Wiretapping, pen traces, and free SkypeOut

Ars Technica with an excellent overview of NSA programs. Be sure to follow the links to the story about Mark Klein, the AT&T whistleblower, and Klein’s statement to the press.

Meanwhile, I received an email today from Skype telling me that all phone calls made via Skype from anywhere in the US and Canada to any phone number in either country are now free for the rest of 2006. (They were previously about two eurocents a minute.) Since Skype phone calls are encrypted, this may or may not be related to what’s going on in the NSA revelations, but it’s very interesting. Notably, since Skype calls can be made from public wifi points, this bypasses both wiretapping and casual attempts at an IP trace. And it will probably lead me to buy less cell phone minutes. How many millions of others will do the same?

Only downsides that I can think of are that my laptop is not available while walking around (but PocketPC PDAs are, and are Skype compatible), and that SkypeOut calls don’t provide a caller ID, which strikes me as marginally unprofessional for business calls.

These are minor knocks, and it might move millions of phone calls into encrypted channels. I’m trying to wrap my head around how huge this might be.

Addendum: Apparently, reporters at ABC News are being individually targeted to find out who they are calling.

Phone calls that aren’t (yet) being monitored

According to Engadget Mobile, T-Mobile and Verizon Wireless cell phone records are not being provided to the NSA. Obviously, if you’re calling a US landline, they can pick it up on the other end.

The jury is still out on whether a pen trace on Skype phone calls is possible, but as far as I’ve heard they’re currently outside the NSA dragnet. On the other hand, Skype is still the only consumer-level phone system that provides end-to-end 128-bit encryption transparently to its users, so the call itself cannot be tapped if you’re calling to another Skype user — again, if you’re calling a landline, you’re exposed on the other side.

Idiot, indicted, and just maybe, telling us what we need to know

Gary McKinnon is an idiot. Or he’s the most dangerous hacker who has ever penetrated US military systems.

Evidence for idiocy comes from Slashdot’s discussion of McKinnon’s failed attempt in a British court to block his extradition to the United States.

Evidence for danger comes from this BBC report that the US claims he caused $700,000 in damages hacking military and government computers.

A few thoughts, off the cuff:

No question, we’re talking grade-A idiot. For one thing, he was looking for hidden UFO data. For another, he was spelunking about in US military systems and got caught using off-the-shelf monitoring tools, rather than hacker tools that might at least have given him a shot at covering his tracks.

But is he dangerous? And more importantly, is there anything we should be taking away from this story?

For one thing, if McKinnon’s claims are true that he accessed some of these systems and found that they had no password protection, that’s something we need to be looking at very strongly. I don’t think it excuses his actions (neither does his stupidity, for that matter), but there’s not a great deal of difference between what McKinnon did to NASA and what you’re doing to jeffporten.com right now. That is, the difference isn’t “hacking”, but rather that I want you here, and the NASA computer is more obscure than my site. But still findable, and still on the Internet.

Here’s an example. Let’s say you’re using a computer with nmap installed, and you type in the following command:

nmap -sS

What you will get back is a list of protocols on which my website is willing to talk to you. Now let’s say you do this instead:

nmap -sS 143.84.24.*

and you’re stupid enough to do this from somewhere other than someone else’s Wifi access point. What you’ll get back is a list of people in dark suits with badges who are suddenly interested in what you’re doing. Because now you’re mapping a block of sites that includes the Army Research Laboratory, whose scary warning I blogged a while back.

Note that I have not actually run that command and I don’t think you should either. You’ll end up scanning 256 computers that are most likely all military, and for all I know some of them are not supposed to be accessed by guys without uniforms. But all of them are on the Internet, and all you’ve done so far is walk up to all of them and say, “Hi! What services are you running?”

So let’s say you’ve done this, and somebody over in the Double Secret Probation Security Department decides to figure out if you’re an idiot or a true threat. He gets a team to trace your traffic. But you used several of nmap’s standard obfuscation techniques (which I’m not going to document for you; they’re easy enough to find), so it takes them a week to figure out which logs apply to you. Then they have a map of IP addresses from which Internet providers you used, so they ask an FBI type to go knocking on ISP doors and connect those to physical addresses.

Then they set up a surveillance team and nail your ass.

No, I’m not running off on some paranoid fantasy. I’m just working some numbers from the Bureau of Labor Statistics, and doing a few sums in my head, and the figure I come up with is that what took you about five seconds to do, cost about $25K for the US government to nail you for, just in terms of salaries for the people involved. Probably higher since my numbers presume that these computer techies and FBI types don’t have any supervisors and prosecution is done pro bono.

That’s why I’m, well, skeptical when I see numbers like “$700,000 [in] damage to military and NASA systems”. I remember seeing reports of attacks on military computers from the 1990s, designed to scare the hell out of Congress, where the exact line of code I listed earlier would have been counted as 16,777,216 separate attacks on military networks. Under extremely vague statutes in force today, opening your laptop in the wrong part of Washington DC, and accidentally handshaking with an open government Wifi base station, could constitute a terrorist attack.

Which is not to say that I think this is a secret government plot to throw all computer users in Gitmo. Every server I run is attacked on the order of 1,000 times a day by automated attacks, and I’m guessing that any government system gets hit far worse. Most folks fly way beneath the radar even if they are terminally stupid, and I presume that McKinnon did something to set off an alarm bell or two.

But if he is right, and he did find services that were inadequately protected, then it would be awfully nice if the process of prosecuting him also exposed these problems and caused them to be fixed. Because it’s axiomatic that if he found them, he wasn’t the first nor the last. Somehow, I don’t expect that kind of open trial is going to take place.

And I gotta say… the worst hack in US military history came from a UFO nut in London, working alone, and cost only $700K to fix? Man, that’s the most reassuring news I’ve heard in years.

More on wiretapping (or moron wiretapping) your calls

So, on Monday I paraphrased Mort Halperin as saying that “all of the [Bush] administration’s statements concerning which information is targeted [for wiretapping] were specifically about this particular initiative [monitoring overseas calls]; … most expert observers believe that there is at least one more program, and possibly more, whose scope has not yet been revealed.”

What a difference three days makes. Boom, brand new program that doesn’t discriminate too much about whether you’re a US citizen or inside US borders.

I have little interest in the metaphysical debate over whether the Fourth Amendment covers the use of government computers, rather than government humans, listening in on your calls. I have little interest because I’m damn sure it should. The claim that computer monitoring is somehow not an unreasonable search into your papers is as ludicrous as if James Buchanan had claimed ponytapping was Constitutional because he used slaves instead of white people.

What I’d instead like to draw your attention to is this quote from Reuters:

“The privacy of ordinary Americans is fiercely protected in all our activities,” Bush told reporters at a hastily called session aimed at damage control. “We’re not mining or trolling through the personal lives of millions of innocent Americans.”

And that’s highly interesting, because it’s a lie. Not an evasion, not a spin, not a misreading, but a damned lie. Specifically, the phrase “we’re not mining.” It’s a shame he didn’t stick with “trolling,” because one could argue that they’re not literally using giant fishnets or trying to pick up women in bars.

But mining, well, that’s exactly what you have to do with the largest database in the world, and it’s pretty much the exact definition of “using the data to analyze calling patterns in an effort to detect terrorist activity.”

So, to recap — we have this program over here that monitors the actual content of phone calls on overseas lines, which is revealed by media investigation, and which Bush claims (without providing evidence) is strictly limited in focus. Then we have that program over there that monitors pen traces of domestic calls, which is also revealed by media investigation, and which is arguably what Bush claimed he was not doing when he was exposed the first time.

When that hits the news, he simply lies about it.

That’s the problem with circumventing the rule of law; once you’ve decided you’re above it, there just aren’t any limits. Or, to quote Al Gore, “Can it be true that any president really has such powers under our Constitution? If the answer is ‘yes’ then under the theory by which these acts are committed, are there any acts that can on their face be prohibited? If the President has the inherent authority to eavesdrop, imprison citizens on his own declaration, kidnap and torture, then what can’t he do?”

These surveillance programs ran simultaneously. To state that there are others which we don’t know about is a given; that’s the point of intelligence agencies. The sole question about the others is their scope. Considering the scope of the programs we do know about, I don’t see any conceptual line being drawn as “information about Americans that the government has no right to know.”

So — an open question to anyone in the “nothing to hide” community who’s stopping by this week. Where’s your line? How do your Fourth Amendment rights protect you? If you’re not disturbed about your phone calls, how about your emails? Private documents? What doesn’t the government have the right to know about you?

My CFP coverage in TidBITS

My coverage of the Computers, Freedom, and Privacy conference has just been published at TidBITS. The conference was chock-full of information and I’ve got more to say about it, which had to be cut from the article to keep this issue from becoming 30,000 words long, or from taking on more of a political tone than is usually the case. I’m still catching up on a pile of work from last week, so feel free to keep checking the CFP topic here to see my new articles as I post them.

Thanks go out to Adam Engst and the rest of the TidBITS crew for asking me to cover the conference, and to the Association for Computing Machinery for putting it on in the first place. As I say in the article, if you’re in the least bit interested in these topics, by all means come to Montreal next year.

Another shout-out goes to my buddy Brian Greenberg, who surely is shocked as hell to read this. The reason? Because Brian was the audience I had in mind when writing the article; he’s my standing skeptical sounding board on issues related to privacy and whether the current administration is living up to Orwell’s 1984, and I consciously wrote my piece with the hope of convincing Brian — and others like him — why these topics are important.

I’m sure he’ll tell me if I succeeded. Hope you do too.

More to come on CFP

I had expected to post more this week while I was at CFP, because, well, I am an utter blinkin’ moron. This is the busiest conference I’ve attended in a long time, and that is saying something.

Rest assured, I have much to say on the topic, but I’m going to hold off on commenting more here until my article gets published in TidBITS. When it is, I’ll continue here with the sort of editorial commentary that really isn’t appropriate over there.

But as a teaser, I’ll mention that after hearing from DHS about their plans to keep us safe, this is looking like an awfully fine time to move to Canada.

Lunchtime notes, CFP day 1

Quote of the day, from a T-shirt sported here: “Every time Linux is booted, a penguin gets his wings.”

Opening speech this morning from Senator Leahy, from the great state that will not apologize for its cheese. Full text available here, shorter: “Security good. Privacy good. I’ll elide my role in passing legislation that eroded the latter and didn’t do much for the former. The Bush administration went too far. We need more hearings, discussion, and bipartisanship.” Before passing more laws eroding privacy (Jeff addendum).

More shortly from a panel discussing federal regulation.

My day at the NSA

You know it’s an interesting day when you start at the National Security Agency and end at Public Citizen.

Today was the first day of CFP2006, and my first activity was the guided tour of the NSA. Or so we thought. Our first stop was at the entrance to the barbed wire fences that surround the NSA parking lot, where security boarded the bus to check the IDs of 50 privacy advocates. We were then warned to leave behind all cameras and electronics on the bus, especially cell phones and pagers, before going to the Visitor’s Center.

nsa.jpgI was towards the rear of the line (having a cigarette and vaguely wondering if a Zippo was a weapon), so I didn’t get to see the inside of the Visitor’s Center before the front of the line was sent back out—we actually hadn’t been cleared to be visitors. So we all tromped back to the bus, with a quick pause while another attendee grabbed a few telephoto shots of the Death Star building through the inner line of fencing.

I was left to wonder about the security precautions for the Visitor’s Center. You can’t see it in this Wikipedia shot; it’s a small building in the center of the parking lot, below the lower right of the photo here. It’s completely separate from the main building; I’ve been closer to the interior of the White House standing on Pennsylvania Avenue. So why are cell phones forbidden? My best guesses are: 1) greater concerns over Nokia bombers than shoe bombers; 2) just because; and 3) it makes (most) visitors feel really special to be seen as security risks, or reassures them about NSA security. As critical as I am of the NSA, I would generally give them the credit not to have anything in the Visitor’s Center too sensitive to be near a camera or an open phone line. I hope.

In any case, we tromped back aboard the bus, drove back out through the barbed wire, past the Shell station (20 cents a gallon cheaper than in DC), and to the National Cryptologic Museum, where we were supposed to be in the first place. “Can we bring our gadgets?” “Bring anything you like, this time.”

vigilancepark.jpgSuitably equipped with implements of destruction, we were all treated to a fine tour of the museum. We had already seen National Vigilance Park on the drive over, a re-creation of three planes that had been shot down during intelligence missions over the years. Those engagements, as well as others that cost the lives of NSA personnel, are commemorated in Memorial Hall, the first room we saw.

We were then conducted into a treasure trove of geek mathematical history, including a collection of Enigma machines and the Bombe that was used to decode them. An Enigma on display is exposed, so you can type in whatever you like and see the lights flash on as it is encrypted. I asked our guide how much they had to do to keep it working. He said, “It just works. We have 50,000 visitors a year, and kids love to bang on it. Every once in a while we have to change the light bulbs.” The machine continues to be battery powered, as per its original design, and could still serve as a 35-pound spy laptop.

The tour discussed the breaking of WWII German and Japanese codes, the security of the equivalent American codes after 1943 (which were used through the early 60s), and showed an array of fascinating artifacts from throughout the 20th century.

Almost. The notable thing about the NCM is that history ends in 1972 or so. If there’s anything there regarding satellites or the Internet, I missed it. Certainly nothing regarding wiretapping or other present-day issues. And of course, one wouldn’t necessarily expect to see such things at a museum that’s meant to give a positive impression of the Agency.

Which it does, and which is largely deserved. I recommend the NCM to history and technology buffs alike, and the underlying message—that the NSA has a history of serving its country well and with sacrifice—is worth repeating. Which is perhaps why one might regret that its present day actions are not similarly untarnished. I look forward to visiting the museum again in 2036 to see what it says then.

Postscript: as we were driving into the NSA, a wave of laughter passed through the bus because one of the cars there had a vanity license plate which was very amusing in the context of the NSA. I had originally intended to include it here, but I thought twice about it. Certainly, if this person does not want it widely known that he works at the NSA, his choice of vanity plates (and his parking near the visitors’ entrance) is extremely unwise. And yet… someone knows this plate and knows who drives that car. Perhaps that someone shouldn’t know where that car is driven to. So I’ll refrain from passing along the joke, just in case.