
NSA To End Bulk Phone Surveillance By Sunday

An anonymous reader writes: The White House announced today that the NSA will be shutting down the program responsible for the bulk collection of phone records by the end of tomorrow. The program will be immediately replaced with a new, scaled-back version as enumerated by the USA Freedom Act. "Under the Freedom Act, the NSA and law enforcement agencies can no longer collect telephone calling records in bulk in an effort to sniff out suspicious activity. Such records, known as 'metadata,' reveal which numbers Americans are calling and what time they place those calls, but not the content of the conversations. Instead analysts must now get a court order to ask telecommunications companies ... to enable monitoring of call records of specific people or groups for up to six months."

Whistleblowers: How NSA Created the 'Largest Failure' In Its History

An anonymous reader writes: Former NSA whistleblowers contend that the agency shut down a program that could have "absolutely prevented" some of the worst terror attacks in memory. According to the ZDNet story: "Weeks prior to the September 11 terrorist attacks, a test-bed program dubbed ThinThread was shut down in favor of a more expensive, privacy-invasive program that too would see its eventual demise some three years later -- not before wasting billions of Americans' tax dollars. Four whistleblowers, including a congressional senior staffer, came out against the intelligence community they had served, after ThinThread, designed to modernize the agency's intelligence gathering effort, was cancelled. Speaking at the premiere of a new documentary film, A Good American, in New York, which chronicles the rise and demise of the program, the whistleblowers spoke in support of the program, led by former NSA technical director William Binney."

File Says NSA Found Way To Replace Email Program

schwit1 writes: Newly disclosed documents show that the NSA had found a way to create the functional equivalent of programs that had been shut down. The shift has permitted the agency to continue analyzing social links revealed by Americans' email patterns, but without collecting the data in bulk from American telecommunications companies — and with less oversight by the Foreign Intelligence Surveillance Court.

The disclosure comes as a sister program that collects Americans' phone records in bulk is set to end this month. Under a law enacted in June, known as the USA Freedom Act, the program will be replaced with a system in which the NSA can still gain access to the data to hunt for associates of terrorism suspects, but the bulk logs will stay in the hands of phone companies.

The newly disclosed information about the email records program is contained in a report by the NSA's inspector general that was obtained through a lawsuit under the Freedom of Information Act. One passage lists four reasons the NSA decided to end the email program and purge previously collected data. Three were redacted, but the fourth was uncensored. It said that "other authorities can satisfy certain foreign intelligence requirements" that the bulk email records program "had been designed to meet."

How Cisco Is Trying To Prove It Can Keep NSA Spies Out of Its Gear

itwbennett writes: "A now infamous photo [leaked by Edward Snowden] showed NSA employees around a box labeled Cisco during a so-called 'interdiction' operation, one of the spy agency's most productive programs," writes Jeremy Kirk. "Once that genie is out of the bottle, it's a hell of a job to put it back in," said Steve Durbin, managing director of the Information Security Forum in London. Yet that's just what Cisco is trying to do, and early next year, the company plans to open a facility in the Research Triangle Park in North Carolina where customers can test and inspect source code in a secure environment. But, considering that a Cisco router might have 30 million lines of code, proving a product hasn't been tampered with by spy agencies is like trying "to prove the non-existence of god," says Joe Skorupa, a networking and communications analyst with Gartner.

Snowden Says It's Your Duty To Use an Ad Blocker (for Security)

AmiMoJo writes: In a long interview about reclaiming your privacy online, ex-NSA whistleblower Edward Snowden states that it's not just a good idea to use ad blocking software, it's your duty: "Everybody should be running adblock software, if only from a safety perspective. We've seen internet providers like Comcast, AT&T, or whoever it is, insert their own ads into your plaintext http connections. As long as service providers are serving ads with active content that require the use of JavaScript to display, that have some kind of active content like Flash embedded in it, anything that can be a vector for attack in your web browser — you should be actively trying to block these. Because if the service provider is not working to protect the sanctity of the relationship between reader and publisher, you have not just a right but a duty to take every effort to protect yourself in response." Other recommendations include encrypting your hard drive and using Tor to keep your internet use private.

UK PM Wants To Speed Up Controversial Internet Bill After Paris Attacks

An anonymous reader writes: Less than three days after the attacks in Paris, UK prime minister David Cameron has suggested that the process of review for the controversial Draft Investigatory Powers Bill should be accelerated. The controversial proposal, which would require British ISPs to retain a subset of a user's internet history for a year and in effect outlaw zero-knowledge encryption in the UK, was intended for parliamentary review and ratification by the end of 2016, but at the weekend ex-terrorist watchdog Lord Carlile was in the vanguard of demands to speed the bill into law by the end of this year, implicitly criticizing ex-NSA whistleblower Edward Snowden for having 'shown terrorists ways to hide their electronic footprints'.

US Judge Rules Against NSA In Phone Spying Case

An anonymous reader writes with news that a federal judge ordered the NSA to immediately end its collection of call records associated with a California lawyer and his law firm. Reuters reports: "Opponents of mass surveillance cheered the ruling by U.S. District Court Judge Richard Leon, who granted an injunction to bar the NSA from collecting the phone metadata of California attorney J.J. Little and his small legal practice. Unlike previous rulings against the NSA's program to vacuum up Americans' call data, which was exposed publicly by former NSA contractor Edward Snowden in 2013, Leon's opinion does not grant a stay, meaning it will take effect immediately."

NSA Uses Vulnerabilities Before It Discloses Them, Keeps Some To Itself

An anonymous reader writes: The NSA, perhaps seeking to repair its reputation, has started talking about how it handles vulnerabilities in computer software. But in doing so, they've only confirmed their own questionable behavior. The agency says it discloses zero-day flaws about 91% of the time. This means, of course, that they hold back about 9% of the flaws for their own use. They also don't mention when they disclose these flaws — which is damning, given statements from several current and former government officials indicating the NSA frequently waits and takes advantage of the vulnerabilities before notifying the companies who make the compromised software. This is the NSA's argument: "[T]here are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."

Ask Slashdot: Secure, Yet Accessible E-mail Archive Storage?

New submitter mlts writes: As of now, I just leave E-mail in a 'received-2015' subfolder on my provider's server, adding a new folder yearly. With the rise of E-mail account intrusions (even though I'm likely not a primary target, it is a concern), what is a secure, yet accessible way to archive E-mail? I'm far less worried about the FBI/NSA/Illuminati than I am about having stuff divulged to all and sundry if a mass breach happens. A few alternatives I've considered: 1) Running my own physical IMAP server. The server would run on a hypervisor (likely ESXi), have Dovecot limited to the VPN I use, and use other sane techniques to limit access. 2) Archiving the E-mail files through a cloud provider, with a client encryption utility (EncFS, BoxCryptor, etc.). In this case, E-mail would be stored in a different file each week. 3) Moving it to local storage on a virtual machine, and if access is needed, using LogMeIn or another remote access tool to fire up Thunderbird to access it. What would be a recommended way to secure E-mail that sits around, for the long haul, but still have it accessible? Even if you're not specifically worried about it, keeping older email around on a provider's server opens you up to warrantless access by U.S. law enforcement officials.

Why the Snowden Situation Shows 'Protected Disclosure' Is Critical

An anonymous reader writes: In the wake of NSA leaks debacle, New Zealand's Inspector General of Security and Intelligence has developed a process to enable whistleblowers to act safely. "The Edward Snowden disclosures demonstrate how critical it is to have a clear path, with appropriate protections, for disclosing information about suspected wrongdoing (PDF) within an intelligence and security agency," Cheryl Gwyn says. The Inspector General's powers were boosted after it was discovered New Zealand's Government Communications Security Bureau had been spying illegally on Kim Dotcom and others. "Edward Snowden has consistently said it was impossible for him to make internal disclosures about what he believed was wrongdoing due to the lack of whistleblower protections he faced in the U.S."

Why Avast Won't Show Source Code To the Government, But Others Do

An anonymous reader writes: Avast, a security and antivirus company based in Prague, says they refuse to share their source code, and that the U.S. government hasn't even asked them. This is not necessarily the case for the rest of the industry. Over the summer we learned from a report at The Intercept that GCHQ and the NSA had a project to subvert security software so they could use vulnerabilities and exploits to their own advantage. Antivirus firms McAfee and Symantec were notably absent from the list of targets, and Symantec later confirmed over email that they "permitted source code review in controlled environments to meet government requirements." In addition to raising questions about whether a security product can be trusted under such circumstances, it also causes political problems: "Giving assurances to one country, and receiving government certification, can harm a security company in another. China, a known cyber-adversary of the US, accused Symantec last year of including backdoors that could allow outside access -- though it did not specifically say how -- and banned the product from the country."

EU Parliament: Citizens' Rights Still Endangered By Mass Surveillance

New submitter hughankers writes with this slice of a press release from the European Parliament: Too little has been done to safeguard citizens' fundamental rights following revelations of electronic mass surveillance, say MEPs in a resolution voted on Thursday. They urge the EU Commission to ensure that all data transfers to the US are subject to an "effective level of protection" and ask EU member states to grant protection to Edward Snowden, as a "human rights defender". Parliament also raises concerns about surveillance laws in several EU countries.

This resolution, approved by 342 votes to 274, with 29 abstentions, takes stock of the (lack of) action taken by the European Commission, other EU institutions and member states on the recommendations set out by Parliament in its resolution of 12 March 2014 on the electronic mass surveillance of EU citizens, drawn up in the wake of Edward Snowden's revelations.

Fewer IPsec Connections At Risk From Weak Diffie-Hellman

msm1267 writes: A challenge has been made against one of the conclusions in an academic paper on cryptographic weaknesses that may be the open door through which intelligence agencies are breaking encrypted connections. The paper, 'Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,' claims that a massively resourced agency such as the NSA could build enough custom hardware that would crack the prime number used to derive an encryption key. Once enough information is known about the prime, breaking Diffie-Hellman connections that use that same prime is relatively trivial. In the paper, the team of 14 cryptographers and academics who wrote it claim that upwards of 66 percent of IPsec VPN connections can be passively decrypted in this manner. Paul Wouters, a founding member and core developer of the Libreswan Project, as well as a Red Hat associate, said that researchers are jumping to a conclusion because of the way they scanned and tested VPN servers, and that the number is likely too high.

Non-Binding Resolution: EU States Should Protect Snowden

The New York Times reports that the European Parliament has voted to adopt "a nonbinding but nonetheless forceful resolution" urging the EU's member nations to recognize Edward Snowden as a whistleblower, rather than aid in prosecuting him on behalf of the United States government. From the article: Whether to grant Mr. Snowden asylum remains a decision for the individual European governments, and thus far, none have done so. Still, the resolution was the strongest statement of support seen for Mr. Snowden from the European Parliament. At the same time, the close vote — 285 to 281 — suggested the extent to which some European lawmakers are wary of alienating the United States. ... The resolution calls on European Union members to "drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties." Also at Wired, USA Today and many others; Snowden himself has tweeted happily about the news.

UK Government Says App Developers Won't Be Forced To Implement Backdoors

Mark Wilson writes: The UK government is sending mixed messages about how it views privacy and security. Fears have been mounting since Prime Minister David Cameron wondered aloud 'in our country, do we want to allow a means of communication between people which we cannot read?' — his view obviously being that, no, we don't want to allow such a thing. Following the revelations about the spying activities of the NSA and GCHQ, public attention has been focused more than ever on privacy and encryption, Cameron having also suggested a desire to ban encryption. Today, some fears were allayed when it was announced that the government was not seeking to require software developers to build backdoors into their products. That said, the government said that companies should be able to decrypt 'targeted' data when required, and provide access to it.

Judge Tosses Wikimedia's Anti-NSA Lawsuit Because Wikipedia Isn't Big Enough

An anonymous reader writes: A federal judge has dismissed a lawsuit filed by the Wikimedia Foundation, Amnesty International, and others against the NSA and other U.S. intelligence agencies for their surveillance of internet communications. The judge used some odd reasoning in his ruling to absolve the NSA of any constitutional violations. He said that since the plaintiffs couldn't prove that all upstream internet communications were monitored, they didn't have standing to challenge whatever communications were monitored. This is curious, given that tech companies are known to be under gag orders preventing them from discussing certain types of government data collection. The judge also made a strange argument about Wikipedia's size: "For one thing, plaintiffs insist that Wikipedia's over one trillion annual Internet communications is significant in volume. But plaintiffs provide no context for assessing the significance of this figure. One trillion is plainly a large number, but size is always relative. For example, one trillion dollars are of enormous value, whereas one trillion grains of sand are but a small patch of beach."

Irish Data Protection Commissioner Ordered To Investigate Facebook Data

New submitter bigtomrodney writes: Following last week's ruling by the European Court of Justice on Safe Harbor, the Irish High Court has quashed the former decision of the Data Protection Commissioner not to investigate Facebook. In the current vacuum of legislation, and given that this challenge is directly focused on U.S. intelligence agencies' gathering of European citizens' data, this makes for interesting times ahead. See this story from earlier this month for a bit more background; all this fuss comes down mostly to efforts by one determined gadfly (Max Schrems) and the attention he's brought to the issue of privacy when data crosses national (or at least notional) borders.

Documents Expose the Inner Workings of Obama's Drone Wars

An anonymous reader writes: A little over two years ago, Edward Snowden leaked a giant batch of NSA documents. Chelsea Manning handed Wikileaks a pile of government secrets in 2010, and now another source has leaked an equally impressive cache of papers focusing on Obama's drone program. The Intercept published the documents covering the U.S.'s use of drones to kill targets. Perhaps most eye-opening is the disclosure that as much as 90% of attacks over a five-month period hit the wrong targets. According to The Intercept: "When the Obama administration has discussed drone strikes publicly, it has offered assurances that such operations are a more precise alternative to boots on the ground and are authorized only when an 'imminent' threat is present and there is 'near certainty' that the intended target will be eliminated. Those terms, however, appear to have been bluntly redefined to bear almost no resemblance to their commonly understood meanings."

How Is the NSA Breaking So Much Crypto?

schwit1 writes: There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a "computing breakthrough" that gave them "the ability to crack current public encryption." The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.

However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community. Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.

If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn't just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to "crack" a particular prime, then easily break any individual connection that uses that prime.
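The cost asymmetry that both this summary and the IPsec story above turn on (one enormous computation per prime, then a cheap break per connection) can be seen at toy scale. The following is an added example, not code from the submitters, the Logjam authors or any project they describe. It uses a constructed 11-bit safe prime so the "precomputation" is a brute-force table; for a real 1024-bit prime the analogous step is the number-field-sieve precomputation the paper describes, and the table would be replaced by its output. The 2048-bit threshold in the defender-side check reflects the paper's recommendation to move to 2048-bit or larger groups.

```python
"""Toy illustration of the Logjam precomputation asymmetry (added example)."""
import secrets

# Constructed toy parameters, NOT real-world sizes: safe prime P = 2*Q + 1,
# and G = 4 (= 2^2 mod P) is a quadratic residue, hence has prime order Q.
Q = 1019
P = 2 * Q + 1   # 2039, prime
G = 4


def dh_keypair(p=P, g=G, q=Q):
    """Return (private exponent, public value) for one side of a DH exchange."""
    x = secrets.randbelow(q - 1) + 1   # 1 <= x < q
    return x, pow(g, x, p)


def precompute(p=P, g=G, q=Q):
    """The expensive, ONE-TIME-PER-PRIME step: tabulate every g^x (mod p).

    Every connection that reuses this prime is then broken by a lookup, which
    is why a shared, hard-coded prime hands an adversary leverage that a
    per-deployment prime would not."""
    return {pow(g, x, p): x for x in range(q)}


def break_connection(table, pub_a, pub_b, p=P):
    """Per-connection step once the table exists: recover A's exponent by
    lookup, then derive the shared secret exactly as A would."""
    a = table[pub_a]
    return pow(pub_b, a, p)


def dh_modulus_size_is_acceptable(bits):
    """Defender-side check: reject DH groups below the 2048-bit size the
    Logjam paper recommends (assumed threshold, stated in the lead-in)."""
    return bits >= 2048


def demo(n_connections=3):
    """Run several independent exchanges over the shared prime and report,
    per connection, whether the precomputed table recovered the secret."""
    table = precompute()
    results = []
    for _ in range(n_connections):
        a, pub_a = dh_keypair()
        b, pub_b = dh_keypair()
        honest_secret = pow(pub_b, a, P)
        assert honest_secret == pow(pub_a, b, P)   # both sides agree
        recovered = break_connection(table, pub_a, pub_b)
        results.append(recovered == honest_secret)
    return results


if __name__ == "__main__":
    print("connections broken after one precomputation:", demo())
    print("1024-bit group acceptable?", dh_modulus_size_is_acceptable(1024))
```

Note that `precompute` runs once and is then reused across every exchange in `demo`; scaling the prime up changes the cost of that single step enormously, but not the per-connection cost that follows it, which is the practical reason the paper pushes for larger groups rather than merely fresh keys.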