Cyber security items.....
One of the official webpages for the widely used TrueCrypt encryption program says that development has abruptly ended and warns users of the decade-old tool that it isn't safe to use.
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," text in red at the top of the TrueCrypt page on SourceForge states. The page continues: "This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."
The advisory, which Ars couldn't immediately confirm was authentic, touched off a tsunami of comments on Twitter and other social media sites. For more than a decade, the open source and freely available TrueCrypt has been the program of choice of many security-minded people for encrypting sensitive files and even entire hard drives. Last year, amid revelations that the NSA can decode large swaths of the Internet's encrypted data, supporters ponied up large sums of money to audit TrueCrypt. Results from phase one of the audit released last month revealed no evidence of any backdoors. Additional audits were pending.
Matthew Green, a professor specializing in cryptography at Johns Hopkins University and one of the people who spearheaded the TrueCrypt audit, told Ars he had no advance notice of the announcement. He said the announcement appears to be authentic, an observation he repeated on Twitter. He told Ars he has privately contacted the largely secretive TrueCrypt developers in an attempt to confirm the site or get more details.
The SourceForge page, which was delivered to people trying to view truecrypt.org pages, contained a new version of the program that, according to this "diff" analysis, appears to contain changes warning that the program isn't safe to use. Curiously, the new release also appeared to let users decrypt encrypted data but not create new volumes.
Significantly, TrueCrypt version 7.2 was certified with the official TrueCrypt private signing key, suggesting that the page warning that TrueCrypt isn't safe wasn't a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn't squander that hack with a prank. Alternatively, the post suggests that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers.
In either case, it's a good idea for TrueCrypt users to pay attention and realize that it may be necessary to move to a new crypto app. Ars will continue to cover this unfolding story as more information becomes available.
Cisco purchase of CIA-funded company may fuel distrust abroad
Few are talking about In-Q-Tel investment in ThreatGRID
By Paul McNamara on Fri, 05/30/14 - 1:26pm.
The CIA's non-profit venture capital arm, In-Q-Tel, has been pumping millions of dollars into technology startups since its launch in 2000, meaning it's not the least bit unusual for major vendors to have acquired and assimilated one of these CIA-nurtured seedlings.
So what would make Cisco's recent acquisition of In-Q-Tel-backed security company ThreatGRID any more noteworthy than all the others?
You've probably seen the pictures of NSA employees apparently intercepting and bugging Cisco equipment, and read of the letter sent by Cisco CEO John Chambers to President Obama suggesting the obvious: that this kind of thing is bad for business.
In short, Cisco's acquisition of ThreatGRID is different because Cisco is today scrambling to counter the impression - especially abroad - that it is in league with the U.S. intelligence community, a charge it has always denied. And in this atmosphere of growing distrust, little distinction will be appreciated between our domestic and foreign spy agencies. Moreover, the connections between Cisco's new acquisition and U.S. intelligence are more than financial, they are familial, too, as we'll get to below.
As first noted by blogger Brad Reese, no mention was made of the CIA funding of ThreatGRID by those involved in announcing the deal last week. I was unable to find any mention of ThreatGRID on the In-Q-Tel website, though dozens of current and former funding recipients are listed.
So might real-world buyers even care about such a link?
"I think it's a reasonable proposition," says Zeus Kerravala, founder and principal analyst with ZK Research, and a contributor to Network World. "The fact remains, there's so much uncertainty today about who's watching what that it scares some customers. The uncertainty though should drive U.S. customers back to Cisco but give cause for concern for overseas ones. Either way, it doesn't help security sales for Cisco or really any company."
There's an element of bad timing at play here, too, as the deal was clearly in the works before those damaging pictures emerged and ThreatGRID received its CIA funding before the world had even heard of Edward Snowden.
From a May 28, 2013 story in CRN:
Dov Yoran, co-founder and CEO of ThreatGrid, an antimalware analysis platform that recently received In-Q-Tel funding, said the investment firm required a certain influence on the product road map. The funding ensures that the intelligence community not only gets the technology, but gets a product that is more refined for their needs, he said. ..."In-Q-Tel helps you break that government veil of being an outsider looking in," Yoran said. "It benefits the company with not only larger exposure to potential clients, but real clients that are actually going to buy."
Also quoted in that CRN story was Yoran's brother, Amit Yoran, a senior vice president at RSA who in 2003 was appointed director of the Department of Homeland Security's National Cyber Security Division, a post he held for a year. In 2006, Amit Yoran served a four-month stint as CEO of In-Q-Tel.
A third brother, Elad Yoran, in addition to having 20 years of experience in the cyber security industry, has served as an advisor to the Department of Homeland Security and currently serves the FBI in that capacity.
The brothers did a televised interview with Fox News on Aug. 14, 2013 where they were introduced as "the self-proclaimed first family of cyber-security."
None of which should have anything to do with Cisco and its products.
Unless you're looking for a reason to suspect Cisco and its products.
EFF Accuses the Government of Spoliation of Evidence
Published May 30, 2014 | By emptywheel
I’ve written about these accusations in the past. EFF got a preservation order in its NSA lawsuits back in 2008. Only after the government asked for permission to destroy phone dragnet data earlier this year did they learn the government has been destroying data relevant to their various suits for years.
But now they’ve written an aggressive motion asking for sanctions.
There is now no doubt that the government defendants have destroyed evidence relevant to plaintiffs’ claims. This case concerns the government’s mass seizure of three kinds of information: Internet and telephone content, telephone records and Internet records. The government’s own declarations make clear that the government has destroyed three years of the telephone records it seized between 2006 and 2009; five years of the content it seized between 2007 and 2012; and seven years of the Internet records it seized between 2004 and 2011, when it claims to have ended those seizures.
By destroying this evidence, the government has hindered plaintiffs’ ability to prove with governmental evidence that their individual communications and records were collected as part of the mass surveillance, something the government has vigorously insisted that they must do, even as a threshold matter. Although plaintiffs dispute that the showing the government seeks is required, the government’s destruction of the best evidence that plaintiffs could use to make such a showing is particularly outrageous.
[snip]
This is spoliation of evidence. A litigant has a clear legal duty to preserve evidence relevant to the facts of a case pending consideration by the court, and that duty requires preservation of all relevant evidence, defined as anything that is likely to lead to the discovery of admissible evidence. This duty is subject only to practical considerations, none of which the government has ever raised. Any private litigant who engaged in this behavior would be rightly sanctioned by the court; indeed many have been severely sanctioned for failure to preserve evidence in far less egregious circumstances.
This court has the power to order a broad range of remedies for spoliation, up to and including terminating sanctions. Plaintiffs here seek more modest relief: that the government be subject to an adverse inference that the destroyed evidence would have shown that the government has collected plaintiffs’ communications and communications records. Plaintiffs also request that the Court set a prompt hearing date on this matter in order to halt any ongoing destruction.
My favorite part — being a bit of a timeline wonk — is the timeline showing all the broad claims the government made to ensure state secrets would cover even activities authorized by FISA, interspersed with what data the NSA was destroying when.
Then there’s this lesson in warrantless wiretapping.
The government overreaches in trying to limit plaintiffs’ complaint. For example, the government tries to use the fact that plaintiffs often characterize the surveillance as “warrantless” as indicating that the complaint doesn’t reach surveillance conducted under the FISC. But this characterization is absolutely true even as to the FISC-authorized surveillance. Whatever the legal import of the FISC orders, they are unequivocally not full Fourth Amendment warrants, and the surveillance conducted under them is “warrantless.” Thus, this court was exactly correct in July 2013 when it stated that Plaintiffs’ claim is “that the federal government . . . conducted widespread warrantless dragnet communications surveillance of United States citizens following the attacks of September 11, 2001.”
Given all the things the government destroyed here — such as the US person phone data collected without requisite First Amendment review, the Internet metadata that included content, and the US person communications collected under upstream collection, the EO 12333 collected metadata mingled with the PATRIOT authorized data – they might well rather give EFF standing without all that data.
Snowden: “A Classified Executive Order”
Published May 30, 2014 | By emptywheel
Yesterday, I noted that the subject of Edward Snowden’s emailed question to NSA’s Office of General Counsel pertained to one of the under-reported themes of his leaks, the way NSA uses EO 12333 to collect data on Americans that either clearly was or might have been covered by stricter laws passed by Congress. I also noted how unbelievably shitty the NSA training programs released to ACLU and EFF are, particularly the way seemingly outdated documents that remain in effect appear to allow spying on Americans prohibited by statute.
I’d like to return to the precise language Snowden used to refer to this email exchange (and a thus-far unreleased exchange he claims to have had with NSA’s Compliance folks).
Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published.
I suggested yesterday that this was likely a conflict over whether EO 12333 superseded laws passed by Congress, including but not limited to FISA.
But note: Snowden says he asked about a “classified” EO.
EO 12333 is unclassified.
So there are two possibilities. First, that there’s a classified EO — one that remains classified – that we don’t know about, one Congress may not even be fully cognizant of (on the premise that this EO supersedes the law).
That’s possible. But EO 12333 is the only EO referenced in USSID 18’s list of references.
The other possibility is far more interesting.
As I noted, the documents laying out the core regulations governing NSA conflict badly, largely because many of the documents are very dated, and have been (or should have been) superseded by recent laws (like the FISA Amendments Act) and court decisions (like John Bates’ 2011 ruling on upstream collection).
Of particular interest is NSA/CSS Policy 1-23 (starting at PDF 110). That policy is interesting, first of all, because it was first issued on March 11, 2004 by Michael Hayden. That is, this policy dates to the very day when Michael Hayden agreed to continue the illegal wiretap program even as half of DOJ threatened to quit.
The policy was updated twice, once to make what were considered minor adjustments in policy in 2007, and once in 2009 to incorporate FISA Amendments Act changes. Thus, the policy at least purports to fully incorporate FAA. The 2009 reissue — and its classified annex — is considered among the signature authorizing milestones according to a timeline leaked by Snowden, above, and the only one that mentions a classified annex.
But — as I noted yesterday — the policy still relies on (and incorporates) a classified annex to EO 12333 that was written in 1988 (though the document itself bears the March 11, 2004 date). And among other things, that now declassified annex permits the collection of US person data for 90 days so long as the Attorney General certifies that person is a foreign agent.
with specific prior approval by the Attorney General based on a finding by the Attorney General that there is probable cause to believe the United States person is an agent of a foreign power and that the purpose of the interception or selection is to collect significant foreign intelligence. Such approvals shall be limited to a period of time not to exceed ninety days for individuals and one year for entities.
That is, NSA/CSS Policy 1-23, and the 25-year-old classified annex to EO 12333 that was still classified and in place in April of last year (and for all we know, still today), permits wiretapping Americans on the very same terms the government used under the illegal wiretap program: AG approval for 90-day periods.
It also includes authority to do precisely what NSA tried to legalize in Dianne Feinstein’s FakeFISAFix last year: wiretapping non-resident aliens who enter the US for 72 hours.
It permits the interception and dissemination of “Illicit Communications,” which I suspect would include encrypted communications.
It lays out a very broad definition of “significant foreign intelligence,” which as applied would mean the NSA could keep everything that might feasibly be helpful for foreign intelligence purposes (which is the standard we understand them to use).
[A]ny deliberate interception, selection or use of a selection term shall be deemed to constitute electronic surveillance; and “significant foreign intelligence” shall mean not only those items of information that are in themselves significant, but also items that are reasonably believed, based on the experience of the United States Signals Intelligence System, when analyzed together with other items, to make a contribution to the discovery of “significant foreign intelligence.”
It also includes language on dissemination that would seem to permit the government to disseminate communications it obtained from NatSec journalists.
the communication or information indicates that the United States person is engaged in the unauthorized disclosure of classified national security information;
In short, the now declassified classified annex to EO 12333 seems to permit a number of things — including wiretapping of Americans without a warrant — that FISA would seem to prohibit.
If this is the classified (annex to an) Executive Order that Snowden referred to, it would mean even NSA’s compliance people were suggesting this language took precedence over FISA as recently as April of last year.
As I noted, both PCLOB and HPSCI were pushing — as recently as late March — to force the Agencies to update their decades-old implementation procedures for EO 12333, which would seem to include this classified annex.
This document was declassified and released on November 18 of last year, less than a week after DiFi’s FakeFISAFix passed through the Senate Intelligence Committee. It was released along with some far more interesting documents (including several pertaining to the Internet Dragnet). Given that only one or two other people have even read the other documents associated with this release, I suspect almost no one read this annex. But it seems to have made quite clear that in implementing EO 12333, NSA created loopholes in the laws passed by Congress.
The same loopholes that almost led half of DOJ to quit in 2004.