09/06/2013 archive

In a joint report by The Guardian, the New York Times, and ProPublica, courtesy of the documents leaked by Edward Snowden, it was revealed how the NSA and British GCHQ broke encryption to unlock unlock encryption used to protect emails, banking and medical records. The detailed article describes how the program, called “Bulrun,” foils the safeguards of our internet privacy:

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

A cryptographer and research professor at Johns Hopkins University, Michael Green summerizes some of the “bad things” that the NSA and GCHQ have been doing with the joint cost of $250 million per year:

   (1.) Tampering with national standards (NIST is specifically mentioned) to promote weak, or otherwise vulnerable cryptography.

   (2.) Influencing standards committees to weaken protocols.

   (3.) Working with hardware and software vendors to weaken encryption and random number generators.

   (4.) Attacking the encryption used by ‘the next generation of 4G phones‘.

   (5.) Obtaining cleartext access to ‘a major internet peer-to-peer voice and text communications system’ (Skype?)

   (6.) Identifying and cracking vulnerable keys.

   (7.) Establishing a Human Intelligence division to infiltrate the global telecommunications industry.

   (8.) And worst of all (to me): somehow decrypting SSL connections.

Columnist on civil liberties and U.S. national security issues for The Guardian, Glenn Greenwald discussed this latest revelation with Amy Goodman and Juan González of DemocracyNow!.

“It’s what lets you enter your credit card number, check your banking records, buy and sell things online, get your medical tests online, engage in private communications. It’s what protects the sanctity of the Internet.” [..]

“The entire system is now being compromised by the NSA and their British counterpart, the GCHQ,” Greenwald says. “Systematic efforts to ensure that there is no form of human commerce, human electronic communication, that is ever invulnerable to their prying eyes.”

Security technologist and a fellow at the Berkman Center for Internet and Society at Harvard Law School, Bruce Schneiner said, in an article at The Guardian, that the public has been betrayed by the US government and that the NSA has undermined the social contract with the public. He proposes that since it was engineers who built the internet, it is time that they “fix it”.

One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by a federal confidentially requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don’t cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers. [..]

Two, we can design. We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.

Prof. Schneiner also offers a guide to staying secure and gives five piece of advice:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you’re much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

These are some of the programs he has been using: GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit and Password Safe. He also advises the use of a Linux operating system.

President Barack Obama concluded his meetings at the G-20 in Moscow where he sought support for bombing Syria over the alleged use of chemical weapons by President Bashir al-Assad. Unable to persuade Russian President Vladimir Putin, Pres. Obama took his lobbying to the G-20 dinner.

Syria divides deepen during Putin’s G20 dinner

by Patrick Wintour, The Guardian

Leaders fail to reach agreement over military action as UN called on to fulfil its obligations while Russia maintains position

The majority of leaders at a summit dinner on Thursday evening in Peterhof, near Saint Petersburg, were not in favour of any punitive action unless it was agreed by the UN security council, although strong calls for the UN to live up to its responsibilities were made by the Americans, the Turkish, Canadians, French and British. [..]

During the dinner, Putin told Barack Obama and François Hollande that the chances of reviving peace talks soon after a punitive bombing strike would be minimal.

The Russian leader won the support of the Chinese, a long-term ally of Putin on Syria, but backing also came from the UN secretary general, Ban Ki-moon, Argentina, Brazil and several European leaders, including Angela Merkel. One German diplomat said “Putin did not need to toughen his tone at the dinner. There were enough sceptics.”

At his press conference after the closing of the summit, Pres. Obama would not say if he would strike it congress did not give him the authorization. Two of the more conservative Democratic senators, Joe Manchin (D-WV) and Heidi Heitkamp (D-ND), have drafted a resolution in a move to appeal to those senators  who are reluctant to either approve strikes or reject the use of force outright. The resolution, assuming that it was Assad who ordered the use of chemical weapons, would give President Bashar Assad’s regime a 45-day window to avoid a strike if it signs a chemical weapons ban.

President Obama’s major opposition lies in the House, where, if the vote on the Senate resolution were held today, it would fail.

Representative Alan Grayson (D-FL) who is adamantly opposed to attacking Syria, appeared Democracy Now! with Amy Goodman and Juan González to discuss the US roll as the world’s police force and his website, DontAttackSyria.com, which is gathering signatures for a petition calling on Congress to deny permission to attack Syria

“I am very disturbed by this general idea that every time we see something bad in the world, we should bomb it,” Grayson says. “The president has criticized that mindset, and now he has adopted it. It’s simply not our responsibility to act alone and punish this.”

Secretary of State John Kerry keeps repeating that drooping a few Tomahowk missiles on Syria is not a war. I suggest that Sec. Kerry not try to sell that to the Syrian civilians.

“Punting the Pundits” is an Open Thread. It is a selection of editorials and opinions from around the news medium and the internet blogs. The intent is to provide a forum for your reactions and opinions, not just to the opinions presented, but to what ever you find important.

Thanks to ek hornbeck, click on the link and you can access all the past “Punting the Pundits”.

Follow us on Twitter @StarsHollowGzt

William Rivers Pitt: It’s Not War, So Stop Saying That

John Boehner and Eric Cantor think attacking Syria is a great idea, and have encouraged all congressional Republicans to support President Obama in the upcoming vote to authorize such an action, though they don’t intend to actually whip votes or anything. John McCain was for attacking Syria, but against it, yet for it, but refused to vote for it unless his amendment making the resolution more fulsomely war-ish was added to the final text. Sheldon Adelson, the right-wing billionaire who spent $70 million trying to defeat Obama in the 2012 election, is firmly in the president’s corner when it comes to saving Syrian civilians by dropping bombs on them. [..]

Secretary of State John Kerry made it abundantly clear during a congressional hearing on Tuesday that he is ready to ask someone to be the first to die for a mistake, and did so with a barrage of gibberish so vast that it bent the light in the hearing room.

He insisted with table-pounding vehemence that the president is not asking America to go to war by asking America to flip missiles and bombs into Syria, because it totally won’t seem like war to us. No one bothered to ask what it will seem like to the people on the receiving end of our non-war armaments. It won’t be like war, though, so stop saying that.

New York Times Editorial Board: The Federal Reserve Nomination

In July, when news broke that President Obama might nominate Lawrence Summers to be the next chairman of the Federal Reserve, several Democratic senators wrote a letter to the president in praise of Janet Yellen, the current Fed vice chairwoman who many presumed would be the nominee. The letter didn’t mention Mr. Summers; rather, it recounted Ms. Yellen’s formidable qualifications and urged the president to nominate her. Perhaps it was too subtle.

Mr. Obama is expected to announce his nominee soon, and, by all accounts, Mr. Summers is still a contender. It is time for senators of both parties who appreciate the importance of this nomination to tell the president that Mr. Summers would be the wrong choice.

This is your morning Open Thread. Pour your favorite beverage and review the past and comment on the future.

September 6 is the 249th day of the year (250th in leap years) in the Gregorian calendar. There are 116 days remaining until the end of the year.

On this day in 1995, Cal Ripken Jr of the Baltimore Orioles plays in his 2,131st consecutive game, breaking a record that stood for 56 years.

Calvin Edwin “Cal” Ripken, Jr. (born August 24, 1960) is a former Major League Baseball shortstop and third baseman who played his entire career (1981-2001) for the Baltimore Orioles.

During his baseball career, he earned the nickname “Iron Man” for doggedly remaining in the lineup despite numerous minor injuries and for his reliability to “show up” to work every day. He is perhaps best known for breaking New York Yankees first baseman Lou Gehrig’s record for consecutive games played, a record many deemed unbreakable. Ripken surpassed the 56-year-old record when he played in his 2,131st consecutive game on September 6, 1995 between the Orioles and the California Angels in front of a sold-out crowd at Oriole Park at Camden Yards. To make the feat even more memorable, Ripken hit a home run in the previous night’s game that tied Gehrig’s record and another home run in his 2,131st game, which fans later voted as Major League Baseball’s “Most Memorable Moment” in MLB history. Ripken played in an additional 502 straight games over the next three years, and his streak ended at 2,632 games when he voluntarily removed his name from the lineup for the final Orioles home game of the 1998 season. His record 2,632 straight games spanned over seventeen seasons, from May 30, 1982 to September 20, 1998.