* It's possible to work out the geographic region of certain compartments based on the organizational code attached to it.
* The redactions in the "Control Authority" column are variable size, possibly even proportionate to character length.
* The fact that the document was merely classified "confidential" is odd.
* I was able to identify all but one item listed in the "Organization" column.
The sole item that eluded identification was "S0242". It is listed alone under two compartments. I couldn't find anything on it; one can only surmise it is something within the Signals Intelligence Directorate (probably something boring, despite the mystique).
"The NSA/CSS Commercial Solutions Center (NCSC) addresses the strategic needs of NSA/CSS and the national security community by harnessing the power of U.S. commercial technology."
* The NSA/CSS Commercial Solutions Center (NCSC) is specifically built around Elliptic Curve Cryptography that they acquired from Certicom.
>The NCSC also manages the Elliptic Curve Cryptography (ECC) program on behalf of the NSA/CSS. Elliptic curve provides greater security and more efficient performance than first generation public key techniques currently in use. NSA/CSS purchased a license that covers intellectual property in a restricted field of use to assist in the implementation of elliptic curves to protect U.S. and allied government information. - https://www.nsa.gov/business/programs/ncsc.shtml
* Certicom designed the Elliptic Curve DRBG (Dual_EC) algorithm including the backdoor (Certicom patented the backdoor functionality in 2005). The NSA then included this algorithm + backdoor into NIST standard and paid RSA 10 million dollars to make it the default DRBG.
Putting these two facts together suggests that the NCSC was responsible for the Dual_EC backdoor.
Maybe they could have not published this one.
I'm very much interested in the Snowden Documents and am a strong advocate for civil liberties (look at some of my other posts, and the ones under the handle 'xnull').
I also repeatedly explain, on Hacker News, and other places, that there is a global cyber intelligence war and that the Snowden Leaks showed us key insights into what was going on, how it's not 'about terrorism' and a great number of other things.
But I'm bewildered by this article. It seems really damaging, and like it doesn't really add very much to the corpus they've already published.
Edit: Glenn Greenwald, Laura Poitras, Edward Snowden, etc all decide what material to publish and what material not to publish. Greenwald, by his own admission, works with US officials to redact information and to choose which stories make it out of the gate. He's also said that he isn't revealing (paraphrasing) 'the most horrendous material in the Snowden documents, for fear of the fallout'. My question should not be thought of as a challenge to revealing Snowden documents as a whole. Contrary to this I think it is of the very highest service. My question is only 'why this document'?
In fact you recognized this too writing: "it doesn't really add very much to the corpus they've already published." Once you attempt to identify the new information, you can recognize that 99.5% of it appeared in some other form before.
The older published documents already were marked "top secret." These markings are given to the content that is considered "damaging" by those who write the documents. You just perceived it differently because these markings were just markings for you, not the sentences spelling out "damaging."
Still, the value to the public of this very document is that it's a single document summarizing nicely the previously disclosed ones in much less words. By its nature though it doesn't contain the details published previously. (Edit: technically, it's a set of the documents but all of them together appear to me just as a big table of contents for the disclosures already published.)
Now let's discuss the new 0.5% of information, even if it's very general.
On the other hand it deals a pretty big blow geopolitically/internationally.
The big deal about this article is that it reveals the major tactical capabilities and efforts the NSA has invested in the intelligence war.
Edit: Right now HN is limiting the number of replies I can initiate. Will reply as I can.
As a foreigner, I'm actually more interested in non-domestic stuff.
Let's say Swedish spies were sent to the US in order to infiltrate and weaken the 911 system, the power grid, or other key infrastructures of the US. Would you shrug at that also, since after all, what should people expect from spies?
Sabotage and spying are two different activities. Sabotage is a tactic employed during war. Spying is a tactic employed during peace. Confusing the two simply states that peace is war, and war is peace, and anything goes so long as it's against foreigners.
So? For me (Godwin's law be damned) it's like leaked documents about Nazi Germany practices. If you were not a German you'd cheer, and if you were a non-Nazi German you'd also cheer.
It does? What is actually new and specific I fail to see. But it's a really, really nice summary.
SENTRY EAGLE is the protection program outlined jointly by the NSA and the U.S. Strategic Command.
The first line reads:
"SENTRY EAGLE... compartmented program protecting the highest and most sensitive level [by] NSA/JFCC to support the U.S. government's efforts to protect America's cyberspace."
The document goes on to specify the broad U.S. cyber protection strategy broken down into Sentry Hawk, Sentry Falcon, Sentry Osprey, Sentry Raven, Sentry Condor, and Sentry Owl - all of which are new.
Add on top data about infiltration into (allied) South Korea and Germany. Not a good day for the NSA.
(The names are most definitely classified.)
Unclassified. For official use only.
Yup the names are not classified.
As the terms are not classified there are minimal standards regarding using the names in less secured conversation. If another country has intercepted communications or documents with some mention of SENTRY EAGLE, now that this has been released they know some of the conversation/document context.
 "unclassified but which the government does not believe should be subject to Freedom of Information Act requests" (wikipedia)
I'm reasonably sure every thinking person has started, in their mind, to replace any invocation of "national security" with "covering up either incompetence, negligence or breaches of law". There are zero reasons we should be paying any attention to that label.
(I like to remind people of the case of Ibrahim vs. DHS, where the government spent all its time invoking various secrets related laws and privileges, citing national security, even having Holder sign a declaration to that purpose, and what for? To cover up the clerical error of some lowly FBI agent, who checked a wrong box.)
Certainly there are instances where this is the case. I can think of a few others to add to your example.
But there's no good reason to assume that all invocations of classified and politically or strategically sensitive material are excuses to cover up incompetence, negligence or breaches of law. And in fact in this case I'm not sure what it would be covering up. What's listed here is hardly incompetence nor negligence and the argument for breach of law, while slightly stronger, wouldn't pass a smell test.
"The most controversial revelation in Sentry Eagle might be a fleeting reference to the NSA infiltrating clandestine agents into “commercial entities.” The briefing document states that among Sentry Eagle’s most closely guarded components are “facts related to NSA personnel (under cover), operational meetings, specific operations, specific technology, specific locations and covert communications related to SIGINT enabling with specific commercial entities (A/B/C).”
It is not clear whether these “commercial entities” are American or foreign or both. Generally the placeholder “(A/B/C)” is used in the briefing document to refer to American companies, though on one occasion it refers to both American and foreign companies. Foreign companies are referred to with the placeholder “(M/N/O).” The NSA refused to provide any clarification to The Intercept."
As for foreign companies, it's pretty obvious that NSA and CIA have been conducting operations like these for many decades.
I'm not going to argue that the NSA has not subverted American companies before (see DUAL_EC_DRBG), but this does not provide definitive proof that they're actively infiltrating homeland companies with human spies.
For the record I don't agree with the parent. I think the important thing about this document is that it lays out the broad tactical tools used in US cyberintelligence strategy. It's handing off some major tactical playbook material.
The author is also picking quotes from different programs and mashing them together to come up with their speculation. Note how the commercial entities are discussed under the "Sentry Owl" program on page 7, but the "covert or under cover" quote comes from the "Sentry Osprey" section on the last page, which appears to be talking about the NSA working with the CIA. If NSA employees were working with the CIA on anything outside the US, it would make sense that they'd be undercover. Maybe they are infiltrating companies, but the source document doesn't support that assertion.
Schneier isn't name-dropped at all in the article. I find it odd that they would quote Matt Green and Chris Soghoian by name, but mix in the opinions of someone as well-known as Bruce Schneier without mentioning his name anywhere.
Bruce Schneier was given an opportunity to meet and review a large collection of documents but yes it's true we don't really know.
There's a Chinese whispers effect to all this where vague assertions are repeated over and over until they become considered definite facts.
"...by exploiting inherent weaknesses in Facebook's security model." - GCHQ
That's Facebook. The Yahoo and Google stuff has been very widely reported and are direct from Greenwald and the Snowden leaks. Other links (in particular the PKH link) contain other information.
When will Americans realize that 96% of the global population are "foreigners", and are still considered human.
Until the public realize that they are themselves the target of those cyber security war activities by their own government, those revelations can not be damaging enough.
Just to support the point: Today the new Snowden movie is all over the news, while practically nobody seems to care about those revelations you claim being really damaging.
This is entirely true. Us plebes have been caught in the middle. And the surveillance programs are not just about cyber warfare. The NSA/DHS use them for other things as well (handing off to CIA/FBI/DEA, building profiles of people, social manipulation, etc). But this article from firstlook IS about cyber warfare.
The leaked document itself says "U.S. Strategic Command - Joint Function Component Command - Network Warfare".
> Today the new Snowden movie is all over the news, while practically nobody seems to care about those revelations you claim being really damaging
Isn't that argumentum ad populum? The news media coverage of the Snowden revelations has been horrendous, limited and misleading through and through. In fact the Snowden movie being in the news is a great example of how the public is disconnected with what's going on. It's not a "Snowden documentary" or a "Snowden lecture" or a "Snowden document analysis". It's a short hour and change person story with a bleached narrative devoid of the content of the actual documents.
I'm off to create a few phony shell corporations to get some free NSA money and get paid to surf the web!
Plenty of leaks before on infiltrating companies and backdooring encryption. Was there anything in particular?
Edit: Nothing in particular then I guess... :(
I'm really starting to take an issue with declaring all this stuff as "cyber war" or "cyber warfare" (here and everywhere else in this thread). It's not a war if there is no intent of actually killing people. Even something as intense as the "cold war", had the qualifier cold in it, because there was no open confrontation. And what is now summarized as cyber (intelligence) warfare is orders of magnitude less deadly (though not necessarily less damaging to our civil rights). It's not a war if I steal your trade secrets and undermine your negotiation positions in international treaties.
If you frame it as a "war" you get a whole different solution space. Instead of strengthening the IT security of domestic companies that build your core infrastructure you end up with "offense is the best defense" strategies and undermine the IT security of everyone. If you stop using war rhetoric this kind of statement:
> If you didn't see it, there's a link on another branch of the conversation containing (at least) 37 other countries involved in cyber [espionage].
becomes far less of an existential threat.
Countries are owning each others' communications, power, transportation, energy, food production, etc infrastructure. Sabotaging these can cripple a nation, not to mention kill people (check out damage from the recent Great Northeast Blackout - note here that it is not known whether this was a cyber attack).
The military and defense contractors are targets of attacks as well as industry. Titan Rain, Moonlight Maze and Operation Aurora are some well-known geopolitically motivated attacks that breached defense contractors (including Lockheed Martin, Sandia), US internet infrastructure (including Rackspace, Google), aerospace (including NASA) and military (including the DoD).
You may remember this year that Wall Street and JP Morgan were hacked, that the DoD was hacked, that several hundred defense contractors were hacked, and that the list of people with top secret clearance was hacked. You may remember this year that Israel's "Iron Dome" missile defense system schematics were hacked.
In the eyes of the military, these things constitute an attack. They give it the name warfare. It certainly isn't classical warfare. Maybe we need a new term. I do like the "cold" term.
No matter what we call it, it is serious.
As a country we are invested in it.
Really damaging for whom? 99% of the world's population are victims (them or their countries) to the stuff described in the article, not cheering for its continuation.
It's not easy to see, but damaging others denies them the contributions they could bring, ultimately damaging themselves.
Everybody is hacking everybody. Every major country has a cyberintelligence arm. The NSA is just one actor of dozens.
While there's definitely a cyber war going on, you have to ask, why isn't the NSA actively disseminating knowledge to Americans on how to secure themselves? Why are they instead actively weakening encryption standards? American companies have the most to lose from weak encryption. It just doesn't add up, and the American people have enough confidence to call their government out, unlike countries who have allowed themselves to become pretty enslaved by their government, like China and Russia.
In summary, the NSA should participate in the global cyber intelligence war by educating the American public, instead of weakening them.
In fact, the NSA is disseminating such knowledge. You can find guides to secure operating systems (Windows, Linux, and OS X) and commonly used applications (Chrome, Adobe Reader). To what I assume is the chagrin of the FBI, you can even find guidance on full-disk encryption.
When they can, states prefer to use public exploits, phishing emails and other leverage to break into targets - mostly because 0days are expensive.
> they use their technical abilities to suppress dissent in frightening ways
I'm just going to mention so called "Fusion Centers", which have been used to investigate and disrupt the organization of The Tea Party movement and Occupy Wall Street but spare my usual rant. No it does not compare to Russia or China.
Oh and I'm also going to link this: https://firstlook.org/theintercept/2014/07/14/manipulating-o...
And this: http://minerva.dtic.mil/
> NSA threatening domestic jobs, companies, individuals, and most of all innocents, that leads to an upset.
The NSA's view, and in fact several of the last presidential offices, is that these programs and capabilities are important for the country because they give American companies and domestic jobs a leg up.
"The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances." - NSA Mission Statement
A good example is the hacking of Brazilian PETROBOL (PETROBRAS?). Or actually, here's a firstlook link: https://firstlook.org/theintercept/2014/09/05/us-governments...
> While there's definitely a cyber war going on, you have to ask, why isn't the NSA actively disseminating knowledge to Americans on how to secure themselves?
Because it is essentially impossible to secure yourself on the internet. This isn't a fine point. It's a blanket fact.
> Why are they instead actively weakening encryption standards?
They have a concept called "NOBUS" which means that the weaknesses they introduce should only be exploitable by them. DUAL_EC_DRBG, the go-to example of an NSA backdoor, is a perfect example of NOBUS.
> In summary, the NSA should participate in the global cyber intelligence war by educating the American public, instead of weakening them.
Oh I agree. Actually if you look back Clinton and first term Bush era they kept proclaiming that there was a cyber intelligence war but it never really caught on. So they made it about 'cyber terrorists'. Nobody caught on. They made it about actual terrorists. Now we listen. I do hope that investments are made in defensive capabilities rather than offensive. The Obama administration released a series of strategic documents funding longer term research into the protection of domestic computer networks, programs and technologies. But right now you can't play the game of cyber intelligence war without attacking. When it comes to hacking, the attacker always wins. Just playing defense is a losing game.
> The NSA's actions since 9/11 have been more consistent with a power grab than any authentic desire to empower & protect Americans.
This has been going on much longer than since 9/11. PREDATOR and MAINWAY are examples of programs that existed years before the 9/11 attacks.
> Oh I agree. Actually if you look back Clinton and first term Bush era they kept proclaiming that there was a cyber intelligence war but it never really caught on.
Interesting point. Now, in the 90s, wasn't the government trying to prevent encryption from being used by the public though?
> When it comes to hacking, the attacker always wins. Just playing defense is a losing game.
Still, there are a lot of defensive measures the public can take from hackers. For instance, using OTR, Tor/VPNs, and moving sites to HTTPS whenever possible.
Bruce Schneier has an interesting metaphor for this period in human evolution. He compares the information revolution to the industrial revolution. At first, people didn't realize how bad pollution could be, amongst other things like food safety. Books like "The Jungle" helped prompt people to stand up for themselves and demand better, and healthier ways of conduct. Overall, humanity evolved to handle the new technologies and their side effects. Snowden's revelations are like "The Jungle" of our time.
Oh yeah. They did before the 90s, during the 90s and are also doing it now. We won some serious ground in the 90s, allowing us to use stronger algorithms. But companies are still required to keep copies of all of your encryption keys at the ready if they want access to your data. If you haven't seen it the FOIA requested document from the CIA posted here a week or so ago has a pretty good history.
> Still, there are a lot of defensive measures the public can take from hackers. For instance, using OTR, Tor/VPNs, and moving sites to HTTPS whenever possible.
These things do help, but minimally. OTR is good if you want some privacy on your chats. Tor is good if you want a little anonymity. Some baseline level of encryption should be standard everywhere. If you look at the extensiveness of the backdoors though these don't really matter. For example take the FBI mass exploitation of Tor this year. In many instances (Apple iPhone/Microsoft Skydrive/etc with PRISM), copies of data are stored directly from a partner's product for inspection, whether it was originally encrypted during transit or not. And computer exploits that target operating systems are able to see everything on your computer that you see.
I love his analogy to Digital Feudalism the most.
Firstly, why only hacking? What is true for a cyber-attack is true for a physical attack as well. Both sides lose resources in both types of attacks.
Secondly, the reason for defending something is because something is worth defending. If it has been defended in an unsuccessful attack, that is a win.
And thirdly, the thing being defended often includes a higher-moral-ground. Resorting to attack is a definite loss for the defending party.
A couple reasons. One is that 0day vulnerabilities have no defense. There is no way to defend against certain vulnerabilities.
The second is that there are no international rules of conduct that apply to cyber warfare. After the Georgia/Russia event there was an effort to pass agreements in NATO but AFAIK nothing came of it.
The third is that a successful attack usually means the victim remains in a compromised state for months or years (look up advanced persistent threat).
Finally, it's also usually the case that cyber attacks go completely undetected.
> the reason for defending something is because something is worth defending
Right, well the NSA does engage in defense as well. There's just less that can be done. There are hundreds of millions of devices in America with an extremely long tail of software/update state and configuration, saying nothing of networks. There's a ton to protect and even protecting small amounts is costly. This is one of the main reasons companies (and governments) are looking to the cloud - you can consolidate your threat area if you concentrate operations and run broadly the same configuration/state across many systems.
> thing being defended often includes a higher-moral-ground
But this is espionage and sabotage. It's dirty business. I don't think it's a good thing. I don't really advocate for it. I'm just here explaining the broader context of the Snowden disclosures and this article. If you missed it there was a link containing 37 other countries that have cyberwar programs (the list is not exhaustive).
-Warrantless surveillance of US citizens (this is bad whether it's by law enforcement, intelligence agencies, or anyone).
-Infiltration of foreign companies in allied or neutral nations purely for economic or geopolitical insight, not for military purposes (Brazil's Petrobras oil company, all sorts of spying in Germany and Norway and other places).
Personally I'm all for the kind of operations they're conducting in Iran and China, as these countries have been doing the same to us and to others for a long time. But they've become far too greedy in their desire for information domination and power, to the point where there is clearly no line that shouldn't be crossed. To them, if anything anywhere in the world is open for exploitation or surveillance, then they feel like they have a right to use it.
Agreed very strongly.
> Infiltration of foreign companies in allied or neutral nations purely for economic or geopolitical insight, not for military purposes (Brazil's Petrobras oil company, all sorts of spying in Germany and Norway and other places).
See this is where the NSA really shines. We (The US) delayed Iran's nuclear program by THREE YEARS with Stuxnet! Three! And after they finally figured out it was sabotage the US and Israel had the director assassinated for further delays.
Having Merkel's cell phone? During the Eurozone crisis? It would have been awful (financially) for the United States not to have that information. It's fun to look back and read the confused reports during the time "European Union suffering considerably from Eurozone crisis; America sees only limited effects."
PETROBRAS? We won offshore oil drilling locations because we had that information. Energy security for the country going forward decades.
Unfortunately geopolitics are important and you can't just not participate. Hacking is (one important way) that modern espionage, surveillance and sabotage are done.
* "the US and Israel had the director assassinated"
* "we won offshore drilling"
* the blasé assertion that a nuclear Iran is any worse than the existing nuclear powers (especially Israel!!!)
"Energy security" is oil company nonsense, hilarious considering their tireless efforts to block any kind of clean alternative. The OPEC crisis saved us from gas guzzlers, and now we're back to having SUVs everywhere. We could use some "energy insecurity" but with fracking we're now an exporter. Oil forever!! Climate be damned.
I disagree also with attempts to close off the discussion by saying "geopolitics are important." The US does not have to subvert governments, install dictators across the globe, prop up Saudi Arabia, blindly support Israel, be the muscle for Big Oil (and assassinate and imprison folks at home, too).
The moral hazards that have created this situation are to blame, but it doesn't help that our leaders are as a group paranoid and uncreative, all too willing to let militaristic fascists (accurate, not name-calling here) drive their decision-making.
Edward Snowden is a hero, full stop. You can't do enough damage to the NSA, these types must be resisted at all times.
Nah that's not what I think or believe.
I'm trying to explain broader context. The US is not hacking in a vacuum. It has to make strategic decisions. We can arm chair the US strategic command all we want.
There seems to be a presumption that the US is doing these things 'just because'. What I believe is that the US is making decisions based on incentives, costs, benefits and other tradeoffs. I believe that if we don't participate in cyber intelligence warfare, we'll lose.
There are certain principles I don't want to give up in the process for sure - civil liberties of all people everyone is #1.
Is the previous an ethically valid way of conducting business? Should I not expect to be scrutinized if/when I got caught doing that, because it might imperil my interests? If I do the same, not for me but for a collective (a company, a union), would that be any less unethical? If not, why would it be different if I did it for my country?
Why is it that we consider that sort of behavior pathological for individuals, criminal for organizations and "just the way things are" when talking about (advanced, inter-dependent, presumably-friendly) nations?
So it's damned if you do and damned if you don't.
I guess you can argue that many of these countries rely on allies who perform espionage and sabotage, thus benefiting from those activities despite not doing them themselves. But that still means that closely-aligned countries can survive without spying on each other. I might not have all the facts, but it seems unlikely that Germany or Brazil would be considered an existential threat to the US in the foreseeable future, so why spy on those countries? Slight economic advantages don't seem to justify the breach of ethics.
I guess I can see what you are saying and I don't think we can have a world without spying any time soon. But that doesn't mean all international spying is justified.
The cost of this sort of machiavellian policy is of course the opprobrium of former allies and friends, and a loss of moral standing.
The US loses a lot of soft power if it chooses this route, and the consequences will be felt for decades in mistrust and distance from her allies. A dangerous course both for the US and for the world.
But I will say that the NSA's perspective is that: it is only because of the Snowden leaks if we have lost face with allies. To the NSA, the secrets were kept well enough until Snowden and friends disclosed them.
This is my basic issue with this article. America and the NSA ate mud pie for the actions disclosed in the leaks. This article has the very real possibility of doing a lot more damage. One could say it is good because justice has been served, but one could also suggest that it is bad because similar disclosures of German surveillance programs (a touchy subject given the history), Chinese capabilities, Russian objectives etc haven't been disclosed by a Snowden-like actor.
Really the whole situation is bad. I don't like being at war, cyber or otherwise.
Not because of the leaks, but because of their actions. That's an important distinction.
If you take actions like this, you should be prepared for them to be exposed, and if you use the argument the NSA and you yourself have made here (it would be ok if we were evil and no-one knew about it), you should expect no one to trust you. You've just declared yourself untrustworthy and a bad ally in perpetuity, because you think this is ok as long as no-one knew about it.
Right. I agree with that. There's actually sort of a boolean AND. Because we did them AND we got caught.
My guess is that all major players are doing the same stuff and that if the US doesn't participate it loses. I doubt the US hacked Germany on a whim - I bet it was a pretty labored decision with cost-benefit analysis (one being chance of getting caught).
Of course that's their perspective, as is the perspective of anyone committing an embarrassing or morally unscrupulous act.
"The thing I regret most is getting caught."
Secrets of this nature have a tendency to leak. If it wasn't Snowden, it could've been anyone else.
I don't think all of the NSA's capabilities or actions should be leaked, but reporting of confirmed infiltrations of US and allied companies and systems is fine by my book. All's fair in love and war, but we are not at war with Germany or Brazil or, hopefully, ourselves.
In this instance it was embarrassing because it brought into question how well the US would be able to keep secret strategic information.
And yeah hacking into allies is pretty unscrupulous. A bunch of the Snowden leaks showed that Israel, France, Germany and others have hacked into us.
It's the way it all works.
> Secrets of this nature have a tendency to leak. If it wasn't Snowden, it could've been anyone else
There were many such leaks, e.g. Binney.
> reporting of confirmed infiltrations of US and allied companies and systems is fine by my book
I agree wholeheartedly with this.
Could you elaborate? As far as I know, Germany has some kind of agreement to not spy on the US.
http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPl... (pg 40/125)
Why the downvote here? The comment contributes to the conversation...
Could you provide direct citations or quotes of allied countries infiltrating our government or private infrastructure? Excluding Israel, because they have the same mindset as the NSA/CIA (in which case I also don't take issue with us hacking Israel).
I don't know where they draw the line.
If you didn't see it, there's a link on another branch of the conversation containing (at least) 37 other countries involved in cyberwarfare.
It's happening. I'm not excusing it. Honestly, it really sucks.
I'm honestly okay with this (except for the assassination part, though it was speculated that was Mossad and not US).
The other things though are simply to gain an unfair advantage in political and economic situations, even against countries that are supposedly our allies. Realistically, these things happen all around the world and have been forever, but ethically I don't think it's a good thing for the NSA or CIA to be doing.
Damned if you do and damned if you don't.
It is on the face of it ridiculous to say "everybody has a blue-water navy." It is equally ridiculous to say "everybody runs surveillance comparable to the NSA."
(on page 16 of the link)
There will be differences in cost and budget for each nation. The United States has 25% of the world GDP (compared to 4% of the population). That we can afford to fund the Lamborghini of intelligence operations isn't to discount other states that have less well funded capabilities.
You'll see plenty of parallels with traditional warfare: like that countries with smaller budgets ally themselves with countries that have more capabilities.
> Let's say half of them are despotic and don't count
Let's not. Those are some awfully large numbers for one. But more fundamentally why don't the armies and intelligence capabilities of tyrannies count?
> Out of those I'd wager that more than half have governments too under-resourced to have the ability to put their people in the kind of panopticon Americans live
The nice thing is that surveillance, if done right, is reasonably cheap. Many other countries, especially the ones you 'don't count', have laws preventing citizen use of any reasonable encryption whatsoever.
http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPl... (pg 124)
I'm not okay with either, but being blind to others' "suffering" doesn't get my sympathy. In this order of events, your sympathy gets mine. In this case, you pointing the finger at others hacking innocents as a justification for hacking innocents makes me entirely unsympathetic to your "damage". See how that works?
Two wrongs don't make a right. Would be awesome if we could just have secure and private computing and communication machines for the masses.
Here's hoping for next time.
This is simply false. It is untrue to claim that all U.S. companies have somehow "weakened" encryption or inserted backdoors in their products for the Feds. I normally wouldn't waste my time correcting conspiracy theories, but sometimes it's necessary to stop the more credulous from believing them.
Yes, the NSA has boasted of having a surveillance "partnership" with certain U.S. companies, but those are telecommunications carriers -- AT&T, Verizon, Sprint, etc., not Silicon Valley firms: http://www.cnet.com/news/surveillance-partnership-between-ns....
For an additional indictment of AT&T, look at the sworn affidavit that EFF obtained from local SF bay area whistleblower Mark Klein -- an AT&T technician who revealed the existence of the NSA's fiber taps at the 2nd & Folsom Street SF facility.
But the Silicon Valley companies that we know and more-or-less love have done the opposite. Look at the announcements about device encryption by Google and Apple in the last month (that have irked the Feds so much they're threatening new laws). Look at Google's Adam Langley, Wan-Teh Chang, Ben Laurie, and Elie Bursztein deploying a better TLS cipher suite in Chrome. Look at Twitter's surveillance lawsuit this week against the Feds over, apparently, the legality of a warrant canary.
And of course the two links in the conspiracy theory posted above prove the opposite of the "weaken encryption" claim. First, CALEA doesn't apply to web companies. And even the carriers it does apply to are permitted to (at 47 USC 1002(b)(3)) provide secure end-to-end encryption: "A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
Second, the FOIA'd doc was written in the late 1990s before the Feds liberalized encryption export controls. It's 15+ years out of date. You can now freely export strong crypto. And even in the dark days of the 1990s, there were no domestic controls on encryption use, though the TLAs did give it a shot at one point.
A better argument for the conspiracy theory set is the very odd relationship between EMC Corporation's RSA business unit and NSA. But even if allegations of intentional security flaws are true, EMC is a Massachusetts company, not a left coast firm, and a cozy relationship between the NSA and EMC/AT&T/VZ/etc. certainly does not indict all companies and their founders.
Finally Apple isn't a "web company", nor is Microsoft or the majority of 'large corporations'.
> "...unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication"
I don't think I need to say very much here.
Regarding Apple's encryption there's lots of good information about how very little it actually does and can do. There was also a hacker news thread with yours truly. https://news.ycombinator.com/item?id=8389365
Regarding the 'antiquated' FOIA doc - you can export strong crypto but you backdoor it, keep the keys, or provide other ways to access the data. Blackberry's entire business model was secure communications and look where they are today. RSA is now in a similar boat.
"Weaken encryption" does not mean 'lower the bit security under the standard attacker model' here. In this case it means 'subvert encryption through design or implementation flaws, key repositories, controlled PRNGs, side channel access or designed-in systems level access to the data'. "Weaken encryption" doesn't mean "choose smaller key sizes", it means "make the fact that something is encrypted a weak guarantee of security and privacy."
> But the Silicon Valley companies that we know and more-or-less love have done the opposite
Image management, nothing more. Why the public showdown? That doesn't make any sense at all. No sir, I'm certain that corporations would like to provide security and privacy for their customers. And they do. But not against federal law enforcement. There are no new laws that need passing right now. The machinery is there and we've witnessed it in action multiple times. There is no David and Goliath story here, no heroes to be heralded. It's romantic, alright. I wish it were realistic.
Google (and others, that we are supposed to love) fought several battles that made it to the highest levels of court in the United States but lost. They were then forced to comply. The United States used extreme financial leverage to get QWest to comply (and when they still wouldn't, let/forced them to go bankrupt).
What's changed since then? Were there some new Supreme or Circuit Court decisions that have depreciated the former?
Didn't we already chat about key escrow requirements, CALEA, etc?
The Clinton Administration's big thing was key escrow. Clipper, of course, and as that policy failed the administration moved control of encryption from Military/Exports and Munitions to the Department of Commerce under the agreement that key escrow systems would be put in place where weak cryptography had been previously. Major companies (including RSA, IBM, Apple, Sun, HP, AOL, others) collaboratively drafted industry standard key escrow systems (aside: crypto key escrow patents are a fun thing to look up on patent searches).
Additional pressure was exerted of course because the United States had seen a very strong rise in geopolitical espionage and sabotage and strong crypto was becoming a problem for the NSA.
That's where things were at the end of the Clinton Administration. During Bush's administration we saw nothing but an expansion of powers and budgets for intelligence agencies and reclassification of laws applying to other media (for tap and trace/pen register) to the internet (although CALEA already applies to broadband internet) and to computers, 'computer systems and networks' and electronic equipment. Bush (and Clinton before him) warned of rising international cyberwarfare, but couldn't get the populace concerned about it. Anyway, you do NOT see a reversal on escrow requirements during the Bush or the Obama administration - rather you see an expansion of escrow and an expansion of hardware, software and standard backdoors as well as the leaks from Snowden.
There are a number of ways that escrow is done (we're ignoring backdoors right now). The TPM is one novel way that keys are stored in a way that gives access for law enforcement. TPMs are in essentially every computer, 'spooks' showed up at the standardization meetings for the chip, Germany announced they provided backdoor access during diplomatic troubles (and have since 'rescinded the announcement' whatever that means), China blocks all electronics with TPM chips coming from the United States (and allies) and after a bunch of international and technical/commercial problems the TPM 2.0 spec (again attended by Five Eyes spooks) it was for the most part abandoned. And honestly, does a low end consumer device ($650 laptop or $300 phone) require a self destructing chip that can't be examined using standard equipment or at room temperature? The TPM also almost always resides on the low pin count bus (the spec does not specify where it needs to sit), which gives it DMA (TPMs do NOT need DMA).
Or check out Microsoft's Cryptographic Service Providers (CSPs). This is where you store, provision, can generate, access, and utilize your keys in a Microsoft system. It's also famous for being where the NSAKEY gave access. Microsoft will tell you that it keeps your keys secured, but it is well known to any pentester that access to admin on a box can dump all of the keys, including those that are so-called 'marked non-exportable'. From what I can tell by the public MSDN articles on the subject, contents of the CSPs can be controlled via group policies, and interops with other management systems.
This isn't to mention that BitLocker keys are automatically synchronized with SkyDrive (OneDrive) accounts and that OneDrive was onboarded to PRISM for NSA access. Well, that's only if you have a Microsoft Account. Oh, one is automatically made for you and you're essentially required to sign up for an account to use any new Microsoft OS.
Well, that and BitLocker keys are also backed up inside of organizations to Active Directory (i.e. don't 'domain join' your personal computer).
Check the flurry of Apple news items recently. The narrative would like to use that as some sort of David vs. Goliath story of the good guy capitalist protecting his consumer. But check the details. The addition of encryption is not new. What's new is that they are publicly claiming that with this encryption system they will not have access to the private keys, and so can not comply with requests. Now we don't have to believe them (I don't), but we do have to acknowledge that -not having a facility for escrow- is their 'dangerous game'. Encryption is not a 'dangerous game'. Not providing escrow is.
You're right that it's unreasonable to place blind trust in a closed encryption system, even Apple's, that we're unable to review or audit. Even if their intentions are pure, it could be poorly implemented.
But my point is simply this: there is no U.S. law mandating key escrow for Apple, Google, Microsoft, etc. One was proposed in the 1990s. It didn't pass. One was proposed in the Going Dark era 4-5 years ago. It didn't pass. One is being quasi-proposed now. It hasn't passed.
I actually think I'll agree with you on a lot of issues based on your post above -- but it is nevertheless a conspiracy theory to claim that Silicon Valley companies somehow engage in key escrow for the NSA or that there is a legal requirement for them to do so. As I said before, if you claim otherwise, URL, please.
>NSA currently requires companies (like Microsoft, Apple) to provide encryption keys corresponding to devices
PS: ^^^ I'm still waiting for the link that backs up this claim too.
However, this is not to discount law in praxis, how CALEA is interpreted and enforced, the history of key escrow, current technology considerations, known and suspected escrow mechanisms, and pressures exerted by federal law enforcement (e.g. the removal of effective crypto from Skype when it captured its market), and how all of this hangs together.
My (reasonably educated and technically informed :p) suspicion is that for companies at a certain size, federal agents will come to your company and make demands for data, which you must comply with, and slowly, as you are compelled by law to give keys and data on a regular basis, it becomes the best thing for your business to install automatic escrow mechanisms.
It is my assertion that law enforcement interprets laws that read as "...unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication" as enough to force companies to create escrow mechanisms.
I would argue some of this story played out very publicly with Google. Another great example here would be the NSL of Lavabit - how they asked for far more than was legally obligated and the forcefulness and non-public nature of the demands made it impossible to put forward a reasonable defense.
To summarize, it is apparent to me that the difference in our perspectives is whether a specific law (another being proposed again now, as you point out) is required in the current climate of practice of law, along with the leverage and the compliance requirements that exist inside it, for key escrow to be 'required of companies'.
I come down on the side of 'no'. I believe they have what they need now to get escrow.
Maybe this Apple and Google thing will clarify it. But somehow I doubt it. Prediction: no explicit law on key escrow will be passed (it would be entirely too harmful for US exports) but it will continue to be practiced.
HP obtained a patented backdoor system in 2008 (filed mid 2000 and approved around the start of 2001).
Certicom (the same company DUAL_EC was filed under) has a new key escrow system patented.
Key escrow system filed in 2004 and published in 2011:
2008-2012 stateless key escrow patent:
"Automatic recovery of TPM keys" - Lenovo
Oops, here's a Microsoft "cloud storage" key escrow system from 2011-2012.
"Some of the files stored on the network server may be sensitive or confidential. The user may wish to restrict access to those files. The files may then be encrypted or otherwise protected with a password or other key. The user may not trust the network server to store the key, and may thus desire to retain sole possession of the key. Such users, however, often lose (or forget) their passwords or keys. Moreover, other third party users may legitimately require access to the stored, encrypted files."
"FIG. 3 illustrates a flowchart of an example method for providing third party data access to a user's encrypted data according to a predefined policy."
"In some cases, however, while the data storage system is not able to decrypt the user's data, it may be necessary for an outside entity (e.g. a governmental entity) to access the user's data."
"In cases where the encrypted data is a cryptographic key, that key may be stored as a plurality of shares. The shares are mathematical transformations of the user's private key, and each share is provided to one of the verified third parties. Each verified third party publishes his or her own public keys, and encrypts his or her share of the encrypted key using their published public key. The verified third party shares encrypted according to the third partys' public keys are then stored in the data storage system. Because the shares are encrypted according to the verified third parties' public/private key pair, the data storage system is prevented from accessing the encrypted shares, and is further prevented from accessing the user's data."
"In some cases, the user's data may comprise, at least in part, a cryptographic key. The user's data, including the key, may be stored in multiple different shares."
Encrypted data AND keys!
The patent examiner cited "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption" when doing his examination.
Some Raytheon for good measure. A bit older, but certainly Bush era.
Motorola . Certicom . Honeywell . Motorola . Deutsche Telekom Ag . IBM . Apple . Fujitsu . Red hat . F-Secure . Sony . Seagate . Dell . Sprint . Nokia . Gemalto . Intel . Samsung . Symantec . Sun Microsystems . Toshiba . Cinea . General Dynamics . Citicorp . Siemens . Ericsson . VMWare . Facebook . HP . Cisco . Liquid Machines . GIC . Microsoft . Novell .
And of course the US patent system has a classification for key escrow systems: 380/286.
 https://www.google.com/patents/US8195959 & https://www.google.com/patents/US7856664 & https://www.google.com/patents/US7873170
 https://www.google.com/patents/US6754349 & https://www.google.com/patents/US8055911 & https://www.google.com/patents/US7752318
 https://www.google.com/patents/US8144876 & https://www.google.com/patents/US8494169 & https://www.google.com/patents/US20070280483
 https://www.google.com/patents/US8315386 & https://www.google.com/patents/US20070172069 & https://www.google.com/patents/US7492895
 https://www.google.com/patents/US7050589 & https://www.google.com/patents/US7660423 & https://www.google.com/patents/US20100142713
There are circumstances where this is not being used to give access to law enforcement, or the patent would not make sense in that context.
This is a last defense argument. Certainly it is the case for some escrow systems, and (especially with the patentese) they are difficult to decipher.
But others are clear as day: "In order to receive the information, law enforcement may submit a request to each of the entities identifying the communication session and their basis for authorization."
Only some of the documents provided above have been read through by yours truly. They constitute only a minor fraction of patents by a minor fraction of companies in the US patent system.
An employee at a hosting company could do huge amounts of damage. Consider SSL certs can be issued just by checking email to prove "ownership". At some large ISPs/datacenters, it'd be "fairly easy" to intercept the confirmation email and get SSL issued in a company's name "legitimately" (that is, no bad effects to the CA and not traceable to the NSA).
Subverted employees are a huge threat and we should really consider that when looking at security in general.
- Kennedy was assassinated by CIA
- Aliens transferred technology to US government
- Former strongman of South Korea was assassinated by CIA
- List of other assassinations by CIA
- Iraq WMD was made up and knew about it but went ahead with war anyway.
(For a group that hates censorship as much as these "hackers" do, isn't it funny how they love a site that lets everybody censor each other by downvoting comments into invisibility? See? Help meeee I'm meltinggggg....)
When the crowd boos you off the stage before you're finished, that's not censorship, it's other people also asserting their rights to free speech. Perhaps you should reconsider what you're saying or find a new group of people to say it to.
Thanks for the unsolicited advice though!
The Cold War never ended. It was just extended from US vs the Soviet Union to US vs everybody else.
But what do you expect from a nation that is now de facto in a perpetual state of war with an amorphous, heterogeneous and strictly confidential blob of groups, nations and assorted individuals that includes its own citizens.