The NSA, PRISM, and trying to keep your information private and secure
This is a whole bunch of links that I've been accumulating that talk about a lot of different facets of what's been going on since Edward Snowden blew the lid off of the PRISM spying and what the NSA and federal government have been doing.
First up, my fav security guy, Bruce Schneier. In this article, “How to Remain Secure Against the NSA”, Bruce talks about precautions that you can take to improve your security, while acknowledging that if the NSA et al want information about you, there's precious little that you can do about it.
https://www.schneier.com/blog/archives/2013/09/how_to_remain_s.html
Here we have a story by a man who was Microsoft's privacy chief from 2002 to 2011 who says he no longer trusts the company since the existence of PRISM was revealed. “In the two years since leaving Microsoft, Bowden has ceased carrying a cell phone and become a staunch open source user, claiming that he no longer trusts a program unless he can see the source.”
There's only one problem with that: 99%+ of people can't read source code or really have the expertise to understand it, let alone all of the other source code that it ties into, and you have to evaluate every single part of the system to know whether or not it's secure. So we have to rely on others to tell us that this code is secure. Linux is probably secure, but a lot of its code that relates to cryptography and communications is being reevaluated to look for back doors, and a lot of the crypto code is being replaced with code that is more public and not backed by NIST.
http://hothardware.com/News/Former-Microsoft-Privacy-Chief-Says-He-No-Longer-Trusts-The-Company/
In a related article, there is a company called Silent Circle who offered a lot of secure ways of communicating. They took down their email service post-Snowden, as it offered a lot of the features that Lavabit offered. They are now in the process of reevaluating their crypto code and replacing it with code that is not based on NIST standards. They don't think those standards have been compromised, but they believe that the NSA has too much influence on NIST and that could lead to future trouble.
http://silentcircle.wordpress.com/2013/09/30/nncs/
http://yro.slashdot.org/story/13/10/01/1215244/silent-circle-moving-away-from-nist-cipher-suites-after-nsa-revelations
Another Schneier article, this one on how the NSA lies to Congress and gets away with it. If a committee asks the Director “Does Program X do ABC?”, he can answer no, because X does not. Y and Z do, but since the committee didn't know to ask about Y and Z, he hasn't perjured himself.
https://www.schneier.com/blog/archives/2013/10/nsa_storing_int.html
How about a sensor the size of a matchstick that can record conversations, outdoors, at a range of up to 25 meters? And it can capture raw data so that if it is recording a parade or in a park, it can be re-tuned, after the fact, to listen to anybody? And it works.
I have no idea if a white noise generator would spoof it.
http://www.newscientist.com/article/mg21929364.400-matchsticksized-sensor-can-record-your-private-chats.html#.UlMbMBafShC
The usage of The Onion Router (TOR) network doubled in August in the wake of Snowden's revelations, which indicates that a lot of people are taking this seriously. That's a good thing.
http://www.paritynews.com/2013/08/29/2534/tor-usage-more-than-doubles-in-august/
Also in August, malware went out that exploited a JavaScript zero-day vulnerability in the Firefox browser that identified TOR users. It is believed that the FBI is behind the malware. It only affected Windows users, though it could theoretically be targeted against OS-X and Linux users.
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
As a result of this, it is believed that half of TOR sites, including the TORMail email system, are compromised.
http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail
TOR is telling people that if they want to remain private, stop using Windows and disable JavaScript. The problem is that disabling JavaScript will cause some web sites to not work right.
http://www.itworld.com/software/367979/tor-project-stop-using-windows-disable-javascript
http://it.slashdot.org/story/13/08/06/1350206/tor-wants-you-to-stop-using-windows-disable-javascript
Oh! Look! The FBI admitted that it was behind the TOR malware attack. Surprise, surprise. You see, the malware was being used to identify and take down a kiddie porn ring, so it was all for the sake of the children.
http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/
http://yro.slashdot.org/story/13/09/14/0122218/fbi-admits-it-controlled-tor-servers-behind-mass-malware-attack
The problem is that the NSA has pre-computed encryption key hashes for certain known ciphers, such as the one used by default for TOR. You can replace this with the stronger, newer elliptic-curve encryption, but that's known to have problems of its own.
http://yro.slashdot.org/story/13/09/07/0028217/most-tor-keys-may-be-vulnerable-to-nsa-cracking
Meanwhile, the Foreign Intelligence Surveillance Court, which is tasked with monitoring surveillance, says it is limited in its ability to oversee the activities of the NSA. Basically it must trust the government to self-report if it is violating the secret FISC orders.
http://www.washingtonpost.com/politics/court-ability-to-police-us-spying-program-limited/2013/08/15/4a8c8c44-05cd-11e3-a07f-49ddc7417125_story.html
http://yro.slashdot.org/story/13/08/16/2058238/fisc-chief-judge-we-cant-effectively-oversee-the-nsa
And Snowden documents claim that the NSA has violated privacy rules thousands of times a year since 2008.
http://www.wired.com/threatlevel/2013/08/nsa-violated-privacy-rules/
A startup is making a new browser called Epic that has built-in code for providing proxy service along with lots of other safeguards to keep your browsing private. I do question that it's built upon Google's Chrome code, so I wonder how confident they are that the underlying code is safe. It's available for Macs and PCs now, and it looks like they're also working on a Linux version.
Their web page is quite interesting because it tells you about the various techniques that companies use to track you, and also how they try to defeat them. Presumably they are going to update their software as new tracking methodologies are developed.
https://epicbrowser.com
http://yro.slashdot.org/story/13/09/06/1411215/epic-a-privacy-focused-web-browser
I found this one particularly amusing: the National Rifle Association is joining a lawsuit filed by the American Civil Liberties Union against the NSA, saying that the NSA's collection of telephone metadata constitutes a gun registry. There is a law in place that forbids the creation of a gun registry on computers. The metadata that the NSA has been collecting has been demonstrated to be able to show links and valuable information about people, so if they know a person calls hunting lodges, gun stores, shooting ranges, the NRA, and other known gun owners, it's a pretty safe bet that they're a gun owner; therefore the government is breaking the law and building a database of gun owners.
FYI: this URL does an auto-start video: http://thehill.com/blogs/hillicon-valley/technology/320357-nra-claims-nsa-illegally-created-a-gun-database
Google is speeding up a new encryption project to provide end-to-end encryption for users and all the Google servers, and it will be impervious to government snooping. They will still have to fulfill court-ordered subpoenas, but it will defeat sniffing packets off the internet backbones to bulk collect information.
Now, I am of two minds with Google. The basic problem is that if you are not paying for a service, then you are the item being sold. We don't pay for Gmail; Google collects analytical data and provides it, anonymized, to keyword advertisers. We are a commodity, and Google needs that to be able to sell ads. Google has tremendous in-house talent, including cryptography experts. So Google seems to be addressing this in a good way, and the end result will be more privacy for its users.
http://www.ibtimes.com/google-speeding-new-encryption-project-after-edward-snowden-revealed-projects-bullrun-edgehill
http://yro.slashdot.org/story/13/09/09/1154209/google-speeding-up-new-encryption-project-after-latest-snowden-leaks
Because of the demands that the government made on Lavabit email and others, the legal reporting site Groklaw is also shutting down. They rely on anonymous emailed information from people about weird legal shenanigans in the tech world, and anonymity is dead, at least for now. So no more Groklaw. They were invaluable when it came to the SCO vs The Known Universe lawsuits and more recently dove into the plethora of suits between cell phone makers. They will be missed. Their site is still up, so you can still read their older posts, but it hasn't been updated since August.
http://yro.slashdot.org/story/13/08/20/0750237/joining-lavabit-et-al-groklaw-shuts-down-because-of-nsa-dragnet
Going back to March and pre-dating Snowden, the Obama administration is drawing up plans to allow U.S. spy agencies to look over details of the financial data of Americans and people banking with American banks.
http://www.reuters.com/article/2013/03/13/usa-banks-spying-idINDEE92C0EH20130313
And I'll wrap this up with more Bruce Schneier: a piece, also from March, that he wrote for CNN titled “The Internet Is A Surveillance State”.
http://www.cnn.com/2013/03/16/opinion/schneier-internet-surveillance/index.html
http://yro.slashdot.org/story/13/03/16/222250/schneier-the-internet-is-a-surveillance-state
WHEEEE!