The day after a Snowden leak revealed that the NSA builds fake versions of Facebook and uses them to seed malicious software in attacks intended to hijack “millions” of computers, Facebook CEO and founder Mark Zuckerberg telephoned President Obama to complain about the NSA’s undermining of the Internet’s integrity. As many have pointed out, it would have been nice to hear Zuckerberg taking the Internet’s side before his own stock portfolio was directly affected, but better late than never. Zuckerberg’s post on his conversation excoriates the US government for its Internet sabotage campaign, and calls on the USG to “be the champion for the internet, not a threat.” Curiously, Zuckerberg calls for “transparency” into the NSA’s attacks on the Internet, but stops short of calling for an end to government-sponsored attacks against the net. In the end, though, Zuckerberg calls on companies to do a better job of securing themselves and their users against intrusive spying. It’s not clear how that will work for Facebook, though: its business model is predicated on tricking, cajoling, and siphoning personal data out of its users and warehousing it forever in a neat package that governments are unlikely to ignore. I’m told that 90% of US divorce proceedings today include Facebook data; this is a microcosm of the wider reality when you make it your business to stockpile the evidentiary chain of every human being’s actions. The internet works because most people and companies do the same. We work together to create this secure environment and make our shared space even better for the world. This is why I’ve been so confused and frustrated by the repeated reports of the behavior of the US government. When our engineers work tirelessly to improve security, we imagine we’re protecting you against criminals, not our own government. The US government should be the champion for the internet, not a threat. They need to be much more transparent about what they’re doing, or otherwise people will believe the worst. I’ve called President Obama to express my frustration over the damage the government is creating for all of our future. Unfortunately, it seems like it will take a very long time for true full reform. So it’s up to us — all of us — to build the internet we want. Together, we can build a space that is greater and a more important part of the world than anything we have today, but is also safe and secure. I’m committed to seeing this happen, and you can count on Facebook to do our part. As the world becomes more complex and governments everywhere struggle, trust in the internet is more important today than ever. ( Image: Mark Zuckerberg Facebook SXSWi 2008 Keynote , a Creative Commons Attribution (2.0) image from deneyterrio’s photostream )
The CIA’s Inspector General has asked the Justice Department to consider criminally charging CIA agents who spied on a senate committee that was engaged in writing a report that was highly critical of the CIA’s use of torture. Senator Mark Udall, who sits on a CIA oversight committee and whose staff was spied on by the CIA alleges that the CIA surveilled overseeing senators and their staff with Obama’s knowledge and consent. In a recent hearing, Senator Ron Wyden asked the CIA director repeatedly whether the Computer Fraud and Abuse Act, America’s major anti-hacking statute, applied to the CIA, and whether the CIA spied domestically. CIA director John Brennan replied “yes” and “no,” respectively. If Udall’s allegations are correct, this means that Brennan lied to Congress (in the second instance) and committed a felony (in the first instance). The report that caused some CIA agents to spy on their bosses was about how the CIA was wasting time, getting nowhere and doing something illegal and cruel when it kidnapped terror suspects and tortured the shit out of them. McClatchy and the New York Times reported Wednesday that the CIA had secretly monitored computers used by committee staffers preparing the inquiry report, which is said to be scathing not only about the brutality and ineffectiveness of the agency’s interrogation techniques but deception by the CIA to Congress and policymakers about it. The CIA sharply disputes the committee’s findings. Udall, a Colorado Democrat and one of the CIA’s leading pursuers on the committee, appeared to reference that surreptitious spying on Congress, which Udall said undermined democratic principles. “As you are aware, the CIA has recently taken unprecedented action against the committee in relation to the internal CIA review and I find these actions to be incredibly troubling for the Committee’s oversight powers and for our democracy,” Udall wrote to Obama on Tuesday. Obama knew CIA secretly monitored intelligence committee, senator claims [Spencer Ackerman/The Guardian] 
According to a report in Der Spiegel , the NSA has cracked the protection on Android, iOS and Blackberry devices, and can access protected files, including contacts and location history. 
In an urgent, important blog post, computer scientist and security expert Ed Felten lays out the case against rules requiring manufacturers to put wiretapping backdoors in their communications tools. Since the early 1990s, manufacturers of telephone switching equipment have had to follow a US law called CALEA that says that phone switches have to have a deliberate back-door that cops can use to secretly listen in on phone calls without having to physically attach anything to them. This has already been a huge security problem — through much of the 1990s, AT&T’s CALEA controls went through a Solaris machine that was thoroughly compromised by hackers, meaning that criminals could listen in on any call; during the 2005/6 Olympic bid, spies used the CALEA backdoors on the Greek phone company’s switches to listen in on the highest levels of government. But now, thanks to the widespread adoption of cryptographically secured messaging services, law enforcement is finding that its CALEA backdoors are of declining utility — it doesn’t matter if you can intercept someone else’s phone calls or network traffic if the data you’re captured is unbreakably scrambled. In response, the FBI has floated the idea of “CALEA II”: a mandate to put wiretapping capabilities in computers, phones, and software. As Felten points out, this is a terrible idea. If your phone is designed to secretly record you or stream video, location data, and messages to an adverse party, and to stop you from discovering that it’s doing this, it puts you at huge risk when that facility is hijacked by criminals. It doesn’t matter if you trust the government not to abuse this power (though, for the record, I don’t — especially since anything mandated by the US government would also be present in devices used in China, Belarus and Iran) — deliberately weakening device security makes you vulnerable to everyone, including the worst criminals: Our report argues that mandating a virtual wiretap port in endpoint systems is harmful. The port makes it easier for attackers to capture the very same data that law enforcement wants. Intruders want to capture everything that happens on a compromised computer. They will be happy to see a built-in tool for capturing and extracting large amounts of audio, video, and text traffic. Better yet (for the intruder), the capability will be stealthy by design, making it difficult for the user to tell that anything is amiss. Beyond this, the mandate would make it harder for users to understand, monitor, and fix their own systems—which is bad for security. If a system’s design is too simple or its operation too transparent or too easy to monitor, then wiretaps will be evident. So a wiretappability mandate will push providers toward complex, obfuscated designs that are harder to secure and raise the total cost of building and operating the system. Finally, our report argues that it will not be possible to block non-compliant implementations. Many of today’s communication tools are open source, and there is no way to hide a capability within an open source code base, nor to prevent people from simply removing or disabling an undesired feature. Even closed source systems are routinely modified by users—as with jailbreaking of phones—and users will find ways to disable features they don’t want. Criminals will want to disable these features. Ordinary users will also want to disable them, to mitigate their security risks. Felten’s remarks summarize a report [PDF] signed by 20 distinguished computer scientists criticizing the FBI’s proposal. It’s an important read — maybe the most important thing you’ll read all month. If you can’t trust your devices, you face enormous danger. CALEA II: Risks of wiretap modifications to endpoints