Showing posts with label NSA. Show all posts

Monday, June 05, 2017

How The Intercept Outed Reality Winner

Today, The Intercept released documents on election tampering from an NSA leaker. Later, the arrest warrant request for an NSA contractor named "Reality Winner" was published, showing how they tracked her down because she had printed out the documents and sent them to The Intercept. The document posted by the Intercept isn't the original PDF file, but a PDF containing the pictures of the printed version that was then later scanned in.

As the warrant says, she confessed while interviewed by the FBI. Had she not confessed, the documents still contained enough evidence to convict her: the printed document was digitally watermarked.

The problem is that most new printers print nearly invisible yellow dots that record exactly when and where any document is printed. Because the NSA logs all print jobs on its printers, it can use this to match up precisely who printed the document.

In this post, I show how.

Thursday, October 06, 2016

What the Yahoo NSA might've looked for

The vague story about Yahoo searching emails for the NSA was cleared up today with various stories from other outlets [1]. It seems clear a FISA court order was used to compel Yahoo to search all their customers' email for a pattern (or patterns). But there's an important detail still missing: what specifically were they searching for? In this post, I give an example.

The NYTimes article explains the search thusly:
Investigators had learned that agents of the foreign terrorist organization were communicating using Yahoo’s email service and with a method that involved a “highly unique” identifier or signature, but the investigators did not know which specific email accounts those agents were using, the officials said.
What they are likely referring to is software like "Mujahideen Secrets", which terrorists have been using for about a decade to encrypt messages. It includes a unique fingerprint/signature that can easily be searched for, as shown below.

In the screenshot below, I use this software to type in a secret message:


I then hit the "encrypt" button, and get the following, a chunk of random looking text:


This software encrypts, but does not send/receive messages. You have to do that manually yourself. It's intended that terrorists will copy/paste this text into emails. They may also paste the messages into forum posts. Encryption is so good that nobody, not even the NSA, can crack properly encrypted messages, so it's okay to post them to public forums, and still maintain secrecy.

In my case, I copy/pasted this encrypted message into an email message from one of my accounts and sent it to one of my Yahoo! email accounts. I received the message shown below:


The obvious "highly unique signature" the FBI should be looking for, to catch this software, is the string:
### Begin ASRAR El Mojahedeen v2.0 Encrypted Message ###
Indeed, if this is the program the NSA/FBI was looking for, they've now caught this message in their dragnet of incoming Yahoo! mail. This is a bit creepy, which is why I added a plea to the message, in unencrypted form, asking them not to rendition or drone strike me. Since the NSA can use such signatures to search traffic from websites, as well as email traffic, there's a good chance you've been added to their "list" simply for reading this blog post. For fun, send this blogpost to family or friends you don't particularly like, in order to get them on the watch list as well.

The thing to note about this is that the string is both content and metadata. As far as the email system is concerned, it is content like anything else you might paste into a message. As far as the terrorists are concerned, the content is encrypted, and this string is just metadata describing how the content was encrypted. I suspect the FISA court might consider content and metadata differently, and that they might issue such an order to search for this metadata while not being willing to order searches of patterns within content.

Regardless of what FISA decides, though, this is still mass surveillance of American citizens. All Yahoo! mail is scanned for such a pattern. I'm not sure how this can possibly be constitutional. Well, I do know how -- we can't get any details about what the government is doing, because national security, and thus we have no "standing" in the court to challenge what they are doing.

Note that one reason Yahoo! may have had to act in 2015 is because after the Snowden revelations, and at the behest of activists, email providers started to use STARTTLS encryption between email servers. If the NSA had servers passively listening to email traffic before, they'd need to be replaced with a new system that tapped more actively into the incoming email stream, behind the initial servers. Thus, we may be able to blame activists for this system (or credit, as the case may be :).

In any case, while the newer stories do a much better job of describing what details are available, no story is complete on this issue. This blogpost suggests one possible scenario that matches the available descriptions, to show more concretely what's going on.

If you want to be a troublemaker, add the above string as your email signature, so that it gets sent as part of every email you send. It's hard to imagine the NSA or GCHQ aren't looking for this string, so it'll jam up their system.

Tuesday, October 04, 2016

The Yahoo-email-search story is garbage

Joseph Menn (Reuters) is reporting that Yahoo! searched emails for the NSA. The details of the story are so mangled that it's impossible to say what's actually going on.

The first paragraph says this:
Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails
The second paragraph says this:
The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts
Well? Which is it? Did they "search incoming emails" or did they "scan mail accounts"? Whether we are dealing with emails in transit, or stored on the servers, is a BFD (Big Fucking Detail) that you can't gloss over and confuse in a story like this. Whether searches are done indiscriminately across all emails, or only for specific accounts, is another BFD.

The third paragraph seems to resolve this, but it doesn't:
Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency's request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
Who are these "some surveillance experts"? Why is the story keeping their identities secret? Are they some whistleblowers afraid for their jobs? If so, then that should be mentioned. In reality, they are unlikely to be real surveillance experts, but just some random person that knows slightly more about the subject than Joseph Menn, and their identities are being kept secret in order to prevent us from challenging these experts -- which is a violation of journalistic ethics.

And, are they analyzing the raw information the author sent them? Or are they opining on the garbled version of events that we see in the first two paragraphs?

The confusion continues:
It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.
What the fuck is a "set of characters"??? Is this an exact quote from somewhere? Or something the author of the story made up? The clarification of what this "could mean" doesn't clear this up, because if that's what it "actually means", then why not say this to begin with?

It's not just technical terms, but also legal ones:
The request to search Yahoo Mail accounts came in the form of a classified edict sent to the company's legal team, according to the three people familiar with the matter.
What the fuck is a "classified edict"? An NSL? A FISA court order? What? This is also a BFD.

We outsiders already know about the NSA/FBI's ability to ask for strong selectors (email addresses). What we don't know about is their ability to search all emails, regardless of account, for arbitrary keywords/phrases. If that's what's going on, then this would be a huge story. But the story doesn't make it clear that this is actually what's going on -- it just strongly implies it.

There are many other ways to interpret this story. For example, the government may simply be demanding that when Yahoo satisfies demands for emails (based on email addresses), that it does so from the raw incoming stream, before it hits spam/malware filters. Or, they may be demanding that Yahoo satisfies their demands with more secrecy, so that the entire company doesn't learn of the email addresses that a FISA order demands. Or, the government may be demanding that the normal collection happen in real time, in the seconds that emails arrive, instead of minutes later.

Or maybe this isn't an NSA/FISA story at all. Maybe the DHS has a cybersecurity information sharing program that distributes IoCs (indicators of compromise) to companies under NDA. Because it's a separate program under NDA, Yahoo would need to set up an email malware scanning system separate from their existing malware system in order to use those IoCs. (@declanm's stream has further variations on this scenario).

My point is this: the story is full of mangled details that really tell us nothing. I can come up with multiple, unrelated scenarios that are consistent with the content in the story. The story certainly doesn't say that Yahoo did anything wrong, or that the government is doing anything wrong (at least, wronger than we already know).

I'm convinced the government is up to no good, strong arming companies like Yahoo into compliance. The thing that's stopping us from discovering malfeasance is poor reporting like this.

Sunday, September 18, 2016

Why Snowden won't be pardoned

Edward Snowden (NSA leakerblower) won’t be pardoned. I’m not arguing that he shouldn’t be pardoned, but that he won’t be pardoned. The chances are near zero, and the pro-pardon crowd doesn't seem to be doing anything to change this. This post lists a bunch of reasons why. If your goal is to get him pardoned, these are the sorts of things you’ll have to overcome.

The tl;dr list is this:
  • Obama hates whistleblowers
  • Obama loves the NSA
  • A pardon would be betrayal
  • Snowden leaked because he was disgruntled, not because he was a man of conscience (***)
  • Snowden hasn’t yet been convicted
  • Snowden leaked too much
  • Snowden helped Russian intelligence
  • Nothing was found to be illegal or unconstitutional

Tuesday, December 01, 2015

NSA needs more EFF hoodies

A few months ago, many stories covered "intelexit.org", a group that bought billboards outside NSA buildings encouraging moderates to leave intelligence organizations. This is a stupidbad idea.

For one thing, it's already happening inside the intelligence community. Before Snowden, EFF hoodies were tolerated. From what I hear, they aren't anymore. Anybody who says anything nice about the EFF or Snowden quickly finds their promotion prospects reduced. And if you aren't being promoted, you are on track to be pushed out, to make room for new young blood.

The exit of moderates is radicalizing the intelligence community. More and more, those who stay want more surveillance.

In my own experience, the intelligence community is full of pro-EFF moderates. More than anybody, those inside the community can see the potential for abuse. For all that mass surveillance is unacceptable, the reality is that it's not really being abused. These people stop abuses. The NSA really is just focused on catching evil terrorists, not on tracking political activists in America. All this power is in the hands of people who use the power as intended.

A mass exodus of moderates, though, will change this, creating a more secretive and more abusive organization. The NSA is nowhere near how "Enemy of the State" imagines, but could easily become that bad when all the moderates leave.

Instead of encouraging moderates to leave, we should be encouraging them to stay. Not just stay, we should be encouraging them to speak out. We should have an organization supplying free EFF hoodies to everyone in intelligence.

Friday, September 18, 2015

Some notes on NSA's 0day handling process

The EFF got (via FOIA) the government's official policy on handling/buying 0days. I thought I'd write up some notes on this, based on my experience. The tl;dr version of this post is (1) the bits they redacted are the expected offensive use of 0days, and (2) there's nothing surprising in the redacted bits.


Before 2008, you could sell 0days to the government many times, to different departments ranging from the NSA to Army to everybody else. These government orgs would compete against each other to see who had the biggest/best cyber-arsenal.

In 2008, there came an executive order to put a stop to all this nonsense. Vuln sellers now only sold 0days once to the government, and then the NSA would coordinate them with everyone else.

That's what this "VEP" (Vuln Equities Process) document discusses -- how the NSA distributes vulnerability information to all the other "stakeholders".

I use "stakeholders" loosely, because there are a lot of government organizations who feel entitled to being part of the 0day gravy train, but who really shouldn't be. I have the impression the NSA has two processes, the real one that is tightly focused on buying vulns and deploying them in the field, and a notional one where they deal with the bureaucratic nonsense that is government. This VEP document is probably the second one.

I don't think the redactions hide anything of consequence. For example, take a look at the first redaction:


The missing words are "Offensive Capabilities", and this isn't too hard to figure out.

The next redaction refers to paragraph 49 of NSPD-54/HSPD-23. Well, EPIC got this document a while ago, and it's here (http://fas.org/irp/offdocs/nspd/nspd-54.pdf) (also here). Though paragraph 49 is redacted here, we can read it from the original document there.


Activists have pointed out this unhelpful part of the document:


But as the text says, these parts redacted here are simply a summary for what is detailed in the sections below. Those are mostly not redacted. So we can reconstruct the process:

a. All 0days must first be sent through this process before anything else (with exceptions).
b. Each department involved will designate a point-of-contact who ensures their organization is represented in the process.
c. This process applies only to 0days (newly discovered vulns that aren't publicly known).
d. The NSA is in charge of this process.
e. Any organization that gets an 0day gives it to the NSA, then the NSA distributes that 0day to all the member organization point-of-contacts.
f. Organizations will then evaluate the 0day, and then have their point-of-contact report what the organization believes should be done (e.g. use for cyber-offensive, or contact vendor and have them patch it).
g. The executive board made up of all organizations will decide what to do with the 0day.

The organizations involved are intelligence (NSA, CIA, etc.), military (Army, Air Force, JSOC, etc.), Departments of State, Justice, Commerce, Treasury, Energy, and of course, Homeland Security.

I'm not sure what the word "equities" means. I think it means anybody who has an "ownership interest" in an 0day. These are listed in Appendix A, but most are redacted. They show the "defensive" need and essentially nothing else.

But we know the redacted equities are about "offensive" use of vulns, in particular, for intelligence and for military operations.

Whatever this policy states, I'm sure in practice things are handled much differently. For 0days in SCADA/ICS equipment, for example, they go directly to the Department of Energy, and the focus will be on getting those things patched.

On the other hand, the NSA has its offensive programs. Every time Apple updates iOS with new Safari protections, they'll buy the first 0day that gets around it. I suspect there's just a standing item of "iPhone 0days" where all departments have agreed these go to the NSA for offensive exploitation, since the particulars (other than iPhone version) never change. Indeed, the NSA has a whole class of similar bugs, bought from the 0day market, that flow through to their tools for exploitation.

Moreover, as I read the document, the NSA (at its discretion) can trump the entire process and keep things secret. For example, if somebody sold a way to factor 2048 bit numbers to the NSA for $1 billion, they'd keep that secret from everyone in the government except maybe the President. It'd be interesting knowing how often this has happened.

Note that this document is phrased in terms of 0days the government just happens to come across. To some extent this is valid, where the Department of Energy and DHS comes across 0days in industrial systems. But mostly what's talked about here is where the NSA buys 0days in the shady underground vulnerability market. Again, this shows a difference between the claimed process in the document, and what's really happening.


Summary

So in summary, as we reverse engineer the redacted bits, we see just what we'd expect for offensive use of 0days. As we read the document, we see just what we'd expect from bureaucracy. The missing bits aren't the redactions themselves, but what practically happens in the real world: this policy seems aspirational, what everyone agrees is the official policy, and how 0days are handled that nobody really cares about. But for the real 0days that the NSA uses, like whichever latest iPhone 0day exists, I suspect in practice there's a very different process.


Update: Kim Zetter has discussions of the "equities" process in her Stuxnet book. Where this post just reflects my experiences with the government, her book is researched talking to lots of people.



Op-ed: By the way, I disagree with most privacy/security activists. I think it's nonsense that the NSA buying 0day makes our computers less safe; I suspect quite the opposite is true. I do think the NSA has gone too far and needs to be reined in a bit, but there's nothing special about 0days in this regard.



Friday, December 12, 2014

FYI: Snowden made things worse

Snowden appeared at #CatoSpyCon, and cited evidence of how things have improved since his disclosures (disclaimer: as a Libertarian, I'm a fan of both CATO and Snowden). He cited some pretty compelling graphs, such as a sharp increase of SSL encryption. However, at the moment, I'm pretty sure he's made things worse.

The thing is, governments didn't know such surveillance was possible. Now that Snowden showed what the NSA was doing, governments around the world are following that blueprint, dramatically increasing their Internet surveillance. Not only do they now know how to do it, they are given good justifications. If the United States (the moral leader in "freedoms") says it's okay, then it must be okay for more repressive governments (like France). There is also the sense of competition, that if the NSA knows what's going on across the Internet, then they need to know, too.

This is a problem within the United States, too. The NSA collected everyone's phone records over the last 7 years. Before Snowden, that database was accessed rarely, and really for only terrorism purposes. However, now that everyone else in government knows the database exists, they are showing up at the NSA with warrants to get the data. It's not just the FBI, but any department within the government who thinks they have a need for that data (e.g. the IRS). Recently, an amendment was added to the Intelligence Authorization bill to codify the process. We don't have any transparency into this, but it's a good bet that the database has been accessed to retrieve American information more often in the year since Snowden than the 7 years before.

Snowden did the right thing in exposing phone surveillance, of course. My point isn't to say he's wrong. Instead, my point is that we aren't winning the war against surveillance. Activists are focusing on the good news, cherry picking the parts where we win. They are ignoring the bad news, that we are losing the war. The Intelligence Authorization bill is an excellent example of that.

Thursday, July 31, 2014

No, the CIA didn't spy on other computers

The computers the CIA spied on were owned and operated by the CIA.

I thought I'd mention this detail that is usually missing from today's news about the CIA spying on Senate staffers. The Senate staffers were investigating the CIA's torture program, reviewing classified documents. The CIA didn't trust the staffers, so they set up a special computer network just for the staffers to use -- a network secured and run by the CIA itself, in a CIA building, maintained by CIA sysadmins. Dianne Feinstein describes this as background information in her complaint:
I agreed in an exchange of letters that the CIA was to provide a “stand-alone computer system” with a “network drive” “segregated from CIA networks” for the committee that would only be accessed by information technology personnel at the CIA—who would “not be permitted to” “share information from the system with other [CIA] personnel, except as otherwise authorized by the committee.”
The CIA, though, spied on what the staffers did on the system. This allowed the CIA to manipulate the investigation. When the staffers found some particularly juicy bit of information, the CIA was able to yank it from the system and re-classify it so that the staffers couldn't use it. Before the final report was ready, the CIA was already able to set the political machine in motion to defend itself from the report.

Thus, what the CIA did was clearly corrupt and wrong, and counter to their agreement with the Senate. It's just that it isn't what most people understand when they read today's headlines. It wasn't a case of the CIA hacking into other people's computers. You can't "hack" a computer you own using your own password.

Many stories quote CIA director Brennan who said earlier this year:
I think a lot of people who are claiming that there has been this tremendous sort of spying and monitoring and hacking will be proved wrong
Many stories (like this one) claim that it's Brennan who was proven wrong, but instead, he was proven right. The investigation showed that at no time did the CIA hack anybody else's computer.


In pointing out the truth many people assume that I'm defending the CIA. I'm not. The torture program was morally wrong and beneath us as a country. Surreptitiously spying on the investigators into the program is clearly corrupt, and all involved need to be fired -- even if it turns out no law was broken (since it was the CIA's own computers).

I'm outraged, but believe we should be outraged by the right things, not the distorted story in the news. Seriously, I can't be more outraged at how the CIA revoked the declassification of things the staffers found useful to their investigation. It's not the spying (of their own computer) that angers me so much as their corrupt actions the spying enabled.



Update: @grayrisk points to this Lawfare blogpost with specifics. As you can see, CIA sysadmins had access to the system to administer it, but otherwise the system was supposed to be segregated from the rest of the CIA.
http://www.lawfareblog.com/2014/03/ssci-v-cia-three-key-questions/


Friday, July 04, 2014

XKeyScore: regex foo

For those of you rusty on your regex code, I thought I'd explain those found in the alleged XKeyScore source. The first one is:


/bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])/
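To make the behaviour of that regex concrete, here is an added example (mine, not code from the leaked rules or from this blog) that applies the same pattern, in Python's regex dialect, to a few constructed lines using RFC 5737 documentation addresses. It shows what the two capture groups actually hold and two quirks that follow directly from the pattern as written: the lazy `[0-9]{2,4}?` must be followed by one non-digit character, which is captured along with the port, so the pattern fails when nothing follows the port; and a five-digit port cannot match at all. The function names and sample lines are my own.

```python
import re

# Python raw-string form of the /.../ regex literal quoted above.
BRIDGE_RE = re.compile(
    r"bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])"
)


def match_bridge(line):
    """Apply the regex to one line and return the two raw capture groups.

    Group 1 is the dotted-quad address.  Group 2 is NOT just the port: the
    lazy [0-9]{2,4}? needs one following [^0-9] character, and that delimiter
    is captured together with the digits (e.g. "443\\n" or "9001 ").
    """
    m = BRIDGE_RE.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2)


def parse_bridge(line):
    """Return (ip, port) with the port as an int, or None if the regex fails."""
    groups = match_bridge(line)
    if groups is None:
        return None
    ip, raw_port = groups
    return ip, int(raw_port[:-1])  # strip the captured delimiter character


# Constructed sample lines (documentation addresses, not real bridges).
SAMPLE_LINES = [
    "bridge 192.0.2.10:443\n",           # address:port, newline-terminated: matches
    "bridge 198.51.100.7:9001 extra\n",  # port followed by a space: matches
    "bridge 203.0.113.5 443\n",          # space instead of colon: no match
    "bridge 192.0.2.20:443",             # nothing after the port: no match
    "bridge 192.0.2.30:44312\n",         # five-digit port: no match
]


def run_samples(lines=SAMPLE_LINES):
    """Parse every sample line; None marks lines the regex does not accept."""
    return [parse_bridge(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, run_samples()):
        print(repr(line), "->", result)
```

The third and fourth lines fail for the reasons noted in the comments; the fifth fails because `{2,4}` never admits a fifth digit and the backtracking through `:?` and the last octet finds no other way to satisfy the pattern.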

Jamming XKeyScore

Back in the day there was talk about "jamming echelon" by adding keywords to email that the echelon system was supposedly looking for. We can do the same thing for XKeyScore: jam the system with more information than it can handle. (I enumerate the bugs I find in the code as "xks-00xx").

Reading the XKeyScore-rules source

Today's story is about the "XKeyScore source code" leak. As an expert, I'm going to read through the code line-by-line and comment on it.

Let's assume, for the moment, that somebody has taken an open-source deep-packet-inspection project like Snort and written a language on top of it to satisfy XKeyScore needs. Let's look at the gap between what Snort can do now and what this code wants to produce.

Thursday, July 03, 2014

XKeyScore: it's not attacking Tor

The latest Jacob Appelbaum story is, as usual, activist garbage. The underlying technical information is solid, but their conclusions are completely unwarranted.

The story starts by claiming that two German Tor servers are "under surveillance by the NSA". That implies the NSA has installed a wiretap monitoring all traffic going to/from those servers. That's not what the evidence shows. Instead, the deal is that the wiretaps exist elsewhere in the world, such as Pakistan or Iran. The NSA wants to find users in those countries who connect to Tor. It's those people the NSA is surveilling. The same argument applies to the MixMinion server: the NSA isn't "tracking all connections" to the server as the story claims -- just ones that originate from the targets under surveillance, in order to find out information about those targets.

Friday, January 10, 2014

Why Snowden belongs in jail

For me, Snowden is a hero, having revealed intolerable actions by Congress, Courts, the Executive branch, and collusion among the two official Parties.

Not everyone agrees with me.

But that's okay. We live in a pluralistic society where not everyone has to believe the same thing. Reasonable people can disagree. That you disagree with me doesn't mean that one of us is stupid, evil, or otherwise unreasonable. It simply means that we disagree.

Consequently, according to polls, Snowden only served half the country, the country that wants less domestic surveillance. Snowden worked against the interests of the other half the country, the half that votes for (fascist) politicians like Dianne Feinstein and Lindsey Graham.

In other words, rather than fighting for everyone's interests, Snowden only fought for his own interests, against the interests of others. That's not noble. His ends don't justify his means, which were clearly illegal. That his interests are my interests doesn't change this.

That a president would grant clemency to Snowden would be evil. It would invite everyone to break their word (and the law) to promote their politics. That invites chaos. That the powerful would then pardon those with the right politics would be wholly corrupt.


However, this argument would change if the Supreme Court rules in Snowden's favor. Snowden's highest, most important oath was to "defend the Constitution", and it's obvious that the only way the case could get to the Supreme Court was through leaks. By definition, the Constitution is above politics -- even if you disagree with it. Should this happen, should the Supreme Court (not just lower courts) rule in his favor, then Snowden deserves a full pardon and medals of honor.

But until/if that happens, he is merely a lawbreaker/oathbreaker who belongs in jail.


I write this because there are a lot of people writing about whether Snowden should/shouldn't be given clemency. All of them are based on whether they agree with his "ends", rather than discussing whether they agree with the "means". All I'm arguing here is that the "ends don't justify the means". The only thing that can justify Snowden's means is whether the Supreme Court agrees, not whether any of us personally like/dislike Snowden's ends.

Thursday, December 19, 2013

What good are lead lined rooms?

The recent 60 Minutes report on the NSA contains many factual errors (like those about BIOS). One thing that looks like an error is the description of "lead lined rooms". Are rooms at the NSA really lined with lead? Or is this just a mistake reflecting the common misconception about lead stopping radiation?

We all grew up with the stories that Superman's X-Ray vision can see through any substance other than lead, and that lead is used to block radiation in nuclear reactors. These stories aren't really true.

What stops X-Rays is mass. The heavier the object between you and the X-Ray source, the better, but the material doesn't really matter. Lead is often chosen because it's dense and cheap, not because it has any special blocking capabilities. A 1-inch thick lead wall is equivalent to 2.5 inches of steel, or 6-inches of concrete. I'm pretty sure building walls out of concrete and steel would be a better choice for the NSA, since they can bear their own weight, than lining them with lead.

As a corollary, unlike in the movies where any lead, no matter how thin, stops Superman's vision, the real issue is the amount. Twice as much mass stops X-rays twice as well. Thin lead foil in your undies to protect your modesty around Superman isn't going to work -- there's just not enough mass.


The major threat to the NSA isn't X-rays, but radio waves. The NSA wants to stop signals from getting out (TEMPEST), and radio waves from getting in (EMP). To stop these things, what you really want are electrical conductors. Sure, lead is a conductor, but copper and aluminum are far better. These are the metals you want to line your room with, rather than lead.

A minor threat is sound, preventing people from eavesdropping. Most sound protection is done by controlling the echoes, as in an anechoic chamber. But mass also helps, so lead is sometimes used for deadening sound, often in foams that both distort and block the sound. I'm not sure if this has any bearing on the NSA "lead lined rooms".


What I think happened here is that the NSA talked about SCIFs, which have to be TEMPEST hardened against leaking electromagnetic radiation, and the reporters at CBS just assumed this meant "lead" without checking the facts.

So my question for anybody is this: are rooms at the NSA actually lined with lead? And if so, why?

Sunday, December 15, 2013

How we know the 60 Minutes NSA interview was crap

Regardless of where you stand on the Snowden/NSA debate, it's obvious tonight's "60 Minutes" was a travesty of journalism. In exchange for exclusive access to the NSA, CBS parroted dubious NSA statements as fact. We can see this in the way they described what they call the "BIOS plot", which they claim would have destroyed the economy of the United States had the NSA not saved us. The NSA spokesperson they quote, Debra Plunkett, is a liar.

There is probably some real event behind this, but it's hard to tell, because we don't have any details. The event has been distorted to serve the needs of propaganda. It's completely false in the message it is trying to convey. What comes out is gibberish, as any technical person can confirm.

Tuesday, October 15, 2013

Baconizing: how the NSA collects buddy-lists

Over the weekend it was revealed that the NSA is slurping up everyone's email "address book" and chat "buddy lists". How does this work?

You can look at my open-source "ferret" utility for the answer. It parses a bunch of different email (SMTP, POP, IMAP) and chat protocols (MSN, Yahoo, and AOL). I wrote this code back in 2007. It's unlikely that any NSA engineer writing similar code since wouldn't have seen my ferret program. Also, my code is very fast; it can reasonably be run on multi-gigabit links -- the sort you'd find in underwater taps of fiber-optic links.

Likewise, there's a good chance they saw my presentations on ferret and "data seepage", such as this one from Black Hat DC in 2007 where I explain how to grab a person's address book:



In my presentation, I called this "baconizing", referring to the "6 degrees of Kevin Bacon" theory. I was hoping it would catch on. It didn't.

Anyway, if you want to understand this issue more, I highly recommend either the above presentation or the ferret source code itself.



Wednesday, October 02, 2013

Silk Road: caught by the NSA?

According to the complaint against Silk Road, the investigation into Ulbricht appears to have started when border agents intercepted fake IDs [update: though see Popehat's discussion of evidence it started earlier]:
   On or about July 10, 2013, CBP [Customs and Border Patrol] intercepted a package from the mail inbound from Canada as part of a routine border search. The package was found to contain nine counterfeit identity documents.

"Routine border search" is one of the techniques taught by the "Special Operations Division" to hide the source of unconstitutionally obtained information. As documented in the Reuters article, when the NSA or FBI obtains unconstitutional evidence against American citizens, they tell border agents what to look for when things cross the borders.

Sunday, September 15, 2013

NSA's Fort Belvoir and Star Trek

This is an example of how my experiences with the NSA jar with the press's reporting. An article in Foreign Policy Review claims that General Alexander hired a Hollywood set designer to make his command center at Fort Belvoir look like the bridge of the Enterprise. That's not the story I heard.

I visited Fort Belvoir around 2003 (I forget the exact timeframe). The story I was given is that the Hollywood set designer was a relative, either of the head himself or of one of his underlings, and that the set designer provided his services for free. Rather than a passion for Star Trek, the situation was more about taking advantage of the opportunity. Whether they spent a ton of money, or got free services, seems to me to be a critical part of the story.

Also, it's not just Federation. The exterior doors have interlocking swords like the Klingon High Council Chamber.

I point this out to show how the press creates a narrative, in this case of Keith Alexander being a "cowboy", and ignores things that don't fit their narrative. I'm on the front lines calling the NSA evil and Orwellian, but at the same time, I don't trust the press, either.




Monday, September 09, 2013

The first rule of NSA club...

According to the law, you can't use the NSA logo -- or even mention the letters "NSA" or use the name "National Security Agency":

   Sec. 15. (a) No person may, except with the written permission
   of the Director of the National Security Agency, knowingly use the
   words 'National Security Agency', the initials 'NSA', the seal of
   the National Security Agency, or any colorable imitation of such
   words, initials, or seal in connection with any merchandise,
   impersonation, solicitation, or commercial activity in a manner
   reasonably calculated to convey the impression that such use is
   approved, endorsed, or authorized by the National Security Agency.

Well, you might argue, clearly that doesn't apply, but it is precisely this law that was used to justify censorship of a post by cryptography professor Matthew Green that was critical of the NSA. His university threatened Green with legal action unless he removed the NSA logo -- based on their interpretation of this law.

Sunday, September 08, 2013

No, the NSA can't spy on arbitrary smartphone data

The NSA has been exposed as evil and untrustworthy, but so has the press. The press distorts every new revelation, ignoring crucial technical details, and making it sound worse than it really is. An example is this Der Spiegel story claiming "NSA Can Spy On Smartphone Data", such as grabbing your contacts or SMS/email stored on the phone. Update: That was a teaser story, the actual story appearing tomorrow (available here) has more facts and fewer speculations than the teaser story.