The NSA and Snowden: Securing the All-Seeing Eye

practice

44 COMMUNICATIONS OF THE ACM | MAY 2014 | VOL. 57 | NO. 5

Illustration by Peter Crowther Associates

Edward Snowden, while a contractor for the U.S. National Security Agency (NSA) at Booz Allen Hamilton in Hawaii, copied up to 1.7 million top-secret and above documents, smuggling copies on a thumb drive out of the secure facility in which he worked and releasing many of those documents to the press.2 This has altered the relationship of the U.S. government with the American people, as well as with other countries. This article examines the computer-security aspects of how the NSA could have prevented this from happening, perhaps the most damaging breach of secrets in U.S. history.19 The accompanying sidebar looks at the Constitutional, legal, and moral issues.

According to Presidential Executive Order 13526, "Top Secret shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security."24 There are levels of access beyond top secret, such as SCI (sensitive compartmented information), SAP (special access programs), and CNWDI (critical nuclear weapon design information).9 The British equivalent to top secret is most secret.

What Did Snowden Do?

Snowden was a computer system administrator. Guarding against rogue system administrators (a.k.a. sys admins) is more difficult than guarding against users, but it can be done. Note that the NSA has an almost infinite budget and resources, and thus could have been following good security practices all along. In the words of White House cybersecurity adviser Richard Clarke, "If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked."20

National Public Radio's All Things Considered last December 17 stated the stolen documents were on Microsoft's SharePoint document-management system. Of the 1.7 million documents likely copied, Snowden shared up to 200,000 documents with reporters; the NSA did not dispute this.2,19 Rick Ledgett, head of the NSA's task force assessing the damage done by Snowden, claimed system administrators "have passwords that give them the ability to go around those security measures, and that's what Snowden did."19

That the NSA's Ledgett claims to be unaware of the past 30 years of computer-security techniques and technology for preventing a system administrator from stealing data is puzzling.10,15,29 This is discussed later in the section "Orange Book and Two-Person Authorization." The NSA no longer uses SharePoint for this purpose, which raises the question: why did the NSA abandon Orange Book compliance and other good security practices for computer systems that handle classified data?

The NSA and Snowden: Securing the All-Seeing Eye
How good security at the NSA could have stopped him.
BY BOB TOXEN
DOI: 10.1145/2594502 (http://dx.doi.org/10.1145/2594502)
Article development led by queue.acm.org


In an interview with CBS's 60 Minutes on December 15, 2013, General Keith B. Alexander, director of the NSA, admitted that part of Snowden's job was to transfer large amounts of classified data between NSA computer systems.19 Snowden then copied files to a USB memory stick and concealed it on his person to smuggle vast amounts of data out of the NSA.11,26 A simple one-minute scan on the way out by a handheld metal detector (wanding, as used by the Transportation Security Administration (TSA) and at courthouses) would have found a typical USB flash drive.

Rings of Security

Let's digress briefly to discuss the important concept of rings of security, my term for the industry-standard but less obvious term "defense in depth." This means having multiple concentric rings of security so that if attackers get through the first or outermost ring they encounter, then, hopefully, the second or third or fourth ring will stop them; no one security measure is 100% effective. These rings mostly are about authentication and are unrelated to what a user is allowed to do once authenticated. Consider how rings of security might apply to an ordinary network; this ordinary level of security is insufficient where very high security is needed, such as at the NSA, banks, and systems handling large numbers of Social Security or credit-card numbers, among others.

Suppose we want to have a network in which sys admins are able to SSH (Secure Shell) into a server from home. In the first ring the firewall might allow SSH access only from a short list of IP addresses of the sys admins' home systems. Thus, instead of being able to attack from any of a billion systems on the Internet, someone would have to launch her attack from one of, perhaps, a dozen system administrators' home networks, a vastly reduced vulnerability profile. Modern TCP/IP implementations randomize initial sequence numbers, so blindly spoofing the source address of an SSH connection from elsewhere on the Internet is impractical; combined with SSH's end-to-end encryption and host-key verification, person-in-the-middle attacks are virtually eliminated.

The second ring might allow SSH authentication only via public/private keys on these home Linux or Unix systems. Prohibiting SSH from accepting passwords removes the risk of a guessed password granting access. The third ring would monitor log files for attacks and block those IPs, preferably automatically. The fourth ring would be a strong passphrase on that SSH private key. A fifth ring could require sys admins' home systems (and, of course, all systems at the office) to lock the screen after a few minutes of inactivity.
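The first two rings can be checked mechanically rather than by eye. The Go program below is an added example, not code from the article: AllowedSource models the ring-1 firewall decision against an assumed allowlist of sys-admin home networks (CIDR strings with documentation addresses), and AuditSSHD reads an sshd_config fragment and reports every directive that would still let a password in, which is the ring-2 condition. Both configurations are constructed samples; unset directives are read with OpenSSH's defaults, and directives inside a Match block are skipped because they are conditional.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed sshd_config samples: a loose one and the ring-2 hardened one.
const WeakSSHD = `
# passwords and direct root login allowed
PermitRootLogin yes
PasswordAuthentication yes
`

const HardenedSSHD = `
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
AllowUsers alice bob
`

// parseSSHD follows sshd's own rules: keywords are case-insensitive, the
// first value set for a keyword wins, and directives after a Match block
// are conditional, so parsing stops there.
func parseSSHD(cfg string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(strings.Replace(line, "=", " ", 1))
		if len(fields) < 2 {
			continue
		}
		key := strings.ToLower(fields[0])
		if key == "match" {
			break
		}
		if _, seen := out[key]; !seen {
			out[key] = strings.ToLower(strings.Join(fields[1:], " "))
		}
	}
	return out
}

// AuditSSHD returns one finding per missing ring-2 control. Unset
// directives take OpenSSH's defaults (passwords and keyboard-interactive
// on, public keys on, root allowed with a key only).
func AuditSSHD(cfg string) []string {
	d := parseSSHD(cfg)
	get := func(key, def string) string {
		if v, ok := d[key]; ok {
			return v
		}
		return def
	}
	var findings []string
	if get("passwordauthentication", "yes") != "no" {
		findings = append(findings, "PasswordAuthentication is not 'no': password guessing is possible")
	}
	if get("kbdinteractiveauthentication", "yes") != "no" &&
		get("challengeresponseauthentication", "yes") != "no" {
		findings = append(findings, "keyboard-interactive auth is on: PAM can still accept a password")
	}
	if get("pubkeyauthentication", "yes") != "yes" {
		findings = append(findings, "PubkeyAuthentication is off: keys cannot be used at all")
	}
	if get("permitrootlogin", "prohibit-password") == "yes" {
		findings = append(findings, "PermitRootLogin yes: root reachable directly with a password")
	}
	if _, ok := d["allowusers"]; !ok {
		if _, ok := d["allowgroups"]; !ok {
			findings = append(findings, "no AllowUsers/AllowGroups: every local account may attempt a login")
		}
	}
	return findings
}

// AllowedSource is ring 1: the firewall admits SSH only from the listed
// sys-admin home networks (CIDR strings; the addresses are made up).
func AllowedSource(allow []string, src string) bool {
	ip := net.ParseIP(src)
	if ip == nil {
		return false
	}
	for _, c := range allow {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	for _, cfg := range []struct{ name, text string }{{"weak", WeakSSHD}, {"hardened", HardenedSSHD}} {
		fmt.Printf("%s: %d finding(s)\n", cfg.name, len(AuditSSHD(cfg.text)))
		for _, f := range AuditSSHD(cfg.text) {
			fmt.Println("  -", f)
		}
	}
	homes := []string{"203.0.113.0/29", "198.51.100.16/28"}
	fmt.Println("203.0.113.5 allowed:", AllowedSource(homes, "203.0.113.5"))
	fmt.Println("192.0.2.9 allowed:", AllowedSource(homes, "192.0.2.9"))
}
```

The weak sample produces four findings and the hardened one none. The keyboard-interactive check is the one most audits miss: with PasswordAuthentication off but KbdInteractiveAuthentication left at its default, PAM can still prompt for and accept a password, so ring 2 is not closed until both are off (or AuthenticationMethods is pinned to publickey, as in the hardened sample).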

Stopping Snowden

There are a number of security methods the NSA could have used that would have stopped Snowden. Many of these have been in use for a decade or more, yet the NSA did not use them.

Islands of Security. The obvious place to start in this case is with preventing sys admins or others from getting into unauthorized systems. The islands-of-security concept is a safeguard in case someone manages to penetrate the network. In a high-security organization, different segments, even different systems, should be treated as islands of security that do not trust each other or the network in the vast ocean of systems. This means different systems should have different root passwords, different user passwords, different SSH passphrases, and almost all traffic between systems should be encrypted. Systems should have encrypted file systems and encrypted backups.

Physical Security. Each island of security should be physically protected against attack. This certainly would include the systems and peripherals and the network carrying any unencrypted confidential data. Even large commercial colocation facilities have steel cages around some systems and video cameras watching these areas. The payment card industry (PCI) security standard requires such protection for large credit-card processors. High-security operations should install video cameras and keep the recordings for a long time. One simple safeguard is to put two high-security locks on each cage, each lock needing a different key possessed by a different person. Thus, two people must be present when the hardware is accessed. Similarly, networking cables could be secured (for example, inside steel pipe), or the data encrypted before sending it around the LAN or WAN. There is no indication that Snowden took advantage of any lack of physical security, although it is critical for protection.

Prevent Unauthorized Copying. The ability to plug in a USB memory stick or insert a blank DVD for writing should be disabled. Most DVD burners and USB jacks should be removed as well. Cameras, recorders, mobile phones, and any other unauthorized storage devices should be forbidden and guarded against. Metal detectors at doors would detect violators. Radio frequency (RF) emissions should be monitored, and Faraday cages could be incorporated to block RF emissions. None of these techniques is expensive.

Two-Factor Authentication. Even Snowden's top-secret clearance was not sufficient to allow him access to some of the documents he stole. The NSA admitted that Snowden used the higher-than-top-secret clearances of the user accounts of some top NSA officials. This was possible because he had created these accounts or used his sys admin privileges to modify the accounts to access even more highly classified documents remotely using NSAnet, the NSA's classified intranet.13

Snowden's access to accounts with higher security clearance than his violated the long-accepted security policy that the system should prevent anyone from accessing data with a higher clearance than the user's. It would have been a trivial matter for the computer to prevent this and instead require the services of a system administrator with that higher clearance level to adjust those accounts as needed.

This also violated the concept of two-factor authentication. Authentication is the ability of a computer (or security guard or even a store clerk) to determine if you really are who you claim to be. Typically, an authentication method consists of what you know (password or PIN), what you have (credit card or RFID-equipped badge issued to employees and consultants, or USB dongle), or what you are (your signature or fingerprint or retina scan, or your picture on a hard-to-forge document such as a driver's license, employee badge, or passport). Each of these is called a factor. None of these methods is expensive, and all are effective. While fingerprints can be faked with some effort, this is more difficult with modern high-quality fingerprint readers, which are available commercially.

Many organizations use the very popular two-factor authentication to grant access to computers or facilities or money, requiring, for example, that one does not get access without providing a password or an RFID-equipped badge and a fingerprint. Three-factor authentication would be even better.

Had the NSA required good two-factor authentication, such as a fingerprint and password compared against central databases to which Snowden did not have administrative access, it would have prevented him from impersonating others to use their accounts, which is how he obtained documents above his security clearance. Collecting these factors for the databases would be done by two different sets of people, neither being the set that manages classified documents as Snowden did. This separation of authority is critical for good security as it requires multiple people to effect a compromise. Even if the person managing users' passwords went rogue, she would not have access to the fingerprint database. The password manager could be prevented from seeing the user entering his password by having the user enter a separate inner room via a one-person mantrap to which the person managing password changes does not have access. That room would have a virtual keyboard on a physically hardened touchscreen, making rogue use of a keystroke logger difficult. Lack of space here does not allow discussion of deeper exploits such as spoofing fingerprints, guarding against keyloggers, TEMPEST (the NSA's own set of security standards for radio frequency leakage of information), social engineering, and more.

Social engineering is where an attacker tricks someone into revealing information that he should not reveal. Email messages falsely claiming to be from your bank asking you to click on a link and provide your password, or offering to share stolen money with you, are examples. Snowden used social engineering to obtain the password of at least one NSA employee, who subsequently resigned; social engineering has been addressed extensively in other papers and books. Good recurrent education and a strict policy forbidding sharing one's passwords, badge, or dongle under any circumstance might have prevented this part of Snowden's breach.

Orange Book and Two-Person Authorization. Someone is less likely to do something dishonest if someone else is watching. This is why many stores have at least two people working and why armored car services use two people. It also is why you see "Two signatures required for amounts over $5,000" at the bottom of some checks.

The NSA created the Orange Book specification for Trusted Computer System Evaluation Criteria 30 years ago, requiring the federal government and contractors to use it for computers handling data with multiple levels of security classification. This author enhanced one Orange Book-compliant Unix system to have additional security capabilities. Such a computer would prevent, say, a user with only secret clearance from viewing a top-secret document. One also could create different compartments in which to keep separate sets of documents. Only someone allowed access to a particular named compartment could access documents in that compartment, even if that person otherwise has sufficient security clearance.

This high-security clearance is known as compartmentalized security (a.k.a. need to know). An important aspect of protecting a body of secrets is that very few people should have access to more than a small portion of them. A person working with one critical compartment should be barred from accessing other critical compartments. Those that know many of the secrets, such as General Alexander, get constant Secret Service protection.

One compartment might be spying on Americans' phone records without a valid warrant. Another might be listening to Americans' domestic phone conversations and reading email without a valid warrant.3,12,17,22 A third might be hacking the phones of leaders of allied countries. As Snowden should not have been involved in any of those projects and thus should lack sufficient clearance, he would not have been able to access those programs' documents or even know that they existed. In reality, however, the NSA allowed one person, Snowden, unfettered, unmonitored access to 1.7 million documents.

Also important is the Orange Book concept of not trusting any one system administrator. Instead, a role-1 sys admin queues system changes, such as new accounts or changes to existing accounts. A second person, in role 2, cannot initiate such requests but must approve the queued requests before they can take effect. An Orange Book OS also prevents use of a login simulator by providing a trusted path: the genuine login prompt is reached through a secure attention key and is marked by a symbol that no other program can display. Snowden may have used a login simulator.

How expensive might this two-person authorization have been? In 2013, the NSA had approximately 40,000 employees and perhaps 40,000 contractors, including 1,000 system admins.8,25 Adding another 1,000 system administrators to watch the first set would have increased the payroll by a trivial 1%. Given this, is the NSA going to adopt two-person authorization and the Orange Book policy that it created? No, the NSA is going to fire 90% of its system administrators to limit human access and put most of the servers in the NSA's own cloud.1 A cloud is just another name for a set of computers remotely accessible over a network and typically managed by others, usually a vendor (a.k.a., contractor). Maybe it will hire Booz Allen, Snowden's former employer, to manage this cloud.

Log Events and Monitor. The NSA should monitor how many documents one accesses and at what rate, and then detect and limit this. It is astonishing, both with the NSA's breach and similar huge thefts of data such as Target's late-2013 loss of data for 40 million credit cards (including mine), that nobody noticed and did anything. Decent real-time monitoring and automated response to events would have detected both events early on and could have prevented most of each breach.

The open source Logcheck and Logwatch programs will generate alerts of abnormal events in near real time, and the Fail2Ban program will lock out the attacker. All are free and easily can be customized to detect excessive quantities of downloads of documents. There are many comparable commercial applications, and the NSA certainly has the budget to create its own.

No Internet Access or Homework Whatsoever. Obviously, this policy is to prevent classified data from leaving a secure building. For after-hours problems, a sys admin either must drive to the office or be on-site at all times. One former CIA director nearly was fired for taking classified data home to work on, violating a strict policy against it. (He was not stealing the data; he just wanted to work at home.) Snowden took classified material home and worked on it with a hood covering him and the computer so that his girlfriend could not see it.19 Clearly, then, he could have photographed the screen.

Prevent Removable Media from Leaving the Building. Recall the rings of security. One ring would prevent removable media from leaving the building. Every gas-station owner has figured this out, attaching a large object to each restroom key. The NSA could put each thumb drive inside a large steel box, or it could replace the standard USB connectors and those of the computers with custom-designed connectors that are difficult to duplicate.

Creatively Use Encryption. Consider that one of Snowden's jobs was copying large amounts of classified data from one computer to a thumb drive and then connecting that thumb drive to another computer and downloading the data. He likely secreted the thumb drive on his person after downloading the data he wanted and took it home. This theft could have been prevented rather easily with the use of public-key encryption.33 In public-key encryption there are two related keys: a public key and a secret key, also called a private key. If the original clear text is encrypted with the public key, then it can be decrypted only with the secret key, not with the public key used to encrypt the data.

The NSA should have had a public/secret-key pair created for each sys admin needing to transfer data and a separate account on each computer for each sys admin to transfer this data. The person generating this encrypted data on the source computer (for example, Snowden) would have to provide the ID of the public key of a different sys admin, say, Julia, to the custom program allowed to write to the USB thumb drive; software would not allow his own public key to be used. The set of sys admins allowed to do transfers of data would have no members in common with the set of sys admins on the source and destination computers with root access. In other words, a Data Transfer System Administrator such as Snowden would not have root or physical access to computers, and sys admins having root or physical access would be prohibited from transferring data between systems. This separation of responsibilities is critical. Only that custom program, not sys admins, would be allowed to write to the thumb drive. That computer would encrypt the data with Julia's public key and write that encrypted data to the thumb drive.

Snowden then would download the encrypted data to the destination computer via the thumb drive using a custom program on the destination computer (with that program having sole access to the USB drive) after he had logged into his account. That program would prompt Snowden for the account to which to transfer that encrypted data (for example, Julia's), and then move the encrypted file to her account. Julia would log in to the destination computer and provide the passphrase that unlocks her encrypted secret key and her fingerprint or RFID-equipped badge to that custom program, which then would decrypt that data into Julia's account. After that, she could move the data to the final location on the destination computer. The encryption itself is trivial to implement; what takes care is making the custom program the only path to the device, which is why the restrictions on root access that follow matter as much as the cryptography.

Needless to say, the sys admins tasked with this data transfer would not have the root (administrative) access to these computers that would allow getting around this custom program's restrictions, and these computers would be running modern versions of Orange Book-compliant operating systems that would require two system administrators for privileged access in any case. Furthermore, Snowden would not have Julia's fingerprint or passphrase or, if used, her badge for authentication. The open source GNU Privacy Guard (GPG) stores private keys on disk or elsewhere in an encrypted form that can be decrypted only by providing a passphrase or other authentication.15

Thus, no sys admin acting alone could decrypt data that he or she encrypted to a thumb drive. This would have prevented Snowden's theft by thumb drive. These custom programs (which would run on the source and destination computers) could be written in a day or two using the open source GPG encryption program by a substantial percentage of those reading this article. Thus, even if a USB drive was smuggled out of a secure NSA facility, it would have no value.

Similarly, there could be an additional ring of file-level encryption for highly classified files with separate public/secret key pairs. Only those users entitled to read these documents (and not even sys admins tasked with copying files) would have the secret keys to decrypt them. Those using the destination system (after legitimate copying by Snowden and Julia) would be able to decrypt the files. The system administrator, however, never would have seen the decrypted documents even by reading the raw disk. By itself, this simple precaution would have prevented the wholesale theft of many documents by Snowden. Combined with the use of public-key encryption for transferring data between systems, Snowden would have had to defeat two extremely challenging rings of security to steal data. Using encrypted file systems or whole-disk encryption on all computers handling classified data would offer an additional ring of security. (Note that whole-disk encryption protects data at rest against someone who removes the disk; it does not, by itself, stop a logged-in administr<br>ator, which is why the per-document keys above matter.)
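The custom transfer program and the file-level ring above both come down to one operation: encrypt to a recipient's public key, with the program refusing the sender's own key. Here is that operation in Go, as an added example rather than the article's code or GPG's. It uses the Go standard library in place of GPG (RSA-OAEP wrapping a fresh AES-256-GCM data key); the key directory, the admin names, the OAEP label and the policy error values are assumptions of the example. For the USB case the recipient is the second transfer admin (Julia); for the file-level ring the recipient is a user entitled to read the document. What the program cannot do by itself is keep other paths to the device or to the plaintext closed; that is the root-access and device-permission discipline the text describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyDirectory stands in for the key server the transfer program consults.
// It holds public keys only; private keys stay with their owners.
type KeyDirectory map[string]*rsa.PublicKey

var (
	ErrOwnKey           = errors.New("policy: data may not be encrypted to the sender's own key")
	ErrUnknownRecipient = errors.New("recipient has no public key on file")
)

const oaepLabel = "classified-transfer" // assumed label; binds the wrapped key to this use

// NewKey generates one admin's or reader's key pair (2048-bit RSA for the example).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the source-side step: a fresh AES-256-GCM key encrypts the data,
// RSA-OAEP wraps that key for the recipient, and the recipient's name is
// bound as associated data so the blob cannot be relabelled for someone else.
// Layout: [2-byte wrapped-key length][wrapped key][12-byte nonce][ciphertext+tag].
func Seal(sender, recipient string, dir KeyDirectory, plaintext []byte) ([]byte, error) {
	if sender == recipient {
		return nil, ErrOwnKey
	}
	pub, ok := dir[recipient]
	if !ok {
		return nil, ErrUnknownRecipient
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(oaepLabel))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(gcm.Seal(nil, nonce, plaintext, []byte(recipient)))
	return out.Bytes(), nil
}

// Open is the destination-side step only the named recipient can perform;
// any other private key, including the carrier's, fails at the unwrap.
func Open(recipient string, priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("truncated blob")
	}
	n := int(binary.BigEndian.Uint16(blob[:2]))
	if len(blob) < 2+n+12 {
		return nil, errors.New("truncated blob")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[2:2+n], []byte(oaepLabel))
	if err != nil {
		return nil, fmt.Errorf("not the recipient's key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	rest := blob[2+n:]
	return gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], []byte(recipient))
}

func main() {
	snowden, _ := NewKey()
	julia, _ := NewKey()
	dir := KeyDirectory{"snowden": &snowden.PublicKey, "julia": &julia.PublicKey}
	_, err := Seal("snowden", "snowden", dir, []byte("x"))
	fmt.Println("own key:", err)
	blob, _ := Seal("snowden", "julia", dir, []byte("constructed classified report body"))
	_, err = Open("julia", snowden, blob)
	fmt.Println("carrier's key:", err)
	pt, _ := Open("julia", julia, blob)
	fmt.Println("recipient reads:", string(pt))
}
```

The recipient name as GCM associated data is the detail worth copying: without it, the transfer admin could present Julia's blob to the destination program as if it were addressed to some other account he controls. With GPG in place of this code, the same effect comes from encrypting with --recipient and having the program verify the key ID in the packet header against the account it is asked to deliver to.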

Plan for Break-in to Minimize Damage. The NSA's Ledgett acknowledges, "We also learned for the first time that part of the damage assessment considered the possibility that Snowden could have left a bug or virus behind on the NSA's system[s], like a time bomb."19 The agency should have planned for a possible break-in to minimize the harm and quickly and reliably assess the damage. For example, it could be prepared to compare a system's current state with a trusted backup taken before the break-in. This comparison could be run on a different and trusted system.29 The use of islands of security and not putting all of its eggs in one basket would have minimized the damage greatly. It could have been running a file-system integrity checker all along to detect tampering with files.
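A file-system integrity checker of the kind the paragraph describes, as an added example and not the article's code or any product's: Snapshot hashes every regular file under a root into a manifest, and Diff compares a manifest taken before the break-in with one taken after, reporting modified, added and removed paths. The directory tree and file contents in main are constructed. The caveat the text already gives is the important one: run the comparison from a separate trusted system against a mounted copy of the disk, since a kernel-level implant on the compromised host can feed this checker clean bytes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a slash-separated path relative to the root to the hex
// SHA-256 of that file's contents.
type Manifest map[string]string

// Snapshot hashes every regular file under root. Taken before a break-in
// and kept off-box, it is the trusted baseline the text calls for.
func Snapshot(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil // directories, symlinks and devices are not hashed here
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return m, err
}

// Report lists what changed between the baseline and the current state.
type Report struct {
	Modified, Added, Removed []string
}

func (r Report) Clean() bool { return len(r.Modified)+len(r.Added)+len(r.Removed) == 0 }

// Diff compares the current manifest against the trusted baseline.
func Diff(baseline, current Manifest) Report {
	var r Report
	for p, h := range baseline {
		switch cur, ok := current[p]; {
		case !ok:
			r.Removed = append(r.Removed, p)
		case cur != h:
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range current {
		if _, ok := baseline[p]; !ok {
			r.Added = append(r.Added, p)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Added)
	sort.Strings(r.Removed)
	return r
}

func mustSnapshot(root string) Manifest {
	m, err := Snapshot(root)
	if err != nil {
		panic(err)
	}
	return m
}

func main() {
	root, err := os.MkdirTemp("", "integrity")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	write := func(name, body string) { // constructed tree
		p := filepath.Join(root, name)
		os.MkdirAll(filepath.Dir(p), 0o700)
		os.WriteFile(p, []byte(body), 0o600)
	}
	write("bin/ls", "ls v1")
	write("etc/passwd", "root:x:0:0")
	baseline := mustSnapshot(root)
	write("bin/ls", "ls v1 + implant")      // modified
	write("tmp/.timebomb", "sleep; rm -rf") // added
	os.Remove(filepath.Join(root, "etc/passwd"))
	r := Diff(baseline, mustSnapshot(root))
	fmt.Printf("clean=%v modified=%v added=%v removed=%v\n", r.Clean(), r.Modified, r.Added, r.Removed)
}
```

Snapshot deliberately hashes contents only; a production checker also records ownership, mode and the inode and mtime so that a permission change or a replaced setuid binary with identical size shows up, and it signs the manifest so the baseline itself cannot be quietly regenerated by the intruder.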

Periodic Security Audits. Security is an ongoing process. An outside security audit performed quarterly or annually would have found the NSA's problems and, perhaps, fixed them in time to stop Snowden. Such an audit is quite common and considered good practice. This is similar to the outside financial audit of large companies required by... the U.S. government. The report should be reviewed by the highest levels of management to avoid lower levels simply ignoring inconvenient findings.

    Summary

    The NSA seemingly had become lax

    in utilizing even the most important,simple, and cheap good computer-se-

    curity practices with predictable con-

    An outside securityaudit performed

    quarterly orannually wouldhave found theNSAs problemsand, perhaps,fixed them in timeto stop Snowden.

  • 8/12/2019 The NSA and Snowden: Securing the All-Seeing Eye

    7/8

    practice

    50 COMMUNICATIONS OF THE ACM | MAY 2014 | VOL. 57 | NO. 5

    Anothe r crit ical aspect of the NSAsspying on all Americans is theconstitutionality and morality, whichis what Snowden was trying to draw

    attention toand succeeded in abig way. The Constitutions FourthAmendment s ays t his:

    The right of the people to besecure in their persons, houses,papers, and effects, againstunreasonable searches and seizures,shall not be violated, and no warrantsshall issue, but upon probable cause,supported by oath or affirmation, andparticularly describing the place to besearched, and the persons or thingsto be seized.

    Why did th e framers of theConstitution care, and whyshould we care? In short, because

    when e nforced by honest andcompetent judges, the FourthAmendment preven ts se rious abuseby government officials againstinnocent people, including intrusioninto their private matters. In colonialAmeri ca, B ritain s King Georgeempowered officials to conductmass searches of houses, persons,their effects, and so on without awarrant or probable cause, despit ethe English Courts Samans Case of1603, which recognized the right ofthe homeowner to defend his houseagainst unlawful entry even by thekings agents in the absence of a

    specific warrant based on probablecause.6,31This is the meaningbehind Every mans house is hiscastle. (One of the most powerfulexpressions of that maxim came fromWilli am Pitt spe aking to Parliamentin 1763, The poorest man may in hiscottage bid defiance to all the forceof the crown. It may be frail... but theKing of England cannot enterall hisforce dares not cross the threshold ofthe ruined tenement.)

    It was confirmed again in Englandin 1705 in Entick v. Carr ington . TheEnglish court decided that a generalwarrant that cause d the raiding ofmany homesincluding Enticks,which the k ings men broke into a ndwhose locked desks and boxes werebroken into as well, with the seizureof many documents unrelated towhat w as be ing se arched for wasagainst English law. The court heldthe warrant used against Entick wastoo general, not based on probablecause, and allowed the seizing ofunrelated material; and, further, norecord was made of what was seized.Take note the court case was initiatedby Entick suing the crown.16,31Isnot ones computer and phone themodern equivalent of a locked desk?

    Electronics certainly qualify aspersonal belongings, which is howthe Oxford English Dictionarydefineseffects. Ones effects are protected by

    the Fourth Amendment.On December 28, 2013, U.S. Judge

    Willi am H. Pauley III held that anAmeri can may not file sui t againstthe NSA for spying on Americans.Specifically, he dismissed a lawsuitby the American Civil Liberties Union(ACLU), saying, The ACLU wouldnever have learned about the section215 order authorizing collectionof telephone metadata related toits telephone numbers but for theunauthorized disclosures of EdwardSnowden.7,34Section 215 of thePatriot Act requires that this spyingon Americans be kept secret forever.

    Pauleys ruling says anAmeri can may not challenge theconstitutionality of a governmentaction because the American foundout about it only through the illegalaction of another. That ruling soundsmore like the former Soviet Union tothe author. It also is contrary to morethan 200 years of U.S. Constitutionallaw precedent, which holds a person,regardless of citizenship, always isentitled to all Constitutional rightsand always may challenge a violation.The only government defense is thatno violation took place.

    A 1969 U.S. court ruling found

    the [Fourth] Amendment was inlarge part a reaction to the generalwarran ts an d warrantless searchesthat had so alienated the colonistsand had helped speed the movementfor independence [e.g., the AmericanRevolution]. In the scheme ofthe Amendment, therefore, therequirement that no Warrants shallissue, but upon probable cause playsa crucial part.4,31More similar U.S.court rulings can be found with littleeffort. In short, a reasonable searchwithout a w arrant requires probabl ecause, meaning a good reason tobelieve that someone possessessomething illegal or evidence of acrime.

    According to the judici al branchof the U.S. government, Whethera particular type of search isconsidered reasonable in the eyesof the law is determined by balancingtwo important interests. On oneside of the scale is the intrusion onan individuals Fourth Amendmentrights. On the other side of the scaleare legitimate government interests,such as public safety.30Yet, theparameters of the Fourth Amendmentdo not cease in the realm of searchingelectronic devices.18

    President Obamas ownindependent Privacy and CivilLiberties Oversight Board (PCLOB)says the NSAs phone-spying

    program is illegal and should end,The Washington Postrevealed.We have not identified a singleinstance involving a threat to theUnited States in which the telephonerecords program made a concretedifference in the outcome of acounterterrorism investigation,the 238-page report says.

    PCLOBs report also says theNSA phone data program cannotbe grounded in section 215 of ThePatriot Act, which requires thatrecords sought by the government[e.g., phone numbers] be relevantto an authorized investigation.28

    Seizing all phone records of all Americans "just in case" clearly is not reasonable by any possible interpretation of the Constitution.

    On December 16, 2013, U.S. Federal Judge Richard J. Leon ruled that bulk collection of telephone metadata of American telephone companies likely violates the U.S. Constitution. The judge wrote, "I cannot imagine a more indiscriminate and arbitrary invasion than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying and analyzing it without prior judicial approval... Surely, such a program infringes on that degree of privacy that the founders enshrined in the Fourth Amendment." Leon said the government "does not cite a single instance in which... the NSA's bulk metadata collection actually stopped an imminent attack, or otherwise aided the government..."[21]

    Recently my friend Josh asked me about the NSA's spying on Americans, adding, "Well, if it helps to catch terrorists, I don't mind them spying on me." I pointed out that in sworn testimony before Congress, General Keith B. Alexander, director of the NSA, admitted that not a single American life has been saved from the NSA's deliberate spying on 300 million Americans. I asked him what he thought about some NSA analyst listening in on a romantic conversation with his wife. He did not seem so happy about it now.

    Josh has a young daughter, so I asked, "What if in a few years as a 16-year-old, your daughter phones you saying, 'Daddy, I'm at a friend's. Could you come get me? I've been drinking and I'm not safe to drive. I'm really sorry.'" How would Josh

    Constitutionality


    sequences, even though it has virtually unlimited resources and access, if it wants it, to the best computer-security experts in the country.

    Most of the good security practices covered here were discussed in the author's Real World Linux Security, first published in 2000.[29] The most important of these security practices also were discussed in this author's article, "The Seven Deadly Sins of Linux Security," published in the May/June 2007 issue of ACM Queue.

    I am honored there are autographed copies of my book in the NSA's headquarters. The vast majority of NSA employees and contractors are eminently talented, law-abiding, dedicated patriots. It is unfortunate that a tiny percentage no doubt ignored warnings that these security problems desperately needed fixing to avoid a serious breach.

    Related articles
    on queue.acm.org

    Communications Surveillance: Privacy and Security at Risk
    Whitfield Diffie and Susan Landau
    http://queue.acm.org/detail.cfm?id=1613130

    More Encryption Is Not the Solution
    Poul-Henning Kamp
    http://queue.acm.org/detail.cfm?id=2508864

    Four Billion Little Brothers?: Privacy, mobile phones, and ubiquitous data collection
    Katie Shilton
    http://queue.acm.org/detail.cfm?id=1597790

    References

    1. Allen, J. NSA to cut system administrators by 90 percent to limit data access. Reuters, Aug. 9, 2013; http://www.reuters.com/article/2013/08/09/us-usa-security-nsa-leaks-idUSBRE97801020130809.
    2. Block, M. Snowden's document leaks shocked the NSA, and more may be on the way. National Public Radio, Dec. 17, 2013; http://www.npr.org/templates/story/story.php?storyId=252006951.
    3. Brosnahan, J. and West, T. Brief of Amicus Curiae Mark Klein. May 4, 2006; https://www.eff.org/files/filenode/att/kleinamicus.pdf.
    4. Chimel v. California, 395 U.S. 752, 761 (1969).
    5. Cohn, C. and Higgins, P. Rating Obama's NSA reform plan: EFF scorecard explained. Electronic Frontier Foundation, Jan. 17, 2014; https://www.eff.org/deeplinks/2014/01/rating-obamas-nsa-reform-plan-eff-scorecard-explained.
    6. Coke's Reports 91a, 77 Eng. Rep. 194 (K.B. 1604).
    7. Davidson, A. Judge Pauley to the N.S.A.: Go Big. The New Yorker, Dec. 28, 2013; http://www.newyorker.com/online/blogs/closeread/2013/12/judge-pauley-to-the-nsa-go-big.html.
    8. Davidson, J. NSA to cut 90 percent of systems administrators. Washington Post, Aug. 13, 2013; http://www.washingtonpost.com/blogs/federal-eye/wp/2013/08/13/nsa-to-cut-90-percent-of-systems-administrators/.
    9. Defense Logistics Agency. Critical nuclear weapon design information access certificate; http://www.dla.mil/dss/forms/fillables/DL1710.pdf.
    10. Department of Defense Trusted Computer System Evaluation Criteria, a.k.a. Orange Book, 1985; http://csrc.nist.gov/publications/history/dod85.pdf.
    11. Dilanian, K. Officials: Edward Snowden took NSA secrets on thumb drive. Los Angeles Times, June 13, 2013; http://articles.latimes.com/2013/jun/13/news/la-pn-snowden-nsa-secrets-thumb-drive-20130613.
    12. Electronic Frontier Foundation (eff.org). NSA spying video, includes comments from many well-known respected people and reminders of past violations; http://www.youtube.com/watch?v=aGmiw_rrNxk.
    13. Esposito, R. Snowden impersonated NSA officials, sources say. NBC News, Aug. 28, 2013; http://investigations.nbcnews.com/_news/2013/08/28/20234171-snowden-impersonated-nsa-officials-sources-say?lite.
    14. Everett, B. and Min Kim, S. Lawmakers praise, pan President Obama's NSA plan. Politico, Jan. 17, 2014; http://www.politico.com/story/2014/01/rand-paul-response-nsa-speech-102319.html.
    15. GNU Privacy Guard; http://www.gnupg.org.
    16. Howell's State Trials 1029, 95 Eng. 807 (1705).
    17. Klein, M. and Bamford, J. Wiring Up the Big Brother Machine...and Fighting It. Booksurge Publishing, 2009.
    18. Legal Information Institute, Cornell University Law School. Fourth Amendment: an overview; http://www.law.cornell.edu/wex/fourth_amendment.
    19. Miller, J. CBS News 60 Minutes, Dec. 15, 2013; http://www.cbsnews.com/news/nsa-speaks-out-on-snowden-spying/.
    20. Lemos, R. Security guru: Let's secure the Net. ZDNet, 2002; http://www.zdnet.com/news/security-guru-lets-secure-the-net/120859.
    21. Mears, B. and Perez, E. Judge: NSA domestic phone data-mining unconstitutional. CNN, Dec. 17, 2013; http://www.cnn.com/2013/12/16/justice/nsa-surveillance-court-ruling/.
    22. Nakashima, E. A story of surveillance. Washington Post, Nov. 7, 2007; http://www.washingtonpost.com/wp-dyn/content/article/2007/11/07/AR2007110700006.html.
    23. Napolitano, A.P. A presidential placebo: Obama's massive NSA spying program still alive and well. Fox News, Jan. 23, 2014; http://www.foxnews.com/opinion/2014/01/23/presidential-placebo-obama-massive-nsa-spying-program-still-alive-and-well/.
    24. Presidential Executive Order 13526, Dec. 29, 2009; http://www.whitehouse.gov/the-press-office/executive-order-classified-national-security-information.
    25. Rosenbach, M. Prism exposed: Data surveillance with global implications. Spiegel Online International, June 10, 2013: 2; http://www.spiegel.de/international/world/prism-leak-inside-the-controversial-us-data-surveillance-program-a-904761.html.
    26. Schwartz, M. Thumb drive security: Snowden 1, NSA 0. InformationWeek, June 14, 2013; http://www.informationweek.com/infrastructure/storage/thumb-drive-security-snowden-1-nsa-0/d/d-id/1110380.
    27. Shiffman, J. and Cooke, K. Exclusive: U.S. directs agents to cover up program used to investigate Americans. Reuters, Aug. 5, 2013; http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805.
    28. Smith, C. BGR, Jan. 23, 2014; http://news.yahoo.com/watchdog-says-nsa-phone-spying-program-illegal-end-130014396.html.
    29. Toxen, B. Real-World Linux Security: Intrusion Detection, Prevention, and Recovery, 2nd Edition. Prentice Hall, 2002.
    30. U.S. Courts. What does the Fourth Amendment mean?; http://www.uscourts.gov/educational-resources/get-involved/constitution-activities/fourth-amendment/fourth-amendment-mean.aspx.
    31. U.S. Government Printing Office. Fourth Amendment; http://beta.congress.gov/content/conan/pdf/GPO-CONAN-2013-10-5.pdf.
    32. Washington Post. Transcript of President Obama's Jan. 17 speech on NSA reforms, 2014; http://www.washingtonpost.com/politics/full-text-of-president-obamas-jan-17-speech-on-nsa-reforms/2014/01/17/fa33590a-7f8c-11e3-9556-4a4bf7bcbd84_story.html.
    33. Wikipedia. Public-key cryptography; http://en.wikipedia.org/wiki/Public-key_cryptography.
    34. Wikipedia. Edward Snowden; http://en.wikipedia.org/wiki/Edward_Snowden#NSA_rulings_in_federal_court.

    Bob Toxen ([email protected]) is chief technical officer at Horizon Network Security, which specializes in Linux and network security. He was one of the developers of Berkeley Unix.

    Copyright held by Owner/Author. Publication rights licensed to ACM. $15.00

    like it if the NSA listened to that conversation and provided the local police with his daughter's location using the phone's GPS and a transcript of that private phone conversation, and the police then arrested his daughter for underage drinking? Josh got real unhappy at this point. Are you trying to keep your sexual orientation or interests private? How about your religious beliefs or even whom you voted for in the Presidential election? What about that stock tip or patent idea? Is it the government's business to know whom you are telephoning?

    Yes, the NSA really is listening to your domestic phone calls and reading your email in addition to obtaining your private information on the people you telephone.[3,12,17,22]

    Reuters reported on August 5, 2013, that the Drug Enforcement Administration (DEA) admitted to covering up the use of information illegally obtained from the NSA and falsifying the source of evidence. This included information obtained by the NSA from intelligence intercepts, wiretaps, informants, and a massive database of telephone records, all without benefit of a proper warrant or probable cause. The DEA then gave this information to authorities across the nation to help them launch criminal investigations of Americans.[27] Clearly this is exactly what the Fourth Amendment was intended to prevent. Is it the government's place to be doing this?

    Judge Andrew P. Napolitano, the youngest person ever to serve on the New Jersey Superior Court, called President Obama's promised NSA reforms, announced January 17, 2014, "a presidential placebo."[23,32]

    The Electronic Frontier Foundation (EFF) rated the President's reforms 3.5 out of 12.[5] (The EFF is a nonprofit organization dedicated to fighting for people's rights in the electronic world and is, perhaps, the most active organization to fight in the courts and elsewhere against the NSA's spying on Americans.) Sen. Rand Paul (R-KY) argued that Obama's suggested changes will amount to "the same unconstitutional program with a new configuration."[14] Many of these actions by the NSA were started under the second Bush Administration following 9/11. Is the NSA's spying on all Americans an unconstitutional and illegal violation of the Constitution's Fourth Amendment? Given the 400 years of history we have examined, this author can see only one conclusion.