thewayne: (Cyranose)
PRISM is/was an NSA intelligence-gathering program. It has been widely speculated that friendly governments spy on other countries so that said country doesn't violate laws about spying on their own people. And this happened in NZ. The activist was from Fiji, and was very active in trying to get democracy for Fiji and get rid of the prime minister. So in sweeps the NSA and PRISM to try and find dirt on him, which they did not find.

First Confirmed Prism Surveillance Target Was Democracy Activist (fortune.com)

Posted by manishs on Monday August 15, 2016 @08:00AM from the truth-is-out-there dept.
A new report by Television New Zealand in collaboration with The Intercept, based on leaks of former U.S. National Security Agency worker Edward Snowden has for the first time named a target of the NSA's controversial Prism program. The target was a middle-aged civil servant and pro-democracy activist named Tony Fullman. Fullman, who is originally from Fiji but has lived in New Zealand for decades, is an advocate for democracy in Fiji and a critic of Fijian prime minister Frank Bainimarama, who took power in a 2006 coup.

From a Fortune report:
According to The Intercept, the NSA in 2012 monitored Fullman's communications through the Prism program and passed on information to the New Zealand intelligence services. Around the same time, the New Zealand authorities raided Fullman's home and revoked his passport. The New Zealand intelligence services were not themselves allowed to spy on Fullman, who was a New Zealand citizen. However, as Snowden has repeatedly described, the agencies of many Anglophone countries spy on each other's behalf, in order to bypass their national legal restrictions. Fullman suggested in the article that people in the group may well have said violent things about Bainimarama, but this was just venting, not a plot. According to the report, they never suspected someone was listening into their communications. The NSA was said to be helping by analyzing Fullman's Facebook and Gmail activities. The 190 pages of intercepted documentation seen by The Intercept apparently didn't reveal evidence of a plot.

https://yro.slashdot.org/story/16/08/15/1341241/first-confirmed-prism-surveillance-target-was-democracy-activist
thewayne: (Cyranose)
It was called the Terrorist Surveillance Program, and apparently was superseded by PRISM.

Here's my question. I remember a few years ago a person proposed a program, I believe it was a retired Navy Admiral (are there any other kind? the Navy Admiral bit), and it was called the Total Surveillance Program. Both are TSP. It was rumored after the first TSP (Total, not Terrorist) was shut down that there were efforts to break it in to smaller pieces. I wonder if one of them is the Terrorist TSP in whole or in part.

http://www.npr.org/blogs/thetwo-way/2013/12/21/256101601/new-nsa-documents-make-case-for-keeping-programs-secret
thewayne: (Cyranose)
The NSA, PRISM, and trying to keep your information private and secure

This is a whole bunch of links that I've been accumulating that talks about a lot of different facets of what's been going on since Edward Snowden blew the lid off of the PRISM spying and what the NSA and federal government has been doing.

First up, my fav security guy, Bruce Schneier. In this article “How to Remain Secure Against the NSA”, Bruce talks about precautions that you can take to improve your security, while acknowledging that if the NSA et al wants information about you, there's precious little that you can do about it.

https://www.schneier.com/blog/archives/2013/09/how_to_remain_s.html


Here we have a story by a man who was Microsoft's privacy chief from 2002 to 2011 who says he no longer trusts the company since the existence of PRISM was revealed. ”In the two years since leaving Microsoft, Bowden has ceased carrying a cell phone and become a staunch open source user, claiming that he no longer trusts a program unless he can see the source.”

There's only one problem with that: 99%+ of people can't read source code or really have the expertise to understand it and to also understand all of the other source code that it ties in to, as you have to evaluate every single part of the system to know whether or not it's secure. So we have to rely on others to tell us that this code is secure. Linux is probably secure, but lots of its code that relates to cryptography and communications is being reevaluated to look for back doors and a lot of the crypto code is being replaced with code that is more public and not backed by NIST.

http://hothardware.com/News/Former-Microsoft-Privacy-Chief-Says-He-No-Longer-Trusts-The-Company/

MUCH more under the cut
Read more... )
thewayne: (Cyranose)
This is pretty funny, actually. Lavabit is a secure email provider: the only people with your crypto keys is you with your public and private keys and the recipient with their public and private keys. The way that this encryption works is that everyone gives their public key to anyone who wants it, but keeps their private key a closely-guarded secret. If I want to send you an email, I get your public key and encrypt the message with YOUR PUBLIC key and MY PRIVATE key. When you receive the email, you decrypt it with MY PUBLIC key and YOUR PRIVATE key. This is an automatic process controlled by the software, and it's almost impossible to crack. And don't ask me how it works, it has to do with generating huge prime numbers, but this is how it works in a nutshell. In fact, it is considered utterly secure and unbreakable: basically with sufficiently large keys, which are easy to generate, it would take computer power running until pretty much our sun goes nova to crack it. I never know your private key, the private key is never transmitted across the internet, so unless you machine is compromised with malware, you're pretty darn secure.

That's how Lavabit worked. Apparently the FBI was on to Snowden before he fled the country and they served Lavabit with a subpoena for all of their crypto keys so they could read this email. Lavabit had no choice but to comply, so they did. They provided the FBI with five SSL keys, each of which are 2,560 characters.

They printed them. In four-point type. Eleven pages of extremely small gibberish. And if you get one character wrong, the key is invalid and can't be used to decrypt messages.

The court was not amused and two months later demanded that he hand over the crypto keys in digital form. That was the day that Lavabit announced that it was shutting down, because once the keys were surrendered, the communications of their customers would no longer be secure.


I think what they did was absolutely brilliant. I'm also sure that the FBI will amend their information demands to state "...in DIGITAL form." The article has a sample page of what they keys look like that were given to the FBI.


http://www.npr.org/blogs/thetwo-way/2013/10/03/228878659/how-snowdens-email-provider-tried-to-foil-the-fbi-using-tiny-font?sc=17&f=1001
thewayne: (Cyranose)
Interesting story. Guy steals woman's purse, then begins stalking her. She recognizes his car in the neighborhood, tells a cop, they get a district attorney to issue a subpoena to the phone company for a pen recording on the guy's phone line. Snatcher is arrested, sentenced to a decade in prison. Appeals ultimately to the Supreme Court that the phone calls were protected info under the 4th Amendment, SCOTUS says it ain't and that any records transmitted to a business are not protected.

Thus all Americans and most people around the world get spied upon wholesale by the United States government.

http://www.wired.com/threatlevel/2013/10/nsa-smith-purse-snatching/
thewayne: (Cyranose)
Basically, the NSA doesn't want to watch communications on a computer-by-computer basis. They tap backbones, the connections where huge amounts of information flows between internet servers. They tap major ISPs. Your computer? Chump change. If they know what you're saying to other people, they don't really need to tap your computer. And the thing that makes this possible?

Weak routers.

A router takes the packets generated from all of the computers on your network, wired or wireless, aggregates them, and sends them upstream across your connection to another router at your ISP that has a faster connection, which sends them upstream to another router with a faster connection, etc. Eventually your traffic gets to your destination and information comes back, and the routers (also known as hops) between your PC and the server/site that you wanted to access, can deconstruct the information and get it back to its origin. The problem is that routers are not easy to configure, it takes some specialized information, and that if you need to patch it, you risk breaking the configuration. And a broken configuration means down-time, a bad thing.

So most of the time, once a router is working well and the configuration is backed up, it's pretty rare that they're upgraded. The upgrades are risky because a vast majority of businesses don't have a duplicate network set up so that router patches can be tested.

And a router that is not upgraded, just like your computer, is vulnerable to being compromised and exploited.

So the NSA's money is best spent compromising and monitoring the routers upstream of your connection, because there is a lot more information present at that point, so it's more efficient.

Which is not to say that they can't compromise your computer and get in and look at things directly.

There is an old maxim about what defines a secure computer: it's not connected to any communication device, it's turned off, buried in 10' of concrete, and in a locked room with an armed guard. It's highly unlikely that a computer thus secure can be compromised.

http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
thewayne: (Cyranose)
From Bruce Schneier's blog:

Lavabit E-Mail Service Shut Down

http://www.schneier.com/blog/archives/2013/08/lavabit_e-mail.html

Lavabit, the more-secure e-mail service that Edward Snowden -- among others -- used, has abruptly shut down. From the message on their homepage:

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot....
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.

In case something happens to the homepage, the full message is recorded here.

More about the public/private surveillance partnership. And another news article.

Also yesterday, Silent Circle shut down its email service:

We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.
More news stories.

This illustrates the difference between a business owned by a person, and a public corporation owned by shareholders. Ladar Levison can decide to shutter Lavabit -- a move that will personally cost him money -- because he believes it's the right thing to do. I applaud that decision, but it's one he's only able to make because he doesn't have to answer to public shareholders. Could you imagine what would happen if Mark Zuckerberg or Larry Page decided to shut down Facebook or Google rather than answer National Security Letters? They couldn't. They would be fired.

When the small companies can no longer operate, it's another step in the consolidation of the surveillance society.


http://bruce-schneier.livejournal.com/1234935.html


In related news, Deutsche Telekom announced that they're moving all of their email servers in to Germany to try to avoid PRISM spying.

"Germany's leading telecom provider announced on Friday that it will only use German servers to handle any email traffic over its systems, citing privacy concerns arising from the recent PRISM leak and its 'public outrage over U.S. spy programs accessing citizens' private messages.' In a related move, DT has also announced that they will be providing email services over SSL to further secure their customers' communications. Sandro Gaycken, a professor of cyber security at Berlin's Free University, said 'This will make a big difference...Of course the NSA could still break in if they wanted to, but the mass encryption of emails would make it harder and more expensive for them to do so.'"

http://yro.slashdot.org/story/13/08/09/2252206/deutsche-telekom-moves-email-traffic-in-country-in-wake-of-prism
thewayne: (Cyranose)
I don't find that the least surprising. It's going to take lawsuits and new elections to shut it down, and even then, can we be sure? This started over a decade ago with things like the Total Information Awareness program, and when those were screamed down, quietly got broken in to little unnoticeable pieces and became things like PRISM.

The interesting thing about this particular article is that Wired hired a research agency to break down votes by how much money each representative receives from defense and intelligence contractors. Not terribly surprising, those who received the most money voted against the amendment. Only one person in the top 10 money recipients voted for the amendment.

http://www.wired.com/threatlevel/2013/07/money-nsa-vote/

And I would suggest that you not bother wasting your time with the comments, they rapidly devolved in to 'a new civil war is coming' and it's all white against black. Where race entered in to this problem I do not know, it's more of a poor vs uber-rich.
thewayne: (Cyranose)
A federal judge today rejected the assertion from President Barack Obama’s administration that the state secrets defense barred a lawsuit alleging the government is illegally siphoning Americans’ communications to the National Security Agency.

U.S. District Judge Jeffrey White in San Francisco, however, did not give the Electronic Frontier Foundation the green light to sue the government in a long-running case that dates to 2008, with trips to the appellate courts in between.


It's complex, but there's no way lawsuits over things like PRISM will be simple. But this judge has knocked out the basic defense the administration has been using, so now we'll see how things will proceed.

http://www.wired.com/threatlevel/2013/07/state-secrets-defense/
thewayne: (Cyranose)
In 2006, Mark Klein was working for AT&T in San Francisco and learned about a room that only a very small group of techs had access to that all internet lines passed through. He suspected that it was being used to siphon all data on the internet and pass it to the government. He later learned that similar/identical rooms were installed in other major switching centers across the country.

Turns out he was correct, his suspicions were vindicated by Snowden's release of information on PRISM.

Mark Klein, a retired AT&T communications technician, revealed in 2006 that his job duties included connecting internet circuits to a splitting cabinet that led to a secret room in AT&T’s San Francisco office. During the course of that work, he learned from a co-worker that similar cabins were being installed in other cities, including Seattle, San Jose, Los Angeles and San Diego, he said.

The split circuits included traffic from peering links connecting to other internet backbone providers, meaning that AT&T was also diverting traffic routed from its network to or from other domestic and international providers, Klein said.

That’s how the data was being vacuumed to the government, Klein said today.

“This is a complete vindication,” Klein, a San Francisco Bay area retired man, said in a telephone interview.


http://www.wired.com/threatlevel/2013/06/nsa-whistleblower-klein/
thewayne: (Cyranose)
This is sort of an open secret that wasn't widely known. The United States developed techniques for tapping Soviet military cables, the Soviets were so confident in the physical security of their cables that they didn't bother encrypting most of the traffic passing over them. A submarine and special techniques were used to drop a 20' long piece of equipment that could record all traffic over the cable, initially the unit was recovered every month and delivered to the NSA, as technology improved it only needed to be recovered annually.

Underseas communications eventually have to come up to land, these sites are called shore stations. The UK Government Communications Headquarters, GCHQ, got the cooperation of the cable operators and has been tapping these end-points, according to the article, it began in 2008. The intelligence is also passed to the NSA for their delectation.

I wouldn't be in the least surprised if the United States has similar arrangements with the cables that terminate here.

Another open little secret is in the sharing of intelligence. According to U.S. law, the CIA cannot spy on American citizens, especially within the United States. England has a similar law. But there's nothing in English law preventing them from spying on American citizens, and vice-versa. So they've been known to spy on each other's citizenry and give the information to the appropriate country. A cute little dodge, eh?

http://www.wired.com/threatlevel/2013/06/gchq-tapped-200-cables/
thewayne: (Cyranose)
A very cogent take from conservatives in another country as to the PRISM et al surveillance state that was slid in to our country with little knowledge of the citizenry.

I especially liked the first comment: "...ONLY credible suspicion should drive surveillance."

http://www.economist.com/news/leaders/21579455-governments-first-job-protect-its-citizens-should-be-based-informed-consent
thewayne: (Cyranose)
Edward Snowden did a heck of a job breaking the law, and he will be investigated to the Nth degree. But his employer, Booz Allen? Wow. They have a bad habit of repeatedly screwing the Feds over billing and also over leaking data.

Will this happen? Yah, and monkeys might fly out of my butt.

http://www.guardian.co.uk/commentisfree/2013/jun/14/edward-snowden-investigate-booz-allen
thewayne: (Cyranose)
Excellent article from the former director of application security at Twitter.

It focuses on several points. First, Federal criminal statute is spread over 27,000 pages. Even the Feds don't know how many laws there are, but it's estimated to be in excess of 10,000. For example, it is illegal to poses a lobster under a certain size. Doesn't matter how you got it, and ignorance of the law is no excuse. It also talks about the sometimes necessity of violating the law to encourage change. In Minnesota, sodomy was illegal until 2001, they recently approved same-sex marriage. If we had 100% effective law enforcement, it would be extremely difficult to get such laws changed because everyone who would benefit from that change would be a branded criminal.

Another: manpower. It used to require law enforcement to commit one or more persons to follow someone. Now we all carry our very own tracking devices, and last year cell carrier Sprint, by itself, responded to 8 million tracking requests from law enforcement. That's pretty much the entire city of New York. It's much easier for law enforcement to relax their standards and be profligate in their information requests since they don't have to invest the manpower resources to follow someone. Myself, I've become tempted to put my phone in to airplane mode just to screw up my tracking data. I have no reason to believe that law enforcement would be interested in me, but I also see no reason to make their jobs easier if they do take an interest. Of course, the question then becomes would me turning off their ability to track me pique their interest in me?

She also mentions license plate scanners. I actually saw those in use in El Paso, 100 miles south of me and a place that we visit every couple of months. If I ever see Phoenix or any of the places that I regularly spend time in getting them, I'm buying one of those LED license plate frames.


I especially like two paragraphs in her conclusion: Some will say that it’s necessary to balance privacy against security, and that it’s important to find the right compromise between the two. Even if you believe that, a good negotiator doesn’t begin a conversation with someone whose position is at the exact opposite extreme by leading with concessions.

And that’s exactly what we’re dealing with. Not a balance of forces which are looking for the perfect compromise between security and privacy, but an enormous steam roller built out of careers and billions in revenue from surveillance contracts and technology. To negotiate with that, we can’t lead with concessions, but rather with all the opposition we can muster.
.


I was recently discussing this topic with a friend, who is part of the "I have nothing to hide" attitude. He surfs porn on the internet. He's also a teacher. I have no idea what flavors of porn he's interested in, and I'm sure they're perfectly kid-safe. But what would happen to his career if that information were released? It could certainly be a career-ending revelation.

I don't have anything in my computers that I'm particularly ashamed of, including browser history, but I don't want it to become public knowledge. The fact that I have nothing in particular to hide doesn't give law enforcement or anyone else the right to stick their nose in it without probable cause and a search warrant. My laptop is encrypted, so is my desktop and all of my backups, also my iPhone backups which do not back up to the cloud. I will not allow my equipment to be casually examined. I will not go gently in to that good night if they take an interest in me, they're going to have to produce a valid search warrant before I unlock anything.


http://www.wired.com/opinion/2013/06/why-i-have-nothing-to-hide-is-the-wrong-way-to-think-about-surveillance/
thewayne: (Cyranose)
Metadata is what is being collected by PRISM, the NSA, et al. It shows who you called and how long you talked to them, and maybe your and their location, I don't know if they've revealed what the specifics of what metadata are being collected. As far as we know they are not collecting actual call contents, and considering what a flood of information that would be, it's unlikely. If they need that info, they can execute specific taps, whether or not they have a warrant for that, I won't bother exploring.

This article shows how by taking a person's name and what social clubs or organizations that they belong to that you can identify a likely suspect, just by looking at metadata. Using the names of 254 people and their potential memberships in seven different organizations, Revere pops to the top using different sorts of mathematical analysis.

This is a technique called Social Network Analysis and it's used by Google and Facebook, and probably LiveJournal, to try to target advertising. If most of my LJ friends are science fiction fans as indicated in our profiles, it could be extrapolated that all of my friends are fans of SF/F. And they would probably be mostly right. But not 100% correct, which leads to some weird ads popping up occasionally.

http://kieranhealy.org/blog/archives/2013/06/09/using-metadata-to-find-paul-revere/
thewayne: (Cyranose)
http://bruce-schneier.livejournal.com/1211785.html

Edward Snowden broke the law by releasing classified information. This isn't under debate; it's something everyone with a security clearance knows. It's written in plain English on the documents you have to sign when you get a security clearance, and it's part of the culture. The law is there for a good reason, and secrecy has an important role in military defense.

But before the Justice Department prosecutes Snowden, there are some other investigations that ought to happen.

We need to determine whether these National Security Agency programs are themselves legal. The administration has successfully barred anyone from bringing a lawsuit challenging these laws, on the grounds of national secrecy. Now that we know those arguments are without merit, it's time for those court challenges. ...


Do I think Schneier's investigations will happen? Sadly, no. I think Snowden will be pilloried and then we'll end up in an extradition tussle, not unlike Julian Asange. It'll take years, and perhaps there will be enough change in politics that such an investigation can happen.
thewayne: (Cyranose)
"He's a traitor."
-- House Speaker John Boehner on Edward Snowden

"Hero of the Year."
-- Michael Moore

"Treason...Bring back the death penalty."
-- Fox News analyst Ralph Peters

"The man for which I have waited. Earmarks of a real hero."
-- Glenn Beck

"An act of treason."
-- Sen. Dianne Feinstein

"When you have a dictatorship or an authoritarian government, truth becomes treasonous...For somebody to tell the American people the truth is a heroic effort."
-- Ron Paul

I really, REALLY, hate agreeing with Glenn Beck about something! At least it's over something worthwhile.

July 2017

S M T W T F S
       1
23 4567 8
910 11 1213 14 15
16 17 18 19 202122
23242526272829
3031     

Syndicate

RSS Atom

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated Jul. 22nd, 2017 12:47 pm
Powered by Dreamwidth Studios