Meet the spooky tech companies getting rich by making NSA surveillance possible

Wildly profitable companies like Neustar, Subsentio, and Yaana do the feds' dirty work for them, slurping huge amounts of unconstitutionally requisitioned data out of telcos' and ISPs' data-centers in response to secret, sealed FISA warrants -- some of them publicly traded, too, making them a perfect addition to the Gulag Wealth Fund. Read the rest

Why the FBI's plan to require weak security in all American technology is a terrible, terrible idea

Bruce Schneier's editorial on CALEA-II is right on. In case you missed it, CALEA II is the FBI's proposal to require all American computers, mobile devices, operating systems, email programs, browsers, etc, to have weak security so that they can eavesdrop on them (as a side note, a CALEA-II rule would almost certainly require a ban on free/open source software, since code that can be modified is code that can have the FBI back-doors removed).

The FBI believes it can have it both ways: that it can open systems to its eavesdropping, but keep them secure from anyone else's eavesdropping. That's just not possible. It's impossible to build a communications system that allows the FBI surreptitious access but doesn't allow similar access by others. When it comes to security, we have two options: We can build our systems to be as secure as possible from eavesdropping, or we can deliberately weaken their security. We have to choose one or the other.

This is an old debate, and one we've been through many times. The NSA even has a name for it: the equities issue. In the 1980s, the equities debate was about export control of cryptography. The government deliberately weakened U.S. cryptography products because it didn't want foreign groups to have access to secure systems. Two things resulted: fewer Internet products with cryptography, to the insecurity of everybody, and a vibrant foreign security industry based on the unofficial slogan "Don't buy the U.S. stuff -- it's lousy."

In 1994, the Communications Assistance for Law Enforcement Act mandated that U.S.

Read the rest

Computer scientists to FBI: don't require all our devices to have backdoors for spies

In an urgent, important blog post, computer scientist and security expert Ed Felten lays out the case against rules requiring manufacturers to put wiretapping backdoors in their communications tools. Since the early 1990s, manufacturers of telephone switching equipment have had to follow a US law called CALEA that says that phone switches have to have a deliberate back-door that cops can use to secretly listen in on phone calls without having to physically attach anything to them. This has already been a huge security problem -- through much of the 1990s, AT&T's CALEA controls went through a Solaris machine that was thoroughly compromised by hackers, meaning that criminals could listen in on any call; during the 2005/6 Olympic bid, spies used the CALEA backdoors on the Greek phone company's switches to listen in on the highest levels of government.

But now, thanks to the widespread adoption of cryptographically secured messaging services, law enforcement is finding that its CALEA backdoors are of declining utility -- it doesn't matter if you can intercept someone else's phone calls or network traffic if the data you're captured is unbreakably scrambled. In response, the FBI has floated the idea of "CALEA II": a mandate to put wiretapping capabilities in computers, phones, and software.

As Felten points out, this is a terrible idea. If your phone is designed to secretly record you or stream video, location data, and messages to an adverse party, and to stop you from discovering that it's doing this, it puts you at huge risk when that facility is hijacked by criminals. Read the rest

Brochures from the companies that sell malware to governments

Ars Technica has a small gallery of the latest Wikileaks dump, consisting of brochures from companies that sell malicious software to governments for use in spying on their citizens. I spoke at length with one of the sources for these and we agreed that it was freakishly weird and scary -- I've spent the past two months in a bit of a paranoid stupor as a result. On the other hand, I have seen enough product brochures to know that companies often stretch the truth when they're pimping their products, and I wouldn't expect truth-in-advertising ethics from vichy nerds that specialize in violating the UN Declaration of Human Rights.

One product marketed by HackingTeam is the Remote Control System, malware that infects computers and smartphones in order to enable covert surveillance. The company says that its trojan can intercept encrypted communication, including Skype voice calls. They prominently advertise the fact that the malware can be installed remotely. They say that it can scale up to monitor "hundreds of thousands of targets" and is capable of being deployed to Apple, Android, Symbian, and Blackberry mobile devices.

Gallery: how the surveillance industry markets spyware to governments Read the rest