Tag Archives: Edward Snowden

NSA Narrative: Internet Companies and NSA Cooperate to “Defend Privacy”

I’ve not looked at the ongoing NSA storytelling for quite a while

Since my last post, we’ve seen a book by Glen Greenwald (which I haven’t read yet), a TV interview by Edward Snowden (which I have not watched all the way through), tales of Chinese hackers, and miscellaneous Russian military adventures. Far too much to keep up on.

This week we see lots and lots of very public “push back” from major Internet companies.

These companies asserting that they are (finally) actually protecting user data from snooping. This is presented as a brave face off with “the government”. And it is very, very publicly announced. Obviously, these companies are acting in their own interest more than ours, since their business model depends on masses of people ignorantly providing personal data to the company (but not to the US government).

To help the narrative, the US government speaks its own part in this story (quoted in the NYT:

“Robert S. Litt, the general counsel of the Office of the Director of National Intelligence, which oversees all 17 American spy agencies, said on Wednesday that it was “an unquestionable loss for our nation that companies are losing the willingness to cooperate legally and voluntarily” with American spy agencies.”

This is a beautifully phrased, “non denial denial”: there is no implication that the data will not be available, only than there is no longer voluntary cooperation. I have no information on the subject, but personally, I wouldn’t bet that the NSA can’t get what it wants, one way or another.

Snowden has really hurt Google and all. They had be sleazing along, having it both ways. They talked a game about privacy (though they are in the business of invading privacy), while silently letting the NSA and others get whatever data they want.   Now they have to make a show of defending their users from the NSA; lest their users will flee to be exploited by other sharks. Can’t have that.

Snowden revealed some extremely embarrassing holes, and, as in the case of OpenSSL, we find that the supposed geniuses of the private sector had cut corners in many ways. They are now, finally, instituting measures that should have been done ages ago. These upgrades certainly will make it harder for civilians to dink around with your traffic.

Given that the NSA has a mandate to protect US communications, they must be quite pleased to have these basic measures promulgated widely. Having the companies publicly sass them is a small price to pay to get this technology out into the world.

Furthermore, the NSA is being very cooperative in this effort: it is publicly complaining about these actions, and decrying the “lack of cooperation”. This rhetoric is, of course, critical to make the measures credible to the users—and to keep US companies competitive globally. Imagine how people would take it if the NSA officially approved of the defensive measures!

So now everyone everywhere knows the NSA is listening, but some may believe that gmail or whatnot is “secure” from the NSA. Everyone knows that Google et al are “geniuses”, so their magic must be better than government magic, no? They  may also believe that the Internet companies are “on your side”, “trust us”.

In my most paranoid moments, I can see that the NSA still has means to access communications when it needs. Maybe more paperwork. Maybe more complex technical measures (wireless is still full of gaping holes, the switches still have backdoors, root keys can be obtained). All the more reason to try to keep people swimming in this lagoon, so they don’t have to go fish elsewhere.

But remember NSA’s other goal: depriving enemies the use of the Internet.

For adversaries, real adversaries, not crusading journalists, there is a tough decision. Is it safe to use the Internet? What services are safe to use? Or do I have to do without? Uncertainly, fear, and doubt. In this way the NSA is depriving enemies of easy, carefree access to the Internet.

All this has never been about you—though you have a role to play in the narrative.

More Revelations from NSA Powerpoints

The NSA narrative is back in the news.

At SXSW Edward Snowden boasted that his cryptography is so good the NSA still doesn’t know what he stole.  Actually, all we know is the NSA says they don’t know, and are performing a theatrical “investigation”.  But, both Snowden and the NSA want you to believe that your cryptography “protects” you from their snooping, so the uncritical reporting was a blessing to both.

The same week saw a new drop from Snowden’s powerpoint collection. It is impossible to verify these artistic powerpoints, but it all makes sense. The question is, is this information part of NSA’s Narrative:  “we are watching you, so stay off the Internet”.

A long article in “The Intercept” gives many new purported details of NSA technical capabilities which enable them to penetrate computers and networks.  Most of the capabilities have been reported before, in that they are used by hackers.  It is slightly newsworthy to read the description of the “expert system” allegedly built by the NSA, which effectively automates the (not especially deep) thought processes of a teenage hacker.  This makes sense to me, from the technical standpoint.  (The dollar amounts mentioned in the article seem low to me—if accurate, this program is an absolute steal, financially.)

The article enjoys name-dropping, giving us a list of Bond-movie code names that are too good to be true.  A module to covertly turn on the camera and microphone?  The plugin is said to be called “CAPTIVATEDAUDIENCE”.  Really?  Etc.

The purpose of this tool kit is—wait for it—to “own the net”.  Where NSA once literally owned the net (through tight collaboration with telcom companies), it must now use the toys of teenage hackers to maneuver at will through computers and networks.

While the “NSA watching you through your webcam” claim has captured the public imagination through its vividly memorable mental image; I think the most important use of these implants is to capture passwords and thereby subvert cryptography.   The article explains scenarios which make clear the reason NSA would want to do this:  the easiest way to monitor an encrypted channel is to monitor the endpoints where the data isn’t encrypted.  (By the way, this is another example of the “end-to-end” principle: a communication system is only as secure as its least secure link.)

The article also reports NSA using versions of common net hacking techniques, including phishing and false servers.  Of course, the NSA has resources beyond those available to the kids down the block, including, we assume, sophisticated taps deep in the network infrastructure.

As the reporters are careful to point out; it is one thing if these techniques are used selectively, for highly justified cases.  The “shocking” part is that the NSA is clearly positioned to penetrate thousands of computers with a simple command, anywhere in the world.  This mass surveillance is, at least psychologically, quite another kettle of fish.

Are these revelations authentic?  They seem nicely calibrated to benefit the NSA without serious damage.

My own assessment is that the NSA cannot be too unhappy with this article.  It is extremely valuable that “everyone knows” what the NSA can do, and behaves accordingly.

Savvy competitors and adversaries would surely already understand these techniques.  The rest of us are provided with graphic, James Bond-y images, which remind us of just how insecure the Internet is, and perhaps how “magical” the NSA (and GCHQ) is.

This narrative has two benefits for the NSA:  it motivates friendlies to be more sensible and careful, and it deters adversaries from freely using the Internet.

The harder you have to work to use the Internet, the less value it provides. As I have said, every minute spent dinking around with (civilian grade) cryptography and putting your phone in the refrigerator; is a minute not spent on malicious or dangerous activities on the Internet. (It is moot whether any of these precautions have much impact on NSA’s actual activities.)

So—did Snowden “find” a deliberately planted honeypot?  Did the NSA hope these carefully crafted half truths would come out?  Is the chase and condemnation of Edward Snowden (and the Guardian) political theater intended to bolster the credibility of the “leaks”?

I don’t know (how could I?)  But this theory fits the case, and might even explain the inexplicable “blundering” that led to the leak and escape, and the subsequent ineffective and counterproductive countermeasures we have seen.


Related Story:

An unintentionally comic sidebar arose from the Intercept story: Mark Zuckerberg publicly beefed about the “damage the government is creating for all of our future”, by which he means, the damage to Facebook’s business.  It is widely assumed that this incoherent complaint was triggered by the report that NSA has used false “Facebook” servers to hack into network connections.

How dare the US government conduct covert ops that take advantage of Facebook’s covert commercial operations?

The NSA can’t “own the net”, because Facebook already “owns the net” (in their own heads).

SXSW Confusion on Internet Technology

The SXSW tech-fest had some interesting, if intellectually confused, juxtapositions.

Speaking to SXSW from his secret lair in Russia (that great bastion of Internet freedom), Edward Snowden called on Internet companies to save the Internet, asserting that they “can enforce our rights for technical standards.”  Essentially, he called for widespread use of strong cryptography and similar data protection technology.

Equally important, he called on companies to be more responsible in their data collection, and “hold [data] for as long as necessary.”

This position was apparently lost on Eric Schmidt of Google, appearing to plug his book and plutocratic vision of the Internet, the world, and our lowly place in it.  Schmidt appears to believe that it is good for you for Google to amass data you produce to make money.  Privacy is a luxury that ordinary peasants can no longer afford. So don’t worry, be happy. (Notably, we should be happy for lucky fools who blunder into big payouts in Silicon Valley.)

I note that the very confused Julian Assange, more Bond-movie character than ever, had withering criticism for Google as well as Facebook and the US government. Amid his paranoid ramblings from his exile in the Ecuadorian Embassy in London, he correctly suggested that there isn’t much difference between government tracking and Google tracking.

Not on the stage at SXSW this year (as far as I know), I refer to you to Jaron Lanier for some sanity on the topic.

NSA Out of Control? Or Totally In Command?

“No Morsel Too Minuscule for All-Consuming N.S.A” (NYT)

I am really trying to cut down on blogging about the NSA.  But how can I resist?

As we have been presented with a stream of “revelations” (sometimes recounting information published many years ago) about NSA electronic data collection I have focused on the narrative that has been unfolded.  From the beginning, I have pointed out how this story is so beautifully useful to the NSA that it might as well have been scripted by them.

The basic argument here is to note that the NSA has a difficult mission.  It must not only monitor world wide communications, it is also tasked to protect US communications.  Furthermore, it is almost certainly seeking to deny the use of the Internet to adversaries, especially non-state actors.

I observe that one way to pursue these goals is to make sure that everyone “knows” that the NSA is snooping on them.  Whatever the true activities of the NSA, if everyone believes their cell phone and Internet are being monitored and mined by the NSA, they will have to worry and will use telcom less freely or not at all.  The same narrative shines a harsh light on Internet privacy in general, educating the public and improving domestic security.

How do you get this story told?  Well you certainly don’t issue a press release from Fort Meade.  You want to get it out into the media, and you want the public to remember it.  Hence, you need a Hollywood story line.  The most effective possible approach is to let the media “uncover the truth”.  Even better, you would like a brave whistleblower to make spectacular revelations.  The “truth” of the leaks is enhanced by publicly crucifying the leaker (without actually stopping the leaks).  (Note the beautiful irony of potentially using the anti US “credibility” of wikileaking to promote a US government infowar campaign.)

These mechanisms are used to tell a simple story, The Narrative:  The NSA is spying on everyone, everywhere.  (Including prime ministers, chancellors, and presidents!)

The narrative continues this week.  Mr. Snowden reminds us that he is still in exile, a martyr who serves to validate the deep truths being revealed.  The stories must be true, otherwise, why hound the poor guy to the ends of the Earth.  (OK, Russia is not the end of the Earth, nor the worst possible exile.)

Internet titans are publicly outraged:  not only are they cooperating with the NSA, the NSA is also hacking them.  In a desperate attempt to salvage their global empires, they are working like mad to defend their infrastructure against the NSA. (Given that NSA has inside access, I’m not sure what material effect the countermeasures described might have.  This kind of Spy vs. Spy is hard to read from the outside.)   While Google-hoo strives to preserve their “governments are obsolete” story line, the kerfluffle serves NSA critical mission to protect communication:  the Internet is not private or secure. Are you getting the point yet?

Most important of all, the pundits are closing in on the “NSA was out of control” theory (with its corollary, “why wasn’t I briefed on this?”). The paper of record gives us a wonderful canonical version of The Narrative.  As the title suggests, the NSA is “all consuming” (“an electronic omnivore of staggering capabilities, eavesdropping and hacking its way around the world”), and there are many clever insinuations that tell us that the NSA are a bunch of out of control cowboys.  (We are also treated to many code names and acronyms—indecipherable, but very James Bond.)

This ready-made Hollywood narrative is convenient for politicians who want to have it both ways.  But more important, it tells us that NSA data collection is infinite and not subject to rational limits.  Superhuman. Magical.

Of course, it is quite possible that the NSA is not out of control. We know that politicians in the US and abroad were briefed and consented to these actions.  What we know of the targets are completely rational, even if they don’t necessarily look good on the front page.

In all of this, it is critical to remember that we really don’t know much about what the NSA actually does.  More to the point, the media, pundits, and politicians don’t know either.  So, The Narrative should not be swallowed without examination.

(By the way, I should emphasize that my comments are based 100% on open sources, media reports and known facts.  No inside information, anonymous sources, or unpublished “facts”.)

Continental Episode of “The Narrative”

We see Mr. Snowden once again serving the vital interests of the NSA, feeding The Narrative, “we are watching everyone, everywhere, all the time”. This time, we are treated to “le récit”, “nous surveillons tout le monde, partout, tout le temps.” (Please pardon my schoolboy French.)

The latest of a masterful drip, drip, drip, of stories, this one clearly timed to embarrass both the US an French governments. Le Monde (my spell checker likes to rewrite this to “lemonade”) reports about a leaked NSA summary report, supposedly detailing data collection on French citizens telephones and SMS for a one month period.

The “lemonade” report itself is otherwise inscrutable, as we have no idea exactly how this gathering was done, or what the data might have been used for.  We are meant to believe that the data was collected by the Americans, rather than simply forwarded by French sources (as often happens), though it doesn’t really say.  We also don’t know what was done with the data. We can imagine many possible searches the NSA might want to do, but we have no facts.

We do get some scary, technical sounding “facts”, including code words such as “DRTBOX” and “US-985D”.  These are a nice decoration for the basic story.  We have no idea what they mean, but they certainly sound James Bond.

We can see the telltale signs of The Narrative.  The story was timed to correspond to a visit by the US Sec. of State, for maximum attention. The French government noisily professes to be “shocked” to discover that the US collects intelligence in France, and even summons the ambassador for an explanation.  Everyone is helping to assure the French people get the message, at almost no cost.

In short, we see once again how Mr. Snowden, far from damaging the NSA, has well served the vital interests of The Narrative.

NSA/Snowden Narrative: Today’s Lesson is “Be Nice to Your Sysadmins”

As the narrative continues, bringing in all the media’s favorite tropes–a ‘OJ meets where’s Waldo’ chase, wikileakers trying to get “back in the game” (to quote the NYT), and a review of the limited number of places you might flee to avoid extradition to the US.

The most interesting development today was the NYT article today, “N.S.A. Leak Puts Focus on System Administrators“, which “reveals” that all those nerds they make fun of actually have tremendous responsibility and, potentially, capability to do great harm.

I’m sure that most readers will think, “we should crack down on admins”.

A long time ago I, too, was a sysadmin (our group mottoes included: “the job of the operating system group is to keep the systems operating” and “what goes up, must go down”). I sure remember the strange dissonance between the job we were entrusted with–keeping a complex, poorly understood system working–and the status we experienced.  Despite the fact that the whole show depended on us, we were considered slightly more useful than the housekeeping crews–except when we had to inconvenience someone, when we became intolerable pests.  (Note that we were on call 24/7, and “allowed” a few hours per week in which we could, if truly necessary, take the systems down. Its not easy to work within such parameters.)

For those of you who have never experienced it, I assure you it is quite scary to login as superuser on an operational, critical system, knowing that a mistake can damage or destroy vital activities and products.  Access to confidential information is a minor issue compared to the possibility of an ‘oops’ that, unfortunately, you actually had permission to  execute.  Say goodbye to that server!

 

You should be nice to your sysadmins.  Bring them cookies.  Listen to what they try to tell you.  It wouldn’t be a terrible idea to pay them more, and let them have nice offices, etc., but I’m sure you won’t do that.