We know that NSA is hurting tech companies – that’s a good thing

Snowden leaked his documents a year ago. We’ve been getting a slow trickle ever since. However, some of these documents are getting date and surely the NSA is doing more stuff than they had in the past. That being said, they are continually being surprised by a new document that’s released or another. They clearly haven’t fully figured out the full list of documents that Snowden managed to take. Furthermore, they haven’t learned anything by not changing the techniques that they currently use. The NSA should have systematically shut down every program that could have been possibly leaked and moved onto something different. They haven’t, which means that they don’t really feel they need to change anything unless we force them to acknowledge that they’re doing something Americans (and the rest of the world) don’t want.

Today the guy that founded Netscape (a Silicon Valley Venture Capitalist) thinks that the fact the Edward Snowden released these documents hurt US technology companies. He thinks that because we now know that the US government does bad things with OUR tech company’s technology before it reaches a customer is hurting our companies. He blames Snowden. This is the most assinine thing I’ve ever heard. Marc Anderssen should be pissed off at the US government and praising Snowden because NOW US tech companies can DO something about it.

This is what a good manager or leader does. They support and acknowledge the fact that a person raise the attention of a problem, used them to address the root cause of the problem, and move on to the next problem. This is what Lean process improvement is all about. You NEVER shoot the messenger, you shoot the root cause of the problem eliminate it and make sure it never comes back. Saying that Snowden is a traitor because he highlighted the fact that the US government is taking good companies work (Cisco) and add malware is counter productive. We need to know when anyone government or otherwise is intentionally trying to break the internet. I do not believe that Mr. Netscape believes that the person who leaked the TransPacific Partnership is a traitor – when they essentially highlighted a similar problem.

I also believe, that labeling Snowden a traitor implicitly removes any blame from those companies that are being harmed by the US government. In many cases those companies have bee fully complicit with not just the US government, but “rogue” states (Iran, China, and other oppressive regimes) as well as companies (like Comcast, TWC, etc..) through enabling deep packet inspection (which allows anyone to snoop at anything you do. All of these have to have been enabled by a US technology company. These companies found a benefit to their benefit by doing this.

Now other companies, like Google, WordPress, and others are trying to get around both of these by encrypting their data. I actually suggested this as a tool to get around data caps or fast/slow lanes (if all data is encrypted you can’t slow or speed up traffic). This will inherently force a more net neutral internet (baffling deep packet inspection) and defeating much of the tools of the NSA.

All of these are good things. We know this because of Snowden. We know that tech companies need to address problems that the NSA and other government agencies have caused. This is a cause for celebration not condemnation. We need more people like him so that the internet can continue to thrive and be an economic driver. Don’t blame the messenger, if the US government is hurting US tech companies, we need to know so we can stop that from happening.

NSA Bulk Metadata ruled likely unconstitutional

Today was a pretty big day for privacy fans. The NSA’s bulk collection of metadata has been ruled likely unconstitutional. Why is this a big deal? It’s “Just” metadata. Well, as the CBS 60 Minutes report showed the NSA is able to convert that information into a network. Networks show everyone that you talked with and despite assurances otherwise that phone numbers weren’t used, it’s fairly easy to unmask a person in a network based on the network characteristics. I wrote a blog post about this a while back that talked about a paper showing the power of metadata. I think it’s important to reiterate here what that is.

In the article, titled Using Metadata to find Paul Revere, the author explains by using who talks who it is possible to construct a large network and that it was likely to determine the major players of the US revolutionary war. Just using club membership, it wasn’t even what they talked about, just what groups they were members of and how they were all associated. Based on the metadata Paul Revere is a pretty central figure and knows a lot of the other leaders of the revolution.

The NSA would take this view and say, “See it could have caught those terrorists back before the revolution!” However, the judge in this case says that the government did not do a sufficient job showing that this actually worked. It is, in fact, likely that the British had some of this membership information but wasn’t able to put it to good use. In this case, the judge ruled that the collection of Bulk metadata is a violation of the 4th amendment.

What can we expect next? Well, the ACLU has a very similar case that is being heard. If the judge rules differently the Supreme Court may need to weigh in to deal with the problem once and for all. Which depending on how these cases are dealt with could be a good or bad thing.

It is unclear at this point how this will change the conversation in DC, it will likely just lead to more denials from the NSA and White House. They will argue it’s still legal and that they will appeal to the highest court that they can. If they lose this case, it will likely lead to a lot of other questions being asked and possibly calls for impeachment and resignations. I would not be surprised if some of the more extreme on the right call for Obama’s arrest as well.

The other piece that is of interest to me is the question about the companies that have been complicit with sharing of our metadata. Are they going to be in the clear or not? In the case of AT&T there was a law that protected them retroactively. I am interested to know if that will also be ruled unconstitutional as it enabled the government to break the law farther than it could have before.

In general this is something really good, but I believe it opens many more questions than it answers about the long term repercussions of this program. I will continue to blog about this topic!

Goofy Stock photos might not be so silly any more

Silly Stock photo

@NFEN and @Cheddarchezz having a conversation about “hacking”

I just saw a few people that I follow tweeting about trying to take over Youtube. There’s a Meme on Youtube right now that’s been going on for a while as a form of protest over some of the recent changes to the comment policy, copyright policy, integration with Google+ and probably a litany of other issues. To the gaming community Youtube is a dying platform.

What struck me about the conversation wasn’t really what they were talking about, but the stupid stock photos that are supposed to represent “hackers’ breaking into a network. For some absurd reason stock photography companies almost always put them in the same outfit they’d be wearing if they were breaking into a house, mugging someone, or doing some other nefarious activity. Clearly it’s just a ploy to help people understand that the person using the computer is up to no good, but it just looks ridiculous as almost no one wears any of those clothes while using the computer. So instead of making it look like a criminal it just make it look like an idiot. However, I think that with some recent revelations about the FBI and the hacking process called “RAT” these imagines are looking less absurd. Not that I’ll go out and buy clothes like this to work at my computer on.

One of the more recent Edward Snowden revelations has to do with breaking into personal computers by the US government. This isn’t really shocking, nor is what they do when they are on the computer. The FBI has admitted that they have the capabilities to hack into your computer and activate your webcam without turning on the indicator light. These capabilities aren’t new. In fact Ars Technica did a report on this in the kiddie hacker community called RAT. I imagine that some of the tools that my friends used to use while we were in highschool to remotely open a CD drive or type messages to each other operates in a similar fashion.

So, if you are hacking a computer does it make sense to take precautions against showing your face? It might or as the Ars article suggest, just cover up the camera.The difference is that you don’t know if you’re under surveillance or not. It’s also not clear if the FBI only means laptop webcams or if they are able to do the same to a smart phone or tablet. As the ACLU mentions in one article “we’ve never had discussion” about law enforcement hacking into computers. This is part of the reason there was a petition for We the People to update our privacy laws. Regular mail and packages are protected by the fourth amendment while email is not. Using a web cam with or without a web cam constitutes a much larger breach of privacy than just taking pictures through the camera. It’s likely that with access to the webcam the entire computer is open to the FBI, which means that a warrant for a web cam is a warrant for everything you do. If you have services that you’re always logged into like Drop Box or Tresorit those are also accessible through the computer you’re cam is being used on.

We need to have a conversation about the limits of searching and privacy. I don’t want to sit around in a ski mask or cover up my webcam. Users likely need to install firewalls, more passwords, and disconnect from services they aren’t actively using.

The NSA, FBI, and Internet Security

Over the past few months we’ve learned a lot about how the US government looks at its own citizens. We’ve learned this through the actions of Edward Snowden. He’s done us a great service by forcing a conversation that the NSA and FBI didn’t want us to have. The NSA lied to the Senate recently by claiming that it never tracked US citizens through Cell Phones. We would never have known about these activities if it wasn’t for Snowden.

Snowden was using email to send information back and forth between himself and Glenn Greenwald. Since email is in one of those fuzzy gray areas of the law around data retention and government access to it this has caused a bit of a problem. It make things more difficult Snowden used an encrypted email service called Lavabit. It’s encryption was at such a level that when the FBI requested data from it, they were confounded and essentially attempted to blackmail (legally of course) the owner into handing over the encryption key. This would have effectively rendered the service these people were paying for worthless. They were paying to have their email traffic be secured from both public and private entities.

As we hear and more about how the US government has been behaving towards internet security, the more we’re learning that the NSA and other US agencies are doing their best to thwart it. They have worked with the NIST and weakened the encryption key they developed. The problem with these backdoors is that if it’s there for the “good guys” (whoever that might be) it’s also there for the “bad guys” (whoever that might be). This isn’t just general encryption keys, it’s things that we use every day without using it. Whenever we are using any website that includes “https” we are using a basic encryption protocol called SSL. Think about when you’re banking, you see the https. Google now allows you to use this when you send information to and from them. This encryption has also been broken by the NSA. This is our personal stuff and if it’s broken by the NSA it can be broken by other people. Now does this mean we’re likely to have a rash of new fraud cases or theft cases? No, as it’s been compromised for some time. However, people do know about it now and this of course is a greater cause for concern.

What can we do about this? Well, first, look into more secure encryption methods. I wouldn’t be surprised if Google and applications like HTTPS everywhere will change their algorithm in result. Second, contact your representative and your senator. I’m lucky my senator in Oregon is very vocal (Ron Wyden) not everyone is so please help inform your leaders. Third, buy from companies that you know haven’t given up data to the NSA, don’t use Facebook and the like and basically try to follow the great writing that Sean did several months ago over on KBMOD. He nailed it then and it’s even more pressing than before to keep up with security.