NSA Watching

So is “watching” a verb, or is “NSA Watching” a noun? Sometimes I love the ambiguity of English… ;-)

First, a bit of humor. Seems that at the end of May something odd happened at the NSA building in Fort Meade.

http://www.theregister.co.uk/2015/03/30/nsa_hq_rammed/

Cross-dressing blokes storm NSA HQ: One shot dead, one hurt

Fort Meade scene of bizarre and fatal Monday morning

Yes, attack of the Cross Dressers… Somehow I missed that on the nightly news. I would have expected it to get more air play…

30 Mar 2015 at 17:41, Iain Thomson

One man is dead and another seriously hurt after they tried ramming a car into the gates of the NSA’s headquarters in Fort Meade, Maryland.

Just before 9am on Monday, Eastern Time, the two men – dressed as women – attempted to smash through a checkpoint and into the data center complex using a stolen Ford Explorer, NBC reports.

NSA cops opened fire after the pair refused to stop, the agency said in a statement to The Register. One man in the car was shot and killed, the other was seriously wounded and airlifted to hospital. A security guard was mildly hurt. The Ford also careered into an NSA motor.

“The shooting scene is contained and we do not believe it is related to terrorism,” the FBI’s Baltimore office said in a statement. “We are working with the US Attorney’s Office in Maryland to determine if federal charges are warranted.”

I’m sorry, I’m just at a loss for words…

Then, in more recent news, The NSA Giant Data Vacuum Cleaner Program takes a hit:

http://www.politico.com/story/2015/05/nsa-phone-data-collection-illegal-court-ruling-117725.html

Appeals court rules that NSA phone surveillance program is illegal

The judges didn’t address whether the program violated the Constitution.

By JOSH GERSTEIN 5/7/15 9:54 AM EDT Updated 5/7/15 12:30 PM EDT

A federal appeals court has ruled that the National Security Agency program to collect information on billions of telephone calls made or received by Americans is illegal.

In an opinion issued Thursday, a three-judge panel from the New York-based 2nd Circuit U.S. Court of Appeals held that a law Congress passed allowing collection of information relevant to terrorism investigations does not authorize the so-called “bulk collection” of phone records on the scale of the NSA program. The judges did not address whether the program violated the Constitution.

Writing for a unanimous panel, Judge Gerard Lynch said allowing the government to gather data in a blanket fashion was not consistent with the statute used to carry out the program: Section 215 of the PATRIOT Act.
[…]
“The interpretation that the government asks us to adopt defies any limiting principle. The same rationale that it proffers for the ‘relevance’ of telephone metadata cannot be cabined to such data, and applies equally well to other sets of records,” Lynch added. “If the government is correct, it could use § 215 to collect and store in bulk any other existing metadata available anywhere in the private sector, including metadata associated with financial records, medical records, and electronic communications (including email and social media information) relating to all Americans.”

From the “well Duh!” department… They are sucking up anything not nailed down and using crowbars and small explosives to knock them loose. (Electronically speaking).

The 2nd Circuit, which acted on a lawsuit brought by the American Civil Liberties Union, is the first appeals court to rule on the legality of the telephone metadata program that came to light after leaks from former NSA contractor Edward Snowden. The program was repeatedly authorized by a special intelligence court in Washington. Two other federal appeals courts are currently considering similar challenges.

The legal provision the 2nd Circuit found inadequate is set to expire on June 1. Language in the court’s ruling allows the program to continue through that time.

So it’s illegal, for now, but they can keep doing it until June 1, when it expires, by which time Congress will have passed something new that might or might not be illegal; we’ll find out in about 15 years when THAT law and the cases brought against it finally get through the court challenge process. Other data suckage isn’t covered by this telco ruling. Oh, and any bets on how much of the illegally collected data will be erased?

Sheesh. But at least it is one small step. Even if it doesn’t do much more than a step in a “moon walk” dance…

Then there is just what all they are gathering:

http://www.theregister.co.uk/2013/09/05/nsa_gchq_ssl_reports/

Reports: NSA has compromised most internet encryption

There goes the neighborhood

5 Sep 2013 at 21:44, Jack Clark

The NSA and the GCHQ have compromised much encryption used on the internet through a potent mix of technological theft, spycraft, and collaboration with major technology companies, according to new reports.

The GCHQ are the British equivalent of the USA NSA. They work closely together so that when one nation has a law saying “but you can’t spy on your own people” the other one can do it instead and then they “share”…

Then the PRISM program is where they have “worked with” companies like Cisco, Microsoft and, as of 2012, Apple (per one report) to make “official access” easier… and folks wonder why I’m interested in “roll your own” systems… and will NOT use a UEFI boot loader box for anything I want really secure (it layers about 100 MB of an operating system you cannot control nor really watch between you and the hardware…).

In a series of news articles that highlight how the code-breaking crypto-fiddling agencies NSA and GCHQ are doing their job, ProPublica, The New York Times, and The Guardian, disclosed on Thursday a wide-ranging campaign by the spies to smash internet crypto methods so to better slurp data from the world+dog.

The NSA “has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show,” the NYT reports.

Though thin on specifics, the stories clearly outline that the agencies have developed a variety of methods to attack and gain access to data secured by either SSL, or inside a virtual private network (VPN). They also imply that they have put backdoors into crypto-systems and potentially widely used digital components, as well.

The spies have also worked with technology companies to gain a direct line to data stored in their servers, though the documents do not specify which companies in particular. Analysts can slurp away at the decrypted data through a highly classified program named “Bullrun”.

“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies. … Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable,” one memo from 2010 given to the spies at GCHQ, says.
[…]
The gist of the reports is that the agencies have probably compromised SSL via gaining certificates and encryption keys to the point where they can perform man-in-the-middle attacks on widely used applications. GCHQ is alleged to have broken the security on some 30 VPN systems, and has plans to get into 300 by 2015.

And that, my friends, is why I hate using email for anything, really; why I don’t do text messages if at all possible and try to limit them to “OK” and “Nope” and the occasional “Coffee at the usual”…

It is also why I’m glad to say I have 5 “main” compute engines at the moment, with 3 operating systems on 2 of them, and able to boot another half dozen. Many with NO disk storage and lots of encryption, along with at least 3 browsers on most of them. Bits scattered far and wide. At any one time, 90% of my “compute space” is powered down (and often, when powered up, the router is down…). That is also why “my stuff” tends to be stored encrypted on external media (taking the machine doesn’t help, and a powered down external drive is hard to decrypt…especially over a wire remotely).

Then there is the router that sits right under the monitor where I can watch the “blinky lights”. IF I’m not actively moving data, those lights need to not blink much at all. More than once I’ve pulled the plug until I could figure out what “automated update” or overly aggressive web page w/video was abusing their privileges on my box…
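The software equivalent of watching the blinky lights, as an added example (not code from the original post): the Linux kernel exposes per-interface byte counters in /proc/net/dev, and comparing two snapshots tells you whether the box moved more data than an idle machine should. The snapshots below are constructed in the same column layout as the real file; the interface name, the 2000 bytes/second idle threshold and the 10-second sampling interval are assumptions for the demo.

```python
"""Software stand-in for watching the router's blinky lights on an idle box.

Added example, not code from the original post. Samples of the Linux
/proc/net/dev counter file are compared pairwise; any interval where an
interface moved more bytes per second than an idle machine should is flagged,
so the owner can go looking for the "automated update" behind it.
"""
from __future__ import annotations

# Constructed /proc/net/dev contents (same column layout as the real file).
HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
)


def snapshot(rx_eth0: int, tx_eth0: int, rx_lo: int = 12000, tx_lo: int = 12000) -> str:
    """Build one constructed /proc/net/dev snapshot with loopback and eth0 rows."""
    zeros_rx = "    0    0    0     0          0         0"
    zeros_tx = "    0    0    0     0       0          0"
    lo = f"    lo: {rx_lo:8d} {rx_lo // 120:7d}{zeros_rx} {tx_lo:8d} {tx_lo // 120:7d}{zeros_tx}\n"
    eth = f"  eth0: {rx_eth0:8d} {rx_eth0 // 125:7d}{zeros_rx} {tx_eth0:8d} {tx_eth0 // 120:7d}{zeros_tx}\n"
    return HEADER + lo + eth


# (seconds since start, file contents): the box is supposedly idle the whole time.
SNAPSHOTS = [
    (0, snapshot(5_000_000, 3_000_000)),
    (10, snapshot(5_004_000, 3_002_000)),   # ~400 B/s in, ~200 B/s out: background noise
    (20, snapshot(5_010_000, 3_003_000)),   # still quiet
    (30, snapshot(5_210_000, 3_043_000)),   # 20 kB/s in, 4 kB/s out: something woke up
]


def parse_net_dev(text: str) -> dict[str, tuple[int, int]]:
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev contents."""
    counters: dict[str, tuple[int, int]] = {}
    for line in text.splitlines():
        if ":" not in line:          # the two header lines carry no colon
            continue
        iface, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 9:
            continue
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))  # rx bytes, tx bytes
    return counters


def read_proc_net_dev(path: str = "/proc/net/dev") -> str:
    """Read the live counter file (Linux only); the constructed demo does not need it."""
    with open(path, encoding="ascii") as f:
        return f.read()


def idle_alerts(
    snapshots: list[tuple[int, str]],
    max_bytes_per_sec: float = 2000.0,
    ignore: tuple[str, ...] = ("lo",),
) -> list[tuple[str, int, int, float, float]]:
    """Flag (iface, t_start, t_end, rx_rate, tx_rate) for intervals above the idle threshold."""
    alerts = []
    prev_t, prev = None, None
    for t, text in snapshots:
        cur = parse_net_dev(text)
        if prev is not None and t > prev_t:
            dt = t - prev_t
            for name, (rx, tx) in cur.items():
                if name in ignore or name not in prev:
                    continue
                d_rx, d_tx = rx - prev[name][0], tx - prev[name][1]
                if d_rx < 0 or d_tx < 0:   # 32-bit counter wrap or interface reset: skip interval
                    continue
                rx_rate, tx_rate = d_rx / dt, d_tx / dt
                if max(rx_rate, tx_rate) > max_bytes_per_sec:
                    alerts.append((name, prev_t, t, rx_rate, tx_rate))
        prev_t, prev = t, cur
    return alerts


if __name__ == "__main__":
    for iface, t0, t1, rx, tx in idle_alerts(SNAPSHOTS):
        print(f"{iface}: {t0}-{t1}s rx {rx:.0f} B/s tx {tx:.0f} B/s while supposedly idle")
```

To use it live, call read_proc_net_dev() every few seconds and feed the (time, text) pairs to idle_alerts(); an alert tells you when to look, not what was talking, so the next step is the per-process view from the usual socket tools on that box.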

So anyone TRYING to suck out a 100 GB encrypted lump will:
a) find it hard to discover when it is even connected and powered up.
b) not be able to pick and choose bits; it’s “all or nothing”.
c) not get it all without a long visible connection / traffic that will be interrupted.
d) mostly get useless crap if they do ‘go looking’ (as I have Easter Eggs scattered around).
e) be confronted with a constantly mutating “attack surface” as which machines, OS types, applications, hardware, software et al. change from day to day and moment to moment. (Or: Go ahead and put a hack into “my web browser”; it is one of a dozen, gets used about once a week or two, and half of them come up from fresh bits off of a CD each time…)

I’ve not gone so far as to do HASH signatures on the binaries and compare them every so often. (We did that at a former employer as an assurance that the bits had not been twiddled.) Nor do I have a separate “intrusion detection station” (that constantly monitors honey pots, network traffic profiles, binaries, etc.) as, frankly, I’m not that interesting and it takes some work; but I’ve done that for companies on contracts. (Oh, and adding an automated pen-test system to look for “the usual vulnerabilities” can help too.) But those things are likely in my future.
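The “hash signatures on the binaries and compare them every so often” check, as an added example (not code from the original post or the former employer’s tooling): a SHA-256 manifest of a directory tree, a comparison against the saved baseline, and a single digest of the manifest small enough to keep on powered-down external media. The file names and contents in demo() are constructed; the bin/ directory name is an assumption.

```python
"""Periodic hash manifest of a binary tree, compared against a baseline.

Added example, not code from the original post. It is the "hash signatures on
the binaries and compare them every so often" check described above, done with
SHA-256 from the standard library. The demo builds a constructed tree in a
temporary directory, alters it, and reports what changed.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile


def hash_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256; symlinks are skipped."""
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic order regardless of filesystem
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, vanished, or whose contents no longer match the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def manifest_digest(manifest: dict[str, str]) -> str:
    """One hash over the canonical manifest, short enough to write down or keep on offline
    media, so a manifest left on the box cannot be rewritten along with the binaries unnoticed."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then edit one, add one, remove one."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name, data in {"ls": b"ls-v1", "ssh": b"ssh-v1", "cat": b"cat-v1"}.items():
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)
        with open(os.path.join(bin_dir, "ssh"), "wb") as f:   # contents twiddled
            f.write(b"ssh-v1-modified")
        with open(os.path.join(bin_dir, "nc"), "wb") as f:    # new, unexpected binary
            f.write(b"nc-v1")
        os.remove(os.path.join(bin_dir, "cat"))
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only as trustworthy as the baseline: build it from a fresh install (the CD-boot case above), and keep at least manifest_digest() somewhere the running box cannot write to, otherwise whoever twiddled the bits can twiddle the manifest too.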

In large part I’ve just depended on not doing anything very interesting over the internet. Things like “on line banking” or buying much of anything. Nor do I have any interesting email (it being heavily infested with SPAM also has made it uninteresting to me). So on the one hand, my level of “professional sysadmin paranoia” isn’t really warranted for my life style. Then add in that the REAL issue is trying to block snooping by TLAs (Three Letter Agencies) with official access to all levels, including your hard disk controller manufacturer and your OS maker and your internet service provider, and… So the easiest real security has simply been “don’t use it”. But that gets a little harder every year.

Now I’m “using variable hardware / software configs” and rotate the shields every so often, mixed with “nothing that matters left on line”, and “one box for downloads, a different box for doing things”, mixed with… and that breaks up the connectivity to what I hope is “enough”. Oh, and doing sporadic re-installs of a variety of Linux releases keeps things mixed…

BUT…

When you have folks buggering the crypto cypher box (as was done at Microsoft that turned what was advertised as ‘triple DES’ into effectively single DES and an empty round) or attacking SSL hard core with $Millions of budget, or recording ALL encrypted traffic for all time to decrypt later when another order of magnitude of performance is available, and inserting back doors everywhere from the computer manufacturer to the router maker to the ISP / Telco; well, frankly, it’s not easy defending against that kind of wholesale assault on privacy.

And folks wonder why I’ll do things like encrypt a file with AES 256 then do it again with Blowfish, then put that in an SSL link to move it… and unplug my end node box from the internet when I do the encryption / decryption… and use hardware I’ve made myself or is being used in non-standard ways (i.e. never use a Microsoft box for your personal ‘workstation’ if you can avoid it, and certainly not for anything you want private). But instead “blow away” everything but the BIOS and do a clean install of a known LINUX (and then often to somewhere other than the default disk).
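The two-cipher layering described above, as an added example (not code from the original post): an inner AES-256 layer, an independent outer layer with a different cipher, and the result handed to whatever transport link carries it. It assumes the `cryptography` package, and it swaps the author’s Blowfish for ChaCha20-Poly1305 as the second primitive, since Blowfish is a 64-bit-block legacy cipher that the library has retired; both layers are AEAD modes, so a wrong key or a flipped bit fails closed instead of yielding garbage. Key names and the label value are assumptions for the demo.

```python
"""Two independent encryption layers, then a separate transport layer on top.

Added example, not code from the original post. Blowfish, the author's second
cipher, is replaced here by ChaCha20-Poly1305; AES-256-GCM is the inner layer.
Both are AEAD modes, so tampering with either layer is detected rather than
silently producing garbage. Requires the `cryptography` package.
"""
from __future__ import annotations

import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM, ChaCha20Poly1305

NONCE_LEN = 12  # both AEADs take 96-bit nonces


def generate_keys() -> dict[str, bytes]:
    """Two keys from independent randomness: layering only helps if the keys are unrelated."""
    return {"inner": AESGCM.generate_key(bit_length=256),
            "outer": ChaCha20Poly1305.generate_key()}


def encrypt_layered(plaintext: bytes, keys: dict[str, bytes], label: bytes = b"") -> bytes:
    """AES-256-GCM first, then ChaCha20-Poly1305 over the result; each nonce is prepended."""
    n1 = os.urandom(NONCE_LEN)
    inner = n1 + AESGCM(keys["inner"]).encrypt(n1, plaintext, label)
    n2 = os.urandom(NONCE_LEN)
    return n2 + ChaCha20Poly1305(keys["outer"]).encrypt(n2, inner, label)


def decrypt_layered(blob: bytes, keys: dict[str, bytes], label: bytes = b"") -> bytes:
    """Peel the layers in reverse order; a wrong key or a flipped bit raises InvalidTag."""
    n2, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    inner = ChaCha20Poly1305(keys["outer"]).decrypt(n2, body, label)
    n1, ct = inner[:NONCE_LEN], inner[NONCE_LEN:]
    return AESGCM(keys["inner"]).decrypt(n1, ct, label)


def roundtrip(plaintext: bytes) -> bytes:
    """Encrypt and decrypt with fresh keys; returns the recovered plaintext."""
    keys = generate_keys()
    return decrypt_layered(encrypt_layered(plaintext, keys), keys)


def rejects_wrong_key_and_tampering(plaintext: bytes) -> bool:
    """True if a wrong outer key and a one-bit change in the blob both fail closed."""
    keys = generate_keys()
    blob = encrypt_layered(plaintext, keys)
    wrong_outer = dict(keys, outer=ChaCha20Poly1305.generate_key())
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    for k, b in ((wrong_outer, blob), (keys, tampered)):
        try:
            decrypt_layered(b, k)
            return False  # must never decrypt
        except InvalidTag:
            pass
    return True


if __name__ == "__main__":
    # constructed sample message
    print(roundtrip(b"Coffee at the usual"), rejects_wrong_key_and_tampering(b"OK"))
```

The blob that leaves the machine is opaque even if the transport link is the part that gets broken, which is the author’s point about the SSL layer; the keys are the thing to keep off the networked box, alongside the encrypted media.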

Oh Well…

DISCLAIMER:

FWIW, after 9/11 I sent my resume to NSA. Had they been interested I’d have been working for them as an employee and would have been bound by whatever oath they have and by my own sense of professional ethics to not discuss them at all. Yes, I volunteered to be a ‘white hat’ for them. Now you know. However, since they didn’t want me, I have no such agreement with them, so I can “speak my mind”. Basically, it isn’t that I’m against what they do. I offered to help them do it. I just don’t want them doing it to ME or my friends.

So you can take my “complaints” about them with however much salt you deem appropriate, be you of the “they are evil” or of the “they are saving us” school of thought. As a professional sysadmin / manager type, my POV is largely directed at the tech and methods while the end political means are only a secondary issue and usually “not in my pay grade”. Someone hires me to do a job, it’s not my business why.

(Rather Joubert-like in that regard ;-)
http://www.imdb.com/title/tt0073802/quotes

[after Joubert unexpectedly kills someone]
Joe Turner: Why?
Joubert: I don’t interest myself in “why”. I think more often in terms of “when”, sometimes “where”; always “how much”.

(I know I was supposed to relate to Robert Redford, but I find Joubert compelling too in some ways …)

But recently they have started pointing their data vacuums at absolutely everything, including me and friends. That, IMHO, warrants a complaint or two. And it looks like at least one Federal Judge agrees with me.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present “hot buttons” are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

8 Responses to NSA Watching

  1. omanuel says:

    Thanks for this report on a minor glitch in the steady march of our society into the totalitarian form of government that George Orwell described on the book he started writing in 1946, “Nineteen Eighty-Four.”

  2. tom0mason says:

    “…and folks wonder why I’m interested in “roll your own” systems… and will NOT use a UEFI boot loader box for anything I want really secure (it layers about 100 MB of an operating system you cannot control nor really watch between you and the hardware…).”
    Slowly, slowly some things are changing –

    You may have already seen these but there are 2 new UEFI-free ‘solutions’, yes they are both at the crowd-funding level of operation but who knows with enough support …

    First off there’s the Librem computer. This is basically a full spec laptop hacked together from commercial parts, their own motherboard PCB design, and as their sales pitch says —

    The Purism Librem 15 is the first high-end laptop in the world that ships without mystery software in the kernel, operating system, or any software applications. Every other consumer-grade laptop you can purchase comes with an operating system that includes suspect, proprietary software, and there’s no way for you to know what that software does.

    and

    There are many laptops that run Linux. The Librem 15 laptop is better in two main ways:

    1. The hardware used in the Librem 15 laptop was specifically selected so that no binary blobs are needed in the Linux kernel that ships with the laptop. All other Linux pre-installed devices include binary blobs in the Linux kernel.
    2. The Librem 15 is the first concrete step toward changing computer manufacturing in a fundamental way. We believe in users’ rights, and will continue to push upstream to free the BIOS and component firmware.

    It is a fully-fledged laptop running on standard chipsets. They have all hardware open sourced except the BIOS but that ongoing task should be cleared soon. A bit expensive and an unsure future but…

    The next idea is an ARM based PC called a Novena. A completely open design, FPGA running the hardware side but as far as I can see it’s only a PCB for sale — though a full PC *may* be on the market soon. Improvements over the usual RISC offerings as it is designed to be a laptop PC. Again not cheap for a motherboard, but again with support it could be the future…
    ~~~~~~~~~~~~~~~~
    On the software side Linux Qubes is a high security Linux distribution. From what you’ve said this is too large a distro but I would just like others to see that there are alternatives out there.
    This Linux attempts to secure each task area by running securely isolated virtual machines and sandboxing. As the very talented Joanna Rutkowska, the designer, says –

    Qubes is an open-source operating system designed to provide strong security for desktop computing using Security by Compartmentalization approach. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.

    And here is a document about the design philosophy. The *big* thing with this operating system distribution is that it requires very specific processor types (I understand that the Librem PC has these.) And also this is not a small distribution!
    ~~~~~~~~~~~~~~~~
    Hopefully more of these types of systems will be forthcoming and will tweak the noses of NSA/GCHQ/DHS/ Security agencies. It’s early days yet (crowd-funding seems to have a few security orientated projects running), hopefully people will see the advantages of these types of systems, and more will be developed, eventually becoming cheaper and more mainstream.
    Well, I live in hope.

  3. E.M.Smith says:

    @Tomomason:

    Nice summary. If I don’t make my own laptop I will likely get one of those. IIRC SeaBIOS is open and free… It can be used on a Chromebox with Linux. (my current investigation path…)

    My fantasy is a portable with plug in modules for cluster in a box… with things like the 16 cpu on a chip… Like a fat SD card where you can slide in 1 to 6 or so… That way you get the basic box and just add SD for more storage and CPU w/ memory to whatever capacity you want or can afford today… Upgrades preserve all the bits you like and only replace the parts that benefit. Sort of an erector set approach to computes… Bluetooth is making this much easier as peripherals are now universalized…

  4. punmaster52 says:

    What if you cross dress without attempting to break into any government facility? Will NSA leave you more or less alone then? And another thing: my wife cross dresses when she does plumbing work; that is, she dresses like a plumber, jeans and a t shirt. But she doesn’t wear jeans which show her backside.

    Well, that brings up a technical question, doesn’t it? If her backside doesn’t show when she is doing plumbing, is she dressing as a plumber? Can you cross dress into occupational attire? I suppose women can cross dress as lumberjacks; plaid flannel shirt, jeans, suspenders, steel toe work boots, and a watch cap. I guess if you are male and wearing a miniskirt, high heels, and bright red lipstick downtown on Friday night, you have.

    But, generally, women can’t cross dress, can they? Because we view it as conventional attire for women to wear jeans, but men don’t wear dresses. Well, except the Scots, and haven’t we covered that, thank goodness?

    Anyway, where are the equal rights feminists on this? Shouldn’t they be pushing for society to accept men wearing silk underwear, which is so cool and feels so pleasant next to your skin? That’s what I have been told, anyway, not by any man. The world isn’t just money and Tesla.

  5. E.M.Smith says:

    @Punmaster52:

    An interesting question… If a man gets a job in a nightclub with wait staff in slinky dresses, and he wears a slinky dress, is that “cross dressing” or “corporate uniform”?… How about a maid’s frilly outfit when working as a maid?

    Yet when women boxers enter the ring, they are NOT wearing just trunks. I think they ought to be called on that…

    And why do Airlines have sexist separate dress codes / uniforms for male vs female cabin attendants? Seems to me one of them needs to change…

    BTW, I’ve been assured that Scots in kilts certainly has not been covered… something… erk…

    Per the spouse and plumbing: As I’ve seen plumbers without the nearly-obligatory ‘exposure’, I think she was likely within the limits of appropriate, if only just.

    True Story:

    Once when working my way through College in the ’70s before any of this was common, I was the “weekend office” at a small hospital. Admissions, radio to ambulance, the whole works. I was typing a 7 part carbon (!) admissions form and my nails had gotten long enough to hit the keys and that increases error rate (that is hell on 7 part carbons with whiteout to fix it…). So I dug around in the drawer and found a nail file.

    I’m leaned back a bit in the chair, full glass wall to waiting room in front of me, working on my nails in the traditional secretary leg crossed hand in front of torso palm up pose… and I see the UPS delivery coming in brown uniform and all, package on shoulder to my side… about mid glass, the package comes down. I look. She looks. We BOTH double take… pause… smiles and chuckles…

    Not a word said about it. We both just knew…

  6. punmaster52 says:

    @E.M.Smith:

    Great Story! :-)
    Some things are just wrong. Women boxers are one of those things.

  7. Acres of Statuary says:

    ‘watching’ is the gerund form of a verb. gerunds act as nouns. no ambiguity in this case.

  8. Steve C says:

    There seem to be an awful lot of gender-bending stories lately. Used to be perhaps one every two or three years, now it seems hardly a day goes by without somebody “coming out”. Those xenoestrogens in the environment have a lot to answer for.

    And … you must know the old Scots underwear joke:
    Q: “What’s worn under the kilt?”
    A: “Nothing, it’s all in perrfect worrking orrderr …”
