NSA leak reveal plans to subvert mobile network security around the world

The NSA's AURORAGOLD program -- revealed in newly released Snowden docs -- used plundered internal emails to compromise nearly every mobile carrier in the world, and show that the agency had planned to introduce vulnerabilities into future improvements into mobile security. Read the rest

What's the best way to weaken crypto?

Daniel Bernstein, the defendant in the landmark lawsuit that legalized cryptography (over howls of protest from the NSA) engages in a thought-experiment about how the NSA might be secretly undermining crypto through sabotage projects like BULLRUN/EDGEHILL.

Making sure crypto stays insecure [PDF/Daniel J Bernstein]

(via O'Reilly Radar) Read the rest

Mobile ad

Spyware increasingly a part of domestic violence

Australian Simon Gittany murdered his girlfriend, Lisa Harnum, after an abusive relationship that involved his surveillance of her electronic communications using off-the-shelf spyware marketed for purposes ranging from keeping your kids safe to spotting dishonest employees. As Rachel Olding writes in The Age, surveillance technology is increasingly a factor in domestic violence, offering abusive partners new, thoroughgoing ways of invading their spouses' privacy and controlling them.

The spyware industry relies upon computers -- laptops, mobile devices, and soon, cars and TVs and thermostats -- being insecure. In this, it has the same goals as the NSA and GCHQ, whose BULLRUN/EDGEHILL program sought to weaken the security of widely used operating systems, algorithms and programs. Every weakness created at taxpayer expense was a weakness that spyware vendors could exploit for their products.

Likewise, the entertainment industry wants devices that are capable of running code that users can't terminate or inspect, so that they can stop you from killing the programs that stop you from saving Netflix streams, running unapproved apps, or hooking unapproved devices to your cable box.

And Ratters, the creeps who hijack peoples' webcams in order to spy on them and blackmail them into sexual performances, also want computers that can run code that users can't stop. And so do identity thieves, who want to run keyloggers on your computer to get your banking passwords. And so do cops, who want new powers to insert malware into criminals' computers.

There are a lot of ways to slice the political spectrum -- left/right, authoritarian/anti-authoritarian, centralist/decentralist. Read the rest

Why DRM is the root of all evil

In my latest Guardian column, What happens with digital rights management in the real world?, I explain why the most important fact about DRM is how it relates to security and disclosure, and not how it relates to fair use and copyright. Most importantly, I propose a shortcut through DRM reform, through a carefully designed legal test-case. Read the rest

Random NSA program generator, with denials

The NSA-O-Matic generates eerily plausible leaked NSA programs at the click of a mouse, including non-denial denials from NSA shills and spokesjerks. For example "STUMPVIEW, a searchable database that bugs conversations within earshot of laptop microphones. Senator Dianne Feinstein assured the public that the program discards information as soon it is determined to be irrelevant." It's hosted on Github and ready for your forking and contributions. Read the rest

FreeBSD won't use Intel & Via's hardware random number generators, believes NSA has compromised them

The maintainers of the security-conscious FreeBSD operating system have declared that they will no longer rely on the random number generators in Intel and Via's chips, on the grounds that the NSA likely has weakened these opaque hardware systems in order to ease surveillance. The decision is tied to the revelations of the BULLRUN/EDGEHILL programs, wherein the NSA and GCHQ spend $250M/year sabotaging security in standards, operating systems, software, and networks. Read the rest

Six ways that NSA and GCHQ spying violated your rights, and six things you can do about it

Ruth from the Open Rights Group sez, "With the huge amount of evidence leaked by Edward Snowden on surveillance by the NSA and the GCHQ, the Open Rights Group has compiled a list of the top 6 points that everyone should know about how their rights have been violated. To combat this tide of privacy-invasions ORG also list the 6 key things that they want to do in response, and how you can help the biggest year of campaigning against mass surveillance. We believe that if enough people speak up we can change how surveillance is done."

ORG is great organisation (I helped to found it, but am not involved in its daily operations in any way, apart from marvelling at the staffers and volunteers there) and their game-plan for mapping and securing redress for spy agencies' lawlessness is exemplary. I hope you'll join the group and help out. Read the rest

Mobile ad

David Cameron threatens injunction against the Guardian to stop further Snowden leak publications

UK prime minister David Cameron has threatened to get a court order against the Guardian if it continues to publish the Snowden leaks. He accused the Guardian of having a "lah-di-dah, airy-fairy view" about the dangers of leaks, and said the if the paper didn't voluntarily censor itself out of a sense of "social responsibility" he would seek court injunctions against it.

The majority of the Snowden leaks have revealed crimes -- illegal spying, lying to Congress and Parliament, violation of international law. That these crimes were committed with the knowledge and approval of the highest levels of the US and UK government doesn't make them any less criminal. And what wasn't criminal was absolutely depraved in its indifference to the public good: for example, the UK government's Edgehill programme, which, with the US government's Bullrun program, sabotaged the security of software, hardware and cryptographic standards to the tune of USD250M/year.

There is nothing more cowardly and corrupt than a lawbreaking political leader who threatens the free press when they call him to account. I never liked Cameron, but with this, he's taken the Tories beyond their reputation of being "the nasty party" and turned them into full-blown Stalinists. Read the rest

Huawei: unlike western companies, we've never been told to weaken our security

Huawei, the Chinese electronics giant that was accused of being "a security risk" in a paper by the House Intelligence Committee (its chair, Mike Rogers [R-MI], said "find another vendor if you care about your intellectual property, if you care about your consumers' privacy, and you care about the national security of the United States of America") has come out swinging in a new cybersecurity paper.

In the paper's foreword, the company's deputy chair Ken Hu writes:

[Huawei] never received any instructions or requests from any government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability.

“We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies."

Unlike the companies that were on the target of the NSA and GCHQ's BULLRUN/EDGEHILL programs, which spent $250,000,000 a year to subvert security standards, and to convince western electronics companies to sabotage their own security. Read the rest

EFF: the NSA has endangered us all by sabotaging security

The Electronic Frontier Foundation's Cindy Cohn and Trevor Timm look at the NSA's Bullrun program, through which the US and UK governments have spent $250M/year sabotaging computer security. Cindy is the lawyer who argued the Bernstein case, which legalized civilian access to strong cryptography -- in other words, it's her work that gave us all the ability to communicate securely online. And so she's very well-situated to comment on what it means to learn that the NSA has deliberately weakened the security that ensures the integrity of the banking system, aviation control, embedded systems in everything from cars to implanted defibrillators, as well as network infrastructure, desktop computers, cloud servers, laptops, phones, tablets, TVs, and other devices. Read the rest

Firsthand account of NSA sabotage of Internet security standards

On the Cryptography mailing list, John Gilmore (co-founder of pioneering ISP The Little Garden and the Electronic Frontier Foundation; early Sun employee; cypherpunk; significant contributor to GNU/Linux and its crypto suite; and all-round Internet superhero) describes his interactions with the NSA and several obvious NSA stooges on the IPSEC standardization working groups at the Internet Engineering Task Force. It's an anatomy of how the NSA worked to undermine and sabotage important security standards. For example, "NSA employees explicitly lied to standards committees, such as that for cellphone encryption, telling them that if they merely debated an actually-secure protocol, they would be violating the export control laws unless they excluded all foreigners from the room (in an international standards committee!)." Read the rest

Report: NSA works with security vendors to thwart encryption, according to 'Bullrun' docs leaked by Snowden

This undated photo released by the United States government shows the National Security Agency campus in Fort Meade, Md.

In the New York Times, a report based on documents leaked by Edward Snowden says the National Security Agency is "winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications."

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

Read the rest: N.S.A. Foils Much Internet Encryption - NYTimes.com.

The Guardian has a related report out today. The leaked docs show that NSA and GCHQ (UK intel agency) have spent hundreds of millions to defeat Internet encryption.

Pro Publica's take on the information is here. Read the rest