Showing posts with label nsa. Show all posts

26 July 2014

Will Monsanto Become The NSA Of Agriculture?

Monsanto is best-known for its controversial use of genetically-modified organisms, and less well-known for being involved in the story of the defoliant Agent Orange (the company's long and involved story is well told in the book and film "The World According to Monsanto", by Marie-Monique Robin.) Its shadow also looms large over the current TPP talks: the USTR's Chief Agricultural Negotiator is Islam A. Siddiqui, a former lobbyist for Monsanto. But it would seem that the company is starting to explore new fields, so to speak; as Salon reports in a fascinating and important post, Monsanto is going digital

On Techdirt.

NSA Spying Fallout Hits French Satellite Deal

Techdirt has already noted how the NSA's massive spying programs around the world are costing US companies money through lost business -- and are likely to cost them even more in the future. But it seems that the fallout is even wider, as this story from The Voice of Russia makes clear: 

On Techdirt.

Revelations About Massive UK Police Corruption Shows Why We Cannot -- And Must Not -- Trust The Spies

As Mike reported recently, the NSA has presented no credible evidence that its bulk metadata collection is stopping terrorist attacks, or keeping people safe. Instead, the argument in support of the secret activities of the NSA and its friends abroad has become essentially: "Trust us, we really have your best interests at heart." But that raises the question: Can we really do that? New revelations from The Independent newspaper about massive and thorough-going corruption of the UK police and judiciary a decade ago show that we can't: 

On Techdirt.

Could 'Tailored Access Operations' Be An Alternative To 'Collect It All'?

One of the most contentious aspects of the NSA's surveillance is the central belief by General Alexander and presumably many others at the agency that it must "collect it all" in order to protect the public. To stand a chance of overturning that policy, those against this dragnet approach need to come up with a realistic alternative. An interesting article by Matt Blaze in the Guardian offers a suggestion in this regard that takes as its starting point the recent leaks in Der Spiegel about the extensive spying capabilities of the NSA's Tailored Access Operations (TAO). As Blaze points out: 

On Techdirt.

Huawei's Global Head Of Cyber Security Wants The Government 'To Have As Much Data As Possible'

In Der Spiegel's recent revelations about the far-reaching nature of the NSA's spykit, it mentions several US companies, Samsung from South Korea, and one from China -- Huawei. Like the others, Huawei denied any knowledge of the modifications to its products that Der Spiegel claims are used by the NSA to break into systems. This isn't the first time that the finger has been pointed at Huawei. Some years back, Huawei was accused of facilitating spying for the Chinese government, but after an 18-month investigation, no evidence was found of this. That fact allowed John Suffolk, Global Head of Cyber Security for Huawei and the former UK Government CIO, to enjoy the irony of Snowden's leaks about backdoors in US products

On Techdirt.

Wireless Mesh Networks, The NSA, And Re-building The Internet

One of the bitter lessons we learned from Snowden's leaks is that the Internet has been compromised by the NSA (with some help from GCHQ) at just about every level, from our personal software and hardware, through ISPs to major online services. That has prompted some in the Internet engineering community to begin thinking about how to put back as much of the lost security as possible. But even if that's feasible, it's clearly going to take many years to make major changes to something as big and complex as the Net. 

On Techdirt.

25 July 2014

AllSeen's Internet of Things: All-Seeing Too?

A year ago, I wrote a piece about cloud computing's dark secret: that using it in Europe was probably equivalent to making all your files readily available to the US government. And that was before the Snowden revelations confirmed that this was no mere theoretical possibility. I'm not claiming any amazing prescience here: I certainly had no idea of the scale of what was going on, as I've explained in a series of posts on the NSA spying programme. But I can claim a deep and abiding unease about cloud computing, which is why I never jumped on that particular bandwagon, and have written relatively little about it on this blog. 

On Open Enterprise blog.

Why Mozilla Was Right: GCHQ & NSA Track Cookies

During 2013, I've written a few articles about Mozilla's attempt to give users greater control over the cookies placed on their systems, and how the European arm of the Interactive Advertising Bureau (IAB) tried to paint this as Mozilla "undermining the openness", or "hijacking" the Internet because it dared to stand up for us in this way. That makes this latest revelation from the Snowden treasure-trove of documents, published in the Washington Post, rather important:

On Open Enterprise blog. 

Legal Challenges To Spying Mount In UK

It's taken a while for Europeans to recover from the discovery that they are being spied upon by the NSA (with some help from its friends at GCHQ and elsewhere) pretty much everywhere online and all the time, but finally the legal fightback is beginning to gather pace, at least in the UK. Things got moving in October, with a case filed at the European Court of Human Rights

On Techdirt.

24 July 2014

Companies Developing Crowd Analysis Programs To Detect 'Abnormalities' In Behavior And Match Faces Against Giant Databases

One of the reasons that the total surveillance programs of the NSA and GCHQ are possible is that computers continue to become more powerful and cheaper, allowing ever-more complex analyses to be conducted, including those that were simply not feasible before. Here's another example of the kind of large-scale monitoring that is now possible, as reported by Nikkei Asian Review: 

On Techdirt.

Australia Spied On Japanese Companies To Help Its Industries Negotiate Trade Deals

As more information comes to light about the global snooping being conducted by the NSA and GCHQ, it is becoming clearer that much of it had little to do with combating terrorism, as a recent EFF article makes plain. But most damaging to the idea that massive surveillance was justified, because it was to protect people from extreme threats, is the revelation that commercial espionage was also being conducted. So far, the chief example of that is in Brazil, but The Sydney Morning Herald (SMH) now has information about large-scale industrial spying on Japanese companies carried out by Australian secret services: 

On Techdirt.

Is There Any Alternative To The NSA's 'Take It All' Approach?

At the moment, the only half-way serious attempt at justifying the NSA's "take it all" approach to surveillance is to claim that there is no alternative if we want intelligence agencies to spot and stop extreme threats like terrorism

On Techdirt.

Resisting Surveillance on an Unprecedented Scale III

(The previous two parts of this essay appeared earlier.)

Or maybe not. There is a rough consensus among cryptography experts that the theoretical underpinnings of encryption - the mathematical foundations - remain untouched. The problem lies in the implementation and the environment in which encryption is used. Edward Snowden probably knows better than most what the true situation is, and here's how he put it:

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

That's a hugely important clue as to what we need to do. It tells us that there is nothing wrong with crypto as such, just the corrupted implementations of otherwise strong encryption techniques. That is confirmed by recent leaks of information that show computer software companies complicit in weakening the supposedly safe products they sell - truly a betrayal of the trust placed in them by their customers.

The good news is that we have an alternative. For the last few decades, free software/open source has been building a software ecosystem that is outside the control of the traditional computer industry. That makes it much harder for the NSA to subvert, since the code is developed openly, which allows anyone to inspect it and look for backdoors - secret ways to spy on and control the software.

That's not to say free software is completely immune to security issues. Many open source products come from companies, and it's possible that some of them may have been pressured to weaken aspects of their work. Free software applications might also be subverted as they are converted from the source code, which can be inspected for backdoors, to the binaries - the versions that actually run on a computer - which can't be inspected in the same way, and which will only match the source if the build itself is verifiable. There is also potential for online holdings of open source programs to be broken into and tampered with in subtle ways.

Despite those problems, open source is still the best hope we have when it comes to using strong encryption. But in the wake of Snowden's revelations, the free software community needs to take additional precautions so as to minimise the risk that code is still vulnerable to attacks and subversion by spy agencies.
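The gap between inspectable source and uninspectable binaries that the two paragraphs above describe is exactly what reproducible builds are meant to close: if packaging is a pure function of the source, anyone can rebuild and compare hashes, and a binary that does not match is either a tampered build or a tampered download. The following is an added example written for this page, not code from the essay or from any project it mentions; the file names, contents and "build" steps are constructed stand-ins for a real project's packaging, and the archive is a zip rather than a compiled executable so it runs anywhere with the Python standard library.

```python
import hashlib
import hmac
import io
import os
import time
import zipfile

# Constructed sample "source tree" (hypothetical file names and contents).
SOURCE_FILES = {
    "app/crypto.py": b"def seal(msg, key):\n    return msg\n",
    "app/__init__.py": b"",
    "README": b"demo package\n",
}


def build_naive(files):
    """Package files the way many ad-hoc build scripts do: dictionary order,
    wall-clock timestamps on every entry and a per-build identifier baked
    into the archive. Two builds of identical source therefore never hash
    the same, so nobody can tell a legitimate rebuild from a tampered one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)  # stamped with time.localtime() by zipfile
        # Nondeterministic build id: random nonce plus nanosecond clock.
        zf.comment = f"build-id {os.urandom(8).hex()} {time.time_ns()}".encode()
    return buf.getvalue()


def build_reproducible(files):
    """Same inputs, with every source of nondeterminism pinned: entries
    sorted by path, a fixed timestamp, fixed permission bits, no compressor
    variance (stored, not deflated) and no build id. The output depends only
    on the source, so an independent party can rebuild it byte for byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for path in sorted(files):
            info = zipfile.ZipInfo(path, date_time=(1980, 1, 1, 0, 0, 0))
            info.external_attr = 0o644 << 16  # fixed unix mode, not the builder's umask
            info.compress_type = zipfile.ZIP_STORED
            zf.writestr(info, files[path])
    return buf.getvalue()


def digest(blob):
    """SHA-256 of an artifact, hex-encoded, as a project would publish it."""
    return hashlib.sha256(blob).hexdigest()


def verify_rebuild(published_digest, files):
    """Independent verifier: rebuild from the source you audited and compare
    against the digest the project published. True only on an exact match.
    The published digest must come over a channel the attacker does not
    control (a signed tag, a key obtained out of band); a checksum file on
    the same compromised mirror proves nothing."""
    return hmac.compare_digest(digest(build_reproducible(files)), published_digest)


if __name__ == "__main__":
    official = digest(build_reproducible(SOURCE_FILES))
    print("naive builds agree:       ", build_naive(SOURCE_FILES) == build_naive(SOURCE_FILES))
    print("reproducible builds agree:", verify_rebuild(official, SOURCE_FILES))
    backdoored = dict(SOURCE_FILES)
    backdoored["app/crypto.py"] = b"def seal(msg, key):\n    return msg  # leak key\n"
    print("tampered source verifies: ", verify_rebuild(official, backdoored))
```

The naive builder fails verification even when nobody has touched the source, which is why unreproducible binaries cannot be audited at all: every mismatch is explained away as "just the timestamp". The reproducible builder makes a mismatch meaningful, but only the comparison step plus an out-of-band trusted digest turns that into a check; a single party rebuilding on its own machine still has to trust that machine's toolchain.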

Beyond such measures, the open source world should also start thinking about writing a new generation of applications with strong crypto built in. These already exist, but are often hard to use. More needs to be done to make them appropriate for general users: the latter may not care much about the possibility that the NSA or GCHQ is monitoring everything they do online, but if they are offered great tools that make it easy to resist such efforts, more people may adopt them, just as millions have switched to the Firefox browser - not because it supports open standards, but because it is better.

Although the scale of the spying revealed by Snowden's leaks is staggering, and the leaks about the thoroughgoing and intentional destruction of the Internet's entire trust and security systems are shocking, there is no reason for despair. Even in the face of widespread public ignorance and indifference to the threat such total surveillance represents to democracy, as far as we know we can still use strong encryption implemented in open source software to protect our privacy.

Indeed, this may be an opportunity for open source to be embraced by a wider public, since we now know definitively that commercial software cannot be trusted, and is effectively spyware that you have to pay for. And just as Moore's Law allows the NSA and GCHQ to pull in and analyse ever-more of our data, so free software, too, can benefit.

For as Moore's Law continues to drive down the prices of personal computing devices - whether PCs, smartphones or tablets - so more people in developing countries around the world are able to acquire them. Many will adopt free software, since Western software companies often price their products at unreasonably-high levels compared to local disposable income. As open source is used more widely, so the number of people keen and able to contribute to such projects will grow, the software will improve, and more people will use it. In other words, there is a virtuous circle that produces its own kind of scaling that will help to counteract the more malign kind that underlies the ever-expanding surveillance activities of the NSA and GCHQ. As well as tools of repression, computers can also be tools of resistance when powered by free software, which is called that for a reason.

Resisting Surveillance on an Unprecedented Scale II

(The first part of this three-part essay appeared yesterday.)

The gradual but relentless shift from piecemeal, small-scale analogue eavesdropping to constant and total surveillance may also help to explain the public's relative equanimity in the face of these revelations. Once we get beyond the facile idea that if you have nothing to hide, you have nothing to fear - everybody has something to hide, even if it is only the private moments in their lives - there is another common explanation that people offer as to why they are not particularly worried about the activities of the NSA and GCHQ. This is that "nobody would be interested" in what they are up to, and so they are confident that they have not been harmed by the storage and analysis of their Internet data.

This is based on a fundamentally analogue view of what is going on. These people are surely right that no spy is sitting at a keyboard reading their emails or Facebook posts. That's clearly not possible, even if the will were there. But it's not necessary, since the data can be "read" by tireless programs that extract key information at an accelerating pace and diminishing cost thanks to Moore's Law.

People are untroubled by this because most of them can't imagine what today's top computers can do with their data, and think again in analogue terms - the spy sifting slowly through so much information as to be swamped. And that's quite understandable, since even computer experts struggle to keep up with the pace of development, and to appreciate the ramifications.

A post on the Google Search blog from last year may help to provide some sense of just how powerful today's systems are:

When you enter a single query in the Google search box, or just speak it to your phone, you set in motion as much computing as it took to send Neil Armstrong and eleven other astronauts to the moon. Not just the actual flights, but all the computing done throughout the planning and execution of the 11-year, 17 mission Apollo program. That’s how much computing has advanced.

Now add in the fact that three billion Google queries are entered each day, and that the NSA's computing capability is probably vastly greater than Google's, and you have some idea of the raw power available for the analysis of the "trivial" data gathered about all of us, and how that might lead to very non-trivial knowledge about our most intimate lives.

In terms of how much information can be held, a former NSA technical director, William Binney, estimates that one NSA data centre currently being built in Utah will be able to handle and process five zettabytes of data - that's five million million gigabytes. If you were to print out that information as paper documents, and store them in traditional filing cabinets, it would require around 42 million million cabinets occupying 17 million square kilometres of floor space.

Neither computing power nor the vast holdings of personal data on their own are a direct threat to our privacy and freedom. But putting them together means that the NSA can not only find anything in those 42 million million virtual cabinets more or less instantly, but that it can cross-reference any word on any piece of paper in any cabinet - something that can't even be contemplated as an option for human operators, let alone attempted.

It is this unprecedented ability to consolidate all the data about us, along with the data of our family, friends and acquaintances, and their family, friends and acquaintances (and sometimes even the acquaintances of our acquaintances' acquaintances) that creates the depth of knowledge the NSA has at its disposal whenever it wants it. And while it is unlikely to call up that knowledge for most of us, it only takes a tiny anomalous event somewhere deep in the chain of acquaintance for a suspicion to propagate back through the links to taint all our innocent records, and to cause them to be added to the huge pile of data that will be cross-referenced and sifted and analysed in the search for significant patterns so deep that we are unlikely to be aware of them.

Given this understandable, if regrettable, incomprehension on the part of the public about the extraordinary power at the disposal of the NSA, and what it might be able to extract as a result, the key question then becomes: what can we do to bolster our privacy? Until a few weeks ago, most people working in this field would have said "encrypt everything". But the recent revelations that the NSA and GCHQ have succeeded in subverting just about every encryption system that is widely used online seem to destroy even that last hope.

(In tomorrow's instalment: the way forward.)

Resisting Surveillance on an Unprecedented Scale I

Netzpolitik.org is the leading site covering digital rights in German. It played a key role in helping to stop ACTA last year, and recently has been much occupied with the revelations about NSA spying, and its implications. As part of that, it has put together a book/ebook (in German) as a first attempt to explore the post-Snowden world we now inhabit. I've contributed a new essay, entitled "Resisting Surveillance on an Unprecedented Scale", which is my own attempt to sum up what happened, and to look forward to what our response should be. I'll be publishing it here, split up into three parts, over the next few days.


Despite being a journalist who has been writing about the Internet for 20 years, and a Briton who has lived under the unblinking eye of millions of CCTV cameras for nearly as long, I am nonetheless surprised by the revelations of Edward Snowden. I have always had a pretty cynical view of governments and their instruments of power such as the police and secret services; I have always tried to assume the worst when it comes to surveillance and the assaults on my privacy. But I never guessed that the US and UK governments, aided and abetted to varying degrees by other countries, could be conducting what amounts to total, global surveillance of the kind revealed by Snowden's leaked documents.

I don't think I'm alone in this. Even though some people are now claiming this level of surveillance was "obvious", and "well-known" within the industry, that's not my impression. Judging by the similarly shocked and outraged comments from many defenders of civil liberties and computer experts, particularly in the field of security, they, like me, never imagined that things were quite this bad. That raises an obvious question: how did it happen?

Related to that outrage in circles that concern themselves with these issues is something else that needs explaining: the widespread lack of outrage among ordinary citizens. To be sure, some countries are better than others in understanding the implications of what has been revealed to us by Snowden (and some are worse - the UK in particular). But given the magnitude and thoroughgoing nature of the spying that is being conducted on our online activities, the response around the world has been curiously muted. We need to understand why, otherwise the task of rolling back at least some of the excesses will be rendered even more difficult.

The final question that urgently requires thought is what can, in fact, be done? Since the level of public concern is relatively low, even in those countries that are traditionally sensitive about privacy issues - Germany, for example - what are the alternatives to stricter government controls, which seem unlikely to be forthcoming?

Although there was a Utopian naivety in the mid-1990s about what the Internet might bring about, it has been clear for a while that the Internet has its dark side, and could be used to make people less, not more, free. This has prompted work to move from a completely open network, with information sent unencrypted, to one where Web connections using the HTTPS technology shield private information from prying eyes. It's remarkable that it has only been in recent years that the pressure to move to HTTPS by default has grown strong.

That's perhaps a hint of how the current situation of total surveillance has arisen. Although many people knew that unencrypted data could be intercepted, there was a general feeling that it wouldn't be possible to find the interesting streams amongst the huge and growing volume flooding every second of the day through the series of digital tubes that make up the Internet.

But that overlooked one crucial factor: Moore's Law, and its equivalents for storage and connectivity. Crudely stated, this asserts that the cost of a given computational capability halves every 18 months or so. Put another way, for a given expenditure, the available computing power doubles every year and a half. And it's important to remember that this is geometric growth: ten years is roughly 6.7 doublings, so over that period Moore's Law predicts computing power for a given cost increases by a factor of around 100 (2^(10/1.5)), not by some modest multiple.

Now add in the fact that the secret services are one of the least constrained when it comes to spending money on the latest and fastest equipment, since the argument can always be made that the extra power will be vitally important in getting information that could save lives and so on. One of the first and most extraordinary revelations conveyed from Snowden by the Guardian gave an insight into how that extra and constantly increasing computing power is being applied, in what was called the Tempora programme:

By the summer of 2011, GCHQ had probes attached to more than 200 internet links, each carrying data at 10 gigabits a second. "This is a massive amount of data!" as one internal slideshow put it. That summer, it brought NSA analysts into the Bude trials. In the autumn of 2011, it launched Tempora as a mainstream programme, shared with the Americans.

The intercept probes on the transatlantic cables gave GCHQ access to its special source exploitation. Tempora allowed the agency to set up internet buffers so it could not simply watch the data live but also store it - for three days in the case of content and 30 days for metadata.

As that indicates, two years ago the UK's GCHQ was pulling in data at a rate of at least 2 terabits a second (more than 200 links at 10 gigabits each): by now it is certain to be far higher than that. Thanks to massive storage capabilities, GCHQ could hold the complete Internet flow for three days, and its metadata for 30 days.

There is one very simple reason why GCHQ is doing this: because at some point it realised it could, not just practically, because of Moore's Law, but also legally. The UK legislation that governs this activity - the Regulation of Investigatory Powers Act (RIPA) - was passed in 2000, and drawn up based on the experience of the late 1990s. It was meant to regulate one-off interception of individuals, and most of it is about carrying out surveillance of telephones and the postal system. In other words, it was designed for an analogue world. The scale of the digital surveillance now taking place is so far beyond what was possible ten years ago that RIPA's framing of the law - never mind its powers - is obsolete, and GCHQ is essentially able to operate without either legal or technical constraints.

(In tomorrow's instalment: why isn't the public up in arms over this?)

Bruce Schneier On The Feudal Internet And How To Fight It

There aren't many upsides to Snowden's revelations that NSA is essentially spying on the entire Internet, all the time, but if one good thing has already come out of that sorry state of affairs it's the emergence of security expert Bruce Schneier as a mainstream commentator on the digital world. That's largely because his core expertise has been shoved into the very center of our concerns, making his thoughts on what's going on particularly valuable.

On Techdirt.

EU Data Protection Proposal Gets Stronger, But With Big Loopholes

One of the most important pieces of legislation wending its way through the European Parliament concerns data protection. Because of its potential impact on major US companies like Google and Facebook, this has become one of the most fought-over proposals in the history of the EU, with lobbyists apparently writing large chunks of suggested amendments more favorable to online services. And all of that was before Snowden's revelations about NSA spying in the EU made data protection an even more politically-sensitive area. 

On Techdirt.

24 November 2013

Key Internet Institutions Ditch US Leadership; Brazil To Host Global Summit To Draw Up New Governance Model

Here's a hugely important story that brings together three major threads. First, the continuing wrangling over the form that Internet governance should take. Second, the fact that NSA's massive surveillance operations around the world have included economic espionage. And third, Brazil's increasingly angry reaction to that spying. As a post from the Internet Governance Project explains

On Techdirt.

Europe's Largest Internet Exchange Decides To Open US Office, Risks Making Itself Subject To NSA Demands

The Internet may be a series of tubes, but those tubes have to be joined together. That takes place at Internet exchanges (IXs), where different ISPs can pass on and receive data. One of the largest and most important such IXs is AMS-IX, which is based in the capital of the Netherlands, Amsterdam. Techdirt reader Dirk Poot points out that AMS-IX has just made the following move

On Techdirt.

23 November 2013

Brazilian President Blasts NSA Spying In Front Of World Leaders -- Including Obama -- At UN

It was expected that the Brazilian President, Dilma Rousseff, would raise the issue of NSA spying when she addressed the opening session of the UN General Assembly in New York this week. But few would have predicted that her speech would be quite so excoriating (pdf), especially since it was given in the presence of President Obama, who spoke immediately after her. 

On Techdirt.