Boing Boing 

How can you trust your browser?


Tim Bray's Trusting Browser Code explores the political and technical problems with trusting your browser, especially when you're using it to do sensitive things like encrypt and decrypt your email. In an ideal world, you wouldn't have to trust Google or any other "intermediary" service to resist warrants forcing it to turn over your sensitive communications, because it would be technically impossible for anyone to peek into the mail without your permission. But as Bray points out, the complexity and relative opacity of Javascript makes this kind of surety difficult to attain.

Bray misses a crucial political problem, though: the DMCA. Under US law (and similar laws all over the world), telling people about vulnerabilities in DRM is illegal, meaning that a bug in your browser that makes your email vulnerable to spying might be illegal to report, and will thus potentially never be fixed. Now that the World Wide Web Consortium and all the major browser vendors (even including Mozilla) have capitulated on adding DRM to the Web, this is the most significant political problem in the world of trusting your browser.

Time-capsule crypto to help journalists protect their sources


Jonathan Zittrain writes, "I published an op-ed in the Boston Globe today musing on the prospects for 'time capsule encryption,' one of several ways of storing information that renders it inaccessible to anyone until certain conditions -- such as the passage of time -- are met. I could see libraries and archives offering such technology as part of accepting papers and manuscripts, especially in the wake of the 'Belfast Project' situation, where a library promised confidentiality for accounts of the Troubles in North Ireland, and then found itself amidst subpoenas from law enforcement looking to solve long-cold cases. But the principle could apply to any person or company thinking that there's a choice between leaving information exposed to leakage, or destroying it entirely."

I'm less enthusiastic about this than Jonathan is. I think calibrating the strength of your time-capsule is very hard. If the NSA might be an order of magnitude faster than the rest of us at brute-force cryptanalysis, that means you need to make your 10-year capsule strong enough to last for 100 years just to be on the safe side. Same goes for proof-of-work.

'NSA vs. USA,' anti-spying dance music video

An anti-mass-surveillance music video by Shahid Buttar, director of the Bill of Rights Defense Committee.

Download the extended dance floor mix. Read the lyrics (annotated with hyperlinks to help you learn more). [HT: Rainey Reitman]

Today is the day we Reset the Net

Today is the day we Reset the Net! It's been one year since the Edward Snowden disclosures hit the news and the whole world woke up to the scale of mass, indiscriminate Internet surveillance -- a spying campaign that was only possible because our own tools leak our private information in great gouts. Reset the Net provides you with a technical, political, and social toolkit to harden our Internet against the spies; and Boing Boing is proud to be playing a role.

Tomorrow: Berlin sunrise mass whistle-in to commemorate Snowden leaks


A reader writes, "Just after sunrise on June 5, the NK Projekt in Berlin is leading a massive whistle-blowing session to commemorate the one-year anniversary of Edward Snowden's own whistle blowing activities."

(Image: I want you to blow the whistle, Mike, CC-BY-SA)

Five dumb things that NSA apologists should really stop saying


The Electronic Frontier Foundation has rounded up the five most discredited arguments advanced by apologists for NSA spying, including "The NSA has Stopped 54 Terrorist Attacks with Mass Spying"; "Just collecting call detail records isn't a big deal"; "There Have Been No Abuses of Power"; "Invading Privacy is Okay Because It's Done to Prevent Terrorist Attacks"; and "There's Plenty of Oversight From Congress, the Foreign Intelligence Surveillance Court, and Agency Watchdogs." Each of these claims is meticulously debunked in the post.

Snowden, one year after: Now we know the NSA's secrets

Josh from the ACLU writes, "To mark this Thursday's one-year anniversary of the first NSA revelation from Edward Snowden, we've made a very cool video showing what's happened so far (and yes that is Snowden's voice at the end). You've not seen an NSA video like this before. We've also created a guide (PDF) to what we think needs to be done for surveillance reform by Congress, the president, the courts, and tech companies."

They Knew Our Secrets. One Year Later, We Know Theirs.

NSA facial recognition: combining national ID cards, Internet intercepts, and commercial facial databases for millions of people

A newly released set of slides from the Snowden leaks reveals that the NSA is harvesting millions of facial images from the Web for use in facial recognition algorithms through a program called "Identity Intelligence." James Risen and Laura Poitras's NYT piece shows that the NSA is linking these facial images with other biometrics, identity data, and "behavioral" data including "travel, financial, behaviors, social network."

The NSA's goal -- in which it has been moderately successful -- is to match images from disparate databases, including databases of intercepted videoconferences (in February 2014, another Snowden publication revealed that NSA partner GCHQ had intercepted millions of Yahoo video chat stills), images captured by airports of fliers, and hacked national identity card databases from other countries. According to the article, the NSA is trying to hack the national ID card databases of "Pakistan, Saudi Arabia and Iran."

This news is likely to be rhetorically useful to campaigners against national ID cards in countries like the UK, where the issue has been hotly debated for years (my own Member of Parliament, Meg Hillier, was the architect of one such programme, and she, along with other advocates for national ID cards, dismissed fears of this sort of use as paranoid ravings).

The development of the NSA's facial recognition technology has been accompanied by a mounting imperative to hack into, or otherwise gain access to, other databases of facial images. For example, the NSA buys facial images from Google's Pittpatt division, while another program scours mass email interceptions for images that appear to be passport photos.

An interesting coda to the piece is that the NSA has developed the capability to infer location by comparing scenery in terrestrial photos to satellite images, which sounds like a pretty gnarly computer-vision problem.

House approves 'media shield' amendment, as reporter reveals 2011 subpoena fight

The House of Representatives today voted 225-183 to approve an appropriations bill amendment that bars the Justice Department from forcing reporters to testify about their confidential sources.

Majority of Americans think Snowden was right to leak


A forthcoming Yougov survey found that 55 percent of Americans believe Edward Snowden was right to leak the details of Prism (it's not clear whether they were surveyed on other leaks).

NSA can't find any emails from Snowden, then it can (convenient, no?)

Yesterday, the NSA released an email from Edward Snowden to his superiors asking about the legality of NSA spying, claiming it was the only evidence they had that he ever tried to go through channels before turning leaker; on its face, this is pretty damning. But there's one problem: six months ago, the NSA claimed that they had no emails of the sort from Snowden, and then this one happened to turn up just in time to counter Snowden's allegations on US TV that he'd tried to blow the whistle from inside. My guess? Someone as canny as Snowden kept copies of all the communiques he made and flags he raised, and will be shortly making the NSA look like pathetic liars (again).

Warrantless spying makes spying-with-a-warrant impossible

Tim Bray's taxonomy of privacy levels makes a compact and compelling argument that the existence of warrantless spying and security sabotage is what drives people to adopt cryptographic techniques that can't be broken even with a warrant.

Jonathan Lethem and Lars Eidinger's claustrophobic, Snowden-commemorating short film

Jonathan Lethem and Lars Eidinger star in Lars and Jonathan: A Berlin Friendship, a short, paranoid, quirky film made for Transmediale's Snowden-leak-commemorating Magical Secrecy Tour.

Watch the full-length NBC News interview with Edward Snowden

NBC News has released an online version of its featured interview with NSA whistleblower Edward Snowden, a first for US TV.

Mysterious announcement from Truecrypt declares the project insecure and dead

The abrupt announcement that the widely used, anonymously authored disk-encryption tool Truecrypt is insecure and will no longer be maintained shocked the crypto world--after all, this was the tool Edward Snowden himself lectured on at a Cryptoparty in Hawai'i. Cory Doctorow tries to make sense of it all.

NBC airs Edward Snowden's first US TV interview

NBC released a preview clip from a widely-promoted Brian Williams interview with whistleblower Edward Snowden, which airs tonight, Wednesday May 28, at 10pm EDT. The hour-long interview is the former NSA contractor’s first US television interview since leaking NSA documents to reporters.

Greenwald's "No Place to Hide": a compelling, vital narrative about official criminality

Cory Doctorow reviews Glenn Greenwald's long-awaited No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. More than a summary of the Snowden leaks, it's a compelling narrative that puts the most explosive revelations about official criminality into vital context.

Privacy vs network effects


Respected cryptographer and security researcher Ross Anderson has a fascinating new paper, Privacy versus government surveillance: where network effects meet public choice [PDF], which explores the "privacy economics" of mass surveillance, pointing out the largely overlooked impact of "network effects" on the reality of who spies, who is spied upon, and under what circumstances.

My first big point is that all the three factors which lead to monopoly – network effects, low marginal costs and technical lock-in – are present and growing in the national-intelligence nexus itself. The Snowden papers show that neutrals like Sweden and India are heavily involved in information sharing with the NSA, even though they have tried for years to pretend otherwise. A non-aligned country such as India used to be happy to buy warplanes from Russia; nowadays it still does, but it shares intelligence with the NSA rather than the FSB. If you have a choice of joining a big spy network like America's or a small one like Russia's then it's like choosing whether to write software for the PC or the Mac back in the 1990s. It may be partly an ideological choice, but the economics can often be stronger than the ideology.

Second, modern warfare, like the software industry, has seen the bulk of its costs turn from variable costs into fixed costs. In medieval times, warfare was almost entirely a matter of manpower, and society was organised appropriately; as well as rent or produce, tenants owed their feudal lord forty days' service in peacetime, and sixty days during a war. Barons held their land from the king in return for an oath of fealty, and a duty to provide a certain size of force on demand; priests and scholars paid a tax in lieu of service, so that a mercenary could be hired in their place. But advancing technology brought steady industrialisation. When the UK and the USA attacked Germany in 1944, we did not send millions of men to Europe, as in the first world war, but a combat force of a couple of hundred thousand troops – though with thousands of tanks and backed by larger numbers of men in support roles in tens of thousands of aircraft and ships. Nowadays the transition from labour to capital has gone still further: to kill a foreign leader, we could get a drone to fire a missile that costs $30,000. But that's backed by colossal investment – the firms whose data are tapped by PRISM have a combined market capitalisation of over $1 trillion.

Third is the technical lock-in, which operates at a number of levels. First, there are lock-in effects in the underlying industries, where (for example) Cisco dominates the router market: those countries that have tried to build US-free information infrastructures (China) or even just government information infrastructures (Russia, Germany) find it’s expensive. China went to the trouble of sponsoring an indigenous vendor, Huawei, but it’s unclear how much separation that buys them because of the common code shared by router vendors: a vulnerability discovered in one firm’s products may affect another. Thus the UK government lets BT buy Huawei routers for all but its network’s most sensitive parts (the backbone and the lawful-intercept functions). Second, technical lock-in affects the equipment used by the intelligence agencies themselves, and is in fact promoted by the agencies via ETSI standards for functions such as lawful intercept.

Just as these three factors led to the IBM network dominating the mainframe age, the Intel/Microsoft network dominating the PC age, and Facebook dominating the social networking scene, so they push strongly towards global surveillance becoming a single connected ecosystem.

Privacy versus government surveillance: where network effects meet public choice (via Schneier)

(Image: Friendwheel, Steve Jurvetson, CC-BY)

The Internet With a Human Face: Maciej Cegłowski on the things we need to fix


Maciej Cegłowski's latest talk, The Internet With A Human Face, is a perfect companion to both his Our Comrade the Electron and Peter Watts's Scorched Earth Society: A Suicide Bomber's Guide to Online Privacy: a narrative that explains how the Internet of liberation became the Internet of inhuman and total surveillance. Increasingly, I'm heartened by the people who understand that the right debate to have is "How do we make the Internet a better place for human habitation?" and not "Is the Internet good or bad for us?" I'm also heartened to see the growth of the view that aggregated personal data is a kind of immortal toxic waste and that the best way to prevent spills is to not collect it in the first place.

Greenwald to release list of Americans under illegal NSA surveillance

Glenn Greenwald has pre-announced his next Snowden-doc publication: a list of US citizens the NSA has subjected to illegal surveillance. I keep hearing that there's a huge bang at the end of the Snowden files, and there certainly seems to be a sense of controlled heightening drama in the disclosures. I assume that if Greenwald has pre-announced this publication that it's bound to have some bombshells lurking in it.

US gov may block Chinese nationals from Defcon hacker event

A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. Picture taken January 2, 2014. REUTERS/Edgar Su

The US government may use visa restrictions to ban hackers from China from participating in the 2014 Defcon hacker conference in Las Vegas. The move is part of a larger effort by the US to combat Chinese internet espionage.

Wikileaks says NSA recording all calls in Afghanistan

Glenn Greenwald, of The Intercept. [Reuters]

The National Security Agency records the entire content of every phone call in Afghanistan, claims WikiLeaks.

Must-see: Michael Geist on the state of surveillance in Canada

Here's a riveting talk by Michael Geist on the state of Canadian surveillance. Geist broke the story that Canadian telcos hand over personal information to government agencies every 27 seconds, without a warrant. Canada is one of the "Five Eyes" countries that participated in the NSA's surveillance build-out, and the Canadian government is once again considering a massive expansion of warrantless surveillance powers for police, government agencies, and even private companies working for the government.

Visualizing inspiring quotes about privacy


Kevin writes, "With the Privacy is a right project I try to visualize the global privacy debate by using quotes on the subject and turn them into large (in real life) visuals. I started out with key figures in this debate (such as Edward Snowden, Kirsty Hughes and even Cory Doctorow) but now everyone can react and share their view on the subject by submitting a quote on the site. Any inspiring quote will then be turned into art by me. Some of the visuals will be part of my graduation exposition (25th - 29th of June) for the Willem de Kooning Rotterdam University of Applied Sciences in Rotterdam, the Netherlands."

House leaders gut NSA-curbing USA FREEDOM Act


The Snowden revelations kickstarted a national dialog on surveillance and a Congressional promise to rein in mass spying through a bill called the USA FREEDOM Act. But as the Electronic Frontier Foundation reports, the cowardly leaders of the House have capitulated to Big Spook, gutting the bill so thoroughly that it might actually make things worse.

Surveillance state: the NSA doesn't stand alone


The NSA is supposed to be America's offshore spy agency, forbidden from spying on Americans. But as an important article by the Electronic Frontier Foundation's Nadia Kayyali points out, the FBI, DEA and other US agencies have closely integrated the NSA into their own efforts, using the NSA's mass surveillance to gather intelligence on Americans -- as Glenn Greenwald's No Place to Hide discloses, the NSA isn't a stand-alone agency, it is part of an overarching surveillance state.

Schneier: NSA's offense leaves Americans undefended

Writing in the Atlantic, Bruce Schneier explains the NSA's insane program of creating, discovering and hoarding vulnerabilities in computer systems in order to weaponize them. These vulnerabilities allow the NSA to attack its enemies (everyone), but let other states, hackers, and crooks attack Americans. The NSA claims it is "securing" cyberspace, but its dominant tactic requires that everyone be made less secure so that the NSA can attack them if they feel the need.

Kafka, meet Orwell: Lavabit's founder explains why he shut down his company

Writing in the Guardian, Lavabit founder Ladar Levison recounts the events that led to his decision to shutter his company in August 2013. Lavabit provided secure, private email for over 400,000 people, including Edward Snowden, and the legal process by which the FBI sought to spy on its users is a terrifying mix of Orwell -- wanting to snoop on all 400,000 -- and Kafka -- not allowing Levison legal representation and prohibiting him from discussing the issue with anyone who might help him navigate the appropriate law.

Levison discloses more than I've yet seen about the nature of the feds' demands, but more important are the disclosures about the legal shenanigans he was subjected to. In fact, his description of the legal process is a kind of bas relief of the kind of legal services that those of us fighting the excesses of the global war on terror might need: a list of attorneys who are qualified to represent future Lavabits, warrant canaries for the services we rely upon; and, of course, substantive reform to the judicial processes laid out in the Patriot Act.

The lie about Edward Snowden that just won't die

Edward Snowden

We’ve fact-checked statements in the media about Edward Snowden and the NSA before, but by far the biggest falsehood being spread by government advocates is the alleged fact that he took 1.7 million documents from the NSA.

All the parties involved—Snowden, the journalists, and even the government—either deny it or have said they have no reason to believe it is true, yet it has become the go-to number when discussing Snowden's case. It's time news organizations start issuing corrections.

Glenn Greenwald wrote about this last week, showing that news outlets have taken the statement by an NSA official on 60 Minutes that Snowden—at one point or another in his career—“accessed” or “touched” millions of documents and warped it into a claim that he’d stolen that many:

Ever since then, that Snowden “stole” 1.7 or 1.8 million documents from the NSA has been repeated over and over again by US media outlets as verified fact. The Washington Post‘s Walter Pincus, citing an anonymous official source, purported to tell readers that “among the roughly 1.7 million documents he walked away with — the vast majority of which have not been made public — are highly sensitive, specific intelligence reports”. Reuters frequently includes in its reports the unchallenged assertion that “Snowden was believed to have taken 1.7 million computerized documents.” Just this week, the global news agency told its readers that “Snowden was believed to have taken 1.7 million computerized documents.”

As Greenwald pointed out, in an interview given to the Australian Financial Review, former NSA chief Keith Alexander was asked point blank if the NSA can really say how many documents Snowden took. Here's what he said:

Well, I don’t think anybody really knows what he actually took with him, because the way he did it, we don’t have an accurate way of counting. What we do have an accurate way of counting is what he touched, what he may have downloaded, and that was more than a million documents.

Read that again. They do not know how many documents he took. But this actually isn’t anything new, we’ve known this for months. After the New York Times reported Snowden “accessed” 1.7 million files in February, they also wrote, albeit a dozen paragraphs later, that DIA head General Michael Flynn admitted in Congressional testimony they still had “a great deal of uncertainty about what Mr. Snowden possessed. ‘Everything that he touched, we assume that he took,’ said General Flynn.” In other words, they have no idea.

Despite these known facts, even this week, the Wall Street Journal has published an incredibly irresponsible piece by Edward Jay Epstein, who based an entire op-ed around the false 1.7 million statement as a way to claim that Snowden is working for a foreign government. And look what happens when you Google the phrase "Snowden 1.7 million": claims that he either "took," "has," or "stole" nearly 2 million documents are all over the entire front page.

So to sum up, Edward Snowden has said the number is made up, the journalists involved deny they have 1.7 million documents, and the government has stated multiple times they do not know how many documents he took. Literally no party in the NSA story believes the 1.7 million number is true, yet most media organizations claim it’s a fact.

We look forward to Reuters, the Wall Street Journal, and others who have been peddling this fictitious number issuing corrections.

Photo of NSA technicians sabotaging Cisco router prior to export


One of the Snowden documents published by Glenn Greenwald with the release of his new book is a photo showing an actual NSA Tailored Access Operations team sabotaging a Cisco router before it is exported, a practice reported earlier this week in a story Greenwald wrote for the Guardian.

The great irony is that this kind of sabotage is exactly the sort of thing that the USA has repeatedly accused Chinese authorities of doing to Huawei routers, something for which we have no evidence, unlike the photographic evidence we have here of the NSA doing it to a Cisco router.
