Daily Archives: May 7, 2014

Former National Security Agency chief Gen. Keith Alexander. Photo: Evan Vucci/AP

The NSA has never said much about the open secret that it collects and sometimes even pays for information about hackable flaws in commonly used software. But in a rare statement following his retirement last month, former NSA chief Keith Alexander acknowledged and defended that practice. In doing so, he admitted the deeply contradictory responsibilities of an agency tasked with defending Americans security and simultaneously hoarding bugs in software they use every day.

I would love to have all the terrorists just use that one little sandbox over there so that we could focus on them. But they dont.

When the government asks NSA to collect intelligence on terrorist X, and he uses publicly available tools to encode his messages, it is not acceptable for a foreign intelligence agency like NSA to respond, Sorry we cannot understand what he is saying, Alexander told the Australian Financial Review, which he inexplicably granted a 16,000-word interview. To ask NSA not to look for weaknesses in the technology that we use, and to not seek to break the codes our adversaries employ to encrypt their messages is, I think, misguided. I would love to have all the terrorists just use that one little sandbox over there so that we could focus on them. But they dont.

The NSA has been widely criticized for using its knowledge of security flaws for spying, rather than working to patch those flaws and make internet users more secure.Alexanders defense of the practice boils down to the notion that separating friend and foe when seeking to break codes has become a nearly impossible task.

The interesting change has been the diffusion of encryption technologies into everyday life, he told AFR. It used to be that only, say, German forces used a crypto-device like Enigma to encipher their messages. But in todays environment encryption technology is embedded into all our communications.

At other points in his statement, Alexander argued that the NSA does disclose some of the vulnerabilities it finds in software to those who can patch the flaws, insisting that it focuses its bug-hunting primarily on defense, rather than using vulnerabilities for offensive purposes. He also went further, stating that the NSA categorically [does] not erode the defenses of U.S. communications, or water down security guidance in order to sustain access for foreign intelligence.

The latter claim contradicts numerous reports that the NSA is seeking to weaken encryption to give itself a backdoor into encrypted communications.

Last December, a group of advisers to the White House issued a report to President Obamacalling on him to rein-in the intelligence communitys use of so-called zero-day vulnerabilitiesnewly discovered hackable software bugs for which there exist no patch. The group went on to propose that zero-days only be used sparingly for high priority intelligence collection, and that those uses must be approved by a senior-level, interagency approval process.

In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection, the report reads. Eliminating the vulnerabilitiespatching themstrengthens the security of U.S. Government, critical infrastructure, andother computer systems.

Read this article:

Former NSA Chief Defends Stockpiling Software Flaws for Spying

WASHINGTON, May 7 (UPI) -- The high-profile cases of Edward Snowden and Chelsea Manning have turned a microscope onto the U.S. intelligence community, launching a serious discussion on the balance of civil liberties in a post-9/11 world.

Secondary to Snowden and Manning's revelations, but perhaps no less important, was the treatment of the whistleblowers themselves: Snowden lives exiled, and without a passport, in Russia, while Manning faces 35 years in federal prison. Both saw grievous abuses within the U.S. government that they felt must be revealed, and both paid for their consciences with their freedom.

Thomas Drake, a former NSA executive, was more fortunate. Drake witnessed what he said were privacy and Fourth Amendment violations, as well as a massive waste of funding on the Trailblazer project, which collected intelligence data off the Internet. He initially took his concerns to internal authorities, including the NSA Inspector General and the Defense Department Inspector General, then to the staff of the House Intelligence and Oversight Committees. He also passed his concerns on to a reporter at the Baltimore Sun, carefully avoiding divulging classified information.

In 2007, Drake's home was raided by the FBI, in 2010, he was indicted by a grand jury and charged with illegally holding sensitive information, obstruction of justice and making a false statement. All along, he refused to plead guilty or help the government prosecute fellow whistleblowers.

The 10 charges filed against him under the Espionage Act were ultimately dropped, in exchange for a guilty plea on a misdemeanor count of misusing the NSA's computer system.

Drake has since worked as a privacy activist, speaking out against the surveillance state. In an interview with UPI this week, he talked about what it takes to blow the whistle on the U.S. government and just how difficult it is to do.

(This interview has been edited and condensed for clarity.)

UPI: What would you have done differently?

Drake: I would not have spoken with the FBI at all. I was speaking to them to report high crimes and misdemeanors; I was expecting them to come to my house for quite some time. I would have hired an attorney sooner.

Even though I made a conscious choice [to go through the proper channels], I didn't have to. Under the NSA portion [of the Intelligence Community Whistleblower Protection Act], I could go directly to the Department of Defense or directly to Congress and not inform the NSA. That was the statute that you would exercise if you had a responsible belief as a whistleblower. Now there's huge cutout: Any national security position is not covered by that act.

Read this article:

Exclusive Interview: NSA whistleblower on what he'd do differently now

IBM has denied any involvement with the US National Security Agency's surveillance programs, and the company claims it has never handed over any client data to governmental bodies.

In response to allegations concerning the NSA's PRISM surveillance program, Big Blue has posted a response in the form of a blog post written by Robert C. Weber, IBM's senior vice president of Legal and Regulatory Affairs. Weber writes that IBM has never handed over client data to any third party, and would send the US agency to the client rather than assist the governmental body:

IBM has not provided client data to the National Security Agency or any other government agency under the program known as PRISM."

PRISM, which stands for "Planning Tool for Resource Integration, Synchronization, and Management," is designed to collect and process "foreign intelligence" that passes through American servers. Due to documents leaked by ex-NSA contractor Edward Snowden, IBM is reportedly being probed by China over security issues, as so many of the country's systems are dominated by IBM, Oracle, and EMC. The document leak alleges that the NSA hacked into Chinese telecommunications companies in order to steal text messages and attack Chinese university servers for spying purposes.

IBM says that while it complies with local laws in the countries in which it operates, it has not provided client data to "the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata," and "has not provided client data stored outside the United States to the US government under a national security order, such as a FISA order or a National Security Letter."

Furthermore, the tech giant says that you won't find any "backdoor" entry within its products, and nothing has been put in place to help government agencies spy on consumers -- and IBM also claims it does not provide source code or encryption keys to governments.

"In general, if a government wants access to data held by IBM on behalf of an enterprise client, we would expect that government to deal directly with that client," the company added. "If the US government were to serve a national security order on IBM to obtain data from an enterprise client and impose a gag order that prohibits IBM from notifying that client, IBM will take appropriate steps to challenge the gag order through judicial action or other means."

The company took the opportunity to make recommendations to surveillance-happy governmental bodies, stating that such entities need to "act to restore trust," and should "not subvert commercial technologies, such as encryption, that are intended to protect business data."

This story originally appeared as "IBM denies assisting NSA in customer spying" on ZDNet.

See original here:

IBM: No, we did not help NSA spy on customers

No, the National Security Agency's Twitter account was not drunk last night.

A Twitter account run by the NSA's recruitment office sent out a coded tweet on Monday with the hashtag #MissionMonday, sending the Internet abuzz with speculation over what the message meant.

The NSA account tweeted: "tpfccdlfdtte pcaccplircdt dklpcfrp?qeiq lhpqlipqeodf gpwafopwprti izxndkiqpkii krirrifcapnc dxkdciqcafmd vkfpcadf."

Twitter user @DanielShealey says he deciphered the message, which reads: "Want to know what it takes to work at NSA? Check back each month to explore careers essential to protect in your nation."

This isn't the first coded message tweeted out by the recruitment office. In February, a similar coded tweet was posted in honor of Presidents Day. According to the Washington Post, the tweet uses a substitution cipher that swaps letters of the alphabet with another.

A spokesperson for the NSA told CBS News via email that the Twitter feed is focused on career opportunities at the agency, and released this statement:

NSA is known as the code makers and code breakers. As part of our recruitment efforts to attract the best and the brightest, we will post mission related coded tweets on Mondays in the month of May. Today's Tweet announces this effort - Every Monday in May, we'll explore careers essential to protecting our nation. #NSA #news #MissionMonday

Code-breaking mysteries aren't new to the Internet. One of the most bizarre unsolved mysteries on the Web, Cicada 3301, involves ciphers, cryptography and number theory.

2014 CBS Interactive Inc. All Rights Reserved.

Read more from the original source:

NSA's coded tweet deciphered -- read what it says

WASHINGTON, May 7 (UPI) -- A bipartisan bill to prohibit the bulk collection of phone records by the NSA was put on the fast-track to passage in the House, despite lingering skepticism from Democrats and civil liberties advocates who say the bill didn't go far enough to protect privacy.

An amendment to the USA Freedom Act, which was unanimously voted out of the House Judiciary Committee Wednesday, appeared to pave the way to avoid a clash between it and a similar bill from the House Intelligence Committee. The amendment allows the government to collect phone data on U.S. citizens in cases where "reasonable, articulable suspicion" of wrongdoing can be proved, which would in turn allow the government to collect metadata on individuals who are two "hops," or degrees of separation, from the suspect.

House Intelligence Committee Chairman Mike Rogers, R-Mich., a key defender of the NSA's surveillance and a co-author of the competing bill, called the change a "huge improvement" and hinted he would sink his own legislation in favor of the USA Freedom Act if passed.

Judiciary Committee leadership on both sides of the aisle touted the bipartisan effort to craft legislation that could make it through both houses and to the president's desk for signature, incorporating some of the recommendations made by the president's panel in December. Additional effort was made to please both those who supported the NSA surveillance, if perhaps not the method of collection revealed through leaks of classified information by former NSA contractor Edward Snowden last year, and those who decried it as a gross violation of privacy and civil liberties.

"Today's bill unequivocally ends bulk collection," said bill sponsor (and USA Patriot Act author) Jim Sensenbrenner, R-Wis. "Let me repeat, there is no bulk collection."

The congressman's comments were likely directed at critics of the amendment who interpreted the language of the amendment would reopen the very loophole originally exploited by the NSA to conduct so-called "back-door" searches of American citizens' data.

"It ends up basically outsourcing mass surveillance strategy," explained Thomas Drake, a former NSA executive who faced espionage charges in 2010 for exposing waste and privacy violations at the agency, in an interview Tuesday.

Drake said he had supported the USA Freedom Act, changed his mind with the introduction of the manager's amendment.

"It's totally compromised," he said. "That's faux reform, that's kabuki dance reform. That's shadow reform."

Rep. Zoe Lofgren, D-Calif., perhaps trying to give Sensenbrenner an opportunity to reverse course, offered an amendment to the amendment that suggested omitting the content collection language was a "clerical error." She later withdrew her suggestion after Committee Chair Bob Goodlatte, R-Va., said he "wasn't aware" of a such a mistake.

See the original post:

Weakened NSA bill passes out of House committee