Crypto Wars: The Tech World vs. the NSA

Six years ago, something interesting took place at Microsoft’s Windows annual Crypto conference in Santa Barbara. In the course of the presentations, two members of the company’s security group (Dan Shumow and Niels Ferguson) gave a talk that dealt with internet security and the possibility that major systems could be hacked.

They called their presentation “On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng”. That’s a name few people outside of the techy community would recognize, as it refers to a pseudorandom number generating program that is used extensively in cryptography. And though the presentation was only nine slides and a few minutes long, they managed to capture the attention of the crowd with some rather stark observations.

Basically, they laid out a case showing that the new encryption standard, given a stamp of approval by the U.S. government, possessed a glaring weakness that made one of the program’s algorithms susceptible to cracking. But the weakness they described wasn’t just an average vulnerability, it had the kind of properties one would want if one were intentionally inserting a backdoor to make the algorithm susceptible to cracking by design.

At the time, no one thought much of it. But today, that’s all changed, thanks to Edward Snowden. Apparently, cryptographers and journalists are seeing a connection between the talk given by Shumow and Ferguson and the classified NSA documents Snowden leaked. Some of that information apparently confirms that the weakness in the Dual_EC_DRBG algorithm might indeed be a backdoor.

Earlier this month, an article appeared in the New York Times that implied that the backdoor was intentionally put there by the NSA as part of a $250-million, decade-long covert operation by the agency to weaken and undermine the integrity of a number of encryption systems used by millions of people around the world.

Naturally, these allegations have not only stoked the fires over the NSA’s long history of spying on databases, both domestic and foreign, they have also raised questions over the integrity of the rather byzantine process that produces security standards in the first place. The National Institute of Standards and Technology (NIST) approved Dual_EC_DRBG and the standard, and is now facing criticism alongside the NSA.

And while NIST has since been forced to re-open the program to examination and public discussion, security and crypto firms around the world are scrambling to unravel just how deeply the suspect algorithm infiltrated their code, if at all. Some even went so far as to publicly denounce it, such as corporate giant RSA Security.

But of course, a number of crypto experts have noted that the Times hasn’t released the memos that purport to prove the existence of a backdoor. What’s more, the paper’s direct quotes from the classified documents don’t mention a backdoor or efforts by the NSA to weaken it or the standard, only the efforts of the agency to push the standard through NIST’s committees for approval.

One such person is Jon Callas, the CTO of Silent Circle – a company that offers encrypted phone communication. Having attended the Crypto conference in 2007 and heard the presentation by Shumow, he believes that the real problem may lie in the fact that the algorithm was poorly made:

If [the NSA] spent $250 million weakening the standard and this is the best that they could do, then we have nothing to fear from them. Because this was really ham-fisted. When you put on your conspiratorial hat about what the NSA would be doing, you would expect something more devious, Machiavellian … and this thing is just laughably bad. This is Boris and Natasha sort of stuff.

Sources at Microsoft agree. In addition to the presenters – who never mentioned the NSA in their presentation and went out of their way to avoid accusing NIST of any wrongdoing – a manager who spoke with WIRED on condition of anonymity believes the reporters at the Times saw the classified documents dealing with the program, read about the 2007 talk, and assumed there was a connection.

But Paul Kocher, president and chief scientist of Cryptography Research, says that regardless of the lack of evidence in the Times story, he discounts the “bad cryptography” explanation for the weakness, in favor of the backdoor one:

Bad cryptography happens through laziness and ignorance. But in this case, a great deal of effort went into creating this and choosing a structure that happens to be amenable to attack.

Personally, I find it interesting that the NSA would be so committed to making sure a program passed inspection. Especially one that had a fatal flaw that, when exploited properly, could be used to give someone who knew about it access to encrypted information. But of course, it’s not like the NSA has been known to invade people’s privacy, right? RIGHT?

Clearly, all there is at this point is speculation. One thing is certain though. In the coming weeks and months, the NSA is going to be the recipient of even more flak over its monitoring and cryptographic activities. Whether this effects any change in policy remains to be seen, but I doubt anyone will be holding their breaths.

Sources: wired.com, nytimes.com

Cyberwars: U.S. Lawmakers Credit NSA for Uncovering Al-Qaeda Threat

In a statement made this past Sunday, the US State Department indicated that it will be extending its embassy and consulate closures until the end of the week. Offices were reopened in Iraq, Afghanistan and Algeria just yesterday, but another 19 will remain closed until Aug. 10 – including locations in Egypt, Yemen, Libya, Saudi Arabia and Kuwait.

These closures were made in response to an unspecified Al-Qaeda threat that indicated that an attack might be coming sometime in August, particularly in the Middle East and North Africa. According to the State Department, the decision to keep the embassies and consulates closed was “not an indication of a new threat,” but simply out of concern for the lives and safety of staff.

And according to another State Department source, the credit for uncovering this supposed threat goes to the NSA and the PRISM program – i.e. the extensive new data mining operation that has garnered a great deal of controversy of late. Specifically, it was the agency’s ability to monitor communications on cellphones and emails that is credited with making the difference.

Senator Saxby Chambliss, the top Republican on the Senate Intelligence Committee, claimed in an interview that “There is an awful lot of chatter out there”. This “chatter” apparently took the form of communications among terrorism suspects about the planning of a possible attack, which he claimed was “very reminiscent of what we saw pre-9/11.”

No indication was given as to the nature of the threat or whether or not an actual attack might take place. But Chambliss was very quick to draw the connection between the NSA’s ability to gather information and the warnings his department received.

[Those programs] allow us to have the ability to gather this chatter. If we did not have these programs then we simply wouldn’t be able to listen in on the bad guys. This is the most serious threat that I’ve seen in the last several years.

This information-gathering program was one of many aspects of the NSA’s broad surveillance identified by former spy agency contractor Edward Snowden in his testimony to major media outlets. So it comes as no surprise that the State Department would be coming to its defense at a time like this.

And Chambliss and the State Department are hardly the only ones singing the NSA’s praises right now. This past Sunday, several prominent Republicans and Democrats expressed their support for the NSA surveillance program. One such individual was Dutch Ruppersberger, the senior Democrat on the House Intelligence Committee, who told ABC’s This Week:

The good news is that we picked up intelligence. And that’s what we do. That’s what NSA does. We’ve received information that high-level people from al Qaeda in the Arabian Peninsula are talking about a major attack.

U.S. Representative Adam Schiff, another Democrat on the House Intelligence Committee, characterized the security threat as being based on specific intelligence rather than generalized anti-U.S. threats. While on CNN’s State of the Union program, he said:

This is not the usual type of chatter. It had to be corroborated or come from very reliable sources to take this kind of action.

Naturally, there are those critics who would claim that the unspecified nature of the threat and the lack of oversight where PRISM is involved means that there is no way to tell if the “chatter” story is in fact real. Citing such examples as the “Orange Alert” controversy of 2004 – when Homeland Security Secretary Tom Ridge was pressured to raise the alert status leading up to the election – such critics would remind people that the US government has a history of issuing alerts based on factors other than hard data.

At the same time, it is important to note that the threat information also came ahead of the Eid celebration at the end of the Muslim holy month of Ramadan, which will be occurring later this week and just over a month before the anniversary of Al-Qaeda’s Sept. 11, 2001, attacks on a US ambassador and the American Embassy in Benghazi, Libya. In this sense, the alert may have been motivated by legitimate concern, even if hard data was lacking.

And the US is hardly the only nation responding to the warning seriously. The threat also has prompted some European countries to close their embassies in Yemen, where one of the most dangerous al-Qaeda affiliates is based. Interpol, the France-based international police agency, also issued a global security alert advising member states to increase vigilance against attacks after a series of prison breaks in Iraq, Libya and Pakistan.

The advisory prompted Canada’s Foreign Affairs Department to release its own warning this past Saturday for travelers and diplomats in the Middle East and North Africa region. In addition, the Canadian high commission office in Bangladesh was closed on Sunday, since Pakistan was one of several nations outside of the Middle East and North Africa to be named in the advisory.

A few things are certain at this point though: neither the threat of terrorism nor all that’s done in response to it are even close to being resolved. In addition, the controversy surrounding the response and whether or not it constitutes an overreaction or a calculated curtailment of people’s civil rights and liberties, is not over either. Not by a long shot.

Sources: cbc.ca, (2), washingtonpost.com, theguardian.com

 

The NSA’s New Super Computer Facilities

The extent and depth of the NSA’s snooping has been the subject of much scrutiny and controversy of late. And it seems that the more we come to learn about the issue, the worse it gets. In addition to the extensive access the NSA seems to have to our personal data, there’s also the staggering amount of power that is being concentrated in so few hands, coupled with a serious lack of oversight. Worse yet, it appears the NSA is showing no signs of slowing down.

Just two months ago, the Army Corps of Engineers began breaking ground on a new supercomputing facility in Fort Meade, Maryland – the center of the NSA’s cyber operations. Known as the High Performance Computing Center-2, this $860 million data center will span more than 600,000 square feet of space, including 70,000 square feet of technical space. The center is expected to be completed in 2016.

But worse yet is the fact that this is not the only center being built, nor is it even the largest. In addition to the Fort Meade facility, the NSA is also building a massive data center in Utah, a project that will feature up to 1 million square feet of facilities and cost a hefty $1.5 billion. The computers alone will take over 100,000 square feet and the facility will require its own electrical substation to power all the air conditioning required.

In truth, the Fort Meade location is only necessary because of the planned facility being built in Utah. Once it is up and running, the NSA will need a separate location where analysts can look over the growing amounts of processed information and material, and in turn make reports and provide recommendations for policy-makers.

Of course, the purpose of these facilities goes beyond the mere analysis and storage of information. In addition, the Utah Data Center will also employ new code-breaking capabilities. Given the extent to which modern, high-value information is encrypted – everything from commerce to diplomacy to personal information – the center will be employing the latest code-cracking tools developed by the NSA.

Naturally, the NSA’s tightly-controlled PR department has stated that the purpose of these centers is to protect national security networks and provide U.S. authorities with intelligence and warnings about cyber threats, as part of the Comprehensive National Cybersecurity Initiative (CNCI). However, this has done little to allay fears, and seems like the same song being played on repeat.

As always, the NSA’s stated objectives do not address the growing awareness that the NSA has conducted and continues to conduct cyber attacks in foreign countries. As Snowden’s testimony and recent revelations about the US super-secret Cyber Command revealed, American agencies have been conducting far more than just defensive operations in recent years.

All of these efforts began in earnest during the 1990s and expanded greatly after September 11th, 2001. Much of this has had to do with the staggering increase in the amount of data being transmitted and shared on a daily basis, and not just the issue of terrorism. But what is disturbing is the near-total removal of oversight that began after 9/11 and has continued unabated ever since.

Despite promises that the era of warrantless surveillance was at an end, all attempts to resolve the issue have become marred by what is meant by “electronic surveillance”. In the meantime, the NSA continues to enjoy some rather broad freedoms to monitor and process the information we transmit. And as those abilities continue to grow, we can only hold our breaths and pray they mean it when they say “innocent people need not be worried”.

Sources: policymic.com, datacenterknowledge.com, seattleweekly.com, wired.com

Cyberwars: Snowden Reveals NSA’s Been Hacking China

Edward Snowden, the man who blew the whistle on the NSA and its domestic surveillance program – aka. PRISM – has reemerged to reveal some additional secrets. It seems that in addition to spying on their own citizens, the NSA has been using its resources to spy on tens of thousands of operations around the world. Not surprising, but what Snowden revealed showed that when it comes to nations like China, surveillance was just the tip of the iceberg.

Snowden, who has been hiding in Hong Kong since May 20th, revealed in an interview on Thursday with the South China Morning Post that the NSA has been hacking computers in Hong Kong and mainland China since 2009. Among the targets in Hong Kong were the Chinese University of Hong Kong, public officials, businesses and even students in the city.

All told, Snowden estimated that there are more than 61,000 NSA hacking operations globally, with at least hundreds of targets in Hong Kong and on the mainland. The tactics, he claimed, involve selecting large targets and infiltrating in many places at once:

We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one.

Snowden also explained his motivation for blowing the whistle on the NSA’s foreign operations. It seems that in light of recent tensions between the US and China, which have been characterized by ongoing accusations and recrimination, he felt the need to tell the truth behind the lies. As he told the SCMP, his motivation was based on:

the hypocrisy of the U.S. government when it claims that it does not target civilian infrastructure, unlike its adversaries….Not only does it do so, but it is so afraid of this being known that it is willing to use any means, such as diplomatic intimidation, to prevent this information from becoming public.

Though Snowden also discussed possible plans to seek asylum in Iceland or elsewhere during an interview last week, he told the SCMP that he’s staying put in Hong Kong for now. He emphasized that his stay in China was not an attempt to avoid justice, but to reveal criminal behavior. He also expressed admiration for countries that have offered asylum (such as Russia), claiming that he was “glad there are governments that refuse to be intimidated by great power.”

The Guardian newspaper, which has published information from documents leaked by Snowden, has said that it has more than a thousand other documents that Snowden managed to smuggle out or download from the NSA using a series of laptops and a thumb drive. These documents are to be disclosed in the coming weeks, according to the paper, so more revelations are expected to come.

Though there are those who question his motivations and methods, no one can deny that thanks to Snowden, some very questionable behavior has been revealed that involved people at the top echelons of government. One can’t help but be reminded of Richard Clarke, former head of the NSA, who came forward in 2004 to testify before the 9/11 Commission and reveal the extent to which the Bush Administration failed to prevent the largest terrorist attack in history, or how it sought to pin that attack on the Iraqi government.

And for those who have lived long enough to remember, these events also call to mind the Pentagon Papers of 1969. In this case, it was another whistle blower named Daniel Ellsberg who, through the publication of hundreds of government documents, revealed that the US government had been lying about the Vietnam war, the number of casualties, and the likelihood of its success. And let’s not forget former FBI Ass. Dir. Mark Felt – aka. “Deep Throat” – the man who blew the whistle on the Nixon Administration.

In the end, whistle blowers have a long history of ending wars, exposing corruption, and forcing administrations to take responsibility for their secret, unlawful policies. Naturally, there are those who are critical of men such as Felt, Clarke, and Ellsberg, both then and now, but they have never been able to refute the fact that the men acted out of conscience and achieved results. And while I’m sure that there will be fallout from Snowden’s actions, I too cannot dispute that what he did needed to be done.

As Edmund Burke famously said: “The only thing necessary for the triumph of evil is for good men to do nothing.”

Sources: wired.com, scmp.com

Cyberwars: Massive Government Surveillance Uncovered!

On Friday, Washington DC found itself embroiled in controversy as revelations were made about the extent to which US authorities have been spying on Americans in the last six years. This news came on the heels of the announcement that the federal government had been secretly cataloging all of Verizon’s phone records. No sooner had the dust settled on that revelation than it became known that the scope of the Obama administration’s surveillance programs was far greater than anyone had imagined.

According to updated information on the matter, it is now known that the National Security Agency (NSA) and the FBI have been tapping directly into the central servers of nine leading U.S. Internet companies, extracting everything from audio and video chats, photographs, e-mails, documents, and connection logs that would enable their analysts to track foreign targets.

This information was revealed thanks to a secret document that was leaked to the Washington Post, which shows for the first time that under the Obama administration, the communication records of millions of US citizens are being collected indiscriminately and in bulk – regardless of whether they are suspected of any wrongdoing. Equally distressing are the names being named: U.S. Service Providers such as Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.

The document further indicates that all of this has been taking place since 2007, when news disclosures, lawsuits and the Foreign Intelligence Surveillance Court forced then-president George W. Bush to look for new authority to justify his program of warrantless domestic surveillance. Its continuance and expansion under Obama has created a great deal of understandable intrigue, and not only because of promises made that “illegal wiretapping” would not take place under his watch.

The joint FBI-NSA program responsible for mining all the data is known as PRISM, and it may very well be the first of its kind. While the NSA and FBI have a long history of monitoring suspects via phone records and computer activity, and are both accustomed to corporate partnerships that help them divert data traffic or sidestep barriers, such a vast program has never before been possible. In the current information age, there is an immense wealth of information out there, and where better to access all of this than in Silicon Valley?

Not long after the news broke in Washington, London’s Guardian reported that GCHQ, Britain’s equivalent of the NSA, also has been secretly gathering intelligence from the same internet companies through an operation set up by the NSA. According to the same leaked information, PRISM appears to allow the GCHQ to circumvent the formal legal process required in Britain to seek personal material such as emails, photos and videos from an internet company based outside of the country.

But perhaps worst of all is the fact that this process is entirely above board, at least for the companies involved. Back in 2007, Congress passed the Protect America Act, and then in 2008 followed it up with the FISA Amendments Act, both of which immunized private companies that cooperated voluntarily with U.S. intelligence collection against prosecution. And late last year, when critics in Congress sought changes in the FISA Amendments Act, the only lawmakers who knew about PRISM were bound by oaths of office to hold their tongues.

As anticipated, a bi-partisan amalgam of Senators came out to defend the initial reports of phone record monitoring shortly after it was announced. In a rare display of solidarity that cut across party lines, Democrats and Republicans from both the Senate and House came forward to say that the program was justified, only spied on terrorists, and that law-abiding citizens need not worry.


Once again, the argument “if you’ve done nothing wrong, you’ve got nothing to fear” finds itself employed by people who do not want to voice criticisms about a government spying program. Echoes of the Bush administration and McCarthy era all over again. Needless to say, all of this has many people worried, not the least of which are people opposed to government intrusion and the protection of privacy for the past decade.

Ever since it became possible to “mine data” from numerous online digital sources, there has been fear that corporations or governments might try to ascertain the habits and comings and goings of regular people in order to effectively monitor them. For some time now, this sort of monitoring has been somewhat benign, in the form of anticipating their spending habits and using targeted advertising. But always, the fear that something more sinister and totalitarian might emerge.

And with the “War on Terror”, the Patriot Act, domestic warrantless wiretapping, the legitimization of torture, and a slew of other crimes the Bush administration was indicted in, people all over the world have become convinced that “Big Brother” government is just around the corner, if indeed it is not already here.

The fact that such processes have continued and even expanded under Obama, a man who originally pledged not to engage in such behavior, has made a bad situation worse. In many ways, it demonstrates that fears that he too would succumb to internal pressure were justified. Much as he was won over by the Pentagon and CIA to continue the war in Afghanistan and UAV programs, it seems that the constellation of FBI and NSA specialists advising him on domestic surveillance has managed to sway him here as well.

One can only hope that this revelation causes the federal government and the Obama administration to reconsider their stances. After all, these are the same people who were convinced to stand down on the use of UAVs in overseas operations and to take measures that would ensure transparency in the future. We can also hope that the NSA and FBI will be required once again to rely on the court system and demonstrate “just cause” before initiating any domestic surveillance in the future.

Otherwise, we might all need to consider getting our hands on some stealth wear and personal cameras, to shield ourselves and create an environment of “sousveillance” so we can spy on everything the government does. Might not hurt to start monitoring the comings and goings of every telecommunications and Silicon Valley CEO while we’re at it! For as the saying goes, “who watches the watchers?” I’ll give you a hint: we do!

Also, be sure to check out the gallery of artist Adam Harvey, the man who pioneered “stealth wear” as a protest against the use of drones and domestic surveillance. To learn more about sousveillance, the concept of a society monitored by common people, check out Steve Mann’s (inventor of the EyeTap) blog.

Sources: washingtonpost.com, guardian.co.uk, policymic.com, ahprojects.com, eyetap.blogspot.ca