Security News

New lawsuit is broadest challenge yet to NSA spying

Marijuana users, gun owners, civil rights groups unite—helped by Snowden leaks.    

Man organizes satirical NSA walk, authorities come to his front door

"If we’re lucky, we might even be able to see a real NSA spy," event page says.    

Yahoo "wins" public disclosure on FISA files

Yahoo has won a Foreign Intelligence Surveillance Act (FISA) court order that could force the public disclosure of the company's attempts to distance itself from the NSA's Prism program.

The Daily Dot found the court ruling, signed off by Reggie B. Walton, FISA, which reads: "The Government shall conduct a declassification review of this Court's Memorandum Opinion of [Yahoo's case] and the legal briefs submitted by the parties to this Court".

It's not a total victory.

The court has ruled that the DoJ can estimate how long it will take to declassify the documents - and will still be able to redact what it considers classified information.

The document reads: "The Government shall report to the Court by July 29, 2013, with estimated dates by which it will be able to complete its review of the two categories of documents identified above. Priority should be given to the review of this Court's Memorandum Opinion".

Yahoo has previously said it hopes releasing the documents will inform the public of the nature of the conversations. In a statement, the company said it was "pleased" with the decision, and that once the documents are public, it believes "they will contribute constructively to the ongoing public discussion around online privacy".

The Electronic Frontier Foundation has pointed out Yahoo did begin a legal fight against FISA of its own volition, and that other companies may have acted in a similar way - the information is just not public yet. It awarded Yahoo a "gold star" for its efforts.

Since the Prism revelations, American companies have been rushing to stem the PR disaster by insisting they did not directly collaborate with the NSA and that they had been forced to act within the law.

For its part, Yahoo disclosed that it had received up to 13,000 requests from US authorities between 1 December 2012 and 31 May, 2013.

Critics argue that the companies themselves were culpable in the extent of their collaboration. Edward Snowden, who is on the run from the Obama administration for the leaks, claimed Microsoft provided direct access to Outlook.com and SkyDrive to the NSA.

In a statement, Microsoft said: "Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product.

"Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely.

"That’s why we’ve argued for additional transparency that would help everyone understand and debate these important issues".

Although these companies may have been bound by the law, people are questioning the enthusiasm with which they participated, if at all, and the extent to which they were forced to comply.

Microsoft Responds to Growing NSA Spying Scandal

The software and cloud services giant joins Facebook and Google in confronting allegations that PRISM enjoyed deep access to user data, including encrypted communications in Microsoft's case.

U.S. intelligence agencies had methods of circumventing the security and encryption safeguards placed on popular cloud services from Microsoft, including SkyDrive, Skype and Outlook.com (formerly Hotmail), alleged a July 11 report from The Guardian. Microsoft played a key role in facilitating access to user data by cooperating with the U.S. National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), according to the report.

Since NSA contractor Edward Snowden first sparked the PRISM spying controversy, major technology firms including Apple, Google and Facebook have been battling allegations that the U.S. government enjoyed direct access to the servers in their cloud data centers and the user data contained within.

In a brief July 11 statement, Microsoft addressed the latest accusations and reiterated the company's stance on government requests for data. Microsoft asserts that the company provides customer data only in response to legal processes and that its compliance team thoroughly examines each demand, rejecting those that aren't valid. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate," the company stated. "To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product," according to Microsoft.

The company also stated that the law prevents it from discussing matters that may clarify the situation. "Finally when we upgrade or update products, legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely," read the statement.

Microsoft filed a motion on June 19 with the U.S. Foreign Intelligence Surveillance Court seeking "to report aggregate information about FISA orders and FAA [FISA Amendments Act] directives," claiming a First Amendment right to disclose such information.

Microsoft's response mirrors those of other tech titans that stand accused of allowing the government to enjoy what amounts to unrestricted access to user data. Facebook CEO Mark Zuckerberg took to his company's own social media platform to shed some light on "outrageous press reports about PRISM." In a June 7 Facebook post, Zuckerberg wrote that his company "is not and has never been part of any program" to give government direct access to its servers. "We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received," said Zuckerberg.

Likewise, Google's top brass sounded off against reports that Google had an open door policy when it came to U.S. intelligence gathering. Google CEO Larry Page and Chief Legal Officer David Drummond stated in a June 7 blog post titled "What the ...?" that the company had "not joined any program that would give the U.S. government—or any other government—direct access to our servers." They added, "Indeed, the U.S. government does not have direct access or a 'back door' to the information stored in our data centers." Reports suggesting that Google "is providing open-ended access to our users’ data are false, period."

Remember Jay-Z’s terrible Android app? Privacy group wants feds to investigate

Even Hova himself said of the privacy problems: "sux must do better."    

The only Utah ISP (and one of the few nationwide) standing...

Giving metadata or traffic monitoring not "necessary to protect the safety of Americans."    

Why you shouldn’t worry that the NSA is inside Android’s code

It's not difficult to jump to conclusions when you hear NSA, refining code, and Android in a single sentence, but that's exactly what a lot of people are doing. I'm referring to the "revelation" that Google has accepted code from the US National Security Agency (NSA), and included it in Android. Certainly, with PRISM hitting the headlines, it's a great time to get stuck into the NSA, but honestly, when that three-letter organisation starts meddling with something, it's not always for a bad reason. And it would be an especially dumb move for the nation's code breakers when it is pointed out that Android is an open-source project where anyone can review anyone else's code (at least, code that's contributed by developers like the NSA). The NSA would be a laughing stock to place any back door in such plain sight.

The NSA's own code falls under its contributions to the Security Enhancements for Android project, which it describes as one that helps to "identify and address critical gaps in the security of Android". If it at all sounds familiar, it's because the NSA has already done the same sort of thing with Linux in the form of Security-Enhanced Linux (SELinux). In fact, the NSA was one of the first developers for SELinux, and its changes have already been integrated into the Linux kernel for almost a decade. To those people who seem worried that NSA-written code might make its way into Android devices the world over: Don't worry, it's already been all over your Linux distributions for years.

And speaking of years, let's go back farther. To 1975, in fact, to demonstrate that the spooks haven't always been trying to probe us. That was about the time that the Data Encryption Standard (DES), developed by IBM, was published.

The NSA's code-breaking sleuths had an interesting take on it once they got their hands on it. They wanted to reduce the proposed key length from 64 bits to 48 bits — because, hey, why not if you're the biggest code-breaking organisation in the US? — but they also made some unexplainable-at-the-time changes to the substitution boxes.

These S-Boxes were just one part of the DES algorithm, and no one could immediately see why the NSA's changes would make much difference. Conspiracy theorists of course came forth with claims that perhaps the NSA was weakening the encryption standard. But after time, the opposite was found to be true when an IBM researcher revealed in 1994 that the NSA's changes had actually strengthened the algorithm against differential cryptanalysis — a technique of observing how subtle changes to an algorithm's input change the output, and, from this, determining what the key material might be.

And before it was eventually broken, as all encryption is once computers get fast enough, DES was like Linux and Android. It was everywhere. As the go-to standard for encryption, it was used in military networks, government installations, and anything that fell in between from the '80s to the early '90s that needed some form of protection. Evidence eventually pointed to the NSA doing the right thing, despite a decade of naysayers thinking the opposite.

I wouldn't worry about the NSA getting all up in Android, especially when it's open source and there's the potential for severe embarrassment if it decides to pull a quick one. Go ahead and wonder whether it's intercepting our data ethically and legally, sure; but on these sorts of projects, it's a good idea to have some code breakers on your side.

Virus removal squad: Ars readers talk security measures

Ars talks about the wholesale destruction of EDA computers, super-secure passwords.    

Estonia publishes its e-voting source code on GitHub

System architect says he welcomes "development and security of the e-elections."    

Prenda’s John Steele in LA: Two wrongs don’t make a Wright...

At last, John Steele speaks, describing a "pattern of fraud." Not his, though.    

Artist investigated after shining Kim Dotcom “light art” on US Embassy

"United Stasi of America" image shone onto walls of US Embassy for 30 seconds.    

Snowden holds court in Moscow airport, asks for safe passage

He had vast spying abilities: "That is the power to change people's fates."