So is “watching” a verb, or is “NSA Watching” a noun? Sometimes I love the ambiguity of English… ;-)
First, a bit of humor. Seems that at the end of May something odd happened at the NSA building in Fort Meade.
Cross-dressing blokes storm NSA HQ: One shot dead, one hurt
Fort Meade scene of bizarre and fatal Monday morning
Yes, attack of the Cross Dressers… Somehow I missed that on the nightly news. I would have expected it to get more air play…
30 Mar 2015 at 17:41, Iain Thomson
One man is dead and another seriously hurt after they tried ramming a car into the gates of the NSA’s headquarters in Fort Meade, Maryland.
Just before 9am on Monday, Eastern Time, the two men – dressed as women – attempted to smash through a checkpoint and into the data center complex using a stolen Ford Explorer, NBC reports.
NSA cops opened fire after the pair refused to stop, the agency said in a statement to The Register. One man in the car was shot and killed, the other was seriously wounded and airlifted to hospital. A security guard was mildly hurt. The Ford also careered into an NSA motor.
“The shooting scene is contained and we do not believe it is related to terrorism,” the FBI’s Baltimore office said in a statement. “We are working with the US Attorney’s Office in Maryland to determine if federal charges are warranted.”
I’m sorry, I’m just at a loss for words…
Then, in more recent news, The NSA Giant Data Vacuum Cleaner Program takes a hit:
Appeals court rules that NSA phone surveillance program is illegal
The judges didn’t address whether the program violated the Constitution.
By JOSH GERSTEIN 5/7/15 9:54 AM EDT Updated 5/7/15 12:30 PM EDT
A federal appeals court has ruled that the National Security Agency program to collect information on billions of telephone calls made or received by Americans is illegal.
In an opinion issued Thursday, a three-judge panel from the New York-based 2nd Circuit U.S. Court of Appeals held that a law Congress passed allowing collection of information relevant to terrorism investigations does not authorize the so-called “bulk collection” of phone records on the scale of the NSA program. The judges did not address whether the program violated the Constitution.
Writing for a unanimous panel, Judge Gerard Lynch said allowing the government to gather data in a blanket fashion was not consistent with the statute used to carry out the program: Section 215 of the PATRIOT Act.
“The interpretation that the government asks us to adopt defies any limiting principle. The same rationale that it proffers for the ‘relevance’ of telephone metadata cannot be cabined to such data, and applies equally well to other sets of records,” Lynch added. “If the government is correct, it could use § 215 to collect and store in bulk any other existing metadata available anywhere in the private sector, including metadata associated with financial records, medical records, and electronic communications (including email and social media information) relating to all Americans.”
From the “well Duh!” department… They are sucking up anything not nailed down and using crowbars and small explosives to knock them loose. (Electronically speaking).
The 2nd Circuit, which acted on a lawsuit brought by the American Civil Liberties Union, is the first appeals court to rule on the legality of the telephone metadata program that came to light after leaks from former NSA contractor Edward Snowden. The program was repeatedly authorized by a special intelligence court in Washington. Two other federal appeals courts are currently considering similar challenges.
The legal provision the 2nd Circuit found inadequate is set to expire on June 1. Language in the court’s ruling allows the program to continue through that time.
So it’s illegal, for now, but they can keep doing it until June 1, when the provision expires. By then Congress will have passed something new, which might or might not be illegal, and we’ll find out in about 15 years when THAT law and the cases brought against it finally get through the court challenge process. Data suckage not included in telco ruling. Oh, and any bets on how much of the illegally collected data will be erased?
Sheesh. But at least it is one small step. Even if it doesn’t do much more than a step in a “moon walk” dance…
Then there is just what all they are gathering:
Reports: NSA has compromised most internet encryption
There goes the neighborhood
5 Sep 2013 at 21:44, Jack Clark
The NSA and the GCHQ have compromised much encryption used on the internet through a potent mix of technological theft, spycraft, and collaboration with major technology companies, according to new reports.
The GCHQ are the British equivalent of the USA NSA. They work closely together so that when one nation has a law saying “but you can’t spy on your own people” the other one can do it instead and then they “share”…
Then the PRISM program is where they have “worked with” companies like Cisco, Microsoft and, as of 2012, Apple (per one report) to make “official access” easier… and folks wonder why I’m interested in “roll your own” systems… and will NOT use a UEFI boot loader box for anything I want really secure (it layers about 100 MB of an operating system you cannot control nor really watch between you and the hardware…).
In a series of news articles that highlight how the code-breaking crypto-fiddling agencies NSA and GCHQ are doing their job, ProPublica, The New York Times, and The Guardian, disclosed on Thursday a wide-ranging campaign by the spies to smash internet crypto methods so to better slurp data from the world+dog.
The NSA “has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show,” the NYT reports.
Though thin on specifics, the stories clearly outline that the agencies have developed a variety of methods to attack and gain access to data secured by either SSL, or inside a virtual private network (VPN). They also imply that they have put backdoors into crypto-systems and potentially widely used digital components, as well.
The spies have also worked with technology companies to gain a direct line to data stored in their servers, though the documents do not specify which companies in particular. Analysts can slurp away at the decrypted data through a highly classified program named “Bullrun”.
“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies. … Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable,” one memo from 2010 given to the spies at GCHQ, says.
The gist of the reports is that the agencies have probably compromised SSL via gaining certificates and encryption keys to the point where they can perform man-in-the-middle attacks on widely used applications. GCHQ is alleged to have broken the security on some 30 VPN systems, and has plans to get into 300 by 2015.
And that, my friends, is why I hate using email for anything, really; why I don’t do text messages if at all possible and try to limit them to “OK” and “Nope” and the occasional “Coffee at the usual”…
It is also why I’m glad to say I have 5 “main” compute engines at the moment, with 3 operating systems on 2 of them, and able to boot another half dozen. Many with NO disk storage and lots of encryption, along with at least 3 browsers on most of them. Bits scattered far and wide. At any one time, 90% of my “compute space” is powered down (and often, when powered up, the router is down…). That is also why “my stuff” tends to be stored encrypted on external media (taking the machine doesn’t help, and a powered down external drive is hard to decrypt…especially over a wire remotely).
Then there is the router that sits right under the monitor where I can watch the “blinky lights”. IF I’m not actively moving data, those lights need to not blink much at all. More than once I’ve pulled the plug until I could figure out what “automated update” or overly aggressive web page w/video was abusing their privileges on my box…
So anyone TRYING to suck out a 100 GB encrypted lump will:
a) Find it hard to discover when it is even connected and powered up.
b) Not be able to pick and choose bits; it’s “all or nothing”.
c) Not be able to get it all without a long, visible connection / traffic that will be interrupted.
d) Mostly get useless crap if they do ‘go looking’ (as I have Easter Eggs scattered around).
e) Be confronted with a constantly mutating “attack surface”, as which machines, OS types, applications, hardware, software et al. change from day to day and moment to moment. (Or: go ahead and put a hack into “my web browser”; it is one of a dozen, gets used about once a week or two, and for half of them comes up from fresh bits off a CD each time…)
I’ve not gone so far as to do hash signatures on the binaries and compare them every so often. (We did that at a former employer as an assurance that the bits had not been twiddled.) Nor do I have a separate “intrusion detection station” (one that constantly monitors honey pots, network traffic profiles, binaries, etc.) as, frankly, I’m not that interesting and it takes some work; but I’ve done that for companies on contracts. (Oh, and adding an automated pen-test system to look for “the usual vulnerabilities” can help too.) But those things are likely in my future.
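The “hash the binaries and compare them every so often” routine mentioned above, written out as an added example (not the blog’s own tooling). It assumes GNU coreutils sha256sum and a manifest file kept outside the tree it describes (ideally on read-only or offline media), and it flags changed, missing and newly added files:

```shell
#!/bin/sh
# Binary integrity baseline: record SHA-256 of every regular file under a
# directory, then later recheck to catch twiddled, removed or added files.
# Added example, not from the original post. Assumes GNU coreutils sha256sum.

# baseline_dir DIR MANIFEST
# Writes "hash  ./relative/path" lines, sorted by path, into MANIFEST.
# MANIFEST must be an absolute path outside DIR, or it will show up as "added".
baseline_dir() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$manifest"
}

# verify_dir DIR MANIFEST
# Returns 0 only if every baselined file still hashes the same AND no file has
# appeared or vanished. Prints what changed (sha256sum reports FAILED lines for
# modified or missing files; added files are listed with an ADDED: prefix).
verify_dir() {
    dir=$1; manifest=$2; status=0
    # Modified or missing files: recompute each listed hash.
    ( cd "$dir" && sha256sum --quiet -c "$manifest" ) || status=1
    # Added files: paths present now that the baseline never saw.
    expected=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$manifest" | sort > "$expected"
    added=$( cd "$dir" && find . -type f | sort | comm -13 "$expected" - )
    rm -f "$expected"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/ADDED: /'
        status=1
    fi
    return $status
}

# Usage: ./integrity.sh init DIR MANIFEST   (take the baseline)
#        ./integrity.sh check DIR MANIFEST  (recheck; exit 1 on any change)
case "${1:-}" in
    init)  baseline_dir "$2" "$3" ;;
    check) verify_dir "$2" "$3" ;;
esac
```

Run the check from clean boot media rather than from the possibly tampered system, since a modified sha256sum or manifest defeats the comparison.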
In large part I’ve just depended on not doing anything very interesting over the internet. Things like “on line banking” or buying much of anything. Nor do I have any interesting email (it being heavily infested with SPAM also has made it uninteresting to me). So on the one hand, my level of “professional sysadmin paranoia” isn’t really warranted for my life style. Then add in that the REAL issue is trying to block snooping by TLAs (Three Letter Agencies) with official access to all levels, including your hard disk controller manufacturer and your OS maker and your internet service provider, and… So the easiest real security has simply been “don’t use it”. But that gets a little harder every year.
Now I’m “using variable hardware / software configs” and rotate the shields every so often, mixed with “nothing that matters left on line”, and “one box for downloads, a different box for doing things”, mixed with… and that breaks up the connectivity to what I hope is “enough”. Oh, and doing sporadic re-installs of a variety of Linux releases keeps things mixed…
When you have folks buggering the crypto cypher box (as was done at Microsoft, turning what was advertised as ‘triple DES’ into effectively single DES plus an empty round), or attacking SSL hard core with $Millions of budget, or recording ALL encrypted traffic for all time to decrypt later when another order of magnitude of performance is available, and inserting back doors everywhere from the computer manufacturer to the router maker to the ISP / Telco; well, frankly, it’s not easy defending against that kind of wholesale assault on privacy.
And folks wonder why I’ll do things like encrypt a file with AES 256, then do it again with Blowfish, then put that in an SSL link to move it… and unplug my end node box from the internet when I do the encryption / decryption… and use hardware I’ve made myself or that is being used in non-standard ways (i.e. never use a Microsoft box for your personal ‘workstation’ if you can avoid it, and certainly not for anything you want private). Instead, “blow away” everything but the BIOS and do a clean install of a known LINUX (and then often to somewhere other than the default disk).
FWIW, after 9/11 I sent my resume to NSA. Had they been interested I’d have been working for them as an employee and would have been bound by whatever oath they have and by my own sense of professional ethics to not discuss them at all. Yes, I volunteered to be a ‘white hat’ for them. Now you know. However, since they didn’t want me, I have no such agreement with them, so I can “speak my mind”. Basically, it isn’t that I’m against what they do. I offered to help them do it. I just don’t want them doing it to ME or my friends.
So you can take my “complaints” about them with however much salt you deem appropriate, be you of the “they are evil” or of the “they are saving us” school of thought. As a professional sysadmin / manager type, my POV is largely directed at the tech and methods while the end political means are only a secondary issue and usually “not in my pay grade”. Someone hires me to do a job, it’s not my business why.
( Rather Joubert-like in that regard ;-)
[after Joubert unexpectedly kills someone]
Joe Turner: Why?
Joubert: I don’t interest myself in “why”. I think more often in terms of “when”, sometimes “where”; always “how much”.
(I know I was supposed to relate to Robert Redford, but I find Joubert compelling too in some ways …)
But recently they have started pointing their data vacuums at absolutely everything, including me and friends. That, IMHO, warrants a complaint or two. And it looks like at least one Federal Judge agrees with me.