Group items tagged

The NSA's mass surveillance is just the beginning. Documents from Edward Snowden show that the intelligence agency is arming America for future digital wars -- a struggle for control of the Internet that is already well underway.

The Birth of D Weapons According to top secret documents from the archive of NSA whistleblower Edward Snowden seen exclusively by SPIEGEL, they are planning for wars of the future in which the Internet will play a critical role, with the aim of being able to use the net to paralyze computer networks and, by doing so, potentially all the infrastructure they control, including power and water supplies, factories, airports or the flow of money.

From a military perspective, surveillance of the Internet is merely "Phase 0" in the US digital war strategy. Internal NSA documents indicate that it is the prerequisite for everything that follows. They show that the aim of the surveillance is to detect vulnerabilities in enemy systems. Once "stealthy implants" have been placed to infiltrate enemy systems, thus allowing "permanent accesses," then Phase Three has been achieved -- a phase headed by the word "dominate" in the documents. This enables them to "control/destroy critical systems & networks at will through pre-positioned accesses (laid in Phase 0)." Critical infrastructure is considered by the agency to be anything that is important in keeping a society running: energy, communications and transportation. The internal documents state that the ultimate goal is "real time controlled escalation". One NSA presentation proclaims that "the next major conflict will start in cyberspace." To that end, the US government is currently undertaking a massive effort to digitally arm itself for network warfare. For the 2013 secret intelligence budget, the NSA projected it would need around $1 billion in order to increase the strength of its computer network attack operations. The budget included an increase of some $32 million for "unconventional solutions" alone.

Four former Blackwater Worldwide security guards were convicted and immediately jailed Wednesday for their roles in a deadly 2007 shooting in Baghdad’s Nisour Square that marked a bloody nadir in America’s war in Iraq.A jury in Federal District Court found that the deaths of 17 Iraqis in the shooting, which began when a convoy of the guards suddenly began firing in a crowded intersection, was not a battlefield tragedy, but the result of a criminal act.The convictions on murder, manslaughter and weapons charges represented a legal and diplomatic victory for the United States government, which had urged Iraqis to put their faith in the American court system. That faith was tested repeatedly over seven years as the investigation had repeated setbacks, leaving Iraqis deeply suspicious that anyone would be held responsible for the deaths.

One defendant, Nicholas A. Slatten, a sniper who the government said fired the first shots, was convicted of murder. The others — Dustin L. Heard, Evan S. Liberty and Paul A. Slough — were convicted of voluntary manslaughter and using a machine gun to carry out a violent crime. A fifth contractor, Jeremy Ridgeway, previously pleaded guilty to manslaughter and cooperated with prosecutors.Jurors could not reach verdicts on several of the counts against Mr. Heard, but that will have little bearing on the sentencing. The machine-gun charges carry mandatory 30-year minimum prison sentences, more than the manslaughter charges. Mr. Slatten faces possible life in prison. No sentencing date has been set.

The trial was an epilogue to the story of Blackwater, which began as a police- and military-training facility in North Carolina and came to symbolize the country’s outsourcing of its wartime responsibilities.About 1,000 of Blackwater’s contractors guarded diplomats in Iraq. Others loaded bombs onto Predator drones. The company’s founder, Erik Prince, tapped retired Central Intelligence Agency officials for executive positions, and at one point, the C.I.A. hired Blackwater contractors to covertly track and kill Qaeda operatives worldwide, a program that was shelved before any killings were conducted. While the company’s security guards were involved in scores of shootings in Iraq, it was the 2007 incident in Nisour Square that helped cement Blackwater’s image as a company that operated with impunity because of its lucrative contracts with the American government. The company became the subject of several Justice Department investigations, all of which the company and its executives survived. But ultimately, public outrage over the shooting contributed to Blackwater’s demise. It lost its contracts and was renamed, sold and renamed again.

The last few weeks and months have been awash in media coverage of two cases before magistrate judges involving the federal government seeking to use the All Writs Act to compel Apple’s cooperation with ongoing criminal investigations. The older case, in the Eastern District of New York, involves a drug case where the phone’s owner has pleaded guilty to the charges against him. The more recent case, in the Central District of California, involves an iPhone used by Syed Farook, one of the alleged San Bernardino shooters. While the two cases involve different different phone models, operating systems, alleged crimes, and legal postures, they touch on similar questions related to the scope of the All Writs Act. In an attempt to create a one-stop shop for our coverage and the related documents and some useful sources, we’ve compiled this readers’ guide. We will update it as the cases progress to include the latest filings and posts, so check back for more as things unfold.

When the greed, recklessness, and illegal behavior on Wall Street drove this country into the deepest recession since the 1930s, the largest financial institutions in the United States took every advantage of being American. They just loved their country - and the willingness of the American people to provide them with the largest bailout in world history. In 2008, Congress approved a $700 billion gift to Wall Street. Another $16 trillion in virtually zero interest loans and other financial assistance came from the Federal Reserve. America. What a great country. But just two years later, as soon as these giant financial institutions started making record-breaking profits again, they suddenly lost their love for their native country. At a time when the nation was suffering from a huge deficit, largely created by the recession that Wall Street caused, the major financial institutions did everything they could to avoid paying American taxes by establishing shell corporations in the Cayman Islands and other tax havens.

In 2010, Bank of America set up more than 200 subsidiaries in the Cayman Islands (which has a corporate tax rate of 0.0 percent) to avoid paying U.S. taxes. It worked. Not only did Bank of America pay nothing in federal income taxes, but it received a rebate from the IRS worth $1.9 billion that year. They are not alone. In 2010, JP Morgan Chase operated 83 subsidiaries incorporated in offshore tax havens to avoid paying some $4.9 billion in U.S. taxes. That same year Goldman Sachs operated 39 subsidiaries in offshore tax havens to avoid an estimated $3.3 billion in U.S. taxes. Citigroup has paid no federal income taxes for the last four years after receiving a total of $2.5 trillion in financial assistance from the Federal Reserve during the financial crisis. On and on it goes. Wall Street banks and large companies love America when they need corporate welfare. But when it comes to paying American taxes or American wages, they want nothing to do with this country. That has got to change.

Offshore tax abuse is not just limited to Wall Street. Each and every year corporations and the wealthy are avoiding more than $100 billion in U.S. taxes by sheltering their income offshore. Pharmaceutical companies like Eli Lilly and Pfizer have fought to make it illegal for the American people to buy cheaper prescription drugs from Canada and Europe. But, during tax season, Eli Lilly and Pfizer shift drug patents and profits to the Netherlands and other offshore tax havens to avoid paying U.S. taxes.

The National Security Agency has implanted software in nearly 100,000 computers around the world that allows the United States to conduct surveillance on those machines and can also create a digital highway for launching cyberattacks.While most of the software is inserted by gaining access to computer networks, the N.S.A. has increasingly made use of a secret technology that enables it to enter and alter data in computers even if they are not connected to the Internet, according to N.S.A. documents, computer experts and American officials.The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.

The radio frequency technology has helped solve one of the biggest problems facing American intelligence agencies for years: getting into computers that adversaries, and some American partners, have tried to make impervious to spying or cyberattack. In most cases, the radio frequency hardware must be physically inserted by a spy, a manufacturer or an unwitting user.

The N.S.A. and the Pentagon’s Cyber Command have implanted nearly 100,000 “computer network exploits” around the world, but the hardest problem is getting inside machines isolated from outside communications.

One security start-up that had an encounter with the FBI was Wickr, a privacy-forward text messaging app for the iPhone with an Android version in private beta. Wickr's co-founder Nico Sell told CNET at Defcon, "Wickr has been approached by the FBI and asked for a backdoor. We said, 'No.'" The mistrust runs deep. "Even if [the NSA] stood up tomorrow and said that [they] have eliminated these programs," said Marlinspike, "How could we believe them? How can we believe that anything they say is true?" Where does security innovation go next? The immediate future of information security innovation most likely lies in software that provides an existing service but with heightened privacy protections, such as webmail that doesn't mine you for personal data.

Wickr's Sell thinks that her company has hit upon a privacy innovation that a few others are also doing, but many will soon follow: the company itself doesn't store user data. "[The FBI] would have to force us to build a new app. With the current app there's no way," she said, that they could incorporate backdoor access to Wickr users' texts or metadata. "Even if you trust the NSA 100 percent that they're going to use [your data] correctly," Sell said, "Do you trust that they're going to be able to keep it safe from hackers? What if somebody gets that database and posts it online?" To that end, she said, people will start seeing privacy innovation for services that don't currently provide it. Calling it "social networks 2.0," she said that social network competitors will arise that do a better job of protecting their customer's privacy and predicted that some that succeed will do so because of their emphasis on privacy. Abine's recent MaskMe browser add-on and mobile app for creating disposable e-mail addresses, phone numbers, and credit cards is another example of a service that doesn't have access to its own users' data.

Stamos predicted changes in services that companies with cloud storage offer, including offering customers the ability to store their data outside of the U.S. "If they want to stay competitive, they're going to have to," he said. But, he cautioned, "It's impossible to do a cloud-based ad supported service." Soghoian added, "The only way to keep a service running is to pay them money." This, he said, is going to give rise to a new wave of ad-free, privacy protective subscription services.

Security researcher Jacob Appelbaum dropped a bombshell of sorts earlier this week when he accused American tech companies of placing government-friendly backdoors in their devices. Now Texas-based Dell Computers is offering an apology. Or to put it more accurately, Dell told an irate customer on Monday that they “regret the inconvenience” caused by selling to the public for years a number of products that the intelligence community has been able to fully compromise in complete silence up until this week. Dell, Apple, Western Digital and an array of other Silicon Valley-firms were all name-checked during Appelbaum’s hour-long presentation Monday at the thirtieth annual Chaos Communication Congress in Hamburg, Germany. As RT reported then, the 30-year-old hacker-cum-activist unveiled before the audience at the annual expo a collection of never-before published National Security Agency documents detailing how the NSA goes to great lengths to compromise the computers and systems of groups on its long list of adversaries.

Spreading viruses and malware to infect targets and eavesdrop on their communications is just one of the ways the United States’ spy firm conducts surveillance, Appelbaum said. Along with those exploits, he added, the NSA has been manually inserting microscopic computer chips into commercially available products and using custom-made devices like hacked USB cables to silently collect intelligence. One of the most alarming methods of attack discussed during his address, however, comes as a result of all but certain collusion on the part of major United States tech companies. The NSA has information about vulnerabilities in products sold by the biggest names in the US computer industry, Appelbaum said, and at the drop off a hat the agency has the ability of launching any which type of attack to exploit the flaws in publically available products.

The NSA has knowledge pertaining to vulnerabilities in computer servers made by Dell and even Apple’s highly popular iPhone, among other devices, Appelbaum told his audience. “Hey Dell, why is that?” Appelbaum asked. “Love to hear your statement about that.”

Internet service providers from around the world are lodging formal complaints against the UK government's monitoring service, GCHQ, alleging that it uses "malicious software" to break into their networks.The claims from seven organisations based in six countries – the UK, Netherlands, US, South Korea, Germany and Zimbabwe – will add to international pressure on the British government following Edward Snowden's revelations about mass surveillance of the internet by UK and US intelligence agencies.The claims are being filed with the investigatory powers tribunal (IPT), the court in London that assesses complaints about the agencies' activities and misuse of surveillance by government organisations. Most of its hearings are held at least partially in secret.

The IPT is already considering a number of related submissions. Later this month it will investigate complaints by human rights groups about the way social media sites have been targeted by GCHQ.The government has defended the security services, pointing out that online searches are often routed overseas and those deemed "external communications" can be monitored without the need for an individual warrant. Critics say that such a legal interpretation sidesteps the need for traditional intercept safeguards.The latest claim is against both GCHQ, located near Cheltenham, and the Foreign Office. It is based on articles published earlier this year in the German magazine Der Spiegel. That report alleged that GCHQ had carried out an attack, codenamed Operation Socialist, on the Belgian telecoms group, Belgacom, targeting individual employees with "malware (malicious software)".One of the techniques was a "man in the middle" attack, which, according to the documents filed at the IPT, bypasses modern encryption software and "operates by interposing the attacker [GCHQ] between two computers that believe that they are securely communicating with each other. In fact, each is communicating with GCHQ, who collect the communications, as well as relaying them in the hope that the interference will be undetected."The complaint alleges that the attacks were a breach of the Computer Misuse Act 1990 and an interference with the privacy rights of the employees under the European convention of human rights.

The organisations targeted, the submission states, were all "responsible and professional internet service providers". The claimants are: GreenNet Ltd, based in the UK, Riseup Networks in Seattle, Mango Email Service in Zimbabwe, Jinbonet in South Korea, Greenhost in the Netherlands, May First/People Link in New York and the Chaos Computer Club in Hamburg.

Snowden: That’s the key—to maintain the garden of liberty, right? This is a generational thing that we must all do continuously. We only have the rights that we protect. It doesn’t matter what we say or think we have. It’s not enough to believe in something; it matters what we actually defend. So when we think in the context of the last decade’s infringements upon personal liberty and the last year’s revelations, it’s not about surveillance. It’s about liberty. When people say, “I have nothing to hide,” what they’re saying is, “My rights don’t matter.” Because you don’t need to justify your rights as a citizen—that inverts the model of responsibility. The government must justify its intrusion into your rights. If you stop defending your rights by saying, “I don’t need them in this context” or “I can’t understand this,” they are no longer rights. You have ceded the concept of your own rights. You’ve converted them into something you get as a revocable privilege from the government, something that can be abrogated at its convenience. And that has diminished the measure of liberty within a society.

From the very beginning, I said there are two tracks of reform: there’s the political and the technical. I don’t believe the political will be successful, for exactly the reasons you underlined. The issue is too abstract for average people, who have too many things going on in their lives. And we do not live in a revolutionary time. People are not prepared to contest power. We have a system of education that is really a sort of euphemism for indoctrination. It’s not designed to create critical thinkers. We have a media that goes along with the government by parroting phrases intended to provoke a certain emotional response—for example, “national security.” Everyone says “national security” to the point that we now must use the term “national security.” But it is not national security that they’re concerned with; it is state security. And that’s a key distinction. We don’t like to use the phrase “state security” in the United States because it reminds us of all the bad regimes. But it’s a key concept, because when these officials are out on TV, they’re not talking about what’s good for you. They’re not talking about what’s good for business. They’re not talking about what’s good for society. They’re talking about the protection and perpetuation of a national state system. I’m not an anarchist. I’m not saying, “Burn it to the ground.” But I’m saying we need to be aware of it, and we need to be able to distinguish when political developments are occurring that are contrary to the public interest. And that cannot happen if we do not question the premises on which they’re founded. And that’s why I don’t think political reform is likely to succeed. [Senators] Udall and Wyden, on the intelligence committee, have been sounding the alarm, but they are a minority.

The Nation: Every president—and this seems to be confirmed by history—will seek to maximize his or her power, and will see modern-day surveillance as part of that power. Who is going to restrain presidential power in this regard? Snowden: That’s why we have separate and co-equal branches. Maybe it will be Congress, maybe not. Might be the courts, might not. But the idea is that, over time, one of these will get the courage to do so. One of the saddest and most damaging legacies of the Bush administration is the increased assertion of the “state secrets” privilege, which kept organizations like the ACLU—which had cases of people who had actually been tortured and held in indefinite detention—from getting their day in court. The courts were afraid to challenge executive declarations of what would happen. Now, over the last year, we have seen—in almost every single court that has had this sort of national-security case—that they have become markedly more skeptical. People at civil-liberties organizations say it’s a sea change, and that it’s very clear judges have begun to question more critically assertions made by the executive. Even though it seems so obvious now, it is extraordinary in the context of the last decade, because courts had simply said they were not the best branch to adjudicate these claims—which is completely wrong, because they are the only nonpolitical branch. They are the branch that is specifically charged with deciding issues that cannot be impartially decided by politicians. The power of the presidency is important, but it is not determinative. Presidents should not be exempted from the same standards of reason and evidence and justification that any other citizen or civil movement should be held to.

Micah Lee: What are some operational security practices you think everyone should adopt? Just useful stuff for average people. Edward Snowden: [Opsec] is important even if you’re not worried about the NSA. Because when you think about who the victims of surveillance are, on a day-to-day basis, you’re thinking about people who are in abusive spousal relationships, you’re thinking about people who are concerned about stalkers, you’re thinking about children who are concerned about their parents overhearing things. It’s to reclaim a level of privacy. The first step that anyone could take is to encrypt their phone calls and their text messages. You can do that through the smartphone app Signal, by Open Whisper Systems. It’s free, and you can just download it immediately. And anybody you’re talking to now, their communications, if it’s intercepted, can’t be read by adversaries. [Signal is available for iOS and Android, and, unlike a lot of security tools, is very easy to use.] You should encrypt your hard disk, so that if your computer is stolen the information isn’t obtainable to an adversary — pictures, where you live, where you work, where your kids are, where you go to school. [I’ve written a guide to encrypting your disk on Windows, Mac, and Linux.] Use a password manager. One of the main things that gets people’s private information exposed, not necessarily to the most powerful adversaries, but to the most common ones, are data dumps. Your credentials may be revealed because some service you stopped using in 2007 gets hacked, and your password that you were using for that one site also works for your Gmail account. A password manager allows you to create unique passwords for every site that are unbreakable, but you don’t have the burden of memorizing them. [The password manager KeePassX is free, open source, cross-platform, and never stores anything in the cloud.]

The other thing there is two-factor authentication. The value of this is if someone does steal your password, or it’s left or exposed somewhere … [two-factor authentication] allows the provider to send you a secondary means of authentication — a text message or something like that. [If you enable two-factor authentication, an attacker needs both your password as the first factor and a physical device, like your phone, as your second factor, to login to your account. Gmail, Facebook, Twitter, Dropbox, GitHub, Battle.net, and tons of other services all support two-factor authentication.]

We should armor ourselves using systems we can rely on every day. This doesn’t need to be an extraordinary lifestyle change. It doesn’t have to be something that is disruptive. It should be invisible, it should be atmospheric, it should be something that happens painlessly, effortlessly. This is why I like apps like Signal, because they’re low friction. It doesn’t require you to re-order your life. It doesn’t require you to change your method of communications. You can use it right now to talk to your friends.