It is less than a day after I wrote the previous blog ‘The danger ahead’, now I read in the Guardian (at http://www.theguardian.com/world/2014/jan/27/nsa-gchq-smartphone-app-angry-birds-personal-data) that the quote I made in yesterday’s blog “Speed and disregard of proper development has allowed for open access to many computers and devices, which allows for almost complete collection and stored and such storage can only be done by just a few. This open level of availability allows the NSA and GCHQ (amongst others) to collect open source intelligence, hoping to gain the upper hand in the war on terror.“, which is close to what the Guardian reported, as well as what is currently shown on Sky News!
At this point, I am looking at a few issues and the more I look at the data that the press is stating, the more I see that Edward Snowden is more than just a traitor. He claims being a victim in a German TV interview (at http://www.dw.de/wanted-dead-by-us-officials-snowden-tells-german-tv/a-17388431), where he speaks the fear that he is being targeted for long term sleep therapy (aka ‘terminal sleep’).
The ‘problem’ is that the issue is not just Snowden. The more I look into the breaches, the more I look into a possible functional approach on the way the NSA server parks (plural) are set up, the more I am convinced that not only was Edward Snowden not alone in this all, I feel some level of certainty that this person might still be in the NSA, endangering both NSA and GCHQ as well as other allied monitoring agencies.
The humongous amount of ‘revelations’ that are claimed in the name of Snowden do two things. First of all it turns Benedict Arnold in a stumbling saint (I just had to wash my mouth with soap for making such a claim). Linked to this is the fact that the many dozens of operations as his ‘revelations’ seem to touch on would have been on at least a dozen of servers (as projects are spread around). The fact that NSA uses an upgraded edition of SE-LINUX means that a system with logs and mandatory access control cannot get transferred to such a degree. The fact that IT and security monitors it all, as well that he was civilian contractor means that his name should have popped up a dozen times. Even if he used other accounts, the logs should have triggered alerts all over the field when they were scanned through solutions not unlike a program like Palantir Government.
The claims I am making are growing in reliability with every ‘revelation’ that is being made. There is however another side that is now the consequence of all these whingers and whiners about ‘their privacy‘ (at http://www.theguardian.com/world/2014/jan/27/tech-giants-white-house-deal-surveillance-customer-data). We now enter a field where it is important to realise that the new situation could be regarded as a danger.
It is linked to a previous newscast where President Obama was considering moving telephony data out of government hands (at http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/23/government-privacy-board-members-say-shifting-nsa-data-to-third-parties-is-a-bad-idea/)
As stated before, this is a really bad idea. Consider that criminals, if enough money is in play, can use places like HSBC to launder their money (I am not talking about forgetting your wallet whilst washing your jeans), but the idea that commercial enterprises can get away with these events for just a 5 week fee (at http://www.forbes.com/sites/afontevecchia/2012/07/16/hsbc-helped-terrorists-iran-mexican-drug-cartels-launder-money-senate-report-says/, as well as http://uk.reuters.com/article/2014/01/23/uk-standardbank-fine-idUKBREA0M0LF20140123) is a lot more dangerous than many realise. Handing data storage out of government hands is just too dangerous. I am steering away from the issue whether the monitoring program should go on or stop. The intelligence community needs to do what it needs to do. Leaving that data with third parties is just not an option. The worst case scenario would see the US government paying out billions if any data leading to a registered IP ends up in ‘other’ hands. Once that evidence is ever given, the US would lose whatever credibility they ever thought they had.
At this point the title can be used as a joke. What is the difference between for free and for naught? Someone got rich for free, the US got rich for naught! That would end up being the reality of a project that was meant to map levels of global terrorism. This joke only gets stronger when we see another ‘view of shock’, but now from Google CLO David Drummond (at http://www.bbc.co.uk/news/world-25911266). It is hard to state against his view, or the premise of the company. These carefully pronounced statements from legal eagles are to be expected from many firms for some time to come. There is however a commercial positive view (at http://www.bbc.co.uk/news/technology-25914731). Here we see how entrepreneurs in makeup and clothing are showing options to avoid detection. In more than one instance it is stated to be metal based, so standing next to airport detectors should be fun soon enough. I wonder how much more would get checked when the boxers or briefs are also metal based.
So whether we get entertainment for free or fashion for naught will be discussed by many soon enough, the main fact remains. If we want to remain safe, then data needs to be collected. It is not for free, or for naught. It is for the simple reason that the world is filled with bad people; some will go any distance to hurt as many as they can. Our governments have a duty to keep us safe, it is only fair that they are given the tools, the methods and the opportunity to do so.
This does get us to the final part (or final side) to these events. This morning, the Guardian (at http://www.theguardian.com/world/2014/jan/28/microsoft-rules-out-back-door-access-to-mps-electronic-communications) reported on backdoor access allegations. The quote “Both Ludlam and South Australian independent senator Nick Xenophon have been concerned about the security of Australian parliamentary communications since the Prism surveillance program was first revealed by National Security Agency contractor-turned-whistleblower Edward Snowden.” gives the information that was the part of all this. So again we see more resources squandered in regards to Snowden. Do not get me wrong, the question by both Ludlam and Xenophon is fair enough and as such it should be looked at. Whoever wants access to certain information, which might always be the case, could consider Intruding a system, which, unless you are a real expert is getting harder and harder, as it should be.
Yet, capturing and copying frames sent over a router system makes a lot more sense. You just capture it all and decrypt it later. Now, most people will not have the ability to do this, but consider the amount of elements to get this all from user1 to user2 via server X. If you think that this is highly encrypted hard to achieve effort, then think again. The more common the method used, the easier it is to read into it. So, there is a level of entertainment as we see leagues of technicians concentrate on the door of the bank vault, whilst in reality one of the walls is missing. To give you another example, we take a look at a paper by Daehyun Strobel, Benedikt Driessen, Timo Kasper et al (at https://eprint.iacr.org/2013/598.pdf). As we look at the quote “Despite the fact that nowadays strong and well-analyzed cryptographic primitives are available for a large variety of applications, very weak cryptographic algorithms are still widely deployed in real products all over the world.” This relates to the IT issue as, we might have secure servers and powerful password rules, but files are send from one computer to another via the ‘internet’, which goes via a router system (no matter how you twist or turn it). So, as someone gets to any router on the track and wireshark’s the traffic, the stream can be rebuilt. From there the hacker still faces a few obstacles, but you better believe that above a certain skill level, this data can be retrieved. So what exactly are we all crying about?