Dept. of Holy Crap: The NSA stuff is worse than you thought.

Apparently, the NSA, in their zeal to listen to everyone, has been successfully inserting back doors into encryption protocols for years, ProPublica has learned.

How’d they learn this?

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

Thank you, Edward Snowden. Back doors are horrible ideas, because they invariably fall to nefarious use. Even, as we’ve seen, inside supposedly trusted organizations like the NSA.

Among the technologies compromised by the NSA is SSL, which you rely on every day to keep your browser traffic safe when banking, shopping, or accessing other private services online. I am reminded of what former Lavabit CEO Ladar Levison wrote when he shut down his secure email service out of the fear that the spooks would infest it: “Without Congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”

The Feds are, obviously, not happy about the publication of this information, but you know what? Fuck them. This is security apparatus run wild, and it must be both disclosed and stopped. ProPublica, for their part, published a clear and well reasoned article detailing why they chose to publish:

The story, we believe, is an important one. It shows that the expectations of millions of Internet users regarding the privacy of their electronic communications are mistaken. These expectations guide the practices of private individuals and businesses, most of them innocent of any wrongdoing. The potential for abuse of such extraordinary capabilities for surveillance, including for political purposes, is considerable. The government insists it has put in place checks and balances to limit misuses of this technology. But the question of whether they are effective is far from resolved and is an issue that can only be debated by the people and their elected representatives if the basic facts are revealed.

[…]

There are those who, in good faith, believe that we should leave the balance between civil liberty and security entirely to our elected leaders, and to those they place in positions of executive responsibility. Again, we do not agree. The American system, as we understand it, is premised on the idea — championed by such men as Thomas Jefferson and James Madison — that government run amok poses the greatest potential threat to the people’s liberty, and that an informed citizenry is the necessary check on this threat. The sort of work ProPublica does — watchdog journalism — is a key element in helping the public play this role.

Finally: What to do now?

Good question. It’s not completely clear which implementations have been compromised by the NSA, but Bruce Schneier has a great bit in the Guardian today about placing this in perspective, and about what you can do to keep your own data safe from prying eyes — even eyes ostensibly on the same side as you are. The gist is this:

First, properly implemented strong cryptography still works as advertised. The NSA doesn’t have special math it can deploy; trap-door algorithms are still trap doors. Multiplication is and will remain orders of magnitude easier than factoring.

Second and no less important: Open source security software is better. The NSA has obviously been influencing proprietary solutions, and will continue to do so; with open source software, though, an army of privacy-advocate neckbeards are perusing every commit. This is a good thing.

Bruce has, obviously, more concrete suggestions; go read the bit.

“Are You My Mother?”, Amazon Edition

David Good’s parents come from different countries – hardly unusual in the US where he was raised. But the 25-year-old’s family is far from ordinary – while his father is American, his mother is a tribeswoman living in a remote part of the Amazon. Two decades after she left, David realised he had to find her.

Go. Read. Now. This is extraordinary.

Via MeFi.

Good News, Bad News in Federal Rulings

The Good News is that the ACLU has won its case before Anna Brown in re: the Constitutionality of the mysterious, un-auditable, un-checkable “no-fly” list. I’m sure the gummit will appeal, but don’t look for many judges to be swayed by their utter bullshit argument.

On the other hand, there’s the Bad News, regarding the terrorism case against Adel Daoud. Daoud was caught up in one of the FBI’s many “let’s invent a terror scheme and arrest an idiot!” plans. Daoud’s lawyers have, sensibly, insisted on seeing some of the evidence against their client — specifically, that which was obtained via FISA and which supposedly establishes Daoud (a clearly not-terribly-bright high school student) as the agent of a foreign power. The Feds refused, saying it was classified.

Think on that for a minute.

Well, it gets worse, because the judge sided with the Feds. It’s a giant due process problem that we can only hope will be overturned on appeal.

Today in Huge Developments

First: The IRS announced today that all legally married gay couples will be considered married for tax purposes, regardless of where they live.

In other words, two Californians who move to Alabama won’t lose their status just because of their zip code.

Second: Ending years of vague and contradictory statements, the DOJ has announced it will not challenge states that legalize marijuana, and will basically leave them alone as long as certain guidelines are followed (which generally have to do with keeping it away from minors, suppressing illegal cartel activity, and related goals). It’s not as much of a clear win as the first one (individual USAs will still be able to be dicks if they want to, basically), but it’s still a step in the right direction.

Smart Thinking about the NSA — from 1983

Via BoingBoing, we find this quote from the New York Times 30 years ago:

No laws define the limits of the N.S.A.’s power. No Congressional committee subjects the agency’s budget to a systematic, informed and skeptical review. With unknown billions of Federal dollars, the agency purchases the most sophisticated communications and computer equipment in the world. But truly to comprehend the growing reach of this formidable organization, it is necessary to recall once again how the computers that power the N.S.A. are also gradually changing lives of Americans – the way they bank, obtain benefits from the Government and communicate with family and friends. Every day, in almost every area of culture and commerce, systems and procedures are being adopted by private companies and organizations as well as by the nation’s security leaders that make it easier for the N.S.A. to dominate American society should it ever decide such action is necessary.

What happens when the NSA head has dinner with a critic?

Again, via TechDirt, we find this story about NSA critic Jennifer Granick’s dinner with Keith Alexander. You really ought to read the whole thing (which is full of links not reproduced in quotes here).

In general, Granick’s argument isn’t particularly novel, but it’s devastating to Alexander’s “we really have to do these things to keep you safe” line. (“The General seemed convinced that if only I knew what he knew, I would agree with him.” That reasoning is rhetorically and logically bankrupt, but it doesn’t stop intel types from spouting it whenever challenged.)

I have no doubt that Gen. Alexander loves this country as much as I do, or that his primary motivation is to protect our nation from terrorist attacks. “Never again,” he said over dinner. But it may be that our deep differences stem from a fundamental disagreement about human nature. I think Gen. Alexander believes that history is made by great individuals standing against evil. I believe that brave people can make a difference, but that larger inexorable forces are often more important: history, economics, political and social systems, the environment. So I believe that power corrupts and that good people will do bad things when a system is poorly designed, no matter how well-intentioned they may be. More than once, my dinner companions felt the need to reassure the DIRNSA that none of us thought he was a bad man, but that we thought the surveillance policies and practices were bad, and that eventually, inevitably, those policies and practices would lead to abuse.

It’s utterly unsurprising that Alexander is sure the abuses will be minor, and that these awesome powers are required, but men are not angels, and abuses are rampant.

How does a good man sit across from you at the dinner table and assure you the government is properly constrained, when in reality it lies and disregards even the most anemic purported safeguards? The easy answer is that he’s not a good man after all. Some people will call me naïve, but I disagree with that conclusion. In any case, it’s a simplistic view that masks the truth about systems of power, a truth we must understand and respect if we are to fix this surveillance nightmare we are just beginning to uncover.

Of course, we see mission creep – once you build the mousetrap of surveillance infrastructure, they will come for the data. First it was counterterrorism, then it was drug investigations, then it was IRS audits. Next it will be for copyright infringement.

And of course, there also will be both “inadvertent” and intentional abuse, inevitable but difficult to discover. Bored analysts do things like spy on women using surveillance cameras and listen to American GIs overseas having phone sex with their loved ones back home.

Granick concludes:

Liberty and security are the hard-won results of democratic process and limited government power. A system of mass surveillance puts innocent people at risk, and is, in itself, an abuse of liberty. Inevitably, it leads to further abuses. When the justification is counter-terrorism, and that’s your only concern, there is no countervailing interest that justifies slowing you down or stopping you. We are only beginning to learn all the ways in which good men are nevertheless failing to withstand the corrupting force of vast spying abilities. Indeed, the FISA court noted in that 2011 opinion that the government’s collection of tens of thousands of purely domestic communications, hidden from the court for years, could be a crime. (Footnote 15) The good people at NSA have literally pulverized the Fourth Amendment, government accountability, freedom of expression, rule of law, and so many other equally critical components of the American system.

Today’s Winner for Government Thuggery: The UK!

The journalist who’s done most of the first-line reporting on the Snowden saga is a guy named Glenn Greenwald. Over the weekend, Mr Greenwald’s partner, David Miranda, was detained upon arriving at Heathrow Airport for nine hours on obviously trumped-up reasons. In the UK, nine hours is the legal max before they must charge you, which is not an amazing coincidence. (Mr Greenwald, an American, and Mr Miranda, a Brazilian, make their home in Rio.)

In addition to being detained, though, the Heathrow officials impounded Miranda’s cell phone, laptop, and memory sticks, ostensibly to search for “terrorism” evidence or some other such bullshit; the real reason for both the detention and the confiscation is obviously to harass Mr Greenwald.

This is complete bullshit.

From Greenwald’s column today:

[T]hey obviously had zero suspicion that David was associated with a terrorist organization or involved in any terrorist plot. Instead, they spent their time interrogating him about the NSA reporting which Laura Poitras, the Guardian and I are doing, as well the content of the electronic products he was carrying. They completely abused their own terrorism law for reasons having nothing whatsoever to do with terrorism: a potent reminder of how often governments lie when they claim that they need powers to stop “the terrorists”, and how dangerous it is to vest unchecked power with political officials in its name.

Worse, they kept David detained right up until the last minute: for the full 9 hours, something they very rarely do. Only at the last minute did they finally release him. We spent all day – as every hour passed – worried that he would be arrested and charged under a terrorism statute. This was obviously designed to send a message of intimidation to those of us working journalistically on reporting on the NSA and its British counterpart, the GCHQ.

Before letting him go, they seized numerous possessions of his, including his laptop, his cellphone, various video game consoles, DVDs, USB sticks, and other materials. They did not say when they would return any of it, or if they would.

Fortunately, it’s stirred up quite a bit of inquiry from Labour pols in Britain. What’s not cool is that apparently the White House knew beforehand.

More Guardian coverage here.

Schneier is paying attention to the NSA’s excesses. So should you.

At this point, I don’t think it’s at ALL hyperbole to say the Internet as it exists today is one of the happiest accidents in human history. Because of its convoluted history, it became a free-for-all space and, in some ways, a lawless frontier. This allowed a billion flowers to bloom based on a very simple foundation, and is anathema to control and censorship; John Gilmore famously distilled this principle as “the net interprets censorship as damage and routes around it.”

Governments — even, or maybe especially, ours — don’t like this lack of control. They don’t like that proper encryption makes it almost impossible to read anything they like. So the NSA is effectively commandeering the Internet, and will continue to push for more invasive surveillance and control unless they are stopped.

Help stop them. Here’s Bruce:

It turns out that the NSA’s domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we’ve learned, fight and lose. Others cooperate, either out of patriotism or because they believe it’s easier that way.

I have one message to the executives of those companies: fight.

Do you remember those old spy movies, when the higher ups in government decide that the mission is more important than the spy’s life? It’s going to be the same way with you. You might think that your friendly relationship with the government means that they’re going to protect you, but they won’t. The NSA doesn’t care about you or your customers, and will burn you the moment it’s convenient to do so.

We’re already starting to see that. Google, Yahoo, Microsoft and others are pleading with the government to allow them to explain details of what information they provided in response to National Security Letters and other government demands. They’ve lost the trust of their customers, and explaining what they do — and don’t do — is how to get it back. The government has refused; they don’t care.

It will be the same with you. There are lots more high-tech companies who have cooperated with the government. Most of those company names are somewhere in the thousands of documents that Edward Snowden took with him, and sooner or later they’ll be released to the public. The NSA probably told you that your cooperation would forever remain secret, but they’re sloppy. They’ll put your company name on presentations delivered to thousands of people: government employees, contractors, probably even foreign nationals. If Snowden doesn’t have a copy, the next whistleblower will.

This is why you have to fight. When it becomes public that the NSA has been hoovering up all of your users’ communications and personal files, what’s going to save you in the eyes of those users is whether or not you fought. Fighting will cost you money in the short term, but capitulating will cost you more in the long term.

How the NSA is lying to you

The EFF has a handy rundown of the positively Orwellian bullshit coming out of our “intelligence” community. Here’s an example:

Another tried and true technique in the NSA obfuscation playbook is to deny it does one invasive thing or another “under this program.” When it’s later revealed the NSA actually does do the spying it said it didn’t, officials can claim it was just part of another program not referred to in the initial answer.

This was the Bush administration’s strategy for the “Terrorist Surveillance Program”: The term “TSP” ended up being a meaningless label, created by administration officials after the much larger warrantless surveillance program was exposed by the New York Times in 2005. They used it to give the misleading impression that the NSA’s spying program was narrow and aimed only at intercepting the communications of terrorists. In fact, the larger program affected all Americans.

Dept. of Surprising Facts

Via Kottke, we find this article that details the ages of the key participants in the American Revolution as of July 4, 1776.

  • Marquis de Lafayette was 18; so was James Monroe
  • Gilbert Stuart was 20, as was Aaron Burr
  • Alexander Hamilton, 21
  • James Madison, 25
  • Thomas Jefferson, 33
  • John Adams, 40
  • Paul Revere, 41
  • George Washington, 44
  • Samuel Adams, 53

You sort of expect that they were all older men at the time, but that’s really not the case at all.

Yeah, about that NSA thing?

Turns out they CAN actually read our email. They just promise not to without a really good reason.

Oh, and they get to decide what a good enough reason is, and they don’t have to tell us.

Still not freaked out about spying, Snowden, and the governmental hysteria around it?

Yeah, go read this.

tl;dr: the secure email provider Snowden used has shut down, citing cryptic governmental action. In his closure notice, the firm’s founder notes this:

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.

He’s not wrong. Market reaction to the Snowden revelations is likely to cost US cloud and hosting firms a pretty penny. Sure, a Swedish firm might give up data to the Swedish government, but right now it’s the US government’s actions that disturb everyone who’s paying attention. Sweden, for example, hasn’t sent anyone to be tortured in Syria lately.

Oh, just go read it: Schneier on trust and effectiveness

Bruce Schneier on the state of public trust.

And, while you’re at it, take in this Ars Technica article where they ask him how HE would run the NSA. It’s illuminating:

“There’s a fundamental problem in that the issues are not with the NSA but with oversight,” he told Ars. “[There’s no way to] counterbalance the way [the NSA] looks at the world. So when the NSA says we want to get information on every American’s phone call, no one is saying: ‘you can’t do that.’ Without that, you have an agency that’s gone rogue because there is no accountability, because there is nothing checking their power.”

The way Schneier sees it, in an attempt to keep the operational details of the targets secret, the NSA (and presumably other intelligence agencies, too) has also claimed that it also needs to keep secret the legal justification for what it’s doing. “That’s bullshit,” Schneier says.

The famed computer scientist wants to apply traditionally open and public scrutiny to how the NSA operates.

“How much does this stuff cost and does it do any good?” he said. “And if they can’t tell us that, they don’t get approved. Let’s say the NSA costs $100 million annually and that an FBI agent is $100,000 a year. Is this worth 1,000 FBI agents? Or half and half? Nowhere will you find that analysis.”

For the record: the size of the NSA’s budget is officially classified as secret, but estimates put it at at least $8 to $10 billion annually—but his point stands. It’s nearly impossible to judge the effectiveness of federal spending of an unknown sum, whose tactics, legal justifications, and most importantly, outcomes, are completely hidden from the public.

Southern Sheriffs: Stay Classy

Apparently, cops around Baton Rouge are still arresting folks for sodomy despite Lawrence v. Texas. The DA refuses to prosecute, but the arrests continue; we’ll let them explain why:

“This is a law that is currently on the Louisiana books, and the sheriff is charged with enforcing the laws passed by our Louisiana Legislature,” Casey Rayborn Hicks, a Sheriff’s Office spokeswoman, said. “Whether the law is valid is something for the courts to determine, but the sheriff will enforce the laws that are enacted.”

Dept. of Shocking Statistics

From this very interesting article:

Microsoft’s share of connected devices sales (in effect, PCs plus iOS and Android) has collapsed from over 90% in 2009 to under a quarter today.

Emphasis mine.

In other words, in the space of four years, the overwhelming majority of devices on the Internet went from being Windows machines to being either iOS or Android.

And yet, Ballmer STILL has a job.

Dept. of Not-No-But-FUCK-NO

CNET:

The U.S. government has demanded that major Internet companies divulge users’ stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

The best story you’ll read about Nirvana, Soundgarden, and the US Special Forces

Jason Everman was kicked out of Nirvana just before they hit it big. Then he was kicked out of Soundgarden, just before THEY hit it big.

Then he joined the Rangers and, eventually, the Special Forces, and now he’s a student at Columbia.

Yeah.

He is, predictably, quiet about it. And thank God, because otherwise he’d be the guy who could say he was in Nirvana, and in Soundgarden, and in the Special Forces, and no one would ever believe him.

Stay classy, you ridiculous fuck

WaPo:

The most remarkable thing about the Supreme Court’s opinions announced Monday was not what the justices wrote or said. It was what Samuel Alito did.

The associate justice, a George W. Bush appointee, read two opinions, both 5-4 decisions that split the court along its usual right-left divide. But Alito didn’t stop there. When Justice Ruth Bader Ginsburg read her dissent from the bench, Alito visibly mocked his colleague.

What is, and isn’t, espionage

Greenwald nails it. Here’s an interesting fact about Espionage Act charges, btw:

Prior to Barack Obama’s inauguration, there were a grand total of three prosecutions of leakers under the Espionage Act (including the prosecution of Dan Ellsberg by the Nixon DOJ). That’s because the statute is so broad that even the US government has largely refrained from using it. But during the Obama presidency, there are now seven such prosecutions: more than double the number under all prior US presidents combined. How can anyone justify that?

And more:

The Terrorists already knew, and have long known, that the US government is doing everything possible to surveil their telephonic and internet communications. The Chinese have long known, and have repeatedly said, that the US is hacking into both their governmental and civilian systems (just as the Chinese are doing to the US). The Russians have long known that the US and UK try to intercept the conversations of their leaders just as the Russians do to the US and the UK.

They haven’t learned anything from these disclosures that they didn’t already well know. The people who have learned things they didn’t already know are American citizens who have no connection to terrorism or foreign intelligence, as well as hundreds of millions of citizens around the world about whom the same is true. What they have learned is that the vast bulk of this surveillance apparatus is directed not at the Chinese or Russian governments or the Terrorists, but at them.

I don’t fall into the trap of thinking either McCain or Romney would have been better here; the GOP theory of government power is typically far more offensive to me than the Democratic one – and, besides, everyone inside the Beltway is already lining up to pillory Snowden. The accord the parties find themselves in over this issue is part of the problem.

The Quotable Edward Snowden

Via here:

Snowden said Monday, “Being called a traitor by Dick Cheney is the highest honor you can give an American,” slamming Cheney for the Bush administration’s warrantless wiretapping and for “deceitfully engineering” the Iraq war.

Schneier on Snowden

As always, he nails it:

Edward Snowden broke the law by releasing classified information. This isn’t under debate; it’s something everyone with a security clearance knows. It’s written in plain English on the documents you have to sign when you get a security clearance, and it’s part of the culture. The law is there for a good reason, and secrecy has an important role in military defense.

But before the Justice Department prosecutes Snowden, there are some other investigations that ought to happen.

We need to determine whether these National Security Agency programs are themselves legal. The administration has successfully barred anyone from bringing a lawsuit challenging these laws, on the grounds of national secrecy. Now that we know those arguments are without merit, it’s time for those court challenges.

It’s clear that some of the NSA programs exposed by Snowden violate the Constitution and others violate existing laws. Other people have an opposite view. The courts need to decide.

We need to determine whether classifying these programs is legal. Keeping things secret from the people is a very dangerous practice in a democracy, and the government is permitted to do so only under very specific circumstances. Reading the documents leaked so far, I don’t see anything that needs to be kept secret. The argument that exposing these documents helps the terrorists doesn’t even pass the laugh test; there’s nothing here that changes anything any potential terrorist would do or not do. But in any case, now that the documents are public, the courts need to rule on the legality of their secrecy.

And we need to determine how we treat whistle-blowers in this country. We have whistle-blower protection laws that apply in some cases, particularly when exposing fraud, and other illegal behavior. NSA officials have repeatedly lied about the existence, and details, of these programs to Congress.

Only after all of these legal issues have been resolved should any prosecution of Snowden move forward. Because only then will we know the full extent of what he did, and how much of it is justified.

I believe that history will hail Snowden as a hero — his whistle-blowing exposed a surveillance state and a secrecy machine run amok. I’m less optimistic of how the present day will treat him, and hope that the debate right now is less about the man and more about the government he exposed.

Three Felonies A Day

You oughta go read this:

Boston civil rights lawyer Harvey Silverglate says that everyone in the US commits felonies everyday and if the government takes a dislike to you for any reason, they’ll dig in and find a felony you’re guilty of.

Case in point: I remember, but you probably don’t, that the telco Qwest refused to participate in some very, very broad and overreaching (and probably illegal) surveillance back before 9/11. Immediately, the DOJ terminated a whole slew of unrelated contracts with Qwest, and then things REALLY got fun:

And then the DoJ targeted him and prosecuted him and put him in prison for insider trading — on the theory that he knew of anticipated income from secret programs that QWest was planning for the government, while the public didn’t because it was classified and he couldn’t legally tell them, and then he bought or sold QWest stock knowing those things.

This CEO’s name is Joseph P. Nacchio and TODAY he’s still serving a trumped-up 6-year federal prison sentence today for quietly refusing an NSA demand to massively wiretap his customers.

Why You Should Shop At Costco

BusinessWeek: The Cheapest, Happiest Company in the World.

The precis is simple: WalMart pays its workers badly, treats them poorly, and is in trouble. Costco is the anti-WalMart:

Despite the sagging economy and challenges to the industry, Costco pays its hourly workers an average of $20.89 an hour, not including overtime (vs. the minimum wage of $7.25 an hour). By comparison, Walmart said its average wage for full-time employees in the U.S. is $12.67 an hour, according to a letter it sent in April to activist Ralph Nader. Eighty-eight percent of Costco employees have company-sponsored health insurance; Walmart says that “more than half” of its do. Costco workers with coverage pay premiums that amount to less than 10 percent of the overall cost of their plans. It treats its employees well in the belief that a happier work environment will result in a more profitable company. “I just think people need to make a living wage with health benefits,” says [CEO Craig] Jelinek. “It also puts more money back into the economy and creates a healthier country. It’s really that simple.”

Dept. of Darkly Hilarious Corporate Infighting

From Talking Points Memo, we find this story, attributed to internal documents recovered by the AP in a building abandoned by terrorists in Mali:

After years of trying to discipline him, the leaders of [this organization] sent one final letter to their most difficult employee. In page after scathing page, they described how he didn’t answer his phone when they called, failed to turn in his expense reports, ignored meetings and refused time and again to carry out orders.

Most of all, they claimed he had failed to carry out a single spectacular operation, despite the resources at his disposal.

The employee […] responded the way talented employees with bruised egos have in corporations the world over: He quit and formed his own competing group.

What makes this weirdly funny is that the organization is the North African branch of al-Qaida, and the employee is terrorist rising star Moktar Belmoktar. The funny stops quickly, though: since leaving the old, hidebound organization, Belmoktar has

carried out two lethal operations that killed 101 people in all: one of the largest hostage-takings in history at a BP-operated gas plant in Algeria in January, and simultaneous bombings at a military base and a French uranium mine in Niger just last week.

Yikes.

This is immensely, profoundly fucked up.

And I say this as a notional beneficiary:

[Image not reproduced: map of the highest-paid public employee in each state, via Deadspin.]

Yeah, that’s right. The top-paid state employee is a coach of some kind in 40 states (unless I miscounted), excluding only Nevada, Montana, the Dakotas, Maine, New York, Massachusetts, Vermont, Delaware, and Alaska.

Via Deadspin.