Archive for the ‘Cyber security’ Category

Thanks, Obama

January 26, 2017

You know, I managed to avoid using this title for a post all through Obama’s term in office. But he finally roused me to use it.

In short, what gets collected in Utah doesn’t stay in Utah anymore.

Here’s Judge Andrew Napolitano writing at Reason about a recent order by former Attorney General Lynch. (My emphasis.)

President Obama’s Parting Shot at Personal Freedom
To make things more convenient for the government, the Obama administration makes it easier for agencies to spy on citizens.

On Jan. 3, outgoing Attorney General Loretta Lynch secretly signed an order directing the National Security Agency — America’s 60,000-person-strong domestic spying apparatus — to make available raw spying data to all other federal intelligence agencies, which then can pass it on to their counterparts in foreign countries and in the 50 states upon request. She did so, she claimed, for administrative convenience. Yet in doing this, she violated basic constitutional principles that were erected centuries ago to prevent just what she did.

Here is the back story. […]

This is the New York Times article Mr. Napolitano links in his post. (I assume it was the basis for his post. My emphasis again.)

N.S.A. Gets More Latitude to Share Intercepted Communications

WASHINGTON — In its final days, the Obama administration has expanded the power of the National Security Agency to share globally intercepted personal communications with the government’s 16 other intelligence agencies before applying privacy protections.

The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches.

The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people. […]

At the risk of saying this too many times, let me repeat that you should never expect privacy (or anonymity) when using electronic messaging – e-mail, text, voice, and (probably) internet chat as well.

That’s not just a projection based on the news items above; it’s based on stories I’ve heard from people. Your past can come back to haunt you. You probably don’t want that to happen when you’re up against an over-eager prosecutor.

Protect your privacy.

You’re on your own. Act accordingly.

December 16, 2016

This post originally appeared October 5th, 2016. (My emphasis.)

surveillance, whistleblowing, and security engineering

[Update (12/14/16): Reuters has specified that the rootkit was implemented as a Linux kernel module. Wow.]

Yesterday morning, Reuters dropped a news story revealing that Yahoo installed a backdoor on their own infrastructure in 2015 in compliance with a secret order from either the FBI or the NSA. While we all know that the US government routinely asks tech companies for surveillance help, a couple aspects of the Yahoo story stand out:

1. The backdoor was installed in such a way that it was intercepting and querying all Yahoo Mail users’ emails, not just emails of investigation targets.

2. The program was implemented so carelessly that it could have allowed hackers to read all incoming Yahoo mail. Of course this also means FBI/NSA could have been reading all incoming Yahoo mail.

3. Yahoo execs deliberately bypassed review from the security team when installing the backdoor. In fact, when members of the security team found it within weeks of its installation, they immediately assumed it had been installed by malicious hackers, rather than Yahoo’s own mail team. (This says something about what the backdoor code may have looked like.)

4. Yahoo apparently made no effort to challenge this overly-broad surveillance order which needlessly put hundreds of millions of users at risk.

At the time this was happening, I was on the Yahoo Security team leading development on the End-to-End project. According to the Reuters report, the mail backdoor was installed at almost the exact same time that Alex Stamos and I announced the open-source launch of a Chrome extension for easy-to-use end-to-end encryption in Yahoo Mail at SXSW 2015. Ironically, if only we had been able to actually ship E2E, we would have given users a way to protect themselves from the exact backdoor scenario that they ended up in! […]

Most of all, keep pushing for end-to-end encryption.

H.T. Paul B

Since you can’t generally verify your e-mail provider’s security, you can’t trust their security. The only alternative is to provide your own security.

And the bigger lesson is that the U.S. government is relentless in its secret surveillance.
