Group items tagged

But while the interviewer focused on the Skype revelation, I thought the most interesting part was the other claim, “that the National Security Agency already had pre-encryption stage access to email on Outlook.”  Say what??  They can see the plaintext on my computer before I encrypt it? That defeats any/all encryption methods. How could they do that? Bypass Encryption While most outside observers think the NSA’s job is cracking encrypted messages, as the Prism disclosures have shown, the actual mission is simply to read all communications. Cracking codes is a last resort.

The NSA has a history of figuring out how to get to messages before or after they are encrypted. Whether it was by putting keyloggers on keyboards and recording the keystrokes or detecting the images of the characters as they were being drawn on a CRT. Today every desktop and laptop computer has another way for the NSA to get inside. Intel Inside It’s inevitable that complex microprocessors have bugs in them when they ship. When the first microprocessors shipped the only thing you could hope is that the bug didn’t crash your computer. The only way the chip vendor could fix the problem was to physically revise the chip and put out a new version. But computer manufacturers and users were stuck if you had an old chip. After a particularly embarrassing math bug in 1994 that cost Intel $475 million, the company decided to fix the problem by allowing it’s microprocessors to load fixes automatically when your computer starts.

Starting in 1996 with the Intel P6 (Pentium Pro) to today’s P7 chips (Core i7) these processors contain instructions that are reprogrammable in what is called microcode. Intel can fix bugs on the chips by reprogramming a microprocessors microcode with a patch. This patch, called a microcode update, can be loaded into a processor by using special CPU instructions reserved for this purpose. These updates are not permanent, which means each time you turn the computer on, its microprocessor is reset to its built-in microcode, and the update needs to be applied again (through a computer’s BIOS.). Since 2000, Intel has put out 29 microcode updates to their processors. The microcode is distributed by 1) Intel or by 2) Microsoft integrated into a BIOS or 3) as part of a Windows update. Unfortunately, the microcode update format is undocumented and the code is encrypted. This allows Intel to make sure that 3rd parties can’t make unauthorized add-ons to their chips. But it also means that no one can look inside to understand the microcode, which makes it is impossible to know whether anyone is loading a backdoor into your computer.

"When NSA whistleblower Edward Snowden came forth last year with U.S. government spying secrets, it didn't take long to realize that some of the information revealed could bring on serious repercussions — not just for the U.S. government, but also for U.S.-based companies. The latest to feel the hit? None other than Apple, and in a region the company has been working hard to increase market share: China. China, via state media, has today declared that Apple's iPhone is a threat to national security — all because of its thorough tracking capabilities. It has the ability to keep track of user locations, and to the country, this could potentially reveal "state secrets" somehow. It's being noted that the iPhone will continue to track the user to some extent even if the overall feature is disabled. China's iPhone ousting comes hot on the heels of Russia's industry and trade deeming AMD and Intel processors to be untrustworthy. The nation will instead be building its own ARM-based "Baikal" processor.

MOSCOW, June 19. /ITAR-TASS/. Russia’s Industry and Trade Ministry plans to replace US microchips Intel and AMD, used in government’s computers, with domestically-produced micro processor Baikal in a project worth dozens of millions of dollars, business daily Kommersant reported Thursday. The Baikal micro processor will be designed by a unit of T-Platforms, a producer of supercomputers, next year, with support from state defense conglomerate Rostec and co-financing by state-run technological giant Rosnano.

The first products will be Baikal M and M/S chips, designed on the basis of 64-bit nucleus Cortex A-57 made by UK company ARM, with frequency of 2 gigahertz for personal computers and micro servers. The Baikal chips will be installed on computers of government bodies and in state-run firms, which purchase some 700,000 personal computers annually worth $500 million and 300,000 servers worth $800 million. The total volume of the market amounts to about 5 million devices worth $3.5 billion.

The European data protection activists behind the Europe v Facebook (evf) campaign group, that has long been a thorn in Facebook’s side in Europe, have filed new complaints under regional data protection law targeting Facebook, Apple, Microsoft, Skype and Yahoo for their alleged collaboration with the NSA’s Prism data collection program. The student activist organisation is targeting the European subsidiaries of these five U.S. companies, arguing that their corporate structure means they fall fully under European privacy laws despite being U.S. headquartered companies. And yet, being as they are U.S. companies, they are required to comply with U.S. surveillance laws — putting them in the “tricky” situation of having to comply with potentially conflicting legal requirements. It’s that legal conflict evf is now probing.

Evf takes the view that the law needs clarifying — and it using these new data protection complaints as the vehicle to obtain clarification from the various regional data protection agencies. Facebook and Apple; Microsoft and Skype; and Yahoo have subsidiaries in Ireland, Luxembourg and Germany respectively. ”We want a clear statement by the authorities if a European company may simply give foreign intelligence agencies access to its customer data. If this turns out to be legal, then we might have to change the laws,” noted evf speaker, Max Schrems, in a statement. The key question, as evf sees it, is whether “mass transfer” of personal data from to a foreign intelligence agency is legal under European law.  ”Many journalists have asked us in recent weeks if PRISM is legal from a EU perspective. We have looked at that a little closer. The result was – after consulting with legal experts – that it is very likely illegal under EU data protection laws, because of the corporate structure of the companies,” added Schrems. Google and YouTube have not been included in this first round of evf complaints being as they have a different corporate structure that does not include European subsidiaries. However it notes they do have datacenters in European countries, which will give evf a route to filing Prism-related data protection complaints against both at a later date.

Writing in a press notice announcing its new action, evf added: If a European subsidiary sends user data to the American parent company, this is considered an “export” of personal data. Under EU law, an export of data is only allowed if the European subsidiary can ensure an “adequate level or protection” in the foreign country. After the recent disclosures on the “PRISM” program such trust in an “adequate level of protection” by the involved companies can hardly be upheld. There can in no way be an adequate level of protection if they cooperate with the NSA on the other end of the line. Right now an export of data to the US must be seen as illegal if the involved companies cannot disprove the reports on the PRISM program. According to evf, the subsidiaries being targeted by these complaints have “the burden of proof” — to either “credibly assure” that the Prism program is a hoax, or “explain how mass access by a foreign intelligence agency interplays with EU data protection laws”. Evf cites a 2006 case precedent involving payment processor SWIFT which had forwarded transaction details to U.S. authorities. In that case it says a group of EU data protection authorities decided that such a mass data transfer is illegal under EU law, leading to SWIFT to move European data to a server in Switzerland. The case also led to an agreement between the U.S. and the EU on the use of payment data to combat crime.

Nearly half (50 out of 101) of all federal agencies have still not updated their Freedom of Information Act regulations to comply with Congress's 2007 FOIA amendments, and even more agencies (55 of 101) have FOIA regulations that predate and ignore President Obama's and Attorney General Holder's 2009 guidance for a "presumption of disclosure," according to the new National Security Archive FOIA Audit released today to mark Sunshine Week. Congress amended the Freedom of Information Act in 2007 to prohibit agencies from charging processing fees if they missed their response deadlines, to include new online journalists in the fee waiver category for the media, to order agencies to cooperate with the new FOIA ombudsman (the Office of Government Information Services, OGIS), and to require reports of specific data on their FOIA output, among other provisions co-authored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX). But half the government has yet to incorporate these changes in their regulations, according to the latest National Security Archive FOIA Audit. After President Obama's "Day One" commitments to open government, Attorney General Eric Holder issued new FOIA guidance on March 19, 2009, declaring that agencies should adopt a "presumption of disclosure," encourage discretionary releases if there was no foreseeable harm (even if technically covered by an exemption), proactively post the records of greatest public interest online, and remove "unnecessary bureaucratic hurdles" from the FOIA process. But five years later, the Archive found a majority of agencies have old regulations that simply ignore this guidance.

The Archive's FOIA Audit also highlights some good news this Sunshine Week: New plans from both the House of Representatives and White House have the potential to compel delinquent agencies to update their regulations. "Both Congress and the White House now recognize the problem of outdated FOIA regulations, and that is something to celebrate," said Archive director Tom Blanton. "But new regs should not follow the Justice Department's terrible lead, they must follow the best practices already identified by the FOIA ombuds office and FOIA experts." "If and when this important FOIA reform occurs, open government watchdogs must be vigilant to ensure that the agencies' updated regulations are progressive, rather than regressive, and embrace best practices to ensure that more documents are released to requesters, more quickly" said Nate Jones, the Archive's FOIA coordinator.

In 2011, the back-to-back Rosemary Award-winning Department of Justice proposed FOIA regulations that would have — among many other FOIA setbacks — allowed the Department to lie to FOIA requesters, eliminated online-only publications from receiving media fee status, and made it easier to destroy records. After intense pushback by openness advocates, the DOJ temporarily pulled these regulations, and Pustay claimed, "some people misinterpreted what we were trying to do, misconstrued some of the provisions, and didn't necessarily understand some of the fee guidelines." Pustay also claimed — to an incredulous Senate Judiciary Committee — that updating FOIA regulations to conform with the 2007 OPEN Government Act was merely optional and "not required." National Security Archive director Tom Blanton warned in his own 2013 Senate testimony that these terrible "vampire" regulations were not gone for good. This year, Pustay testified that the Department of Justice has indeed resubmitted its FOIA regulations for OMB approval; their content is unknown to the public.

In the interconnected, instantaneous and byte-sized world of internet journalism, both cyber-space and real-time often bend and warp into a self-referential wormhole.

And one of those fascinating wormholes just opened on Twitter as super neo-journalist Glenn Greenwald and 9/11 whistleblower Sibel Edmonds exchanged a series of increasingly vitriolic and accusatory tweets over Edmonds’ latest blog on Boiling Frogs Post:  BFP Breaking News–Omidyar’s PayPal Corporation Said To Be Implicated in Withheld NSA Document. In it, Edmonds claims that Greenwald’s soon-to-be financial partner and backer—PayPal billionaire Pierre Omidyar—was, in effect, a knowing partner with NSA spying and financial data-mining efforts: The 50,000-pages of documents obtained by NSA whistleblower Edward Snowden contain extensive documentation of PayPal Corporation’s partnership and cooperation with the National Security Agency (NSA), according to three NSA veterans.

Once again, Greenwald’s point is well taken. Neither Edmonds nor her interviewees can state as fact that there is anything in the Snowden docs that shows PayPal-NSA cooperation. However, their point is that—given the statement that only 1% of the documents have been released—the apparent trickle of the information from the trove highlights the need for transparency. Particularly if, in fact, there is anything in there that implicates PayPal. In fact, Greenwald doesn’t really challenge the claim of PayPal-NSA cooperation, just the claim that he is covering it up by withholding Snowden docs that implicate PayPal

Developers of the FreeBSD operating system will no longer allow users to trust processors manufactured by Intel and Via Technologies as the sole source of random numbers needed to generate cryptographic keys that can't easily be cracked by government spies and other adversaries. The change, which will be effective in the upcoming FreeBSD version 10.0, comes three months after secret documents leaked by former National Security Agency (NSA) subcontractor Edward Snowden said the US spy agency was able to decode vast swaths of the Internet's encrypted traffic. Among other ways, The New York Times, Pro Publica, and The Guardian reported in September, the NSA and its British counterpart defeat encryption technologies by working with chipmakers to insert backdoors, or cryptographic weaknesses, in their products. The revelations are having a direct effect on the way FreeBSD will use hardware-based random number generators to seed the data used to ensure cryptographic systems can't be easily broken by adversaries. Specifically, "RDRAND" and "Padlock"—RNGs provided by Intel and Via respectively—will no longer be the sources FreeBSD uses to directly feed random numbers into the /dev/random engine used to generate random data in Unix-based operating systems. Instead, it will be possible to use the pseudo random output of RDRAND and Padlock to seed /dev/random only after it has passed through a separate RNG algorithm known as "Yarrow." Yarrow, in turn, will add further entropy to the data to ensure intentional backdoors, or unpatched weaknesses, in the hardware generators can't be used by adversaries to predict their output.

"For 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random," FreeBSD developers said. "It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more." In separate meeting minutes, developers specifically invoked Snowden's name when discussing the change. "Edward Snowdon [sic] -- v. high probability of backdoors in some (HW) RNGs," the notes read, referring to hardware RNGs. Then, alluding to the Dual EC_DRBG RNG forged by the National Institute of Standards and Technology and said to contain an NSA-engineered backdoor, the notes read: "Including elliptic curve generator included in NIST. rdrand in ivbridge not implemented by Intel... Cannot trust HW RNGs to provide good entropy directly. (rdrand implemented in microcode. Intel will add opcode to go directly to HW.) This means partial revert of some work on rdrand and padlock."

Security researcher Jacob Appelbaum dropped a bombshell of sorts earlier this week when he accused American tech companies of placing government-friendly backdoors in their devices. Now Texas-based Dell Computers is offering an apology. Or to put it more accurately, Dell told an irate customer on Monday that they “regret the inconvenience” caused by selling to the public for years a number of products that the intelligence community has been able to fully compromise in complete silence up until this week. Dell, Apple, Western Digital and an array of other Silicon Valley-firms were all name-checked during Appelbaum’s hour-long presentation Monday at the thirtieth annual Chaos Communication Congress in Hamburg, Germany. As RT reported then, the 30-year-old hacker-cum-activist unveiled before the audience at the annual expo a collection of never-before published National Security Agency documents detailing how the NSA goes to great lengths to compromise the computers and systems of groups on its long list of adversaries.

Spreading viruses and malware to infect targets and eavesdrop on their communications is just one of the ways the United States’ spy firm conducts surveillance, Appelbaum said. Along with those exploits, he added, the NSA has been manually inserting microscopic computer chips into commercially available products and using custom-made devices like hacked USB cables to silently collect intelligence. One of the most alarming methods of attack discussed during his address, however, comes as a result of all but certain collusion on the part of major United States tech companies. The NSA has information about vulnerabilities in products sold by the biggest names in the US computer industry, Appelbaum said, and at the drop off a hat the agency has the ability of launching any which type of attack to exploit the flaws in publically available products.

The NSA has knowledge pertaining to vulnerabilities in computer servers made by Dell and even Apple’s highly popular iPhone, among other devices, Appelbaum told his audience. “Hey Dell, why is that?” Appelbaum asked. “Love to hear your statement about that.”