22 December 2013

This Week's Spylapalooza

It's been a busy week for developments in spying by the US state security apparatus.

First, we have the report from the President's hand-picked panel, "Liberty and Security in a Changing World." (PDF)

From people who know the issues, the reviews have been that this is weak tea.

The EFF's conclusion was that, "The report left open the door for future mass surveillance and failed to address the constitutionality of the NSA's mass spying, recently questioned by the D.C. federal court and raised by EFF in its multiple lawsuits."

Marcy Wheeler, who is perhaps the most knowledgeable person on these sorts of issues, observes that the panel refused to address whether the NSA spying program was illegal. There is simply nothing in the report about this.

When she looks at what is in the report, she sees signs that the NSA is probably functioning as a domestic security agency:
Which is why I’m curious what’s behind the following language, offered in support of the recommendation to clearly designate NSA as a foreign intelligence organization and presented with two other things we know NSA does.
It should not be a domestic security service, a military command, or an information assurance organization.

[...] Like other agencies, there are situations in which NSA does and should provide support to the Department of Justice, the Department of Homeland Security, and other law enforcement entities. But it should not assume the lead for programs that are primarily domestic in nature.
That seems to suggest that, in addition to supporting DHS, DOJ, and other law enforcement entities (cough, DEA, as well as probably Secret Service in its cyber-role), NSA takes the lead on certain issues that are primarily domestic. I do hope we’ll learn what this refers to. Because if NSA is operating domestically (maybe to police IP?), it will be scandalous news.

ProPublica notes that one of the more direct recommendations of the panel is that the NSA needs to stop undermining publicly available encryption algorithms:
The National Security Agency should not undermine encryption standards that are designed to protect the privacy of communications, the panel of experts appointed by President Obama to review NSA surveillance recommended in a report released today.

The recommendation, among the strongest of the many suggested changes laid out by the panel, comes several months after ProPublica, the Guardian, and the New York Times reported that the NSA has successfully worked to undercut encryption. The story was based on a set of documents provided by former NSA contractor Edward Snowden.

Outside of the intelligence review board, we have learned that the NSA paid RSA Security LLC to incorporate insecure encryption in its products:
As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

In total, this explains the flight from services like Google to non-US alternatives.

In a perfect world, all of this might lead the White House and the intelligence agencies to back off from their expansion of power, but if you expected that, you would be wrong.

They are currently attempting to quash a court ruling on the constitutionality of their domestic spying program by invoking the state-secrets privilege.

And for your amusement, we have Mark Fiore's comments on the difference between data collection by the government and by commercial interests.

