• Tag Archives NSA
  • Vault 7 Confirms, You’re Right to Be Paranoid

    On March 7, the transparency/disclosure activists at WikiLeaks began releasing a series of documents titled “Vault 7.” According to the New York Times, Vault 7 consists of “thousands of pages describing sophisticated software tools and techniques used by the [US Central Intelligence Agency] to break into smartphones, computers and even Internet-connected televisions.”

    Stranger Than Fiction


    If the documents are authentic — and WikiLeaks has a sterling reputation when it comes to document authenticity — every paranoid thriller you’ve ever watched or read was too timid in describing a hypothetical Surveillance State. Even the telescreens and random audio bugs of George Orwell’s 1984 don’t come close to the reality of the CIA’s surveillance operations.

    In theory, the CIA doesn’t spy on Americans in America. In fact, digital traffic pays no heed to national borders, and the tools and tactics described have almost certainly been made available to, or independently developed by, other US surveillance agencies, not to mention foreign governments and non-government actors.

    Bottom line: You should accept the possibility that for the last several years anything you’ve done on, or in the presence of, a device that can connect to the Internet was observed, monitored, and archived as accessible data.

    Paranoid? Yes. But the paranoia is justified.

    Even if “they” — the CIA, the NSA, the FBI, some random group of credit card thieves or voyeurs or whatever — aren’t out to get you in particular, they consider your personal privacy a technical obstacle to overcome, not a value to respect.

    All the Skeletons

    If you’ve got nothing to hide you’ve got nothing to fear? Everyone has something to hide. Somewhere, sometime, you’ve said or done something you regret or wouldn’t want the world to know. And you probably said or did it within a few feet of your smartphone, your laptop, or your Internet-connected television. Maybe nobody was listening or watching. Or maybe someone was. The only plausible conclusion from the Vault 7 disclosures is that you should assume the latter.

    Vault 7 confirms that as a State entity, the CIA answers to philosopher Anthony de Jasay’s description of the State as such. Just as a firm acts to maximize profits, the State and its arms act to maximize their own discretionary power. Even if it doesn’t do some particular thing, it requires the option, the ability to do that thing. It seeks omnipotence.

    The abuses of our privacy implied by the WikiLeaks dump aren’t an aberration. They’re the norm. They’re what government does.

    Reprinted from Libertarian Institute.


    Thomas Knapp

    Thomas L. Knapp, aka KN@PPSTER, is Director and Senior News Analyst at the William Lloyd Garrison Center for Libertarian Advocacy Journalism and publisher of Rational Review News Digest. He lives and works in north central Florida.

    This article was originally published on FEE.org.


  • Why We’re Being Watched

    WikiLeaks has just published over 8,000 files they say were leaked from the CIA, explaining how the CIA developed the capacity to spy on you through your phone, your computer, and even your television. And WikiLeaks’s Julian Assange claims these “Vault 7” documents are just one percent of all the CIA documents they have.

    The media will be combing through these for weeks or months, so now is a perfect moment for us to reconsider the role of privacy, transparency, and limited government in a free society.

    We’ve put together a quick list of the six best Learn Liberty resources on government spying and whistleblowing to help inform this discussion.



    1. War Is Why We’re Being Watched

    Why is the US government spying on its citizens in the first place? Professor Abby Hall Blanco says that expansive state snooping at home is actually the result of America’s military interventionism abroad.

    2. Is Privacy the Price of Security?

    Yes, you may think, the government is snooping on us, but it’s doing that to keep us safe!

    That’s the most common justification for sweeping and intrusive surveillance, so we held a debate between two experts to get right to the heart of it. Moderated by TK Coleman, this debate between Professor Ronald Sievert and Cindy Cohn, the Executive Director of the Electronic Frontier Foundation, was inspired in part by the revelations about NSA surveillance leaked by Edward Snowden in June 2013.

    3. Freedom Requires Whistleblowers

    People are already drawing parallels between the Snowden leaks and the Vault 7 revelations. If the leaks are indeed coming from a Snowden-like whistleblower, that will once again raise the issue of government prosecution of people who reveal classified information to the public.

    Professor James Otteson argues that a free society requires a transparent government, and whistleblowers play a key role in creating that accountability. Otteson also sounds a warning that should resonate with many Americans today:

    “Maybe you’re not concerned about the invasions of privacy that the federal government agencies are engaging in because you think, ‘Well, I haven’t done anything wrong. What do I have to fear?’ Maybe you think, ‘I like and support this president. I voted for him.’

    “But what about the next president? The powers that we let the government have under one president are the same powers that the next president will have too.

    “What if the next president is one you don’t support? He, too, will have all the power that you were willing to give the president you now support.”

    4. Encryption Is a Human Rights Issue

    Documents from Vault 7 suggest that the CIA has been so stymied by encrypted-messaging apps, such as Signal and WhatsApp, that it has resorted to taking over entire smartphones to read messages before they are sent.

    That turns out to be a costly, targeted, and time-consuming business that doesn’t allow for mass data collection. But for decades, government officials have tried to require tech companies to give the government a backdoor into their encryption. In “Encryption Is a Human Rights Issue,” Amul Kalia argues that protecting encryption from government is essential to our safety and freedom.

    5. The Police Know Where You Live

    It turns out that it’s not just spy agencies that have access to detailed information about your life. Ordinary police officers have it, too, and they often face little supervision or accountability. As Cassie Whalen explains, “Across the United States, police officers abuse their access to confidential databases to look up information on neighbors, love interests, politicians, and others who had no connection to a criminal investigation.”

    Surveillance is a serious issue at every level of government.

    6. Understanding NSA Surveillance

    If you’re ready to take your learning to the next level, check out our complete video course on mass government surveillance with Professor Elizabeth Foley. In it, you’ll learn what you need to know to make sense of the NSA scandal in particular and mass surveillance in general.

    Reprinted from Learn Liberty.


    Kelly Wright

    Kelly Wright is an Online Programs Coordinator at the Institute for Humane Studies.

    This article was originally published on FEE.org.


  • NSA’s Failure to Report Shadow Broker Vulnerabilities Underscores Need for Oversight

    In August, an entity calling itself the “Shadow Brokers” took the security world by surprise by publishing what appears to be a portion of the NSA’s hacking toolset. Government investigators now believe that the Shadow Brokers stole the cache of powerful NSA network exploitation tools from a computer located outside of the NSA’s network where they had been left accidentally, according to Reuters. A new detail, published for the first time in yesterday’s Reuters report, is that the NSA learned about the accidental exposure at or near the time it happened. The exploits, which showed up on the Shadow Brokers’ site last month, target widely used networking products produced by Cisco and Fortinet and rely on significant, previously unknown vulnerabilities or “zero days” in these products. The government has not officially confirmed that the files originated with the NSA, but the Intercept used documents provided by Edward Snowden to demonstrate links between the NSA and the Equation Group, which produced the exploits.

    The Reuters story provides a partial answer to the most important question about the Shadow Brokers leak: why did the NSA seemingly withhold its knowledge of the Cisco and Fortinet zero days, among others, from the vendors? According to unnamed government sources investigating the matter, an NSA employee or contractor mistakenly left the exploits on a remote computer about three years ago, and the NSA learned about that mistake soon after. Because the agency was aware that the exploits had been exposed and were therefore vulnerable to theft by outsiders, it “tuned its sensors to detect use of any of the tools by other parties, especially foreign adversaries with strong cyber espionage operations, such as China and Russia.” Apparently finding no such evidence, the NSA sat on the underlying vulnerabilities until the Shadow Brokers posted them publicly.

    But the NSA’s overconfidence should disturb us, as security researcher Nicholas Weaver points out. The “sensors” mentioned by Reuters are likely a non-technical reference to monitoring of the Internet backbone by the NSA under such authorities as Section 702 and Executive Order 12333, which could act as a form of Network Intrusion Detection System (NIDS). (The Department of Homeland Security also operates an NIDS called Einstein specifically to monitor government networks.) But Weaver explains that at least some of the exploits, including those that affected Cisco and Fortinet products, appear not to lend themselves to detection by outside monitoring since they operate within a target’s internal network. In other words, the NSA’s confidence that its surveillance tools weren’t being used by other actors might have been seriously misplaced.

    The NSA’s decision not to disclose the Cisco and Fortinet vulnerabilities becomes even more questionable in light of the fact that some of the specific products affected had been approved by the Department of Defense’s Unified Capabilities (UC) Approved Products List (APL), which identifies equipment that can be used in DoD networks.

    Under National Security Directive 42, NSA is tasked with securing “National Security Systems” against compromise or exploitation, a mission which was traditionally housed within the Information Assurance Directorate (IAD). The NSA is currently in the process of combining the “defensive” IAD with its “offensive” intelligence-gathering divisions, but high-level officials charged with information assurance have acknowledged the NSA’s defensive mission is more important than ever. Regardless of whether the mission of protecting National Security Systems is interpreted broadly or narrowly, the NSA’s failure to remedy defects in products used widely across the IT sector and apparently by the government, and even the DoD itself, is difficult to defend.

    Above all, the Shadow Brokers story highlights the need for oversight of the government’s use of zero days. Right now, the decision whether to retain or disclose a vulnerability is theoretically governed by the Vulnerabilities Equities Process (VEP), a once-secret policy that EFF obtained in redacted form via a Freedom of Information Act lawsuit. But because the VEP isn’t binding on the government, as far as we can tell, it’s toothless. While we don’t know the exact considerations employed by the government in reaching a decision to withhold a zero day, several of the high-level considerations described by White House Cybersecurity Coordinator Michael Daniel in a blog post about the VEP seem highly relevant:

    • How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
    • Does the vulnerability, if left unpatched, impose significant risk?
    • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
    • How likely is it that we would know if someone else was exploiting it?

    Even if NSA initially believed the specific vulnerabilities at issue in this case wouldn’t be discovered by others, its knowledge that the exploits had been left exposed should have changed that calculus. And if NSA knew specifically that the exploits had been stolen, it’s hard to think of a rationale where disclosure would still be outweighed by other considerations. Coincidentally, the NSA seems to have lost control of the Shadow Brokers exploits in 2013, during a fallow period for the VEP. Although the VEP was written in 2010, Michael Daniel told Wired that it was not “implemented to the full degree that it should have been” and was only “reinvigorated” in 2014.

    We think lawmakers should be concerned with this story, and we encourage them to ask the NSA to explain exactly what happened. We think the government should be far more transparent about its vulnerabilities policy. A start would be releasing a current version of the VEP without redacting the decisionmaking process, the criteria considered, and the list of agencies that participate, as well as an accounting of how many vulnerabilities the government retains and for how long. After that, we urgently need to have a debate about the proper weighting of disclosure versus retention of vulnerabilities, and we should ensure that any policy that implements this decision is more than just a vague blog post or a document that lacks all “vigor.”

    Source: NSA’s Failure to Report Shadow Broker Vulnerabilities Underscores Need for Oversight | Electronic Frontier Foundation