[tt] Crypto-Gram: August 15, 2013

Eugen Leitl eugen@leitl.org
Fri Aug 23 04:38:02 PDT 2013


----- Forwarded message from Frank Forman <checker@panix.com> -----

Date: Fri, 23 Aug 2013 00:10:17 +0000 (GMT)
From: Frank Forman <checker@panix.com>
To: Transhuman Tech <tt@postbiota.org>
Subject: [tt] Crypto-Gram: August 15, 2013

Lots of alarming stuff.

Crypto-Gram: August 15, 2013
http://www.schneier.com/crypto-gram-1308.html

by Bruce Schneier
BT Security Futurologist
schneier@schneier.com
http://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights,
and commentaries on security: computer and otherwise.

In this issue:
* The Public/Private Surveillance Partnership
* The NSA is Commandeering the Internet
* Restoring Trust in Government and the Internet
* News
* Book Review: "Rise of the Warrior Cop"
* Schneier News
* Michael Hayden on the Effects of Snowden's Whistleblowing
* Counterterrorism Mission Creep
----
The Public/Private Surveillance Partnership

Imagine the government passed a law requiring all citizens to carry
a tracking device. Such a law would immediately be found
unconstitutional. Yet we all carry mobile phones.

If the National Security Agency required us to notify it whenever we
made a new friend, the nation would rebel. Yet we notify Facebook.
If the Federal Bureau of Investigation demanded copies of all our
conversations and correspondence, it would be laughed at. Yet we
provide copies of our e-mail to Google, Microsoft or whoever our
mail host is; we provide copies of our text messages to Verizon,
AT&T and Sprint; and we provide copies of other conversations to
Twitter, Facebook, LinkedIn, or whatever other site is hosting them.

The primary business model of the Internet is built on mass
surveillance, and our government's intelligence-gathering agencies
have become addicted to that data. Understanding how we got here is
critical to understanding how we undo the damage.

Computers and networks inherently produce data, and our constant
interactions with them allow corporations to collect an enormous
amount of intensely personal data about us as we go about our daily
lives. Sometimes we produce this data inadvertently simply by using
our phones, credit cards, computers and other devices. Sometimes we
give corporations this data directly on Google, Facebook, Apple
Inc.'s iCloud and so on in exchange for whatever free or cheap
service we receive from the Internet in return.

The NSA is also in the business of spying on everyone, and it has
realized it's far easier to collect all the data from these
corporations rather than from us directly. In some cases, the NSA
asks for this data nicely. In other cases, it makes use of subtle
threats or overt pressure. If that doesn't work, it uses tools like
national security letters.

The result is a corporate-government surveillance partnership, one
that allows both the government and corporations to get away with
things they couldn't otherwise.

There are two types of laws in the U.S., each designed to constrain
a different type of power: constitutional law, which places
limitations on government, and regulatory law, which constrains
corporations. Historically, these two areas have largely remained
separate, but today each group has learned how to use the other's
laws to bypass their own restrictions. The government uses
corporations to get around its limits, and corporations use the
government to get around their limits.

This partnership manifests itself in various ways. The government
uses corporations to circumvent its prohibitions against
eavesdropping domestically on its citizens. Corporations rely on the
government to ensure that they have unfettered use of the data they
collect.

Here's an example: It would be reasonable for our government to
debate the circumstances under which corporations can collect and
use our data, and to provide for protections against misuse. But if
the government is using that very data for its own surveillance
purposes, it has an incentive to oppose any laws to limit data
collection. And because corporations see no need to give consumers
any choice in this matter--because it would only reduce their
profits--the market isn't going to protect consumers, either.

Our elected officials are often supported, endorsed and funded by
these corporations as well, setting up an incestuous relationship
between corporations, lawmakers and the intelligence community.

The losers are us, the people, who are left with no one to stand up
for our interests. Our elected government, which is supposed to be
responsible to us, is not. And corporations, which in a market
economy are supposed to be responsive to our needs, are not. What we
have now is death to privacy--and that's very dangerous to
democracy and liberty.

The simple answer is to blame consumers, who shouldn't use mobile
phones, credit cards, banks or the Internet if they don't want to be
tracked. But that argument deliberately ignores the reality of
today's world. Everything we do involves computers, even if we're
not using them directly. And by their nature, computers produce
tracking data. We can't go back to a world where we don't use
computers, the Internet or social networking. We have no choice but
to share our personal information with these corporations, because
that's how our world works today.

Curbing the power of the corporate-private surveillance partnership
requires limitations on both what corporations can do with the data
we choose to give them and restrictions on how and when the
government can demand access to that data. Because both of these
changes go against the interests of corporations and the government,
we have to demand them as citizens and voters. We can lobby our
government to operate more transparently--disclosing the opinions
of the Foreign Intelligence Surveillance Court would be a good start
--and hold our lawmakers accountable when it doesn't. But it's not
going to be easy. There are strong interests doing their best to
ensure that the steady stream of data keeps flowing.

This essay originally appeared on Bloomberg.com.
http://www.bloomberg.com/news/2013-07-31/...

Corporations collecting data:
http://www.schneier.com/essay-324.html
http://www.schneier.com/essay-423.html
http://www.nationaljournal.com/magazine/...

Corporations cooperating with the NSA:
http://news.cnet.com/8301-13578_3-57593538-38/...
http://news.cnet.com/8301-13578_3-57595202-38/...
http://www.newyorker.com/online/blogs/elements/2013/...
http://news.cnet.com/8301-13578_3-57595529-38/...

How the partnership manifests itself:
http://www.bloomberg.com/news/2013-06-28/...
http://www.bloomberg.com/news/2013-06-30/...

Congress attempt to rein in NSA:
http://www.nytimes.com/2013/07/25/us/politics/...

The death of privacy:
https://www.schneier.com/essay-418.html

Disclosing FISA opinions:
http://www.bloomberg.com/news/2013-07-09/...
----
The NSA is Commandeering the Internet

It turns out that the NSA's domestic and world-wide surveillance
apparatus is even more extensive than we thought. Bluntly: The
government has commandeered the Internet. Most of the largest
Internet companies provide information to the NSA, betraying their
users. Some, as we've learned, fight and lose. Others cooperate,
either out of patriotism or because they believe it's easier that
way.

I have one message to the executives of those companies: fight.

Do you remember those old spy movies, when the higher ups in
government decide that the mission is more important than the spy's
life? It's going to be the same way with you. You might think that
your friendly relationship with the government means that they're
going to protect you, but they won't. The NSA doesn't care about you
or your customers, and will burn you the moment it's convenient to
do so.

We're already starting to see that. Google, Yahoo, Microsoft and
others are pleading with the government to allow them to explain
details of what information they provided in response to National
Security Letters and other government demands. They've lost the
trust of their customers, and explaining what they do--and don't
do--is how to get it back. The government has refused; they don't
care.

It will be the same with you. There are lots more high-tech
companies who have cooperated with the government. Most of those
company names are somewhere in the thousands of documents that
Edward Snowden took with him, and sooner or later they'll be
released to the public. The NSA probably told you that your
cooperation would forever remain secret, but they're sloppy. They'll
put your company name on presentations delivered to thousands of
people: government employees, contractors, probably even foreign
nationals. If Snowden doesn't have a copy, the next whistleblower
will.

This is why you have to fight. When it becomes public that the NSA
has been hoovering up all of your users' communications and personal
files, what's going to save you in the eyes of those users is
whether or not you fought. Fighting will cost you money in the short
term, but capitulating will cost you more in the long term.

Already companies are taking their data and communications out of
the US.

The extreme case of fighting is shutting down entirely. The secure
e-mail service Lavabit did that last week, abruptly. Ladar Levison,
that site's owner, wrote on his homepage: "I have been forced to
make a difficult decision: to become complicit in crimes against the
American people or walk away from nearly ten years of hard work by
shutting down Lavabit. After significant soul searching, I have
decided to suspend operations. I wish that I could legally share
with you the events that led to my decision."

The same day, Silent Circle followed suit, shutting down their
e-mail service in advance of any government strong-arm tactics: "We
see the writing on the wall, and we have decided that it is best for us
to shut down Silent Mail now. We have not received subpoenas,
warrants, security letters, or anything else by any government, and
this is why we are acting now." I realize that this is extreme. Both
of those companies can do it because they're small. Google or
Facebook couldn't possibly shut themselves off rather than cooperate
with the government. They're too large; they're public. They have to
do what's economically rational, not what's moral.

But they can fight. You, an executive in one of those companies, can
fight. You'll probably lose, but you need to take the stand. And you
might win. It's time we called the government's actions what they
really are: commandeering. Commandeering is a practice we're used to
in wartime, where commercial ships are taken for military use, or
production lines are converted to military production. But now it's
happening in peacetime. Vast swaths of the Internet are being
commandeered to support this surveillance state.

If this is happening to your company, do what you can to isolate the
actions. Do you have employees with security clearances who can't
tell you what they're doing? Cut off all automatic lines of
communication with them, and make sure that only specific, required,
authorized acts are being taken on behalf of government. Only then
can you look your customers and the public in the face and say that
you don't know what is going on--that your company has been
commandeered.

Journalism professor Jeff Jarvis recently wrote in the "Guardian":
"Technology companies: now is the moment when you must answer for
us, your users, whether you are collaborators in the US government's
efforts to 'collect it all'--our every move on the internet--or
whether you, too, are victims of its overreach."

So while I'm sure it's cool to have a secret White House meeting
with President Obama--I'm talking to you, Google, Apple, AT&T, and
whoever else was in the room--resist. Attend the meeting, but
fight the secrecy. Whose side are you on?

The NSA isn't going to remain above the law forever. Already public
opinion is changing, against the government and their corporate
collaborators. If you want to keep your users' trust, demonstrate
that you were on their side.

This essay originally appeared on TheAtlantic.com.
http://www.theatlantic.com/technology/archive/2013/...

Corporations and the NSA surveillance apparatus:
http://www.schneier.com/blog/archives/2013/08/...
http://www.schneier.com/essay-436.html
http://www.theatlanticwire.com/technology/2013/06/...
http://www.wired.com/threatlevel/2013/04/...
http://news.cnet.com/8301-13578_3-57593538-38/...
http://www.newyorker.com/online/blogs/elements/2013/...

Companies wanting more disclosure:
http://business.time.com/2013/07/18/...

Whistleblowing as civil disobedience:
http://www.zephoria.org/thoughts/archives/2013/07/...

Cooperating with NSA surveillance costs companies money:
http://boingboing.net/2013/08/08/...

Lavabit:
http://www.schneier.com/blog/archives/2013/08/...
http://boingboing.net/2013/08/08/...
http://lavabit.com/
http://www.forbes.com/sites/kashmirhill/2013/08/09/...

Silent Circle:
http://silentcircle.wordpress.com/2013/08/09/...

Jarvis essay:
http://www.theguardian.com/commentisfree/2013/aug/...

Tech companies meet with Obama:
http://www.huffingtonpost.com/2013/08/09/...

NSA is a criminal organization:
http://www.nytimes.com/2013/06/28/opinion/...

Regaining trust:
http://www.schneier.com/essay-435.html

Slashdot thread:
http://news.slashdot.org/story/13/08/12/1850229/...
----
Restoring Trust in Government and the Internet

In July 2012, responding to allegations that the video-chat service
Skype--owned by Microsoft--was changing its protocols to make it
possible for the government to eavesdrop on users, Corporate Vice
President Mark Gillett took to the company's blog to deny it.

Turns out that wasn't quite true.

Or at least he--or the company's lawyers--carefully crafted a
statement that could be defended as true while completely deceiving
the reader. You see, Skype wasn't changing its protocols to make it
possible for the government to eavesdrop on users, because the
government was already able to eavesdrop on users.

At a Senate hearing in March, Director of National Intelligence
James Clapper assured the committee that his agency didn't collect
data on hundreds of millions of Americans. He was lying, too. He
later defended his lie by inventing a new definition of the word
"collect," an excuse that didn't even pass the laugh test.

As Edward Snowden's documents reveal more about the NSA's
activities, it's becoming clear that we can't trust anything anyone
official says about these programs.

Google and Facebook insist that the NSA has no "direct access" to
their servers. Of course not; the smart way for the NSA to get all
the data is through sniffers.

Apple says it's never heard of PRISM. Of course not; that's the
internal name of the NSA database. Companies are publishing reports
purporting to show how few requests for customer-data access they've
received, a meaningless number when a single Verizon request can
cover all of their customers. The Guardian reported that Microsoft
secretly worked with the NSA to subvert the security of Outlook,
something it carefully denies. Even President Obama's justifications
and denials are phrased with the intent that the listener will take
his words very literally and not wonder what they really mean.

NSA Director Gen. Keith Alexander has claimed that the NSA's massive
surveillance and data mining programs have helped stop more than 50
terrorist plots, 10 inside the U.S. Do you believe him? I think it
depends on your definition of "helped." We're not told whether these
programs were instrumental in foiling the plots or whether they just
happened to be of minor help because the data was there. It also
depends on your definition of "terrorist plots." An examination of
plots that the FBI claims to have foiled since 9/11 reveals that
would-be terrorists have commonly been delusional, and most have
been egged on by FBI undercover agents or informants.

Left alone, few were likely to have accomplished much of anything.

Both government agencies and corporations have cloaked themselves in
so much secrecy that it's impossible to verify anything they say;
revelation after revelation demonstrates that they've been lying to
us regularly and tell the truth only when there's no alternative.

There's much more to come. Right now, the press has published only a
tiny percentage of the documents Snowden took with him. And
Snowden's files are only a tiny percentage of the number of secrets
our government is keeping, awaiting the next whistle-blower.

Ronald Reagan once said "trust but verify." That works only if we
can verify. In a world where everyone lies to us all the time, we
have no choice but to trust blindly, and we have no reason to
believe that anyone is worthy of blind trust. It's no wonder that
most people are ignoring the story; it's just too much cognitive
dissonance to try to cope with it.

This sort of thing can destroy our country. Trust is essential in
our society. And if we can't trust either our government or the
corporations that have intimate access into so much of our lives,
society suffers. Study after study demonstrates the value of living
in a high-trust society and the costs of living in a low-trust one.

Rebuilding trust is not easy, as anyone who has betrayed or been
betrayed by a friend or lover knows, but the path involves
transparency, oversight and accountability. Transparency first
involves coming clean. Not a little bit at a time, not only when you
have to, but complete disclosure about everything. Then it involves
continuing disclosure. No more secret rulings by secret courts about
secret laws. No more secret programs whose costs and benefits remain
hidden.

Oversight involves meaningful constraints on the NSA, the FBI and
others. This will be a combination of things: a court system that
acts as a third-party advocate for the rule of law rather than a
rubber-stamp organization, a legislature that understands what these
organizations are doing and regularly debates requests for increased
power, and vibrant public-sector watchdog groups that analyze and
debate the government's actions.

Accountability means that those who break the law, lie to Congress
or deceive the American people are held accountable. The NSA has
gone rogue, and while it's probably not possible to prosecute people
for what they did under the enormous veil of secrecy it currently
enjoys, we need to make it clear that this behavior will not be
tolerated in the future. Accountability also means voting, which
means voters need to know what our leaders are doing in our name.

This is the only way we can restore trust. A market economy doesn't
work unless consumers can make intelligent buying decisions based on
accurate product information. That's why we have agencies like the
FDA, truth-in-packaging laws and prohibitions against false
advertising.

In the same way, democracy can't work unless voters know what the
government is doing in their name. That's why we have
open-government laws. Secret courts making secret rulings on secret
laws, and companies flagrantly lying to consumers about the
insecurity of their products and services, undermine the very
foundations of our society.

Since the Snowden documents became public, I have been receiving
e-mails from people seeking advice on whom to trust. As a security
and privacy expert, I'm expected to know which companies protect
their users' privacy and which encryption programs the NSA can't
break. The truth is, I have no idea. No one outside the classified
government world does. I tell people that they have no choice but to
decide whom they trust and to then trust them as a matter of faith.
It's a lousy answer, but until our government starts down the path
of regaining our trust, it's the only thing we can do.

This essay originally appeared on CNN.com.
http://www.cnn.com/2013/07/31/opinion/...

Skype story:
http://blogs.skype.com/2012/07/26/...
http://www.bbc.co.uk/news/technology-19012415
http://www.nytimes.com/2013/06/20/technology/...
http://www.slate.com/blogs/future_tense/2013/07/12/...

Clapper story:
http://nymag.com/daily/intelligencer/2013/06/...
http://www.eff.org/deeplinks/2013/06/...

Government lies:
http://www.eff.org/nsa-spying/wordgames

How NSA sniffers actually work:
http://fabiusmaximus.com/2013/06/11/...

Published reports of NSA surveillance requests:
https://www.schneier.com/blog/archives/2013/06/...
http://www.wired.com/threatlevel/2013/06/nsa-numbers

Microsoft Outlook story:
http://www.guardian.co.uk/world/2013/jul/11/...
http://blogs.technet.com/b/microsoft_on_the_issues/...

General Alexander's justification:
http://www.washingtonpost.com/blogs/post-politics/...

Examining terrorist plots:
http://politicalscience.osu.edu/faculty/jmueller/...

The value of trust:
http://www.schneier.com/essay-412.html
http://www.worldvaluessurvey.org

Two more links describing how the US government lies about NSA
surveillance.
http://www.slate.com/articles/news_and_politics/...
https://projects.propublica.org/graphics/nsa-claims
----
News

A problem with the US Privacy and Civil Liberties Oversight Board:
http://www.schneier.com/blog/archives/2013/07/...

Interesting essay on the impossibility of being entirely lawful all
the time, the balance that results from the difficulty of law
enforcement, and the societal value of being able to break the law.
It is very much like my notion of "outliers" in my book "Liars and
Outliers."
http://www.thoughtcrime.org/blog/...

Good article on the longstanding practice of secretly tapping
undersea cables.
http://www.theatlantic.com/international/archive/...
This is news right now because of a new Snowden document.
http://www.washingtonpost.com/business/economy/...

An amazing e-mail from the DHS, instructing its employees not to
read Snowden's documents when they appear in the press.
http://www.schneier.com/blog/archives/2013/07/...

Edward Snowden has set up a dead man's switch. He's distributed
encrypted copies of his document trove to various people, and has
set up some sort of automatic system to distribute the key, should
something happen to him. Dead man's switches have a long history,
both for safety (the machinery automatically stops if the operator's
hand goes slack) and security reasons. WikiLeaks did the same thing
with the State Department cables. I'm not sure he's thought this
through, though. I would be more worried that someone would kill me
in order to get the documents released than I would be that someone
would kill me to prevent the documents from being released. Any
real-world situation involves multiple adversaries, and it's
important to keep all of them in mind when designing a security
system.
http://www.wired.com/threatlevel/2013/07/...

For a change, here's a good idea by the TSA:
http://www.schneier.com/blog/archives/2013/07/...

Violence as a source of trust in criminal societies:
http://themonkeycage.org/2013/07/11/...
http://rss.sagepub.com/content/25/3/263.abstract

I generally don't like stories about Snowden as a person, because
they distract from the real story of the NSA surveillance programs,
but this article on the costs and benefits of the US government
prosecuting Edward Snowden is worth reading.
http://www.lawfareblog.com/2013/07/...
Related is this article on whether Snowden can manage to avoid
arrest. Here's the ending:
http://www.cnn.com/2013/07/12/us/...

Marc Rotenberg of EPIC explains why he is suing the NSA in the
Supreme Court.
http://www.cnn.com/2013/07/17/opinion/...
And "USA Today" has a back and forth on the topic.
http://www.usatoday.com/story/opinion/2013/07/18/...
http://www.usatoday.com/story/opinion/2013/07/18/...

This is a succinct explanation of how the secrecy of the FISA court
undermines trust.
http://www.schneier.com/blog/archives/2013/07/...

In an effort to lock the barn door after the horse has escaped, the
NSA is implementing two-man control for sysadmins.
http://www.cbsnews.com/8301-250_162-57594486/...
This kind of thing has happened before. After USN Chief Warrant
Officer John Walker sold encryption keys to the Soviets, the Navy
implemented two-man control for key material. It's an effective, if
expensive, security measure--and an easy one for the NSA to
implement while it figures out what it really has to do to secure
information from IT insiders.
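Two-man control over key material is normally implemented as split knowledge: the key is divided into shares held by separate custodians, no single share reveals anything about the key, and every assembly of the key (including refused attempts) is logged so an insider acting alone is both blocked and visible. The Python below is an added illustration of that mechanism, not code from the newsletter or from the NSA or Navy programs it mentions; the custodian names, the sample key and the audit log format are constructed for the example, and the shares are produced by XOR splitting so that all shares are required.

```python
"""Two-man (dual-control) handling of key material via XOR split knowledge.

Added example, not code from Crypto-Gram or any agency program it describes.
Assumptions: the key is a raw byte string, each custodian holds exactly one
share, every custodian's share is needed, and each assembly attempt is logged.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


def split_key(key: bytes, custodians: List[str]) -> Dict[str, bytes]:
    """Split `key` into one share per custodian; all shares are needed to rebuild it."""
    if len(custodians) < 2:
        raise ValueError("dual control needs at least two custodians")
    if len(set(custodians)) != len(custodians):
        raise ValueError("custodian names must be unique")
    shares: Dict[str, bytes] = {}
    running = bytes(len(key))  # all-zero accumulator
    for name in custodians[:-1]:
        share = secrets.token_bytes(len(key))  # uniformly random, independent of key
        shares[name] = share
        running = bytes(a ^ b for a, b in zip(running, share))
    # The last share is chosen so that the XOR of every share equals the key.
    # Any proper subset of shares is still uniformly random and reveals nothing.
    shares[custodians[-1]] = bytes(a ^ b for a, b in zip(running, key))
    return shares


def reconstruct_key(presented: Dict[str, bytes], required: List[str]) -> bytes:
    """Rebuild the key only when every required custodian has presented a share."""
    missing = [name for name in required if name not in presented]
    if missing:
        raise PermissionError(f"dual control not satisfied; missing {missing}")
    lengths = {len(s) for s in presented.values()}
    if len(lengths) != 1:
        raise ValueError("shares must all have the same length")
    key = bytes(next(iter(lengths)))
    for name in required:
        key = bytes(a ^ b for a, b in zip(key, presented[name]))
    return key


@dataclass
class DualControlAudit:
    """Records every attempt to assemble the key, whether it was released or denied."""
    required: List[str]
    events: List[str] = field(default_factory=list)

    def assemble(self, presented: Dict[str, bytes], purpose: str) -> bytes:
        try:
            key = reconstruct_key(presented, self.required)
        except PermissionError as exc:
            # Denied attempts are the interesting signal for an insider-threat review.
            self.events.append(f"DENIED purpose={purpose!r} reason={exc}")
            raise
        self.events.append(
            f"RELEASED purpose={purpose!r} custodians={sorted(presented)}")
        return key


def demo() -> dict:
    """Constructed walk-through: one custodian alone is refused, both together succeed."""
    key = secrets.token_bytes(32)  # constructed sample key
    custodians = ["alice", "bob"]  # constructed custodian names
    shares = split_key(key, custodians)
    audit = DualControlAudit(required=custodians)
    outcome = {"single_share_rejected": False, "both_shares_ok": False}
    try:
        audit.assemble({"alice": shares["alice"]}, purpose="rotate backup key")
    except PermissionError:
        outcome["single_share_rejected"] = True
    rebuilt = audit.assemble(shares, purpose="rotate backup key")
    outcome["both_shares_ok"] = rebuilt == key
    outcome["audit"] = list(audit.events)
    return outcome


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The split generalises to any number of custodians (every share is still required), and the audit trail is what turns the control from a pure prevention measure into a detection one: a custodian repeatedly presenting a lone share is a pattern worth reviewing.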

The story of people who poach and collect rare eggs, and the people
who hunt them down.
http://www.newyorker.com/reporting/2013/07/22/...
Securing wildlife against poachers is a difficult problem,
especially when the defenders are poor countries with not a lot of
resources.

We're starting to see Internet companies talk about the mechanics of
how the US government spies on their users. Here, a Utah ISP owner
describes his experiences with NSA eavesdropping:
http://www.buzzfeed.com/justinesharrock/...
Declan McCullagh explains how the NSA coerces companies to cooperate
with its surveillance efforts. Basically, they want to avoid what
happened with the Utah ISP.
http://news.cnet.com/8301-13578_3-57593538-38/...
And Brewster Kahle of the Internet Archive explains how he
successfully fought a National Security Letter.
http://www.newyorker.com/online/blogs/elements/2013/...

Secret information is more trusted:
http://www.nytimes.com/2013/06/30/opinion/sunday/...
Original paper abstract:
http://onlinelibrary.wiley.com/doi/10.1111/...

NSA cracked the Kryptos Sculpture (parts one, two, and three) years
before the CIA did.
http://www.wired.com/threatlevel/2013/07/...
The fourth part is still uncracked.
http://www.schneier.com/blog/archives/2013/06/...
http://www.schneier.com/blog/archives/2006/04/...

The Obama Administration has a comprehensive "insider threat"
program to detect leakers from within government. This is
pre-Snowden. Not surprisingly, the combination of profiling and "see
something, say something" is unlikely to work.
http://www.mcclatchydc.com/2013/06/20/194513/...
http://www.mcclatchydc.com/2013/07/09/196211/...
http://www.theatlantic.com/politics/archive/2013/07/...

This is a really clever social engineering attack against a
bank-card holder.
http://www.guardian.co.uk/money/blog/2013/jul/29/...

Research on why some neighborhoods feel safer.
http://www.theatlanticcities.com/neighborhoods/2013/...
http://www.plosone.org/article/...
I've written about the feeling and reality of security, and how
they're different.
https://www.schneier.com/essay-213.html
https://www.schneier.com/essay-170.html
That's also the subject of this TEDx talk.
http://www.ted.com/talks/bruce_schneier.html
Yes, it's security theater: things that make a neighborhood *feel*
safer rather than actually safer. But when the neighborhood is
actually safer than people think it is, this sort of security
theater has value.
https://www.schneier.com/blog/archives/2007/01/...
Two related links:
http://www.economist.com/news/briefing/...
http://blogsofwar.com/2013/05/01/...

This is what happens when you're a security writer and you piss off
the wrong people: they conspire to have heroin mailed to you, and
then to tip off the police. And that's after they've called in a
fake hostage situation.
https://krebsonsecurity.com/2013/07/...

The UK has banned researchers from revealing details of security
vulnerabilities in car locks. In 2008, Philips brought a similar
suit against researchers who broke the Mifare chip. That time, they
lost. This time, Volkswagen sued and won.
http://www.guardian.co.uk/technology/2013/jul/26/...
http://www.telegraph.co.uk/technology/10205983/...
http://www.bbc.co.uk/news/technology-23487928
http://news.techworld.com/security/3461155/...
http://www.bailii.org/ew/cases/EWHC/Ch/2013/1832.html
This is bad news for security researchers. (Remember back in 2001
when security researcher Ed Felten sued the RIAA in the US to be
able to publish his research results?) We're not going to improve
security unless we're allowed to publish our results. And we can't
start suppressing scientific results, just because a big corporation
doesn't like what it does to their reputation.

Richard Bejtlich and Thomas Rid (author of the excellent book "Cyber
War Will Not Take Place") debate the cyberwar threat on "The
Economist" website.
http://www.economist.com/debate/overview/256

There was a story about how searching for a pressure cooker and
backpacks got one family investigated by the police. It was
initially reported as NSA eavesdropping, but it wasn't. And as more
of the facts came out, it seemed pretty reasonable overall.
http://www.schneier.com/blog/archives/2013/08/...

The "Guardian" discusses a new secret NSA program: XKeyscore. It's
the desktop system that allows NSA agents to spy on anyone over the
Internet in real time. It searches existing NSA databases--
presumably including PRISM--and can create fingerprints to search
for all future data collections from systems like TRAFFIC THIEF.
This seems to be what Edward Snowden meant when he said that he had
the ability to spy on any American, in real time, from his desk.
http://www.theguardian.com/world/2013/jul/31/...

There's speculation that the FBI is responsible for an exploit that
compromised the Tor anonymity service. Note that Tor Browser Bundles
installed or updated after June 26 are secure.
http://www.wired.com/threatlevel/2013/08/...
https://openwatch.net/i/200/...
http://www.twitlonger.com/show/n_1rlo0uu
http://www.bbc.co.uk/go/em/fr/-/news/...
http://www.metafilter.com/130629/...
https://blog.torproject.org/blog/...

The further Kip Hawley has gotten from running the TSA, the more
sense he has started to make. This is pretty good.
http://www.cnn.com/2013/08/06/opinion/hawley-tsa/...

Twitter just rolled out a pretty nice two-factor authentication
system using your smart phone as the second factor.
http://www.wired.com/threatlevel/2013/08/...

Latest movie-plot threat: explosive-dipped clothing. It's being
reported, although there's no indication of where this rumor is
coming from or what it's based on. I can see the trailer now. "In a
world where your very clothes might explode at any moment, Bruce
Willis is, Bruce Willis in a Michael Bay film: BLOW UP! Co-starring
Lindsay Lohan..." I guess there's nothing to be done but to force
everyone to fly naked.
http://abcnews.go.com/Blotter/...

Lots of sports stadiums have instituted draconian new rules. Here
are the rules for St. Louis Rams games.
http://blog.stlouisrams.com/2013/06/13/...
Of course, you're supposed to think this is about terrorism. My
guess is that this is to help protect the security of the profits at
the concession stands.

General Keith Alexander thinks he can improve security by automating
sysadmin duties such that 90% of them can be fired. Does anyone know
a sysadmin anywhere who believes it's possible to automate 90% of
his job? Or who thinks any such automation will actually improve
security? He's stuck. Computerized systems require trusted people to
administer them. And any agency with all that computing power is
going to need thousands of sysadmins. Some of them are going to be
whistleblowers.
http://www.businessinsider.com/...
Leaking secret information is the civil disobedience of our age.
Alexander has to get used to it.
http://www.zephoria.org/thoughts/archives/2013/07/...

The 2013 Cryptologic History Symposium, sponsored by the NSA, will
be held at Johns Hopkins University this October.
http://www.nsa.gov/about/cryptologic_heritage/...

Rangzen looks like a really interesting ad hoc mesh networking
system to circumvent government-imposed communications blackouts. I
am particularly interested in how it uses reputation to determine
who can be trusted, while maintaining some level of anonymity.
http://rangzen.denovogroup.org/wp/
http://www.eecs.berkeley.edu/Pubs/TechRpts/2013/...
This is exactly the sort of thing I was thinking about in this
essay.
https://www.schneier.com/essay-420.html

This essay is filled with historical MI5 stories--often bizarre,
sometimes amusing.
http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER
----
Book Review: "Rise of the Warrior Cop"

"Rise of the Warrior Cop: The Militarization of America's Police
Forces," by Radley Balko, PublicAffairs, 2013, 400 pages.

War as a rhetorical concept is firmly embedded in American culture.
Over the past several decades, federal and local law enforcement has
been enlisted in a war on crime, a war on drugs and a war on terror.
These wars are more than just metaphors designed to rally public
support and secure budget appropriations. They change the way we
think about what the police do. Wars mean shooting first and asking
questions later. Wars require military tactics and weaponry. Wars
mean civilian casualties.

Over the decades, the war metaphor has resulted in drastic changes
in the way the police operate. At both federal and state levels, the
formerly hard line between police and military has blurred. Police
are increasingly using military weaponry, employing military tactics
and framing their mission using military terminology. Right now,
there is a Third Amendment case--that's the one about quartering
soldiers in private homes without consent--making its way through
the courts. It involves someone who refused to allow the police to
occupy his home in order to gain a "tactical advantage" against the
house next-door. The police returned later, broke down his door,
forced him to the floor and then arrested him for obstructing an
officer. They also shot his dog with pepperball rounds. It's hard to
argue with the premise of this case; police officers are acting so
much like soldiers that it can be hard to tell the difference.

In "Rise of the Warrior Cop," Radley Balko chronicles the steady
militarization of the police in the U.S. A detailed history of a
dangerous trend, Mr. Balko's book tracks police militarization over
the past 50 years, a period that not coincidentally corresponds with
the rise of SWAT teams. First established in response to the armed
riots of the late 1960s, they were originally exclusive to big
cities and deployed only against heavily armed and dangerous
criminals. Today SWAT teams are nothing special. They've multiplied
like mushrooms. Every city has a SWAT team; 80% of towns between
25,000 and 50,000 people do as well. These teams are busy; in 2005
there were between 50,000 and 60,000 SWAT raids in the U.S. The
tactics are pretty much what you would expect--breaking down
doors, rushing in with military weaponry, tear gas--but the
targets aren't. SWAT teams are routinely deployed against illegal
poker games, businesses suspected of employing illegal immigrants
and barbershops with unlicensed hair stylists.

In Prince George's County, MD, alone, SWAT teams were deployed about
once a day in 2009, overwhelmingly to serve search or arrest
warrants, and half of those warrants were for "misdemeanors and
nonserious felonies." Much of Mr. Balko's data is approximate,
because police departments don't publish data, and they uniformly
oppose any attempts at transparency or oversight. But he has good
Maryland data from 2009 on, because after the mayor of Berwyn
Heights was mistakenly attacked and terrorized in his home by a SWAT
team in 2008, the state passed a law requiring police to report
quarterly on their use of SWAT teams: how many times, for what
purposes and whether any shots were fired during the raids.

Besides documenting policy decisions at the federal and state
levels, the author examines the influence of military contractors
who have looked to expand into new markets. And he tells some pretty
horrific stories of SWAT raids gone wrong. A lot of dogs get shot in
the book. Most interesting are the changing attitudes of police. As
the stories progress from the 1960s to the 2000s, we see police
shift from being uncomfortable with military weapons and tactics--
and deploying them only as the very last resort in the most extreme
circumstances--to accepting and even embracing their routine use.

This development coincides with the rhetorical use of the word
"war." To the police, civilians are citizens to protect. To the
military, we are a population to be subdued. Wars can temporarily
override the Constitution. When the Justice Department walks into
Congress with requests for money and new laws to fight a war, it is
going to get a different response than if it came in with a story
about fighting crime. Maybe the most chilling quotation in the book
is from William French Smith, President Reagan's first attorney
general: "The Justice Department is not a domestic agency. It is the
internal arm of national defense." Today we see that attitude in the
war on terror. Because it's a war, we can arrest and imprison
Americans indefinitely without charges. We can eavesdrop on the
communications of all Americans without probable cause. We can
assassinate American citizens without due process. We can have
secret courts issuing secret rulings about secret laws. The
militarization of the police is just one aspect of an increasing
militarization of government.

Mr. Balko saves his prescriptions for reform until the last chapter.
Two of his fixes, transparency and accountability, are good remedies
for all governmental overreach. Specific to police departments, he
also recommends halting mission creep, changing police culture and
embracing community policing. These are far easier said than done.
His final fix is ending the war on drugs, the source of much police
violence. To this I would add ending the war on terror, another
rhetorical war that costs us hundreds of billions of dollars, gives
law enforcement powers directly prohibited by the Constitution and
leaves us no safer.

This essay originally appeared in the "Wall Street Journal."
http://online.wsj.com/article/...

http://www.amazon.com/...

Related essay.
http://www.newyorker.com/online/blogs/comment/2013/...
----
Schneier News

My blog has made the "Time" magazine "25 Best Bloggers 2013 Edition"
list.
http://techland.time.com/2013/08/05/...

Good review of the strengths and weaknesses of "Cryptography
Engineering" and "Applied Cryptography." Best--at least to me--
is the list of things missing, which we'll have to address if we do
another edition.
http://sockpuppet.org/blog/2013/07/22/...

Mikko Hypponen and I answered questions about PRISM on the TED
website.
http://blog.ted.com/2013/07/17/...
----
Michael Hayden on the Effects of Snowden's Whistleblowing

Former NSA director Michael Hayden lists three effects of the
Snowden documents:

* "...the undeniable operational effect of informing adversaries of
American intelligence's tactics, techniques and procedures."

* "...the undeniable economic punishment that will be inflicted on
American businesses for simply complying with American law."

* "...the erosion of confidence in the ability of the United States
to do *anything* discreetly or keep *anything* secret."

It's an interesting list, and one that you'd expect from an NSA
person. Actually, the whole essay is about what you'd expect from a
former NSA person.

My reactions:

* This, I agree, is actual damage. From what I can tell, Snowden has
done his best to minimize it. And both the Guardian and the
Washington Post refused to publish materials he provided, out of
concern for US national security. Hayden believes that both the
Chinese and the Russians have Snowden's entire trove of documents,
but I'm less convinced. Everyone is acting under the assumption that
the NSA has compromised everything, which is probably a good
assumption.

* Hayden has it backwards--this is good. I hope that companies
that have cooperated with the NSA are penalized in the market. If we
are to expect the market to solve any of this, we need the cost of
cooperating to be greater than the cost of fighting. If we as
consumers punish companies that have complied with the NSA, they'll
be less likely to roll over next time.

* In the long run, this might turn out to be a good thing, too. In
the Internet age, secrecy is a lot harder to maintain. The countries
that figure this out first will be the countries that do well in the
coming decades.

And, of course, Hayden lists his "costs" without discussing the
benefits. Exposing secret government overreach, a secret agency gone
rogue, and a secret court that's failing in its duties are
enormously beneficial. Snowden has blown a whistle that long needed
blowing--it's the only way we can ever hope to fix this. And Hayden
completely ignores the very real question as to whether these
enormous NSA data-collection programs provide any real benefits.

I'm also tired of this argument: "But it takes a special kind of
arrogance for this young man to believe that his moral judgment on
the dilemma suddenly trumps that of two (incredibly different)
presidents, both houses of the U.S. Congress, both political
parties, the U.S. court system and more than 30,000 of his
co-workers."

It's like President Obama claiming that the NSA programs are
"transparent" because they were cleared by a secret court that only
ever sees one side of the argument, or that Congress has provided
oversight because a few legislators were allowed to know some of
what was going on but forbidden from talking to *anyone* about it.

http://www.cnn.com/2013/07/19/opinion/...

The NSA has gone rogue:
http://www.nytimes.com/2013/06/28/opinion/...

NSA surveillance cost/benefits:
https://chronicle.com/blogs/conversation/2013/06/13/...

Obama's comments on NSA transparency:
http://www.usatoday.com/story/theoval/2013/06/18/...
----
Counterterrorism Mission Creep

One of the assurances I keep hearing about the U.S. government's
spying on American citizens is that it's only used in cases of
terrorism. Terrorism is, of course, an extraordinary crime, and its
horrific nature is supposed to justify permitting all sorts of
excesses to prevent it. But there's a problem with this line of
reasoning: mission creep. The definitions of "terrorism" and "weapon
of mass destruction" are broadening, and these extraordinary powers
are being used, and will continue to be used, for crimes other than
terrorism.

Back in 2002, the Patriot Act greatly broadened the definition of
terrorism to include all sorts of "normal" violent acts as well as
non-violent protests. The term "terrorist" is surprisingly broad;
since the terrorist attacks of 9/11, it has been applied to people
you wouldn't normally consider terrorists.

The most egregious example of this is the three anti-nuclear
pacifists, including an 82-year-old nun, who cut through a
chain-link fence at the Oak Ridge nuclear-weapons-production
facility in 2012. While they were originally arrested on a
misdemeanor trespassing charge, the government kept increasing their
charges as the facility's security lapses became more embarrassing.
Now the protestors have been convicted of violent crimes of
terrorism--and remain in jail.

Meanwhile, a Tennessee government official claimed that complaining
about water quality could be considered an act of terrorism. To the
government's credit, he was subsequently demoted for those remarks.

The notion of making a terrorist threat is older than the current
spate of anti-terrorism craziness. It basically means threatening
people in order to terrorize them, and can include things like
pointing a fake gun at someone, threatening to set off a bomb, and
so on. A Texas high-school student recently spent five months in
jail for writing the following on Facebook: "I think I'ma shoot up a
kindergarten. And watch the blood of the innocent rain down. And eat
the beating heart of one of them." Last year, two Irish tourists
were denied entry at the Los Angeles Airport because of some
misunderstood tweets.

Another term that's expanded in meaning is "weapon of mass
destruction." The law is surprisingly broad, and includes anything
that explodes, leading political scientist and terrorism-fear
skeptic John Mueller to comment:

As I understand it, not only is a grenade a weapon of mass
destruction, but so is a maliciously-designed child's rocket even
if it doesn't have a warhead. On the other hand, although a
missile-propelled firecracker would be considered a weapon of
mass destruction if its designers had wanted to think of it as a
weapon, it would not be so considered if it had previously been
designed for use as a weapon and then redesigned for pyrotechnic
use or if it was surplus and had been sold, loaned, or given to
you (under certain circumstances) by the secretary of the army
....

All artillery, and virtually every muzzle-loading military long
arm for that matter, legally qualifies as a WMD. It does make the
bombardment of Ft. Sumter all the more sinister. To say nothing
of the revelation that The Star Spangled Banner is in fact an
account of a WMD attack on American shores.

After the Boston Marathon bombings, one commentator described our
use of the term this way: "What the United States means by terrorist
violence is, in large part, 'public violence some weirdo had the
gall to carry out using a weapon other than a gun.' ... Mass
murderers who strike with guns (and who don't happen to be Muslim)
are typically read as psychopaths disconnected from the larger
political sphere." Sadly, there's a lot of truth to that.

Even as the definition of terrorism broadens, we have to ask how far
we will extend that arbitrary line. Already, we're using these
surveillance systems in other areas. A raft of secret court rulings
has recently expanded the NSA's eavesdropping powers to include
"people possibly involved in nuclear proliferation, espionage and
cyberattacks." A "little-noticed provision" in a 2008 law expanded
the definition of "foreign intelligence" to include "weapons of mass
destruction," which, as we've just seen, is surprisingly broad.

A recent "Atlantic" essay asks, somewhat facetiously, "If PRISM is
so good, why stop with terrorism?" The author's point was to discuss
the value of the Fourth Amendment, even if it makes the police less
efficient. But it's actually a very good question. Once the NSA's
ubiquitous surveillance of all Americans is complete--once it has
the ability to collect and process all of our emails, phone calls,
text messages, Facebook posts, location data, physical mail,
financial transactions, and who knows what else--why limit its use
to cases of terrorism? I can easily imagine a public groundswell of
support to use it to help solve some other heinous crime, like a
kidnapping. Or maybe a child-pornography case. From there, it's an
easy step to enlist NSA surveillance in the continuing war on drugs;
that's certainly important enough to warrant regular access to the
NSA's databases. Or maybe to identify illegal immigrants. After all,
we've already invested in this system, we might as well get as much
out of it as we possibly can. Then it's a short jump to the trivial
examples suggested in the "Atlantic" essay: speeding and illegal
downloading. This "slippery slope" argument is largely speculative,
but we've already started down that incline.

Criminal defendants are starting to demand access to the NSA data
that they believe will exonerate themselves. How can a moral
government refuse this request?

More humorously, the NSA might have created the best backup system
ever.

Technology changes slowly, but political intentions can change very
quickly. In 2000, I wrote in my book "Secrets and Lies" about police
surveillance technologies: "Once the technology is in place, there
will always be the temptation to use it. And it is poor civic
hygiene to install technologies that could someday facilitate a
police state." Today we're installing technologies of ubiquitous
surveillance, and the temptation to use them will be overwhelming.

This essay originally appeared in TheAtlantic.com.
http://www.theatlantic.com/politics/archive/2013/07/...

The definition of terrorism has broadened:
http://www.aclu.org/national-security/...

The anti-nuclear pacifists:
http://www.commondreams.org/view/2013/05/15-7

Tennessee official story:
http://www.huffingtonpost.com/2013/06/22/...
http://www.memphisdailynews.com/news/2013/jul/4/...

Texas high-school student story:
http://www.nydailynews.com/news/national/...

Irish tourist story:
http://www.bbc.co.uk/news/technology-16810312

"Weapon of mass destruction" story:
http://www.law.cornell.edu/uscode/text/18/2332a

Mueller comment:
http://www.schneier.com/blog/archives/2009/04/...

Quote about what a terrorist is:
http://www.salon.com/2013/04/28/...

Secret court rulings on NSA power:
https://www.nytimes.com/2013/07/07/us/...

Atlantic article:
http://www.theatlantic.com/politics/archive/2013/07/...

Other agencies are already asking to use the NSA data: "Agencies
working to curb drug trafficking, cyberattacks, money laundering,
counterfeiting and even copyright infringement complain that their
attempts to exploit the security agency's vast resources have often
been turned down because their own investigations are not considered
a high enough priority, current and former government officials
say."
http://www.nytimes.com/2013/08/04/us/...

The Drug Enforcement Agency is already using this data, and lying
about it:
http://www.reuters.com/article/2013/08/05/...

Defendants demanding NSA data:
http://www.nbcnews.com/technology/...
http://rt.com/usa/nsa-surveillance-judge-records-900/

NSA as a backup system:
http://nesaranews.blogspot.com/2013/07/...

Ubiquitous surveillance:
https://www.schneier.com/essay-418.html
----
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security:
computer and otherwise. You can subscribe, unsubscribe, or change
your address on the Web at
<http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its
entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an
internationally renowned security technologist, called a "security
guru" by The Economist. He is the author of 12 books--including
"Liars and Outliers: Enabling the Trust Society Needs to Survive"--
as well as hundreds of articles, essays, and academic papers. His
influential newsletter "Crypto-Gram" and his blog "Schneier on
Security" are read by over 250,000 people. He has testified before
Congress, is a frequent guest on television and radio, has served on
several government committees, and is regularly quoted in the press.
Schneier is a fellow at the Berkman Center for Internet and Society
at Harvard Law School, a program fellow at the New America
Foundation's Open Technology Institute, a board member of the
Electronic Frontier Foundation, an Advisory Board Member of the
Electronic Privacy Information Center, and the Security Futurologist
for BT--formerly British Telecom. See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.

----- End forwarded message -----