9 Ways to Restrain the NSA

Keith Alexander

With U.S. Government surveillance being a hot news issue lately, several members of Congress have stepped up and started working on bills to place limits on NSA powers. Although these are admirable attempts, most proposals likely won’t have much effect on NSA operations. So of course I thought I’d propose some points that I think, at a minimum, any surveillance bill should cover.

1. No backdoors or deliberate weakening of security

The single most damaging aspect of recent NSA revelations is that they have deliberately weakened cryptography and caused companies to bypass their own security measures. If we can’t trust the security of our own products, everything falls apart. Although this has had the side-effect of causing the internet community to fill that void, we still need to trust basic foundations such as crypto algorithms.

Approaching a company to even suggest they weaken security should be a crime.

Related issue: the mass collecting of 0-day exploits. I have mixed feelings on how to limit this, but we at least need limits. The fact is that government law enforcement and military organizations are sitting on tens of thousands of security flaws that put us all at risk. Rather than reporting these flaws to vendors to get them fixed and make us all secure, they set these flaws aside for years waiting for the opportunity to exploit them. There are many real threats we all face out there and it is absurd to think that others can’t discover these same flaws to exploit us. By sitting on 0-days, our own government is treating us all as their personal cyberwar pawns.

2. Create rules for collection as well as searches

We saw how the NSA exploited semantics to get away with gathering personal records and not actually calling it a search. They got away with it once, we should never allow that excuse again. Any new laws should clearly define both searches and collection and have strict laws that apply to both.

3. Clear definition of national security

Since the Patriot Act, law enforcement agencies have stretched and abused the definitions of national security and terrorism so much that almost anything can fall under those terms. National security should only refer to imminent or credible domestic threats from foreign entities. Drug trafficking is not terrorism. Hacking a school computer is not terrorism. Copyright infringement is not terrorism.

4. No open-ended gag orders

Gag orders make sense for ongoing investigations or perhaps to protect techniques used in other investigations but there has to be a limit. Once an investigation is over, there is no valid reason to indefinitely prevent someone from revealing basic facts about court orders. That is, there’s no reason to hide this fact unless your investigations are perhaps stretching the laws.

5. No lying to Congress or the courts

It’s disconcerting that I would even need to say this, but giving false information to protect classified information should be a crime. The NSA can simply decline to answer certain questions like everyone else does when it comes to sensitive information. Or there’s always the 5th amendment if the answer to a question would implicate them in a crime.

6. Indirect association is not justification

Including direct contacts in surveillance may be justified, but including friends of friends of friends is really pushing it and includes just about everyone. So there’s that.

7. No using loopholes

The NSA is not supposed to be spying on Americans, but they can legally spy on other countries. The same goes for other countries: they can spy on the US. If the NSA needs info on Americans, they can just go to their spying partners to bypass any legal restrictions. Any prohibition on spying on Americans must also cover getting that information from spy partners.

And speaking of loopholes, many of the surveillance abuses we have seen recently are due to loopholes or creative interpretation of the laws. Allowing the Government to keep these interpretations secret is setting the system up for abuse. We need transparency for loopholes and creative interpretations.

8. No forcing companies to lie

Again, do I even have to say this? The NSA and FBI will ultimately destroy the credibility of US companies unless the law specifically forbids forcing people like Mark Zuckerberg to come out and say they don’t give secret access to the US government.

9. Strong whistleblower immunity

We saw how self regulation, court supervision, and congressional oversight has overwhelmingly failed to protect us from law enforcement abuses. There is only one way to ensure compliance to laws: strong whistleblower protection. We need insiders to let us know when the NSA or other agencies make a habit of letting the rules slide.

Whistleblowers need non-governmental and anonymous third party protection. We need to exempt these whistleblowers from prosecution and provide them legal yet powerful alternatives to going public. You’d think that even the NSA would prefer fighting this battle in a court over having to face leaks of highly confidential documents. In fact, I think that the only reason to oppose these laws is if you actually have something to hide. The NSA’s fear of transparency should be a blaring alarm that something is horribly wrong.

The NSA thinks that public response has been unfair and will severely limit their ability to protect us. What they don’t seem to understand is the reasons we have these limits in the first place. When the NSA can only focus on foreign threats, they have no interest in domestic law enforcement. Suspicionless spying is incompatible with domestic law enforcement and justice systems.

The greatest concern, however, is the unchecked executive and military power. The fact that there has been so much for Snowden to reveal demonstrates the level of abuse. Unfortunately, the capabilities are already in place so even legal limits are largely superficial and self-enforced. It would be trivial to ignore those laws in a national security emergency.

I cringe at the thought of becoming one of those people warning others to be afraid, but that is why we put limits on the government, so we know we don’t ever have to be afraid. We solve the little problems now so we don’t have to face the big problems later. We understand the need for surveillance, we just need to know when the cameras point at us.



So What Exactly Did The US Government Ask Lavabit to Do?

The recent shutdown of Lavabit’s email services prompted a flurry of reporting and speculation about the extent of US Government spying, mostly due to the mysterious statement by Lavabit founder Ladar Levison:

Most of us saw this as yet another possibly overhyped government spying issue and didn’t really think too much of it. Much of the media coverage is already starting to die down, but there is still some question as to exactly what the government required of Levison that left him with only one option: shutting down the entire business he built from the ground up. I wondered if there were enough clues out there to get some more insight into this case. I started by looking at exactly what Lavabit offered and how that all worked behind the scenes.

Lavabit Encryption

Lavabit claimed they had “developed a system so secure that it prevents everyone, including us, from reading the e-mail of the people that use it.” This is a bold claim and one that surely was a primary selling point for their services.

The way it worked is relatively simple: Lavabit encrypted all incoming mail with the user’s public key before storing the message on their servers. Only the user, with the private key and password, could decrypt messages. Normally with encrypted email, users store private keys on their own computers, but it appears that in the case of Lavabit, the service stored the users’ private keys, each encrypted with a hash of that user’s password. This is by no means the most secure way of doing this, but it dramatically increases transparency and usability for the user. By doing this, for example, users do not need to worry about private keys and they still have access to their email from any computer.

So let’s break this down: a user logs in with their password. This login might occur via POP3, IMAP4, or through the web interface (which in turn connected internally via IMAP). Because Lavabit used the user’s password to encrypt the private key, the server needed the original plaintext password, which means it could not support any challenge-response authentication methods. In other words, all clients must send passwords using AUTH PLAIN or AUTH LOGIN with nothing more than base64 encoding. The webmail interface appears to have been available as both SSL and non-SSL, and the POP3, IMAP4, and SMTP interfaces all seem to have accepted connections with or without SSL. All SSL connections terminated at the application tier.

Once a user sends a password, the Lavabit servers create SHA-512 hashes explained as follows:

… Lavabit combines the password with the account name and a cryptographic salt. This combined string is then hashed three consecutive times, with the former iteration’s output being used as the input value of the next iteration. The output of the first hash iteration is used as the secret passphrase for AES [encryption of the private key]. The third iteration is stored in our password database and is used to verify that users entered their password correctly.

The process they describe produces two hashes: one for decrypting the user’s private key and, after two more hashing iterations, a hash to store in the database for user authentication. While this is a fairly secure process, given strong user passwords, it does weaken Lavabit’s claim that even their administrators couldn’t read your email. In reality all it would take is a few lines of code to log the user’s original password, which allows you to decrypt the private key, which in turn allows you to receive and send mail as that user as well as access any stored messages.
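To make the described hash chain concrete, here is an added Python model of it (not Lavabit’s own code). The site salt, concatenation order and string encodings are constructed assumptions, since the post states none of them; the block also decodes the AUTH PLAIN credential mentioned earlier to show that the plaintext password necessarily reaches the application tier that derives the key-unlocking hash.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed site-wide salt for the demonstration; the post does not give Lavabit's
# real salt, byte ordering or string encoding, so those are assumptions here.
SITE_SALT = b"constructed-site-salt"


def lavabit_hash_chain(account: str, password: str,
                       salt: bytes = SITE_SALT) -> Tuple[bytes, bytes, bytes]:
    """Three chained SHA-512 iterations over password + account + salt.

    Returns (h1, h2, h3): h1 is the AES passphrase that unlocks the user's stored
    private key, h3 is the verifier kept in the password database. h2 only links them.
    """
    h1 = hashlib.sha512(password.encode("utf-8") + account.encode("utf-8") + salt).digest()
    h2 = hashlib.sha512(h1).digest()
    h3 = hashlib.sha512(h2).digest()
    return h1, h2, h3


def register(db: Dict[str, bytes], account: str, password: str) -> None:
    """Store only the third iteration; h1 is never written to the password database."""
    db[account] = lavabit_hash_chain(account, password)[2]


def login(db: Dict[str, bytes], account: str, password: str) -> Optional[bytes]:
    """Server-side login. The plaintext password must be present to recompute the chain,
    which is why the service could not offer challenge-response authentication.
    On success the key-unlocking secret h1 is returned to the application tier;
    on failure None is returned (constant-time compare on the stored verifier)."""
    h1, _, h3 = lavabit_hash_chain(account, password)
    stored = db.get(account)
    if stored is None or not hmac.compare_digest(stored, h3):
        return None
    return h1


def encode_auth_plain(account: str, password: str) -> str:
    """Client side of SASL PLAIN: base64(authzid NUL authcid NUL password), authzid empty."""
    raw = b"\x00" + account.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_auth_plain(credential: str) -> Tuple[str, str]:
    """Server side of SASL PLAIN: recover (account, password) from the base64 credential."""
    parts = base64.b64decode(credential).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN credential")
    _authzid, authcid, password = parts
    return authcid.decode("utf-8"), password.decode("utf-8")


def login_auth_plain(db: Dict[str, bytes], credential: str) -> Optional[bytes]:
    """What the IMAP/POP3/SMTP front end does once SSL has been stripped at the
    application tier: base64 decoding alone yields the password, then the chain
    above is recomputed. Nothing stronger than base64 stands between the wire
    and h1 at this point."""
    account, password = parse_auth_plain(credential)
    return login(db, account, password)


if __name__ == "__main__":
    users: Dict[str, bytes] = {}
    register(users, "alice", "s3cret")
    print("stored verifier (h3):", users["alice"].hex()[:16], "...")
    ok = login_auth_plain(users, encode_auth_plain("alice", "s3cret"))
    print("login via AUTH PLAIN yields h1:", ok is not None)
    print("wrong password:", login(users, "alice", "wrong"))
```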

It is important to note that the scope of Lavabit’s encryption was limited to storage on its own servers. The public keys were for internal use and not something you published for others to use. Full protection would require employing PGP or S/MIME and having untapped SSL connections between all intermediate servers. On the other hand, if an email was sent through Lavabit already using PGP or S/MIME encryption, they would never be able to intercept or read those emails.

The question here is what exactly did the government request Levison to do that was so bad that he’d rather shut down his entire business? What information could Lavabit even produce that would be of interest to a government agency? Unencrypted emails, customer IP addresses, customer payment methods, and customer passwords. Based on media statements, it appears that he would be required to provide unencrypted copies of all emails going through his system.

Let’s look at some quotes Levison has given to various media outlets. First, here are some quotes from an interview with CNET:

“We’ve had a couple of dozen court orders served to us over the past 10 years, but they’ve never crossed the line.”

“Philosophically, I put myself in a position that I was comfortable turning over the information that I had. I built Lavabit in a reaction to the original Patriot Act.”

“Where the government would hypothetically cross the line is to violate the privacy of all of my users. This is not about protecting a single person or persons, it’s about protecting all my users. What level of access to this nation does the government have?”

“Why should I collect that info if I didn’t need it? [That philosophy] also governed what kind of information I logged.”

“Unfortunately, what’s become clear is that there’s no protections in our current body of law to keep the government from compelling us to provide the information necessary to decrypt those communications in secret.”

“If you knew what I know about e-mail, you might not use it either.”

In an article from NBC News, we have this:

Levison stressed that he has complied with “upwards of two dozen court orders” for information in the past that were targeted at “specific users” and that “I never had a problem with that.” But without disclosing details, he suggested that the order he received more recently was markedly different, requiring him to cooperate in broadly based surveillance that would scoop up information about all the users of his service. He likened the demands to a requirement to install a tap on his telephone. Those demands apparently began about the time that Snowden surfaced as one of his customers, apparently triggering a secret legal battle between Levison and federal prosecutors.

And finally in an interview with RT he said:

“I think the amount of information that they’re collecting on people that they have no right to collect information on is the most alarming thing,” he told RT. “I mean, the Fourth Amendment is supposed to guarantee that our government will only conduct surveillance on people in which it has a probable suspicion or evidence that they are committing some crime, and that that evidence has been reviewed by a judge and signed off by a judge before that surveillance begins. And if there’s anything alarming, it’s that now that’s all being done after the fact. Everything’s being recorded, and then a judge can after the fact say it’s okay to go look at the information.”

Given the above information, let’s analyze some of the facts we know:

  • The government asked Lavabit to do something which Levison considered to be a crime against the American people.
  • Levison was comfortable with and had complied with warrants requesting information on specific users.
  • Levison told Forbes that “This is about protecting all of our users, not just one in particular.”
  • Levison is not even able to reveal some details to his own attorney or employees.
  • Shutting down operations was an option to circumvent compliance, although there was a veiled threat he could be arrested for doing so.
  • He did not delete customer data; he still has that in his possession, so this was a request for ongoing surveillance.
  • This was a court order, which Levison is fighting through the US Court of Appeals for the Fourth Circuit.
  • Levison compared the request to installing a tap on his telephone.

Apparently what made Levison uncomfortable with the request was the fact that it collected information about all users, without regard to a warrant. Presumably law enforcement wanted to collect all data that they would later retroactively view as necessary once they had a warrant. The two issues here are that the Government wanted to collect information on innocent users (including Levison himself) and that Levison would be out of the loop completely, taking away his control over what information he provided to law enforcement. These were the lines the Government crossed.

What’s interesting here is that Lavabit terminated the SSL connections right on the application servers themselves. These are the servers that also performed the encryption of email messages. Because of that, a regular network tap would be ineffective. The only way to perform the broad surveillance Levison objected to would be (in order of likelihood):

  1. Force Lavabit to provide their private SSL keys and route all their traffic through a government machine that performed a man-in-the-middle style data collection;
  2. Change their software to subvert Lavabit’s own security measures and log emails after SSL decryption but before encrypting with the users’ public keys; or
  3. Require Lavabit to install malicious code to infect their own customers with government-supplied malware.

Sure, this could have been a simple request to put a black box on Lavabit’s network and Levison is just overreacting, but the evidence doesn’t seem to indicate that. Regardless of which of the requests the Government made, they would all make Levison’s entire business a lie; all efforts to encrypt messages would be pointless. Surely there were some heated words spoken when the Department of Justice heard about Levison’s decision, but this is not an act of civil disobedience on Levison’s part; his personal integrity was on the line. Compliance would make his very reason for running Lavabit a deception: a government-sponsored fraud.

While Lavabit initially had quite a bit of media coverage over this issue, the hype seems to be a casualty of our frenzied news cycle. But after looking closely at the facts here, I now see that this is a monumentally important issue, one that the media needs to once again address. The message here is that US courts can force a business to subvert their own security measures and lie to their customers, deliberately giving them a false sense of security. They can say what they want about security on their web sites; it means nothing. If they did it to Lavabit, how many hundreds or thousands of other US companies already participate in this deception?

If the courts can force a business to lie, we can never again trust the security claims of any US company. The reason so many businesses specifically rely on US services is the sense of stability and trust. How sad that an overreaching and panicked pursuit of a whistleblower has thrown that all away.

This issue is so much more than a simple civil liberties dispute, it is the integrity of a nation at stake. We walked with the devil in a time of need–that is a legacy we must live with–but at what point do we sever that relationship and return to the integrity required to lead the world through respect and not by fear?





UPDATE: Since publishing this post, this Wired article has revealed that Lavabit was in fact required to supply their private SSL keys, as suspected above.


Thanks NSA for Ruining the Internet

I know, we have been told for years that the NSA has been spying on us. The revelations in recent months really aren’t that new. We always assumed there was that looming over us, and many of us have even greeted various government agencies in our private chats and emails (i.e., “I want to blow that up, j/k nsa, LOL, no really just kidding”).

On the other hand, our lives are full of conspiracy theories that nag at us: Is that mirror in the dressing room a two-way mirror? Is that webcam on my laptop secretly recording me? Why is that black Suburban parked on my street? Fortunately, it’s easy to dismiss these things as conspiracy—that is until two guys step out of that Suburban and approach your door. Edward Snowden’s leaks about NSA spying made it that real to us.

Perhaps the most frustrating aspect of this is the reaction by our government. To them the problem isn’t that they are spying, it’s that we found out about it. If we just don’t know about it then everything will be okay, right? Fire some admins, tell us about a few of their programs, and maybe issue a terror alert to help us see how much they are helping us. Clearly they are missing the point here. What bothers us isn’t just the spying, it’s the loss of trust. Not just in our government, but in almost everything we do online. We can’t trust our email, our phone conversations, text messages, or online chats. Right, we kind of already knew this.

But once we found out that it is acceptable to lie in the name of national security, that changed everything. Suddenly when the NSA says there are no domestic spying programs, is that really true, or is it the least untruthful answer they are allowed to give us? When an online service we use says they don’t give information to the NSA, is that true, or are they being forced to deny this? Do terms of service and privacy policies mean anything anymore when national security trumps everything?

Do we now just assume that all online privacy is compromised? If not by our own government, by some other entity? What about our online backups, our cloud storage services, online notes, bookmarks, calendars, to-do lists, photos, accounting, online banking, hosted web servers, password management services, or medical records? And what about encryption, do we even trust our current technologies anymore?

Denials by the NSA or these companies don’t mean anything to us now because how do we know these aren’t just National Security denials?

Fortunately, in the end this will be good for us. We will be forced to develop technologies that make us all more secure. We will step up to the challenge, putting us back in control of our data. Improving security will be the new civil disobedience.

In the meantime, thanks NSA for ruining the internet.

Dear NSA, I Don’t Think You Meant Yottabytes

Several media reports claim that the NSA’s Utah data center may ultimately be able to store data on the scale of yottabytes because, you know, they think they’re totally going to need yottabytes. To put this into perspective, a yottabyte would require about a trillion 1 TB hard drives and data centers the size of both Rhode Island and Delaware combined. Plus, a trillion hard drives is more than a thousand times the number of hard drives produced each year. In other words, at current manufacturing rates it would take more than a thousand years to produce that many drives. Not to mention that buying those hard drives would cost up to 80 trillion dollars–greater than the GDP of all countries on Earth.

Let’s just establish one thing, NSA: without major improvements in storage technology, yottabyte storage capability is simply absurd. Just get yottabytes out of your mind and stop telling people you need yottabytes; it makes you sound dumb. Even the zettabyte, which is 1/1000 of a yottabyte, is silly, but let’s use that as an example anyway.

Dear NSA, It’s Not Just About the Spying

This not only applies to the NSA, but to Congress and President Obama: You betrayed our trust. That’s why we are angry.

It’s not about spying and it’s not about having anything to hide. The fact is, my life is very boring and it’s kind of sad knowing how many terabytes of data might be stored of me complaining to the phone company about my phone bill or calling my wife to pick up an energy drink while she’s out. I can’t even imagine how many SMS messages are stored of my kids texting their friends 24 hours a day. Then there’s that endless flow of useless junk in my inbox.

And it’s not just me, it’s my boring life times 300 million other American lives. Just south of me there’s a million square feet ready to start storing all of that data. We’re not talking about petabytes, exabytes, or even zettabytes here, but yottabytes of data, a number so large there’s just no metaphor to help you comprehend it. I imagine this data center slowly filling up like a massive reservoir behind a newly built dam. A massive reservoir of 300 million lives, 75 million of those being under 18 years old. A million square feet, billions of dollars, eventually up to 200 megawatts of power, 60,000 tons of cooling equipment, and a carbon footprint greater than some entire countries.

Keep in mind that this is just their new data center. There are those existing data centers scattered across the country that are apparently running low on free disk space. Even that isn’t enough, the NSA has new equally massive facilities coming online in Maryland and Texas as well.

So what has all these yottabytes of storage and exaflops of computing power bought us? Apparently we stopped literally dozens of terrorist attacks (I bet not letting fingernail clippers on airplanes also prevented dozens of attacks!). “Dozens of attacks” it turns out means around fifty–ten of which were domestic plots. But some members of Congress have even questioned that number.

When Congress introduced the Patriot Act, there were a number of privacy concerns, but we put our trust in the government to do what was right. We were hurt and angry after 9/11 and there was a national cry to stop these terrorists. We knew when the Patriot Act became law that we would be giving up some of our privacy but it was for the greater good. The government assured us that there were checks and balances to prevent abuse of these new powers.

The government, it turns out, lied to us. Officials such as James Clapper came right out and falsely told Congress that the NSA was not collecting data on Americans. Secret courts, secret interpretations of law, and the ability to accompany data requests with gag orders empowered the NSA to collect any data it wanted–all with the blessing of Congress. Sure, we already figured that the NSA spied on us, but we kept getting all those assurances that they weren’t.

When we elect government officials we try to not only find those people who represent our political views, but we also look for people with a certain amount of integrity. We want congressmen and presidents who we can trust. Much of President Obama’s original platform was based on changing how government worked by adding transparency, targeting government abuses of power, and encouraging whistleblowers who revealed government abuses. It sounded pretty convincing and enough people believed in him to elect him President, but now even some of his most ardent supporters feel he betrayed their trust.

We also trusted Congress with the billions of tax dollars they spent building the largest spying mechanism ever known to man. Billions of dollars spent on millions of hard disks spinning away recording my kids texting their friends about what a loser their Dad is.

Yes it’s creepy knowing the NSA is always listening and we don’t like that the government considers all of us the enemy. Yes, it’s a violation of our constitutional rights that they gather evidence on us before we have even considered committing a crime. But what really bothers us the most is the violation of trust. We gave you power and–albeit predictably–you overreached way beyond that power, crafting laws that prevented us from even questioning your abuses and aggressively pursuing those who do.

You can claim that these practices are legal, strictly monitored, and performed with court approval, but we just don’t believe you anymore. You no longer have any credibility because humans are good at not trusting those who repeatedly lie to us. In fact, we want you to give us back control over what you do and how you spend our money. We don’t need your massive data collection to stop ten domestic terror attacks. In fact, we don’t even believe you that this data collection is about protecting us from terrorists anyway, you can only use that excuse so much before we start seeing through it. Ultimately, it comes down to the same old power, greed, and corruption that we learned about in History class.

You betrayed our trust, so now you don’t get our trust. We don’t want new data centers; we want to cut back on your data collection free-for-all and even start shutting down existing data centers. We want to take away your massive and seemingly unlimited budgets. We want you to stop pre-collecting data so you can later take “the book off the shelf and opening it up and reading it.” We want to be able to limit what you can do in the name of national security, and we want Congress to roll back some of the overly permissive provisions of the Patriot Act. We want Congress to actually punish those who lie under oath and not just let it slide because they are the Director of National Intelligence. We want you to provide some form of protection for those whistleblowers who expose clear and possibly illegal abuses of power.

We don’t trust you anymore and we don’t know how far you are willing to go in the name of national security. You are laying a framework of abuse so vast that we fear it could someday become oppressive. We certainly don’t think you have our best interests in mind and we are seriously questioning the power (and petabytes of storage) the people have given you.

It’s time for us to speak now: we want our data back.


Grant Edward Snowden Retroactive Immunity

Last week I was struck by the absurdly hypocritical statement by James Clapper, the Director of National Intelligence:

“The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”

I suppose that if you live at the top of the intelligence food chain long enough, statements like this eventually start sounding perfectly normal to you. For releasing classified information about the NSA’s clandestine spying programs, Clapper is quick to label Edward Snowden as a traitor. But who betrayed the American people more, Snowden or the NSA?

The US Constitution defines treason against the United States as “levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.” The question here is what the United States is: is it the government or the citizens? Is the United States some .gov organization or is it the people who inhabit our political geography? Is the United States a secret spying program or a representative democracy that is “of the people, by the people, for the people”?

If it were up to the American people to decide, I think we would have a very different opinion of who should be called the traitors.

While Snowden may have violated the terms of his security clearance, he did not betray America. It is absurd to claim that revealing the NSA’s overreaching is in any way an aid to any enemy. Certainly no one buys the claim that terrorists will now communicate any differently than they did last month. On the contrary, I would argue that Snowden’s actions are in fact a powerful demonstration of true loyalty that he was willing to sacrifice himself for the American people. He betrayed his employer, but not the American people.

Ask yourself, do you feel more betrayed that Snowden revealed this secret program or do you feel more betrayed by the program itself?

Do you feel more betrayed that Snowden told the truth to journalists or that Clapper recently deceived a Congressional committee when asked a direct yes or no question about information gathering?

Do you feel more betrayed that Snowden produced actual evidence of spying on Americans or that the NSA does not want you to know what a FISC court ruled about the constitutionality of their spying programs and that the NSA spying has violated the constitution at least once before?

How about Bradley Manning: do you feel more betrayed that he exposed a number of documents revealing questionable and possibly criminal acts, or would you feel more betrayed if you knew exactly what the NSA plans to store in their unfathomably massive Utah data storage facility? (Hint: you don’t need exabytes of storage unless you have exabytes of information to store).

Would you feel betrayed if you knew that the NSA and other government agencies buy up and sit on 0-day exploits so that they can use them in their cyberwarfare efforts, knowingly leaving millions of our own systems vulnerable in the process?

Last year it was reported that the Flame malware, allegedly an NSA effort, included a digital certificate that appeared to be legitimately signed by Microsoft. Do you feel betrayed knowing that the NSA has this ability? Would you feel betrayed if we knew the full extent of their capabilities in faking certificates?

And how about crypto algorithms? Would you feel betrayed finding out the NSA has broken some of these yet still knowingly lets us use them?

If it were up to the American people to decide, I think we would have a very different opinion of who should be called the traitors.

Nevertheless, chances are that if allowed to, the US government will be able to successfully prosecute Snowden. US laws on sedition and subversive behavior are broad, especially during times of war. I imagine that it would take an act of Congress to grant this individual, and others like him, immunity for exposing wrongdoings of the government. George Bush was able to persuade Congress to grant retroactive immunity to telcos when the NSA spying program first came to light; why can’t Congress grant this same privilege to the material witness who exposed this overreaching and possibly unconstitutional spying program?

To Congress I say, considering how little you have done for the American people lately, you guys really owe us this one.

About The US Government’s Absurd Filing in a Megaupload-Related Case

You’d think the US Government has been embarrassed enough with their abuse of power and disregard for procedure in the Megaupload case that they would just let it all quietly die. No, as evidenced by a recent filing in the Kyle Goodwin case, they are going to fight this one until the end.

Because this case potentially affects everything we do in the cloud, I have followed it closely. But I have to say I am a bit amazed by the arrogant, contradictory, hypocritical, almost desperate brief the government filed a few days ago. I recommend taking a few minutes to read the whole thing, but it basically comes down to the government arguing that instead of having one hearing to see if the guy can get his data back they should break it down into several different hearings, one to argue each point. Their logic is that if they don’t get past the first point, they don’t need to hold any more hearings.

The government would like the hearing broken down like this:

1. A hearing requiring Kyle Goodwin to prove he owns the files he says he owns.
2. A hearing to determine if Federal Rule of Criminal Procedure 41(g) allows Goodwin any relief.
3. Another hearing that would consider exactly what relief might be appropriate.

They also imply other hearings, such as an evidentiary hearing or another to ensure the court even has jurisdiction over the complaint.

Of course, this is all absurd and an obvious attempt to delay the proceedings and put a greater burden on Goodwin and anyone else who might want to get their files back. It is a common tactic and is one of the reasons why many law firms refuse to accept cases suing the government: even if the government is wrong, they have enough resources to completely swamp a law firm with paperwork and procedural obstacles potentially costing the firm millions of dollars just to get the case heard.

The government’s argument is that by breaking the hearings up, they can put less of a burden on the court. They state that by having just one hearing that “the Court may unintentionally authorize a large amount of irrelevant discovery that impinge on the criminal proceedings.” Plus, they argue, if you dispute some facts, that would likely result in having to dispute other facts and that might require “the testimony of numerous witnesses, including potential expert witnesses.” Finally, they argue, that because they won’t know the scope of the hearings, they don’t know how much information they will need to gather.

Much of the government’s filing is a clear attempt to kill the case by saying that Goodwin can’t even prove he owns his files. It all comes down to Federal Rule of Criminal Procedure 41(g):

(g) Motion to Return Property. A person aggrieved by an unlawful search and seizure of property or by the deprivation of property may move for the property’s return. The motion must be filed in the district where the property was seized. The court must receive evidence on any factual issue necessary to decide the motion. If it grants the motion, the court must return the property to the movant, but may impose reasonable conditions to protect access to the property and its use in later proceedings.

To argue that Goodwin has no ownership rights, the government says that he only used a service provided by Megaupload, and that Megaupload in turn only leased servers from Carpathia, therefore Goodwin has no ownership rights to the servers they imaged. The contracts for these services, they argue, probably say that he doesn’t own those servers. But the argument here was never that he owned the servers, only that the government took the only copy of his data.

So what about the data? The government argues that owning a copyright “is not sufficient to establish that he has an ownership interest in… the copies of his data.” They say that there should be a hearing to determine whether Goodwin has a prima facie case before proceeding, and that his contract with Megaupload limits his ownership rights. I find it hilarious that this very point is why everyone is angry about the Megaupload case in the first place: the government held no hearing to establish that the entertainment industry had ownership rights to the data it seized, and ignored the fact that Megaupload’s contract and federal law shield a hosting service from liability for copyrighted files its users share.

Their argument also has a major flaw: this is not a contract dispute between Goodwin and Megaupload or Carpathia, it is a lawsuit against the US Government. The government is not a party to any of these contracts and therefore they are completely irrelevant.

Then it gets even stranger. Although the government says they do not have Goodwin’s data on the servers they imaged, and that they are not in possession of the other servers, and that finding any particular users’ data may be technically infeasible, they go and claim that his Megaupload account contains files that might be pirated music. So do they have access to his files or not? Further, having pirated files in his account does not negate the fact that he owns his video files. It’s nothing more than a scare tactic and veiled threat that Goodwin should not continue this case because he does not have “clean hands.”

After the whole argument about Goodwin having to provide evidence of ownership, the government goes on to say that in a hearing to decide a Rule 41(g) motion, “the Court may use affidavits and documentary evidence, without the need for live witnesses.” Basically what they want is to be able to use sworn affidavits instead of putting up live witnesses. This means that they get to introduce a statement from their witness with no opportunity for the plaintiff to cross-examine the witness. Their argument is that Goodwin must bear the burden of proof, not the government. Nice trick, but our legal system doesn’t work that way. The only way to reconcile disagreements of prima facie evidence is through a full trial and that includes witnesses.

What the government is trying to do here is abuse the process to prevent the question coming up asking if their raid was legal in the first place. Part of Goodwin’s case relies on proving that his data was unlawfully seized, which might include proving whether Megaupload’s servers themselves were unlawfully seized and searched. This is an extremely important question that needs to be asked because it will set the precedent for all future government seizures. It affects every company on the Internet that hosts the data of others. And it affects any of us that completely rely on the cloud for running our own lives and livelihoods.

The government must be held to the same standards as anyone else and cannot be allowed to abuse the law to take out any company in any country that threatens the US entertainment industry. If we can stop the little abuses, we help prevent the big abuses.



Did the EFF Get it Wrong on CISPA?

My first reaction on seeing the recent headlines about CISPA (HR 3523) was, like many others, simple outrage at yet another attempt by the US government to open the doors for spying and censorship. In fact, we have seen so much of this lately, and with so many cries that this is worse than SOPA, that I didn’t even bother reading the bill.

Even the EFF came out with a statement against it and many other respectable organizations have subsequently chimed in and asked for support to block this.

But then someone pointed out to me that this bill really isn’t that bad. I spent a few minutes reading the short bill to prove them wrong, but in fact I was surprised that this bill is not as evil as everyone has made it out to be. Having worked in the security industry for so long, I can see how helpful this law could actually be. Let me explain where I think the EFF got it wrong.

Update: Many have interpreted this post as supporting CISPA, which I do not. I do agree with the premise of CISPA, but the point here is that fear, uncertainty, and doubt really have no place anywhere and I would think that the EFF would be above this. Here are some of my updated thoughts on CISPA.

The Free Pass

The EFF claims that this law gives “companies a free pass to monitor and collect communications, including huge amounts of personal data like your text messages and emails, and share that data with the government and anyone else.”

In fact, the law specifically says that an organization may, for cybersecurity purposes, identify and obtain information about threats to their own rights and property:

(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes
(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.

The Cybersecurity Purpose

The EFF says that “vaguely-defined ‘cybersecurity threats'” could be used “as a shortcut to bypassing the law.” They go on to say that “Worst of all, the stated definition of “cybersecurity” is so broad, it leaves the door open to censor any speech that a company believes would ‘degrade the network.'”

So what is a cybersecurity purpose? I think the law defines that pretty clearly as well:

(4) CYBERSECURITY PURPOSE- The term `cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from–
(A) efforts to degrade, disrupt, or destroy such system or network; or
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

So a cybersecurity purpose is protecting a network or system from a direct attack on the service or a theft of data from that network or system. I just don’t see this as broad and it certainly would be a huge stretch for an organization to say that speech degrades a network.

Intellectual Property

The EFF statement says that “The bill specifically mentions that cybersecurity can include protecting against the “theft or misappropriation of private or government information” including ‘intellectual property.’ Such sweeping language would give companies and the government new powers to monitor and censor communications for copyright infringement.”

As mentioned above, the law states that a cybersecurity purpose is to protect an organization’s own systems or networks from an attack or theft of information, not protecting intellectual property in a general sense. So if someone is breaking into a movie studio’s network to steal a movie, that would fall under this law, but there is nothing that grants the studio any rights beyond the scope of its own network.

Monitoring and Censoring

The EFF claims that CISPA allows “a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop cybersecurity threats.”

But does it really allow this? The bill states that “the term `cyber threat information’ means information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity…” There is nothing here that allows companies to intercept emails and share them with everyone, the information must directly pertain to a vulnerability or threat and this info must have been gathered in the process of protecting their own network or systems.

There is also nothing that allows or even implies that an organization can modify or block information. This law only addresses the sharing of threats and says nothing about how an organization may deal with those threats.

So what about sharing any info with the government? That is actually a good thing, because there is some legal ambiguity around evidence gathered during an attack, which I actually wrote about ten years ago. The ability for an organization to share information about an attack with law enforcement without the threat of being sued is a big step toward being able to prosecute attackers. Furthermore, the law allows organizations to choose how little information they share with the government in these cases.

Civil and Criminal Immunity

The EFF says that CISPA will “let companies spy on users and share private information with the federal government and other companies with near-total immunity from civil and criminal liability. It effectively creates a ‘cybersecurity’ exemption to all existing laws.”

This too is a stretch. Organizations will not automatically be immune from spying. The law states that the immunity applies if the organization is “acting in good faith” for the purpose of protecting themselves and reading and sharing everyone’s emails hardly falls under acting in good faith. Furthermore, the bill does put oversight in place to address privacy and civil liberty concerns.


So Did the EFF Get it Wrong?

When it came to SOPA I hated those who defended it, but in this case I think the EFF got it wrong. While I certainly cannot imagine all consequences of this law, and some of the points surely could use some clarification (such as explicitly saying this info cannot be used for anything other than addressing specific threats), I think the EFF is wrong on this and has created quite a bit of misguided anger. Yes, we need to protect our rights, but this is not the bill we should be freaking out over.

Don’t take my word for it, go read the short bill and see what you think.



My SSN is showing?

I got an e-mail earlier this week from a financial web site. The e-mail displayed the last 4 digits of my U.S. social security number. Presumably they didn’t show the entire number for security reasons, but I wondered how secure that really is when even the last 4 digits are shown. Can someone easily guess my full SSN with just the last 4 digits?
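To make that question concrete, here is an added example of my own (not code from the original post) that enumerates every full SSN consistent with a known last four digits. It encodes only the pre-2011, non-randomized structure of an SSN: a three-digit area number, a two-digit group number and a four-digit serial, with area 000, 666 and 900-999, group 00 and serial 0000 never issued, and the order in which the SSA issued group numbers within an area (odd 01-09, even 10-98, even 02-08, odd 11-99). The optional `areas` and `high_group` inputs stand in for knowledge an attacker might have (the area numbers allocated to a state, the highest group issued in an area at the time); the values used in the usage call at the bottom are made up for illustration.

```python
"""Enumerate full SSNs consistent with a known last four digits.

Structural rules of the pre-2011 (non-randomized) SSN, AAA-GG-SSSS:
  area   001-899, except 666 (900-999 and 000 were never issued)
  group  01-99   (00 never issued)
  serial 0001-9999 (0000 never issued)
"""


def valid_areas():
    """Every area number the SSA actually issued before randomization."""
    return [a for a in range(1, 900) if a != 666]


def group_issue_order():
    """Order in which group numbers were issued within one area (pre-2011):
    odd 01-09, then even 10-98, then even 02-08, then odd 11-99."""
    return (list(range(1, 10, 2)) +
            list(range(10, 99, 2)) +
            list(range(2, 9, 2)) +
            list(range(11, 100, 2)))


def candidate_ssns(last4, areas=None, high_group=None):
    """Yield every structurally valid SSN whose serial equals last4.

    areas:      optional subset of area numbers to consider (for example the
                areas allocated to one state; the caller supplies this).
    high_group: optional dict area -> highest group number issued so far in
                that area; groups later in the issue order are pruned.
    """
    serial = int(last4)
    if not 1 <= serial <= 9999:
        raise ValueError("serial 0000 is never issued; last4 must be 0001-9999")
    order = group_issue_order()
    for area in (valid_areas() if areas is None else areas):
        if high_group and area in high_group:
            groups = order[: order.index(high_group[area]) + 1]
        else:
            groups = order
        for g in groups:
            yield f"{area:03d}-{g:02d}-{serial:04d}"


def count_candidates(last4, areas=None, high_group=None):
    """Size of the search space an attacker faces for a given last four."""
    return sum(1 for _ in candidate_ssns(last4, areas, high_group))


if __name__ == "__main__":
    # With nothing but the last four digits: 898 areas * 99 groups candidates.
    print("no other knowledge:", count_candidates("1234"))
    # Hypothetical attacker knowledge (made-up values): the victim's card was
    # issued in a state holding areas 545 and 546, and area 545 had only
    # reached group 10 at the time.
    print("with area/group knowledge:",
          count_candidates("1234", areas=[545, 546], high_group={545: 10}))
```

The point the numbers make: the structural rules alone leave about 89,000 possibilities for a given last four, but each piece of public knowledge about where and when the number was issued cuts that search space by orders of magnitude, which is why the last four digits are the part worth protecting rather than the part worth exposing.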

Pafwert: Smarter Passwords

I am now making available a freeware desktop version of Pafwert, a strong password generator. Although it looks simple on the surface, Pafwert is a complex software application I built based on years of research on passwords and password security.

[Pafwert screenshot]
