Cyberwar, Cyber Crime, and American Freedom

[G M]

http://www.examiner.com/article/fbi-director-robert-mueller-faces-tough-questions-on-boston-bombings

FBI Director Robert Mueller faces tough questions on Boston bombings
Government Topics
June 14, 2013
By: Renee Nal


FBI Director Robert Mueller defends FBI handling of Boston bombing


On Thursday, Rep. Louie Gohmert (R-TX) and FBI Director Robert Mueller had a tense exchange regarding the FBI investigation of the Boston marathon bombings.
Gohmert brought up the 'purge' of FBI training materials that may have contributed to FBI investigators overlooking dangers involving radical Islam, as well as the lack of investigation into the Massachusetts mosque where the Tsarnaev brothers attended, which was 'co-founded by a man who is behind bars [Abdurahman Alamoudi] for supporting terrorism.'
 
Rep. Louie Gohmert (R-TX) spoke about the heated discussion On America's Newsroom with Fox News anchor Martha MacCallum on Friday.
 
Director Mueller claimed that the FBI was at the Boston mosque months prior to the Boston bombing as a part of their 'outreach efforts,' but that the FBI was unaware that the mosque was co-founded by Abdulrahman Alamoudi, who was convicted for his part in '...an assassination plot against a Saudi prince.' The same mosque has been associated with other terrorists, as reported in April by USA Today.
 
How is it possible that the FBI had no idea that the mosque attended by the Tsarnaev brothers is associated with terrorists?

Speaking with MacCallum, Gohmert said regarding the 'purge' of FBI training materials,
 
“
'You cannot do an adequate investigation of radical Islam if you cannot talk about what radical Islam is...what it believes.'
 
'I get tired of the FBI and this administration saying [that] the Russians should have given us more information,' Gohmert said. 'They didn't even know the mosque these brothers were attending was started by a terrorist supporter who is in prison for it. It's shocking.'
 
There are some very serious unanswered questions in relation to the Boston bombing.
•The New York Times reported that Tamerlan was 'entered into two different United States government watch lists in late 2011 that were designed to alert the authorities if he traveled overseas.' If they already had Tamerlan Tsarnaev on their radar from previous communications with him, why did the FBI have to appeal to the American people to identify the brothers on national television?
 •Despite repeated assurances that there was no intelligence leading up to the Boston bombing, there actually was an 18-page, taxpayer-funded report that 'identified the finish line of the race as an area of increased vulnerability and warned Boston police that extremists may use small scale bombings to attack spectators and runners at the event,' as reported by the LA Times.
 •Considering that martial law was imposed on the entire city of Boston (which continues to be a troubling fact), how is it that 19-year-old Dzhokhar Tsarnaev managed to escape during the initial battle that killed his brother, Tamerlan?
 •There have been conflicting reports of whether Dzhokhar Tsarnaev fled the gun battle scene by car or on foot. Col. Timothy Alben of the Massachusetts state police, for example, specifically stated that Dzhokhar “fled on foot...” The New York Times, however, reported that Dzhokhar '...climbed back into the car and drove off, apparently hitting his older brother.' After Tamerlan Tsarnaev was pronounced dead, Dr. Richard Wolfe, head of emergency medicine at Beth Israel Deaconess Medical Center said 'I certainly did not see any tire marks or the usual things we see with someone run over by a car,' as reported by the Boston Herald.
 
Other troubling questions related to the Boston bombing remain.
 •The original person of interest in the Boston marathon bombing, Abdulrahman al-Harbi, was widely reported to have been 'tackled' after a citizen noticed suspicious behavior. It turns out that the Saudi National was never tackled. So why did he come to the attention of the FBI in the first place?
 •Ibragim Todashev was reportedly a friend of Tamerlan Tsarnaev. He was killed by the FBI during an interview where he was reportedly about to sign a written confession to a 2011 murder. Initially, it was reported that he had a knife and lunged at agents. But, that story was changed later. Todashev had no knife. What happened? Was the interview recorded?
 
If nobody asks the questions, the Boston marathon bombing will fade into the background. Despite the fact that Gohmert is vilified in the mainstream media, his questions to Mueller were valid.

[G M]

[Crafty_Dog]

http://www.slate.com/articles/technology/future_tense/2013/02/silent_circle_s_latest_app_democratizes_encryption_governments_won_t_be.single.html


The Threat of Silence
Meet the groundbreaking new encryption app set to revolutionize privacy and freak out the feds.

By Ryan Gallagher|Posted Monday, Feb. 4, 2013, at 12:21 PM
Mike Janke.
Silent Circle CEO Mike Janke

Courtesy of Silent Circle

For the past few months, some of the world’s leading cryptographers have been keeping a closely guarded secret about a pioneering new invention. Today, they’ve decided it’s time to tell all.

Back in October, the startup tech firm Silent Circle ruffled governments’ feathers with a “surveillance-proof” smartphone app to allow people to make secure phone calls and send texts easily. Now, the company is pushing things even further—with a groundbreaking encrypted data transfer app that will enable people to send files securely from a smartphone or tablet at the touch of a button. (For now, it’s just being released for iPhones and iPads, though Android versions should come soon.) That means photographs, videos, spreadsheets, you name it—sent scrambled from one person to another in a matter of seconds.

“This has never been done before,” boasts Mike Janke, Silent Circle’s CEO. “It’s going to revolutionize the ease of privacy and security.”
Advertisement

True, he’s a businessman with a product to sell—but I think he is right.

The technology uses a sophisticated peer-to-peer encryption technique that allows users to send encrypted files of up to 60 megabytes through a “Silent Text” app. The sender of the file can set it on a timer so that it will automatically “burn”—deleting it from both devices after a set period of, say, seven minutes. Until now, sending encrypted documents has been frustratingly difficult for anyone who isn’t a sophisticated technology user, requiring knowledge of how to use and install various kinds of specialist software. What Silent Circle has done is to remove these hurdles, essentially democratizing encryption. It’s a game-changer that will almost certainly make life easier and safer for journalists, dissidents, diplomats, and companies trying to evade state surveillance or corporate espionage. Governments pushing for more snooping powers, however, will not be pleased.

By design, Silent Circle’s server infrastructure stores minimal information about its users. The company, which is headquartered in Washington, D.C., doesn’t retain metadata (such as times and dates calls are made using Silent Circle), and IP server logs showing who is visiting the Silent Circle website are currently held for only seven days. The same privacy-by-design approach will be adopted to protect the security of users’ encrypted files. When a user sends a picture or document, it will be encrypted, digitally “shredded” into thousands of pieces, and temporarily stored in a “Secure Cloud Broker” until it is transmitted to the recipient. Silent Circle, which charges $20 a month for its service, has no way of accessing the encrypted files because the “key” to open them is held on the users’ devices and then deleted after it has been used to open the files. Janke has also committed to making the source code of the new technology available publicly “as fast as we can,” which means its security can be independently audited by researchers.

The cryptographers behind this innovation may be the only ones who could have pulled it off. The team includes Phil Zimmermann, the creator of PGP encryption, which is still considered the standard for email security; Jon Callas, the man behind Apple’s whole-disk encryption, which is used to secure hard drives in Macs across the world; and Vincent Moscaritolo, a top cryptographic engineer who previously worked on PGP and for Apple. Together, their combined skills and expertise are setting new standards—with the results already being put to good use.

According to Janke, a handful of human rights reporters in Afghanistan, Jordan, and South Sudan have tried Silent Text’s data transfer capability out, using it to send photos, voice recordings, videos, and PDFs securely. It’s come in handy, he claims: A few weeks ago, it was used in South Sudan to transmit a video of brutality that took place at a vehicle checkpoint. Once the recording was made, it was sent encrypted to Europe using Silent Text, and within a few minutes, it was burned off of the sender’s device. Even if authorities had arrested and searched the person who transmitted it, they would never have found the footage on the phone. Meanwhile, the film, which included location data showing exactly where it was taken, was already in safe hands thousands of miles away—without having been intercepted along the way—where it can eventually be used to build a case documenting human rights abuses.

One of the few people to have tested the new Silent Circle invention is Adrian Hong, the managing director of Pegasus Strategies, a New York-based consulting firm that advises governments, corporations, and NGOs. Hong was himself ensnared by state surveillance in 2006 and thrown into a Chinese jail after getting caught helping North Korean refugees escape from the regime of the late Kim Jong Il. He believes that Silent Circle’s new product is “a huge technical advance.” In fact, he says he might not have been arrested back in 2006 “if the parties I was speaking with then had this [Silent Circle] platform when we were communicating.”

But while Silent Circle’s revolutionary technology will assist many people in difficult environments, maybe even saving lives, there’s also a dark side. Law enforcement agencies will almost certainly be seriously concerned about how it could be used to aid criminals. The FBI, for instance, wants all communications providers to build in backdoors so it can secretly spy on suspects. Silent Circle is pushing hard in the exact opposite direction—it has an explicit policy that it cannot and will not comply with law enforcement eavesdropping requests. Now, having come up with a way not only to easily communicate encrypted but to send files encrypted and without a trace, the company might be setting itself up for a serious confrontation with the feds. Some governments could even try to ban the technology.

Janke is bracing himself for some “heat” from the authorities, but he’s hopeful that they’ll eventually come round. The 45-year-old former Navy SEAL commando tells me he believes governments will eventually realize that “the advantages are far outweighing the small ‘one percent’ bad-intent user cases.” One of those advantages, he says, is that “when you try to introduce a backdoor into technology, you create a major weakness that can be exploited by foreign governments, hackers, and criminal elements.”

If governments don’t come round, though, Silent Circle’s solution is simple: The team will close up shop and move to a jurisdiction that won’t try to force them to comply with surveillance.

“We feel that every citizen has a right to communicate,” Janke says, “the right to send data without the fear of it being grabbed out of the air and used by criminals, stored by governments, and aggregated by companies that sell it.”

The new Silent Circle encrypted data transfer capability is due to launch later this week, hitting Apple’s App Store by Feb. 8. Expect controversy to follow.

This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.

[Crafty_Dog]

Though I have substantial disagreement with some of the points in this piece I found this to be both thoughtful and fair to and respectful of other points of view.

http://www.nationalreview.com/article/351128/national-security-right-goes-silent-andrew-c-mccarthy

[Crafty_Dog]

second post:

I hope I'm not posting too many pieces on this, but I am working on sorting out my thoughts and feelings on this:

http://www.theatlanticwire.com/politics/2013/06/other-nsa-whistleblowers-hope-time-different/66166/

http://www.wired.com/threatlevel/2013/06/general-keith-alexander-cyberwar/  (I'm thinking that if there is to be cyberwar then we should win, but there is much here of great concern)

[C-Kumu Dog]

Interesting Ill have to keep an eye out on the blogs about this subject.

[Crafty_Dog]

Given your technical expertise, I'd be particularly interested in your take on all this.

[C-Kumu Dog]

http://www.deseretnews.com/article/765632912/Al-Qaida-said-to-be-changing-its-ways-after-leaks.html

WASHINGTON — U.S. intelligence agencies are scrambling to salvage their surveillance of al-Qaida and other terrorists who are working frantically to change how they communicate after a National Security Agency contractor leaked details of two NSA spying programs. It's an electronic game of cat-and-mouse that could have deadly consequences if a plot is missed or a terrorist operative manages to drop out of sight.

Terrorist groups had always taken care to avoid detection — from using anonymous email accounts, to multiple cellphones, to avoiding electronic communications at all, in the case of Osama bin Laden. But there were some methods of communication, like the Skype video teleconferencing software that some militants still used, thinking they were safe, according to U.S. counterterrorism officials who follow the groups. They spoke anonymously as a condition of describing their surveillance of the groups. Those militants now know to take care with Skype — one of the 9 U.S.-based Internet servers identified by former NSA contractor Edward Snowden's leaks to The Guardian and The Washington Post.

Two U.S. intelligence officials say members of virtually every terrorist group, including core al-Qaida members, are attempting to change how they communicate, based on what they are reading in the media, to hide from U.S. surveillance. It is the first time intelligence officials have described which groups are reacting to the leaks. The officials spoke anonymously because they were not authorized to speak about the intelligence matters publicly.

The officials wouldn't go into details on how they know this, whether it's terrorists switching email accounts or cellphone providers or adopting new encryption techniques, but a lawmaker briefed on the matter said al-Qaida's Yemeni offshoot, al-Qaida in the Arabian Peninsula, has been among the first to alter how it reaches out to its operatives.

The lawmaker spoke anonymously because he would not, by name, discuss the confidential briefing.

Shortly after Edward Snowden leaked documents about the secret NSA surveillance programs, chat rooms and websites used by like-minded extremists and would-be recruits advised users how to avoid NSA detection, from telling them not to use their real phone numbers to recommending specific online software programs to keep spies from tracking their computers' physical locations.

House Intelligence Committee Chairman Mike Rogers, R-Mich., said there are "changes we can already see being made by the folks who wish to do us harm, and our allies harm."

Sen. Angus King, I-Maine, said Tuesday that Snowden "has basically alerted people who are enemies of this country ... (like) al-Qaida, about what techniques we have been using to monitor their activities and foil plots, and compromised those efforts, and it's very conceivable that people will die as a result."

Privacy activists are more skeptical of the claims. "I assume my communication is being monitored," said Andrew Prasow, senior counterterrorism counsel for Human Rights Watch. She said that's why her group joined a lawsuit against the Director of National Intelligence to find out if its communications were being monitored. The case was dismissed by the U.S. Supreme Court last fall. "I would be shocked if terrorists didn't also assume that and take steps to protect against it," she said.

"The government is telling us, 'This has caused tremendous harm.' But also saying, 'Trust us we have all the information. The US government has to do a lot more than just say it," Prasow said.

At the same time, NSA and other counterterrorist analysts have been focusing their attention on the terrorists, watching their electronic communications and logging all changes, including following which Internet sites the terrorist suspects visit, trying to determine what system they might choose to avoid future detection, according to a former senior intelligence official speaking anonymously as a condition of discussing the intelligence operations.

"It's frustrating. You have to start all over again to track the target," said M.E. "Spike" Bowman, a former intelligence officer and deputy general counsel of the FBI, now a fellow at the University of Virginia's Center for National Security Law. But the NSA will catch up eventually, he predicted, because there are only so many ways a terrorist can communicate. "I have every confidence in their ability to regain access."

Terror groups switching to encrypted communication may slow the NSA, but encryption also flags the communication as something the U.S. agency considers worth listening to, according to a new batch of secret and top-secret NSA documents published last week by The Guardian, a British newspaper. They show that the NSA considers any encrypted communication between a foreigner they are watching and a U.S.-based person as fair game to gather and keep, for as long as it takes to break the code and examine it.

Documents released last week also show measures the NSA takes to gather foreign intelligence overseas, highlighting the possible fallout of the disclosures on more traditional spying. Many foreign diplomats use email systems like Hotmail for their personal correspondence. Two foreign diplomats reached this week who use U.S. email systems that the NSA monitors overseas say they plan no changes, because both diplomats said they already assumed the U.S. was able to read that type of correspondence. They spoke on condition of anonymity because they were not authorized to discuss their methods of communication publicly.

The changing terrorist behavior is part of the fallout of the release of dozens of top-secret documents to the news media by Snowden, 30, a former systems analyst on contract to the NSA.

The Office of the Director for National Intelligence and the NSA declined to comment on the fallout, but the NSA's director, Gen. Keith Alexander, told lawmakers that the leaks have caused "irreversible and significant damage to this nation."

"I believe it will hurt us and our allies," Alexander said.

"After the leak, jihadists posted Arabic news articles about it ... and recommended fellow jihadists to be very cautious, not to give their real phone number and other such information when registering for a website," said Adam Raisman of the SITE Intelligence Group, a private analysis firm. They also gave out specific advice, recommending jihadists use privacy-protecting email systems to hide their computer's IP address, and to use encrypted links to access jihadi forums, Raisman said.

Other analysts predicted a two-track evolution away from the now-exposed methods of communication: A terrorist who was using Skype to plan an attack might stop using that immediately so as not to expose the imminent operation, said Ben Venzke of the private analysis firm IntelCenter.

But if the jihadi group uses a now-exposed system like YouTube to disseminate information and recruit more followers, they'll make a gradual switch to something else that wasn't revealed by Snowden's leaks — moving slowly in part because they'll be trying to determine whether new systems they are considering aren't also compromised, and they'll have to reach their followers and signal the change. That will take time.

"Overall, for terrorist organizations and other hostile actors, leaks of this nature serve as a wake-up call to look more closely at how they're operating and improve their security," Venzke said. "If the CIA or the FBI was to learn tomorrow that its communications are being monitored, do you think it would be business as usual or do you think they would implement a series of changes over time?"

Terrorist groups have already adapted after learning from books and media coverage of "how U.S. intelligence mines information from their cellphones found at sites that get raided in war zones," said Scott Swanson, a forensics intelligence expert with Osprey Global Solutions. "Many are increasingly switching the temporary phones or SIM cards they use and throw them away more often, making it harder to track their network."

The disclosure that intelligence agencies were listening to Osama bin Laden drove him to drop the use of all electronic communications.

"When it leaked that bin Laden was using a Thuraya cellphone, he switched to couriers," said Jane Harman, former member of the House Intelligence Committee and now director of the Woodrow Wilson International Center. "The more they know, the clearer the road map is for them."

It took more than a decade to track bin Laden down to his hiding place in Abbottabad, Pakistan, by following one of those couriers.

Follow Kimberly Dozier on Twitter at http://twitter.com/kimberlydozier

[Crafty_Dog]

http://www.cnn.com/2013/06/30/world/europe/eu-nsa/index.html

As disconcerting as the NSA Prism program is, worth noting is that other powers do this too. 

The question must be asked:

Are we to be the only who does not?

[Crafty_Dog]

second post

This is the most important email we’re going to send you this month. As you know, recent leaks have revealed that the U.S. Government has turned the Internet into the most massive modern surveillance tool in history, one that can constantly monitor and invade the privacy of people all over the world. Including you.
Click here if that pisses you off and you’re ready to do something about it.

UPDATE: just as we were sending this email, we saw the latest leaked documents that show that PRISM allowed the NSA to use FBI-operated equipment located at tech companies headquarters to eavesdrop on our conversations in real-time. See them for yourself, but read on.

Millions have already taken action, but it’s going to take more than just petition signatures to put a stop to unconstitutional NSA surveillance. The U.S. government wants to forget it’s own Constitution. We’re going to make that completely impossible.
There are national protests happening on July 4th -- online and off. Grassroots Internet users have organized Restore the Fourth protests on the ground all over the U.S. on the 4th of July. Building off the energy of the StopWatching.us coalition (which now has over 550,000 signers), and aiming to amplify the protests on the ground, we’re raising the Internet Defense League’s “Cat Signal” on July 4th, asking websites and organizations to show call out the NSA by displaying the text of the 4th Amendment. We just started outreach and we’ve already got EFF, Wordpress, 4chan, Reddit, Namecheap, Imgur, Mozilla, DuckDuckGo, Fark, and Cheezburger signed up to participate. We need you too!
If you already have the IDL’s “all campaigns” code installed, you’re all set. The Cat Signal will be raised at midnight on July 4th and will turn off at midnight on July 5th. We’ll send out campaign specific code on Tuesday, for those who just want to participate in this action, but what we need you to do right now is help spread the word. We need to ramp this up and get everyone on board. If you have Twitter or Facebook, click the link below, if not, please blog, share, call your friends and tell them. This is going to be epic, so get everyone.
We need you on this one. Click here to join our Thunderclap and help make this protest HUGE.
This is a watershed moment for our basic rights to free speech, freedom of association, and privacy. What the NSA is doing is illegal. We are at the moment where we decide if the government should have the power to track, target, profile, and deem suspicious any one of us based on our small everyday movements. The first in line are probably the journalists we depend on, any of our friends or family who are even slightly political. This is why privacy matters -- it does not allow the government to unreasonably persecute anyone.
Click here to join our Thunderclap to spread the word about the protests!
It’s time to leave behind the politics that have failed us. These government dragnet programs started under Bush, but Obama made them even worse, and his administration has mounted an unprecedented attack on journalists and whistleblowers, using the Espionage Act to stifle free speech more times than all other presidents combined. Republicans and Democrats have both failed to uphold the Constitution -- they’re defending the NSA’s programs, or outright lying about it -- and as a result, the foundation of our democracy is in question.
There’s many ways to fight the NSA. Click here to see all the ways that you can participate on July 4th, online and in the streets.
Can you forward this to 10 people right now and ask them to do the same?
We’re counting on you. Everyone is. Last chance: click here to join the movement.
Sincerely,
Tiffiniy, Holmes, Evan, and the whole FFTF team
You can also:
*Donate to make all this happen.
*Like us on Facebook
*Follow us on Twitter

SOURCES:
1) The Guardian, “NSA collected U.S. email records in bulk for more than 2 years under Obama”
2) Washington Post, “Here’s everything we know about how the NSA’s secret programs work”
3) Slate, “Obama Has Charged More Under Espionage Act Than All Other Presidents Combined”
4) Watch Glen Greenwald on Democracy Now as he proves that Dianne Feinstein lied to the camera

5) The Atlantic, “2 Senators Say the NSA is Still Feeding us False Information”

[Crafty_Dog]

third post

http://www.newsmax.com/newswidget/Germany-spying-Snowden-Cold-War/2013/07/01/id/512725?promo_code=12390-1&utm_source=12390PJ_Media&utm_medium=nmwidget&utm_campaign=widgetphase1

What she has in mind:

http://news.yahoo.com/u-bugged-eu-offices-computer-networks-german-magazine-162017024.html

The Green chime in:

http://www.nytimes.com/2013/06/30/opinion/sunday/germans-loved-obama-now-we-dont-trust-him.html?pagewanted=1&_r=1&hp&

[DougMacG]

Who Helped Snowden Steal State Secrets?
The preparations began before he took the job that landed him at the NSA.

http://online.wsj.com/article/SB10001424127887323873904578573382649536100.html?mod=WSJ_Opinion_LEFTTopOpinion

Before taking the job in Hawaii, Mr. Snowden was in contact with people who would later help arrange the publication of the material he purloined. Two of these individuals, filmmaker Laura Poitras and Guardian blogger Glenn Greenwald, were on the Board of the Freedom of the Press Foundation that, among other things, funds WikiLeaks.

In January 2013, according to the Washington Post, Mr. Snowden requested that Ms. Poitras get an encryption key for Skype so that they could have a secure channel over which to communicate.

In February, he made a similar request to Mr. Greenwald, providing him with a step-by-step video on how to set up encrypted communications.

[Crafty_Dog]

Please post that on the Intel thread as well.  TIA.

[Crafty_Dog]

http://www.zdnet.com/eu-votes-to-support-suspending-u-s-data-sharing-agreements-including-passenger-flight-data-7000017677/

[C-Kumu Dog]

5 page article.

http://www.vanityfair.com/culture/2013/07/new-cyberwar-victims-american-business

[ccp]

Well its kind of hard to feel sorry for the likes of MSFT and Google and the like who hire teams of hackers and investigators to snoop all over the place when it is in their interests.

It is surely the case of the pot calling the kettle black.  I am not for any of it; corporate or governmental.   That said, I lament, there is no stopping it.

 

[C-Kumu Dog]

http://www.cnn.com/2013/06/30/world/europe/eu-nsa/index.html

As disconcerting as the NSA Prism program is, worth noting is that other powers do this too. 

The question must be asked:

Are we to be the only who does not?

http://www.nytimes.com/2013/07/05/world/europe/france-too-is-collecting-data-newspaper-reveals.html?_r=0&pagewanted=print

By STEVEN ERLANGER
PARIS — Days after President François Hollande sternly told the United States to stop spying on its allies, the newspaper Le Monde disclosed on Thursday that France has its own large program of data collection, which sweeps up nearly all the data transmissions, including telephone calls, e-mails and social media activity, that come in and out of France.

Le Monde reported that the General Directorate for External Security does the same kind of data collection as the American National Security Agency and the British GCHQ, but does so without clear legal authority.

The system is run with “complete discretion, at the margins of legality and outside all serious control,” the newspaper said, describing it as “a-legal.”

Nonetheless, the French data is available to the various police and security agencies of France, the newspaper reported, and the data is stored for an indeterminate period. The main interest of the agency, the paper said, is to trace who is talking to whom, when and from where and for how long, rather than in listening in to random conversations. But the French also record data from large American networks like Google and Facebook, the newspaper said.

Le Monde’s report, which French officials would not comment on publicly, appeared to make some of the French outrage about the revelations of Edward J. Snowden, a former N.S.A. contractor, about the American data-collection program appear somewhat hollow.

But French officials did say privately on Thursday that there was a difference between data collection in the name of security and spying on allied nations and the European Union. While French officials have said that they do not spy on the American Embassy in France, American officials are skeptical of those reassurances, and have pointed out that France has an aggressive and amply financed espionage system of its own.

The French interior minister, Manuel Valls, said Thursday at the July 4 reception at the American ambassador’s residence in Paris that Mr. Hollande’s demands for clear explanations about the reports of American spying were justified because “such practices, if proven, do not have their place between allies and partners.” He said that “in the name of our friendship, we owe each other honesty.”

Separately, in a statement, Mr. Valls said that France had received an asylum request from Mr. Snowden, but that it would be rejected.

The European Parliament, meeting in Strasbourg, France, to debate the Snowden disclosures, overwhelmingly passed a resolution that “strongly condemns the spying on E.U. representations,” warned of its “potential impact on trans-Atlantic relations” and demanded “immediate clarification from the U.S. authorities on the matter.”

The legislators rejected an amendment calling for the postponement of talks scheduled for Monday on a potential European-American free-trade agreement. France and Mr. Hollande had called for the talks to be delayed, but the European Commission said that they would go ahead in parallel with talks on the American spying programs.

Many Europeans have been shocked and outraged less by the idea of American espionage than the sheer scale of the data-collection abroad. According to Mr. Snowden’s revelations, between 15 million and 60 million transmissions are collected by the Americans every day from Germany alone.

American officials had privately warned French officials to be careful about speaking with too much outrage about American espionage given that major European countries like France spy, too, and not just on their enemies.

[Crafty_Dog]

http://www.theblaze.com/stories/2013/07/14/snowden-docs-contain-nsa-blueprint-an-instruction-manual-for-agencys-inner-workings-guardian-journalist-reveals/

[C-Kumu Dog]

http://www.theblaze.com/stories/2013/07/14/snowden-docs-contain-nsa-blueprint-an-instruction-manual-for-agencys-inner-workings-guardian-journalist-reveals/

Just taking a wild guess but I would assume Tactics, Techniques & Procedures (TTP), Standard Operating Procedures (SOP) and many other internal documents about how things or done \ carried out.

Probably Network Diagrams and more too.

Not going to look at anything Snowden related while at work, I think some of its blocked anyway.  

[C-Kumu Dog]

http://www.google.com/search?hl=en&source=hp&q=Technical+Tactical+Procedures+&gbv=2&oq=Technical+Tactical+Procedures+&gs_l=heirloom-hp.13..0i22i30.641.641.0.2953.1.1.0.0.0.0.281.281.2-1.1.0...0.0...1ac.1.15.heirloom-hp.KIZwIFt223U


Michael Mimoso    July 12, 2013 , 2:25 pm
For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a “time-out” and not attend DEF CON this year.

This will give everybody time to think about how we got here, and what comes next.

—Jeff Moss

Those are the 105 words that have polarized the hacker community.

DEF CON founder Jeff Moss turned the annual hacker conference on its ear Wednesday night when he asked federal government employees to stay away from this year’s show, which starts Aug.1 in Las Vegas. Strained by the revelations of surveillance by the National Security Agency and accusations of unwarranted access to Americans’ online activities, Moss decided to ask for a timeout.

The reaction since has been mixed, if not predictable. Some think events such as DEF CON should be open and collaborative, and that includes with the feds, while others find it counterintuitive to include the feds at an event that fosters technology and thinking that leads to secure and private communication and enterprise.

Moss, who is currently ICANN’s chief security officer, told Reuters that it was a tough call for him to make.

“The community is digesting things that the Feds have had a decade to understand and come to terms with,” Moss told the news agency. “A little bit of time and distance can be a healthy thing, especially when emotions are running high.”

Moss told Threatpost that he is in Durban, South Africa for the ICANN 45 meetings and was not available for comment at the time of publication.

The fallout has begun already, however, with two researchers pulling out of DEF CON after Moss’ decision. Kevin Johnson and James Jardine of Secure Ideas were scheduled to deliver a talk on SharePoint security, but instead decided against giving the talk at the show. Johnson saw the post on Wednesday night from Moss and slept on it a night before meeting with Jardine and other colleagues and making their final decision.

“It sat wrong with me,” Johnson said. “My immediate reaction was that I don’t want to be part of this.”

“I had the same reaction,” Jardine said. “I said I don’t want to be part of something disallowing or not bringing certain groups invited in.”

Jardine and Johnson explained their position in a blogpost, stating that DEF CON is a neutral ground that encourage open communication regardless of industry.

“We believe the exclusion of the “feds” this year does the exact opposite at a critical time. James and I do not feel that this should be about anti/pro government, but rather a continuation of openness that this event has always encouraged,” Johnson wrote. “We both have much respect for DEF CON and the entire organization and security community. It is with this respect that we are pulling our talk from the DEF CON 21 lineup. We understand that this may cause unfortunate change of plans for some, but feel we have to support our beliefs of cooperative collaboration to improve the state of information security technology.”

Robert Graham, CEO of Errata Security, steered the discussion away from politics and said Moss and DEF CON are simply heading off conflict.

“A highly visible fed presence is likely to trigger conflict with people upset over Snowden-gate. From shouting matches, to physical violence, to ‘hack the fed’, something bad might occur. Or, simply attendees will choose to stay away. Any reasonable conference organizer, be they pro-fed or anti-fed, would want to reduce the likelihood of this conflict,” Graham, a past DEF CON presenter, wrote on his company’s blog. “The easiest way to do this is by reducing the number of feds at DEF CON, by asking them not to come. This is horribly unfair to them, of course, since they aren’t the ones who would be starting these fights. But here’s the thing: it’s not a fed convention but a hacker party. The feds don’t have a right to be there — the hackers do. If bad behaving hackers are going to stir up trouble with innocent feds, it’s still the feds who have to go.”

Nick Selby, another security professional and frequent speaker at industry events, said Moss’ decision is self-defeating. He points out that most hackers understand full well the depths of surveillance by the signals intelligence community.

“The relationship between hackers and feds is symbiotic,” Selby wrote. “To deny this is shortsighted, wrong and panders to a constituency that is irrelevant to our shared goals. It also defies the concept that, ‘Our community operates in the spirit of openness, verified trust, and mutual respect.’”

Black Hat, which precedes DEF CON, features NSA director Gen. Keith B. Alexander as its keynote speaker and several sessions given by employees of government agencies. Black Hat general manager Trey Ford said he would not consider a similar decision to the one made by Moss.

“Black Hat strives to cultivate interaction, innovation, and partnership within the security ecosystem—offense and defense, public and private,” Ford said via email, adding that he hopes Black Hat will move the conversation forward regarding the revelations of NSA surveillance of Americans.

“I think the Prism announcement got more attention than prior leaks to the general population, but we in InfoSec have no excuse for acting like we didn’t know this was possible or happening. (it is done inside companies every day),” Ford said. “Privacy is a very real concern for both the security and intelligence communities and we look forward to encouraging conversations about this very topic onsite. Everyone that comes to Black Hat is serious about security, has a professional level of interest, and is here to engage and improve that conversation.”

Alexander, meanwhile, is still scheduled to deliver his keynote and Ford would not comment on a contingency plan should he pull out, nor did he have specifics on what the general will be speaking about.

“General Alexander faces hard decisions about where privacy and security cross, a way of thinking that the security community is also very familiar with,” Ford said. “I am hoping we get a glimpse into his world and thinking.”

Meanwhile, Johnson said he and Jardine did not make their decision to pull out of DEF CON lightly and their intention is not to have others follow suit.

“[Moss’] decision seems really opposite of what DEF CON stands for. From the reaction of some people, I find it hypocritical where some are saying that [the hacker community’s] idea of openness doesn’t involve the feds. I think that’s naïve,” Johnson said. “Openness has to involve everybody. People have been overwhelmed by political issues and the outing of spying and surveillance. They’re letting their feelings toward that overshadow what the DEF CON message has always been which is to get together, break stuff and learn together.”

Johnson and Jardine said they will still release a paper on their talk which covers an overarching plan for assessing SharePoint installations, including a tool they will release as open source, and guidelines for SharePoint assessments for pen-testers and internal teams to help them understand risks associated with the Microsoft collaboration platform.

*DEF CON image via leduardo‘s Flickr photostream, Creative Commons

[C-Kumu Dog]

I thought it might be of use for people who are curious of how some attacks work.  I always like to look at \ read new stuff.

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Dubious HTTP II - Unusual HTTP Content-Encodings:
http://noxxi.de/research/unusual-http-content-encoding.html

Another year, another rogue. Not what the doctor ordered:
http://blogs.technet.com/b/mmpc/archive/2013/06/27/another-year-another-rogue-not-what-the-doctor-ordered.aspx

Skype for Android lockscreen bypass:
http://seclists.org/fulldisclosure/2013/Jul/6

Cybercriminals experiment with Tor-based C&C, ring-3 rootkit empowered, SPDY form-grabbing bot:
http://blog.webroot.com/2013/07/02/cybercriminals-experiment-with-tor-based-cc-ring-3-rootkit-empowered-spdy-form-grabbing-malware-bot/

Securing Microsoft Windows 8: AppContainers:
http://news.saferbytes.it/analisi/2013/07/securing-microsoft-windows-8-appcontainers/

A penetration tester's guide to IPMI and BMCs:
https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi

Analysis of CVE-2013-0809:
http://axtaxt.wordpress.com/2013/07/06/analysis-of-cve-2013-0809/

Postpwnium writeup:
http://rpw.io/blog/2013/06/11/postpwnium_writeup/

[Crafty_Dog]

 Keeping the NSA in Perspective
Geopolitical Weekly
Tuesday, July 16, 2013 - 04:01 Print Text Size
Stratfor

By George Friedman

In June 1942, the bulk of the Japanese fleet sailed to seize the Island of Midway. Had Midway fallen, Pearl Harbor would have been at risk and U.S. submarines, unable to refuel at Midway, would have been much less effective. Most of all, the Japanese wanted to surprise the Americans and draw them into a naval battle they couldn't win.

The Japanese fleet was vast. The Americans had two carriers intact in addition to one that was badly damaged. The United States had only one advantage: It had broken Japan's naval code and thus knew a great deal of the country's battle plan. In large part because of this cryptologic advantage, a handful of American ships devastated the Japanese fleet and changed the balance of power in the Pacific permanently.

This -- and the advantage given to the allies by penetrating German codes -- taught the Americans about the centrality of communications code breaking. It is reasonable to argue that World War II would have ended much less satisfactorily for the United States had its military not broken German and Japanese codes. Where the Americans had previously been guided to a great extent by Henry Stimson's famous principle that "gentlemen do not read each other's mail," by the end of World War II they were obsessed with stealing and reading all relevant communications.

The National Security Agency evolved out of various post-war organizations charged with this task. In 1951, all of these disparate efforts were organized under the NSA to capture and decrypt communications of other governments around the world -- particularly those of the Soviet Union, which was ruled by Josef Stalin, and of China, which the United States was fighting in 1951. How far the NSA could go in pursuing this was governed only by the extent to which such communications were electronic and the extent to which the NSA could intercept and decrypt them.

The amount of communications other countries sent electronically surged after World War II yet represented only a fraction of their communications. Resources were limited, and given that the primary threat to the United States was posed by nation-states, the NSA focused on state communications. But the principle on which the NSA was founded has remained, and as the world has come to rely more heavily on electronic and digital communication, the scope of the NSA's commission has expanded.

What drove all of this was Pearl Harbor. The United States knew that the Japanese were going to attack. They did not know where or when. The result was disaster. All American strategic thinking during the Cold War was built around Pearl Harbor -- the deep fear that the Soviets would launch a first strike that the United States did not know about. The fear of an unforeseen nuclear attack gave the NSA leave to be as aggressive as possible in penetrating not only Soviet codes but also the codes of other nations. You don't know what you don't know, and given the stakes, the United States became obsessed with knowing everything it possibly could.

In order to collect data about nuclear attacks, you must also collect vast amounts of data that have nothing to do with nuclear attacks. The Cold War with the Soviet Union had to do with more than just nuclear exchanges, and the information on what the Soviets were doing -- what governments they had penetrated, who was working for them -- was a global issue. But you couldn't judge what was important and what was unimportant until after you read it. Thus the mechanics of assuaging fears about a "nuclear Pearl Harbor" rapidly devolved into a global collection system, whereby vast amounts of information were collected regardless of their pertinence to the Cold War.

There was nothing that was not potentially important, and a highly focused collection strategy could miss vital things. So the focus grew, the technology advanced and the penetration of private communications logically followed. This was not confined to the United States. The Soviet Union, China, the United Kingdom, France, Israel, India and any country with foreign policy interests spent a great deal on collecting electronic information. Much of what was collected on all sides was not read because far more was collected than could possibly be absorbed by the staff. Still, it was collected. It became a vast intrusion mitigated only by inherent inefficiency or the strength of the target's encryption.
Justified Fear

The Pearl Harbor dread declined with the end of the Cold War -- until Sept. 11, 2001. In order to understand 9/11's impact, a clear memory of our own fears must be recalled. As individuals, Americans were stunned by 9/11 not only because of its size and daring but also because it was unexpected. Terrorist attacks were not uncommon, but this one raised another question: What comes next? Unlike Timothy McVeigh, it appeared that al Qaeda was capable of other, perhaps greater acts of terrorism. Fear gripped the land. It was a justified fear, and while it resonated across the world, it struck the United States particularly hard.

Part of the fear was that U.S. intelligence had failed again to predict the attack.  The public did not know what would come next, nor did it believe that U.S. intelligence had any idea. A federal commission on 9/11 was created to study the defense failure. It charged that the president had ignored warnings. The focus in those days was on intelligence failure. The CIA admitted it lacked the human sources inside al Qaeda. By default the only way to track al Qaeda was via their communications. It was to be the NSA's job.

As we have written, al Qaeda was a global, sparse and dispersed network. It appeared to be tied together by burying itself in a vast new communications network: the Internet. At one point, al Qaeda had communicated by embedding messages in pictures transmitted via the Internet. They appeared to be using free and anonymous Hotmail accounts. To find Japanese communications, you looked in the electronic ether. To find al Qaeda's message, you looked on the Internet.

But with a global, sparse and dispersed network you are looking for at most a few hundred men in the midst of billions of people, and a few dozen messages among hundreds of billions. And given the architecture of the Internet, the messages did not have to originate where the sender was located or be read where the reader was located. It was like looking for a needle in a haystack. The needle can be found only if you are willing to sift the entire haystack. That led to PRISM and other NSA programs.

The mission was to stop any further al Qaeda attacks. The means was to break into their communications and read their plans and orders. To find their plans and orders, it was necessary to examine all communications. The anonymity of the Internet and the uncertainties built into its system meant that any message could be one of a tiny handful of messages. Nothing could be ruled out. Everything was suspect. This was reality, not paranoia.

It also meant that the NSA could not exclude the communications of American citizens because some al Qaeda members were citizens. This was an attack on the civil rights of Americans, but it was not an unprecedented attack. During World War II, the United States imposed postal censorship on military personnel, and the FBI intercepted selected letters sent in the United States and from overseas. The government created a system of voluntary media censorship that was less than voluntary in many ways. Most famously, the United States abrogated the civil rights of citizens of Japanese origin by seizing property and transporting them to other locations. Members of pro-German organizations were harassed and arrested even prior to Pearl Harbor. Decades earlier, Abraham Lincoln suspended the writ of habeas corpus during the Civil War, effectively allowing the arrest and isolation of citizens without due process.

There are two major differences between the war on terror and the aforementioned wars. First, there was a declaration of war in World War II. Second, there is a provision in the Constitution that allows the president to suspend habeas corpus in the event of a rebellion. The declaration of war imbues the president with certain powers as commander in chief -- as does rebellion. Neither of these conditions was put in place to justify NSA programs such as PRISM.

Moreover, partly because of the constitutional basis of the actions and partly because of the nature of the conflicts, World War II and the Civil War had a clear end, a point at which civil rights had to be restored or a process had to be created for their restoration. No such terminal point exists for the war on terror. As was witnessed at the Boston Marathon -- and in many instances over the past several centuries -- the ease with which improvised explosive devices can be assembled makes it possible for simple terrorist acts to be carried out cheaply and effectively. Some plots might be detectable by intercepting all communications, but obviously the Boston Marathon attack could not be predicted.

The problem with the war on terror is that it has no criteria of success that is potentially obtainable. It defines no level of terrorism that is tolerable but has as its goal the elimination of all terrorism, not just from Islamic sources but from all sources. That is simply never going to happen and therefore, PRISM and its attendant programs will never end. These intrusions, unlike all prior ones, have set a condition for success that is unattainable, and therefore the suspension of civil rights is permanent. Without a constitutional amendment, formal declaration of war or declaration of a state of emergency, the executive branch has overridden fundamental limits on its powers and protections for citizens.

Since World War II, the constitutional requirements for waging war have fallen by the wayside. President Harry S. Truman used a U.N resolution to justify the Korean War. President Lyndon Johnson justified an extended large-scale war with the Gulf of Tonkin Resolution, equating it to a declaration of war. The conceptual chaos of the war on terror left out any declaration, and it also included North Korea in the axis of evil the United States was fighting against. Former NSA contractor Edward Snowden is charged with aiding an enemy that has never been legally designated. Anyone who might contemplate terrorism is therefore an enemy. The enemy in this case was clear. It was the organization of al Qaeda but since that was not a rigid nation but an evolving group, the definition spread well beyond them to include any person contemplating an infinite number of actions. After all, how do you define terrorism, and how do you distinguish it from crime?

Three thousand people died in the 9/11 attacks, and we know that al Qaeda wished to kill more because it has said that it intended to do so. Al Qaeda and other jihadist movements -- and indeed those unaffiliated with Islamic movements -- pose threats. Some of their members are American citizens, others are citizens of foreign nations. Preventing these attacks, rather than prosecuting in the aftermath, is important. I do not know enough about PRISM to even try to guess how useful it is.

At the same time, the threat that PRISM is fighting must be kept in perspective. Some terrorist threats are dangerous, but you simply cannot stop every nut who wants to pop off a pipe bomb for a political cause. So the critical question is whether the danger posed by terrorism is sufficient to justify indifference to the spirit of the Constitution, despite the current state of the law. If it is, then formally declare war or declare a state of emergency. The danger of PRISM and other programs is that the decision to build it was not made after the Congress and the president were required to make a clear finding on war and peace. That was the point where they undermined the Constitution, and the American public is responsible for allowing them to do so.
Defensible Origins, Dangerous Futures

The emergence of programs such as PRISM was not the result of despots seeking to control the world. It had a much more clear, logical and defensible origin in our experiences of war and in legitimate fears of real dangers. The NSA was charged with stopping terrorism, and it devised a plan that was not nearly as secret as some claim. Obviously it was not as effective as hoped, or the Boston Marathon attack wouldn't have happened. If the program was meant to suppress dissent it has certainly failed, as the polls and the media of the past weeks show.

The revelations about PRISM are far from new or interesting in themselves. The NSA was created with a charter to do these things, and given the state of technology it was inevitable that the NSA would be capturing communications around the world. Many leaks prior to Snowden's showed that the NSA was doing this. It would have been more newsworthy if the leak revealed the NSA had not been capturing all communications. But this does give us an opportunity to consider what has happened and to consider whether it is tolerable.

The threat posed by PRISM and other programs is not what has been done with them but rather what could happen if they are permitted to survive. But this is not simply about the United States ending this program. The United States certainly is not the only country with such a program. But a reasonable start is for the country that claims to be most dedicated to its Constitution to adhere to it meticulously above and beyond the narrowest interpretation. This is not a path without danger. As Benjamin Franklin said, "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

Read more: Keeping the NSA in Perspective | Stratfor
Follow us: @stratfor on Twitter | Stratfor on Facebook

[C-Kumu Dog]

http://www.infoworld.com/print/222266

By Roger A. Grimes
Created 2013-07-09 03:00AM

Much of the world is just learning that every major industrialized nation has a state-sponsored cyber army [1] -- though many of the groups, including team USA, have been around for decades.

I've met a few cyber warriors. As you might imagine, they can't talk much about their duties. But if you work shoulder to shoulder with them long enough, certain patterns emerge. For starters, there are a lot of them. They are well armed with cyber weaponry, and they're allowed to experiment and hack in ways that, as we all now know, might be considered illegal in some circles.

[ It's over: All private data is public [2] | Learn how to secure your systems with the Web Browser Deep Dive PDF special report [3] and Security Central newsletter [4], both from InfoWorld. ]

I've been a longtime friend to one cyber warrior. On condition of anonymity, he agreed to be interviewed about what he does for a living and allowed me to record our conversation on a device he controlled, from which I transcribed our conversation. I was able to ask clarifying questions the next day.

We met in person in my boat off the coast of Florida, which might sound very clandestine, except that our primary goal was to catch some fish. It's interesting to note that he did not want me to contact him by email or phone during the months leading up to this interview or for a few months after, even though what he revealed does not disclose any national security secrets. The following is an edited version of our conversation. Certain inconsequential details have been altered to protect his identity.

Grimes: Describe yourself and your occupation.

Cyber warrior: Middle-aged, white male, not married. Somewhat smart. Music lover. Lifetime hacker of all things. Currently working on behalf of armed services to break into other countries' computer systems.

Grimes: What is your background? How did you learn to hack?

Cyber warrior: I got into computers fairly early in my life, though I grew up in a foreign country. My dad split when I was young, and my mom worked a lot. I got into computers by visiting one of the few Radio Shacks near my neighborhood. The sales guy hated me at first because I was always on their computers, but after I taught him a few things, we became good friends for years. I realized I had an aptitude for computers ... that most of the adults around me did not have. By the time I was 15, I had dropped out of school (it wasn't as big of a deal in the country I was in, as it is in most developed countries), and I was working a full-time job as the head IT guy at a federal hospital.

I was hacking everything. I hacked their systems, which wasn't too much of a problem because I was already the head IT guy. They had lost some of the admin passwords to the network and other computer systems, so I had to use my hacking skills to reclaim those systems. I hacked everything: door locks, Master locks, burglar alarms -- anything. For a while, I thought I was a master spy and thief, even though I never stole anything. I would spend all my earnings on buying security systems, install them in my house, then spend all my time trying to bypass them without getting caught. I got pretty good, and soon I was breaking into any building I liked at night. I never got caught, although I did have to run from security guards a few times.

Grimes: What did you like hacking the most: security systems or computer systems?

Cyber warrior: Actually, I loved hacking airwaves the most.


Grimes: You mean 802.x stuff?

Cyber warrior: How cute. How quaint. No, I liked hacking everything that lives in the sky. Computer wireless networks are such a small part of the spectrum. I bought literally dozens of antennas, of all sizes, from small handheld stuff to multi-meter-long, steel antennas. I put them all in a storage shed I rented. I put the antennas up on the roof. I don't know how I didn't get in trouble or why the storage shed people didn't tell me to remove the antennas. I had to learn about electricity, soldering, and power generation. I had dozens of stacked computers. It was my own little cloud, way back when. I would listen for all the frequencies I could. I was next to an airbase and I captured everything I could.

Back then a lot more was open on the airwaves than today. But even the encrypted stuff wasn't that hard to figure out. I would order the same manuals as the equipment they were using and learn about backdoors in their equipment. I could readily break into most of their equipment, including their high-security telephone system. It was fun and heady stuff. I was maybe 16 or 17 then. I was living and sleeping in the shed more than at my home.

One day I started to see strange cars show up: black cars and trucks, with government markings, like out of movie. They cut the lock off my shed and came in the door. My loft was up near the rafters, so I scooted over into the next storage area, climbed down, and went out the side door at the far end of the shed area. I walked off into desert and never went back. I must have left $100,000 worth of computers, radio equipment, and oscilloscopes. To this day, I don't know what happened or would have happened had I stayed -- probably not as much as I was worried about.

Grimes: Then what did you do?

Cyber warrior: My mom got married to my stepdad, and we moved back to the States. I was able to get a computer network admin job pretty quickly. Instead of hacking everything, I started to build operating systems. I'm a big fan of open source, and I joined one of the distros. I wrote laptop drivers for a long time and started writing defensive tools. That evolved into hacking tools, including early fuzzers.

Eventually I got hired by a few of the big penetration-testing companies [5]. I found out that I was one of the elite, even in a group of elites. Most of those I met were using tools they found on the Internet or by the companies that hired us, but all that code was so [messed up]. I started writing all my own tools. I didn't trust any of the hacking tools that most penetration testers rely on. I loved to hack and break into to things, but to be honest, it was pretty boring. Everyone can break into everywhere -- so I made it a game. I would only break in using tools that I built, and I would only consider it a success if none of my probes or attacks ended up in a firewall or other log. That at least made it more challenging.

Grimes: How did you get into cyber warfare?

Cyber warrior: They called me up out of the blue one day -- well, an employment agency on behalf of the other team. They were offering a lot more money, which surprised me, because I had heard that the guys working on behalf of the feds made a lot less than we did. Not true -- it's certainly not true anymore, if you're any good.

I had to take a few tests. I had a few problems getting hired at first because I literally didn't have a background: no credit, no high school or college transcripts. Even the work I had done was not something you could easily verify. But I scored really well on the tests and I was honest on what I had done in the past. They didn't seem to care that I had hacked our own government years ago or that I smoked pot. I wasn't sure I was going to take the job, but then they showed me the work environment and introduced me to a few future coworkers. I was impressed.


Grimes: Explain.

Cyber warrior: They had thousands of people just like me. They had the best computers. They had multiple supercomputers. They had water-cooled computers running around on handtrucks like you would rent library books. The guys that interviewed me were definitely smarter than I was. I went from always being the smartest guy wherever I worked to being just one of the regular coworkers. It didn't hurt my ego. It excited me. I always want to learn more.

Grimes: What happened after you got hired?

Cyber warrior: I immediately went to work. Basically they sent me a list of software they needed me to hack. I would hack the software and create buffer overflow exploits. I was pretty good at this. There wasn't a piece of software I couldn't break. It's not hard. Most of the software written in the world has a bug every three to five lines of code. It isn't like you have to be a supergenius to find bugs.

But I quickly went from writing individual buffer overflows to being assigned to make better fuzzers. You and I have talked about this before. The fuzzers were far faster at finding bugs than I was. What they didn't do well is recognize the difference between a bug and an exploitable bug or recognize an exploitable bug from one that could be weaponized or widely used. My first few years all I did was write better fuzzing modules.

Grimes: How many exploits does your unit have access to?

Cyber warrior: Literally tens of thousands -- it's more than that. We have tens of thousands of ready-to-use bugs in single applications, single operating systems.

Grimes: Is most of it zero-days?

Cyber warrior: It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.

Grimes: What do you like hacking now?

Cyber warrior: Funny enough, it's a lot of wireless stuff again: public equipment that everyone uses, plus a lot of military stuff that the general public knows nothing about. It's mostly hardware and controller hacking. But even that equipment is easy to exploit.

Grimes: Does your team sometimes do illegal things?

Cyber warrior: Not that I know of. We get trained in what we can and can't do. If we do something illegal, it's not on purpose. Well, I can't speak for everyone or every team, but I can tell you the thousands of people I work with will not do anything intentionally illegal. I'm sure it happens, but if it happens, it's by mistake. For instance, I know we accidentally intercepted some government official's conversations one day, someone high-level. We had to report it to our supervisors and erase the digital recordings, plus put that track on our red filter list.

Grimes: You say you don't do anything illegal, but our federal laws distinctly say what we cannot offensively hack other nations. And we are hacking other nations [6].

Cyber warrior: They say we can't hack other nations without oversight. John Q. Public and John Q. Corporation can't hack other nations, but our units operate under laws that make what we are doing not illegal.


Grimes: I know you from many years ago, and I think the young you would revile hacking any government by any government. I think I heard you say this many times, and you were passionate about it.

Cyber warrior: I'm still passionate about it, but the older self realizes that the young self didn't have all the facts. We have to do what we do because [other nation states and other armies] are doing it. If we didn't, we would literally be dead. It's already something that I don't know if we are winning. I know we have the best tools, the best people, but our laws actually stop us from being as good as we could be.

Grimes: What about your job would surprise the average American?

Cyber warrior: Nothing.

Grimes: I really think the average American would be surprised you do what you do.

Cyber warrior: I don't agree. I think everyone knows what we have to do to keep up.

Grimes: What does your work location look like?

Cyber warrior:  I work in obscure office park in Northern Virginia. It's close to DC. There's no lettering or identifiers on the building. We park our cars in an underground garage. There are about 5,000 people on my team. I still work for the same staffing company I was hired by. My badge does not say "U.S. government" on it. We are not allowed to bring any computers, electronics, or storage USB drives into the building. They aren't even allowed in our cars, so I'm the guy at lunch without a cellphone. If people were to look around, they could spot us. Look for the group of people being loud that don't have a single cellphone out -- no one texting. Heck, they should let us carry cellphones just so we don't look so obvious.

Grimes: What do you do for a hobby?

Cyber warrior: I play in a hardcore rap/EDM band, if you can imagine that. I play lots of instruments, make beats and percussion stuff. I wish I could make more money doing music than hacking. I'm even considering now leaving my job and doing music. I don't need much money. I have enough for retirement and enough to support my lifestyle.

Grimes: What do you wish we, as in America, could do better hacking-wise?

Cyber warrior: I wish we spent as much time defensively as we do offensively. We have these thousands and thousands of people in coordinate teams trying to exploit stuff. But we don't have any large teams that I know of for defending ourselves. In the real world, armies spend as much time defending as they do preparing for attacks. We are pretty one-sided in the battle right now.

Grimes: What do you think of Snowden [7]?

Cyber warrior: I don't know him.

Grimes: Let me clarify, what do you think of Snowden for revealing secrets [8]?

Cyber warrior: It doesn't bother me one way or the other.

Grimes: What if it could lead to your program shutting down? You'd be without a job.

Cyber warrior: There's no way what we do will be shut down. First, I don't intentionally do anything that involves spying on domestic communications. I don't think anyone in my company does that, although I don't know for sure. Second, it would be very dangerous to stop what we do. We are the new army. You may not like what the army does, but you still want an army.

If I was out of job I'd just get better at playing my instruments. I like to hack them, too.

This story, "In his own words: Confessions of a cyber warrior [9]," was originally published at InfoWorld.com [10]. Keep up on the latest developments in network security [11] and read more of Roger Grimes' Security Adviser blog [12] at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter [13].

Security Hacking Government Security

--------------------------------------------------------------------------------

Source URL (retrieved on 2013-07-17 03:40PM): http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-222266
Links:
[1] http://www.infoworld.com/t/data-security/us-china-please-stop-hacking-our-companies-if-you-dont-mind-214322
[2] http://www.infoworld.com/d/security/its-over-all-private-data-public-220901?source=fssr
[3] http://www.infoworld.com/browser-security-deep-dive?idglg=?ifwelg_fssr
[4] http://www.infoworld.com/newsletters/subscribe?showlist=infoworld_sec_rpt&source=ifwelg_fssr
[5] http://www.infoworld.com/d/security/penetration-testing-the-cheap-and-not-so-cheap-050
[6] http://www.infoworld.com/d/security-central/stuxnet-marks-the-start-the-next-security-arms-race-282
[7] http://www.infoworld.com/t/cringely/snowden-has-answers-nsa-still-holds-the-questions-220881
[8] http://www.infoworld.com/t/government/nsa-leaker-snowden-leaves-hong-kong-reportedly-russia-221306
[9] http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-222266?source=footer
[10] http://www.infoworld.com/?source=footer
[11] http://www.infoworld.com/d/security?source=footer
[12] http://www.infoworld.com/blogs/roger-a.-grimes?source=footer
[13] http://twitter.com/infoworld

[Crafty_Dog]

http://www.washingtontimes.com/news/2013/jul/17/nsa-phone-program-will-expire-next-year-patriot-ac/

[bigdog]

http://www.whiteoliphaunt.com/duckofminerva/2013/08/what-should-you-read-on-cyber-security.html

[C-Kumu Dog]

LAS VEGAS National Security Agency director Gen. Keith Alexander was met with cheers and heckling Wednesday at the Black Hat conference in Las Vegas, an annual meeting of hackers and cybersecurity professionals.

Alexander was asked to give the keynote address at the conference before former NSA contractor Edward Snowden leaked documents to the media about PRISM -- a government surveillance program that collected metadata over telecommunication lines. Black Hat organizers say that he could have easily backed out, but chose to attend open a dialog with the hacking community.

The mood was one of respectful skepticism among a majority of audience members. But halfway through the address, which promised to answer tough questions in the wake of the PRISM leak, some in the audience decided they had heard enough.

Alexander was speaking about ways the controversial initiative FAA 702 has thwarted terrorism plots, when he said of the NSA: "We stand for freedom."

"Bulls***," a heckler in an audience of hundreds yelled out. After a handful of claps, he continued, "You lied to Congress. Why should we believe you're not lying to us?"

Unfazed by the comment, Alexander calmly replied, "I did not lie to Congress."

 
Play VIDEO
Rogers: NSA program stops real terrorist attacks
Alexander spent the majority of his speech explaining how the U.S. government arrived at its current cybersecurity posture and where to go next. The director pointed at some of the major terrorist attacks in the last 20 years, like the first World Trade Center bombing in 1993, the U.S.S. Cole bombing in 2000, and the September 11th attacks as examples of why the intelligence community had to step up its data gathering.

"The intelligence community failed to connect the dots," Alexander said.

Addressing the concerns that NSA analysts can access the personal data of Americans at will, Alexander said there is a misconception about how much information is being accessed, adding that the program can be completely audited.

Leaked documents give new insight into NSA searches
Administration declassifies more NSA surveillance documents
Alexander said there are only 22 people at the NSA who can approve the surveillance of a phone number, and 35 analysts who are authorized to review the queries. Of 300 phone numbers that were approved for query, 12 were reported to the Federal Bureau of Investigation.

The director said that if a query appeared unrelated to national security, its auditing tools would detect it and the analyst would have to explain their intent. He added that an audit conducted by Congress found no incidences of abuse of the program.

Alexander shared a slide that revealed a sample of what a document with metadata looks like. A snippet of a spreadsheet reveals columns including date, time, from address, to address, length, site and source -- not the content of the communication itself. The director added that the NSA does not "collect everything."

"It's focused," Alexander said. "We don't want to collect everything."

Alexander ended his speech with a plea to the audience, saying, "help us defend the country and find a greater solution.The whole reason I came here is to ask you to make it better."

"Read the constitution," a heckler in the audience yelled out.

"I have. You should too," Alexander calmly responded. His comment was followed by cheering from the audience.

[Crafty_Dog]

This site's reliability is  unknown.

http://gizmodo.com/chinese-hackers-just-got-caught-hijacking-a-decoy-water-1012520726?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow

[bigdog]

http://www.foreignaffairs.com/print/136836

From the article:

These days, most of Washington seems to believe that a major cyberattack on U.S. critical infrastructure is inevitable. In March, James Clapper, U.S. director of national intelligence, ranked cyberattacks as the greatest short-term threat to U.S. national security. General Keith Alexander, the head of the U.S. Cyber Command, recently characterized “cyber exploitation” of U.S. corporate computer systems as the “greatest transfer of wealth in world history.” And in January, a report by the Pentagon’s Defense Science Board argued that cyber risks should be managed with improved defenses and deterrence, including “a nuclear response in the most extreme case.”

Although the risk of a debilitating cyberattack is real, the perception of that risk is far greater than it actually is. No person has ever died from a cyberattack, and only one alleged cyberattack has ever crippled a piece of critical infrastructure, causing a series of local power outages in Brazil. In fact, a major cyberattack of the kind intelligence officials fear has not taken place in the 21 years since the Internet became accessible to the public.

[Crafty_Dog]

Hmmm , , , so we don't need to worry about all the "stuxnets" the Chinese have inserted into our infrastructure awaiting further command?  I'm so relieved , , ,

[Crafty_Dog]

http://finance.yahoo.com/news/terrifying-search-engine-finds-internet-143500735.html

[Crafty_Dog]

http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/

[Crafty_Dog]

      More on the NSA Commandeering the Internet



If there's any confirmation that the US government has commandeered the
Internet for worldwide surveillance, it is what happened with Lavabit
earlier this month.

Lavabit is -- well, was -- an e-mail service that offered more privacy
than the typical large-Internet-corporation services that most of us
use.  It was a small company, owned and operated by Ladar Levison, and
it was popular among the tech-savvy. NSA whistleblower Edward Snowden
among its half-million users.

Last month, Levison reportedly received an order -- probably a National
Security Letter -- to allow the NSA to eavesdrop on everyone's e-mail
accounts on Lavabit.  Rather than "become complicit in crimes against
the American people," he turned the service off.  Note that we don't
know for sure that he received a NSL -- that's the order authorized by
the Patriot Act that doesn't require a judge's signature and prohibits
the recipient from talking about it -- or what it covered, but Levison
has said that he had complied with requests for individual e-mail access
in the past, but this was very different.

So far, we just have an extreme moral act in the face of government
pressure.  It's what happened next that is the most chilling.  The
government threatened him with arrest, arguing that shutting down this
e-mail service was a violation of the order.

There it is.  If you run a business, and the FBI or NSA want to turn it
into a mass surveillance tool, they believe they can do so, solely on
their own initiative.  They can force you to modify your system.  They
can do it all in secret and then force your business to keep that
secret.  Once they do that, you no longer control that part of your
business.  You can't shut it down.  You can't terminate part of your
service.  In a very real sense, it is not your business anymore.  It is
an arm of the vast US surveillance apparatus, and if your interest
conflicts with theirs then they win.  Your business has been commandeered.

For most Internet companies, this isn't a problem.  They are already
engaging in massive surveillance of their customers and users --
collecting and using this data is the primary business model of the
Internet -- so it's easy to comply with government demands and give the
NSA complete access to everything.  This is what we learned from Edward
Snowden.  Through programs like PRISM, BLARNEY and OAKSTAR, the NSA
obtained bulk access to services like Gmail and Facebook, and to
Internet backbone connections throughout the US and the rest of the
world.  But if it were a problem for those companies, presumably the
government would not allow them to shut down.

To be fair, we don't know if the government can actually convict someone
of closing a business.  It might just be part of their coercion tactics.
  Intimidation, and retaliation, is part of how the NSA does business.

Former Qwest CEO Joseph Nacchio has a story of what happens to a large
company that refuses to cooperate.  In February 2001 -- before the 9/11
terrorist attacks -- the NSA approached the four major US telecoms and
asked for their cooperation in a secret data collection program, the one
we now know to be the bulk metadata collection program exposed by Edward
Snowden.  Qwest was the only telecom to refuse, leaving the NSA with a
hole in its spying efforts.  The NSA retaliated by canceling a series of
big government contracts with Qwest.  The company has since been
purchased by CenturyLink, which we presume is more cooperative with NSA
demands.

That was before the Patriot Act and National Security Letters.  Now,
presumably, Nacchio would just comply.  Protection rackets are easier
when you have the law backing you up.

As the Snowden whistleblowing documents continue to be made public,
we're getting further glimpses into the surveillance state that has been
secretly growing around us.  The collusion of corporate and government
surveillance interests is a big part of this, but so is the government's
resorting to intimidation.  Every Lavabit-like service that shuts down
-- and there have been several -- gives us consumers less choice, and
pushes us into the large services that cooperate with the NSA.  It's
past time we demanded that Congress repeal National Security Letters,
give us privacy rights in this new information age, and force meaningful
oversight on this rogue agency.

This essay previously appeared in "USA Today."
http://www.usatoday.com/story/opinion/2013/08/27/nsa-snowden-russia-obama-column/2702461/

[Crafty_Dog]

Second post

      Take Back the Internet



Government and industry have betrayed the Internet, and us.

By subverting the Internet at every level to make it a vast,
multi-layered and robust surveillance platform, the NSA has undermined a
fundamental social contract. The companies that build and manage our
Internet infrastructure, the companies that create and sell us our
hardware and software, or the companies that host our data: we can no
longer trust them to be ethical Internet stewards.

This is not the Internet the world needs, or the Internet its creators
envisioned. We need to take it back.

And by we, I mean the engineering community.

Yes, this is primarily a political problem, a policy matter that
requires political intervention.

But this is also an engineering problem, and there are several things
engineers can -- and should -- do.

One, we should expose. If you do not have a security clearance, and if
you have not received a National Security Letter, you are not bound by a
federal confidentially requirements or a gag order. If you have been
contacted by the NSA to subvert a product or protocol, you need to come
forward with your story. Your employer obligations don't cover illegal
or unethical activity. If you work with classified data and are truly
brave, expose what you know. We need whistleblowers.

We need to know how exactly how the NSA and other agencies are
subverting routers, switches, the Internet backbone, encryption
technologies and cloud systems. I already have five stories from people
like you, and I've just started collecting. I want 50. There's safety in
numbers, and this form of civil disobedience is the moral thing to do.

Two, we can design. We need to figure out how to re-engineer the
Internet to prevent this kind of wholesale spying. We need new
techniques to prevent communications intermediaries from leaking private
information.

We can make surveillance expensive again. In particular, we need open
protocols, open implementations, open systems -- these will be harder
for the NSA to subvert.

The Internet Engineering Task Force, the group that defines the
standards that make the Internet run, has a meeting planned for early
November in Vancouver. This group needs to dedicate its next meeting to
this task. This is an emergency, and demands an emergency response.

Three, we can influence governance. I have resisted saying this up to
now, and I am saddened to say it, but the US has proved to be an
unethical steward of the Internet. The UK is no better. The NSA's
actions are legitimizing the Internet abuses by China, Russia, Iran and
others. We need to figure out new means of Internet governance, ones
that makes it harder for powerful tech countries to monitor everything.
For example, we need to demand transparency, oversight, and
accountability from our governments and corporations.

Unfortunately, this is going play directly into the hands of
totalitarian governments that want to control their country's Internet
for even more extreme forms of surveillance. We need to figure out how
to prevent that, too. We need to avoid the mistakes of the International
Telecommunications Union, which has become a forum to legitimize bad
government behavior, and create truly international governance that
can't be dominated or abused by any one country.

Generations from now, when people look back on these early decades of
the Internet, I hope they will not be disappointed in us. We can ensure
that they don't only if each of us makes this a priority, and engages in
the debate. We have a moral duty to do this, and we have no time to lose.

Dismantling the surveillance state won't be easy. Has any country that
engaged in mass surveillance of its own citizens voluntarily given up
that capability? Has any mass surveillance country avoided becoming
totalitarian? Whatever happens, we're going to be breaking new ground.

Again, the politics of this is a bigger task than the engineering, but
the engineering is critical. We need to demand that real technologists
be involved in any key government decision making on these issues. We've
had enough of lawyers and politicians not fully understanding
technology; we need technologists at the table when we build tech policy.

To the engineers, I say this: we built the Internet, and some of us have
helped to subvert it. Now, those of us who love liberty have to fix it.


This essay originally appeared in the "Guardian."
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

[Crafty_Dog]

Third post

Conspiracy Theories and the NSA



I've recently seen two articles speculating on the NSA's capability, and
practice, of spying on members of Congress and other elected officials.
The evidence is all circumstantial and smacks of conspiracy thinking --
and I have no idea whether any of it is true or not -- but it's a good
illustration of what happens when trust in a public institution fails.

The NSA has repeatedly lied about the extent of its spying program.
James R. Clapper, the director of national intelligence, has lied about
it to Congress. Top-secret documents provided by Edward Snowden, and
reported on by the "Guardian" and other newspapers, repeatedly show that
the NSA's surveillance systems are monitoring the communications of
American citizens. The DEA has used this information to apprehend drug
smugglers, then lied about it in court. The IRS has used this
information to find tax cheats, then lied about it. It's even been used
to arrest a copyright violator. It seems that every time there is an
allegation against the NSA, no matter how outlandish, it turns out to be
true.

"Guardian" reporter Glenn Greenwald has been playing this well,
dribbling the information out one scandal at a time. It's looking more
and more as if the NSA doesn't know what Snowden took. It's hard for
someone to lie convincingly if he doesn't know what the opposition
actually knows.

All of this denying and lying results in us not trusting anything the
NSA says, anything the president says about the NSA, or anything
companies say about their involvement with the NSA. We know secrecy
corrupts, and we see that corruption. There's simply no credibility, and
-- the real problem -- no way for us to verify anything these people
might say.

It's a perfect environment for conspiracy theories to take root: no
trust, assuming the worst, no way to verify the facts. Think JFK
assassination theories. Think 9/11 conspiracies. Think UFOs. For all we
know, the NSA *might* be spying on elected officials. Edward Snowden
said that he had the ability to spy on anyone in the US, in real time,
from his desk. His remarks were belittled, but it turns out he was right.

This is not going to improve anytime soon. Greenwald and other reporters
are still poring over Snowden's documents, and will continue to report
stories about NSA overreach, lawbreaking, abuses, and privacy violations
well into next year. The "independent" review that Obama promised of
these surveillance programs will not help, because it will lack both the
power to discover everything the NSA is doing and the ability to relay
that information to the public.

It's time to start cleaning up this mess. We need a special prosecutor,
one not tied to the military, the corporations complicit in these
programs, or the current political leadership, whether Democrat or
Republican. This prosecutor needs free rein to go through the NSA's
files and discover the full extent of what the agency is doing, as well
as enough technical staff who have the capability to understand it. He
needs the power to subpoena government officials and take their sworn
testimony. He needs the ability to bring criminal indictments where
appropriate. And, of course, he needs the requisite security clearance
to see it all.

We also need something like South Africa's Truth and Reconciliation
Commission, where both government and corporate employees can come
forward and tell their stories about NSA eavesdropping without fear of
reprisal.

Yes, this will overturn the paradigm of keeping everything the NSA does
secret, but Snowden and the reporters he's shared documents with have
already done that. The secrets are going to come out, and the
journalists doing the outing are not going to be sympathetic to the NSA.
If the agency were smart, it'd realize that the best thing it could do
would be to get ahead of the leaks.

The result needs to be a public report about the NSA's abuses, detailed
enough that public watchdog groups can be convinced that everything is
known. Only then can our country go about cleaning up the mess: shutting
down programs, reforming the Foreign Intelligence Surveillance Act
system, and reforming surveillance law to make it absolutely clear that
even the NSA cannot eavesdrop on Americans without a warrant.

Comparisons are springing up between today's NSA and the FBI of the
1950s and 1960s, and between NSA Director Keith Alexander and J. Edgar
Hoover. We never managed to rein in Hoover's FBI -- it took his death
for change to occur. I don't think we'll get so lucky with the NSA.
While Alexander has enormous personal power, much of his power comes
from the institution he leads. When he is replaced, that institution
will remain.

Trust is essential for society to function. Without it, conspiracy
theories naturally take hold. Even worse, without it we fail as a
country and as a culture. It's time to reinstitute the ideals of
democracy: The government works for the people, open government is the
best way to protect against government abuse, and a government keeping
secrets from its people is a rare exception, not the norm.


This essay originally appeared on TheAtlantic.com.
http://www.theatlantic.com/politics/archive/2013/09/the-only-way-to-restore-trust-in-the-nsa/279314/
or http://tinyurl.com/luuvnd4

[Crafty_Dog]

fourth post

      How to Remain Secure Against the NSA



Now that we have enough details about how the NSA eavesdrops on the
Internet, including recent disclosures of the NSA's deliberate weakening
of cryptographic systems, we can finally start to figure out how to
protect ourselves.

For the past two weeks, I have been working with the Guardian on NSA
stories, and have read hundreds of top-secret NSA documents provided by
whistleblower Edward Snowden. I wasn't part of today's story -- it was
in process well before I showed up -- but everything I read confirms
what the Guardian is reporting.

At this point, I feel I can provide some advice for keeping secure
against such an adversary.

The primary way the NSA eavesdrops on Internet communications is in the
network. That's where their capabilities best scale. They have invested
in enormous programs to automatically collect and analyze network
traffic. Anything that requires them to attack individual endpoint
computers is significantly more costly and risky for them, and they will
do those things carefully and sparingly.

Leveraging its secret agreements with telecommunications companies --
all the US and UK ones, and many other "partners" around the world --
the NSA gets access to the communications trunks that move Internet
traffic. In cases where it doesn't have that sort of friendly access, it
does its best to surreptitiously monitor communications channels:
tapping undersea cables, intercepting satellite communications, and so on.

That's an enormous amount of data, and the NSA has equivalently enormous
capabilities to quickly sift through it all, looking for interesting
traffic. "Interesting" can be defined in many ways: by the source, the
destination, the content, the individuals involved, and so on. This data
is funneled into the vast NSA system for future analysis.

The NSA collects much more metadata about Internet traffic: who is
talking to whom, when, how much, and by what mode of communication.
Metadata is a lot easier to store and analyze than content. It can be
extremely personal to the individual, and is enormously valuable
intelligence.

The Systems Intelligence Directorate is in charge of data collection,
and the resources it devotes to this is staggering. I read status report
after status report about these programs, discussing capabilities,
operational details, planned upgrades, and so on. Each individual
problem -- recovering electronic signals from fiber, keeping up with the
terabyte streams as they go by, filtering out the interesting stuff --
has its own group dedicated to solving it. Its reach is global.

The NSA also attacks network devices directly: routers, switches,
firewalls, etc. Most of these devices have surveillance capabilities
already built in; the trick is to surreptitiously turn them on. This is
an especially fruitful avenue of attack; routers are updated less
frequently, tend not to have security software installed on them, and
are generally ignored as a vulnerability.

The NSA also devotes considerable resources to attacking endpoint
computers. This kind of thing is done by its TAO -- Tailored Access
Operations -- group. TAO has a menu of exploits it can serve up against
your computer -- whether you're running Windows, Mac OS, Linux, iOS, or
something else -- and a variety of tricks to get them onto your
computer. Your anti-virus software won't detect them, and you'd have
trouble finding them even if you knew where to look. These are hacker
tools designed by hackers with an essentially unlimited budget. What I
took away from reading the Snowden documents was that if the NSA wants
in to your computer, it's in. Period.

The NSA deals with any encrypted data it encounters more by subverting
the underlying cryptography than by leveraging any secret mathematical
breakthroughs. First, there's a lot of bad cryptography out there. If it
finds an Internet connection protected by MS-CHAP, for example, that's
easy to break and recover the key. It exploits poorly chosen user
passwords, using the same dictionary attacks hackers use in the
unclassified world.

As was revealed today, the NSA also works with security product vendors
to ensure that commercial encryption products are broken in secret ways
that only it knows about. We know this has happened historically:
CryptoAG and Lotus Notes are the most public examples, and there is
evidence of a back door in Windows. A few people have told me some
recent stories about their experiences, and I plan to write about them
soon. Basically, the NSA asks companies to subtly change their products
in undetectable ways: making the random number generator less random,
leaking the key somehow, adding a common exponent to a public-key
exchange protocol, and so on. If the back door is discovered, it's
explained away as a mistake. And as we now know, the NSA has enjoyed
enormous success from this program.

TAO also hacks into computers to recover long-term keys. So if you're
running a VPN that uses a complex shared secret to protect your data and
the NSA decides it cares, it might try to steal that secret. This kind
of thing is only done against high-value targets.

How do you communicate securely against such an adversary? Snowden said
it in an online Q&A soon after he made his first document public:
"Encryption works. Properly implemented strong crypto systems are one of
the few things that you can rely on."

I believe this is true, despite today's revelations and tantalizing
hints of "groundbreaking cryptanalytic capabilities" made by James
Clapper, the director of national intelligence in another top-secret
document. Those capabilities involve deliberately weakening the
cryptography.

Snowden's follow-on sentence is equally important: "Unfortunately,
endpoint security is so terrifically weak that NSA can frequently find
ways around it."

Endpoint means the software you're using, the computer you're using it
on, and the local network you're using it in. If the NSA can modify the
encryption algorithm or drop a Trojan on your computer, all the
cryptography in the world doesn't matter at all. If you want to remain
secure against the NSA, you need to do your best to ensure that the
encryption can operate unimpeded.

With all this in mind, I have five pieces of advice:

1) Hide in the network. Implement hidden services. Use Tor to anonymize
yourself. Yes, the NSA targets Tor users, but it's work for them. The
less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's
true that the NSA targets encrypted connections -- and it may have
explicit exploits against these protocols -- you're much better
protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take
work and risk on the part of the NSA -- so it probably isn't. If you
have something really important, use an air gap. Since I started working
with the Snowden documents, I bought a new computer that has never been
connected to the Internet. If I want to transfer a file, I encrypt the
file on the secure computer and walk it over to my Internet computer,
using a USB stick. To decrypt something, I reverse the process. This
might not be bulletproof, but it's pretty good.

4) Be suspicious of commercial encryption software, especially from
large vendors. My guess is that most encryption products from large US
companies have NSA-friendly back doors, and many foreign ones probably
do as well. It's prudent to assume that foreign products also have
foreign-installed backdoors. Closed-source software is easier for the
NSA to backdoor than open-source software. Systems relying on master
secrets are vulnerable to the NSA, through either legal or more
clandestine means.

5) Try to use public-domain encryption that has to be compatible with
other implementations. For example, it's harder for the NSA to backdoor
TLS than BitLocker, because any vendor's TLS has to be compatible with
every other vendor's TLS, while BitLocker only has to be compatible with
itself, giving the NSA a lot more freedom to make changes. And because
BitLocker is proprietary, it's far less likely those changes will be
discovered. Prefer symmetric cryptography over public-key cryptography.
Prefer conventional discrete-log-based systems over elliptic-curve
systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden's documents, I have been using GPG,
Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things
I'm not going to write about. There's an undocumented encryption feature
in my Password Safe program from the command line; I've been using that
as well.

I understand that most of this is impossible for the typical Internet
user. Even I don't use all these tools for most everything I am working
on. And I'm still primarily on Windows, unfortunately. Linux would be safer.

The NSA has turned the fabric of the Internet into a vast surveillance
platform, but they are not magical. They're limited by the same economic
realities as the rest of us, and our best defense is to make
surveillance of us as expensive as possible.

Trust the math. Encryption is your friend. Use it well, and do your best
to ensure that nothing can compromise it. That's how you can remain
secure even in the face of the NSA.


This essay originally appeared in the "Guardian."
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

NSA links:
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
http://online.wsj.com/article/SB10001424127887324108204579022874091732470.html
http://www.theguardian.com/business/2013/aug/02/telecoms-bt-vodafone-cables-gchq
http://www.washingtonpost.com/business/technology/agreements-with-private-companies-protect-us-access-to-cables-data-for-surveillance/2013/07/06/aa5d017a-df77-11e2-b2d4-ea6d8f477a01_story.html
http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data
http://www.theguardian.com/world/2013/jun/27/nsa-data-mining-authorised-obama
http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
http://www.foreignpolicy.com/articles/2013/06/10/inside_the_nsa_s_ultra_secret_china_hacking_group
http://www.informationweek.com/security/government/want-nsa-attention-use-encrypted-communi/240157089
or http://tinyurl.com/kdxaytf

Other NSA backdoors:
http://www.schneier.com/blog/archives/2008/01/nsa_backdoors_i.html
http://www.heise.de/tp/artikel/2/2898/1.html
http://www.heise.de/tp/artikel/5/5263/1.html

Snowden's interview:
http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower

Clapper's comments:
http://www.wired.com/threatlevel/2013/08/black-budget/

Surveillance built in to the routers:
https://www.rfc-editor.org/rfc/rfc3924.txt

My tools:
http://www.gnupg.org/
https://silentcircle.com/
https://tails.boum.org/
http://www.cypherpunks.ca/otr/
http://www.truecrypt.org/
http://bleachbit.sourceforge.net/
https://www.schneier.com/passsafe.html

[Crafty_Dog]

http://fortunascorner.wordpress.com/2013/10/05/snowdenu-s-intelligence-communitys-cyber-911/

[bigdog]

http://www.lawfareblog.com/wp-content/uploads/2013/10/preliminary-cybersecurity-framework.pdf

[Crafty_Dog]

http://www.familysecuritymatters.org/publications/detail/american-blackout-a-real-life-nightmare-nearer-than-you-think?f=must_reads

Note that one of the authors here used to head the CIA , , ,

[bigdog]

http://www.washingtonpost.com/blogs/monkey-cage/wp/2013/11/11/cyber-pearl-harbor-is-a-myth/?wpisrc=nl_cage

From the article:

Of course, cyberattacks can still be used for specific and limited goals. For example, the so-called Stuxnet/Olympic Games attack on the Iranian nuclear program was apparently mounted jointly by the United States and Israel. However, here too, military force is important. Gartzke argues that one of the reasons that the U.S. and Israel could carry out this attack is because they are militarily powerful in conventional terms, making it unattractive for Iran (or other adversaries) to attack them back directly.

More generally, Gartkze’s arguments imply that cyberwar isn’t a weapon of the weak. Instead, it’s a weapon of the strong — it will be most attractive to those who already have powerful conventional militaries

[bigdog]

http://www.lawfareblog.com/2013/12/foreign-policy-essay-erik-gartzke-on-fear-and-war-in-cyberspace/


From the article:

Should we fear cyberspace?  The internet is said to be a revolutionary leveler, reducing the hard won military advantages of western powers, even as the dependence of developed nations on computer networks leaves them vulnerable to attack.  Incidents like the Stuxnet worm and cyber attacks against U.S. government computers, apparently launched from servers in China, seem to testify to the need for concern.  Yet, even if these details are correct—and some are not—there is no reason to believe that the internet constitutes an Achilles heel for the existing world order.  To the contrary, cyberwar promises major advantages for status quo powers like the United States.

[bigdog]

http://www.washingtonpost.com/blogs/monkey-cage/wp/2014/01/14/cybersecurity-and-cyberwar-a-qa-with-peter-singer/

From the article:

 In “Cybersecurity and Cyberwar: What Everyone Needs to Know,” we try to provide the kind of easy-to-read yet deeply informative resource book that has been missing on this crucial issue. The book is structured around the key questions of cybersecurity: how it all works, why it all matters, and what we can do? Along the way, we take readers on a tour of the important (and entertaining) issues and characters of cybersecurity, from the “Anonymous” hacker group and the Stuxnet computer virus to the new cyberunits of the Chinese and US militaries.

[Crafty_Dog]

Ah, the reading I could and would do if I were a wealthy man , , ,

[Crafty_Dog]

http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?nl=todaysheadlines&emc=edit_th_20140115&_r=0

[Crafty_Dog]

http://www.nytimes.com/2014/02/25/world/middleeast/obama-worried-about-effects-of-waging-cyberwar-in-syria.html?nl=todaysheadlines&emc=edit_th_20140225&_r=0

[Crafty_Dog]

http://www.nytimes.com/2014/03/12/opinion/the-future-of-internet-freedom.html?emc=edit_th_20140312&nl=todaysheadlines&nlid=49641193

[Crafty_Dog]

LEGALITY IN CYBERSPACE: AN ADVERSARY VIEW
Keir Giles with Andrew Monaghan

Executive Summary

The United States and its allies are in general agreement on the legal status of conflict in cyberspace. Although key principles remain unresolved, such as what precisely constitutes an armed attack or use of force in cyberspace, overall there is a broad legal consensus among Euro-Atlantic nations, that existing international law and international commitments are sufficient to regulate cyber conflict.

This principle is described in a range of authoritative legal commentaries. But these can imply misleadingly that this consensus is global and unchallenged. In fact, China, Russia, and a number of like-minded nations have an entirely different concept of the applicability of international law to cyberspace as a whole, including to the nature of conflict within it. These nations could therefore potentially operate in cyberspace according to entirely different understandings of what is permissible under international humanitarian law, the law of armed conflict, and other legal baskets governing conduct during hostilities.

U.S. policymakers cannot afford to underestimate the extent to which Russian concepts and approaches differ from what they may take for granted. This includes the specific question of when, or whether, hostile action in cyberspace constitutes an act or state of war. Recent Russian academic and military commentary stresses the blurring of the distinction between war and peace, and asks to what extent this distinction still exists. This suggestion of a shifting boundary between war and peace is directly relevant to consideration of at what point Russia considers itself to be at war and therefore subject to specific legal constraints on actions in cyberspace.

Conversely, a range of actions that are considered innocent and friendly by the United States and European nations are parsed as hostile actions by Russia, leading to Russian attempts to outlaw “interference in another state’s information space.” The Russian notion of what constitutes a cyber weapon—or in Russian terminology, an information weapon—is radically different from our assumptions.

Initiatives put forward by Russia for international cooperation on legal initiatives governing cyber activity have received a mixed response from other states. But they need to be taken into account because of the alternative consensus on cyber security opposing the views of the United States and its close allies, which is growing as a result of an effective Russian program of ticking up support for Moscow’s proposals from third countries around the world.

This monograph explores the Russian approach to legal constraints governing actions in cyberspace within the broader framework of the Russian understanding of the nature of international law and commitments, with the aim of informing U.S. military and civilian policymakers of views held by a potential adversary in cyberspace. Using a Russian perspective to examine the legal status of a range of activities in cyberspace, including what constitutes hostile activity, demonstrates that assumptions commonly held in the United States may need to be adjusted to counter effectively—or engage with—Russian cyber initiatives.

cont. at

Strategic Studies Institute and U.S. Army War College Press, U.S. Army War College

http://strategicstudiesinstitute.arm...cfm?pubID=1193

[Crafty_Dog]

http://www.foreignpolicy.com/articles/2014/04/24/the_blue_screen_of_death_at_30000_feet

[Crafty_Dog]

Hat tip to BigDog

http://www.washingtonpost.com/world/national-security/us-to-announce-first-criminal-charges-against-foreign-country-for-cyberspying/2014/05/19/586c9992-df45-11e3-810f-764fe508b82d_story.html?wpisrc=al_national

From the article:
The Justice Department is charging members of the Chinese military with conducting economic cyber-espionage against American companies, U.S. officials familiar with the case said Monday, marking the first time that the United States is leveling such criminal charges against a foreign country.

[DougMacG]

I agree with Rogers and Ruppersberger (China thread), a good first step, and applaud the administration for everything it gets right including this.

Noted that they hurt their credibility with previous mis-steps, but their history of acting unpredictably and arguably psychotically in other pursuits could leave the adversary with the uncertainty of whether they will be appeased like a Syrian tyrant or pursued relentlessly like a filmmaker or neighborhood tea party leader.

[Crafty_Dog]

http://www.capoliticalreview.com/capoliticalnewsandviews/cisco-to-obama-nsa-policies-killing-american-technology-companies-selling-to-other-nations/