Visiting the NSA

Yesterday, I visited the NSA. It was Cyber Command's birthday, but that's not why I was there. I visited as part of the Berklett Cybersecurity Project, run out of the Berkman Klein Center and funded by the Hewlett Foundation. (BERKman hewLETT -- get it? We have a web page, but it's badly out of date.)

It was a full day of meetings, all unclassified but under the Chatham House Rule. Gen. Nakasone welcomed us and took questions at the start. Various senior officials spoke with us on a variety of topics, but mostly focused on three areas:

  • Russian influence operations, both what the NSA and US Cyber Command did during the 2018 election and what they can do in the future;

  • China and the threats to critical infrastructure from untrusted computer hardware, both the 5G network and more broadly;

  • Machine learning, both how to ensure a ML system is compliant with all laws, and how ML can help with other compliance tasks.

It was all interesting. Those first two topics are ones that I am thinking and writing about, and it was good to hear their perspective. I find that I am much more closely aligned with the NSA about cybersecurity than I am about privacy, which made the meeting much less fraught than it would have been if we were discussing Section 702 of the FISA Amendments Act, Section 215 the USA Freedom Act (up for renewal next year), or any 4th Amendment violations. I don't think we're past those issues by any means, but they make up less of what I am working on.

Posted on May 22, 2019 at 2:11 PM • 58 Comments


RonnieMay 22, 2019 2:26 PM

Because I was curious:

When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.

Bruce SchneierMay 22, 2019 4:04 PM


Right. So basically I can use the information I learned in my writings, but I can't say things like "the NSA said..." or -- even worse "this particular person at the NSA said...." I am finding this rule increasingly used for meetings where people who don't want to be quoted nonetheless want to be able to speak freely.

ThunderbirdMay 22, 2019 4:58 PM

I was unfamiliar with the term until I looked it up too. I guess there needs to be a fundamental level of trust between the participants for this rule to work, much like "off the record" for journalists.

I assume the compliance mechanism is people's concern about their reputations, so in much the same way they are people that are "libel proof" (because their reputation is so bad it can't be tarnished) are there people that are "Chatham proof" because no one in their right mind would trust them?

BaspMay 22, 2019 5:31 PM

I find myself by default assuming the NSA defaults to domestic surveillance for domestic security, so I struggle to see how the NSA can improve domestic cybersecurity (absent areas such as voting infrastructure) without some FISA-esque excuse to spy on U.S. citizens.

justinacolmenaMay 22, 2019 5:56 PM

That's too much clearance for a critic of social surveillance & authoritarian government.

Section 702 of the FISA Amendments Act, Section 215 the USA Freedom Act (up for renewal next year), or any 4th Amendment violations.

The laws enacted by Surveillance Party politicians simply do not measure up to the 4th Amendment.

You need the 2nd & 3rd Amendments as context for the 4th, too.

The privacy gist from the Bill of Rights is that we the people own guns, and soldiers & cops are not to have the free run of our homes.

IsmarMay 22, 2019 7:57 PM

IMHO these meetings are very important for the society at large.
I was wandering, Bruce, if you used the opportunity to tell them that they cannot expect the full cooperation from security experts while continuing to erode our privacy?

Bruce SchneierMay 22, 2019 9:11 PM


"I was wandering, Bruce, if you used the opportunity to tell them that they cannot expect the full cooperation from security experts while continuing to erode our privacy?"

Not in those words.

Not because I don't believe that -- or that they don't know that I think that -- but because the topic didn't come up.

We did talk about trust, and what they could do to rebuild it. It's something they're concerned about, and talk about publicly. It's probably one of their motivations for hosting groups like ours in the first place.

Bruce SchneierMay 22, 2019 9:14 PM


"I was unfamiliar with the term until I looked it up too. I guess there needs to be a fundamental level of trust between the participants for this rule to work, much like 'off the record' for journalists."


For example, I sent this blog post to their office. Less for approval, and more for "is there anything you would like changed." They asked for one change. In my original draft, it read like Gen. Nakasone was the one who discussed the three bulleted items. Those were in fact agenda items for the whole day, and their rewrite made that clearer.

I'm not sure what I would have done if they asked me not to mention that I met with Nakasone. On the one hand, it was something I felt like I needed to disclose. On the other hand, if I said it against their wishes it would have probably been my last invitation.

And that's how access to privileged sources corrupts.

JonKnowsNothingMay 22, 2019 10:01 PM

I dunno whether to be impressed or appalled. While I'm sorting that out...

There is an old adage (from I dunno who) that in The Game there are really just 2 things:

1. What you know (but don't want to tell)
2. What you don't know (but would like to)

I wonder if you spent any time reading tea leaves and figuring out which parts you actually learned from them and which parts they harvested from you?

Asking or discussing topics exposes both sides: the Knows from the WannaKnows.

Asking about what you know often reveals what the other side is missing or can give them the hints on how to fill in the blanks.

It's a tricksy proposition and when you go up against Real Pros - Personally, I wouldn't stand a snowball's chance on the arctic with any of them. Hope you did a whole lot better and got far more than they did.

Today's You Can't Believe It but It Might Be True

ht tps://
(url fractured to prevent autorun)

... an alleged attempt by a US Navy prosecutor to plant malware on the devices of US Air Force lawyers ...

If they can't keep the toys from the boys - why would anyone build "TRUST" with them?

NOnamesRareCommentorMay 22, 2019 10:07 PM

The power of the Pyramid.

Sometimes it is best LEFT alone.

Ismar May 22, 2019 10:48 PM

“We did talk about trust, and what they could do to rebuild it. It's something they're concerned about, and talk about publicly. It's probably one of their motivations for hosting groups like ours in the first place.”

One option for rebuilding the trust is to have an independent body overseeing their work consisting of people like you Bruce - people who have both integrity as well as technical knowledge to do the job right

65535May 23, 2019 2:16 AM

"...I am much more closely aligned with the NSA about cybersecurity than I am about privacy, which made the meeting much less fraught than it would have been if we were discussing Section 702 of the FISA Amendments Act, Section 215 the USA Freedom Act (up for renewal next year), or any 4th Amendment violations. I don't think we're past those issues by any means... Bruce S.

If I am reading you correctly you and the NSA are a "little" closer on some points but on others like Privacy, Free speech, the Fourth Amendment, the denial of Jewish cryptographers being band from ligit crypto meetings in the USA and the possibility of the NSA and all of its tentacles, CIA, FBI, DEA unlawfully spying on American citizens - you are not close.

I do think the real life big picture is blurred by such three letter agencies as the NSA. Further the NSA and other three letter agencies have support a rather large economic group of malware venders and brokers with mountains of money. When the Snowden files were exposed you were not so happy with the NSA and I agree.

I remember you saying you writing:

"By ensuring an insecure Internet for everyone, the NSA enables companies like Hacking Team to thrive." -Bruce S.

"I agree. I believe we are seeing an inflated or bubble market for Botnets/virus builders around the world. It is a coalescing borderline criminals with law enforcement..." -65535

Time seems to smooth the jagged rocks of disagreement. I do realize you are elated to rub elbows the "big Guys" or should I say "Guys with inflated heads" but I am not so sure about it - or if the elation will last long. We will have to see.

@ justinacolmena

"That's too much clearance for a critic of social surveillance & authoritarian government.... The laws enacted by Surveillance Party politicians simply do not measure up to the 4th Amendment. You need the 2nd & 3rd Amendments as context for the 4th, too."- justinacolmena

I agree, the NSA's powers and bloated budget doesn't justify what bad things they do and the trampling of the US Constitution - in the big picture.

I never have seen hard evidence of these 3-letter agencies helping the average Jane/Joe live a better life or feel more protected in the last ten years. I feel just the opposite. These TLAs just make people suspicious of their activities and less at ease.

@ JonKnowsNothing

"I dunno whether to be impressed or appalled. While I'm sorting that out..." - JonKnowsNothing

I mostly agree.

I am even surprised that Bruce S. let the NSA edit any of his post. He has got the EFF on his side. Any editing by anyone is not like Bruce.

The "Chatham House Rule" is well and good but are both sides playing by those rules? I doubt it.

The NSA can record Bruce S. and other people with impunity. They NSA can share information with anybody all the way to the President of the United States. It doesn't stop there.

The NSA can share anything Bruce S. says with the Five-eyes. Those countries could make life very unpleasant for Bruce S if they wanted to. They could easily play "Good cop - Bad cop" and nobody could prove otherwise.

I don't think the "Chatham House Rule" means anything to the NSA. They can play a very dirty game. And, they get away with it.

I will have to sleep on those questions and figure it out tomorrow.

Clive RobinsonMay 23, 2019 2:59 AM

@ Bruce,

... all unclassified but under the Chatham House Rule.

Some years ago now I was increasingly seeing the "Chatham rule" comming up. So not only did I look it up, I spoke to the corporate lawyer. I won't repeate their full reasoning but the upshot of what they said was "you would be significantly ill advised to go".

Essentially the reasoning rested on legal "privilege" or more correctly the imbalance of it.

Since then I've looked into those who have asked for such meetings and it can be a bit of an eye opener. Whilst those meetings that are "amongst equals" you can usually see a clear need, it's the others. All to frequently it is used by those who have "privilege"[1] already, where as you have little or none thus they are effectively further hand-cuffing you, as they can use it against you in more waus than there are hours in the day.

The gaging of those reporting on Government in various ways is becoming more and more insiduous every day. It should not matter if you are an activist, WasPo journo through to an ageing History proffessor writting a book that few will ever read, your credability rests on the verifiability of your sources. If your source asks for deniability then either drop them or find other ways to get verifiability before alowing what they tell you to taint your senses.

At the end of the day the credability of a reporter of record is defined not by what they have acurately reported in the past but what they have not accurately reported, the reason for any inaccuracy does not matter, it is still a rock on which reputation will flounder.

I know that modern MSM appears to nolonger play by those rules, but just because one clique behaves like a group of thugish drunks at a party, it does not excuse anyone else behaving that way. Thus it's perhaps best to refrain sipping from that poisoned chalice.

[1] Who has privilege and who does not in any jurisdiction can be difficult to work out. But as has been reported about senior military and intelligence officers having the right for "national security" to lie or misleed judicial proceadings, it's fairly safe to assume that as a result they have in effect have a level of "privilege" most do not.

IsmarMay 23, 2019 3:04 AM

I general I disagree with your approach here as you are not being very constructive and trying to muddy the waters further.

Moreover, as somebody who has been on the receiving edge of the unwanted attention of the government agencies and have been a victim of their hacking (for example I had a rootkit malware installed on my mobile phone years before it was legal for any of the gov agencies here in Australia to do so. This was done at my workplace by a person from a third country to avoid any legal consequences - common practice among spy agencies of Five Eyes countries) I feel obliged to voice my opinion here.
Despite all of this (and a lot more), I still think that the approach Bruce is advocating is the only right way to rebuild the trust between our countries people and its government agencies. Cause, let me tell you that after all I'd rather be spied on by a well supervised professional then by one of the MSB's mercenaries or such.

Clive RobinsonMay 23, 2019 3:18 AM

@ JonKnowsNothing,

Today's You Can't Believe It but It Might Be True

Knowing what went on in the UK after "tin pot jodsworths" got investigatory powers under the UK Regulation of Investigatory Powers Act (RIPA) I am more surprised that we have not heard of such behaviour befor.

The real question now of course is where does the trial go from here, in essence the defendent has had their "privilege rights" violated, thus can nolonger receive a fair trial. At one time judges were not averse to declairing mis-trials when such behaviour occured. However in this current "hang em high" environment when it comes to whistle blowers a certain mentality for "Show Trials" has set in, in which judges will play their part willingly or not, less they face "starvation".

EvanMay 23, 2019 7:16 AM

I don't think it's possible to rebuild trust with the NSA. In the past they've shown a complete unwillingness to be constrained by the boundaries of law, ethics, or good taste, no matter how permissive the law may be, and it's been repeatedly shown that the US intelligence community employees are willing to abuse the agency's capabilities for their own personal and political ends, to cover it up when it occurs, and to lie to the public and punish whistleblowers who point any of this out. Therefore there's no credible way for them to convince us they are changing behavior in any meaningful way. The only remaining conceivable obstacle to government overreach is technical: free access to strong personal cryptography, and they are unwilling to stand up for that right - even though securing America from cyberattack is supposed to be a core part of their mission.

In a major cyber conflict, the fact that pretty much everything in America is going to be vulnerable by design is going to be a major problem, and a lot of the responsibility for the current state of affairs lays at the NSA's feet.

AlejandroMay 23, 2019 7:52 AM


Re: "NSA defaults to domestic surveillance for domestic security,..."

Me too.

Seems one result of the Snowden Revelations was a whole new layer of domestic surveillance laws, with FBI somehow getting direct access by law. That's not hardly benefiting cybersecurity ...of peasant users.

Also, I always thought NSA's job was to break cybersecurity every which way, except for them.

Not a fan.

2^128May 23, 2019 9:44 AM

Since @Bruce visited the NSA, we can't trust him any more.
They probably swapped him to the lookalike copy who will
now introduce all kind of weaknesses and backdoors inside
the cryptographic protocols. Original Bruce will be kept in the
freezer, they need his brain :)

FaustusMay 23, 2019 9:48 AM

@ Bruce

You sound excited about your trip. I have concerns about critics being coopted by organizations like the NSA, but why rain on your parade? I hope the following is only a drizzle...

For me, CERN wuld be the dream visit, and I would probably happily visit them even if I thought they might create a black hole that would consume the Earth.

Humans are wired to value association with "alphas", renowned for their power, achievements, or simply their fame. You are and have been a leading advocate for privacy. I politely suggest that you try to remain conscious of the psychological, social and economic factors that may be coming to influence your positions.

There are many people who unwittingly sell out for money, power, or prestige. We pro-privacy, pro-cryptography, PRO-LIBERTY people need you on our side. The NSA may be dedicated, may be accomplished and may have gallons of rationalizations, but, to me, they clearly fall on the side of power at the expense of liberty.

Bruce SchneierMay 23, 2019 10:00 AM


"You sound excited about your trip. I have concerns about critics being coopted by organizations like the NSA, but why rain on your parade? I hope the following is only a drizzle... "

I like to think that I am pretty resilient against being co-optd, but -- as 2^128 said -- I might have been replaced by a body double.

Security SamMay 23, 2019 10:15 AM

The stallion has escaped in the meadows
The keymaster is searching iN the shadows
The core iS the reflection of dark windows
That stares out At the ocean of minnows.

James TMay 23, 2019 11:20 AM

Please forgive my ignorance about Computer security. Most times I feel like the child sitting at the kids Table. Watching and listening to the adults, sitting around the main Table.
I am not a big NSA fan myself but am beginning to wonder if it isn't a nessary evil. With technology advancing at such a staggering pace. The ability to do so much with so little. Computers getting more powerful with so many places to hide memory. Who can keep up? Is there anyone that can explain what every Electronic part is and what it does? Then understands the complete complexity of the Software that runs on it? While understanding that a "Air Gapped" Computer means nothing anymore.
China makes most of the Micro Components now.
Assembles the Boards and ships them here. Who checks this Hardware? I mean REALLY checks it? Who goes through the Code? Is it line by line or some generic program? What could happen if a hidden backdoor was placed in the Chipset? That activated once hooked to the internet, then completely deleted all traces of itself? What could be done with Kernal level access or maybe would could not be done? Can anyone tell me that this is impossible?
Just feels like its pre WWII and we are ordering all our Military Hardware from Germany and Japan. Please notice all the question marks. I'm nowhere near most peoples knowledge level who posts here but I'm trying to learn. I would really like to know what Clive thinks about this. The view from the kiddy table is, He is the Super Smart Uncle that we all want to be like when we grow up. Sadly, that ship passed many Years ago.

Clive RobinsonMay 23, 2019 11:24 AM

@ All,

Whilst I can quite understand the feelings many have against the SigInt agencies, they do unfortunatly have two sometimes three or four mandated personalities, some from the outset others get aquired with time.

It often ends up that these multiple personalities are in conflict and rather than rendering the organisation a visable "basket case" as you might expect, the stress and fracture lines exhibit in other less seen ways. Thus you get internal "organisational capture" and "turf wars" that are fed by personality type issues exacerbated by the missuse of internal security procedures etc to cover up such rank abuses and "illegal orders". Thus these places are not healthy to work in above a certain level, and many of the staff are there because they are keeping their heads down and "ticking over to pension". Which makes them not only easy to abuse, they are also compliant with such abusers, to avoid getting hamnered down.

A lot of this came to light in the UK back in the 1980's shortly after I had left "employment from the public purse" because I could see the way the wind was blowing. The then UK Prime Minister "Mad Maggie" Thatcher, was determined to destroy trade unions, and with GCHQ tried to introduce further draconian measures that would have made the abuse worse. This was we later found out actively encoraged by the US under the so called "special relationship". A significant number (something like 150) of employees refused and were preasured in various ways, including loss of pension and the sacking of others selected because they had little chance of equitable re-employability (only one of whom made it back into ordinary employment).

It became a very bitter and longterm dispute as a result a lot of "dirty laundry" came into the light in various ways. Including insight as to managment style and behaviour in the NSA who believed that they should have full rights over UK civil servants to abuse and sack them but of course no responsability or liability towards them. Part of which was epitomized in Mad Maggies demands that GCHQ staff could never have legal standing of any kind. This got watered down to no standing under employment law or access to tribunals, no matter what the complaint. This shocked not just Mad Maggies own party, it caused all other parties to combine in universal condemnation.

Such behaviours are very indicative of the type of personalities and their types incharge of SigInt organisations at the time, and from what has leaked since little appears to have changed.

This needs to be remembered when talking about the bulk of those working in SigInt agencies, and one of the reasons why those with abilities and more normal personality types realise they would be better off outside of such organisations. Which is just one reason why the SigInt agencies lack the talent they need. Oh and politicians deciding the direct staff numbers need cut backs does not help. Further how can you expect those left to perform let alone consider "lawful order" ethics when they are continuously having to look over their shoulders just to get health care and living pensions...

Oh and don't forget it's open season on not just whistle blowers but those who bring these "embarrassments" into the light for public scrutiny...

albertMay 23, 2019 11:44 AM


Would you discuss the first point?

"...Russian influence operations, both what the NSA and US Cyber Command did during the 2018 election and what they can do in the future;..."

. .. . .. --- ....

James TMay 23, 2019 12:00 PM

I neglected to thank Mr.Schneider for this form. I want to say Thank You, your site may have saved my sanity. 4 to 5 years ago I began dealing with a Computer problem I didn't understand. I went to countless "Professionals" using that term very loosely! I explained what was happening on my Computer. Time after time I was told, " that's impossible ".I began to wonder if I was just going crazy. I had given up hope when I found your site. I looked back in your archives, lo and behold, I wasn't crazy after all. Don't want to get into it because I'm still on a leash.
So Thank You Sir for having this form where common people like myself can find cutting edge security information. I still think common people like myself are setup for failure in Computer Security. At least you give people a chance fight while going down! Seems to me You still care about people, that's a rare thing in this day and age.

Rick WebbMay 23, 2019 12:33 PM

Is this the premise of the next movie plot contest ?

Bruce visited the NSA and was swapped with a body double.
The real Bruce is inside the NSA and the fake Bruce is outside.

What happens next ?

JonKnowsNothingMay 23, 2019 12:59 PM

re: Movie Plot

I think it might make for a great story. Who would play Bruce?

extending the plot line some:

Topics A B C D discussed in secret.

Bruce expert at A B
Bruce knows some of C
Bruce doesn't know about D (hmm wonder what D would be?)

Happy to have met some Big Dogs Bruce continues helping EFF and Privacy foundations not realizing that every single electronic device on his person, home, car, office has new embedded tracking with audio and video RT links. (Thanks PeterT)

So Bruce goes to new meeting with Privacy Folks reviewing the newest SnowFall Documents where he encounters details of D. DIRE THUMPING MUSIC!

But he cannot say anything at all about D because it was the topic of NDA.

Worried that Bruce might be tempted to save the world: the DNA Master Crisprs doppelganger Bruce which fools his work place but .. (drum roll) does not fool his fans and supporters.

Pings Around the World search for Bruce via his embedded ID signal and find he is hidden in a Rendition Site in UnPleasantLocation.

Using Drone Technology his fans and supporters send in Waves of Dronelets to confuse the AI system and rescue him to a safe place via Dolphin Travel.

Unfortunately Bruce still is not able to describe hint or tell about D because everyone on the planet would then face US Espionage charges and we would all be executed or assassinated.

Room for 101 sequels and 2001 prequels and 501 spinoffs.

JonKnowsNothingMay 23, 2019 1:21 PM

re: fracturing URLs

disclosure: I am not a browser specialist nor js junkie. Others know much more than I do: see Name.

While standards are standards there are some standards that are less than others. Rather like a pig pen.

Browsers and their makers can parse and pre-fetch links and log them into history files. Some websites and apps will do this. Adware can do it too.

Any page with links can be parsed for them. FB logos contain code that will harvest data from the page you are looking at even if you are not a FB member. While they often harvest metadata about you, the links on a page are of interest because you might Go There.

The Adware industry micro-auction system puts you up for sale based on either where you are or where you are going (like clicked) or where you might go (haven't clicked the bait yet).

Breaking a URL is much like obscuring an email address from page harvesters. Which used to be called Spidering but now with Robots.Txt the spidering is blocked however there's no reason why a browser has to honor Robots.Txt.

There are unlimited methods of Link Spoofing too.

There are some countries and governments who have declared that certain documents, webpages and information sites AutoQualify you as a BadHombrette/Hombre. Breaking the URL even on an innocuous link puts you back in control of whether you want to visit the site or not.

Of course the break isn't that hard to repair or parse the text for. It's almost cosmetic in a way. I like to think that if you want to read the topic you can see where you are really going and elect to go there.

You can't know if you got Link Spoofed unless you find out the hard way.

Petre Peter May 23, 2019 2:30 PM

If the NSA decided to work on trust, they might become part of the solution instead of being part of the problem.

Clive RobinsonMay 23, 2019 2:46 PM

@ Petre Peter,

If the NSA decided to work on trust, they might become part of the solution...

Part of the NSA charter makes them "part of the solution" but only for the US Gov...

However I would argue that as those that pay into the US tax coffers "pay for this work" they are entitled to have a share in this work.

Now as a non US citizen you might think I was not entitled to a share of that work. However I would contend that as I have previously contributed to US Companies who pay US State and Federal taxes on many occasions I too have a right to what the US Gov has spent my money on that has already had my own local and national taxes payed on it.

Thus I think the NSA should pony-up on that work (especially as I did some of it several decades ago without getting paid by them for it :-(

FaustusMay 23, 2019 2:47 PM

@ Jon

Another option for at least some browsers is installing an add on that prevents prefetching.

I think you make a good observation but pages full of broken links sound hellish.

Another option is obfuscation. Track Me Not sends random google etc searches, hiding your interests in chaff. Adnauseum clicks on every ad link in the background while suppressing the ad display.

This book is an interesting treatment of obfuscation for privacy:

FaustusMay 23, 2019 2:49 PM

@ Jon continued

Crap! I forgot. Prefetching is usually controllable in browser preferences.

BaspMay 23, 2019 3:28 PM

@Petre Peter

I don't see how trust-building on the NSA's part will work while trust-breaking continues to go on (in the form of lobbying for ever-greater Domestic surveillance authorities and, separately, compulsive use of doublespeak for colloquial uses of "spying" and "surveillance" in public statements made in press releases and to reporters).

lurkerMay 23, 2019 5:19 PM

@ Bruce

China and the threats to critical infrastructure from untrusted computer hardware...

I'm simple-minded, I thought hardware could be vetted, and there's a relative difficulty in post-facto installing hardware backdoors, &c. So the problem (as always) is the matter of trust. (Yes, I read the other article about Cisco's Trusted module...) and the simple mind says NSA don't trust themselves to be able to find problems in Chinese hardware, or software. The Brits think they can trust themselves to find problems, and they have. Mostly the same sort of problems I found when tinkering in the innards of a couple of Huawei phones.

If the stuff is so complex that third party dependencies result in several different versions of, eg. ssl scattered thru the system, is it the 3rd parties we should not trust? Because their leverage is so strong on the prime vendor that such shoddy version control becomes the norm? Or would you rather buy from a monopolist who keeps all development in-house secret?

Geoffrey NicolettiMay 23, 2019 5:32 PM

I would have placed this one on the host's lap...

Can the DoD come into contractual agreement to defend private contractors (defense contractors with classified data) in order to do two things: (a) keep the Chinese out and (b) avoid giving the defense contractors the DoD's best cyber weapons (to keep the Chinese out) but run the risk of exposure of such weapons to many persons?
Sure, insure the defense contractors defend themselves and give them second-rate tools to insure the Chinese will still get in.

JonKnowsNothingMay 23, 2019 6:55 PM


would you rather buy from a monopolist who keeps all development in-house secret?

Open Source software had the good intention of being a place where things useful to the planet could be built by-passing the various forms of programming censorship.

Note: Good Intention

That good intension has gone out with the bathwater once it was uncovered that folks who do NASty Stuffs were using the Open Source systems for .. well.. NASty Stuffs.

When this was complained about the Whole Open Source Chorus yelled: OPEN SOURCE means any dog with a fleabag can use it.

The "monopolist" doesn't "need: to share but G/M$/EatAll get enough $$$$$$$ to hide their true projects from the folks writing the code. Once discovered a lot of those disgruntled employees face NeverWorkAgain Black Lists.

There is no place safe from NASty. Well, the only safe code is obsolete code that belongs to things like R2R Tape Drives and 10-8-5 floppy disks but probably those are still in use in our USA National Mountain Bunker.

Climate change doesn't matter but Wall Street needs to be up and running the day after.

Clive RobinsonMay 23, 2019 6:58 PM

@ James T,

I would really like to know what Clive thinks about this

Depends what you mean by "this" some of my thoughts would require more "Not Suitable For Work" asterisks etc than I would care to type ;-)

However of your specific questions,

The ability to do so much with so little. Computers getting more powerful with so many places to hide memory. Who can keep up?

Not even the NSA, GCHQ et al can keep up with every chip etc, and they very likely don't bother. That is they would take a more select view on certain key components like faults in RNG's in embeded systems. Which is what most routers basically are. They would then get into "the next node up" from target systems. Because routers especially at the consumer level are very rarely if ever either turned off, upgraded or checked in any way. Thus they make ideal places to "hide and observe" because often with SoHo systems all comms goes through them anyway even if it's just from your local NAS box file server to your WP on your PC and back to your printer etc.

There are ways to mitigate this if you know what to do with actual "configurable switches" and the likes of Intrusion Detection software running via an "invisable data diode"[1] on the connection between the switch and your gateway router. If you have a search on this site for "Gardrn Path" you will find a description of a similar set of mitigations for your gateway router.

At the end of the day nobody can know all the "individual instances" of hiding locations or vulnerabilities. What you stand some chance of keeping up with is the "various classes" of locations and vulnerabilities. If you then mitigate "classes" not "instances" you stand a chance of keeping up in a full time job. But that's not necessary if you mitigate at a higher level. For instance keep your sensitive work on a "gapped system" then use a carefully mandated "gap crossing method" where you first encrypt on the gapped machine then use some easily disposed of carrying medium (print to paper and OCR and checksum for errors on) to the comms PC. You can easily liquidize the paper into "fire brickets". With a little care / OpSec your risk goes down considerably, but such methods don't scale above "personal" use. With such systems you also need to practice a hightened level of "physical security" because if you become a "targeted" person of interest, "They will come-a-knocking" there are various conversations with @Nick P and others about how to deal with this. In principle they come twice, the first to "intel gather" armed with intel they develop various hardware implants etc and then come and implant them. The older or rarer the kit you use, the harder you make their task. Like a number of hardware engineers and quite a few makers I have lots of custom prototypes just littering the junk boxes and other places, any one of which might serve a security function... It is after all a little difficult to "implant" a hand wired open PCB contact (dead flesh) keyboard and a little thought makes that even harder for an attacker (open switches are kind of immune to various Hi-Pot tests whereas the best of electronics are either not immune or show up as part of those and other tests). They would then almost certainly try another approach such as one of many "end run" attacks like hiding sound or audio equipment to try and catch you in the process of entering/reading your private communications.

While understanding that a "Air Gapped" Computer means nothing anymore.

It does and does not, it's the old traditional name, and some which are also in locked server rooms with power conditioning and sound proofing are actually fairly well "energy gapped" as well. Energy gapping is a more appropriate term because it is "energy" in all it's forms and all it's "transportation methods" that carry your private information out inadvertantly. The point being is that it's the laws of physics that determin what can and can not be done by an attacker. Most of the fundemental laws are well within the grasp of anyone who did highschool science classes and passed. Some further things like "radiation transport" where very high frequency high energy particles or radiation work their way down to the ultimate form of polution (heat) undergraduates get to grips with mathmatically but the average person can understand enough just by reading about the process. However there are other "gotchers" which is the bi-directional behaviour of basic transducers. That is speakers are also microphones, motors are also generators and the likes of transformers and their more esoteric equivalents of baluns and circulators also reflect what happens at their loads back to their sources and back again as the laws of thermodynamics dictate. This also effects the hardware and software, people tend to forget "errors and exceptions" are in effect "inputs at the output" and crafted errors can work their way very far back into a system in various ways (they are a subset of "fault injection" and "system transparancy" attacks). Even supposed "Data Diodes" can be made to work backwards in various ways.

What could be done with Kernal level access or maybe would could not be done? Can anyone tell me that this is impossible?

Kernal level access is actually "old school" these days for various reasons. You first have to realise just how many layers there are in the computing stack. The kernel sits above the ISA level which is above the CPU which is above the MMU which is above DMA and other I/O layers and below this the memory with quite a few layers below that where attacks can "bubble up" from below gate and transistor level (think cross talk injected to cross between tracks on the metal layers in a Chip layout macro for say an ARM core or other licensed "macro". But there are also the hidden CPUs and OS's. Appatently thanks to Intel's "Managment engine" there are more *nix OS's running than Microsoft OS's... According to who you talk to the ME can access features and places in the computing stack that the kernel running on any conventional core would never ever get to see let alone change (think microcode store in the CPU instruction decode logic etc). The fact that the US Gov alledgedly has some "secret sauce" to at the very least disable the Intel ME has caused one or two security stories and speculations. Lets put it this way if you wanted to add a "backdoor" for the IC rather than LE then the ME is in a very good position to do it with, and outside of using very high precision timing you would not be able to spot such a backdoor in operation using anything from above the ISA level in the computing stack. That is you would have to use some very expensive test equipment in specialised test arangments to "maybe" find the way data was being leaked if it was... Such a backdoor could use "Spread Spectrum" hardware techniques to add data leakage via "timing jitter" to parts of the CPU hardware such as the AES encryption. The data added could be encrypted by using a hidden "public key" in the ME, which could hide data such that only the person who had the private key could read it[2]. Therefor the likes of the AES key could be concatenated with a counter encrypted and pushed out instead of true random numbers, thus end up being used as nonce's etc in crypto algorithms.

The thing about "timing jitter" is with care nearly all systems are transparent to it due to "Security-v-Efficiency". Unless you realy know what you are doing, the more efficient you make a system not just the more potential timing channels you open, but the greater bandwidth you give them. Obviously all standard consumer computers be they PC's or the microcontroler in your most basic electrical appliance are designed to be efficient, therefore they are transparent to data leakage. Thus your PC or TV could leak say key data via the powersupply which would travel around your house wiring to the "Smart Meter" the instrumentation in which could pick up the key leak data and then using it's other protocols send that off anywhere including over the Internet. The thing about timing jitter is, that it is uneffected by encryption because it's the timing of the packets of data not the data that gets encrypted that carries the information. Ironically those measures carried out to stop key or data leakage via software implementations of encryption that actually make the system even more transparent than it was before. So a "Damned if you do, Damned if you don't" problem for a system designer to mull over (the cure as anyone who has been taught TEMPEST / EmSec design is "data re-clocking" which removes the jitter upto a point by effectively closing the channel bandwidth down but not totaly...).

So by now you are probably thinking "what hope for privacy" as I said above you need to mitigate by proper segregation and implementation of the communications across the effective "gapping". Which in effect moves the problem to how you implement "energy gapping". It's one of the reasons Sensitive Compartmented Information Facility (SCIF) rooms/tents exist in Government agencies. Whilst their design is supposadly secret in the US other governments don't regard it that way, therefore much of what is involved not just in the design but testing / certification proceadurs are fairly easy to sniff out. Just looking at the Wikipedia pages on Acoustic and Electromagnetic Anechoic chambers and EMC will give you enough of a headstart to understand what it is that SCIFs do, also "sound/vibration" proofing by making "mechanical gaps" on sailboat engine compartments will give you more insight. Put simply your aim is to turn all energy be it acoustic, mechanical or electromagnetic into very low bandwidth heat via suitably large absorbing masses.

So yes if your privacy is important to you and others you wish to have contact with there are steps you can take to protect it against fairly high level attackers who don't have the resources to start bouncing $5 wrenches off your body parts in dim distant lands where canvas overalls and black hoods are the fashion items to be seen in.

As the latest news on Julian Assange shows some governments are prepared to spend the better part of a billion dollars to get somewhat petty revenge for being shown in their true light rather than that they try to project...

[1] An "invisable data diode" is not invisable to you, only from the external network. In essence they are a "Vampire tap", "Star tap" or just a cable that has the TX pair from the monitoring equipment cut. The monitoring equipment is a *nix box which has a couple of network cards in promiscuous mode that records every packet that goes in either direction on the monitored network cable.

[2] See the work by Adam Young and Moti Yung on Kleptography which is a subset of their Cryptovirology research. Their book is realy quite well written and quite readable and understandable by even security novices.

PatriotMay 23, 2019 10:05 PM

That organization really does have a very, very important series of missions that everyone would agree are worthwhile. They offer a lot of help in protecting networks, believe it or not. We should not think of them as bad or entirely bad.

Recently, one of the writers mentioned General Odom.

General Odom was a superb leader, a former DIRNSA. He basically said that the monkey business that took place after 9-11, the warrantless wiretapping, would not have happened under his watch. He knew what he was doing, and what the limits were.

9-11, the turning point. It became an opportunity for a lot of people to become wealthy by undermining the U.S. Constitution. Contracting--the slippery slope--the more illegal it is, the more one should be paid, the bigger the budget should be. That is what really went on. If it had not been in the interest of certain people to subvert the law, it would not have happened. People who raise their right hand to take an oath to protect and defend the Constitution should not smirk.

BaspMay 24, 2019 12:52 AM


I wish I knew more of missions for the NSA that didn't involve spying on U.S. citizens for the purpose of gathering foreign intelligence. Maybe then I wouldn't de-facto associate them with anti-American mass domestic surveillance.

James TMay 24, 2019 2:53 AM

@ Clive Robinson
Thank You Sir for Your reply. I enjoy reading your posts here but I must admit, l usually have a couple of Electronic Manuals beside me when I do. To be honest I have nothing to hide from the Ba#*%rds. Its the lack of control of my personal property that riles me. I have a very small E-footprint. I don't have a facebbok pages or Twitter Acct. or anything like that. I recently opened a new e-mail account because I broke down and purchased a smart Phone. So I assume I was already tagged as "Suspicious". I think Computers are great " Tools" but seems they are taking the place of true Human interactions. We are Social Species but are slowly losing ability and Art of being Social to one another. I would gladly trade two weeks of this to have a face to face two hour conversation with someone as intelligent as Yourself. I'm just afraid we are putting way too many eggs in one basket. We need to back up a little and unantmate a few things, in my humble opinion. Six years ago I thought BIOS, was when a person wrote a book about themselves towards the end of Their life. I've had a steep learning curve since then. I have been a Nuts and Bolts man my whole life. I can fix just about anything with an Internal Combustion Engine. Home Air Conditioning Plumbing, Electrical ect. Electronics is a different animal. So when my Son complained about His Computer, I jumped in with both feet. I guess I found and copied this things that wasn't allowed, by the powers that be. I seriously pissed someone off because they have had me on a short leash ever since. Seems someone is more worried about covering Their Butts than keeping the Power Grid safe! So their is no love lost with _____. You can fill the blank. So the Question is, who do you want two Feet up your Computers A$$! NSA, Russia or China? I vote none of the above but that doesn't seem to be where we are heading. That Truly SUCKS!!!

The PullMay 24, 2019 9:45 AM

NSA really dropped the ball during the 2016 election. Hopefully, they have a plan and the capacity to implement it for the 2018 election.

The PullMay 24, 2019 10:58 AM


IKR, hahaha... :-) [I really don't judge anyone on that, who even should have been responsible...]

But, more seriously, what does that look like? They probably have to have a tight connection with all the major social media, as well as implement a darned good national firewall that looks for and detects traffic patterns Russian propaganda farms give out.

THEN, you have to also look out for them doing an actual hack. Which is like searching for a needle in a haystack, because alllll these politicians and all the people under them have dirt.

gordoMay 24, 2019 12:06 PM

@ The Pull,

I would guess that operations like Facebook, Google, etc., have their own ASN(s) so anything coming and going can be traced, but knowing why to trace a given signal would be more the art. As you say, there is definitely information that gets shared (fused). I wonder how much stuff gets taken down and how much gets missed, as well as how much of this relies upon AI.

The PullMay 24, 2019 12:17 PM


Aye. That sounds problematic, misfiring. Taking down material that is legitimate.

Though, I am all for crazy conspiracy theory crap not playing a factor in elections. Do not expect that to happen, and that without foreign influence. Nothing Russia started was crazier then pizzagate.

Symphony for the DevilMay 24, 2019 1:07 PM

7:28 / 7:41

The Rolling Stones - Sympathy For The Devil (Live) - OFFICIAL

We may be living in unprecendented times on the Blue Planet.

For example, two quotes from the current USA president, who has authoritarian tendencies:

"I love WikiLeaks" pre-election
“I know nothing about WikiLeaks -- it’s not my thing.” post-election

Secretary of State, let's have another "Benghazi hearing" or, once, a useful pawn of the Koch Brothers, pre election:

"... in June 2016 during the campaign, when Pompeo was a Republican House lawmaker from Kansas, he tweeted a link to hacked documents obtained by WikiLeaks of emails from the Democratic National Committee.

When Pompeo was asked about the tweet at his confirmation hearing in January, he said he never viewed WikiLeaks as a "credible source of information..."

With leaders like those in the USA, perhaps back-channels between the NSA and Schneier et al. is an excellent idea. Such a back-channel, as opposed to a back-door, at worst, perhaps, might help prevent group-think on either side

The Rolling Stones - Start Me Up

Symphony for the DevilMay 24, 2019 1:45 PM

Fleetwood Mac - Go Your Own Way - Dance Tour '97

ps. regarding the sorry leadership, b-level at best, IMO, in the USA, I forgot b-team Bolton.

Of course, Bolton is on another b-team, too, seeking war with Iran.

Of course, to "Wag the Dog" our president might want another war to save his sorry a$$. Same for Netanyahu? Same for MBS?

Regarding Bolton's other b-team members, Iranian Foreign Minister Mohammad Javad Zarif called Bolton part of a "B team" that includes Israeli Prime Minister Benjamin Netanyahu, Saudi Arabia's Crown Prince Mohammed bin Salman (MBS) and Abu Dhabi Crown Prince Mohammed bin Zayed (MBZ?).

The PullMay 24, 2019 2:08 PM


Oh, so Russia was behind the pizzagate conspiracy theory... probably was behind both the hack & the twitter post that posited the idea [I think is the read you have on that, and I agree].

Sad that Americans so willingly become 'as if hypnotized' by foreign intelligence agencies whose only real motive is to harm the country.

I don't see how Russia can resist continuing to do this kind of work. The power they wield because of American gullibility must be irresistible to them.

I bet they got a lot of laughs from that one.

gordoMay 24, 2019 2:24 PM

@ The Pull,

I have no opinion regarding attribution, i.e. no evidence. Anything either you, I or anyone else says in that regard is conjecture.

FaustusMay 24, 2019 5:24 PM

@ Bruce

"I like to think that I am pretty resilient against being co-optd"

I think that that is most people's self perception.

I studied social psychology, which also addresses the perception of self, and there are endless experiments in which subjects' actions and ideas can be influenced surreptitiously. People claim to not be influenced by certain factors but the statistics demonstrate otherwise. Of course these statistics only speak to the aggregate. Perhaps some individuals perceive that they are resistant and actually are.

The idea of a double blind study, for example, is not to stop scientists from purposefully cheating. It is to prevent accidental manipulation of the results by subtle unconscious behaviors that promote the result the scientists would like to see. Google "Clever Hans" for a real world example:

Another example: Getting people to do something relatively small but for insufficient payment causes people to develop opinions that retroactively justify the behavior. If you can get somebody to put a sign for a politician they don't support on their lawn, say in order to please an attractive man or woman, then over a short amount of time it is quite likely that they will change their opinion to match the sign, a reduction of cognitive dissonance.

The NSA had opportunities no doubt to get you to comply with small things you felt dubious about but not enough to make a fuss. This sets in motion a reduction of cognitive dissonance by shifting your opinions in the direction of an action you were actually originally dubious about.

If you had said "I am aware of the risk of being co-opted and therefore I do this to track how my opinions might be influenced" I'd be more confident that you had strong immunity to influence.

I have been influenced in this way and others. I once had a therapist make me watch the movie Zelig because she felt I changed to match my environment, as did Zelig. I felt I was just being flexible and open minded. In retrospect this seems a rationalization.

AtAStoreMay 24, 2019 7:27 PM

"... JEREMY SCAHILL: On June 16th, 1918, the prominent socialist labor leader Eugene Debs delivered a speech in Canton, Ohio. And in that speech, Debs argued against U.S. involvement in World War I, and he praised activists who had been organizing against the military draft or had been convicted of sedition. At the time, Debs was one of the most prominent socialists in the United States, and his speech came on the heels of the Russian revolution and the rise of global socialist and communist movements.

EUGENE DEBS: [read by Mark Ruffalo] The working class who fight all the battles, the working calls [class?] who make the supreme sacrifices, the working class who freely shed their blood and furnish their corpses, have never yet had a voice in either declaring war or making peace.

JEREMY SCAHILL: Soon after Debs delivered that speech, he was arrested and charged under a new law in the U.S. that had passed just a year earlier. It was called the Espionage Act. Debs and his lawyers argued that his antiwar speech was protected by the First Amendment to the Constitution. They lost. And Debs was sentenced to 10 years in prison. The case eventually went to the U.S. Supreme Court, where the justices voted unanimously to uphold his conviction. “I believe in free speech, in war as well as in peace,” Debs told the jury during his trial. “If the Espionage Law stands, then the Constitution of the United States is dead.”

Congress eventually amended parts of that act, but the thrust of the law has remained in effect to this day. Anarchist Emma Goldman was also prosecuted under the act. Julius and Ethel Rosenberg were executed after being convicted under the law.
Throughout its history, the Espionage Act has been used as a weapon to attack free speech and dissent. And then came the Pentagon Papers case, where the government charged the whistleblower Daniel Ellsberg under the Espionage Act. He faced more than a hundred years in prison.

DANIEL ELLSBERG: How can you measure the jeopardy that I’m in, whether it’s 10 years, 20 years, 115 years—rather ludicrous amounts like that—to the penalty that has been paid already by 50,000 American families here and hundreds of thousands of Vietnamese families.

JEREMY SCAHILL: The charges were ultimately dismissed in 1973, mostly because of rampant misconduct and illegal surveillance by the Nixon administration. But it was this model, developed by Nixon’s Justice Department, that would be passionately adopted decades later as the weapon of choice of President Barack Obama to wage attacks on journalistic sources and journalism.

PRESIDENT BARACK OBAMA: Since I’ve been in office, my attitude has been zero tolerance for these kinds of leaks and speculation.

JEREMY SCAHILL: Obama’s Justice Department indicted eight journalistic sources under the Espionage Act—more than all U.S. presidents before him combined. Among these cases was U.S. Army whistleblower Chelsea Manning, former CIA officer Jeffrey Sterling, National Security Agency whistleblower Thomas Drake and NSA whistleblower Edward Snowden. In some of these cases, people were sentenced to lengthy prison terms. In others, the government ruined the lives of the targets.

PRESIDENT DONALD TRUMP: We’re going to find the leakers. We’re going to find the leakers. They’re going to pay a big price for leaking.

JEREMY SCAHILL: And then Donald Trump takes power and immediately begins using the playbook refined and sharpened by his predecessor, President Obama. Donald Trump is now surpassing Obama’s eight-year record in just over two years in office. The first case Trump brought was against Reality Winner, who was accused of leaking a top-secret document to a news organization. That NSA document related to alleged Russian intelligence operations aimed at breaching software systems used in some U.S. voting systems. And then FBI agent Terry Albury was indicted for allegedly leaking information about FBI surveillance and informant operations to a news organization.


" William Barr ... is an obsessive-compulsive addict of the unitary executive, the notion that the executive branch should be a dictatorship when it comes to national security policy. They are going after people who blew the whistle on war crimes ...


And for the news organizations that were publishing and selling their papers based on the risks that Chelsea Manning took, based on the risks that Julian Assange took, waited far too long. Far too long. You know the famous speech that was given about, you know, when they came for the socialists, I didn’t speak up because I wasn’t a socialist. When they came for WikiLeaks was not yesterday, Amy. When they came for WikiLeaks started in 2010. And where was the outrage?

AMY GOODMAN: I want to go back to 2017, when Mike Pompeo talked about WikiLeaks. This wasn’t when he was secretary of state, but this was in his first address as CIA director.

MIKE POMPEO: WikiLeaks walks like a hostile intelligence service and talks like a hostile intelligence service. It has encouraged his followers to find jobs at the CIA in order to obtain intelligence. It directed Chelsea Manning in her theft of specific secret information. It overwhelmingly focuses on the United States, while seeking support from anti-democratic countries and organizations. It’s time to call out WikiLeaks for what it really is: a nonstate, hostile intelligence service, often abetted by state actors like Russia.

AMY GOODMAN: Yes, that’s, at the time, CIA Director Pompeo. Now he’s secretary of state. Dan Ellsberg, your response, and what it means to talk about WikiLeaks in this way for Julian Assange?

DANIEL ELLSBERG: Why is it Julian Assange selected by this administration as the first target in our national history and the first target in a hundred years of the Espionage Act to use that act against a journalist? Because he is not regarded with liking by very many people. He’s a ripe fruit here to be collected, ..."

Has anybody read Ellsberg's book? I think the subtitle is 'confessions of a nuclear war planner'

GeorgeMay 25, 2019 12:11 AM

@James T wrote, "So I assume I was already tagged as "Suspicious""

If you think in terms of "blanket surveillance," anyone visiting the site is suspicious. Posing as a *tard does not remove that suspicion only enhances it. This appears to the prevailant thinking behind "capture it all" and leaving no stones unturned because some things take no chances.

I have no doubt Bruce is a patriot at heart and his work is forever intertwined with "the agency" that we so not spoken of.

RosebudMay 25, 2019 10:04 AM

Maybe it's a Commonwealth thing but, here in Canada Chatham House Rule is well understood, widely used, and more or less accepted.

Heck, I use it whenever I give a guest lecture and I do so not because I plan to disclose secrets (that would, of course, continue to be illegal).

Chatham House Rule provides a means for people like me, who are required to be non-partisan in their jobs, to express their personal views about a controversial issue.

I recognize that, in the United States, the notion of a completely non-partisan civil service is somewhat alien, at least for the uppermost ranks. But, in a Westminster system (like Canada's), it is very important and fiercely defended.

At the same time, Canadian civil servants (and others, like me, who are required to maintain a non-partisan status because they serve the legislative branch) have the right to freedom of thought, belief, opinion and expression under section 2 of this country's Charter of Rights and Freedoms. And, you got it, I defend that right pretty fiercely, too.

Chatham House Rule provides a way to thread the needle, within reason. While I must still weigh my public statements carefully, I can at least have the cover of not being quoted by name.

Without this cover, I would risk losing the trust of those that I serve in my day job. That would spell the end for me.

My client base crosses party lines. Each client comes to me, the subject matter expert, to provide confidential research and analysis. Because I often know what both the "left hand" and "right hand" are doing and thinking, I represent a potential threat. I must therefore make every effort to ensure my clients know that I will serve them loyally and without regard to their political affiliation. This I do, while maintaining my own views on policy matters.

It seems clear to me that the NSA probably insisted on Chatham House Rule because it helped their employees relax a bit and express their opinions on particular matters as freely as possible. That must have been a blessing to them because, -- from an outsider's perspective, at least -- the US IC seems to be operating in a highly politically charged environment these days. Given that charged context, I cannot imagine how nerve-wracking it must be to engage with critics and say anything beyond the completely anodyne.

What Bruce and you folks make of what was said, well that's an entirely separate matter. I trust Bruce to maintain his informed skepticism of NSA talking points, while continuing to engage in dialogue. Sharp questioning is good for both sides. Demonization is just plain intellectually lazy.

Paul RainJune 4, 2019 4:14 AM

@Ronnie basically the subhuman scum who work at the NSA get to spin lies without having them exposed to the disinfectant of prying eyes.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Security.