10.16.13

NSA Roundup: New Evidence of Crimes, Greenwald Moves Towards Independence, and More

Posted in Action at 11:29 am by Dr. Roy Schestowitz

Summary: Newest stories about the NSA and its allies

THE NSA saga is far from over. There are new revelations all the time and the corporate press is trying to distract us by speaking about China [1] and Russia [2]. Don’t take this hypocritical bait.

As an MI5 whistleblower puts it, “US/UK spy chiefs cover up NSA surveillance scandal” [3] while Glenn Greenwald, a US citizen living in Brazil, finds independence by forming a new media outlet with help from eBay’s founder [4]. He will hopefully help nations which are victims of NSA espionage [5] without getting censored by The Guardian.

Tor, which is a project that came from the US military and is run by pseudonyms, is getting more attention from the NSA [6] and is becoming less safe to use [7], despite Edward Snowden’s promotion of it.

Snowden, the whistleblower who shamed the NSA, has his father visit him in Russia (despite or because of warnings about collaborations with the FBI) [8] and personal awards are being granted [9], with more possibly on the way [10]. Snowden is a hot target for the US government right now [11].

Richard Stallman has just published a long article about surveillance [12] and the EU Parliament, a famous victim of espionage managed by the NSA, is now turning its back on privacy [13,14].

Moves are being made to decentralise the US-centric Internet [15,16] as the NSA’s mischiefs go deeper and deeper [17,18], with complicity from US tech giants [19-22]. Lavabit is in the headline again, mostly for being the exception when it comes to selling customers down the river, only to be hunted down by the US government [23,24].

More interesting revelations come out of Britain, the US’ ally in espionage [25-28], with similar actions seen in Canada (also “Conservatives” [29]).

The NSA is fortunately having some growing pains [30]. The leaks can’t be helping Big Brother.

Related/contextual items from the news:

  1. China has more internet monitors than soldiers
  2. Russian embassy set up to intercept secrets: ASIO

    Russia used its embassy in Canberra to intercept Australian intelligence and political communications, targeting the capital’s main telecommunications tower, the Defence Department, Australian electronics firms and the Tidbinbilla space tracking station, according to confidential accounts of ASIO counter-espionage in the Cold War obtained by Fairfax Media.

  3. US/UK spy chiefs cover up NSA surveillance scandal

    The disparity in response to Edward Snowden’s disclosures within the USA and the UK is astonishing. In the face of righteous public wrath, the US administration is contorting itself to ensure that it does not lose its treasured data-mining capabilities: congressional hearings are held, the media is on the warpath, and senior securocrats are being forced to admit that they have lied about the efficacy of endemic surveillance in preventing terrorism.

    Just this week General Alexander, the head of the NSA with a long track record of misleading lying to government, was forced to admit that the endemic surveillance programmes have only helped to foil a couple of terrorist plots. This is a big difference from the previous number of 54 that he was touting around.

    Cue calls for the surveillance to be reined in, at least against Americans. In future such surveillance should be restricted to targeted individuals who are being actively investigated. Which is all well and good, but would still leave the rest of the global population living their lives under the baleful stare of the US panopticon. And if the capability continues to exist to watch the rest of the world, how can Americans be sure that the NSA et al won’t stealthily go back to watching them once the scandal has died down — or just ask their best buddies in GCHQ to do their dirty work for them?

  4. Glenn Greenwald announces departure from the Guardian

    Journalist who broke stories about widespread NSA surveillance leaving to pursue ‘once-in-a-career journalistic opportunity’

  5. Glenn Greenwald to publish Snowden leaks on France and Spain
  6. Report: NSA has little success cracking Tor

    The agency has attacked other software, including Firefox, in order to compromise the anonymity tool, according to documents

  7. How the NSA identifies Tor users in 6 easy steps
  8. Snowden’s father arrives in Russia
  9. Snowden Accepts Whistleblower Award

    Though former NSA contractor Edward Snowden has been indicted for leaking secrets about the U.S. government’s intrusive surveillance tactics, he was honored by a group of former U.S. intelligence officials as a courageous whistleblower during a Moscow ceremony, reports ex-CIA analyst Ray McGovern who was there.

  10. Open letter by 23 European organisations in support of Snowden’s nomination for the Sakharov prize

    Today, 23 European non-governmental organisations released an open letter to the Conference of Presidents of the European Parliament in support of Edward Snowden’s nomination for the Sakharov Prize for Freedom of Thought 2013.

  11. Snowden: DOJ Won’t Prosecute Official For Lying, But Will Stop At Nothing To Persecute Someone For Telling The Truth
  12. Stallman: How Much Surveillance Can Democracy Withstand?

    The current level of general surveillance in society is incompatible with human rights. To recover our freedom and restore democracy, we must reduce surveillance to the point where it is possible for whistleblowers of all kinds to talk with journalists without being spotted. To do this reliably, we must reduce the surveillance capacity of the systems we use.

    Using free/libre software, as I’ve advocated for 30 years, is the first step in taking control of our digital lives. We can’t trust non-free software; the NSA uses and even creates security weaknesses in non-free software so as to invade our own computers and routers. Free software gives us control of our own computers, but that won’t protect our privacy once we set foot on the internet.

  13. Will EU Parliament Sacrifice our Privacy for Electoral Reasons?

    A crucial vote for EU Citizens fundamental right to privacy will take place on October 21st, in the “Civil Liberties” committee (LIBE) of the European Parliament. The future of the EU Regulation on the protection of individuals to the processing of their personal data will be decided by a vote on “compromise amendments”. The rapporteur seems willing to request a mandate to enter closed-doors negotiations to severely cut short any chance of public debate. La Quadrature du Net calls on all citizens to contact the members of the LIBE committee to urge them to refuse this obscure hijacking of the democratic debate.

  14. [Video] Will EU Parliament Sacrifice our Privacy for Electoral Reasons?
  15. The US is losing control of the internet
  16. NSA Blowback Spreads to Internet Governance Organizations

    The unexpected disclosures of NSA activities by Edward Snowden present a splendid example of U.S. government, as well as popular, indifference to world opinion. As part of its efforts to control the political damage of the embarrassing revelations, the Obama administration repeatedly stressed that only foreign nationals had been targeted. As the breathtaking breadth of the data accessed and analyzed became clear, this rationale raised the question of how the foreign citizens – and even leaders – of U.S. allies might feel about being considered to be fair game for the NSA’s attention.

    The answer to that question is that they weren’t happy. Nor, as we will see, were a group of NGOs that had no reason to think they were targeted at all.

    Some foreign governments doubtless communicated their concerns privately through diplomatic channels. But others made their displeasure very public indeed. Brazil’s President Dilma Rousseff, for one, cancelled a bilateral summit with President Obama after it was reported that her telephone calls and email had been intercepted. Late last week, she went a step further, announcing that Brazil will host a global summit to oppose U.S. surveillance.

  17. The NSA’s New Codebreakers

    But TAO doesn’t just spy on America’s rivals. In 2012, the group reportedly compromised the encryption system used by an important G8 country to transmit sensitive diplomatic communications via satellite to its embassies around the world. The same is true with a number of countries in the Middle East and South Asia, including Egypt, Syria, Iran, and Pakistan, although the details of these successes are not yet known. And finally, sources report that TAO has successfully compromised the privacy protection systems currently used on a range of 4G cell phones and hand-held devices, thanks in large part to help from a major American telecommunications company.

  18. NSA Has Spurred Renewed Interest In Thorough Security Audits Of Popular ‘Secure’ Software

    In yet another bit of fallout from the NSA surveillance efforts — and, specifically, the NSA’s covert takeover of security standards to insert vulnerabilities — it appears that there’s suddenly much more skepticism towards well-known security offerings. This is a good thing. There have already been some revelations concerning attempts to compromise Tor, and security researcher Matthew Green has now called for a thorough security audit of TrueCrypt, the (very) popular disk encryption tool. Green and some others have kicked off the project on the aptly named website IsTrueCryptAuditedYet.com.

  19. If the Internet were a game of Risk, Facebook and Google would be winning
  20. Tech titans’ muted response on NSA data mining
  21. Latest NSA revelation is black eye for Yahoo

    Yahoo plans to make encryption a default setting for all Yahoo Mail users in January — four years after rival Google took what is considered a basic security step.

  22. NSA collects millions of e-mail address books globally

    The National Security Agency is harvesting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world, many of them belonging to Americans, according to senior intelligence officials and top-secret documents provided by former NSA contractor Edward Snowden.

    The collection program, which has not been disclosed before, intercepts e-mail address books and “buddy lists” from instant messaging services as they move across global data links. Online services often transmit those contacts when a user logs on, composes a message, or synchronizes a computer or mobile device with information stored on remote servers.

  23. Meet Lavabit’s founder: An American hero hiding in plain sight
  24. Lavabit Case Shows Why We Need Tech Literate Judges

    While there’s plenty of attention being paid to Lavabit’s temporary re-opening for the sake of letting people export their accounts, a much more interesting issue is the recent development in the legal case. Lavabit has filed its latest brief, and there are some interesting discussions about the details of the case. From my reading, Lavabit makes a very strong argument that the government has no right to demand the production of Lavabit’s private SSL keys, as it’s an overreach way beyond what traditional wiretapping laws allow. Lawyer Orin Kerr’s analysis argues that Lavabit’s case is weak, mainly arguing that the federal government can subpoena whatever the hell they want, and just because it conflicts with your business model: too bad. Lavabit argues that complying with the government’s order is oppressive because it would effectively mean it would be committing fraud on all its customers…

  25. Interview on London Real TV
  26. The Empire Strikes Back

    Sir Andrew Parker, the recently elevated Director General of the UK’s domestic security Service (MI5) yesterday made both his first public speech and a superficially robust defence of the work of the intelligence agencies. Reading from the outside, it sounds all patriotic and noble.

  27. Snowden leaks: David Cameron urges committee to investigate Guardian

    David Cameron speaks during prime minister’s questions, where he said: ‘The plain fact is that what has happened has damaged national security.’ Photograph: PA

  28. Parliamentarians warn of ‘deliberate failure’ to conceal GCHQ capability

    Shortly after Lord Macdonald, the former director of public prosecutions, condemned the way the new head of MI5 had dismissed calls for greater scrutiny several senior figures involved in the scrutiny of the draft communications data bill have said that Britain’s spy agencies may be operating outside the law in the mass internet surveillance programmes uncovered by Edward Snowden.

  29. Conservatives Set To Kill Growing VPN Industry
  30. Windows Becomes Freeware, Adobe Cracked & More…

    This week we were treated to the surprising news (not) that the NSA has been going after users of TOR. We also learned that the opening of the huge data center the agency is building in the Utah desert has been again delayed, this time due to power surges that have been burning out about $100,000 in equipment with each incident. Meanwhile, as more items revealed by Edward Snowden are released, companies offering online anonymity find their business booming.

After Attacking GNU/Linux at Microsoft’s Behalf (and Hiring Executives From Microsoft) HP Pretends to be Against Microsoft

Posted in Deception, GNU/Linux, HP, Microsoft at 11:05 am by Dr. Roy Schestowitz

Meg Whitman talks nonsense

Photo: Meg Whitman (author: Max Morse)

Summary: HP says Microsoft is a rival, but evidence suggests that HP is being occupied by Microsoft managers and that it attacks GNU/Linux, not Windows

People should not be taking HP’s claims at face value. Realising what the cash cows are, HP is trying to sell as many servers as possible (many will use GNU/Linux), so it tries to appeal to system administrators while quietly spreading Microsoft’s anti-GNU/Linux FUD [1, 2] to derail government migrations to GNU/Linux. Perhaps the inefficiency of Windows helps sell more such servers (for the same task).

Either way, HP sure is suffering from the decline of Microsoft’s desktop empire, but publicly HP wants us to think that “Microsoft Is At War With Its OEM Partners” (such as HP). More “sock puppetry,” calls it iophk, saying that “Microsoft Hilf is still inside HP, Ray Ozzie is still on the board, so this is just noise.” There are more such examples, including Vice Presidents. HP is gradually becoming somewhat of a proxy to Microsoft — a bit like Nokia.

Microsoft is hardly a competitor of HP; those two are partners and actions at the management level show this. Here is another article which blindly repeats HP’s claims:

APPARENTLY NOT CONTENT with making her employees draw lots or arm-wrestle for desks by banning telecommuting, HP CEO Meg Whitman has decided to let loose the hounds on Microsoft, declaring that it and Intel have changed from being “partners to outright competitors”.

HP is still using x86 and Windows, so how are Intel and Microsoft competitors really? Sheer nonsense.

Speaking of Microsoft and pretense, the company pretended to be “nice” to FOSS while essentially banning a particular FOSS licence — an action which it quietly steps away from:

With little fanfare, Microsoft — or at least one part of it — has gone from considering the GNU General Public License v.3 (GPLv3) “evil” to “acceptable.”

That’s because this licence is popular, unlike Microsoft. “A company spokesperson didn’t provide a direct answer,” says Microsoft Mary, whose inquiry helps show just how Microsoft really feels about the GPLv3. Public statements are the area controlled by marketing people and professional spinners. In order to find out what’s true we need to investigate actions — not words — for ourselves.

Linux Backdoors Revisited (New Revelations and Old Revelations)

Posted in GNU/Linux, Kernel, Security at 10:43 am by Dr. Roy Schestowitz

Claude Elwood Shannon, the man who introduced entropy


Summary: An anonymous backdooring attempt against Linux goes a decade back, but a randomisation problem in today’s Linux also seems possible (subverting encryption)

Jonathan Allen wrote this article about an incident mentioned also by Freedom to Tinker. Slashdot’s summary goes like this, documenting news from one decade ago:

“Ed Felten writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn’t like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McVoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: ‘if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) …’ A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said ‘= 0’ rather than ‘== 0’ so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it’s a classic backdoor. We don’t know who it was that made the attempt—and we probably never will. But the attempt didn’t work, because the Linux team was careful enough to notice that this code was in the CVS repository without having gone through the normal approval process. ‘Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,’ writes Felten. ‘Unless somebody confesses, or a smoking-gun document turns up, we’ll never know.’”
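The effect described in the summary above, reproduced in user space as an added example (not kernel code and not part of the original post). The struct, the flag macros and the error return in the branch body are stand-ins, since the quoted line elides the body.

```c
#include <stdio.h>

/* Constructed user-space stand-ins: the page quotes only the condition, so
 * the flag names, struct and branch body below are assumptions. */
#define WCLONE_FLAG 0x80000000u
#define WALL_FLAG   0x40000000u
#define ERR_INVALID 22

struct task { unsigned int uid; };      /* stand-in for the kernel's "current" */
struct outcome { int retval; unsigned int uid_after; };

/* Condition as quoted on the page. "= 0" stores 0 into uid, and the value of
 * that assignment (0) makes the && false, so the branch body never runs.
 * The extra parentheses around the assignment are the form that GCC's
 * -Wparentheses accepts as intentional, so no warning is produced. */
static int check_as_inserted(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid = 0))
        retval = -ERR_INVALID;
    return retval;
}

/* What the line appears to be on a casual read: a pure comparison. */
static int check_as_it_reads(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid == 0))
        retval = -ERR_INVALID;
    return retval;
}

/* Run one variant on a fresh task; report the return value and uid afterwards. */
struct outcome run(int inserted, unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    struct outcome o;
    o.retval = inserted ? check_as_inserted(&t, options)
                        : check_as_it_reads(&t, options);
    o.uid_after = t.uid;
    return o;
}

int main(void)
{
    unsigned int magic = WCLONE_FLAG | WALL_FLAG;
    struct outcome a = run(1, 1000, magic);   /* inserted line, flag pair    */
    struct outcome b = run(0, 1000, magic);   /* comparison, flag pair       */
    struct outcome c = run(1, 1000, 0);       /* inserted line, other flags  */
    printf("inserted, flag pair:   retval=%d uid=%u\n", a.retval, a.uid_after);
    printf("as read,  flag pair:   retval=%d uid=%u\n", b.retval, b.uid_after);
    printf("inserted, other flags: retval=%d uid=%u\n", c.retval, c.uid_after);
    return 0;
}
```

For an unprivileged caller both variants return the same value, so a test that only looks at the return code cannot tell them apart; the difference is visible only in the stored uid, which is why the missing approval record was what exposed the change.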

Backdoors in Linux are a subject for jokes in Torvalds' mind, but given the above we should take this subject very seriously. In any system, for example, having no mechanism for randomness (like in some embedded devices) typically means that strong encryption (with high entropy) is not possible. Given new alleged “insecurities in the Linux /dev/random,” as Bruce Schneier put it, Linux backdoors seem possible again. David Benfell said:

I’m guessing Schneier knows what the fuck he’s talking about. If it is the same vulnerability, then Torvalds’ defense is that the vulnerable source of entropy is only one of many. But if I read Schneier correctly, the result was still too predictable.

“On the other hand,” says Benfell, “here’s Theodore Ts’o from the comments:”

So I’m the maintainer for Linux’s /dev/random driver. I’ve only had a chance to look at the paper very quickly, and I will look at it more closely when I have more time, but what the authors of this paper seem to be worried about is not even close to the top of my list in terms of things I’m worried about.

First of all, the paper is incorrect in some minor details; the most significant error is its (untrue) claim that we stop gathering entropy when the entropy estimate for a given entropy pool is “full”. Before July 2012, we went into a trickle mode where we only took in 1 in 4096 values. Since then, the main way that we gather entropy, which is via add_interrupt_randomness(), has no such limit. This means that we will continue to collect entropy even if the input pool is apparently “full”.

This is critical, because *secondly* their hypothetical attacks presume certain input distributions which have an incorrect entropy estimate — that is, either zero actual entropy but a high entropy estimate, or a high entropy, but a low entropy estimate. There has been no attempt by the paper’s authors to determine whether the entropy gathered by Linux meets either of their hypothetical models, and in fact in the “Linux Pseudorandom Number Generator Revisited” [1], the analysis showed that our entropy estimator was actually pretty good, given the real-life inputs that we are able to obtain from an actual running Linux system.

[1] http://eprint.iacr.org/2012/251.pdf

The main thing which I am much more worried about is that on various embedded systems, which do not have a fine-grained clock, and which is reading from flash which has a much more deterministic timing for their operations, is that when userspace tries to generate long-term public keys immediately after the machine is taken out of the box and plugged in, that there isn’t a sufficient amount of entropy, and since most userspace applications use /dev/urandom since they don’t want to block, that they end up with keys that aren’t very random. We had some really serious problems with this, which was written up in the “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices” [2] paper, and the changes made in July 2012 were specifically designed to address these worries.

[2] https://www.factorable.net/paper.html

However, it may be that on certain systems, in particular ARM and MIPS based systems, where a long-term public key is generated very shortly after the first power-on, that there’s enough randomness that the techniques used in [2] would not find any problems, but that might be not enough randomness to prevent our friends in Fort Meade from being able to brute force guess the possible public-private key pairs.

Speaking more generally, I’m a bit dubious about academic analysis which are primarily worried about recovering from the exposure of the state of the random pool. In practice, if the bad guy can grab the state of random pool, they probably have enough privileged access that they can do many more entertaining things, such as grabbing the user’s passphrase or their long-term private key. Trying to preserve the amount of entropy in the pool, and making sure that we can extract as much uncertainty from the system as possible, are much higher priority things to worry about.

That’s not to say that I might not make changes to /dev/random in reaction to academic analysis; I’ve made changes in reaction to [2], and I have changes queued for the next major kernel release up to make some changes to address concerns raised in [1]. However, protection against artificially constructed attacks is not the only thing which I am worried about. Things like making sure we have adequate entropy collection on all platforms, especially embedded ones, and adding some conservatism just in case SHA isn’t a perfect random function are some of the other things which I am trying to balance as we make changes to /dev/random.

Ts’o, who is the former CTO of the Linux Foundation, at least acknowledges the possibility that there is a real issue here.
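A toy model of the first-boot problem described in the comment above, together with the shared-factor check behind the weak-key findings in [2], as an added example (not code from the post, the paper or the kernel). The 64-bit LCG, the 32-bit primes and the seed values are constructed stand-ins for a real random pool and real RSA key sizes.

```c
#include <stdint.h>
#include <stdio.h>

/* Trial division is enough for the 32-bit toy primes used here. */
static int is_prime(uint32_t n)
{
    if (n < 2) return 0;
    if (n % 2 == 0) return n == 2;
    for (uint32_t d = 3; (uint64_t)d * d <= n; d += 2)
        if (n % d == 0) return 0;
    return 1;
}

/* Assumption: a 64-bit LCG stands in for the device's random pool. */
static uint32_t next_u32(uint64_t *state)
{
    *state = *state * 6364136223846793005ULL + 1442695040888963407ULL;
    return (uint32_t)(*state >> 32);
}

static uint32_t gen_prime(uint64_t *state)
{
    uint32_t c = next_u32(state) | 0x80000001u;   /* top bit set, odd */
    while (!is_prime(c)) c += 2;
    return c;
}

/* First-boot key generation: p is drawn from whatever the boot left in the
 * pool; device-specific input is mixed in only afterwards, before q. */
uint64_t first_boot_modulus(uint64_t boot_state, uint64_t late_input)
{
    uint64_t state = boot_state;
    uint32_t p = gen_prime(&state);
    state ^= late_input;
    uint32_t q = gen_prime(&state);
    return (uint64_t)p * q;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* Pairwise GCD audit of a key inventory: flag[i] is set when modulus i shares
 * a factor with another one. Quadratic, which is fine for a small fleet. */
size_t audit_shared_factors(const uint64_t *n, size_t count, int *flag)
{
    size_t flagged = 0;
    for (size_t i = 0; i < count; i++) flag[i] = 0;
    for (size_t i = 0; i < count; i++)
        for (size_t j = i + 1; j < count; j++)
            if (gcd64(n[i], n[j]) > 1) flag[i] = flag[j] = 1;
    for (size_t i = 0; i < count; i++) flagged += (size_t)flag[i];
    return flagged;
}

int main(void)
{
    /* Constructed values: units 0 and 1 boot into the same pool state,
     * unit 2 had distinct state before its first prime was drawn. */
    uint64_t n[3] = { first_boot_modulus(42, 0x1111), first_boot_modulus(42, 0x2222),
                      first_boot_modulus(0x9e3779b97f4a7c15ULL, 0x3333) };
    int flag[3];
    audit_shared_factors(n, 3, flag);
    for (int i = 0; i < 3; i++)
        printf("unit %d shared_factor=%d\n", i, flag[i]);
    return 0;
}
```

Run over an inventory of your own devices' public moduli, a flagged pair points to keys generated from the same early pool state; at real key sizes the same check needs a big-integer library.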
