Resistance is futile....more NSA stuff

[wvjohn]

Law & Disorder / Civilization & Discontents
Bypassing oversight, NSA collects details on American connections
New York Times reports that NSA has complex maps of social ties based on metadata.

by Megan Geuss - Sept 28 2013, 4:35pm EST



The New York Times reported on Saturday that the National Security Agency has been collecting social data pertaining to Americans for the past three years, using 94 different “entity types” of metadata, “including phone numbers, e-mail addresses, and IP addresses.” With this, the agency has been able to construct maps of an individual's personal associations “for foreign intelligence purposes,” even if that person is a US citizen.

This latest news is based on former NSA contractor Edward Snowden's leaked documents, one of which is a January 2011 memorandum from the NSA. That memo addressed a November 2010 policy shift that allowed the agency to conduct “large-scale graph analysis on very large sets of communications metadata without having to check foreignness,” the memo said. Prior to that change in policy, such analysis was permitted only for foreigners.

"[T]he decision to revise the limits concerning Americans was made in secret, without review by the nation’s intelligence court or any public debate,” wrote NYT reporters James Risen and Laura Poitras.

An NSA spokeswoman told the NYT that “all data queries must include a foreign intelligence justification, period,” and that “our activities are centered on counterterrorism, counterproliferation, and cybersecurity.” The spokeswoman went on to cite a 1979 Supreme Court ruling, which stated that Americans could not expect privacy regarding which phone numbers they had dialed, as justification of the policy shift. Because of that ruling, the NSA decided that any vast collection of metadata on an American person was permitted. As long as the content of communications is not included, “the agency is not required to seek warrants for the analyses from the Foreign Intelligence Surveillance Court.”

Documents viewed by the NYT show that the NSA asked for such power as early as 1999, but the request was rejected due to privacy concerns. The agency asked again in 2006, and in 2008 the Bush administration approved the policy shift. The NSA then performed a year-and-a-half long pilot program before making the policy shift official in November 2010 as “Sigint [Signals Intelligence] Management Directive 424.”

The NSA did tell the NYT that its database of domestic phone call records, which was revealed in the first Snowden leak back in June, was not used in mapping social connections. Still, former officials who spoke on anonymity due to the classified nature of the information, told the NYT that the “social networking analyses relied on both domestic and international metadata” from “multiple collection programs and databases.” These databases include a tool called “Mainway” which chains phone numbers and e-mail addresses in a repository populated by “the agency’s fiber-optic cables, corporate partners, and foreign computer networks that have been hacked.”

In August 2011, Mainway was receiving up to 1.8 billion cellphone records daily under “Section 702 of the 2008 FISA Amendments Act, which allows for the collection of the data of Americans if at least one end of the communication is believed to be foreign.”

The social graphs also include a vast amount of publicly available and commercial information, as the NYT describes:

The agency can augment the communications data with material from public, commercial and other sources, including bank codes, insurance information, Facebook profiles, passenger manifests, voter registration rolls and GPS location information, as well as property records and unspecified tax data, according to the documents. They do not indicate any restrictions on the use of such “enrichment” data, and several former senior Obama administration officials said the agency drew on it for both Americans and foreigners.

A top secret document obtained by the NYT explains that the agency looks for 94 different "entity types" of metadata and “correlates 164 'relationship types' to build social networks and what the agency calls 'community of interest' profiles, using queries like 'travelsWith, hasFather, sentForumMessage, employs.'” With such vast connection terms, it seems like it would be easy to end up three hops away from a person pertaining to foreign intelligence.

***Some of the comments on the 3-hop rule are pretty interesting and worth reading.

http://arstechnica.com/tech-policy/2013 ... nnections/

[FlyingPenguin]

This will make you feel even worse. Keep in mind, RSA is the biggest provider of encryption tools for government, banking, medicine, etc. When you see doctors logging into secure VPNs using little pocket dongles with one time pass numbers, that's an RSA device...

RSA Using Random Number Generator Compromised by NSA, by Default
http://www.wired.com/threatlevel/2013/0 ... algorithm/

Amidst all of the confusion and concern over an encryption algorithm that may contain an NSA backdoor, RSA Security released an advisory to developer customers today noting that the algorithm is the default in one of its toolkits and strongly advising them to stop using the algorithm.

The advisory provides developers with information about how to change the default to one of a number of other random number generator algorithms RSA supports and notes that RSA has also changed the default on its end in BSafe and in an RSA key management system.

The company is the first to go public with such an announcement in the wake of revelations by the New York Times that the NSA may have inserted an intentional weakness in the algorithm — known as Dual Elliptic Curve Deterministic Random Bit Generation (or Dual EC DRBG) — and then used its influence to get the algorithm added to a national standard issued by the National Institute of Standards and Technology.

[FlyingPenguin]

And even more....

Linus Torvalds Admits He's Been Asked To Insert Backdoor Into Linux
http://linux.slashdot.org/story/13/09/1 ... into-linux

[wvjohn]

Setting aside the issue of government surveillance, one other aspect off all of this is the apparent compromise of a lot of the basic encryption used in commerce, if the vulnerabilities are designed for and exist, you know that the black hats will find them sooner rather than later, esp. if they know where to look. It has been adequately demonstrated that the gov't isn't very good a keeping secrets. So basically all e-commerce is no longer secure. sigh.