You may have heard that Juniper Networks announced what amounts to a backdoor in its virtual private network products. Here's Kim Zetter's accessible intro to what security researchers have learned. And here's some technical background from Matthew Green.
As Zetter summarizes, the short story is that someone used weaknesses encouraged by the NSA to backdoor the security product protecting many American businesses.
They did this by exploiting weaknesses the NSA allegedly placed in a government-approved encryption algorithm known as Dual_EC, a pseudo-random number generator that Juniper uses to encrypt traffic passing through the VPN in its NetScreen firewalls. But in addition to these inherent weaknesses, the attackers also relied on a mistake Juniper apparently made in configuring the VPN encryption scheme in its NetScreen devices, according to Weinmann and other cryptographers who examined the issue. This made it possible for the culprits to pull off their attack.
As Green describes, the key events probably happened as early as 2007 and 2012 (contrary to the presumption of surveillance hawk Stewart Baker, who is looking to scapegoat those calling for more security). This means this can't be a response to the Snowden document, which strongly suggests the NSA had pushed those weaknesses in Dual_EC.
I find that particularly interesting, because it suggests whoever did this either used public discussions about the weakness of Dual_EC, dating to 2007, to identify and exploit this weakness, or figured out what (it is presumed) the NSA was up to. That suggests two likely culprits for what has been assumed to be a state actor behind this: Israel (because it knows so much about NSA from having partnered on things like StuxNet) or Russia (which was getting records on the FiveEyes' SIGINT activities from its Canadian spy, Jeffrey Delisle). The UK would be another obvious guess, except an Intercept article describing how NSA helped UK backdoor Juniper suggests they used another method.
This leads me back to an interesting change I noted between CISA -- the bill passed by the Senate back in October -- and OmniCISA -- the version passed last week as part of the omnibus funding bill. OmniCISA still required the Intelligence Community to provide a report on the most dangerous hacking threats, especially state actors, to the Intelligence Committees. However, it eliminated a report for the Foreign Relations Committees on the same topic. I joked at the time that that was probably to protect Israel, because no one wants to admit that Israel spies and has greater ability to do so by hacking than other nation-states, especially because it surely learns our methods by partnering with us to hack Iran.
Whoever hacked Juniper, the whole incident offers a remarkable lesson in the dangers of backdoors. Even as the FBI demands a backdoor into Apple's products, it is investigating who used a prior US-sponsored backdoor to do their own spying.
Congress just passed an enormous omnibus-spending bill to keep the government running -- but what's in this bill besides funding for various agencies?
Here's the low-down on the good, the bad and the ugly parts of the bill:
Really Good: No Net Neutrality Sneak Attacks
After fighting last summer to keep out budget riders that would have undermined the FCC's open Internet rules, we knew we couldn't allow this dangerous language to make a comeback in the omnibus bill. Thousands of Net Neutrality supporters picked up the phone and urged Congress to leave these vital open Internet rules alone. Your voices made a difference: None of the riders made it into the spending bill.
Good: Financial Services Agencies and Privacy for Our Emails
Both the Securities and Exchange Commission and the Federal Trade Commission believe they should be able to read our emails and other online messages without a warrant, thanks to a loophole in the Electronic Communications Privacy Act (ECPA). Thanks to Rep. Kevin Yoder (R-Kansas) and others, the spending bill requires these financial agencies to behave in accordance with the Fourth Amendment when it comes to our online communications. The language applies only to financial services agencies, and it's no substitute for a comprehensive ECPA fix, but we believe it's an important first step.
Really Bad: Cyber Surveillance Bill Made Law
CISA is back. A quick refresher: A number of bills brought up last year encourage companies to monitor and share our personal data with the government, in theory to detect hacking threats. In return, these companies get legal immunity from existing privacy laws. Varying versions of this so-called "cybersecurity" legislation passed both the House and Senate, but instead of letting the chambers settle their differences leadership decided to do an end run around the process by attaching it to the budget bill. This newly passed version is even worse than all of the previous ones, and that means more invasive government surveillance and a dangerous blow to privacy safeguards.
Bad: Civil Liberties Oversight Board Gutted
Congress also worked in a provision that would prevent the Privacy and Civil Liberties Oversight Board (PCLOB) from gaining access to any information about government covert-action programs. The PCLOB is an independent agency designed to protect Americans' privacy and civil liberties by conducting oversight of counterterrorism programs. The language in the budget bill could allow surveillance programs to evade oversight if agencies claim they're connected to broadly defined "covert-action programs." Congress should be working to improve surveillance oversight, not remove it.
Bad: Waivers for Big Media Consolidation
The budget bill also includes a waiver allowing broadcasting conglomerates to hold on to Joint Sales Agreements (JSAs) that allow them to evade the FCC's media ownership limits. Sharing agreements like JSAs allow a single media giant to maintain control of multiple local TV stations while claiming that independent owners are in charge. JSAs and other similar schemes force out local ownership, damage media diversity, homogenize newsrooms and hurt journalists and communities of color, yet Congress decided to bail out broadcasters via the omnibus bill.
Update:
Following publication, Sari Feldman, president of the American Library Association, told Common Dreams that librarians are "proud to stand with groups from every part of the political spectrum to expose and oppose the latest legislative attempt to advance a new mass surveillance law."
"Shoehorning a new version of 'CISA' hostile to personal privacy into a massive omnibus spending bill is troubling as a matter of substance and process," Feldman added, saying the group calls on Congress "to reject this latest assault on privacy and democracy."
Earlier:
Digital rights groups are sounding the alarm after sources reportedly confirmed on Monday that the controversial cyber-surveillance bill formerly known as CISA has been slipped into the "must-pass" omnibus spending bill that Congress is expected to vote on later this week.
Fight for the Future, a leading digital rights group that has organized fierce grassroots resistance to CISA (otherwise known as Cybersecurity Information Sharing Act) and similar bills, issued a statement saying that all eyes will be on President Barack Obama should the legislation reach his desk.
"Now is when we'll find out whether President Obama really cares about the Internet and freedom of speech, or whether he's happy to roll over and allow technologically illiterate members of Congress break the Internet in the name of cybersecurity," said the group's campaign director, Evan Greer.
Negotiators have been working to pass some version of the CISA bill, which would allow the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies, for more than three years.
After the Senate passed its Intelligence Committee-originated version in October, lawmakers have been trying to meld that bill with two similar versions that recently passed in the House--amounting to a bill which critics warn is completely gutted of any privacy protections.
Now, citing "media reports and sources close to legislative negotiations," privacy advocates say that the legislation has been tacked on to the budget bill. According to The Hill, "Most observers believe the tactic gives the cyber bill its best shot of getting through Congress in 2015, as only a handful of legislative days remain before the upcoming recess."
Fight for the Future on Monday launched a petition campaign calling on the president to reject the bill, which it warns would allow "unlimited surveillance," thus destroying online privacy, make users more vulnerable to hackers, and eliminate any incentive that private technology companies might have to improve cyber security.
"This administration promised to veto any information sharing bill that did not adequately protect Internet users' privacy, and the final version of this bill doesn't even come close," Greer continued.