Tag: NSA

NSA makes many become one

Boffins at Carnegie Mellon University, sponsored by the US’s number one spying outfit, have come up with a programming Esperanto which unites all different programming languages under a single umbrella.

Any excitement about the development is dampened by the thought that, since it is funded by the NSA, it will be full of backdoors which can harvest personal details on behalf of the US government, but you can still admire the technology.

Dubbed Wyvern, after a mythical dragon-like thing that only has two legs instead of four, it helps programmers design apps and websites without having to rely on a whole bunch of different stylesheets and different amalgamations spread across different files.

Jonathan Aldrich, the researcher developing the language, wrote in his blog that Web applications are written as a poorly-coordinated mishmash of artifacts written in different languages, file formats, and technologies. For example, a web application may consist of JavaScript code on the client, HTML for structure, CSS for presentation, XML for AJAX-style communication, and a mixture of Java, plain text configuration files, and database software on the server.

“This diversity increases the cost of developers learning these technologies. It also means that ensuring system-wide safety and security properties in this setting is difficult,” he said.

This creates security problems, which was why the NSA was interested. After all, it has to protect its own systems from hackers.

Wyvern can automatically tell what language a person is programming in, based solely on the type of data that’s being manipulated. That means that if the language detects you are editing a database, for instance, it’ll automatically assume you’re using SQL. The language is still a prototype and is all open saucy.

Keith Alexander is a programming genius

The former head of the NSA, Keith Alexander, has been getting into trouble for charging companies millions of dollars to tell them how to keep his former employers out of their systems.

The argument is that he is using all the material he gathered at the NSA to make a nice little earner in retirement. If he were a whistle-blower, they would lock him up, but since he is an adviser to corporates and is not giving out military operations details he can do what he likes.

However, we think that the security community and the Senate are being a little hard on Keith. After all, if a patent application is correct, he is clearly a programming genius.

In the six months since he left the NSA, Alexander has come up with a brand new anti-hacking concept that will have shedloads of patents. The former NSA chief said that IronNet has already signed contracts with three companies and that he hopes to finish testing the system by the end of September.

Now he could not have come up with that idea when he was at the NSA, because he would have been expected to use it for his job and to help his country, which is more or less what he was paid for.

This means that he had to come up with it after he left office in March. This means he not only wrote the code but managed to make it work. This makes him a software genius and an organisational whizz-kid who displays skills we have not seen in a former military man.

In an interview with the Associated Press, he said that if he retired from the Army as a brain surgeon, it would be OK for him to go into private practice and make money doing brain surgery.

“I’m a cyber-guy. Can’t I go to work and do cyber stuff,” he asked. But he’s not. In the Army, he just managed “cyber guys.”

His system involves “behavioural modelling” as its secret sauce. The technology has been looked at by security experts but so far no one has got it to go. Well, other than Alexander, which shows what sort of genius he must have been.

Dutch can outsource spying

The Dutch courts have ruled that while the government is forbidden to snoop on its citizens over the internet, it is allowed to use data stolen from them by the American spooks.

The Hague District Court ruled that Dutch intelligence services can receive bulk data that might have been obtained by the US National Security Agency (NSA) through mass data interception programs, even though collecting data that way is illegal under Dutch law.

The civil case was filed by a coalition of defence lawyers, privacy advocates and journalists, who sued the Dutch government and wanted a court order to stop the AIVD and MIVD from obtaining data from foreign intelligence agencies that was not obtained in accordance with European and Dutch law.

NSA’s mass data collection programs violate human rights guaranteed by international and European treaties including the European Convention on Human Rights (ECHR), the lawyers argued.

However, the court said that under Dutch law, Dutch intelligence services are allowed to collaborate with the NSA. The NSA in turn is bound by US law which, in general, does not conflict with the human rights convention privacy requirements.

Since raw data is shared in bulk, less stringent safeguards are necessary than would apply when the data is examined and used, the court said. It added that there would be a big difference between receiving data and using it for individual cases.

The court said it only ruled on general grounds, assessing the actions of the state in general. It suggested the outcome could be different when individual lawsuits or complaints were filed with the relevant institutions.

The lawyers bringing the case were furious and dubbed it “incomprehensible.”

In a statement, they said that innocent citizens’ privacy rights should prevail over the interests of intelligence services. Because the data exchanged in bulk involves information on many innocent people, safeguards that are more stringent are needed.

They plan to appeal the ruling.

NSA snooping is not targeted at terrorists

The Washington Post has poured cold water on the idea that ordinary people have nothing to fear from NSA snooping.

After a four-month investigation, it turns out that ordinary internet users, American and non-American alike, far outnumber legally targeted foreigners in the communications intercepted by the National Security Agency from US digital networks.

Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided, were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.

Nearly half of the surveillance files contained names, e-mail addresses or other details that the NSA marked as belonging to US citizens or residents.

The reason for this is that, to be effective, the spooks have to track alias accounts. Months of tracking communications across more than 50 alias accounts, the files show, led directly to the 2011 capture in Abbottabad of Muhammad Tahir Shahzad, a Pakistan-based bomb builder, and Umar Patek, a suspect in a 2002 terrorist bombing on the Indonesian island of Bali.

But a huge chunk of useless files has been retained. This includes what the Post calls “stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes”.

The daily lives of more than 10,000 people who were not targeted and not connected to any terrorist activity are catalogued and recorded.

The sweep is huge. If a real target entered an online chat room, the NSA collected the words and identities of every person who posted there, as well as every person who simply “lurked.”

Flat battery? You don’t fly

The self-feeding paranoia of US airport security checks has just reached a new level as Homeland Security has become worried about computers which do not switch on.

According to Gizmodo, Homeland Security Secretary Jeh Johnson woke up in a cold sweat worried about all those people who get onto planes with flat batteries on their electronic devices.

Johnson said devices that won’t turn on will be confiscated, and passengers may be diverted for “additional questioning”.

The fear is that a terrorist will be on a plane with a smartphone or laptop with a flat battery and this will mean… well, we are not quite sure. The whole point of checking electronic gear was to make sure that it could not be used as part of a terrorist attack; however, if it does not work then it can’t be.

However, Johnson thinks that people who don’t charge their gear before they get on a flight must be terrorists and should not be allowed to board a plane. Our next bet is that he will wake up in the morning with a fear that those who don’t wash their hands before they get on board a plane are terrorists.

Practically this means that if you are dumb enough to bring any electronics on a plane on US soil you should have it fully charged beforehand. It is much safer to stick your electronics inside your suitcase, where if it is a bomb it is not going to be probed by TSA officials.

AP mentions that American intelligence officials have been worried about terrorists finding new ways to bring explosives onto airplanes undetected and apparently they have vivid imaginations. Already we have that dumb rule about water bottles, and toiletries, you can’t wear a belt, or high heels. The process of getting on the plane is now longer than the flight.

NSA dubs Linux forum a home for terrorists

US spooks have classed an open source Linux forum alongside Al-Qaeda and the Taliban and are targeting its visitors for special treatment.

The Linux Journal is a happy place where weirdy beardy types can get together to discuss the Linux operating system and slag off Microsoft. It is the go-to site for headlines like “How YARN Changed Hadoop Job Scheduling” and “rc.local, Cron Style”.

It turns out that the NSA has a programme called XKEYSCORE which decides which traffic to keep indefinitely. XKEYSCORE uses specific selectors to flag traffic, and the article reveals that these include Web searches for the Tor and Tails software.

It is something that the Linux Journal has run a number of articles on because it helps to protect a user’s anonymity and privacy on the Internet.

According to DasErste.de, which found the XKEYSCORE source code, if you look closely at the rule definitions you will see linuxjournal.com/content/linux* listed alongside Tails and Tor. This means that the NSA considers Linux Journal an “extremist forum”.

This means that merely looking for any Linux content on Linux Journal, not just content about anonymizing software or encryption, is considered suspicious and means your Internet traffic may be stored indefinitely.

Ironically it means that the best way to peruse the Linux Journal is to use Tor, which actually does look jolly suspicious and might flag a response from a curious NSA.

Encryption foils coppers nine times in the US

It appears that while coppers using wiretaps are fairly effective, streetwise criminals are starting to adopt better encryption methods.

According to Wired, in nine cases during 2013, state police were unable to break the encryption used by criminal suspects they were investigating.

This is not high, but it is more than twice as many cases as in 2012, when police reported encryption preventing them from successfully spying on a criminal suspect for the first time.

To put the figure into perspective, Federal and state police eavesdropped on US suspects’ phone calls, text messages, and other communications at least 3,500 times in 2013. Of those thousands of cases, only 41 involved encryption at all. In 32 cases police managed to get around suspects’ privacy protections to eavesdrop on their targets.

The figures seem to suggest that warnings from government agencies like the FBI that the free availability of encryption tools will eventually lead to a dystopian future where criminals and terrorists use privacy tools to make their communications invisible to police.

This complaint has become common. Last year the Drug Enforcement Agency leaked an internal report complaining that Apple’s iMessage encryption was blocking their investigations of drug dealers.

However, the statistics from police reports show that encryption use is on the rise, even if the number of cases remains small and most encryption use is pointless.

Supply chain standard aims to eliminate counterfeit gear

Counterfeit iPhones, sunglasses and handbags have been around for years, but so have counterfeit IT products, and they tend to be a bit more dangerous and costly than a fake Gucci bag crafted from genuine imitation faux leather.

The Open Group has published a new technical security standard with the aim of improving supply chain safety and weeding out counterfeit products, or gear that has been tampered with. The Open Trusted Technology Provider Standard (O-TTPS) is a 32-page document containing a set of guidelines, requirements and recommendations that should mitigate the risk of acquiring counterfeit products, or products that were “maliciously tainted.”

The standard is being backed by the likes of IBM and Cisco. It should address concerns raised by governments and the US Department of Defense, which tends to be rather picky when it comes to networking gear. Juniper, Huawei, EMC, Raytheon, HP, Microsoft, the NSA, Booz Allen Hamilton, Boeing and NASA are also on board, reports Network World.

It is still unclear when the group will start issuing accreditations, or how it plans to go about it, but the backers feel that the IT industry should get acquainted with the new standards. With such high profile names on board, the industry should listen closely.

Big outfits are expected to embrace the new standard first, but in doing so they will also reduce the risk for smaller businesses. Still, the best way of steering clear of dodgy routers and switches is to simply avoid buying gear from unknown companies altogether.