The Schneier Briefing: Some Observations

6 Congresspersons and a security researcher walk into an unsecure room. … And that’s the best briefing they can get on some of the things NSA might be doing.

This morning I spent an hour in a closed room with six Members of Congress: Rep. Logfren, Rep. Sensenbrenner, Rep. [Bobby] Scott, Rep. Goodlate, Rep [Mike] Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn’t forthcoming about their activities, and they wanted me — as someone with access to the Snowden documents — to explain to them what the NSA was doing. Of course I’m not going to give details on the meeting, except to say that it was candid and interesting. And that it’s extremely freaky that Congress has such a difficult time getting information out of the NSA that they have to ask me. I really want oversight to work better in this country.

I’m as intrigued by the make-up of the group as I am by the fact they needed to do this.

Schneier makes it clear that Lofgren — who is not only a strong supporter of civil liberties, but also happens to represent Silicon Valley — set up the briefing. In addition to her House Judiciary Committee colleagues Sensenbrenner, Scott, and Goodlatte, she invited Amash (who’s not on the Committee but a loud defender of civil liberties — thanks, my Rep!), and N and E Bay Area Republican Democratic colleague Mike Thompson, who’s not a member of the Committee either, but is a member of the Intelligence Committee.

As I’ve noted, Goodlatte is not a named sponsor of USA Freedom; neither is Thompson (though Schneier describes them as all people who want to “rein in the NSA”).

And yet these are the individuals whom Lofgren chose to bring to this briefing.

Schneier, of course, is not focused on the actual spying that NSA is doing, but on the corruption of encryption, a threat to the business model of Lofgren’s district. [See Saul’s well-take correction here.]

Also note, while I’ve got real worries about some opponents to reining in the NSA in the Senate, I do think people are not considering the significance of the House Judiciary Chair, who voted against Amash-Conyers, increasingly complaining about the NSA.

I’m not sure what the best way to stop the NSA from making us all less safe (especially since NSA has apparently not even told HPSCI members what they’re doing). But I gather than Lofgren is trying to figure out a way to do so.

image_print
23 replies
  1. joanneleon says:

    That’s really interesting. You should contact Amash and offer to do a briefing as well, if he’s interested.

  2. Saul Tannenbaum says:

    i don’t think this:

    Schneier, of course, is not focused on the actual spying that NSA is doing, but on the corruption of encryption, a threat to the business model of Lofgren’s district.

    is fair to Schneier.

    He is, of course, a cryptologist, so has a special interest in encryption. But in his recent speeches and writings, he’s been very much focused on NSA spying (see https://www.schneier.com/blog/archives/2014/01/how_the_nsa_thr.html as a good summary of what he’s been saying). He’s not parsing the details like you are, but that’s mostly because he thinks that the dragnet surveillance has to stop no matter what the details turn out to be. Or, more precisely, he thinks that internet protocols need to be redesigned and internet services restructured so that the cost of effective dragnet surveillance makes it impossible to continue.

    He reminds people that the NSA “isn’t made of magic” and that it’s still governed by physics, math and economics. He sees no evidence that NSA has cracked encryption in general, so building encryption into internet protocols will require that the NSA take the more expensive steps of having to “exfiltrate” keys. He thinks that we need a thousand email providers, not just a handful, dispersing targets, again making dragnet collection economically impossible. He takes this as far as suggesting we redesign the phone networks so they are peer-to-peer, thus distributed with no one place that has all the metadata. He’s realistic that these are very long term goals, but he’s not just writing on his blog, he’s going to the internet engineering meetings to say the same things.

    He’s also using his blog to crowdsource analysis of the NSA “implants” that Der Spiegel revealed a few weeks ago. He’s putting up one a day, and, after you weed out the paranoia and posturing, the comments make for a fascinating read.

    Remember, he has a full set of the Snwoden documents though the Guardian, and he also has the technical reputation to change minds in things like the Internet Engineering Tasks Force, the body that governs internet protocols. I wouldn’t sell him short.

  3. Greg Bean (@GregLBean) says:

    @Saul Tannenbaum: “He takes this as far as suggesting we redesign the phone networks so they are peer-to-peer, thus distributed with no one place that has all the metadata.”

    Technically it should not be all that difficult to switch the internet from client-server with big hubs, as it is at current, to a peer-to-peer network and no hubs, or very few.

    I wonder why no one is talking about this?

  4. tryggth says:

    @Saul Tannenbaum: I was going to say something similar, but was going to coach it more as a question to try to understand if EW meant the implication.

    I haven’t read Scheier’s non-crypto tech books, but everything else I have read indicates he is on team ‘us’ and in a significant way.

  5. TarheelDem says:

    The first step to reining in the NSA (and other intelligence agencies) is to recognize that there is no baby in the dirty bathwater. There is no other way to do it but remove the authorizing legislation going back to 1945 and restore a constitutional basis to national security through totally new, clear legislation that allows the entire Congress once again to exercise oversight over a minimal set of secrets not subject to absolute state secrecy determinations. There must be a way to penetrate the bureaucratic shroud in order to determine culpability for misdeeds. Habeas corpus, probable cause, and other elements of the Bill of Rights must be restored as human rights, not the carefully circumscribed rights that accrue as privileges of American citizenship.

  6. jerryy says:

    While someone is considering ‘threats to business models in their district’, maybe they will also opine as to how that same NSA missed the recent Target hacks. Latest estimates are that there are over 100 million customers’ info that got taken (this may include Target’s Canadian customers as well, so it is not really almost 1/3 of the US’ population in danger of having their bank accounts and credit cards drained). Is that not a threat to national security?

  7. C says:

    @joanneleon: I agree. You are as prepped as Schnier on this, especially on the points where their public statements diverge from reality. A one-on-one briefing with the rep and staffers could do a world of good if only by giving him ammunition.

  8. Saul Tannenbaum says:

    @Greg Bean (@GregLBean): Bob Frankston has been pointing out for a few years now that we’re carrying radio equipped computers in our pockets and that the should be talking to each other, not all to central relaying points. (If you don’t know the name, he helped invent the spreadsheet: http://www.frankston.com/).

    The reason this gets no traction is that it isn’t in the economic interests of any incumbent vendor in the mobile phone value chain to disrupt things that way. Every once in awhile, somebody pops up talking about peer to peer networking (see this: http://oti.newamerica.net/commotion_wireless_0 for an example), but it never attains anything close to critical mass. Or, like MIT’s Roofnet, it ends up purchased by Cisco and turned into an “enterprise” product.

  9. Nell says:

    I am flat amazed that Goodlatte came to this briefing. He has been the most obedient of lapdogs for the many years he’s occupied his extremely safe seat.

  10. orionATL says:

    @jerryy:

    “is that not a threat to national security”.

    no,it is a threat to individual citizens like you and i, and our concerns and need for protection don’t count for shit.

    to the extent a concern for “cybersecurity” exists at nsa – and i believe that that term is just another term like “terrorists” to scare politicians about losing their seats of power if the don’t support nsa –

    it is some sort of concern for institutions that might be “vulnerable”.

    but gosh darn! nsa missed the bank break-ins and the oil company break-ins, and the target break-in.

    when are they going to actually do some cyber securitizing?

    answer: NEVER.

    some peremptory terrorist catching?

    never.

    some protection of our computer networks from viruses/trojans/worms/root kits/super-flash cookies?

    never.

    some identity theft and money theft?

    never.

    at its core, nsa is a doughnut hole.

    a hollow place.

    nsa is an organization that has been on a mind-bending intellectual and engineering effort that never had, and does not now have, any coherent focus

    except to provide those in the executive branch who are politically useful to with tidbits of gossip about foreign leaders, foreign drug lords, captured foreign terrorists, disruptive elements in society, political opponents, trade and business negotiations, and the occassional american muslim.

    all the rest is just playing with electronics, systems, and engineering to see what can be done.

  11. Greg Bean (@GregLBean) says:

    @Saul Tannenbaum: Interesting article on peer-to-peer. Thanks for the link.

    After my last post I got thinking about it and realized that Tor is peer-to-peer. The strength of its encryption is more often discussed but maybe the relay architecture is a stronger feature.

    For example, with enough users and enough Tor relays, even if the encryption was defeated, the structure makes it almost impossible to contain and surveil.

    Comm’s bandwidth exists and even laptops are capable of handling a reasonable load. Peer-to-peer is not that big a leap from where we are now.

  12. emptywheel says:

    @jerryy: That’s not actually their job, nor should we want it to be (that would make them a domestic law enforcement agency).

    While their responsibility for the security of DOD’s networks has been extended, with all sorts of problematic effect, to critical infrastructure (so we might ask why Comcast were hacked, if it were), Target’s purchase computers are not critical infrastructure.

  13. Bay State Librul says:

    Help

    Bmaz/Emptywheel

    The Jersey cats are lawyering up.
    We need a post on whodunit in Christie Land

  14. Snarki, child of Loki says:

    “I’m not sure what the best way to stop the NSA from making us all less safe”

    Nuke them from orbit, it’s the only way to be sure.

    (and, interestingly, this is ONE CASE where that old chestnut is on target)

  15. jerryy says:

    @emptywheel: There is some discussion that the ones who pulled this off are situated overseas, it was not just a few improperly secured back room servers that got whacked.

    Additionally, Target is part of that big banking commercial network where the data flows around the world… the how-tos of this attack are far more involved than taking out, oh say, a network of centrifuges or an electrical grid.

  16. orionATL says:

    @jerryy:

    and those are my concerns.

    we’ve heard for years about bulgarian virus makers and russian internet theft “consortiums”.

    is “national security” an abstraction without any concrete reference?

    does it refer only to “critical” institutions?

    as a not-so-humble citizen, why don’t i ever get to benefit from any of my gov’s security action.

  17. jerryy says:

    @orionATL: If we look at how the FBI used NSLs, then apparently national security is in the eye of the beholder.

    But like it or not, the commercial money flow is part of the critical infrastructure. Consider that for all of the damage Wall Street institutions have done, angry responses have been to throw executives in jail, break up the bigger ones, etc., but never to shut the system down, because the only offered alternative is to go back to bartering. No one wants to do that, not the surgeon repairing damaged lungs, not the house painter risking their life while perched on rickety ladders, nor the food server or librarian. As long as we have currency exchange in some form, as part of our society, it will be infrastructure just as much as roads and water supply.

Comments are closed.