The 912 Project-Nebraska Message Board › Big Brother

Big Brother

Richard E.
Conservative_Vet
Plattsmouth, NE
Post #: 1,331
NSA collected thousands of emails from Americans, rebuked by court
Published August 21, 2013
FoxNews.com

The National Security Agency was rebuked by a secret court in 2011 for collecting thousands of emails and other online details from Americans with no ties to terrorism, according to court opinions which were declassified for the first time on Wednesday.

The Office of the Director of National Intelligence took the unusual step of declassifying more than 100 pages of documents, amid the escalating public debate about government surveillance programs. The release comes several days after a report showed that the NSA had violated privacy rules and overstepped its authority thousands of times.

Some of those incidents were minor, but the documents released Wednesday detail major compliance problems.

In 2011, the Foreign Intelligence Surveillance Court was notified of a problem involving "upstream collection," which is the collection of Internet traffic outside of the service providers. The NSA was collecting bundled email communications under a provision which focuses on foreign Internet traffic. The NSA, though, was not effectively segregating all the traffic from Americans.

The court rebuked the NSA for the violation.

"For the first time the government has now advised the Court that the volume and nature of the information it has been collecting is fundamentally different from what the court had been led to believe," John D. Bates, a judge on the surveillance court, said in October 2011.

The NSA reported the problems it discovered in how it was gathering Internet communications to the court and shortly thereafter to Congress in the fall of 2011.

Three senior U.S. intelligence officials said Wednesday that the NSA realized that when it was gathering up bundled Internet communications from fiber optic cables, with the cooperation of telecommunications providers like AT&T, it was often collecting thousands of emails or other Internet transactions by Americans who had no connection to the intended terror target being tracked.

The documents show the NSA scooped up as many as 56,000 emails and other communications by Americans with no connection to terrorism annually over three years.

While the NSA is allowed to keep the metadata -- the address or phone number and the duration, but not the content, of the communication -- of Americans for up to five years, the court ruled that when it gathered up such large packets of information, they included actual emails between American citizens, and it violated the Constitution's ban against unauthorized search and seizure.

For instance, two senior intelligence officials said, when an American logged into an email server and looked at the emails in his or her inbox, that screen shot of the emails could be collected, together with Internet transactions by a terrorist suspect being targeted by the NSA -- because that suspect's communications were being sent on the same fiber optic cable by the same Internet provider, in a bundled packet of data.

The NSA then worked with Congress and the court to correct the problem but ultimately decided it could not salvage the data it collected. It was purged in 2012.

Fox News reviewed the documents along with several other news agencies before their release on Wednesday. Based on the documents, at least 75 million Internet communications were purged.

The NSA claims the problem was technical in nature because the pulling of Internet traffic is automated.

The NSA disclosed that it gathers some 250 million Internet communications each year, with some 9 percent from these "upstream" channels, amounting to between 20 million to 25 million emails a year.

Under court order, the NSA resolved the problem by creating new ways to detect when emails by people within the U.S. were being intercepted, and separated those batches of communications. It also developed new ways to limit how that data could be accessed or used. The agency also agreed to only keep these bundled communications for possible later analysis for a two-year period, instead of the usual five-year retention period.

The newly released court opinions revealed the court signed off on the new procedures, deeming them constitutionally acceptable.

The Wall Street Journal, meanwhile, reported on Wednesday that NSA surveillance programs have the potential to reach 75 percent of U.S. Internet traffic.

The agency maintains it is protecting privacy rights.

The latest documents were released in response to President Obama's directive for the NSA to be more transparent, according to senior intelligence officials. It also seemed designed to answer growing criticism that the NSA oversight is inadequate by the surveillance court, and its own internal reporting systems are lacking.
Richard E.
Conservative_Vet
Plattsmouth, NE
Post #: 1,332
Report: NSA pays tech companies for data
Published August 24, 2013
The Wall Street Journal

The National Security Agency has paid millions of dollars to reimburse technology firms for complying with requests for user data, according to documents from former NSA contractor Edward Snowden shared with the Guardian newspaper.

Microsoft, Google, Yahoo and Facebook all supply user data to the NSA based on secret orders from the Foreign Intelligence Surveillance Court under a program known as Prism. Although U.S. law mandates compliance, the government usually helps pay for it.

U.S. law allows firms to seek reimbursement for complying with law enforcement records requests. U.S. telecommunications companies have been reimbursed for giving the government data related to U.S. phone calls and Internet traffic, former intelligence officials say. Silicon Valley is no different when they hand over data on users’ social media accounts, according to the latest Snowden documents.

The document, an NSA newsletter dated December 2012, says that the tech companies faced extensive costs for meeting new certification demands following a secret court ruling. The Obama administration Wednesday declassified the October 2011 ruling, which found the agency violated the Constitution for three years by collecting tens of thousands of domestic communications without adequate privacy protections.

“Last year’s problems resulted in multiple extensions to the certifications’ expiration dates which cost millions of dollars for Prism providers to implement each successive extension – costs covered by Special Source Operations,” the document says, referring to a division of the NSA.

The NSA declined to comment.

Earlier this year, Microsoft acknowledged that it charges law enforcement for passing on data. “Microsoft only complies with court orders because it is legally ordered to, not because it is reimbursed for the work,” the company said in a statement Friday.

A Yahoo spokeswoman referred questions to its Friday comment in the Guardian. “Federal law requires the US government to reimburse providers for costs incurred to respond to compulsory legal process imposed by the government,” the company told the newspaper. “We have requested reimbursement consistent with this law.”
Richard E.
Conservative_Vet
Plattsmouth, NE
Post #: 1,334
Feds tell Web firms to turn over user account passwords

Secret demands mark escalation in Internet surveillance by the federal government through gaining access to user passwords, which are typically stored in encrypted form.
by Declan McCullagh
July 25, 2013 11:26 AM PDT

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has "never" turned over a user's encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. "We take the privacy and security of our users very seriously," the spokesperson said.

A Yahoo spokeswoman would not say whether the company had received such requests. The spokeswoman said: "If we receive a request from law enforcement for a user's password, we deny such requests on the grounds that they would allow overly broad access to our users' private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law."

Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them.

Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn't recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, "we don't get a high volume" of U.S. government demands.

The FBI declined to comment.

Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader. "The authority of the government is essentially limitless" under that law, Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence committee, said at a Washington event this week.

Large Internet companies have resisted the government's requests by arguing that "you don't have the right to operate the account as a person," according to a person familiar with the issue. "I don't know what happens when the government goes to smaller providers and demands user passwords," the person said.

An attorney who represents Internet companies said he has not fielded government password requests, but "we've certainly had reset requests -- if you have the device in your possession, then a password reset is the easier way."

Richard E.
Conservative_Vet
Plattsmouth, NE
Post #: 1,335
continued:

Cracking the codes
Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user's original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.

Algorithms, known as hash functions, that are viewed as suitable for scrambling stored passwords are designed to be difficult to reverse. One popular hash function called MD5, for instance, transforms the phrase "National Security Agency" into this string of seemingly random characters: 84bd1c27b26f7be85b2742817bb8d43b. Computer scientists believe that, if a hash function is well-designed, the original phrase cannot be derived from the output.

But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes.

The best practice among Silicon Valley companies is to adopt far slower hash algorithms -- designed to take a large fraction of a second to scramble a password -- that have been intentionally crafted to make it more difficult and expensive for the NSA and other attackers to test every possible combination.

One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper (PDF) by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.

But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion.

As computers have become more powerful, the cost of cracking bcrypt passwords has decreased. "I'd say as a rough ballpark, the current cost would be around 1/20th of the numbers I have in my paper," said Percival, who founded a company called Tarsnap Backup, which offers "online backups for the truly paranoid." Percival added that a government agency would likely use ASICs -- application-specific integrated circuits -- for password cracking because it's "the most cost-efficient -- at large scale -- approach."

While developing Tarsnap, Percival devised an algorithm called scrypt, which he estimates can make the "cost of a hardware brute-force attack" against a hashed password as much as 4,000 times greater than bcrypt.

Bcrypt was introduced (PDF) at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google's infrastructure group, and David Mazières, an associate professor of computer science at Stanford University.

With the computers available today, "bcrypt won't pipeline very well in hardware," Mazières said, so it would "still be very expensive to do widespread cracking."

Even if "the NSA is asking for access to hashed bcrypt passwords," Mazières said, "that doesn't necessarily mean they are cracking them." Easier approaches, he said, include an order to extract them from the server or network when the user logs in -- which has been done before -- or installing a keylogger at the client.

Questions of law
Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I don't know."

Granick said she's not aware of any precedent for an Internet company "to provide passwords, encrypted or otherwise, or password algorithms to the government -- for the government to crack passwords and use them unsupervised." If the password will be used to log in to the account, she said, that's "prospective surveillance," which would require a wiretap order or Foreign Intelligence Surveillance Act order.

If the government can subsequently determine the password, "there's a concern that the provider is enabling unauthorized access to the user's account if they do that," Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.

Orin Kerr, a law professor at George Washington University and a former federal prosecutor, disagrees. First, he said, "impersonating someone is legal" for police to do as long as they do so under court supervision through the Wiretap Act.

Second, Kerr said, the possibility that passwords could be used to log into users' accounts is not sufficient legal grounds for a Web provider to refuse to divulge them. "I don't know how it would violate the Wiretap Act to get information lawfully only on the ground that the information might be used to commit a Wiretap violation," he said.

The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.

The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors' demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man "could not be compelled to decrypt the drives."

In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.

Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation -- and don't address when a hashed password is stored on the servers of a company that's an innocent third party.

"If you can figure out someone's password, you have the ability to reuse the account," which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.
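The hashing and cracking-cost arithmetic described in the article above, as an added example that is not part of the original post or of the article's sources. It contrasts a fast unsalted MD5 with a deliberately slow, per-user-salted hash and shows how a salt, a slow algorithm, password length and alphabet size each change the guessing work. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (an assumption made so the code runs without third-party packages), the iteration count of 200,000 is chosen for illustration, and the 348 billion guesses per second figure is the GPU rate the article quotes.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def fast_hash(password: str) -> str:
    """Unsalted MD5: the cheap storage format the article warns about."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Assumed cost parameter for the slow hash; real deployments tune this so
# one evaluation takes a noticeable fraction of a second on their hardware.
ITERATIONS = 200_000


def make_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per password means two users with the same password
    get different records, so a precomputed table is useless against them.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly `length` over the alphabet."""
    return alphabet_size ** length


def expected_seconds(length: int, alphabet_size: int,
                     guesses_per_second: float) -> float:
    """Average time to reach the right guess: half the keyspace at this rate."""
    return keyspace(length, alphabet_size) / 2 / guesses_per_second


def slowed_rate(fast_rate: float, cost_factor: int) -> float:
    """Effective guess rate when each guess costs `cost_factor` hash evaluations."""
    return fast_rate / cost_factor


if __name__ == "__main__":
    # The article's own illustration of a one-way hash.
    print("md5('National Security Agency') =", fast_hash("National Security Agency"))

    # Same password, two salted records, two different digests.
    rec_a = make_salted_hash("correct horse")
    rec_b = make_salted_hash("correct horse")
    print("records differ:", rec_a != rec_b, "| both verify:",
          verify("correct horse", rec_a) and verify("correct horse", rec_b))

    # Constructed cost comparison using the article's 348e9 guesses/s figure.
    gpu_rate = 348e9
    for length, alphabet, label in [(8, 26, "8 lowercase letters"),
                                    (8, 95, "8 printable ASCII"),
                                    (10, 95, "10 printable ASCII")]:
        fast = expected_seconds(length, alphabet, gpu_rate)
        slow = expected_seconds(length, alphabet, slowed_rate(gpu_rate, ITERATIONS))
        print(f"{label:20s} fast hash: {fast:12.1f} s   slow hash: {slow:14.1f} s")
```

The cost table only scales the work factor; it says nothing about which guesses an attacker tries first, which is why the article's point about length and character variety still matters even with a slow hash. The `verify` function also illustrates the storage convention that lets a site raise the iteration count later without invalidating old records.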

Richard E.
Conservative_Vet
Plattsmouth, NE
Post #: 1,339
MikeatWired writes:
"It wasn't ever seriously in doubt, but the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors. Freedom Hosting's operator, Eric Eoin Marques, had rented the servers from an unnamed commercial hosting provider in France, and paid for them from a bank account in Las Vegas. It's not clear how the FBI took over the servers in late July, but the bureau was temporarily thwarted when Marques somehow regained access and changed the passwords, briefly locking out the FBI until it gained back control. The new details emerged in local press reports from a Thursday bail hearing in Dublin, Ireland, where Marques, 28, is fighting extradition to America on charges that Freedom Hosting facilitated child pornography on a massive scale. He was denied bail today for the second time since his arrest in July. On August 4, all the sites hosted by Freedom Hosting — some with no connection to child porn — began serving an error message with hidden code embedded in the page. Security researchers dissected the code and found it exploited a security hole in Firefox to identify users of the Tor Browser Bundle, reporting back to a mysterious server in Northern Virginia. The FBI was the obvious suspect, but declined to comment on the incident. The FBI also didn't respond to inquiries from WIRED today. But FBI Supervisory Special Agent Brooke Donahue was more forthcoming when he appeared in the Irish court yesterday to bolster the case for keeping Marques behind bars."
Richard E.
Conservative_Vet
Plattsmouth, NE
Post #: 1,344
Dianne Feinstein Accidentally Confirms That NSA Tapped The Internet Backbone

Mike Masnick
TechDirt
September 28, 2013

It’s widely known that the NSA has taps connected to the various telco networks, thanks in large part to AT&T employee Mark Klein who blew the whistle on AT&T’s secret NSA room in San Francisco. What was unclear was exactly what kind of access the NSA had. Various groups like the EFF and CDT have both been asking the administration to finally come clean, in the name of transparency, if they’re tapping backbone networks to snarf up internet communications like email. So far, the administration has declined to elaborate. Back in August, when the FISA court declassified its ruling about NSA violations, the third footnote, though heavily redacted, did briefly discuss this “upstream” capability:

In short, “upstream” capabilities are tapping the backbone itself, via the willing assistance of the telcos (who still have remained mostly silent on all of this) as opposed to “downstream” collection, which requires going to the internet companies directly. The internet companies have been much more resistant to government attempts to get access to their accounts. And thus, it’s a big question as to what exactly the NSA can collect via its taps on the internet backbone, and the NSA and its defenders have tried to remain silent on this point, as you can see from the redactions above.

However, as Kevin Bankston notes, during Thursday’s Senate Intelligence Committee hearing, Dianne Feinstein more or less admitted that they get emails via “upstream” collection methods. As you can see in the following clip, Feinstein interrupts a discussion to read a prepared “rebuttal” to a point being made, and in doing so clearly says that the NSA can get emails via upstream collections:

Upstream collection… occurs when NSA obtains internet communications, such as e-mails, from certain US companies that operate the Internet background, i.e., the companies that own and operate the domestic telecommunications lines over which internet traffic flows.

She clearly means “backbone” rather than “background.” She’s discussing this in an attempt to defend the NSA’s “accidental” collection of information it shouldn’t have had. But that point is not that important. Instead, the important point is that she’s now admitted what most people suspected, but which the administration has totally avoided admitting for many, many years since the revelations made by Mark Klein.

So, despite years of trying to deny that the NSA can collect email and other communications directly from the backbone (rather than from the internet companies themselves), Feinstein appears to have finally let the cat out of the bag, perhaps without realizing it.

Richard E.
Conservative_Vet
Plattsmouth, NE
Post #: 1,345
What you say on Twitter doesn't stay on Twitter
By Richard Chirgwin, 30th September 2013

In the latest round of increasingly-hyperbolic leaks about what spy agencies are doing with data, reports are emerging that the NSA has been graphing connections between American individuals. Moreover, it's using stuff that people publish on their social media timelines to help the case along.

According to this item in the New York Times, the NSA extended its analysis of phone call and e-mail logs in 2010 “to examine Americans' networks of associations for foreign intelligence purposes”, something that was previously prevented because the agency was only allowed to snoop on foreigners.

While great emphasis is given to the use of software to “sophisticated graphs” of the connections between individuals, the latest “Snowden revelation”, for the leaker handed the paper some documents, seems to be more about whether the NSA persuaded its masters that it should be able to feed vast sets of phone and e-mail records into its analysis software without having to “check foreignness” of the individuals covered by a search.

More spooky but less surprising: the NSA seems to have worked out that if punters are already publishing information about themselves on social networks like Facebook or Twitter, it might be able to scoop that information into its databases (and from there into its analysis) without a warrant.

In the outside world, The Register notes that the mass collection and analysis of Twitter information is used by all sorts of people, nearly always without government oversight or warrant, to provide everything from detecting rainfall to earthquakes.

Other so-called “enrichment data” cross-matched by the NSA can include “bank codes, insurance information … passenger manifests, voter registration rolls and GPS location information … property records and unspecified tax data”, some of which may be more troubling since each of these carries different privacy expectations.

A “foreign intelligence justification” is needed for the data collection, and the NYT notes NSA spooks weren't allowed to use any data they could get their hands on:

“Analysts were warned to follow existing “minimization rules,” which prohibit the N.S.A. from sharing with other agencies names and other details of Americans whose communications are collected, unless they are necessary to understand foreign intelligence reports or there is evidence of a crime.”

The project, called Mainway, receives “vast amounts of data … daily from the agency’s fiber-optic cables”, the article states. Which demonstrates that the NSA hasn't yet gotten around to implementing either RFC 1149 or its successor, RFC 2549.

While The Register would not try to minimise the legitimate concern that a vast amount of information can be derived from communications metadata alone, beyond the name of the project, it's hard to see what's new in the latest leak. ®
Richard E.
Conservative_Vet
Plattsmouth, NE
Post #: 1,346

Former Microsoft Privacy Chief Doesn't Trust Company, Uses Open Source Software
timothy posted 6 hours ago | from MojoKid
From Slashdot:

MojoKid writes "Microsoft's onetime Chief Privacy Adviser, Caspar Bowden, has come out with a vote of no-confidence in the company's long-term privacy measures and ability or interest to secure user data in the wake of the NSA's PRISM program. From 2002 — 2011, Bowden was in charge of privacy at Microsoft, and oversaw the company's efforts in that area in more than 40 countries, but claims to have been unaware of the PRISM program's existence while he worked at the company. In the two years since leaving Microsoft, Bowden has ceased carrying a cell phone and become a staunch open source user, claiming that he no longer trusts a program unless he can see the source."
Richard E.
Conservative_Vet
Plattsmouth, NE
Post #: 1,347
I used to joke about the old "saw" about being paranoid. Now it's really true: I'm being constantly watched by forces I formerly trusted. What has happened to this former bastion of freedom?
Richard E.
Conservative_Vet
Plattsmouth, NE
Post #: 1,352
NSA secretly tapped Google, Yahoo data centers worldwide, new report claims
Published October 30, 2013
FoxNews.com

Massive cloud networks from companies like Google and Yahoo cache and serve up much of the data on the Internet -- and the NSA has secretly tapped into the unencrypted links behind those companies’ enormous servers, according to a new report from the Washington Post.

By tapping into that link, the NSA can collect data at will from hundreds of millions of user accounts, the Post reported -- including not just foreign citizens and “metadata” but emails, videos and audio from American citizens.

Operation MUSCULAR, a joint program of the NSA and its British equivalent GCHQ, relies on an unnamed telecommunications provider outside of the U.S. to offer secret access to a cable or switch through which Google and Yahoo pass unencrypted traffic between their servers. The massive servers run by the company are carefully guarded and strictly audited, the companies say; according to Google, buildings housing its servers are guarded around the clock by trained personnel, and secured with heat-sensitive cameras, biometric verification, and more.

Two engineers with close ties to Google exploded in profanity when they saw a drawing of the NSA’s hack revealed by Edward Snowden; the drawing includes a smiley face next to the point at which the agency apparently was able to tap into the world’s data.

“I hope you publish this,” one of them said.

White House officials and the Office of the Director of National Intelligence, which oversees the NSA, declined to confirm, deny or explain why the agency infiltrates Google and Yahoo networks overseas.

However, NSA director Gen. Keith Alexander said Wednesday his agency doesn't access such network servers without a court order, according to Politico.

In a statement, Google said it was “troubled by allegations of the government intercepting traffic between our data centers, and we are not aware of this activity.”

“We have long been concerned about the possibility of this kind of snooping, which is why we continue to extend encryption across more and more Google services and links,” the company said.

At Yahoo, a spokeswoman said: “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”

Obama said in an interview in June "unequivocally" that the NSA cannot and has not listened to the telephone calls nor targeted the e-mails of a U.S. person.