NSA

the nsa resources deployed on the war on water / drugs:

Agencies working to curb drug trafficking, cyberattacks, money laundering, counterfeiting and even copyright infringement complain that their attempts to exploit the security agency’s vast resources have often been turned down because their own investigations are not considered a high enough priority, current and former government officials say.

2013-08-14: Hipster NSA stopped 50 terrorist attacks. You’ve probably never heard of them.
2013-09-11: Calling the NSA

2013-09-16:

What can we do to roll back this aggressive expansion of the surveillance state, and to lower the probability of it happening again in the near future? The best answer is the simplest one: abolish the NSA. Abolish it, and create an easy mechanism for abolishing agencies like it in the future.

a test if we can still muster the power to dismantle organizations that have outlived their purpose and crossed too many lines.
2013-10-30: and good luck with decrypting the network now, assholes.

This is the big story in tech today:

NSA infiltrates links to Yahoo, Google data centers worldwide

I’m just going to post my thoughts on this. Standard disclaimer: They are my own thoughts, and not those of my employer.

Fuck these guys.

I’ve spent the last 10 years of my life trying to keep Google’s users safe and secure from the many diverse threats Google faces.

I’ve seen armies of machines DOS-ing Google. I’ve seen worms DOS’ing Google to find vulnerabilities in other people’s software. I’ve seen criminal gangs figure out malware. I’ve seen spyware masquerading as toolbars so thick it breaks computers because it interferes with the other spyware.

I’ve even seen oppressive governments use state sponsored hacking to target dissidents.

But even though we suspected this was happening, it still makes me terribly sad. It makes me sad because I believe in America.

Not in that flag-waving bullshit we’ve-got-our-big-trucks-and-bigger-tanks sort of way, but in the way that you can look at a good friend who has a lot of flaws, but every time you meet him, you think, “That guy still has some good ideas going on”.

But after spending all that time helping in my tiny way to protect Google — one of the greatest things to arise from the internet — seeing this, well, it’s just a little like coming home from War with Sauron, destroying the One Ring, only to discover the NSA is on the front porch of the Shire chopping down the Party Tree and outsourcing all the hobbit farmers with half-orcs and whips.

The US has to be better than this; but I guess in the interim, that security job is looking a lot more like a Sisyphus thing than ever.

Also of note, this article from September may call some recent technical decisions into relief:

Google encrypts data amid backlash against NSA spying

2013-11-01:

Despite Dianne Feinstein’s supposed “conversion” earlier this week about the NSA being out of control with its spying, and the associated performance of NSA folks claiming that they were screwed, it’s quickly become apparent that this was all pure theater to make people think that real reform might be coming.

2013-12-08: the low-level thugs at the NSA are polishing their resumes as we speak.

Morale has taken a hit at the National Security Agency in the wake of controversy over the agency’s surveillance activities. Former officials are dismayed that President Obama has not visited the agency to show his support.

2013-12-16: the nsa must be in deep crisis mode that they feel they have to ask for the help of this thug. tl;dr: yes we lied to congress but don’t worry, we don’t care about your data. also, please help out with my mayonnaise kickstarter.
2013-12-22:

The US national security establishment didn’t even attempt to protect us from this. Why? The folks running the show down in Washington don’t, and still don’t, consider the biggest cyber attack on US citizens to date a national security issue. As with 9/11, our expensive national defense system was totally ineffective when we needed it.

A bit hyperbolic but he is right that the thugs at the NSA had one job, and blew even that.
2013-12-26:

a time will come, someday, when we are terrified, once again. When all the “Orwellian” talk will seem far less important than empowering our protectors with any powers they claim to need. Shall we ride this roller-coaster helplessly, oscillating between submission and indignation?

2014-02-24: it’s great to see that other leakers are coming forward. an NSA busy with internal purges and ultra-paranoia will be less of a threat.

the NSA, forbidden by President Obama from tapping German Chancellor Angela Merkel’s phone directly, has ramped up its spying on her senior government officials

2014-03-20: high drama, with response by Richard Ledgett: The NSA responds to Edward Snowden’s TED Talk

2014-04-09:

Hackers are addicted to the power of controlling machines. Almost every time they compromise a new machine, their “compromise boundary” grows. The drug gets better the more you take – unlike “regular” drugs. SIGINT organizations seem to behave like addicts: Making up excuses to escalate the consumption of their favorite drug.

2014-05-09:

the NSA set themselves up for it by preventing the early internet specifications from including transport layer encryption. At every step in the development of the public internet the NSA systematically lobbied for weaker security, to enhance their own information-gathering capabilities. The trouble is, the success of the internet protocols created a networking monoculture that the NSA themselves came to rely on for their internal infrastructure. The same security holes that the NSA relied on to gain access to your (or Osama bin Laden’s) email allowed gangsters to steal passwords and login credentials and credit card numbers. And ultimately these same baked-in security holes allowed Edward Snowden—who, let us remember, is merely 1 guy: a talented system administrator and programmer, but no Clark Kent—to rampage through their internal information systems.

2015-05-23:

piecing this story together took a team that was willing to do everything from learning some fairly difficult number theory to coding up simulations to poring over the Snowden documents for clues about the NSA’s budget

Interesting musings on the Diffie-Hellman vulnerability.
2017-05-01:

It’s possible that someone penetrated the internal NSA network. We’ve already seen NSA tools that can do that kind of thing to other networks. That would be huge, and explain why there were calls to fire NSA Director Mike Rogers last year.

The CIA leak is both similar and different. It consists of a series of attack tools from ~1 year ago. The most educated guess amongst people who know stuff is that the data is from an almost-certainly air-gapped internal development wiki and either someone on the inside was somehow coerced into giving up a copy of it, or someone on the outside hacked into the CIA and got themselves a copy. They turned the documents over to WikiLeaks, which continues to publish it.

This is also a really big deal, and hugely damaging for the CIA. Those tools were new, and they’re impressive. The CIA is desperately trying to hire coders to replace what was lost.

For both of these leaks, one big question is attribution: who did this? A whistleblower wouldn’t sit on attack tools for years before publishing. A whistleblower would act more like Snowden or Manning, publishing immediately — and publishing documents that discuss what the US is doing to whom, not simply a bunch of attack tools. It just doesn’t make sense. Neither does random hackers. Or cybercriminals. I think it’s being done by a country or countries.

My guess was, and is still, Russia in both cases. Here’s my reasoning. Whoever got this information years before and is leaking it now has to 1) be capable of hacking the NSA and/or the CIA, and 2) willing to publish it all. Countries like Israel and France are certainly capable, but wouldn’t ever publish. Countries like North Korea or Iran probably aren’t capable.
