Monthly Archives: September 2013

QOTD (NSA Fallout Edition)

Posted on September 8, 2013 by Michael Froomkin

Bruce Schneier, explaining to Financial Times why US tech companies will get hurt by news that NSA got some of them to put back doors into their products while others complied with the FISA court orders — even setting up automated systems transfer the data:

“How would it be if your doctor put rat poison in your medicine? Highly damaging,” said Bruce Schneier, a US computer security expert.

Might make you shop around a just a little bit. When the dust settles though, it’s not clear what other country’s tech providers will seem more trustworthy. China? Korea? UK? France? Unlikely all. Not Switzerland. Certainly not Russia. Who then? Can Iceland grow a big enough tech sector?

Posted in Cryptography | 8 Comments

Freedom in Action

Posted on September 7, 2013 by Michael Froomkin

Two reminders of what freedom in action looks like:

Posted in Civil Liberties, Law: Free Speech | Comments Off on Freedom in Action

NSA Responds to Petition to Conduct Rulemaking on Domestic Surveillance

Posted on September 6, 2013 by Michael Froomkin

Back in June I signed on to EPIC‘s request to the NSA (formally a ‘petition’ under 5 U.S.C. § 553(e)). Here is the text:

Dear General Alexander and Secretary Hagel:

The undersigned individuals and organizations, concerned about the rule of law and the protection of Constitutional freedoms, hereby petition the National Security Agency to conduct a public rulemaking on the agency’s monitoring and collection of communications traffic within the United States. 5 U.S.C. § 553(e).

We believe that the NSA’s collection of domestic communications contravenes the First and Fourth Amendments to the United States Constitution, and violates several federal privacy laws, including the Privacy Act of 1974, and the Foreign Intelligence Surveillance Act of 1978 as amended.

The NSA’s collection of solely domestic communications, which has been acknowledged by the President, the Director of National Intelligence, and the Chair and Ranking Member of the Senate Select Committee on Intelligence, also constitutes a legislative rule that “substantively affects the public to a degree sufficient to implicate the policy interests animating notice-and-comment rulemaking” under the Administrative Procedure Act. EPIC v. DHS, 653 F.3d 1, 6 (D.C. Cir. 2011). Accordingly, the NSA’s collection of domestic communications, absent the opportunity for public comment, is unlawful.

We hereby petition the National Security Agency, a component of the Department of Defense, for relief. We ask the NSA to immediately suspend collection of solely domestic communications pending the completion of a public rulemaking as required by law.

We intend to renew our request each week until we receive your response.

The NSA Responded. No prizes for guessing what they said:
Continue reading

Posted in Civil Liberties, Law: Administrative Law | Comments Off on NSA Responds to Petition to Conduct Rulemaking on Domestic Surveillance

Somewhere Tim May Is Laughing His A** Off

Posted on September 6, 2013 by Michael Froomkin

Dilbert today is rather timely.

(About Tim May.)

Posted in Civil Liberties, Cryptography | Comments Off on Somewhere Tim May Is Laughing His A** Off

Remember the _NSAKEY ?

Posted on September 6, 2013 by Michael Froomkin

In light of the revelations that the NSA has collaborated with — or if you prefer subverted — major technology manufacturers in order to get them to introduce NSA-friendly backdoors into their products, is it time to revisit the controversy over the _NSAKEY?

The _NSAKEY, you may recall, was a public key accidentally left in a Microsoft release of an update to Windows NT. It was discovered by 1999 by Andrew Fernandes. At the time Microsoft denied that the key had anything to do with the NSA, but was just a name they gave it as the product had to comply with export control law. And, at the time, the better view seemed to be that it was all just an accident of nomenclature, as there were much better ways to subvert the product.

Still, you gotta wonder.

Posted in Cryptography | Comments Off on Remember the _NSAKEY ?

Encryption: The Sky *IS* Falliing

Posted on September 5, 2013 by Michael Froomkin

The latest revelations about the NSA’s ability to undermine most encryption used online dwarf anything we have learned previously. What is worse, the NSA has worked to insert weaknesses into products — backdoors.

the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – “the use of ubiquitous encryption across the internet”.

Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.

It’s everything, everything that Cypherpunks ever muttered about over their beer.

This is the secret that likely explains why the Obama and Cameron administrations were willing to do almost anything to try to get Snowden, the reporters he leaked to, and the anyone who touched their data.

This is the nuclear winter of data security.

What do we do?

I used to say, we don’t really care if the NSA is reading our traffic, because if they are, the secret is so valuable they won’t waste it on anything but the most important national security matters. The Snowden revelations suggest that wasn’t completely right — there was some information sharing with civilian domestic law enforcement, although it was obfuscated in ways that undermined the constitutional guarantee of the right to confront witnesses against you. More importantly, the fact of the Snowden revelations mean that the cat is out of the bag, so the disincentive to use the information will be greatly reduced.

Bruce Schneier has given this some thought — he had an advance look at the documents — and he says that the IETF and other engineers need to re-engineer the internet to make it safer from surveillance. Meanwhile, there are things we can do individually.

For now, however, it is not hyperbole to say, as Schneier does, that “[b]y subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract.” It’s going to be tough, hard work to rebuild the Internet, and even harder work afterwards to rebuild trust in systems not to mention both public and private institutions.

Are we up to either job?

Posted in Cryptography | 13 Comments