CRYPTO-GRAM - Bruce Schneier - August 15, 2013 (NSA coverage/opinion)

17th August 2013, 23:33
Bruce Schneier has been writing these newsletters for some time. Obviously recently he has been all over the NSA issue; this installment is a very good read.

Permission is given to repost this and forward, so long as nothing is changed.



August 15, 2013

by Bruce Schneier
BT Security Futurologist

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1308.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively and intelligent
comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
The Public/Private Surveillance Partnership
The NSA is Commandeering the Internet
Restoring Trust in Government and the Internet
Book Review: "Rise of the Warrior Cop"
Schneier News
Michael Hayden on the Effects of Snowden's Whistleblowing
Counterterrorism Mission Creep

** *** ***** ******* *********** *************

The Public/Private Surveillance Partnership

Imagine the government passed a law requiring all citizens to carry a
tracking device. Such a law would immediately be found unconstitutional.
Yet we all carry mobile phones.

If the National Security Agency required us to notify it whenever we
made a new friend, the nation would rebel. Yet we notify Facebook. If
the Federal Bureau of Investigation demanded copies of all our
conversations and correspondence, it would be laughed at. Yet we provide
copies of our e-mail to Google, Microsoft or whoever our mail host is;
we provide copies of our text messages to Verizon, AT&T and Sprint; and
we provide copies of other conversations to Twitter, Facebook, LinkedIn,
or whatever other site is hosting them.

The primary business model of the Internet is built on mass
surveillance, and our government's intelligence-gathering agencies have
become addicted to that data. Understanding how we got here is critical
to understanding how we undo the damage.

Computers and networks inherently produce data, and our constant
interactions with them allow corporations to collect an enormous amount
of intensely personal data about us as we go about our daily lives.
Sometimes we produce this data inadvertently simply by using our phones,
credit cards, computers and other devices. Sometimes we give
corporations this data directly on Google, Facebook, Apple Inc.'s iCloud
and so on in exchange for whatever free or cheap service we receive from
the Internet in return.

The NSA is also in the business of spying on everyone, and it has
realized it's far easier to collect all the data from these corporations
rather than from us directly. In some cases, the NSA asks for this data
nicely. In other cases, it makes use of subtle threats or overt
pressure. If that doesn't work, it uses tools like national security

The result is a corporate-government surveillance partnership, one that
allows both the government and corporations to get away with things they
couldn't otherwise.

There are two types of laws in the U.S., each designed to constrain a
different type of power: constitutional law, which places limitations on
government, and regulatory law, which constrains corporations.
Historically, these two areas have largely remained separate, but today
each group has learned how to use the other's laws to bypass their own
restrictions. The government uses corporations to get around its limits,
and corporations use the government to get around their limits.

This partnership manifests itself in various ways. The government uses
corporations to circumvent its prohibitions against eavesdropping
domestically on its citizens. Corporations rely on the government to
ensure that they have unfettered use of the data they collect.

Here's an example: It would be reasonable for our government to debate
the circumstances under which corporations can collect and use our data,
and to provide for protections against misuse. But if the government is
using that very data for its own surveillance purposes, it has an
incentive to oppose any laws to limit data collection. And because
corporations see no need to give consumers any choice in this matter --
because it would only reduce their profits -- the market isn't going to
protect consumers, either.

Our elected officials are often supported, endorsed and funded by these
corporations as well, setting up an incestuous relationship between
corporations, lawmakers and the intelligence community.

The losers are us, the people, who are left with no one to stand up for
our interests. Our elected government, which is supposed to be
responsible to us, is not. And corporations, which in a market economy
are supposed to be responsive to our needs, are not. What we have now is
death to privacy -- and that's very dangerous to democracy and liberty.

The simple answer is to blame consumers, who shouldn't use mobile
phones, credit cards, banks or the Internet if they don't want to be
tracked. But that argument deliberately ignores the reality of today's
world. Everything we do involves computers, even if we're not using them
directly. And by their nature, computers produce tracking data. We can't
go back to a world where we don't use computers, the Internet or social
networking. We have no choice but to share our personal information with
these corporations, because that's how our world works today.

Curbing the power of the corporate-private surveillance partnership
requires limitations on both what corporations can do with the data we
choose to give them and restrictions on how and when the government can
demand access to that data. Because both of these changes go against the
interests of corporations and the government, we have to demand them as
citizens and voters. We can lobby our government to operate more
transparently -- disclosing the opinions of the Foreign Intelligence
Surveillance Court would be a good start -- and hold our lawmakers
accountable when it doesn't. But it's not going to be easy. There are
strong interests doing their best to ensure that the steady stream of
data keeps flowing.

This essay originally appeared on Bloomberg.com.
or http://tinyurl.com/me4bpsx

Corporations collecting data:
or http://tinyurl.com/mpy6tbz

Corporations cooperating with the NSA:
or http://tinyurl.com/jw7f4ob
or http://tinyurl.com/l4ztclv
or http://tinyurl.com/ntd3ffe
or http://tinyurl.com/osj2zps

How the partnership manifests itself:
or http://tinyurl.com/myc3gtl
or http://tinyurl.com/kkcyqej

Congress attempt to rein in NSA:
or http://tinyurl.com/msvoc7k

The death of privacy:

Disclosing FISA opinions:
or http://tinyurl.com/kevlx6c

** *** ***** ******* *********** *************

The NSA is Commandeering the Internet

It turns out that the NSA's domestic and world-wide surveillance
apparatus is even more extensive than we thought. Bluntly: The
government has commandeered the Internet. Most of the largest Internet
companies provide information to the NSA, betraying their users. Some,
as we've learned, fight and lose. Others cooperate, either out of
patriotism or because they believe it's easier that way.

I have one message to the executives of those companies: fight.

Do you remember those old spy movies, when the higher ups in government
decide that the mission is more important than the spy's life? It's
going to be the same way with you. You might think that your friendly
relationship with the government means that they're going to protect
you, but they won't. The NSA doesn't care about you or your customers,
and will burn you the moment it's convenient to do so.

We're already starting to see that. Google, Yahoo, Microsoft and others
are pleading with the government to allow them to explain details of
what information they provided in response to National Security Letters
and other government demands. They've lost the trust of their
customers, and explaining what they do -- and don't do -- is how to get
it back. The government has refused; they don't care.

It will be the same with you. There are lots more high-tech companies
who have cooperated with the government. Most of those company names
are somewhere in the thousands of documents that Edward Snowden took
with him, and sooner or later they'll be released to the public. The
NSA probably told you that your cooperation would forever remain secret,
but they're sloppy. They'll put your company name on presentations
delivered to thousands of people: government employees, contractors,
probably even foreign nationals. If Snowden doesn't have a copy, the
next whistleblower will.

This is why you have to fight. When it becomes public that the NSA has
been hoovering up all of your users' communications and personal files,
what's going to save you in the eyes of those users is whether or not
you fought. Fighting will cost you money in the short term, but
capitulating will cost you more in the long term.

Already companies are taking their data and communications out of the US.

The extreme case of fighting is shutting down entirely. The secure
e-mail service Lavabit did that last week, abruptly. Ladar Levison,
that site's owner, wrote on his homepage: "I have been forced to make a
difficult decision: to become complicit in crimes against the American
people or walk away from nearly ten years of hard work by shutting down
Lavabit. After significant soul searching, I have decided to suspend
operations. I wish that I could legally share with you the events that
led to my decision."

The same day, Silent Circle followed suit, shutting down their e-mail
service in advance of any government strong-arm tactics: "We see the
writing the wall, and we have decided that it is best for us to shut
down Silent Mail now. We have not received subpoenas, warrants, security
letters, or anything else by any government, and this is why we are
acting now." I realize that this is extreme. Both of those companies
can do it because they're small. Google or Facebook couldn't possibly
shut themselves off rather than cooperate with the government. They're
too large; they're public. They have to do what's economically
rational, not what's moral.

But they can fight. You, an executive in one of those companies, can
fight. You'll probably lose, but you need to take the stand. And you
might win. It's time we called the government's actions what they really
are: commandeering. Commandeering is a practice we're used to in
wartime, where commercial ships are taken for military use, or
production lines are converted to military production. But now it's
happening in peacetime. Vast swaths of the Internet are being
commandeered to support this surveillance state.

If this is happening to your company, do what you can to isolate the
actions. Do you have employees with security clearances who can't tell
you what they're doing? Cut off all automatic lines of communication
with them, and make sure that only specific, required, authorized acts
are being taken on behalf of government. Only then can you look your
customers and the public in the face and say that you don't know what is
going on -- that your company has been commandeered.

Journalism professor Jeff Jarvis recently wrote in the "Guardian":
"Technology companies: now is the moment when you must answer for us,
your users, whether you are collaborators in the US government's efforts
to 'collect it all' -- our every move on the internet -- or whether you,
too, are victims of its overreach."

So while I'm sure it's cool to have a secret White House meeting with
President Obama -- I'm talking to you, Google, Apple, AT&T, and whoever
else was in the room -- resist. Attend the meeting, but fight the
secrecy. Whose side are you on?

The NSA isn't going to remain above the law forever. Already public
opinion is changing, against the government and their corporate
collaborators. If you want to keep your users' trust, demonstrate that
you were on their side.

This essay originally appeared on TheAtlantic.com.
or http://tinyurl.com/koa9bzc

Corporations and the NSA surveillance apparatus:
or http://tinyurl.com/ldxkpkt
or http://tinyurl.com/jw7f4ob
or http://tinyurl.com/ntd3ffe

Companies wanting more disclosure:
or http://tinyurl.com/mcn9xjr

Whistleblowing as civil disobedience:
or http://tinyurl.com/jwbcgom

Cooperating with NSA surveillance costs companies money:

or http://tinyurl.com/loe4dfd

Silent Circle:

Jarvis essay:
or http://tinyurl.com/mpr8x2k

Tech companies meet with Obama:
or http://tinyurl.com/mpr8x2k

NSA is a criminal organization:

Regaining trust:

Slashdot thread:
or http://tinyurl.com/ns9hk8v

** *** ***** ******* *********** *************

Restoring Trust in Government and the Internet

In July 2012, responding to allegations that the video-chat service
Skype -- owned by Microsoft -- was changing its protocols to make it
possible for the government to eavesdrop on users, Corporate Vice
President Mark Gillett took to the company's blog to deny it.

Turns out that wasn't quite true.

Or at least he -- or the company's lawyers -- carefully crafted a
statement that could be defended as true while completely deceiving the
reader. You see, Skype wasn't changing its protocols to make it possible
for the government to eavesdrop on users, because the government was
already able to eavesdrop on users.

At a Senate hearing in March, Director of National Intelligence James
Clapper assured the committee that his agency didn't collect data on
hundreds of millions of Americans. He was lying, too. He later defended
his lie by inventing a new definition of the word "collect," an excuse
that didn't even pass the laugh test.

As Edward Snowden's documents reveal more about the NSA's activities,
it's becoming clear that we can't trust anything anyone official says
about these programs.

Google and Facebook insist that the NSA has no "direct access" to their
servers. Of course not; the smart way for the NSA to get all the data is
through sniffers.

Apple says it's never heard of PRISM. Of course not; that's the internal
name of the NSA database. Companies are publishing reports purporting to
show how few requests for customer-data access they've received, a
meaningless number when a single Verizon request can cover all of their
customers. The Guardian reported that Microsoft secretly worked with the
NSA to subvert the security of Outlook, something it carefully denies.
Even President Obama's justifications and denials are phrased with the
intent that the listener will take his words very literally and not
wonder what they really mean.

NSA Director Gen. Keith Alexander has claimed that the NSA's massive
surveillance and data mining programs have helped stop more than 50
terrorist plots, 10 inside the U.S. Do you believe him? I think it
depends on your definition of "helped." We're not told whether these
programs were instrumental in foiling the plots or whether they just
happened to be of minor help because the data was there. It also depends
on your definition of "terrorist plots." An examination of plots that
the FBI claims to have foiled since 9/11 reveals that would-be
terrorists have commonly been delusional, and most have been egged on by
FBI undercover agents or informants.

Left alone, few were likely to have accomplished much of anything.

Both government agencies and corporations have cloaked themselves in so
much secrecy that it's impossible to verify anything they say;
revelation after revelation demonstrates that they've been lying to us
regularly and tell the truth only when there's no alternative.

There's much more to come. Right now, the press has published only a
tiny percentage of the documents Snowden took with him. And Snowden's
files are only a tiny percentage of the number of secrets our government
is keeping, awaiting the next whistle-blower.

Ronald Reagan once said "trust but verify." That works only if we can
verify. In a world where everyone lies to us all the time, we have no
choice but to trust blindly, and we have no reason to believe that
anyone is worthy of blind trust. It's no wonder that most people are
ignoring the story; it's just too much cognitive dissonance to try to
cope with it.

This sort of thing can destroy our country. Trust is essential in our
society. And if we can't trust either our government or the corporations
that have intimate access into so much of our lives, society suffers.
Study after study demonstrates the value of living in a high-trust
society and the costs of living in a low-trust one.

Rebuilding trust is not easy, as anyone who has betrayed or been
betrayed by a friend or lover knows, but the path involves transparency,
oversight and accountability. Transparency first involves coming clean.
Not a little bit at a time, not only when you have to, but complete
disclosure about everything. Then it involves continuing disclosure. No
more secret rulings by secret courts about secret laws. No more secret
programs whose costs and benefits remain hidden.

Oversight involves meaningful constraints on the NSA, the FBI and
others. This will be a combination of things: a court system that acts
as a third-party advocate for the rule of law rather than a rubber-stamp
organization, a legislature that understands what these organizations
are doing and regularly debates requests for increased power, and
vibrant public-sector watchdog groups that analyze and debate the
government's actions.

Accountability means that those who break the law, lie to Congress or
deceive the American people are held accountable. The NSA has gone
rogue, and while it's probably not possible to prosecute people for what
they did under the enormous veil of secrecy it currently enjoys, we need
to make it clear that this behavior will not be tolerated in the future.
Accountability also means voting, which means voters need to know what
our leaders are doing in our name.

This is the only way we can restore trust. A market economy doesn't work
unless consumers can make intelligent buying decisions based on accurate
product information. That's why we have agencies like the FDA,
truth-in-packaging laws and prohibitions against false advertising.

In the same way, democracy can't work unless voters know what the
government is doing in their name. That's why we have open-government
laws. Secret courts making secret rulings on secret laws, and companies
flagrantly lying to consumers about the insecurity of their products and
services, undermine the very foundations of our society.

Since the Snowden documents became public, I have been receiving e-mails
from people seeking advice on whom to trust. As a security and privacy
expert, I'm expected to know which companies protect their users'
privacy and which encryption programs the NSA can't break. The truth is,
I have no idea. No one outside the classified government world does. I
tell people that they have no choice but to decide whom they trust and
to then trust them as a matter of faith. It's a lousy answer, but until
our government starts down the path of regaining our trust, it's the
only thing we can do.

This essay originally appeared on CNN.com.

Skype story:
or http://tinyurl.com/q833uj7
http://www.slate.com/blogs/future_tense/2013/07/12/skype_surveillance_a_timeline_of_public_claims_and_private_government_dealings.html
or http://tinyurl.com/kmjfj27

Clapper story:
or http://tinyurl.com/lvs5z9g
or http://tinyurl.com/mhtg7rz

Government lies:

How NSA sniffers actually work:

Published reports of NSA surveillance requests:

Microsoft Outlook story:
or http://tinyurl.com/p3n2x5m
or http://tinyurl.com/mnuxbsu

General Alexander's justification:
or http://tinyurl.com/ms7gzv6

Examining terrorist plots:

The value of trust:

Two more links describing how the US government lies about NSA surveillance.
http://www.slate.com/articles/news_and_politics/politics/2013/07/nsa_lexicon_how_james_clapper_and_other_u_s_officials_mislead_the_american.html
or http://tinyurl.com/mgm8osg


** *** ***** ******* *********** *************


A problem with the US Privacy and Civil Liberties Oversight Board:

Interesting essay on the impossibility of being entirely lawful all the
time, the balance that results from the difficulty of law enforcement,
and the societal value of being able to break the law. It is very much
like my notion of "outliers" in my book "Liars and Outliers."
or http://tinyurl.com/qzbxmns

Good article on the longstanding practice of secretly tapping undersea
or http://tinyurl.com/o6b7unb
This is news right now because of a new Snowden document.
or http://tinyurl.com/n2rpec9

An amazing e-mail from the DHS, instructing its employees not to read
Snowden's documents when they appear in the press.

Edward Snowden has set up a dead man's switch. He's distributed
encrypted copies of his document trove to various people, and has set up
some sort of automatic system to distribute the key, should something
happen to him. Dead man's switches have a long history, both for safety
(the machinery automatically stops if the operator's hand goes slack)
and security reasons. WikiLeaks did the same thing with the State
Department cables. I'm not sure he's thought this through, though. I
would be more worried that someone would kill me in order to get the
documents released than I would be that someone would kill me to prevent
the documents from being released. Any real-world situation involves
multiple adversaries, and it's important to keep all of them in mind
when designing a security system.

For a change, here's a good idea by the TSA:

Violence as a source of trust in criminal societies:
or http://tinyurl.com/mh6ntno

I generally don't like stories about Snowden as a person, because they
distract from the real story of the NSA surveillance programs, but this
article on the costs and benefits of the US government prosecuting
Edward Snowden is worth reading.
or http://tinyurl.com/n77xwfs
Related is this article on whether Snowden can manage to avoid arrest.
Here's the ending:

Marc Rotenberg of EPIC explains why he is suing the NSA in the Supreme
or http://tinyurl.com/loy6uge
And "USA Today" has a back and forth on the topic.
or http://tinyurl.com/ljl6n7f
or http://tinyurl.com/k7dmv9a

This is a succinct explanation of how the secrecy of the FISA court
undermines trust.

In an effort to lock the barn door after the horse has escaped, the NSA
is implementing two-man control for sysadmins.
or http://tinyurl.com/kd3hmgl
This kind of thing has happened before. After USN Chief Warrant Officer
John Walker sold encryption keys to the Soviets, the Navy implemented
two-man control for key material. It's an effective, if expensive,
security measure -- and an easy one for the NSA to implement while it
figures out what it really has to do to secure information from IT insiders.

The story of people who poach and collect rare eggs, and the people who
hunt them down.
or http://tinyurl.com/oz582j4
Securing wildlife against poachers is a difficult problem, especially
when the defenders are poor countries with not a lot of resources.

We're starting to see Internet companies talk about the mechanics of how
the US government spies on their users. Here, a Utah ISP owner
describes his experiences with NSA eavesdropping:
or http://tinyurl.com/laxrkhh
Declan McCullagh explains how the NSA coerces companies to cooperate
with its surveillance efforts. Basically, they want to avoid what
happened with the Utah ISP.
or http://tinyurl.com/jw7f4ob
And Brewster Kahle of the Internet Archive explains how he successfully
fought a National Security Letter.
or http://tinyurl.com/ntd3ffe

Secret information is more trusted:
or http://tinyurl.com/kfgzqf2
Original paper abstract:

NSA cracked the Kryptos Sculpture (parts one, two, and three) years
before the CIA did.
or http://tinyurl.com/p6fwhyg
The fourth part is still uncracked.

The Obama Administration has a comprehensive "insider threat" program to
detect leakers from within government. This is pre-Snowden. Not
surprisingly, the combination of profiling and "see something, say
something" is unlikely to work.
or http://tinyurl.com/lgfcb4h
or http://tinyurl.com/lavjba2
or http://tinyurl.com/m6mebbz

This is a really clever social engineering attack against a bank-card
or http://tinyurl.com/ljh2fxu

Research on why some neighborhoods feel safer.
or http://tinyurl.com/lk2b3cb
or http://tinyurl.com/kzql6rz
I've written about the feeling and reality of security, and how they're
That's also the subject of this TEDx talk.
Yes, it's security theater: things that make a neighborhood *feel* safer
rather than actually safer. But when the neighborhood is actually safer
than people think it is, this sort of security theater has value.
Two related links:
or http://tinyurl.com/n8zlhdc
or http://tinyurl.com/lr3p3ru

This is what happens when you're a security writer and you piss off the
wrong people: they conspire to have heroin mailed to you, and then to
tip off the police. And that's after they've called in a fake hostage
or http://tinyurl.com/od9pm92

The UK has banned researchers from revealing details of security
vulnerabilities in car locks. In 2008, Philips brought a similar suit
against researchers who broke the Mifare chip. That time, they lost.
This time, Volkswagen sued and won.
or http://tinyurl.com/l2bmceu
or http://tinyurl.com/pdcs94d
or http://tinyurl.com/kalru5n
This is bad news for security researchers. (Remember back in 2001 when
security researcher Ed Felten sued the RIAA in the US to be able to
publish his research results?) We're not going to improve security
unless we're allowed to publish our results. And we can't start
suppressing scientific results, just because a big corporation doesn't
like what it does to their reputation.

Richard Bejtlich and Thomas Rid (author of the excellent book "Cyber War
Will Not Take Place") debate the cyberwar threat on "The Economist" website.

There was a story about how searching for a pressure cooker and
backpacks got one family investigated by the police. It was initially
reported as NSA eavesdropping, but it wasn't. And as more of the facts
came out, it seemed pretty reasonable overall.

The "Guardian" discusses a new secret NSA program: XKeyscore. It's the
desktop system that allows NSA agents to spy on anyone over the Internet
in real time. It searches existing NSA databases -- presumably
including PRISM -- and can create fingerprints to search for all future
data collections from systems like TRAFFIC THIEF. This seems to be what
Edward Snowden meant when he said that he had the ability to spy on any
American, in real time, from his desk.
or http://tinyurl.com/kxn4ca3

There's speculation that the FBI is responsible for an exploit that
compromised the Tor anonymity service. Note that Tor Browser Bundles
installed or updated after June 26 are secure.
or http://tinyurl.com/pa82o2y
or http://tinyurl.com/lq7be6j

The further Kip Hawley has gotten from running the TSA, the more sense
he has started to make. This is pretty good.

Twitter just rolled out a pretty nice two-factor authentication system
using your smart phone as the second factor.

Latest movie-plot threat: explosive-dipped clothing. It's being
reported, although there's no indication of where this rumor is coming
from or what it's based on. I can see the trailer now. "In a world
where your very clothes might explode at any moment, Bruce Willis is,
Bruce Willis in a Michael Bay film: BLOW UP! Co-starring Lindsay
Lohan..." I guess there's nothing to be done but to force everyone to
fly naked.
or http://tinyurl.com/lx2oup2

Lots of sports stadiums have instituted draconian new rules. Here are
the rules for St. Louis Rams games.
or http://tinyurl.com/ldnxv2e
Of course, you're supposed to think this is about terrorism. My guess
is that this is to help protect the security of the profits at the
concession stands.

General Keith Alexander thinks he can improve security by automating
sysadmin duties such that 90% of them can be fired. Does anyone know a
sysadmin anywhere who believes it's possible to automate 90% of his job?
Or who thinks any such automation will actually improve security? He's
stuck. Computerized systems require trusted people to administer them.
And any agency with all that computing power is going to need thousands
of sysadmins. Some of them are going to be whistleblowers.
Leaking secret information is the civil disobedience of our age.
Alexander has to get used to it.
or http://tinyurl.com/jwbcgom

The 2013 Cryptologic History Symposium, sponsored by the NSA, will be
held at Johns Hopkins University this October.
or http://tinyurl.com/3elcr75

Rangzen looks like a really interesting ad hoc mesh networking system to
circumvent government-imposed communications blackouts. I am
particularly interested in how it uses reputation to determine who can
be trusted, while maintaining some level of anonymity.
This is exactly the sort of thing I was thinking about in this essay.

This essay is filled with historical MI5 stories -- often bizarre,
sometimes amusing.

** *** ***** ******* *********** *************

Book Review: "Rise of the Warrior Cop"

"Rise of the Warrior Cop: The Militarization of America's Police
Forces," by Radley Balko, PublicAffairs, 2013, 400 pages.

War as a rhetorical concept is firmly embedded in American culture. Over
the past several decades, federal and local law enforcement has been
enlisted in a war on crime, a war on drugs and a war on terror. These
wars are more than just metaphors designed to rally public support and
secure budget appropriations. They change the way we think about what
the police do. Wars mean shooting first and asking questions later. Wars
require military tactics and weaponry. Wars mean civilian casualties.

Over the decades, the war metaphor has resulted in drastic changes in
the way the police operate. At both federal and state levels, the
formerly hard line between police and military has blurred. Police are
increasingly using military weaponry, employing military tactics and
framing their mission using military terminology. Right now, there is a
Third Amendment case -- that's the one about quartering soldiers in
private homes without consent -- making its way through the courts. It
involves someone who refused to allow the police to occupy his home in
order to gain a "tactical advantage" against the house next-door. The
police returned later, broke down his door, forced him to the floor and
then arrested him for obstructing an officer. They also shot his dog
with pepperball rounds. It's hard to argue with the premise of this
case; police officers are acting so much like soldiers that it can be
hard to tell the difference.

In "Rise of the Warrior Cop," Radley Balko chronicles the steady
militarization of the police in the U.S. A detailed history of a
dangerous trend, Mr. Balko's book tracks police militarization over the
past 50 years, a period that not coincidentally corresponds with the
rise of SWAT teams. First established in response to the armed riots of
the late 1960s, they were originally exclusive to big cities and
deployed only against heavily armed and dangerous criminals. Today SWAT
teams are nothing special. They've multiplied like mushrooms. Every city
has a SWAT team; 80% of towns between 25,000 and 50,000 people do as
well. These teams are busy; in 2005 there were between 50,000 and 60,000
SWAT raids in the U.S. The tactics are pretty much what you would expect
-- breaking down doors, rushing in with military weaponry, tear gas --
but the targets aren't. SWAT teams are routinely deployed against
illegal poker games, businesses suspected of employing illegal
immigrants and barbershops with unlicensed hair stylists.

In Prince George's County, MD, alone, SWAT teams were deployed about
once a day in 2009, overwhelmingly to serve search or arrest warrants,
and half of those warrants were for "misdemeanors and nonserious
felonies." Much of Mr. Balko's data is approximate, because police
departments don't publish data, and they uniformly oppose any attempts
at transparency or oversight. But he has good Maryland data from 2009
on, because after the mayor of Berwyn Heights was mistakenly attacked
and terrorized in his home by a SWAT team in 2008, the state passed a
law requiring police to report quarterly on their use of SWAT teams: how
many times, for what purposes and whether any shots were fired during
the raids.

Besides documenting policy decisions at the federal and state levels,
the author examines the influence of military contractors who have
looked to expand into new markets. And he tells some pretty horrific
stories of SWAT raids gone wrong. A lot of dogs get shot in the book.
Most interesting are the changing attitudes of police. As the stories
progress from the 1960s to the 2000s, we see police shift from being
uncomfortable with military weapons and tactics -- and deploying them
only as the very last resort in the most extreme circumstances -- to
accepting and even embracing their routine use.

This development coincides with the rhetorical use of the word "war." To
the police, civilians are citizens to protect. To the military, we are a
population to be subdued. Wars can temporarily override the
Constitution. When the Justice Department walks into Congress with
requests for money and new laws to fight a war, it is going to get a
different response than if it came in with a story about fighting crime.
Maybe the most chilling quotation in the book is from William French
Smith, President Reagan's first attorney general: "The Justice
Department is not a domestic agency. It is the internal arm of national
defense." Today we see that attitude in the war on terror. Because it's
a war, we can arrest and imprison Americans indefinitely without
charges. We can eavesdrop on the communications of all Americans without
probable cause. We can assassinate American citizens without due
process. We can have secret courts issuing secret rulings about secret
laws. The militarization of the police is just one aspect of an
increasing militarization of government.

Mr. Balko saves his prescriptions for reform until the last chapter. Two
of his fixes, transparency and accountability, are good remedies for all
governmental overreach. Specific to police departments, he also
recommends halting mission creep, changing police culture and embracing
community policing. These are far easier said than done. His final fix
is ending the war on drugs, the source of much police violence. To this
I would add ending the war on terror, another rhetorical war that costs
us hundreds of billions of dollars, gives law enforcement powers
directly prohibited by the Constitution and leaves us no safer.

This essay originally appeared in the "Wall Street Journal."
http://online.wsj.com/article/SB10001424127887324354704578638020270704646.html?mod=djemITP_h
or http://tinyurl.com/mw6o2lt

or http://tinyurl.com/awu4r6u

Related essay.
or http://tinyurl.com/k3aod6s

** *** ***** ******* *********** *************

Schneier News

My blog has made the "Time" magazine "25 Best Bloggers 2013 Edition" list.
or http://tinyurl.com/pf688td

Good review of the strengths and weaknesses of "Cryptography
Engineering" and "Applied Cryptography." Best -- at least to me -- is
the list of things missing, which we'll have to address if we do another
http://sockpuppet.org/blog/2013/07/22/applied-practical-cryptography/ or

Mikko Hypponen and I answered questions about PRISM on the TED website.
or http://tinyurl.com/no2rbpx

** *** ***** ******* *********** *************

Michael Hayden on the Effects of Snowden's Whistleblowing

Former NSA director Michael Hayden lists three effects of the Snowden

* "...the undeniable operational effect of informing adversaries of
American intelligence's tactics, techniques and procedures."

* "...the undeniable economic punishment that will be inflicted on
American businesses for simply complying with American law."

* "...the erosion of confidence in the ability of the United States to
do *anything* discreetly or keep *anything* secret."

It's an interesting list, and one that you'd expect from a NSA person.
Actually, the whole essay is about what you'd expect from a former NSA

My reactions:

* This, I agree, is actual damage. From what I can tell, Snowden has
done his best to minimize it. And both the Guardian and the Washington
Post refused to publish materials he provided, out of concern for US
national security. Hayden believes that both the Chinese and the
Russians have Snowden's entire trove of documents, but I'm less
convinced. Everyone is acting under the assumption that the NSA has
compromised everything, which is probably a good assumption.

* Hayden has it backwards -- this is good. I hope that companies that
have cooperated with the NSA are penalized in the market. If we are to
expect the market to solve any of this, we need the cost of cooperating
to be greater than the cost of fighting. If we as consumers punish
companies that have complied with the NSA, they'll be less likely to
roll over next time.

* In the long run, this might turn out to be a good thing, too. In the
Internet age, secrecy is a lot harder to maintain. The countries that
figure this out first will be the countries that do well in the coming

And, of course, Hayden lists his "costs" without discussing the
benefits. Exposing secret government overreach, a secret agency gone
rogue, and a secret court that's failing in its duties are enormously
beneficial. Snowden has blown a whistle that long needed blowing --
it's the only way we can ever hope to fix this. And Hayden completely
ignores the very real question as to whether these enormous NSA
data-collection programs provide any real benefits.

I'm also tired of this argument: "But it takes a special kind of
arrogance for this young man to believe that his moral judgment on the
dilemma suddenly trumps that of two (incredibly different) presidents,
both houses of the U.S. Congress, both political parties, the U.S. court
system and more than 30,000 of his co-workers."

It's like President Obama claiming that the NSA programs are
"transparent" because they were cleared by a secret court that only ever
sees one side of the argument, or that Congress has provided oversight
because a few legislators were allowed to know some of what was going on
but forbidden from talking to *anyone* about it.

or http://tinyurl.com/ko6bpus

The NSA has gone rogue:

NSA surveillance cost/benefits:
or http://tinyurl.com/klmv6df

Obama's comments on NSA transparency:
or http://tinyurl.com/l2slx9f

** *** ***** ******* *********** *************

Counterterrorism Mission Creep

One of the assurances I keep hearing about the U.S. government's spying
on American citizens is that it's only used in cases of terrorism.
Terrorism is, of course, an extraordinary crime, and its horrific nature
is supposed to justify permitting all sorts of excesses to prevent it.
But there's a problem with this line of reasoning: mission creep. The
definitions of "terrorism" and "weapon of mass destruction" are
broadening, and these extraordinary powers are being used, and will
continue to be used, for crimes other than terrorism.

Back in 2002, the Patriot Act greatly broadened the definition of
terrorism to include all sorts of "normal" violent acts as well as
non-violent protests. The term "terrorist" is surprisingly broad; since
the terrorist attacks of 9/11, it has been applied to people you
wouldn't normally consider terrorists.

The most egregious example of this are the three anti-nuclear pacifists,
including an 82-year-old nun, who cut through a chain-link fence at the
Oak Ridge nuclear-weapons-production facility in 2012. While they were
originally arrested on a misdemeanor trespassing charge, the government
kept increasing their charges as the facility's security lapses became
more embarrassing. Now the protestors have been convicted of violent
crimes of terrorism -- and remain in jail.

Meanwhile, a Tennessee government official claimed that complaining
about water quality could be considered an act of terrorism. To the
government's credit, he was subsequently demoted for those remarks.

The notion of making a terrorist threat is older than the current spate
of anti-terrorism craziness. It basically means threatening people in
order to terrorize them, and can include things like pointing a fake gun
at someone, threatening to set off a bomb, and so on. A Texas
high-school student recently spent five months in jail for writing the
following on Facebook: "I think I'ma shoot up a kindergarten. And watch
the blood of the innocent rain down. And eat the beating heart of one of
them." Last year, two Irish tourists were denied entry at the Los
Angeles Airport because of some misunderstood tweets.

Another term that's expanded in meaning is "weapon of mass destruction."
The law is surprisingly broad, and includes anything that explodes,
leading political scientist and terrorism-fear skeptic John Mueller to

As I understand it, not only is a grenade a weapon of mass
destruction, but so is a maliciously-designed child's rocket
even if it doesn't have a warhead. On the other hand, although
a missile-propelled firecracker would be considered a weapon of
mass destruction if its designers had wanted to think of it as
a weapon, it would not be so considered if it had previously
been designed for use as a weapon and then redesigned for
pyrotechnic use or if it was surplus and had been sold, loaned,
or given to you (under certain circumstances) by the secretary
of the army ....

All artillery, and virtually every muzzle-loading military long
arm for that matter, legally qualifies as a WMD. It does make
the bombardment of Ft. Sumter all the more sinister. To say
nothing of the revelation that The Star Spangled Banner is in
fact an account of a WMD attack on American shores.

After the Boston Marathon bombings, one commentator described our use of
the term this way: "What the United States means by terrorist violence
is, in large part, 'public violence some weirdo had the gall to carry
out using a weapon other than a gun.' ... Mass murderers who strike with
guns (and who don't happen to be Muslim) are typically read as
psychopaths disconnected from the larger political sphere." Sadly,
there's a lot of truth to that.

Even as the definition of terrorism broadens, we have to ask how far we
will extend that arbitrary line. Already, we're using these surveillance
systems in other areas. A raft of secret court rulings has recently
expanded the NSA's eavesdropping powers to include "people possibly
involved in nuclear proliferation, espionage and cyberattacks." A
"little-noticed provision" in a 2008 law expanded the definition of
"foreign intelligence" to include "weapons of mass destruction," which,
as we've just seen, is surprisingly broad.

A recent "Atlantic" essay asks, somewhat facetiously, "If PRISM is so
good, why stop with terrorism?" The author's point was to discuss the
value of the Fourth Amendment, even if it makes the police less
efficient. But it's actually a very good question. Once the NSA's
ubiquitous surveillance of all Americans is complete -- once it has the
ability to collect and process all of our emails, phone calls, text
messages, Facebook posts, location data, physical mail, financial
transactions, and who knows what else -- why limit its use to cases of
terrorism? I can easily imagine a public groundswell of support to use
it to help solve some other heinous crime, like a kidnapping. Or maybe a
child-pornography case. From there, it's an easy step to enlist NSA
surveillance in the continuing war on drugs; that's certainly important
enough to warrant regular access to the NSA's databases. Or maybe to
identify illegal immigrants. After all, we've already invested in this
system, we might as well get as much out of it as we possibly can. Then
it's a short jump to the trivial examples suggested in the "Atlantic"
essay: speeding and illegal downloading. This "slippery slope" argument
is largely speculative, but we've already started down that incline.

Criminal defendants are starting to demand access to the NSA data that
they believe will exonerate them. How can a moral government
refuse this request?

More humorously, the NSA might have created the best backup system ever.

Technology changes slowly, but political intentions can change very
quickly. In 2000, I wrote in my book "Secrets and Lies" about police
surveillance technologies: "Once the technology is in place, there will
always be the temptation to use it. And it is poor civic hygiene to
install technologies that could someday facilitate a police state."
Today we're installing technologies of ubiquitous surveillance, and the
temptation to use them will be overwhelming.

This essay originally appeared in TheAtlantic.com.
or http://tinyurl.com/l2ddac9

The definition of terrorism has broadened:
or http://tinyurl.com/y9x5tst

The anti-nuclear pacifists:

Tennessee official story:
or http://tinyurl.com/ktlhyhn
or http://tinyurl.com/kfybaup

Texas high-school student story:
or http://tinyurl.com/kd7773n

Irish tourist story:

"Weapon of mass destruction" story:

Mueller comment:

Quote about what a terrorist is:
http://www.salon.com/2013/04/28/is_dzohkhar_tsarnaev_a_suspected_murderer_or_terrorist_partner/
or http://tinyurl.com/cbet4mj

Secret court rulings on NSA power:
or http://tinyurl.com/k2q8ttu

Atlantic article:
or http://tinyurl.com/kyfnyvl

Other agencies are already asking to use the NSA data: "Agencies
working to curb drug trafficking, cyberattacks, money laundering,
counterfeiting and even copyright infringement complain that their
attempts to exploit the security agency’s vast resources have often been
turned down because their own investigations are not considered a high
enough priority, current and former government officials say."
or http://tinyurl.com/oenejmk

The Drug Enforcement Agency is already using this data, and lying about it:
or http://tinyurl.com/kbsc4k9

Defendants demanding NSA data:
or http://tinyurl.com/mgvowwj

NSA as a backup system:
or http://tinyurl.com/laa5axo

Ubiquitous surveillance:

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address on
the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are
also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an
internationally renowned security technologist, called a "security guru"
by The Economist. He is the author of 12 books -- including "Liars and
Outliers: Enabling the Trust Society Needs to Survive" -- as well as
hundreds of articles, essays, and academic papers. His influential
newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by
over 250,000 people. He has testified before Congress, is a frequent
guest on television and radio, has served on several government
committees, and is regularly quoted in the press. Schneier is a fellow
at the Berkman Center for Internet and Society at Harvard Law School, a
program fellow at the New America Foundation's Open Technology
Institute, a board member of the Electronic Frontier Foundation, an
Advisory Board Member of the Electronic Privacy Information Center, and
the Security Futurologist for BT -- formerly British Telecom. See

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.

Copyright (c) 2013 by Bruce Schneier.

20th August 2013, 16:02
Hi all, just found this in my home Inbox.
Thought I'd post it here.
This story is almost too awful to believe -- and it's taken a turn for the worse. First teenager Justin Carter was jailed for making a bad joke on Facebook. And now he's on SUICIDE WATCH.

Let's try to make things better, and be sure that Justin knows that thousands of us stand with him.

According to his dad, while Justin was playing a video game "[S]omeone had said something to the effect of 'Oh you're insane, you're crazy, you're messed up in the head. To which [Justin] replied 'Oh yeah, I'm real messed up in the head, I'm going to go shoot up a school full of kids and eat their still, beating hearts,’ and the next two lines were 'lol and jk' [all sic]."

Even though it was a clear joke -- underscored by the shorthand for "laugh out loud" and "just kidding" -- a woman who saw the post reported Justin to the police. Now he's in jail for making "terroristic threats" and faces $500,000 for bail and up to 8 years in prison!

And this weekend his dad told CNN: "He's very depressed, very scared, and ... concerned that he's not going to get out.... He's pretty much lost all hope."

Please sign our petition to Justin -- we'll deliver it to his family, and also to the people who are persecuting him.

PETITION TO JUSTIN CARTER: Justin, please know that thousands of people across the country are horrified by what you're going through, and will stand with you and try to make things right.
Click here to sign -- it just takes a second.

-- The folks at Watchdog.net

P.S. If the other links aren't working for you, please go here to sign: http://act.watchdog.net/petitions/3554?n=33252238.eiPi-6

20th August 2013, 16:05
It was on a thread before and it seems he is now out of jail, awaiting trial, someone paid the 500,000 (a benefactor) for his release.

This won't go further I bet, but the pressure has to go on.

I suggest however that you merge with the other thread on the topic.

20th August 2013, 16:11
Thx Flash, that's good news.

How do I merge this post to the other?
MOD needed plz

20th August 2013, 16:23

I clicked the triangle at the bottom left, near the "thanks" button for assistance.

Click here (http://projectavalon.net/forum4/showthread.php?62387-CRYPTO-GRAM-Bruce-Schneier-August-15-2013--NSA-coverage-opinion-&p=716287&viewfull=1#post716287) for the thread that Flash mentioned. Post #2

20th August 2013, 17:46
Threads Merged! Thanks for the note Paula!