The document titled "ECI Compartments" is interesting:
* It's possible to work out the geographic region of certain compartments based on the organizational code attached to it.
* The redactions in the "Control Authority" column are variable size, possibly even proportionate to character length.
* The fact that the document was merely classified "confidential" is odd.
* I was able to identify[0][1] all but one item listed in the "Organization" column.
The sole item that eluded identification was "S0242". It is listed alone under two compartments. I couldn't find anything on it; one can only surmise it is something within the Signals Intelligence Directorate (probably something boring, despite the mystique).
"The NSA/CSS Commercial Solutions Center (NCSC) addresses the strategic needs of NSA/CSS and the national security community by harnessing the power of U.S. commercial technology."
Two pieces of information that add up to a larger story:
* The NSA/CSS Commercial Solutions Center (NCSC) is specifically built around Elliptic Curve Cryptography that they acquired from Certicom.
>The NCSC also manages the Elliptic Curve Cryptography (ECC) program on behalf of the NSA/CSS. Elliptic curve provides greater security and more efficient performance than first generation public key techniques currently in use. NSA/CSS purchased a license that covers intellectual property in a restricted field of use to assist in the implementation of elliptic curves to protect U.S. and allied government information. - https://www.nsa.gov/business/programs/ncsc.shtml
* Certicom designed the Elliptic Curve DRBG (Dual_EC) algorithm including the backdoor (Certicom patented the backdoor functionality in 2005)[0]. The NSA then included this algorithm + backdoor in a NIST standard and paid RSA 10 million dollars to make it the default DRBG.
Putting these two facts together suggests that the NCSC was responsible for the Dual_EC backdoor.
“The facts contained in this program constitute a combination of the greatest number of highly sensitive facts related to NSA/CSS’s overall cryptologic mission,” the briefing document states. “Unauthorized disclosure…will cause exceptionally grave damage to U.S. national security. The loss of this information could critically compromise highly sensitive cryptologic U.S. and foreign relationships, multi-year past and future NSA investments, and the ability to exploit foreign adversary cyberspace while protecting U.S. cyberspace.”
Maybe they could have not published this one.
I'm very much interested in the Snowden Documents and am a strong advocate for civil liberties (look at some of my other posts, and the ones under the handle 'xnull').
I also repeatedly explain, on Hacker News, and other places, that there is a global cyber intelligence war and that the Snowden Leaks showed us key insights into what was going on, how it's not 'about terrorism' and a great number of other things.
But I'm bewildered by this article. It seems really damaging, and like it doesn't really add very much to the corpus they've already published.
Any ideas?
Edit: Glenn Greenwald, Laura Poitras, Edward Snowden, etc all decide what material to publish and what material not to publish. Greenwald, by his own admission, works with US officials to redact information and to choose which stories make it out of the gate. He's also said that he isn't revealing (paraphrasing) 'the most horrendous material in the Snowden documents, for fear of the fallout'. My question should not be thought of as a challenge to revealing Snowden documents as a whole. Contrary to this I think it is of the very highest service. My question is only 'why this document?'
You summarized already in your sentences ("I'm bewildered by this article. It seems really damaging, and like it doesn't really add very much to the corpus they've already published") how you feel and why you feel that way: it appears damaging because it contains the paragraphs that explicitly contain the words "it's damaging." But it's just a general introduction to the "juicy bits" without the bits themselves.
In fact you recognized this too writing: "it doesn't really add very much to the corpus they've already published." Once you attempt to identify the new information, you can recognize that 99.5% of it appeared in some other form before.
The older published documents already were marked "top secret." These markings are given to the content that is considered "damaging" by those who write the documents. You just perceived it differently because these markings were just markings for you, not the sentences spelling out "damaging."
Still, the value to the public of this very document is that it's a single document summarizing nicely the previously disclosed ones in many fewer words. By its nature though it doesn't contain the details published previously. (Edit: technically, it's a set of documents, but all of them together appear to me just as a big table of contents for the disclosures already published.)
Now let's discuss the new 0.5% of information, even if it's very general.
Of course, but to be honest, that was the previous expectation of the NSA. It's not that apparent that there is anything useful to gain by leaking their attempts to spy on foreign countries like every other country does.
Since when is sabotage an act of spying, or for that matter acceptable behavior in peace time?
Let's say Swedish spies were sent to the US in order to infiltrate and weaken the 911 system, the power grid, or other key infrastructure of the US. Would you shrug at that also, since after all, what should people expect from spies?
Sabotage and spying are two different activities. Sabotage is a tactic employed during war. Spying is a tactic employed during peace. Confusing the two simply states that peace is war, and war is peace, and anything goes so long as it's against foreigners.
>On the other hand it deals a pretty big blow geopolitically/internationally.
So? For me (Godwin's law be damned) it's like leaked documents about Nazi Germany practices. If you were not a German you'd cheer, and if you were a non-Nazi German you'd also cheer.
SENTRY EAGLE and the 13 page draft (summarized in the article) is new.
SENTRY EAGLE is the protection program outlined jointly by the NSA and the U.S. Strategic Command.
The first line reads:
"SENTRY EAGLE... compartmented program protecting the highest and most sensitive level [by] NSA/JFCC to support the U.S. government's efforts to protect America's cyberspace."
The document goes on to specify the broad U.S. cyber protection strategy broken down into Sentry Hawk, Sentry Falcon, Sentry Osprey, Sentry Raven, Sentry Condor, and Sentry Owl - all of which are new.
Add on top data about infiltration into (allied) South Korea and Germany. Not a good day for the NSA.
The names are certainly new, but AFAIK the names themselves aren't classified. What's behind the names is classified, but more details about such actions were already published. We just learn more names, that is, what they call these actions internally. And we get a nice summary of the previous disclosures. Written by the authorities who otherwise denied parts of it even as the specific documents were published. It's that everything is written together that's new. The new potential for embarrassment of the officials is in having it all in one document, which makes the denials much harder.
It's like seeing certain plays from a sport team before, and then after a game seeing their notebook with their general game strategy. Yeah everything we saw before 'fits in' to what was released today - for example we already knew from examples that the NSA works to break encryption - but now we also know that it is considered one of six key investments and that it probably has its own leadership separate from the others. This is useful because you know what programs have more overhead talking to each other/partnering. For example to speculate that corporations probably aren't helping very much with the crypto breaking effort.
Wrong, the names aren't classified, contrary to your claim "the names are most definitely classified." Look in the document, the title "Sentry Eagle Data Sheet" is clearly marked "U" which according to Wikipedia
One line before the one where you've probably found that combination is just "(U) Sentry Eagle Data Sheet" clearly without the FOUO (which, if existed, would mean "for official use only"). The markings specify the following not the previous content. So the title I quoted as containing the name is just and only "U" unclassified.
As the terms are not classified there are minimal standards regarding using the names in less secured conversation. If another country has intercepted communications or documents with some mention of SENTRY EAGLE, now that this has been released they know some of the conversation/document context.
Almost correct, FOUO is a designation used to effectively classify the unclassified information from the public (really! [1]) but he looked at the wrong line.
------
[1] "unclassified but which the government does not believe should be subject to Freedom of Information Act requests" (wikipedia)
Come on, it's been 13 years now of this "grave damage to national security" talk. They claim it for everything.
I'm reasonably sure every thinking person has started, in their mind, to replace any invocation of "national security" with "covering up either incompetence, negligence or breaches of law". There's zero reason we should be paying any attention to that label.
(I like to remind people of the case of Ibrahim vs. DHS, where the government spent all its time invoking various secrets related laws and privileges, citing national security, even having Holder sign a declaration to that purpose, and what for? To cover up the clerical error of some lowly FBI agent, who checked a wrong box.)
The "grave damage to national security" wasn't something an official said. It was a warning inside the document.
Certainly there are instances where this is the case. I can think of a few others to add to your example.
But there's no good reason to assume that all invocations of classified and politically or strategically sensitive material are excuses to cover up incompetence, negligence or breaches of law. And in fact in this case I'm not sure what it would be covering up. What's listed here is hardly incompetence nor negligence and the argument for breach of law, while slightly stronger, wouldn't pass a smell test.
Because of this. It's likely the NSA is actively subverting American companies.
"The most controversial revelation in Sentry Eagle might be a fleeting reference to the NSA infiltrating clandestine agents into “commercial entities.” The briefing document states that among Sentry Eagle’s most closely guarded components are “facts related to NSA personnel (under cover), operational meetings, specific operations, specific technology, specific locations and covert communications related to SIGINT enabling with specific commercial entities (A/B/C).”
It is not clear whether these “commercial entities” are American or foreign or both. Generally the placeholder “(A/B/C)” is used in the briefing document to refer to American companies, though on one occasion it refers to both American and foreign companies. Foreign companies are referred to with the placeholder “(M/N/O).” The NSA refused to provide any clarification to The Intercept."
This article seems a bit speculative. They don't seem to know for sure that "(A/B/C)" means American companies in this case. Everything else just seems like commentary from themselves and other security experts.
As for foreign companies, it's pretty obvious that NSA and CIA have been conducting operations like these for many decades.
I'm not going to argue that the NSA has not subverted American companies before (see DUAL_EC_DRBG), but this does not provide definitive proof that they're actively infiltrating homeland companies with human spies.
It's not all that speculative - it agrees with what was in prior leaks that claim that American companies are routinely infiltrated. Also remember that the authors of these articles have read huge volumes of Snowden documents that have not been publicly released and that the security experts (likely referencing Schneier here) are not just guys working in private industry. If you work in the security space you very quickly begin to interoperate with past and current military and government personnel. Schneier testifies as an expert witness on these things before Congress and Greenwald is an ex-Constitutional lawyer. In short they have the pedigree to make these assertions.
For the record I don't agree with the parent. I think the important thing about this document is that it lays out the broad tactical tools used in US cyberintelligence strategy. It's handing off some major tactical playbook material.
It looks pretty speculative to me. Directly from this article: "The most controversial revelation in Sentry Eagle might be a fleeting reference to the NSA infiltrating clandestine agents into “commercial entities.”", "It is not clear whether these “commercial entities” are American or foreign or both." and "The document makes no other reference to NSA agents working under cover. It is not clear whether they might be working as full-time employees at the “commercial entities,” or whether they are visiting commercial facilities under false pretenses."
The author is also picking quotes from different programs and mashing them together to come up with their speculation. Note how the commercial entities are discussed under the "Sentry Owl" program on page 7, but the "covert or under cover" quote comes from the "Sentry Osprey" section on the last page, which appears to be talking about the NSA working with the CIA. If NSA employees were working with the CIA on anything outside the US, it would make sense that they'd be undercover. Maybe they are infiltrating companies, but the source document doesn't support that assertion.
Schneier isn't name-dropped at all in the article. I find it odd that they would quote Matt Green and Chris Soghoian by name, but mix in the opinions of someone as well-known as Bruce Schneier without mentioning his name anywhere.
It's not really speculative. Remember that previous leaks showed definitively that the NSA had broken into Google and Yahoo, notwithstanding they had some partnerships/participation from them.
Bruce Schneier was given an opportunity to meet and review a large collection of documents but yes its true we don't really know.
The previous leaks did not definitively show anything like that. In fact it's not clear they showed anything beyond an informational briefing on issues with intercepting Google related data.
There's a Chinese whispers effect to all this where vague assertions are repeated over and over until they become considered definite facts.
That's Facebook. The Yahoo and Google stuff has been very widely reported and are direct from Greenwald and the Snowden leaks. Other links (in particular the PKH link) contain other information.
Right. But that's not new information. Prior Snowden leaks (and leaks by others) have showed conclusively that the NSA targets and infiltrates American corporations and also partners heavily with them.
Somewhat sad to see the cyber security war narrative becoming the top voted comment on hackernews.
Until the public realize that they are themselves the target of those cyber security war activities by their own government, those revelations can not be damaging enough.
Just to support the point: Today the new Snowden movie is all over the news, while practically nobody seems to care about those revelations you claim are really damaging.
> Until the public realize that they are themselves the target of those cyber security war activities by their own government, those revelations can not be damaging enough
This is entirely true. Us plebes have been caught in the middle. And the surveillance programs are not just about cyber warfare. The NSA/DHS use them for other things as well (handing off to CIA/FBI/DEA, building profiles of people, social manipulation, etc). But this article from firstlook IS about cyber warfare.
The leaked document itself says "U.S. Strategic Command - Joint Function Component Command - Network Warfare".
> Today the new Snowden movie is all over the news, while practically nobody seems to care bout those revelations you claim being really damaging
Isn't that argumentum ad populum? The news media coverage of the Snowden revelations has been horrendous, limited and misleading through and through. In fact the Snowden movie being in the news is a great example of how the public is disconnected with what's going on. It's not a "Snowden documentary" or a "Snowden lecture" or a "Snowden document analysis". It's a short hour and change person story with a bleached narrative devoid of the content of the actual documents.
While that is an excellent talk, it seems worth pointing out that it's speculative fiction, these things aren't necessarily happening (though it is quite plausible).
I'm really starting to take issue with declaring all this stuff as "cyber war" or "cyber warfare" (here and everywhere else in this thread). It's not a war if there is no intent of actually killing people. Even something as intense as the "cold war" had the qualifier cold in it, because there was no open confrontation. And what is now summarized as cyber (intelligence) warfare is orders of magnitude less deadly (though not necessarily less damaging to our civil rights). It's not a war if I steal your trade secrets and undermine your negotiation positions in international treaties.
If you frame it as a "war" you get a whole different solution space. Instead of strengthening the IT security of domestic companies that build your core infrastructure you end up with "offense is the best defense" strategies and undermine the IT security of everyone. If you stop using war rhetoric this kind of statement:
> If you didn't see it, there's a link on another branch of the conversation containing (at least) 37 other countries involved in cyber [espionage].
> I'm really starting to take an issue with declaring all this stuff as "cyber war" or "cyber warfare" (here and everywhere else in this thread). It's not a war if there is no intend of actually killing people.
Countries are owning each others' communications, power, transportation, energy, food production, etc infrastructure. Sabotaging these can cripple a nation, not to mention kill people (check out damage from the recent Great Northeast Blackout - note here that it is not known whether this was a cyber attack).
The military and defense contractors are targets of attacks as well as industry. Titan Rain, Moonlight Maze and Operation Aurora are some well known geopolitically motivated attacks that breached defense contractors (including Lockheed Martin, Sandia), US internet infrastructure (including Rackspace, Google), aerospace (including NASA) and military (including the DoD).
You may remember this year that Wall Street and JP Morgan were hacked, that the DoD was hacked, that several hundred defense contractors were hacked, and that the list of people with top secret clearance was hacked. You may remember this year that Israel's "Iron Dome" missile defense system schematics were hacked.
In the eyes of the military, these things constitute an attack. They give it the name warfare. It certainly isn't classical warfare. Maybe we need a new term. I do like the "cold" term.
>But I'm bewildered by this article. It seems really damaging, and like it doesn't really add very much to the corpus they've already published.
Really damaging for whom? 99% of the worlds population are victims (them or their countries) to the stuff described in the article, not cheering for its continuation.
It is really damaging, but that's from a perspective that, as a superpower, they were benefiting from control and domination. The same perspective implies that the target was being damaged by these actions. Targets that are not always adversaries. Targets that could contribute if not being controlled, dominated, and damaged.
It's not easy to see, but damaging others denies them the contributions they could bring, ultimately damaging themselves.
Right, and I hope nobody thinks Russia or China are saints, because they use their technical abilities to suppress dissent in frightening ways.
While there's definitely a cyber war going on, you have to ask, why isn't the NSA actively disseminating knowledge to Americans on how to secure themselves? Why are they instead actively weakening encryption standards? America companies have the most to lose from weak encryption. It just doesn't add up, and the American people have enough confidence to call their government out, unlike countries who have allowed themselves to become pretty enslaved by their government, like China and Russia.
In summary, the NSA should participate in the global cyber intelligence war by educating the American public, instead of weakening them.
> why isn't the NSA actively disseminating knowledge to Americans on how to secure themselves?
In fact, the NSA is disseminating such knowledge. You can find guides to secure operating systems (Windows, Linux, and OS X) and commonly used applications (Chrome, Adobe Reader). To what I assume is the chagrin of the FBI, you can even find guidance on full-disk encryption.
>While there's definitely a cyber war going on, you have to ask, why isn't the NSA actively disseminating knowledge to Americans on how to secure themselves?
> they use their technical abilities to suppress dissent in frightening ways
I'm just going to mention so called "Fusion Centers", which have been used to investigate and disrupt the organization of The Tea Party movement and Occupy Wall Street but spare my usual rant. No it does not compare to Russia or China.
> NSA threatening domestic jobs, companies, individuals, and most of all innocents, that leads to an upset.
The NSA's view, and in fact several of the last presidential offices, is that these programs and capabilities are important for the country because they give American companies and domestic jobs a leg up.
"The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances." - NSA Mission Statement
> While there's definitely a cyber war going on, you have to ask, why isn't the NSA actively disseminating knowledge to Americans on how to secure themselves?
Because it is essentially impossible to secure yourself on the internet. This isn't a fine point. It's a blanket fact.
> Why are they instead actively weakening encryption standards?
They have a concept called "NOBUS" which means that the weaknesses they introduce should only be exploitable by them. DUAL_EC_DRBG, the goto example of an NSA backdoor, is a perfect example of NOBUS.
> In summary, the NSA should participate in the global cyber intelligence war by educating the American public, instead of weakening them.
Oh I agree. Actually if you look back Clinton and first term Bush era they kept proclaiming that there was a cyber intelligence war but it never really caught on. So they made it about 'cyber terrorists'. Nobody caught on. They made it about actual terrorists. Now we listen. I do hope that investments are made in defensive capabilities rather than offensive. The Obama administration released a series of strategic documents funding longer term research into the protection of domestic computer networks, programs and technologies. But right now you can't play the game of cyber intelligence war without attacking. When it comes to hacking, the attacker always wins. Just playing defense is a losing game.
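To make the "NOBUS" point concrete, and the Certicom/Dual_EC claim earlier in the thread ("including the backdoor"), here is an added toy model of the Dual_EC_DRBG trapdoor. It is example code written for this discussion, not code from the thread, from NIST, from Certicom or from the NSA, and every parameter in it (the field prime, the curve coefficient, the point Q, the seed and the trapdoor scalar) is constructed for the demo rather than taken from the real standard, which uses NIST P-256 and drops the top 16 bits of each output. The structure is the one Shumow and Ferguson described in 2007: if the party that chose the published points P and Q knows a scalar e with P = e·Q, a single output is enough to recover the generator's next state, while everyone else faces an elliptic-curve discrete logarithm. That asymmetry is what "only exploitable by them" means, and it is also why verifiable, nothing-up-my-sleeve parameter generation matters for any standard that fixes constants:

```python
# Toy Dual_EC_DRBG trapdoor (constructed example; not NIST/NSA/Certicom code).
# Dual_EC publishes two points P, Q.  Per call the state s becomes x(s*P) and the
# output is r = x(s*Q).  With a secret e such that P = e*Q, lifting r back to the
# point R = s*Q and computing e*R = s*P yields the next state in its x-coordinate.
# Without e that step is an elliptic-curve discrete-log problem: "nobody but us".

P_MOD = 2**31 - 1        # toy field prime; = 3 (mod 4) so sqrt is one pow()
A = 7                    # coefficient a of y^2 = x^3 + A x + B  (constructed)
INF = None               # point at infinity


def inv(v):
    """Modular inverse via Fermat's little theorem (P_MOD is prime)."""
    return pow(v, P_MOD - 2, P_MOD)


def ec_add(p1, p2):
    """Affine group law on the short Weierstrass curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:          # p1 == -p2 (covers 2-torsion too)
            return INF
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD          # doubling
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P_MOD) % P_MOD       # chord
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def x_of(pt):
    if pt is INF:
        raise ValueError("reached the point at infinity; pick another seed")
    return pt[0]


# Q is fixed first, B is solved for so Q lies on the curve, and P is then
# *derived* from Q through a secret scalar.  That derivation is the trapdoor.
Q = (123456789, 987654321)                         # constructed point
B = (Q[1] ** 2 - Q[0] ** 3 - A * Q[0]) % P_MOD
E_SECRET = 0x1F2E3D4C                              # known only to the designer
P = ec_mul(E_SECRET, Q)                            # P = e*Q


def curve_is_nonsingular():
    return (4 * A ** 3 + 27 * B ** 2) % P_MOD != 0


class ToyDualEC:
    """Dual_EC-style generator.  The real one also truncates 16 bits of r; the
    attacker then tries 2^16 candidates for R, which changes nothing below."""

    def __init__(self, seed):
        self.s = seed % P_MOD

    def next_output(self):
        self.s = x_of(ec_mul(self.s, P))    # state update: s <- x(sP)
        return x_of(ec_mul(self.s, Q))      # output:       r <- x(sQ)


def lift_x(x):
    """Recover a curve point with x-coordinate x; either of +-R will do."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def predict_next(output, count, e=E_SECRET):
    """From one emitted r and the trapdoor e, predict the next `count` outputs."""
    R = lift_x(output)                     # R = +-(s*Q)
    s = x_of(ec_mul(e, R))                 # e*R = +-(s*P): its x is the next state
    predicted = []
    for _ in range(count):
        predicted.append(x_of(ec_mul(s, Q)))
        s = x_of(ec_mul(s, P))
    return predicted


if __name__ == "__main__":
    gen = ToyDualEC(seed=0xC0FFEE)          # victim generator; seed is constructed
    leaked = gen.next_output()              # one observed output, e.g. a TLS nonce
    print("observed: ", leaked)
    print("predicted:", predict_next(leaked, 3))
    print("actual:   ", [gen.next_output() for _ in range(3)])
```

Run it and the predicted list matches the generator's actual subsequent outputs; change `e` to any other value and the prediction is garbage, which is the whole asymmetry. The defensive lesson is the one NIST drew when it withdrew Dual_EC from SP 800-90A in 2014: a DRBG whose security rests on constants nobody can show were chosen honestly is not a DRBG you can audit.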
> The NSA's actions since 9/11 have been more consistent with a power grab than any authentic desire to empower & protect Americans.
This has been going on much longer than since 9/11. PREDATOR and MAINWAY are examples of programs that existed years before the 9/11 attacks.
Thanks for the response. Sorry for editing mine while you were writing yours.
> Oh I agree. Actually if you look back Clinton and first term Bush era they kept proclaiming that there was a cyber intelligence war but it never really caught on.
Interesting point. Now, in the 90s, wasn't the government trying to prevent encryption from being used by the public though?
> When it comes to hacking, the attacker always wins. Just playing defense is a losing game.
Still, there are a lot of defensive measures the public can take from hackers. For instance, using OTR, Tor/VPNs, and moving sites to HTTPS whenever possible.
Bruce Schneier has an interesting metaphor for this period in human evolution. He compares the information revolution to the industrial revolution. At first, people didn't realize how bad pollution could be, amongst other things like food safety. Books like "The Jungle" helped prompt people to stand up for themselves and demand better, and healthier ways of conduct. Overall, humanity evolved to handle the new technologies and their side effects. Snowden's revelations are like "The Jungle" of our time.
> Now, in the 90s, wasn't the government trying to prevent encryption from being used by the public though?
Oh yeah. They did before the 90s, during the 90s and are also doing it now. We won some serious ground in the 90s, allowing us to use stronger algorithms. But companies are still required to keep copies of all of your encryption keys at the ready if they want access to your data. If you haven't seen it the FOIA requested document from the CIA posted here a week or so ago has a pretty good history.
> Still, there are a lot of defensive measures the public can take from hackers. For instance, using OTR, Tor/VPNs, and moving sites to HTTPS whenever possible.
These things do help, but minimally. OTR is good if you want some privacy on your chats. Tor is good if you want a little anonymity. Some baseline level of encryption should be standard everywhere. If you look at the extensiveness of the backdoors though these don't really matter. For example take the FBI mass exploitation of Tor this year. In many instances (Apple iPhone/Microsoft Skydrive/etc with PRISM), copies of data are stored directly from a partner's product for inspection, whether it was originally encrypted during transit or not. And computer exploits that target operating systems are able to see everything on your computer that you see.
> When it comes to hacking, the attacker always wins. Just playing defense is a losing game.
Firstly, why only hacking? What is true for a cyber-attack is true for a physical attack as well. Both sides lose resources in both types of attacks.
Secondly, the reason for defending something is because something is worth defending. If it has been defended in an unsuccessful attack, that is a win.
And thirdly, the thing being defended often includes a higher-moral-ground. Resorting to attack is a definite loss for the defending party.
> why only hacking? What is true for a cyber-attack is true for a physical attack as well.
A couple reasons. One is that 0day vulnerabilities have no defense. There is no way to defend against certain vulnerabilities.
The second is that there are no international rules of conduct that apply to cyber warfare. After the Georgia/Russia event there was an effort to pass agreements in NATO but AFAIK nothing came of it.
The third is that a successful attack usually means the victim remains in a compromised state for months or years (look up advanced persistent threat).
Finally, it's also usually the case that cyber attacks go completely undetected.
> the reason for defending something is because something is worth defending
Right, well the NSA does engage in defense as well. There's just less that can be done. There are hundreds of millions of devices in America with an extremely long tail of software/update state and configuration, saying nothing of networks. There's a ton to protect and even protecting small amounts is costly. This is one of the main reasons companies (and governments) are looking to the cloud - you can consolidate your threat area if you concentrate operations and run broadly the same configuration/state across many systems.
> thing being defended often includes a higher-moral-ground
But this is espionage and sabotage. It's dirty business. I don't think it's a good thing. I don't really advocate for it. I'm just here explaining the broader context of the Snowden disclosures and this article. If you missed it there was a link containing 37 other countries that have cyberwar programs (the list is not exhaustive).
I actually condone a lot of the NSA's activities, but I take serious issue with:
-Warrantless surveillance of US citizens (this is bad whether it's by law enforcement, intelligence agencies, or anyone).
-Infiltration of foreign companies in allied or neutral nations purely for economic or geopolitical insight, not for military purposes (Brazil's Petrobras oil company, all sorts of spying in Germany and Norway and other places).
Personally I'm all for the kind of operations they're conducting in Iran and China, as these countries have been doing the same to us and to others for a long time. But they've become far too greedy in their desire for information domination and power, to the point where there is clearly no line that shouldn't be crossed. To them, if anything anywhere in the world is open for exploitation or surveillance, then they feel like they have a right to use it.
> Warrantless surveillance of US citizens (this is bad whether it's by law enforcement, intelligence agencies, or anyone).
Agreed very strongly.
> Infiltration of foreign companies in allied or neutral nations purely for economic or geopolitical insight, not for military purposes (Brazil's Petrobras oil company, all sorts of spying in Germany and Norway and other places).
See this is where the NSA really shines. We (The US) delayed Iran's nuclear program by THREE YEARS with Stuxnet! Three! And after they finally figured out it was sabotage the US and Israel had the director assassinated for further delays.
Having Merkel's cell phone? During the Eurozone crisis? It would have been awful (financially) for the United States not to have that information. It's fun to look back and read the confused reports during the time "European Union suffering considerably from Eurozone crisis; America sees only limited effects."
PETROBRAS? We won offshore oil drilling locations because we had that information. Energy security for the country going forward decades.
Unfortunately geopolitics are important and you can't just not participate. Hacking is (one important way) that modern espionage, surveillance and sabotage are done.
It seems you've decided that US hegemony is a "good thing" regardless of the moral implications for ourselves and the world. However, some find actions like the following to be dangerous, immoral, unnecessary:
* "the US and Israel had the director assassinated"
* "we won offshore drilling"
* the blase assertion that a nuclear Iran is any worse than the existing nuclear powers (especially Israel!!!)
"Energy security" is oil company nonsense, hilarious considering their tireless efforts to block any kind of clean alternative. The OPEC crisis saved us from gas guzzlers, and now we're back to having SUV's everywhere. We could use some "energy insecurity" but with fracking we're now an exporter. Oil forever!! Climate be damned.
I disagree also with attempts to close off the discussion by saying "geopolitics are important." The US does not have to subvert governments, install dictators across the globe, prop up Saudi Arabia, blindly support Israel, be the muscle for Big Oil (and assassinate and imprison folks at home, too).
The moral hazards that have created this situation are to blame, but it doesn't help that our leaders are as a group paranoid and uncreative, all too willing to let militaristic fascists (accurate, not name-calling here) drive their decision-making.
Edward Snowden is a hero, full stop. You can't do enough damage to the NSA, these types must be resisted at all times.
I'm trying to explain broader context. The US is not hacking in a vacuum. It has to make strategic decisions. We can arm chair the US strategic command all we want.
There seems to be a presumption that the US is doing these things 'just because'. What I believe is that the US is making decisions based on incentives, costs, benefits and other tradeoffs. I believe that if we don't participate in cyber intelligence warfare, we'll lose.
There are certain principles I don't want to give up in the process for sure - civil liberties of all people everyone is #1.
Presumably, I could better my negotiation position on pretty much any deal by spying or sabotaging the other party. Say I am negotiating a salary offer from a company, having access to the CEO email and that of other key decision makers (even just the prospective team and the HR reps) would presumably give me information I can use to secure a higher comp package, no? Without disrupting their operations in general, if I don't make a mistake in the process.
Is the previous an ethically valid way of conducting business? Should I not expect to be scrutinized if/when I got caught doing that, because it might imperil my interests? If I do the same, not for me but for a collective (a company, a union), would that be any less unethical? If not, why would it be different if I did it for my country?
Why is it that we consider that sort of behavior pathological for individuals, criminal for organizations and "just the way things are" when talking about (advanced, inter-dependent, presumably-friendly) nations?
These are all really good questions and I don't have answers other than to say there's a 'prisoner's dilemma'/'tragedy of the commons'/'cold war' situation. If you do no espionage and no sabotage, even though it is a higher moral ground, you don't exist for very long as a country.
Except I suspect many countries actually do without effective espionage or sabotage, if only because they lack the capability.
I guess you can argue that many of these countries rely on allies who perform espionage and sabotage, thus benefiting from those activities despite not doing them themselves. But that still means that closely-aligned countries can survive without spying on each other. I might not have all the facts, but it seems unlikely that Germany or Brazil would be considered an existential threat to the US in the foreseeable future, so why spy on those countries? Slight economic advantages don't seem to justify the breach of ethics.
I guess I can see what you are saying and I don't think we can have a world without spying any time soon. But that doesn't mean all international spying is justified.
> Having Merkel's cell phone? During the Eurozone crisis? It would have been awful (financially) for the United States not to have that information.
The cost of this sort of machiavellian policy is of course the opprobrium of former allies and friends, and a loss of moral standing.
The US loses a lot of soft power if it chooses this route, and the consequences will be felt for decades in mistrust and distance from her allies. A dangerous course both for the US and for the world.
I fluctuate with how I feel about it (it = 'machiavellian policy'). I'm not going to defend US policy in this case, nor claim to understand all of the nuances required to make global strategic geopolitical decisions.
But I will say that the NSA's perspective is this: it is only because of the Snowden leaks that we have lost face with allies. To the NSA, the secrets were kept well enough until Snowden and friends disclosed them.
This is my basic issue with this article. America and the NSA ate mud pie for the actions disclosed in the leaks. This article has the very real possibility of doing a lot more damage. One could say it is good because justice has been served, but one could also suggest that it is bad because similar disclosures of German surveillance programs (a touchy subject given the history), Chinese capabilities, Russian objectives etc haven't been disclosed by a Snowden-like actor.
Really the whole situation is bad. I don't like being at war, cyber or otherwise.
> This is my basic issue with this article. America and the NSA ate mud pie for the actions disclosed in the leaks. This article has the very real possibility of doing a lot more damage.
Not because of the leaks, but because of their actions. That's an important distinction.
If you take actions like this, you should be prepared for them to be exposed, and if you use the argument the NSA and you yourself have made here (it would be ok if we were evil and no-one knew about it), you should expect no one to trust you. You've just declared yourself untrustworthy and a bad ally in perpetuity, because you think this is ok as long as no-one knew about it.
> Not because of the leaks, but because of their actions. That's an important distinction.
Right. I agree with that. There's actually sort of a boolean AND. Because we did them AND we got caught.
My guess is that all major players are doing the same stuff and that if the US doesn't participate it loses. I doubt the US hacked Germany on a whim - I bet it was a pretty labored decision with cost-benefit analysis (one being chance of getting caught).
> But I will say that the NSA's perspective is this: it is only because of the Snowden leaks that we have lost face with allies. To the NSA, the secrets were kept well enough until Snowden and friends disclosed them.
Of course that's their perspective, as is the perspective of anyone committing an embarrassing or morally unscrupulous act.
"The thing I regret most is getting caught."
Secrets of this nature have a tendency to leak. If it wasn't Snowden, it could've been anyone else.
I don't think all of the NSA's capabilities or actions should be leaked, but reporting of confirmed infiltrations of US and allied companies and systems is fine by my book. All's fair in love and war, but we are not at war with Germany or Brazil or, hopefully, ourselves.
Could you provide direct citations or quotes of allied countries infiltrating our government or private infrastructure? Excluding Israel, because they have the same mindset as the NSA/CIA (in which case I also don't take issue with us hacking Israel).
If your excuse for doing plainly immoral things is 'geopolitics is important', where do you draw the line? Your excuse can be used to justify pretty much any form of self-serving barbarity. How about if we just don't do evil shit and deal with the lack of an ill-gotten advantage? Works well enough in everyday life (assuming you aren't a mafioso). Why hold people who work for government agencies to such a pitifully lower standard of decency?
>See this is where the NSA really shines. We (The US) delayed Iran's nuclear program by THREE YEARS with Stuxnet! Three! And after they finally figured out it was sabotage the US and Israel had the director assassinated for further delays.
I'm honestly okay with this (except for the assassination part, though it was speculated that was Mossad and not US).
The other things though are simply to gain an unfair advantage in political and economic situations, even against countries that are supposedly our allies. Realistically, these things happen all around the world and have been forever, but ethically I don't think it's a good thing for the NSA or CIA to be doing.
It is on the face of it ridiculous to say "everybody has a blue-water navy." It is equally ridiculous to say "everybody runs surveillance comparable to the NSA."
Page 123 of the documents released in Glenn Greenwald's "No Place To Hide" lists at least 37 countries (that the United States has cyber partnerships with).
Of those 37 countries, only a minor fraction have the budget to operate the way NSA does. That leaves approximately 160 other sovereign entities. Let's say half of them are despotic and don't count. That leaves 80. Out of those I'd wager that more than half have governments too under-resourced to have the ability to put their people in the kind of panopticon Americans live in. In other words there may be hundreds of millions of people who are more free than Americans. Who are not fearful Hobbesians suckling at NSA's teat. Somehow, those people have not yet succumbed to "terrorism" or whatever the scare du jour is.
>Of those 37 countries, only a minor fraction have the budget to operate the way NSA does.
There will be differences in cost and budget for each nation. The United States has 25% of the world GDP (compared to 4% of the population). That we can afford to fund the Lamborghini of intelligence operations isn't to discount other states that have less well funded capabilities.
You'll see plenty of parallels with traditional warfare: like that countries with smaller budgets ally themselves with countries that have more capabilities.
> Let's say half of them are despotic and don't count
Let's not. Those are some awfully large numbers for one. But more fundamentally why don't the armies and intelligence capabilities of tyrannies count?
> Out of those I'd wager that more than half have governments too under-resourced to have the ability to put their people in the kind of panopticon Americans live in
The nice thing is that surveillance, if done right, is reasonably cheap. Many other countries, especially the ones you 'don't count', have laws preventing citizen use of any reasonable encryption whatsoever.
I'm not saying it's retribution, I'm saying it's shortsighted to consider it damaging to themselves and be okay with the damage that was detailed in the leaks.
I'm not okay with either, but being blind to others' "suffering" doesn't get my sympathy. In this order of events, your sympathy gets mine. In this case, you pointing the finger at others hacking innocents as a justification for hacking innocents makes me entirely unsympathetic to your "damage". See how that works?
There is nothing damaging in these latest documents. The documents reference programs that if revealed (which they were not) would be extremely harmful to national security.
I read the entire article with the hopes that company names would be mentioned. Let's see who took cash to weaken encryption. Let's see who helped the government create back doors. That would have made this article stand out. But alas it contained more of the same things we already knew or assumed were going on.
Why even let the companies know? The NSA should just have very talented people working for those companies. It's not far fetched to think they'd find a great candidate that's patriotic, and help their career any way possible (perhaps even sabotage other employees, if needed). I'd imagine other governments would do the same thing, too. Looking on a decade+ timeframe, it shouldn't be hard to get a few people into key positions. Companies would have to really try hard to avoid this type of compromise. For instance, run multiple, independent build labs, with multiple people comparing outputs. And then, an engineer or pair of engineers in collusion could probably easily slip a difficult to notice security bug into some code somewhere.
> All large corporations weaken encryption for the government
This is simply false. It is untrue to claim that all U.S. companies have somehow "weakened" encryption or inserted backdoors in their products for the Feds. I normally wouldn't waste my time correcting conspiracy theories, but sometimes it's necessary to stop the more credulous from believing them.
Yes, the NSA has boasted of having a surveillance "partnership" with certain U.S. companies, but those are telecommunications carriers -- AT&T, Verizon, Sprint, etc., not Silicon Valley firms: http://www.cnet.com/news/surveillance-partnership-between-ns....
For an additional indictment of AT&T, look at the sworn affidavit that EFF obtained from local SF bay area whistleblower Mark Klein -- an AT&T technician who revealed the existence of the NSA's fiber taps at the 2nd & Folsom Street SF facility.
But the Silicon Valley companies that we know and more-or-less love have done the opposite. Look at the announcements about device encryption by Google and Apple in the last month (that have irked the Feds so much they're threatening new laws). Look at Google's Adam Langley, Wan-Teh Chang, Ben Laurie, and Elie Bursztein deploying a better TLS cipher suite in Chrome. Look at Twitter's surveillance lawsuit this week against the Feds over, apparently, the legality of a warrant canary.
And of course the two links in the conspiracy theory posted above prove the opposite of the "weaken encryption" claim. First, CALEA doesn't apply to web companies. And even the carriers it does apply to are permitted to (at 47 USC 1002(b)(3)) provide secure end-to-end encryption: "A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
Second, the FOIA'd doc was written in the late 1990s before the Feds liberalized encryption export controls. It's 15+ years out of date. You can now freely export strong crypto. And even in the dark days of the 1990s, there were no domestic controls on encryption use, though the TLAs did give it a shot at one point.
A better argument for the conspiracy theory set is the very odd relationship between EMC Corporation's RSA business unit and NSA. But even if allegations of intentional security flaws are true, EMC is a Massachusetts company, not a left coast firm, and a cozy relationship between the NSA and EMC/AT&T/VZ/etc. certainly does not indict all companies and their founders.
It's funny you call it a conspiracy theory. There's no conspiracy. And it is not a theory. The NSA currently requires companies (like Microsoft, Apple) to provide encryption keys corresponding to devices where pertinent. If you look at Bush era legislation most of the pen register, tap-and-trace laws and rulings were precisely pulling existing laws for telecommunication onto the domain of the internet by arguing technical equivalence. It is also true today that essentially all telecommunications are done over digital lines.
Finally Apple isn't a "web company", nor is Microsoft or the majority of 'large corporations'.
> "...unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication"
I don't think I need to say very much here.
Regarding Apple's encryption there's lots of good information about how very little it actually does and can do. There was also a hacker news thread with yours truly. https://news.ycombinator.com/item?id=8389365
Regarding the 'antiquated' FOIA doc - you can export strong crypto but you backdoor it, keep the keys, or provide other ways to access the data. Blackberry's entire business model was secure communications and look where they are today. RSA is now in a similar boat.
"Weaken encryption" does not mean 'lower the bit security under the standard attacker model' here. In this case it means 'subvert encryption through design or implementation flaws, key repositories, controlled PRNGs, side channel access or designed-in systems level access to the data'. "Weaken encryption" doesn't mean "choose smaller key sizes", it means "make the fact that something is encrypted a weak guarantee of security and privacy."
> But the Silicon Valley companies that we know and more-or-less love have done the opposite
Image management, nothing more. Why the public showdown? That doesn't make any sense at all. No sir, I'm certain that corporations would like to provide security and privacy for their customers. And they do. But not against federal law enforcement. There are no new laws that need passing right now. The machinery is there and we've witnessed it in action multiple times. There is no David and Goliath story here, no heroes to be heralded. It's romantic, alright. I wish it were realistic.
Google (and others, that we are supposed to love) fought several battles that made it to the highest levels of court in the United States but lost. They were then forced to comply. The United States used extreme financial leverage to get Qwest to comply (and when they still wouldn't, let/forced them to go bankrupt).
What's changed since then? Were there some new Supreme or Circuit Court decisions that have depreciated the former?
"They can promise strong encryption. They just need to figure out how they can provide us plain text." - FBI General Counsel Valerie Caproni, September 27, 2010
Didn't we already chat about key escrow requirements, CALEA, etc?
The Clinton Administration's big thing was key escrow. Clipper, of course, and as that policy failed the administration moved control of encryption from Military/Exports and Munitions to the Department of Commerce under the agreement that key escrow systems would be put in place where weak cryptography had been previously. Major companies (including RSA, IBM, Apple, Sun, HP, AOL, others) collaboratively drafted industry standard key escrow systems (aside: crypto key escrow patents are fun things to look up on patent searches).
Additional pressure was exerted of course because the United States had seen a very strong rise in geopolitical espionage and sabotage and strong crypto was becoming a problem for the NSA.
That's where things were at the end of the Clinton Administration. During Bush's administration we saw nothing but an expansion of powers and budgets for intelligence agencies and reclassification of laws applying to other media (for tap and trace/pen register) to the internet (although CALEA already applies to broadband internet) and to computers, 'computer systems and networks' and electronic equipment. Bush (and Clinton before him) warned of rising international cyberwarfare, but couldn't get the populace concerned about it. Anyway, you do NOT see a reversal on escrow requirements during the Bush or the Obama administration - rather you see an expansion of escrow and an expansion of hardware, software and standard backdoors as well as the leaks from Snowden.
There are a number of ways that escrow is done (we're ignoring backdoors right now). The TPM is one novel way that keys are stored in a way that gives access for law enforcement. TPMs are in essentially every computer, 'spooks' showed up at the standardization meetings for the chip, Germany announced they provided backdoor access during diplomatic troubles (and have since 'rescinded the announcement', whatever that means), China blocks all electronics with TPM chips coming from the United States (and allies), and after a bunch of international and technical/commercial problems the TPM 2.0 spec (again attended by Five Eyes spooks) was for the most part abandoned. And honestly, does a low end consumer device ($650 laptop or $300 phone) require a self destructing chip that can't be examined using standard equipment or at room temperature? The TPM also almost always resides on the low pin count bus (the spec does not specify where it needs to sit), which gives it DMA (TPMs do NOT need DMA).
Or check out Microsoft's Cryptographic Service Providers (CSPs). This is where you store, provision, can generate, access, and utilize your keys in a Microsoft system. It's also famous for being where the NSAKEY gave access. Microsoft will tell you that it keeps your keys secured, but it is well known to any pentester that access to admin on a box can dump all of the keys, including those that are so-called 'marked non-exportable'. From what I can tell by the public MSDN articles on the subject, contents of the CSPs can be controlled via group policies and interop with other management systems.
This isn't to mention that BitLocker keys are automatically synchronized with SkyDrive (OneDrive) accounts and that OneDrive was onboarded to PRISM for NSA access. Well, that's only if you have a Microsoft Account. Oh, one is automatically made for you and you're essentially required to sign up for an account to use any new Microsoft OS.
Well, that and BitLocker keys are also backed up inside of organizations to Active Directory (i.e. don't 'domain join' your personal computer).
Anyway.
Check the flurry of Apple news items recently. The narrative would like to use that as some sort of David vs. Goliath story of the good guy capitalist protecting his consumer. But check the details. The addition of encryption is not new. What's new is that they are publicly claiming that with this encryption system they will not have access to the private keys, and so can not comply with requests. Now we don't have to believe them (I don't), but we do have to acknowledge that -not having a facility for escrow- is their 'dangerous game'. Encryption is not a 'dangerous game'. Not providing escrow is.
Thanks for your reply. I'm aware of what the FBI was asking for (Val Caproni is no longer there, FYI) four years ago. My reporting before I founded recent.io was the first to disclose some elements of the bureau's demands and strategy, in fact.
You're right that it's unreasonable to place blind trust in a closed encryption system, even Apple's, that we're unable to review or audit. Even if their intentions are pure, it could be poorly implemented.
But my point is simply this: there is no U.S. law mandating key escrow for Apple, Google, Microsoft, etc. One was proposed in the 1990s. It didn't pass. One was proposed in the Going Dark era 4-5 years ago. It didn't pass. One is being quasi-proposed now. It hasn't passed.
I actually think I'll agree with you on a lot of issues based on your post above -- but it is nevertheless a conspiracy theory to claim that Silicon Valley companies somehow engage in key escrow for the NSA or that there is a legal requirement for them to do so. As I said before, if you claim otherwise, URL, please.
>NSA currently requires companies (like Microsoft, Apple) to provide encryption keys corresponding to devices
PS: ^^^ I'm still waiting for the link that backs up this claim too.
AFAIK there is no explicit law requiring every company that sells cryptography (in the general case, i.e. not as a service provider) to provide key escrow.
However, this is not to discount law in praxis, how CALEA is interpreted and enforced, the history of key escrow, current technology considerations, known and suspected escrow mechanisms, and pressures exerted by federal law enforcement (e.g. the removal of effective crypto from Skype when it captured its market), and how all of this hangs together.
My (reasonably educated and technically informed :p) suspicion is that once a company reaches a certain size, federal agents will come to your company and make demands for data, which you must comply with, and slowly, as you are compelled by law to give keys and data on a regular basis, it becomes the best thing for your business to install automatic escrow mechanisms.
It is my assertion that law enforcement interprets laws that read as "...unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication" as enough to force companies to create escrow mechanisms.
I would argue some of this story played out very publicly with Google. Another great example here would be the NSL of Lavabit - how they asked for far more than was legally obligated and the forcefulness and non-public nature of the demands made it impossible to put forward a reasonable defense.
To summarize it is apparent to me that the difference in our perspectives is whether a specific law (another being proposed again now, as you point out) is required in the current climate of practice of law, along with the leverage and the compliance requirements that exist inside it, for key escrow to be 'required of companies'.
I come down on the side of 'no'. I believe they have what they need now to get escrow.
Maybe this Apple and Google thing will clarify it. But somehow I doubt it. Prediction: no explicit law on key escrow will be passed (it would be entirely too harmful for US exports) but it will continue to be practiced.
Oops, here's a Microsoft "cloud storage" key escrow system from 2011-2012.
"Some of the files stored on the network server may be sensitive or confidential. The user may wish to restrict access to those files. The files may then be encrypted or otherwise protected with a password or other key. The user may not trust the network server to store the key, and may thus desire to retain sole possession of the key. Such users, however, often lose (or forget) their passwords or keys. Moreover, other third party users may legitimately require access to the stored, encrypted files."
"FIG. 3 illustrates a flowchart of an example method for providing third party data access to a user's encrypted data according to a predefined policy."
"In some cases, however, while the data storage system is not able to decrypt the user's data, it may be necessary for an outside entity (e.g. a governmental entity) to access the user's data."
"In cases where the encrypted data is a cryptographic key, that key may be stored as a plurality of shares. The shares are mathematical transformations of the user's private key, and each share is provided to one of the verified third parties. Each verified third party publishes his or her own public keys, and encrypts his or her share of the encrypted key using their published public key. The verified third party shares encrypted according to the third parties' public keys are then stored in the data storage system. Because the shares are encrypted according to the verified third parties' public/private key pair, the data storage system is prevented from accessing the encrypted shares, and is further prevented from accessing the user's data."
"In some cases, the user's data may comprise, at least in part, a cryptographic key. The user's data, including the key, may be stored in multiple different shares."
Encrypted data AND keys!
The patent examiner cited "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption" when doing his examination.
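The share-splitting the quoted patent describes, as an added example that is not from the thread or from the patent itself: a t-of-n Shamir split of a user's key across named third parties (the party names and the key are constructed; the per-party public-key encryption of each share is assumed and not modelled). It shows the property a defender should weigh in any such escrow design: the storage system alone learns nothing about the key, but any threshold of share-holders, whether cooperating voluntarily or compelled, recovers it in full.

```python
import secrets
from typing import Dict, Sequence, Tuple

# Largest 256-bit prime; a 256-bit symmetric key then fits in one field element.
PRIME = 2**256 - 189

Share = Tuple[int, int]  # (x, y): the share polynomial evaluated at x = party index


def _eval_poly(coeffs: Sequence[int], x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, parties: Sequence[str]) -> Dict[str, Share]:
    """Split a key of at most 32 bytes into one share per named third party.

    Any `threshold` shares reconstruct the key; fewer reveal nothing about it
    beyond its length (Shamir's scheme is information-theoretically secure).
    """
    if not 1 <= threshold <= len(parties):
        raise ValueError("threshold must be between 1 and the number of parties")
    if len(key) > 32:
        raise ValueError("key must be at most 32 bytes for this field")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Constant term is the secret; the other coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 would hand out the secret itself, so parties are numbered from 1.
    return {name: (i, _eval_poly(coeffs, i)) for i, name in enumerate(parties, start=1)}


def recover_key(shares: Sequence[Share], key_len: int = 32) -> bytes:
    """Lagrange-interpolate the share polynomial at x = 0 and return the key.

    With fewer than `threshold` shares this still returns *some* value, but
    one unrelated to the key; the caller cannot tell from the output alone.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME          # product of (0 - xj)
                den = den * (xi - xj) % PRIME      # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


def escrow_demo() -> dict:
    """Constructed scenario: a 3-of-5 escrow of a user's key across third parties."""
    key = secrets.token_bytes(32)  # constructed stand-in for the user's AES-256 key
    parties = ["party_a", "party_b", "party_c", "party_d", "party_e"]  # constructed names
    shares = split_key(key, threshold=3, parties=parties)
    # The storage provider would hold only the (encrypted) shares, never the key.
    # Any three share-holders acting together, however, recover it completely.
    quorum = [shares[p] for p in ("party_b", "party_c", "party_e")]
    too_few = [shares[p] for p in ("party_b", "party_c")]
    return {
        "key": key,
        "recovered_by_quorum": recover_key(quorum),
        "recovered_by_two": recover_key(too_few),
    }


if __name__ == "__main__":
    result = escrow_demo()
    print("three shares recover the key:", result["recovered_by_quorum"] == result["key"])
    print("two shares recover the key:  ", result["recovered_by_two"] == result["key"])
```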
I have lost the ability to edit this post. I wanted to share some more information. All of these patents contain key escrow capabilities, which is defined by the US patent system as "Subject matter wherein the key is deposited or retrieved to or from a third party."
There are circumstances where this is not being used to give access to law enforcement, or the patent would not make sense in that context.
This is a last defense argument. Certainly it is the case for some escrow systems, which (especially with the patentese) are difficult to decipher.
But others are clear as day: "In order to receive the information, law enforcement may submit a request to each of the entities identifying the communication session and their basis for authorization."
Only some of the documents provided above have been read through by yours truly. They constitute only a minor fraction of patents by a minor fraction of companies in the US patent system.
The NSA has clearly recruited employees from companies like Google, Facebook, Cisco, etc to compromise and place vulnerabilities that the NSA can exploit. The fact that the NSA has decided that the legal channels to acquire data through warrants and actual investigations no longer applies must be stopped.
As an example, I have a small VoIP company. At one point, we were processing about a billion calls a week. A malicious employee could probably set up a trace and collect call records or record calls. I'd have no real defense against hiring someone that worked for the NSA.
An employee at a hosting company could do huge amounts of damage. Consider SSL certs can be issued just by checking email to prove "ownership". At some large ISPs/datacenters, it'd be "fairly easy" to intercept the confirmation email and get SSL issued in a company's name "legitimately" (that is, no bad effects to the CA and not traceable to the NSA).
Subverted employees are a huge threat and we should really consider that when looking at security in general.
Hey BugBrother,
I don't know who is downvoting all your comments, but they seem within scope and inoffensive to me, so don't let the cowardly phibjobblers get to you.
It is unfortunate the shadowing did not also go to homework and extra curricular activities. This is an area that is neglected too. If he had sat through a practice, then gone home to read 200 pages and do two hours of homework, his conclusions would be even more dramatic.
Thank God we are clustered with Germany and South Korea in this. I can only imagine the not-giving-a-fuckery if the targets were "China, Iran and Cuba"
Revealing mass surveillance is one thing (great!), but some of these leaks feel like revealing too much and some of what's meant to be protecting us...no??
I've been a Snowden supporter but this is the kind of information that gets people killed. I'm not sure how comfortable I am with this. He proved his point a long time ago; is this really necessary?
You're not allowed to be imaginative or speculate here about topics that people have been conditioned to patriotically think non-critically about! Just give it up man! We all know that the official stories about 9/11 are 100% true!
(For a group that hates censorship as much as these "hackers" do, isn't it funny how they love a site that lets everybody censor each other by downvoting comments into invisibility? See? Help meeee I'm meltinggggg....)
When you speak in front of a crowd of people and are arrested by police for the things you're saying, that's censorship.
When the crowd boos you off the stage before you're finished, that's not censorship, it's other people also asserting their rights to free speech. Perhaps you should reconsider what you're saying or find a new group of people to say it to.
Your analogy doesn't work because 3 or 4 downvoters does not constitute a crowd. No, this is basically censorship by a small set of group-think leaders.
More like: the US can't get rid of its Cold War era habits.
The Cold War never ended. It was just extended from US vs the Soviet Union to US vs everybody else.
But what do you expect from a nation that is now de facto in a perpetual state of war with an amorphous, heterogeneous and strictly confidential blob of groups, nations and assorted individuals that includes its own citizens.
[0] http://en.wikipedia.org/wiki/National_Security_Agency#Struct...
[1] http://www.matthewaid.com/post/58339598875/organizational-st...