Vox Libertas, a blogger at the Daily Kos, has written an analysis of the new US FISA law in his article, "I think I understand the FISA bill. Do I?"
Vox Libertas has taken an approach that I can appreciate. On the one hand, many people are unhappy with the telecom immunity. I'm one of them. But people I respect are also saying that it's a good compromise, and compromise means you don't get everything you want.
Vox Libertas goes to the trouble of (shock, horror) reading the primary sources and explaining what's in the new FISA bill. He also shows his own sources.
No matter what you think, this is worth reading.
I was pretty stunned at some of the numbers:
FBI endpoints on DCSNet have swelled over the years, from 20 "central monitoring plants" at the program's inception, to 57 in 2005, according to undated pages in the released documents. By 2002, those endpoints connected to more than 350 switches.
This isn't about a few wiretaps. This is a large scale surveillance process management infrastructure.
Today, most carriers maintain their own central hub, called a "mediation switch," that's networked to all the individual switches owned by that carrier, according to the FBI. The FBI's DCS software links to those mediation switches over the internet, likely using an encrypted VPN. Some carriers run the mediation switch themselves, while others pay companies like VeriSign to handle the whole wiretapping process for them.
Go read it, and then call your Congressman for comment.

In 27 B Stroke 6 Threat Level, Kevin Poulsen writes, "News from Bizzaro World: Ashcroft Opposed Taps."
Kevin, your reality tunnel is showing. There are many things that Ashcroft was (I apologize for using the past tense), starting with prig and prude. I'm not particularly a fan of his, but the Venn diagram of what he valued and what I value looks more like the Mastercard logo than the Hooters logo, and I don't think that this is an ipso facto surrealism.
Back in 1998 as a Senator, Ashcroft was a supporter of Goodlatte's SAFE (Security And Freedom through Encryption) Act, not to be confused with the 2003 "Security and Freedom Ensured" act, which was an attempted limitation of the PATRIOT Act. When that SAFE Act was destroyed in the House, he with Patrick Leahy and Conrad Burns introduced the E-PRIVACY (Encryption Promotes the Rights of Individuals in the Virtual Arena Using Computers) bill. Despite the fact that there was no "Y" in their acronym (perhaps it was a silent "Y'all"), it's a pity it never was passed. The EFF gave a good news/bad news assessment with the good news being:
EFF is pleased to say that the E-PRIVACY Act is the most thoughtful piece of encryption legislation to date. Introduced by Senators John Ashcroft (R-Mo.), Patrick J. Leahy (D-Vt.), and Conrad Burns (R-MT), the new bill sharply varies from proposals favored by the Clinton Administration and law enforcement/national security agencies by easing export controls on mass market encryption products, limiting government access to decryption keys, and prohibiting the government from requiring key recovery mechanisms.
The bad news was that it created a new crime of using encryption as part of a criminal act. I'm not in favor of that, but we got that part, and we never got the good news.
After E-PRIVACY never went anywhere, there was the 1999 PROTECT Act, and you can find Ashcroft saying it doesn't go far enough fast enough.
Despite many quirks, such as being bothered by bare breasts, he favored bearing arms and clothing communications. His successor as AG, Alberto "Schultzie" Gonzales, often seems to me to be the incarnation of the cynical adage, "be careful what you ask for." Take a look through the EFF archives from '98, and feel a bit wistful. Read Dahlia Lithwick in Slate, and feel moreso. Ashcroft was a complex person with whom many of us had disagreements, not an inhabitant of Bizarro World.
What, indeed, was the nature of the "program" before Goldsmith, Comey and Ashcroft -- those notorious civil libertarian extremists -- called a halt to it, and threatened to resign if the President continued to break the law? And what was the nature and breadth of its legal justification? I am hardly alone in realizing that these are the most important questions arising from the recent Comey testimony. It's the question of the night, all over the Web. (When will the mainstream press catch on? And more importantly, as I asked in my last post -- When will the Congress insist on comprehensive and public hearings, both on this and on the legal support for the Administration's torture practices?)
Marty Lederman continues to have the best analysis of the NSA's wiretap program. Go read "What Was 'The Program' Before Goldsmith and Comey?" In "Putting the Pieces Together" he also explains how the criminal wiretaps led to the appointment of Gonzales to clean the DOJ of libertarians like Ashcroft.
On Dave Farber's list, Brock Meeks pointed us to a delightful Facebook Smackdown. Brock says,
What do Facebook, the CIA and your magazine subscription list have in common? Maybe more than you think... http://www.albumoftheday.com/facebook/
Trust me, it's worth the look.
And indeed it is worth looking at, along with Patrick Schitt's contribution of the background documentation.
I found the "smackdown" a refreshing antidote to much recent discussion about young adults and their attitudes about privacy. Perhaps some of it is hyperbolic; anyone associated with the Internet back in the days when it was the Arpanet has similar ties. But let's look at the larger issue.
Over the last year or so, there's been a theme going around the media about how kids today are much more comfortable with personal information out on the net. There have been dramatic news stories about it, and I have had the privilege of seeing a few panels at universities about that subject, amused by the walking oxymorons -- well-known privacy activists -- who participate.
The continued democratization of personal information is not an unalloyed desirable thing, but it is also a fact of life. At lunch yesterday, I snorted something about how if you can't find the home address of anyone sitting at the table in less than five minutes, then your search-fu needs brushing up.
Many of those stories and discussions have had as an implicit or explicit theme that old people (those who got their first email address during, not after, the dot-com boom) can learn something from these young adults. However, young adults are well-known for risk-taking behavior. They get drunk, drive fast, take drugs, sleep around, put their hearing at risk, and do many other things that older people do not do (or don't do anymore). The mainstream media has credulously swallowed the notion that not caring about privacy is youthful wisdom rather than youthful indiscretion.
Many young adults wake up one morning with a pounding headache, fuzz on their tongue, a wretched feeling in the gut that they'll learn one day is acid reflux, the distressing feeling that they are not comfortable with the place nor manner in which they woke up, and the feeling that they may have done some things that it's perhaps better that they don't know they did. Over time, this leads to behavior modification.
When one is suffering from a hangover, one often says intemperate or hyperbolic things about that which got one in that state. Even if the Facebook Smackdown contains hyperbole, I view it as a Netizen Hangover.
Facebook has a privacy and information use policy that is skewed slightly to Facebook over its users. In a normal state of mind, one might respond to this with, "yeah, whatever," particularly if one is of an age that "yeah, whatever" is part of one's active vocabulary. If one has the unpleasant feeling that one has made a fool of oneself in public, the response might be, "ZOMGWTFPWNED!" Facebook also has investment connections that could get either of the two previous responses.
This hangover plots some points and draws lines between them. During a hangover, one might forget that just because one can draw a line between two points, one isn't obligated to draw a line between them. Furthermore, when one does those little connect-the-dots puzzles, order is important; that's why they put numbers by the points.
As one holds one's coffee with both trembling hands while tending that hangover -- Facebook can do pretty much anything they want with all the information in it, and there are few degrees of separation between Facebook and the parts of the government that want to find bad guys through data mining, the thought that Facebook might get you on the no-fly-list doesn't sound unreasonable. It's easy to wonder between sips if one's internship will be in Gitmo. Are they mining Facebook to look for bad guys? Probably not. Could they? Sure.
Nonetheless, there are many lessons one learns as one gets older. Every generation learns something new that they have to carefully explain to their kids ("I'm not ashamed of what I did, but really, I recommend thinking twice or three times before doing what I did.") A cavalier attitude to privacy may end up on that list sooner than we think.
The 2007 Underhanded C Contest has a marvelous theme -- weak crypto.
The object of this year’s contest: write a short, simple C program that encrypts/decrypts a file, given a password on the command line. Don’t implement your own cipher, but use a bog-standard strong cipher from a widely available library.
[...]
Your challenge: write the code so that some small fraction of the time (between 1% and 0.01% of files, on average) the encrypted file is weak and can be cracked by an adversary without the password. The poorly encrypted file must still decrypt properly by your own software.
Other great comments:
Short programs are innocent, and more impressive. If your source file is over 200 lines, you are not likely to win. You can hide a semi truck in 300 lines of C.
[...]
Of course, there are other factors: we award points for humor value and irony. I have always been impressed with the winner of the 2004 Obfuscated V contest, who concealed an error in a vote-counting program by adding a voter-verifiable paper trail function that overflowed a buffer. That’s evil with style.
What a great idea.
The message, which was intercepted and decoded, was part of the reason authorities in Britain decided that an attack was imminent, possibly just a few days to a week away, according to an unclassified security memo sent to law enforcement agencies Friday by the U.S. Department of Homeland Security.
That seems to give away a lot more operational capability information than anything the NY Times has reported on the SWIFT monitoring.
On the costs side of things, Russian musicians are taking trains from London to Moscow to avoid checking their irreplaceable instruments as baggage, as the BBC reports in "Cabin baggage ban hits musicians."
To analyse the effects of hierarchy versus distributed organizations, John Robb writes on "Al Qaeda's Achilles Heal [sic]: Residual Hierarchy." Reminds me a lot of a post here from March, "The Emergent Field of War and Economics."
Sources included Bruce Schneier, Boingboing, Sivacracy and probably others.
"Well, hell, folks, no wonder you're leading the country in identity (or credentials) theft."
The lawsuit we mentioned the other day is now up to $200 billion, as Bellsouth and AT&T are added as defendants.
Photo via realitynewsonline.com
Verizon is facing a $5 billion lawsuit over its alleged law-breaking. The NYT reports today that this suit may actually involve as much as $50 billion in damage. Previously, a $20 billion suit had been filed regarding the aspects of the NSA program that had become publicly-known in December.
Interestingly enough, when you don't take into account the downside of engaging in a criminal conspiracy enterprise of questionable legality, it may have ramifications for your shareholders and executives. I wrote about this elsewhere, but it looks like this angle may have increased relevance here at EC.
A former intelligence officer for the National Security Agency said Thursday he plans to tell Senate staffers next week that unlawful activity occurred at the agency under the supervision of Gen. Michael Hayden beyond what has been publicly reported, while hinting that it might have involved the illegal use of space-based satellites and systems to spy on U.S. citizens. …
ThinkProgress.org, quoting from National Journal
[Tice] said he plans to tell the committee staffers the NSA conducted illegal and unconstitutional surveillance of U.S. citizens while he was there with the knowledge of Hayden. … “I think the people I talk to next week are going to be shocked when I tell them what I have to tell them. It’s pretty hard to believe,” Tice said. “I hope that they’ll clean up the abuses and have some oversight into these programs, which doesn’t exist right now.”
Italics (but not bold) supplied by me.
Note to AM: Apropos of your comment many posts back, this story exists due to those in the trenches.
Massachusetts Congressman Ed Markey asks Dennis Hastert whether legislation protecting mobile phone users' privacy has been sent to a "legislative 'Guantanamo Bay'" in order to modify it so that intelligence gathering activities analogous to those affecting land lines would be unimpeded.
GEN. HAYDEN: You know, we've had this question asked several times. Public discussion of how we determine al Qaeda intentions, I just -- I can't see how that can do anything but harm the security of the nation. And I know people say, "Oh, they know they're being monitored." Well, you know, they don't always act like they know they're being monitored. But if you want to shove it in their face constantly, it's bound to have an impact. [C]onstant revelations and speculation and connecting the dots in ways that I find unimaginable, and laying that out there for our enemy to see cannot help but diminish our ability to detect and prevent attacks.
It jumped out at me because I discussed precisely his issue about a month ago:
The first is enhancing terrorist awareness of their threat environment. This is important. As time passes, people become complacent. As they become complacent, their investment in security processes drops off.
In "Do Wiretap Revelations Help The Terrorists," I analyze this line of thought, and believe that there's much that Hayden couldn't or didn't talk about. Perhaps that's a result of the wiretapping agency not being the agency that does other parts of counter-intelligence. Regardless, if you're following the story closely, you ought to read his remarks.
Before I worked on the intelligence committees, I was a lawyer at the CIA. We understood that congressional oversight was key to maintaining the trust of the American public, which is vital for a secret agency operating in a democracy. True oversight helps clarify the authority under which intelligence professionals operate. And when risky operations are revealed, it is important to have members of Congress reassure the public that they have been overseeing the operation. The briefings reportedly provided on the National Security Agency (NSA) surveillance program reflect, instead, a "check the box" mentality -- allowing administration officials to claim that they had informed Congress without having really achieved the objectives of oversight. (From "Power Play" in the Washington Post.)
Victor Comras and Daveed Gartenstein-Ross discuss the wiretaps in "The President’s NSA Wiretaps: Unnecessary Problems in the War on Terrorism" and "Defense Challenges to NSA Wiretaps: Legal Issues" (respectively) at the Counterterror blog. This is interesting as CT is a collection of experts in the field, many of very long public service. By and large, they have seemed to be for more power, fewer restraints, and a "whatever it takes" to win. They have also tended to believe that a wide variety of legal frameworks should be expanded to reflect this approach.
They will be raised, countered, considered and appealed in the context of numerous past, on-going and future terrorism-related cases. The same issues will be aired publicly, in the media and in Congressional hearings. And these issues, and the arguments in these cases, won’t go away anytime soon. In fact, they are likely to cause considerable complications and delays in prosecuting and winning these cases. So, the question must be asked: Was the President’s decision to authorize such NSA wiretaps on his own, arguably on the basis of his own constitutional authority, and without regard to FISA, a mistake? The answer to this question follows, in large part from the answer to another question. Was such unilateral action really necessary?
REASON: You're referring to what James Risen calls "The Program," the NSA wiretaps that have been reported on?
Tice: No, I'm referring to what I need to tell Congress that no one knows yet, which is only tertiarily connected to what you know about now.
Finally, Hilzoy at Obsidian Wings notes the President's statement that
"If somebody from al Qaeda is calling you, we'd like to know why."
along with the reaction from
The question is a fair and natural one to ask, and I'd like to examine it in depth. I think my intuitive answer ("revelations about wiretaps don't help the terrorists") is wrong, and that there are surprising effects of revealing investigative measures. Further, those are effects I haven't seen discussed. Allow me to explain the logic.
First, terrorist organizations need to communicate on a wide variety of levels, from 'moral support' to target selection and dates. Second, we can wiretap all their communications, under a variety of legal standards.
So, should we talk about wiretapping of terrorists? The President has asserted that it 'helps the terrorists' in some way. Let's ask how that might be. Does talking about wiretapping help the terrorists? Revelations of wiretapping cause both awareness and fear. Either or both could lead to temporarily improved communications security process. What could those be? New crypto? New attention to detail? Better shredding? There are others, which I'll talk about in a minute. For now, let's work with the assumption that revelations lead to better adherence to security processes, and the second assumption that better security processes are bad for the listeners. Let's take those two benefits one at a time.
The first is enhancing terrorist awareness of their threat environment. This is important. As time passes, people become complacent. As they become complacent, their investment in security processes drops off. (There are lots of interesting analogies to this in the business world.) Complacency thus helps the attacker, and hurts the terrorist. So revealing our wiretapping, reducing complacency, hurts the eavesdroppers. Unfortunately for the eavesdroppers, the terrorist exists in a highly adrenaline-filled environment, with regular revelations that his colleagues have been arrested, tortured, or assassinated. Each and every one of these events causes the terrorist to assess his security posture. So, our first assumption (revelations lead to better adherence to security processes), while true, is but one of many causes for that adherence.
Improved communications security is not the only effect of the revelations. What happens if a terrorist is already under surveillance? They may go to ground, or they may reveal alternate communication methods (phone numbers, email addresses, web sites) not yet known. Their security processes presumably include backup methods, and driving those methods into the view of the security services is an important goal.
At this point, we have something of a balance between two hard-to-quantify ideas: better operational security versus the value of exposing alternate channels. There is, however, one final effect of driving terrorists to ground, and it tips the balance.
The final piece is that al Qaeda terrorists gone to ground do not engage in attacks. That gives the investigative services more time to find and arrest them. To me, that tips the balance. Whatever benefits accrue to the terrorists through less complacency are balanced by exposing additional channels. Delaying murder, and giving us another chance to prevent it, tips the balance, even before the benefits of the rule of law are brought in. So! Bring on the revelations! [Update: Yes, that's the original poster, with the word "might," as it appears at archives.gov.]
If you watch "The Simpsons", you've probably seen "Puberty Boy", the pimply-faced kid who appears in many episodes in a variety of menial jobs.
Well, it looks like he may be working for the NSA:
Q If FISA didn't work, why didn't you seek a new statute that allowed something like this legally?
ATTORNEY GENERAL GONZALES: That question was asked earlier. We've had discussions with members of Congress, certain members of Congress, about whether or not we could get an amendment to FISA, and we were advised that that was not likely to be -- that was not something we could likely get, certainly not without jeopardizing the existence of the program, and therefore, killing the program. And that -- and so a decision was made that because we felt that the authorities were there, that we should continue moving forward with this program.
Q And who determined that these targets were al Qaeda? Did you wiretap them?
GENERAL HAYDEN: The judgment is made by the operational work force at the National Security Agency using the information available to them at the time, and the standard that they apply -- and it's a two-person standard that must be signed off by a shift supervisor, and carefully recorded as to what created the operational imperative to cover any target, but particularly with regard to those inside the United States.
Q So a shift supervisor is now making decisions that a FISA judge would normally make? I just want to make sure I understand. Is that what you're saying?
Did you catch that? We didn't try to get the law changed because certain people in Congress told us we'd fail. Oh, and this is no biggie because a shift supervisor plays the role of a federal magistrate. Comedy gold!