The NSA used to target only foreign signals, and according to its own legal interpretations, that's what it still does. But communications are now global: the Internet is so interconnected that everything and everyone on the network becomes a potential target, even the network itself. That's not to say that the NSA has "broken" all cryptography: "the math works," says Schneier, and while anonymizing tools like Tor are targeted by NSA, they seem to remain secure. Instead, the NSA appears to have manipulated encryption tools and tapped into data center links and fiber backbones—in essence, silently removing the hinges from their doors.
"We do know they made a systematic effort to place back doors in the products we use to get our security, and that makes us all less safe," he said. Schneier, like others in the cryptography community, regularly trades hunches and suspicions about NSA encryption exploits, and the National Institute for Standards and Technology, the federal group that sets encryption standards, is reviewing its past work in light of the NSA scandal. But few know for sure just how widespread the NSA's targeting of encryption standards is. And, Schneier worries, those who do know might not necessarily be well-intentioned.
"It's folly to believe they are the only ones that are taking advantage of it," he said. "So [the NSA is] saying in effect, we want to listen in on the Chinese, so much that we're gonna let the Chinese listen in on you. I think we'll be safer in a world where neither can listen—if we spend more effort on security, on assurance, then we'll be safer, even though there are bad actors." (Motherboard)
———————————————-
A few days ago Bruce Schneier gave a video interview to Alex Pasternak of Motherboard Online Magazine. In his typically calm and reasoned manner, Bruce Schneier explained the current state of the societal conflict between freedom and security. In the end he is optimistic. He states, “We as a society will figure this out, that privacy and liberty are so important to us as a people that we will reestablish it.” I certainly hope so.
We didn’t arrive at our current state because the NSA put us here. We came here voluntarily as a society because 9/11 scared the bejeezus out of us. We wanted somebody to tell us everything will be okay. That doesn’t mean the NSA was just following orders. Our government in general and the IC in particular are riddled with bureaucrats more dedicated to their national security fiefdoms than to our Constitution. They took the opportunity we offered them after 9/11 and ran with it. They built a surveillance capability second to none. I’m proud of that capability, but that capability outstripped the legal and oversight regime needed to make it an effective tool to both protect the American people and to preserve our Constitutional freedoms.
The IC didn’t seize control of our communications all by themselves. As Schneier notes, Google, Verizon and many other IT companies have been seizing control of our information long before the NSA ever did. He describes this in his essay “Surveillance as a Business Model.” The NSA just built on what was already in place, but their ability to “market” their capability was far inferior to the IT industry’s ability to convince consumers that this is all good for them. This led to one of the ways I feel the NSA has screwed the pooch. The world no longer trusts American IT, fearing NSA installed backdoors and total network penetration. Bloomberg estimates NSA spying risks 35 billion in US technology sales. In this economy, that hurts.
As Schneier points out, the NSA’s unrelenting efforts to weaken encryption is damaging the security of the entire internet. That puts all information at risk. In addition to our personal information, business, industrial and government information is also put at risk. Again, the NSA is screwing the pooch. Luckily, the IT industry is now making some efforts to better encrypt customer information and their network traffic… although they’re probably only doing so to protect their market share. No matter what the industry’s motivations are, the NSA and the government should be supporting those efforts, not hindering them.
TTG (That's not me, but I've done the same thing.)
TTG.
sorry about the nitpicking, but Bloomberg says, and you probably mean, 35 billion, aka 35,000 million.
Lars Moller-Rasmussen.
Thanks, Lars.
To follow the covers being pulled back on the NSA the Guardian Newspaper has a most excellent section devoted to the NSA. There is so much coming out about the NSA that the U.S. public is becoming numb or dumb to the continuing flood of information.
How can we trust the Google’s, Microsoft’s, Dell’s, Intel’s of this world if back doors are installed in the hardware and software at the request of the NSA in the past. On the flip side of other countries penetrating our networks, I just cringe when I see a Lenovo laptop installed in a secure federal network.
Low cost servers and front end computers supplied by foreign entities that win Federal contracts through low cost will sink networks. I am highly suspicious of so called secure systems that are supposed to be constructed of protected known origins of manufacture. The temptation to source some cheep parts to keep profits up or project costs inline must be tempting.
Remember the old new U.S. embassy in Russia? At least that wa the enemy doing it to ya.
TTG,
Your post reminds me how long I have been “in the biz” and how much has changed.
As a mere youth (almost) I sat in a meeting about something called OPERATION GEMSTONE when it was first proposed to the Fort. A genteel lady of my acquaintance (I thought her elderly then) listened without interruption to the description of how SIGINT could help in the forthcoming presidential campaign until the young White House staffer finished. When asked later she said, “That’s bullshit, that’s not what we do.” She said clearly if they said she had to carry out such activities she was going to the press. She never had to, and that young man ended up in jail, I believe, as the whole Watergate thing unraveled.
A few short years later as an erstwhile collection manager chasing Soviet spies I suggested a communications reconnaissance mission against the US East Coast to catch them in the act. Cudgels rained down on my head and a certain regulation was quoted to me several times.
Fast forward twenty-five years or so. I was exchanging classified e-mail with a DIRNSA who pointed out to me that if UBL was walking across the bridge at Niaara talking on a cellphone we would drop coverage when he got to our side.
Then came 9/11 and everything changed. We lost our underpinnings and anything we COULD do, suddenly we WOULD do.
Screw the pooch? Well, it’s an inelegant turn of phrase, but I’m afraid you may be right.
Basilisk,
I’ve seen that pre 9/11 attitude myself. And it didn’t die easy after 9/11. There were a lot of holdouts as late as 2010 when I left the business.
I fear operational laziness also played a part in this journey down the road to perdition. Not long before I retired, I was asked by CIA to brief them on how to set up a collection platform that I set up at DIA. That in itself was quite a change from the usual imperious and condescending attitude emanating from the “Klingons.” When I told them that they must operate on foreign online venues and communicate in the foreign language about the technical subjects they were interested in, they acted like it was some kind of revelation. I think they would have rather spoken English on Facebook. It was easier than discussing BIOS hacking in Russian with a bunch of mudaks and hooligans.
“We didn’t arrive at our current state because the NSA put us here. We came here voluntarily as a society because 9/11 scared the bejeezus out of us.” …. BS. This began under Bush Jr and has been secretly growing without our knowledge. In particular, Congresspersons like Dianne Feinstein (for all their protestations) purposely foisted this ugliness on us. How can that be interpreted as ‘voluntarily’?
John Reagan,
Compare the vocal protests against the administration’s efforts to join the Syrian civil war a short while ago to the general mood after 9/11. There were precious few calls for protecting our constitutional freedoms twelve years ago. If there were, the national security bureaucrats might have been a little less inclined to construct the domestic surveillance apparatus we have today. FYI, 9/11 occurred under Bush Jr.
“We didn’t arrive at our current state because the NSA put us here. We came here voluntarily as a society because 9/11 scared the bejeezus out of us.”
The NSA was doing it in the 1980s. I know because I taught them AT&T’s Private Line Network (PLN), the AT&T trunk node software as a consultant (plausible deniability on AT&T’s part). You’re naive if you think 911 started it. NSA hooked up their machines to (then) 10 national AT&T’s trunk nodes (San Diego, San Fran, Chicago, NJ, Denver, etc) and siphoned all data off it. All of it. Any BS they tell you that they determined overseas info in real time is bogus. I did not know until the end of he week that the four guys not taking the test were NSA. Only 100 AT&T scientists knew the software, and there was no capability in the software to distinguish foreign calls or callers. NSA only needed to identify the fields and the call routines.
Snowden is only giving the tip of the iceberg. Congress is so naive, it’s antediluvian. What Snowden hasn’t said is that all the collected data so far is underneath NSA Headquarters in massive multi-football-sized fields X floors deep…full of old drive formats (like the kind consumers and businesses use today). My guess is that they went to the Utah facility because they changed to something like holographic storage, which can store zetabytes in cigarette pack-sized drives. That’s why the place is touted as available to store data for the next 100 years.
I wrote about this in more detail around May 6, 2013 on Greenwald’s Guardian site and everyone sneered that it was impossible. Three weeks later, the Snowden story broke.
MRW,
Basilisk may reply, or maybe not… pl
Well, none of this is a mystery, Colonel. Israel’s NARUS machines were interjected between NSA’s and AT&T’s nodes in 1996 or 1997. This provided 100% deniability for NSA. Cohen, NARUS’s owner, liked to brag in the late 90s about his brilliance and the details of what they were doing, all in the public domain until someone obviously got to him to tell him to STFU. They even removed his braggadocio from the Wayback Machine after I copied it all. 😉
NARUS is now owned by Boeing, after going through the standard Israeli subsidiary show with WASPy 20-something CEOs.
But your readers will remember NARUS as the machine AT&T whistleblower Klein discovered in a locked room in San Francisco in 2006/2007. What the story never told is that the San Fran setup was replicated on every trunk node in the country. And it is NARUS machines that feed NSA’s Utah facility today.
I want to correct something: “holographic storage, which can store zetabytes in cigarette pack-sized drives” should read “holographic storage, which can store the EQUIVALENT OF A ZETABYTE in a cigarette pack-sized drive.” This tech is not new either; military has been using it in the Stealth for over 35 years, although capacity has increased.
In the ’90s while working for Microsoft I was “embedded” in very large enterpriser firms with global operations as an “Enterprise Program Manager”. I worked full time at those firms acting as a technical advisor on their IT projects giving those firms direct access to Microsoft resources and giving Microsoft direct access to those companies IT plans all the while doing everything I could to influence the CIOs, CFOs, and CEOs IT and business decisions in favor of MS technology. My mission was to addict those firms to MS tech so we could plan on them paying us not less than $200 per person per year using MS tech. I was sort of a very expensive corporate double agent paid for by the budgets of rising stars in those firms who wanted to hitch their wagon to Microsoft and displace existing directors by demonstrating how successful projects based on MS technology could be. In each firm there were other “rising stars” that wanted to hitch their wagons to open source systems like Linux. They could easily demonstrate their firms could save millions by going with open source software like Linux.
At that time “open source” software was becoming all the rage and Microsoft perceived server and desktop operating systems like Linux and variants of open source desktop software to be a serious threat to their revenue stream.
Much of the “open source” software was being written and is still being written by very
sharp programmers in India, Pakistan, and other countries in the reason. I recall explaining to those “C” level executives how dangerous “open source” software was because no matter how much security one tried to implement in a system based on Linux, the software drivers talking to the hardware components of the computer systems (video cards, network adapters, disk drives, etc.) ran in “ring 0”, way down inside the operating system. By their nature they ran beneath any security software that might be implemented on the desktops and servers. Since the software was “open source”, no one could ever be certain where it came from, who wrote it, and what “extra” or “malicious” code might also be included.
I would point out how a whole lot of people who wrote those drivers felt they had legitimate grievances agains the US (the US and Iran had been enemies for almost 20 years, the USS Vincennes shot down an Iranian airliner, and Iraqi (our ally) pilot put an Excocet missile into the USS stark and the first Gulf war had embarrassed the entire Muslim world with the ease in which the largest standing army in the ME could be absolutely destroyed in less than 100 days.
I would discredit the Linux proponents by explaining in simple terms that the career of anyone who exposed their company to the threats potentially posed by open system software would be brief and embarrassing. I never lost that argument and several Linux proponents I savaged hate me to this day.
I was so naive back then. It never occurred to me that it would be the US government in league with US firms that actually posed the greater threat.
Ås an aside to that story, a Kansas City pharmaceutical company was purchased by a large German conglomerate. The project manager for the merger of the IT departments was my counterpart in Stuttgart. There was more than a little animosity from the Americans towards the Germans, to whom they would soon be subservient.
One mid-October the German EPM hosted a lavish dinner at one of KC’s most exclusive dinner clubs. As is usual in these things the Americans sat on one side of the table and the Germans on the other. My counterpart went over the timeline that would wrap up the project and pointed out that a critical milestone would occur on November 11 and that it would be very important that all hands be on deck on that date and be prepared to work continuously until the milestone was completed.
There was complete silence on the American side of the table as all eyes from my team fell on me. I politely explained that we would not be working on November 11 as that was a holiday. Confused looks passed between the German contingent and one of them asked what holiday it was as he was certain that we celebrated Thanksgiving much later in November.
I finally asked my German counterpart if the date November 11 held any significance to him. He said no. I asked if he wasn’t certain that it might have been mentioned in a history class in secondary school or college. He said no. By this time everyone on the American side of the table was grinning as they saw where I was going.
My German friend finally asked me directly why we celebrated November 11 and so I told him politely that on the 11th hour of the 11th day of 1918 the Germans were forced to sign an armistice agreement in a French railway car ending World War I. The Germans looked to one another in confusion.
I then told him bluntly that that I was surprised he had never heard of Veterans Day, formerly known as Armistice Day because every year we celebrated kicking their Teutonic asses and they should probably plan on us taking May 8th off as well. When I asked him “They did tell you in school that you lost didn’t they?” several Americans spit beer through their noses laughing at the German’s embarrassment and anger.
On November 11 they worked and we did not. My counterpart missed his milestone and could not explain to his superiors how he had lost control of the project and was replaced by yours truly as lead project manager.
One of my first tasks was to explain to the international team was that we would never miss another milestone because of a holiday because on this side of the Atlantic we would build holidays into our timeline. American holidays. It only seemed fair because as they say in sports, we had “scoreboard” on them. Americans 2 – Germans 0.
MRW! And do the NARUS machines feed Israel?
I would rebut you to an extent by saying if everyone learned to write code, crack and decompile, pretty good security would be possible. Except all that ability is being rolled out to the hoi polloi with easy-bake machines that do it for you. As hackable as the legislated hackable machines they are to produce. Even if we could roll back the law, rolling back the broader mass architecture would no doubt be a threat to security and not feasibly cost-effective. Or palatable to the screen addled masses.
“The NSA was doing it in the 1980s.”
And the Black Chamber [forerunner of the NSA] was doing something similar in the 1920s.
82 Years Before Edward Snowden, There Was Herbert O. Yardley http://www.theatlantic.com/politics/archive/2013/12/82-years-before-edward-snowden-there-was-herbert-o-yardley/282019/
By the time Yardley returned to the United States in April 1919, the State Department was already busy trying to establish a secret liaison with the Western Union Telegraph Company. It was hoped that Western Union would cooperate with the Black Chamber in providing copies of needed messages. … Under the agreed on arrangements, a messenger called at Western Union’s Washington office each morning and took the telegrams to the office of the Military Intelligence Division in Washington. They were returned to Western Union before the close of the same day. In the spring of 1920 the Black Chamber began approaching the other major telegraph company, Postal Telegraph, with the same request. … by the end of 1920 the Black Chamber had the secret and illegal cooperation of almost the entire American cable industry.
[Some excerpts on Yardley]
But Yardley wasn’t just the progenitor of the trade practiced at the NSA today. He was also the surveillance state’s first betrayer, as loathed by insiders in his day as Edward Snowden is in ours. His 1931 book The American Black Chamber spilled secrets on a scale that a pre-Snowden-leak NSA described as follows… What’s more, he published his book and lent his expertise to foreign governments partly because he lost his job just before the 1929 stock-market crash and needed money and work. Put another way, if you survey the evidence-free accusations that surveillance-state apologists lob at Edward Snowden, you’ll find that the father of American cryptology actually did perpetrate those very transgressions.
—————-
Despite all this Yardley was not prosecuted and none of the things I have read about him today label him a “traitor”.
Valissa
Interesting, but it has always been my understanding that pre-war SIGINT was directed at foreign embassies and missions. In those days these institutions rarely had radio equipment and sent and received their encrypted “cables” through commercial telegraphy. The FBI, as we know could even then get a court order to tap a telephone. You object to intelligence activities in general or just those of the US? pl
On the contrary, I have always been fascinated by intelligence activities. I’m also quite interested in the ongoing (forever) struggle between the needs/wants of the individual and the state (or the tribe or whatever establishment sets the rules the individual is supposed to follow).
I liked to read what I call “long histories”, books that show changes in societies over time. The dance between the needs of military intelligence and the rights of those who want their privacy is almost timeless (on personal secrecy – people don’t want to be transparent although they want their gov’t that way… LOL). At least as long as there has been a concept of privacy, and I really that dating that is controversial.
FWIW, my position is basically that of the observer and generally prefer to take a “neutral outsider” (meaning non-partisan, non-loyalist) overview of events so I can learn more about how the world really works, as opposed to being upset that it’s not working the way I think it should. I an ex-liberal 😉
btw, I really enjoy your blog. I always learn so much here. Thanks to all!
Richard, your comment looks like everything on Slashdot about 8 years ago. In case the personal politics don’t wash out in peer review for open source drivers, I would be much more concerned about custom application code in environments with open outbound access.
MWR,
From the mid to late 90s, NARUS and a host of other even more expensive network monitoring tools were also used to identify penetrations into U.S. networks. I have no idea what else they were used for. Attribution of these penetrations was difficult to damned near impossible to prove. The NSA was putting a lot of resources into trying to prove who was doing these penetrations.
Charles I and Mark Kolmar,
I think the point of Richard’s story is that proprietary software probably had government installed backdoors for quite a while and that open source software can at least be audited. That’s common knowledge now, but it wasn’t that clear to government and commercial IT buyers years ago. Sure coders and crackers knew this, but not the general public.
Is SAP ERP the German revenge for past offenses and indignities?
So:
>Bruce Schneier explained the current state of the societal conflict between freedom and security. In the end he is optimistic. He states, “We as a society will figure this out, that privacy and liberty are so important to us as a people that we will reestablish it.”< Really? Pretty thoroughly disingenuous in my view. Enjoy your complacency. How are the "we as a society" going to get started on that project to re-establish freedom & privacy, if "our" every attempt is fully monitored by controlling interests opposed to being ousted? If "we" are accused of dissidence, or terrorism or destabilising the regime... The US, and the UK, seem a long way from Curran preaching about "temporary safety", and from proper awareness of the real concepts of freedom. At least the US had a written constitution once, but do I hear people saying it's outmoded and should be changed to keep you all safe? Perhaps the saving grace is that too much information is as useless as too little. With regard to unwanted interference in software & hidden back doors (going back long before 9/11), I am much more concerned about the increasing prevalence of electronic voting, profoundly not to be trusted.
The issue is who controls the logs.
That was the scuttlebutt in the late 90s but no one paid attention (meaning the national media) because of attention to Clinton’s peccadilloes. The tech people I knew said yes because Cohen’s group knew how to access the same trunk lines they were siphoning from, and had the retail call record data. Doubt that’s going on after Boeing took over. Then there is this: Part 3, which I KNOW is accurate:
http://www.informationclearinghouse.info/article6480.htm
Watch Eben Moglen here explain what the architecture problem is. Nice thing is that he’s so damn smart and plain speaking that it’s a joy to listen to him:
http://www.youtube.com/watch?v=QOEMv0S8AcA
Another good one, and only 15 minutes is this:
http://www.livestream.com/pdf2011/video?clipId=pla_8ad51bab-a440-4e9b-87c8-6e0b9e196903
That’s incredible. I’m a layperson and can follow the basic thread of his logic and linguistics. Amazing. Needed:::: translation for the common man as many people I know are beginning to feel very, very freaked out by technology.
TTG, others – To whittle a point into my earlier point, I would be less worried about leaky drivers than about functionality built into specific business applications, where your leak knows the environment, has access to the data, and can interpret the data meaningfully. Our consumer level data connections barely can upload enough secrets, even if they knew what kind of secrets.