Used to work with a subsidiary of FEMA , I can categorically state that we have no current plans to put Americans into camps.
http://www.fema-online.eu/
http://www.fema-online.eu/
-
Happy Birthday ICMag! Been 20 years since Gypsy Nirvana created the forum! We are celebrating with a 4/20 Giveaway and by launching a new Patreon tier called "420club". You can read more here.
-
Important notice: ICMag's T.O.U. has been updated. Please review it here. For your convenience, it is also available in the main forum menu, under 'Quick Links"!
The SNOWDEN Saga continues...
- Thread starter gaiusmarius
- Start date
careful what truths you tell bro, in this thread I was accused by a crackpot of a member of trolling the site and neg repping his posts (I PROVED that I did not neg rep him), and also of being leo which he announced TWICE in here, TWICE!!! All the while said offensive/offending member had his hand held through all his boohoo, cry baby drama & trauma by a mod and yet he never even suffered a ban for the things he said about me.
The thread had to be cleaned of all the bullshit posts so that it could continue in all its glory.
and btw, I never ONCE said anything bad about Snowden in this thread, my opinion since day one has been this: "Snowden did a great thing in exposing the NSA tactics, but he went about it in the worst way." Otherwise an American hero wouldn't be exiled to Russia.
So watch what you say here foomar, and which mods you might piss off. idk why I was accused of being a neg repping troll & a cop but if you post here long enough you'll likely suffer much of the same.
As soon as you're making sense so irrefutable it can't be denied they'll change the point of the issue to something completely different, they'll quickly & angrily challenge you to answer some new bullshit because they have NO VALID response to the way you'd just shot down the point they'd made; next comes the insults to your intelligence, then accusations that you're one of the sheeple and finally that you get your news/info from mainstream media (MSM).
Enjoy your say and then leave these kiddies to play in their very own icmag sandbox amongst themselves.......
EDIT:
btw, this would be the same MSM that exposed racism, segregation, KKK activities (ALL w/govt knowledge & involvement), war atrocities and unseated Nixon. And so much more over the decades, they sound inept & corrupt to me.
Last edited:
careful what truths you tell bro, in this thread I was accused by a crackpot of a member of trolling the site and neg repping his posts (I PROVED that I did not neg rep him), and also of being leo which he announced TWICE in here, TWICE!!! All the while said offensive/offending member had his hand held through all his boohoo, cry baby drama & trauma by a mod and yet he never even suffered a ban for the things he said about me.
The thread had to be cleaned of all the bullshit posts so that it could continue in all its glory.
and btw, I never ONCE said anything bad about Snowden in this thread, my opinion since day one has been this: "Snowden did a great thing in exposing the NSA tactics, but he went about it in the worst way." Otherwise an American hero wouldn't be exiled to Russia.
So watch what you say here foomar, and which mods you might piss off. idk why I was accused of being a neg repping troll & a cop but if you post here long enough you'll likely suffer much of the same.
As soon as you're making sense so irrefutable it can't be denied they'll change the point of the issue to something completely different, they'll quickly & angrily challenge you to answer some new bullshit because they have NO VALID response to the way you'd just shot down the point they'd made; next comes the insults to your intelligence, then accusations that you're one of the sheeple and finally that you get your news/info from mainstream media (MSM).
Enjoy your say and then leave these kiddies to play in their very own icmag sandbox amongst themselves.......
EDIT:
btw, this would be the same MSM that exposed racism, segregation, KKK activities (ALL w/govt knowledge & involvement), war atrocities and unseated Nixon. And so much more over the decades, they sound inept & corrupt to me.
wtf? there is no drama no fights nothing, why are you bringing all the old conflicts up here? as for your insinuations about mods holding people hands, it's just a bunch of bs, posts were reported and said posts got deleted when it was called for, like i said then, i don't just ban people for getting heated in an argument. some mods might, but i try and respect free speech as much as i can inside the tos, people get a warning or 2 before they are banned in my book if poss. so like i told you back then, if you want some one banned for an opinion they hold or calling you a name, go report them to someone else. if that means i'm holding said members hand then so be it. have held your hand too before now in that case. i really thought we were past that episode, have no idea what brought it all up again, but in my humble opinion it's totally off topic and not posted in the friendly way this thread has been running in.
Foomar give up on the sarcasm 
its not working for you, but that is funny if you follow the link
its not working for you, but that is funny if you follow the link
just warning foomar w/my experiences is all.
if this were my thread a moderator would have shut it long ago.
I've learned quite some time ago to always check for sources before getting my knickers in a bunch. Touche, fumar, well played.
why do you dislike this thread so much? i just don't get it, it's in all our interest to know about this stuff. i for one am glad people are still keeping up with this subject, as it's not been resolved yet, the mass surveillance is still going on. in fact its seems that the rabbit hole just keeps getting deeper, is that the time to close the discussion in your opinion?
insinuation and inference hiding intent.
jmo fwiw...
foomar is a big boy.
jmo fwiw...
foomar is a big boy.
no, I didn't say it should be shut, not in Feb/Mar or this part of Apr so far, back in January I did, but I'd earned the right to that opinion back then.
Snowden, Greenwald urge caution of wider government monitoring at Amnesty event.
CHICAGO (Reuters) - Edward Snowden and reporter Glenn Greenwald, who brought to light the whistleblower's leaks about mass U.S. government surveillance last year, appeared together via video link from opposite ends of the earth on Saturday for what was believed to be the first time since Snowden sought asylum in Russia.
A sympathetic crowd of nearly 1,000 packed a downtown Chicago hotel ballroom at Amnesty International USA's annual human rights meeting and gave Greenwald, who dialed in from Brazil, a raucous welcome before Snowden was patched in 15 minutes later to a standing ovation.
The pair cautioned that government monitoring of "metadata" is more intrusive than directly listening to phone calls or reading emails and stressed the importance of a free press willing to scrutinize government activity.
Metadata includes which telephone number calls which other numbers, when the calls were made and how long they lasted. Metadata does not include the content of the calls.
Amnesty International is campaigning to end mass surveillance by the U.S. government and calling for Congressional action to further rein in the collection of information about telephone calls and other communications.
Last year, Snowden, who had been working at a NSA facility as an employee of Booz Allen Hamilton, leaked a raft of secret documents that revealed a vast U.S. government system for monitoring phone and Internet data.
The leaks deeply embarrassed the Obama administration, which in January banned U.S. eavesdropping on the leaders of friendly countries and allies and began reining in the sweeping collection of Americans' phone data in a series of limited reforms triggered by Snowden's revelations.
Snowden faces arrest if he steps foot on U.S. soil.
President Barack Obama said last month he plans to ask Congress to end the bulk collection and storage of phone records by the NSA but allow the government to access metadata when needed.
Snowden and Greenwald said that such data is in fact more revealing than outright government spying on phone conversations and emails.
"Metadata is what allows an actual enumerated understanding, a precise record of all the private activities in all of our lives. It shows our associations, our political affiliations and our actual activities," said Snowden, dressed in a jacket with no tie in front of a black background.
A Reuters/Ipsos poll this week showed the majority of Americans were concerned that Internet companies were encroaching on too much of their lives.
Greenwald, who met with Snowden 10 months ago and wrote about the leaked documents in the Guardian and other media outlets, promised further revelations of government abuses of power at his new media venture the Intercept.
"My hope and my belief is that as we do more of that reporting and as people see the scope of the abuse as opposed to just the scope of the surveillance they will start to care more," he said.
"Mark my words. Put stars by it and in two months or so come back and tell me if I didn't make good on my word."
http://news.msn.com/science-technol...-wider-government-monitoring-at-amnesty-event
CHICAGO (Reuters) - Edward Snowden and reporter Glenn Greenwald, who brought to light the whistleblower's leaks about mass U.S. government surveillance last year, appeared together via video link from opposite ends of the earth on Saturday for what was believed to be the first time since Snowden sought asylum in Russia.
A sympathetic crowd of nearly 1,000 packed a downtown Chicago hotel ballroom at Amnesty International USA's annual human rights meeting and gave Greenwald, who dialed in from Brazil, a raucous welcome before Snowden was patched in 15 minutes later to a standing ovation.
The pair cautioned that government monitoring of "metadata" is more intrusive than directly listening to phone calls or reading emails and stressed the importance of a free press willing to scrutinize government activity.
Metadata includes which telephone number calls which other numbers, when the calls were made and how long they lasted. Metadata does not include the content of the calls.
Amnesty International is campaigning to end mass surveillance by the U.S. government and calling for Congressional action to further rein in the collection of information about telephone calls and other communications.
Last year, Snowden, who had been working at a NSA facility as an employee of Booz Allen Hamilton, leaked a raft of secret documents that revealed a vast U.S. government system for monitoring phone and Internet data.
The leaks deeply embarrassed the Obama administration, which in January banned U.S. eavesdropping on the leaders of friendly countries and allies and began reining in the sweeping collection of Americans' phone data in a series of limited reforms triggered by Snowden's revelations.
Snowden faces arrest if he steps foot on U.S. soil.
President Barack Obama said last month he plans to ask Congress to end the bulk collection and storage of phone records by the NSA but allow the government to access metadata when needed.
Snowden and Greenwald said that such data is in fact more revealing than outright government spying on phone conversations and emails.
"Metadata is what allows an actual enumerated understanding, a precise record of all the private activities in all of our lives. It shows our associations, our political affiliations and our actual activities," said Snowden, dressed in a jacket with no tie in front of a black background.
A Reuters/Ipsos poll this week showed the majority of Americans were concerned that Internet companies were encroaching on too much of their lives.
Greenwald, who met with Snowden 10 months ago and wrote about the leaked documents in the Guardian and other media outlets, promised further revelations of government abuses of power at his new media venture the Intercept.
"My hope and my belief is that as we do more of that reporting and as people see the scope of the abuse as opposed to just the scope of the surveillance they will start to care more," he said.
"Mark my words. Put stars by it and in two months or so come back and tell me if I didn't make good on my word."
http://news.msn.com/science-technol...-wider-government-monitoring-at-amnesty-event
NSA logs reveal flood of post-Snowden FOIA requests
Al Jazeera has obtained access to full list of Freedom of Information Act queries submitted to security agency
April 8, 2014 6:00AM ET
by Jason Leopold - @JasonLeopold
The National Security Agency (NSA) has been flooded with thousands of Freedom of Information Act (FOIA) requests from journalists, civil rights groups and private citizens who have asked the agency to turn over the top-secret records that former contractor Edward Snowden leaked to the media, Al Jazeera can reveal.
In response to an open records request filed in November, the NSA has just released its FOIA logs to Al Jazeera. The hundreds of pages of documents describe post-Snowden requests that have been filed with the agency — on matters from its bandwidth consumption and it sprawling new data center in Utah to metadata records and contracts with Booz Allen Hamilton, Snowden’s former employer.
Since details about the NSA’s spy capabilities were revealed by The Guardian and The Washington Post 10 months ago, the agency’s FOIA office has been the subject of several national news stories noting that the leaks have resulted in thousands of new FOIA requests.
Details of those requests are revealed here for the first time and illustrate their extent as well as the logistical demands it has placed on the NSA. "FOIA requests continue to be received at a higher rate than in past years, although it has tapered off from the initial surge extremes in June and July 2013,” said Pamela Phillips, the NSA's FOIA chief.
"We have received over 5,200 requests since June 6, 2013," she told Al Jazeera. "We received just over 800 requests for the same period last year. For the one-year period from June 2012 through May 2013, we received an average of 83 requests per month. Since June 2013, we’ve received an average of 521 requests per month. Omitting June through August, which were extremely high, the monthly average for September 2013 through March 2014 is 283 — more than three times what it was in prior years.”
To deal with the surge in requests, Phillips said the NSA's FOIA office has requested additional staff, "but to date, the staff has not been augmented."
FOIA requests to the NSA skyrocketed the day The Guardian published its first report based on the documents Snowden leaked: a top-secret court order requiring Verizon to hand over call data to the NSA.
“FOIA requests continue to be received at a higher rate than in past years, although it has tapered off from the initial surge extremes in June and July 2013.”
The NSA said the fiscal year 2013 logs went through a declassification review. The agency, citing a privacy exemption, withheld information about requests it received from individuals who sought information on themselves. Those types of requests, the FOIA logs indicated, make up a bulk of the requests the NSA has received since the Snowden leaks.
FOIA logs are usually of interest to transparency enthusiasts and government watchdog groups, which use the materials to measure whether Barack Obama's administration is adhering to promises of increased openness.
The initial Guardian report on Snowden prompted one person to file a FOIA request asking the NSA for a copy of “the phone records that have been obtained through this order” as well as “any other personal information that has been collected by the government without my permission and without just cause that may infringe on my right to privacy and my right against illegal search and seizure.”
The logs do not say how the NSA responded to that request and others like it, but a report published by McClatchy in February said the NSA has implemented a blanket policy of issuing "Glomars" to requesters who ask for records about whether they were the subject of surveillance. Named for the legal precedent set by the case over press coverage of the CIA's Glomar Explorer vessel, such responses deny requests because the agency can neither confirm nor deny that those records exist.
more:
http://america.aljazeera.com/articles/2014/4/8/nsa-after-snowden.html
Al Jazeera has obtained access to full list of Freedom of Information Act queries submitted to security agency
April 8, 2014 6:00AM ET
by Jason Leopold - @JasonLeopold
The National Security Agency (NSA) has been flooded with thousands of Freedom of Information Act (FOIA) requests from journalists, civil rights groups and private citizens who have asked the agency to turn over the top-secret records that former contractor Edward Snowden leaked to the media, Al Jazeera can reveal.
In response to an open records request filed in November, the NSA has just released its FOIA logs to Al Jazeera. The hundreds of pages of documents describe post-Snowden requests that have been filed with the agency — on matters from its bandwidth consumption and it sprawling new data center in Utah to metadata records and contracts with Booz Allen Hamilton, Snowden’s former employer.
Since details about the NSA’s spy capabilities were revealed by The Guardian and The Washington Post 10 months ago, the agency’s FOIA office has been the subject of several national news stories noting that the leaks have resulted in thousands of new FOIA requests.
Details of those requests are revealed here for the first time and illustrate their extent as well as the logistical demands it has placed on the NSA. "FOIA requests continue to be received at a higher rate than in past years, although it has tapered off from the initial surge extremes in June and July 2013,” said Pamela Phillips, the NSA's FOIA chief.
"We have received over 5,200 requests since June 6, 2013," she told Al Jazeera. "We received just over 800 requests for the same period last year. For the one-year period from June 2012 through May 2013, we received an average of 83 requests per month. Since June 2013, we’ve received an average of 521 requests per month. Omitting June through August, which were extremely high, the monthly average for September 2013 through March 2014 is 283 — more than three times what it was in prior years.”
To deal with the surge in requests, Phillips said the NSA's FOIA office has requested additional staff, "but to date, the staff has not been augmented."
FOIA requests to the NSA skyrocketed the day The Guardian published its first report based on the documents Snowden leaked: a top-secret court order requiring Verizon to hand over call data to the NSA.
“FOIA requests continue to be received at a higher rate than in past years, although it has tapered off from the initial surge extremes in June and July 2013.”
The NSA said the fiscal year 2013 logs went through a declassification review. The agency, citing a privacy exemption, withheld information about requests it received from individuals who sought information on themselves. Those types of requests, the FOIA logs indicated, make up a bulk of the requests the NSA has received since the Snowden leaks.
FOIA logs are usually of interest to transparency enthusiasts and government watchdog groups, which use the materials to measure whether Barack Obama's administration is adhering to promises of increased openness.
The initial Guardian report on Snowden prompted one person to file a FOIA request asking the NSA for a copy of “the phone records that have been obtained through this order” as well as “any other personal information that has been collected by the government without my permission and without just cause that may infringe on my right to privacy and my right against illegal search and seizure.”
The logs do not say how the NSA responded to that request and others like it, but a report published by McClatchy in February said the NSA has implemented a blanket policy of issuing "Glomars" to requesters who ask for records about whether they were the subject of surveillance. Named for the legal precedent set by the case over press coverage of the CIA's Glomar Explorer vessel, such responses deny requests because the agency can neither confirm nor deny that those records exist.
more:
http://america.aljazeera.com/articles/2014/4/8/nsa-after-snowden.html
Instead of fixing Heartbleed when they discovered it TWO YEARS AGO, the NSA thought it would be better utilized as a way to further their agenda. Our national SECURITY agency found a door, opened it, and left the keys on the table for anyone to find. For two years. Can we please pull their funding and use it for something more useful?
http://www.wired.com/2014/04/nsa-exploited-heartbleed-two-years/
The NSA knew about and exploited the Heartbleed vulnerability for two years before it was publicly exposed this week, and used it to steal account passwords and other data, according to a news report.
Speculation had been rampant this week that the spy agency might have known about the critical flaw in OpenSSL that would allow hackers to siphon passwords, email content and other data from the memory of vulnerable web servers and other systems using the important encryption protocol.
That speculation appears to be confirmed by two unnamed sources who told Bloomberg that the NSA discovered the flaw shortly after it was accidentally introduced into OpenSSl in 2012 by a programmer.
The flaw “became a basic part of the agency’s toolkit for stealing account passwords and other common tasks,” the publication reports. [See NSA response below]
OpenSSL is used by many websites and systems to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to 10, cryptographer Bruce Schneier ranks the flaw an 11.
The flaw is critical because it’s at the core of SSL, the encryption protocol so many have trusted to protect their data, and can be used by hackers to steal usernames and passwords — for sensitive services like banking, ecommerce, and web-based email.
There are also concerns that the flaw can be used to steal the private keys that vulnerable web sites use to encrypt traffic to them, which would make it possible for the NSA or other spy agencies to decipher encrypted data in some cases and to impersonate legitimate web sites in order to conduct a man-in-the-middle attack and trick users into revealing passwords and other sensitive data to fake web sites they control.
Heartbleed allows an attacker to craft a query to vulnerable web sites that tricks the web server into leaking up to 64kb of data from the system’s memory. The data that’s returned is random — whatever is in the memory at the time — and requires an attacker to query multiple times to collect a lot of data. But this means that any passwords, spreadsheets, email, credit card numbers or other data that’s in the memory at the time of the query could be siphoned. Although the amount of data that can be siphoned in one query is small, there’s no limit to the number of queries an attacker can make, allowing them to collect a lot of data over time.
Although some researchers have reported on Twitter and in online forums that they were able to siphon the private keys in some cases from servers that were vulnerable to the flaw, the security firm CloudFlare announced today in a blog post that it was unable to siphon a private key after multiple days of testing the flaw.
Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt the data in near-real time, and there were suggestions that they might have succeeded.
According to documents that Edward Snowden provided the paper, the spy agencies have used a number of methods under a program codenamed “Project BULLRUN” to undermine encryption or do end-runs around it — including efforts to compromise encryption standards and work with companies to install backdoors in their products. But at least one part of the program focused on undermining SSL. Under BULLRUN, the Guardian noted, the NSA “has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.”
Bloomberg does not say if the NSA or its counterparts succeeded in siphoning private keys using the Heartbleed vulnerability. The paper only mentions using it to steal passwords and “critical intelligence.”
Update: The NSA has issued a statement denying any knowledge of Heartbleed prior to its public disclosure this week. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokesperson wrote in a statement. “Reports that say otherwise are wrong.”
The White House National Security Council spokesperson Caitlin Hayden also denied that federal agencies knew about the bug. “If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” Caitlin Hayden said in a statement.
http://www.wired.com/2014/04/nsa-exploited-heartbleed-two-years/
The NSA knew about and exploited the Heartbleed vulnerability for two years before it was publicly exposed this week, and used it to steal account passwords and other data, according to a news report.
Speculation had been rampant this week that the spy agency might have known about the critical flaw in OpenSSL that would allow hackers to siphon passwords, email content and other data from the memory of vulnerable web servers and other systems using the important encryption protocol.
That speculation appears to be confirmed by two unnamed sources who told Bloomberg that the NSA discovered the flaw shortly after it was accidentally introduced into OpenSSl in 2012 by a programmer.
The flaw “became a basic part of the agency’s toolkit for stealing account passwords and other common tasks,” the publication reports. [See NSA response below]
OpenSSL is used by many websites and systems to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to 10, cryptographer Bruce Schneier ranks the flaw an 11.
The flaw is critical because it’s at the core of SSL, the encryption protocol so many have trusted to protect their data, and can be used by hackers to steal usernames and passwords — for sensitive services like banking, ecommerce, and web-based email.
There are also concerns that the flaw can be used to steal the private keys that vulnerable web sites use to encrypt traffic to them, which would make it possible for the NSA or other spy agencies to decipher encrypted data in some cases and to impersonate legitimate web sites in order to conduct a man-in-the-middle attack and trick users into revealing passwords and other sensitive data to fake web sites they control.
Heartbleed allows an attacker to craft a query to vulnerable web sites that tricks the web server into leaking up to 64kb of data from the system’s memory. The data that’s returned is random — whatever is in the memory at the time — and requires an attacker to query multiple times to collect a lot of data. But this means that any passwords, spreadsheets, email, credit card numbers or other data that’s in the memory at the time of the query could be siphoned. Although the amount of data that can be siphoned in one query is small, there’s no limit to the number of queries an attacker can make, allowing them to collect a lot of data over time.
Although some researchers have reported on Twitter and in online forums that they were able to siphon the private keys in some cases from servers that were vulnerable to the flaw, the security firm CloudFlare announced today in a blog post that it was unable to siphon a private key after multiple days of testing the flaw.
Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt the data in near-real time, and there were suggestions that they might have succeeded.
According to documents that Edward Snowden provided the paper, the spy agencies have used a number of methods under a program codenamed “Project BULLRUN” to undermine encryption or do end-runs around it — including efforts to compromise encryption standards and work with companies to install backdoors in their products. But at least one part of the program focused on undermining SSL. Under BULLRUN, the Guardian noted, the NSA “has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.”
Bloomberg does not say if the NSA or its counterparts succeeded in siphoning private keys using the Heartbleed vulnerability. The paper only mentions using it to steal passwords and “critical intelligence.”
Update: The NSA has issued a statement denying any knowledge of Heartbleed prior to its public disclosure this week. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokesperson wrote in a statement. “Reports that say otherwise are wrong.”
The White House National Security Council spokesperson Caitlin Hayden also denied that federal agencies knew about the bug. “If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” Caitlin Hayden said in a statement.
When you get to Costa Rica it has a little blurb on it's net and it says the ICE will be reading your net and when they don't like what you write they throttle your connection lol..headband 707
Trove of Software Flaws Used by U.S. Spies at Risk
By Michael Riley Apr 13, 2014 9:00 PM PT
The White House’s directive to limit the use of software flaws by U.S. intelligence agencies could require the disclosure of thousands of precious exploits now in the hands of elite spying units, intelligence professionals say.
The stockpile of exploits is derived from vulnerabilities not just in ordinary computer software, but also in industrial controllers, heating and cooling systems, printers, anti-virus software, video conferencing systems and encryption protocols.
The exploits, typically based on simple oversights and flaws in computer code that hackers can use to take control of most anything that runs with the help of a computer chip, are considered essential to gathering some of the most valuable U.S. intelligence.
Related:
jHeartbleed Fixes Taking Longer as Websites Plug Gaps
jNSA Said to Exploit Heartbleed Bug for Intelligence for Years
Richard Clarke, a member of a presidential panel reviewing National Security Agency practices, said the White House issued guidance to the entire intelligence community three weeks ago largely in line with his panel’s earlier recommendation that the vulnerabilities be used rarely and only for the most important intelligence goals. Otherwise, the security flaws could be disclosed to protect computer users everywhere from rogue hackers.
Elite Groups
Compliance with the directive will be a challenge within the NSA, a highly compartmentalized agency with elite groups who work on different missions and who guard their tools jealously.
Perhaps the biggest question is how much will change given the broad exception in the new policy that allows a computer vulnerability to be kept secret if it is justified for critical intelligence and law enforcement purposes.
Big Data Meets Big Surveillance»
Limiting the use of such exploits “would hamstring the ability of the intelligence organizations to do their mission,” said Jason Syversen, who formerly worked on cyberwar projects for the Pentagon and now runs a New Hampshire company called Siege Technologies that develops cyberwar tools. “That’s like saying spies are only allowed to lie some of the time but still have to do their job.”
The NSA review panel, which was created after leaks by former contractor Edward Snowden, released its recommendations in January. Although some of the recommendations were adopted quickly, the subject of disclosing flaws prompted an extensive debate that has continued.
New Director
The presidential guidance led to a high-level re-assessment of the policy, but substantive change in the process will be a task for the new NSA director, Admiral Michael S. Rogers, according to a senior administration official who declined to be quoted by name when discussing the process. The specific text of the guidance hasn’t been released. The panel’s suggestion was that the flaws be used only for short periods before being made public.
“We endorsed that recommendation and explained that we would use an NSC-led process to review and, as necessary, adjust existing processes related to this topic,” Caitlin Hayden, a spokeswoman for the National Security Council, said in a statement today. “That review is complete.”
Until now, NSA’s elite cyberspies have had great leeway to develop, stockpile and use vulnerabilities, according to three people familiar with the process. The agency’s main unit for gathering intelligence through hacking, Tailored Access Operations, or TAO, is among the groups that spend heavily to research and develop the flaws. It does so with the support of in-house experts as well as military contractors who use expensive and sophisticated tools that scan billions of lines of code.
Zero-Day Flaws
These zero-day flaws, so named because zero days pass between the attack and the public discovery, help government hackers to remain undetected and to proceed quickly if needed. Using other methods to hack systems stalls the process, and security experts warn that lag could be detrimental in a national emergency.
Some of these flawed systems go to the heart of the way any computer user communicates. In response to questions from Bloomberg News about the new presidential guidance, the NSA issued a statement again Sunday that it had never used the so-called Heartbleed bug, a glitch in a widely used form of Internet traffic called OpenSSL. “That is the ground truth,” said Vanee Vines, the agency’s spokeswoman.
Two people familiar with the matter said that the agency was aware of the flaw and had used it as part of the intelligence gathering toolkit, as reported by Bloomberg News last week.
Information released previously by Snowden showed that the agency had a program, codenamed BULLRUN, to try to crack SSL.
Circumvent Security
The NSA has more than one way to circumvent the security of SSL and OpenSSL, a free version of the protocol, according to new information provided by the two people, who asked not to be identified because they were not authorized to speak about it.
One work-around involves not defeating the SSL software itself but breaking into a different system on the targeted computer on which the software depends, according to one of the people. While disclosing that method might increase computer security generally, the NSA might consider that a hacking technique instead of an SSL vulnerability.
NSA spokeswoman Vines declined to comment on the NSA’s intelligence-gathering methods.
The matter is further complicated because a bug like Heartbleed has to be turned into a specific exploit, a process that can branch out quickly, creating a class of vulnerabilities rather than just a single one. Small differences in the way a platform like OpenSSL is exploited could lead to differing conclusions about whether the exploits are the same.
Alpha Green
“Maybe it’s not Heartbleed, maybe it’s what they call alpha green, and alpha green is something that sends a packet to OpenSSL and creates an information leak,” said Syversen. “It’s going to be challenging to conclude whether it’s the exact same technique or not.”
Implementing the new guidelines -- described by the White House as reinvigorating an existing process for determining when zero days should be disclosed -- will require institutional barriers to be swept away, said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council in Washington.
TAO, for example, is not required to share all the exploits it uses, even with other units in the NSA, according to two people familiar with the procedures, who asked not to be named because they weren’t authorized to speak on the matter. That includes the NSA Threat Operations Center, which is responsible for protecting government and military computers.
Disclosure Rules
Vines declined to comment on the NSA’s disclosure rules or changes planned as part of the new guidance.
The White House discussion about the government’s policy for its arsenal of zero days represents a major step forward despite shortcomings in the policy itself, said Christopher Soghoian, principal technologist with the American Civil Liberties Union. The government has reserved the right to stockpile bugs that it believes are in the interest of national security or law enforcement.
“The policy has a loophole so big that you could drive a truck through it,” Soghoian said in a telephone interview. Still, he said the presidential acknowledgment of the policy and the discussion about it is “a really big shift.”
Additionally, it’s unclear whether the agency will apply the new guidance only to newly discovered vulnerabilities or whether it will also include the existing stockpile, which represents millions of dollars of research and development, the Atlantic Council’s Healey said. “I could see them grandfathering all of that in,” he said.
If those vulnerabilities are disclosed, it will be discreetly, through direct contacts with software and hardware vendors, Healey said.
The only way to detect that may be through a sudden uptick in software patches from major vendors who are suddenly fixing flaws only known previously by the NSA, he said.
By Michael Riley Apr 13, 2014 9:00 PM PT
The White House’s directive to limit the use of software flaws by U.S. intelligence agencies could require the disclosure of thousands of precious exploits now in the hands of elite spying units, intelligence professionals say.
The stockpile of exploits is derived from vulnerabilities not just in ordinary computer software, but also in industrial controllers, heating and cooling systems, printers, anti-virus software, video conferencing systems and encryption protocols.
The exploits, typically based on simple oversights and flaws in computer code that hackers can use to take control of most anything that runs with the help of a computer chip, are considered essential to gathering some of the most valuable U.S. intelligence.
Related:
jHeartbleed Fixes Taking Longer as Websites Plug Gaps
jNSA Said to Exploit Heartbleed Bug for Intelligence for Years
Richard Clarke, a member of a presidential panel reviewing National Security Agency practices, said the White House issued guidance to the entire intelligence community three weeks ago largely in line with his panel’s earlier recommendation that the vulnerabilities be used rarely and only for the most important intelligence goals. Otherwise, the security flaws could be disclosed to protect computer users everywhere from rogue hackers.
Elite Groups
Compliance with the directive will be a challenge within the NSA, a highly compartmentalized agency with elite groups who work on different missions and who guard their tools jealously.
Perhaps the biggest question is how much will change given the broad exception in the new policy that allows a computer vulnerability to be kept secret if it is justified for critical intelligence and law enforcement purposes.
Big Data Meets Big Surveillance»
Limiting the use of such exploits “would hamstring the ability of the intelligence organizations to do their mission,” said Jason Syversen, who formerly worked on cyberwar projects for the Pentagon and now runs a New Hampshire company called Siege Technologies that develops cyberwar tools. “That’s like saying spies are only allowed to lie some of the time but still have to do their job.”
The NSA review panel, which was created after leaks by former contractor Edward Snowden, released its recommendations in January. Although some of the recommendations were adopted quickly, the subject of disclosing flaws prompted an extensive debate that has continued.
New Director
The presidential guidance led to a high-level re-assessment of the policy, but substantive change in the process will be a task for the new NSA director, Admiral Michael S. Rogers, according to a senior administration official who declined to be quoted by name when discussing the process. The specific text of the guidance hasn’t been released. The panel’s suggestion was that the flaws be used only for short periods before being made public.
“We endorsed that recommendation and explained that we would use an NSC-led process to review and, as necessary, adjust existing processes related to this topic,” Caitlin Hayden, a spokeswoman for the National Security Council, said in a statement today. “That review is complete.”
Until now, NSA’s elite cyberspies have had great leeway to develop, stockpile and use vulnerabilities, according to three people familiar with the process. The agency’s main unit for gathering intelligence through hacking, Tailored Access Operations, or TAO, is among the groups that spend heavily to research and develop the flaws. It does so with the support of in-house experts as well as military contractors who use expensive and sophisticated tools that scan billions of lines of code.
Zero-Day Flaws
These zero-day flaws, so named because zero days pass between the attack and the public discovery, help government hackers to remain undetected and to proceed quickly if needed. Using other methods to hack systems stalls the process, and security experts warn that lag could be detrimental in a national emergency.
Some of these flawed systems go to the heart of the way any computer user communicates. In response to questions from Bloomberg News about the new presidential guidance, the NSA issued a statement again Sunday that it had never used the so-called Heartbleed bug, a glitch in a widely used form of Internet traffic called OpenSSL. “That is the ground truth,” said Vanee Vines, the agency’s spokeswoman.
Two people familiar with the matter said that the agency was aware of the flaw and had used it as part of the intelligence gathering toolkit, as reported by Bloomberg News last week.
Information released previously by Snowden showed that the agency had a program, codenamed BULLRUN, to try to crack SSL.
Circumvent Security
The NSA has more than one way to circumvent the security of SSL and OpenSSL, a free version of the protocol, according to new information provided by the two people, who asked not to be identified because they were not authorized to speak about it.
One work-around involves not defeating the SSL software itself but breaking into a different system on the targeted computer on which the software depends, according to one of the people. While disclosing that method might increase computer security generally, the NSA might consider that a hacking technique instead of an SSL vulnerability.
NSA spokeswoman Vines declined to comment on the NSA’s intelligence-gathering methods.
The matter is further complicated because a bug like Heartbleed has to be turned into a specific exploit, a process that can branch out quickly, creating a class of vulnerabilities rather than just a single one. Small differences in the way a platform like OpenSSL is exploited could lead to differing conclusions about whether the exploits are the same.
Alpha Green
“Maybe it’s not Heartbleed, maybe it’s what they call alpha green, and alpha green is something that sends a packet to OpenSSL and creates an information leak,” said Syversen. “It’s going to be challenging to conclude whether it’s the exact same technique or not.”
Implementing the new guidelines -- described by the White House as reinvigorating an existing process for determining when zero days should be disclosed -- will require institutional barriers to be swept away, said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council in Washington.
TAO, for example, is not required to share all the exploits it uses, even with other units in the NSA, according to two people familiar with the procedures, who asked not to be named because they weren’t authorized to speak on the matter. That includes the NSA Threat Operations Center, which is responsible for protecting government and military computers.
Disclosure Rules
Vines declined to comment on the NSA’s disclosure rules or changes planned as part of the new guidance.
The White House discussion about the government’s policy for its arsenal of zero days represents a major step forward despite shortcomings in the policy itself, said Christopher Soghoian, principal technologist with the American Civil Liberties Union. The government has reserved the right to stockpile bugs that it believes are in the interest of national security or law enforcement.
“The policy has a loophole so big that you could drive a truck through it,” Soghoian said in a telephone interview. Still, he said the presidential acknowledgment of the policy and the discussion about it is “a really big shift.”
Additionally, it’s unclear whether the agency will apply the new guidance only to newly discovered vulnerabilities or whether it will also include the existing stockpile, which represents millions of dollars of research and development, the Atlantic Council’s Healey said. “I could see them grandfathering all of that in,” he said.
If those vulnerabilities are disclosed, it will be discreetly, through direct contacts with software and hardware vendors, Healey said.
The only way to detect that may be through a sudden uptick in software patches from major vendors who are suddenly fixing flaws only known previously by the NSA, he said.
