Cybersecurity Archives - Page 72 of 88

The Common Commercial Services OLC Opinion Affecting Cyber Policy Is Over a Decade Old

January 14, 2014/6 Comments/in Cybersecurity /by emptywheel

I’ve been meaning to go back to an exchange that occurred during Caroline Krass’ confirmation hearing to be CIA’s General Counsel back on December 17. In it, Ron Wyden raised a problematic OLC opinion he has mentioned in unclassified settings at least twice in the last year (he also wrote a letter to Eric Holder about it in summer 2012): once in a letter to John Brennan, where he described it as “an opinion that interprets common commercial service agreements [that] has direct relevance to ongoing congressional debates regarding cybersecurity legislation.” And then again in Questions for the Record in September.

Having been ignored by Eric Holder for at least a year and a half (probably closer to 3 years) on this front and apparently concerned about the memo as we continue to discuss legislation that pertains to cybersecurity, he used Krass’ confirmation hearing to get more details on why DOJ won’t withdraw the memo and what it would take to be withdrawn.

Wyden: The other matter I want to ask you about dealt with this matter of the OLC opinion, and we talked about this in the office as well. This is a particularly opinion in the Office of Legal Counsel I’ve been concerned about — I think the reasoning is inconsistent with the public’s understanding of the law and as I indicated I believe it needs to be withdrawn. As we talked about, you were familiar with it. And my first question — as I indicated I would ask — as a senior government attorney, would you rely on the legal reasoning contained in this opinion?

Krass: Senator, at your request I did review that opinion from 2003, and based on the age of the opinion and the fact that it addressed at the time what it described as an issue of first impression, as well as the evolving technology that that opinion was discussing, as well as the evolution of case law, I would not rely on that opinion if I were–

Wyden: I appreciate that, and again your candor is helpful, because we talked about this. So that’s encouraging. But I want to make sure nobody else ever relies on that particular opinion and I’m concerned that a different attorney could take a different view and argue that the opinion is still legally valid because it’s not been withdrawn. Now, we have tried to get Attorney General Holder to withdraw it, and I’m trying to figure out — he has not answered our letters — who at the Justice Department has the authority to withdraw the opinion. Do you currently have the authority to withdraw the opinion?

Krass: No I do not currently have that authority.

Wyden: Okay. Who does, at the Justice Department?

Krass: Well, for an OLC opinion to be withdrawn, on OLC’s own initiative or on the initiative of the Attorney General would be extremely unusual. That happens only in extraordinary circumstances. Normally what happens is if there is an opinion which has been given to a particular agency for example, if that agency would like OLC to reconsider the opinion or if another component of the executive branch who has been affected by the advice would like OLC to reconsider the opinion they will come to OLC and say, look, this is why we think you were wrong and why we believe the opinion should be corrected. And they will be doing that when they have a practical need for the opinion because of particular operational activities that they would like to conduct. I have been thinking about your question because I understand your serious concerns about this opinion, and one approach that seems possible to me is that you could ask for an assurance from the relevant elements of the Intelligence Community that they would not rely on the opinion. I can give you my assurance that if I were confirmed I would not rely on the opinion at the CIA.

Wyden: I appreciate that and you were very straightforward in saying that. What concerns me is unless the opinion is withdrawn, at some point somebody else might be tempted to reach the opposite conclusion. So, again, I appreciate the way you’ve handled a sensitive matter and I’m going to continue to prosecute the case for getting this opinion withdrawn.

The big piece of news here — from Krass, not Wyden — is that the opinion dates to 2003, which dates it to the transition period bridging Jay Bybee/John Yoo and Jack Goldsmith’s tenure at OLC, and also the period when the Bush Administration was running its illegal wiretap program under a series of dodgy OLC opinions. She also notes that it was a memo on first impression — something there was purportedly no law or prior opinion on — on new technology.

Yet for some reason, it was not among the opinions Goldsmith chose to withdraw in 2004 (assuming he didn’t write it), nor will Eric Holder even respond to questions about why he won’t withdraw it now.

I wonder if Wyden has asked whether some opinion written since that time relies back on that 2003 opinion, just as the illegal wiretap programs relied back on Yoo’s Fourth Amendment stripping one?

Maybe Jim Comey Killed Off the Nation’s Premier Law Enforcement Agency?

January 6, 2014/16 Comments/in Cybersecurity, Financial Fraud, Terrorism /by emptywheel

Update: The change went into effect on July 1, 2013, so before Comey’s coronation.

I’ve been tracking the FBI’s embrace of its national security/intelligence role (with a consequent inattention to bank crimes, in particular) for years — notably with this post on its self-congratulation a decade after 9/11. (See also this post, this post, and this one.)

So regular readers will be unsurprised by Foreign Policy’s report that the FBI’s boilerplate fact sheet now hails its primary function to be national security.

But quietly and without notice, the agency has finally decided to make it official in one of its organizational fact sheets. Instead of declaring “law enforcement” as its “primary function,” as it has for years, the FBI fact sheet now lists “national security” as its chief mission. The changes largely reflect the FBI reforms put in place after September 11, 2001, which some have criticized for de-prioritizing law enforcement activities. Regardless, with the 9/11 attacks more than a decade in the past, the timing of the edits is baffling some FBI-watchers.

But I am a bit interested in the question FP goes onto ask: when did this happen. It appears to have happened during the summer.

“What happened in the last year that changed?” asked Kel McClanahan, a Washington-based national security lawyer.

McClanahan noticed the change last month while reviewing a Freedom of Information Act (FOIA) request from the agency. The FBI fact sheet accompanies every FOIA response and highlights a variety of facts about the agency. After noticing the change, McClanahan reviewed his records and saw that the revised fact sheets began going out this summer. “I think they’re trying to rebrand,” he said. “So many good things happen to your agency when you tie it to national security.”

What FP doesn’t answer is why this happened.

But one possibility is the arrival of Jim Comey.

Comey didn’t take over as FBI DIrector until September 4, 2013. But his confirmation hearing (more of a coronation, really) was on July 9; his confirmation vote was on July 29. So he had plenty of time to complete the FBI’s rebranding as a domestic spy agency rather than its premier domestic law enforcement agency before he officially took over.

I checked his ~~confirmation hearing~~ coronation, to see if he announced this rebranding. I’ve been unable to find a formal statement (!!). And while later in the hearing he talked about balancing the intelligence side with the law enforcement side (the FBI itself emphasized this part of the hearing), what apparently extemporaneous statement he did give focused on the FBI’s transition under Robert Mueller to an intelligence agency. (This is my transcription of the non-family part, which took up half of the statement; it starts around 42:30.)

If I’m confirmed for this position I will follow a great American, one who has been clear-eyed about the threat facing our country, especially the metastasizing terrorist threat, the cyber-threat, that poses a risk to our secrets, to our commerce, to our people, and most ominously, to the networks we depend upon as our lifeblood. I know he has changed the FBI, as the Chairman and the Ranking Member described, in fundamental and crucial ways. I know that this will be a hard job. I’m sure that things will go wrong and I will make mistakes. What I pledge to you though is to follow Bob Mueller’s example of staring hard at those mistakes, learning from those mistakes, and getting better as a result of those mistakes. His legacy of candor and straight-forwardness and integrity is one that I pledge to continue. I also know that the FBI is and must be an independent entity in the life of America. It cannot be associated with any party or any interest or any group. It has to be seen as the good guys and good gals in this country. The FBI is and must be about finding the facts and only the facts in a fair, thorough, and objective way, and to do that with a rock-solid commitment to our Constitution and to our laws. That culture of commitment to law and resistance to any jeopardy of independence is at the core of the FBI. I know it is deep inside FBI Agents. Those values are the things that I love about the FBI.

It wouldn’t be surprising that a guy with roots in NY who was prosecuting terrorism even before 9/11 would adopt this focus. Nor do I, thus far, have reason to believe he won’t be better at going after banksters than Mueller was (and Obama has finally shifted some focus to it).

But I do hope — given his appeal to independence — he realizes that making the FBI a domestic intelligence agency does make the FBI a partisan institution, because it de-emphasizes a threat every bit as serious as terrorists and cybercriminals: the banksters.

The Civil Liberties Celebration Hangover Wears Off

December 23, 2013/16 Comments/in Congress, Cybersecurity, Department of Justice, FISA, Intelligence, Law, Leak Investigations, Obama Administration, state secrets, Unitary Executive /by bmaz

At the end of last week, I joked a little about privacy and civil liberties advocates having had the “best week ever”. It was indeed a very good week, but only relatively compared to the near constant assault on the same by the government. But the con is being put back in ICon by the Administration and its mouthpieces.

As I noted in the same post, Obama himself has already thrown cold water on the promise of his NSA Review Board report. Contrary to some, I saw quite a few positives in the report and thought it much stronger than I ever expected. Still, that certainly does not mean it was, or is, the particularly strong reform that is needed. And even the measures and discussion it did contain are worthless without sincerity and dedication to buy into them by the intelligence community and the administration. But if Obama on Friday was the harbinger of the walkback and whitewash of real reform, the foot soldiers are taking the field now to prove the point.

Sunday morning brought out former CIA Deputy Director Michael Morrell on CBS Face the Nation to say this:

I think that is a perception that’s somehow out there. It is not focused on any single American. It is not reading the content of your phone calls or my phone calls or anybody else’s phone calls. It is focused on this metadata for one purpose only and that is to make sure that foreign terrorists aren’t in contact with anybody in the United States.

Morrell also stated that there was “no abuse” by the NSA and that Ed Snowden was a “criminal” who has shirked his duties as a “patriot” by running. Now Mike Morrell is not just some voice out in the intelligence community, he was one of the supposedly hallowed voices that Barack Obama chose to consider “reform”.

Which ought to tell you quite a bit about what Barack Obama really thinks about true reform and your privacy interests. Not much. In fact, Morrell suggested (and Obama almost certainly agrees) that the collection dragnet should be expanded from telephony to also include email. Not exactly the kind of “reform” we had in mind.

Then, Sunday night 60 Minutes showed that fluffing the security state is not just a vice, but an ingrained habit for them. Hot on the heels of their John Miller blowjob on the NSA, last night 60 Minutes opened with a completely hagiographic puff piece on and with National Security Advisor Susan Rice. There was absolutely no news whatsoever in the segment, it was entirely a forum for Rice and her “interviewer”, Lesley Stahl, to spew unsupported allegations about Edward Snowden (He “has 1.5 million documents!”), lie about how the DOJ has interacted with the court system regarding the government surveillance programs (the only false statements have been “inadvertent”) and rehab her image from the Benghazi!! debacle. That was really it. Not exactly the hard hitting journalism you would hope for on the heels of a federal judge declaring a piece of the heart of the surveillance state unconstitutional.

Oh, yes, Susan Rice also proudly proclaimed herself “a pragmatist like Henry Kissinger which, as Tim Shorrock correctly pointed out, is not exactly reassuring from the administration of a Democratic President interested in civil liberties, privacy and the rule of law.

So, the whitewashing of surveillance dragnet reform is in full swing, let the giddiness of last week give way to the understanding that Barack Obama, and the Intelligence Community, have no intention whatsoever of “reforming”. In fact, they will use the illusion of “reform” to expand their authorities and power. Jonathan Turley noted:

Obama stacked the task force on NSA surveillance with hawks to guarantee the preservation of the program.

Not just preserve, but to give the false, nee fraudulent, patina of Obama Administration concern for the privacy and civil liberties concerns of the American citizenry when, in fact, the Administration has none. It is yet another con.

Or, as Glenn Greenwald noted:

The key to the WH panel: its stated purpose was to re-establish public confidence in NSA – NOT reform it.

There may be some moving of the pea beneath the shells, but there will be no meaningful reform from the administration of Barack Obama. The vehicle for reform, if there is to be one at all, will have to come from the Article III federal courts. for an overview of the path of Judge Leon’s decision in Klayman through the DC circuit, see this piece by NLJ’s Zoe Tillman.

Lastly, to give just a little hope after the above distressing content, I recommend a read of this excellent article by Adam Serwer at MSNBC on the cagy pump priming for surveillance reform Justice Sotomayor has done at the Supreme Court:

If Edward Snowden gave federal courts the means to declare the National Security Agency’s data-gathering unconstitutional, Sonia Sotomayor showed them how.

It was Sotomayor’s lonely concurrence in U.S. v Jones, a case involving warrantless use of a GPS tracker on a suspect’s car, that the George W. Bush-appointed Judge Richard Leon relied on when he ruled that the program was likely unconstitutional last week. It was that same concurrence the White House appointed review board on surveillance policy cited when it concluded government surveillance should be scaled back.

“It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties,” Sotomayor wrote in 2012. “This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

Give the entire article a read, Adam is spot on. If there is to be reform on the surveillance dragnet, it will almost certainly have to be the handiwork of the courts, and Justice Sotomayor planted the seed. The constant barrage of truth and facts coming from the Snowden materials, what Jay Rosen rightfully terms “The Snowden Effect” is providing the food for Sotomayor’s seed to flower. Hopefully.

Conning the Record, Conning the Courts, Defrauding the People

December 21, 2013/26 Comments/in Bush Administration, Cybersecurity, Department of Justice, FISA, Intelligence, Law, Obama Administration, PATRIOT, state secrets, Terrorism, Unitary Executive /by bmaz

In the parlance of the once and forever MTV set, civil libertarians just had one of the “Best Weeks Ever”. Here is the ACLU’s Catherine Crump weighing in on the surprising results of President Obama’s Review Board:

Friday, the president’s expressed willingness to consider ending the NSA’s collection of phone records, saying, “The question we’re going to have to ask is, can we accomplish the same goals that this program is intended to accomplish in ways that give the public more confidence that in fact the NSA is doing what it’s supposed to be doing?”

With this comment and the panel’s report coming on the heels of Monday’s remarkable federal court ruling that the bulk collection of telephone records is likely unconstitutional, this has been the best week in a long time for Americans’ privacy rights.

That “federal court ruling” is, of course, that of Judge Richard Leon handed down a mere five days ago on Monday. Catherine is right, it has been a hell of a good week.

But lest we grow too enamored of our still vaporous success, keep in mind Judge Leon’s decision, as right on the merits as it may be, and is, is still a rather adventurous and activist decision for a District level judge, and will almost certainly be pared back to some extent on appeal, even if some substantive parts of it are upheld. We shall see.

But the other cold water thrown came from Obama himself when he gave a slippery and disingenuous press conference Friday. Here is the New York Times this morning capturing spot on the worthless lip service Barack Obama gave surveillance reform yesterday:

By the time President Obama gave his news conference on Friday, there was really only one course to take on surveillance policy from an ethical, moral, constitutional and even political point of view. And that was to embrace the recommendations of his handpicked panel on government spying — and bills pending in Congress — to end the obvious excesses. He could have started by suspending the constitutionally questionable (and evidently pointless) collection of data on every phone call and email that Americans make.

He did not do any of that.
….
He kept returning to the idea that he might be willing to do more, but only to reassure the public “in light of the disclosures that have taken place.”

In other words, he never intended to make the changes that his panel, many lawmakers and others, including this page, have advocated to correct the flaws in the government’s surveillance policy had they not been revealed by Edward Snowden’s leaks.

And that is why any actions that Mr. Obama may announce next month would certainly not be adequate. Congress has to rewrite the relevant passage in the Patriot Act that George W. Bush and then Mr. Obama claimed — in secret — as the justification for the data vacuuming.

Precisely. The NYT comes out and calls the dog a dog. If you read between the lines of this Ken Dilanian report at the LA Times, you get the same preview of the nothingburger President Obama is cooking up over the holidays. As Ken more directly said in his tweet, “Obama poised to reject panel proposals on 702 and national security letters.” Yes, indeed, count on it.

Which brings us to that which begets the title of this post: I Con The Record has made a Saturday before Christmas news dump. And a rather significant one to boot. Apparently because they were too cowardly to even do it in a Friday news dump. Which is par for the course of the Obama Administration, James Clapper and the American Intel Shop. Their raison de’etre appears to be keep America uninformed, terrorized and supplicant to their power grabs. Only a big time operator like Big Bad Terror Voodoo Daddy Clapper can keep us chilluns safe!

So, the dump today is HERE in all its glory. From the PR portion of the “I Con” Tumblr post, they start off with Bush/Cheney Administration starting the “bulk” dragnet on October 4, 2001. Bet that is when it first was formalized, but the actual genesis was oh, maybe, September 12 or so. Remember, there were security daddies agitating for this long before September 11th.

Then the handcrafted Intel spin goes on to say this:

Over time, the presidentially-authorized activities transitioned to the authority of the Foreign Intelligence Surveillance Act (“FISA”). The collection of communications content pursuant to presidential authorization ended in January 2007 when the U.S. Government transitioned the TSP to the authority of the FISA and under the orders of the Foreign Intelligence Surveillance Court (“FISC”). In August 2007, Congress enacted the Protect America Act (“PAA”) as a temporary measure. The PAA, which expired in February 2008, was replaced by the FISA Amendments Act of 2008, which was enacted in July 2008 and remains in effect. Today, content collection is conducted pursuant to section 702 of FISA. The metadata activities also were transitioned to orders of the FISC. The bulk collection of telephony metadata transitioned to the authority of the FISA in May 2006 and is collected pursuant to section 501 of FISA. The bulk collection of Internet metadata was transitioned to the authority of the FISA in July 2004 and was collected pursuant to section 402 of FISA. In December 2011, the U.S. Government decided to not seek reauthorization of the bulk collection of Internet metadata.

After President Bush acknowledged the TSP in December 2005, two still-pending suits were filed in the Northern District of California against the United States and U.S. Government officials challenging alleged NSA activities authorized by President Bush after 9/11. In response the U.S. Government, through classified and unclassified declarations by the DNI and NSA, asserted the state secrets privilege and the DNI’s authority under the National Security Act to protect intelligence sources and methods. Following the unauthorized and unlawful release of classified information about the Section 215 and Section 702 programs in June 2013, the Court directed the U.S. Government to explain the impact of declassification decisions since June 2013 on the national security issues in the case, as reflected in the U.S. Government’s state secrets privilege assertion. The Court also ordered the U.S. Government to review for declassification all prior classified state secrets privilege and sources and methods declarations in the litigation, and to file redacted, unclassified versions of those documents with the Court.

This is merely an antiseptic version of the timeline of lies that has been relentlessly exposed by Marcy Wheeler right here on this blog, among other places. What is not included in the antiseptic, sandpapered spin is that the program was untethered from law completely and then “transitioned” to FISC after being exposed as such.

Oh, and lest anybody think this sudden disclosure today is out of the goodness of Clapper and Obama’s hearts, it is not. As Trevor Timm of EFF notes, most all of the “I Con” releases have been made only after being forced to by relevant FOIA and other court victories and that this one in particular is mostly germinated by EFF’s court order (and Vaughn index) obtained.

So, with that, behold the “I Con” release of ten different declarations previously filed and extant under seal in the Jewel and Shubert cases. Much of the language in all is similar template affidavit language, which you expect from such filings if you have ever dealt with them. As for individual dissection, I will leave that for later and for discussion by all in comments.

The one common theme that I can discern from a scan of a couple of note is that there is no reason in the world minimally redacted versions such as these could not have been made public from the outset. No reason save for the conclusion that to do so would have been embarrassing to the Article II Executive Branch and would have lent credence to American citizens properly trying to exercise and protect their rights in the face of a lawless and constitutionally infirm assault by their own government. The declarations by Mike McConnell, James Clapper, Keith Alexander, Dennis Blair, Frances Fleisch and Deborah Bonanni display a level of too cute by a half duplicity that ought be grounds for sanctions.

The record has been conned. Our federal courts have been conned. All as the Snowden disclosures have proven. And the American people have been defrauded by pompous terror mongers who value their own and institutional power over truth and honesty to those they serve. Clapper, Alexander and Obama have the temerity to call Ed Snowden a traitor? Please, look in the mirror boys.

Lastly, and again as Trevor Timm pointed out above, these are just the declarations for cases the EFF and others are still pursuing. What of the false secret declarations made in al-Haramain v. Obama, which the government long ago admitted were bogus? Why won’t the cons behind “I Con” release those declarations? What about the frauds perpetrated in Mohamed v. Jeppesen that have fraudulently ingrained states secrets cons into the government arsenal?

If the government wants to come clean, here is the opportunity. Frauds have been perpetrated on our courts, in our name. We should hear about that. Unless, of course, Obama and the “I Cons” are really nothing more than simple good old fashioned cons.

[By the way, Christmas is a giving season. If you have extra cheer to spread, our friends like Cindy Cohn, Trevor Timm, Hanni Fakhoury and Kurt Opsahl et al at EFF, and Ben Wizner, Alex Abdo, Catherine Crump et al at the ACLU all do remarkable work. Share your tax deductible love with them this season if you can. They make us all better off.]

The NSA Review Group’s Non-Denial Denial on Encryption

December 19, 2013/10 Comments/in Cybersecurity, FISA /by emptywheel

As part of a section on “Technical Measures to Increase Security and User Confidence,” Recommendation 29 of the NSA Review Group is, in part, the following:

We recommend that, regarding encryption, the US Government should:

(1) fully support and not undermine efforts to create encryption standards;

(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software;

Several paragraphs into this section, the Group with no tech experts asserts,

Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data. Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.

This appears to be based on an Appendix provided by NSA addressing the reliability of certain encryption systems. I’m not competent to assess the claims or comprehensiveness of that presentation and eagerly await some reviews of this report from the tech experts. [Update: William Ockham notes the Appendix doesn’t include the standard NSA is accused of weakening.]

The very next paragraph, with bullet points, reads,

Nonetheless, it is important to take strong steps to enhance trust in this basic underpinning of information technology. Recommendation 32 is designed to describe those steps. The central point is that trust in encryption standards, and in the resulting software, must be maintained. Although NSA has made clear that it has not and is not now doing the activities listed below, the US Government should make it clear that:

NSA will not engineer vulnerabilities into the encryption algorithms that guard global commerce;

The United States will not provide competitive advantage to US firms by the provision to those corporations of industrial espionage;

NSA will not demand changes in any product by any vendor for the purpose of undermining the security or integrity of the product, or to ease NSA’s clandestine collection of information by users of the product; and

NSA will not hold encrypted communication as a way to avoid retention limits.

I consider myself a bit of an aficionado in NSA claims, and I can only think of one place where they’ve made even some of these claims, sort of: the obviously bogus talking points NSA sent home at Thanksgiving. That document made a similar caveated comment about industrial espionage and assured that NSA will not demand changes by any vendor, noting it did not have the authority to do so. I pointed out some of the loopholes to those claims here.

I don’t think they have said anything about engineering vulnerabilities into encryption standards; in any case, the allegation was that they inserted vulnerabilities into certain standards through persuasion, not engineering. Besides, ODNI General Counsel Robert Litt has stated explicitly (and not all that surprisingly) that cracking encryption is their job.

Finally, I don’t think the NSA has ever addressed the fact that their minimization standards clearly allow them to keep encrypted communication forever. They like to lie about that one instead. To place in their mouth a claim that they won’t do so to get around retention limits (particularly followed, as it is, by a recommendation for how not to do this) is thin comfort coming from an agency that considers encryption possible evidence of terrorism.

I doubt this assertion that NSA doesn’t try to weaken encryption is fooling anyone. Indeed, it appears less than 30 pages after the Report states, in justifying moving Information Assurance out of NSA,

When the offensive personnel find some way into a communications device, software system, or network, they may be reluctant to have a patch that blocks their own access.

So it’s hard to treat this entire passage as anything else but the “strong step to enhance trust” they say is necessary within it.

The NSA Review Group makes worthwhile recommendations on a reorganization of NSA–the most aggressive one of which — to split the DIRNSA from the CyberCommand position — Obama already pre-empted. Moving Information Assurance out of NSA would also create a champion for privacy, albeit a hopelessly weak one (they even state it should be moved to DHS, but Congress would never agree to do so).

But ultimately on this and some other cybersecurity related issues (including its toothless recommendation on Zero Days that immediately follows this section), the Report serves only to pretend the US doesn’t engage in weakening security as part of its offensive attacks using the Internet.

Update: Oh, as to that Appendix that doesn’t include the standard everyone has been worried about? Someone’s just found a fatal bug in the standard.

An advisory published Thursday warns that a “FIPS module” of the widely used OpenSSL library contained a “fatal bug” in its implementation of Dual EC_DRBG. Credible doubts about the trustworthiness of the deterministic random bit generator surfaced almost immediately after National Security Agency (NSA) officials shepherded it through an international standards body in 2006. In September, those fears were rekindled when The New York Times reported the algorithm may contain an NSA-engineered backdoor that makes it easier for government spies to decode encrypted communications.

The fatal Dual EC_DRBG bug resides in the FIPS Object Module v2.0, an optional OpenSSL library used to build crypto apps that are certified by the US government’s Federal Information Processing Standards. When using the module’s implementation of Dual EC_DRBG, the application crashes and can’t be recovered. That’s an amazing discovery for an application that had to undergo countless hours of testing to be certified by the government of the world’s most powerful country.

60 Minutes Betters Their Benghazi Debacle: Pirates Ahoy! and Chinese Global Suicide Bombers

December 15, 2013/24 Comments/in Cybersecurity, FISA /by emptywheel

I will have more to say about tonight’s 60 Minutes debacle.

But for now, let me make three points.

First, John Miller should never work in journalism again (he’s reportedly prepping to run NYPD’s intelligence shop, so he may not need to). There were numerous examples in tonight’s 60 Minutes piece where even a mildly curious journalist would have asked follow-up questions. But given that Miller, who has an ODNI and FBI background, knows this stuff, his failure to ask obvious follow-up questions is proof this was not at all about journalism.

Of particular note that everyone is getting snookered on: Lying Keith Alexander said that NSA only listens to the phone calls of 60 US persons. When Miller sort of asked a follow-up, Alexander seemed to reiterate that this is NSA.

Of course, FBI formally owns the wiretapping of US persons in the US. So that 60 number may only be Americans we wiretap overseas. One of those follow-up questions that might have been useful.

Then there was the NSA’s effort to show us what contact chaining looks like. As a threshold matter, they had subbed out all the real phone numbers with “555-1212” type numbers. Which means the computer was altered for TV.

Then, CBS showed an NSA analyst contact chaining off pirates.

Yes, pirates!

Aside from opening up NSA to the claim that we’re now all 3 degrees of Captain Hook, the pirate operation of course means the claims of the analyst only apply to EO 12333 collection (cause pirates are almost never US persons).

That is, we should assume it is completely meaningless as a demonstration of what the US phone dragnet is about.

Then there’s the scary BIOS plot.

I’ll need to go back and review this, but the jist of the scary claim at the heart of the report is that the NSA caught China planning a BIOS plot to shut down the global economy.

To.

Shut.

Down.

The.

Global.

Economy.

Of course, if that happened, it’d mean a goodly percentage of China’s 1.3 billion people would go hungry, which would lead to unbelievable chaos in China, which would mean the collapse of the state in China, the one thing the Chinese elite want to prevent more than anything.

But the NSA wants us to believe that this was actually going to happen.

That China was effectively going to set off a global suicide bomb. Strap on the economy in a cyber-suicide vest and … KABOOOOOOOM!

And the NSA heroically thwarted that attack.

That’s what they want us to believe and some people who call themselves reporters are reporting as fact.

“We’re Not Going to Leave It To the Guy Who Lies to Congress with Impunity Anymore”

December 13, 2013/25 Comments/in Cybersecurity, FISA /by emptywheel

The regular outlets for NSA leakers are presenting details of the recommendations the NSA Review Committee has given to President Obama (Gorman, Sanger). Curiously, Siobhan Gorman suggests that because the recommendations closely following the Leahy-Sensenbrenner bill, it bodes well for passage of that bill.

The panel’s idea “aligns very closely” with a bill offered by House Judiciary Committee Chairman James Sensenbrenner (R., Wis.) and Senate Judiciary Chairman Patrick Leahy (D., Vt.), said one person familiar with the report, suggesting it could give ammunition to congressional efforts.

From what I’ve seen so far, I’m not sure that’s actually true. Moreover, that’s not how intelligence reform generally works. Rather, usually the executive adopts changes asked by Congress, thereby dissuading Congress from actually passing those changes into enforceable law. With Jim Sensenbrenner correctly calling Dianne Feinstein’s Fake FISA Fix “a joke” and growing number of co-sponsors for Sensenbrenner’s bill, I can imagine why the Executive would want to pre-empt actual law.

Significantly, the proposed recommendations don’t end the concept of a phone dragnet; they just move administration of it elsewhere — either a third party or the telecoms — equally prone for abuse. The Review Committee apparently didn’t review efficacy of these programs.

Besides, according to David Sanger, the proposals predictably focus more on Angela Merkel’s privacy than the hundreds of millions of others whose privacy the NSA compromises.

The advisory group is also expected to recommend that senior White House officials, including the president, directly review the list of foreign leaders whose communications are routinely monitored by the N.S.A. President Obama recently apologized to Chancellor Angela Merkel of Germany for the N.S.A.’s monitoring of her calls over the past decade, promising that the actions had been halted and would not resume. But he refused to make the same promise to the leaders of Mexico and Brazil.

Administration officials say the White House has already taken over supervision of that program. “We’re not leaving it to Jim Clapper anymore,” said one official, referring to the director of national intelligence, who appears to have been the highest official to review the programs regularly.

[snip]

[National Security Council spokesperson Caitlin Hayden] added that the review was especially focused on “examining whether we have the appropriate posture when it comes to heads of state; how we coordinate with our closest allies and partners; and what further guiding principles or constraints might be appropriate for our efforts.”

It’s that James Clapper line that ought to be the tell, however: that folks within the Administration are boldly stating that James Clapper won’t be able to run amok anymore.

The same James Clapper, of course, on whom the White House imposed no consequences for lying to Congressional overseers.

Which brings me to my favorite detail, from the NYT:

One of the expected recommendations is that the White House conduct a regular review of those collection activities, the way covert action by the C.I.A. is reviewed annually.

Obama suggested last week he serves in no more than an advisory role for the Deep State, someone who can propose changes, but not someone who can order them. That an advisory committee has to tell the President that the NSA operates with less oversight than the CIA whose covert operations have systematically exceeded the claimed authority granted by the President says something.

I do fear this Review will pre-empt some of the most important legislative fixes.

But I also hope we’ll finally see heightened distance between the Deep State and the Executive that is overdue for reining it in.

Sheldon Whitehouse: We Can’t Unilaterally Disarm, Even to Keep America Competitive

December 11, 2013/5 Comments/in Cybersecurity, FISA, Manufacturing /by emptywheel

I have to say, the Senate Judiciary Committee hearing on the dragnet was a bust.

Pat Leahy was fired up — and even blew off a Keith Alexander attempt to liken the Internet to a library with stories of the library card he got when he was 4. While generally favoring the dragnet, Chuck Grassley at least asked decent questions. But because of a conflict with a briefing on the Iran deal, Al Franken was the only other Senator to show up for the first panel. And the government witnesses — Keith Alexander, Robert Litt, and James Cole — focused on the phone dragnet disclosed over 6 months ago, rather than newer disclosures like back door searches and the Internet dragnet, which moved overseas. Litt even suggested — in response to a question from Leahy — that they might still be able to conduct the dragnet if they could bamboozle the FISA Court on relevance, again (see Spencer on that). As a result, no one discussed the systemic legal abuses of the Internet dragnet or NSA’s seeming attempt to evade oversight and data sharing limits by moving their dragnet overseas.

Things went downhill when Leahy left for the Iran briefing and Sheldon Whitehouse presided over the second panel, with the Computer & Communications Industry Association’s Edward Black, CATO’s Julian Sanchez, and Georgetown professor (and former DOJ official) Carrie Cordero. Sanchez hit some key points on the why Internet metadata is not actually like phone pen registers. Cordero acknowledged that metadata was very powerful but then asserted that the metadata of the phone-based relationships of every American was not.

And Black tried to make the case that the spying is killing America.

Or, more specifically, his industry’s little but significant corner of America, the Internet. While only some of this was in his opening statement, Black made the case that the Internet plays a critical role in America’s competitiveness.

While these are critical issues, it is important that the Committee also concern itself with the fact that the behavior of the NSA, combined with the global environment in which this summer’s revelations were released, may well pose an existential threat to the Internet as we know it today, and, consequently, to many vital U.S. interests, including the U.S. economy.

[snip]

The U.S. government has even taken notice. A recent comprehensive re- port from the U.S. International Trade Commission (ITC) noted, “digital trade continues to grow both in the U.S. economy and globally” and that a “further increase in digital trade is probable, with the U.S. in the lead.” In fact, the re- port also shows, U.S. digital exports have exceeded imports and that surplus has continually widened since 2007.

[snip]

As a result, the economic security risks posed by NSA surveillance, and the international political reaction to it, should not be subjugated to traditional national security arguments, as our global competitiveness is essential to long-term American security. It is no accident that the official National Security Strategy of the United States includes increasing exports as a major component of our national defense strategy.

Then he laid out all the ways that NSA’s spying has damaged that vital part of the American economy: by damaging trust, especially among non-American users not granted to the protections Americans purportedly get, and by raising suspicion of encryption.

Black then talked about the importance of the Internet to soft power. He spoke about this generally, but also focused on the way that NSA spying was threatening America’s dominant position in Internet governance, which (for better and worse, IMO) has made the Internet the medium of exchange it is.

The U.S. government position of supporting the multi-stakeholder model of Internet governance has been compromised. We have heard increased calls for the ITU or the United Nations in general to seize Internet governance functions from organizations that are perceived to be too closely associated with the U.S. government, such as the Internet Corporation for Assigned Names and Numbers (ICANN).

And he pointed to proposals to alter the architecture of the Internet to minimize the preferential access the US currently has.

Let’s be honest, Black is a lobbyist, and he’s pitching his industry best as he can. I get that. Yet even still, he’s not admitting that these governance and architecture issues really don’t provide neutrality — though US stewardship may be the least-worst option, it provides the US a big advantage.

What Black hinted at (but couldn’t say without freaking out foreign users even more) is that our stewardship of the Internet is not just one of the few bright spots in our economy, but also a keystone to our power internationally. And it gives us huge spying advantages (not everyone trying to erode our control of the Internet’s international governance is being cynical — Edward Snowden has made it clear we have abused our position).

Which is why Whitehouse’s response was so disingenuous. He badgered Black, interrupting him consistently. He asked him to compare our spying with that of totalitarian governments, which Black responded was an unfair comparison. And Whitehouse didn’t let Black point out that American advantages actually do mean we spy more than others, because we can.

Basically, Whitehouse suggested that, in the era of Big Data, if we didn’t do as much spying as we could — and to hell with what it did to our preferential position on the Internet — it would amount to unilaterally disarming in the face of Chinese and Russian challenges.

If we were to pass law that prevented us from operating in Big Data, would be unilaterally disarming.

Whitehouse followed this hubris up with several questions that Sanchez might have gladly answered but Black might have had less leeway to answer, such as whether a court had ever found these programs to be unconstitutional. (The answer is yes, John Bates found upstream collection to be unconstitutional, he found the Internet dragnet as conducted for 5 years to be illegal wiretapping, and in the Yahoo litigation in 2007, Yahoo never learned what the minimization procedures were, and therefore never had the opportunity to make the case.) Black suggested, correctly, I think, that Whitehouse’s position meant we were just in an arms race to be the Biggest Brother.

I get it. Whitehouse is one of those who believe — like Keith Alexander (whose firing Whitehouse has bizarrely not demanded, given his stated concerns about the failure to protect our data during Alexander’s tenure) that the Chinese are plundering the US like a colony.

Not only does this stance seem to evince no awareness of how America used data theft to build itself as a country (and how America’s hardline IP stance will kill people, making America more enemies). But it ignores the role of the Internet in jobs and competition and trade in ideas and goods.

Sheldon Whitehouse, from a state suffering economically almost as much as Michigan, seems anxious to piss away what competitive advantages non-defense America has to conduct spying that hasn’t really produced results (and has made our networks less secure as a result — precisely the problem Whitehouse claims to be so concerned about). That’s an ugly kind of American hubris that doesn’t serve this country, even if you adopt the most jingoistic nationalism imaginable.

He should know better than this. But in today’s hearing, he seemed intent on silencing the Internet industry so he didn’t learn better.

Update: Fixed the Black quotation.

Update: Jack Goldsmith pushes back against the American double standards on spying and stealing here.

When Susan Rice Is Right, She’s Right!

December 4, 2013/10 Comments/in Cybersecurity, Department of Justice, FISA, Intelligence, Law, Obama Administration, Terrorism, Unitary Executive /by bmaz

From the No Kidding Files, courtesy of Jason Leopold, comes this gem from vaunted National Security Advisor Susan Rice:

“Let’s be honest: at times we do business with govts that do not respect the rights we hold most dear”

Well, hello there Susan, I couldn’t agree more. Especially on days when I see things like this from the ~~Glenn Greenwald and Pierre Omidyar Snowden file monopoly~~ err, Barton Gellman at the Washington Post:

The National Security Agency is gathering nearly 5 billion records a day on the whereabouts of cellphones around the world, according to top-secret documents and interviews with U.S. intelligence officials, enabling the agency to track the movements of individuals — and map their relationships — in ways that would have been previously unimaginable.
….
The number of Americans whose locations are tracked as part of the NSA’s collection of data overseas is impossible to determine from the Snowden documents alone, and senior intelligence officials declined to offer an estimate. “It’s awkward for us to try to provide any specific numbers,” one intelligence official said in a telephone interview. An NSA spokeswoman who took part in the call cut in to say the agency has no way to calculate such a figure.

It is thoroughly loathsome that Americans must do business with a government that does this, and insane that it is their own government.

It is “awkward” to determine how many innocent Americans are rolled up in the latest out of control security state dragnet the United States government is running globally. Actually, that is not awkward, it is damning and telling. Therefore the American citizenry must not know, at any cost.

Susan Rice is quite right, we are forced to “do business” with a government that does “not respect the rights we hold most dear”

[Here is the full text of the Susan Rice speech today that the above quote was taken from. It is a great speech, or would be if the morals of the United States under Barack Obama matched the lofty rhetoric]

Information Monopoly Defines the Deep State

November 28, 2013/16 Comments/in Cybersecurity /by Rayne

The last decade witnessed the rise of deep state — an entity not clearly delineated that ultimately controls the military-industrial complex, establishing its own operational policy and practice outside the view of the public in order to maintain its control.

Citizens believe that the state is what they see, the evidence of their government at work. It’s the physical presence of their elected representatives, the functions of the executive office, the infrastructure that supports both the electoral process and the resulting machinery serving the public at the other end of the sausage factory of democracy. We the people put fodder in, we get altered fodder out — it looks like a democracy.

But deep state is not readily visible; it’s not elected, it persists beyond any elected official’s term of office. While a case could be made for other origins, it appears to be born of intelligence and security efforts organized under the Eisenhower administration in response to new global conditions after World War II. Its function may originally have been to sustain the United States of America through any threat or catastrophe, to insure the country’s continued existence.

Yet the deep state and its aims may no longer be in sync with the United States as the people believe their country to be — a democratic society. The democratically elected government does not appear to have control over its security apparatus. This machinery answers instead to the unseen deep state and serves its goals.

As citizens we believe the Department of State and the Department of Defense along with all their subset functions exist to conduct peaceful relations with other nation-states while protecting our own nation-state in the process. Activities like espionage for discrete intelligence gathering are as important as diplomatic negotiations to these ends. The legitimate use of military force is in the monopolistic control of both Departments of State and Defense, defining the existence of a state according to philosopher Max Weber.

The existing security apparatus, though, does not appear to function in this fashion. It refuses to answer questions put to it by our elected representatives when it doesn’t lie to them outright. It manages and manipulates the conditions under which it operates through implicit threats. The legitimacy of the military force it yields is questionable because it cannot be restrained by the country’s democratic processes and may subvert control over military functions.

Further, it appears to answer to some other entity altogether. Why does the security apparatus pursue the collection of all information, in spite of such activities disrupting the ability of both State and Defense Departments to operate effectively? Why does it take both individuals’ and businesses’ communications while breaching their systems, in direct contravention to the Constitution’s Fourth Amendment prohibition against illegal search and seizure? Read more →