The Guardian and Washington Post win Pulitzer

From The Guardian:

The Pulitzer Prize for public service was awarded Monday to The Washington Post and The Guardian, which broke the story of National Security Agency surveillance programs leaked by Edward Snowden.

In giving U.S. journalism’s top prize to the Guardian and the Post, the Pulitzer committee delivered support for Snowden and Glenn Greenwald, the former Guardian journalist most associated with the story, while offering a rebuke of the government.

Obama allows NSA to keep security “backdoors” open

According to the New York Times, Obama has specifically allowed the NSA to keep Internet “backdoors” open so the agency can exploit them, without the disclosure to outsiders that could reduce the risk to everyone. Such security holes are often referred to as “0-days,” in that they are not known to software companies. The White House tries to downplay the dangers and costs of such an approach by claiming that it will generally try to disclose them.

. . . elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.

Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.

“This process is biased toward responsibly disclosing such vulnerabilities,” she said.

This is a total outrage. The NSA is supposed to protect Americans. It is not supposed to destroy the Internet or allow it to be destroyed.

The NSA knew about Heartbleed (updated)

According to Bloomberg, the NSA has known about the Heartbleed bug that destroys encrypted Internet communications for about 2 years and the NSA has exploited the bug. The NSA never reported that it knew about the problem because it doesn’t give a damn about users, including US citizens that it is supposed to be protecting. The biggest security problem ever, and the NSA stayed mum despite its knowledge.

Update: The New York Times is reporting that the Obama administration and the NSA are denying the government knew about the Heartbleed security hole.

. . . Caitlin Hayden, the spokeswoman for the National Security Council, said in a statement: “Reports that N.S.A. or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The federal government was not aware of the recently identified vulnerability in OpenSSL” — the freely available encryption methodology — “until it was made public in a private sector cybersecurity report.”

In my view, this story is not over yet. It would be quite interesting if Glenn Greenwald and the other reporters who have access to the Edward Snowden documents would search the files to see if there is any evidence that the NSA accessed problems with OpenSSL.

Surveillance state quote of the day

. . . the flip side of representation is surveillance: by 1851, the French political theorist Pierre-Joseph Proudhon could observe that “to be governed is to be noted, registered, enumerated, accounted for, stamped, measured, classified, audited, patented, licensed, authorized, endorsed, reprimanded, prevented, reformed, rectified, and corrected, in every operation, every transaction, every movement.”

Kathryn Schulz, writing in The New Yorker.

ACLU launches NSA documents database

This is a real service to the country. The ACLU has launched a new public database that tracks all the available (i.e., released) leaked NSA documents.

This tool will be an up-to-date, complete collection of previously secret NSA documents made public since last June. The database is designed to be easily searchable – by title, category, or content – so that the public, researchers, and journalists can readily home in on the information they are looking for.

More details here and the database itself can be accessed here.

Snowden wins prize for disclosures

Via The New York Times:

The Ridenhour prize for truth-telling will be given to Edward J. Snowden and Laura Poitras, the filmmaker and journalist who helped Mr. Snowden disclose his trove of documents on government surveillance.

The award, named for the Vietnam veteran who helped expose the My Lai massacre and later became an investigative journalist, is expected to be announced on Monday morning. It’s the latest honor for the reporting based on the top-secret material leaked by Mr. Snowden, who was a contractor for the National Security Agency.

* * *

The Ridenhour Prizes, established by the Nation Institute and the Fertel Foundation in honor of the veteran and journalist Ronald L. Ridenhour, who died in 1998, have been given to a range of government critics. In 2011, before the Snowden disclosures, Thomas Drake, a former N.S.A. official accused of leaking classified information, was given the truth-telling prize.

Clapper reveals (part of) the truth

James Clapper, Director of National Intelligence, in response to a question from Sen. Ron Wyden (D-Ore), seems to have admitted that the NSA has read the content of communications of United States citizens without warrants of any kind, notwithstanding previous denials. Here is what he said:

There have been queries, using U.S. person identifiers, of communications lawfully acquired to obtain foreign intelligence by targeting non-U.S. persons reasonably believed to be located outside the U.S. pursuant to Section 702 of FISA.

Here is the response from Wyden and Sen. Mark Udall, which pulls no punches:

Senior officials have sometimes suggested that government agencies do not deliberately read Americans’ emails, monitor their online activity or listen to their phone calls without a warrant. However, the facts show that those suggestions were misleading, and that intelligence agencies have indeed conducted warrantless searches for Americans’ communications using the ‘back-door search’ loophole in section 702 of the Foreign Intelligence Surveillance Act. Today’s admission by the Director of National Intelligence is further proof that meaningful surveillance reform must include closing the back-door searches loophole and requiring the intelligence community to show probable cause before deliberately searching through data collected under section 702 to find the communications of individual Americans.

More at Roll Call.

Surveillance state quote of the day

I find it ironic that the first African-American president has without compunction allowed this vast exercise of raw power by the N.S.A.,

Certainly J. Edgar Hoover’s illegal spying on Martin Luther King and others in the civil rights movement should give us all pause. Now if President Obama were here, he would say he’s not J. Edgar Hoover, which is certainly true. But power must be restrained because no one knows who will next hold that power.

Rand Paul, speaking at UC, Berkeley, of all places.

Surveillance state quote of the day

The need for another thorough, independent, and public congressional investigation of intelligence activity practices that affect the rights of Americans is apparent. There is a crisis of public confidence. Misleading statements by agency officials to Congress, the courts, and the public have undermined public trust in the intelligence community and in the capacity for the branches of government to provide meaningful oversight.

The scale of domestic communications surveillance the NSA engages in today dwarfs the programs revealed by the Church Committee. Indeed, 30 years ago, the NSA’s surveillance practices raised similar concerns as those today.

– From a public letter written by former members and staff of the Church committee, which investigated abuses by the NSA in the 1970s.

Non-denial denials at the NSA

I have called out several incidents (like this one) where the NSA offers what appear to be denials of wrongdoing, but which are actually non-denial denials filled with Orwellian double-speak. The latest example was the NSA’s denial last week of claims that it was effectively pretending to be Facebook to insert malware in users’ systems, and that it had the capability to insert malware into “millions” of computers. My reaction was that anyone could look at the NSA documents released at The Intercept and see that their non-denial denial was undercut by the NSA’s own words and claims.

The Intercept has now released a follow-up piece citing, chapter and verse, the untruthfulness of the latest NSA denial, in the NSA’s own words. Worth a full read.

Surveillance state quote of the day (updated)

The US government should be the champion for the internet, not a threat. They need to be much more transparent about what they’re doing, or otherwise people will believe the worst.

– Mark Zuckerberg, Facebook Founder and CEO, via re/code. Zuckerberg’s full statement, including his call to the President, is here.

Update: The NSA has issued a statement in response.

NSA PAO Statement – 13 Mar 2014
Statement in Response to Press Allegations

Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which the capability must be employed.

NSA’s authorities require that its foreign intelligence operations support valid national security requirements, protect the legitimate privacy interests of all persons, and be as tailored as feasible. NSA does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any user of global Internet services without appropriate legal authority. Reports of indiscriminate computer exploitation operations are simply false.

Of course, they deny all wrongdoing and provide their boilerplate statements that they comply with all laws and oversight. And, of course, they deny “indiscriminate computer exploitation,” but their own documents claim such capability and activity. For example, check out the following via The Intercept:

In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.

And the New York Times reports the following:

A White House spokeswoman confirmed that the president spoke with Mr. Zuckerberg on Wednesday night but declined further comment beyond the N.S.A.’s statement.

NSA operates massive malware injection program

Here is the latest from The Intercept. It describes a massive program operated by the NSA and its partners to implant malware on computers around the world.

Excerpt:

Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.

The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.

The covert infrastructure that supports the hacking efforts operates from the agency’s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.

In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer’s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.

The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”