Categories
Writing

FUD and NSA Cybersecurity

I’ve been in too many meetings where popular articles led to a string of false – and intensely problematic – baseline ‘truths’ that subsequently led to damaging policy proposals. One of the worst recent articles was by Marc Ambinder, who wrote a piece for Foreign Policy about why the NSA has to support Deep Packet Inspection (DPI) appliances in business networks. The general premise is that NSA assistance is critical if American companies are to effectively filter out foreign nations’ espionage behaviour. This ‘support’ is supposedly driven by the most recent revelations concerning Chinese attacks against predominantly American business interests.

So, in what follows I’ll pull out offending paragraphs and explain what’s factually problematic and, then, the significance of the false or misleading claims.

[The NSA] has some pretty nifty tools to use in terms of protecting cyberspace. In theory, it could probe devices at critical Internet hubs and inspect the patterns of data packets coming into the United States for signs of coordinated attacks. The recently declassified Comprehensive National Cyberspace Initiative describes the government’s plan, informally known as Einstein 3, to address the threats to government data that run through private computer networks – an admission that the NSA will have to perform deep packet inspection on private networks at some point. But, currently, the NSA only does this for a select group of companies that work with the Department of Defense. It is legally prohibited from setting up filters around all of the traffic entry points.

The issue is that Einstein, even if it is working (which remains unclear, at best), is invasive and isn’t a panacea. It might identify some traffic, but the core kind of data analysis that is required today isn’t so much of inbound network traffic as of outbound: what is leaving the network, why is it leaving, and do the characteristics of the data exiting the network correspond with the authorized users’ normal network behaviours? To be blunt, there is no DPI appliance on the market that is genuinely capable of this kind of user- and network-centric surveillance. There are lots of companies that sell things claiming to perform these actions, but the products have not yet lived up to the hype. Moreover, if you’re dealing with state-level actors it isn’t clear why, with their immense resources, they can’t simply purchase the DPI appliances, figure out how they work, and work out how to subvert their analytics protocols.

Why does this quoted section matter? Because it preps an audience for a magic (networked) bullet, and one that to date doesn’t exist. And because it convinces an audience that if we just brought NSA-grade Einstein surveillance to bear, we’d figure out how to stop the evil hackers.
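The outbound, user-centric analysis the paragraph above calls for can be sketched in a few dozen lines. The following is an added illustration, not code from the original post and not a claim about what any DPI product does: it baselines each user’s own outbound volume and destination set over constructed flow records, using median and median absolute deviation so that the anomalous day does not inflate the baseline it is judged against.

```python
# Added example: per-user egress baselining over constructed flow records.
from collections import defaultdict
from statistics import median

# Constructed sample records: (day, user, direction, destination, bytes).
# Days are labelled d1..d6 so they sort lexically; real records carry dates.
FLOWS = [
    ("d1", "alice", "out", "mail.example.com", 12_000),
    ("d1", "alice", "in", "cdn.example.com", 900_000),   # inbound, ignored
    ("d2", "alice", "out", "mail.example.com", 15_000),
    ("d3", "alice", "out", "mail.example.com", 11_000),
    ("d4", "alice", "out", "mail.example.com", 13_000),
    ("d5", "alice", "out", "mail.example.com", 14_000),
    ("d6", "alice", "out", "files.example.net", 480_000_000),  # the odd day
    ("d1", "bob", "out", "repo.example.com", 2_000_000),
    ("d2", "bob", "out", "repo.example.com", 2_400_000),
    ("d3", "bob", "out", "repo.example.com", 1_900_000),
    ("d4", "bob", "out", "repo.example.com", 2_100_000),
    ("d5", "bob", "out", "repo.example.com", 2_300_000),
    ("d6", "bob", "out", "repo.example.com", 2_200_000),
]

def egress_by_user_day(flows):
    """Sum outbound bytes and collect destinations per (user, day)."""
    total = defaultdict(int)
    dests = defaultdict(set)
    for day, user, direction, dest, nbytes in flows:
        if direction != "out":
            continue
        total[(user, day)] += nbytes
        dests[(user, day)].add(dest)
    return total, dests

def egress_anomalies(flows, factor=5.0, min_history=3):
    """Return (user, day, kind, detail) for days that depart from the
    user's own history: outbound volume above median + factor * MAD, or
    a destination the user has never sent data to before."""
    total, dests = egress_by_user_day(flows)
    alerts = []
    history = defaultdict(list)  # user -> outbound bytes of earlier days
    seen = defaultdict(set)      # user -> destinations seen so far
    for user, day in sorted(total):
        nbytes = total[(user, day)]
        past = history[user]
        if len(past) >= min_history:
            med = median(past)
            # Robust spread; fall back to 10% of the median if every past
            # day was identical (MAD of 0 would flag any change at all).
            mad = median(abs(b - med) for b in past) or med * 0.1 or 1
            if nbytes > med + factor * mad:
                alerts.append((user, day, "volume", nbytes))
            new = dests[(user, day)] - seen[user]
            if new:
                alerts.append((user, day, "new-destination", ",".join(sorted(new))))
        history[user].append(nbytes)
        seen[user] |= dests[(user, day)]
    return alerts
```

On the constructed sample, bob’s steady 2 MB/day never trips the threshold, while alice’s d6 is flagged twice: once for volume and once for a destination she had never used.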

The next step may be letting the NSA conduct deep-packet monitoring of private networks. It’s undeniable that Congress and the public probably wouldn’t be comfortable knowing that the NSA has its hardware at the gateways to the Internet. And yet there may be no other workable way to detect and defeat major attacks. Thanks to powerful technology lobbies, Congress is debating a bill that would give the private sector the tools to defend itself, and it has been slowly peeling back the degree of necessary government intervention. As it stands, DHS lacks the resources to secure the dot-com top-level domain even if it wanted to. It competes for engineering minds with the NSA and with private industry; the former has more cachet and the latter has better pay.

The NSA already has its hardware at the core choke points of the American Internet infrastructure. This deployment led Congress to retroactively grant immunity to American ISPs for participating in the NSA’s warrantless wiretapping. It’s what’s led a host of whistleblowers to come forward and disclose the extent of the NSA’s surveillance of Americans. The Agency is already using DPI appliances at Internet choke points: what is being proposed is extending the surveillance to the networks of corporations that are not Internet companies. This means that, rather than just filtering at AT&T’s network, the NSA will also filter at Ford’s network.

The author also asserts that it’s important to leave this to the NSA on the basis that DHS cannot presently fulfil this defensive task. NSA knows this. DHS knows this. And, on the mutual basis of this knowledge, NSA is already permitted to assist DHS in securing American companies’ networks so long as DHS takes the lead. What is really changing here is that a foreign intelligence body would be given authority to act independently of DHS. Such a move would be intensely problematic on the basis that NSA is highly secretive, even more than DHS, and is routinely involved in bypassing or finding ways around Americans’ existing legal protections. The notion that the institution’s ongoing bad behaviour should lend credence and authority to its missions is absurd.

Some private-sector companies are good corporate citizens and spend money and time to secure their networks. But many don’t. It’s costly, both in terms of buying the protection systems necessary to make sure critical systems don’t fail and also in terms of the interaction between the average employee and the software. Security and efficiency diverge, at least in the short run.

While this is true, to an extent, it fails to account for the magnitude of scale. Most large businesses have security staff and dedicated network administrators; there is some defence taking place. It’s the mid-sized businesses that tend to be disastrously under-protected. Is the proposal that pretty well all businesses with under, say, 1,000 people will get the benefit of NSA-grade security and surveillance? If so, that’s an awful lot of NSA-compliant gear.

If the NSA were simply to share with the private sector en masse the signatures its intelligence collection obtains about potential cyber-attacks, cybersecurity could measurably improve in the near term. But outside the companies who regularly do business with the intelligence community and the military, few firms have people with the clearances required by the NSA to distribute threat information. (Under the new initiative, the NSA’s intelligence will be filtered through the FBI and DHS.)

It’s important to recognize that DPI equipment isn’t cheap. In addition to NSA signatures you’d likely need an ongoing service contract with the appliance manufacturer. Moreover, to actually run the appliance you’ll either need in-house staff or have to contract out the job; in either case, businesses will see an increase in the cost of doing business. They may not see a return. Moreover, DPI signatures are not foolproof, and they are often particular to specific appliance vendors. So…will your appliance be ‘compatible’ with NSA intelligence? And how do you check the NSA’s own signatures to ensure that the Agency isn’t doing something sneaky?

By the end of the article what we’re really missing is any critical analysis of the security properties of the DPI appliances themselves or of the NSA in general. DPI devices read, and can modify, the contents of data packets either in real time or, if the traffic is offloaded to temporary storage, offline. In either case, when and if these devices are compromised, all of the network traffic coursing through them becomes compromised. So you can, in effect, move from dealing with compromised devices placed at strategic points in your network to dealing with that plus having your sophisticated routers turned against you. And the author’s final lines in the article – yeah, NSA’s been bad in the past, but hey: they’re really on ‘our’ side now! – don’t exactly fill a reader with much confidence.


Categories
Quotations

2013.3.10

But documents released by the Electronic Privacy Information Center (and an unredacted version of the same unearthed by CNET) late last week show that the DHS has been doing a lot more with drones in the intervening ten years, including tricking them out with cellphone sniffing equipment, sensors that can distinguish between humans and animals, and technology that tells authorities whether someone on the ground is packing a gun.

Frighteningly, the records also show that the DHS’ Predator drones are ready to be equipped with weapons, although a spokesman for DHS sub-agency Customs, Border Protection (CBP) told CNET’s Declan McCullagh that the drones are currently unarmed. McCullagh reports that the DHS has been loaning its drones to domestic law enforcement agencies with criminal justice missions, “including the FBI, the Secret Service, the Texas Rangers, and local police.” Requests from those agencies are becoming more and more common, he writes:

“[DHS drone] use domestically by other government agencies has become routine enough – and expensive enough – that Homeland Security’s inspector general said (pdf) last year that CBP needs to sign agreements ‘for reimbursement of expenses incurred fulfilling mission requests’.”

The DHS told McCullagh that it isn’t using “signals interception” on its drones – yet – and that “[a]ny potential deployment of such technology in the future would be implemented in full consideration of civil rights, civil liberties, and privacy interests and in a manner consistent with the law and long-standing law enforcement practices.” But if “longstanding law enforcement practices” are any indication of where the DHS is headed, we are in trouble.

That’s because often “long-standing law enforcement practice” has been to get away with whatever it can using the loosest interpretation of the fourth amendment possible, before legislators or courts act to correct the problem (if they ever do).

Kade Crockford, “Drones are coming home to skies near you: feel safer?”
Categories
Quotations

2013.3.9

…nowhere does he raise the possibility that feedback loops produced by digital technologies might also be harming governance. Consider a 2011 survey by a British insurance company in which 11 percent of respondents claimed to have seen an incident but chose not to report it, worried that higher crime statistics for their neighborhood would significantly reduce the value of their properties. In this case, the quality of future data is intricately dependent on how much of the current data is disclosed; unconditional “openness” is the wrong move here—precisely because of feedback loops.

Evgeny Morozov, review of Future Shock

I would note that this failure to appreciate the social implications of novel monitoring technologies is something that is drastically unappreciated by public policy planners.

Categories
Quotations

2013.3.8

An often-overlooked dimension of cyber espionage is the targeting of civil society actors. NGOs, exile organizations, political movements, and other public interest coalitions have for many years encountered serious and persistent cyber assaults. Such threats — politically motivated and often with strong links to authoritarian regimes — include website defacements, denial-of-service attacks, targeted malware attacks, and cyber espionage. For every Fortune 500 company that’s breached, for every blueprint or confidential trade secret stolen, it’s a safe bet that at least one NGO or activist has been compromised in a similar fashion, with highly sensitive information such as networks of contacts exfiltrated. Yet civil society entities typically lack the resources of large industry players to defend against or mitigate such threats; you won’t see them hiring information security companies like Mandiant to conduct expensive investigations. Nor will you likely see Mandiant paying much attention to their concerns, either: if antivirus companies do encounter attacks related to civil society groups, they may simply discard that information as there is no revenue in it.

Rob Deibert and Sarah McKune, “Civil Society Hung Out To Dry in Global Cyber Espionage”
Categories
Writing

Don’t Risk Model for Aged, Wealthy, Americans

Data security and communicative privacy matter. The boons of the contemporary computer era have led to people across the world using common services for security, for data processing, and for communications generally, despite users’ radically different risk profiles. Few users are savvy enough to engage in code-level audits, fewer to ascertain the validity of improperly issued security certificates, and likely even fewer to guarantee that programs’ and operating systems’ updates are from the actual developers. These are problems – important problems – that need to be directly addressed by developers.

It’s always been morally wrong to be cavalier about your software’s security profile, and to just discount the potential vulnerabilities or bugs linked to your tools. Things aren’t getting better, however, on account of state actors becoming more and more sophisticated in how they target and monitor their citizens’ and residents’ communications. Consequently, the blasé attitude towards security that has (largely) focused on successful engineering over successful security in depth is a larger and larger problem. This attitude, especially when it comes to anti-circumvention and encryption software, is leading to individual users ending up seriously hurt, imprisoned, or dead.

Security is important. Speech is important. And ensuring that secure, private, speech is possible is an increasingly critical issue for parties throughout the world. Developers and companies and individuals ought to take the severity of the consequences of their actions to heart, or risk having very real blood on their hands.

Categories
Quotations

2013.3.5

Once your life is inside a federal investigation, there is no space outside of it. The only private thing is your thoughts, and even they don’t feel safe anymore. Every word you speak or write can be used, manipulated, or played like a card against your future and the future of those you love. There are no neutral parties, no sources of unimpeachable wisdom and trust.

The lawyers tell you: take no notes.

The lawyers tell you: talk to no one.

It is the loneliest of lonely things to be surrounded by your loved ones, in danger, and forced to be silent.

May you never experience a Federal investigation. I did, and it consumed me, and changed everyday that will come after it for the rest of my life.

Quinn Norton, “Life Inside the Aaron Swartz Investigation”
Categories
Quotations

2013.3.4

Security signs that begin with ‘For your protection…’ essentially end with ‘…we will restrict freedoms & invade privacy’.

Neil deGrasse Tyson (via kateoplis)

You tell ’em Neil, we need working and relevant services, not to be babied.

(via scinerds)

This, this is a case of Neil not thinking about the children, right? Right?

Categories
Quotations

2013.3.4

The traditionally advocated uses for NFC have been to replace RFID chips in travel cards, such as the Oyster card in the UK, and RFID chips in credit cards, such as MasterCard’s PayPass.

The problem with these replacements is a simple one, however. Smartphone batteries run out. They do so with alarming regularity, and they do so at inopportune moments. I don’t care what phone you say you have, and I don’t care if you say it doesn’t happen to you, because it does. You end up staying out late, or you leave your charger at home by accident, or you just plain use the phone too much during the day, and then when you need the phone to work, it doesn’t because it’s out of juice.

The phone running out of power is bad enough when it means you don’t have maps and directions. That’s annoying. But even worse is the battery going flat when you need the phone for mass transit or paying for stuff.

And yet that’s precisely the value proposition that NFC offers: go out for a night on the town and get stranded with no money, no subway ride home. The only way to be safe is to take your credit card and travel card with you anyway, and if you’re doing that? Well you don’t exactly need NFC then, do you?

Peter Bright, “Mobile World Congress is Mean Girls, and NFC isn’t going to happen”
Categories
Quotations

2013.3.3

Being crass should not be a crime, but that’s essentially what Andrew Auernheimer was convicted of. This was the case where AT&T accidentally published the emails and device IDs of the first iPad customers. Andrew downloaded them and published proof of the problem to Gawker. His “coconspirator” pled guilty, testified against Andrew, and provided private emails to prosecutors that “proved” Andrew’s bad intentions. These emails disclose things like Andrew talking about stealing the information and wanting to profit from the event. That made his simple actions look very nefarious.

But that’s how we in the cybersec community always talk. When we find cybersec problems, we dream of the worst ways we can be horrible people and exploit them. If you listened to any of our private conversations, you’d be convinced that we were all secretly one step away from triggering World War III.

I’m pretty sure had I been in Andrew’s place, the prosecutors would’ve found much worse to hang me by. Indeed, you’ll find much in my public Twitter feed and blog posts to convict me of. When the Mars Curiosity Rover landed last August, and the first pictures arrived from the planet, I was about to tweet the URL to view those pictures. But the site was already failing under the load of all the nerds worldwide getting those pictures. Therefore, I changed my tweet to comment on the fact that this was essentially a DDoS attack – the sort of attack that activists do against large corporations they don’t like. I therefore made the humorous tweet “Join our DDoS against NASA and click” on their website.

Of course, I’m not against NASA, nor do I think anybody else is. I can’t imagine why anybody would want to DDoS them. It should be obvious that my tweet is humor. But, prosecutors taking this out of context might use it to try to convict me, to prove to jurors of my evil intent.

Robert Graham, “Context matters: we only appear to be blackhats”
Categories
Links Quotations

2013.3.2

At least Britain sort of got it half right. There, to make life easier for stores selling age-restricted items there’s a “Challenge 21” programme, so anyone looking 21 or under is asked for ID, even if the products are restricted to over-18s. Tesco and other large chain stores championed a “Challenge 25” programme just in case someone slipped through the net. Finally some idiot in the seaside resort of Blackpool came up with the idea of “Challenge 30”, which is roundly lambasted across Britain.

But at least these outlets demand high-integrity forms of ID such as driving licences. In the US you can show a picture of your dog pasted on the back of a chocolate biscuit and they’re likely to accept it.

That’s because no-one really knows why they are asking for ID in the first place, and no-one up the chain tells them – mainly because they don’t know either. Everyone just goes through the motions. There’s no way to verify the validity of ID, so everyone just plods along with the security theatre.

Simon Davis, “How a dog and some chocolate biscuits reveal an identity crisis in America”