Privacy experts fear Donald Trump running global surveillance network

 The NSA. Obama’s approach has been to offer a modicum of transparency, much of it forced on him by the courts, in place of reform. Photograph: Patrick Semansky/AP

Privacy activists, human rights campaigners and former US security officials have expressed fears over the prospect of Donald Trump controlling the vast global US and UK surveillance network.

Privacy and human rights campaigners in the US and UK say a Trump presidency will tip the balance between surveillance and privacy decisively towards the former. The UK surveillance agency GCHQ is so tied up with America’s NSA, often doing work on its behalf, that it could find itself facing a series of ethical dilemmas.

On the campaign trail, Trump made an ambiguous remark about wishing he had access to surveillance powers.

“I wish I had that power,” he said while talking about the hack of Democratic National Committee emails. “Man, that would be power.”

“I think many Americans are waking up to the fact we have created a presidency that is too powerful.”

John Napier Tye, a former state department official who became a reluctant whistleblower in 2014, warning of NSA dragnets, said: “Obama and Bush could have set the best possible privacy protections in place, but the trouble is, it’s all set by executive order, not statute.

“So Trump could revise the executive order as he pleases. And since it’s all done in secret, unless you have someone willing to break the law to tell you that it happened, it’s not clear the public will ever learn it did. Consider that even now, the American people still do not know how much data on US persons the NSA actually collects.”

Thomas Drake, an NSA whistleblower who predated Snowden, offered an equally bleak assessment. He said: “The electronic infrastructure is fully in place – and ex post facto legalised by Congress and executive orders – and ripe for further abuse under an autocratic, power-obsessed president. History is just not kind here. Trump leans quite autocratic. The temptations to use secret NSA surveillance powers, some still not fully revealed, will present themselves to him as sirens.”

One specific surveillance measure Trump proposed on the campaign trail was surveilling mosques and keeping a database of Muslims. “A grave concern we have is that his rhetoric is going to be perceived in some corners as a green light for unfettered surveillance activities. Our concern is not just about the NSA but also the FBI. The FBI doesn’t exactly have a great record over the last 15 years,” said Farhana Khera, the president and executive director of the US-based civil rights group Muslim Advocates.

The next flashpoint over the NSA’s powers will come late in 2017, when a major surveillance law permitting collection of Americans’ international communications is set for expiration, the legal basis for the NSA’s Prism programme which siphons information from the technology giants.

According to documents released by Snowden, now years out of date as technological advancements have developed, the NSA vacuums 5bn daily records just of cellphone locations. In April 2011, it was collecting an average of 194m text messages every day.

Goodbye privacy, hello ‘Alexa’: Amazon Echo, the home robot who hears it all

The Guardian has an article on the latest Amazon device to snoop on your privacy, which Amazon calls ‘Amazon Echo’. Here is part of the article. The full article is available at the link at the bottom of the page.

It was not that Alexa seemed human, exactly, or evoked the operating system voiced by Scarlett Johansson in the film Her, but that it – she – seemed to merit respect. Yes, partly out of anthropomorphism. And partly out of privacy concerns. Don’t mess with someone who knows your secrets.

The device, after all, was uploading personal data to Amazon’s servers. How much remains unclear. Alexa streams audio “a fraction of a second” before the “wake word” and continues until the request has been processed, according to Amazon. So fragments of intimate conversations may be captured.

A few days after my wife and I discussed babies, my Kindle showed an advertisement for Seventh Generation diapers. We had not mooched for baby products on Amazon or Google. Maybe we had left digital tracks somewhere else? Even so, it felt creepy. Quizzed, the little black obelisk in the corner shrugged off any connection. “Hmm, I’m afraid I can’t answer that.”

With dozens of daily interactions recorded in the app’s history it grows to quite an archive, giving the dates and times I asked Alexa, for instance, to play John Lennon, or add garlic to the grocery list, or check on the weather in Baja California, where I was planning a vacation. Banal footnotes to life, mostly, but potentially lucrative intelligence for a retail behemoth dubbed the “everything store”.

In the app settings you can delete specific voice interactions, or the whole lot. But doing so, the settings warn, “may degrade your Alexa experience”. It is unclear if deleting audio purges all related data from the company’s servers.

This was on a lengthy list of questions I had for the people who designed the Echo and run its servers. Amazon initially seemed open to granting the interviews, then scaled it down to one interview with a departmental vice-president in October. October came and went and Amazon’s press representative went silent, killing the interview without explanation.

Which, to paraphrase Alexa, was not very nice to do.

You may read the full article on The Guardian newspaper site here.

•••

To protect my privacy I’ve stopped using Google

Google, Bing, Yahoo and most other search engines store, track, and sell your search terms, which is why you get ads for cold medication displayed on your search results page when you searched a few months ago using search terms like ‘cold’ or ‘flu’.

Did you know you may have been turned down for insurance because of your searches? Read this article from the Wall Street Journal.

Didn’t know your search terms are tracked and sold? Read this.

I switched to using a relatively new search engine called Duck Duck Go, which doesn’t track, store or sell your search profiles. Then I found a better search engine that provides a similar service, but better. It’s called Startpage. Goofy name. Anonymous searches.

Learn more about Duck Duck Go here.

If you want to protect your privacy you should use Duck Duck Go. I do.

How to Remain Secure Against the NSA

Spies and Espionage

“How to Remain Secure Against the NSA” is from a recent newsletter by Bruce Schneier, a recognized authority on Internet security. I’ve been a fan of his for many years and have recommended him to others.

The following is a direct quote from a recent newsletter by Bruce. You may find it useful.

The primary way the NSA eavesdrops on Internet communications is in the network. That’s where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.

Leveraging its secret agreements with telecommunications companies — all the US and UK ones, and many other “partners” around the world — the NSA gets access to the communications trunks that move Internet traffic. In cases where it doesn’t have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.

That’s an enormous amount of data, and the NSA has equivalently enormous capabilities to quickly sift through it all, looking for interesting traffic. “Interesting” can be defined in many ways: by the source, the destination, the content, the individuals involved, and so on. This data is funneled into the vast NSA system for future analysis.

The NSA collects much more metadata about Internet traffic: who is talking to whom, when, how much, and by what mode of communication. Metadata is a lot easier to store and analyze than content. It can be extremely personal to the individual, and is enormously valuable intelligence.

The Systems Intelligence Directorate is in charge of data collection, and the resources it devotes to this are staggering. I read status report after status report about these programs, discussing capabilities, operational details, planned upgrades, and so on. Each individual problem — recovering electronic signals from fiber, keeping up with the terabyte streams as they go by, filtering out the interesting stuff — has its own group dedicated to solving it. Its reach is global.

The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.

The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO — Tailored Access Operations — group. TAO has a menu of exploits it can serve up against your computer — whether you’re running Windows, Mac OS, Linux, iOS, or something else — and a variety of tricks to get them onto your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. First, there’s a lot of bad cryptography out there. If it finds an Internet connection protected by MS-CHAP, for example, that’s easy to break and recover the key. It exploits poorly chosen user passwords, using the same dictionary attacks hackers use in the unclassified world.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. A few people have told me some recent stories about their experiences, and I plan to write about them soon. Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.

TAO also hacks into computers to recover long-term keys. So if you’re running a VPN that uses a complex shared secret to protect your data and the NSA decides it cares, it might try to steal that secret. This kind of thing is only done against high-value targets.

How do you communicate securely against such an adversary? Snowden said it in an online Q&A soon after he made his first document public: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

I believe this is true, despite today’s revelations and tantalizing hints of “groundbreaking cryptanalytic capabilities” made by James Clapper, the director of national intelligence, in another top-secret document. Those capabilities involve deliberately weakening the cryptography.

Snowden’s follow-on sentence is equally important: “Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

Endpoint means the software you’re using, the computer you’re using it on, and the local network you’re using it in. If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn’t matter at all. If you want to remain secure against the NSA, you need to do your best to ensure that the encryption can operate unimpeded.

With all this in mind, I have five pieces of advice:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you’re much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA — so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the Internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my Internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I’m not going to write about. There’s an undocumented encryption feature in my Password Safe program from the command line; I’ve been using that as well.

I understand that most of this is impossible for the typical Internet user. Even I don’t use all these tools for most everything I am working on. And I’m still primarily on Windows, unfortunately. Linux would be safer.

The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.

This essay originally appeared in the “Guardian.”
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

NSA links:
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
http://online.wsj.com/article/SB10001424127887324108204579022874091732470.html
http://www.theguardian.com/business/2013/aug/02/telecoms-bt-vodafone-cables-gchq
http://www.washingtonpost.com/business/technology/agreements-with-private-companies-protect-us-access-to-cables-data-for-surveillance/2013/07/06/aa5d017a-df77-11e2-b2d4-ea6d8f477a01_story.html
http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data
http://www.theguardian.com/world/2013/jun/27/nsa-data-mining-authorised-obama
http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
http://www.foreignpolicy.com/articles/2013/06/10/inside_the_nsa_s_ultra_secret_china_hacking_group
http://www.informationweek.com/security/government/want-nsa-attention-use-encrypted-communi/240157089 or http://tinyurl.com/kdxaytf

Other NSA backdoors:
http://www.schneier.com/blog/archives/2008/01/nsa_backdoors_i.html
http://www.heise.de/tp/artikel/2/2898/1.html
http://www.heise.de/tp/artikel/5/5263/1.html

Snowden’s interview:
http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower

Clapper’s comments:
http://www.wired.com/threatlevel/2013/08/black-budget/

Surveillance built in to the routers:
https://www.rfc-editor.org/rfc/rfc3924.txt

My tools:
http://www.gnupg.org/
https://silentcircle.com/
https://tails.boum.org/
http://www.cypherpunks.ca/otr/
http://www.truecrypt.org/
http://bleachbit.sourceforge.net/
https://www.schneier.com/passsafe.html

NSA ‘touches’ half the communication on the Net.

Fear not, says the NSA, we “touch” only 1.6% of daily internet traffic. If, as they say, the net carries 1,826 petabytes of information per day, then the NSA “touches” about 29 petabytes a day. They don’t say what “touch” means. Ingest? Store? Analyze?

For context, Google in 2010 said it had indexed only 0.004% of the data on the net. So, by inference from the percentages, does that mean that the NSA is equal to 400 Googles?

Seven petabytes of photos are added to Facebook each month. That’s .23 petabytes per day. So that means the NSA is 126 Facebooks.

Keep in mind that most of the data passing on the net is not email or web pages. It’s media. According to Sandvine data (pdf) for the US fixed net from 2013, real-time entertainment accounted for 62% of net traffic, P2P file-sharing for 10.5%.

HTTP – the web – accounts for only 11.8% of aggregated and download traffic in the US, Sandvine says. Communications – the part of the net the NSA really cares about – accounts for 2.9% in the US.

So, by very rough, beer-soaked-napkin numbers, the NSA’s 1.6% of net traffic would be half of the communication on the net. That’s one helluva lot of “touching”.

Keep in mind that, by one estimate, 68.8% of email is spam.

And, of course, metadata doesn’t add up to much data at all; it’s just a few bits per file – who sent what to whom – and that’s where the NSA finds much of its supposedly incriminating information. So, these numbers are meaningless when it comes to looking at how much the NSA knows about who’s talking to whom. With the NSA’s clearance to go three hops out from a suspect, it doesn’t take very long at all before this law of large numbers encompasses practically everyone.

Read the full article on The Guardian here.

How Microsoft handed the NSA access to encrypted messages

Skype worked with intelligence agencies last year to allow Prism to collect video and audio conversations. Photograph: Patrick Sinkel/AP

Microsoft has collaborated closely with US intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption, according to top-secret documents obtained by the Guardian.

The documents show that:

• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;

• The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;

• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;

• Microsoft also worked with the FBI’s Data Intercept Unit to “understand” potential issues with a feature in Outlook.com that allows users to create email aliases;

• In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;

• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a “team sport”.

Read the full article on The Guardian.

Cyber Intelligence Sharing and Protection Act looms ahead

CISPA, which emerged in 2012, has been reborn this week as an even bigger threat to online freedom. If CISPA is passed, the US government gains the power to shut off Internet traffic and to ask your ISP about your online activities in an effort to learn about possible cyber security threats and Internet attacks. Although it is advocated as anti-terrorism legislation, it is so broad that it threatens the privacy of every individual, including ordinary, law-abiding citizens. The act makes your private online activity public, giving ISPs the right to share your personal information without your knowledge, due process, or authorization.

The Electronic Frontier Foundation and Namecheap are fighting this act.

For each tweet or Facebook share about this threat, using the buttons on the link below, you will increase the amount Namecheap donates to the EFF by $0.10.

Please take a moment and follow this link to the Namecheap page containing more information and the Facebook/Twitter buttons. Thank you.