CAT | National Security
Bruce Schneier has a great post on issues with CALEA-II.
He talks about two main issues, with historical context.
First, about the vulnerabilities that automated eavesdropping backdoors always create in communications, and how that disadvantages US companies.
Second, about the fact that law enforcement claims of communications “Going Dark” are absurd given the treasure trove of new surveillance information available through social media and cloud services (like Gmail).
I know I have talked about this issue a lot over the years, but I am shocked that I can’t find any posts like it on this blog.
Bruce does it really well in any case.
The FBI, in conjunction with the Bureau of Justice Assistance and Joint Regional Intelligence Center, has produced a number of fliers to help the public identify possible terrorists. While some of the points have merit, it is very likely that this will generate an extremely high proportion of false alerts based on perfectly reasonable and legal behaviors.
A big red flag for me was the fliers for cyber cafes and electronics stores. These suggest that the use of privacy-protecting services, like Anonymizer, should be deemed suspicious. They also call out encryption, VoIP, and communicating through video games.
In almost all of the fliers they suggest that wanting to pay cash (legal tender for all debts public and private) is suspicious.
Thanks to Public Intelligence for pulling together PDFs of the documents.
Bruce Schneier on the real-world effectiveness of a very simple domain-name-based man-in-the-middle attack.
Here is a Wired article on the same issue showing how it was used to steal 20 GB of email from a Fortune 500 company.
Matt Blaze analyzes why the widespread use of cryptography has had almost no impact on our practical ability to do wiretaps and gather information under legitimate court orders. Not too technical and absolutely worth a read.
Here is a really nice analysis of the recent security breach at Lockheed Martin. The short version is that it looks like their SecurID tokens got duplicated. This is almost certainly related to the security breach at EMC / RSA.