Entries Tagged "intelligence"

Page 17 of 25

Mossad Hacked Syrian Official's Computer

It was unattended in a hotel room at the time:

Israel’s Mossad espionage agency used Trojan Horse programs to gather intelligence about a nuclear facility in Syria the Israel Defense Forces destroyed in 2007, the German magazine Der Spiegel reported Monday.

According to the magazine, Mossad agents in London planted the malware on the computer of a Syrian official who was staying in the British capital; he was at a hotel in the upscale neighborhood of Kensington at the time.

The program copied the details of Syria’s illicit nuclear program and sent them directly to the Mossad agents’ computers, the report said.

Remember the evil maid attack: if an attacker gets hold of your computer temporarily, he can bypass your encryption software.

Posted on November 5, 2009 at 12:48 PMView Comments

CIA Invests in Social-Network Datamining

From Wired:

In-Q-Tel, the investment arm of the CIA and the wider intelligence community, is putting cash into Visible Technologies, a software firm that specializes in monitoring social media. It’s part of a larger movement within the spy services to get better at using “open source intelligence“—information that’s publicly available, but often hidden in the flood of TV shows, newspaper articles, blog posts, online videos and radio reports generated every day.

Here’s the Visible Technologies press release on the funding.

Posted on October 26, 2009 at 6:53 AMView Comments

James Bamford on the NSA

James Bamford—author of The Shadow Factory: The NSA from 9/11 to the Eavesdropping on America writes about the NSA’s new data center in Utah as he reviews another book: The Secret Sentry: The Untold History of the National Security Agency:

Just how much information will be stored in these windowless cybertemples? A clue comes from a recent report prepared by the MITRE Corporation, a Pentagon think tank. “As the sensors associated with the various surveillance missions improve,” says the report, referring to a variety of technical collection methods, “the data volumes are increasing with a projection that sensor data volume could potentially increase to the level of Yottabytes (1024 Bytes) by 2015.” Roughly equal to about a septillion (1,000,000,000,000,000,000,000,000) pages of text, numbers beyond Yottabytes haven’t yet been named. Once vacuumed up and stored in these near-infinite “libraries,” the data are then analyzed by powerful infoweapons, supercomputers running complex algorithmic programs, to determine who among us may be—or may one day become—a terrorist.

[…]

Aid concludes that the biggest problem facing the agency is not the fact that it’s drowning in untranslated, indecipherable, and mostly unusable data, problems that the troubled new modernization plan, Turbulence, is supposed to eventually fix. “These problems may, in fact, be the tip of the iceberg,” he writes. Instead, what the agency needs most, Aid says, is more power. But the type of power to which he is referring is the kind that comes from electrical substations, not statutes. “As strange as it may sound,” he writes, “one of the most urgent problems facing NSA is a severe shortage of electrical power.” With supercomputers measured by the acre and estimated $70 million annual electricity bills for its headquarters, the agency has begun browning out, which is the reason for locating its new data centers in Utah and Texas.

Of course, that yottabyte number is hyperbole. The problem with all of that data is that there’s no time to process it. Think of it as trying to drink from a fire hose. The NSA has to make lightning-fast real-time decisions about what to save for later analysis. And there’s not a lot of time for later analysis; more data is coming constantly at the same fire-hose rate.

Bamford’s entire article is worth reading. He summarizes some of the things he talks about in his book: the inability of the NSA to predict national security threats (9/11 being one such failure) and the manipulation of intelligence data for political purposes.

Posted on October 22, 2009 at 6:10 AMView Comments

UK Defense Security Manual Leaked

Wow. It’s over 2,000 pages, so it’ll take time to make any sense of. According to Ross Anderson, who’s given it a quick look over, “it seems to be the bureaucratic equivalent of spaghetti code: a hodgepodge of things written by people from different backgrounds, and with different degrees of clue, in different decades.”

The computer security stuff starts at page 1,531.

EDITED TO ADD (10/6): An article.

Posted on October 5, 2009 at 3:10 PMView Comments

Eighth Anniversary of 9/11

On September 30, 2001, I published a special issue of Crypto-Gram discussing the terrorist attacks. I wrote about the novelty of the attacks, airplane security, diagnosing intelligence failures, the potential of regulating cryptography—because it could be used by the terrorists—and protecting privacy and liberty. Much of what I wrote is still relevant today:

Appalled by the recent hijackings, many Americans have declared themselves willing to give up civil liberties in the name of security. They’ve declared it so loudly that this trade-off seems to be a fait accompli. Article after article talks about the balance between privacy and security, discussing whether various increases of security are worth the privacy and civil-liberty losses. Rarely do I see a discussion about whether this linkage is a valid one.

Security and privacy are not two sides of a teeter-totter. This association is simplistic and largely fallacious. It’s easy and fast, but less effective, to increase security by taking away liberty. However, the best ways to increase security are not at the expense of privacy and liberty.

It’s easy to refute the notion that all security comes at the expense of liberty. Arming pilots, reinforcing cockpit doors, and teaching flight attendants karate are all examples of security measures that have no effect on individual privacy or liberties. So are better authentication of airport maintenance workers, or dead-man switches that force planes to automatically land at the closest airport, or armed air marshals traveling on flights.

Liberty-depriving security measures are most often found when system designers failed to take security into account from the beginning. They’re Band-aids, and evidence of bad security planning. When security is designed into a system, it can work without forcing people to give up their freedoms.

[…]

There are copycat criminals and terrorists, who do what they’ve seen done before. To a large extent, this is what the hastily implemented security measures have tried to prevent. And there are the clever attackers, who invent new ways to attack people. This is what we saw on September 11. It’s expensive, but we can build security to protect against yesterday’s attacks. But we can’t guarantee protection against tomorrow’s attacks: the hacker attack that hasn’t been invented, or the terrorist attack yet to be conceived.

Demands for even more surveillance miss the point. The problem is not obtaining data, it’s deciding which data is worth analyzing and then interpreting it. Everyone already leaves a wide audit trail as we go through life, and law enforcement can already access those records with search warrants. The FBI quickly pieced together the terrorists’ identities and the last few months of their lives, once they knew where to look. If they had thrown up their hands and said that they couldn’t figure out who did it or how, they might have a case for needing more surveillance data. But they didn’t, and they don’t.

More data can even be counterproductive. The NSA and the CIA have been criticized for relying too much on signals intelligence, and not enough on human intelligence. The East German police collected data on four million East Germans, roughly a quarter of their population. Yet they did not foresee the peaceful overthrow of the Communist government because they invested heavily in data collection instead of data interpretation. We need more intelligence agents squatting on the ground in the Middle East arguing the Koran, not sitting in Washington arguing about wiretapping laws.

People are willing to give up liberties for vague promises of security because they think they have no choice. What they’re not being told is that they can have both. It would require people to say no to the FBI’s power grab. It would require us to discard the easy answers in favor of thoughtful answers. It would require structuring incentives to improve overall security rather than simply decreasing its costs. Designing security into systems from the beginning, instead of tacking it on at the end, would give us the security we need, while preserving the civil liberties we hold dear.

Some broad surveillance, in limited circumstances, might be warranted as a temporary measure. But we need to be careful that it remain temporary, and that we do not design surveillance into our electronic infrastructure. Thomas Jefferson once said: “Eternal vigilance is the price of liberty.” Historically, liberties have always been a casualty of war, but a temporary casualty. This war—a war without a clear enemy or end condition—has the potential to turn into a permanent state of society. We need to design our security accordingly.

Posted on September 11, 2009 at 6:26 AMView Comments

An Ethical Code for Intelligence Officers

August’s Communications of the ACM has an interesting article: “An Ethics Code for U.S. Intelligence Officers,” by former NSAers Brian Snow and Clint Brooks. The article is behind a paywall, but here’s the code:

Draft Statement of Ethics for the Intelligence Community

Preamble: Intelligence work may present exceptional or unusual ethical dilemmas beyond those of ordinary life. Ethical thinking and review should be a part of our day to day efforts; it can protect our nation’s and our agency’s integrity, improve the chances of mission success, protect us from the consequences of bad choices, and preserve our alliances. Therefore, we adhere to the following standards of professional ethics and behavior:

  1. First, do no harm to U.S. citizens or their rights under the Constitution.
  2. We uphold the Constitution and the Rule of Law; we are constrained by both the spirit and the letter of the laws of the United States.
  3. We will comply with all international human rights agreements that our nation has ratified.
  4. We will insist on clarification of ambiguities that arise between directives or law and the principles of this code. We will protect those within our institutions who call reasonable attention to wrongdoing.
  5. Expediency is not an excuse for misconduct.
  6. We are accountable for our decisions and actions. We support timely, rigorous processes that fix accountability to the responsible person.
  7. Statements we make to our clients, colleagues, overseers and the U.S. public will be true, and structured not to unnecessarily mislead or conceal.
  8. We will resolve difficult ethical choices in favor of constitutional requirements, the truth, and our fellow citizens.
  9. We will address the potential consequences of our actions in advance, especially the consequences of failure, discovery, and unintended or collateral consequences of success.
  10. We will not impose unnecessary risk on innocents.
  11. Although we may work in secrecy, we will work so that when our efforts become known, our fellow citizens will be proud of us and of our efforts.

It’s supposed to be for U.S. intelligence officers, but with one inconsequential modification it could be made international.

Posted on August 11, 2009 at 12:29 PMView Comments

NSA Building Massive Data Center in Utah

They’re expanding:

The years-in-the-making project, which may cost billions over time, got a $181 million start last week when President Obama signed a war spending bill in which Congress agreed to pay for primary construction, power access and security infrastructure. The enormous building, which will have a footprint about three times the size of the Utah State Capitol building, will be constructed on a 200-acre site near the Utah National Guard facility’s runway.

Congressional records show that initial construction—which may begin this year—will include tens of millions in electrical work and utility construction, a $9.3 million vehicle inspection facility, and $6.8 million in perimeter security fencing. The budget also allots $6.5 million for the relocation of an existing access road, communications building and training area.

Officials familiar with the project say it may bring as many as 1,200 high-tech jobs….

It will also require at least 65 megawatts of power….

Another article.

Posted on July 10, 2009 at 5:52 AMView Comments

John Walker and the Fleet Broadcasting System

Ph.D. thesis from 2001:

An Analysis of the Systemic Security Weaknesses of the U.S. Navy Fleet Broadcasting System, 1967-1974, as exploited by CWO John Walker, by MAJ Laura J. Heath

Abstract: CWO John Walker led one of the most devastating spy rings ever unmasked in the US. Along with his brother, son, and friend, he compromised US Navy cryptographic systems and classified information from 1967 to 1985. This research focuses on just one of the systems compromised by John Walker himself: the Fleet Broadcasting System (FBS) during the period 1967-1975, which was used to transmit all US Navy operational orders to ships at sea. Why was the communications security (COMSEC) system so completely defenseless against one rogue sailor, acting alone? The evidence shows that FBS was designed in such a way that it was effectively impossible to detect or prevent rogue insiders from compromising the system. Personnel investigations were cursory, frequently delayed, and based more on hunches than hard scientific criteria. Far too many people had access to the keys and sensitive materials, and the auditing methods were incapable, even in theory, of detecting illicit copying of classified materials. Responsibility for the security of the system was distributed between many different organizations, allowing numerous security gaps to develop. This has immediate implications for the design of future classified communications systems.

EDITED TO ADD (9/23): I blogged about this in 2005. Apologies; I forgot.

Posted on June 23, 2009 at 1:30 PMView Comments

1 15 16 17 18 19 25

Sidebar photo of Bruce Schneier by Joe MacInnis.