WebProNews

Tag: NSA

  • The NSA Pushes for Adoption of Memory Safe Coding Languages

    The National Security Agency (NSA) is pushing for the adoption of memory safe coding languages in an effort to improve security.

    Software memory issues constitute one of the biggest sources of vulnerabilities for bad actors to exploit. Older, more established programming languages often lack automated means of managing memory, putting additional burdens on programmers to ensure no memory errors creep in.

    “How a software program manages memory is core to preventing many vulnerabilities and ensuring a program is robust,” writes the NSA in its Cybersecurity Information Sheet. “Exploiting poor or careless memory management can allow a malicious cyber actor to perform nefarious acts, such as crashing the program at will or changing the instructions of the executing program to do whatever the actor desires. Even un-exploitable issues with memory management can result in incorrect program results, degradation of the program’s performance over time, or seemingly random program crashes.”

    The NSA is now pushing for the adoption of languages that offer better memory management features, so-called “memory safe languages.” Memory safe languages include C#, Go, Java®, Ruby™, Rust®, and Swift.

    “Using a memory safe language can help prevent programmers from introducing certain types of memory-related issues,” the NSA adds. “Memory is managed automatically as part of the computer language; it does not rely on the programmer adding code to implement memory protections. The language institutes automatic protections using a combination of compile time and runtime checks. These inherent language features protect the programmer from introducing memory management mistakes unintentionally. Examples of memory safe languages include C#, Go, Java, Ruby, Rust, and Swift.”

    Rust, in particular, has gained publicity and adoption for being a memory safe language. Rust has been making its way into the Linux kernel and was chosen by System76, makers of the popular Pop!_OS Linux distro, to create their new COSMIC desktop environment.

  • Worldwide Government Agencies Warn of MSP Cyberattacks

    Managed service providers (MSPs) are coming under increased cyberattack, according to multiple government agencies worldwide.

    A new advisory issued by CISA, NSA, FBI, and various international cyber authorities warns that MSPs and their customers are being increasingly targeted by bad actors. MSPs are prime targets, since compromising one provides a single attack vector that can be used to reach multiple organizations.

    Government agencies are advising these companies to take a number of actions in an effort to mitigate these threats, including:

    • Implement mitigation resources to help prevent initial compromise.
    • Enable monitoring and at least six months of logging, as well as endpoint detection and network defense monitoring.
    • Use multifactor authentication and other measures to secure remote access applications.
    • Have incident response and recovery plans in place.
    • Understand and manage the risks associated with software and services supply chains.

    “As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” said CISA Director Jen Easterly. “Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

    “We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that,” said NCSC CEO Lindy Cameron. “Our joint advisory with CISA is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk. I strongly encourage both managed service providers and their customers to follow this and our wider guidance – ultimately this will help protect not only them but organisations globally.” 

    Organizations are encouraged to review the entire advisory as soon as possible.

  • Russian Sanctions Are Dampening Ransomware Attacks

    Sanctions imposed on Russia by the international community are having an unforeseen side effect: ransomware has taken a hit.

    Ransomware has become one of the biggest cybersecurity threats, impacting organizations of all sizes. Government agencies and educational institutions have been hit hard as well, with Lincoln College recently closing its doors in large part because of a ransomware attack.

    It’s no secret that Russia is the home base of many ransomware gangs, with the Russian government turning a blind eye to their activities. According to ZDNet, the sanctions Russia is under are making it difficult for ransomware gangs to carry out their operations and receive payment.

    “One interesting trend we see is, in the last month or two ransomware is actually down. There’s probably a lot of different reasons why that is, but I think one impact is the fallout of Russia-Ukraine,” said NSA director of cybersecurity Rob Joyce.

    “As we do sanctions and it’s harder to move money and it’s harder to buy infrastructure on the web, we’re seeing them less effective – and ransomware is a big part of that,” he added.

  • AWS Survives Review Process to Win NSA Contract

    AWS has won a major contract with the National Security Agency (NSA), after the contract award came under review.

    AWS was awarded a $10 billion contract with the NSA, but Microsoft immediately challenged the award, much as AWS had challenged Microsoft winning a major contract with the Department of Defense. According to FedScoop, the Government Accountability Office (GAO) instructed the NSA to review the bid over concerns about how Microsoft’s bid was evaluated. Despite the review, the NSA has once again awarded AWS the win.

    “NSA recently awarded a contract to Amazon Web Services that delivers cloud computing services to support the Agency’s mission,” said an NSA spokesperson. “This contract is a continuation of NSA’s Hybrid Compute Initiative to modernize and address the robust processing and analytical requirements of the Agency.”

    “We’re honored that after thorough review, the NSA selected AWS as the cloud provider for the Hybrid Compute Initiative, and we’re ready to help deliver this critical national security capability,” said an AWS spokesperson.

  • What’s Good for the Goose: Microsoft Challenges AWS NSA Contract

    Microsoft is turning the tables on AWS, challenging a $10 billion contract award from the National Security Agency (NSA).

    Microsoft won the $10 billion JEDI contract from the Pentagon in October 2019, beating out AWS in the process. AWS immediately filed a lawsuit, winning an injunction against Microsoft moving forward with deployment. The legal challenge dragged out for so long that the Pentagon was forced to abandon the project in the interest of not falling further behind in its efforts to modernize its systems.

    AWS has won a $10 billion contract with the NSA, and Microsoft is launching a legal challenge of its own, according to Nextgov. The project, codenamed “WildandStormy,” appears to be aimed at modernizing the agency’s classified data repository.

    When Nextgov reached out to AWS, the company referred questions to the NSA, and the NSA provided the following statement:

    “NSA recently awarded a contract for cloud computing services to support the Agency. The unsuccessful offeror has filed a protest with the Government Accountability Office. The Agency will respond to the protest in accordance with appropriate federal regulations.” 

    Microsoft also confirmed the situation in a statement to Nextgov:

    “Based on the decision we are filing an administrative protest via the Government Accountability Office. We are exercising our legal rights and will do so carefully and responsibly,” a Microsoft spokesperson said.

    Microsoft is in a challenging situation. On the one hand, while it obviously sees some merit in challenging the decision, the company was vocal in criticizing AWS for allegedly abusing the system when AWS fought Microsoft’s win. Microsoft said AWS was using the legal discovery process to learn what Microsoft had bid — in what should have been a closed-bid process — and then lowering its own bid to undercut it.

    Microsoft will no doubt want to be careful not to give the appearance of doing the very thing it accused AWS of.

  • NSA Hacking Tool Was Stolen by Chinese Hackers and Used Against US

    A National Security Agency (NSA) hacking tool was stolen by Chinese hackers in 2014 and used against US targets, according to researchers.

    The NSA is tasked with protecting US digital communications and resources, as well as trying to crack the communications of entities the US considers hostile. The agency also engages in signals intelligence gathering, both foreign and domestic. As part of its activities, the NSA develops tools to help it crack encryption and hack into systems. The NSA’s Tailored Access Operations (TAO) unit, also known as the “Equation Group,” is primarily responsible for the latter realm of operations.

    According to researchers at Check Point Research, it appears that one of the Equation Group’s tools was stolen by Chinese hackers in 2014. The group, APT31, is a state-sponsored hacking group.

    This isn’t the first time NSA tools have been suspected of being stolen and used. In 2017, a group called the “Shadow Brokers” managed to gain access to and leak Equation Group tools. What makes this latest revelation so interesting, and disturbing, is that it predates the Shadow Brokers leak by more than two years.

    APT31 used the NSA’s code and modified it to create their own version of the exploit called “Jian.”

    We began with analyzing “Jian”, the Chinese (APT31 / Zirconium) exploit for CVE-2017-0005, which was reported by Lockheed Martin’s Computer Incident Response Team. To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called “EpMe”. This means that an Equation Group exploit was eventually used by a Chinese-affiliated group, probably against American targets.

    Check Point Research came to some disturbing conclusions regarding exactly how APT31 gained access to the NSA code.

    The case of EpMe / Jian is different, as we clearly showed that Jian was constructed from the actual 32-bits and 64-bits versions of the Equation Group exploit. This means that in this scenario, the Chinese APT acquired the exploit samples themselves, in all of their supported versions. Having dated APT31’s samples to 3 years prior to the Shadow Broker’s “Lost in Translation” leak, our estimate is that these Equation Group exploit samples could have been acquired by the Chinese APT in one of these ways:

    • Captured during an Equation Group network operation on a Chinese target.
    • Captured during an Equation Group operation on a 3rd-party network which was also monitored by the Chinese APT.
    • Captured by the Chinese APT during an attack on Equation Group infrastructure.

    Needless to say, it’s disconcerting that an agency with the goal of protecting US communications seems to have such an issue keeping its most dangerous tools secure — tools that end up being used against the very targets it’s tasked with protecting.

  • NSA Warning of On-Premise to Cloud Attacks

    The National Security Agency is warning of attacks that target the local network and ultimately compromise organizations’ cloud resources.

    As companies migrate to the cloud, improved security is one of the top selling points. While that is generally true, many security processes need to be reworked to account for cloud computing. This is especially true as many cloud systems and platforms are designed to interoperate with each other.

    One security measure that has become popular is federated single sign-on (SSO). SSO is a way for an individual to use a single set of credentials to log into any number of authorized applications and services. Federated SSO advances that concept to allow a user to log into services across networks and platforms with the same trusted credentials.

    Unfortunately, hackers appear to be using federated SSOs to escalate attacks from compromised local networks to cloud resources.

    The NSA has documented two such types of attack:

    In the first TTP, the actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens (TA0006, T1552, T1552.004). Using the private keys, the actors then forge trusted authentication tokens to access cloud resources. A recent NSA Cybersecurity Advisory warned of actors exploiting a vulnerability in VMware Access® and VMware Identity Manager® that allowed them to perform this TTP and abuse federated SSO infrastructure. While that example of this TTP may have previously been attributed to nation-state actors, a wealth of actors could be leveraging this TTP for their objectives. This SAML forgery technique has been known and used by cyber actors since at least 2017.

    In a variation of the first TTP, if the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.

    In the second TTP, the actors leverage a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious (T1114, T1114.002).

    The NSA’s document contains mitigation techniques and should be read immediately by all systems admins.
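    The two TTPs quoted above each leave a visible trail in tenant audit logs: a token signed by a certificate the defender never registered, a new certificate added to the federation trust, and a global administrator attaching a credential to an application identity that then reads mail. The following is an added detection example written for this page, not NSA text and not any cloud vendor's rule; the audit events, field names and scope names are constructed, and a real deployment would map its own log schema onto them.

```python
"""Detection logic for the two federated-SSO TTPs described in the NSA advisory.

Added example, not NSA text and not any cloud vendor's detection rule. The
audit events are constructed JSON records with hypothetical field names.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Defender-maintained baseline (constructed values): the only certificates
# that should ever sign SAML tokens for this tenant, the approved change
# records for federation changes, and the role/scope names to watch.
TRUSTED_SAML_SIGNING_THUMBPRINTS = {"THUMB-IDP-PROD-01", "THUMB-IDP-PROD-02"}
APPROVED_CHANGE_TICKETS = {"CHG-0042"}
GLOBAL_ADMIN_ROLE = "GlobalAdministrator"      # hypothetical role name
MAIL_SCOPES = {"mail.read", "mail.readwrite"}  # constructed scope names


@dataclass(frozen=True)
class Finding:
    ttp: str        # which advisory TTP (or step of it) the event matches
    event_id: str
    reason: str


def detect(events: list[dict]) -> list[Finding]:
    """Single pass over time-ordered audit events; one Finding per hit."""
    findings: list[Finding] = []
    # Service principals a global admin gave a new credential to. A later
    # sign-in by one of them against mail is the second half of TTP 2.
    newly_credentialed: dict[str, str] = {}  # service_principal_id -> admin

    for ev in events:
        kind = ev["type"]
        if kind == "saml_token_accepted":
            # TTP 1: token signed by a key outside the defender's baseline,
            # i.e. forged with a stolen key or signed via a rogue trust.
            thumb = ev["signing_cert_thumbprint"]
            if thumb not in TRUSTED_SAML_SIGNING_THUMBPRINTS:
                findings.append(Finding(
                    "TTP1-forged-saml-token", ev["id"],
                    f"token for {ev['subject']} signed by unknown cert {thumb}"))
        elif kind == "federation_trust_modified":
            # TTP 1 variant: a new signing certificate added to the tenant's
            # federation trust with no approved change record behind it.
            if ev.get("change_ticket") not in APPROVED_CHANGE_TICKETS:
                findings.append(Finding(
                    "TTP1-rogue-federation-trust", ev["id"],
                    f"{ev['actor']} added cert {ev['new_cert_thumbprint']} "
                    "outside change control"))
        elif kind == "service_principal_credential_added":
            # TTP 2, step 1: a global admin attaches a secret or certificate
            # to an application identity.
            if GLOBAL_ADMIN_ROLE in ev["actor_roles"]:
                sp = ev["service_principal_id"]
                newly_credentialed[sp] = ev["actor"]
                findings.append(Finding(
                    "TTP2-sp-credential-by-global-admin", ev["id"],
                    f"{ev['actor']} added a credential to {sp}"))
        elif kind == "service_principal_signin":
            # TTP 2, step 2: that identity then uses the new credential to
            # read mail, which a user-level audit trail would not show.
            sp = ev["service_principal_id"]
            if sp in newly_credentialed and MAIL_SCOPES & set(ev["scopes"]):
                findings.append(Finding(
                    "TTP2-sp-mail-access", ev["id"],
                    f"{sp} read mail after credential added by "
                    f"{newly_credentialed[sp]}"))
    return findings


# Constructed sample audit trail: one benign and one suspicious event for
# each TTP, plus an unrelated service principal reading mail (not flagged).
SAMPLE_EVENTS = """[
 {"id": "e1", "type": "saml_token_accepted", "subject": "alice@example.test",
  "signing_cert_thumbprint": "THUMB-IDP-PROD-01"},
 {"id": "e2", "type": "saml_token_accepted", "subject": "globaladmin@example.test",
  "signing_cert_thumbprint": "THUMB-UNKNOWN-77"},
 {"id": "e3", "type": "federation_trust_modified", "actor": "itops@example.test",
  "new_cert_thumbprint": "THUMB-IDP-PROD-02", "change_ticket": "CHG-0042"},
 {"id": "e4", "type": "federation_trust_modified", "actor": "globaladmin@example.test",
  "new_cert_thumbprint": "THUMB-ROGUE-99"},
 {"id": "e5", "type": "service_principal_credential_added",
  "actor": "globaladmin@example.test", "actor_roles": ["GlobalAdministrator"],
  "service_principal_id": "sp-mailarchiver"},
 {"id": "e6", "type": "service_principal_signin",
  "service_principal_id": "sp-mailarchiver", "scopes": ["mail.read"]},
 {"id": "e7", "type": "service_principal_signin",
  "service_principal_id": "sp-billing", "scopes": ["mail.read"]}
]"""


def run_sample() -> list[Finding]:
    """Run the detector over the constructed sample trail."""
    return detect(json.loads(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.ttp}] {f.event_id}: {f.reason}")
```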

  • T-Mobile Achieves Several Standalone 5G Milestones

    T-Mobile has announced several important milestones in its standalone (SA) 5G rollout.

    5G networks are currently built on non-standalone (NSA) technology, meaning that the backbone is based on the 4G LTE core, giving compatible devices the ability to connect to 5G and LTE simultaneously. While still faster than straight LTE, NSA 5G can’t match the potential of an SA 5G network, where all the components are based on the newer tech.

    According to T-Mobile, the company has successfully completed a number of significant steps involving SA 5G testing, including the first data session using multi-vendor modems, the first “voice call using Evolved Packet System (EPS) fallback to VoLTE,” and the first low-band voice calls (VoNR) and video calls (ViNR) over production networks. ViNR is particularly significant, as it allows native, high-quality video calls without an app.

    “Powerful and reliable wireless networks are more important than ever, and these milestones mark a huge step forward for the entire wireless ecosystem,” said Neville Ray, President of Technology at T-Mobile. “Standalone 5G, paired with the broad and deep network we’re building by combining the assets of T-Mobile and Sprint, will accelerate 5G adoption and services and transform wireless!”

    T-Mobile is wasting no time moving forward in their 5G rollout following their merger with Sprint. These latest announcements will pave the way for significant improvements for customers of the magenta network.

  • PSA: NSA Issues Warning About Windows 10 Vulnerability

    The National Security Agency (NSA) has issued a press release detailing a severe vulnerability in Windows 10 and encouraging all users to update immediately.

    According to the NSA’s press release, the agency discovered the vulnerability in the Windows 10 cryptography functionality. “The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality.”

    It is relatively unusual for the NSA to issue a press release about a vulnerability, but the severity of this particular one warranted it.

    “The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

    The agency recommends all users immediately apply all January 2020 Patch Tuesday patches to mitigate the danger.

  • ToTok Removed From Apple and Google Stores Amid Claims It’s a Government Spying App

    ToTok was released only months ago and has climbed the charts to become one of the most popular messaging apps in Britain, India, Saudi Arabia and Sweden, as well as becoming one of the most downloaded social media apps in the U.S. last week.

    According to a report by the New York Times, however, the app is actually a spying tool for the United Arab Emirates government, giving it the ability to “track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.” The allegation is based on American officials who were aware of classified intelligence, as well as the NYT’s own investigation.

    The app is distributed by a company called Breej Holding. However, investigation indicates the firm is likely a front company associated with DarkMatter, a cyberintelligence and hacking firm located in Abu Dhabi. DarkMatter is staffed with individuals who previously worked for the NSA, Israeli intelligence and Emirati intelligence, and is under FBI investigation for possible cyber crimes.

    In the wake of these revelations, both Apple and Google have removed the app from their respective stores. ToTok released a post to its user community to address the allegations, but stopped short of denying them outright. In fact, its privacy policy expressly says it may share data with “group companies,” as well as “to comply with a legal obligation to which we are subject.” Either of those clauses comes into play if the allegations are correct and the app is actually backed by the government.

    As the NYT comments, this is a significant “escalation in a digital arms race among wealthy authoritarian governments.” Whereas many governments have banned apps like WhatsApp and Signal, since they employ end-to-end encryption, the UAE took it a step further by lulling their citizens into a false sense of security with an app deliberately designed to spy on them and anyone else using it.

  • Edward Snowden: All Criminal Charges Should Be Dropped, Votes EU Parliament

    In a very close vote, the EU Parliament has decided to recommend member states drop any and all charges against NSA whistleblower Edward Snowden.

    The body called on countries to “drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistle-blower and international human rights defender.”

    The vote was 285 to 281.

    The vote came alongside a larger resolution urging the EU Commission to “ensure that all data transfers to the US are subject to an ‘effective level of protection.’”

    The EU Parliament called on the Commission to “immediately take the necessary measures to ensure that all personal data transferred to the US are subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU”. It invites the Commission to reflect immediately on alternatives to Safe Harbour and on the “impact of the judgment on any other instruments for the transfer of personal data to the US, and to report on the matter by the end of 2015.”

    Snowden has responded on Twitter, calling it a “game-changer.”

    “We welcome today’s decision of the European Parliament recognizing Edward Snowden as a human rights defender and calling upon member states to grant him protection from prosecution,” said Wolfgang Kaleck, Snowden’s EU lawyer. “It is an overdue step and we urge the member States to act now to implement the resolution.”

    Edward Snowden is still in Russia, and still being sought by the US government. In July, the Obama administration responded to a petition to pardon Snowden with a resounding no thanks.

  • Edward Snowden Joins Twitter

    With a “Can you hear me now”, NSA whistleblower Edward Snowden has joined Twitter.

    “I used to work for the government. Now I work for the public,” reads his bio.

    He’s already making some high-profile Twitter buddies:

    It was actually Neil Tyson who prompted Snowden to get on Twitter.

    “You kind of need a Twitter handle. So like @Snowden, maybe? Is this something you might do?” asked Tyson in a recent StarTalk Radio interview.

    “That sounds good, I think we’ve got to make it happen,” said Snowden.

    “You and I will be Twitter buddies. Your followers will be: the Internet, me, and the NSA.”

    Snowden is only following one account – the NSA. He’s amassed over 215,000 followers in about an hour.

    I guess Snowden finally realized that it’s easier to say what you want to say with a Twitter account. I guess that’s what prompted him to join, I mean, he does have a big movie coming out soon.

  • The White House Just Responded to the Pardon Edward Snowden Petition – Two Years Later

    It only took two years, but the White House has finally gotten around to providing a response to a petition asking for the pardon of NSA whistleblower Edward Snowden.

    Official answer: nope.

    “As the President said in announcing recent intelligence reforms, ‘We have to make some important decisions about how to protect ourselves and sustain our leadership in the world, while upholding the civil liberties and privacy protections that our ideals and our Constitution require.’ Instead of constructively addressing these issues, Mr. Snowden’s dangerous decision to steal and disclose classified information had severe consequences for the security of our country and the people who work day in and day out to protect it,” says Lisa Monaco, President Obama’s Advisor on Homeland Security and Counterterrorism.

    “If he felt his actions were consistent with civil disobedience, then he should do what those who have taken issue with their own government do: Challenge it, speak out, engage in a constructive act of protest, and — importantly – accept the consequences of his actions. He should come home to the United States, and be judged by a jury of his peers – not hide behind the cover of an authoritarian regime. Right now, he’s running away from the consequences of his actions.”

    The original petition, on the White House’s We The People site, was published on June 9th, 2013. Here’s what it says:

    Edward Snowden is a national hero and should be immediately issued a full, free, and absolute pardon for any crimes he has committed or may have committed related to blowing the whistle on secret NSA surveillance programs.

    The petition has garnered nearly 168,000 signatures, although it’s been closed for a while.

    “We will do our best to respond to petitions that cross the signature threshold in a timely fashion, however, depending on the topic and the overall volume of petitions from We the People, responses may be delayed,” the White House says on the site.

    This usually means 60 days from when said petition hits the signature threshold – which is 100,000 in 30 days.

    But as we’ve seen for many years, the White House isn’t that punctual.

    It did take the administration only three months to respond to the deport Justin Bieber petition, however.

  • Obama Urged to Reject Encryption Backdoors in Tech-Backed Letter

    President Obama is about to receive a letter signed by dozens upon dozens of companies and organizations, urging him to resist giving government agencies access to citizens’ personal data via backdoors in encrypted devices.

    “We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad,” says the letter.

    “We are writing today to respond to recent statements by some Administration officials regarding the deployment of strong encryption technology in the devices and services offered by the U.S. technology industry. Those officials have suggested that American companies should refrain from providing any products that are secured by encryption, unless those companies also weaken their security in order to maintain the capability to decrypt their customers’ data at the government’s request. Some officials have gone so far as to suggest that Congress should act to ban such products or mandate such capabilities.”

    The idea that devices should be encrypted, but not that encrypted, is one that’s been floated around as of late by officials like U.S. Secretary of Homeland Security Jeh Johnson.

    The “current course [the technology industry is on], toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security,” said Johnson recently. “Encryption is making it harder for your government to find criminal activity and potential terrorist activity.”

    The consortium argues against backdoors (or front doors or whatever you want to call them) that would allow access to encrypted devices.

    “Encryption thereby protects us from innumerable criminal and national security threats. This protection would be undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them ‘front doors’ or ‘back doors’, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts,” says the letter.

    The letter is signed by companies like Apple, Facebook, Microsoft, Google, Twitter, and Yahoo – as well as privacy organizations like the ACLU, Human Rights Watch, the Electronic Frontier Foundation, and over 50 security and policy experts.

    According to the Washington Post, the letter is also signed by “three of the five members of a presidential review group appointed by Obama in 2013 to assess technology policies in the wake of leaks by former intelligence contractor Edward Snowden.”

    “The Administration faces a critical choice: will it adopt policies that foster a global digital ecosystem that is more secure, or less? That choice may well define the future of the Internet in the 21st century,” they say.

    Image via White House, Twitter

  • John Oliver, Edward Snowden Talk Surveillance, Hot Pockets, Dick Pics

    On Sunday’s Last Week Tonight, HBO’s John Oliver took a long, hilarious, but ultimately frightening look into the Patriot Act, government surveillance, and the man who revealed it all a couple summers ago – Edward Snowden.

    But the show wasn’t your typical show. Oliver actually flew to Russia to conduct an interview with the former NSA contractor.

    Oliver offered a brief refresher on exactly what Snowden leaked and why we should all care (even though many of us don’t).

    “I’m not saying this is an easy conversation,” said Oliver, “but we have to have it. I know this is confusing. And unfortunately, the most obvious person to talk to about this is Edward Snowden – but he currently lives in Russia, meaning if you wanted to ask him about any of these issues you’d have to fly all the way there to do it. And it is not a pleasant flight. And the reason I know that is last week I went to Russia to speak to Edward Snowden, and this is what happened.

    You should watch the whole segment, but the Snowden interview starts at around the 14-minute mark. Leave it to John Oliver to boil a complicated concept down to your nude cellphone pics – and have it work beautifully as an explainer.

    Image via Last Week Tonight with John Oliver, YouTube

  • Tech Companies Call for End to Mass Surveillance in Letter to Obama, Congress

    The group Reform Government Surveillance, which includes Apple, AOL, Facebook, Google, Microsoft, Twitter, Yahoo, and more, has joined dozens of other organizations in calling on the US government to reform mass surveillance and end the bulk data collection programs revealed over two years ago by Edward Snowden.

    Google explains in a blog post that with sections of the Patriot Act concerning bulk metadata collections expiring, now is the time for reform.

    “At the end of May, Section 215 of the USA Patriot Act is set to expire. Section 215 is one of the legal authorities relied upon by the U.S. government to conduct surveillance through the bulk collection of communications metadata. Earlier we joined other companies in the Reform Government Surveillance coalition, civil society groups, and trade associations in a letter that underscores the essential elements of any surveillance reform legislation,” says Google Chief Legal Officer David Drummond.

    In that letter, addressed to President Obama, Eric Holder, Director of National Intelligence James Clapper, NSA Director Michael Rogers, members of Congress, and more, the coalition admits that its members probably don’t agree on the exact course of reform, but says two things must happen.

    “Many of us have differing views on exactly what reforms must be included in any bill reauthorizing USA PATRIOT Act Section 215, which currently serves as the legal basis for the National Security Agency’s bulk collection of telephone metadata and is set to expire on June 1, 2015. That said, our broad, diverse, and bipartisan coalition believes that the status quo is untenable and that it is urgent that Congress move forward with reform,” it reads.

    Here’s what the group says must be included in reform:

    There must be a clear, strong, and effective end to bulk collection practices under the USA PATRIOT Act, including under the Section 215 records authority and the Section 214 authority regarding pen registers and trap & trace devices. Any collection that does occur under those authorities should have appropriate safeguards in place to protect privacy and users’ rights.

    The bill must contain transparency and accountability mechanisms for both government and company reporting, as well as an appropriate declassification regime for Foreign Intelligence Surveillance Court decisions.

    This isn’t the first time that this group of companies has pushed for a curbing of mass government surveillance.

  • People Aren’t That Concerned About Government Surveillance, Even Post Snowden

    Pew has just published a new report on Americans and how they protect their privacy in the post-Edward Snowden era. Long story short – most don’t do much of anything to even attempt to keep out the prying government eyes.

    Most people have heard at least something about Edward Snowden’s leaks, and the massive government surveillance programs he exposed to the public – 87 percent, in fact. Basically, you really have to be living under a rock to have missed this (it’s been about two years since Snowden first came forward).

    Despite having at least some level of familiarity with the government’s data collection initiatives, many Americans haven’t really taken any steps (however pointless they might be) to protect their data.

    From Pew:

    34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide or shield their information from the government. For instance, 17% changed their privacy settings on social media; 15% use social media less often; 15% have avoided certain apps and 13% have uninstalled apps; 14% say they speak more in person instead of communicating online or on the phone; and 13% have avoided using certain terms in online communications.

    25% of those who are aware of the surveillance programs (22% of all adults) say they have changed the patterns of their own use of various technological platforms “a great deal” or “somewhat” since the Snowden revelations. For instance, 18% say they have changed the way they use email “a great deal” or “somewhat”; 17% have changed the way they use search engines; 15% say they have changed the way they use social media sites such as Twitter and Facebook; and 15% have changed the way they use their cell phones.

    That leaves a whole lot of Americans who heard what Mr. Snowden had to say, and from then on felt no desire to modify their online behavior in the slightest.

    According to Pew, half of all surveyed have not even considered using a footprint-free search engine, using email encryption, or installing DoNotTrack plugins.

    Why? If not ignorance, is it laziness?

    Sort of. In reality, a large portion of the American public simply doesn’t care. They aren’t concerned about government surveillance and data collection in email, search, cellphones, or social media.

    However, Pew found that 57% of people think it’s “unacceptable” for the government to monitor US citizens’ private communications.

    Image via Pew

  • Edward Snowden: I Wish I Would Have Come Forward Sooner

    NSA whistleblower Edward Snowden is currently doing a reddit AMA with journalist Glenn Greenwald and Laura Poitras, the filmmaker who just won an Oscar for her Snowden documentary Citizenfour.

    Apart from some technical difficulties (mods accidentally banning his primary account), Snowden is giving some pretty thorough answers to users’ questions.

    Here are some of the best:

    TheJackal8: Mr. Snowden, if you had a chance to do things over again, would you do anything differently? If so, what?

    Snowden: I would have come forward sooner. I talked to Daniel Ellsberg about this at length, who has explained why more eloquently than I can.

    Had I come forward a little sooner, these programs would have been a little less entrenched, and those abusing them would have felt a little less familiar with and accustomed to the exercise of those powers. This is something we see in almost every sector of government, not just in the national security space, but it’s very important:

    Once you grant the government some new power or authority, it becomes exponentially more difficult to roll it back. Regardless of how little value a program or power has been shown to have (such as the Section 215 dragnet interception of call records in the United States, which the government’s own investigation found never stopped a single imminent terrorist attack despite a decade of operation), once it’s a sunk cost, once dollars and reputations have been invested in it, it’s hard to peel that back.

    Don’t let it happen in your country.

    masondog13: What’s the best way to make NSA spying an issue in the 2016 Presidential Election? It seems like while it was a big deal in 2013, ISIS and other events have put it on the back burner for now in the media and general public. What are your ideas for how to bring it back to the forefront?

    Snowden:

    This is a good question, and there are some good traditional answers here. Organizing is important. Activism is important.

    At the same time, we should remember that governments don’t often reform themselves. One of the arguments in a book I read recently (Bruce Schneier, “Data and Goliath”) is that perfect enforcement of the law sounds like a good thing, but that may not always be the case. The end of crime sounds pretty compelling, right, so how can that be?

    Well, when we look back on history, the progress of Western civilization and human rights is actually founded on the violation of law. America was of course born out of a violent revolution that was an outrageous treason against the crown and established order of the day. History shows that the righting of historical wrongs is often born from acts of unrepentant criminality. Slavery. The protection of persecuted Jews.

    But even on less extremist topics, we can find similar examples. How about the prohibition of alcohol? Gay marriage? Marijuana?

    Where would we be today if the government, enjoying powers of perfect surveillance and enforcement, had — entirely within the law — rounded up, imprisoned, and shamed all of these lawbreakers?

    Ultimately, if people lose their willingness to recognize that there are times in our history when legality becomes distinct from morality, we aren’t just ceding control of our rights to government, but our agency in determining our futures.

    How does this relate to politics? Well, I suspect that governments today are more concerned with the loss of their ability to control and regulate the behavior of their citizens than they are with their citizens’ discontent.

    How do we make that work for us? We can devise means, through the application and sophistication of science, to remind governments that if they will not be responsible stewards of our rights, we the people will implement systems that provide for a means of not just enforcing our rights, but removing from governments the ability to interfere with those rights.

    You can see the beginnings of this dynamic today in the statements of government officials complaining about the adoption of encryption by major technology providers. The idea here isn’t to fling ourselves into anarchy and do away with government, but to remind the government that there must always be a balance of power between the governing and the governed, and that as the progress of science increasingly empowers communities and individuals, there will be more and more areas of our lives where — if government insists on behaving poorly and with a callous disregard for the citizen — we can find ways to reduce or remove their powers on a new — and permanent — basis.

    Our rights are not granted by governments. They are inherent to our nature. But it’s entirely the opposite for governments: their privileges are precisely equal to only those which we suffer them to enjoy.

    We haven’t had to think about that much in the last few decades because quality of life has been increasing across almost all measures in a significant way, and that has led to a comfortable complacency. But here and there throughout history, we’ll occasionally come across these periods where governments think more about what they “can” do rather than what they “should” do, and what is lawful will become increasingly distinct from what is moral.

    In such times, we’d do well to remember that at the end of the day, the law doesn’t defend us; we defend the law. And when it becomes contrary to our morals, we have both the right and the responsibility to rebalance it toward just ends.

    cahaseler: We’ve now known about the scary stuff happening at the NSA for quite some time. And yet from what I’ve seen, there’s been no real effort to stop it. What are your thoughts on what we, as regular citizens, can do now?

    Snowden: One of the biggest problems in governance today is the difficulty faced by citizens looking to hold officials to account when they cross the line. We can develop new tools and traditions to protect our rights, and we can do our best to elect new and better representatives, but if we cannot enforce consequences on powerful officials for abusive behavior, we end up in a system where the incentives reward bad behavior post-election.

    That’s how we end up with candidates who say one thing but, once in power, do something radically different. How do you fix that? Good question.

    moizsyed: How did you guys feel about Neil Patrick Harris’ “for some treason” joke last night?

    Snowden: Wow the questions really blew up on this one. Let me start digging in…

    To be honest, I laughed at NPH. I don’t think it was meant as a political statement, but even if it was, that’s not so bad. My perspective is if you’re not willing to be called a few names to help out your country, you don’t care enough.

    “If this be treason, then let us make the most of it.”

    LegalNerd1940: What validation do we have that Putin is being honest about NOT spying in Russia?

    Snowden: To tag on to the Putin question: There’s not, and that’s part of the problem world-wide. We can’t just reform the laws in one country, wipe our hands, and call it a day. We have to ensure that our rights aren’t just being protected by letters on a sheet of paper somewhere, or those protections will evaporate the minute our communications get routed across a border. The only way to ensure the human rights of citizens around the world are being respected in the digital realm is to enforce them through systems and standards rather than policies and procedures.

    boingeh: Don’t you find it kind of depressing how little the world was actually moved by the revelations? I do. For a few days at a time it was the biggest news story ever but barely anything has changed and people are still using Google, Apple et al. in the same ways. The news in general is just so transient, watching the documentary just brought it all back. It felt like it might actually amount to something but as far as I can tell, even with the courts recently ruling that GCHQs actions were illegal for many years and NSAs whole program amounting to nothing, no significant legislation has passed and for all we know they are still rapidly expanding their programs.

    Snowden: To dogpile on to this, many of the changes that are happening are invisible because they’re happening at the engineering level. Google encrypted the backhaul communications between their data centers to prevent passive monitoring. Apple was the first forward with an FDE-by-default smartphone (kudos!). Grad students around the world are trying to come up with ways to solve the metadata problem (the opportunity to monitor everyone’s associations — who you talk to, who you sleep with, who you vote for — even in encrypted communications).

    The biggest change has been in awareness. Before 2013, if you said the NSA was making records of everybody’s phonecalls and the GCHQ was monitoring lawyers and journalists, people raised eyebrows and called you a conspiracy theorist.

    Those days are over. Facts allow us to stop speculating and start building, and that’s the foundation we need to fix the internet. We just happened to be the generation stuck with fighting these fires.

    ba_dumtshhh: First, congrats on the Oscar! Mr. Snowden, what do you think about the latest news Kaspersky broke? I understand they don’t talk about victims and aggressors because it’s their business model. But do you think they should name the NSA as an aggressor when they know about it?

    Snowden: The Kaspersky report on the “Equation Group” (they appear to have stopped short of naming them specifically as NSA, although authorship is clear) was significant, but I think more significant is the recent report on the joint UK-US hacking of Gemalto, a Dutch company that produces critical infrastructure used around the world, including here at home.

    Why? Well, although firmware exploitation is nasty, it’s at least theoretically reparable: tools could plausibly be created to detect the bad firmware hashes and re-flash good ones. This isn’t the same for SIMs, which are flashed at the factory and never touched again. When the NSA and GCHQ compromised the security of potentially billions of phones (3g/4g encryption relies on the shared secret resident on the sim), they not only screwed the manufacturer, they screwed all of us, because the only way to address the security compromise is to recall and replace every SIM sold by Gemalto.

    Our governments – particularly the security branches – should never be weighing the equities in an intelligence gathering operation such that a temporary benefit to surveillance regarding a few key targets is seen as more desirable than protecting the communications of a global system (and this goes double when we are more reliant on communications and technology for our economic productivity than our adversaries).

    Updating…

    Image via Imgur, Edward Snowden

  • Joseph Gordon-Levitt Will Play Snowden in Oliver Stone Film

    Back in September it was rumored that Joseph Gordon-Levitt had been offered the role of NSA whistleblower Edward Snowden in an upcoming Oliver Stone film.

    Now, the news has been confirmed. Speaking to Russian news site RIA Novosti, Oliver Stone said that the part will indeed be played by Gordon-Levitt, who he called “a very good actor, popular with the young people.”

    The project, which has yet to start filming, is still untitled. We do know that it will be based on two different books, to which Stone acquired the rights – The Snowden Files: The Inside Story of the World’s Most Wanted Man, by journalist Luke Harding and Time of the Octopus, by Russian lawyer Anatoly Kucherena.

    Stone also confirmed that shooting could begin as soon as early 2015.

    “We are working on the script. We hope to shoot early next year, we’ve been working on it for almost a year now … and we’re very pleased it’s coming along,” Stone told RIA Novosti.

    Stone has already met with Snowden, who was recently granted a three-year residence permit in Russia. In the summer of 2013, the 31-year-old former NSA analyst famously leaked (and continues to leak) documents and anecdotes about the US government’s massive surveillance initiative.

    Image via Wikimedia Commons