Tag Archives: “The Narrative”

Apple Helps Evolve the NSA Narrative

Quite an interesting episode of the ongoing soap opera surrounding “privacy” in the age of ubiquitous internet connected devices.  (It’s been quite a while since I blogged about the NSA’s Narrative:  “we are watching you”. )

Apple’s otherwise horrible release of iOS 8, they tout their privacy features, most of which make me say “why wasn’t that done before?”  (Android will soon follow with the same kind of deployment.)I don’t want to be negative:  for their own self-preservation Apple has done a really good job of paying attention.  All the most obvious stuff is covered. (For more details see the Apple white paper.)

This is better than before, but it would be a mistake to believe that the system is secure.  I mean, it’s a little computer in your pocket connected (you never know exactly how) to the Internet.  And despite Apples highly authoritative attitudes about controlling apps and third parties, the fact is you have to be really careful what you do.

The biggest interest was their splashy announcement that they “cannot access” your personal data, and therefore “it’s not technically feasible for us to respond to government warrants“.  As far as I can tell (and I’m no expert here), basically they encrypt the data with strong encryption and have no ‘back door’ or master key to let them or anyone break the crypto.  In other words, they have implemented actual encryption, rather than the fake encryption popular in the past.  What an amazing innovation!

Of course, this “innovation” is rather “disruptive” of one old-line industry, the police-national security sector.  Law enforcement has been very happy with the fact that people voluntarily carry around these highly capable data collection devices, which the police can use to identify and locate individuals of interest and amass dossiers about recent activities of many kinds–movements, contacts, transactions, and contraband.

The use of stronger encryption means that some of this information will be harder to get, and certainly will take a lot more effort and time, if the police have the resources to do it at all.  From the position of local police, Apple has resigned as an unofficial deputy for the PD.

The national security folks have the resources to attack these problems, but even they will have to work at it.  The NSA can no doubt crack a phone if needed, but  life was so easy when the devices were easy to access!  And the rest of the system (the networks, the connections metadata, the cloud storage, etc.) are still accessible, just not your pix on your handheld.

For me, the interesting part has been the theater surrounding these fairly obvious technical matters.

Apple has put this forward with a splashy slap in the face of US government and police forces.  This is widely recognized as a long anticipated reaction to the Snowden affair.  (If so, he deserves a medal for instigating computer security improvements.) In order to sell phones all around the world, Apple has put forward a narrative about “the NSA is watching you”, but “Apple is on your side”.

The US government helped along the narrative with condemnations from FBI director Comey, pointing out both the policy implications (there may be times you want the police access data) and the sheer arrogance of Apple’s FU to the US government–when there are lot’s of bad guys out there.

The FBI was joined by local police chiefs (who surely will be inconvenienced).

All the jawing by the FBI and police has catapulted an otherwise obscure software update into the world media spotlight.  The US government is seen to cry, “Oh woe, Apple is screwing us.  We can’t spy on you any more.  This is terrible.”   Apple is see to offer a heroic, ground breaking product that is magically “secure” from the US government.

This is all a very subtle evolution of the NSA Narrative:  “we are watching you.”   If you follow this line (and the upcoming Google upgrades), you are playing into their plans:  use the (American made) Apple and Google “magic” and you will be safe.  You don’t need to fear the NSA anymore, just use a long passcode and everything will be fine.

(And by the way, NSA and FBI are certainly happy if these changes make life harder for Chinese and Russian hackers.)

What I’m saying is that this is nothing more than a tiny inconvenience to the NSA (though quite effective against teenagers and local police), but they have exploited it to increase public awareness of cyberdefence and also to make sure that bad guys know that they are being watched.  The new wrinkle is the implication that using the next releases of Apple and Google will “protect” you–false confidence can be more dangerous than global paranoia.

One last comment:  aside from the kind of unfair slap as US government (what about China, Russia, and all the rest?), Apple’s narrative slapped rival companies, and basically said “trust us”.  It was interesting to see Apple slap Google’s ubiquitous user tracking, with a claim that Apple would never do something like that.  On the same page, we see Apple’s financial, home, and health tracking stuff–hugely invasive forays into privacy.

Who will protect us from Apple (or Google or Amazon or Facebook or the rest)?  “Trust us”, and anti government rhetoric isn’t really enough.

NSA Narrative: Excellent WH Post on Cybersecurity

This week Michael Daniel wrote in a White House blog about US government policies about cyber vulnerabilities. The item, “Heartbleed: Understanding When We Disclose Cyber Vulnerabilities”, is well worth reading. When the government becomes aware of a security vulnerability in widely used systems, what should it do? Keep quiet? Reveal it? Help fix it? Use it when needed for espionage? As, Daniel says, “the answer may seem clear to some, but the reality is much more complicated.”

Bear in mind that the NSA, FBI, and other agencies are saddled with impossibly conflicting missions: they are charged with protecting the communications and IP of the US, with penetrating the same systems of adversaries, and, on occasion, disabling or compromising systems to achieve other goals.   Since “our systems” and “their systems” have no clear boundary these days, and use the same components, how can the same people play both defense and offense at the same time on the same field? It’s not simple.

The post is partly in light of questions surrounding the recent revelations of a security hole in OpenSSL (code name Heartbleed). Many believe that the NSA know about the bug—if it didn’t put it in itself!—and kept quiet in order to exploit it to penetrate systems of interest. The NSA has flatly denied either, via Twitter, no less.

(For fans of the NSA Narrative  we note that the denial does little to settle the facts, but greatly helps to keep the stories alive. If our most trusted, openest, whitest hatted, software could have such a bug, possibly deliberately placed there by “someone”, we must assume that the NSA knows about it and takes advantage of all such holes.   “The NSA is watching everyone, everywhere.” Nothing on the Internet is safe!)

Daniel gives a list of question that are supposedly weighed in deciding what to do about security vulnerabilities:

    • “How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
    • Does the vulnerability, if left unpatched, impose significant risk?
    • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
    • How likely is it that we would know if someone else was exploiting it?
    • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
    • Are there other ways we can get it?
    • Could we utilize the vulnerability for a short period of time before we disclose it?
    • How likely is it that someone else will discover the vulnerability?
    • Can the vulnerability be patched or otherwise mitigated?”  (from Daniels)

This is a sensible list, and is actually familiar to anyone who has worked in system admin. We have to make similar decisions all the time on greater or lesser scales.

The essential challenge is to weigh what is known, the risks of action (or inaction), and benefits of actions (or inaction).

While a humble system admin will mostly worry about his or her own domain, and weigh financial costs, the US government has additional factors to consider. Multiple risks must be weighed (damaged web sites versus nuclear sabotage? Domestic versus overseas impacts?), and sometimes there may be dark “benefits” for espionage to weigh against losses.

Note, too, that there is always a timing issue. For defense, it is usually best to report bugs as soon as possible (along with countermeasures). Sometimes, though, if you wait a few hours or days someone else will discover the same bug. If so, then is there a reason to reveal what you have learned, possibly revealing what you are up to?

Worse, if there is no easy fix, then revealing the problem will assure that adversaries will be able to attack the systems you are charged with defending. Perhaps the problem should be kept quiet until there is a countermeasure? But, in the mean time, can we know if a system is already compromised? Yoiks!

Of course, the exciting, James Bond case is when there might be very important short term need (e.g., to penetrate particular adversaries) that argue for inaction until a later time. There are many folk tales and some evidence that these cases have occurred in the past, and presumably today and in the future.

As I said, this is a very good post, worth reading.  And the fact that it was posted is interesting, as well.

It is also an interesting contribution to The Narrative. It openly acknowledges that there are means, motives, and opportunities for the NSA to Know About Bugs Than Noone Else Knows, which they use to spy on you and turn your systems against you.

NSA CryptoKids (The Narrative takes a day off…)

There is nothing like talking to a kid to bring you right down to Earth.

After all the noisy “disclosures” about the NSA in the last year, it is amusing to look back at the NSA’s site for kids (which has been there for quite a while).

The site is a decent summary of the NSA’s mandate, and so boring it is reassuring.

I note the site has a strong element of safety/security on the Internet–a very difficult part of NSA’s mission.  If this web site gets kids to be a bit more alert and intelligent about using the Internet, so much better for everyone (though I sincerely doubt this, or any site, will have much impact.)

I took a look at the recruiting section, which describes career paths, with suggestions for how to prepare.  This looked pretty sensible to me, and anyone who followed their suggestions would be well qualified for lot’s of good jobs.

There was at least one controversial bullet, in list of “Do you like to…”

“Do you enjoy finding the limits and holes in computer systems?”

“If so, working as a Computer Scientist at the National Security Agency might be the job for you.”

(Most of the other “Do you”s were about problem solving and similar generic skills.)

Despite my best efforts, I can’t really tie this site to The Narrative except the most generic way. I suspect it is just what is seems to be: a feeble, bureaucratic PR activity.

IEEE Spectrum on NSA Wireless Hacking

Earlier this month I commented on the Der Spiegel and NYT breathless reports on NSA’s capability to hack computer that are not connected to any network.

This week Jeremey Hsu has an excellent piece in IEEE Spectrum that gives an informed and intelligent survey of this Buck Rogers stuff. It’s really, really cool, but, as Hsu makes clear, this stuff is “retail” spying, very targeted. (This is in line with my own comments about the numbers reported.)  The IEEE Spectrum has a long history of solid reporting on this kind of extrapolating-from-civiian-to-secret-military technology stories.

The information that has been leaked is pretty old, so we can assume that NSA has even better capabilities now.  I suspect that defending against these threats will do little good against today’s methods (though it will help defend against lower grade adversaries, such as private security and college students.)

I agree with Hsu that these methods are really useful only for particular targets that are deemed worth extraordinary effort (and risk).

Of course, Hsu’s calm, reasonable article is just as valuable to The Narrative as the NYT’s unsourced storytelling, but for different audiences.  Hsu will be read and understood in the worldwide nation of geekistan, where it will inspire yet higher levels of paranoia and irrational defensive measures.

“Oh my gosh!  The NSA might have planted a bug in my computer while it was being shipped!” ” Oh no! There might be a transceiver in that rock over there!”

As I have noted, sewing this kind of suspicion is a tremendous asset for NSA’s implicit goal to deny adversaries access to networks and IT. The more effort spent trying to evade the methods we know about from leaks, the less effort that is spent on plots, weapons development, and industrial espionage.

Bottom line:  really interesting technical note, and probably valuable to the NSA for it to appear.

 

NSA “Narrative”: Some Math Checks

Recent media reports on NSA spying have been throwing around some large numbers.  These numbers are completely unverifiable, but they make the narrative sound more precise, and perhaps scarier.

I had to do some back of the envelope checking to see if these numbers are plausible, and what they imply.

The NYT and others report that, for many years, the NSA has infected computers with malware that allow them to activate and get or put information to the targeted computer. Since random high school kids can do this, we can be confident that the NSA can and will do it when they need to.

The reports indicated that maybe 100,000 computers per year have been hacked by the NSA in the way.  If this number is representative of NSA’s activity, it is pretty limited.  Defending on the definition of “computer” (is your HDTV counted as a “computer”?  It certainly could be hacked like one.), there are certainly billions, if not tens of billions of computers the NSA might hack.  So 100,000 is a tiny, select sample.  Odds are, these are strategically important and/or used by important targets.

Another way to think of this is to note that malicious hackers regularly assemble bot nets of 100,000 computers and more.  So this is not really a very big number.

Another claim reported by the Guardian and others is that the NSA intercepts about 200 million text messages per day.  (Actually the story is mostly about how the NSA and GCHQ collaborate and exploit loopholes in respective national laws.)

So how many text messages are sent each day?  There might be different definitions of what is a “text message” (SMS is, tweets are usually counted separately, etc.)  A reasonable estimate would give numbers in billions, like say 4 billions text messages per day.

If you take that as an estimate, you would see that this is a pretty large sample (2 million out of 4 billion is about 5% of the total), though very far from “everything”.  Again, this is probably selected strategic traffic from areas of interest.

I note that SMS are relatively easy to sweep up this way, and it is probably a lot easier to capture everything and pull out what you want rather than try to pick out a the few messages you are interested in.  So there are probably practical reasons for collected in bulk.

Both these numbers have to be taken with a grain of salt.  The source is unconfirmable (purported internal powerpoints from a couple of years ago), which, even if real, do not represent all the activities of the NSA.  There could very well be other programs not mentioned here that intercept even more.

However, the numbers are plausible and certainly well withing technical feasibility.

However, the numbers are not necessarily indications of broad, unselective data collection, as implied by media reports and political statements.  I’m not saying the NSA is not collecting more data that maybe it should, but these numbers don’t really say that.

I note that ballyhooing these numbers does help The Narrative.

First, images of powerpoint slides describing cool James Bond programs like “Dishfire” are very exciting and memorable.  I note that one of the slides shows a map with big dots on the places that the NSA wants you to know they are really, really, watching you.

Second, tossing out specific numbers makes it truthier, and memorable. And the large numbers out of context help make the point that “we are watching everybody all the time”.

So, overall, these reports help portray the NSA as “watching everyone, everywhere”, without giving away any actual secrets.  If the NSA did not orchestrate these releases, it can’t be too unhappy about how they are being publicized.

Mostly Unsourced NYT Contributions to the Narrative

I’m having trouble parsing the NYT report in Wednesday’s paper, describing NSA devices that surreptitiously wirelessly connect back to NSA.

The breathless headline “reveals” that the NSA can implant devices that radio out to relay stations nearby, enabling them to remotely monitor and attack computers even though they are not connected to a network. (The NPR report on the story more accurately headlines the “100,000 computers worldwide”.)

Since this isn’t a particularly amazing technical feat, I looked carefully to see what the “news” is.

First, I would like to point out that this story is very poorly sourced.  What is the basis for these claims?  As far as I can figure out, this is based on some documents leaked by Snowden, published in December, combined with interviews with “experts”.  There is even a pretty diagram, which has no attribution at all.  We also have a story of an exploding rock in Iran, not specifically and uncritically attributed to “Iranian news media”.

Second, the article conflates “implanting software in 100,000 computers” with the headline wireless technology.  If you read carefully, you see that the (pretty hazy) estimate isn’t about wireless invasions specifically, which is only one method.  (By the way, “100,000 computer world wide” is pretty paltry—there are more computers than that just in my home town.)

Overall, this story turns out to be a rehash of old information.  The main contribution does seem to be a reconstruction of something that the NSA (and others) could probably do five years ago. Big deal.

Narrativewise, this keeps the basic story alive in the US (:”We are watching you”) without revealing anything new. The NSA will be pleased.

I think one of the motives was to put out a new line, in anticipation of Obama’s announcement Friday. (There is another story in the NYT and everywhere, covering the preemptive recommendations and push back on “new restrictions” which haven’t even been announced yet.)

Claiming that in response to “Silicon Valley’s critique of the N.S.A.”, the new policy should be that NSA should not exploit or create vulnerabilities in commercial software (or at least not be caught doing so).   At least part of the reason is that these holes are extremely dangerous for the US interests NSA must protect.

Does the risk to US systems outweigh the benefit of access to adversaries’ systems?  This is familiar territory for the NSA, and they will continue to do their own cost-benefit analyses,

NSA Narrative In One Picture

A routine satellite launch this week. The NSA can’t conceal the launch, so they turn the inevitable publicity into an opportunity to promulgate The Narrative: we are watching you.  No further comment is needed here.