NSA has direct access to tech giants' systems for user data, secret files reveal

Discussion in 'privacy general' started by Dermot7, Jun 6, 2013.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,500
    While that last post is obviously touted by many, snail mail would leave me uncomfortable as hell. I do have the 10 plus years with crypto. The "loose ends" with physical paper out in the "wild" would cause me to lose sleep. My personal take would be go to "crypto school" of sorts and protect yourself accordingly. NO way physical paper going through snail mail is safe. I do understand why the statement was made though. Many, if not most, will just refuse to learn what is needed to be safe. My .02
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    The big advantage of snail mail is that its interception requires a warrant with probable cause - which, in my view, has always been the constitutional, ethical, and legal position for interception of communication - and which has been so comprehensively flouted in the digital realm. Add to that the cost of doing so, and you're less likely to have the over-reach and empire building seen with the TLAs.

    Of course, even that is being eroded with the recording of snail mail metadata in the US.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,500

    Funny, but to make my point; over the weekend I received my neighbor's bank statement in the mail. I was the nice neighbor and took it over to her, but I could easily have just opened it and no person would have known. Little fluke mistakes like this make physical paper a no go for me!! In my case I don't allow my bank to send ANY paper notices, offers, statements, etc... but this neighbor blindly could care less for her privacy.
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Former U.S. National Security Agency Director Keith Alexander's cyber security startup, IronNet Cybersecurity Inc, said on Monday it had raised $32.5 million in a "Series A" funding round led by Trident Capital Cybersecurity."

    http://in.reuters.com/article/2015/10/26/ironnetcybersecurity-funding-idINKCN0SK23520151026?rpc=401

LOL: Will his company do offensive or defensive work or both? Or perhaps another NSA extension à la Booz Allen.*

    * " Some 1,271 government organizations and 1,931 private companies work on programs related to counterterrorism, homeland security and intelligence in about 10,000 locations across the United States."

    http://projects.washingtonpost.com/...ticles/a-hidden-world-growing-beyond-control/
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
Indeed, snafus abound. Thing is though, most people are actually honest & trustworthy. The equivalent snafu on the electronic front tends to be rather more damaging, e.g. the sad case of an administrator sending out a bulk email with no Bcc to all the HIV-registered individuals being dealt with by a charity. All too easily done.
    And then there's the mass surveillance databases like Xks, fully equipped with a google-like search engine and opened up to all and sundry. Like a radioactive toxic waste dump, with accidents, breaches and insider dealing obviously going to happen. So I think the original advice remains sound, particularly if the communication is just to set up a meeting, and avoid the automatic metadata gathering you get with the electronic form.
     
  6. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    Senate Passes CISA [The Cybersecurity Information Sharing Act]

    "...........The bill, which would expand liability protections to companies that choose to voluntarily share cyber-threat data with the government,.....
    ..............A round of amendments intended to strengthen some of the bill's privacy protections failed on Tuesday..........

    Skeptics of CISA have said it would do little to prevent malicious breaches like the kind that crippled Sony Pictures last year............

    The bill's passage through the Senate was a defeat for digital privacy activists who celebrated the passage in June of a law effectively ending the NSA's bulk collection of U.S. call metadata....."

    http://www.huffingtonpost.com/entry...e-in-bipartisan-vote_562fe3b6e4b00aa54a4baeb9

"............[P]rivacy advocates and civil liberties groups see CISA as a free pass that allows companies to monitor users and share their information with the government without a warrant, while offering a backdoor that circumvents any laws that might protect users' privacy. 'The incentive and the framework it creates is for companies to quickly and massively collect user information and ship it to the government,' says Mark Jaycox, a legislative analyst for the civil liberties group the Electronic Frontier Foundation. 'As soon as you do, you obtain broad immunity, even if you've violated privacy law.'

    The version of CISA passed Tuesday, in fact, spells out that any broadly defined 'cybersecurity threat' information gathered can be shared “notwithstanding any other provision of law......”

    http://www.wired.com/2015/10/cisa-c...ng-act-passes-senate-vote-with-privacy-flaws/

    ".....there are worries that companies in a hurry might not wipe the data enough before law enforcement gets it, expanding how much authorities and spies know about Americans. There's also concern that this bill gives the FBI another tool to investigate Americans for crimes that have nothing to do with hacking...

    'CISA will do very little, if anything, to protect our national cyber-security interests,' said Ben Johnson, a former NSA analyst who now works with cybersecurity firm Bit9.

    Ex-NSA contractor Edward Snowden, who exposed widespread spying on Americans and remains in hiding in Russia, criticized CISA. He said the FBI and NSA already collect this kind of hacking data all over the Internet -- but CISA would allow them to collect even more directly from companies.

    http://money.cnn.com/2015/10/27/tec...n-sharing-act/index.html?section=money_latest

    "....Cisa was negotiated and marked up in secret......

    The data in question would come from private industry, which mines everything from credit card statements to prescription drug purchase records to target advertising and tweak product lines. Indeed, much of it is detailed financial and health information the government has never had access to in any form.....

    Cisa would create a program at the Department of Homeland Security (DHS) through which corporations could share user data in bulk with several US government agencies..........

Apple didn't mince words in its opposition to the proposed law: 'We don't support the current CISA proposal,' the company said in an unattributed statement last week. 'The trust of our customers means everything to us and we don't believe security should come at the expense of their privacy.' .......

    Atypically, security researchers have come out against Cisa, as well, saying it would do little to improve surveillance and would instead spread user information broadly across a threadbare patchwork of government IT systems. ............"

    http://www.theguardian.com/world/2015/oct/27/cisa-cybersecurity-bill-senate-vote

    Note: An amendment notifying citizens that their data was being examined was struck down.

    There is no truth to the rumor that the publishers of Webster's have decided to remove the word "privacy" from their 2016 edition. Webster's includes many antiquated words.
     
    Last edited: Oct 27, 2015
  8. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    They still have other fictional items in the dictionary like unicorns :)

CISA doesn't really change much for me. I already assumed as much when I go online.

    The concerning thing is what money changes hands. For Facebook and Google it is loose change. Think about sites such as pornhub.com that holds very sensitive information and earns relatively less revenue. The government probably has provisions for compensating for reasonable costs which are typically inflated by the provider of the information.

Legislators should concentrate on useful legislation such as requiring encryption of customer data. I know this is in the UK, but when the CEO of TalkTalk said it wasn't legally required to encrypt customer data I was shocked (probably the same in the US). Why not start with legislation that strengthens security? Why not make Diceware password generation lessons compulsory for all high school students? There is strong evidence that these two measures could have a far more tangible benefit to cyber security than CISA.
     
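The Diceware scheme driekus mentions above, as an added example (not part of the post and not the official Diceware tooling): a five-dice roll is read as a base-6 number that indexes a 7776-word list, and passphrase strength is simply words × log2(list size). The wordlist here is a constructed stand-in of a dozen words so the block runs offline; the arithmetic is written for the real 6^5-entry list. Software generation uses the `secrets` module, which draws from the OS CSPRNG, never `random`.

```python
"""Diceware passphrases: roll-to-word lookup, entropy arithmetic, CSPRNG generation."""
import math
import secrets

# Constructed stand-in wordlist. A real Diceware list has 6**5 = 7776 entries keyed
# by the rolls "11111".."66666"; this short list only keeps the example self-contained.
SAMPLE_WORDS = [
    "acorn", "brisk", "cider", "dusty", "ember", "flint",
    "gravy", "hinge", "ivory", "jolly", "kayak", "lemon",
]
FULL_LIST_SIZE = 6 ** 5  # size of a genuine Diceware list


def roll_to_index(roll: str) -> int:
    """Map a five-dice roll such as '31642' to a 0-based list index (base-6, faces 1..6)."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"bad roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_roll(index: int, dice: int = 5) -> str:
    """Inverse of roll_to_index: 0 -> '11111', 7775 -> '66666'."""
    if not 0 <= index < 6 ** dice:
        raise ValueError(f"index {index} out of range for {dice} dice")
    faces = []
    for _ in range(dice):
        index, face = divmod(index, 6)
        faces.append(str(face + 1))
    return "".join(reversed(faces))


def lookup_roll(wordlist: list, roll: str) -> str:
    """Word for a physically rolled set of dice; errors if the list is too short for it."""
    index = roll_to_index(roll)
    if index >= len(wordlist):
        raise IndexError(f"roll {roll} needs a list of at least {index + 1} words")
    return wordlist[index]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Strength of n uniformly chosen words from a list: n * log2(list_size)."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count reaching target_bits of entropy for the given list size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist: list, n_words: int, separator: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets); random.random is not suitable here."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print("roll 11112 ->", lookup_roll(SAMPLE_WORDS, "11112"))
    print(f"6 words from a full list: {entropy_bits(FULL_LIST_SIZE, 6):.1f} bits")
    print("words for 77 bits:", words_needed(FULL_LIST_SIZE, 77))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```

The entropy figure assumes the words are chosen uniformly and the attacker knows the list; anything less (picking "memorable" rolls, reusing words across sites) drops the real strength below the computed number.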
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Well, I think I've banged on enough here that the ICO has been negligent in not demanding routine encryption at rest and in transit, for ALL B2B. I've bored my wife so much with my rants over the years, that she finally admitted maybe I was right (for once), given the TalkTalk debacle!
    My feeling is though that "encryption" on its own is not enough, because authorised people and processes (which can both be subverted), still get bulk indiscriminate access. Encrypted databases (which allow search) and have reasonable performance are available, but are essentially research projects and do have serious vulnerabilities of their own, and of course, still give access to rogue processes.
But the overall scene will not improve because the ICO will not do the necessary, and because the security services have said they want to read everything easily anyway (the huge collateral cost of their misjudged bulk surveillance) - or is it the US saying it wants to read B2B easily so it can do economic espionage? Then we have the disgraceful attacks on encryption both sides of the pond, and this is the inevitable cost. The corporates interested in the bottom line, and the directors having no real skin in the game.
    And the cost is not borne by the spooks, or by the companies, or by the directors. It's the asymmetric risk problem of a rent-seeking economy, which will only decay through lack of productivity.
     
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    CISA worsens both security and privacy.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,907
    Location:
    Slovenia, EU
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,500
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,907
    Location:
    Slovenia, EU
    It really was close vote. I thought he would get better support. He exposed some info about NSA spying on EU governments so this might be their payback. He didn't break any EU law AFAIK, so giving him protection shouldn't be a problem.
    We'll see what happens next.
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
Where it goes from here? As the US did with Germany when factions of the government wanted Snowden to testify in person (let alone give him asylum and immunity from extradition) - they will threaten them with withdrawing the XKS drug and intelligence sharing, and the government will cave.
    The EU being what it is, each government can be divided and ruled.
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,907
    Location:
    Slovenia, EU
    British NCA revealed to have hacking abilities, aka equipment interference
    http://securityaffairs.co/wordpress/41844/cyber-crime/uk-nca-equipment-interference.html

     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    The Home Office already tried to slip in "Equipment Interference" into a code of practice back in February.

    One of the obvious problems with giving this class of hacking tool to law enforcement (as opposed to the spooks), is that the standards of evidence are hopelessly compromised, or else they will not provide that as evidence (and may deny they have used these techniques) and use some form of parallel construction. For example, with seizure of computer disks, the disk is at least forensically frozen, but there's no such situation (the opposite really) in hacking. There's also the issue of recompense for the breach - when the cops knock your door down, for example, they have to make it good, but you're hard pushed to prove anything in the circumstances.

    Clearly, the capability to alter the affected systems and plant files is a big problem for justice.
     
  18. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,500
    I realize I am only covering part of the story here, but this is another reason for solid disk encryption. At least it makes it exponentially more difficult to plant files on a disk they cannot access. I wish I could believe this never happened, but LE has been caught putting stuff on a disk and then calling it evidence.

    Posts along this line really add to the need for a TAILS approach, and of course guarding your hardware somehow when you are not around to keep your eyes on it.
     
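The planted-file concern in the two posts above has a cheap partial check, shown here as an added example (not part of either post): hash every file under a directory into a manifest, store it off the machine, and diff a fresh manifest against it later. Added, removed and altered files show up by name. The scenario in `run_demo` is constructed in a temporary directory; the file names and contents are invented for the demonstration.

```python
"""File-integrity manifest: detect planted, removed or altered files under a directory."""
import hashlib
import json
import os
import tempfile


def hash_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each entry under root (relative POSIX path) to its hash and size.

    Symlinks are recorded by their target text rather than followed, so a link
    re-pointed somewhere else is reported as a modification too.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = {"type": "symlink", "target": os.readlink(full)}
            elif os.path.isfile(full):
                manifest[rel] = {
                    "type": "file",
                    "sha256": hash_file(full),
                    "size": os.path.getsize(full),
                }
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed and modified between a stored baseline and a fresh scan."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_manifest(manifest: dict, path: str) -> None:
    """Write the baseline as sorted JSON; keep this copy off the host being checked."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def run_demo() -> dict:
    """Constructed scenario: baseline a small tree, then plant one file and edit another."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "notes.txt"), "w", encoding="utf-8") as fh:
            fh.write("meeting at the usual place\n")
        with open(os.path.join(root, "keys.gpg"), "wb") as fh:
            fh.write(b"\x85\x01\x0c\x03constructed-not-a-real-key")
        baseline = build_manifest(root)

        # Simulated tampering between the two scans.
        with open(os.path.join(docs, "planted.bin"), "wb") as fh:
            fh.write(b"\x00" * 32)
        with open(os.path.join(docs, "notes.txt"), "a", encoding="utf-8") as fh:
            fh.write("added line\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two caveats a practitioner will want: a manifest left on the same disk is only as trustworthy as that disk (anyone who can plant files can rewrite it, so keep it on read-only or removable media, or sign it), and content hashes say nothing about timestamps or which account created a file, so they narrow the question to "what changed" rather than settle "who did it".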
  19. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    106,615
    Location:
    U.S.A.
     
  20. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,500
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Trouble is, we've learned from bitter experience to dissect any of their statements with the eyes of a shyster lawyer. So when they say, we disclose 91% of bugs we find, that doesn't really detail the timescales over which they do so, and maybe they themselves don't find many, they get told about them by others, or by the vendors, and exploit them awhile. Note the figure also excludes any non-US product.

    The division between attack and defence still hasn't been structurally sorted, so the easy attack side wins.
     
  22. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    The problem though is the game is different to conventional attacks where we seem to rely on mutually assured destruction. Strengthening our defence by disclosing bugs reduces our ability to attack others because it also strengthens the opponents defence. It also greatly increases the cost of an attack and puts it out of the reach of less resourced attackers. I would argue the benefit far outweighs the drawback.
     
  23. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,500
It's so tough to find the balance!!
     
  24. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    By Micah Lee,

    Edward Snowden Explains How To Reclaim Your Privacy
     
  25. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,500
Thanks Dermot7. That was a good read. I have made a note to go and investigate "Signal" for Android. Snowden really likes it and it's free.
     