There has been significant fallout about this week's revelations of the NSA being able to crack much of the cryptography that is used on the Internet between Govts. etc. I will point out again that Bamford announced the NSA had made a significant crypto breakthrough several years ago. In fact, in his Wired article he mentions many of the same things that Snowden is being vilified for.
I do not trust this guy at all. He lied to Congress and admitted he did. Instead of losing his job and being charged in court he has gotten a promotion. He is now in charge of Obama's look into the NSA.
September 10, 2013
In June of this year, President Obama directed me to declassify and make public as much information as possible about certain sensitive intelligence collection programs undertaken under the authority of the Foreign Intelligence Surveillance Act (FISA) while being mindful of the need to protect national security. Consistent with this directive, today I authorized the declassification and public release of a number of documents pertaining to the Government’s collection of bulk telephony metadata under Section 501 of the FISA, as amended by Section 215 of the USA PATRIOT Act. These documents were properly classified, and their declassification is not done lightly. I have determined, however, that the harm to national security in these circumstances is outweighed by the public interest.
Release of these documents reflects the Executive Branch’s continued commitment to making information about this intelligence collection program publicly available when appropriate and consistent with the national security of the United States. Some information has been redacted because these documents include discussion of matters that continue to be properly classified for national security reasons and the harm to national security would be great if disclosed. These documents will be made available at the website of the Office of the Director of National Intelligence (www.dni.gov), and on the recently established public website dedicated to fostering greater public visibility into the intelligence activities of the Government (IContheRecord.tumblr.com).
The documents released today were provided to Congress at the time of the events in question and include orders and opinions from the Foreign Intelligence Surveillance Court (FISC), filings with that court, an Inspector General Report, and internal NSA documents. They describe certain compliance incidents that were discovered by NSA, reported to the FISC and the Congress, and resolved four years ago. They demonstrate that the Government has undertaken extraordinary measures to identify and correct mistakes that have occurred in implementing the bulk telephony metadata collection program – and to put systems and processes in place that seek to prevent such mistakes from occurring in the first place.
More specifically, in response to the compliance incident identified in 2009, the Director of NSA instituted a number of remedial and corrective steps, including conducting a comprehensive “end-to-end” review of NSA’s handling of telephony metadata obtained under Section 501. This comprehensive review identified additional incidents where NSA was not complying with aspects of the FISC’s orders.
The compliance incidents discussed in these documents stemmed in large part from the complexity of the technology employed in connection with the bulk telephony metadata collection program, interaction of that technology with other NSA systems, and a lack of a shared understanding among various NSA components about how certain aspects of the complex architecture supporting the program functioned. These gaps in understanding led, in turn, to unintentional misrepresentations in the way the collection was described to the FISC. As discussed in the documents, there was no single cause of the incidents and, in fact, a number of successful oversight, management, and technology processes in place operated as designed and uncovered these matters.
Upon discovery of these incidents, which were promptly reported to the FISC, the Court, in 2009, issued an order requiring NSA to seek Court approval to query the telephony metadata on a case-by-case basis, except when necessary to protect against an imminent threat to human life. Thereafter, NSA completed its end-to-end review and took several steps to remedy these issues, including making technological fixes, improving training, and implementing new oversight procedures. These remedial steps were then reported to the Court, and in September 2009, the Court lifted the requirement for NSA to seek approval to query the telephony metadata on a case-by-case basis and has since continuously reauthorized this program. The Intelligence and Judiciary Committees were informed of the compliance incidents beginning in February 2009 and kept apprised of the Government’s corrective measures throughout the process, including being provided copies of the Court’s opinions, the Government’s report to the Court, and NSA’s end-to-end review.
Upon discovery of these issues in 2009, NSA also recognized that its compliance and oversight infrastructure had not kept pace with its operational momentum and the evolving and challenging technological environment in which it functioned. Therefore NSA, in close coordination with the Office of the Director of National Intelligence and the Department of Justice, also undertook significant steps to address these issues from a structural and managerial perspective, including thorough enhancements to its compliance structure that went beyond this specific program. For example, in 2009, NSA created the position of the Director of Compliance, whose sole function is to keep all of NSA’s mission activities consistent with the law and applicable policies and procedures designed to protect U.S. person privacy by strengthening NSA’s compliance program across NSA’s operational and technical personnel. NSA also added additional technology-based safeguards, implemented procedures to ensure accuracy and precision in FISC filings, and initiated regular detailed senior leadership reviews of the compliance program. NSA has also enhanced its oversight coordination with the Office of the Director of National Intelligence and the Department of Justice.
Since 2009, the Government has continued to increase its focus on compliance and oversight. Today, NSA’s compliance program is directly supported by over three hundred personnel, which is a fourfold increase in just four years. This increase was designed to address changes in technology and authorities and reflects a commitment on the part of the Intelligence Community and the rest of the Government to ensuring that intelligence activities are conducted responsibly and subject to the rule of law. NSA’s efforts have proven successful in its implementation of the telephony metadata collection program since the changes made in 2009. Although there have been a handful of compliance incidents each year, these were the result of human error or provider error in individual instances and were not the result of systemic misunderstandings or problems of the type discovered in 2009. Each of these individual incidents, upon identification, was immediately reported to the FISC and remedied.
Moreover, the FISC in September of 2009 relieved the Government of its requirement to seek Court approval to query the metadata on a case-by-case basis and has continued to reauthorize this program. Indeed, in July of this year the FISC once again approved the Government’s request for reauthorization.
The documents released today are a testament to the Government’s strong commitment to detecting, correcting, and reporting mistakes that occur in implementing technologically complex intelligence collection activities, and to continually improving its oversight and compliance processes. As demonstrated in these documents, once compliance incidents were discovered in the telephony metadata collection program, additional checks, balances, and safeguards were developed to help prevent future instances of non-compliance.
James R. Clapper, Director of National Intelligence
Thoughts on Crypto breakthrough by MIT
When a New York Times report appeared Thursday saying the National Security Agency had “circumvented or cracked much of the encryption” protecting online transactions, computer security professionals braced for news of breakthroughs undermining the fundamentals of their field.
However, cryptography experts tell MIT Technology Review that a close reading of last week’s report suggests the NSA has not broken the underlying mathematical operations that are used to cloak online banking or e-mail.
Instead, the agency appears to rely on a variety of attacks on the software used to deploy those cryptographic algorithms and the humans and organizations using that software. Those strategies, revealed in documents leaked by Edward Snowden, came as no surprise to computer security researchers, given that the NSA’s mission includes the pursuit of America’s most technologically capable enemies.
“The whole leak has been an exercise in ‘I told you so,’ ” says Stephen Weis, CEO of server encryption company PrivateCore. Weis previously worked on implementing cryptography at Google. “There doesn’t seem to be any kind of groundbreaking algorithmic breakthrough,” he says, “but they are able to go after implementations and the human aspects of these systems.”
Those tactics apparently include using legal tools or hacking to get the digital keys used to encrypt data; using brute computing power to break weak encryption; and forcing companies to help the agency get around security systems.
“If the crypto didn’t work, the NSA wouldn’t bother doing all of these other things,” says Jon Callas, a cryptographer who cofounded PGP Corporation and is now chief technology officer of secure messaging company Silent Circle (see “An App Keeps Spies Away from Your Phone”). “This is what you do because you can’t break the crypto.”
After seeing the documents behind last week’s reports, security expert Bruce Schneier wrote in the Guardian that people should still “trust the math” that underlies cryptography. In June, Snowden said in an online chat that “properly implemented strong crypto systems are one of the few things you can rely on.”
Cryptography systems and security software often improve through a cycle in which researchers publish details of flaws, which are then fixed. Looking at last week’s reports in that way doesn’t suggest the security community needs to rethink the fundamentals of its tools and strategies, says Callas. Rather, adoption of known security improvements should be accelerated, and scrutiny of known weak points increased, he says. “Things have always had to be tested continuously.”
Guardian article on revelations
A judge on the secret surveillance court was so disturbed by the National Security Agency’s repeated violations of privacy restrictions that he questioned the viability of its bulk collection of Americans’ phone records, according to newly declassified surveillance documents.
Judge Reggie Walton, now the presiding judge on the Foreign Intelligence Surveillance (Fisa) court, imposed a significant and previously undisclosed restriction on the NSA’s ability to access its bulk databases of phone records after finding that the agency repeatedly violated privacy protections.
The documents, mostly from 2009 and declassified Tuesday, describe what Walton said were “thousands” of American phone numbers improperly accessed by government counterterrorism analysts.
They also indicate that US government officials, including NSA director Keith Alexander, gave misleading statements to the court about how they carried out that surveillance.
Despite repeated public assurances of NSA competence, the agency told the Fisa court in 2009 that “from a technical standpoint, there was no single person who had a complete understanding” of its phone records “architecture”.
All that led to “daily violations” for more than two years of call records from Americans “not the subject of any FBI investigation and whose call detail information could not otherwise have been legally captured in bulk,” Walton wrote.
In 2009, Walton questioned whether the program could be allowed to continue, asking if “the value of the program to the nation’s security justifies the continued collection and retention of massive quantities of US person information”.
He considered the violations serious enough to order the authorities not to “access the data collected until such a time as the government is able to restore the court’s confidence that the government can and will comply with previously approved procedures for accessing such data.”
An internal government review launched in response to the order disclosed that in 2006, the NSA discovered one of its partner agencies – its name is redacted – improperly included credit card numbers in its databases.