Cryptography experts pen open letter against NSA surveillance

By Tom Warren

nsa stock

The pressure on the US government to reform the NSA’s surveillance programs is growing. Apple, Google, and Microsoft all called for change last month alongside apetition from international authors calling for an end to mass surveillance. President Obama announced big changes to government surveillance programs, but most of them centered around the NSA’s bulk collection of Americans’ phone records, not its spying on internet communications. In an open letter published on Friday, more than 50 cryptography experts are asking the US government to make more changes to protect privacy.

“The value of society-wide surveillance in preventing terrorism is unclear, but the threat that such surveillance poses to privacy, democracy, and the US technology sector is readily apparent,” the authors of the open letter state. “Because transparency and public consent are at the core of our democracy, we call upon the US government to subject all mass-surveillance activities to public scrutiny and to resist the deployment of mass-surveillance programs in advance of sound technical and social controls.”

MORE PRESSURE ON PRESIDENT OBAMA TO MAKE ADDITIONAL CHANGES

Although the letter doesn’t mention Obama, it’s clear the president’s recent speech has not eased concerns from cryptographers over the weakening of encryption standards. An independent review panel has recommended that the NSA be separated from NIST’s cryptography approval process, and that the NSA should not hold encrypted communication as a way to avoid retention limits. The signatories back the five principles put forth by Apple, Google, Microsoft, and others last month, noting they “provide a good starting point.”

Dr. Ronald Rivest is one of the key signatories on the list of more than 50 cryptographers, alongside MIT professor Hal Abelson, a founding director of the Free Software Foundation. Rivest, also a MIT professor, is one of the inventors of the RSA algorithm and founders of RSA Security. The RSA security firm was forced to deny last month that it entered into a contract it knew would provide the NSA a backdoor into one of its security systems. The controversy sparked concerns around the NSA’s involvement with the NIST cryptography approval process.

Other signatories include former federal employees, and The Washington Post notes that some have received funding from defense agencies for research. “The choice is not whether to allow the NSA to spy,” the authors of the open letter explain. “The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users.”

VIA THE WASHINGTON POST
SOURCE MASS SURVEILLANCE OPEN LETTER
full story: http://www.theverge.com/2014/1/26/5347402/cryptography-researchers-open-letter-against-mass-surveillance

This $50 Box Will Cover Your Online Tracks—If You Don’t Mind Waiting Around

The Safeplug box plugs into your router and reroutes its traffic through Tor, helping users escape detection. But be warned, it takes some time.

By Rachel Z. Arndt

The way most of us surf the web now, traffic takes a pretty direct route. The request you make for a website goes directly from your computer to a server and comes back again, delivered in the form of whatever website you’re visiting. And everything is out in the open, which means anyone who wants to catch a glimpse of your location can do so. But when the request is more like an onion, wrapped in layers of encryption and moved around a roundabout route from your computer to the end server, it becomes almost completely anonymous.

That’s the thinking behind online-anonymity-enabling Tor Project (short for The Onion Routing Project), which is now packaged in hardware form in the Safeplug, a device made by Pogoplug. The $49 box plugs directly into an Internet router and reroutes traffic on that network through Tor, which began with funding from the U.S. Naval Research laboratory (and has popped up in the general consciousness this year as the way to get onto the now defunct Bitcoin marketplace Silk Road). Internet traffic that moves through the Tor network passes, encrypted, through a series of relays before it reaches the intended server and is sent back. So instead of taking a straight path, data move in twists and turns, throwing off would-be stalkers.

Until now, the only way to use Tor has been through the Tor browser. It can be unfamiliar and intimidating to the non-tech-savvy (and some won’t find it terribly aesthetically pleasing). Safeplug takes away that barrier to entry and annoyance. Once the Linux-based box is plugged in, it takes about two minutes to configure it through your browser of choice, whether Chrome, Firefox, Safari, or Internet Explorer. And that’s that.

As Safeplug promises, the setup is a breeze. The trouble is in the actual browsing. It’s not the fault of the device, but rather the system it uses. Because it beams your Internet traffic around a twisting path of randomly picked servers on the way to its destination, it’s slow-going. With Safebox plugged in, it took more than a minute to load google.com via an internet connection that runs at about 40 Mbps. There’s some relief in that you can set Safebox to run only on a certain browser and, within that browser, choose websites that bypass Tor. But if you are truly concerned about privacy, you’d want all of your traffic to be encrypted and rerouted, so not running Tor would defeat the purpose.

Another problem comes from connecting the Safeplug to more than one router. I ran into trouble after I’d activated with one router, disconnected it, and plugged it into a second router. The Safeplug stays attached to whatever router it was connected to during initial setup. So when I went through the setup again, with a different router, everything looked successful until I was supposed to hit the settings screen, the final webpage of configuration. It was blank. To make it work, I had to go to my router’s webpage and find the Safeplug’s IP address in the list of connected DHCP clients. Using that address, I could again access the Safeplug settings.

The best use of this tech might be sparing use: Keep the Safeplug attached to a single router, and keep it running not in your favorite browser but in your second favorite one. That way, when you really want to cover your tracks, you can switch over to the oniony browers, and the rest of the time you can browse happily and speedily in your normal browser.

full story: http://www.popularmechanics.com/technology/gadgets/reviews/cover-your-online-tracks-with-this-50-dollar-box-16417037

US willing to hold talks with Edward Snowden, but only if he pleads guilty first

By Chris Welch

edward snowden (wikileaks)

The US Justice Department says it will hold talks with Edward Snowden’s lawyers, but only under one condition: the NSA contractor-turned-whistleblower must return home and plead guilty to the charges against him. Snowden is currently living under asylum in Russia to avoid charges of espionage after he famously leaked thousands of documents outlining the alarming surveillance practices of the US government. Some lawmakers and civil liberties groups have called for the Obama administration to grant Snowden clemency for his actions, which put a spotlight on controversial data collection and mass snooping tactics of the NSA. President Obama himself recently said he doesn’t have a straight yes or no answer as it relates to clemency for Snowden. “This is an active case, where charges have been brought,” he said during a wide-ranging interview with The New Yorker.

But Attorney General Eric Holder has taken a much firmer stance; he says clemency is off the table, and it was never a plausible option to begin with. “We’ve always indicated that the notion of clemency isn’t something that we were willing to consider,” he said at the University of Virginia on Thursday. “Instead, were he coming back to the US to enter a plea, we would engage with his lawyers.” Holder also makes it clear that Snowden wouldn’t be given any special treatment. Despite the high profile nature of the case, those discussions would be the “same with any defendant who wanted to enter a plea of guilty,” he said.

For his part, Snowden says he isn’t coming back anytime soon — but he realizes it would be the preferred outcome for everyone involved. In an online Q&A yesterday, he said, “Returning to the US, I think, is the best resolution for the government, the public, and myself, but it’s unfortunately not possible in the face of current whistleblower protection laws, which through a failure in law did not cover national security contractors like myself.” Under current laws, Snowden claims there’s “no chance to have a fair trial, and no way I can come home and make my case to a jury.”

Microsoft offers overseas data storage in response to NSA concerns

By Russell Brandom

microsoft logo granite stock 1020

Today, Microsoft announced an unpredecented response to concerns of NSA data access, offering customers in foreign countries the option of having their data stored outside US borders. According to Financial Times report, the company decided to launch the program after discovering the NSA was using their networks to surveil citizens of Brazil and the European Union. So far, Microsoft is the only major company offering explicitly non-US data storage, despite evidence that the agency has broken into the private networks of both Google and Yahoo.

While there’s no guarantee the NSA won’t be able to reach servers outside US borders, the move would offer an additional layer of protection, as local law enforcement is likely to respond more aggressively to agents of a foreign country. It also continues recent moves to shift web traffic away from the US in response to the NSA scandal, in Brazil and elsewhere. If privacy-conscious users want to shift away from the American parts of web, this latest offer ensures they’ll be able to do so without shifting away from American companies like Microsoft.

Facebook Backdoor Gives Clues To Private Email Addresses

by Adam Tanner, Contributor

If you forget your Facebook profile name, you can enter your name, email or phone number into a page called Find Your Account to find your Facebook profile and some alternative email addresses, which are partially obscured such as j*******s@yahoo.com.

The same technique works if you type in other people’s details. Then Facebook can act as a Caller ID and produce a photo, name or clues about a private email. That could help if someone telephones but does not leave a message, or if you want to find a private email address from a company email.

As a test I looked up Gary King, one of two dozen who hold Harvard’s prestigious title of University Professor. His email address is listed on his public webpage. A search of Find Your Account leads to his Facebook profile photo and revealing clues to his alternative email addresses.

I repeated the process for several other people. It did not find everyone– perhaps the telephone numbers or email addresses were not linked with Facebook — but in many cases it did, including for a well-known private detective in Las Vegas whose photo I was able to see.

“This is an interesting case where a feature aimed at giving users a better service actually exposes their private data,” said Michael Bar-Sinai, a software engineer at Harvard’s Institute for Quantitative Social Science where King serves as director.

He pointed out his privacy settings allowed only friends of friends – not everyone – to look him up with his email address or his phone number. Yet a search finds his photo, name and partial email addresses.

In many cases, “Find Your Address” would not reveal any startling information. However, often a little bit of personal information here and there allows outsiders to gain a far 

facebook2

more intimate portrait of us than we imagine. One chapter in my upcoming book tries to find a woman whose thumbnail-size image is posted on a Yelppage. Tiny clues in obscure places help reveal her double life on the steamier side of the Internet.

Asked about the information shown by Find Your Account, a Facebook spokesman who did not want to be named said: “Certain information on Facebook—such as your name, profile photo, and networks (if you choose to add any)—is treated as public because it plays a crucial role in helping your friends and family connect with you. In this case, showing a profile photo helps people avoid accidentally initiating a password reset for the wrong account.”

This page describes what Facebook considers public information. Users can adjust their privacy settings with details given here to mask the name and photo from being visible in the password recovery process.

“If you use the password recovery feature to search for someone who has modified these settings such that you can’t look them up using this information, you will see only ‘Facebook User’ and will not be able to view their name, profile photo, or networks,” the spokesman said.

Still, the partial email address remains visible. So using his phone number, I looked up the spokesman via Find Your Account. His name and photo were not given, but I could easily guess what his private Gmail address is from the partially masked information. It showed the first letter of his first name, stars, and the last letter of his uncommon surname followed by @gmail.com.

“We show obscured email addresses in the password reset flow because our experience with helping many people recover their accounts over the years suggests that this information is important for helping people find the account recovery message we send,” he said. “Many people have multiple email addresses and don’t always remember which one is registered with Facebook.”

In the case of Professor King, his photo is available elsewhere and he posts his university email on his web page. His private email addresses – for which Facebook provided some clues — would be harder to locate. But he is relaxed about this information being visible.

King cited outgoing Microsoft CEO Steve Ballmer as someone who has made his email address public and referred to that fact in interviews. Ballmer “said he does the same and has no problems.  I get a lot of email, but just like he said, people tend to be respectful,” King said. “I sign out of every automated mailing, which cuts things down some.”

full story: http://www.forbes.com/sites/adamtanner/2014/01/17/facebook-backdoor-gives-clues-to-private-email-addresses/

5 Changes President Obama Wants To Make to NSA’s Surveillance Programs

In a major address this morning, President Obama tried to soothe Americans’ fears about NSA spying by promising these changes.

By Davey Alba

President Barack Obama speaks about the National Security Agency (NSA) at the Justice Department, on January 17, 2014 in Washington, DC.
Mark Wilson/Getty Images

Earlier this morning, President Obama spoke about a number of reforms he wants to make to the National Security Agency’s surveillance programs, which have been widely criticized since Edward Snowden’s leaked on the extent of agency’s spying operations. Almost every week now, it seems, new revelations emerge, ranging from the bulk collection of telephone metadata to capturing information from computers that aren’t even connected to the Internet through radio waves sent out by the machines.

With dissent mounting, President Obama took to the podium once more to try to mitigate public concerns. Here are the five crucial things you need to know about the announcement. (You can also read the full text of Obama’s speech here, or read the presidential policy directive on surveillance, which has been posted online.)

1. An End to the NSA’s Bulk Data Collection Program

The biggest reform announced today was the end of the bulk data collection program under section 215 of the Patriot Act. Quick refresher: This was the program that enabled the NSA to review the telephone connections of many Americans‚Äînot the actual content of the phone calls, but the phone numbers and the times and lengths of the calls. That may seem benign, but one can glean a huge amount of information from this metadata, and the revelation was arguably the most important Snowden leak. According to President Obama, this program will come to a halt. It’s unclear how long it will take before bulk data collection is completely overhauled‚Äîthe process could take months if not more‚Äîbut in the meantime, new restrictions will be put into place to limit the government’s access to this data.

2. Continued Access to Call Records Under a New System

President Obama doesn’t want to cut off the government’s access to this data completely, though. The government will establish a new system for holding the phone records, but it’s so far unclear what form that system will take. Some possibilities mentioned included asking the phone companies to hold onto customer data and hand it over to the government whenever a court order mandates it, or creating an entirely new body that would act as the keeper of the massive database of phone records.

3. New Limitations on Spying on U.S. Allies

The Snowden documents revealed that the NSA had digital snooped on foreign leaders, most famously German Chancellor Angela Merkel, whose cell phone was being monitored. Obama has ordered that that the heads of states that are friendly with the United States will be completely off-limits for electronic surveillance by the government. Of course, this measure is a bit murky; why gets to decide who are the “close” allies of the U.S.?

4. A Panel of Public Advocates for Cases in Surveillance Courts

If Obama’s recommendation comes to fruition, third-party public advocates will be present at each request for data in the FISA courts‚Äîthose special federal courts that handle secret requests for surveillance warrants against suspected enemies of the U.S. However, this initiative requires action by Congress before it can become standard procedure.

5. Privacy Protections for Foreigners

Obama is also calling for a reform of the Section 702 program targeting foreign individuals, which allows the government to snatch up communications of foreigners who have information about national security. The President says that unless there is a major threat to national security, foreigners shouldn’t have a reason to fear being spied on. The rules will be developed and crystallized in the next few months.

Read more: 5 Changes President Obama Wants To Make to NSA’s Surveillance Programs – Popular Mechanics
Follow us: @PopMech on Twitter | popularmechanics on Facebook
Visit us at PopularMechanics.com