Apple Helps Evolve the NSA Narrative

Quite an interesting episode of the ongoing soap opera surrounding “privacy” in the age of ubiquitous internet connected devices.  (It’s been quite a while since I blogged about the NSA’s Narrative:  “we are watching you”. )

Apple’s otherwise horrible release of iOS 8, they tout their privacy features, most of which make me say “why wasn’t that done before?”  (Android will soon follow with the same kind of deployment.)I don’t want to be negative:  for their own self-preservation Apple has done a really good job of paying attention.  All the most obvious stuff is covered. (For more details see the Apple white paper.)

This is better than before, but it would be a mistake to believe that the system is secure.  I mean, it’s a little computer in your pocket connected (you never know exactly how) to the Internet.  And despite Apples highly authoritative attitudes about controlling apps and third parties, the fact is you have to be really careful what you do.

The biggest interest was their splashy announcement that they “cannot access” your personal data, and therefore “it’s not technically feasible for us to respond to government warrants“.  As far as I can tell (and I’m no expert here), basically they encrypt the data with strong encryption and have no ‘back door’ or master key to let them or anyone break the crypto.  In other words, they have implemented actual encryption, rather than the fake encryption popular in the past.  What an amazing innovation!

Of course, this “innovation” is rather “disruptive” of one old-line industry, the police-national security sector.  Law enforcement has been very happy with the fact that people voluntarily carry around these highly capable data collection devices, which the police can use to identify and locate individuals of interest and amass dossiers about recent activities of many kinds–movements, contacts, transactions, and contraband.

The use of stronger encryption means that some of this information will be harder to get, and certainly will take a lot more effort and time, if the police have the resources to do it at all.  From the position of local police, Apple has resigned as an unofficial deputy for the PD.

The national security folks have the resources to attack these problems, but even they will have to work at it.  The NSA can no doubt crack a phone if needed, but  life was so easy when the devices were easy to access!  And the rest of the system (the networks, the connections metadata, the cloud storage, etc.) are still accessible, just not your pix on your handheld.

For me, the interesting part has been the theater surrounding these fairly obvious technical matters.

Apple has put this forward with a splashy slap in the face of US government and police forces.  This is widely recognized as a long anticipated reaction to the Snowden affair.  (If so, he deserves a medal for instigating computer security improvements.) In order to sell phones all around the world, Apple has put forward a narrative about “the NSA is watching you”, but “Apple is on your side”.

The US government helped along the narrative with condemnations from FBI director Comey, pointing out both the policy implications (there may be times you want the police access data) and the sheer arrogance of Apple’s FU to the US government–when there are lot’s of bad guys out there.

The FBI was joined by local police chiefs (who surely will be inconvenienced).

All the jawing by the FBI and police has catapulted an otherwise obscure software update into the world media spotlight.  The US government is seen to cry, “Oh woe, Apple is screwing us.  We can’t spy on you any more.  This is terrible.”   Apple is see to offer a heroic, ground breaking product that is magically “secure” from the US government.

This is all a very subtle evolution of the NSA Narrative:  “we are watching you.”   If you follow this line (and the upcoming Google upgrades), you are playing into their plans:  use the (American made) Apple and Google “magic” and you will be safe.  You don’t need to fear the NSA anymore, just use a long passcode and everything will be fine.

(And by the way, NSA and FBI are certainly happy if these changes make life harder for Chinese and Russian hackers.)

What I’m saying is that this is nothing more than a tiny inconvenience to the NSA (though quite effective against teenagers and local police), but they have exploited it to increase public awareness of cyberdefence and also to make sure that bad guys know that they are being watched.  The new wrinkle is the implication that using the next releases of Apple and Google will “protect” you–false confidence can be more dangerous than global paranoia.

One last comment:  aside from the kind of unfair slap as US government (what about China, Russia, and all the rest?), Apple’s narrative slapped rival companies, and basically said “trust us”.  It was interesting to see Apple slap Google’s ubiquitous user tracking, with a claim that Apple would never do something like that.  On the same page, we see Apple’s financial, home, and health tracking stuff–hugely invasive forays into privacy.

Who will protect us from Apple (or Google or Amazon or Facebook or the rest)?  “Trust us”, and anti government rhetoric isn’t really enough.

NSA Narrative: Internet Companies and NSA Cooperate to “Defend Privacy”

I’ve not looked at the ongoing NSA storytelling for quite a while

Since my last post, we’ve seen a book by Glen Greenwald (which I haven’t read yet), a TV interview by Edward Snowden (which I have not watched all the way through), tales of Chinese hackers, and miscellaneous Russian military adventures. Far too much to keep up on.

This week we see lots and lots of very public “push back” from major Internet companies.

These companies asserting that they are (finally) actually protecting user data from snooping. This is presented as a brave face off with “the government”. And it is very, very publicly announced. Obviously, these companies are acting in their own interest more than ours, since their business model depends on masses of people ignorantly providing personal data to the company (but not to the US government).

To help the narrative, the US government speaks its own part in this story (quoted in the NYT:

“Robert S. Litt, the general counsel of the Office of the Director of National Intelligence, which oversees all 17 American spy agencies, said on Wednesday that it was “an unquestionable loss for our nation that companies are losing the willingness to cooperate legally and voluntarily” with American spy agencies.”

This is a beautifully phrased, “non denial denial”: there is no implication that the data will not be available, only than there is no longer voluntary cooperation. I have no information on the subject, but personally, I wouldn’t bet that the NSA can’t get what it wants, one way or another.

Snowden has really hurt Google and all. They had be sleazing along, having it both ways. They talked a game about privacy (though they are in the business of invading privacy), while silently letting the NSA and others get whatever data they want.   Now they have to make a show of defending their users from the NSA; lest their users will flee to be exploited by other sharks. Can’t have that.

Snowden revealed some extremely embarrassing holes, and, as in the case of OpenSSL, we find that the supposed geniuses of the private sector had cut corners in many ways. They are now, finally, instituting measures that should have been done ages ago. These upgrades certainly will make it harder for civilians to dink around with your traffic.

Given that the NSA has a mandate to protect US communications, they must be quite pleased to have these basic measures promulgated widely. Having the companies publicly sass them is a small price to pay to get this technology out into the world.

Furthermore, the NSA is being very cooperative in this effort: it is publicly complaining about these actions, and decrying the “lack of cooperation”. This rhetoric is, of course, critical to make the measures credible to the users—and to keep US companies competitive globally. Imagine how people would take it if the NSA officially approved of the defensive measures!

So now everyone everywhere knows the NSA is listening, but some may believe that gmail or whatnot is “secure” from the NSA. Everyone knows that Google et al are “geniuses”, so their magic must be better than government magic, no? They  may also believe that the Internet companies are “on your side”, “trust us”.

In my most paranoid moments, I can see that the NSA still has means to access communications when it needs. Maybe more paperwork. Maybe more complex technical measures (wireless is still full of gaping holes, the switches still have backdoors, root keys can be obtained). All the more reason to try to keep people swimming in this lagoon, so they don’t have to go fish elsewhere.

But remember NSA’s other goal: depriving enemies the use of the Internet.

For adversaries, real adversaries, not crusading journalists, there is a tough decision. Is it safe to use the Internet? What services are safe to use? Or do I have to do without? Uncertainly, fear, and doubt. In this way the NSA is depriving enemies of easy, carefree access to the Internet.

All this has never been about you—though you have a role to play in the narrative.

Snowden Used Web Crawlers

I already pointed out one of the lessons of L’affaire Snowden, “be nice to your sysadmins“.

The NYT reports more details, indicating that Edward Snowden was able to suck out his trove of documents using simple web crawler technology. (I know it is simple, because, long, long ago, I built one of the first ones in about an hour–it’s basically trivial.)

Unfortunately, he may also have crawled internal wikis, intended to improve collaboration and information sharing, as an aid to finding juicy stuff to grab. I hope this doesn’t lead to measures that make it too much harder for NSAers to (appropriately) share and collaborate. That would be bad.

But, the point is, Snowden got away with it because, as a sysadmin, he needed to do stuff like test networks and move data around, which required access to lots of stuff.  There just isn’t any way around the fact that you have to give sysadmins access to your systems.  So be nice to them. For example, don’t shaft them and then insult their intelligence claiming that you cut their pensions because someone had a baby.  You are beggin’ for a thumpin’.

Mostly Unsourced NYT Contributions to the Narrative

I’m having trouble parsing the NYT report in Wednesday’s paper, describing NSA devices that surreptitiously wirelessly connect back to NSA.

The breathless headline “reveals” that the NSA can implant devices that radio out to relay stations nearby, enabling them to remotely monitor and attack computers even though they are not connected to a network. (The NPR report on the story more accurately headlines the “100,000 computers worldwide”.)

Since this isn’t a particularly amazing technical feat, I looked carefully to see what the “news” is.

First, I would like to point out that this story is very poorly sourced.  What is the basis for these claims?  As far as I can figure out, this is based on some documents leaked by Snowden, published in December, combined with interviews with “experts”.  There is even a pretty diagram, which has no attribution at all.  We also have a story of an exploding rock in Iran, not specifically and uncritically attributed to “Iranian news media”.

Second, the article conflates “implanting software in 100,000 computers” with the headline wireless technology.  If you read carefully, you see that the (pretty hazy) estimate isn’t about wireless invasions specifically, which is only one method.  (By the way, “100,000 computer world wide” is pretty paltry—there are more computers than that just in my home town.)

Overall, this story turns out to be a rehash of old information.  The main contribution does seem to be a reconstruction of something that the NSA (and others) could probably do five years ago. Big deal.

Narrativewise, this keeps the basic story alive in the US (:”We are watching you”) without revealing anything new. The NSA will be pleased.

I think one of the motives was to put out a new line, in anticipation of Obama’s announcement Friday. (There is another story in the NYT and everywhere, covering the preemptive recommendations and push back on “new restrictions” which haven’t even been announced yet.)

Claiming that in response to “Silicon Valley’s critique of the N.S.A.”, the new policy should be that NSA should not exploit or create vulnerabilities in commercial software (or at least not be caught doing so).   At least part of the reason is that these holes are extremely dangerous for the US interests NSA must protect.

Does the risk to US systems outweigh the benefit of access to adversaries’ systems?  This is familiar territory for the NSA, and they will continue to do their own cost-benefit analyses,