NSA's Partnership with AT&T

There's a new article, published jointly by The New York Times and ProPublica, about NSA's longstanding relationship with AT&T. It's based on the Snowden documents, and there are a bunch of new pages published.

AT&T's cooperation has involved a broad range of classified activities, according to the documents, which date from 2003 to 2013. AT&T has given the N.S.A. access, through several methods covered under different legal rules, to billions of emails as they have flowed across its domestic networks. It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T.

[...]
In 2011, AT&T began handing over 1.1 billion domestic cellphone calling records a day to the N.S.A. after "a push to get this flow operational prior to the 10th anniversary of 9/11," according to an internal agency newsletter. This revelation is striking because after Mr. Snowden disclosed the program of collecting the records of Americans' phone calls, intelligence officials told reporters that, for technical reasons, it consisted mostly of landline phone records.

Lots of details in the article and in the documents. Here's commentary from the EFF.

EDITED TO ADD (8/16): ProPublica has published a companion piece showing how they linked both AT&T and Verizon with the NSA's codenames. And Marcy Wheeler has some good commentary.

More commentary.

Posted on August 15, 2015 at 12:44 PM • 43 Comments

Comments

rgaff • August 15, 2015 1:17 PM

Well you know how you can tell if an Intelligence Official is lying, right? They open their mouth.

Yes, I know it's an old one, but it applies.

V • August 15, 2015 1:28 PM

Congress retroactively gave ATT (and others) immunity from civil lawsuits over past illegal acts. This deprived a large class of people -- 1) AT&T customers, 2) people who exchanged phone calls/emails with AT&T customers -- of possible damage awards over turning over records willy-nilly. The 5th amendment says "... nor shall private property be taken for public use, without just compensation." Did Congress volunteer to pay any and all damages from lawsuits?

Skeptical • August 15, 2015 2:05 PM

They say AT&T gave the N.S.A. access to “massive amounts of data,” and by 2013 the program was processing 60 million foreign-to-foreign emails a day.

That's somewhere around .04% of emails sent daily in 2012.

I wonder which is greater - the odds of the content of one's email being read by a human being at NSA, or the odds of being attacked by a shark.

Bystander • August 15, 2015 2:05 PM

EFF has already covered this more than just a little.
The big news for me is, that someone else than the EFF or Richard Stallman is pointing out the obvious.

I am just a bit surprised that these articles did not even hint Room 641A.

All the WHAT that's fit to print? • August 15, 2015 2:08 PM

It's strange to see a vaguely libertarian article coming from that outfit, mere days after spouting the party line about crypto...

65535 • August 15, 2015 2:37 PM

“The 5th amendment says "... nor shall private property be taken for public use, without just compensation." Did Congress volunteer to pay any and all damages from lawsuits?”

Good question. I have not been compensated nor has anybody I know. When did congress change the US Constitution?

Spike in spying under the Obama Administration:

“NSA’s top-secret budget in 2013 for the AT&T partnership was more than twice that of the next-largest such program, according to the documents. The company installed surveillance equipment in at least 17 of its Internet hubs on American soil… In 2011, AT&T began handing over 1.1 billion domestic cellphone calling records a day to the NSA after “a push to get this flow operational prior to the tenth anniversary of 9/11,” according to an internal agency newsletter. This revelation is striking because after Snowden disclosed the program of collecting the records of Americans’ phone calls, intelligence officials told reporters that, for technical reasons, it consisted mostly of landline phone records. That year, one slide presentation shows, the NSA spent $188.9 million on the Fairview program, twice the amount spent on Stormbrew, its second-largest corporate program.” – ProPublica

https://www.propublica.org/article/nsa-spying-relies-on-atts-extreme-willingness-to-help

1.1 billion domestic cellphone calling records a day is a large number of records, and if you multiply that times 365 days I get around 401,500,000,000. That is a whole lot of spying per year!

I thought Obama promised to reduce spying on the campaign trail. He appears to have actually increased it. With a stroke of his Presidential Pen he could have reduced this spying. I am sorry I helped that scallywag get into office.

I will the congress shares plenty of blame by giving this out of control spy agency a huge amount of money. I say cut the NSA’s budget by 35% and put the money to better use!

Further, I will not be using any AT&T services again. They appear to be voluntarily feeding the monster!

65535 • August 15, 2015 2:53 PM

My comment was directed at V's observation.

This part should read:

"I will say the congress shares plenty of blame..."

Schlapphut • August 15, 2015 3:28 PM

The info about AT&T isn't exactly surprising or new.

But what about Microsoft?

I find the reports about Windows 10 phoning home to Redmond whenever it feels like it quite alarming. At least in the earlier versions you had some illusion of control in the update settings.

If I were in Fort Meade, I would have begun to make contingency plans in the wake of the backlash from the Snowden revelations, in case the President or the Congress ever ever ever, God forbid, attempted to rein it in.

What could be better than directly subverting people's computing device, on the still leading OS for platforms susceptible to have access to strategic information?

At least you could now more plausibly claim that you are "only" targeting foreign nationals. Usable indicia: the device never was on US territory, was purchased abroad, is set up in a foreign language, was paid for with a foreign credit card, or is registered in the name of a demonstrably foreign national.

One scenario: You could easily and plausibly scan for choice information on the target's hard disk, by inserting what you're looking for in the virus checker signature file, which are typically updated several times daily, and you don't have a choice anymore to refuse.

Only a minute handful of Microserfs would need to be in the know and actively participate; all that would be required is to have some deliberate vulnerability inserted in the crypto for accessing the firm's web sites, or keys could be shared outright. The NSA's vast existing infrastructure would take care of the rest, for example by injecting its own payloads using a variant of QUANTUM INSERT.

The quid pro quo for Bill Gates could be a quiet assurance that in the case Windows 10 proves to be a dud, and the company fortunes become dramatic, it would never be let down by the US Government. With a few bits of key information, all the work could be done by the NSA, while permitting Microsoft executives to maintain plausible deniability.

Anyone got a tin foil hat to spare?

sidd • August 15, 2015 4:29 PM

Is it just me, or does someone else recall "Sequoia," a large database of all call metadata for calls originating or terminating in network by ATT in the old days, long before cellfones and begun pre breakup? I thought then that it was certainly going to be accessed by state, corporate and criminal actors (forgive the redundancy.) This probably follows introduction of SS7 signalling, but I cannot recall or find my records from decades ago. Something may be in the comp.dcom.telecom archives and mailing list, but have no easy access to a clean set from the eighties.

Clive Robinson • August 15, 2015 7:03 PM

@ Skeptical,

"I wonder which is greater - the odds of the content of one's email being read by a human being at NSA, or the odds of being attacked by a shark"

It's not a question that makes any sense in the real world.

For various reasons I know I'm not going to go to sea again --sad but true-- thus my shark risk is zero. Which due to the unfortunate way we work out the multiplicity of things ( NSA / shark ) with the probability of the NSA reading my Internet usage being greater than zero it's infinitely more likely.

Further whilst the average risk might be what you say, as the old saying goes "none of us is average" thus the probability for a person of interest is very nearly one. As traffic is stored but not all of it read, then there is a future probability that will increase with time from your low water mark figure.

CallMeLateForSupper • August 15, 2015 9:28 PM

@Bystander
"I am just a bit surprised that these articles did not even hint Room 641A."

Yes, the NYT article does: "In a 2006 lawsuit, a retired AT&T technician named Mark Klein claimed that three years earlier, he had seen a secret room in a company building in San Francisco where the N.S.A. had installed equipment."

sidd • August 15, 2015 10:11 PM

After thinking some more, I seem to recall that the ATA AMA system for billing was deeply intertwingled into eavesdropping on content, to the extent that for a while it was possible to detect intercept thru examination of call billing on the intercepted number, and I recall mention in the Canadian press about this "feature." But for the life of me, I cannot recall any more about Sequoia, except that for a while it was one of the largest databases anywhere.

CallMeLateFor Supper • August 15, 2015 10:16 PM

@65535
"I read this to mean the content of emails – not just metadata. That is full content."

{emphasis}, below, is mine.
Second bullet says "{Metadata} collection is SMTP only at this time", but as you point out, update does say "STORMBREW began {content} collection of SMTP under Transit Authority".

We already know that DNI's boys are free to vacuum any non-US traffic and read content, be it SMTP or not. Am I correct in assuming you interpret the slide to mean that content of {all} email is read? I don't interpret it that way.

rgaff • August 15, 2015 11:04 PM

It depends on how you interpret "read"....

a) "read" refers to literal human eyes seeing it and reading it

or

b) "read" means it was all ingested by a system under human control, through which humans run any queries they please, and get back any and all results in real time or later on.

Conceptually, morally, and legally, the two SHOULD be the same.... except that a) requires more manpower to monitor everything and b) requires less. It's still being READ by humans, just that they're using technology to help them "ignore" the bits they aren't interested in, and zero in on anything they are looking for, based on what's being said. I dunno about you, but it SHOULD NOT BE A CRIME to say certain individual words, nor should it put you on any sort of watch list. I mean, if I say "bomb" and "white house" in the same sentence, will we all suddenly be enemy number one? Oops! Sorry, I just did. Have fun with your investigation everybody for reading this message! Yeah, you. You read it. You must be a terrorist. I can hear your handcuffs clinking already...

CallMeLateForSupper • August 16, 2015 12:43 AM

@rgaff
"It depends on how you interpret 'read'...."

I disagree. DNI's boys can do anything they want with foreign/foreign traffic, including searching content by machine or literally reading content, i.e. with human eyeballs.

I take this opportunity to add to my earlier comments. I just finished reading the latest trove of slides up to Page 7 (PDF at Cryptome), a slide titled "Transit Authority". There, the definition of the term is stated:
"SSO programs operating under this* authority have filters
at their collection front-ends to insure only authorized
traffic (i.e. foreign-to-foreign) is forwarded to the DNR
and DNI selection engines (driven by UTT/CADENCE/OCTAVE
tasking)."
*Transit Authority

From that, we understand that the slide update that greatly animated @65535 - "STORMBREW began content collection of SMTP under Transit Authority" - means that STORMBREW began content collection of foreign-to-foreign emails.

Interesting to note "have filters at their collection front-ends". We see that it is NSA's "partners", the telecoms, that separate wheat from chaff. While it is good that telecoms are actually doing something in return for the eye-watering amount of taxpayer dollars they rake in, I would much prefer they forego that money and tell NSA to do their own weeding.

Bystander • August 16, 2015 12:55 AM

@CallMeLateForSupper

Thanks - I missed this one. Still the written is pretty tame, especially when you have an idea of the capabilities of the Narus equipment used and the capabilities of equipment using newer Processors from Cavium.

The capability of doing DPI on a 40Gb connection in real time is a commodity by now and you don't need a lot of hardware for that.

ianf • August 16, 2015 7:00 AM

@Alternative
how can you square the promise of UNTOUCHABLE PRIVACY in the ostel.co FAQ with the hosting server's location being subjected to US gubmint's laws & jurisprudence. Or has the company swallowed some Golden Pill that makes it immune to FISA, etc. summons?

Where are your servers located?
The server is located at Open Hosting, a privacy-friendly provider in the USA. World wide points of presence are under construction. Remember there are no stored call records, each authenticated call uses unbreakable encryption and there are no back doors for authorities.

Bellhead • August 16, 2015 7:37 AM

@sidd:

What you're describing is TSPS (Traffic Services Position System), initially developed in the early 1960s, not too long after the deployment of DDD (Direct Distance Dialing, or customer-dialed long-distance). It was designed to handle toll and special services calls (e.g. collect, person-to-person, credit card, 3rd party billing, etc.) without having to physically route them through manual toll boards. Instead, the operator or special equipment was bridged on the line at a point close to the actual toll route, and only for the duration of the intervention.

That way you could have a lot fewer toll operator centers, as they could be located anywhere and shared between much larger customer pools, resulting in scale economies. The computerized positions would be connected by 4-wire trunk groups to the various originating toll exchanges, and there would be a supplementary concentrating and switching layer within TSPS.

This type of architecture is ideally suited for bugging, and legal interception has been for quite a while performed using similar principles instead of physically connecting a recorder on the subscriber loop. I know that the RCMP had direct access to digital COs through dedicated special trunks quite early, probably in the 1970s, certainly in the 1980s, but I haven't nailed yet hard information. It is certainly easier to implement on digital equipment than on analogue crossbar technology, and much less noticeable to craftsmen or even the customer.

Canadian Telcos had their own version of TSPS supplied by Nortel.

Without indulging in Canadian Rah Rah nationalism, which I execrate, I will note that the "All Red" open-wire transcontinental line in the 1930s, and the construction of a microwave system 20 years later, were both created by a deliberate policy to insure independence from US facilities. There was also a bit of British imperialism involved, especially in the former, as evidenced by the choice of name.

Nowadays much of Canadian internal telecom traffic, in particular IP, is routed through the US, making it trivial and even legal for the TLAs to exploit. There are few incentives for IP providers, in particular the smaller ones, to exchange traffic north of the border. All they need to do is to connect to some US backbone, and they're done. And we're done too.

And that's before you throw in the reckless bill C-51, which is now the law of the land...

uh, Mike • August 16, 2015 9:31 AM

I would like a way to mark packets not to travel over a proprietary network.

Couple that with some carriers who openly denounce surveillance.

Apple sells security from the FBI. Some network carriers can do the same.

America will always have carriers that sell security from the U.S. government. The government might try to force Americans to submit to surveillance, but our friends across The Pond will still demand freedom from U.S./U.K. surveillance, and they will get it. Americans will not settle for less than what the French can have.

John • August 16, 2015 9:53 AM

Most of America would hate AT&T if they didn't help the NSA search for terrorists. Sad, but true.

I've spoken with my extended family about these privacy issues - they simply do not care that the NSA is reading their emails, watching them online, saving all traffic for later. They don't care.

r • August 16, 2015 1:52 PM

Actually, let's not forget who this atnt both is and was... it wasn't too long ago ameritech was investigated and sued by several states for acting like ma-bell. Ameritech bought Michigan bell and others on its way to the top. Ameritech was sued, changed their name to cingular then to sbc, sbc - southern bell - bought the failing atnt and appropriated their name. That retroactive immunity might be the unwritten rule allowing atnt and Comcast to pull off the anti consumer oriented behavior[s] they so often partake in.

More so, on the topic of collaboration - how does a company like Google botch the stagefright patch... or Microsoft pull an oops on the stuxnet usb drive exploit?

These companies want to eat at the table of rabid unbridled capitalism and find a willing partner in the [in]justice department and friends.

My absolute and most sincere apologies for the lack of organization.

rgaff • August 16, 2015 3:30 PM

@John

You, sir, have a family that does not deserve a Constitution. Why don't they move to a country that doesn't have one, like North Korea, since they don't seem to think it's important? Instead of trying to ruin it for the rest of us who care through their apathy.

65535 • August 16, 2015 6:55 PM

@ CallMeLateFor Supper

I mean collect, store and the ability to read all content via a key word search or eyeball search.

I don’t believe “filters” will stop the NSA. The NSA could route the email around the globe, use “call chaining” or "two hops" and other means as an excuse to bypass the “filters” and/or “DNI selection engines” restrictions if they desire.

@ rgaff

“a) "read" refers to literal human eyes seeing it and reading it
“or
“b) "read" means it was all ingested by a system under human control, through which humans run any queries they please, and get back any and all results in real time or later on. Conceptually, morally, and legally, the two SHOULD be the same…” -rgaff

I agree. The two are conceptually the same. In short, the NSA can read all content if they desire with their world wide partners who may not respect the US Fourth Amendment for US persons.

Btw, I still will not be using any more AT&T services due to their close relationship with the NSA.


yeah yeah • August 16, 2015 11:36 PM

At this stage nothing will stop the NSA and their global partners short of a massive EMP or revolution that ousts the complete fascist regime - including the authoritarian partners in government.

And that doesn't seem likely without force due to the rigged two party system that is hard, hard right (Tea Party crazy) everywhere. I'm sure the militarised police and other 1984 junkies aren't gonna let that happen without serious bloodshed.

Basically America and others need to take back their countries from the swine that have corrupted the Constitution and destroyed civil rights. Otherwise, the 99% will continue to eat a shit sandwich on a daily basis.

You're certainly not gonna solve these problems with some fancy new encryption algorithm or piece of hardware, when the entire spectrum of equipment, protocols, hardware, chipsets and so on are hopelessly compromised as shown by disclosures.

The net is simply owned, and the corporates are sucking government d**k on a daily basis, no matter how toxic their agenda.

Sam • August 17, 2015 4:32 AM

@yeah yeah

> the corporates are sucking government d**k on a daily basis, no matter how toxic their agenda.

Two things:

1/ Regulatory capture - it's more of an Ouroboros of board members swapping seats with commission chairs, forming a single twisted snake with its mouth around its own genitals.

2/ The corporations stand to gain quite a lot too, depending on how this works out. In the most basic case, they are telling the government "that backdoor isn't free" and get paid for the development work. More severely, how much do you think MS & Apple stand to make if the only legal operating systems in the US are ones that the government has signed?

Winter • August 17, 2015 4:41 AM

Matthew Green discusses the ramifications in a broader perspective:

The network is hostile
http://blog.cryptographyengineering.com/2015/08/the-network-is-hostile.html


If you believe that [someday a large portion of the world's traffic will flow through networks controlled by hostile governments], then the answer certainly won't involve legislation or politics. The NSA won't protect us through cyber-retaliation or whatever plan is on the table today. If you're concerned about the future, then the answer is to finally, truly believe our propaganda about network trust. We need to learn to build systems today that can survive such an environment. Failing that, we need to adjust to a very different world.

What we have been saying for a long time: It is time that the national Intelligence Communities step up to their task of protecting their compatriots, instead of making them more vulnerable.

ianf • August 17, 2015 4:53 AM

@John whose “extended family doesn't care... that the NSA is reading their emails”

Apt insight of Gore Vidal's, by way of his biographer in The Guardian:

Happily for the busy lunatics who rule over us, we are permanently the United States of Amnesia.

65535 • August 17, 2015 4:54 AM

@ Schlapphut

‘But what about Microsoft? I find the reports about Windows 10 phoning home to Redmond whenever it feels like it quite alarming. At least in the earlier versions you had some illusion of control in the update settings.‘

Windows 10 leaks information like the Titanic. The OEM root kit is a non-starter for some people and they will not touch it [an OEM hardware component and MS software component]. We discussed it tangentially on a couple of threads. It was addressed on HN, Slashdot, and Ars Technica.

The Win 10 root kit could be like the Sony root kit scandal or it could become muted like NSAKEY problem in Win NT 3.5 to NT 4 [NSA public key embedded in Windows crypto library to phone back to the NSA].

See:
https://en.wikipedia.org/wiki/NSAKEY

LessThanObvious • August 17, 2015 2:55 PM

@skeptical

"I wonder which is greater - the odds of the content of one's email being read by a human being at NSA, or the odds of being attacked by a shark."

It's the WireShark that we are seeing attack large numbers of people. It's hard to quantify the damage though. It just takes a little bite of your data and if it doesn't taste like a criminal or terrorist then it spits it out and stores it in case it needs further evaluation. Some people do limit their exposure because they find even small bites to be quite frightening and unnecessary. The government is pretty confident that these small bites don't interfere with the rights of free people to express themselves in the digital ocean, but others see the very existence of the constant threat of WireShark attack to abridge the freedom of speech.

later_tater • August 17, 2015 3:43 PM

@ Schlapphut

Most consumers have moved onto mobile devices of some kind with desktop/laptop use declining outside of businesses. People are getting used to living/working without Microsoft right in front of them. It's not going to happen overnight, but it's happening.

@Skeptical,

ATT does long haul service. Anything like email routed through their networks is fair game for domestic surveillance. So, your number is very likely false.

Not There Anymore • August 17, 2015 7:46 PM

@Schlapphut

"But what about Microsoft? [...] The quid pro quo for Bill Gates could be a quiet assurance that in the case Windows 10 proves to be a dud, and the company fortunes become dramatic, it would never be let down by the US Government."

I think you have the direction of force almost backwards. Do you remember the 1990s, when Microsoft suddenly found itself in the bad graces of the government? Company executives started spending large amounts of time in courtrooms, facing hostile government lawyers in front of hostile government judges. The government openly discussed its desire to break the company into pieces.

I don't know of any evidence of the government propping up Microsoft, but I think it became pretty clear to the company what sort of bad things can befall you when you fail to accede to government requests. "It's a nice business you have here. Shame if anything were to happen to it."

not_really • August 18, 2015 9:49 AM

@rolf weber

Many opportunities exist to harvest email besides the client-server protocol. By its nature, it's extremely insecure as it wasn't ever really a priority. That's no one's fault, it is just how it happened.

We don't know if the NSA has compromised STARTTLS. We know the Five Eyes are extremely determined to develop compromises to apparently robust encryption.


Sancho_P • August 18, 2015 4:50 PM

@Rolf Weber: ”Because of today's wide use of STARTTLS ...”

- yep, thanks to (y)our friend Edward Snowden!
Cheers, Ed!

However, STARTTLS only prevents the stalker at McDo’s free WiFi from reading Susi’s comm between her laptop / phone and her provider [1].
But this isn’t “big scale” (hopefully ;-).
All the way from her provider to the recipient’s provider is fair game.
Now this is called “big scale”.

[1] The same is valid when using a webmail interface with https.

Rolf Weber • August 19, 2015 3:23 AM

@not_really

Of course other opportunities exist. But none that works on a big scale. And even with the Snowden documents there is no single hint NSA could break current, state-of-the-art encryption.

And I don't agree that email is inherently insecure. Quite the contrary, with enforced STARTTLS it is quite secure because by its nature, with STARTTLS even the metadata is safe from eavesdroppers.


@Sancho_P

I absolutely agree that the wide deployment of STARTTLS is one of the very few good Snowden effects.

But you are wrong with the claim that emails between providers are fair game. Email servers use STARTTLS as well to exchange emails.

John • August 19, 2015 3:53 PM

@rgaff:
Nice of you to be the constitutional expert for the world. Thanks! Sadly, other US courts have decided these activities were mostly legal, if not entirely so.

While I agree with you, that hardly means that people who are NOT privacy experts and don't understand the implications just think other parts of their daily lives are more important than some abstract idea that hasn't caused any clear harm they can see.

Again - thanks for being THE expert on this topic. Much appreciated.

Sancho_P • August 20, 2015 4:10 AM

@Rolf Weber: ”Email servers use STARTTLS as well to exchange emails.”

Any proof / link (worldwide)? I think this may be true in “civilized” EU where “lawful” interception already takes place at the provider (including “fair use” agreements of data and server keys between agencies).
STARTTLS is a feature, AFAIK (if!) it is advertised by the receiving server on connecting the sender may use it or not, it’s not mandatory.
I hazily remember the outcry of “safe emails between German providers” some months aS (after Snowden), so Germany may be “lawfully safe” …

Dirk Praet • August 20, 2015 8:23 AM

@ Sancho_P, @ Rolf Weber

"Email servers use STARTTLS as well to exchange emails."

Many only started doing so post Snowden or after public pressure from users and security researchers like Christopher Soghoian. And still you'd be surprised just how few companies actually do. SMTP is an inherently insecure protocol dating back to an age when emails were exchanged over non-public networks. Fondly I think back of the days when I sent steamy emails originating from pamela.anderson@baywatch.com to a gullible co-worker.

Despite layer after layer of authentication and other security improvements that over time have been bolted upon SMTP, the sad truth is that any message is still as secure as the weakest hop in the delivery chain, and which you have no control over. Over the years, I have done countless Sendmail, Postfix, Notes, Netscape (iPlanet/SunONE) and M/S Exchange installations at customers ranging from small businesses to large enterprise accounts and government organisations. From a security vantage, all of them are a nightmare to configure and maintain, and that's even without bringing spam and viruses into the equation.

We may have different opinions on other issues, but calling SMTP secure is not an opinion, it's just not true and I doubt you'll find even one subject matter expert claiming the contrary.
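
[Added example, not part of any comment in this thread.] The STARTTLS exchange above between Sancho_P, Rolf Weber and Dirk Praet turns on whether each hop of a delivery was encrypted. This Python sketch reads a message's Received trace and classifies every hop by the RFC 3848 "with" keyword (ESMTPS, ESMTPSA and so on); the message, hostnames and addresses are constructed, and the function names are this example's own.

```python
import re
from email import message_from_string

# Constructed message: encrypted submission from the laptop, plaintext relay
# between the two providers, then local delivery. Received headers are
# stored newest first.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
    by store.recipient.example with LMTP id abc123;
    Tue, 18 Aug 2015 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
    by mx.recipient.example with ESMTP id def456;
    Tue, 18 Aug 2015 10:00:02 +0000
Received: from laptop.local (unknown [192.0.2.55])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by out.sender.example (Postfix) with ESMTPSA id ghi789;
    Tue, 18 Aug 2015 10:00:01 +0000
From: susi@sender.example
To: bob@recipient.example
Subject: constructed test message

hello
"""

_COMMENT = re.compile(r"\([^()]*\)")
# RFC 3848 style keywords: an "S" after the base protocol means TLS was used.
_WITH = re.compile(r"^(?:UTF8)?(?:E?SMTP|LMTP)(S?)A?$")


def _strip_comments(text):
    """Remove (possibly nested) parenthesised comments, innermost first."""
    previous = None
    while previous != text:
        previous, text = text, _COMMENT.sub(" ", text)
    return text


def _field(keyword, text):
    """Return the token following 'from', 'by' or 'with', or None."""
    match = re.search(r"(?:^|\s)%s\s+(\S+)" % keyword, text, re.IGNORECASE)
    return match.group(1) if match else None


def classify(protocol):
    """Map a 'with' keyword to 'tls', 'plaintext' or 'unknown'."""
    match = _WITH.match(protocol.upper()) if protocol else None
    if not match:
        return "unknown"
    return "tls" if match.group(1) else "plaintext"


def parse_hops(raw_message):
    """Return the hops in delivery order (oldest first)."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    for value in reversed(received):
        text = _strip_comments(" ".join(value.split()))
        text = text.rsplit(";", 1)[0]  # drop the trailing timestamp
        protocol = _field("with", text)
        hops.append({
            "from": _field("from", text),
            "by": _field("by", text),
            "with": protocol,
            "transport": classify(protocol),
        })
    return hops


def unprotected_hops(hops):
    """Hops that did not record TLS: the weak links in the chain."""
    return [hop for hop in hops if hop["transport"] != "tls"]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        print("%(from)s -> %(by)s: %(with)s (%(transport)s)" % hop)
```

A hop marked tls only means the receiving server recorded a TLS session; opportunistic STARTTLS commonly does not validate the peer certificate. Received lines written by servers outside your control can be forged, so only the hops added by infrastructure you trust are evidence.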

P/K • September 2, 2015 12:05 AM

For those who are interested, I prepared an extensive and detailed analysis of the new, as well as the earlier released documents about the FAIRVIEW program:
http://electrospaces.blogspot.com/2015/08/fairview-collecting-foreign.html

Remarkable is that although there are quite a lot of access points to the AT&T backbone switches, relatively small numbers of data are collected, but these data appear to contain a lot of valuable information, as the program is second in the number of product reports.

It's also not the case that FAIRVIEW massively ingests Americans' communications: for collection under Transit Authority there are IP filters right at the AT&T tapping points that make sure only foreign communications are forwarded to NSA. Collection under 702 FAA and FISA is by itself targeted at specific mail addresses and similar selectors.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.