
Prism and Verizon surveillance discussion thread

Started by Junkenstein, June 06, 2013, 02:19:29 PM


Junkenstein

Something of a tangent, but this seems relevant and probably important:

http://www.wired.com/threatlevel/2013/09/dotcom-lawsuit/

Quote: File-sharing tycoon Kim Dotcom has a plan to become a multi-millionaire again: He's filed a seven-figure lawsuit against the New Zealand government over the spectacular 2012 assault on his mansion, and the electronic spying that preceded it.

Court filings released this week show Dotcom and associates have made good on a threat last year to sue police and the country's main spy agency, the Government Communications Security Bureau, or GCSB, for the SWAT-style raid in which Dotcom and the others were arrested a year and a half ago.

The New Zealand government appealed a ruling last year that granted Dotcom the right to sue, but lost last March. Court documents filed in the High Court earlier this year, but not made public until this week, lay out Dotcom's case that the police were excessively invasive and aggressive in conducting the raid, and used NSA-like spy systems to place him under covert surveillance.

"The case will show how the Five-Eyes spy cloud, X-Keyscore and PRISM were utilized in our copyright case," Dotcom tells WIRED. "Remember, I'm not a terrorist."

RIAA/MPAA and others would probably disagree. Vehemently. With many lawyers.
Nine naked Men just walking down the road will cause a heap of trouble for all concerned.

Cain

-

Bebek Sincap Ratatosk

Quote from: Cain on September 14, 2013, 09:27:56 AM
From one of my favourite infosec writers:

http://krypt3ia.wordpress.com/2013/09/13/so-heres-my-thing/

Quote: Face it.. We are all PWND six ways to Sunday

Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It's true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.

*ponder ponder ponder*

Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers I don't think that we will not truly have any privacy anymore. If you place it on the net, or in the air. We have reached in my opinion the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.

As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all I have increasingly felt the 5 stages of grief. I had the disbelief (ok not completely as you all know but the scope was incredible at each revelation). Then the anger came and washed over me, waves and waves of it as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon though began to understand that no matter what I did with the tools out there that it was likely they had already been back door'd. This came to be more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of "National Security".

Over time the revelations have all led to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do it would mean nothing to the rapidly approaching cyberpocalypse of our own creation arriving. ....In short, we can't stop it and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing "we" can do to stop this short of a bloody coup on the government at large.

I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.

It's worth reading the whole thing, though. This person definitely knows their stuff when it comes to computer security, and if they say privacy is now functionally impossible...well, I'm inclined, based on what I already know, what I suspect and what they say, to believe it.

I agree with him. Privacy from random people, sure. Privacy from hackers, if you build it right. Privacy from the NSA, probably not ever again.
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

tyrannosaurus vex

Because the surveillance works best at the social network level, your personal privacy is irrelevant anyway unless every single person you communicate with is equally secure. They don't need to directly read your communications to calculate what they are based on the communications and activity of everyone you're in contact with.

That said, statements like "everything is probably back-door'd anyway" are kind of ignorant. That's why you use and participate in open-source software. You can see the source code and any back doors right there in plain code. This is why open-source software is more secure than closed-source in general.
Evil and Unfeeling Arse-Flenser From The City of the Damned.

Bebek Sincap Ratatosk

Quote from: V3X on September 14, 2013, 06:33:46 PM
Because the surveillance works best at the social network level, your personal privacy is irrelevant anyway unless every single person you communicate with is equally secure. They don't need to directly read your communications to calculate what they are based on the communications and activity of everyone you're in contact with.

That said, statements like "everything is probably back-door'd anyway" are kind of ignorant. That's why you use and participate in open-source software. You can see the source code and any back doors right there in plain code. This is why open-source software is more secure than closed-source in general.

I think that backdoors would be caught in some of the more highly reviewed open source stuff, like the Linux kernel. However, it wouldn't be impossible for someone to slip in obfuscated code within a library, a popular add-on or something like that. If the claims of influencing standards are true, then even if an open source product is clean, it may be implementing a compromised standard. For example, if the SSL/TLS standard had been manipulated so that the NSA knew about the CBC flaw that led to the BEAST attack. It's a perfect flaw for the kind of thing that the NSA would want to exploit.
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

tyrannosaurus vex

Certainly if the standards are compromised, then there isn't much that developers can do about it. Either use a compromised standard, or break compatibility and have a program that "doesn't work." Or design a new standard that itself will likely be flawed or eventually compromised. But that isn't the software's fault. As for obfuscated code, there's obviously a high level of review for very active projects (like the Linux kernel) and for projects intended to secure data (encfs, etc.). It's entirely possible that obfuscated code would be submitted, but it's more likely to be approved in less active projects and fluffy BS programs like whatever the open-source equivalent of WeatherBug is.
Evil and Unfeeling Arse-Flenser From The City of the Damned.

Bebek Sincap Ratatosk

Quote from: V3X on September 14, 2013, 07:42:36 PM
Certainly if the standards are compromised, then there isn't much that developers can do about it. Either use a compromised standard, or break compatibility and have a program that "doesn't work." Or design a new standard that itself will likely be flawed or eventually compromised. But that isn't the software's fault. As for obfuscated code, there's obviously a high level of review for very active projects (like the Linux kernel) and for projects intended to secure data (encfs, etc.). It's entirely possible that obfuscated code would be submitted, but it's more likely to be approved in less active projects and fluffy BS programs like whatever the open-source equivalent of WeatherBug is.

Right, the question is how deep their influence has been. If I were the NSA I would have aimed for standards, protocols, algorithms etc.
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

Junkenstein

Good News!

http://www.wired.com/threatlevel/2013/09/telcos-metada-orders/

Quote: Since at least 2006 a secret spy court has continuously compelled the nation's carriers to hand over records of every telephone call made to, from, or within the United States.

But none of the phone companies have ever challenged the orders in court, according to an August 29 opinion (.pdf) by the Foreign Intelligence Surveillance Court, which was declassified today.

"To this date, no holder of records who has received an Order to produce bulk telephony metadata has challenged the legality of such an Order," reads the ruling. "Indeed, no recipient of any Section 215 Order has challenged the legality of such an Order, despite the explicit statutory mechanism for doing so."

No, wait.

Quote: Congress in 2008 passed legislation immunizing the telcos from ever being sued for forwarding customer data to the NSA.

Hang on

Quote: A day after the Guardian's story, however, Verizon declined to acknowledge the program but also said it was just following orders.

It's OK! They were only following orders.
Nine naked Men just walking down the road will cause a heap of trouble for all concerned.

Lord Cataplanga

After the revelations that the NSA has been spying on Brazil's government (particularly on president Dilma Rousseff and the state-owned oil company Petrobras), their government is trying to force some web companies to keep their data about Brazilian citizens in Brazilian datacenters. That way, they would have to comply with Brazilian privacy laws.

There are also plans to connect Brazil with the rest of South America and with Europe directly with fiber, so their communications won't go through American servers and they won't be spied on. This won't work (the NSA has been tapping undersea cables for some time) but is still a good idea for other reasons (more availability, less latency).

The reaction from the American press has been hilarious:

Quote: Internet security and policy experts say the Brazilian government's reaction to information leaked by former NSA contractor Edward Snowden is understandable, but warn it could set the Internet on a course of Balkanization.

Quote: Matthew Green, a Johns Hopkins computer security expert, said Brazil won't protect itself from intrusion by isolating itself digitally. It will also be discouraging technological innovation, he said, by encouraging the entire nation to use a state-sponsored encrypted email service.

"It's sort of like a Soviet socialism of computing," he said, adding that the U.S. "free-for-all model works better."

Cain

-

Junkenstein

http://www.wired.com/threatlevel/2013/09/nsa-backdoor/all/

Quote: Even without more explicit confirmation that the weaknesses in the algorithm and standard constitute a backdoor, Kocher and Schneier believe they do.

"It is extraordinarily bad cryptography," says Kocher. "If you look at the NSA's role in creating standards [over the years] and its general cryptographic sophistication, none of it makes sense if there isn't a backdoor in this."

Schneier agrees and says the NSA has done too many other things for him to think, when he sees government-mandated crypto that's weak, that it's just by accident.

"If we were living in a kinder world, that would be a plausible explanation," he says. "But we're living in a very malicious world, it turns out."

HAHAHAHAHAAAAIIEEEEE.
Nine naked Men just walking down the road will cause a heap of trouble for all concerned.

Mesozoic Mister Nigel

Quote from: Junkenstein on September 25, 2013, 11:17:17 AM
http://www.wired.com/threatlevel/2013/09/nsa-backdoor/all/

Quote: Even without more explicit confirmation that the weaknesses in the algorithm and standard constitute a backdoor, Kocher and Schneier believe they do.

"It is extraordinarily bad cryptography," says Kocher. "If you look at the NSA's role in creating standards [over the years] and its general cryptographic sophistication, none of it makes sense if there isn't a backdoor in this."

Schneier agrees and says the NSA has done too many other things for him to think, when he sees government-mandated crypto that's weak, that it's just by accident.

"If we were living in a kinder world, that would be a plausible explanation," he says. "But we're living in a very malicious world, it turns out."

HAHAHAHAHAAAAIIEEEEE.

:horrormirth:
"I'm guessing it was January 2007, a meeting in Bethesda, we got a bag of bees and just started smashing them on the desk," Charles Wick said. "It was very complicated."


von

Don't know if this has been mentioned yet, or if it's sorta implied with the "standards manipulation" mentioned above, but I've been hearing things recently that make me say that you'd need to go full-on RMS and use only open source hardware in order to get the "open source auditing" advantage that comes with FOSS.

For example, I've been hearing things about the AES-NI instruction from modern Intel microcode that imply that it simplifies random number generation in order to "make encryption quicker"...or at least that's how it's being marketed. Apparently, someone "in the know" about how it simplifies the RNG could use that to their advantage when cracking AES that's been encrypted with a modern Intel processor ("modern" == made after about 2008 from what I've heard).

Naturally, if this is true, and the implications I'm drawing from it are true...it doesn't matter how open your software is. It's hardware levels of bad...

Q. G. Pennyworth


Cain

-