How NSA Tracks You (Bill Binney)

Anyone who is paying attention knows that the Obama FBI/DOJ used massive government surveillance powers against the Trump team during and after the election. A FISA warrant on Carter Page (and Manafort and others?) was likely used to mine stored communications of other Trump team members. Hundreds of "mysterious" unmasking requests by Susan Rice, Samantha Powers, etc. were probably used to identify US individuals captured in this data.

I think it's entirely possible that Obama et al. thought they were doing the right (moral, patriotic) thing -- they really thought that Trump might be colluding with the Russians. But as a civil libertarian and rule of law kind of guy I want to see it all come to light. I have been against this kind of thing since GWB was president -- see this post from 2005!

My guess is that NSA is intercepting and storing big chunks of, perhaps almost all, US email traffic. They're getting almost all metadata from email and phone traffic, possibly much of the actual voice traffic converted to text using voice recognition. This used to be searchable only by a limited number of NSA people (although that number grew a lot over the years; see 2013 article and LOVEINT below), but now available to many different "intel" agencies in the government thanks to Obama.

Situation in 2013: https://www.npr.org/templates/story/story.php?storyId=207195207

(Note Title 1 FISA warrant grants capability to look at all associates of target... like the whole Trump team.)

Obama changes in 2016: https://www.nytimes.com/2016/02/26/us/politics/obama-administration-set-to-expand-sharing-of-data-that-nsa-intercepts.html

NYT: "The new system would permit analysts at other intelligence agencies to obtain direct access to raw information from the N.S.A.’s surveillance to evaluate for themselves. If they pull out phone calls or email to use for their own agency’s work, they would apply the privacy protections masking innocent Americans’ information... ” HA HA HA I guess that's what all the UNmasking was about...

More on NSA capabilities: https://en.wikipedia.org/wiki/LOVEINT (think how broad their coverage has to be for spooks to be able to spy on their wife or girlfriend)

See also FISA, EO 12333, Bulk Collection, and All That.

Wikipedia: William Edward Binney[3] is a former highly placed intelligence official with the United States National Security Agency (NSA)[4] turned whistleblower who resigned on October 31, 2001, after more than 30 years with the agency.

He was a high-profile critic of his former employers during the George W. Bush administration, and later criticized the NSA's data collection policies during the Barack Obama administration. 

From the transcript of Binney's talk:

07:45
ways that they basically collect data
07:48
first it's they use the corporations
07:50
that run the fiber-optic lines and they
07:53
get them to allow them to put taps on
07:55
them and I'll show you some of the taps
07:57
where they are and and if that doesn't
07:59
work they use the foreign government to
08:00
go at their own telecommunications
08:02
companies to do the similar thing and if
08:04
that doesn't work they'll tap the line
08:06
anywhere they can get to it and they
08:08
won't even know it you know the
08:09
government's know that communications
08:11
companies will even though they're
08:12
tapped so that's how they get into it
08:14
then I get into fiber lines and this is
08:17
this is a the prism program ...

that was published
08:30
out of the Snowden material and they've
08:32
all focused on prism well prism is
08:36
really the the minor program I mean the
08:40
major program is upstream that's where
08:42
they have the fiber-optic taps on
08:43
hundreds of places around in the world
08:45
that's where they're collecting off the
08:47
fiber lined all the data and storing it

2016 FISC reprimand of Obama administration. The court learned in October 2016 that analysts at the National Security Agency were conducting prohibited database searches “with much greater frequency than had previously been disclosed to the court.” The forbidden queries were searches of Upstream Data using US-person identifiers. The report makes clear that as of early 2017 NSA Inspector General did not even have a good handle on all the ways that improper queries could be made to the system. (Imagine Snowden-like sys admins with a variety of tools that can be used to access raw data.) Proposed remedies to the situation circa-2016/17 do not inspire confidence (please read the FISC document).

Atavist Magazine: The Mastermind

Highly recommended! Fantastic long form reporting -- 2 years in the making -- by Evan Ratliff. Podcast interview with the author.

Le Roux ran a global crime empire which accumulated hundreds of millions of dollars, conducted assassinations in multiple countries, and had its own private army. Most criminals are stupid, but Le Roux is highly intelligent, disciplined, hard-working and totally amoral.

(The prisoner in the photo above is not Le Roux, but one of his lieutenants, a former US soldier captured in Thailand.)

Atavist Magazine: The Mastermind: He was a brilliant programmer and a vicious cartel boss, who became a prized U.S. government asset. The Atavist Magazine presents a story of an elusive criminal kingpin, told in weekly installments.

"Not even in a movie. This is real stuff. You see James Bond in the movie and you’re saying, “Oh, I can do that.” Well, you’re gonna do it now. Everything you see, or you’ve thought about you’re gonna do. It’s, it’s real and it’s up to you. You know how the government says if you work through the government [U/I] we don’t know you. Same thing with this job. No different right? So, that’s how it is. Same thing you do in the military except you’re doing for these guys you know? If you get caught in war, you get killed, right? Unless you surrender if they let you surrender or if you get you know, the same thing. This is… Everything’s just like you’re in war [U/I] now."

Here are the final paragraphs:

... It seemed to me that he tried to apply the detached logic of software to real life. That’s why the DEA schemes must have appealed to him as much as his own. His approach was algorithmic, not moral: Set the program in motion and watch it run.

But Lulu’s comment about infamy stuck with me. Perhaps that wasn’t Le Roux’s aim at first, but over time it became something he coveted. Le Roux had known all along that he’d get caught—ultimately, the program could only lead to one outcome. But that meant that I, too, was part the design.

One afternoon, two months ago, I met an Israeli former employee of Le Roux’s at a quiet upstairs table in a café inside a Tel Aviv mall. I’d had a difficult time persuading this man to talk to me at all. He was free of Le Roux’s organization, on to new things. He hadn’t been indicted in the prescription-drug case, despite working in one of the call centers, although he said he planned to wait a few years before traveling to the U.S., just in case. I asked him this question, too: What did Le Roux want? “He wanted to be the biggest ever caught,” he said.

As we said good-bye, he told me, “What’s important is that justice be done, for what Paul did.” Then he leaned in, pointing at my notebook. “If you publish this story, ultimately you are giving him what he wanted. And by talking to you I guess I am, too. This is what he wanted. This story to be told, in this way.”

Crypto-currencies, Bitcoin and Blockchain

Photos from two meetings I attended last week.

Some general comments on crypto-currencies:

1. Bitcoin doesn't really solve any payment problems, unless of course you are a paranoid libertarian who hates "fiat" currencies. But why should you trust the Bitcoin Foundation any more than you trust a central bank? (See Bitcoin dynamics.)

2. Most potential users just want something that works and don't care at all about crypto magic.

3. The high volatility of Bitcoin makes it unattractive as a store of value, except for speculators looking for price appreciation. It's possible that confidence in and the liquidity of Bitcoin (or another crypto coin) will rise to the point that this problem is eliminated. At that point things will get much more interesting. However, it's not clear what the timescale is for this (but see point 7 below).

4. Blockchain processing is extremely inefficient and has a high cost overhead.

5. Ethereum, with its Turing-complete blockchain operations, does make possible low-cost derivative contracts, insurance, etc. But I have yet to hear a convincing case for a killer application. Gambling is an obvious use, but the US government has shown a strong inclination to pursue those involved with illegal online gambling.

6. Innovation in payment technologies is long overdue, but because of positive network effects it will probably be a big player like Apple or Google that finally changes the landscape.

7. One interesting scenario is for a country (Singapore? Denmark?) or large financial entity (Goldman, JPM, Visa) to issue its own crypto currency, managing the blockchain itself but leaving it in the public domain so that third parties (including regulators) can verify transactions. Confidence in this kind of "Institutional Coin" (IC) would be high from the beginning. An IC with Ethereum-like capabilities could revolutionize the financial industry. In place of an opaque web of counterparty relationships leading to systemic risk, the IC blockchain would be easily audited by machine. Regulators would require that the IC authority know its customers, so pseudonymity would only be partial.

Here's a good podcast on crypto-currencies for non-experts.

Wall Street journalists Paul Vigna and Michael J. Casey talk about cybermoney in The Age of Cryptocurrency: How Bitcoin and Digital Money are Challenging the Global Economic Order. Vigna and Casey argue that digital currency is poised to launch a revolution that could reinvent traditional financial and social structures, and bring the world's billions of "unbanked" individuals into a new global economy.

Analogies between Analogies

As reported by Stan Ulam in Adventures of a Mathematician:

"A mathematician is a person who can find analogies between theorems; a better mathematician is one who can see analogies between proofs and the best mathematician can notice analogies between theories. One can imagine that the ultimate mathematician is one who can see analogies between analogies."  --Stefan Banach

See also Analogies between Analogies: The Mathematical Reports of S.M. Ulam and His Los Alamos Collaborators; esp. article 20 On the Notion of Analogy and Complexity in Some Constructive Mathematical Schemata.

I'll add my own comment:

The central problem of modern genomics is essentially cryptographic. The encryption scheme is the model relating phenotype to genotype, and the ciphertext--plaintext pairs are the genotypes and phenotypes. We will recover the schemes -- models which can predict phenotype from genotype -- once enough ciphertext and plaintext (data) is available for analysis.

We have programs (DNA code) and their outputs (organisms) to study; from this we deduce the programming language.

See also Alan Turing:

“There is a remarkably close parallel between the problems of the physicist and those of the cryptographer. The system on which a message is enciphered corresponds to the laws of the universe, the intercepted messages to the evidence available, the keys for a day or a message to important constants which have to be determined. The correspondence is very close, but the subject matter of cryptography is very easily dealt with by discrete machinery, physics not so easily.”

Citizenfour and Sisu

NYBooks: ... In an interview about Citizenfour with the New Yorker reporter Jane Mayer, Snowden has said that his action seemed to him necessary because the American officials charged with the relevant oversight had abdicated their responsibility. He meant that President Obama, Attorney General Eric Holder, and the intelligence committees in the House of Representatives and the Senate had utterly failed to guard against extraordinary abuses of the public trust under the pretext of national security. Nor had they undertaken the proper work of setting limits to government spying on Americans consistent with the spirit of the First Amendment and the letter of the Fourth Amendment.

...Snowden is often called a “fanatic” or a “zealot,” a “techie” or a “geek,” by persons who want to cut him down to size. Usually these people have not listened to him beyond snippets lasting a few seconds on network news. But the chance to listen has been there for many months, in two short videos by Poitras on the website of The Guardian, and more recently in a full-length interview by the NBC anchorman Brian Williams. The temper and penetration of mind that one can discern in these interviews scarcely matches the description of fanatic or zealot, techie or geek.

An incidental strength of Citizenfour is that it will make such casual slanders harder to repeat. Nevertheless, they are likely to be repeated or anyway muttered in semiprivate by otherwise judicious persons who want to go on with their business head-down and not be bothered. It must be added that our past politics give no help in arriving at an apt description of Snowden and his action. The reason is that the world in which he worked is new. Perhaps one should think of him as a conscientious objector to the war on privacy — a respectful dissident who, having observed the repressive treatment endured by William Binney, Thomas Drake, and other recent whistle-blowers, does not recognize the constitutional right of the government to put him in prison indefinitely and bring him to trial for treason. ...

What seems most remarkable in that hotel room in Hong Kong is Snowden’s freedom from anxiety. He is fearful, yes ... He knows that he is at risk of being subjected to “rendition” or worse. But there is no theatrical exaggeration here, and no trace of self-absorption. He has made his commitment and that is that. ...

... [Snowden] realizes that if he keeps his identity a secret, the government will rally all its powers and those of the media to convert the treacherous and hidden leaker into the subject of the story. His intuition is that the best way to counter such a distraction will be to make the story personal right away, but to render the personal element dry and matter-of-fact. He will do this in the most unobtrusive and ordinary manner. He will simply admit that he is the person and spell out the few relevant facts about his life and work.

The undeclared subject of Citizenfour is integrity—the insistence by an individual that his life and the principle he lives by should be all of a piece.

Sisu is a Finnish term loosely translated into English as strength of will, determination, perseverance, and acting rationally in the face of adversity. However, the word is widely considered to lack a proper translation into any other language. Sisu contains a long-term element; it is not momentary courage, but the ability to sustain an action against the odds. Deciding on a course of action and then sticking to that decision against repeated failures is sisu. It is similar to equanimity, except the forbearance of sisu has a grimmer quality of stress management than the latter.

Pessimism of the Intellect, Optimism of the Will.

Ethereum

Did you miss out on the next big thing? :-)   See also Bitcoin dynamics.

Satoshi Nakamoto is ... Satoshi Nakamoto!

Newsweek breaks the story! This man has hundreds of millions of dollars in bitcoins :-)

The original proposal. I once did some modest internet sleuthing to figure out who "Satoshi Nakamoto" really was, but to no avail.

As usual, like the guy behind the World Wide Web (Berners-Lee), discovery of DNA structure (Crick), laser (Townes), atomic bomb, transistor (Shockley), electronic computer (Atanasoff et al.), etc., etc., Nakamoto is a ...

"You want to know about my amazing physicist brother?" says Arthur Nakamoto, Satoshi Nakamoto's youngest sibling, who works as director of quality assurance at Wavestream Corp., a maker of radio frequency amplifiers in San Dimas, Calif.

"He's a brilliant man. I'm just a humble engineer. He's very focused and eclectic in his way of thinking. Smart, intelligent, mathematics, engineering, computers. You name it, he can do it."

... Just after graduating college, Nakamoto went to work on defense and electronics communications for Hughes Aircraft in southern California. "That was just the beginning," says Arthur, who also worked at Hughes. "He is the only person I have ever known to show up for a job interview and tell the interviewer he's an idiot - and then prove it."

See also Prometheus in the basement.

UPDATE: Maybe it's not him ...

Beating down hash functions

The state of the art in GPU- and statistics-enhanced password cracking. Crackers beating down information entropy just like in the old days at Bletchley Park! (Trivia question: what are "bans" and "cribs"? Answers)

Ars technica: ... An even more powerful technique is a hybrid attack. It combines a word list, like the one used by Redman, with rules to greatly expand the number of passwords those lists can crack. Rather than brute-forcing the five letters in Julia1984, hackers simply compile a list of first names for every single Facebook user and add them to a medium-sized dictionary of, say, 100 million words. While the attack requires more combinations than the mask attack above—specifically about 1 trillion (100 million * 104) possible strings—it's still a manageable number that takes only about two minutes using the same AMD 7970 card. The payoff, however, is more than worth the additional effort, since it will quickly crack Christopher2000, thomas1964, and scores of others. 

"The hybrid is my favorite attack," said Atom, the pseudonymous developer of Hashcat, whose team won this year's Crack Me if You Can contest at Defcon. "It's the most efficient. If I get a new hash list, let's say 500,000 hashes, I can crack 50 percent just with hybrid." 

With half the passwords in a given breach recovered, cracking experts like Atom can use Passpal and other programs to isolate patterns that are unique to the website from which they came. They then write new rules to crack the remaining unknown passwords. More often than not, however, no amount of sophistication and high-end hardware is enough to quickly crack some hashes exposed in a server breach. To ensure they keep up with changing password choices, crackers will regularly brute-force crack some percentage of the unknown passwords, even when they contain as many as nine or more characters. 

"It's very expensive, but you do it to improve your model and keep up with passwords people are choosing," said Moxie Marlinspike, another cracking expert. "Then, given that knowledge, you can go back and build rules and word lists to effectively crack lists without having to brute force all of them. When you feed your successes back into your process, you just keep learning more and more and more and it does snowball."

Skype backdoor

I knew it was too good to be true! As a for-profit company, Skype/EBay eventually had to cave in to spook pressure and allow for eavesdropping. In fact, the back door might have been in from the beginning.

Heise online: According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary's press spokesman was brief, "Skype does not comment on media speculation. Skype has no further comment at this time." There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

Here's what I wrote back in 2005:

...I just learned that Skype connections are encrypted using 256 bit AES, negotiated using 1024 bit RSA. This level of encryption is essentially unbreakable with current computing power. The Feds (with the possible exception of the NSA, and they would have to work very hard to break even a single session) have no chance of eavesdropping on any Skype conversation.

It is true that Skype is closed-source, so it isn't easy to verify that the crypto implementation doesn't have any holes or backdoors. However, given the number of users and the negative consequences for the company of any privacy issues, I suspect that it works as advertised.

Well, although you are probably safe from your neighbors or local network admin, the Feds apparently don't have any problems listening in on your Skype calls.