
Thread: Privacy Alert! Big Brother is watching and listening, UPDATED


  1. #381
    April
    Guest
    Privacy and surveillance: Jacob Appelbaum, Caspar Bowden and more

    All-day conference in Lausanne, Switzerland will discuss topic of privacy and surveillance in the light of the Snowden disclosures highlighted by the Guardian - and we're on the spot to liveblog it







    Protests in Berlin against US surveillance, after the Edward Snowden case.
    Wrapup - a fascinating day

    A long day - with some fascinating insights from Caspar Bowden, Bill Binney and Jacob Appelbaum. We hope you found it as fascinating as we did.


    5.37pm BST
    Appelbaum Q+A 2

    Appelbaum: "We give [NSA and GCHQ] a really hard target [in Tor]."
    Q: when I look at the Tor map there's a big thick green line going to the middle of the US... what is it..?
    A: I'll answer a related question - does the NSA run Tor nodes? As far as I can tell that's not the angle they're going for. But there are people with fast internet who care about freedom of speech.
    The Tempora program.. there are places which the NSA can't break into. Tor reduces the chance that you get targeted.


    5.33pm BST
    Appelbaum: Q+A

    A: financial transparency.. Julian Assange wrote an essay called "On The Take and loving it" about academic grants. For Tor we put our sources up. DoD, EFF...
    State interference in Tor.. GCHQ and the White House are targeting Tor and they are failing.


    5.28pm BST
    Appelbaum: we need to compartmentalise

    "The fact is that wherever there are unique identifiers the NSA will want to record it. They want it for 100 years, and certainly have it for 15.
    "One thing about Facebook was the real name policy. A fascinating notion is that we only have one name, and that it belongs to the state. The only people who get anonymity are those who can create IDs - which are states.
    "The Transnational Republic is trying to let us generate our own names - so you could define a pseudonym as yours. Things like that I suspect are worth working on.
    "One really important conclusion - IBM's German subsidiary in the second world war knowingly built punch card machines and repaired them in Auschwitz. They knew what they were doing. When these people are killing Muslims with flying robots, things have gone too far. We need to stop the engineers working on these extrajudicial systems. IBM Deutschland knew what it was doing. And the hacker group Gamma is building weaponised systems for the monarchy in Morocco... which is a problem.. the battlefield comes home. We really need to solve these problems.
    "There are differences in scale, but not in progression. Targeting people for torture or assassination - it's a matter of scale.
    "One last thought - imagine there's a wiretapping system that goes into an internet point. What does the FBI or CIA do when it taps a fibre? Each - NSA, CIA, FBI - gets this data. The problem isn't just the NSA, it's all of these agencies working together, they've subverted our democracy. The last stand is cryptography. If you're an engineer working on crypto.. this is for you. And we can all take a stand politically."


    5.21pm BST
    Appelbaum: systems backdoors should be treated like landmines

    In 2004 Greece had intercepts of phone systems - that attack looks very similar to Belgacom case. Maybe people have these [backdoor] systems built for one set of people but others can use it too. Adding backdoors - we should look at criminalising it. It's like landmines.
    "If we're worried about Chinese hackers, which I think is just veiled racism - they're not the problem, with the NSA we had to be told by someone inside, and they're in everything. If these NSA people got arrested when they travelled to Europe that would be interesting. The Guardian doesn't want to release names, and that's good in some cases. But people who commit mass human rights violations, they should be prosecuted.
    "The NSA has a slogan internally - 'we track 'em, you whack 'em'. Not a joke. It's really critical that we see the parallels: we're losing due process and we're losing justice. The number of people killed on the Berlin Wall during its operation was around 180. Number of people killed by drone strikes in the last 10 years is an order of magnitude more.
    "Policy is lagging behind technology. Policy should make sure we use crypto .. make it impossible to spy so we are secure in our communications. By marrying technology and policy together."

    Updated at 5.21pm BST

    5.16pm BST
    Appelbaum: RC4 may be broken

    Appelbaum says that the NSA is likely to be ahead of academic analysis. "I think the NSA may have broken RC4.. something like IPSEC which has a NIST standard may be just as bad or worse. And proprietary environment it may be worse.
    "In my computing hardware I drill the microphones out of my laptop." (A pause in the room while people consider that.)
    "How do we resist this? If I'm going to meet someone then I need to work on something that's forward-secret... it's called PANDA.. we want a way to have a shared secret and meet in a forward-secret way to do a key exchange. Because we know they look for particular keywords. The moment you connect to the internet then you reveal all your information, your presence."
    (Complex explanation follows of how they generate an encrypted tag using Diffie-Hellman (encryption) and then go forward and have a key exchange (for SSL) over the Tor network.)
    "I'm pretty confident that the way they would and could beat Tor would be via the web browser... " He tails off: doesn't want to describe something there.
    "Trying to save email is a lost cause apart from how it's distributed; PGP I trust but the user interface is a nightmare."
    His aim is "get rid of plaintext on the internet wherever possible... Google is starting to encrypt its own backbone, the internal fibres.. so even if the NSA was sniffing stuff in there it would get nothing... big networks need to adopt that.
    "I think if you're working on these things.. have one machine which is completely routed through Tor and never use the web browser on that. And then use another machine for browsing. A web browser is a nightmare of code. It's really quite, quite, quite scary. Perhaps transfer URLs via QR codes.
    (That's quite a warning from Appelbaum: web browsers are unsafe with the NSA in sight.)
    "All the major corporations which control DNSSec.. they're beholden to the NSA. I met a person who works in a security company, and they were told that whatever they do for their customers they're required to turn over their entire work product to the agency, without telling their customer or shareholders. The company has these privacy and non-disclosure agreements - and the state has privatised computer security researchers' work.
    "I've heard that from two sources but haven't seen any documents about it. But what I see in other things is that that seems to be what they would do. In Bullrun [cryptographic subversion] they're going to want data from companies.. via business record requests.
    "Free software is one of the only ways to move forward, but we need verifiable hardware too. And that's really difficult. Intel's random number generator.. I wouldn't really trust that, get lots of sources of entropy [for random number generation]."


    5.03pm BST
    Appelbaum: silence won't protect us

    "Just following orders isn't the way we should continue.. Another NSA program, Colocation, looks at cell location data - when Gen Alexander talks about how they're not collecting data under S.215, what they're doing is pulling location data for everyone nearby. They find data from people nearby." (Caspar Bowden says he hasn't had a mobile phone for two years.)
    Appelbaum says he only has a mobile phone "to mess with peoples' heads.."
    Says "it's scary when you consider the wiretapping of the planet. Cybersecurity... imagine there's a global dragnet getting usernames and passwords and pulling them into a database. And they store a lot of cryptographic data from handshakes. From Diffie-Hellman handshakes. Imagine if you could watch all that, what could you do with it? They may be able to do mathematical attacks that we would have trouble simulating or imagining."
    (Suggestion being that NSA is trying to crack some of the tougher crypto.)


    4.58pm BST
    Appelbaum: LOVEINT and more

    LOVEINT and the surveillance - "you put in an email address for a girlfriend or boyfriend and see what this planetary surveillance system pops up.. and they precompute your social graph, pulling in tax records, voter information, operating system, who your father is, where you work - it all gets tied together and XKeyScore ties it all together.
    "XKeyScore isn't just for data sharing - so FiveEyes (the five countries' data sharing) have a ratio - it's like a BitTorrent tracker.... it appears GCHQ has unfettered access to the NSA's database and vice-versa, so they've given up national sovereignty in order to work with each other.
    "And now imagine that they've got quantum insertion.. being careful how I phrase this.. there's a system that decides if you're vulnerable, and a system which decides what to put in.
    "This is especially scary when you consider that you can't do forensics on your device - you don't know if the embedded controller on your keyboard is what you think it is, the OS on your computer. As a designer you have to think of the worst it can be, and prepare for it."


    4.53pm BST
    Appelbaum: quantum insertion and MITM

    "Quantum insertion is a sort of 'man in the middle' attack - a person is targeted, and there may be an analyst doing it live.
    "You might visit a website and you're flagged and you become a new node in the graph. So for Belgacom they went after people using Belgacom, they targeted people and - when those people connected to services, those services were MITM exploited - say TCP, where you can inject something, they work on exploiting the computer in the other side. They can see the whole [TCP/IP] conversation and then fingerprint the software on either side. And they owned Belgacom.
    "So we see a shift in what GCHQ is doing - this is the new cool, but the social cost of this kind of spying is too low, if someone has access to this kind of quantum insertion system, they would be viewed as pretty cool in some computing circles.
    "But we should ask about justice, human rights. Everybody should have a sort of military security training against these extremely advanced military insertion techniques."


    4.50pm BST
    Appelbaum: we need to think about census data

    "With just census data you can pretty much wipe out a population, and not in a good way.
    "It's not just passive - there's a myth of passivity with the NSA - Prism, upstream programs. We need programs because these systems are designed as surveillance systems, where you are the product. Power congeals around these central points. Caspar [Bowden] has written about this - he just needs to throw in the NSA's lies.
    "If we look at this and the targeting system, it's the most challenging problem of our generation. We need to ruin graph analysts' work. But that's hard - how do we communicate without revealing metadata? "


    4.46pm BST
    Appelbaum: the new threat model leaves you one hop from a 'bad guy'

    "The new threat model ... all communications on the planet are in some way monitored by the NSA. You'll find people put classified program names on LinkedIn.. Mainway must be about telephone metadata because they say they're in telephone surveillance. And every one of those programs is solving one problem.
    "Satellites.. cellphones.. and the New York Times revealed something on Sunday - that the US government has data retention for 15 years. Now imagine the pale blue dot [Earth] and the NSA is trying to gather all those communications, and put them into a database.
    "They view themselves as an attacker, but the good guys.. and us as the victims.. they are in fact the adversary. And they're the adversary worth defending against. They're building social graphs for everyone." (This is referring back to the NYT piece about social networks, linked below.)
    "I send an email, Ari sends an email, he sends an email, there's enough plaintext there [in the headers] to analyse.. which allow you to automatically learn to pull this stuff out, and it starts to pull people out. When I'm in the room with a cellphone and you're in the room, and you're in the [social] graph.
    "It's clear it will start to gather lots of innocent people all the time. And when you tie this to the drone strike it means that merely using the phone and having a pattern is enough to have you targeted for murder.
    "Shouldn't we be designing as engineers against our systems being misused in this way?
    "There are a couple of books I'd encourage everyone to read - Philip K Dick's "A Scanner Darkly" (about a spy who is never sure if the people he's spying on are spies or not) and IBM And The Holocaust (about the collection of data in Hitler's Germany).
    "It talks about the threat models - using census data the Nazis could go from house to house and have this ability - in Holland it was 70% of Jews were eradicated, in France it was 30% because the card punch person was a member of the Resistance.
    "That machinery has been built again."

    Updated at 4.46pm BST

    4.37pm BST
    And now: Jacob Appelbaum

    Appelbaum is a digital activist...
    "Been thinking about revealing some new programs and wondered do I want to go to prison or not.. I know about things but can't talk freely about those things which affect you all..
    "Cryptography is so important because it becomes not possible to break the law.. you can't subvert the maths when the implementation is good. Today I want to describe the new threat model.
    "I met someone who said his friend was killed by a drone strike. By a flying robot. By graph analysis that means you're all one hop away [from a bad guy]. These powers.. maybe we should get rid of surveillance, rather like getting rid of landmines. And I think we can do that.
    "The person who was killed didn't have a trial by jury... and the only way to build a system so that he could have that would be by having secure systems. If you don't have the right to refuse to give up your passphrase you don't have the right to remain silent."


    4.31pm BST
    Binney: Q+A

    Q: Caspar Bowden: MLAT (multilateral?) information - the legal basis can be a sham
    A: yes, the point is that it's total subversion of the judicial system, not just ours. (Bowden: "This gives us an angle of attack.")
    Q: Jacob Appelbaum: seems like we've lost, need to move to the resistance phase... what advice would you give to the younger generation (Binney's not in the first flush).
    A: you're saying you want your Fifth Amendment right not to incriminate yourself.. you have to use encryption and position yourself so they can't get to your system. I think they've lost a lot of their capability. These people [now] are linear thinkers. When you're trying to solve a crypt system or code system you need to be able to do innovative things, see anything for a clue... and they are not audited. The US government does not audit the CIA, NSA, DEA... but they should be. We have to make them accountable.
    Q (Appelbaum): but if we fail.. network analysis is very powerful.. so other than reinventing the internet, are there real avenues for resistance or are we totally screwed?
    A: I think we're totally screwed. (Laughs.) I know these people, personally. Not wittingly, but--
    Q: Why are you able to talk about this here when Snowden's in Moscow?
    A: they really pissed me off. If it happens to me.. I'm trying to goad them, to be in their face. (Applause. Standing ovation - Binney is in a wheelchair, so could hardly run if the NSA or others came after him.)


    4.21pm BST
    Binney: it should be about finding out things before they happen..

    .."but they're being more of a transaction... forensic descriptor. That's not what it's meant to be." (There seems to be a tinge of regret in his tone that the NSA has basically lost its way: that it used to be doing useful work and now isn't.)
    Points to "Special Ops Division" (SOD) which works with US Drug Enforcement Agency where it doesn't tell people where information has come from. "That's subverting the fourth Amendment... this subverts the Constitution."
    Points to printout of SOD presentation which says "parallel construction" mean "use of normal investigative techniques to recreate the information created by SOD" - that is, doing things that you wouldn't have known to look for if it hadn't been for the information gained by surveillance.
    "This is the threat created by lack of privacy," Binney says, finishing.
    (Fascinating talk - he's a former NSA agent who feels that the organisation he used to work for is being used to breach the US Constitution instead of preventing crime.)


    4.12pm BST
    Binney: how we found suspects

    Binney slide shows how by going from a "known bad guy" and expanding the view you take, you get to "suspected bad guys" - add in a couple of layers and you can't "focus in on the real problem" because after two layers where you expand by 10 people each layer you're up to 100, then 10,000, and more and more.
    He thinks taking in too much data gives you too much to handle - and that creates problems.
    "That's why they missed the bombers in Boston, the shooting in Fort Hood.. whatever system you design, people have to be able to make effective decisions from it… as programmers you have to think about what you're taking in, what are the enterprise objectives, and think about the entire program."


    4.07pm BST
    Binney: how the NSA tracks people

    Shows a slide about tracking which shows how you can be tracked from "Bob" turning on his computer at 6am through to the end of the evening. How? Tapping cables.
    The major carriers including BT all have cable convergences in places like New York and Chicago, Houston, and then internationally in Frankfurt, Hong Kong, Tokyo... (remember the Mastering The Internet story from the Guardian in the summer.)


    4.00pm BST
    Binney: '300,000 phone calls per day'

    NSA was monitoring 300,000 out of 300 million US calls, and 3bn calls crossing - and maybe 10bn per day.
    "We had a way to monitor this without violating anyone's privacy... we had no difficulty in finding devices or people anywhere in the world.. you could track them, there were ways to do that... we could find all sorts of things."
    Everyone listening hard... "we had some positive things happening in the US.. Congress under Rep Amos are trying to unfund the NSA, tried to pass a bill in late July and August, which only failed because of the President and Gen Alexander.. I look on Snowden as an absolute whistleblower, he has done a service for the entire world. And that's from an NSA perspective." Tongue-in-cheek smile.

    Updated at 4.03pm BST

    3.51pm BST
    Binney: 'we weren't supposed to know about it'

    "They gave the excuse that we have to use this to stop the terrorists and if you stop this then the terrorists will win. It was all nonsense."
    Describes LOVEINT - when analysts would use surveillance data to see what an ex-girlfriend was doing. "Or Snowden could drain it all off. They didn't have any way to monitor the use of this stuff." (Lovely phrase - that Snowden "drained" the data.)


    3.46pm BST
    Binney: 'it was unconstitutional'

    "Collecting the records was unconstitutional... they should have started impeachment proceedings." Suggests Nancy Pelosi (Democrat) was one of the people who was told; she later dismissed idea of impeachment against George W Bush. No capability of oversight of the collection program. Re-approved every 45 days: "this was a cabal inside government, a secret constitution." Decision started soon after 9/11, perhaps on 14 September, and the equipment needed started showing up in early October 2011.
    Program was called "Stellar Wind" - this was for domestic data.
    "This is why we refer to Washington DC as the 'District of Corruption'."


    3.41pm BST
    Binney: we could have picked up the terrorists from 9/11..

    They could have spent $300m then.... or $4bn now. There was a programme which could have spotted some of what was happening. He had a team of five people... "we focussed on finding the problem... looking at 20TB/min, most of it we let go by, you calling your spouse, that's not relevant to anything, we let that pass by."
    "Then 9/11 happened.. there was a conspiracy to subvert the constitution of laws of the United States...they had a problem, how to do it and let it happen.. they called this program a 'covert' program.. meaning they can only notify eight members of Congress." (Audience is hanging on this.)


    3.34pm BST
    We return... with a speaker from the NSA

    That's Bill Binney. He's ex-NSA (not current) and he has, he said, left the US. Here's the Wikipedia quickread:
    a former highly placed intelligence official with the United States National Security Agency (NSA)[3] turned whistleblower who resigned on October 31, 2001, after more than 30 years with the agency. He was a high-profile critic of his former employers during the George W. Bush administration, and was the subject of FBI investigations, including a raid on his home in 2007.
    Updated at 3.47pm BST

    3.06pm BST
    Hill: Q+A: why did the US go after Snowden so viciously?

    Q: (Jacob Appelbaum): no metadata protection in ITRs; and China blocks Tor by looking at metadata. Metadata is where the power is. (And he helped write the "necessary and proportionate" part. And doesn't support keyword filtering.) The text hasn't got a clause saying no censorship...
    A: ... but there isn't ...
    Q: ... but what about spam filtering ...?
    A: You can look at a bot ... and interpret the text by saying "we use anti-spam filters". (It's about telling people you're doing it.)
    Q: You said knowledgeable people knew spying was going on ... so why did the US go after Snowden with such a vendetta?
    A: I think most European parliamentarians did not know what was going on - don't underestimate their lack of technical knowledge. I didn't think they were doing things like XKeyScore - I didn't think they were stupid enough, that it would cost too much. But it's entirely different when it's out in public and then someone puts it on the floor in the United Nations - the US didn't reply. In diplomatic conferences states tend not to attack each other.
    Domestic politics ... it's about spying, it raises complications. And it is a trade – if the US can get him they'll put him in jail forever. 'He signed an agreement ... he's a traitor, and there's a long history of people defecting back and forth between the US and Russia'.
    Q (Jacob Appelbaum): He didn't defect, the US cancelled his passport while he was en route to other democratic countries which he could have gone to. He's not a defector – he's enabled all of us to have information we couldn't have got any other way. We should not use the language of the oppressor - he should be getting asylum here because he has revealed serious crimes against everyone in this room.
    And that's the end of the session, with that intervention from Appelbaum - who is speaking in about an hour next, in about half an hour.

    Updated at 3.32pm BST

    2.54pm BST
    Hill: the way forward

    - limitation to right to privacy should be limited by law
    - limited exceptions to user notification of surveillance
    - states should be transparent about surveillance
    - there should be public oversight.
    Calls on the Swiss government to lead the way in this, especially by revisiting International Telecoms Regulations, and consider the "necessary and proportionate principles" of monitoring.


    2.50pm BST
    Hill: International telco regulations... maybe not as strong as they could be?

    Points out how the international telcos are gently allowing US to tap phone networks. "Media coverage was inaccurate, influenced by well-funded misinformation campaign which served the interests of the US government."
    (interlude..)
    US President Obama said in May 2009: "Our pursuit of cybersecurity will not include monitoring internet communications." But Prism had started in 2007. Open question: did he not know, or did he think it would be legal?


    2.41pm BST
    Hill: post-Snowden, we need regulations on what can be done to phone lines

    International Telecomms Regulations (ITRs) need to be regulated. Has to be consistent with human rights.
    Telecoms is about 3% of GNP, up to 10% in developing countries.


    2.32pm BST
    Hill: but headlines were overblown...

    Icann couldn't do that... because Dubai is a signatory to ECHR.
    "Now, who plays poker?" Almost nobody puts hands up. "Oh, this is different from MIT."
    But poker is a game of skill - though it's never been tested in court whether it is gambling to play or not. US government didn't go to those lengths - it just went after big gambling sites, which caved.


    2.27pm BST
    Hill: what once took a year...

    "It took Hitler a year to collect the names of all the Jews in Germany. If he had been around now, it would have taken him just a day."
    And now we move on to Dubai - and he recalls the headlines from the Icann meeting of 2012: "UN to take over internet to carry out censorship". (That wasn't our headline.)


    2.20pm BST
    Hill: recap of Snowden disclosures

    A quick recap of what we learnt from Snowden...widespread surveillance, judicial supervision for US citizens, other nations also do it, and "knowledgeable persons knew" - but not all ordinary people knew.
    GSM phone voice encryption code was allegedly weakened at the request of security agencies.
    Hill has an Android phone but refuses to sign into Google, so can't sign into Google Play, so can't get apps (so couldn't get app for this conference).


    2.12pm BST
    Hill: Bill of Rights, ECHR

    This is going to be more of a legal examination than Schneier's which was more free-form ...

    Updated at 2.57pm BST

    2.09pm BST
    Richard Hill: Internet freedom, Snowden and Dubai

    Hill's details are here.

    Updated at 2.09pm BST

    2.05pm BST
    Schneier Q+A: on NIST and NSA

    Q: (on a pseudo-random number generator which NIST suddenly recommended against using) ...?
    A: we don't know ... we need guidelines to figure out what we can trust today.
    (Cost-benefit question comes up.)
    A: We need cost-benefit analysis – nobody ever says "this is too much intelligence". TSA is easier place to start – you know the cost of full body scans, what's the benefit? Reinforcing the cockpit door makes sense; taking off your shoe doesn't.
    Q: (Jacob Appelbaum, who calls himself an American exile living in Europe): are you horrified by how the US treats people like me?
    A: we're living in a world where if it's immoral, as long as it's legal it's OK. But writing for US audience, the idea that EU citizens are "lesser" is pervasive. That's just the way the system is built. "It's not illegal, therefore it's OK."

    Updated at 2.58pm BST

    1.52pm BST
    Schneier: Q+A

    Q: (Caspar Bowden): Anything in the Snowden documents relating to PGP?
    A: I believe the maths is robust. But we know they have done stuff because they're crowing about it. But - something with Elliptic Curve; or factoring logs; or RC4. Other than that - they break a lot of crypto, by hacking around the crypto, on the random number generators, or getting keys, or compromising root certificates – to get that so they can do it in human time ... is hard.
    Q: Metadata ... Europe ... a lot of this technological determinism comes from the US where our regulators don't see them the same way.
    A: The cost of saving data is so cheap that you're going to save it just in case ... But companies like Facebook and Microsoft are really pissed off that they're losing business because of this NSA stuff. Though for more people this is not an issue.

    Updated at 3.01pm BST

    1.43pm BST
    Schneier: death of privacy has always been a big seller...

    "Privacy has always been a balancing act ... we either learn or we handle it through law. Technology determines what's feasible, law determines what's allowable.
    "Data is the pollution of the information age ... we're arguing about how to dispose of it, we're arguing about secondary uses.. we'll look back in a few generations, like we do to Victorian age, and marvel at how we ignore data pollution.
    "The people who brag that they don't use email need to retire. And the people who grew up on the internet need to take over."

    Updated at 3.01pm BST

    1.37pm BST
    Schneier: surveillance is robust

    One of the lessons of these leaks is that surveillance is robust - given the choice of doing A or B, the NSA does both.
    US has a three-day warning via its intelligence of the Syrian chemical attack. Lots of possibilities for why nothing was done: perhaps nothing was done because collecting it meant that it was collected, and to reveal it would mean that sources might be compromised. "We've seen nothing of a cost/benefit analysis from the NSA. But we've seen nothing from the TSA either.
    "How do we know if this is worth it? We never see a cost/benefit analysis of this work.
    "We need to reject the security v privacy debate - it's a false dichotomy. When someone says security v privacy, say "a fence. A doorlock." Neither affects privacy.
    "ID cards affect privacy, but not security. The only thing that has made flying safer is locking cockpit doors and allowing passengers to fight back - that's not privacy."
    Fundamentally a liberty v control debate: "privacy increases power, so when you have forced openness in government, it increases liberty; force it in people and it decreases their liberty. If you go to a doctor and he says 'take off your clothes' you can't say 'you first'. If a police officer demands your ID, it doesn't help if you see their ID first. There's an imbalance."


    1.29pm BST
    Schneier: Moore's Law is the friend of intrusion

    "It's good we're having this debate now, because I think it might fade into the distance. In the US you get ID checks all the time, where 30-40 years ago it would have been abhorrent. In ten years' time the cameras will be everywhere and they'll know who you are based on the devices you're wearing, your face, everything about you."


    1.28pm BST
    Schneier: ask someone what their privacy policy is...

    "...and they'll look at you like you're weird. But you know that they have one." (We think of what we regard as private and what we share.) "It's only because of computer mediation that we have to write it down and make it explicit." Same with our backup policy, he suggests.
    Survey found that if you put a big paragraph about privacy policies in front of people when they first log on to a site, they disclose less.
    The more you think people are sharing, the more you will share. Privacy levels are set locally. If you start asking public questions to much more personal ones, people block off answering sooner than if you go in the opposite direction (start with a very personal question, make it more general).
    "This is because people have conflicting privacy policies.. and companies play on this. Sites are designed so that you will share more. It's not breaking the law, it's basic psychological manipulation."


    1.20pm BST
    Schneier: Google has great customer service...

    "...but you, Gmail account holder, aren't a customer. You're a product. Google doesn't have great product service." In other words, its customers (advertisers) get great service - dedicated customer agents. However, products (you, the people) don't get so well treated.
    "We're moving towards a world where we can't forget. A world where nothing is ever ephemeral is going to be different in all sorts of ways. There's no such thing as a throwaway conversation. Maybe the world will be like a giant airport security zone where nobody can ever make a joke."
    Corporations use government rules to protect themselves, and vice-versa. Eg US companies not releasing information because they claim there's a national security interest - eg about pollution records (detailing pollution might give clues to a Sikrit Plant).
    "Metadata = surveillance. If you hired a private detective to put someone under surveillance, they'd see who they spoke to, where they went, what they bought. That's metadata. When the president says 'it's just metadata', he's saying 'it's surveillance'."


    1.14pm BST
    Schneier: we're leaving digital footprints wherever we go

    "This isn't malice.. it's just what happens. And cloud computing exacerbates this. We're leaving this on someone else's computer, that's what cloud computing is - your data on someone else's hard drive. And cloud is probably the endpoint - access from wherever you are, so likely this is the end - we're going to have our data where it makes commercial sense, and that's on someone else's machine because it's too expensive to maintain myself."
    Now looking at the legal side.
    "There's been a libertarian bent to the internet.. laws shouldn't mess with the internet.. that data belongs to the people who have it. Gmail with email, data brokers, phone records with carriers... there's not much protection in the US. Different in Europe, which I like. But national intelligence operates in a grey area."
    He says that technology "grows the box" of legal regulation - rather like a gas expanding, keeping ahead of the laws holding them back. "Legal can't keep up."
    Schneier says that he still uses POP (Post Office Protocol) for his email - for many techies that went out in around 2003.
    "Apple has much tighter control of what's allowed on the iPhone than on its desktop, or is on Windows. And Windows 8 is heading in that direction. There are good business and consumer reasons why that's happening. But we are losing control of our data."


    1.07pm BST
    Bruce Schneier: what are the threats to privacy?

    Audience is fed and watered, and Bruce Schneier, longtime security and privacy advocate, is speaking.
    "Audio surveillance.. phone calls... video surveillance from CCTV or even Google Glass... Wi-Fi surveillance, Bluetooth surveillance.. there's a lot going on."
    Automatic face recognition; voice recognition (Spanish telecoms company uses voice recognition - which meant that Jacob Appelbaum won't call you if you're in Spain.)
    "In the US we have Infinity cards... [loyalty cards].. tie you to what you've purchased.. I think the trends are important because they point to what's happening. Data is a byproduct of the information society. Everything done on a computer creates a transaction record. Your mobile phone creates records - location, call.. that new iPhone with the motion sensor will know when you're holding it, asleep... any kind of commerce, EZPass in the US for paying for tolls, everything produces that data. Data is a byproduct of almost all our socialisation now because it's mediated by computers, except for incidents when we're in the same room.
    "When I talk to my wife, we talk by email. Even if we're in the same house. Because we're in different rooms." (Intriguing insight into the Schneier home life..)


    11.49am BST
    On another note.. European Council on privacy and internet on Tuesday

    European Council having hearings on privacy and internet tomorrow - Duncan (Zircon) Campbell is going there.
    Person running the day: "Can everyone who does not have a Facebook account raise their hand?" (Quite a lot do - at least a third of the audience?) "You can have lunch."


    11.46am BST
    Arnbak: Q+A

    Q: This is like environmental protection, isn't it?
    A: Understanding the problem is vital... in the debate.. what are the incentives? Why is this happening? It's not counterterrorism, or cyberattack prevention... it's something else. We're still trying to figure out why this is happening.
    Q: (Jacob Appelbaum): NSA isn't passive - Belgacom - GCHQ has broken into the telco and exploited them. Isn't that illegal? It seems illegal. Are we living in post-democratic times? It seems that way in the US.
    A: I would have to say that national security exceptionalism is big.. Belgacom, should challenge before the courts. Maybe these revelations will annoy judges. It's vital not to give up on legal solutions. It's good that [Liberty and Privacy International] have taken this action.

    Updated at 3.17pm BST

    11.31am BST
    Arnbak: Liberty v UK most relevant

    UK has some big getouts in its law: "information could be listened to or read if the secretary of state considered this was required for national security… or the protection of the UK economy".
    It's unclear whether there's a moral or legal obligation under the ECHR (Human Rights act).
    (Basically, we seem to be concluding that there's no clear case law, but that ECHR lets you leak.)


    11.24am BST
    Arnbak: "who's going to bring the case?"

    "Everybody is complicit.. who's going to bring the case? Is the UK going to sue the US?" Arnbak doesn't see that happening.
    But Liberty has launched a case... and in Europe the existence of a law which allows you to be surveilled can be argued as indicating that you've been harmed. And it's not just personal data, but all data on a server that's protected under European law - at least, that's the argument.


    11.17am BST
    Arnbak: do 15m of the US workforce do something in intelligence?

    5 million people have security clearances, each has two staff - that suggests 15m of 136 million in the US workforce are in it. Though you can't get the numbers. Classified.
    "Dubious role of academia". Possibly 10 years behind the NSA.
    So can law and policy stop it? In Netherlands found that the Dutch medical records were being built by a US company; they raised question about whether that could be shared with the US. Dutch minister said that "we have medical secrecy!" Arnbak suspects that the NSA probably knows all the details it needs.
    Hardly any chance of reform of US laws, especially relating to foreigners. "No chance".


    11.12am BST
    Arnbak: SSL certificates are a strange market

    Three certificate authorities sell 75% of all certificates, and five sell 95%. "Markets tend towards concentration which makes access to data very easy." (Implication is that cert authorities have been subverted.)
    Intelligence sharing means that you get a race to the bottom. Like cycling - if all but one stops doping, then that one will keep winning. The race to the bottom in intelligence is to collect everything so you have more to share so you can get more in a sharing arrangement with other nations.
    But: nobody gets fired. (A good point. Not a single head has rolled - that we know of - over this whole affair.)


    11.07am BST
    Arnbak: it's all being collected

    Points to the NYT / NSA / social connections article (mentioned below). "Able to take in 20bn record events daily and make them available to NSA analysts within 60 minutes." And that data is collected about US persons for up to five years online, and an additional 10 years offline for 'historical searches'. So that's 15 years - "US citizens aren't that much better off."
    Total Information Awareness - was given up as too expensive in 2003, but it's back in 2013, even if not under that name.
    $600m - Amazon and the CIA signed a deal where the CIA would lease cloud computing capacity. Points back to Vogels in October 2012 talking of "fearmongering" - and suggesting that Vogels "already knew" about the CIA deal coming down the track when he made that statement.


    10.59am BST
    Meanwhile, Phil Zimmermann says email can't be made safe

    Elsewhere on the Guardian site, Phil Zimmermann - inventor of PGP - says that email just can't be made safe, because of its use of headers, which can be scooped up. (See earlier linking to the New York Times.)


    10.54am BST
    Next: Axel Arnbak on the law v total international surveillance

    Arnbak says the question is: can law address total international surveillance?
    (Wearing a t-shirt saying "Yo, where are my bits at?" which could be the slogan for the entire conference.)
    Points to Werner Vogels, Amazon cloud CEO, saying that questions about cloud security and privacy were "fearmongering".
    Wrote a paper about threats of clouds and decided on a Pink Floyd album name - "Obscured by Clouds". And on the day they published, the Snowden disclosures began. "So we should have called it 'Dark Side Of The Moon'." (The audience liked that.)


    10.45am BST
    Forgo: Q+A:

    Q: how different is eg Facebook privacy from any consent form eg for an operation? And which are the best countries for data privacy?
    A: European concept of data protection differs from medical consent.. but some of the ideas from clinical trials can be used for better implementation. And we don't know which laws work best - that would need empirical analysis which we don't have because of lack of transparency- you can't ask secret services what they're doing; they're called 'secret' for a reason.
    And ideas of computer security differ in law between eg UK and Spain - one is precise, one is abstract.


    10.39am BST
    Forgo: rounding up.. it's the economy..

    Points to Euro Commission which shows that top five sites viewed in EU member states: Google, Facebook, YouTube, eBay... very rarely do you get a European company in them.
    Quoting EU digital agenda data: economy means it's about infrastructure. (His argument seems to be that Europe needs to design its own cloud infrastructure.) Points to article about "Google knows nearly every Wi-Fi password in the world".
    (The implication being that Europeans need to roll their own. Points to "made in Germany" email services. Quotes the suggestion that NSA fallout could cost Silicon Valley up to $35bn in annual revenues in lost overseas business.)
    Points to survey of EU police authorities and various hacking strategies (eg man-in-middle, DNS poisoning) - where many refused to say if they were using particular tactics at all.


    10.32am BST
    Forgo: not just Britain trying to impede law

    Mentions Guardian article from last Friday on data protection law changes.
    He isn't particularly hopeful that EU changes to data protection will be much of an improvement. Hedged around with phrases like "having regard to the state of the art and the cost of implementation".
    "Right to be forgotten": Stanford Law Review was scathing about it, saying "Europeans have a long track record of declaring abstract rights which they then don't enforce."


    10.25am BST
    Caspar Bowden: link to new report

    Mentioned previously, the full report is here.


    10.21am BST
    NYTimes: NSA gathers data on US citizens' social connections

    Just a reminder that this is about real people and topics: the New York Times on Saturday said that the NSA is gathering data on social connections of US citizens.
    The spy agency began allowing the analysis of phone call and email logs in November 2010 to examine Americans’ networks of associations for foreign intelligence purposes after NSA officials lifted restrictions on the practice, according to documents provided by Edward J Snowden, the former NSA contractor.
    Updated at 11.02am BST

    10.11am BST
    Forgo: what does 'processing of data' mean?

    Forgo goes into article 8 of EU privacy law - covering data: "It's a very general and broad clause."
    But he points to article 2: that data needs to be processed fairly for "specified purposes". He points out that this goes against some big data uses. (At least, if you do it without permission.) It is illegal if you don't have informed consent, or some other legitimate use.

    Updated at 10.28am BST

    10.08am BST
    Forgo: why does Facebook want real names?

    Facebook conditions say "We require everyone to provide their real names, so you always know who you're connecting with. This helps us keep our community safe." (Not that it does, but he pointed out that this isn't helpful for dissidents.)
    Cites the Randi Zuckerberg photo (private photo posted on FB which then escaped to Twitter): "You reposting it to Twitter is way uncool," Ms Zuckerberg says.
    Forgo: "In Europe we'd probably say 'illegal' not 'uncool'." And points out that the picture appeared in the Twitter-passer's FB feed – so, she said, "I thought it was public."

    Updated at 10.27am BST

    9.58am BST
    Forgo: how gamers literally sold their souls

    Cites an April Fools joke where Gamestation changed its Ts+Cs so that it could claim the souls of anyone who signed up - though if you read it and objected then they would send a £10 voucher. 7,500 sold their souls; about 10 claimed the voucher. (That's remarkable that as many as 10 actually got that far.)
    Facebook's full use data policy is scrolling past quite quickly: "it takes about a minute".
    Europeans would say that "including" - which is in the first sentence in the FB terms - isn't sufficient: that you need to specify what you're actually going to collect and what you're going to do with it. Points out that this stuff is all too vague: "Sometimes we get data... an advertiser may tell us information about you including... We also put together data from the information we already have about you and your friends... We may access, preserve and share your information in response to a legal request.... if we have a good faith belief that the law requires us to do so." Emphasis added by Forgo: he points out that they're not saying that there actually is a legal requirement, only that they believe there's one.
    "Facebook use reminds me of people who smoke - they know it's not healthy, but they do it anyway."


    9.52am BST
    Next up: Nikolaus Forgo: no harm in law if you agree... but what's that?

    Forgo is head of the Belgian Center for Data Protection.
    Says that we're living in "interesting times" (which isn't actually a Chinese curse, but serves well enough). Reminds us that "if the product is for free, you are the product". And Zuckerberg's assertion that "privacy is a social norm of the past"; and Eric Schmidt that "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." (Such as buying a penthouse in New York, Mr Schmidt?)
    And "volenti non fit iniuria" - if you agree to something, there's no harm in law. Cites Facebook: "did you read the privacy policy? And did you understand it?" Very rarely do people read what they agree with.


    9.17am BST
    Bowden: free software isn't a panacea

    Questioner says that free software has been subverted too - so what do you do?
    Bowden: at least it's the least worst. (Bruce Schneier agrees.)
    General agreement from the front row (the speakers) that free software is the best place to start if you're trying to escape surveillance.
    (There's a break now before the next session.)

    Updated at 9.39am BST

    9.12am BST
    Bowden: Q+A

    Bowden: "Snowden probably only had basic access to NSA details ... CIA is building its own $600m data centre ... and gets its own copy of data which can be analysed under its own missions and authorities. And we don't know anything about that – we need to pay attention to that."
    Duncan "Echelon" Campbell asking about intra-EU threats - eg GCHQ tapping into fibre networks, other EU countries including Sweden and others in "Five Eyes" (US, UK, Australia, New Zealand, Canada intelligence sharing). Bowden: report coming out next month. Update: here's the link to his report.

    Updated at 10.28am BST

    9.04am BST
    Bowden: Europe dropped anti-FISA clause under US lobbying

    EU was going to have a "political" warning - but article 42 of the data regulation was dropped.
    Says we need an "EU cloud" - an Airbus to match the US's Boeing.
    He's put up a report (link to come). Thinks that "there should be a warning when you log on to US services that 'you're putting your data within the surveillance range of a foreign government. Do you agree?'"
    (Audience laughs and applauds that one.)
    "If you want information security buy an exercise book and a biro. Because we don't know what's being collected. If you put your data online it's like putting it in a privacy Guantanamo Bay."
    (Quite a flourish to end.)


    9.00am BST
    Bowden: 'it's not PRISM that's controversial in the US, it's the PATRIOT Act' - metadata

    The US political debate has all been around Americans and their rights; the rights of non-Americans just don't exist in this context. Ex-NSA director Hayden says that "the Fourth Amendment [guaranteeing privacy] is not an international treaty" and that there's a "home field advantage" having data go across the US.


    8.56am BST
    Bowden: are there more PRISM-style programmes?

    It's a big question: might there be other s.702 programmes - for business cloud computing?
    The cookie that Facebook drops on your to watch you might be used for surveillance - there's no difference between business and government surveillance.
    Mentions XKeyscore and Bullrun. And the James Clapper agreement that Prism was about s.702 of the FISA. "I thought, 'wow'."
    Mentions Guardian publication on 20 June of how NSA targets non-US citizens: confirms zero substantive privacy protection outside the US.




    http://www.theguardian.com/world/201...in-switzerland

  2. #382
    April
    Guest
    NSA files: latest reaction and developments - live

    Welcome to our new hub for all Edward Snowden, NSA and GCHQ-related developments around the world, as controversy over revelations leaked by the whistleblower continues to make headlines

    The extent of state surveillance exposed by the whistleblower Snowden is forcing a global debate about privacy in the digital age.

    As billions of ordinary people argue over how much of our day to day life should be monitored in the name of national security, this liveblog will bring together the latest developments and reaction.

    We'd like to know what you think about the whole NSA story, what you're worried about - and any new areas you'd like to read more about.


    NSA keeps public web data for one year

    The latest Guardian story reveals Marina, the codename for a vast repository of data on millions of web users backdated up to one year.
    Data includes search terms, emails and account passwords gathered from NSA collection systems, although phone data is stored separately.
    An introductory guide to digital network intelligence for NSA field agents, included in documents disclosed by former contractor Edward Snowden, describes the agency's metadata repository, codenamed Marina. Any computer metadata picked up by NSA collection systems is routed to the Marina database, the guide explains. Phone metadata is sent to a separate system.
    "The Marina metadata application tracks a user's browser experience, gathers contact information/content and develops summaries of target," the analysts' guide explains. "This tool offers the ability to export the data in a variety of formats, as well as create various charts to assist in pattern-of-life development."
    The guide goes on to explain Marina's unique capability: "Of the more distinguishing features, Marina has the ability to look back on the last 365 days' worth of DNI metadata seen by the Sigint collection system, regardless whether or not it was tasked for collection."

    5.20pm BST
    What you're saying below the line...

    zacmcd is right on the zeitgeist: "if you want privacy you now have to pay for it."
    LidBlownOff makes a great point about spam - would be great to get some figures on that: "Move[d] my email to a non-US server as soon as this NSA obscenity broke into the public domain. Interesting to note the immediate improvement. Before - using google mail and google search - I would regularly get at least 15 spam messages a day. After switching totally away from Google I have not received a single spam message."
    The bottom line from Ralfph on the challenge for any kind of Euro Cloud, as suggested by Caspar Bowden: "Still need to protect the Euro cloud from GCHQ and BND."
    Is the Euro Cloud really the answer? analoguy thinks that's more complicated than it looks: "The NSA, GCHQ, etc. have spy centers right here in Europe, like in the Frankfurt area of Germany, which is a major hub for all Internet traffic within Europe. So I'm afraid all those good intentions are kind of a waste of time and money."
    Why isn't there a public outcry?

    vFuzzy wants answers: "Why isn't there a public outcry by the American people against a government which betrayed them? How can they live with their lives being infiltrated and spied upon by an agency caught in its own lies? Why aren't the members of Government and the NSA involved being sued for privacy issue and data infringement along with international espionage plus the trafficking of data involving matters of national security to another sovereign nation. The Agency breaks international laws and breaks all code of ethics yet still they are able to justify it. This just shows how weak the American people really are standing by while their government takes away their civil rights and all meaning from the amendments."


    4.57pm BST
    NSA analysing social networking data

    It's unlikely that Mark Zuckerberg ever intended 'the social graph' to be plundered by national security services, but the New York Times reports that the NSA has been exploiting public social data to map social connections, locations and travel plans.
    NYT picked up on the analysis of social data partly because it did not distinguish between US and non-US citizens.
    An agency spokeswoman, asked about the analyses of Americans’ data, said, “All data queries must include a foreign intelligence justification, period.”
    “All of N.S.A.’s work has a foreign intelligence purpose,” the spokeswoman added. “Our activities are centered on counterterrorism, counterproliferation and cybersecurity.”
    The legal underpinning of the policy change, she said, was a 1979 Supreme Court ruling that Americans could have no expectation of privacy about what numbers they had called.
    It took two full days for technology tabloid the Register to respond with the requisite post headlined: "NSA in new SHOCK 'can see public data' SCANDAL!"
    More spooky but less surprising: the NSA seems to have worked out that if punters are already publishing information about themselves on social networks like Facebook or Twitter, it might be able to scoop that information into its databases (and from there into its analysis) without a warrant.

    More here:
    http://www.theguardian.com/world/201...-whistleblower

  3. #383
    April
    Guest
    Read the documents




  4. #384
    April
    Guest

  5. #385
    Senior Member AirborneSapper7's Avatar
    Join Date
    May 2007
    Location
    South West Florida (Behind friendly lines but still in Occupied Territory)
    Posts
    117,696
    NSA Central to U.S. Assassination Program

    Submitted by George Washington on 09/29/2013 23:30 -0400


    We’ve previously documented that the NSA isn’t just passively spying like a giant peeping tom, but is actively using that information in mischievous ways … such as assassinations.

    A lot more information is about to come out on the topic. AP reports:


    Two American journalists known for their investigations of the United States’ government said Saturday they’ve teamed up to report on the National Security Agency’s role in what one called a “U.S. assassination program.”

    ***

    Jeremy Scahill, a contributor to The Nation magazine and the New York Times best-selling author of “Dirty Wars,” said he will be working with Glenn Greenwald, the Rio-based journalist who has written stories about U.S. surveillance based on documents leaked by former NSA contractor Edward Snowden.

    “The connections between war and surveillance are clear. I don’t want to give too much away but Glenn and I are working on a project right now that has at its center how the National Security Agency plays a significant, central role in the U.S. assassination program,” said Scahill ….

    ***

    “Dirty Wars” the film, directed by Richard Rowley, traces Scahill’s investigations into the Joint Special Operations Command, or JSOC. The movie, which won a prize for cinematography at the Sundance Film Festival, follows Scahill as he hopscotches around the globe, from Afghanistan to Yemen to Somalia, talking to the families of people killed in the U.S. strikes.

    JSOC, as well as the CIA, have been described as “the President’s private army”, which operate at the President’s beck-and-call with no real oversight.

    But a fourth agency is also centrally involved in both intelligence-gathering and assassinations: the National Counterterrorism Center (NCTC). NCTC is responsible for generating the “disposition matrix” of who to murder using drones or other means.

    As Greenwald noted last year:

    The ACLU has long warned that the real purpose of the NCTC … is the “massive, secretive data collection and mining of trillions of points of data about most people in the United States” …. In particular, the NCTC operates a gigantic data-mining operation, in which all sorts of information about innocent Americans is systematically monitored, stored, and analyzed. This includes “records from law enforcement investigations, health information, employment history, travel and student records” – “literally anything the government collects would be fair game”. In other words, the NCTC – now vested with the power to determine the proper “disposition” of terrorist suspects – is the same agency that is at the center of the ubiquitous, unaccountable surveillance state aimed at American citizens.

    Worse still, as the ACLU’s legislative counsel Chris Calabrese documented back in July in a must-read analysis, Obama officials very recently abolished safeguards on how this information can be used. Whereas the agency, during the Bush years, was barred from storing non-terrorist-related information about innocent Americans for more than 180 days – a limit which “meant that NCTC was dissuaded from collecting large databases filled with information on innocent Americans” – it is now free to do so. Obama officials eliminated this constraint by authorizing the NCTC “to collect and ‘continually assess’ information on innocent Americans for up to five years”.


    But don’t worry, the government would never assassinate Americans living on U.S. soil … would it?

    And even if it would, it would only consider truly bad guys to be terrorists … wouldn’t it?


    http://www.zerohedge.com/contributed...nation-program


  6. #386
    April
    Guest
    Report: NSA stores everyone’s metadata for at least a year

    9:38 PM 09/30/2013




    Regardless of whether a person was targeted by the National Security Agency, the agency has been storing the online metadata “of millions of internet users for up to a year,” The Guardian reports.

    While the Obama administration has made statements that the NSA’s surveillance program only targets individuals connected with foreign intelligence or terrorism, top secret documents revealed by former NSA contractor Edward Snowden demonstrate the contrary.
    The NSA retains “vast amounts of metadata” that allow analysts to put together a full picture of a year of a person’s life, reports The Guardian.
    Metadata, or data about data, includes phone numbers, email addresses, and call and browsing history.
    Internet metadata is stored in a database called Marina, while phone metadata is stored in a separate database.
    The New York Times revealed on Saturday that the agency was mapping the social connections of all U.S. citizens with the information collected from its surveillance programs regardless of their innocence.
    The Hill reported Monday that the Senate is set to move on legislation that would curb the NSA’s spying powers, but the end bill would probably do little to assuage the fears of privacy advocates.

    http://dailycaller.com/2013/09/30/re...-least-a-year/

  7. #387
    April
    Guest
    John McAfee unveils plans for device to thwart NSA

    9:37 PM 09/30/2013



    Over the weekend eccentric antivirus pioneer John McAfee unveiled his plans to thwart the National Security Agency’s Internet surveillance.


    On Sunday during the C2SV Technology Conference + Music Festival in San Jose, McAfee revealed to audience members that he plans to develop a new gadget called Decentral that would enable users’ devices to connect directly with one another.


    “He said the gadget is called Decentral because by communicating with smartphones, tablets and other devices, it will create decentralized, floating and moving local networks that can’t be penetrated by government spy agencies,” reports the San Jose Mercury News.


    McAfee plans to finish the first prototype of Decentral in six months. The finalized device will sell for $100.
    While he claims to have had the idea prior to the revelations of former NSA contractor Edward Snowden, McAfee confessed to audience members that “it became the right time” to make Decentral real after Snowden’s revelations.


    The announcement comes as only the latest in a series of McAfee’s colorful escapades, his most famous being when he ran from authorities in Belize who wanted him for questioning about the murder of his neighbor when he lived there.

    http://dailycaller.com/2013/09/30/jo...to-thwart-nsa/

  8. #388
    April
    Guest
    Feds say no to added transparency on spy requests


    The US government has no plans to provide more information on the requests it sends to tech companies for user data, Reuters reported Wednesday.
    The US Justice Department told a secret surveillance court that it opposes a request from tech companies asking the court for the righ... on government spying demands, including statistics on the extent of the demands, according to initially sealed court documents. The request was filed with the US Foreign Intelligence Surveillance Court, which has not publicly ruled on the request.
    The companies that made the request includes Microsoft, Yahoo, LinkedIn and … Read more

  9. #389
    April
    Guest
    Adobe hacked, 3 million accounts compromised

    The massive attack exposes customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.
    by Rachel King
    October 3, 2013 2:31 PM PDT




    Adobe announced on Thursday that it has been the target of a major security breach in which sensitive and personal data about millions of its customers have been put at risk.
    Brad Arkin, senior director of security for Adobe products and services, explained in a blog post that the attack concerns both customer information and illegal access to source codes for "numerous Adobe products."
    A few examples include Adobe Acrobat, ColdFusion, and the ColdFusion Builder. However, as far as the source code is concerned, Adobe assured that there is no "increased risk to customers as a result of this incident."
    Adobe officials added that the investigation has not turned up any zero-day attacks either.
    Unfortunately, the culprits have obtained access to a large swath of Adobe customer IDs and encrypted passwords.
    Arkin specified that the attackers removed sensitive information (i.e. names, encrypted credit or debit card numbers, expiration dates, etc.) about approximately 2.9 million Adobe customers.
    He added that investigators don't "believe the attackers removed decrypted credit or debit card numbers" from Adobe's systems.
    While federal law officials are involved, Adobe stressed that there are some precautions that customers need to take action on now.
    Adobe is resetting the passwords on breached Adobe customer IDs, and users will receive an email if they are affected. The software giant is also currently notifying customers whose credit or debit card information was exposed.
    Adobe has also promised to offer these customers the option of enrolling in a one-year complimentary credit monitoring membership where available.
    http://news.cnet.com/8301-1009_3-57605962-83/adobe-hacked-3-million...

  10. #390
    April
    Guest
    Silent Circle: NIST encryption standards untrustworthy


    The National Security Agency's apparent attempts to weaken encryption t... has led a private-communication startup to move away from encryption algorithms from the US government's National Institute of Standards and Technology.
    Silent Circle co-founder Jon Callas called NIST encryption experts "victims of the NSA's perfidy" in a blog post Monday and said the company will move away from using encryption standards that NIST helped create. The standards will still be available, but not by default, he said.
    "At Silent Circle, we've been deciding what to do about the whole grand issue of whether …
