Showing posts with label Snowden.

Saturday, December 28, 2013

Techie Code of Omerta For Colluding With NSA

With RSA, a big and respected name (actually initials) in cryptography, currently getting flayed in the public press for taking $10 million from the NSA and, in return, making the NSA-compromised random number generator Dual_EC_DRBG the default in its BSAFE products (RNGs generate encryption keys; whoever holds the secret behind this particular RNG can recover its internal state from a small sample of its output and predict every key it goes on to produce), a few observations:

First, as readers probably recall, the backdoored character of Dual_EC_DRBG was revealed in a previous tranche of the Snowden documents in September, and an embarrassed RSA quickly issued a recommendation that customers stop using that particular RNG.

Second, even back in October, there were rumblings about possible financial considerations playing a part in RSA's willingness to include the RNG in its products.  Here's a snip from a piece I wrote at the time:

[On a recent episode of Science Friday] Ira Flatow asked Phil Zimmermann [creator of the PGP public-key e-mail encryption system] why RSA would have done such a thing. There was a long, awkward silence and some awkward laughter before Zimmermann slid into the passive voice/third person zone:
ZIMMERMANN: And yet RSA did a security - did use it as their default random number generator. And they do have competent cryptographers working there. So.

FLATOW: How do you explain that?

ZIMMERMANN: Well, I'm not going to - I think I'd rather not be the one to say.

(LAUGHTER)

FLATOW: But if someone else were to say it, what would they say?

ZIMMERMANN: Well, someone else might say that maybe they were incentivized. 
Maybe Mr. Zimmermann had an advance peek at the relevant Snowden documents.  I think it more likely that he had already heard some tittle-tattle in his high tech circles but was not interested in calling down a corporate and legal sh*train upon himself by openly accusing RSA of taking government money (interesting legal question: is it slanderous to allege that a US corporation engaged in a legal transaction with the US government?).

Third, Blame the Suits!  Per the Reuters exposé:

No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.

"The labs group had played a very intricate role at BSafe [the product line that was compromised by the RNG], and they were basically gone," said labs veteran Michael Wenocur, who left in 1999.

Actually, outside security analyst Bruce Schneier and others had raised serious concerns about Dual_EC_DRBG in 2007 in a public forum (two Microsoft researchers, Dan Shumow and Niels Ferguson, showed at that year's CRYPTO conference that whoever chose the standard's two elliptic-curve points could hold a secret number relating them that turns a single block of the generator's output into a predictor of all its future output) and, as Zimmermann pointed out, RSA had competent cryptographers in the building.  Dual_EC_DRBG was provided as only one option, albeit the default, and security-savvy users would be able to select another, better RNG.  And RSA cryptographers could further console themselves with the awareness that, even if Clueless Enduser kept Dual_EC_DRBG as a default, probably the only entity holding that secret number and also possessing the message collection capability to exploit it was America's own NSA.
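To make the mechanism concrete, here is an added example, written for this edit and not code from RSA, NIST or the NSA: a toy Dual_EC_DRBG on a tiny curve, with the attacker's state-recovery step beside it. The curve (y^2 = x^3 + x + 7 over GF(1019)), the base point, the secret scalar E and the seed are all invented toy values; the real generator runs on NIST P-256 and drops 16 bits of each 256-bit output block, so the attacker's guess loop there runs over 2**16 candidates instead of the 4 here. The algebra is the same: one output block plus the secret relation P = E*Q is enough to walk the generator's state forward.

```python
# Toy Dual_EC_DRBG with the trapdoor.  Added example; not code from RSA, NIST or the NSA.
# Curve, base point, secret E and seed are invented toy values (see the text above).

P_MOD = 1019        # prime, P_MOD % 4 == 3 so sqrt(v) = v^((p+1)/4) mod p
A, B = 1, 7         # curve y^2 = x^3 + A x + B; 4A^3 + 27B^2 != 0 mod P_MOD
INF = None          # point at infinity
TRUNC_MASK = 0xFF   # keep the low 8 of 10 bits, as the real DRBG keeps the low 240 of 256
E = 97              # trapdoor scalar: P = E*Q, known only to whoever chose the points

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A x + B over GF(P_MOD)."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = INF, pt
    while k > 0:
        if k & 1: acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def x_of(pt):
    """x-coordinate, with 0 for the point at infinity (toy-only convention)."""
    return 0 if pt is INF else pt[0]

def lift_x(x):
    """A curve point with this x (either sign of y works), or None if none exists."""
    v = (x ** 3 + A * x + B) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == v else None

def point_order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc, n = ec_add(acc, pt), n + 1
    return n

def find_base_point(min_order=200):
    """First point whose order is large enough for the toy not to collapse."""
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt is not None and point_order(pt) >= min_order:
            return pt
    raise RuntimeError("no usable base point")

class DualECToy:
    """SP 800-90A step: s_i = x(s_{i-1}*P), r_i = x(s_i*Q), output_i = r_i minus top bits.
    P is the generator, Q the second, supposedly unrelated, point."""
    def __init__(self, state, P, Q):
        self.s, self.P, self.Q = state, P, Q
    def step(self):
        self.s = x_of(ec_mul(self.s, self.P))
    def output_from_state(self):
        return x_of(ec_mul(self.s, self.Q)) & TRUNC_MASK
    def next_output(self):
        self.step()
        return self.output_from_state()

def recover_generator(first_out, following, e, P, Q):
    """Attacker side.  Guess the dropped bits of first_out, lift x to R = +/-(s_i*Q);
    then e*R = s_i*(e*Q) = s_i*P, whose x is the victim's next state.  The outputs in
    `following` confirm the guess.  Returns a DualECToy in sync with the victim, or None."""
    for hi in range(0, P_MOD, TRUNC_MASK + 1):
        x = hi | first_out
        R = lift_x(x) if x < P_MOD else None
        if R is None:
            continue
        clone = DualECToy(x_of(ec_mul(e, R)), P, Q)
        ok = clone.output_from_state() == following[0]
        for out in following[1:]:
            clone.step()
            ok = ok and clone.output_from_state() == out
        if ok:
            return clone
    return None

def demo(start_seed=12345, n_following=3, n_predict=5):
    """Victim emits 1+n_following outputs; the attacker then predicts the next n_predict."""
    Q = find_base_point()
    P = ec_mul(E, Q)                        # published as if unrelated to Q
    for seed in range(start_seed, start_seed + P_MOD):
        victim, outs, degenerate = DualECToy(seed % P_MOD, P, Q), [], False
        for _ in range(1 + n_following + n_predict):
            outs.append(victim.next_output())
            degenerate |= victim.s == 0     # tiny-field artefact; skip such seeds
        if degenerate:
            continue
        observed, actual = outs[:1 + n_following], outs[1 + n_following:]
        clone = recover_generator(observed[0], observed[1:], E, P, Q)
        predicted = [clone.next_output() for _ in range(n_predict)]
        return {"observed": observed, "actual": actual, "predicted": predicted,
                "state_match": clone.s == victim.s}
    raise RuntimeError("no usable seed")
```

Running `demo()` returns the four output blocks the attacker saw, the five the victim produced afterwards, and the five the attacker predicted from the secret E; the last two lists are identical. Note that the attacker needs no message-analysis machinery beyond a copy of the output, which in a real deployment is, for instance, the random nonce in a TLS handshake; the "only the NSA could exploit it" consolation rests entirely on who holds E.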

In other words, it wasn't just RSA Chief Executive and Designated Villain Art Coviello sneaking down into the lab and inserting the lethal code while the techies obliviously shipped the compromised product.

Fourth, I think there is a growing awareness that a significant element of the Snowden story is the collusion between Big Tech and the NSA, fueled by the awareness that both sides want the same thing: a thoroughly backdoored Internet open to individual data profiling and surveillance penetration (and tolerate the resultant security breaches as cost of doing business/collateral damage).

I wonder if the story will get any more traction, since there are sizable vested economic, political, and ideological interests extending all the way to the Oval Office that are engaged in perpetuating the image of a benign, democratic/populist information order dedicated to information security.  The constituency interested in seeing Google and the other tech giants share the blame for ruining the Internet--and in the process evaporating a few hundred billion dollars of personal wealth, market cap, and stock options--is, on the other hand, powerless and vanishingly small.

Inside the tech industry, the attitude seems to be one of damage control, i.e., media initiatives to convince the public that the Internet companies care about YOU and hate helping out that nasty old government.   As to the question of whether a corporate Snowden will emerge, the attitude seems to be, as Phil Zimmermann--a genuine and battered hero of the encryption wars in the 1990s--put it: "I think I'd rather not be the one to say."  Maybe the code of omerta lives on in the tech industry.

Fifth, I find it amusing and somewhat irritating that, ever since I wrote about RSA in October, I am bombarded with RSA pop-up ads on my own blog and across the web.  It's the Internet equivalent of a golden retriever that pursues me down the street driven by the irresistible urge to sniff the seat of my trousers.  Make it stop!

Saturday, November 23, 2013

The NSA's Fatal Flaw




I’ve come up with a new coinage FUSMAL, “Fucked Up on So Many Levels” to describe the NSA follies.

I took note of the recent Washington Post poll which found that 60% of respondents believe that Edward Snowden’s revelations had “harmed U.S. security.”

This represented an 11-point jump over July, when 49% thought his revelations had harmed U.S. security.
I suppose this increase, which came about equally from the minority who thought he didn’t harm U.S. security (37% in July; 32% now) and the undecided (down to 8% now, from 13%), can be attributed to the shift of the focus of releases from domestic privacy violations to espionage on foreign governments.

37% think he did “the right thing” and 55% think he did “the wrong thing”.

It is of course interesting that, as of now, Edward Snowden is doing “the nothing”.  He gave up his documents before he entered Russia and all the revelations, shocking and otherwise, are the responsibility of Glenn Greenwald, the Guardian, and, yes the Washington Post, which is perhaps anxiously waiting for some other pollster to ask the question, “Do you think the Washington Post is doing the ‘right thing’?”

I don’t believe that Edward Snowden “harmed U.S. security” in a practical sense.  
Snowden and his media collaborators have been sedulous in suppressing information that would be directly helpful to America’s enemies/competitors/China.  The revelations have, of course, created a political uproar in places like Brazil and Germany, which have some pretenses to independent foreign policies and now have to deal with domestic calls to decouple their internet communications from the U.S.

However, I have a feeling that Germany, which served as home base for a clutch of the 9/11 perpetrators and is anxious host of a lot of Muslim immigrants and guest workers, is going to find a way to maintain its surveillance and intelligence sharing regime with the United States even if it takes measures to get the NSA out of Angela Merkel’s cell phone.

So I think that Mr. Snowden, as he tucks into his bowl of borscht with sour cream and watches his first Russian winter descend like a great icy hammer outside his window, can console himself with the confidence that he has not materially degraded the security of the citizens of the United States.
IMHO the NSA, on the other hand, has done a pretty good job of screwing up the Western world’s intelligence regime.

The root of the NSA’s problem is that it is committed to hegemony in the global information space.  Hegemony is an understandable ambition since U.S. technology, equipment, and infrastructure still dominate the global transmission of information.

I refer doubters about this objective to the homepage of IARPA.  

Readers may be familiar with DARPA—the Defense Advanced Research Projects Agency.  It’s a government incubator that reaches out to the academic and private sector to develop technologies that the DoD finds useful, like robotic trucks that can drive unmanned through war zones—and an idea to link computers on opposite sides of the country in order to efficiently utilize computing resources.  You may know this successful initiative as “the Internet”.

IARPA—the “Intelligence Advanced Research Projects Activity”, pronounced “yarpa”—is DARPA for spooks.  It’s a research agency under the Director of National Intelligence and it pours a lot of money into things like quantum computing (the holy grail for cracking strong encryption: a large enough quantum computer running Shor’s algorithm would break the RSA and elliptic-curve public-key systems that protect Internet traffic, though not symmetric ciphers such as AES) because…
…well, here’s the first sentence from the statement “About [IARPA]” on the IARPA website:

The Intelligence Advanced Research Projects Activity (IARPA) invests in high-risk, high-payoff research programs that have the potential to provide the United States with an overwhelming intelligence advantage over future adversaries. 

The NSA’s data greed, the desire to “have it all”, is not just a matter of organizational hubris and mission creep.  It’s built into US security policy strategy.  Leveraging US capabilities to dominate the information space is seen as the key U.S. advantage in 21st century strategic competition.

Domestically, the US government has bent and probably broken US laws and the will of the FISA court and colluded with service providers in order to collect US communications data.  And it has subverted the fundamental security and safety of the Internet in order to facilitate NSA access. 

Bad news is, the quest for “an overwhelming intelligence advantage” can’t stop at America’s borders.  Since even our closest allies shrink from openly surrendering their data sovereignty to US surveillance, the NSA has been forced to improvise a covert network of alliances and intrusions in order to get “it all”.

The most recent report on the NSA, by the NRC Handelsblad (a newspaper in the Netherlands), provided an interesting graphic showing the overseas data network penetration by the NSA.  It reported that the NSA had successfully infected 50,000 computer networks in non-ally jurisdictions with malware implants, what the agency calls Computer Network Exploitation (CNE).
 
On the map, CNE hot spots are shown with yellow dots.  China, Russia, Central Asia, Middle East, India, Brazil, Venezuela (and Colombia!), Peru, Ecuador…lotsa dots.

I would also draw the inference that countries without yellow dots are jurisdictions that are probably knowingly cooperating with the NSA and therefore don’t need to be penetrated with malware.    

There don’t seem to be any yellow dots in the Five Eyes countries, for instance.  But there also don’t seem to be any yellow dots in France, Germany, Spain, Italy, the Scandinavian countries, Central America, Japan, Indonesia, Argentina, or Chile.

But even our closest and most enthusiastic ally, Great Britain, was probably subjected to covert espionage in violation of the “Five Eyes” agreement that the telecommunications of the U.S., U.K., New Zealand, Australia, and Canada would be mutually respected.

No doubt the metastasizing network of yellow, red, and blue dots across the globe was regarded with joy by the NSA bigwigs.  But one could also look at the network and see each dot as an added security risk for an over-extended, undermanaged, and insecure intelligence initiative (note that this graphic was distributed to all of the "Five Eyes").

There were tens of thousands of potential Edward Snowdens with the necessary clearances inside the NSA and its subcontractor agencies.  There are probably thousands, if not tens of thousands more, in intelligence agencies and IT corporations and installations within the Five Eyes and our allies around the world.

A major breach is something not just the NSA is worrying about.  That’s undoubtedly what GCHQ and every other allied security service is worrying about.  And the risk becomes bigger as more and more dots pop up on the board and more foreign data is shoveled into the maw of the NSA.  

And I expect foreign governments are asking themselves whether the omnivorous U.S. demand for sigint is a matter of achieving joint security, or U.S. unilateral information hegemony.

So we have a covert, improvised unilateral intelligence gathering regime executed to a significant extent by partners whose loyalty is less than absolute and whose actions we are unable to control.

On one level, the Snowden revelations were a remarkable one-off.

At a certain level US priorities will diverge from those of our willing and unwilling intelligence partners.

On another level, the emergence of Snowden may have simply been the inevitable product of a destabilizing, overextended covert operation that was teetering on the edge of collapse.

It’s a dismal situation.  It’s FUSMAL.


Graphic from the NRC Handelsblad website http://www.nrc.nl/nieuws/2013/11/23/nsa-infected-50000-computer-networks-with-malicious-software/






Wednesday, November 20, 2013

I Spy on the Five-Eye




Well, the guy who said this was full of crap:

David Skillicorn, a professor in the School of Computing at Queen’s University, says this is one piece of the data-sharing relationship "that has always been carefully constructed."

"The Americans will not use Canadians to collect data on U.S. persons, nor will any of the other Five Eyes countries," Skillicorn says.

"In fact, in practice, it’s as if the five countries’ citizens were one large, collective group, and their mutual communications are not intercepted by any in the Five Eyes community."

Actual situation, as per the Guardian today: the NSA honored its no-spy-on-Five-Eyes pledge more in the breach than in the observance:


Britain and the US are the main two partners in the 'Five-Eyes' intelligence-sharing alliance, which also includes Australia, New Zealand and Canada. Until now, it had been generally understood that the citizens of each country were protected from surveillance by any of the others.

But the Snowden material reveals that:

• In 2007, the rules were changed to allow the NSA to analyse and retain any British citizens' mobile phone and fax numbers, emails and IP addresses swept up by its dragnet. Previously, this data had been stripped out of NSA databases – "minimized", in intelligence agency parlance – under rules agreed between the two countries.

• These communications were "incidentally collected" by the NSA, meaning the individuals were not the initial targets of surveillance operations and therefore were not suspected of wrongdoing.

• The NSA has been using the UK data to conduct so-called "pattern of life" or "contact-chaining" analyses, under which the agency can look up to three "hops" away from a target of interest – examining the communications of a friend of a friend of a friend. Guardian analysis suggests three hops for a typical Facebook user could pull the data of more than 5 million people into the dragnet.

• A separate draft memo, marked top-secret and dated from 2005, reveals a proposed NSA procedure for spying on the citizens of the UK and other Five-Eyes nations, even where the partner government has explicitly denied the US permission to do so. The memo makes clear that partner countries must not be informed about this surveillance, or even the procedure itself.
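The “three hops” figure above is worth seeing mechanically. The following is an added example, not code from the Guardian or from any NSA document: contact chaining as a hop-bounded breadth-first search over a small, constructed list of call records, plus the geometric estimate that explains why three hops from one selector sweeps in millions of people. The records and the average of 190 contacts per person are assumptions for illustration, not the Guardian's data.

```python
# Added example (not from the Guardian or any NSA document): contact chaining over a
# constructed call-record list.  Each hop adds everyone who communicated with anyone
# already in the set, so three hops from a target is "a friend of a friend of a friend".
from collections import defaultdict, deque

# Constructed records (caller, callee); real inputs would be billions of call records.
RECORDS = [
    ("T", "A"), ("T", "B"), ("A", "C"), ("B", "C"), ("B", "D"),
    ("C", "E"), ("D", "F"), ("E", "G"), ("F", "H"), ("G", "H"), ("X", "Y"),
]

def build_graph(records):
    """Undirected contact graph: for chaining, who called whom does not matter."""
    graph = defaultdict(set)
    for a, b in records:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def contact_chain(graph, target, max_hops):
    """Breadth-first search bounded by hop count.
    Returns {identifier: hop distance} for everyone within max_hops of target."""
    dist, queue = {target: 0}, deque([target])
    while queue:
        cur = queue.popleft()
        if dist[cur] == max_hops:
            continue
        for nxt in graph[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def reach_by_hop(graph, target, max_hops):
    """How many identifiers each hop sweeps in (hop 0 is the target itself)."""
    counts = [0] * (max_hops + 1)
    for hop in contact_chain(graph, target, max_hops).values():
        counts[hop] += 1
    return counts

def geometric_reach(avg_contacts, hops):
    """Upper-bound estimate for a large population with no overlapping contacts:
    1 + d + d^2 + ... + d^hops.  d = 190 is an assumed figure (not the Guardian's);
    at three hops it already gives 6,895,291 identifiers."""
    return sum(avg_contacts ** k for k in range(hops + 1))

if __name__ == "__main__":
    g = build_graph(RECORDS)
    for hops in (1, 2, 3):
        print(hops, "hops from T:", reach_by_hop(g, "T", hops))
    print("190 contacts, 3 hops:", geometric_reach(190, 3))
```

On the constructed graph, chaining from T reaches 2 people at one hop, 4 at two, and 6 at three, while G, H and the unconnected pair X, Y stay outside; the geometric estimate shows why the same procedure on real contact data is a dragnet rather than a targeted query.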


When intelligence community apologists get wrongfooted by these kinds of revelations, one is inclined to wonder: is the so-called security insider who is allaying (and in some cases ridiculing) the public’s anxieties over government surveillance practices a clueless dupe or a duplicitous shill? 

Inquiring minds want to know.

The most recent revelation is tantalizing as it relates to my own personal hobbyhorse, as discussed in a previous post with the theme Blame Canada: did the NSA diddle with traffic patterns through its corporate buddies on the North American backbone and route US persons’ data to Five Eyes partners—like maybe Canada—for storage, collection, and processing, and thereby receive its tittle-tattle on interesting Americans second hand via a foreign intelligence agency, without violating the letter of the U.S. law prohibiting these kinds of interception without a warrant?

With this background, the most interesting element for me was one that the Guardian didn’t even bother to report on.  It only appears in the Guardian’s reproduction of the 2007 memo (click on the image at the head of the article for the full text) authorizing collection of UK persons’ info.  The memo baldly stated that “unmasked” UK data—if I understand it correctly, this simply means in this case “metadata that has been revealed as relating to a UK person” is not only fair game for review by NSA analysts; it may also be dumped into a database for access by GCHQ:

“[US Analysts] Are not required to forward unmasked UK contact identifiers to GCHQ unless specifically requested by GCHQ.  GCHQ should receive all unmasked UK contact identifiers via established or mutually agreed forwarding means or the contact identifiers should be available in the GCHQ-accessible five-eyes [deleted] database, the [deleted] access to [deleted], or other GCHQ-accessible metadata stores.”

Hmmm.  Certainly sounds like the NSA was not only collecting UK data; it was making it available to GCHQ.  If that was the case, one would assume it worked the other way around as well.
There’s probably more onion to be peeled.  Maybe a couple more layers down we’ll find out if we can really {drumroll} “blame Canada.”

If this scenario is confirmed, I reserve the right to name the illicit, escalating sigint exchange with our neighbor in the Great White North "snowballing".  In honor of Kevin Smith, of course.

Sunday, October 27, 2013

Article in CounterPunch Magazine on NSA Encryption Follies




Also, Snowden Derangement Syndrome and Angela Merkel’s Phone

I have an article in the current subscription-only CounterPunch magazine on the NSA encryption follies.  

The takeaway from the article is that, thanks to fiddling by the NSA and its corporate partners, Internet security is a jury-rigged omnishambles.  It’s as if the National Transportation Safety Board, with the garages and auto parts suppliers playing along, had undermined the safety standards for brakes and facilitated the insertion of multiple points of failure in the braking system, and then encouraged everybody to drive down the Information Superhighway at 120 miles per hour in order to give more business to the auto repair industry.

With the powers vested in me by the Internet, I command everyone to subscribe…now!  Here’s the link.

The piece has a different take on the NSA’s surveillance excesses than what readers are probably accustomed to.

Edward Snowden’s core concern, and the basis of a lot of the coverage, is anxiety over the massive scope of NSA surveillance.  It looks like the US government never abandoned the goal of Total Information Awareness, articulated during the George W. Bush era by John Poindexter, and simply decided to implement it clandestinely.  NSA wants it all: metadata, unencrypted data, encrypted data, the correlations, whatever.  

Even for those of us who have “nothing to hide and nothing to fear” a.k.a. nobody, this raises the specter of the Panopticon state, where the hidden eye may be everywhere and anywhere, and the subject is pre-emptively cowed into compliance by the fear of being observed.

I have to admit I already feel that way, to a degree.  I look at the computer on my desk and see it as a window in—to me—as well as a window out onto the WWW.

Not just for the US government which, quite frankly, I don’t think devotes a lot of time to worrying about me.  Also for Google.  For instance, the web ads aren’t mass advertising like TV commercials; they are targeted ads based on my Google searches.  Instead of telling me what’s out there, they are trying to get inside me and push my buy buttons based on what they think what’s in there.  Instead of surfing the web, I’m getting enmeshed in my personalized web of preconceptions and plans, spun courtesy of Google, Facebook, etc.  And for botnets.  I assume I’ve got one.  Maybe just one.  I hope so.  Recently, the FBI and Microsoft took down a botnet infecting 2 million computers.  I look at my computer as a device on loan to me from the botnet when it isn’t using the CPU cycles for its own nefarious ends.

The NSA and the US IT industry have a shared interest in exploiting me as a data asset.  The information, services, and connectivity benefits of the Internet are just the honey pot that lures us in.  Just like newspapers and magazines are advertising circulars with just enough journalism and entertainment to get us to crack open the pages.

If we want to restore our digital privacy, it’s going to take a new network: new hardware, new software, new protocols, and billions of dollars (without any government and corporate subvention!).
Good luck with that.

Short of that, enhanced transparency and accountability from the entities degrading the security functionality of the Internet might help.

It looks like the only way we’re going to get that is via whistleblowers.

When the Edward Snowden revelations hit, my first reaction was Wow.  Somebody’s really stuck it to the Man.

However, on some liberal and conservative sections of the Intertubes, something that I call Snowden Derangement Syndrome erupted.  It was as if Snowden had posted dirty pictures of him having sex with mom.  Some seemed to take the position of Don’t you understand?  We’re the Man.  Edward Snowden is sticking it to us!

Well, my general take is that Edward Snowden is a whistleblower, not a spy.  It’s not my job to help the Man sideline, discredit, silence, or incarcerate whistleblowers in order to make His job easier.

Of course, there has been a persistent bubbling of efforts to discredit Snowden along the lines of naif/narcissist/traitor.  Things quieted down when the carefully managed revelations of NSA domestic surveillance undercut the Snowden as hysterical dingbat narrative, but hotted up again with the reports on US spying on allies.  You know, hurts American interests, old news, everybody does it and, in Mike Rogers’ iteration, Europe should be grateful because Nobody Does It Better than the US of A.

These people obviously lost the Lord Acton memo about the corrupting nature of power—including the power bestowed on the NSA by an open-ended and generously funded mandate, secrecy, and sufficient legal impunity to initiate and perpetuate massive, compounded clusterfucks beyond the reach of congressional oversight.

Consider this revelation about the bugging of Angela Merkel’s phone:


The Economic Times writes the “high-ranking” NSA official spoke to Bild am Sonntag on the condition of anonymity, saying the president, “not only did not stop the operation, but he also ordered it to continue.”

The Economic Times also reports the official told Bild am Sonntag that Obama did not trust Merkel, wanted to know everything about her, and thus ordered the NSA to prepare a dossier on the politician.


I don’t think that’s Edward Snowden talking.  Maybe it’s the Acela Babbler, Michael Hayden, passing on third-hand tittle-tattle.  Maybe Keith Alexander is sticking the boot in as he stomps off into retirement.  

In any case, that high level gossip, my friends, is probably more damaging to US diplomacy than the Snowden revelations, and also an indication of the culture of impunity and malice that seems to permeate the upper levels of the NSA and is now directed at President Obama for his equivocal defense of the agency.

Angela Merkel is probably seriously pissed that the NSA tapped her phone--and bragging about it.  In July, Merkel, an East German native who has tried to draw a clear, bright line between the security excesses of East Germany and practices in the West, had defended NSA surveillance as qualitatively different from the Stasi since the NSA was interested in protecting American security.  By that reading, Merkel has been considered a security risk for over a decade.

The revelation has done Germany the favor of alerting it to the fact that its communications security technology—in which it has reposed a high level of confidence—has been compromised.

As discussed in this article from Spiegel, German government communications were supposedly protected by world-class non-USA encryption and security products delivered by ex-Stasi technicians rolled into a company called Rohde & Schwarz.  The implication of the bugging of Merkel’s phone is that the US government has suborned and compromised Germany’s own data security apparatus.  Since Rohde & Schwarz is also a NATO supplier, perhaps the prospect of NATO contracts might have enticed them to hand over the goodies.  Or maybe the NSA hacked and fiddled its way in without corporate assistance from R&S.

For whatever reason, one can speculate that the NSA has done as good a job of fucking up German and NATO secure communications as it has done with overall Internet security.