Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Comments · 1,061
-
Re:LIAR
If the President orders the military to march on the capital and kill anyone who refuses to proclaim him emperor, is it they who are engaging in treason when they refuse his command, or is it the President who is engaging in treason for having given the command in the first place? I, and I would assume most others here, would suggest that it would be the latter. The President was acting in violation of his allegiance to the nation, and the military was acting in accordance with the higher calling they had to safeguard the nation, rather than the person currently leading it.
The situation here is less extreme and has different players, but the dissimilarities end there. From the NSA's own Q&A page:
What is more important – civil liberties or national security?
I'm often asked the question, "What's more important – civil liberties or national security?" It's a false question; it's a false choice. At the end of the day, we must do both, and they are not irreconcilable. We have to find a way to ensure that we support the entirety of the Constitution – that was the intention of the framers of the Constitution, and that's what we do on a daily basis at the National Security Agency.
The President, NSA, and other government agencies and officials have a calling to uphold the Constitution in its entirety. They have an additional calling to protect our safety, provide information to the decision makers, or engage in other actions depending on their role in the government, but only insomuch as they can do so within the bounds of the Constitution. When they get those priorities out of balance, such as valuing our safety beyond its worth, we end up in situations where the government begins stripping us of freedoms in the name of keeping us safe, which is an act of treason, in that it betrays the trust we've put in them to preserve our liberty above all else. Most of us have heard a variation of Benjamin Franklin's famous quote:
They who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
So, I ask you: who committed treason? The ones who violated the trust of the nation, or the one who refused to be a part of it?
-
Re:Boohoo
So how are they supposed to do their mission of "Global Cryptologic Dominance through Responsive Presence and Network Advantage" if they're only on US soil?
-
They have dedicated a special page for them
But more to the point, have you ever seen any black people who work for the NSA?
Not only do they have African Americans who work for the NSA, they have set up a special web page for them, and have dedicated a special wall panel to commemorate their contribution, inside the NSA building.
http://www.nsa.gov/about/cryptologic_heritage/african_americans/
But even more to the point - no matter what color of skin they have - white, black, and all hues in between - those who work for NSA, if they continue to violate the Constitution of America, they are Traitors to the country!
-
Re:Say what ?!
... if, say, the military or state department actually follows the NSA's suggestions, there's a decent chance that those suggestions are pretty close to as good as it gets ...
Are you saying that NSA hasn't yet created enough havoc, that you wish the State Department and the Military to join NSA in making even more violations of our Constitution??
When he said suggestions (not examples), I think he meant something like the NSA's Information Assurance recommendations.
Check it out, it's quite informative (+5 Informative).
-
Re:hey, GCHQ employees
Saying that the purpose of the GCHQ or NSA is to spy outside the country is like saying that the purpose of the military is to shoot and bomb people.
The NSA Mission Statement references Executive Order 12333, and I quote directly -- "2.2 Purpose. This Order is intended to enhance human and technical collection techniques, especially those undertaken abroad..." The GCHQ lacks a specific mission statement, because as you know, the British are terrible at getting to the point. The website is, however, full of committee-written documents and available in 9 different languages and makes a point of saying it's available to those who require "assistive devices". The NSA makes no such attempt; I guess that's social commentary.
And as to the military... for an organization whose purpose isn't to shoot and bomb people, they sure do shoot and bomb people a lot. In other news... If an NSA or GCHQ analyst ever reads your post... they'd laugh as hard as I did at your naivety, except part of the swearing in ceremony to become an employee requires they surgically remove the sense of humor.
-
Re:Has the NSA done anything?
Sure, just look at history. How about the battle of Midway?
It's one example where such work was absolutely critical.
http://www.nsa.gov/about/_files/cryptologic_heritage/publications/wwii/priceless_advantage.pdf
-
What's the news here?
The NSA advertises jobs all the time in a variety of formats. They have recruitment booths at technical conferences, internships, etc.. They have a whole web site and all. What is particularly newsworthy about this?
-
Re:He WAS ex-soviet
A Soviet Defector at NSA (DOCID: 4001125) http://www.nsa.gov/public_info/_files/cryptologic_spectrum/soviet_defector_nsa.pdf
CAPTCHA: junction
-
Re:I'm for this
... they're subject to a very stern reprimand (on the merits on not getting caught), and for the most egregious offenders, the possibility of paid vacation and/or reassignment.
From what I seem to recall reading, many of them were fired.
Here's the report: https://www.nsa.gov/public_info/press_room/2013/grassley_letter.pdf
I was wrong; some were suspended without pay. Some resigned. I didn't read anything about anyone getting fired, and despite the violation of federal laws that occurred in all instances, DOJ chose to prosecute in none of them.
No one got fired; only resignations, suspensions, reprimands, pay-cuts, and the like.
This thing reeks. (I wouldn't normally be fooling with this NSA garbage, but since this is cold fjord discussion, we're using the "official" stuff approved for public consumption here — not the gold Snowden brought us. Snowden's set likely didn't include material about abuses of our ill-gotten private data, as there was no need for such documentation to exist then.)
The last line is telling: "I hope that this information satisfies your request." Supposing this information didn't satisfy the senator's request? I think the Inspector General would need to "catch" more violations, but not so many as to imply that the abuse is rampant.
-
Re:Explains a lot
At least they could provide a direct link to Facebook
-
Re:Who's surprised?
If the stated goal is to prevent terrorism, then going after your allies is NOT how you do that.
Well see, your premise is incorrect. The NSA's stated goal is to "gain a decision advantage for the Nation and our allies under all circumstances".
-
Re:Who's surprised?
Check out the history of the NSA, from its very origin: "The NSA is tasked with the global monitoring, collection, decoding, translation and analysis of information and data for foreign intelligence and counterintelligence purposes.". It's never been specifically about terrorism, its focus is about communications intelligence. http://www.nsa.gov/public_info/_files/cryptologic_histories/origins_of_nsa.pdf
-
Re:DoS?
What exactly makes you think the NSA would have any incentive to do a better job than the existing producers? My guess would be the NSA's products would be *worse*. They don't need you to trust them. They don't need to turn a profit. Things are easier for them if your shit is not secured. And they don't give a damn if anyone else reads your traffic. Exactly what incentive would they have to make things secure?
The NSA is the premiere writer of security guides for networking equipment. They give this information away for free and their work is quite thorough. These documents were (and as far as I know still are) the best of the best bar none for many years. Very impressive stuff. I recommend a look as no one else has come close to this sort of work. All the fancy postgrad papers and guides by huge international companies read like summaries of these things, never actually managing to add anything.
One caveat though, after many revisions it appears they stopped updating it (publicly anyway) in 2005, just before the time all this domestic spying stuff really kicked off. Interesting yeah?
-
Re:Who. Fucking. Cares.
a.) their job is to collect foreign intelligence ("information" for those ignorant of the correct definition to use for the word)
b.) they didn't get caught they got exposed by Snowden
c.) Other countries (France and England included) spy on the U.S. all the time...since, well, as long as the U.S. has existed. Just because they're an ally doesn't mean we don't gather intelligence on them clandestinely. It's part of the way the world works. It's the spying internally that is bad, bad, bad, bad, bad! That's what Snowden was trying to point out and (rightfully) get stopped. He unfortunately caused a lot of collateral damage in the process. Trust me, it's going to take more than a "hey-you're-spying-on-us" incident to sour collaboration against terrorism. We might lose some trade deals or something like that, but France and other allies don't want their citizens injured in an attack either and will cooperate to thwart a plot. To not act on U.S. intelligence and have French citizens killed would be much worse for those in charge than some spying.
-
Re:Dear Frogland
Boo freekin hoo. This is what the NSA is supposed to do.
Um, no. They are supposed to focus on the activities of groups who are directly threatening American interests.
Ummm, no, please read. They are supposed to be building and looking through haystacks. That *IS* their job by mandate. Their mandate did not extend to U.S. soil until the (Un-)Patriot Act. That's when everyone's panties got in a bunch. The NSA is supposed to support intelligence and counterintelligence information gathering to support national and departmental interests. That includes spying on our allies. Always has. And they have always spied on us too, so welcome to the real world!
-
Re:Poisonous tree
(when did this program start, I wonder?)
The NSA just celebrated its 60th anniversary . . .
http://www.nsa.gov/about/cryptologic_heritage/60th/index.shtml
-
Re:How did you guys miss this?
If they are using Windows Server 2003 for their MITM attacks, you would think someone could come up with a way to identify and infect them.
Assuming that information is accurate to begin with, I'm pretty sure NSA knows a thing or two about securely deploying a Windows system on the public internet; after all, they wrote the book on it. And I don't think it would be wise to be "that guy" who goes probing for vulnerabilities on NSA's hardware.
Also, I find it a bit funny that NSA's advice related to the government shutdown is in quote marks: "Due to the Government Shutdown, this site is not being updated."
-
Re:I'll tell you what it means ...
"The NSA/CSS Memorial Wall lists the names of 171 cryptologists who have died in the line of duty since the Agency's inception in 1952," according to the letter.
This refers to members of the US military doing cryptographic duty who died in the line of duty. Here's the list. Most died during the Cold War or in Vietnam. In recent years, in Afghanistan or Iraq. Only one civilian, Alan M. Blue, who was on the USS Liberty when the Israelis attacked it.
-
Re:IETF is better than NIST, how?
"Lets face it, security and privacy were not designed into the protocols we use on the internet today, they were bolted on afterward, and the government played a big (and self serving) part of that effort."
For those that doubt that statement, please read the documentation provided by none other than the NSA itself.
http://www.nsa.gov/ia/programs/suiteb_cryptography/
That page was posted by the NSA 4 1/2 years ago and updated in May 2013. Surprisingly, they name names--exactly who worked on what--and even go so far as to provide addresses and personal information for these people. These names can be used to locate networks of "cooperation", just like the NSA uses metadata to find out things about us. For instance, one of the key writers in this document ( http://www.ietf.org/rfc/rfc6318.txt?number=6318 ) when Googled is linked to this document-- https://www.google.com/patents/US6243467 , which in turn adds more names. Follow the names, and see just how much trust you have afterwards.
Dig through the links! Very informative! Start asking yourself what crypto might be safe from the NSA, and you'll quickly realize--the further you dig--that none of it is safe from the NSA. They've identified and created "secure" versions of almost every protocol, for themselves (Suite B), and stuck the rest of the world with lesser versions, versions that would obviously be crackable given that they possess something better.
To be honest, I'm a little surprised that page is still available. I suspect it won't be for long.
-
Re:More petty bickering
"Securing The X Window System With SELinux"
PARANOIA ALERT: SELinux was created by the NSA. Not that that will stop me from using it; the NSA cares far less about my systems than some random cybercriminal.
-
Why is EC more secure than RSA?
Color me ignorant, but could someone please explain why elliptic curve is more secure than RSA? Wikipedia even claims that a 128-bit EC key is equivalent to a 3072-bit RSA key. Even if its computational complexity is brute-forcing discrete log or integer factorization on a non-deterministic Turing machine, it should differ by no more than a small constant factor, e.g. 512-bit versus 1024-bit, not by O(sqrt(n)) as Wikipedia claims. Wikipedia is simply quoting NSA.
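As an added example (not part of the original post, and not taken from Wikipedia or the NSA), here is the generic square-root attack that the key-size comparison rests on. On a cyclic group of prime order n the best generic discrete-log algorithms, baby-step giant-step and Pollard rho, need about sqrt(n) group operations, so a curve whose order is an n-bit number is credited with roughly n/2 bits of security; integer factoring has subexponential algorithms (the number field sieve), which is why a 256-bit curve is rated at 128-bit security and paired with a 3072-bit RSA modulus in the NIST key-size tables. The prime, curve coefficients and base point below are toy parameters constructed for this example; the class and function names are mine.

```python
"""Baby-step giant-step on a toy elliptic curve: the O(sqrt(n)) generic
discrete-log attack that sets the 'n-bit curve ~ n/2-bit security' rule.
Added example for this page; p=1019, y^2 = x^3 + x + 1 and P=(0,1) are
constructed toy parameters, not anything from a standard."""
from math import isqrt

class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p, affine points;
    None stands for the point at infinity."""
    def __init__(self, p, a, b):
        assert (4 * a**3 + 27 * b**2) % p != 0, "singular curve"
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Group law (chord-and-tangent)."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:   # P == -Q, covers doubling with y == 0
            return None
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, P, k):
        """Double-and-add scalar multiplication k*P."""
        R = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order_of(self, P):
        """Order of P by repeated addition; only feasible on a toy curve."""
        n, R = 1, P
        while R is not None:
            R = self.add(R, P)
            n += 1
        return n

def bsgs(curve, P, Q, n):
    """Find k with k*P == Q, given that P has order n.
    Returns (k, baby_steps, giant_steps): about 2*sqrt(n) group operations
    and sqrt(n) table entries, regardless of which k was used."""
    m = isqrt(n) + 1
    table = {}
    R = None
    for j in range(m):                    # baby steps: j*P for 0 <= j < m
        table[R] = j
        R = curve.add(R, P)
    step = curve.neg(curve.mul(P, m))     # -m*P
    gamma = Q
    for i in range(m):                    # giant steps: Q - i*m*P
        if gamma in table:
            return ((i * m + table[gamma]) % n, m, i + 1)
        gamma = curve.add(gamma, step)
    raise ValueError("Q is not a multiple of P")

def security_bits(curve_order_bits):
    """Square-root attacks halve the exponent: ~n/2 bits for an n-bit order."""
    return curve_order_bits // 2

def demo():
    curve = Curve(1019, 1, 1)             # constructed toy curve
    P = (0, 1)                            # 1^2 == 0^3 + 0 + 1, so P is on the curve
    n = curve.order_of(P)
    k = 123 % n                           # the 'private key' the attacker recovers
    Q = curve.mul(P, k)                   # the 'public key'
    found, baby, giant = bsgs(curve, P, Q, n)
    return n, k, found, baby + giant

if __name__ == "__main__":
    n, k, found, steps = demo()
    print(f"order {n}: recovered k={found} (true k={k}) in {steps} steps, "
          f"sqrt(n)~{isqrt(n)}; a 256-bit curve -> {security_bits(256)}-bit security")
```

The step count reported by `demo()` stays close to 2*sqrt(n) whatever k is, which is the whole point: doubling the bit length of the curve order only squares the attacker's work, so security grows by half the added bits, whereas for RSA the number field sieve grows much more slowly than that in the modulus size, so the modulus has to be far larger for the same work factor.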
-
Simple Question
If, as Rep. Holt apparently wishes, the NSA were to stop intercepting and decrypting electronic communication, what exactly is the point of the organization?
Their mission:
The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances. [Source]
Or is Rep. Holt insisting that the NSA not take shortcuts, and instead rely on brute-force decryption to somehow "level the playing field" and improve other countries' opinion of us?
-
Re:HTTPS forward secrecy to the rescue
True, and that's certainly a concern. The NSA could have chosen those parameters to weaken the algorithms or they could have chosen them to strengthen them much like they did with DES. Alternatively, the parameters could have been chosen to optimize performance on certain systems, or perhaps even at random. It's not known why they chose what they did, so it makes sense to be somewhat skeptical. Still, the NSA recommends ECC for government use, so they seem to be reasonably confident about its security.
Additionally, ECC offers considerable performance improvements over discrete log algorithms. According to this site, adding perfect forward secrecy with ECC requires an additional overhead of 15-30% or so, depending on optimizations. Using discrete log-based Diffie Hellman key exchange there's an overhead of about 300%. That can be considerable when you're running services at the scale of, say, Google.
If you're particularly concerned about the security of ECC, and it's reasonable to be concerned, you could only use it where performance is important and extremely high security is not required.
-
Re:This is their job
Just to be clear:
I don't agree with what they did (on many levels). I'm just pointing out that this is exactly what they do.
See: http://www.nsa.gov/about/mission/index.shtml
Cheers,
Bruce.
-
Re:Wait -- *their* guidance?
The NSA is a deeply schizophrenic organization.
Not schizophrenic - they just have 2 conflicting missions. That would be signals intelligence (gather and decrypt) and information assurance (protect and defend).
It could be that a split and reorg would be good - say move the information assurance folks and merge them with DISA. Then clamp down on any out of control signals intelligence programs.
-
Re:Holy Crap. Get A Grip.
Maybe I missed the morning news, but I'm not sure what you're saying there.
I'm saying that finding a common set of suitably pseudo-random bits to use as a one-time-pad is rather trivial -- an MP3 (at least the bits that are the compressed data and not the text tags), a wav file from a commercial audio CD track, the jpeg image from an online newspaper, etc. And that you can display irony by using something the NSA itself produces (which of course there is no real podcast by that name or source, but irony needs not be factual to be irony) such as from here. You just have to agree ahead of time what to use.
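The scheme described in the post above (XOR against an agreed-on stretch of a shared file), as an added example that is not part of the original post, together with the one check a practitioner would insist on: each pad byte is consumed exactly once and both sides advance through the file in lockstep, because if two messages ever share pad bytes the pad cancels out and one known message gives away the other. The "shared file" here is a constructed byte string standing in for the MP3/WAV/JPEG bytes the post suggests, and `PadCursor` is a name chosen for this example.

```python
"""XOR against an agreed-on stretch of a shared file, with the pad-reuse
check. Added example for this page, not the original poster's code. The
'shared file' is constructed so the example runs offline; a real pad would
have to be genuinely random bytes, not the contents of a media file."""
import hashlib

# Constructed stand-in for the agreed-on file (512 arbitrary-looking bytes).
SHARED_FILE = b"".join(hashlib.sha256(b"toy-pad-%d" % i).digest() for i in range(16))

class PadCursor:
    """Tracks how much of the shared file has been used, so both parties
    advance together and no pad byte is ever reused."""
    def __init__(self, pad: bytes, offset: int = 0):
        self.pad, self.offset = pad, offset

    def xor(self, data: bytes) -> bytes:
        """XOR data with the next len(data) pad bytes and advance the cursor.
        The same call decrypts when the peer's cursor sits at the same offset."""
        end = self.offset + len(data)
        if end > len(self.pad):
            raise ValueError("pad exhausted: never wrap around or reuse pad bytes")
        chunk = self.pad[self.offset:end]
        self.offset = end
        return bytes(d ^ p for d, p in zip(data, chunk))

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """For two ciphertexts made with the same pad bytes the pad cancels:
    c1 XOR c2 == m1 XOR m2. Zero bytes mark positions where m1 == m2, and a
    known (or guessed) m1 yields m2 directly."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def demo_correct():
    """Both sides start at the same offset; each message consumes fresh pad."""
    m1, m2 = b"attack at dawn", b"meet at the junction"
    sender = PadCursor(SHARED_FILE)
    receiver = PadCursor(SHARED_FILE)
    c1, c2 = sender.xor(m1), sender.xor(m2)
    return receiver.xor(c1), receiver.xor(c2)

def demo_reuse():
    """The mistake: two fresh cursors at offset 0 reuse the same pad bytes."""
    m1, m2 = b"attack at dawn", b"attack at dusk"
    c1 = PadCursor(SHARED_FILE).xor(m1)
    c2 = PadCursor(SHARED_FILE).xor(m2)
    leak = two_time_pad_leak(c1, c2)
    recovered_m2 = bytes(l ^ a for l, a in zip(leak, m1))   # attacker knows m1
    return leak, recovered_m2

if __name__ == "__main__":
    print(demo_correct())
    leak, m2 = demo_reuse()
    print(leak.hex(), m2)
```

In `demo_reuse()` the leak is all zero bytes for the shared prefix "attack at d" and non-zero only where the two messages differ, which is exactly the structure an eavesdropper crib-drags against; the cursor discipline in `demo_correct()` is what prevents it.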
-
Re:Do you think that will make any difference?
Anywhere else, really.
Europe seems to take this stuff a lot more seriously.
But that's not really needed. What's needed here is to put pressure on the US government, and pulling business out of the US will do just that. Even if the net is still being spied on, enough harm to US corporations will get the lobbyists' attention.
What harm comes from a corporation moving its servers out of the U.S.? Other than making them bigger targets for the NSA that is supposed to be spying on everyone BUT the U.S.A.? Vote the fuckers out that approved this nonsense and reform the system back to what its mandate is/was supposed to be! Corporations are better staying inside the U.S. with technology infrastructure than outside. They know this, mostly because they have people that work for them that know how to read!
-
Ummm...
I don't know if anyone else in the thread has pointed this out yet, but if you're worried about the NSA, going outside the U.S. is NOT the answer. Their mission (before the Patriot Act anyway) was to monitor ALL foreign communications, not domestic ones.
-
Re:Strategic goal of the NSA -- ERROR
So, I was researching to comment/argue with a previous post and typed into google "goal of the nsa"- and the first link was: http://www.nsa.gov/about/strategic_plan/
Coincidentally that returned "Internal Server Error...unable to complete your request."
HAH!
http://www.nsa.gov/about/strategic_plan/index.shtml
Mapping .shtml as an index page candidate is apparently too difficult for the people they hire to do web server administration.
-
Strategic goal of the NSA -- ERROR
So, I was researching to comment/argue with a previous post and typed into google "goal of the nsa"- and the first link was: http://www.nsa.gov/about/strategic_plan/
Coincidentally that returned "Internal Server Error...unable to complete your request."
HAH!
-
Re:Open source spying program?
Well at least something good came out of the NSA then...
Yes, some open-source software did come from the NSA.
However, as others have noted, this is a different meaning of "open source".
-
Re:Sound
Except it turned out not to be the case when the Soviets were bugging the U.S. Embassy's typewriters. CBS News had learned about the original typewriter bugging from a leaker, and in their reporting sought out an expert to explain how the bugs worked. The expert guessed that it was an audio bug. But this technique was refuted in the NSA paper "Learning from the Enemy", on page 18:
"In an article entitled "Tapping the Keys," a bugging expert offered the following explanation of the Soviet bug:
The Soviets must have taken advantage of the way the Selectric types. A metal ball covered with characters spins so that the appropriate character strikes the paper and then spins back to its starting point. The time it takes to accomplish the rotation to each letter is different. A lowtech listening device planted in the room could transmit the sounds of a typing Selectric to a computer. The computer could then easily measure the time intervals between each key stroke and the character being put on the paper, and thus determine which character had been tapped.
[ ], an engineer in the COMSEC organization, who was involved in reverse engineering the GUNMAN bug, explained that the press had a good idea, but it was inaccurate: "IBM Selectric typewriters used a spinning ball to get the right character on the paper. The bug was not based on sound or timing." [ ] further elaborated: "The Soviets were very good with metal. Housing the bug in a metal bar was ingenious. The bar was difficult to open and it really concealed the bug from inspection." [ ], an engineer from R9 who also worked on this project, agreed:
To the naked eye, the bar looked like a single unit. You could not see that it could be opened. The use of low power and short transmission bursts also made it difficult to detect this bug. The bug contained integrated circuits that were very advanced for that time period. The implant was really very sophisticated."
Elsewhere in the paper, the NSA explains the bug was hidden in a metal bar, and magnetically detected the ball moving mechanism.
-
Re:For a field that is compartmentalized...
If you are so sure of that then what is this? http://www.nsa.gov/research/selinux/
Pretty darned good PR, and cheap at the price. A few NSA sharpies come up with something like that and get it out to their alternates in the community, and it makes the whole of the NSA look like they're all super elite security wizards, and they can all go back to playing Angry Birds; pats on backs all around, bonuses for the sharpies. Smoke & mirrors.
-
Re:For a field that is compartmentalized...
If you are so sure of that then what is this? http://www.nsa.gov/research/selinux/
Something the DoD doesn't use.
:/
-
Re:Open source?
I wonder how many of the software technologies that these agencies are using, have their roots in open source? Hadoop? Hbase? Hive? Mahout? It would be nice to see them publishing their developments back to the Open Source communities.
-
WWV and NSA crypto
We had several KWR-37 devices that needed time sync to under one second worldwide with the transmitting station when changing daily key cards. WWW()x was great until you were somewhere past SE Asia, then we used the Russian time sync RWM to lock devices.
http://en.wikipedia.org/wiki/RWM
http://en.wikipedia.org/wiki/KW-37
http://www.nsa.gov/public_info/_files/uss_pueblo/Section_V_Cryptographic_Damage_Assessment.pdf
-
Re:Yep
Let me add a few datapoints here, as a reminder...
1) The AES competition was launched in part because DES and 3DES were cracked by EFF using FPGA-based brute-force decryption machine. Source :
https://en.wikipedia.org/wiki/EFF_DES_cracker
https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_des_faq.html
As a reminder, DES was THE standard crypto algorithm, vetted and approved by NSA. It could be cracked by EFF only because of Moore's Law and some serious budget and effort.
2) Public-key cryptography was invented separately at GCHQ (UK NSA) and NSA itself, several years *before* Diffie-Hellman. Source:
https://en.wikipedia.org/wiki/Public-key_cryptography#History
So, yes, these people (NSA/GCHQ) are very good at what they do. They have had at least 10 years of head-start, since cryptography was considered for many years just a branch of mathematics in academic circles. These guys work on nothing but crypto and digital/analog communications, year in, year out. Do not underestimate them.
3) One of the first electronic computers, was delivered to the NSA in the 1950s. NSA later suggested improvements to the company that built it. The first Cray supercomputers were delivered straight to NSA. Again, that was in the 1950s, when most computer companies (IBM comes to mind) were still struggling to define what a computer was good for. Source:
http://www.nsa.gov/public_info/_files/cryptologic_quarterly/digitalcomputer_industry.pdf
http://www.physics.csbsju.edu/370/mathematica/m1_eniac.pdf
4) The NSA and GCHQ have a long history of backdoors. They love these things, as they make their life so much easier. Read on Venona, Enigma, Ivy Bells: all of these were made possible by intercepting/copying one-time pads, selling "unbreakable" German encryption machines and tapping undersea Russian cables. And I am willing to bet these are just a small fraction of what these people have done over the years. Source:
https://en.wikipedia.org/wiki/Venona_project
https://en.wikipedia.org/wiki/Enigma_machine
https://en.wikipedia.org/wiki/Operation_Ivy_Bells
Again, this is just a small fraction of what NSA and GCHQ have done over the years. So, yes, suspecting backdoors in open-source software is... shall we say... only natural.
If I was paid to be a professional paranoid, I would be taking a very long hard look at my computers and telecom equipment right now.
-
The site got suspended...
The only link on the NSA's site that mentions it was this one:
http://www.nsa.gov/public_info/_files/crypto_almanac_50th/NSA_Before_Super_Computers.pdf
But it's not the actual pdf... And no trace of the pdf on torrent sites. Can anyone seed it and post a link?
-
Re:big effing news
It's not that they aren't a spy agency, but that covert spying is the domain of the CIA. http://www.nsa.gov/public_info/_files/cryptologic_spectrum/early_history_nsa.pdf
-
Re:I'm sure it's effective
The actual NSA home page is www.nsa.gov
-
Re:read carefully
doesn't mean that there aren't other mechanisms in place to collect a lot more data without specific requests. For example, the NSA could be collecting data where Facebook's servers connect to the Internet.
Apparently SSL encryption at all of the large internet corps is handled by dedicated front-ends - and the network between the SSL front-ends and the real guts of entities like facebook, google, etc are all in the clear. That makes for a perfect location for the NSA to drop their sniffers in, no need to compromise any SSL certs at all, no forward secrecy, etc, just wide open traffic perfect for raw harvesting.
And, of course, you have to assume that the Utah data center is going to be used to store something, and it ain't gonna be data obtained from just 20000 Facebook-related requests, because those would fit on my hard drive.
I think that bears repeating - the NSA ain't building data silos (there are others, like one in san antonio, texas) that consume as much electricity as a small city for nothing. They are collecting literally tons of data on us, its gotta be coming from somewhere.
-
Re:Washington Post: "self made computer wizard"
Home in Hawaii.
He knew better than to buy the home, too. He was renting it and moved out a month ago. If he had bought it, the Feds would have seized it. The NSA opened a new operations center in Hawaii last year (it even has an optical data pipe disguised as a rainbow) and is probably looking for local land to store all the bits they've collected so far.
-
The DOJ
The DOJ, which illegally seizes domains from foreign holders? The DOJ which orchestrates illegal raids in New Zealand? The DOJ which is the bully of the Content Mafia?
It seems that these are not really the most technical-minded people, and you expect them to advise on Computer Security?
I'd rather follow the NSA Guidelines http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
-
Re:How about a link to the downloadable book?
Stop moaning...
Here you go.
http://www.nsa.gov/public_info/_files/Untangling_the_Web.pdf
40MB but downloads pretty fast.
Don't expect miracles - a quick peek shows a crappy-quality B&W PDF, (despite the file size). A pretty epub it's not.
-
Link to PDF
Untangling the Web: A Guide to Internet Research.
If you click it the NSA will execute a reverse ninja hack on your computer. For real.
-
Re:Full Retard Mode Activate!
you basically can't buy a computer without having at least some of its parts sourced, assembled, or otherwise passing through China
For really top secret stuff, you can, they should, and they do. It goes as far as getting the NSA its own chip fabrication facility at Ft. Meade. Do you want to work there?
-
Good enough for Government...
Check out the "Security Technical Implementation Guides" (STIGs) put out by DISA at:
http://iase.disa.mil/stigs/
and the "Security Configuration Guides" put out by the NSA at:
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtml
While following them fully is probably overkill for you, they have a lot of good information on hardening systems and applications.