Archive for August 2012
“Dissonance gives rise to hermeneutics.” – Claude Levi-Strauss
Even for the murky world of hacking, rife with moral ambiguity, the appearance of NSA at Def Con XX this year in Las Vegas was difficult to parse.
General Keith Alexander, director of NSA and commander of US CyberCommand, delivered a speech entitled “Shared Values, Shared Responsibility” to a standing-room-only crowd. I attended the second half of his speech, rushing over from a panel discussion entitled “Can You Track Me Now? Government and Corporate Surveillance of Mobile Geolocation Data.”
NSA also staffed a booth in the vendor’s area, across the aisle from the Electronic Frontier Foundation. The Agency brought a genuine, operational Enigma console from the National Cryptologic Museum, which was very cool.
Their mission was unambiguous: they were there to build sympathy for the organization and, if possible, to recruit.
“Attention DefCon 20 attendees,” reads their dedicated recruitment page, “If you’re up on your game, you already know the National Security Agency and what we do …. Around here, it’s all about the endgame: keeping you and your family safe and secure, so we can all enjoy the simple things in life, like buying new gear and going to DEF CON®21 – without the threat of harm from foreign adversaries.”
“By the way, if you think you saw cool things at DEF CON® 20, just wait until you cross the threshold to NSA, ’cause you ain’t seen nothing yet.”
I got the impression that their planners regard hackers as something like brilliant, troubled orphans who can benefit from an indulgent father-figure stepping in to help direct their energies in productive ways, like fighting the “bad guys,” as General Alexander put it.
Unfortunately, as Dan Kaminsky noted in his talk at the conference, there is a conspicuous lack of consensus regarding who the bad guys actually are.
My father Richard Thieme, who spoke at Def Con for his seventeenth year, noted in his speech that he was stunned to see the NSA booth display a list of the agency’s core values, including “transparency.” Some may find that incongruous.
A common theme of criticism among conference attendees was that law enforcement personnel come to conventions like Black Hat or Def Con to learn, but they give nothing back to the community in return.
At the “Meet the Feds” panel, an audience member identifying himself as a former security employee at a “top-five financial institution” complained that federal security information sharing resources disclose very little useful information to participating organizations, though they absorb large amounts of data.
Celebrity security expert Bruce Schneier made a similar point during his Q and A session, observing that feds have come to Def Con for many years, but they never present papers or tell anyone about what they’re doing. “It’s like a back-and-forth without the forth,” he noted sardonically.
“I’ve spent 20 years trying to get someone from the NSA,” Def Con founder Jeff Moss (aka The Dark Tangent) told CNN. “It’s eye-opening to see the world from their view.” Moss was appointed to the Homeland Security Advisory Council in 2009.
I was troubled to see that NSA was manifestly disingenuous at times. The Agency made a legitimate argument that their mission to promote and defend the Internet has beneficial effects for everyone around the world. But when faced with criticism, their response was, at times, transparent obfuscation.
During General Alexander’s talk, several audience members asked about recent allegations by NSA whistleblowers Thomas Drake, Kirk Wiebe, and William Binney that the agency has conducted massive dragnet communication surveillance across the country since 9/11.
The three have alleged that the information NSA gathers from monitoring Internet traffic and telecommunications allows them to compile detailed profiles of vast numbers of law-abiding American citizens, including information about their relationships and social networks.
General Alexander’s response was that NSA simply could not generate, maintain and analyze files on every American. I felt that this mischaracterized the allegations, implying that the whistleblowers accuse NSA of literally creating static files in an enormous file room somewhere.
At a panel discussion, former NSA official William Binney countered along similar lines, accusing Alexander of playing a “word game” by mischaracterizing their allegations.
I spoke with Trevor Timm of the Electronic Frontier Foundation, who agreed that Alexander’s response was consistent with the way NSA has responded to privacy criticisms in the past. If an automated script or routine is harvesting data, the agency has argued, that does not constitute a surveillance act, until such time as a human actually looks at the report.
General Alexander also argued that the oversight NSA receives from the Senate Select Committee on Intelligence, the Director of National Intelligence and the FISA courts would prevent unconstitutional abuses. This strikes me as unpersuasive on its face, given that NSA unquestionably carried out large numbers of warrantless wiretaps for years in violation of FISA and in spite of oversight.
The EFF launched a lawsuit against private telecom companies for conspiring with NSA to illegally implement warrantless surveillance, and litigation is ongoing. Their case was dealt a setback when the Senate amended FISA to retroactively confer immunity from civil suits to complicit telecom companies.
Timm said NSA staff approached the EFF at their booth and suggested that the two organizations partner on cybercrime issues. Perhaps they are aware of EFF’s direction of projects such as the SSL Observatory, which has played a key role in identifying and analyzing fraudulent HTTPS certificate requests.
While EFF welcomes any overture by NSA to establish a dialog between the organizations, Timm emphasized that for such a relationship to work, NSA would have to show a genuine interest in addressing civil liberties concerns.
Ars Technica has an interesting article called “No Safe Haven,” about the US Secret Service’s efforts to track down a ring that used packet sniffing to nab credit card data for sale on the black market, where the cards were used to ring up hundreds of millions of dollars of bogus charges.
Law enforcement action was frustrated at times by the international character of the ring, whose members were scattered around the world and traveled from country to country. Maksym “Maksik” Yastremskiy was busted in Turkey, where undercover Secret Service agents arranged to meet him on a putative buy; Aleksandr “JonnyHell” Suvorov was arrested in Frankfurt, Germany, on a US warrant; and Albert Gonzalez was arrested and flipped by the Secret Service, who reportedly paid him $75,000 a year to bring down other crackers.
According to Ars Technica, the US government wanted to project the message that “the ‘borderless’ internet won’t save you from prosecution,” but what interests me is that the principle of asymmetry of attack works both ways.
It’s often noted that there is an intrinsic asymmetry in computer security insofar as systems are much easier to attack than to defend. To compromise a system requires only one weakness, while to defend it means guarding against countless possible avenues of attack.
The same is true in cases of criminal prosecution. If the suspect resides in a non-extradition country, wait till they travel. If you can’t get them for the violation you want them for, get them for something else.
The problem, of course, usually lies in knowing who is attacking your system.