more. (I used a Knoppix disc on a coworker's computer. He went on vacation, and we popped a CD into his computer the day before he came back. "Hey, while you were gone, we loaded your machine with Linux!" He thought that he had lost everything until we had him eject the CD.)

Of course, all of that is futile, since the NSA installed all of those cameras in your ceiling.

FP • October 9, 2013 10:03 AM

It also occurred to me the other day that, since the NSA can just ask nicely for any company's private keys and other certificates to be handed to them quietly on a silver platter, they can just sit back and relax and wait for your operating system or any of your apps to call home to check for a new and improved upgrade.

E.g., if they see that a target's computer (by IP address or geolocation) connects to update.microsoft.com (or Google, Apple, Sun, Adobe, etc.), they intercept that connection and redirect it to a server of their own. With the company's SSL certificate they can impersonate the original server. They then slip you that upgrade that you were asking for with that *special* extra, with a proper digital signature, of course. The update is then installed automatically ...

So either you enable upgrades for your applications and leave this barn door wide open, or you disable upgrades and live with the application's existing remotely exploitable bugs.

Paranoid? Why, certainly. But paranoid enough?

roadie • October 9, 2013 10:39 AM

fwiw:
I use Twibright Links 2.7 which does not care about CSS, Java and such (schneier.com has one of the cleanest layouts in this browser, good job Bruce).
I am on a mac 10.6 and I do:

sudo chmod 000 /System/Library/Java/JavaVirtualMachines/
sudo chmod 000 /Library/Java/JavaVirtualMachines

The only other browser I have is Seamonkey with noscript adblock and ghostery. I use it to book tickets or apply for a visa. I never had a gmail account and quit Facebook 5 years ago. I send Google, Facebook, Twitter, Amazon and about 32458 other urls to 0.0.0.0 in my hosts file which is updated by merging two hostfiles from the web:
curl http://winhelp2002.mvps.org/hosts.txt -o host-winhelp
curl http://someonewhocares.org/hosts/hosts -o host-pollock

All of this is not about security really but to make the internet suck less for me. It is not an option for most people.

David Leppik • October 9, 2013 10:58 AM

This pattern of low-level diligence with high-level laziness seems to be a general pattern. We saw it when Google exposed Chinese government hacking a few years ago. It was the combination of technical sophistication with a user-friendly, barely-protected front end that proved to me that it was not just rogue hackers. You see the same thing in corporations, where the CEO can put any sensitive data on any device he wants, no matter the official procedures.

The psychology is simple. There's a balance between maintaining secrecy and being able to use the secrets. The folks at the bottom are under pressure to not make mistakes. They see the little mistakes and the near-misses every day. The folks on top are insulated from the little mistakes, and are under pressure to produce results. Plus they don't want their underlings to proscribe their behaviors. (Who does?)

I think we're seeing this in a more structural way with the NSA and private contractors. There's big money to be made in private contracting. As a result there's a long tradition of contractors that are heavy on top-level marketing (wining and dining) and aren't as focused on practical, cost-efficient results. So you're going to see weird mixes of extreme technical expertise in keeping secrets paired with the cheapest IT outsourcing possible.

Which is why Snowden was probably late to the party, after a whole host of foreign spies infiltrated the NSA.

Zersetzung • October 9, 2013 11:04 AM

@Michael

Any other obvious and easy tips for paranoids?

Digital computer security is one category.

Analog computer security for the one between your ears is also important.

To reduce the psychological attack surface, turn off images in the browser by default. The bad guys use subliminal shaping and memetic warfare.

In text, be alert for psychological framing connected with your ego concept and your values. That is the prime target for taking control of your mind.

When posting to public forums, you can attenuate hostile blowback by introducing a time lag between when you post and when you read responses. The doctrine of psychological attack seems to put a very high priority on rapid response for maximum conditioning impact. Simply introducing a delay between when you do something online, and when you observe the result can allow you to reduce harmful responses aimed directly at you and who you are.

NobodySpecial • October 9, 2013 12:47 PM

>NSA has to assume that all of its operations will become public
And so it will do what governments always do - deniability.

The murkier areas will be sub-contracted out to layers of deniable semi-government semi-military corporations with no oversight, no loyalty and a profit motive = how can that possibly go wrong?

Alan Kaminsky • October 9, 2013 12:52 PM

@Brian M.

You can also use a live CD. Lots of Linux distros have live CDs.

Prove to me that none of those live CDs have been infiltrated by NSA spyware.

Bravissimo • October 9, 2013 12:54 PM

"It's not that they're skilled hackers, it's that the procedures do the work for them."

The same approach is used by companies offering tech support for your smart phone, laptop, tablet, or desktop. They have complex flowcharts, rules, and procedures. It's effective and inexpensive, and requires only a modest level of training and expertise.

Unfortunately, the use of this approach indicates that the NSA has a large number of operators at this level. If they only needed a small group, they would prefer experts.

Nick P • October 9, 2013 1:01 PM

@ Bruce

re codenames

Yeah, there's some good ones. FOXACID reminds me of Metal Gear Solid which had FOXHOUND (elite spec ops) and FOXDIE (gene targeted bioweapon). Till the Snowden leak, there were probably some conspiracy nuts thinking FOXACID was the NSA's own LSD program. ;)

re stopping NSA's activities

The security problem here is simple: we are trying to do trusted computation on untrustworthy computers, using the enemy's network, talking with untrustworthy protocols, secured by standards weakened by the enemy, and using centralized Internet ID systems possibly controlled by the enemy.

All these "secure communications" projects, products and services popping up sounds pretty funny when you phrase the problem that way, yeah? That's because *they cannot succeed while ignoring those problems.*

The new trusted global network is going to look a bit like France's old Minitel, Bittorrent, wireless mesh networks, or old BBS's. If anonymity is built in, it might follow the models of I2P, Tor, or Freenet. The key here is that it uses easily verified protocols, it's decentralized, it's multi-national, multi-platform, confidentiality/integrity are baked in, it's somewhat resilient, it's asynchronous in transport, and other applications can easily leverage its properties to protect themselves.

If you want NSA and similar TLA's to stay out, you have several implementation strategies:

1. EAL6-7 development process with the simplest of everything, capability security and fully componentized architecture from ground up.

(Security through rigorous engineering.)

2. Full, shared, open specs for behavior, error handling, interfaces and data formats. Then, a ton of different implementations with different languages, libraries and OS's. Software diversity & exploit prevention techniques should be used through the whole stack to make each node unique even if running same configuration.

(Security through diversity.)

It might need a mix of both as NSA's budget and skillset show they can hack a bunch of stuff. If we can't build tools to automate diversity, I'm not sure the small pool of human developers can build enough implementations to keep NSA out. So, the best bet will be to use high assurance techniques at least on the key protocols and design elements to offer provable security to a certain extent, *then* diverse implementations from there on. And all software should be designed to handle updates of protocols and logic easily so they can be swapped out in the event of problems.

Far as the tech, I'm a week or so away from my next paper release which will show many good options from hardware to legacy hardening to safer software. Quite a few are publicly available entirely or to some extent.

Brian M. • October 9, 2013 1:39 PM

@Alan Kaminsky
Prove to me that none of those live CDs have been infiltrated by NSA spyware.

And what's the difference between running the live CD and installing those files on your machine? Since the NSA has infiltrated everything, it's all the same, isn't it? Nothing can be trusted, as NSA has either backdoors or exploits to everything. The NSA is judged by the amount of data it collects, not how efficient and effective its intelligence is. It's rather like an old Soviet camping supply factory that's evaluated based on how much material it consumes, rather than the production of its products.

It's a matter of data persistence, not of spyware. The data on the CD can't be modified. Thus, the spyware will have to be updated when the person connects to the network. The other vector would be a BIOS, either on the network card or on the system. (That's old hat, too. CIH in 1998?)

The only thing we can do is slow the NSA down (besides laughing at the lightning bolts in their data centers). We can slow down how much data they extract from us, and we can create encrypted data that they have to store indefinitely. Yes, they are going to be really amused to discover that it all consists of cat videos.

Carpe • October 9, 2013 2:02 PM

"At this point, the NSA has to assume that all of its operations will become public, probably sooner than it would like. It has to start taking that into account when weighing the costs and benefits of those operations."

It has, and the conclusion is that because they know the temporary inevitability of large portions of operations becoming public, they are making the long awaited power grab now, as fast as possible, as strongly as possible, so that it can seat that power enough to weather almost any amount of public scrutiny. Dark days are ahead for freethinkers and speakers. The coup is solidifying itself.

GregW • October 9, 2013 2:39 PM

@Brian M.
...we can create encrypted data that they have to store indefinitely. Yes, they are going to be really amused to discover that it all consists of cat videos.

Just to take it a step further... How about cat videos which contain steganographic encoding which, when decoded consists of other cat videos, which themselves are encoded ....

"It's cat videos all the way down!"
Let's call it "Onion Steganography"!

Wael • October 9, 2013 3:20 PM

@ GregW,

Let's call it "Onion Steganography"!

How about "9-lives Steganography"? Unless you are not in the US, then "7-lives Steganography" would do.

Brian M. • October 9, 2013 5:12 PM

What if the videos are in a Moebius strip? Or we could just use sampled atmospheric noise like random.org does, and then just call it encrypted. "Oh, here's our uber-secret file. Let's be careful with the keys or the NSA will find out!"

Sam • October 9, 2013 7:24 PM

Congress should demand that the NSA's automatic risk assessment system also evaluate the legality of infecting the target. If their spying actions are deemed illegal by the system (such as infecting a law-abiding citizen with spyware without a warrant), then the system should refuse to fire Ferret Cannon.

Congress should reform the spy laws, and then put this autonomous system in place to prevent the NSA from breaking the law, all over again.

Johannes Rexx • October 9, 2013 8:23 PM

So the NSA is blatantly and shamelessly performing acts that every other person outside of the organization would be put in jail for committing - deliberate premeditated computer sabotage.

The USA is a land of laws and not of men, and there is one set of laws. There can be no secret court, no secret legal opinions, no secret organization acting outside the law if our republic is to survive.

Is this not grounds sufficient to jail every NSA employee and its leaders, all the way to the Oval Office, have them charged with innumerable crimes under the law, and forced into hard labor prisons for life? What cost to liberty, freedom, and national respect have we incurred from all these shenanigans?

creatureofhabit • October 10, 2013 12:16 AM

@FP

It's not paranoid at all. Linux Mint has been giving bad GPG signatures for its updates for a while now. I'm certain that update channels are a primary method of spreading malicious software for the government.

"So either you enable upgrades for your applications and leave this barn door wide open, or you disable upgrades and live with the application's existing remotely exploitable bugs."

That's the catch-22.

Mike the goat • October 10, 2013 3:27 AM

Brian: I like where you're going with this.

I might just add the following to my crontab to run it twice daily:

head -c 10000 /dev/urandom | gpg -a -e -r keyid | mail -s "Re: terror plan" friendaddress

And get my friend to do the same with the same details. We will be sure to publish our dummy keys to the servers and make them 1024R so it is tantalizingly possible for them to waste time on them.

Increase their noise to signal.

Clive Robinson • October 10, 2013 3:45 AM

@ Brian M.,

    Or we could just use sampled atmospheric noise like random.org does, and then just call it encrypted."Oh, here's our uber-secret file. Let's be careful with the keys or the NSA will find out!"

That is not a good idea due to the way the law works in many places.

In the UK there is RIPA which after you cut the legal verbosity out of it says "Give us the Keys or go to jail for a considerable period of time" and just to make it stick they also remove your right of public protest, because if you tell anybody (including many legal advisors) you go to jail for at least the same period of time and possibly more.

Whilst there is recognition of the difference between enciphering and signing keys, there is no recognition of the difference between sent and received messages.

Thus if I send you a mail with an attachment that purports to be an enciphered file, and not what it really is, a collection of random bytes, you have a very real problem on your hands.

Along comes inspector plod with his security letter requiring you to give up the keys for the file sent to you immediately or go to jail... But you cannot because some joker sent you a random file. What do you do? You cannot get legal advice on what to do without a very real risk of committing another offense. Even if you do get the required expert legal advice without committing another offense, the burden of proof is on you to prove beyond reasonable doubt that you don't have the key, which as it's nigh on impossible to prove a negative means you end up being guilty...

There are similar legal nasties with regard to enciphered documents in nearly all WASP nations, in other places they go directly to the $5 wrench or wet flannel on the face routine if you are lucky, in others they bill your family for the bullet and cost of shoving your corpse in a furnace.

As security professionals we get upset when people get "SWATed" or have drugs/etc sent to their home via the postal service and the local plod get an anonymous letter telling them the person is a drugs dealer or worse. So why would we want to do the EMail equivalent?

Mike the goat • October 10, 2013 4:30 AM

Clive: I think the point is that if we all start doing it then it becomes an impossible law to police. If you publish the source of your "fake PGP email generator" online so that it is public knowledge then it would be easy to establish that it could potentially be random junk.

I have one very old PGP key to which I lost access due to corruption of my RAID array in the late 90s. It's a crying shame too because it was signed by quite a few celebrities in our industry and a few wouldn't sign my new key without me signing the new with the old or a physical meeting (not complaining, I would require the same). Anyway without the key or the revocation certificate to upload I continue to get the odd encrypted email which I cannot decrypt.

Are you telling me that if I were in the UK that I could be jailed for not providing the secret key even when I don't and can't have it in my possession?

Also - pretend there are no headers and you've got an encrypted chunk of data in the unused space of, say a HDD. They couldn't establish that the data is encrypted - it could equally be just random data generated by a disk wiping tool. What then?

More interestingly what of people who cat /dev/urandom to their block devices to sanitize them. Or just make an AES container that fills the entire disk and then cat /dev/zero to the dm device and then not retain the key?

This seems ludicrous.

Michael Moser • October 10, 2013 4:36 AM

Interesting, lots of people have noticed the similarities between personalities of cops and crooks. Now it turns out that NSA types are similar to script kiddies;
Funny.

(Well maybe NSA types who do cryptography are different)

My trustworthy friend • October 10, 2013 4:37 AM

The revelations show up one notable and positive attitude of the NSA.

They don't make a difference between the colour of skin or religion or country or own employees or profession or something else in principle.

Sure they filter for interesting information and go deeper by specific details, but they spy on everyone and use as much information as they are able to get, but they make the difference in the second step.


Why is that positive?
They treat us all as equal individuals and everyone is worth having a personal profile.

Even the most boring person with connection to their world wide web produces data that could be useful for something ... maybe in future ... that means, they see a chance, that even this person could turn into an interesting member of the worlds population.

You might not like the range of their activities, but this fundamental attitude could be founded on positive values ... and on the most negative, too, but I want to see it positive at the moment.

Equality

P.S.:
It isn't impossible, that some parts could be misinterpreted as sarcasm. I apologize for this side-effect.

Clive Robinson • October 10, 2013 6:05 AM

@ My Trustworthy Friend,

I would suggest you go and study the history of slave owners/traders and plutocrats as well as many "class systems".

Those who hold the "whip hand" care not who is oppressed or pressed into servitude to enrich their position. Their inbuilt sense of entitlement or superiority usually transcends such base ideals as race or religion.

So the fact they oppress all others equally which you recognise with,

    They don't make a difference between the colour of skin or religion or country or own employees or profession or something else in principle.

Is not as you put it a "notable and positive attitude" unless your view point is equivalent to that of an oppressor.

Pascal S • October 10, 2013 6:27 AM

If they detect a PSP, a personal security product, stop

What is a PSP? Google didn't help...

My trustworthy friend • October 10, 2013 6:41 AM

@ Clive Robinson

You really think it wasn't sarcastic, don't you?
Nobody can be dumb enough to think they follow more than their own interests. I thought this would be clear and once more reinforced by my "P.S." at the end ... ok, if you were an employee of the NSA you probably would have taken a look into my personal profile and the joke would have been instantly revealed. Sorry for that :-)

If I would think they have a jot of trustworthiness, then I wouldn't understand the consequences for each of us ... not just the American, monitored by the own agency financed by their taxes ... and would sleep much better these days without the need of desperate effort to lighten my day with sarcasm about reality.

Clive Robinson • October 10, 2013 7:10 AM

@ My trustworthy friend,

Your PS says "It isn't impossible" which means it's possible, you then go on and say "could be misinterpreted as sarcasm" so claiming it is not sarcasm prior to saying "I apologize for this side-effect."

So to reword what you have said as,

"I apologize if you misinterpret some parts as sarcasm."

Which taken as read means the reader is to believe what you have written above the P.S. as your considered thoughts.

As for your other comments, "If you behave as a troll expect to be treated as one" as other "Anonymous" posters have found recently...

Clive Robinson • October 10, 2013 7:55 AM

@ Mike the Goat,

    Are you telling me that if I were in the UK that I could be jailed for not providing the secret key even when I don't and can't have it in my possession?

The simple answer is "yes"...

Because that's the way the "executive" wrote the law even though it was strongly criticised at the time, and the "judiciary" are not interested by and large with laws being impossible to comply with until public pressure makes them the subject of ridicule and vilification.

The law states you have to hand over the key upon lawful request (basically a letter signed by someone with the rank of inspector or higher); as in all other law there is "no defence of ignorance", thus you should know the penalty for losing a key and have taken precautions to prevent its loss. The Executive chose to wilfully ignore the protests about the potential of people being framed, so there is no exception for it; thus you have the logically impossible task of proving that you do not have the key in your possession.

I suspect that if and when someone is taken to court the way out will be a challenge under the Human Rights laws via the ECHR. The UK signed up to HR some time ago and the current and previous crops of politicians want to "unsign", primarily because it's politically inconvenient when they want justice "to be seen as being done" rather than actually done. In other times such behaviour was called "show trials" and was seen as a significant indicator of the "authoritarian excess" often found in oppressive states such as dictatorships, police states, and corrupt states; typical of the sorts of states 20th Century history taught us were prevalent in Europe shortly after the US Stock Market crashed, which brought Fascism to the fore and gave rise to WWII.

And as I indicated, such legislation is not just limited to the UK; I suspect that if you could see all relevant US legislation you would find similar "damned if you can't" laws. And many suspect that at least one major US Telco executive was jailed for not "rolling over" when presented with an open-ended NSL.

The small advantage we have in the UK is the judiciary and LEOs are less under the thumb of the Executive than they are in the US, where "office title" appears to be by either "beauty pageant" election (state) or "political lickspittle" appointment (federal), neither of which can even remotely be considered to be impartial, corruption free or just.

Wael • October 10, 2013 8:27 AM

@ Mike the goat

    if I take FOXACID will I see EGOTISTICAL GIRAFFEs?

Only if your Acid Trip takes you to a safari, or more likely brings the safari to your office ;) By the way, was that a real goat on your desk, or was it something you saw on a previous trip? :)

My trustworthy friend • October 10, 2013 8:59 AM

#parameter for this comment
seriousness=true


@ Clive Robinson

Yes, this was written in a bit of a tricky/cascaded way and, without knowing me, it was hard to understand that I meant the contrary.

    As for your other comments "If you behave as a troll expect to be treated as one" as other "Anonymous" posters have found recently...

From my perspective it was a humorously intended comment, nothing more or less. If you are referring to other postings you didn't like in the past, you do me wrong.
As far as I remember, I never posted as Anonymous or (like Mike the goat expected) as Anon10, that would be too crude from my perspective.

I've chosen "My trustworthy friend" in accordance with an earlier comment:

Chris Travers • October 1, 2013 10:33 PM
I keep wondering if the NSA has a project codenamed "Nobody" that listens to phone calls and reads emails. Such would be great, allowing elected officials to state truthfully that "Nobody is listening to your phone calls."

Answering to my comment correctly leads to "@ My trustworthy friend" ... as long as we aren't friends (and I think the chance for this has decreased extremely with my first comment) ... it was a lie on your part, a little bit like the lie in Chris Travers' example for outliers.


Now, let us get back to more constructive work and laugh together about something else.

Thank you for your honest feedback!

seriousness=false
If this was "acting like a troll" it was my first time here, so congratulations to me for my premiere.

Wilson Zorn • October 10, 2013 9:11 AM

Ongoing, it seems two distinct aspects are being unfairly merged in the discussion.

First and foremost, there is the wide berth legally (put that in quotes as you prefer) given to the NSA/government. One might argue the berth is so wide that "they do because they can" is an improper inversion: "they can because they are told to do" would seem more accurate. This requires fundamental fixes to the law, from the repeal or rework of the Patriot Act to laws rewriting now-used legal interpretations and creating greater transparency. Until this is addressed, the NSA is merely doing its job - a job the citizens of the United States have continued to essentially back and still are not, even by polling numbers, clearly regretting (we still see, depending on the polls, in the 40-50% range of support for surveillance even as reported from the Snowden-released "information"/collection of data).

Second is the abuse aspect, the "do because can," which by all means I don't mean to dismiss. Among the few actual new and useful bits of data released via Snowden has been the results of an internal audit indicating specifics as to abuse. And this issue requires its own attention. But I doubt any significant impact will or even can be made until the fundamental policies mandating vast and unusually proactive (as opposed to warrant-based or other for-evidence) surveillance are undone.

moo • October 10, 2013 10:00 AM

Off-topic (well, not really):

http://www.theatlantic.com/politics/archive/2013/...

The Brennan Center for Justice at New York University Law School has published a 50-page report which tries to explain "all of the ways that [U.S.] surveillance professionals are collecting, storing, and disseminating private data on U.S. citizens", as well as to make some policy recommendations.

Brian M. • October 10, 2013 10:36 AM

@Pascal S:

    What is a PSP? Google didn't help...

"Personal security product": a virus scanner or some such. Some of them have become rather good. When I installed Kaspersky on my Lenovo, it alerted me that Lenovo's utilities exhibited rootkit-like behavior.

@Clive Robinson:

    That is not a good idea due to the way the law works in many places.

Yes, I'm aware of that. There's a good Forbes article about key disclosure, and a few cases in the U.S. At some point I'm going to apply some analysis to what PGP et al. produces, and to noise from one of the available hardware generators. I'm initially guessing that PGP doesn't look like actual noise, and basic statistical analysis will easily show this.

Another question is, how good are these spook programs? If, say, the "encrypted" file is simply plain text with the PGP or other headers, will the spook software pick up on that and reject it, or will the plods come knocking on the door? If the text is ROT13, will it be picked up?

Now, since the point is to hog spook storage bandwidth, how about putting the decryption key in with the message? Of course then you'd have to spend some CPU bandwidth actually encrypting the messages instead of just grabbing some noise, base-64 encode it, and attach it to a message.

(Personally, I wouldn't use the subject line "bomb plans," I'd use "confidential manufacturing schematics" or some such. It's still encrypted, so they'll still store it, and it's provable that since the data was temporary, then of course the keys weren't kept.)

Another question is, if the data is labeled as "binary file," will they store it? If I was going to do something nefarious and use encryption, I'd strip the PGP headers off and relabel the attachment as JPG or something. So is the NSA hoovering up all binary attachments?

Here's another thought: Have a spam blocker that demands that all email be sent to you in encrypted format. "Hi, I can't read your email due to automatic spam filtering. Please resend your email using PGP encryption. My public key has been automatically attached to this email."

Mike the goat • October 10, 2013 10:37 AM

Wael: oh, it's a real goat. If you look under his left hoof you'll find the missile launch codes. He can also decrypt triple DES in his head.

Mike the goat • October 10, 2013 10:41 AM

Brian: if you look at the OpenPGP spec you'll see what's needed for it to 'look' like a pgp encrypted email. Base64ing junk won't work. That said it is easiest just to send your random junk to pgp (use a junk key) and let it do the work for you. I already insist on encrypted correspondence with most of my buddies. I figure why not make their job harder!
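
Mike the goat's point, that base64 junk will not pass for a PGP message while real OpenPGP output has a definite structure, can be turned into a mechanical check. This added example (not from the thread or any project) dearmors a blob, verifies the CRC24 line, walks the RFC 4880 packet headers and accepts only a session-key-packets-then-encrypted-data sequence; the samples are constructed and contain no real keys or ciphertext.

```python
# Added example (not from the thread): does an ASCII-armored blob actually parse as an
# OpenPGP encrypted message (RFC 4880), or is it base64 noise between PGP banners?
import base64
PKESK, SKESK, SED, SEIPD = 1, 3, 9, 18          # packet tags found in an encrypted message
BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

def crc24(data: bytes) -> int:                  # armor checksum, RFC 4880 s6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text: str):
    """Strip ASCII armor (s6.2); None if malformed or the CRC24 line does not match."""
    lines = text.replace("\r\n", "\n").strip().split("\n")
    if lines[0] != BEGIN or lines[-1] != END or "" not in lines:
        return None
    body = lines[lines.index("") + 1:-1]        # armor headers end at the first blank line
    if not body or not body[-1].startswith("="):
        return None                             # the "=XXXX" checksum line is mandatory
    crc_line = body.pop()
    try:
        raw = base64.b64decode("".join(body), validate=True)
        crc = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except ValueError:
        return None
    return raw if crc == crc24(raw) else None

def _new_length(raw: bytes, pos: int):
    """One new-format length field (s4.2.2) -> (length, next_pos, is_partial), or None."""
    if pos >= len(raw):
        return None
    b1 = raw[pos]
    if b1 < 192:
        return b1, pos + 1, False
    if b1 < 224 and pos + 1 < len(raw):
        return ((b1 - 192) << 8) + raw[pos + 1] + 192, pos + 2, False
    if b1 == 255 and pos + 4 < len(raw):
        return int.from_bytes(raw[pos + 1:pos + 5], "big"), pos + 5, False
    return (1 << (b1 & 0x1F), pos + 1, True) if 224 <= b1 < 255 else None  # partial chunk

def parse_packets(raw: bytes):
    """Walk the packet sequence (s4.2) -> [(tag, body_len), ...]; None on any violation."""
    packets, pos = [], 0
    while pos < len(raw):
        hdr, pos = raw[pos], pos + 1
        if not hdr & 0x80:
            return None                         # bit 7 is always set in a packet header
        if hdr & 0x40:                          # new format: tag in the low 6 bits
            tag, total, partial = hdr & 0x3F, 0, True
            while partial:                      # chain partial chunks up to the final length
                field = _new_length(raw, pos)
                if field is None or field[1] + field[0] > len(raw):
                    return None
                length, pos, partial = field
                pos, total = pos + length, total + length
        else:                                   # old format: tag in bits 2..5, 1/2/4 length octets
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:                          # length type 3: body runs to the end of input
                n, total = 0, len(raw) - pos
            elif pos + n > len(raw):
                return None
            else:
                total = int.from_bytes(raw[pos:pos + n], "big")
            if pos + n + total > len(raw):
                return None
            pos += n + total
        if tag == 0:
            return None                         # tag 0 is reserved
        packets.append((tag, total))
    return packets

def looks_like_pgp_message(text: str) -> bool:
    """True only for valid armor holding >=1 session-key packets then one encrypted-data packet."""
    raw = dearmor(text)
    packets = parse_packets(raw) if raw is not None else None
    tags = [tag for tag, _ in packets] if packets else []
    return (len(tags) > 1 and tags[-1] in (SED, SEIPD)
            and all(t in (PKESK, SKESK) for t in tags[:-1]))

def armor(raw: bytes) -> str:                   # wrap packets in armor; used only to build samples
    b64, crc = base64.b64encode(raw).decode(), base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return f"{BEGIN}\nVersion: constructed sample\n\n{b64}\n={crc}\n{END}\n"
# Constructed samples (no real ciphertext): a v3 PKESK with a wildcard key id, RSA algorithm id
# and a dummy 16-bit MPI, followed by a v1 SEIPD whose 32 "ciphertext" bytes are just a counter.
PKESK_PKT = bytes([0x84, 14, 3]) + bytes(8) + bytes([1, 0x00, 0x10, 0xAB, 0xCD])
SEIPD_PKT = bytes([0xD2, 33, 1]) + bytes(range(32))
GOOD_SAMPLE = armor(PKESK_PKT + SEIPD_PKT)
JUNK_SAMPLE = armor(b"not an OpenPGP message, just noise between PGP banners")
```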

Mike the goat • October 10, 2013 10:46 AM

Brian: re key disclosure. If you were really worried about that being a possibility then set no passphrase and keep a copy of the secret key at your lawyer's office in escrow in the unlikely event you are forced to reveal it. If you pipe, say a wget of news.google.com daily in your 'noise making' script and put it through pgp encrypting to the escrowed dummy key then you achieve your purpose (wasting their time) along with protecting yourself as it can be decrypted and verified to just be news.

Fred Grott • October 10, 2013 12:05 PM

Assuming that the NSA did an analysis of what its actions might accomplish, what could have prompted the NSA to risk everything just to get two sides of any communication?

There is a large story we are missing. Let me explain: geopolitical areas that only have GDP income via raw resources are set to lose that GDP in the next 50 years. That is not just Middle East oil, however; it includes raw resources in other geo areas as well.

Is the NSA looking at the trend and saying take a huge set of risks now, as that is the future to prepare for? A World ON FIRE, if you will..


Underwriter • October 10, 2013 12:25 PM

@Fred Grott

    geopolitical areas that only have GDP income via raw resources are set to lose that GDP in the next 50 years

Why do you say that? Has the ability to transmute elements been invented somewhere and is being kept secret?

Dirk Praet • October 10, 2013 3:58 PM

@ my trustworthy friend

    They don't make a difference between the colour of skin or religion or country or own employees or profession or something else in principle.

I don't suppose you have ever heard of a medieval Cistercian abbot and inquisitor called Arnaud Amaury (or Amalric), a man who took a prominent role in the Albigensian Crusade. He is most remembered for allegedly advising a soldier, worried about killing orthodox Catholics along with the heretics during the sack of the Cathar stronghold of Béziers, with the following immortal words: "Caedite eos. Novit enim Dominus qui sunt eius".

It roughly translates to "Kill 'em all, let God sort them out". Now there was a man who truly believed in equality.

@ Brian M., Mike the goat

Increase their noise to signal.

You guys may like Scaremail by Benjamin Grosser, a neat browser extension that aims to disrupt NSA surveillance.

Mike the goat • October 10, 2013 6:20 PM

Dirk: yeah, except for the scaremail link it embeds would give them something to grep and exclude it by. You'd have to remove that bit ;-)

Layer_8 • October 10, 2013 6:21 PM

@ Dirk Praet

Correct me if I'm wrong, but wouldn't Scaremail be the best example for privacy by obscurity?

Dirk Praet • October 10, 2013 7:21 PM

@ Mike the goat, @ Layer_8

    Dirk: yeah, except for the scaremail link it embeds would give them something to grep and exclude it by. You'd have to remove that bit ;-)

I'm not using it myself, but I guess the author would be smart enough to realise that too, at the risk of totally defeating the purpose.

    Correct me if I'm wrong, but wouldn't Scaremail be the best example for privacy by obscurity?

I don't know. For what it's worth, I think initiatives like this can only work when people adopt them in great numbers or when it's built in as a default feature. Otherwise it would probably just land you on a no-fly list or give someone a reason to indict you with some silly charges over breaking the CFAA.

Mike the goat • October 11, 2013 3:58 AM

Brian M, Clive, etc: Okay so I was bored while traveling before and cooked up a concept of the cron job that would send encrypted messages (that's just news when decrypted to avoid any issues with using random noise and then being accused of not revealing the key to the 'second layer'). I had to write this on a windows laptop at 35,000' while sleep deprived but I think it'll work nonetheless...

terror cron job

It also makes up suspicious subject lines - like these three gems:

    Re: great encouragement for the car-bombing at the CIA HQ
    Re: Tehriki-Taliban: members NOTE NEW ORDERS
    Re: pickup of our ephedrine from Florida rescheduled

Skeptical • October 12, 2013 5:37 PM

Hmmm... three things.

First, I'm not persuaded that the results of NSA's current cost/benefit analysis would be altered by including greater likelihood of public exposure.

The one aspect of the leaks that concerns me is that the NSA may have weakened standards used to protect data and systems from private parties and non-USG entities. However - and granted I speak as someone who wouldn't know a byte from a bite - I've yet to see strong evidence that the NSA has in fact done so. Moreover, I'm extremely skeptical of the notion that the NSA would attempt to compromise the protection US companies have against foreign espionage. From an intellectual property vantage, the US obviously has much, much more to lose by such a compromise, something the NSA and the USG generally are very much cognizant of.

Other than that aspect, I've largely found the activities revealed to be acceptable, and I've found the FISC oversight/NSA compliance, while a bit bumbling at points, fairly good and certainly not pernicious. I suspect my reaction on this largely tracks that of the voting public.

Second, while including a higher probability of exposure might be justified, I don't think setting the probability to 1.0 is justified.

Third, I think your generational hypothesis may well be incorrect. Those around Snowden's age left home for college while Ground Zero was still smoldering. They've also experienced firsthand the costs of too much transparency - they're not naive about the consequences of something being published on the internet. Finally, perhaps most importantly, the subset of such generations that choose to work at NSA are self-selecting; their average characteristics may well differ from those of their broader cohorts.

Goldry • October 13, 2013 2:36 AM

@Mike the goat

nice piece of work. I myself would suggest something to take phrases from texts such as Pride and Prejudice and official documents from the US, UK and other governments for the mix-n-match, plus a few phrases from various foreign languages ... sub 1 "Mossad" "CIA" frex ...

Prinz Wilhelm Gotha-Saxe-Coberg • October 13, 2013 5:15 AM

@My trustworthy friend

To quote Arlo Guthrie in The Paws of Mr Claws:

But think of the last guy. For one minute, think of the last guy. Nobody's got it worse than that guy. Nobody in the whole world. That guy...he's so alone in the world that he doesn't even have a street to lay in for a truck to run him over. He's out there with nothin'. Nothin's happenin' for that cat.

And all that he has to do to create a little excitement in his own life is to bum a dime from somewhere, call up the FBI. Say "FBI?", they say "Yes", say "I think Uncle Ho and Chair-Man Mao and their friends are comin' over for dinner" (click) Hang up the phone.

And within two minutes, and not two minutes from when he hangs up the phone, but two minutes from when he first put the dime in, they got 30,000 feet of tape rollin'; files on tape; pictures, movies, dramas, actions on tape. But then they send out a half a million people all over the entire world, the globe, they find out all they can about this guy.

'Cause there's a number of questions involved in the guy. I mean, if he was the last guy in the world, how'd he get a dime to call the FBI? There are plenty of people that aren't the last guys that can't get dimes. He comes along and he gets a dime.

I mean, if he had to bum a dime to call the FBI, how was he gonna serve dinner for all of those people? How could the last guy make dinner for all those people. And if he could make dinner, and was gonna make dinner, then why did he call the FBI?

They find out all of those questions within two minutes. And that's a great thing about America. I mean, this is the only country in the world ... I mean, well, it's not the only country in the world that could find stuff out in two minutes, but it's the only country in the world that would take two minutes for that guy.

Other countries would say "Hey, he's the last guy ... screw him", you know? But in America, there is no discrimination, and there is no hypocrisy, 'cause they'll get anybody.

Dirk Praet • October 13, 2013 8:44 PM

@ Skeptical

    Other than that aspect, I've largely found the activities revealed to be acceptable, and I've found the FISC oversight/NSA compliance fairly good and certainly not pernicious.

In which case I kinda wonder how you define "acceptable" and "fairly good". In the wake of Snowden's revelations, we've seen quite some new definitions by the NSA and their apologists of common words such as "collection", "content", "surveillance" and "conversations and communications".

If with "acceptable" you mean that a global surveillance dragnet unparalleled in the history of mankind and based on secret orders of secret courts based on secret interpretations of the law is legal in the US, then you're probably right for now. Note however that several court cases have been filed claiming that it is a violation of the 1st, the 4th and the 5th Amendment to the US Constitution. I guess we'll have to wait and see how that eventually plays out.

If with "fairly good" you mean that indeed there was some form of secret oversight by the secret court of secret mass surveillance, and that all three branches of government were fully aware of what was going on, then I'm still with you too. I have come to accept the fact that large parts of the general public have been conditioned into believing that as long as something is legal, it is pretty much OK. And even if it's illegal, it's still OK as long as you can get away with it, especially if it's being done by the good guys.

Now let's assume for a minute that the internet was largely governed by China and that instead of Edward Snowden some PLA guy called Ho Lee Fuk had blown the whistle on the Chinese government's global mass surveillance, the latter defending both their domestic and international programs as 100% legal under Chinese law. I think it's safe to say that Ho Lee Fuk would have been granted asylum immediately, nominated for a Nobel and Sakharov prize, with politicians, corporations, mass media and the general public all crying bloody murder over this unacceptable violation of the free world's sovereignty, civil liberties and human rights.

That's pretty much how many non-US folks are feeling today. Every time an American, whether it be a politician or an ordinary citizen, is saying that what the NSA is doing is really all OK, it's nothing less than an insult fed by the mistaken belief that the world is made up of two parts, i.e. the US and the International Americas, the latter made up of vassal nations that can either be bought or bombed into compliance with the former.

I understand why our host is not tackling the international dimension of the NSA's activities in a more head-on way because he would risk losing a huge part of his domestic audience in doing so. But I believe I'm speaking for all non-US folks on this blog in saying that we've kinda had it with American NSA apologists who completely ignore how their government and secret services are violating our rights and liberties or even defend these activities by saying that others are doing it too and that the US just happens to be very good at it.

However true both may be, that doesn't make it right. If short-sighted US foreign policy continues to alienate the country from the rest of the world, there will inevitably be political and economical consequences in the long run.

Anon • October 13, 2013 10:53 PM

@Dirk

Regarding your China scenario, it's already public knowledge that China spies on the US, although its specific targets and methods are not. I'll concede that your whistleblower would probably get asylum, but a Nobel Prize is ridiculous hyperbole. The US media would certainly criticize China for a while, as they periodically do about China's IP theft. I suspect within a year, it would be business as usual again, with the US quietly trying to fix some of the vulnerabilities revealed in its networks. However, your scenario raises an interesting question: why haven't we heard about any Ho Lee Fuks? Or why does China seem capable of much better OPSEC than the US?

#%*!? • October 14, 2013 1:18 AM

hmm yea... China may be spying on the US, but it would be plain _dumb_ to compare that to what the NSA is doing.

For one thing the level of surveillance is completely different. China's interests in the USA are strategic and the surveillance is on a level that supports the strategic operations (the level is akin to the surveillance between the USSR and the USA during the Cold War).

The Chinese government likely does not have huge data centers with profiles of every US citizen, every EU citizen, every 5-eyes-nation citizen (yes I realize there is some overlap here) and who-knows-whom-else. But that is what NSA is doing - and these are not some superficial profiles either.

Admittedly they likely do not have _exactly_ every citizen (I would think there are people who are not captured for one reason or another). Nevertheless what NSA is doing is on a level that is like a global version of East Germany.

Even if China would do surveillance on its domestic population, that is still on a very different level from NSA.

Skeptical • October 15, 2013 9:22 AM

@ Dirk

By acceptable, I mean methods that are legal, not perniciously directed, embedded in a system of checks and oversight to reduce error and any attempts at abuse, and used for legitimate counter-terrorist and foreign intelligence purposes.

I have yet to see or hear of a single instance of these programs being used to suppress dissent, to harass and intimidate political opponents or minorities, or to conduct commercial espionage. Nor have I seen or heard of a single instance suggesting that the NSA was even interested in such uses.

Sifting through global traffic to find signals connected to foreign intelligence and international terrorist networks and targets is, to my mind, a legitimate function of the NSA. I would absolutely want them to do so in a way that does not pry into the private lives of innocent persons, and that is respectful of the dignity of innocent persons, but I don't see some type of warrant requirement administered by the courts as feasible or desired in that domain.

No country of which I'm aware requires its intelligence agencies to obtain search warrants for searches or eavesdropping conducted outside national boundaries and designed to exclude their own citizens. If I send signals traffic to Germany, it's as much subject to interception and review by the Bundesnachrichtendienst as would be any cargo I send.

I understand your frustration that a lot of discussion regarding NSA surveillance is centered around legality. I think that is because the justification for leaking this information is that it reveals abuses; so the question of whether NSA has in fact exceeded their legal remit is of great relevance and interest.

There's certainly a broader conversation to be had about privacy generally. To what extent do we want global communications to be private? To be subject to some government surveillance? These are hard ethical questions, and good ethical questions. In a somewhat anarchic international system of states, finding workable solutions that respect all legitimate concerns - from privacy to security - is very difficult.

As to "secret courts" and "secret interpretations", many judicial proceedings and decisions happen in secret when the occasion warrants. FISA simply created a certain type of court, on which sit otherwise ordinary federal judges, to deal with matters that will be by nature highly confidential.

With respect to your China analogy, surveillance by a government that eschews freedom of speech, suppresses political dissent, and engages in enormous amounts of commercial espionage for the benefit of its state enterprises is far more concerning than surveillance by a government that does almost precisely the opposite.

Terry in Phoenix • October 17, 2013 11:11 AM

Our country (U.S.A.) was founded on having three separate branches of government. The Executive Branch controls and has access to all the data from the NSA. The NSA, the FBI and the CIA all work for the President of the United States. How can Congress and the Supreme Court sit idly by and let the Executive Branch read their emails and track their phone calls? The founding premise of this nation has been violated and the President has been given the "Keys to the Kingdom". The previous resident of the White House was not tech savvy or anything savvy for that matter. However this President is tech savvy and knows how to use that data. And every President from now on will also. We no longer have a Republic when one and only one branch of government can spy on the other two. How can the people, the Congress and the Supreme Court not see this? This country is so screwed!


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..