Schneier on Security
A blog covering security and security technology.
November 4, 2013
More NSA Revelations
This New York Times story on the NSA is very good, and contains lots of little tidbits of new information gleaned from the Snowden documents.
The agency’s Dishfire database -- nothing happens without a code word at the N.S.A. -- stores years of text messages from around the world, just in case. Its Tracfin collection accumulates gigabytes of credit card purchases. The fellow pretending to send a text message at an Internet cafe in Jordan may be using an N.S.A. technique code-named Polarbreeze to tap into nearby computers. The Russian businessman who is socially active on the web might just become food for Snacks, the acronym-mad agency’s Social Network Analysis Collaboration Knowledge Services, which figures out the personnel hierarchies of organizations from texts.
EDITED TO ADD (11/5): This Guardian story is related. It looks like both the New York Times and the Guardian wrote separate stories about the same source material.
EDITED TO ADD (11/5): New York Times reporter Scott Shane gave a 20-minute interview on Democracy Now on the NSA and his reporting.
Posted on November 4, 2013 at 1:39 PM
As Joshua once pointed out...
"The only winning move is not to play."
As interesting and helpful as the Snowden documents have been, I am quite sure they represent only a small portion of NSA projects and operations. I will second Bruce and others in a call for more whistleblowers to come forward and shine more light on this out-of-control agency. Hopefully the proliferation of SecureDrop (StrongBox, DeadDrop etc.) installations will help this happen. I only hope those trusted with future releases handle them as well as Snowden's are being handled in terms of keeping them in the public eye and headline worthy.
I thought the very similar Guardian article that came out the same day had an interesting tidbit on NSA's broad view of metadata. From an NSA document on what constitutes metadata:
"What about an email's signature block or telephone numbers within a message? Questions like these are not necessarily clear-cut."
So much for defining metadata as information required for message delivery. Metadata is being interpreted as any type of contact information in the message, including the body. Nice.
Step 1) Encrypt entire internet at the IP layer
Step 2) Design new Wi-Fi protocol with anonymity and security in mind.
Step 3) Implement global public Wi-Fi and public satellite internet for those not covered by Wi-Fi network.
Step 4) Abandon phone providers in favor of internet-based protocols designed for privacy and security.
Step 0) Convince people to start working on it... This is where my plan fails. Also, convincing people that putting ISPs and phone companies out of business is a good thing will be difficult, especially the politicians that get money from said companies.
@ Chris McLeod
Yes, we need programs (never mind the gov.) for whistleblowers. Take care of our own.
More pressing than new algorithms in my view, but I cannot really judge the cr'y and so applaud any efforts.
Besides that, political awareness. Just went to Google Maps to look up ASML in Veldhoven near Eindhoven, The Netherlands. Is AMD really more 'user friendly' than Intel is USGOV-
I'm telling you, the people doing this have a pathology. Well, we all do, but then again we're not all in a position of that much (which is a ludicrous notion in this context) power. This is up and against every sense of decency. Which brings to mind that US defense lawyer some 60 years ago. Idyllic times... --- then!
Hey NSA come 'n get me!
Meanwhile, in Holland, the Dutch Secretary of the Interior, after meeting with his US counterpart, in an attempt to allay and pacify (non-existent [btw.] concerns), assured the Dutch public in general that "it's only metadata" that had been gathered.
Democracy has been failing big time here in Holland as well, you know.
The name of this sec. of the interior is Ronald Plasterk. Ronald Plasterk is a scientist by profession, as a matter of fact, "a prize-winning molecular geneticist" (Wiki).
The conclusion: he's also a liar, and not worthy to carry the name 'scientist'.
Note that name on your blacklist. Ronald Plasterk. Oh, forgot, he's a member of the 'socialist' party. Not kidding, so note the irony.
An interesting bit, near the end of the article:
One NSA officer ... “ran some queries” ... but added: “Most of it is in Arabic or Farsi, so I can’t make much of it.”
That comment is meant to put off questions about content. They have the full content of the messages. If not, they should be fired, or it reveals the true target of the data collection: English speaking citizens, mostly in the U.S.
It is the feeling of the watchers that downfall will not come from without, but from within. Therefore, hold sway over the sheeple. It is arrogance of the watchers that will be the downfall.
Interesting observation is that the article claims that the US - despite all affirmations to the contrary - is indeed also engaging in economic espionage.
... the agency’s official mission list includes using its surveillance powers to achieve “diplomatic advantage” over such allies as France and Germany and “economic advantage” over Japan and Brazil, among other countries.
... This huge investment in collection is driven by pressure from the agency’s “customers,” in government jargon, not only at the White House, Pentagon, F.B.I. and C.I.A., but also spread across the Departments of State and Energy, Homeland Security and Commerce, and the United States Trade Representative.
I think the NYT article was on whole very supportive of the agency, cautious and polite.
The Guardian's view, not so much:
"Its own list of strategic targets includes: support for US military in the field; gathering information about military technology; anticipating state instability; monitoring regional tensions; countering drug trafficking; gathering economic, political and diplomatic information; ensuring a steady and reliable energy supply for the US; and ensuring US economic advantage. It boasts it can collect information from “virtually every country”.
From: "Portrait of the NSA: No detail too small to watch",
By Ewen MacAskill, The Guardian
So, they admit using military power for general law enforcement per "countering drug trafficking". In other words, they are the IT department for DEA and FBI, et al.
The mention of "ensuring US economic advantage" suggests corporate and bank espionage.
The couple of small bones thrown out by the NYT with emphasis on the "terrorism thing" seems a bit implausible to me.
I really didn't find any value in this article. What the NSA has done may be on the short list of great betrayals against humanity. The only thing I'm interested is the process to dismantle the agency completely and totally. Salt the ground.
@ Dirk Praet, Muddy Road,
When talking of economic espionage you have to consider,
1, The Source.
2, The Product.
3, The Customer.
Before deciding at what level it applies,
For instance, it is known that the NSA bugged the plane of a Japanese diplomatic mission on their way to treaty-level trade talks to get strategic-level product, which was used to gain treaty-level advantage.
Likewise, it is known that the French routinely spy on foreign company/competitor entities for R&D-level product that they supply to French companies, especially those in the defence industry. Oddly perhaps on first hearing, not to learn to do something a particular way but what to avoid trying.
It is this latter point people tend to forget about R&D: more money and time is spent on failing than succeeding. Avoiding making other people's mistakes represents a massive saving on time and other resources. Also, when you find a working solution it is unlikely to be the same as other people's solutions (i.e. not a straight copy). So the argument of "theft of IP" does not tend to arise.
The worst offenders that I've come across are the Israelis; they steal designs exactly, reproduce them and sell at lower prices into third-world economies, knowing full well an Israeli court will always find in Israel's favour and third-world countries won't stop the cheap imports...
Am I supposed to be upset that the NSA is spying on foreign governments?
Isn't that their job?
Anyone here ever hear of a guy named Pollard?
The US's Achilles' Heel vs the Muslim world - the average American is too lazy to learn any other language other than his/her own. And for the last fifty-odd years the American media has been slandering the Arabs and other Muslims in a casual, off-handed way.
Among the Slashdot crowd it's known as "Epic Fail".
"Am I supposed to be upset that the NSA is spying on foreign governments?"
I am upset, because it is my government. And the NSA will use that information to make my life worse. The USA treat us as their enemy, so we must assume the US is our enemy.
Btw, when our current secretary of the interior Plasterk switched to politics, both science and politics were worse off. He was a very good geneticist (Evo-Devo).
SOP (Standard Operating Procedure): if it is too hard to read, then default to something easy - like English - and then produce reports to increase your year-end stats.
@ Dirk P.
I just wonder which “customers” gets the “diplomatic advantage” and which don’t. Do these “customers” include politicians collecting dirt on their competitors to keep their elected positions?
The same goes for the economic customers of the NSA’s surveillance programs. Who are the customers?
Are they US companies that donate heavily to a certain party? Could this be US customers who need NSA's help against another US competitor? This a huge problem which could tilt the playing field in favor of certain well connected “US customers” against less connected US companies.
@ Muddy R.
Yes, I thought the NSA and its secret court could only operate outside of the USA on "National Security" cases – not on simple drug crimes. I wonder if the NSA has the ability to monitor the lawyers for said drug dealers and tilt the legal playing field?
Lastly, it appears that the NSA has not stopped one single deadly terrorist attack with their expansive domestic spying. Their terrorist disruption numbers dropped from about 54 to 13 in a hurry. And, when questioned by Senators, the successful cases dropped to one or two. Now, it looks like only one terror-related disruption occurred. It was a San Diego taxi driver who may have laundered a small amount of money for Somali rebels (or the like).
At a cost of $10.8 billion dollars and 35,000 employees it seems that the NSA could do more with less money. In fact, the rough numbers seem grossly high: Budget of $10.8 billion / 35,000 employees = $308,500 per employee (per year). In this economic climate their budget should be sharply reduced!
Anyone here ever heard of a guy named Pollard?
John Pollard? British mathematician who created Pollard's rho algorithm for integer factorisation?
@Scott: Should you ever decide to get this running, count me in. There are already initiatives for free and decentralized Internet access (like "Freifunk" in Germany), but they don't care that much about privacy/encryption by design and most certainly won't touch the IP layer.
Still, Internet could be dirt cheap and accessible from anywhere by anyone, once we get rid of the Telcos and optimize for cheap mass access instead of maximum profits (usually I'm all for private initiative, but it works way better for goods and services than for infrastructure).
If monetization was off the table, you could just put WiFi in every streetlight. It would only make them marginally more expensive, but be much more efficient than a router in every single household.
Bruce, you have been very quiet about BT's role in sharing transcontinental telecom data with GCHQ. Why just write about NSA and US companies? Some reports indicate GCHQ, thanks to BT, has larger take than NSA? You have a golden opportunity to enlighten us all about your current employer.
It's clear to me the NSA is using military strength computational power to provide information and evidence to Federal agencies for general law enforcement purposes.
That data, including pre-emptively collected evidence, with an obfuscated source, can be slipped to Podunk PD.
We can assume that the judicial process has been corrupted and everyone with a sliver of authority can read everything. That we send any information unencrypted or unanonymized is insane. They are sending raw data to foreign countries. This is treason. The NSA and US Gov have sold out the citizens to foreign countries.
Why haven't we secured what we have control over. The internet runs on weak ssl ciphers by default. We don't use pgp by default. We have TOR but I get the sense we need a more seamless form of anonymization. SMTP is completely insecure. I'm glad the Dark Mail Alliance is working on something.
"I woke up in the middle of the night with that line in my head, sat down at the piano and had written it in half an hour. The tune itself is generic, an aggregate of hundreds of others, but the words are interesting. It sounds like a comforting love song. I didn't realize at the time how sinister it is. I think I was thinking of Big Brother, surveillance and control."
Have been listening to it again and again.
... NSA is using military strength computational power ...
(smirk) Do you have any idea what the military considers "computational power?" Just about anything straight off the shelf beats what the military thinks of as computational power! When I was in the Army, we were using equipment a minimum of 20 years old, and some of it was from WWII! We upgraded to radio equipment that the phone company didn't want anymore!
No, the NSA is using better than Google-strength equipment.
@Aspie: "John Pollard? British mathematician who created Pollard's rho algorithm for integer factorisation?"
No. Jonathan Pollard, who is doing time in a Federal pen for spying on the US for Israel. My point, which may have been a bit too subtle, I admit, is that governments spy on other governments all the time, even nominally friendly governments, like Israel.
I find the "fauxtrage" of all concerned to be laughable in its hypocrisy.
The "customer" jargon has been used by the US IC for a very long time (also used: "consumer") to describe the various parts of the USG that request intelligence products (be it a briefing, access to a particular periodical report, etc). It absolutely does not imply industrial espionage.
The "economic advantage" referred to is almost certainly in the context of trade negotiations between governments. That intelligence agencies provide information to their own governments during international negotiations isn't new news. It's also not industrial espionage, which would occur if the CIA or NSA were stealing designs from Honda to give to Ford.
Note that neither article, nor any article published on Snowden's leaks, carries any mention of industrial espionage (meaning collecting information from one company and then passing it to another company for the benefit of the receiving company). In fact, I'd give good odds that those privy to these documents would agree that the NSA does not engage in industrial espionage.
The Guardian article is a bit silly in its attempt to set up Obama as claiming that all the NSA does is counter-terrorism. Earlier in the same press conference he described the NSA's mission in much broader terms, and the NSA itself defines its mission in much broader terms. Taking a single line, from a lengthy answer, out of context from the rest of the press conference is just shoddy journalism, and is used here to heighten the reader's sense that the USG is trying to hide what the NSA is "really up to."
I don't see anything in that article that describes an illegal or unethical action, much less any surprising action. I do see a lot of legitimate operations being exposed for what amounts to little more than a quest for page hits by the journalists (perhaps harsh on my part). Gosh, the NSA collects signals intelligence from non-US governments and major drug trafficking organizations? Shocking. I await The Guardian's next scoop: US military satellites used to peek over fences!
@Goldry Bluszco: "the average American is too lazy to learn any other language other than his/her own. "
It's not laziness but more a product of geography and economics. The US doesn't have the exposure to other languages the way that European countries do, so the incentive to learn a language is much less. Also, U.S. and British economic power has served as a very strong incentive for people around the world to learn English. (There's also the reality of British colonialism spreading the English language around the world.) Add in the ubiquity of American mass entertainment around the world, which makes learning English much easier, and it's not surprising that people in other countries learn English (plus other foreign languages) at a far greater rate than American citizens learn foreign languages.
@Goldry Bluszco: "the average American is too lazy to learn any other language other than his/her own. "
Uhmmm, the majority of Americans speak Spanish as a second language. I tend to think the monolingual Americans are a small minority on the east coast, centered around Boston.
Uhmmm, the majority of Americans speak Spanish as a second language.
--Uhh, I guess maybe in Texas and California. Conducting a real survey that isn't just a sample of this would be quite an effort. Like Kurzleg said, many other people learn English b/c of history and American mass media. In Belgium, for instance, subtitles on The Simpsons was a very helpful way for many of them to learn English. Of course they are special and can learn like 2-6 languages; go to France and if you can't speak French you'll be back to the stone age communicating w/ hand signals and "umphs" and "grunts" lol. Any other exotic languages like Chinese, Russian, Arabic and all their similar ones; lol, very rare for Americans to know.
the average American is too lazy to learn any other language other than his/her own.
I have heard the same being said about Spanish, British and French. Probably each of these groups have their own reasons or outright lack of need for learning another language.
Op-ed: Lavabit’s primary security claim wasn’t actually true
I think there's a Spanish-as-Alternative-Language line across the south of the US - California, New Mexico, Texas, Florida, and then you have the bright lights of New York City attracting Spanish-speakers from Puerto Rico et alii ... the bizarre thing is that there are a lot of people from those regions in the US - Arab-Americans, Iranian-Americans, etc, but they seem to be regarded as targets, judging from their public statements. And so they are spared the indignity and humiliation of betraying their kith and kin in the lands they derive from.
Makes me wonder if there was a time we were actually safe (in the sense of "private").
The people using paper, trusted personnel and tradecraft still are. The only ones whose privacy was doomed completely were those trusting that tech designed for sharing data would isolate their secrets. The failure of such an approach seems inevitable.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.