Opportunity for public comment on NSA surveillance

The Office of the Director of National Intelligence (ODNI) is seeking public comment on:

how in light of advancements in communications technologies, the United States can employ its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure.

Thanks to the EFF for finding this opportunity.

This was my response:


The NSA wiretapped the cow and got the milk for free

Today three major news agencies, the New York Times, the Guardian, and ProPublica, released details of the most intrusive NSA activity to date. The NSA and the GCHQ, the British counterpart of the NSA, have “been looking for ways into protected traffic of popular Internet companies: Google, Yahoo, Facebook and Hotmail.” Microsoft apparently handed over pre-encryption access to Outlook e-mail, Skype and SkyDrive. Companies have also put back doors into hardware and software products at the request of the NSA.

The NSA and the companies who allowed the back doors have broken the public’s trust. It’s time we take back the Internet. As usual, the Electronic Frontier Foundation has an excellent summary of this issue and a list of actions you can take. This is a two-pronged attack. First, we should petition our elected officials, which is very easy to do from the EFF’s take action site. Second, if the companies don’t stand up for their users, you can vote with your feet and leave their feudal system. I don’t use Microsoft, Yahoo, or Facebook, but I do use Google and Apple. While Google has claimed there are no back doors, Google is also asking permission from the Government to tell the public about what it does provide. That sounds like a Kafka novel to me, and I think I’m going to go looking for a new email provider. Apple lost me when I had to ask permission to install applications. In the writing of this post, I discovered something new about myself; I don’t like asking permission for things 🙂 .

But we should also step up our defenses. Bruce Schneier published a list of recommendations to maintain (some) control over privacy and security online. Read the article for the details, but the short list is:

  • Hide in the network. (i.e. use Tor)
  • Encrypt your communications. (use HTTPS Everywhere)
  • Assume that while your computer can be compromised, it would take work and risk on the part of the NSA so it probably isn’t.
  • Be suspicious of commercial encryption software, especially from large vendors.
  • Try to use public-domain encryption that has to be compatible with other implementations.

For those looking for a more complete software list, check out PRISM Break.

Lastly, Bruce Schneier closed with this call-to-arms:

To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.

A simple and inexpensive way to accomplish this is to go buy a $45 Beaglebone Black and set it up as a Tor relay to help grow the Tor network. You can follow my instructions to set this up and have a low-power, freedom-protecting Tor relay.

Of course, you can also join the EFF or get the t-shirt that the NSA tried to censor, just for fun.

A Veteran’s Disappointment with the NSA Spying

A practitioner of Zen Buddhism was talking to me about delusions.  I asked him to clarify what he meant and he explained that delusional thinking was a way of convincing yourself of a false reality.  It’s like when you believe the Double Down is good for you because it doesn’t have any bread (this is my example, not his…).  Don Quixote is the epitome of a delusional thinker who believed windmills were giants and subsequently attacked them.  Thinking that the NSA isn’t unconstitutionally spying on Americans is also delusional.

The original NSA spying leak was shocking, but since then there have been more damning announcements. The U.S. Drug Enforcement Agency is actively using the NSA database, but then lying about how it obtained evidence through the euphemism “parallel construction.” The owner of Edward Snowden’s email service decided to shut down his company rather than become “complicit in crimes against the American people,” warning:

without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.

And despite promises by officials to the contrary, the Guardian reported another leak showing that, due to a Kafkaesque loophole, warrantless spying on Americans is indeed allowed.

I am a proud veteran of the U.S. Navy.  I willingly took an oath to support and defend the U.S. Constitution.  While I’m no longer in the military, as a person who went to Afghanistan to fight for his country, I feel a civic responsibility to act when I see the Constitution being violated.  What the NSA and other agencies are doing is wrong and needs to stop.

Despite the attempts by his squire Sancho to convince him of what was real, Don Quixote rushed into battle against false enemies and brought harm to those around him. The War on Terror has become our windmill. We’ve spent countless taxpayer dollars and disgraced ourselves chasing false giants. Before his death, Don Quixote realized his delusional behavior and regretted his actions. It’s time we have a similar revelation, “Now I see through [the] absurdities and deceptions, and it only grieves me that this destruction of my illusions has come so late that it leaves me no time to make some amends

I am not a “14-year-old in the basement clicking around the Internet,” but I do proudly wear my Happy Hacking t-shirt.  I’m a veteran who has had enough of the lying and it’s time to speak up.  If this matters to you too, please consider joining the Electronic Frontier Foundation and help them fight for our digital rights.

Cory Doctorow’s Homeland: Activity over Apathy

Cory Doctorow’s Homeland carries the energy, intensity, and style from its predecessor Little Brother. Like Little Brother, Homeland is filled with fantastical technology that is all around us. Devices like 3-D printers and DIY quadcopters make cameos in this book and the privacy enabling software Tor is back in this sequel. The tech-infused plot is reason enough to like the book, but that’s not why this book is important.


TLS False Start is dead

So for about a year and a half, Chrome has been speeding up TLS / SSL connections by a mechanism called “TLS False Start.” The performance improvements were impressive; False Start dropped connection times by 30%, or just under 200 ms. The details of TLS False Start are described in this tech memo, but the basics are that the client starts sending application data immediately after its own Change Cipher Spec and Finished messages, without waiting for the server’s. This removes one round trip across the network. Actually, it’s quite clever: once the client has sent the Change Cipher Spec message, it has finished the key exchange and shifted over to the bulk encryption algorithm, so it doesn’t necessarily need to wait for the server to confirm.
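To make the round-trip saving concrete, here is an added flight-level model of a TLS 1.2 handshake with and without False Start; it is an illustration written for this page, not code from the original post or from Chrome. It also models the intolerant SSL terminator described in the next paragraph, under the assumption that such a box treats application data arriving before its own Finished as a fatal error, and it gates False Start on a forward-secret key exchange, which is RFC 7918’s later rule rather than anything the post states.

```python
# Sender-tagged flights of a full TLS 1.2 handshake: a flight is everything one
# side sends before it must wait for the peer. Added illustration, not code
# from the original post.
CLIENT_FLIGHT_1 = ["C: ClientHello"]
SERVER_FLIGHT_1 = ["S: ServerHello", "S: Certificate", "S: ServerKeyExchange",
                   "S: ServerHelloDone"]
CLIENT_FLIGHT_2 = ["C: ClientKeyExchange", "C: ChangeCipherSpec", "C: Finished"]
SERVER_FLIGHT_2 = ["S: ChangeCipherSpec", "S: Finished"]
REQUEST = "C: ApplicationData(GET /)"
RESPONSE = "S: ApplicationData(200 OK)"

# RFC 7918 later standardised False Start and restricts it to forward-secret
# key exchange; the post predates that, so this gate is an added caveat.
FORWARD_SECRET_KEX = {"ECDHE", "DHE"}


def client_may_false_start(key_exchange, enabled=True):
    """Client-side gate: send early application data only with a safe kex."""
    return enabled and key_exchange in FORWARD_SECRET_KEX


def count_round_trips(log):
    """Each maximal run of server messages is the reply to one client flight."""
    return sum(1 for i, m in enumerate(log)
               if m.startswith("S:") and (i == 0 or log[i - 1].startswith("C:")))


def run_handshake(false_start, key_exchange="ECDHE", server_tolerant=True):
    """Replay the flights until the client holds RESPONSE (or the server fails).

    server_tolerant=False models the intolerant SSL terminator from the post;
    the assumption here is that it treats application data arriving before its
    own Finished as a fatal protocol error instead of buffering it.
    """
    log = CLIENT_FLIGHT_1 + SERVER_FLIGHT_1
    early = client_may_false_start(key_exchange, false_start)
    # With False Start the request rides in the same flight as the client's
    # Finished, so the server can answer as soon as it has verified that MAC.
    log += CLIENT_FLIGHT_2 + ([REQUEST] if early else [])
    if early and not server_tolerant:
        log.append("S: Alert(unexpected_message)")
        return {"ok": False, "round_trips": count_round_trips(log), "log": log}
    log += SERVER_FLIGHT_2
    if early:
        log.append(RESPONSE)          # reply arrives with the server's Finished
    else:
        log += [REQUEST, RESPONSE]    # one extra round trip before the request
    return {"ok": True, "round_trips": count_round_trips(log), "log": log}


def request_precedes_server_finished(log):
    """True when the client's request left before the server's Finished."""
    return REQUEST in log and (
        "S: Finished" not in log or log.index(REQUEST) < log.index("S: Finished"))
```

Running `run_handshake(True)` versus `run_handshake(False)` shows the round trip to first response drop from three to two, and `server_tolerant=False` reproduces the connection failure that made Chrome give up on the feature.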

However, the reasons for its demise are a bit comical, and unfortunately False Start’s tragedy has much to do with a good protocol meeting restrictive implementations. My favorite problem was that a major vendor of SSL terminators (servers acting as the SSL / TLS endpoint, probably with hardware acceleration) has some sort of minor bug preventing the use of TLS False Start. The vendor refused to fix it.

One, fairly major, SSL terminator vendor refused to update to fix their False Start intolerance despite problems that their customers were having. I don’t believe that this was done in bad faith, but rather a case of something much more mundane along the lines of “the SSL guy left and nobody touches that code any more”. However, it did mean that there was no good answer for their customers who were experiencing problems.

I can see how this can happen and why the company wouldn’t want to fix it. By the way, I’ll be returning to work in August… (no, I don’t work for this vendor). 🙂

One of the frustrating aspects of protocol design is the duality between what the protocol specification says and what the popular implementations actually do. Actually, it’s more of an oligarchy, where the most popular implementation sets the standard.

Well, you can still install HTTPS Everywhere in Chrome, so that’s a good thing. I highly recommend it. Not only is it supported by the EFF, a great organization, it’ll always attempt to use the https version of a website, making your web traffic more secure.

HTTPS Everywhere from the EFF

[UPDATE] For those with a Wireshark inclination, here are two captures of TLS False Start in action.

  • TLS False Start in action on the client and server
  • False Start on the client side only (Chrome)