“Defense Wins”

Nicolas Weaver explains how a “defense wins” policy in a combined offense and defense environment doesn’t sound not very convincing (case in point: the NSA reorganization).

Instead, NSA seems intent on ensuring that they will never be trusted again. The objective reality is this: from the perception of those outside the government, merging the IAD and SIGINT missions is tantamount to eliminating IAD entirely. Trust is a matter of perception as much as reality.  “Defense wins?” Whatever the actual truth, for now, the rest of the world says “HA!”

NSA’s MITM attack on Cryptome

The moment you find out the NSA is performing MITM attacks on your website’s visitors from a leaked slide deck:

But here is the thing — and this is crucial — the address for Cryptome is listed to be the location of a fiber optic cable junction in Sterling, VA (next to an Amusement Machine company)… which is quite some distance away from your location in NYC, and a considerable distance from your ISP who hosts your file, and it is located away from any signal switching systems use in the area, but it is virtually next door to fiber that goes to a large NSA listening post nearby.

The reason it is notable, is that someone at or near the location in Sterling, VA is performing a MITM attack on Cryptome visitors, and this image out of the slidedeck with the two GPS coordinates is the U.S. Government performing a MITM attack against Cryptome and sharing the collected intelligence with the Brits, or the U.S. Government giving the British government backdoor access into the U.S. (illegal) collection systems.

NSA’s Speech-to-Text capabilities

The Intercept has a lengthy article on what we know on the NSA’s speech recognition capabilities. Putting aside the actual capabilities, just the fact that anything you say will be recorded, stored and may be accessed at any point in the future only protected by “policy” sends shivers down my spine.

“People still aren’t realizing quite the magnitude that the problem could get to,” Raj said. “And it’s not just surveillance,” he said. “People are using voice services all the time. And where does the voice go? It’s sitting somewhere. It’s going somewhere. You’re living on trust.” He added: “Right now I don’t think you can trust anybody.”

Also when all the voice data gets automatically transcribed, made keyword-searchable, flagged and presented to agents as “potentially interesting” there’s basically no way of producing any sort of indication for suspicion other than pointing at a black box and mumbling something vaguely resembling “correlation.”

“When the NSA identifies someone as ‘interesting’ based on contemporary NLP [Natural Language Processing] methods, it might be that there is no human-understandable explanation as to why beyond: ‘his corpus of discourse resembles those of others whom we thought interesting’; or the conceptual opposite: ‘his discourse looks or sounds different from most people’s.'”

No, You Go First

Bruce Schneier talks about how security companies sat on knowledge and research data about military-grade Regin malware for at least six years. They only decided to share their knowledge because the Intercept was about to publish an article about it. Their arguments for why they withheld their knowledge until now range from “our customers asked us not to disclose what had been found in their networks” to “we didn’t want to interfere with NSA/GHCQ operations”. :/ It’s safe to say that they sit on a bunch more.