Page 449

Senator Feinstein Admits the NSA Taps the Internet Backbone

We know from the Snowden documents (and other sources) that the NSA taps the Internet backbone through secret agreements with major US telcos., but the US government still hasn’t admitted it.

In late August, the Obama administration declassified a ruling from the Foreign Intelligence Surveillance Court. Footnote 3 reads:

The term ‘upstream collection’ refers to NSA’s interception of Internet communications as they transit [LONG REDACTED CLAUSE], [REDACTED], rather than to acquisitions directly from Internet service providers such as [LIST OF REDACTED THINGS, PRESUMABLY THE PRISM DOWNSTREAM COMPANIES].

Here’s one analysis of the document.

On Thursday, Senator Diane Feinstein filled in some of the details:

Upstream collection…occurs when NSA obtains internet communications, such as e-mails, from certain US companies that operate the Internet background [sic, she means “backbone”], i.e., the companies that own and operate the domestic telecommunications lines over which internet traffic flows.

Note that we knew this in 2006:

One thing the NSA wanted was access to the growing fraction of global telecommunications that passed through junctions on U.S. territory. According to former senator Bob Graham (D-Fla.), who chaired the Intelligence Committee at the time, briefers told him in Cheney’s office in October 2002 that Bush had authorized the agency to tap into those junctions. That decision, Graham said in an interview first reported in The Washington Post on Dec. 18, allowed the NSA to intercept “conversations that . . . went through a transit facility inside the United States.”

And this in 2007:

[The Program] requires the NSA, as noted by Rep. Peter Hoekstra, “to steal light off of different cables” in order to acquire the “information that’s most important to us” Interview with Rep. Peter Hoekstra by Paul Gigot, Lack of Intelligence: Congress Dawdles on Terrorist Wiretapping, JOURNAL EDITORIAL REPORT, FOX NEWS CHANNEL (Aug. 6, 2007) at 2.

So we knew it already, but now we know it even more. So why won’t President Obama admit it?

EDITED TO ADD (9/28): Another article on this.

EDITED TO ADD (9/30): Also, there’s Mark Klein’s revelations from 2006.

Tags: , , , , , , ,

Posted on September 28, 2013 at 6:10 AMView Comments

Friday Squid Blogging: A Squid that Fishes

The Grimalditeuthis bonplandi is the only known squid to use its tentacles to fish:

Its tentacles are thin and fragile, and almost always break off when it’s captured. For ages, people thought it lacked tentacles altogether until a full specimen was found in the stomach of a fish. Weirder still, its clubs have neither suckers nor hooks. Instead, they are flanked by a pair of leaf-shaped membranes. Why?

Now, after observing a live individual off the coast of California, Hendrik-Jan Hoving from the Monterey Bay Aquarium Research Institute (MBARI) in California thinks he knows what how the squid uses its feeble tentacles. They’re not grasping limbs, but fishing lures. By waving the membranes, the squid uses its clubs to mimic the movements small animals and attract its prey.

Academic paper.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags:

Posted on September 27, 2013 at 4:53 PMView Comments

Paradoxes of Big Data

Interesting paper: “Three Paradoxes of Big Data,” by Neil M. Richards and Jonathan H. King, Stanford Law Review Online, 2013.

Abstract: Big data is all the rage. Its proponents tout the use of sophisticated analytics to mine large data sets for insight as the solution to many of our society’s problems. These big data evangelists insist that data-driven decisionmaking can now give us better predictions in areas ranging from college admissions to dating to hiring to medicine to national security and crime prevention. But much of the rhetoric of big data contains no meaningful analysis of its potential perils, only the promise. We don’t deny that big data holds substantial potential for the future, and that large dataset analysis has important uses today. But we would like to sound a cautionary note and pause to consider big data’s potential more critically. In particular, we want to highlight three paradoxes in the current rhetoric about big data to help move us toward a more complete understanding of the big data picture. First, while big data pervasively collects all manner of private information, the operations of big data itself are almost entirely shrouded in legal and commercial secrecy. We call this the Transparency Paradox. Second, though big data evangelists talk in terms of miraculous outcomes, this rhetoric ignores the fact that big data seeks to identify at the expense of individual and collective identity. We call this the Identity Paradox. And third, the rhetoric of big data is characterized by its power to transform society, but big data has power effects of its own, which privilege large government and corporate entities at the expense of ordinary individuals. We call this the Power Paradox. Recognizing the paradoxes of big data, which show its perils alongside its potential, will help us to better understand this revolution. It may also allow us to craft solutions to produce a revolution that will be as good as its evangelists predict.

EDITED TO ADD (10/11): Here’s an HTML version of the paper.

Tags: , , , , ,

Posted on September 26, 2013 at 6:58 AMView Comments

Apple's iPhone Fingerprint Reader Successfully Hacked

Nice hack from the Chaos Computer Club:

The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

I’m not surprised. In my essay on Apple’s technology, I wrote: “I’m sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability—or maybe just a good enough printer—can authenticate his way into your iPhone.”

I don’t agree with CCC’s conclusion, though:

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”

Apple is trying to balance security with convenience. This is a cell phone, not a ICBM launcher or even a bank account withdrawal device. Apple is offering an option to replace a four-digit PIN—something that a lot of iPhone users don’t even bother with—with a fingerprint. Despite its drawbacks, I think it’s a good trade-off for a lot of people.

EDITED TO ADD (10/13): The print for the CCC hack was lifted from the iPhone.

Tags: , , , , , ,

Posted on September 24, 2013 at 9:20 AMView Comments

NSA Job Opening

The NSA is looking for a Civil Liberties & Privacy Officer. It appears to be an internal posting.

The NSA Civil Liberties & Privacy Officer (CLPO) is conceived as a completely new role, combining the separate responsibilities of NSA’s existing Civil Liberties and Privacy (CL/P) protection programs under a single official. The CLPO will serve as the primary advisor to the Director of NSA for ensuring that privacy is protected and civil liberties are maintained by all of NSA’s missions, programs, policies and technologies. This new position is focused on the future, designed to directly enhance decision making and to ensure that CL/P protections continue to be baked into NSA’s future operations, technologies, tradecraft, and policies. The NSA CLPO will consult regularly with the Office of the Director of National Intelligence CLPO, privacy and civil liberties officials from the Department of Defense and the Department of Justice, as well as other U.S. government, private sector, public advocacy groups and foreign partners.

EDITED TO ADD (9/23): Better link here that allows new registration for prospective applicants—it’s Job ID 1039797.

Tags: , , , , ,

Posted on September 23, 2013 at 1:14 PMView Comments

Metadata Equals Surveillance

Back in June, when the contents of Edward Snowden’s cache of NSA documents were just starting to be revealed and we learned about the NSA collecting phone metadata of every American, many people—including President Obama—discounted the seriousness of the NSA’s actions by saying that it’s just metadata.

Lots and lots of people effectively demolished that trivialization, but the arguments are generally subtle and hard to convey quickly and simply. I have a more compact argument: metadata equals surveillance.

Imagine you hired a detective to eavesdrop on someone. He might plant a bug in their office. He might tap their phone. He might open their mail. The result would be the details of that person’s communications. That’s the “data.”

Now imagine you hired that same detective to surveil that person. The result would be details of what he did: where he went, who he talked to, what he looked at, what he purchased—how he spent his day. That’s all metadata.

When the government collects metadata on people, the government puts them under surveillance. When the government collects metadata on the entire country, they put everyone under surveillance. When Google does it, they do the same thing. Metadata equals surveillance; it’s that simple.

EDITED TO ADD (10/12): According to Snowden, the administration is partially basing its bulk collection of metadata on an interpretation by the FISC of Section 215 of the Patriot Act.

EDITED TO ADD (10/28): this post has been translated into Portuguese.

Tags: , , , ,

Posted on September 23, 2013 at 6:21 AMView Comments

Friday Squid Blogging: How Bacteria Terraform a Squid

Fascinating:

The bacterium Vibrio fischeri is a squid terraformer. Although it can live independently in seawater, it also colonises the body of the adorable Hawaiian bobtail squid. The squid nourishes the bacteria with nutrients and the bacteria, in turn, act as an invisibility cloak. They produce a dim light that matches the moonlight shining down from above, masking the squid’s silhouette from predators watching from below. With its light-emitting microbes, the squid becomes less visible.

Margaret McFall-Ngai from the University of Wisconsin has been studying this partnership for almost 25 years and her team, led by postdoc Natacha Kremer, have now uncovered its very first moments. They’ve shown how the incoming bacteria activate the squid’s genes to create a world that’s more suitable for their kind. And remarkably, it takes just five of these microbial pioneers to start the terraforming (teuthoforming?) process.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags:

Posted on September 20, 2013 at 4:25 PMView Comments

← Earlier EntriesLater Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.