Communications

NSA-Reform Bill Fails In US Senate

Posted by timothy
from the couldn't-have-happened-to-a-nicer-bill dept.
New submitter Steven King writes with a link to The Daily Dot's report that the U.S. Senate has rejected the controversial USA Freedom Act, thus "all but guaranteeing that key provisions of the USA Patriot Act will expire"; had it passed, the bill would have allowed continued use of some mass data-collection practices, but with the addition of stronger oversight. From the article: The Senate failed to reach agreement on passage of the USA Freedom Act, a bill to reauthorize and reform Section 215 of the USA Patriot Act, which the government has used to conduct bulk surveillance of Americans' phone records. The House of Representatives passed the bill last week by an overwhelming bipartisan majority, but Senate Democrats, who unified behind the bill, did not get enough Republican votes to assure passage. The linked piece also mentions that the EFF shifted its position on this bill, after a panel of federal judges ruled that the NSA had overstepped its bounds in collecting a seemingly unlimited trove of metadata relating to American citizens' phone calls.
Google

NSA Planned To Hijack Google App Store To Hack Smartphones

Posted by samzenpus
from the all-the-better-to-see-you-with dept.
Advocatus Diaboli writes: A newly released top secret document reveals that the NSA planned to hijack Google and Samsung app stores to plant spying software on smartphones. The report on the surveillance project, dubbed "IRRITANT HORN," shows that the U.S. and its "Five Eyes" allies (Canada, the United Kingdom, New Zealand and Australia) were looking at ways to hack smartphones and spy on users. According to The Intercept: "The top-secret document, obtained from NSA whistleblower Edward Snowden, was published Wednesday by CBC News in collaboration with The Intercept. The document outlines a series of tactics that the NSA and its counterparts in the Five Eyes were working on during workshops held in Australia and Canada between November 2011 and February 2012."
United States

What Was the Effect of Rand Paul's 10-Hour "Filibuster"?

Posted by samzenpus
from the lets-keep-talking dept.
An anonymous reader writes: Sen. Rand Paul held up a vote on the Fast Track Authority for an eleven-hour dissertation on the flaws of the Patriot Act, its replacement the USA Freedom Act, bulk data collection including credit card purchases, the DEA's and IRS's use of NSA intelligence for "parallel construction," warrantless GPS bugs on vehicles, as well as the important distinction between a general warrant and a specific one. "There is a general veil of suspicion that is placed on every American now. Every American is somehow said to be under suspicion because we are collecting the records of every American," Paul said. The question is what the "filibuster" really accomplished. The speeches caused a delay in Senate business, but it's unclear what larger effect, if any, that will have.
Communications

Academics Build a New Tor Client Designed To Beat the NSA

Posted by timothy
from the non-spy-vs-spy dept.
An anonymous reader writes: In response to a slew of new research about network-level attacks against Tor, academics from the U.S. and Israel built a new Tor client called Astoria designed to beat adversaries like the NSA, GCHQ, or Chinese intelligence who can monitor a user's Tor traffic from entry to exit. Astoria differs most significantly from Tor's default client in how it selects the circuits that connect a user to the network and then to the outside Internet. The tool is an algorithm designed to more accurately predict attacks and then securely select relays that mitigate timing attack opportunities for top-tier adversaries.
Encryption

'Logjam' Vulnerability Threatens Encrypted Connections

Posted by Soulskill
from the another-day-another-vulnerability dept.
An anonymous reader writes: A team of security researchers has revealed a new encryption vulnerability called 'Logjam,' which is the result of a flaw in the TLS protocol used to create encrypted connections. It affects servers supporting the Diffie-Hellman key exchange, and it's caused by export restrictions mandated by the U.S. government during the Clinton administration. "Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties."

Internet Explorer is the only browser yet updated to block such an attack — patches for Chrome, Firefox, and Safari are expected soon. The researchers add, "Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break." Here is their full technical report (PDF).
Privacy

House Votes To End Spy Agencies' Bulk Collection of Phone Data

Posted by timothy
from the big-brother-has-his-eye-on-you-just-the-same dept.
An anonymous reader writes with this excerpt from a story at Reuters that gives a rare bit of good news for the Fourth Amendment: The U.S. House of Representatives approved a bill on Wednesday that would end spy agencies' bulk collection of Americans' telephone data, setting up a potential showdown with the U.S. Senate over the program, which expires on June 1. The House voted 338-88 for the USA Freedom Act, which would end the bulk collection and instead give intelligence agencies access to telephone data and other records only when a court finds there is reasonable suspicion about a link to international terrorism.
Cloud

Anonymous Tor Cloud Project Closes Down

Posted by timothy
from the use-sneakernet-cloud dept.
Mark Wilson writes: The Tor browser is used by many to stay anonymous online — and it's something that has been embraced by the likes of WikiLeaks as a way to safely gather information whilst hopefully avoiding the surveillance of the NSA. One lesser known project from the same stables is the Tor Cloud service, and Tor has announced that it is closing down. From the linked article: Based on the Amazon EC2 cloud computing platform, Tor Cloud provided a way to share computing resources and allow faster uncensored access to the internet. However, the project is plagued with 'at least one major bug ... that makes it completely dysfunctional' and after failing to find anyone to undertake the work, the decision was taken to shutter Tor Cloud. This does not mean that Tor itself is dead — far from it — and developers are being encouraged to create their own forked versions of Tor Cloud.
Government

Senators Demand CIA Director Admit He Lied About Spying On Senate Computers

Posted by timothy
from the don't-you-wish-they'd-extrapolate-to-everyone-else? dept.
blottsie writes with a link to a story at The Daily Dot which begins: CIA Director John Brennan lied when he denied ordering agency employees to search Senate computers to trace a leak. Frustrated with his unwillingness to admit the obvious, three Senate Democrats on Friday called on Brennan to admit that his agency crossed the line. The Senate Intelligence Committee was preparing a report on the CIA's Bush-era torture programs when the spy agency discovered that the committee had somehow acquired an internal CIA report on the program. To determine how the report had leaked, Brennan ordered CIA officers to pry into the computers used by committee staffers. The heart of the story is in the letter in which the Senators call for Brennan to 'fess up, also linked from the story. Drawing from that letter: When you were asked publicly about the CIA's search in March 2014, you denied that any improper access had occurred, stating that "As far as the allegations of, you know, CIA hacking into, you know, Senate computers, nothing could be further from the truth. I mean, that's -- that's just beyond the -- you know, the scope of reason in terms of what we could do." The reports of both the Inspector General and your review board demonstrate that this denial was at odds with the facts.

In June 2014, senior officials from the FBI, NSA, and the Office of the Director of National Intelligence all testified that it would be inappropriate for their agencies to secretly search Senate files without external authorization. To date, however, there has been no public acknowledgement from you or any other CIA official (outside the Office of Inspector General) that this search was improper, nor even a commitment that the CIA will not conduct such searches in the future. This is entirely unacceptable.
Cloud

Dropbox Moves Accounts Outside North America To Ireland

Posted by timothy
from the which-is-technically-outside-of-north-america dept.
monkeyzoo writes: Similar to a previous announcement by Twitter, Dropbox has changed its Terms of Service for users outside of North America (USA/Canada/Mexico) such that services will now be provided out of Ireland. Will other companies follow this trend and leave the USA (and the jurisdiction of the NSA)? Note: the announcement states that North American users are not able to opt into the Irish Terms of Service.
Encryption

James Comey: the Man Who Wants To Outlaw Encryption

Posted by samzenpus
from the man-with-a-terrible-plan dept.
Patrick O'Neill writes: "There has not been a tradeoff between liberty and security in our response to terrorism in this country and in our efforts to offer security to the people of the United States," said James Comey, now the director of the FBI. Comey was the number two man in the Department of Justice during the Bush years when NSA and law enforcement surveillance of Americans grew to unprecedented heights. Now he's pushing to stop encryption by default on Apple and Android devices.
United States

US Appeals Court Says NSA Phone Surveillance Is Not Authorized By Congress

Posted by timothy
from the slightly-less-whelming-than-I'd-like dept.
New submitter IronOxen writes: A panel of three federal judges for the Second Circuit overturned an earlier ruling. The court has ruled that the bulk collection of telephone metadata is unlawful, in a landmark decision that clears the way for a full legal challenge against the National Security Agency: "'We hold that the text of section 215 cannot bear the weight the government asks us to assign to it, and that it does not authorize the telephone metadata program,' concluded their judgement." That's not exactly saying that such bulk collection is unconscionable or per se unconstitutional, but it's a major step toward respecting privacy as a default.
Communications

How the NSA Converts Spoken Words Into Searchable Text

Posted by timothy
from the message-could-not-be-lawfully-transcribed dept.
Presto Vivace writes: Dan Froomkin reports at The Intercept: "Though perfect transcription of natural conversation apparently remains the Intelligence Community's 'holy grail,' the Snowden documents describe extensive use of keyword searching as well as computer programs designed to analyze and 'extract' the content of voice conversations, and even use sophisticated algorithms to flag conversations of interest." I am torn between admiration of the technical brilliance of building software like this and horror as to how it is being used. It can't just be my brother and me who like to salt all phone conversations with interesting keywords.
Government

NSA Reform Bill Backed By Both Parties Set To Pass House of Representatives

Posted by Soulskill
from the don't-stop-yelling dept.
HughPickens.com writes: The NY Times reports that after more than a decade of wrenching national debate over the intrusiveness of government intelligence agencies, a bipartisan wave of support has gathered to sharply limit the federal government's sweeps of phone and Internet records. A bill that would overhaul the Patriot Act and curtail the metadata surveillance exposed by Edward Snowden overwhelmingly passed the House Judiciary Committee by a vote of 25-2, and is heading to almost certain passage in the House of Representatives. An identical bill in the Senate — introduced with the support of five Republicans — is gaining support over the objection of Senate Majority Leader Mitch McConnell, who is facing the prospect of his first policy defeat since ascending this year to majority leader. "The bill ends bulk collection, it ends secret law," says Rep. Jim Sensenbrenner, the original author of the Patriot Act who has now helped author the Freedom Act. "It increases the transparency of our intelligence community and it does all this without compromising national security."

The Patriot Act is up for its first reauthorization since the revelations about bulk data collection. The impending June 1 deadline for reauthorization, coupled with an increase of support among members of both parties, pressure from technology companies and a push from the White House, have combined to make changes to the provisions more likely. The Snowden disclosures, along with data breaches at Sony Pictures, Target and the insurance giant Anthem, have unsettled voters and empowered those in Congress arguing for greater civil liberties protection — who a few years ago "could have met in a couple of phone booths," says Senator Ron Wyden. The Freedom Act very nearly passed both chambers of Congress last year, but it failed to garner the 60 votes to break a filibuster in the Senate. It fell short by two votes.

However, some say the bill doesn't go far enough. The bill leaves intact surveillance programs conducted by the Drug Enforcement Agency and levies high penalties against those offering "material support" to terrorists. It also renews the expiring parts of the Patriot Act through 2019. "This bill would make only incremental improvements, and at least one provision – the material-support provision – would represent a significant step backwards," says American Civil Liberties Union Deputy Legal Director Jameel Jaffer. "The disclosures of the last two years make clear that we need wholesale reform."
Encryption

Why Crypto Backdoors Wouldn't Work

Posted by Soulskill
from the because-math dept.
An anonymous reader writes: Your devices should come with a government backdoor. That's according to the heads of the FBI, NSA, and DHS. There are many objections, especially that backdoors add massive security risks.

Would backdoors even be effective, though? In a new writeup, a prominent Stanford security researcher argues that crypto backdoors "will not work." Walking step-by-step through a hypothetical backdoored Android, he argues that "in order to make secure apps just slightly more difficult for criminals to obtain, and just slightly less worthwhile for developers, the government would have to go to extraordinary lengths. In an arms race between cryptographic backdoors and secure apps, the United States would inevitably lose."
United States

Declassified Report From 2009 Questions Effectiveness of NSA Spying

Posted by Soulskill
from the moving-at-the-speed-of-government dept.
schwit1 writes: With debate gearing up over the coming expiration of the Patriot Act surveillance law, the Obama administration on Saturday unveiled a 6-year-old report examining the once-secret program code-named Stellarwind, which collected information on Americans' calls and emails. The report was from the inspectors general of various intelligence and law enforcement agencies.

They found that while many senior intelligence officials believe the program filled a gap by increasing access to international communications, others including FBI agents, CIA analysts and managers "had difficulty evaluating the precise contribution of the [the surveillance system] to counterterrorism efforts because it was most often viewed as one source among many available analytic and intelligence-gathering tools in these efforts."

The report said that the secrecy surrounding the program made it less useful. Very few working-level C.I.A. analysts were told about it. ... Another part of the newly disclosed report provides an explanation for a change in F.B.I. rules during the Bush administration. Previously, F.B.I. agents had only two types of cases: "preliminary" and "full" investigations. But the Bush administration created a third, lower-level type called an "assessment." This development, it turns out, was a result of Stellarwind.
China

Github DDoS Attack As Seen By Google

Posted by Soulskill
from the i-can-see-my-house-from-here dept.
New submitter opensec writes: Last month GitHub was hit by a massive DDoS attack originating from China. On this occasion the public discovered that the NSA was not the only one with a QUANTUM-like capability. China has its own "Great Cannon" that can inject malicious JavaScript inside HTTP traffic. That weapon was used in the GitHub attack. People using Baidu services were unwitting participants in the denial of service, their bandwidth used to flood the website. But such a massive subversion of the Internet could not evade Google's watchful eye. Niels Provos, engineer at Google, tells us how it happened. Showing that such attacks cannot be made covertly, Provos hopes that the public shaming will act as a deterrent.
Government

German Intelligence Helped NSA Spy On EU Politicians and Companies

Posted by Soulskill
from the der-rubberschtampen dept.
An anonymous reader writes: We've known for some time already that intelligence agencies operate beyond rules, laws, and regulations. Now, we learn that the NSA and the German intelligence service, BND, lied and withheld information about misuse from the German Chancellor's Office.

"The BND realized as early as 2008 that some of the selectors were not permitted according to its internal rules, or covered by a 2002 US-Germany anti-terrorism 'Memorandum of Agreement' on intelligence cooperation. And yet it did nothing to check the NSA's requests systematically. It was only in the summer of 2013, after Edward Snowden's revelations of massive NSA and GCHQ surveillance, that the BND finally started an inquiry into all the selectors that had been processed. According to Der Spiegel, investigators found that the BND had provided information on around 2,000 selectors that were clearly against European and German interests. Not only were European businesses such as the giant aerospace and defense company EADS, best-known as the manufacturer of the Airbus planes, targeted, so were European politicians—including German ones.

However, the BND did not inform the German Chancellor's office, which only found out about the misuse of the selector request system in March 2015. Instead, the BND simply asked the NSA to make requests that were fully covered by the anti-terrorism agreement between the two countries. According to Die Zeit, this was because the BND was worried that the NSA might curtail the flow of its own intelligence data to the German secret services if the selector scheme became embroiled in controversy."
United States

Except For Millennials, Most Americans Dislike Snowden

Posted by samzenpus
from the no-sir-I-don't-like-him dept.
HughPickens.com writes: Newsmax reports that according to KRC Research, about 64 percent of Americans familiar with Snowden hold a negative opinion of him. However, 56 percent of Americans between the ages of 18 and 34 have a positive opinion of Snowden, which contrasts sharply with older age cohorts. Among those aged 35-44, some 34 percent have positive attitudes toward him. For the 45-54 age cohort, the figure is 28 percent, and it drops to 26 percent among Americans over age 55, U.S. News reported. Americans overall say by plurality that Snowden has done "more to hurt" U.S. national security (43 percent) than help it (20 percent). A similar breakdown was seen with views on whether Snowden helped or hurt efforts to combat terrorism, though the numbers flip on whether his actions will lead to greater privacy protections. "The broad support for Edward Snowden among Millennials around the world should be a message to democratic countries that change is coming," says Anthony D. Romero, executive director of the American Civil Liberties Union. "They are a generation of digital natives who don't want government agencies tracking them online or collecting data about their phone calls." Opinions of millennials are particularly significant in light of January 2015 findings by the U.S. Census Bureau that they are projected to surpass the baby-boom generation as the United States' largest living generation this year.
United States

McConnell Introduces Bill To Extend NSA Surveillance

Posted by samzenpus
from the lets-see-what-you're-doing dept.
jriding sends word that the majority leader of the U.S. Senate has introduced a bill that would extend the surveillance provisions of the Patriot Act until 2020: Senate Majority Leader Mitch McConnell introduced a bill Tuesday night to extend through 2020 a controversial surveillance authority under the Patriot Act. The move comes as a bipartisan group of lawmakers in both chambers is preparing legislation to scale back the government's spying powers under Section 215 of the Patriot Act. It puts McConnell (R-Ky.) and Senate Intelligence Committee Chairman Richard Burr (R-N.C.), the bill’s co-sponsor, squarely on the side of advocates of the National Security Agency’s continued ability to collect millions of Americans’ phone records each day in the hunt for clues of terrorist activity.
Businesses

Twitter Moves Non-US Accounts To Ireland, and Away From the NSA

Posted by timothy
from the be-right-over-here-guys dept.
Mark Wilson writes: Twitter has updated its privacy policy, creating a two-lane service that treats U.S. and non-U.S. users differently. If you live in the U.S., your account is controlled by San Francisco-based Twitter Inc, but if you're elsewhere in the world (anywhere else) it's handled by Twitter International Company in Dublin, Ireland. The changes also affect Periscope. What's the significance of this? Twitter Inc is governed by U.S. law; it is obliged to comply with NSA-driven court requests for data. Data stored in Ireland is not subject to the same obligation. Twitter is not alone in using Dublin as a base for non-U.S. operations; Facebook is another company that has adopted the same tactic. The move could also have implications for how advertising is handled in the future.