Archive for the ‘NSA’ Category

You read that right, President Obama’s UN Representative is believed to have made hundreds of unmasking requests. – American Center for Law and…

Weve reported for months on the frightening Obama Administration unmasking scandal and other Obama deep state efforts to sabotage the new Administration and undermine the Constitution and what we are doing about it.

The momentum is starting to shift.

Recent reports show that President Obamas National Security Advisor Susan Rice is being implicated in the unmasking scandal and leaking disgrace which is being exposed for what it is. We sent a Freedom of Information Act (FOIA) request to the National Security Agency (NSA). They ignored it, so we took them to federal court our second federal lawsuit against the NSA in the past few months.

Reports just this month reveal that Samantha Power President Obamas Representative to the United Nations is believed to have requested hundreds of so-called unmaskings of United States persons.

You read that right, President Obamas U.N. Representative is believed to have made hundreds of unmasking requests.

According to the Washington Free Beacon:

Former United Nations Ambassador Samantha Power is believed to have made hundreds of unmasking requests to identify individuals named in classified intelligence community reports related to Trump and his presidential transition team, according to multiple sources who said the behavior is unprecedented for an official in her position. . . .

Efforts by the former Obama administration to obtain the names of Trump allies included in raw intelligence reports have fueled speculation that subsequent leaks to the press were orchestrated by the former administration and its allies in a bid to damage the current White House and smear Trumps most senior confidantes.

House Intelligence Committee Chairman Devin Nunes, in a recent letter to Director of National Intelligence Daniel Coats, expressed the Committees findings, and alarm, that senior government officials offered remarkably few individualized justifications for access to this U.S. person information.

He went on:

For example, this Committee has learned that one official, whose position had no apparent intelligence-related function, made hundreds of unmasking requests during the final year of the Obama Administration. Of those requests, only one offered a justification that was not boilerplate and articulated why that specific official required the U.S. person information for the performance of his or her official duties.

That person, the one whose position had no apparent intelligence-related function, is believed to be Obama U.N. Representative, Samantha Power.

This is outrageous and despicable.

Interestingly, her attorney denied that she committed any of the leaks, but did not deny that she was the one implicated in the Washington Free Beacon report and Chairman Nunes letter.

Sometimes whats not said is more important than what is.

In the midst of misinformation and doublespeak, the ACLJ is pressing forward to get to the bottom of this latest shocking and embarrassing story, and to keep the pressure on to hold this lawless behavior accountable.

Today we took our next big step.

We sent what is now our third FOIA request to the NSA, seeking:

records pertaining to any and all requests former United Nations Ambassador Samantha Power made to National Security Agency (NSA) officials or personnel regarding the unmasking of the names and/or any other personal identifying information of then candidate and/or President-elect Donald J. Trump, his family, staff, transition team members, and/or advisors who were incidentally caught up in U.S. electronic surveillance.

We laid out several specific requests to make sure we cover all possible angles. Heres one example:

All records, communications or briefings created, generated, forwarded, transmitted, sent, shared, saved, received, or reviewed by any NSA official or employee, where one communicant was former United Nations Ambassador Samantha Power, including any communications, queries or requests made under an alias or pseudonym, and another communicant was the Director of the National Security Agency, the Chief of the Central Security Service, SIGINT production organization personnel, the Signals Intelligence Director, Deputy Signals Intelligence Director, or the Chief/Deputy/Senior Operations Officers of the National Security Operations Center, or any other NSA official or employee, referencing, connected to, or regarding in any way communication, request, query, submission, direction, instruction, or order, whereby Samantha Power sought access to or attempted to access SIGINT reports or other intelligence products or reports containing the name(s) or any personal identifying information related to [various individuals connected to President Trump] whether incidentally collected or otherwise . . . .

In the mean time, Attorney General Sessions recently announced that his Department of Justice is stepping up the investigations into illegal leaking. This is something weve been calling for and we applaud his announcement.

The momentum continues to build, and the ACLJ will stay at the forefront of the battle to protect the Constitution, defend our national security, fight government corruption, and demand accountability. We must preserve the integrity of our nations intelligence and national security apparatus. If we fail, the consequences would be devastating. Join us. Sign our Petition today.

Link:
You read that right, President Obama's UN Representative is believed to have made hundreds of unmasking requests. - American Center for Law and...

Covert NSA Listening Stations in Every Major City? – Telepresence Options

Story and images by Aaron and Melissa Dykes

Hi everyone. This piece is a bit more personal. While driving through the South, we happened upon an odd AT&T building in downtown Birmingham, Alabama when we stopped for lunch. After seeing a creepy and very serious security/surveillance man waiting at the parking garage, watching us with some sort of long telephoto lens, it struck us that this was no ordinary building.

Just like the TitanPointe "long-lines building" in New York - an AT&T front where the NSA monitors huge volumes of communications that was exposed by The Intercept and a team of bloggers they worked with - this building in Birmingham, and similar ones in major cities anywhere and everywhere across the country, was not just there to reach out and touch someone.

No, you can get goosebumps just from being near it

Read the rest here:
Covert NSA Listening Stations in Every Major City? - Telepresence Options

I FOIA’d the NSA’s Recycling Mascot, and Now I Have More Questions Than Answers – New York Magazine

Move over, Pixar theres a new CGI creature in town, and he comes from the most unlikely of places, the National Security Agency. Of the federal government agencies that youd expect to have an anthropomorphic mascot dedicated to reducing environmental waste, the NSA is probably near the bottom of the list.

The mascot, Dunk, became public knowledge in 2015, thanks to a menacing NSA tweet the agency sent to publicize its green efforts.

That effort included a school initiative teaching children how to conduct awaste audit, categorize trash, and figure out how effective they were at properly disposing of trash. Yes, the NSA wanted children to go snooping through trash, which seems almost too on the nose to be true. So youre asking me, hey Dunk, what is a waste audit? Well, youre going to dig through all of the trash in your school and then youre going to analyze it, the blue beastintonedin his nasal voice. Youll need to identify the types of trash making up the waste stream of your school and the amounts of each type of trash, by weight and volume.

Upon learning of Dunk, I submitted a Freedom of Information Act request for any communication and documents related to the development of Dunk. More than two years later, the NSA came through with a handful of unclassified documents.

On August 22, 2008, a graphic-design coordinator sent an email with the subject line, (U) Quick Idea. Attached was a file called recycle idea.pdf, which contained preliminary sketches for two waste-disposal bins with faces and arms. One is a round, green recycling bin, for soda cans and such; the other is an orange dumpster labeled WOOD ONLY thats disposing of a pallet. The slogan: Think Before You Throw.

The initiative was put on hold until the graphic-design coordinator returned from leave in early September. The next email exchange that the NSA included begins on October 1, when a waste-and-recycling manager inquires about the Dunk program. Just wanted to know if weve made any further progress Let me know

Two days later, the Dunk we all know and love appears in a file simply titled dunk.pdf, courtesy of the same graphic-design coordinator. Hes now a blue, rectangular recycling bin, who throws trash through a hole in the top of his head, rather than eating it via his mouth. Does the trash give him energy? What happened to his dumpster friend? Why is he called Dunk when hes clearly lobbing the trash?

The final page included in the NSAs response is the final Dunk, now with fancy purple shorts. The picture is not dated, but its presumably the type of office posting that is placed right over the trash bins. Years before Dunk was telling kids to dig through the trash, he was telling NSA workers to be mindful of their waste habits.

Think before you throw! the NSA warns. I mean, thatd be crazy, right? Imagine if your stuff ended up in the wrong place, and someone you didnt intend got ahold of it and used it improperly. Thatd be so embarrassing!

Commonly held best practices for password safety are going out the window.

Nothing (rose) gold can stay.

Including sweatproof, noise-canceling, and foldable versions several under $50.

How an actual person became a bot overnight.

Weve got your John Tucker Must Die sequel right here, folks.

Think before you throw.

We finally know who wrote the infamous document.

Because what the world needs right now is obviously another way to leave your friends on read.

The one about the media wanting him in a noose is really something.

A leaked internal document called the wage gap a myth and laid out all the reasons men are treated unfairly.

Weve heard this argument before.

How to eke a few more minutes out of your battery before everything goes dark.

Its called Stamp.

Including one for $250.

We might be getting a frowning poop emoji to go with the smiling one.

Robbie Tripp is getting owned on Twitter after posting a gushing Instagram about how much he loves his wifes curvy body.

The CMS wasnt cutting it.

It was only after a drivers dashboard went up in spontaneous flames that the company decided to do something.

Original post:
I FOIA'd the NSA's Recycling Mascot, and Now I Have More Questions Than Answers - New York Magazine

Separating NSA and CYBERCOM? Be Careful When Reading the GAO Report – Lawfare (blog)

The Government Accountability Office last week published a report that, among other things, weighs in on the pros and cons the NSA/CYBERCOM dual-hat system (pursuant to which the Director of NSA/CSS and Commander of CYBERCOM are the same person). The report deserves attention, but also some criticism and context. Heres a bit of all three.

1. What is the dual-hat issue?

If you are new to the dual-hat issue, or in any event if youve not closely followed the developments of the past year, please read this recent post for an introduction and overview.

2. What was GAOs bottom line? Did they recommend keeping or abolishing the dual-hat?

Neither. The report does not purport to answer that question. It is, instead, no more no less than an attempt to convey the DOD perspective (and only the DOD perspective) on the pros and cons of keeping the dual-hat structure (as well as identifying some mitigation steps).

3. What method did GAO use to determine DODs perspective?

GAO did three things:

a. It reviewed documents previously generated by CYBERCOM and by the Joint Staff to educate their own leadership on the pros and cons.

b. It sent out questionnaires to various DOD components (with relevant responses received from CYBERCOM, 6 combatant commands, 4 combat support agencies, and 3 OSD offices, plus a collective response for DOD produced by DODs CIO); and

c. It conducted interviews with personnel from CYBERCOM, DOD CIO, and NSA/CSS.

4. Anything wrong with that methodology?

Not if your goal is to convey only DODs perspective. And to be fair, that was GAOs stated goal. But this approach is problematic.

One of the issues driving the dual-hat debate involves the tension that arises between intelligence-collection equities (which NSA would be inclined to favor) and disruption equities (which CYBERCOM would be inclined to favor), in the scenario in which access to enemy-controlled system could be used for either purpose. As a result, the Intelligence Community has a stake in this question. GAO should have reached out for input from ODNI in particular (and it also is odd that GAO only included NSA in one of the three methods mentioned above).

GAO might respond that its terms of reference were DOD-specific. Thats clearly true for certain other parts of the GAO report in question, dealing with other topics. Its less clearly the case with the dual-hat portion of the report. But even if it is, it does not follow that GAO could not include in its report any reference to possibly-competing perspectives from the IC. Indeed, I would go further and say it was a big mistake not to do so, for it was perfectly foreseeable that this report would be taken by many (especially the media) as conveying a general assessment of the dual-hat issue rather than just a DOD-specific summary of opinions, no matter how many caveats are given.

5. Fine, but it is what it is. So lets look at what GAO actually reported, starting with the three pros favoring preservation of the dual-hat arrangement. The first one asserts that the dual-hat promotes coordination and collaboration between NSA and CYBERCOM. Comments?

At bottom, this is a claim that having a common boss makes it relatively easy to collaborate when it comes to developing exploits and sorting out when and how they are used. That makes sense, and is consistent with conventional wisdom on the dual-hat situation.

6. The second pro is about how the dual-hat solves the deconfliction challenge mentioned above, but whats really interesting here is what the report implies about how that challenge would otherwise have to be managed.

As noted above, the need to deconflict when collection and disruption equities compete is a big part of this story. Here, GAO acknowledges that the status quo provides a ready-made solution. So far, so good. What is really interesting, though, is the comment GAO then makes regarding what would happen in such cases of tension in the absence of the dual-hat.

Tellingly, the report observes that, in that case, deconfliction issues would have to be taken to the Secretary of Defense and/or Director of National Intelligence for resolution (emphasis added). I love the use of and/or in that sentence. It perfectly captures a critical point: absent a dual-hat, there has to be a new deconfliction system, and yet the lead contenders for that role each have a dog in the fight. Let me expand on that a bit.

Assume we decide to end the dual-hat system, without first settling on a new deconfliction system. What then? In that case, CYBERCOM usually will win over NSA. Why? Think about it. NSA wants to use existing access to keep collecting, but CYBERCOM wants to use it to disrupt the platform. If NSA barrels ahead with its preference, nothing really changes; the target remains operational and the enemy is none the wiser, hopefully. But if CYBERCOM barrels ahead with its preference, in most instances that will shut down the target (or at least make it clear to the enemy that the target has been penetrated); no more collection at that point. NSA will lose such battles, except when DIRNSA manages to see the issue coming and gets someone over CYBERCOMs head to make them back off.

Sounds like we would need a formal system to replace the dual-hat for deconfliction then. But what would that look like? If the solution is to charge the DNI with making the call, CYBERCOM wont likely be happy. If the solution instead is to charge SecDef (or USD(I) or the like), NSA (and DNI) wont likely be happy. If the solution instead is to convene a committee of some kind with stakeholders from both sidesand that committee works by majority votethen the same problem arises (unless you find some third-party player, like the National Security Adviser, to ensure there is not a tie and that the IC and military have equal voting power).

The point being: this issue needs serious attention. I dont doubt a decent solution can be developed, but care must be taken lest we stumble into the default scenario mentioned above.

7. The third pro involves the efficient allocation of resources, but its really about the idea that NSA makes CYBERCOM possibleand that reminds us that the dual-hat isnt going away soon.

The third pro noted by GAO is that the dual-hat facilitates NSA and CYBERCOM sharing operational infrastructure (translated: hacking tools, accesses, staging servers, personnel, etc.), as well as the infrastructure for training. Of course, its pretty much a one-way street; this traditionally is all about NSA sharing its expertise with CYBERCOM as it has stood up. Legislation currently forbids separation of the dual hat until DOD can certify that CYBERCOM is truly ready to operate independently. Thats supposed to be the case by September next year, but of course its one thing to say it and quite another to achieve it.

8. Turning now to the cons, GAO introduces the idea that the dual-hat may give CYBERCOM an unfair advantage over other commands.

This one was phrased very carefully. Without saying that this problem already exists, GAO says that CYBERCOM thinks that other commands are worried that the dual-hat may in the future unduly favor CYBERCOM requests for NSA support over the requests that come from other military commands. This is an interesting twist on the more-familiar concern that military equities in general will trump collection equities. This is military-vs-military instead. At any rate, again note that it is framed as speculation rather than a current observation. That might be politeness, or it might really be purely speculative. You really cant tell from the GAO report (see my last point below, on whether any of the reports observations have strong evidentiary foundations).

9. The second con GAO lists is a bombshell: The dual-hat creates [i]ncreased potential for exposure of NSA/CSS tools and operations.

Wow. In an almost cavalier way, the GAO report links the dual-hat issue directly to the fierce, ongoing debate over the security of NSAs tools, a topic that goes to the very heart of NSAs mission. Because of the importance of that latter debate, GAOs assertion will constitute a heavy thumb on the scale in favor of separating the dual-hat, if it catches on. Time will tell if it will. For now, lets just take a closer look at the claim.

First, here is what GAO says on the subject:

The dual-hat command structure has led to a high-level of CYBERCOM dependence on NSA/CSS tools and infrastructure. According to NSA/CSS officials, the agency shares its tools and tactics for gaining access to networks with a number of U.S. government agencies, but CYBERCOMs dependence on and use of the tools and accesses is particularly prevalent. CYBERCOMs dependence on NSA/CSS tolls increases the potential that the tools could be exposed.

Lets parse the two claims here.

Does the dual-hat create CYBERCOM dependence on NSA, as the first sentence indicates? I think that has things backwards. As noted in the prior con, CYBERCOM badly needed NSA at first, and still needs it to no small extent. Thats not caused by the dual-hat. It is caused by lack of capacity. The dual-hat has been part of the solution to that need. Perhaps DOD meant to convey a different point: that keeping the status quo has become a crutch that prevents CYBERCOM from pressing faster to build its own capacities. That makes more sense.

Does CYBERCOM use of NSA tools and accesses (i.e., exploits and penetrations) increase the risk of their exposure? Put that way, the answer must be yes. Every instance of use of any exploit or access creates a new opportunity for others to discover it, and so the risk must go up each time (you might say each use increases the exposure surface). But note that weve just put the question in a non-nuanced way, without any attempt to quantify the degree of increase in the risk, let alone to place it in context with offsetting benefits or with reference to mitigation strategies for this problem. All that emerges from the GAO Report is the bottom line: CYBERCOM relies on NSA tools ostensibly because of the dual-hat, and therefore the dual-hat increases the risk of those tools getting loose. And any suggestion that a policy exacerbates that risk is bound to draw attention.

The possibility of loose NSA tools has become a flashpoint for debate, in a manner that threatens for better or worse to create new limits on the ability of NSA to develop or keep certain capacities (particularly knowledge of zero-day vulnerabilities). NSA received a substantial black eye when a Russian intelligence agency the mysterious entity identifying itself as the Shadowbrokers somehow acquired a cache of NSA-created exploits and then began dumping them publiclyespecially after one of those exploits was used in connection with WannaCry and NotPetya. Both WannaCry and NotPetya received a vast amount of media attention, much of it pinning the blame in large part on NSA. This fueled arguments to the effect that NSA should not be allowed to create or preserve such tools (or at least that current procedures for balancing the competing equities involved (building NSAs collection capacity, vs improving the security of commercially-available products) should be altered significantly so as to reduce NSAs capacities in this area).

That argument was out there before WannaCry and NotPetya broke, in fact, but once those stories broke it received a strong boost from Microsoft. As this June piece in the New York Times from Nicole Perlroth and David Sanger underscores, this perspective has gained considerable momentum with some in private industry, Congress, and foreign governments. Just this morning, former NSA Deputy Director Rick Ledgett wrote a post here at Lawfare fighting back against this argument, highlighting how important the issue is.

Whether you agree or disagree with this argument, you no doubt can appreciate how it has made the government acutely sensitive to questions about the security of NSAs tools. As a result, the argument that the dual-hat creates significant security risks for those tools has the potential to have an outsized impact on the dual-hat debate. Which is a good thing, if the argument is a persuasive one. Unfortunately, the GAO report does not come anywhere close to giving us enough information to judge the matter. And yet this part of the report grabbed headlines in some quarters (see this piece in NextGov, titled GAO: Keeping NSA and CyberCom Together Makes Hacking Tool Leaks More Likely).

10. The next con listed by GAO: NSA and CYBERCOM are too much for any one person to manage.

Thats a familiar and serious concern, and it is unsurprising that it arose here. It is entangled to some extent with the deconfliction issue, of course, but at the end of the day being Director of NSA and Commander of CYBERCOM both concern vastly more than deconfliction.

11. The next con on the list? Strangely, its the deconfliction issue, which we already discussed above as a pro for the dual-hat. What gives?

It is telling that the deconfliction issue pops up both as a pro and a con. As noted above, the dual-hat is a good thing for deconfliction insofar as one thinks there ought to be a single decision-maker who takes both collection and disruption equities seriously. But here we now see the flip-side of the argument, as GAO reports that personnel from both NSA and CYBERCOM (including a senior-level official) told GAO that the dual-hat leads to increased tension between NSA and CYBERCOM staffs, because their respective collection and disruption missions may not always be mutually achievable.

You know what Im going to say, I suspect. The tension is caused by the combination of incompatible missions and shared tools/accesses. Thats not the dual-hats fault. The dual-hat is one solution to resolving the tension. As I have noted here, there clearly is a view in some circles that the fix is in with the dual-hat, in favor of NSAs collection mission. Maybe thats right, maybe its not. But at any rate, listing the dual-hat as a con here seems to be a reflection of that perspective.

12. The last con on the list has to do with difficulties in tracking expenditures the NSA makes on behalf of CYBERCOM

This may well be a very important issue, but it seems to me the sort of thing to be addressed through improved procedures, and should not matter much in deciding whether to keep the dual-hat.

13. How strong is the evidence supporting the various pro and con claims?

I recommend caution. We get a description of GAOs methods, as noted above, but of course we do not also get the underlying documents, interview notes, etc. And the reports narrative on each point is exceedingly thin, no longer really than what Im providing here. Note, too, my earlier observation that GAO does not appear to have sought the views of ODNI, and only sought NSA views to a limited extent. None of which is to say that any of the observations are incorrect, of course.

Read the original here:
Separating NSA and CYBERCOM? Be Careful When Reading the GAO Report - Lawfare (blog)

NSA whistleblower discusses ‘How the NSA tracks you’ – CSO Online – CSO Online

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

At the outdoor hacker camp and conference SHA2017, which is taking place in the Netherlands, NSA whistleblower William Binney gave the talk, How the NSA tracks you.

As a former insider, Binney knew about this long before Snowden dropped the documents to prove it is happening. Although he didnt say anything new, Binney is certainly no fan of the NSAs spying he calls the NSA the New Stasi Agency. If you are no fan of surveillance, then his perspective from the inside about the total invasion of the privacy rights of everybody on the planet will fuel your fury at the NSA all over again.

In todays cable program, according to Binney, the NSA uses corporations that run fiber lines to get taps on the lines. If that fails, they use foreign governments to get taps on the lines. And if that doesnt work, theyll tap the line anywhere that they can get to it meaning corporations or governments wont even know about the taps.

The companies are involved at the next step the PRISM program, which includes collection directly from the servers of U.S. service providers. However, Binney said PRISM is the minor program when compared to Upstream, which includes collecting data from the taps on fiber-optic cables in hundreds of places around the world. Thats where they are collecting off the fiber lines all the data and storing it.

PRISM was for show-and-tell purposes, to show Congress and courts what the NSA was doing and to say we have warrants and are abiding by the laws. Upstream was the one that allowed the NSA to take everything off the line.

Regarding worldwide SIGINT, CNE (computer network exploitation) was the big one. Implants in hardware or software, lets say switches or servers, make them do anything they want because the NSA pwned them.

That feeds the NSAs Treasure Map, which provides a map of the entire internet in near real-time; any device, anywhere, all the time every minute of every day. As Binney put it, So its not just collecting what youre saying encrypted or not but its also monitoring where you are when you do it.

Treasure Map is also how intelligence agencies use GPS from cell phones to target drone attack victims. Binney noted there are at least 1.2 million people on the drone hit list.

He also mentioned the programs that include the input of all phone data, fixed, mobile, satellite any kind of phone which both the FBI and CIA can directly access so that when they want to see who did what, they have an index, all, to everything they ever said in their database.

All the data is collected without warrants so its a basic violation of the rights of every human, Binney said.

He also covered how other agencies can directly access the NSAs data, Five Eyes, CIA, FBI, DEA and DIA. The police can access it via the FBIs system.

The NSA could choose to look at the right targets, but doesnt. The NSA may collect it all, but thats not the same as intelligence, as understanding all of what was collected. If you use one of the hot keywords in an email, for example, it will get flagged for review. But planned attacks happen because analysts are so buried beneath the data they cant see the attacks coming. Binney previously tried to convince the U.K. that bulk data kills people.

While all this data isnt helping to stop attacks, having all the data gives the intelligence community the power to manipulate anyone they want. Its like J. Edgar Hoover on super steroids all the collected data gives intelligence agencies the means to target anyone. Then parallel construction is used after the fact to go back and build a separate basis for an investigation to cover up the fact that the data was obtained unconstitutionally.

Before taking questions from conference attendees, Binney pointed out an icon on a slide as a teaser to his startup, which will advise on ways you can do privacy and security by design. He came to Europe, since they cant get anything done in the U.S. The U.S. and U.K. are too dense to realize it can be done it also goes against their agenda for more money, power and control.

Can we expect more NSA employees to blow the whistle? Perhaps, but the people in power there are corrupt, Binney said. During the portion of the talk when attendees could ask questions, he talked about how the NSA has employed a lot of introverts, people with ISTJ personalities, making them easy to threaten. Binney added that the See Something, Say Something (about your fellow workers) program inside the NSA is what the Stasi did. Theyre picking up all the techniques from the Stasi and the KGB and the Gestapo and the SS; they just arent getting violent yet that we know of internally in the U.S.; outside is another story.

Read the rest here:
NSA whistleblower discusses 'How the NSA tracks you' - CSO Online - CSO Online