Archive for the ‘Law and Disorder’ Category
“Dissonance gives rise to hermeneutics.” – Claude Levi-Strauss
Even for the murky world of hacking, rife with moral ambiguity, the appearance of NSA at Def Con XX this year in Las Vegas was difficult to parse.
General Keith Alexander, director of NSA and commander of US CyberCommand, delivered a speech entitled “Shared Values, Shared Responsibility” to a standing-room-only crowd. I attended the second half of his speech, rushing over from a panel discussion entitled “Can You Track Me Now? Government and Corporate Surveillance of Mobile Geolocation Data.”
NSA also staffed a booth in the vendor’s area, across the aisle from the Electronic Frontier Foundation. The Agency brought a genuine, operational Enigma console from the National Cryptologic Museum, which was very cool.
Their mission was unambiguous: they were there to build sympathy for the organization and, if possible, to recruit.
“Attention DefCon 20 attendees,” reads their dedicated recruitment page, “If you’re up on your game, you already know the National Security Agency and what we do …. Around here, it’s all about the endgame: keeping you and your family safe and secure, so we can all enjoy the simple things in life, like buying new gear and going to DEF CON®21 – without the threat of harm from foreign adversaries.”
“By the way, if you think you saw cool things at DEF CON® 20, just wait until you cross the threshold to NSA, ’cause you ain’t seen nothing yet.”
I got the impression that their planners regard hackers as something like brilliant, troubled orphans who can benefit from an indulgent father-figure stepping in to help direct their energies in productive ways, like fighting the “bad guys,” as General Alexander put it.
Unfortunately, as Dan Kaminsky noted in his talk at the conference, there is a conspicuous lack of consensus regarding who the bad guys actually are.
My father Richard Thieme, who spoke at Def Con for his seventeenth year, noted in his speech that he was stunned to see the NSA booth display a list of the agency’s core values, including “transparency.” Some may find that incongruous.
A common theme of criticism among conference attendees was that law enforcement personnel come to conventions like Black Hat or Def Con to learn, but they give nothing back to the community in return.
At the “Meet the Feds” panel, an audience member identifying himself as a former security employee at a “top-five financial institution” complained that federal security information sharing resources disclose very little useful information to participating organizations, though they absorb large amounts of data.
Celebrity security expert Bruce Schneier made a similar point during his Q and A session, observing that feds have come to Def Con for many years, but they never present papers or tell anyone about what they’re doing. “It’s like a back-and-forth without the forth,” he noted sardonically.
“I’ve spent 20 years trying to get someone from the NSA,” Def Con founder Jeff Moss (aka The Dark Tangent) told CNN. “It’s eye-opening to see the world from their view.” Moss was appointed to the Homeland Security Advisory Council in 2009.
I was troubled to see that NSA was manifestly disingenuous at times. The Agency made a legitimate argument that their mission to promote and defend the Internet has beneficial effects for everyone around the world. But when faced with criticism, their response was, at times, transparent obfuscation.
During General Alexander’s talk, several audience members asked about recent allegations by NSA whistleblowers Thomas Drake, Kirk Wiebe, and William Binney that the agency has conducted massive dragnet communication surveillance across the country since 9/11.
The three have alleged that the information NSA gathers from monitoring Internet traffic and telecommunications allows them to compile detailed profiles of vast numbers of law-abiding American citizens, including information about their relationships and social networks.
General Alexander’s response was that NSA simply could not generate, maintain and analyze files on every American. I felt that this mischaracterized the allegations, implying that the whistleblowers accuse NSA of literally creating static files in an enormous file room somewhere.
At a panel discussion, former NSA official William Binney countered along similar lines, accusing Alexander of playing a “word game” by mischaracterizing their allegations.
I spoke with Trevor Timm of the Electronic Frontier Foundation, who agreed that Alexander’s response was consistent with the way NSA has responded to privacy criticisms in the past. If an automated script or routine is harvesting data, the agency has argued, that does not constitute a surveillance act, until such time as a human actually looks at the report.
General Alexander also argued that the oversight NSA receives from the Senate Select Committee on Intelligence, the Director of National Intelligence and the FISA courts would prevent unconstitutional abuses. This strikes me as unpersuasive on its face, given that NSA unquestionably carried out large numbers of warrantless wiretaps for years in violation of FISA and in spite of oversight.
The EFF launched a lawsuit against private telecom companies for conspiring with NSA to illegally implement warrantless surveillance, and litigation is ongoing. Their case was dealt a setback when the Senate amended FISA to retroactively confer immunity from civil suits to complicit telecom companies.
Timm said NSA staff approached the EFF at their booth and suggested that the two organizations partner on cybercrime issues. Perhaps they are aware of EFF’s direction of projects such as the SSL Observatory, which has played a key role in identifying and analyzing fraudulent HTTPS certificate requests.
While EFF welcomes any overture by NSA to establish a dialog between the organizations, Timm emphasized that for such a relationship to work, NSA would have to show a genuine interest in addressing civil liberties concerns.
Ars Technica has an interesting article called “No Safe Haven,” about the US Secret Service’s efforts to track down an ring that used packet sniffing to nab credit card data for sale on the black market, where they were used to ring up hundreds of millions of dollars of bogus charges.
Law enforcement action was frustrated at times by the international character of the ring, whose members were scattered around the world and traveled from country to country. Maksym “Maksik” Yastremskiy was busted in Turkey, where undercover Secret Service agents arranged to meet him on a putative buy, Aleksandr “JonnyHell” Suvorov was arrested in Frankfurt, Germany on a US warrant, and Albert Gonzales was arrested and flipped by the Secret Service, who reportedly paid him $75,000 a year to bring down other crackers.
According to Ars Technical, the US government wanted to project the message that “the ‘borderless’ internet won’t save you from prosecution,” but what interests me is that the principle of asymmetry of attack works both ways.
It’s often noted that there is an intrinsic asymmetry in computer security insofar as systems are much easier to attack and to defend. To compromise a system requires only one weakness, while to defend it means to guard against countless possible avenues of attack.
The same is true in cases of criminal prosecution. If the suspect resides in a non-extradition country, wait till they travel. If you can’t get them for the violation you want them for, get them for something else.
The problem, of course, usually lies in knowing who is attacking your system.
Last week I saw a talk by Ahmed Al Omran, a Saudi journalist who maintains the excellent Saudi Jeans blog, offering eye-on-the-ground information on the Saudi political scene. The talk was part of the Electronic Frontier Foundation‘s Geek Reading series.
Al Omran was early on the scene in the Saudi blogosphere. His wide readership and use of English, in a post-9/11 Saudi Arabia that is eager to improve its international image, give him some latitude to write critically of his government at times, even when comparable work in Arabic may result in arrest. Al Omran compared his own work to that of blogger Fouad al-Farhan, an Arab-language blogger who was arrested by Saudi authorities until international pressure prompted his release. The two are shown together in this Washington Post article with Al Omran on the far left.
Al Omran’s presentation could perhaps be characterized by short-term sobriety and long-term optimism. He noted a number of factors supportive of movement toward gender equality, representative democracy, freedom of speech, and free access to information in Saudi Arabia, especially including the prevalence of Internet access. He noted that the Saudi government ordered a media blackout on the news of the Iraqi invasion of Kuwait in 1990 – no one in the country knew about it for a week. That would be unthinkable today, he observed, because of the decentralized nature of the Internet and the difficulty in effectively blocking access to sites.
In addition, many young Saudis are abroad earning a higher education – around 60,000 in the US alone, and as many in Europe and elsewhere. Many of these young people become accustomed to free access to information.
However, Al Omran cautioned, we should not be overly optimistic about the short-term. We do not know to what degree exposure to foreign ideas will result in commitment to political reform by the “scholarship generation,” as he called the current wave of students abroad. Many of whom will remain abroad, and many more will return to Saudi Arabia with the intention of leading quiet lives.
The Arab Spring did not effectively reach Saudi Arabia, and one high-profile scheduled protest, the Day of Rage, fizzled badly. Al Omran attributes the failure to reach critical mass to a number of factors, including the relative affluence of Saudi Arabia, the effectiveness of the Saudi education system in discouraging the idea of political reform, and the conservative culture of the country as a whole.
Nonetheless, 70% of Saudi Arabia’s population is under the age of thirty, and many of the nation’s rulers are in their 80s and 90s. Women are making largely-symbolic but significant gains, such as winning the right to vote and run in municipal elections, and a movement working toward the right to drive appears to be gaining traction.
This morning Der Spiegel ran an article (auf Deutsch) on Saudi Princess Basma Bin Saud Al Saud, who has been calling for a constitutional monarchy and greater equality for freedom. So who knows what the future holds? Political reform sometimes comes like bankruptcy – gradually, then suddenly.