UK intelligence agencies are claiming that they are having to move agents who are endangered in the field, and according to this report the reason is… Edward Snowden!
I must say, this has the stink of the barnyard. Information about the nature of surveillance programs, which is what Snowden revealed, is so far from operational info about field agents that it might as well be the 1997 Minnesota Twins’ box scores. If agencies are having their networks compromised they should look to the flaws in their protocols that allowed Snowden to take any files out, not to the actual files Snowden took out.
Assuming they are not flat-out lying about having to roll up field networks (a BIG-ass-umption), they are simply scapegoating the man they love to hate.
The Chinese just breached a carload of US government data from security clearance applications. So now they know:
Who has clearance
At what level
What is all the garbage those people had in their background that had to be vetted out to give them the clearance.
Now which one is more likely to have compromised field agents? That? Or a detailed description of how Verizon rolls over and gives the gov’t all your call data?
But wait – what could the government POSSIBLY want with distracting you from the Chinese breach and turning attention back on Snowden? Such a mystery.
Email I received from the ACLU this morning. Timely!
Also attributed to Mr. Snowden – and I love this one:
Saying privacy doesn’t matter to you because you have nothing to hide is like saying freedom of speech doesn’t matter to you because you have nothing to say.
———- Forwarded message ———-
From: Edward Snowden, ACLU Action <email@example.com>
Date: Fri, Jun 5, 2015 at 7:47 AM
Subject: Simple truths
Today is the two year anniversary of the first of Edward Snowden’s revelations about the NSA’s mass surveillance programs. And on Tuesday, the Senate overwhelmingly passed the USA Freedom Act – a bill that limited mass surveillance under Section 215 of the Patriot Act and other authorities.
While the USA Freedom Act is a start, no one should mistake it for comprehensive reform – it leaves many of the government’s most intrusive surveillance powers untouched, and it leaves disclosure and transparency loopholes.
Two years ago today, in a Hong Kong hotel room, three journalists and I waited nervously to see how the world would react to the revelation that the National Security Agency had been collecting records of nearly every phone call in the United States.
Though we have come a long way, the right to privacy remains under attack.
Last month, the NSA’s invasive call-tracking program was declared unlawful by a federal appeals court in ACLU v. Clapper, and it was disowned by Congress. And, after a White House investigation found that the program never stopped a single terrorist attack, even President Obama ordered it terminated.
This is because of you. This is the power of an informed public.
Ending mass surveillance of private phone calls under the Patriot Act is a historic victory for the rights of every citizen. Yet while we have reformed this one program, many others remain.
We need to push back and challenge the lawmakers who defend these programs. We need to make it clear that a vote in favor of mass surveillance is a vote in favor of illegal and ineffective violations of the right to privacy for all Americans.
As I said on Reddit last month, arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.
We can’t take the right to privacy for granted, just like we can’t take the right to free speech for granted. We can’t let these invasions of our rights stand.
While we worked away in that hotel room in Hong Kong, there were moments when we worried we might have put our lives at risk for nothing – that the public would react with apathy to the publication of evidence that revealed that democratic governments had been collecting and storing billions of intimate records of innocent people.
Never have I been so grateful to have been so wrong.
Edward Snowden for ACLU Action
Read Edward’s Reddit “Ask Me Anything” conversation with the ACLU’s Jameel Jaffer, and check out his op-ed in today’s New York Times – Anthony
We website developers put up with a lot from those security folks. We’re constantly hearing them nag us to do boring things like scrub inputs to prevent SQL injection flaws. Enforce up-to-date encryption standards. Quit putting auth tokens into URLs. All of these things would make our web applications more genuinely secure. None of them, however, is visible to the user as evidence that we Take Security Very Seriously™. What shall we do?
Well, nothing says “Security!” to our users who know nothing about security like passwords. Long, inconvenient, hard-to-remember passwords. Let’s make our password authentication as difficult as possible! Then they will know that we Take Security Very Seriously™!
We’ll require a diverse character set. Their passwords will have to have two capital letters, three lowercase letters, two numerals and a special character. Donald Duck, perhaps? Brad wanted it also to have to include the tears of a virgin, but HR sent us a really nasty email about the test we were going to implement for that.
We’ll not allow passwords shorter than 8 characters, but also no longer than 14 — the DBAs are worried about the space it will require for that. Why aren’t we hashing the passwords? Well, yes, that would make the storage a non-issue, since all we’d ever store for each password is a constant-length hash. But then how will we be able to send users those friendly reminder emails when they forget their passwords, with the password in clear text?
Of course, they won’t be able to use that clear text password to log in, because we have not yet finished demonstrating that we Take Security Very Seriously™! See, now that we’ve made the passwords inhumane, we’re going to fix the front end to be sure that the ONLY way they can enter those inhumane passwords is to type them, one agonizing character at a time. Never mind the users who want to use really random passwords, so they get password managers that load the clipboard or fill in passwords for them. That black magic seems like a hacking tool to us; we won’t allow it. No sir, only human fingers on a keyboard will be permitted here!
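For contrast, here is the boring way the satire above is nudging us toward, as an added example that is not code from the post: hash with PBKDF2 from the Python standard library so the stored record is the same size for any password length (no reason for a 14-character cap), and email a one-time reset token instead of a cleartext password. The iteration count, record format and token scheme are my assumptions, not anything the post specifies.

```python
import hashlib
import hmac
import os
import secrets
from typing import Tuple

# Added example, not code from the post. The stored record has the same
# length whether the password is 8 or 800 characters, and no cleartext is
# ever kept, so there is nothing to put in a "friendly reminder" email.
ITERATIONS = 600_000   # work factor; an assumption in line with current OWASP guidance
SALT_BYTES = 16

def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(SALT_BYTES)                 # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def stored_length(password: str) -> int:
    """Size of the database record for a password: constant, so no length cap is needed."""
    return len(hash_password(password))

def issue_reset_token() -> Tuple[str, str]:
    """What to email instead of the password: a one-time random token.
    Returns (token to send, hash to store server-side with an expiry)."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()

def reset_token_matches(token: str, stored_hash: str) -> bool:
    """Check a presented token against the stored hash in constant time."""
    return hmac.compare_digest(hashlib.sha256(token.encode("ascii")).hexdigest(), stored_hash)
```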
When the FBI or some other government agency comes a-calling at any custodian of your private information, from Google or Yahoo! to the local public library, they bring something called a National Security Letter (NSL). This not only serves as a warrant for the information they seek, but it also includes a gag order — the institution is not permitted to disclose that they have been served, or what information they handed over.
But companies are fighting back, in a passive-aggressive way (don’t worry, this time it’s a good thing). As detailed in this article on ZDNet, companies have realized that post-Snowden, customer trust in protection of their data is quite important. And so many of them are implementing what is called a “warrant canary.” The name derives from the old practice of taking a canary down with coal miners, so that if gases start to accumulate the more-sensitive canary would die and hopefully give the miners sufficient warning to escape the local buildup of carbon monoxide or similar.
Low-tech warrant canary
A warrant canary is a statement that a company makes proactively that they have not received a demand for data — and silence — bundled into an NSL. Then, we in the public watch for the statement to go away. It can be a line in the text of a webpage, or a periodic statement perhaps in a quarterly report for a public corporation. It can also be a sign on a bulletin board as in the picture to the left.
Legal scholars wonder whether the NSL’s gag order can also be interpreted to require the subject organization to actively lie to the public, and continue to say, “no, they have not been here.” Moxie Marlinspike has stated his opinion that removing a warrant canary would “likely have the same legal consequences as simply posting something that explicitly says you’ve received something.”
But the Electronic Frontier Foundation (EFF) believes that a law specifically outlawing this practice would be required, and there is no such thing on the books as of now. So they have established a website, Canary Watch, that maintains a list of existing canaries and monitors them for changes.
ZDNet quotes EFF staff attorney Mark Rumold as saying, “No court has ever publicly addressed the issue,” and that it would be “unprecedented” for the government to force a company to keep that warrant canary in place. “I’m skeptical it would ever happen….”
Once a company has been served with a gag order, though, it’s too late. Verizon was forced to comply with a Section 215 order for phone records data of every one of its customers. And Twitter is suing the Justice Department, aiming to settle whether or not warrant canaries are protected under the First Amendment right to free speech.
Visit Canary Watch for more on this. I check it a couple times a week.
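The watching that Canary Watch does can be sketched in a few lines. This is an added example, not Canary Watch’s code: it finds a canary sentence in a page’s text and reports when the sentence disappears, goes stale, or is reworded, while a routine re-dating passes. The sentence pattern, the 92-day refresh period and the sample pages are all assumptions constructed for the example.

```python
import hashlib
import re
from datetime import date, timedelta

# Added example, not Canary Watch's code. Pattern, refresh period and sample
# pages are assumptions made up for this illustration.
CANARY = re.compile(r"As of (\d{4}-\d{2}-\d{2}),? (we have not received[^.]*)\.")
MAX_AGE = timedelta(days=92)   # assumption: the canary is refreshed at least quarterly
TODAY = date(2015, 6, 5)       # constructed "now" for the sample run

def fingerprint(page_text: str) -> str:
    """Hash of the canary wording with the date left out, so a routine
    re-dating does not look like a change but a rewording does."""
    m = CANARY.search(page_text)
    return hashlib.sha256(m.group(2).encode("utf-8")).hexdigest() if m else ""

def check_canary(page_text: str, previous_fp: str, today: date) -> str:
    """Return "missing", "stale", "changed" or "ok"."""
    m = CANARY.search(page_text)
    if m is None:
        return "missing"      # the statement went away: what the public watches for
    if today - date.fromisoformat(m.group(1)) > MAX_AGE:
        return "stale"        # still there, but not refreshed on schedule
    if previous_fp and fingerprint(page_text) != previous_fp:
        return "changed"      # wording altered; a human should read it
    return "ok"

# Constructed sample pages.
PAGE_OK = ("About us. As of 2015-06-01, we have not received any national "
           "security letters or other gagged requests for user data. Contact us.")
PAGE_REFRESHED = PAGE_OK.replace("2015-06-01", "2015-06-04")
PAGE_STALE = PAGE_OK.replace("2015-06-01", "2014-12-31")
PAGE_REWORDED = PAGE_OK.replace("or other gagged requests for user data",
                                "that we are permitted to disclose")
PAGE_GONE = "About us. We love our customers. Contact us."
```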
What price do we pay to play our favorite games? Especially the “free” ones?
Privacy. It’s not that we don’t value it. We do; we treat it as currency. And it’s sobering how lavishly we spend it.
I just sampled the permissions requested by the following apps on my Android phone or tablet:
Unblock Me FREE
Bubble Blast 2
Except for Pandora, a music-streaming service, all are free games. Some support in-game purchases but I am disregarding that.
Here are the permissions they require, in aggregate:
access Bluetooth settings
add or modify calendar events and send email to guests without owners’ knowledge *
approximate location (network-based)
change network connectivity
change your audio settings
connect and disconnect from Wi-Fi
find accounts on the device
full network access
modify or delete the contents of your USB storage
pair with Bluetooth devices
precise location (GPS and network-based)
prevent device from sleeping
read call log
read Google service configuration
read phone status and identity
read sync settings
read sync statistics
read the contents of your USB storage
read your contacts
receive data from Internet
retrieve running apps
run at startup
toggle sync on and off
use accounts on the device
view network connections
view Wi-Fi connections
* – I uninstalled the one that needs to be allowed to do that. ~~shudder~~
For some of these games, some of these permissions make sense. Obvious example: Ingress is simply not going to “do what it says on the tin” if it cannot know your exact location. On the other hand, what the heck does a simple cutting-puzzle game like Slice It! need with my phone’s call history?
Not to mention, the fact that a given permission seems aligned with the game’s function does not mean that is the only use to which that info is being put. Imagine if all of the information in the listing above were being compiled in one building. We’d think that was the NSA and we were on some terror watch-list.
I’m not saying, don’t play free games. Or even don’t use a smartphone, which really has all the same issues. I’m saying, be aware of what you’re paying for those things.