December 5, 2013
NSA considered spying on Australians ‘unilaterally’, leaked paper reveals
James Ball and Paul Farrell
December 4, 2013
The US National Security Agency has considered spying on Australian citizens without the knowledge or consent of the Australian intelligence organisations it partners with, according to a draft 2005 NSA directive kept secret from other countries.
The draft directive leaked by the US whistleblower Edward Snowden reveals how the NSA considered the possibility of “unilaterally” targeting citizens and communication systems of Australia, New Zealand and Canada – all “5-Eyes” partners which it refers to as “second party” countries.
"Under certain circumstances, it may be advisable and allowable to target second party persons and second party communications systems unilaterally when it is in the best interests of the US and necessary for US national security,” says the directive, which was classified as “NF” for No Foreign and is titled Collection, Processing and Dissemination of Allied Communications.
“Such targeting must be performed exclusively within the direction, procedures and decision processes outlined in this directive.”
Australia is one of the countries acting in partnership with Britain, the US, New Zealand and Canada to share intelligence and conduct surveillance operations around the world. These 5-Eyes states form part of the UKUSA agreement, which was believed to limit the ability of the partner countries to spy on each other. The Australian Signals Directorate maintains a close partnership with the NSA.
On Monday Guardian Australia revealed that the Defence Signals Directorate – now the Australian Signals Directorate – had offered to share citizens’ personal data in a 2009 meeting. Last month an officer responsible for federal parliament’s IT systems left open the possibility that parliamentarians could be subject to US surveillance through a Microsoft operating system vulnerability.
The draft 2005 directive, which was published in the Guardian in November, goes on to state that the US could conduct the targeting without the knowledge of Australian, Canadian or New Zealand authorities, and even if the countries had rejected a “collaboration proposal” for the operation.
"When sharing the planned targeting information with a second party would be contrary to US interests, or when the second party declines a collaboration proposal, the proposed targeting must be presented to the signals intelligence director for approval with justification for the criticality of the proposed collection."
It is not clear how the NSA would select Australian targets for unilateral surveillance and what the purpose of this targeting would be and it is unclear which procedures may have been enacted as a result of the draft directive.
The “targeting” procedures of the NSA are broad and allow a large range of internet, data and phone information to be collected if approved. They can even be authorised to “acquire communications about the target that are not to or from the target”.
The original 1946 UKUSA agreement between the US and Britain was previously designed only for “foreign intelligence” operations. The draft memo appears to indicate that the agreement has changed.
"[The 1946 UKUSA] agreement has evolved to include a common understanding that both governments will not target each other’s citizens/persons. However, when it is in the best interest of each nation, each reserved the right to conduct unilateral Comint [communications intelligence] action against each other’s citizens/persons."
In a later part of the draft cleared for release to the 5-Eyes countries, the document suggests there may be circumstances in which Australia, Canada and New Zealand should co-operate to allow the US to target their citizens.
“There are circumstances when targeting of second party persons and communications systems, with the full knowledge and co-operation of one or more second parties, is allowed when it is in the best interests of both nations,” the 2005 document says. “This targeting will conform to guidelines set forth in this directive.”
It says this type of collaborative targeting is most commonly achieved “when the proposed target is associated with a global problem such as weapons proliferation, terrorism, drug trafficking or organised crime activities”.
After Monday’s revelations, Australia’s prime minister, Tony Abbott, said there was no evidence Australia’s spy agencies had acted outside the law. The inspector general of intelligence and security says it maintains “ongoing visibility” of all activities undertaken by the Australian Signals Directorate
December 5, 2013
Sweden spied on Russia for NSA: report
December 5, 2013
Information collected about Russian politicians by Sweden’s main signals intelligence agency, the National Radio Defence Establishment (Försvarets radioanstalt, FRA), was handed over to the US spy agency, according to documents reviewed by Sveriges Television (SVT) investigative news programme Uppdrag gränskning (UG).
The documents describe FRA as a “leading partner” in the NSA’s international cooperation to monitor communications traffic around the world.
"The FRA provided NSA (…) unique collection on high-priority Russian targets, such as leadership, internal politics," reads one NSA document from dated April 18th, 2013.
The documents don’t go into detail about how leading Russian politicians are monitored, such as whether their phones are tapped or information about their phone calls and internet use are registered. Nor is it clear if Russian President Vladimir Putin or other leaders are the target of the spying.
However, it appears the NSA is satisfied with the cooperation provided by FRA, which the US spy agency describes as “unique”.
Ahead of a meeting with officials from FRA, NSA bosses are instructed to praise the Swedes, according to the investigative news programme.
“Thank Sweden for its continued work on the Russian target, and underscore the primary role that FRA plays as a leading partner to work the Russian Target, including Russian leadership, (…) and (…) counterintelligence,” one of the documents reviewed by SVT reads.
"FRA’s cable access has resulted in unique SIGINT reporting on all of these areas," it continues, using a common abbreviation to refer to signals intelligence.
According to UG, neither FRA or the NSA was willing to comment on the report.
"The quote you read here is the type of information that’s hard for us to comment on," FRA spokesman Fredrik Wallin told SVT.
The NSA said only that “the US government has made clear that the United States gathers foreign intelligence of the type gathered by all nations”.
The reports comes amid revelations about the extent of US-led international signals intelligence activities, with Sweden having been named previously as an important partner.
British journalist Duncan Campbell claimed earlier this year that Sweden, via FRA, had become “the biggest partner to (British intelligence agency) GCHQ outside the English-speaking countries”.
Both FRA and the Swedish government have pointed out that Sweden’s laws allow for international cooperation, but won’t specify with which countries.
"A partner can’t control us; what we cooperate on with lies within the framework of the direction the Swedish government has given us," Dag Hartelius, the recently installed head of FRA, said a month ago.
FRA is authorized to monitor cable-bound communications traffic to track “external threats” against the country. The intelligence gathering can only be directed toward foreign countries.
The government, military, Swedish Security Service (Säpo), and the National Bureau of Investigation (NBI) can order intelligence material from FRA. The agency can also share information with other countries.
Permits are authorized by a secret court, the Defence Intelligence Court (Försvarsunderrättelsedomstolen).
December 5, 2013
Anarchy at Door, West Starts to Rebuild Libyan Army
December 5, 2013
TRIPOLI — On a dusty parade ground outside Tripoli, young recruits march and bark out slogans for the new Libyan army that Western powers hope can turn the tide on militias threatening to engulf the North African country in anarchy.
Their boots are new and their fatigues pressed, but Libya’s army recruits will need more than drills to take on the hardened militiamen, Islamist fighters and political rivalries testing their OPEC nation’s stability.
Two years after NATO missiles helped rebels drive out Muammar Gaddafi, Libya is under siege from former rebel fighters who now flex their military muscle to make demands on the state, seize oilfields and squabble over post-war spoils.
With Libya’s army still in the making, Western powers are keen to halt chaos in the key European oil supplier and stop illicit arms spilling across North Africa.
Prime Minister Ali Zeidan last month stood by in London as U.S. Secretary of State John Kerry and Britain’s William Hague pledged support. Just weeks earlier, Zeidan himself was briefly abducted from a Tripoli hotel by militiamen.
Everyone agrees Libya needs help. But after four decades of Gaddafi rule, Libya’s stuttering decision-making, fragile leadership and chronic disorganization hamper cooperation.
Infighting between broadly liberal and Islamist camps in the assembly, and their network of militia allies, muddies Western efforts to stabilize a country where NATO’s intervention was seen as a model two years ago.
"What happens next depends on outside pressure. If we don’t make a compromise, we’ll lose Libya," said Tofiq al-Shahibi, a leader with the National Forces Alliance party. "If we think we can build our country without outside help, we will fail."
Libya’s new army is already being tested. The worst clashes in Tripoli since 2011 killed more than 40 people last month, forcing quasi-legal militias to withdraw from the capital and leave the nascent army to patrol for now.
In Benghazi, where Islamist militants assaulted the U.S. consulate last year killing four Americans including the ambassador, Libya’s special forces are now taking on the same hardline group Washington blames for the September 2012 attack.
Turkey, Italy, and Britain are leading the way with promises to train around 8,000 troops and police in skills from infantry basics to forensics. Other recruits are graduating from programs in Jordan.
But Western military support is in its infancy. The army struggles even to pin down how many troops it has, including new recruits, ex-Gaddafi soldiers and militiamen drafted into the ranks.
As in other countries where Arab Spring revolts ousted autocrats, Libya’s messy path from Gaddafi’s rule is complicating Western efforts.
Parliament is deadlocked between the mainly liberal National Forces Alliance, often linked to militia fighters from the mountain redoubt of Zintan, and the Justice and Construction party or JCP, a wing of the Muslim Brotherhood, frequently associated with fighters from coastal Misrata and Tripoli.
Disputes run deep through the interior and defense ministries, where former rebels, including hardline Islamists, have been reintegrated and put on the state payroll in an attempt to control their fighters.
"We can do capacity building and training and advice, but ultimately if the Libyans don’t sort out the basic political problem then it is all on the margins," one Western diplomat said. "They need to come to some national consensus about what kind of country they want."
Former fighters have plagued Libya’s central government since the fall of Tripoli in August 2011 when rebels from rival cities into the capital and entrenched themselves in fiefdoms.
This year former rebel commanders in the east and tribes in the west have taken over gas pipelines, ports and oilfields, cutting off crude shipments to demand ethnic or regional rights.
Balanced against those militia, officials say the army has 5,000 troops in training overseas and 10,000 in Libya. At least 3,000 were in Tripoli after the militia withdrawal last month and special forces units are in Benghazi, one diplomat said.
Italy and Turkey are training police. Britain will start early next year giving training to 2,000 infantry troops with instruction mostly given overseas.
Washington is still considering cooperation proposals, including a plan for groups of Libyan soldiers to rotate though Bulgaria for training.
Adm. William McRaven, the commander of U.S. Special Operations Command, has said the U.S. military was working to train 5,000 to 7,000 Libyans. He acknowledged a risk that some recruits tied to militias may not have “clean records.”
"We all recognize the circumstances that are here. This is a new state, this is a developing state, that carries some baggage with it," U.S. Ambassador Deborah Jones told reporters this week. "I am very optimistic."
So much of the training takes place overseas because few of Libya’s partners are willing to commit advisors on the ground.
Turkey trained 800 police cadets who graduated in February, but so far Libya has been unable to send a second batch because of state “decision-making” problems, one official said.
"We set up training. On day one, no one shows up. The second day, they promise us eight recruits, and only two show up. It’s frustrating," another diplomat said.
Lack of modern equipment, basic skill levels and limited army facilities make training difficult; Gaddafi-era rivalries between departments mean coordination is often non-existent.
Some Libyan forces start from scratch. Coast guards, for example, often went out without life-jackets before training started and borrowed fishing vessels to make voyages to sea.
"They are trying to reform a non-system, they are trying to reform what didn’t operate and make it into a rational system at break-neck speed," said Peter Rundell, deputy head of an EU mission that trains border guards and customs workers.
GUNS AND DISTRUST
Increasing Western aid could not come too soon for Zeidan’s fragile government. The Libyan premier may now see a chance to capitalize on growing popular discontent with the militias to speed up recruitment and regain some control of the capital.
Tripoli’s residents are frustrated. Gunmen armed with anti-aircraft cannons on trucks earlier this year besieged ministries to force political demands on the assembly and have fought turf wars in the capital and Benghazi.
One Tripoli battle at the start of November was sparked by a personal feud after one militia briefly arrested a leader from a rival group for driving an unlicensed car. He was freed, but returned with his militiamen and a gun battle broke out.
Armed protests at oil ports and production facilities have cut the country’s oil exports to 10 percent of the normal 1.4 million barrels per day output and forced the government to import fuel and cut back on electricity in the capital.
November’s clashes in Tripoli were sparked when angry residents marched on the base of a militia from Misrata to demand they leave the capital. Gunmen opened fire with anti-aircraft guns fastened to a truck.
Faced with popular anger, the Misratans and rival Zintani brigades pulled out of their bases, where army patrols and police are now stationed. Some fighters agreed to join the regular army; others left with their heavy weaponry.
"Each one wants to keep their weapons, not because of the government, but because they are aware the others didn’t hand theirs over yet. To be on the safe side," said Saleh Gaouda, a lawmaker allied to Libya’s Islamists.
At the 2nd Brigade army camp outside Tripoli, recruits are keen to sign up, dumping their bags, blankets and baseball caps on the parade ground before drill officers in aviator glasses run them through their first day of training.
Officers complain of a lack of space at the camp, where recruits get three months of basic training in army discipline and fitness before they get near any weapons. But they sense a shift in the military’s fortune.
"We are getting more and more everyday," base commander, Brigadier Faituri Gabil said. "Everything needs time, we are just starting and it is difficult. We have lots of militias and lots of different ideas, now the army is winning."
December 5, 2013
Sweden Key Partner for U.S. Spying on Russia: TV
December 5, 2013
STOCKHOLM — Sweden has been a key partner for the United States in spying on Russia and its leadership, Swedish television said on Thursday, citing leaked documents from the U.S. National Security Agency (NSA).
Earlier this year, former U.S. National Security Agency contractor Edward Snowden passed to media details of a global spying program by the NSA, stirring international criticism. The U.S. has said much of the information was a result of cooperation with other intelligence services.
Swedish television cited a document dated Apr. 18 this year saying Sweden’s National Defense Radio Establishment (FRA), which conducts electronic communications surveillance, had helped in providing the United States with information on Russia.
"The FRA provided NSA … a unique collection on high-priority Russian targets, such as leadership, internal politics," it quoted the document saying.
The FRA declined to comment on the matter.
"We do in general have international cooperation with a number of countries, which is supported in Swedish legislation, but we do not comment on which ones we cooperate with," Anni Bolenius, head of communications at the FRA said.
In a separate document, high level NSA employees were told to “thank Sweden for its continued work on the Russian target, and underscore the primary role that FRA plays as a leading partner to work the Russian target, including Russian leadership … and … counterintelligence.”
Previously, Sweden’s FRA has said only that it cooperates with foreign intelligence services, but that all activities are strictly controlled by Swedish law.
Swedish television said it had obtained the documents from Glenn Greenwald, the journalist who brought the Snowden leaks to world attention.
Snowden is in Russia, where he was granted asylum in August for at least a year.
December 5, 2013
Stolen Cobalt-60 Found Abandoned in Mexico
December 4, 2013
MEXICO CITY — A missing shipment of radioactive cobalt-60 was found Wednesday near where the stolen truck transporting the material was abandoned in central Mexico, the country’s nuclear safety director said.
The highly radioactive material had been removed from its container, officials said, and one predicted that anyone involved in opening the box could be in grave danger of dying within days.
The cobalt-60 was left in a rural area about a kilometer (a half a mile) from Hueypoxtla, an agricultural town of about 4,000 people, but it posed no threat or a need for an evacuation, said Juan Eibenschutz, director general of the National Commission of Nuclear Safety and Safeguards.
"Fortunately there are no people where the source of radioactivity is," Eibenschutz said.
Commission physicist Mardonio Jimenez said it was the first time cobalt-60 had been stolen and extracted from its container. The only threat was to whoever opened the box and later discarded the pellets of high-intensity radioactive material that was being transported to a waste site. It had been used in medical equipment for radiation therapy.
"The person or people who this took out are in very great risk of dying," Jimenez said, adding that the normal survival rate would be between one and three days.
He said there was no word so far of anyone reporting to area hospitals with radiation exposure. He said those who exposed themselves to the pellets could not contaminate others.
Federal police and military units on the scene put up a cordon of 500 meters (yards) around the site.
The cargo truck hauling the cobalt-60 was stolen from a gas station Monday in the neighboring state of Hidalgo, about 40 kilometers (24 miles) from where the material was recovered, Jimenez said. Authorities had put out an alert in six central states and the capital looking for it.
The truck was taking the cobalt to a nuclear waste facility in the state of Mexico, which is adjacent to Mexico City
The material was used in obsolete radiation therapy equipment that is being replaced throughout Mexico’s public health system. It was coming from the general hospital in the northern border city of Tijuana, Eibenshutz said.
Before the container was found, he said the thieves most likely wanted the white 2007 Volkswagen cargo vehicle with a moveable platform and crane.
Eibenschutz said there was nothing to indicate the theft of the cobalt was intentional or in any way intended for an act of terrorism.
On average, a half dozen thefts of radioactive materials are reported in Mexico each year and none have proven to be aimed at the cargo itself, he said.
According to the complaint of this theft, a truck marked “Transportes Ortiz” left Tijuana on Nov. 28 and was headed to the storage facility when the driver stopped to rest at a gas station in Tepojaco, in Hidalgo state north of Mexico City.
The driver, Valentin Escamilla Ortiz, told authorities he was sleeping in the truck when two men with a gun approached him. They made him get out, tied his hands and feet and left him in a vacant lot nearby.
When he was able to free himself, he ran back to the gas station to get help.
Eibenschutz said the transport company did not follow proper procedures and should have had GPS and security with the truck.
"The driver also lacked common sense because he decided to park along a highway so he could sleep," Eibenschutz said.
The company couldn’t immediately be located for comment. One Mexico City company called “Transportes Ortiz” said the truck was not theirs and they had nothing to do with the incident.
Eibenschutz had said early in the day that direct exposure to cobalt-60 could result in death within a few minutes, but Jimenez said the pellets involved were sealed.
The health risk depends on time of exposure and distance to the pellets, said Dr. Fred Mettler, a University of New Mexico’s radiology professor and a U.S. representative to the U.N. on radiation safety.
"If you hold the source in your hand for five or six or eight minutes you are probably going to get enough radiation to your whole body that may well kill you," he said. "But if somebody is across the street, they are not going to enough to really make them sick."
December 5, 2013
Iraq Police Storm Mall, Kill Gunmen After Standoff
December 5, 2013
KIRKUK, Iraq — Iraqi police stormed a mall in a northern city that gunmen used to launch an attack on a nearby police station, killing three militants and ending an hourslong standoff as attacks elsewhere left seven dead Thursday, authorities said.
Militants held off police from their rooftop position on six-story Jawahir mall in Kirkuk overnight, throwing down grenades and firing on officers and civilians who tried to flee the fighting. Officers raided the mall Thursday morning before dawn, killing the militants, said Brig. Gen. Sarhad Qadir, Kirkuk’s police commander.
No security forces or civilians were wounded in that fighting, Qadir said, though it left large portions of the mall burned. Eleven storekeepers hid inside the mall during the attack, scared to leave, he said.
The fighting in Kirkuk began Wednesday, when authorities said a car bomb exploded at the gates of the Police Intelligence Department. A suicide bomber on foot entered the station and detonated his explosives after that, officials said. The gunmen on the mall’s roof then opened fire down on the station, they said.
The police station attack killed five officers and two civilians, while wounding some 70 people, Qadir said.
A similar style attack Tuesday on a mayor’s office in Tarmiyah killed 10 people, officials said.
Meanwhile Thursday, police said gunmen wearing military uniforms stormed the house of a police major in Arej village just south of Mosul, about 350 kilometers (225 miles) northwest of Baghdad. The gunmen killed the police major and his two sons, officials said.
In western Baghdad, a bomb blast on a commercial street killed two people and wounded six, police said. An explosion near shops in the town of Madian, just south of Baghdad, killed two people and wounded six, officials said.
Violence has spiked in Iraq following a security deadly crackdown on a Sunni protest camp in April. More than 8,000 people have been killed since the start of the year, according to United Nations estimates.
December 5, 2013
France: C. African Republic Intervention Imminent
December 5, 2013
BANGUI, Central African Republic — Gunfire echoed across the capital of the near-anarchic Central African Republic early Thursday amid reported clashes between the mostly Muslim armed fighters who have controlled the country since March and Christians who support the ousted president.
The United Nations Security Council is set to authorize troops from African nations and former colonial power France to deploy amid growing sectarian violence. The most recent attack this week, which was blamed on Christian fighters, killed nearly a dozen women and children in a remote community.
French Foreign Minister Laurent Fabius said Thursday that military intervention would unfold swiftly after the U.N. vote, telling BFM-TV that the French deployment would total around 1,200, with 600 troops already in the country.
"We have to end this humanitarian catastrophe and restore security," Fabius said.
Crackles of gunfire first erupted around 6 a.m. and could still be heard sporadically nearly three hours later close to Bangui’s airport. Other reports of arms fire came in from suburbs north and east of Bangui.
"It’s not exactly clear but we believe the attackers are members of the anti-balaka," said government spokesman Gaston Mackouzangba. "Our forces are on the ground now."
Balaka means machete, and “anti-balaka” is the name adopted by groups who took up arms against members of the former rebel coalition known as Seleka, who now claim control of the government.
Seleka is an unlikely group of allies who united a year ago with the goal of forcing President Francois Bozize from the presidency after a decade in power. After thousands of rebels besieged Bangui in March, Bozize fled and the insurgents installed their leader Michel Djotodia as president.
However, he has increasingly sought to distance himself from his former allies as the Seleka rebels have been blamed for scores of atrocities in Bangui, killing and raping civilians and stealing from aid groups and orphanages. He has even less control over the ex-Seleka in the distant provinces where anger over human rights abuses fueled the formation of the Christian anti-balaka movement several months ago.
While the anti-balaka fighters include villagers defending their communities against Seleka attacks with artisanal hunting rifles and machetes, it also is believed to be receiving support from those still allied to Bozize, now in exile. The anti-balaka fighters also have been implicated in massacres on Muslim civilian populations, which also have suffered under the Seleka regime and say they are being unfairly blamed for Seleka’s wanton destruction.
The death toll has been impossible to estimate in Central African Republic, a long lawless and desperately poor country in the heart of Africa where many roads have not been repaved since independence from France in 1960. Fabius has warned that Central African Republic is on “the verge of genocide” as communal violence escalates.
France called for a vote Thursday on a resolution that would authorize the deployment of an African Union-led force to Central African Republic for a year to protect civilians and restore security and public order. The AU force is replacing a regional peacekeeping mission whose presence has been mainly limited to the capital and a few northern cities.
The U.N. resolution also would authorize French forces, for a temporary period, “to take all necessary measures” to support the AU-led force known as MISCA, whose troop numbers are expected to rise from about 2,500 to 3,500.
December 5, 2013
Assailants Launch Two-Pronged Attack on Yemen Defense Ministry
Nasser Arrabyee and Alan Cowell
New York Times
December 5, 2013
SANA, Yemen — Assailants launched a twin-pronged attack on Yemen’s heavily guarded Defense Ministry in the center of the capital on Thursday, ramming a car packed with explosives into one side of the complex as attackers on foot opened fire with automatic rifles on another, witnesses said.
In the initial confusion, news reports quoting defense ministry officials said 20 people had been killed, including both militants and Yemeni soldiers, and dozens wounded, but other accounts put the death toll higher.
Gunfire rang out after the car exploded, sending plumes of smoke into the air. The blast was heard across Sana, the capital of a troubled and impoverished country that is regularly convulsed by violence. There was no immediate claim of responsibility for the attack, which some analysts said showed the hallmarks of Al Qaeda.
The attack was apparently timed to coincide with the changing of the guard at the complex, when gates are opened to allow soldiers to enter and leave. Yemeni special forces in armored vehicles surrounded the building, fighting gun battles with about a dozen assailants.
Yemen is known as the home of one of Al Qaeda’s most organized and threatening affiliates, whose operatives are the targets of an American drone campaign to kill militants suspected of involvement in kidnapping for ransom and a string of deadly attacks on military targets.
Yemeni officials say that Al Qaeda in the Arabian Peninsula, as the affiliate is called, has infiltrated the country’s security services, and there were reports that the attackers on Thursday wore military uniforms.
In September, at least 21 government soldiers were killed by militants suspected of belonging to Al Qaeda in attacks on two military targets in the south of Yemen.
Al Qaeda is not the only source of unrest. The government is facing secessionists in the south and Shiite Muslim rebels in the north. Since the former president, Ali Abdullah Saleh, was forced from office in 2011 by popular protests, the country has been run by an interim government.
December 5, 2013
Internet Firms Step Up Efforts to Stop Spying
Nicole Perlroth and Vundu Goel
New York Times
December 5, 2013
SAN FRANCISCO — When Marissa Mayer, Yahoo’s chief executive, recently announced the company’s biggest security overhaul in more than a decade, she did not exactly receive a standing ovation.
Ordinary users asked Ms. Mayer why Yahoo was not doing more. Privacy activists were more blunt. “Even after today’s announcement, Yahoo still lags far behind Google on web security,” said Christopher Soghoian, a technology analyst at the American Civil Liberties Union.
For big Internet outfits, it is no longer enough to have a fast-loading smartphone app or cool messaging service. In the era of Edward J. Snowden and his revelations of mass government surveillance, companies are competing to show users how well their data is protected from prying eyes, with billions of dollars in revenue hanging in the balance.
On Thursday, Microsoft will be the latest technology company to announce plans to shield its services from outside surveillance. It is in the process of adding state-of-the-art encryption features to various consumer services and internally at its data centers.
The announcement follows similar efforts by Google, Mozilla, Twitter, Facebook and Yahoo in what has effectively become a digital arms race with the National Security Agency as the companies react to what some have called the “Snowden Effect.”
While security has long simmered as a concern for users, many companies were reluctant to employ modern protections, worried that upgrades would slow down connections and add complexity to their networks.
But the issue boiled over six months ago, when documents leaked by Mr. Snowden described efforts by the N.S.A. and its intelligence partners to spy on millions of Internet users. More than half of Americans surveyed say N.S.A. surveillance has intruded on their personal privacy rights, according to a Washington Post-ABC News poll conducted in November.
The revelations also shook Internet companies, which have been trying to reassure customers that they are doing what they can to protect their data from spying. They have long complied with legal orders to hand over information, but were alarmed by more recent news that the N.S.A. was also accessing their data without their knowledge.
“We want to ensure that governments use legal process rather than technological brute force to obtain customer data — it’s as simple as that,” said Bradford L. Smith, Microsoft’s general counsel, in an interview.
Mr. Smith said his company would also open “transparency centers” where foreign governments can inspect the company’s code in an effort to assure them that it does not plant back doors for spy agencies in its products.
Already, the Snowden revelations threaten to erode the market share of American technology companies abroad.
In India, government officials are now barred from using email services that have servers located in the United States. In Brazil, lawmakers are pushing for laws that would force foreign companies to spend billions redesigning their systems — and possibly the entire Internet — to keep Brazilian data from leaving the country.
Forrester Research projected the fallout could cost the so-called cloud computing industry as much as $180 billion — a quarter of its revenue — by 2016.
“The world is quickly being divided into companies that are secure and companies that are not,” said Bhaskar Chakravorti, a dean of international business and finance at the Fletcher School at Tufts University.
One by one, technology companies have been scrambling to plug security holes.
The best defense, security experts say, is using Transport Layer Security, a type of encryption familiar to many through the “https” and padlock symbol at the beginning of Web addresses that use the technology. It uses a long sequence of numbers — a master key — that scrambles sensitive data like passwords, credit card details, intellectual property and personal information between a user and a website while in transit.
Banks and other financial sites have used such security for years, and Google and Twitter along with Microsoft’s email service made it standard long ago. Facebook adopted https systemwide this year. And Ms. Mayer said Yahoo would finally allow consumers to encrypt all their Yahoo data in January.
But as many sites move to https, security experts say more advanced security measures are needed. If a government can crack the master key — or obtain it through court orders — it could go back and decrypt past communications for millions of users.
That’s why companies like Google, Mozilla, Facebook and Twitter have added another layer of protection, called Perfect Forward Secrecy. That technology adds a second lock to each user’s transmissions, with the key changed frequently. Microsoft plans to add the encryption method next year, but Yahoo has not said whether it will add it.
“Perfect Forward Secrecy is a billion different secrets, and it’s not protected by one central secret,” said Scott Renfro, a Facebook software engineer who works on the company’s security infrastructure.
So even if an outsider obtained the master key, it would still have to crack the other keys, over and over again.
“This type of protection should have been engineered into all web systems and all Internet systems to begin with,” said Jacob Hoffman-Andrews, an engineer at Twitter.
The technology has existed for two decades, but companies were slow to adopt it because it added complexity and introduced a delay to Internet transactions, which can encourage impatient users to flee for faster sites. But many of those issues were resolved by Google when it applied Perfect Forward Secrecy in 2011, said Adam Langley, a software engineer at the company. Google shared its improvements with the broader tech community.
Still, technical solutions can be trumped by law. While https and Perfect Forward Secrecy protect the data transmission, law enforcement agencies can still compel companies to hand the data over from their servers, where it is stored.
So Internet companies are trying to ensure they are at least blocking unauthorized access by addressing other security issues, including a hole that leaves users vulnerable at the very beginning of a site visit. When users want to log into, say, Google’s Gmail, their Internet browser checks the site’s security certificate to make sure it’s not an impostor.
Some security experts believe that hackers are nearly capable of cracking the 1024-bit encryption keys that protect the certificates. But an industry standards group is requiring that, starting next year, all new and renewed certificate keys use 2048-bit encryption, which is far more difficult to break.
Ultimately, however, every security advance is met by new threats. “Attacks don’t get worse,” Mr. Langley said. “They only get better.”
December 4, 2013
Do Antivirus Companies Whitelist NSA Malware?
December 4, 2013
Microsoft, Symantec, and McAfee fail to respond to a transparency plea from leading privacy and security experts.
Dear antivirus vendors: Are you aiding and abetting National Security Agency (NSA) spying?
That’s the subject of an open letter, sent in October to leading antivirus vendors, from 25 different privacy information security experts and organizations. The letter asks the vendors to detail whether they’ve ever detected state-sponsored malware or received a government request to whitelist state-sponsored malware, and how they would respond to any such requests in the future.
The letter, sent from Dutch digital rights foundation Bits of Freedom, requested that the firms respond by November 15. “Please let us know if you feel that you cannot, or cannot fully, answer any of the above questions because of legal constraints imposed upon you by any government,” it said.
"Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we’ve been wondering if it’s done anything to antivirus products," letter signatory Bruce Schneier, chief security technology officer of BT, said in a blog post. “Given that it engages in offensive cyberattacks — and launches cyberweapons like Stuxnet and Flame — it’s reasonable to assume that it’s asked antivirus companies to ignore its malware. We know that antivirus companies have previously done this for corporate malware.”
As of two weeks ago, however, only six security vendors — ESET, F-Secure, Kaspersky Lab, Norman Shark, Panda, and Trend Micro — had responded to the request for information. Even so, the news was good. “All of the responding companies have confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher,” according to researcher Ton Siedsma at Bits of Freedom. “Furthermore, they claim they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply.”
No malware is harmless
That, of course, gets to the crux of the matter: Is there any such thing as benign malware? Most, if not all, security experts would argue otherwise. “All the aforementioned companies believe there is no such thing as harmless malware,” Bits of Freedom’s Siedsma noted.
Hence it’s odd that US-based McAfee, Microsoft, and Symantec all failed to respond to Bits of Freedom’s letter before the deadline. (Siedsma at Bits of Freedom didn’t immediately respond to an emailed question about whether any have done so since then.) Ditto for Agnitum (Russia), Ahnlab (South Korea), Avast (Czech Republic), AVG (Czech Republic), Avira (Germany), Bitdefender (Romania), and Bullguard (United Kingdom).
Firms that did respond, by contrast, were largely outspoken in their attitude toward state-sponsored malware. “We have a very simple and straightforward policy as it relates to the detection of malware: We detect and remediate any malware attack, regardless of its origin or purpose. There is no such thing as ‘right’ or ‘wrong’ malware for us,” according to Kaspersky Lab’s statement.
Likewise, Christian Fredrikson, president and CEO of Finnish antivirus vendor F-Secure, argued that malware has no shades of gray. “If it’s malware, we will protect our customers from it,” he wrote to Bits of Freedom. “Our decision-making boils down to a simple question: would our customers want to run this program on their system or not. Obviously the answer for governmental Trojans would be a ‘No.’ “
Ignoring malware of any stripe leads to collateral damage. For example, take the Stuxnet virus, which was allegedly developed by the United States and Israel under the so-called “Olympic Games” cyberweapon program, and which was designed to sabotage the high-frequency convertor drives used in centrifuges inside the Iranian nuclear facility at Natanz.
Security firms, in fact, were the first to discover Stuxnet — in July 2010 — and soon began sounding related warnings. While Stuxnet was designed to not cause damage to any other systems outside of Natanz, it did infect numerous other systems, for example at energy giant Chevron, triggering panic and cleanup costs.
For the record, whatever antivirus vendors’ attitude toward state-sponsored malware, whether or not they detect it won’t necessarily stop the spread of such malware. In part, that’s because for an antivirus firm to spot malware, it first needs to have seen the malware, recognized that it’s malicious code, and written a corresponding virus signature for its products. In addition, intelligence agencies no doubt work overtime — and occasionally make use of zero-day vulnerabilities — to ensure that their malicious code escapes detection. They’re probably quite successful at doing so. For example, leaked documents suggest that by 2012, the NSA had installed malware on more than 50,000 PCs used by US government targets.
Given that level of success, it’s unlikely, argued Schneier, that any intelligence or law enforcement agencies would try to tell domestic antivirus firms what to do. “Antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies,” he said.
But if that’s the case, what’s to account for the silence from McAfee, Microsoft, and Symantec, and the other antivirus firm holdouts?