NSA

All posts tagged NSA

After  9/11, the U.S. government didn’t have much trouble blasting away any expectation of privacy when conducting financial transactions or traveling across the country.    It’s a little harder to justify destroying fundamental freedoms when it comes to spying on people’s email and instant messaging conversations.  What is the state to do?  If recent actions by the NSA and CIA are any indication, it is to invent ridiculous threats about the danger that “hackers” pose to us all.

First, Michael McConnell, Director of National Intelligence of the United States claimed that “the U.S. government should have unfettered and warrantless access to U.S. citizens’ Google search histories, private e-mails and file transfers” in the January 21st edition of the New Yorker.

One of his claims is that cyber crime costs $100 billion per year.  This number was made up by Valerie McNevin, who happened to have once served as an advisor to the U.S. Treasury department.  Wired reports that “within two hops, CNN was reporting the $105 billion as an official Treasury Department estimate of global cyber crime profits.”  Before long, the number was used by Information Week, Slashdot, Reuters, reputable security firms such as McAfee  – and the Director of the NSA.

The second preposterous claim is that “a massive cyber-attack on a single U.S. bank would be worse for the economy than the deadly terrorist attacks of September 11.” It takes a computer security specialist to appreciate the sheer ignorance of that claim.  The head of the NSA is surely familiar with highly secure computing environments.  Just like the government, banks employ data centers that are both physically and cryptographically isolated – you have to physically break into the bank’s data center before you can even think about causing havoc in a large scale.  The website you use to access your bank
account is far removed from the servers that actually hold your account information.
It’s easy to steal bank account information, and maybe even take away your online account access for a day.  But that is hardly a “911” type of event.  Without physical access to the data centers, hackers
cannot erase traces of their work, so the transactions can be easily reversed.
It’s hard to withdraw $100 billion of cash from a bank in a day.

Regardless, McConnel believes that a recent federal ruling which decided that “any telephone transmission or e-mail that incidentally flowed into U.S. computer systems was potentially subject to judicial oversight” has reduced the “capacity of the NSA to monitor foreign-based communications … by seventy per cent.”  No worries, because the Protect America Act passed this summer, and allows
“Gmail’s servers and AT&T’s switches [to be] de facto
arms of the surveillance industrial complex
without any court oversight.”

This latest attack on American’s privacy is just the latest act for McConnell – he was one of the main backers of the Clipper Chip, a plan to force an NSA backdoor into encryption product.  More recently, the NSA has attempted to sneak in a backdoor into encryption by creating flawed security standards.

In case you still think that this attack on American’s privacy has anything to do with terrorism, the testimony of Qest CEO Joseph Nacchio makes clear that the NSA was out to spy on
Americans at least
seven months before September 11, 2001
.

Michael Tanji, an ex-spook who spent 20 years in the intelligence community observes that
monitoring all traffic is basically an admission that the government has no
effective means of detecting or stopping legitimate threats, cyber or otherwise:

It’s bad enough that the Director of
National Intelligence is trotting out a bogus threat so the government can snoop on all Internet traffic.  What’s worse is that
this kind of mass surveillance is a pretty lame way to catch the honest-to-God
bad guys.

Of more interest to observers of intelligence activities is the issue of quality vs. quantity and the slow creep towards doom that these efforts foretell. The fact that we are essentially
attempting to gill-net bad guys is a fairly strong indicator that the intelligence community has yet to come up with an effective strategy against information-age threats.

The NSA is not alone in scaremongering Americans.  The CIA claims that hackers “turned
out the lights in multiple [foreign] cities after breaking into electrical
utilities and demanding extortion payments before disrupting the power.”  Of course, no details on where or when the outages occurred were provided, so it’s hard to evaluate this claim.  I wonder whether some power utilities around the globe are really dumb enough to connect critical components to the
public Internet, or whether the “hackers” simply broke into the facilities and flipped a switch.

The Dept of Homeland Security wants a piece of the horror-fest action too:  it “produced
a video showing commands quietly triggered by simulated hackers having such a violent reaction that an enormous generator shudders as it flies apart and belches black-and-white smoke.”  “Simulated” hackers?

Some people might look at the relentless attack by governments on privacy and personal liberty and ascribe it to some kind of enormous, sinister plot.  Yet reality is much more ordinary and mundane.  Countless nameless bureaucrats are just doing what they always do — fighting for power and influence using the only currency they have – the public’s money and liberty.

Various tech bloggers are
reporting
that Microsoft will
include
the NSA-recommended random algorithm suspected of containing
a backdoor vulnerability
in the upcoming Windows Vista service pack. 
According to Microsoft, the “Dual Elliptical Curve (Dual EC) PRNG from SP
800-90 is also available for customers who prefer to use it,” so this
algorithm is an option, not the default.  Why would Microsoft
intentionally include an inefficient and unsecure algorithm?  Very likely, because it will eventually be
required in governments contracts. 

It is hard to blame Microsoft for not wanting to lose government contracts,
or to alienate customers who depend on them. 
The real danger is the (inevitable?) attempts by the state to force this
algorithm on everyone else, including requirements that make it mandatory for
government contracts, and thus attempt to influence the default configuration
by virtue of the state’s dominant market share.