snowden-manning-heros

Snowden-Manning Heros?

DISCLAIMER: I have no first hand knowledge of the NSA PRISM program.  This is just my personal opinion of Edward Swowden’s release of classified information and the impacts.

What is PRISM:

PRISM is the code name for the data collection program which was born out of the Protect America Act.

Recently Mr. Edward Snowden released classified information to the international media and fled the U.S.  He was working on the PRISM program and felt that the right thing to do was to tell U.S. citizens about their loss of privacy.

 snowden-manning-heros

snowden-manning-heros

SHH!! Don’t tell anybody this.. but privacy has BEEN gone if you are on Facebook, Google or any other social network.  These organization are storing our private data.  But what do these organizations do with that data?

  • Do they try to protect your data?
  • Do they sometime release it to third parties?
  • Can certain data you store on their system be used against you in a court of law?
  • All of the Above 🙂

Encrypt your data.  That is the only real way to have privacy to a trusted party.   Don’t use FB or Google for stuff you want hidden.

The Need for Some Sort of PRISM:

Spies get a very very bad rap lately.  Analysts are unsung heros.   It that world nothing is what it seems.  The media presents one side of everything.  You have to dig and cross reference to get facts.  Intelligence provides a proactive answer to security.  I am speaking from the perspective of someone who has done security defensively.  There is a need for gathering data within the U.S. infrastructure.  Once data is gathered, it can be correlated to detect patterns of potential threats.

So I think we MUST have something like PRISM (especially in the US) due to the exposure of our assets and the subsequent likelihood of attack. We have a high risk.  And the greatest risk is from INSIDERS (ironically enough PRISM cannot protect itself).

There are three main issues with the programs current setup:

1.  Lack of Oversight & Transparency: There seems to be very little transparency and  oversight that represents US citizens regarding privacy and controlling how far the government can go.  US Senators are led away from what is really going on.

2.  Total Information Awareness:  This system may be too DAMN powerful as far as what it is capable of.  In fact, it seems to be like using GOD Mode 24/7 to gather information.  Snowden mentioned that it can track ANY email.. is this on a whim?  does there need to be some sort of probable cause or “reason to believe” or is this left to the discretion of the guy with his finger on the button.. this leads to the next issue..

3. The Patriot Act II + Protect America Act =  Its too DAMN politically powerful.  This program has the legal backing to do anything with NO checks and balances.

Is SNOWDEN A HERO?

Would I call Snowden/Manning heros/martyrs?  I would not group Snowden with Manning.  The information that Snowden released (so far) is showing a the capability of NSA spying (something that was done by whistle blower William Binney in 2002).  PVT First Class Bradley Manning leaked a lot of war material that risked a lot of people’s lives:

videos of the July 12, 2007 Baghdad airstrike and the 2009 Granai airstrike in Afghanistan; 250,000 United States diplomatic cables; and 500,000 army reports that came to be known as the Iraq War logs and Afghan War logs. It was the largest set of restricted documents ever leaked to the public. — http://en.wikipedia.org/wiki/Bradley_Manning

The problem with this is that it actually endangered the lives of informants, and some people that were on the ground in Afghan/Iraq.  Manning fucked up big time.  Snowden is a hacktivist who will have to spend sometime in prison or in Iceland evading the US government unless the American public rallies to sway the politicians.

Whistleblower Protection:

My hope is that there is due care taken on this issue.  Because there is a real concern regarding the Constitution, Privacy and uncheck powers of the government.  If not, perhaps the next administration will take up the call of the people.  SarbanesOxley Act of 2002 has a Whistleblower Protection Act that would be helpful if such a law could apply to Snowden.  I am not so sure about that.

Transparency & Accountability

I know their needs to be transparency and accountability. But I think its naive to think that we should release all information on all classified data to the world as the Wikileaks crowd believes.  

Why?

Organizations & States have an obligation to maintain Confidentiality of critical data.

That means databases with witness protection programs must be kept Confidential, bank transactions must be protected..

Nations have some serious enemies (ESPECIALLY the US).  The US governments duty is to protect its people from those enemies (foreign or domestic).

Consider this:  Certain information on the physical/logical locations of weapons systems, pattens on lethal biochemicals, information on the capabilities of a nation are very effective tools in the hands of really bad people.

Its naive to think that opening up all classified data is going to set the world free.  I wish humanity was in a kinder, gentler situation.. but the reality is some crazy people want to kill as many people as possible.

Yes!  I agree that governments with unrestricted power can be MUCH more dangerous.  Some transparency with check and balances are necessary.

 

WAR OF INFORMATION

The post modern war conflict is a fight over ideology. Its less about my nation versus your nation and more and more about belief systems.  

RIGHT NOW there is someone with the intent to kill as many people as possible.  With the capability and opportunity they would strike.  There IS an enemy and they are anywhere and everywhere.  You can no longer point at a map and say “All these people are my enemy.”

Now there is an enemy willing to kill you over what you believe, what you represent and what they think you are.  And more than likely, THEY are living in your city.   Who are “THEY”?

Figuring out who THEY are.. is where data mining and correlation comes in.

The threat-source can be from ANY country, race, creed, or religious faction. They are more and more likely to have a citizenship in your country for the sake of having free reign to make the most damage on the most people that represent what they seek to destroy.

Its sounds crazy until a bomb goes off in the middle of a Boston Marathon with the attackers on their way to Time Square.  Luckily, there was surveillance to help deter further killings.

How do we fight against these threats?
Threats can be detected via patterns within information.

Solution:  The government should allow the program manager of the system to explain why its necessary, provide proof of its usefulness.  Limit the use and extent of PRISMs power.

I hope the president will listen to the Internet community on this.  I hope that some political party will hear the cries of thousands of potential constituents then take an intelligent look at the public’s concerns.  Realistically, the American public voted on the reps that backed the laws that created this system.  They accepted it by proxy.  But the shock is from the alleged reach of this program.  Its too bad it took Snowden is risking years away from home and possibly prison for the US to wake up and start talking about something that was leaked years ago.

Jeff Moss + DHS = Super Security

“Godfather of Hackers” Jeff Moss, founder of the Black Hat and Defcon hacker and security conferences, was sworn in as one of the new members of the Department of Homeland Security’s Advisory Council (HSAC). And we think it’s a shrewd and thoughtful move. Obama seems to be getting serious about cyber security now by hiring “Dark Tangent.”

on gizmodo

Jeff Moss is not only a celebrity in the world of hacking, he is also a powerbroker. He is a respected force to be reckoned with. I am not going to say that I think he is some sort of cyber mafia boss but I will say that he could destroy just about anyone with a 100 word post on a forum. Getting “street cred” in the hacker world is something that must be truly earned usually by technical expertise proven by hundreds or even thousands of your hacker peers validated by published technical papers, famous/infamous system infiltrations, the discovery of 0-day exploits that make major corporations take notice, or some combination of these.

Jeff has his finger on the pulse of the entire spectrum of hacking.

Jeff is now going to advise the president.

Now that is good judgement.

The rise of “intelligent” CCTV

I think its great that we have better technology in security. What is disconcerting are laws like the Patriot Act and FISA bill which take right from citizens for the sake of more security. With this increased technological power in security, there needs to be more balance, but it seems the rights of citizens (particularly privacy and civil liberties) are taking a back seat to all manor of political will. All this powered by the fear of terrorism after 9/11.

I’m not saying we should not be more cautious or more aware. I’m not saying that more security is not necessary. What I am saying is that Taking away liberties is not necessary. And even if you feel it is necessary to spy on all citizens indefinitely to “catch terrorist” shouldn’t there be checks and balances on the watchers. Who will watch the watchers? How will we ensure that their powers are not abused.

New Technologies:
Smart CCTV – There are now smart security cameras with pattern recognition that allow them to alarm when some one does something suspicious such as climb a fence, or put down a bag and walk away. That technology has been developed by companies like ObjectVideo Inc. Defense Advanced Research Products Agency (DARPA) hopes to take it a step further by creating systems that can learn everyday patterns and send alarm when things are outside of their known pattern, also known as anomaly detection.

http://govtsecurity.com/mag/fighting_terror_technology/

read more | digg story

War on Zombies

Lawmakers are looking to make harsher punishments for botnet herders. Botnet laws are sure to shake things up. The Racketeer Influenced and Corrupt Organizations, or RICO, law & Internet Spyware (I-SPY) Prevention Act are examples of such laws. Once passed, these laws will be a signifigant change to federal computer law.

“Today’s botnet herders have hundreds of thousands of computers at their command and use technically sophisticated ways to hide their headquarters, making it easy for them to make millions from spam and credit card theft. They can also be used to direct floods of fake traffic at a targeted website in order to bring down a rival, extract protection money or less frequently, used to make a political point in the case of attacks on Estonia and the Church of Scientology.” — Wired

Homeland Security Secretary Michael Chertoff speaks about computer security at the RSA Conference on information security in San Francisco, Tuesday, April 8, 2008.

U.S. to Expand Domestic Use of Spy Satellites {response}

Robert Block at bobby.block@wsj.com, wrote an article at the Wall Street Journal about US Defense spy satellites being turned toward the people of the United States. Perhaps this is not really a new phenomenon. I suspect that in the past it was done without asking and without anyone knowledge. Now unchecked spying by the government is legalized. There is a trend of legalizing misconduct that is justified by what a small elite believe is the greater good. If you think I am just a paranoid conspiracy theorist do your own reading, find out for your self don’t take my word for it. Start here: http://www.themoneymasters.com/order.htm#books

If I am not mistaken abuse of government power is one of the reasons that the original 13 colonies in America rebeled against the British Empire. They were paying taxes but had NO say in what was going on in England or even on their own land: “Taxation without Representation.” The founding fathers were so serious about guarding against the unchecked power of government that they created the 2nd amendment, right to bear arms:

“A well regulated militia being necessary to the security of a free State, the right of the People to keep and bear arms, shall not be infringed”

Now we face abuse of power on an entirely different level, but abuse of power all the same.

Liberties are given away wholesale with NO regard for the Constitution. As a security person, I appreciate national security, but NOT at the expense of liberty. At the very least programs that spy on the people should have checks and balances. But there are no organizations dedicated to protecting privacy and liberties with the same level of influence as the executive branch, CIA, and NSA.

The neo-conservative view of going to war to “protect our freedoms” is only valid if there is freedoms left to protect. Make no mistake, I am no liberal who wants to create bigger government to help the poor and less fortunate. I just don’t trust the government enough to give them more power than they already have. Government should be small and managed by the people, not the other way around.

I fear that humanity has created a very efficient system whose function (regardless of what it says) is to exact total control over its heard of consumner citizens.

“Where liberty dwells, there is my country.”
–Benjamin Franklin, letter to Benjamin Vaughn, March 14, 1783

US National ID Card: Security or Citizen Tracker

Most American citizens violently oppose a National ID card.  The federal government can get around this in two ways: 

    1. Don’t call it a national ID card 
    2. Don’t put the federally controlled database in a federal building

The U.S. government is doing both of these things (as up 2007, should be complete by 2009).

According the the Department of Homeland Security’s FAQ on REAL ID it is NOT a national ID card & the feds will not create a national database:

“Is this a National ID card?

No. The proposed regulations establish common standards for States to issue licenses. The Federal Government is not issuing the licenses, is not collecting information about license holders, and is not requiring States to transmit license holder information to the Federal Government that the Government does not already have (such as a Social Security Number). Most States already routinely collect the information required by the Act and the proposed regulations.”

“Will a national database be created that stores information about every applicant?

No. The REAL ID Act and these regulations do not establish a national database of driver information. States will continue to collect and store information about applicants as they do today. The NPRM does not propose to change this practice and would not give the Federal government any greater access to this information”  

Well piss on my back and tell me its raining! The government is NOT creating a national ID card.  The only problem with the above statements issued by the DHS is that they are bullshit. 

Imagine.  ME, a security guy of all people, opposed to a National ID Card?  But I’m not the only one.

First off, what is this National ID Card REAL ID Card?

On March 1, the Department of Homeland Security (DHS) released draft regulations [PDF] for implementing REAL ID, which makes states standardize drivers licenses and create a vast national database linking all of the ID records together. Once in place, uses of the IDs and database will inevitably expand to facilitate a wide range of tracking and surveillance activities.EFF

As stated above, the National ID Card for the U.S. would be based on existing State I.D. Cards and driver’s license programs.  The main issue is linking all state databases together so that the federal government can track citizens.  

Now you may be wondering: Does this sound like something an illegal immigrant and/or criminal would not be able to falsify?  (and even if they are caught current laws for illegal immigrants are not enforced)  If illegal immigrants are not going to abide by the law, does this law really enhance the nation’s security?  

Oppose the Real ID Act of 2005 

My main reason for opposing a US national ID card is that I don’t trust the federal government with a consolidated view and control of all of our information.  I think all the information they gather will eventually fall into the wrong hands (on purpose or by negligence).  I was in the military, so the feds already have my data and the feds have lost MY {privacy act protected} information more than once.  A branch of the U.S. government lost 25.6 million account including the Social Security Numbers for Veterans more than once. They kept this information secret from the victims for 19 days.  19 days is ample time for someone to steal an identity once they have the information they need.  In one case the data was supposedly recovered and deemed by the FBI forensics as un-tampered with.  Supposedly they are not creating a seperate national database… but the linked state system WILL be the national database from which the feds will feed.  Its a play on words and I wish people would wake up screaming about this.

There seems to be a disregard for protecting the privacy and security of citizens.  The resources that would normally be used to protect us are being wasted and sent to serve other purposes.  In my oppinion security is still NOT being done because illegal immigrant laws are not being enforced despite the fact there is a “war on terrorism”.  Now if you don’t think something is seriously wrong about the protection of our borders at a time when their is a “war on terrorism” read the story of Border Patrol Agent Ignacio Ramos being jailed for shoot a drug dealer trying to enter the country. The DHS officials lied to congress about these agents (and got caught).  Drug smuggler Osbaldo Aldrete-Davila is a free man.  Meanwhile, other border patrol agents are being deployed to IraqI believe there is a reason that the law is not enforced but I leave that speculation up to you.

Privacy Clearing House has a chronological list of data breaches starting from 2005.  The more databases of large organizations (schools, federal/state, credit cards) our personal information is in, the greater the risk of ID theft and financial fraud we face.  ID theft is currently the fastest growing crime in the US and UK.  And its been the fastest growing for a long time.  I attribute this to organizations putting security last when it should be implemented from the very begining and maintained aggressively. 

So, a national card REAL ID registry databases at the federal level may only add to on-going issues of personal security of US citizens which the US government does not seem to worried about too much. 

To the credit of the U.S. federal government, the Department of Homeland Security’s Chief Privacy Officer, Hugo Teufel III, issued a Privacy Impact Assessment (PIA).  According to the document the National ID card would be difficult to falsify. 

Other issues addressed in the PIA:

The PIA addresses the key privacy issues posed by the Act: (1) Does the REAL ID Act create a national identity card or database; (2) How will personal information required by the REAL ID Act be protected in the state databases; (3) How will the personal information stored on the machine readable technology on the driver’s licenses and identification cards be protected from unauthorized collection and use; and (4) Do the requirements for a photograph and address on the credential and the DMV employee background check erode privacy.

The REAL ID method will extend the life and legitamacy of the Social Security Number as a national ID number.

The DHS PIA document is exactly right when it states:

Some of the public concern about the REAL ID stems from the history surrounding the expansive use of the SSN beyond its original purpose of recording the information necessary to provide a public pension benefit.

The original purpose of the Social Security Number was to track taxation and payments for social programs under Roosevelt’s New Deal created in the 1930s following the Great Drepression.  These days the Social Security number is a de facto national ID number issued to all citizens and you really can’t do anything signifigant without it (i.e. get a job… unless your are an illegal immigrant.. i guess people in the US have privacy after all).  BTW – Collecting Social Security after age 65 is a joke… it is program that will not support the “baby boomer” (but that is a different issue all together). 

The DHS Privacy Impact Assessment goes through most general concerns the the REAL ID act posses to the privacy of U.S. citizens thoroughly…. except for one. Put on your tin-foil hats for this one.  The government works so closely with private companies (namely lobbyists pushing and paying for certain policies, bid and no-bid contracts, laws and regulations) that I believe that they would give out our con$olidated information for the right price. Realistically, a national database in some form or another already exists (social security).  But the REAL ID database would make it possible to have a REAL-time view of all transactions.

DHS PIA pg. 6: “financial institutions, retailers, hotels, health-care providers, and others may consider the REAL ID credential”. 

It sounds like the ultimate consolidation of all personal data.  It will merge your social, driver’s license, and possibly finacial and medical info. 

You see, the REAL ID system would not just be used in the police but with PRIVATE agencies.  On military installations you can’t do much of anything without a certain government ID card.  The data on this REAL ID will be the cream of the crop.  Particularly if is collects data on where you’ve been.  But conspiracy theories on new American corporate facism aside, people need to know that this is happening.  A wake up is long over due for Americans.  I just hope this cancerous apathy doesn’t kill the priciples of the country I love.

Check out the last line of the DHS Privacy Impact Assessment:

The public is encouraged to comment on the NPRM and on the privacy issues associated with implementation of the Act in order to ensure that the final rule reflects robust public input on these important issues.

Links:

Facial Recognition to deter ID Theft

DHS Privacy Impact Assessment REAL ID Act – Chief Privacy Officer, DHS

Four State Oppose RealID (New Hampshire, Oklahoma, joined Montana, Washington – as of 10 Jun 2007)

(New Hampshire, Oklahoma, joined Montana, Washington – as of 10 Jun 2007)Ron Paul oppinion on Amnesty for illegal immigrants and the National ID

(New Hampshire, Oklahoma, joined Montana, Washington – as of 10 Jun 2007)

(New Hampshire, Oklahoma, joined Montana, Washington – as of 10 Jun 2007)New World Ord… I mean other things that didn’t make it into the REAL ID ACT:

(New Hampshire, Oklahoma, joined Montana, Washington – as of 10 Jun 2007)

(New Hampshire, Oklahoma, joined Montana, Washington – as of 10 Jun 2007)

Original legislation contained one of the most controversial elements which did not make it into the final legislation that was signed into law. It would have required states to sign a new compact known as the Driver License Agreement (DLA) as written by the Joint Driver’s License Compact/ Non-Resident Violators Compact Executive Board with the support of AAMVA which would have required states to give reciprocity to those provinces and territories in Canada and those states in Mexico that joined the DLA and complied with its provisions. As a part of the DLA, states would be required to network their databases with these provinces, territories and Mexican states. The databases that are accessible would include sensitive information such as Social Security numbers, home addresses and other information. The foreign states and provinces are not required to abide with the Drivers Privacy Protection Act (DPPA) and are free to access and use the sensitive information as they see fit.  – REAL ID wiki

The UK is fighting the same battle of liberties

If I trusted the government, I suppose this would not be that big a deal.

Bonus: Total “Terrorism” Information Awareness – TIA 

 Multiple standardized computing environments can be monitored and controlled using Open Grid Service Architecture (OGSA).  If the federal government is not using this technology togather data from the DMV systems I would be very surprised.