PRISM

WRECK TANGLE

Walker34 wrote: »

Ed Snowden might go through Shannon on route to Cuba.

On what sort of flight though?:eek:

http://www.therenditionproject.org.uk/global-rendition/the-flights/index.html

[-0-] wrote: »

The drunken ramblings are a bit much.

I was wondering what was going on.

Walker34

blatantrereg wrote: »

Microsoft say they do not allow direct access to user content or encryption keys, and only share data when required to by a specific valid demand.

http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/16/responding-to-government-legal-demands-for-customer-data.aspx

one thing you learn over time is that official White House or Corporate statements are very carefully worded and each word used has a very precise meaning and context. It takes someone like Noam Chompsky to elucidate their precise meaning and purpose.

They are designed to provide the maximum flexibility or elasticity of future interpretation so that the US can use them as "Told you so" responses at any future date. Like software they need to be regularly updated or revised to stay useful.

Capt'n Midnight

http://www.theregister.co.uk/2013/07/17/intelligence_and_security_committee_prism_and_gchq/

Claims that Britain's intelligence agency GCHQ circumvented UK legislation by using America's controversial PRISM programme to access the content of private communications are false, parliamentarians concluded today.

But it's nice to know it's technically possible

Walker34

Capt'n Midnight wrote: »

Why ?

Spies get sent home or to jail. Even the Rosenbergs might have just got a prison sentence had they confessed like the others did.


But the Rosenbergs were not spies.....they were totally innocent, its just Hoover needed someone to make an example of......just like the SS would go in a town and leave a few corpses hanging in the town square.....its called a deterrent, much like whats going on now.

jmcc

Walker34 wrote: »

Spies get sent home or to jail. Even the Rosenbergs might have just got a prison sentence had they confessed like the others did.

Given the times, that would have been unlikely.

But the Rosenbergs were not spies.....they were totally innocent,

Not exactly.

Regards...jmcc

Amirani

Snowden granted temporary asylum in Russia: http://rt.com/news/snowden-entry-airport-asylum-521/

wolf99

Capt'n Midnight wrote: »

http://www.theregister.co.uk/2013/07/17/intelligence_and_security_committee_prism_and_gchq/

But it's nice to know it's technically possible

That's not to say the NSA doesn't use the GCHQ data to circumvent US legislation, which is a more likely scenario.

Capt'n Midnight

wolf99 wrote: »

That's not to say the NSA doesn't use the GCHQ data to circumvent US legislation, which is a more likely scenario.

likely ?

The US has used extraordinary rendition to outsource torture to other countries, from there it's a slippery slope to getting a judge to sign off on eavesdropping

http://www.wired.com/dangerroom/2013/02/54-countries-rendition/

Capt'n Midnight

http://www.theregister.co.uk/2013/07/24/kiwis_set_to_get_new_spook_law/

New Zealand's Government Communications Security Bureau (GCSB), which illegally spied on resident Kim Dotcom, is on the cusp of gaining sweeping new powers that include wiretapping NZ citizens.

The GCSB's domestic spying first came to light last year when it mistakenly tapped Dotcom's communications, not realising that his residency status at the time meant its actions were illegal. Rather than punish the organisation for its domestic snooping blunders, the New Zealand government has spent some time steering new laws through parliament to increase the GCSB's powers.

900913

How much space would the filing cabinets of the Stasi and the NSA use up, if the NSA would print out their 5 Zettabytes?

http://apps.opendatacity.de/stasi-vs-nsa/english.html

AnCatDubh

Apple and Facebook ’not breaking EU law’ by transferring personal data to US - via Irish Times

I always expected this to be the case when covered in a companies terms and conditions and really to me you either accept their T&C's or you don't use the services. I'm more miffed at legal provisions which enable systematic snooping to happen in a jurisdiction considered a 'safe harbour'. In fact, it kinda makes a bit of a mockery of EU data protection if a company can put its data outside of the EU (under the Safe Harbour guise) and then systematically allow/be obliged to/have that data abused (albeit legally abused) by a third party nation -- particularly when (and rightly so) use of personal data within our own state is quite regulated (and set to become more so) in line with the various EU directives.

wolf99

If Assange is elected would he not be able to avail of diplomatic immunity to leave the UK?

Nika Bolokov

More information released by the Guardian

http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

XKeyscore: NSA tool collects 'nearly everything a user does on the internet'

Looks like there is a big red dot on Ireland in the picture.

AnCatDubh

Don't worry, Trust Us. via TechCrunch.

NSA Director General Keith Alexander, head of the NSA, gave the keynote speech at the Black Hat security conference in Las Vegas today.

General Alexander is the same man who said, one year ago, to this same audience: “Anybody who would tell you that we’re keeping files or dossiers on the American people knows that’s not true.” You may adjust your interpretations of his speech today accordingly.

:rolleyes:

Capt'n Midnight

Nika Bolokov wrote: »

Looks like there is a big red dot on Ireland in the picture.

FYI our role in this seeing as how lots of multinationals have their EU base here.

http://www.theregister.co.uk/2013/07/30/irish_watchdog_wont_probe_apple_facebook_over_prism/

On Friday, Reuters reported that the Irish Office of the Data Protection Commissioner (ODPC) had refused to look at the transfers of personal data undertaken by Apple and Facebook to the United States.
...
Reuters reports that an ODPC spokesperson said: "We not consider that there are grounds for an investigation under the Irish Data Protection Acts given that 'Safe Harbour' requirements have been met".

That spokesperson added: "If something is agreed by the European Commission for the purpose of providing safeguards, that ticks a box under our jurisdiction."
...
A final comment: if the Regulation goes ahead, it will be the Irish Commissioner who will be batting for all of Europe’s data subjects. I can’t be the only data subject who thinks that this prospect is getting more unattractive by the hour.

blatantrereg

NY woman visited by police after researching pressure cookers online

http://www.boards.ie/vbulletin/showthread.php?t=2057005799

wolf99

Capt'n Midnight wrote: »

That spokesperson added: "If something is agreed by the European Commission for the purpose of providing safeguards, that ticks a box under our jurisdiction."

I wish they'd apply that logic to other things a well, say, um, maybe the citizenry instead of just multi-national corps!! F*!$%£g C*$%s

Khannie

blatantrereg wrote: »

NY woman visited by police after researching pressure cookers online

http://www.boards.ie/vbulletin/showthread.php?t=2057005799

Just came in here to post this. Saw it on reddit. Shocking stuff.

Capt'n Midnight

http://www.theregister.co.uk/2013/07/31/prism_put_in_the_shade_by_leak_about_even_more_powerful_snoop_tool/

The cover has been blown on an NSA program which collects data on “nearly everything a user does on the internet” even as the debate rages over the secretive US agency's mass surveillance of innocent people.

The XKeyscore program covers emails, social media activity and browsing history and is accessible to NSA analysts with little or no prior authorisation, according to a leaked presentation published by The Guardian today.

Walker34

HI,
has anyone contacted NTL regarding this US Spying/Snooping scandal and what their official and ACTUAL position is on it. Do they participate ?, and is it mentioned anywhere in their stated T&C`s, and if it is could NTL please specify the text, so its legality can be determined relitave to irelands constitution. Russia Today "the only credible news source now" is challenging the NSA`s basis for demanding the extradition of Snowden, and strangly enough no reply to the letter to Eric Holder has so far been receivedas yet.
Jim

Dermot Illogical

Khannie wrote: »

Just came in here to post this. Saw it on reddit. Shocking stuff.

http://openareas.tumblr.com/post/57110075747/clarification-and-update

http://www.valuewalk.com/2013/08/suffolk-county-police-tipped-off-by-employer-not-google/

Capt'n Midnight

http://www.bbc.co.uk/news/technology-23536936

Moto X 'always listening' phone launched by Google's Motorola :pac:



Also there is this site

http://stopprism.eu/index.php?seite=uk&menu=menuu&navi=naviu

Maybe it'll let the EU know how people feel about PRISM

Maybe it's the snoops harvesting email addresses

Who knows ?

Walker34

Hi,
don't be overly surprised if there is a terrorist incident somewhere in the US or Europe which will give the NSA grounds to justify continued and even escalated surveillance of all communication systems. This would be a standard response to the herd starting to get too difficult to deal with. Of course that is a "dammed if you do" and "dammed if you dont" kinda dilemma. The counter argument is that Prism did not prevent the four big attacks of the last 10 years.
John

Capt'n Midnight

Walker34 wrote: »

Hi,
don't be overly surprised if there is a terrorist incident somewhere in the US or Europe which will give the NSA grounds to justify continued and even escalated surveillance of all communication systems. This would be a standard response to the herd starting to get too difficult to deal with. Of course that is a "dammed if you do" and "dammed if you dont" kinda dilemma. The counter argument is that Prism did not prevent the four big attacks of the last 10 years.
John

What do you mean surprised ?

There were mass escapes of prisoners recently and there's embassys shut and travel warnings. Have a read up on the Patriot act, what new powers do you think they need that they don't already have ??

And what of the six* big attacks that they prevented ?


*number may vary according to how much they are looking for in next years budget

Walker34

But there is huge discontent worldwide with this Spying debacle, as revealed by Snowden......so to protect Prism and prevent Obama from being forced to scrap it, the CIA/NSA will need to create incidents to justify its retention. I`m old enough to remember "The Gulf Of Tonkin incident", which was the false flag manufactured to justify the escalation of the war in Vietnam. This is just the same procedure all over again.

They will do something similar now which will also give Nethenyahoo an excuse to attack Iran........we haven't had a war in over 3 years. we just cant go on like this!

Amirani

This say a hell of a lot: http://www.irishtimes.com/news/world/us/encrypted-email-service-thought-to-be-used-by-snowden-shuts-1.1489372

Pretty much implies that every content host in the US is co-operating with the Federal Government in providing information. If there was any doubt before, there's not now. Content privacy can't be protected by US companies.

This sets a massive precedent with a company in "free-market" USA being effectively forced to shut down because it doesn't do what the Federal Government wants.

wolf99

looks like th eFBi are cracking down on darknet:
http://www.independent.ie/irish-news/courts/fbi-name-irishman-as-largest-facilitator-of-child-porn-on-net-29468433.html

Looking at the articles on the dailydot though, it seems that they dont have the same access to this corner of the web as they do to the likes of Google, Apple, etc

Also... Does anyone know if the US made a second extradition request of Ireland for Snowden after the last one failed?

Capt'n Midnight

If there is one other tip people can take from all this

If you want privacy don't use Windows. It's a safe bet that there are always some vulnerabilities that allow remote code execution on windows systems. It's just a question of whether anyone is going to bother targeting you specifically, and even that doesn't offer any protection against random attacks or systematic trawling or targeting groups.

http://bit.ly/17dkgQk :pac:

I'm not saying that MacOSX or other OS's are any better, just saying that there is no point in being paranoid if you are going to use windows.


eg: If you're using the Tor Browser Bundle

http://www.bbc.co.uk/news/technology-23587620

Legitimate users of the Tor anonymous browsing service are being advised to stop using Windows if they want to keep their identity hidden.

The advisory comes after an attack on Tor that targeted Windows users sought to gather data that could be used to identify people.

https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html

SUMMARY:
This is a critical security announcement.

An attack that exploits a Firefox vulnerability in JavaScript [1]
has been observed in the wild. Specifically, Windows users using the
Tor Browser Bundle (which includes Firefox plus privacy patches [2])
appear to have been targeted.

...

IMPACT:
The vulnerability allows arbitrary code execution, so an attacker
could in principle take over the victim's computer

wolf99

With the recent splurge of malware targeted at Linux and mac platforms it is reasonable to assume that whoever is exploiting the vulnerabilities could just as easy switch to targeting other platforms if that is where the majority of the target user base moves to.

To paraphrase Eric Schmidt, if you have something you don't want anyone to know, don't put in a place that's connected to everyone (i.e. a networked computer - whatever it's running).

Deliverance XXV

BBC report on U.S encrypted email services being forced to comply and slammed into silence.

Two encrypted email services have closed down for reasons linked to US intelligence leaker Edward Snowden.

Texas-based Lavabit service has shut down but said legal reasons prevented it explaining why.

Correspondents say Lavabit appears to have been in a legal battle to stop US officials accessing customer details.

In addition, secure communications firm Silent Circle has shut its email service because messages cannot be kept wholly secret.

http://www.bbc.co.uk/news/world-us-canada-23627656

900913

NSA cutting 90% of sysadmin jobs to beef up security

Didn't suggest that the move was caused by one particularly problematic sysadmin and his habit of leaking classified data about surveillance programs like PRISM and XKeyscore. The way chief spyguy General Keith Alexander, director of the US's National Security Agency (NSA) told a cybersecurity conference in New York City on Thursday, the project has been in the works for some time. The project being, namely, that the NSA plans to fire 90% of its sysadmins. According to Reuters, Alexander told the security crowd that automating sysadmin work would improve security - the sooner, the better:
"What we're in the process of doing - not fast enough - is reducing our system administrators by about 90 percent."

Link:http://nakedsecurity.sophos.com/2013/08/09/nsa-cutting-90-of-sysadmin-jobs-to-beef-up-security/

LoLth

hmmmm, suddenly my mental image of sysadmins wearing "I could replace you with a script" t-shirts doesnt seem quite so funny anymore......

Leader of the Furlings

Very long background story on why he picked Laura Poitras and Glenn Grennwald to release the story and a very short Q&A with Snowden himself.

http://www.nytimes.com/2013/08/18/magazine/laura-poitras-snowden.html?=_r=6&_r=1&

http://www.nytimes.com/2013/08/18/magazine/snowden-maass-transcript.html?=_r=6&_r=1&

900913

Owner of Snowden’s Email Service on Why He Closed Lavabit Rather Than Comply With Gov’t

Lavabit, an encrypted email service believed to have been used by National Security Agency leaker Edward Snowden, has abruptly shut down. The move came amidst a legal fight that appeared to involve U.S. government attempts to win access to customer information. In a Democracy Now! broadcast exclusive, we are joined by Lavabit owner Ladar Levison and his lawyer, Jesse Binnall. "Unfortunately, I can’t talk about it. I would like to, believe me," Levison says. "I think if the American public knew what our government was doing, they wouldn’t be allowed to do it anymore." In a message to his customers last week, Levison said: "I have been forced to make a difficult decision: to become complicit in crimes against the American people, or walk away from nearly 10 years of hard work by shutting down Lavabit." Levison said he was barred from discussing the events over the past six weeks that led to his decision. Soon after, another secure email provider called Silent Circle also announced it was shutting down.

http://www.democracynow.org/2013/8/13/exclusive_owner_of_snowdens_email_service

900913

NSA FISA Surveillance: Experts Poke Holes In Administration's Legal Justification For Phone Records Program

No sooner had the Obama administration released a white paper laying out the legal justification for its mass phone data collection program than legal experts began to poke holes in it.

Last Friday, as part of President Barack Obama’s attempt to address criticism of the National Security Agency’s surveillance programs revealed by former intelligence contractor Edward Snowden, the administration released a document intended to explain the legal reasoning behind the collection of data on nearly all Americans' phone calls, including the numbers on the call, call time, and duration. But legal experts and civil liberties advocates were quick to point out that the legal reasoning behind the program is weak.

http://www.ibtimes.com/nsa-fisa-surveillance-experts-poke-holes-administrations-legal-justification-phone-records-program

AnCatDubh

Facebook government data requests released:

https://www.facebook.com/about/government_requests

(first six months of 2013)

Why did you report the numbers for the United States in ranges?

We have reported the numbers for all criminal and national security requests to the maximum extent permitted by law. We continue to push the United States government to allow more transparency regarding these requests, including specific numbers and types of national security-related requests. We will publish updated information for the United States as soon as we obtain legal authorisation to do so.

via RTÉ

AnCatDubh

Not terribly widely reported (I don't think) but interesting none the less - Microsoft, Google Push Forward with Lawsuit Against US Government.

There must be a tremendous reputation damage for US owned or located corporations for something which is being imposed on them. However, it may be a bit late for them to be pleading completely without blemish given the various approaches taken which have been reported on. That said at least they are starting to take notice of the discomfort that is out there as a result of such activities.

Dude111

Its good they are doing this!!!!!! -- I dont think it will get anywhere but its good to see an attempt!

oscarBravo

Khannie wrote: »

I had to assume that lastpass was compromised given all the recent revelations.

Is that a fair assumption, though? One of LastPass's selling points is that encryption and decryption only ever happen on the client: "No one at LastPass can ever access your sensitive data."

https://lastpass.com/whylastpass_technology.php

Khannie

oscarBravo wrote: »

Is that a fair assumption, though? One of LastPass's selling points is that encryption and decryption only ever happen on the client: "No one at LastPass can ever access your sensitive data."

https://lastpass.com/whylastpass_technology.php

It may not be of course, but it's closed source and given recent revelations about demands for back doors to be inserted in lavabit (and silent circle closing because they knew one would be demanded of them) I had zero confidence that they weren't compromised.

The safest thing to assume is that lastpass is compromised. Certainly if I were the NSA I would be hitting them up for an oul' back door. Sure you'd be mad not to in their shoes.

US service providers are going to lose customers through lack of trust (if they haven't lost a heap already).

Amirani

Putin describes Edward Snowden as a ‘a strange guy’: http://www.irishtimes.com/news/world/putin-describes-edward-snowden-as-a-a-strange-guy-1.1515914

Seems to be a decent assurance that he has no intention of handing him over though.

AnCatDubh

Bruce Schneier writing in the Guardian:: How to remain secure against NSA surveillance. The NSA has huge capabilities – and if it wants in to your computer, it's in. With that in mind, here are five ways to stay safe

Excerpt:

With all this in mind, I have five pieces of advice:

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

padmick

Hi all, you should all look at https://prism-break.org

[-0-]

Lads. Why is this not top news across the globe?

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Revealed: how US and UK spy agencies defeat internet privacy and security
• NSA and GCHQ unlock encryption used to protect emails, banking and medical records
• $250m-a-year US program works covertly with tech companies to insert weaknesses into products
• Security experts say programs 'undermine the fabric of the internet'

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – "the use of ubiquitous encryption across the internet".

Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force", and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.

The files, from both the NSA and GCHQ, were obtained by the Guardian, and the details are being published today in partnership with the New York Times and ProPublica. They reveal:

• A 10-year NSA program against encryption technologies made a breakthrough in 2010 which made "vast amounts" of data collected through internet cable taps newly "exploitable".

• The NSA spends $250m a year on a program which, among other goals, works with technology companies to "covertly influence" their product designs.

• The secrecy of their capabilities against encryption is closely guarded, with analysts warned: "Do not ask about or speculate on sources or methods."

• The NSA describes strong decryption programs as the "price of admission for the US to maintain unrestricted access to and use of cyberspace".

• A GCHQ team has been working to develop ways into encrypted traffic on the "big four" service providers, named as Hotmail, Google, Yahoo and Facebook.



This network diagram, from a GCHQ pilot program, shows how the agency proposed a system to identify encrypted traffic from its internet cable-tapping programs and decrypt what it could in near-real time. Photograph: Guardian
The agencies insist that the ability to defeat encryption is vital to their core missions of counter-terrorism and foreign intelligence gathering.

But security experts accused them of attacking the internet itself and the privacy of all users. "Cryptography forms the basis for trust online," said Bruce Schneier, an encryption specialist and fellow at Harvard's Berkman Center for Internet and Society. "By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet." Classified briefings between the agencies celebrate their success at "defeating network security and privacy".

"For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies," stated a 2010 GCHQ document. "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable."

An internal agency memo noted that among British analysts shown a presentation on the NSA's progress: "Those not already briefed were gobsmacked!"

The breakthrough, which was not described in detail in the documents, meant the intelligence agencies were able to monitor "large amounts" of data flowing through the world's fibre-optic cables and break its encryption, despite assurances from internet company executives that this data was beyond the reach of government.

The key component of the NSA's battle against encryption, its collaboration with technology companies, is detailed in the US intelligence community's top-secret 2013 budget request under the heading "Sigint [signals intelligence] enabling".



Funding for the program – $254.9m for this year – dwarfs that of the Prism program, which operates at a cost of $20m a year, according to previous NSA documents. Since 2011, the total spending on Sigint enabling has topped $800m. The program "actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs", the document states. None of the companies involved in such partnerships are named; these details are guarded by still higher levels of classification.

Among other things, the program is designed to "insert vulnerabilities into commercial encryption systems". These would be known to the NSA, but to no one else, including ordinary customers, who are tellingly referred to in the document as "adversaries".

"These design changes make the systems in question exploitable through Sigint collection … with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact."

The document sets out in clear terms the program's broad aims, including making commercial encryption software "more tractable" to NSA attacks by "shaping" the worldwide marketplace and continuing efforts to break into the encryption used by the next generation of 4G phones.

Among the specific accomplishments for 2013, the NSA expects the program to obtain access to "data flowing through a hub for a major communications provider" and to a "major internet peer-to-peer voice and text communications system".

Technology companies maintain that they work with the intelligence agencies only when legally compelled to do so. The Guardian has previously reported that Microsoft co-operated with the NSA to circumvent encryption on the Outlook.com email and chat services. The company insisted that it was obliged to comply with "existing or future lawful demands" when designing its products.

The documents show that the agency has already achieved another of the goals laid out in the budget request: to influence the international standards upon which encryption systems rely.

Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.

"Eventually, NSA became the sole editor," the document states.

The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier.

A classification guide for NSA employees and contractors on Bullrun outlines in broad terms its goals.

"Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.

The document also shows that the NSA's Commercial Solutions Center, ostensibly the body through which technology companies can have their security products assessed and presented to prospective government buyers, has another, more clandestine role.

It is used by the NSA to "to leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into security products. Operatives were warned that this information must be kept top secret "at a minimum".

A more general NSA classification guide reveals more detail on the agency's deep partnerships with industry, and its ability to modify products. It cautions analysts that two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices "to make them exploitable", and that NSA "obtains cryptographic details of commercial cryptographic information security systems through industry relationships".

The agencies have not yet cracked all encryption technologies, however, the documents suggest. Snowden appeared to confirm this during a live Q&A with Guardian readers in June. "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on," he said before warning that NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.

The documents are scattered with warnings over the importance of maintaining absolute secrecy around decryption capabilities.



Strict guidelines were laid down at the GCHQ complex in Cheltenham, Gloucestershire, on how to discuss projects relating to decryption. Analysts were instructed: "Do not ask about or speculate on sources or methods underpinning Bullrun." This informaton was so closely guarded, according to one document, that even those with access to aspects of the program were warned: "There will be no 'need to know'."

The agencies were supposed to be "selective in which contractors are given exposure to this information", but it was ultimately seen by Snowden, one of 850,000 people in the US with top-secret clearance.A 2009 GCHQ document spells out the significant potential consequences of any leaks, including "damage to industry relationships".

"Loss of confidence in our ability to adhere to confidentiality agreements would lead to loss of access to proprietary information that can save time when developing new capability," intelligence workers were told. Somewhat less important to GCHQ was the public's trust which was marked as a moderate risk, the document stated.

"Some exploitable products are used by the general public; some exploitable weaknesses are well known eg possibility of recovering poorly chosen passwords," it said. "Knowledge that GCHQ exploits these products and the scale of our capability would raise public awareness generating unwelcome publicity for us and our political masters."

The decryption effort is particularly important to GCHQ. Its strategic advantage from its Tempora program – direct taps on transatlantic fibre-optic cables of major telecommunications corporations – was in danger of eroding as more and more big internet companies encrypted their traffic, responding to customer demands for guaranteed privacy.

Without attention, the 2010 GCHQ document warned, the UK's "Sigint utility will degrade as information flows changes, new applications are developed (and deployed) at pace and widespread encryption becomes more commonplace." Documents show that Edgehill's initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs.

Another program, codenamed Cheesy Name, was aimed at singling out encryption keys, known as 'certificates', that might be vulnerable to being cracked by GCHQ supercomputers.

Analysts on the Edgehill project were working on ways into the networks of major webmail providers as part of the decryption project. A quarterly update from 2012 notes the project's team "continue to work on understanding" the big four communication providers, named in the document as Hotmail, Google, Yahoo and Facebook, adding "work has predominantly been focused this quarter on Google due to new access opportunities being developed".

To help secure an insider advantage, GCHQ also established a Humint Operations Team (HOT). Humint, short for "human intelligence" refers to information gleaned directly from sources or undercover agents.

This GCHQ team was, according to an internal document, "responsible for identifying, recruiting and running covert agents in the global telecommunications industry."

"This enables GCHQ to tackle some of its most challenging targets," the report said. The efforts made by the NSA and GCHQ against encryption technologies may have negative consequences for all internet users, experts warn.

"Backdoors are fundamentally in conflict with good security," said Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union. "Backdoors expose all users of a backdoored system, not just intelligence agency targets, to heightened risk of data compromise." This is because the insertion of backdoors in a software product, particularly those that can be used to obtain unencrypted user communications or data, significantly increases the difficulty of designing a secure product."

This was a view echoed in a recent paper by Stephanie Pell, a former prosecutor at the US Department of Justice and non-resident fellow at the Center for Internet and Security at Stanford Law School.

"[An] encrypted communications system with a lawful interception back door is far more likely to result in the catastrophic loss of communications confidentiality than a system that never has access to the unencrypted communications of its users," she states.

Intelligence officials asked the Guardian, New York Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read.

The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of internet users in the US and worldwide.

This changes everything

"Could the NSA be intercepting downloads of open source encryption software and silently replacing these with their own versions?" Yes, I believe so -- Bruce Schneier

Blowfish

[-0-] wrote: »

This changes everything

Not really, it's been known that the NSA have been backdooring things for at least 15 years.

People seem to care about it a lot more now though, which I suppose is nice.

[-0-]

Blowfish wrote: »

Not really, it's been known that the NSA have been backdooring things for at least 15 years.

People seem to care about it a lot more now though, which I suppose is nice.

This isn't simply backdooring things. It's everything!

"It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Techology approved for worldwide use in 2006."

I give up. I'm deleting Facebook, Twitter, everything. Screw this.

Blowfish

[-0-] wrote: »

This isn't simply backdooring things. It's everything!

"It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Techology approved for worldwide use in 2006."

Pushing through their standards is just a more formalized version of the of the 'you can only use the encryption we want you to use' they were at 10+ years beforehand.

Setun

AnCatDubh wrote: »

Bruce Schneier writing in the Guardian:: How to remain secure against NSA surveillance. The NSA has huge capabilities – and if it wants in to your computer, it's in. With that in mind, here are five ways to stay safe

And on his blog: http://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html

Schneier wrote:

Honestly, I'm skeptical. Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts.

Funnily enough, a couple of months before the Prism stuff broke this year, I was researching network surveillance (for a paper, I'm not a conspiracy theorist ) and came across the now prescient case of William Binney, NSA whistleblower back over 10 years ago. I read this publicly available document - his statement that the NSA were monitoring internet traffic, as presented in court in June 2012: http://info.publicintelligence.net/NSA-WilliamBinneyDeclaration.pdf In it, he states some now-familiar facts for those of us who have been following the current series of leaks:

Binney (2012) wrote:

FISA ceased to be an operative concern, and the individual liberties preserved in the U.S. Constitution were no longer a consideration.

Furthermore:

Binney (2012) wrote:

The NSA has the capability to do individualized searches, similar to Google, for particular electronic communications in real time through such criteria as target addresses, locations, countries and phone numbers, as well as watch-listed names, keywords, and phrases in email. The NSA also has the capability to seize and store most electronic communications passing through its U.S. intercept centers. The wholesale collection of data allows the NSA to identify and analyze Entities or Communities of lnterest later in a static database.

So, while the official quoted in today's Guardian that "it isn't news" is in essence true, it is still a surprise to many people outside of a specific net-security/activist/government set. Yet Binney's statement, and even the current thread of leaks, remains peculiarly under-reported. Is the Westminster spin-doctor's adage true - that "if you want to kill a story, give it to the Guardian"? Or is there pressure from above? The latter is not as tinfoil hat as it might first appear, given that the Guardian were visited by a few men in suits, and stuck around until they saw the destruction of a set of hard drives.

AnCatDubh

One thing doesn't quite add up with recent events.

Why, with all the capability the NSA/GCHQ have at decrypting/brute force super computer code breaking, with back doors into facebook, google and so forth, did they force David Miranda under 'legitimate' UK legislation to give them the passwords to something as basic as his facebook account, his laptop, and external drives.

oscarBravo

AnCatDubh wrote: »

Why, with all the capability the NSA/GCHQ have at decrypting/brute force super computer code breaking, with back doors into facebook, google and so forth, did they force David Miranda under 'legitimate' UK legislation to give them the passwords to something as basic as his facebook account, his laptop, and external drives.

Intimidation, pure and simple.