Wednesday, October 30, 2013

MUSCULAR Spasm: Let’s Blame Canada for NSA Surveillance

Back in August, I e-mailed a Guy Who Knows Stuff:

> In order to fudge the legal limitations on collection of strictly intra-US phone calls by US persons, could the US gov ask ATT (which, I expect, has a pretty close working relationship with Bell Canada) to route calls either by number or in bulk to Canada and then back to the USA?  Then the NSA could pick up the traffic on the outbound or inbound end, or the Canadians could rummage through it on our behalf.  Unfortunately, I have no concrete information to back up this brainwave, but it would seem to be a logical way for the NSA to advance its goal of getting all the data.  Any thoughts on this?

And he replied:

Yes.  They could certainly do that.

But then I came across:

David Skillicorn, a professor in the School of Computing at Queen’s University, says this is one piece of the data-sharing relationship "that has always been carefully constructed."

"The Americans will not use Canadians to collect data on U.S. persons, nor will any of the other Five Eyes countries," Skillicorn says.

"In fact, in practice, it’s as if the five countries’ citizens were one large, collective group, and their mutual communications are not intercepted by any in the Five Eyes community."

Poked around a bit, came up empty, didn’t pursue it.

Then, today, courtesy of Barton Gellman at the Washington Post, there’s this, describing an NSA program that circumvents limits on domestic surveillance by intercepting Google and Yahoo! traffic between their data centers through our Anglophone allies/proxies:

The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, GCHQ. From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.

As for that “undisclosed intercept point”, I vote for Canada as the most likely suspect.  North American traffic traverses Canada, gets bundled off to Blighty, and stored for sharing with the NSA.

Naturally, we’re treated to generous descriptions of Google outrage and privacy heroism:

In order to obtain free access to data center traffic, the NSA had to circumvent gold standard security measures. Google “goes to great lengths to protect the data and intellectual property in these centers,” according to one of the company’s blog posts, with tightly audited access controls, heat sensitive cameras, round-the-clock guards and biometric verification of identities.

Google and Yahoo also pay for premium data links, designed to be faster, more reliable and more secure. In recent years, each of them is said to have bought or leased thousands of miles of fiber optic cables for their own exclusive use. They had reason to think, insiders said, that their private, internal networks were safe from prying eyes. 

In an NSA presentation slide on “Google Cloud Exploitation,” however, a sketch shows where the “Public Internet” meets the internal “Google Cloud” where their data resides. In hand-printed letters, the drawing notes that encryption is “added and removed here!” The artist adds a smiley face, a cheeky celebration of victory over Google security. 

Two engineers with close ties to Google exploded in profanity when they saw the drawing. “I hope you publish this,” one of them said. 

Publish what?  Evidence that Google's security is cracked?  Or document Google's hyperbolic anger at NSA transgressions to reassure Google Cloud customers?

If you’re searching for privacy heroes, I think you’d better scratch Google off your list.  Per Gellman:

Last month, long before The Post approached Google to discuss the penetration of its cloud, vice president for security engineering Eric Grosse announced that the company is racing to encrypt the links between its data centers. “It’s an arms race,” he said then. “We see these government agencies as among the most skilled players in this game.”

Google knew, kids.  Get used to it.

Another guy I’m crossing off my personal list together with David Skillicorn is John Schindler, whose tweets, posts, and sneers are a mainstay of defenders of the NSA:

John Schindler, a former NSA chief analyst and frequent defender who teaches at the Naval War College, said it was obvious why the agency would prefer to avoid restrictions where it can.

“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,” he said. “It’s fair to say the rules are less restrictive under Executive Order 12333 than they are under FISA.”

But what about that "honesty" elixir you were peddling to the NSA in that smarmy open letter that appeared the same day Gellman's piece came out?

[H]ey, I’m fine with secrecy in principle – intelligence is conducted in secret by its very nature. But the current crisis has exposed the Agency to scrutiny based on falsehoods proffered by Kremlin-backed scoundrels and their useful idiots among activists masquerading as journalists. Time to beat that back with some honesty, what might seem scarily radical honesty to old SIGINT hands.


Rebrand now while you still can and regain the public’s trust. I’m confident that, once they understand what NSA really does, the vast majority of Americans will be glad the Agency is on watch. 

Good luck with that rebranding, "Dash":

I also think the NSA has platoons of shills and their entire job is figuring out how to stay within the realm of plausible deniability and minimize transparency by exploiting every loophole.  But, given their commitment to suppressing instead of informing public debate about surveillance, I don’t see any reason to trust them or listen to them.  Why anyone would rely on Schindler for objective and honest insight into the scope and implementation of the US surveillance regime is beyond me.

Monday, October 28, 2013

Shinzo Abe: “Japan’s Thatcher” or “The Netanyahu of Asia”?

[Update: According to the Japanese Coast Guard via AFP, the PRC did its bit to escalate tensions by dispatching two Coast Guard vessels to loiter in the territorial waters of the Senkakus for two hours. AFP also added this tidbit concerning Abe's defense posture:

On Sunday, he told troops the "security environment surrounding Japan is becoming increasingly severe".

"You will have to completely rid yourselves of the conventional notion that just the existence of a defence force could act as a deterrent."

Global Times weighed in with a ferocious editorial addressing Abe's remarks to the Wall Street Journal:

Should one drone of China be fired upon, hostility between Beijing and Tokyo will be fully activated and the situation of Northeast Asia will topple like dominoes. The outbreak of a regional war is possible. Although the US' support to Japan is obvious, it's uncertain how the US will interfere. There is too much variance concerning where a China-Japan military clash will go.

China has not been involved in war for a long time but a war looms following Japan's radical provocation. China's comprehensive military power, including the navy, air force and the Second Artillery Force of the PLA, is stronger than Japan's. Once a war breaks out, China will also be able to bear the economic blow better than Japan. 

Since the real game in Asia is economic, not military, hopefully the legendary "cooler heads" will prevail.  PL 10/28/2013]

As far as I can tell, the pundit community is continuing to peg the needle on the obliviousness meter concerning Shinzo Abe’s China posture.

Conventional wisdom: Abe is chugging along with domestic economic reforms while occasionally and not particularly enthusiastically pandering to his nationalist base with chesty responses to relentless Chinese provocations.

What’s really going on: Encouraging tensions with China is an integral element of Abe’s strategy to redefine the role of the Japanese government both domestically and internationally.

Abe welcomes a polarizing environment in Asia, because it allows Japan to position itself as the protector of the smaller Pacific states against the Chinese behemoth.  And I think this has more—a lot more—to do with an attempt to block the extension of PRC trade and investment hegemony in East Asia and aggrandize Japan’s economic role at China’s expense than it does with genuine fears of a Chinese military threat.  But the Chinese military threat must be hyped, since it enables the re-emergence of Japan as a regional military power (and puts some backbone into the anti-China alliance) despite the anxieties of the United States, many nations in the region, and a significant chunk of the Japanese electorate.

Lest you think I’m just acting as a Chinese homer (reflexive Chinese partisan) in this matter, I think China is happily abetting the whole confrontation cycle—because it sees conspicuous Japanese security unilateralism as a wedge between Japan and the United States, and an opportunity to isolate Japan as a disturbing and destabilizing would-be hegemon in the eyes of the United States and the nations of the region, and not a loyal American ally.

With this perspective, let’s consider the latest iteration of this sorry cycle of provocations, per an October 26 BBC report in which Abe does his best to exploit the opportunities for unchallengeable assertions offered by the passive voice, anonymous allies, straw men, hypothetical scenarios, and reflexive international dislike for the PRC (my italics for emphasis):

Japan will stand up to China, says PM Shinzo Abe

Japan's Prime Minister Shinzo Abe says other countries want Japan to adopt a more assertive leadership role in Asia to counter the growing power of China.

Mr Abe told the Wall Street Journal there were "concerns that China was trying to change the status quo by force, rather than by the rule of law".

China said on Saturday that if Japan shot down Chinese drones, this would be considered "an act of war" by Beijing.

The statement was referring to reports that Mr Abe had approved defence plans that envisaged using air force planes to shoot down unmanned Chinese aircraft in Japanese airspace.

In the interview, Mr Abe said he had realised that "Japan is expected to exert leadership not just on the economic front, but also in the field of security in the Asia-Pacific".

He promised policies to counter Japan's waning influence.

Other countries wanted Japan to stand up to China, Mr Abe said without naming any.

"There are concerns that China is attempting to change the status quo by force, rather than by rule of law. But if China opts to take that path, then it won't be able to emerge peacefully," Mr Abe says.

"So it shouldn't take that path, and many nations expect Japan to strongly express that view. And they hope that as a result, China will take responsible action in the international community."

The interview comes days after Mr Abe was reported to have approved defence plans to intercept and shoot down foreign unmanned aircraft that ignore warnings to leave Japanese airspace.

On Saturday, China's defence ministry responded saying: "If Japan does resort to enforcement measures like shooting down aircraft, that is a serious provocation to us, an act of war. 

"We will undertake decisive action to strike back, with every consequence borne by the side that caused the trouble," spokesman Geng Yansheng said on the ministry's website.

And, courtesy of Bloomberg, the beat goes on:

Abe Warns China on Island Spat as Japan Dispatches Jets

Japanese Prime Minister Shinzo Abe warned he wouldn’t permit China to use force to resolve territorial spats, as the renewed presence of Chinese aircraft near disputed islands led its neighbor to dispatch fighter jets.

Japan sent up fighter jets for a third day yesterday after Chinese aircraft flew between its southern islands without entering Japanese airspace, the Self-Defense Forces said on their website.  [emphasis added]

Since the Obama administration is quietly displeased with Japan’s display of initiative (which seems to be slighting US security and diplomatic leadership while presuming the US military might will remain on tap if Japan gets in over its head), maybe Abe will be reframed in the Western media as the “Netanyahu of Asia”—a tireless but self-interested and increasingly distrusted fomenter of regional destabilization—rather than “Japan’s Thatcher” as a recent profile chose to style him.

Sunday, October 27, 2013

Article in CounterPunch Magazine on NSA Encryption Follies

Also, Snowden Derangement Syndrome and Angela Merkel’s Phone

I have an article in the current subscription-only CounterPunch magazine on the NSA encryption follies.  

The takeaway from the article is that, thanks to fiddling by the NSA and its corporate partners, Internet security is a jury-rigged omnishambles.  It’s as if the National Transportation Safety Board, with the garages and auto parts suppliers playing along, had undermined the safety standards for brakes and facilitated the insertion of multiple points of failure in the braking system, and then encouraged everybody to drive down the Information Superhighway at 120 miles per hour in order to give more business to the auto repair industry.

With the powers vested in me by the Internet, I command everyone to subscribe…now!  Here’s the link.

The piece has a different take on the NSA’s surveillance excesses than what readers are probably accustomed to.

Edward Snowden’s core concern, and the basis of a lot of the coverage, is anxiety over the massive scope of NSA surveillance.  It looks like the US government never abandoned the goal of Total Information Awareness, articulated during the George W. Bush era by John Poindexter, and simply decided to implement it clandestinely.  NSA wants it all: metadata, unencrypted data, encrypted data, the correlations, whatever.  

Even for those of us who have “nothing to hide and nothing to fear” a.k.a. nobody, this raises the specter of the Panopticon state, where the hidden eye may be everywhere and anywhere, and the subject is pre-emptively cowed into compliance by the fear of being observed.

I have to admit I already feel that way, to a degree.  I look at the computer on my desk and see it as a window in—to me—as well as a window out onto the WWW.

Not just for the US government which, quite frankly, I don’t think devotes a lot of time to worrying about me.  Also for Google.  For instance, the web ads aren’t mass advertising like TV commercials; they are targeted ads based on my Google searches.  Instead of telling me what’s out there, they are trying to get inside me and push my buy buttons based on what they think is in there.  Instead of surfing the web, I’m getting enmeshed in my personalized web of preconceptions and plans, spun courtesy of Google, Facebook, etc.  And for botnets.  I assume I’ve got one.  Maybe just one.  I hope so.  Recently, the FBI and Microsoft took down a botnet infecting 2 million computers.  I look at my computer as a device on loan to me from the botnet when it isn’t using the CPU cycles for its own nefarious ends.

The NSA and the US IT industry have a shared interest in exploiting me as a data asset.  The information, services, and connectivity benefits of the Internet are just the honey pot that lures us in.  Just like newspapers and magazines are advertising circulars with just enough journalism and entertainment to get us to crack open the pages.

If we want to restore our digital privacy, it’s going to take a new network: new hardware, new software, new protocols, and billions of dollars (without any government and corporate subvention!).

Good luck with that.

Short of that, enhanced transparency and accountability from the entities degrading the security functionality of the Internet might help.

It looks like the only way we’re going to get that is via whistleblowers.

When the Edward Snowden revelations hit, my first reaction was Wow.  Somebody’s really stuck it to the Man.

However, on some liberal and conservative sections of the Intertubes, something that I call Snowden Derangement Syndrome erupted.  It was as if Snowden had posted dirty pictures of him having sex with mom.  Some seemed to take the position of Don’t you understand?  We’re the Man.  Edward Snowden is sticking it to us!

Well, my general take is that Edward Snowden is a whistleblower, not a spy.  It’s not my job to help the Man sideline, discredit, silence, or incarcerate whistleblowers in order to make His job easier.

Of course, there has been a persistent bubbling of efforts to discredit Snowden along the lines of naif/narcissist/traitor.  Things quieted down when the carefully managed revelations of NSA domestic surveillance undercut the Snowden as hysterical dingbat narrative, but hotted up again with the reports on US spying on allies.  You know, hurts American interests, old news, everybody does it and, in Mike Rogers’ iteration, Europe should be grateful because Nobody Does It Better than the US of A.

These people obviously lost the Lord Acton memo about the corrupting nature of power—including the power bestowed on the NSA by an open-ended and generously funded mandate, secrecy, and sufficient legal impunity to initiate and perpetuate massive, compounded clusterfucks beyond the reach of congressional oversight.

Consider this revelation about the bugging of Angela Merkel’s phone:

The Economic Times writes the “high-ranking” NSA official spoke to Bild am Sonntag on the condition of anonymity, saying the president, “not only did not stop the operation, but he also ordered it to continue.”

The Economic Times also reports the official told Bild am Sonntag that Obama did not trust Merkel, wanted to know everything about her, and thus ordered the NSA to prepare a dossier on the politician.

I don’t think that’s Edward Snowden talking.  Maybe it’s the Acela Babbler, Michael Hayden, passing on third-hand tittle-tattle.  Maybe Keith Alexander is sticking the boot in as he stomps off into retirement.  

In any case, that high level gossip, my friends, is probably more damaging to US diplomacy than the Snowden revelations, and also an indication of the culture of impunity and malice that seems to permeate the upper levels of the NSA and is now directed at President Obama for his equivocal defense of the agency.

Angela Merkel is probably seriously pissed that the NSA tapped her phone--and is bragging about it.  In July, Merkel, an East German native who has tried to draw a clear, bright line between the security excesses of East Germany and practices in the West, had defended NSA surveillance as qualitatively different from the Stasi since the NSA was interested in protecting American security.  By that reading, Merkel has been considered a security risk for over a decade.

The revelation has done Germany the favor of alerting it to the fact that its communications security technology—in which it has reposed a high level of confidence—has been compromised.

As discussed in this article from Spiegel, German government communications were supposedly protected by world-class non-USA encryption and security products delivered by ex-Stasi technicians rolled into a company called Rohde & Schwarz.  The implication of the bugging of Merkel’s phone is that the US government has suborned and compromised Germany’s own data security apparatus.  Since Rohde & Schwarz is also a NATO supplier, perhaps the prospect of NATO contracts might have enticed them to hand over the goodies.  Or maybe the NSA hacked and fiddled its way in without corporate assistance from R&S.

For whatever reason, one can speculate that the NSA has done as good a job of fucking up German and NATO secure communications as it has done with overall Internet security.