Page 449

NSA Storing Internet Data, Social Networking Data, on Pretty Much Everybody

Two new stories based on the Snowden documents.

This is getting silly. General Alexander just lied about this to Congress last week. The old NSA tactic of hiding behind a shell game of different code names is failing. It used to be they could get away with saying “Project X doesn’t do that,” knowing full well that Projects Y and Z did and that no one would call them on it. Now they’re just looking shiftier and shiftier.

The program the New York Times exposed is basically Total Information Awareness, which Congress defunded in 2003 because it was just too damned creepy. Now it’s back. (Actually, it never really went away. It just changed code names.)

I’m also curious how all those PRISM-era denials from Internet companies about the NSA not having “direct access” to their servers jibes with this paragraph:

The overall volume of metadata collected by the N.S.A. is reflected in the agency’s secret 2013 budget request to Congress. The budget document, disclosed by Mr. Snowden, shows that the agency is pouring money and manpower into creating a metadata repository capable of taking in 20 billion “record events” daily and making them available to N.S.A. analysts within 60 minutes.

Honestly, I think the details matter less and less. We have to assume that the NSA has everyone who uses electronic communications under constant surveillance. New details about hows and whys will continue to emerge—for example, now we know the NSA’s repository contains travel data—but the big picture will remain the same.

Related: I’ve said that it seems that the NSA now has a PR firm advising it on response. It’s trying to teach General Alexander how to better respond to questioning.

Also related: A cute flowchart on how to avoid NSA surveillance.

Tags: , , , , , , , ,

Posted on October 1, 2013 at 1:08 PMView Comments

Will Keccak = SHA-3?

Last year, NIST selected Keccak as the winner of the SHA-3 hash function competition. Yes, I would have rather my own Skein had won, but it was a good choice.

But last August, John Kelsey announced some changes to Keccak in a talk (slides 44-48 are relevant). Basically, the security levels were reduced and some internal changes to the algorithm were made, all in the name of software performance.

Normally, this wouldn’t be a big deal. But in light of the Snowden documents that reveal that the NSA has attempted to intentionally weaken cryptographic standards, this is a huge deal. There is too much mistrust in the air. NIST risks publishing an algorithm that no one will trust and no one (except those forced) will use.

At this point, they simply have to standardize on Keccak as submitted and as selected.

CDT has a great post about this.

Also this Slashdot thread.

EDITED TO ADD (10/5): It’s worth reading the response from the Keccak team on this issue.

I misspoke when I wrote that NIST made “internal changes” to the algorithm. That was sloppy of me. The Keccak permutation remains unchanged. What NIST proposed was reducing the hash function’s capacity in the name of performance. One of Keccak’s nice features is that it’s highly tunable.

I do not believe that the NIST changes were suggested by the NSA. Nor do I believe that the changes make the algorithm easier to break by the NSA. I believe NIST made the changes in good faith, and the result is a better security/performance trade-off. My problem with the changes isn’t cryptographic, it’s perceptual. There is so little trust in the NSA right now, and that mistrust is reflecting on NIST. I worry that the changed algorithm won’t be accepted by an understandably skeptical security community, and that no one will use SHA-3 as a result.

This is a lousy outcome. NIST has done a great job with cryptographic competitions: both a decade ago with AES and now with SHA-3. This is just another effect of the NSA’s actions draining the trust out of the Internet.

Tags: , , , , , , , ,

Posted on October 1, 2013 at 10:50 AMView Comments

WhoIs Privacy and Proxy Service Abuse

ICANN has a draft study that looks at abuse of the Whois database.

This study, conducted by the National Physical Laboratory (NPL) in the United Kingdom, analyzes gTLD domain names to measure whether the percentage of privacy/proxy use among domains engaged in illegal or harmful Internet activities is significantly greater than among domain names used for lawful Internet activities. Furthermore, this study compares these privacy/proxy percentages to other methods used to obscure identity ­ notably, Whois phone numbers that are invalid.

Richard Clayton, the primary author of the report, has a blog post:

However, it’s more interesting to ask whether this percentage is somewhat higher than the usage of privacy or proxy services for entirely lawful and harmless Internet activities? This turned out NOT to be the case ­ for example banks use privacy and proxy services almost as often as the registrants of domains used in the hosting of child sexual abuse images; and the registrants of domains used to host (legal) adult pornography use privacy and proxy services more often than most (but not all) of the different types of malicious activity that we studied.

Richard has been telling me about this work for a while. It’s nice to see it finally published.

Tags: , , , , ,

Posted on October 1, 2013 at 9:09 AMView Comments

Senator Feinstein Admits the NSA Taps the Internet Backbone

We know from the Snowden documents (and other sources) that the NSA taps the Internet backbone through secret agreements with major US telcos., but the US government still hasn’t admitted it.

In late August, the Obama administration declassified a ruling from the Foreign Intelligence Surveillance Court. Footnote 3 reads:

The term ‘upstream collection’ refers to NSA’s interception of Internet communications as they transit [LONG REDACTED CLAUSE], [REDACTED], rather than to acquisitions directly from Internet service providers such as [LIST OF REDACTED THINGS, PRESUMABLY THE PRISM DOWNSTREAM COMPANIES].

Here’s one analysis of the document.

On Thursday, Senator Diane Feinstein filled in some of the details:

Upstream collection…occurs when NSA obtains internet communications, such as e-mails, from certain US companies that operate the Internet background [sic, she means “backbone”], i.e., the companies that own and operate the domestic telecommunications lines over which internet traffic flows.

Note that we knew this in 2006:

One thing the NSA wanted was access to the growing fraction of global telecommunications that passed through junctions on U.S. territory. According to former senator Bob Graham (D-Fla.), who chaired the Intelligence Committee at the time, briefers told him in Cheney’s office in October 2002 that Bush had authorized the agency to tap into those junctions. That decision, Graham said in an interview first reported in The Washington Post on Dec. 18, allowed the NSA to intercept “conversations that . . . went through a transit facility inside the United States.”

And this in 2007:

[The Program] requires the NSA, as noted by Rep. Peter Hoekstra, “to steal light off of different cables” in order to acquire the “information that’s most important to us” Interview with Rep. Peter Hoekstra by Paul Gigot, Lack of Intelligence: Congress Dawdles on Terrorist Wiretapping, JOURNAL EDITORIAL REPORT, FOX NEWS CHANNEL (Aug. 6, 2007) at 2.

So we knew it already, but now we know it even more. So why won’t President Obama admit it?

EDITED TO ADD (9/28): Another article on this.

EDITED TO ADD (9/30): Also, there’s Mark Klein’s revelations from 2006.

Tags: , , , , , , ,

Posted on September 28, 2013 at 6:10 AMView Comments

Friday Squid Blogging: A Squid that Fishes

The Grimalditeuthis bonplandi is the only known squid to use its tentacles to fish:

Its tentacles are thin and fragile, and almost always break off when it’s captured. For ages, people thought it lacked tentacles altogether until a full specimen was found in the stomach of a fish. Weirder still, its clubs have neither suckers nor hooks. Instead, they are flanked by a pair of leaf-shaped membranes. Why?

Now, after observing a live individual off the coast of California, Hendrik-Jan Hoving from the Monterey Bay Aquarium Research Institute (MBARI) in California thinks he knows what how the squid uses its feeble tentacles. They’re not grasping limbs, but fishing lures. By waving the membranes, the squid uses its clubs to mimic the movements small animals and attract its prey.

Academic paper.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags:

Posted on September 27, 2013 at 4:53 PMView Comments

Paradoxes of Big Data

Interesting paper: “Three Paradoxes of Big Data,” by Neil M. Richards and Jonathan H. King, Stanford Law Review Online, 2013.

Abstract: Big data is all the rage. Its proponents tout the use of sophisticated analytics to mine large data sets for insight as the solution to many of our society’s problems. These big data evangelists insist that data-driven decisionmaking can now give us better predictions in areas ranging from college admissions to dating to hiring to medicine to national security and crime prevention. But much of the rhetoric of big data contains no meaningful analysis of its potential perils, only the promise. We don’t deny that big data holds substantial potential for the future, and that large dataset analysis has important uses today. But we would like to sound a cautionary note and pause to consider big data’s potential more critically. In particular, we want to highlight three paradoxes in the current rhetoric about big data to help move us toward a more complete understanding of the big data picture. First, while big data pervasively collects all manner of private information, the operations of big data itself are almost entirely shrouded in legal and commercial secrecy. We call this the Transparency Paradox. Second, though big data evangelists talk in terms of miraculous outcomes, this rhetoric ignores the fact that big data seeks to identify at the expense of individual and collective identity. We call this the Identity Paradox. And third, the rhetoric of big data is characterized by its power to transform society, but big data has power effects of its own, which privilege large government and corporate entities at the expense of ordinary individuals. We call this the Power Paradox. Recognizing the paradoxes of big data, which show its perils alongside its potential, will help us to better understand this revolution. It may also allow us to craft solutions to produce a revolution that will be as good as its evangelists predict.

EDITED TO ADD (10/11): Here’s an HTML version of the paper.

Tags: , , , , ,

Posted on September 26, 2013 at 6:58 AMView Comments

Apple's iPhone Fingerprint Reader Successfully Hacked

Nice hack from the Chaos Computer Club:

The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

I’m not surprised. In my essay on Apple’s technology, I wrote: “I’m sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability—or maybe just a good enough printer—can authenticate his way into your iPhone.”

I don’t agree with CCC’s conclusion, though:

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”

Apple is trying to balance security with convenience. This is a cell phone, not a ICBM launcher or even a bank account withdrawal device. Apple is offering an option to replace a four-digit PIN—something that a lot of iPhone users don’t even bother with—with a fingerprint. Despite its drawbacks, I think it’s a good trade-off for a lot of people.

EDITED TO ADD (10/13): The print for the CCC hack was lifted from the iPhone.

Tags: , , , , , ,

Posted on September 24, 2013 at 9:20 AMView Comments

← Earlier EntriesLater Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.