A free monthly newsletter providing summaries, analyses, insights, and

commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/cryptogram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1410.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively and intelligent comment
section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Data and Goliath Is Finished
iPhone Encryption and the Return of the Crypto Wars
News
Fake Cell Phone Towers Across the US
FOXACID Operations Manual
Schneier News
NSA Has Undercover Operatives in Foreign Companies
DEA Creates Fake Facebook Page in Woman's Name
** *** ***** ******* *********** *************
Data and Goliath Is Finished

"Data and Goliath: The Hidden Battles to Collect Your Data and Control Your
World" is finished. I recently submitted it to my publisher, Norton. In a few weeks,
I'll get the copyedited manuscript back, and a few weeks after that, it'll go into
production. Stacks of printed books will come out the other end in February, and
the book will be published on March 9. There's already an Amazon page, but it's
still pretty preliminary. And I expect the price to go down.
Books are both a meandering and clarifying process for me, and I figure out what
I'm writing about as I write about it. Data and Goliath started out being about
security and power in cyberspace, and ended up being about digital surveillance
and what to do about it.
This is the table of contents:
Part 1: The World We're Creating
Chapter 1: Data as a By-Product of Computing
Chapter 2: Data as Surveillance
Chapter 3: Analyzing our Data
Chapter 4: The Business of Surveillance
Chapter 5: Government Surveillance and Control
Chapter 6: Consolidation of Institutional Surveillance Part 2: What's at Stake
Chapter 7: Political Liberty and Justice

Chapter 8: Commercial Fairness and Equality

Chapter 9: Business Competitiveness
Chapter 10: Privacy
Chapter 11: Security
Part 3: What to Do About It
Chapter 12: Principles
Chapter 13: Solutions for Government
Chapter 14: Solutions for Corporations
Chapter 15: Solutions for the Rest of Us
Chapter 16: Social Norms and the Big Data Trade-Of
Fundamentally, the issues surrounding mass surveillance are tensions between
group interest and self-interest, a topic I covered in depth in Liars and Outliers.
We're promised great benefits if we allow all of our data to be collected in one
place; at the same time, it can be incredibly personal. I see this tension playing
out in many areas:
location data, social graphs, medical data, search histories. Figuring out the
proper balances between group and self-interests, and ensuring that those
balances are maintained, is the fundamental issue of the information age. It's
how we are going to be judged by our descendants fifty years from now.
Anyway, the book is done and at the publisher. I'm happy with it; the manuscript
is so tight you can bounce a quarter of of it. This is a complicated topic, and I
think I distilled it down into 80,000 words that are both understandable by the
lay reader and interesting to the policy wonk or technical geek. It's also an
important topic, and I hope the book becomes a flash point for discussion and
debate.
But that's not for another five months. You might think that's a long time, but in
publishing that's incredibly fast. I convinced Norton to go with this schedule by
stressing that the book becomes less timely every second it's not published. (An
exaggeration, I know, but they bought
it.) Now I just hope that nothing major happens between now and then to render
the book obsolete.
For now, I want to get back to writing shorter pieces. Writing a book can be allconsuming, and I generally don't have time for anything else.
Look at my essays. Last year, I wrote 59 essays. This year so far: 17.
That's an efect of writing the book. Now that it's done, expect more essays on
news websites and longer posts on this blog. It'll be good to be thinking about
something else for a change.
If anyone works for a publication, and wants to write a review, conduct an
interview, publish an excerpt, or otherwise help me get the word out about the
book, please e-mail me and I will pass you on to Norton's publicity department. I
think this book has a real chance of breaking out of my normal security market.
https://www.schneier.com/book-dg.html
http://books.wwnorton.com/books/Data-and-Goliath/
https://www.schneier.com/book-dg.html
Previous postings about the book:
https://www.schneier.com/blog/archives/2014/03/new_book_on_dat.html
https://www.schneier.com/blog/archives/2014/04/book_title.html

My essays:
https://www.schneier.com/essays/2013/
https://www.schneier.com/essays/2014/
** *** ***** ******* *********** *************
iPhone Encryption and the Return of the Crypto Wars

Last week, Apple announced that it is closing a serious security vulnerability in

the iPhone. It used to be that the phone's encryption only protected a small
amount of the data, and Apple had the ability to bypass security on the rest of it.
From now on, all the phone's data is protected. It can no longer be accessed by
criminals, governments, or rogue employees. Access to it can no longer be
demanded by totalitarian governments. A user's iPhone data is now more secure.
To hear US law enforcement respond, you'd think Apple's move heralded an
unstoppable crime wave. See, the FBI had been using that vulnerability to get
into people's iPhones. In the words of cyberlaw professor Orin Kerr, "How is the
public interest served by a policy that only thwarts lawful search warrants?"
Ah, but that's the thing: You can't build a backdoor that only the good guys can
walk through. Encryption protects against cybercriminals, industrial competitors,
the Chinese secret police and the FBI. You're either vulnerable to eavesdropping
by any of them, or you're secure from eavesdropping from all of them.
Backdoor access built for the good guys is routinely used by the bad guys. In
2005, some unknown group surreptitiously used the lawful-intercept capabilities
built into the Greek cell phone system.
The same thing happened in Italy in 2006.
In 2010, Chinese hackers subverted an intercept system Google had put into
Gmail to comply with US government surveillance requests. Back doors in our
cell phone system are currently being exploited by the FBI and unknown others.
This doesn't stop the FBI and Justice Department from pumping up the fear.
Attorney General Eric Holder threatened us with kidnappers and sexual
predators.
The former head of the FBI's criminal investigative division went even further,
conjuring up kidnappers who are also sexual predators. And, of course, terrorists.
FBI Director James Comey claimed that Apple's move allows people to "place
themselves beyond the law" and also invoked that now overworked "child
kidnapper." John J. Escalante, chief of detectives for the Chicago police
department now holds the title of most hysterical: "Apple will become the phone
of choice for the pedophile."
It's all bluster. Of the 3,576 major ofenses for which warrants were granted for
communications interception in 2013, exactly one involved kidnapping. And,

more importantly, there's no evidence that encryption hampers criminal

investigations in any serious way. In 2013, encryption foiled the police nine
times, up from four in 2012 -- and the investigations proceeded in some other
way.
This is why the FBI's scare stories tend to wither after public scrutiny. A former
FBI assistant director wrote about a kidnapped man who would never have been
found without the ability of the FBI to decrypt an iPhone, only to retract the point
hours later because it wasn't true.
We've seen this game before. During the crypto wars of the 1990s, FBI Director
Louis Freeh and others would repeatedly use the example of mobster John Gotti
to illustrate why the ability to tap telephones was so vital. But the Gotti evidence
was collected using a room bug, not a telephone tap. And those same scary
criminal tropes were trotted out then, too. Back then we called them the Four
Horsemen of the
Infocalypse: pedophiles, kidnappers, drug dealers, and terrorists.
Nothing has changed.
Strong encryption has been around for years. Both Apple's FileVault and
Microsoft's BitLocker encrypt the data on computer hard drives. PGP encrypts email. Of-the-Record encrypts chat sessions. HTTPS Everywhere encrypts your
browsing. Android phones already come with encryption built-in. There are
literally thousands of encryption products without back doors for sale, and some
have been around for decades. Even if the US bans the stuf, foreign companies
will corner the market because many of us have legitimate needs for security.
Law enforcement has been complaining about "going dark" for decades now.
In the 1990s, they convinced Congress to pass a law requiring phone companies
to ensure that phone calls would remain tappable even as they became digital.
They tried and failed to ban strong encryption and mandate back doors for their
use. The FBI tried and failed again to ban strong encryption in 2010. Now, in the
post-Snowden era, they're about to try again.
We need to fight this. Strong encryption protects us from a panoply of threats. It
protects us from hackers and criminals. It protects our businesses from
competitors and foreign spies. It protects people in totalitarian governments from
arrest and detention. This isn't just me
talking: The FBI also recommends you encrypt your data for security.
As for law enforcement? The recent decades have given them an unprecedented
ability to put us under surveillance and access our data.
Our cell phones provide them with a detailed history of our movements.
Our call records, e-mail history, buddy lists, and Facebook pages tell them who
we associate with. The hundreds of companies that track us on the Internet tell
them what we're thinking about. Ubiquitous cameras capture our faces
everywhere. And most of us back up our iPhone data on iCloud, which the FBI
can still get a warrant for. It truly is the golden age of surveillance.
After considering the issue, Orin Kerr rethought his position, looking at this in
terms of a technological-legal trade-of. I think he's right.
Given everything that has made it easier for governments and others to intrude
on our private lives, we need both technological security and legal restrictions to

restore the traditional balance between government access and our

security/privacy. More companies should follow Apple's lead and make encryption
the easy-to-use default. And let's wait for some actual evidence of harm before
we acquiesce to police demands for reduced security.
This essay previously appeared on CNN.com
http://www.cnn.com/2014/10/03/opinion/schneier-apple-encryptionhysteria/index.html
or http://tinyurl.com/lsluwpt
Apple's announcement:
http://arstechnica.com/apple/2014/09/apple-expands-data-encryption-under-ios8-making-handover-to-cops-moot/
or http://tinyurl.com/nthx3yh
http://www.nytimes.com/2014/09/27/technology/iphone-locks-out-the-nsasignaling-a-post-snowden-era-.html
or http://tinyurl.com/kg2k6z8
http://www.washingtonpost.com/business/technology/2014/09/17/2612af583ed2-11e4-b03f-de718edeb92f_story.html
or http://tinyurl.com/nwuah37
Law enforcement response:
https://www.techdirt.com/articles/20140923/07120428605/law-enforcementfreaks-out-over-apple-googles-decision-to-encrypt-phone-info-default.shtml
or http://tinyurl.com/nfa7bae
http://arstechnica.com/tech-policy/2014/10/us-top-cop-decries-encryptiondemands-backdoors/
or http://tinyurl.com/p24aygw
http://online.wsj.com/articles/new-level-of-smartphone-encryption-alarms-lawenforcement-1411420341
or http://tinyurl.com/pxwqwsb
http://www.washingtonpost.com/business/technology/2014/09/25/68c4e08e4344-11e4-9a15-137aa0153527_story.html
or http://tinyurl.com/m9z2h9d
http://www.huffingtonpost.com/2014/09/25/james-comey-appleencryption_n_5882874.html
or http://tinyurl.com/ovagols
http://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/09/26/thephone-of-choice-for-the-pedophile/
or http://tinyurl.com/m7dgfwh
Orin Kerr essays:
http://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/09/19/applesdangerous-game/
or http://tinyurl.com/pkg8j9p
http://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/09/22/applesdangerous-game-part-2-the-strongest-counterargument/
or http://tinyurl.com/mfrtny5
http://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/09/22/applesdangerous-game-part-3-where-do-you-draw-the-line-and-whats-the-privacytradeof/
or http://tinyurl.com/n876g2s
Stories of other backdoors being exploited:

http://spectrum.ieee.org/telecom/security/the-athens-afair
http://www.theregister.co.uk/2008/04/14/telecom_italia_spying_probe_update
or http://tinyurl.com/m7dvgfz
http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html
or http://tinyurl.com/y9fz5ew
Data on wiretaps and encryption:
http://www.uscourts.gov/uscourts/Statistics/WiretapReports/2013/Table3.pdf
or http://tinyurl.com/lazwxfq
http://www.wired.com/2014/07/rising-use-of-encryption-foiled-the-cops-a-record9-times-in-2013/
or http://tinyurl.com/l8me4wd
Kidnapping story:
http://www.washingtonpost.com/posteverything/wp/2014/09/23/i-helped-save-akidnapped-man-from-murder-with-apples-new-encryption-rules-we-neverwouldve-found-him/
or http://tinyurl.com/pnfr99e
https://twitter.com/xor/status/514582730126790656
The Crypto Wars:
http://archive.wired.com/wired/archive/1.02/crypto.rebels_pr.html
Four Horsemen of the Infocalypse:
https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalypse
Other encryption software:
http://support.apple.com/kb/HT4790
https://en.wikipedia.org/wiki/BitLocker
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
https://otr.cypherpunks.ca/
https://www.ef.org/https-everywhere
Android encryption:
https://source.android.com/devices/tech/encryption/android_crypto_implementati
on.html
or http://tinyurl.com/ldryhul
CALEA and follow-on:
https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_
Act
or http://tinyurl.com/7v4qm37
http://www.ef.org/deeplinks/2010/09/government-seeks
FBI recommends encrypting your data:
http://www.fbi.gov/news/speeches/responding-to-the-cyber-threat
Golden age of surveillance:
https://cdt.org/blog/%E2%80%98going-dark%E2%80%99-versus-a%E2%80%98golden-age-for-surveillance%E2%80%99/
or http://tinyurl.com/ljmjjj3
Supreme court on police data search and collection:
http://www.wired.com/2013/10/warrant-required-gps-trackers/

http://edition.cnn.com/2014/06/25/justice/supreme-court-cell-phones/
Other essays worth reading:
http://www.cato.org/blog/old-technopanic-new-ibottles
http://www.theguardian.com/commentisfree/2014/sep/30/iphone-6-encryptedphone-data-default
or http://tinyurl.com/p7xklwh
http://www.slate.com/articles/technology/future_tense/2014/09/ios_8_encryption_
why_apple_won_t_unlock_your_iphone_for_the_police.html
or http://tinyurl.com/kmd9mgk
https://twitter.com/evacide/status/514233569980317697
http://edition.cnn.com/2010/OPINION/09/29/schneier.web.surveillance/index.html
or http://tinyurl.com/mms846x
http://www.slate.com/blogs/future_tense/2014/10/01/law_enforcement_has_decla
red_war_on_encryption_it_can_t_break.html
or http://tinyurl.com/kat8l7r
http://www.lawfareblog.com/2014/09/securing-phones-and-securing-us/
http://www.salon.com/2014/10/06/americas_huge_iphone_lie_why_law_enforcem
ent_really_hates_its_new_policy/
or http://tinyurl.com/pbcxy9w
https://firstlook.org/theintercept/2014/09/22/apple-data/
https://www.cs.columbia.edu/~smb/blog/2014-09/2014-09-23.html
https://keybase.io/blog/2014-10-08/the-horror-of-a-secure-golden-key
http://www.wired.com/2014/10/golden-key/
https://news.vice.com/article/what-default-phone-encryption-really-means-forlaw-enforcement
or http://tinyurl.com/pcz5ou8
http://www.theguardian.com/technology/2014/oct/09/crypto-wars-redux-why-thefbis-desire-to-unlock-your-private-life-must-be-resisted
or http://tinyurl.com/oms9uho
http://www.nytimes.com/roomfordebate/2014/09/30/apple-vs-the-law/securingour-data-should-come-first
or http://tinyurl.com/k78xdjn
Pretty sad Washington Post editorial.
http://www.washingtonpost.com/opinions/compromise-needed-on-smartphoneencryption/2014/10/03/96680bf8-4a77-11e4-891d-713f052086a0_story.html
or http://tinyurl.com/lgqvc4c
Other ways Apple and law enforcement have to get at your data:
https://firstlook.org/theintercept/2014/09/22/apple-data/
** *** ***** ******* *********** *************
News

Good article on the insecurity of SHA-1 and the need to replace it sooner rather
than later.
https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1
or http://tinyurl.com/mredy8l

New Zealand is spying on its citizens. Edward Snowden weighs in personally.

https://firstlook.org/theintercept/2014/09/15/new-zealand-gcsb-speargun-masssurveillance/
or http://tinyurl.com/n8ehasm
https://firstlook.org/theintercept/2014/09/15/snowden-new-zealand-surveillance/
or http://tinyurl.com/maogbhm
The NSA and GCHQ are mapping the entire Internet, including hacking into
Deutsche Telekom.
http://www.spiegel.de/international/world/snowden-documents-indicate-nsa-hasbreached-deutsche
https://firstlook.org/theintercept/2014/09/14/nsa-stellar/
http://www.emptywheel.net/2014/09/15/treasure-map-its-about-location-notgold/
or http://tinyurl.com/phw54jk
There's a vulnerability in SS7 that allows your cell phone's location to be tracked.
What's interesting about this story is not that the cell phone system can track
your location worldwide. That makes sense; the system has to know where you
are. What's interesting about this story is that *anyone* can do it. Cyberweapons arms manufacturers are selling the capability to governments
worldwide, and hackers have demonstrated the capability.
http://www.washingtonpost.com/business/technology/for-sale-systems-that-cansecretly-track-where-cellphone-users-go-around-the-globe/2014/08/24/f0700e8af003-11e3-bf76-447a5df6411f_story.html
or http://tinyurl.com/kuazdjs
http://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf
According to court documents, Dread Pirate Roberts was identified because a
CAPTCHA service used on the Silk Road login page leaked the users' true
location.
http://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leaky-captcha/
or http://tinyurl.com/no5klnm
In 2008, Yahoo fought the NSA to avoid becoming part of the PRISM program. It
eventually lost the court battle, and at one point was threatened with a $250,000
a day fine if it continued to resist. I am continually amazed at the extent of the
government coercion.
http://gizmodo.com/the-nsa-was-going-to-fine-yahoo-250k-a-day-if-it-didnt1633677548
or http://tinyurl.com/pan3hdf
This is a terrible article on Vernam ciphers. If there's anything that confuses
wannabe cryptographers, it's one-time pads.
http://io9.com/is-this-wwii-era-cipher-the-most-unbreakable-code-ever1635035836
or http://tinyurl.com/l3o3jpr
The National Highway Traffic Safety Administration (NHTSA) has released a report
titled "Vehicle-to-Vehicle Communications: Readiness of V2V Technology for
Application." It's very long, and mostly not interesting to me, but there are
security concerns sprinkled throughout: both authentication to ensure that all the
communications are accurate and can't be spoofed, and privacy to ensure that
the communications can't be used to track cars. It's nice to see this sort of thing

thought about in the beginning, when the system is first being designed, and not
tacked on at the end.
https://www.schneier.com/blog/archives/2014/09/security_for_ve.html
Vehicle-to-Vehicle Communications: Readiness of V2V Technology for
Application:
http://www.nhtsa.gov/staticfiles/rulemaking/pdf/V2V/Readiness-of-V2VTechnology-for-Application-812014.pdf
or http://tinyurl.com/lm2v5mj
Jonathan Zittrain argues that our military weapons should be built with a kill
switch, so they become useless when they fall into enemy hands.
http://www.scientificamerican.com/article/the-case-for-kill-switches-in-militaryweaponry/
or http://tinyurl.com/oh4gbt5
I found the story of the Federal Reserve on 9/11 to be fascinating. It seems they
just flipped a switch on all their Y2K preparations, and it worked.
http://www.dailykos.com/story/2014/09/10/1328813/-The-Astonishing-Story-ofthe-Federal-Reserve-on-9-11
or http://tinyurl.com/lc7dhjy
Interesting article on the arms race between creating robot "handwriting" that
looks human, and detecting text that has been written by a robot. Robots will
continue to get better, and will eventually fool all of us.
https://medium.com/message/how-to-tell-when-a-robot-has-written-you-a-letter701562705d59
or http://tinyurl.com/pe29jd8
Julian Sanchez of the Cato Institute has a lengthy audio interview on NSA
surveillance and reform. Worth listening to.
https://soundcloud.com/libertarianism/episode-48-deconstructing-thesurveillance-state-with-julian-sanchez
or http://tinyurl.com/mntkt7o
Shellshock is a nasty vulnerability found in Bash. Inevitably we're going to see
articles pointing at this and at Heartbleed and claim a trend in vulnerabilities in
open-source software. If anyone has any actual data other than these two
instances and the natural human tendency to generalize, I'd like to see it.
http://www.csoonline.com/article/2687265/application-security/remote-exploit-inbash-cve-2014-6271.html
or http://tinyurl.com/lg7webl
http://www.zdnet.com/first-attacks-using-shellshock-bash-bug-discovered7000034044/
or http://tinyurl.com/pyydz8o
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-securityhole-on-anything-with-nix-in-it/
or http://tinyurl.com/p67xw2z
http://seclists.org/oss-sec/2014/q3/650
http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerabilityfound-in-bash
or http://tinyurl.com/pfcqpvk
https://news.ycombinator.com/item?id=8366745
This is a good essay on the security trade-ofs with cloud backup.

http://daringfireball.net/2014/09/security_tradeofs
There's a Reuters article on new types of fraud using stolen medical records. I
don't know how much of this is real and how much is hype, but I'm certain that
criminals are looking for new ways to monetize stolen data.
https://news.yahoo.com/medical-record-worth-more-hackers-credit-card182251915--finance.html
or http://tinyurl.com/kf4gv8s
There's a new article on NSA's Technology Transfer Program, a 1990s-era
program to license NSA patents to private industry. I was pretty dismissive about
the oferings in the article, but I didn't find anything interesting in the catalog. My
guess is that the good stuf remains classified, and isn't "transferred" to anyone.
http://www.dailydot.com/politics/nsa-technology-transfer-program-nationalsecurity-agency-ttp/
or http://tinyurl.com/mq6cddu
https://www.nsa.gov/research/_files/tech_transfers/nsa_technology_transfer_prog
ram.pdf
or http://tinyurl.com/pnhrczw
http://yro.slashdot.org/story/14/09/26/1451223/how-the-nsa-profits-of-of-itssurveillance-technology
or http://tinyurl.com/q3wkspk
The Chinese government checked ten thousand pigeons for "dangerous
materials." Because fear.
http://www.aljazeera.com/news/asia-pacific/2014/10/chinese-security-bodysearches-10000-pigeons-201410152532719788.html
or http://tinyurl.com/pre7xls
Firechat is a secure wireless peer-to-peer chat app.
http://boingboing.net/2014/09/29/faced-with-network-surveillanc.html
It has security issues.
https://citizenlab.org/2014/07/asia-chats-update-line-kakaotalk-firechat-china/
or http://tinyurl.com/kgbh5un
https://citizenlab.org/2014/07/iraq-information-controls-update-analyzinginternet-filtering-mobile-apps/
or http://tinyurl.com/lp5b8xk
The NSA is building a private cloud with its own security features.
http://www.cio.com/article/2688434/private-cloud/exclusive-inside-the-nsasprivate-cloud.html
or http://tinyurl.com/l2zr5kt
Former NSA employee and whistleblower William Binney explains NSA
surveillance using Snowden's documents.
http://www.alexaobrien.com/secondsight/wb/binney.html
In July, I wrote about an unpatchable USB vulnerability called BadUSB.
Code for the vulnerability has been published.
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/ or
http://tinyurl.com/q993xbx http://arstechnica.com/security/2013/10/meetbadbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
or http://tinyurl.com/q3e4zgj
https://github.com/adamcaudill/Psychson

https://www.schneier.com/blog/archives/2014/07/the_fundamental.html
USB cufflinks: just the thing for smuggling data out of secure locations.
http://www.dalys1895.com/designer/dalys/dalys1895-silver-rectangular-usb16gb-cufflinks.html
or http://tinyurl.com/og2wejf
This article reads like snake oil. But the company was founded by Lars Knudsen,
so it can't possibly be. I'm curious.
http://www.sciencedaily.com/releases/2014/10/141007092106.htm
Good essay by Molly Sauter: basically, there is no legal avenue for activism and
protest on the Internet.
http://boingboing.net/2014/09/26/fuckthecfaa.html
Also note Sauter's new book, The Coming Swarm.
http://www.amazon.com/The-Coming-Swarm-HacktivismDisobedience/dp/1623564565
or http://tinyurl.com/pokmpgm
Interesting essay about James Bamford and his eforts to publish The Puzzle
Palace over the NSA's objections. Required reading for those who think the NSA's
excesses are somehow new.
https://firstlook.org/theintercept/2014/10/02/the-nsa-and-me/
** *** ***** ******* *********** *************
Fake Cell Phone Towers Across the US

Earlier this month, there were a bunch of stories about fake cell phone towers
discovered around the US. These seem to be IMSI catchers, like Harris
Corporation's Stingray, and are used to capture location information and
potentially phone calls, text messages, and smart-phone Internet traffic. A couple
of days ago, the Washington Post ran a story about fake cell phone towers in
politically interesting places around Washington DC. In both cases, researchers
used security software that's part of CryptoPhone from the German company
GSMK. And in both cases, we don't know who is running these fake cell phone
towers. Is it the US government? A foreign government? Multiple foreign
governments?
Criminals?
This is the problem with building an infrastructure of surveillance: you can't
regulate who gets to use it. The FBI has been protecting Stingray like it's an
enormous secret, but it's not a secret anymore. We are all vulnerable to
everyone because the NSA wanted us to be vulnerable to them.
We have one infrastructure. We can't choose a world where the US gets to spy
and the Chinese don't. We get to choose a world where everyone can spy, or a
world where no one can spy. We can be secure from everyone, or vulnerable to
anyone. And I'm tired of us choosing surveillance over security.

http://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal-yourphones-data/
or http://tinyurl.com/o9vd4u9
https://www.schneier.com/blog/archives/2014/09/fake_cell_phone.html
http://www.wired.com/2014/09/cryptophone-firewall-identifies-rogue-cell-towers/
or http://tinyurl.com/m7fx96
http://www.popsci.com/article/technology/mysterious-phony-cell-towers-could-beintercepting-your-calls
or http://tinyurl.com/mpx5vad
http://io9.com/fake-cell-phone-towers-could-be-taking-control-of-your1630378142
or http://tinyurl.com/m45zvll
http://gizmodo.com/phony-cell-towers-could-be-intercepting-your-data1629478616
or http://tinyurl.com/lqyzvva
http://venturebeat.com/2014/09/02/who-is-putting-up-interceptor-cell-towers-themystery-deepens/
or http://tinyurl.com/qhsjq9d
https://news.ycombinator.com/item?id=8264540
http://www.washingtonpost.com/world/national-security/researchers-try-to-pullback-curtain-on-surveillance-eforts-in-washington/2014/09/17/f8c1f590-3e8111e4-b03f-de718edeb92f_story.html
or http://tinyurl.com/pc2geg5
Stingray:
http://www.extremetech.com/mobile/184597-stingray-the-fake-cell-phone-towercops-and-providers-use-to-track-your-every-move
or http://tinyurl.com/ooxxgms
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678
** *** ***** ******* *********** *************
FOXACID Operations Manual

A few days ago, I saw this tweet: "Just a reminder that it is now *a
full year* since Schneier cited it, and the FOXACID ops manual remains
unpublished." It's true.
The citation is this: "According to a top-secret operational procedures
manual provided by Edward Snowden, an exploit named Validator might be
the default, but the NSA has a variety of options. The documentation
mentions United Rake, Peddle Cheap, Packet Wrench, and Beach Head--all
delivered from a FOXACID subsystem called Ferret Cannon."
Back when I broke the QUANTUM and FOXACID programs, I talked with the
Guardian editors about publishing the manual. In the end, we decided not
to, because the information in it wasn't useful to understanding the
story. It's been a year since I've seen it, but I remember it being just
what I called it: an operation procedures manual. It talked about what

to type into which screens, and how to deal with error conditions. It
didn't talk about capabilities, either technical or operational. I found
it interesting, but it was hard to argue that it was necessary in order
to understand the story.
It will probably never be published. I lost access to the Snowden
documents soon after writing that essay -- Greenwald broke with the
Guardian, and I have never been invited back by the Intercept -- and
there's no one looking at the documents with an eye to writing about the
NSA's technical capabilities and how to securely design systems to
protect against government surveillance. Even though we now know that
the same capabilities are being used by other governments and cyber
criminals, there's much more interest in stories with political
ramifications.
The tweet:
https://twitter.com/puellavulnerata/status/521333453439004672
The citation:
http://www.theatlantic.com/technology/archive/2013/10/how-the-nsa-thinksabout-secrecy-and-risk/280258/
or http://tinyurl.com/nnmq8sm
QUANTUM and FOXACID:
http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-onlineanonymity
or http://tinyurl.com/onbjqju
https://www.schneier.com/blog/archives/2014/08/quantum_technol.html
** *** ***** ******* *********** *************
Schneier News

I'm speaking at the 2014 Indianapolis Enterprise Security Solutions

Summit on October 16.
http://pages.fishnetsecurity.com/IndyES3_Home1.html
I'm speaking at an MN ISSA After Hours Event in Roseville, Minnesota on
October 30.
http://mn.issa.org/news/mn-issa-having-after-hours-event-bruce-schneier-andcharles-herring
I'm speaking at the MassTLC conference in Boston on October 22.
http://www.masstlc.org/events/event_details.asp?id=477322
I'm speaking at QCon in San Francisco on November 3.
http://qconsf.com/
** *** ***** ******* *********** *************

NSA Has Undercover Operatives in Foreign Companies

The latest Intercept article on the Snowden NSA documents talks about
their undercover operatives working in foreign companies. There are no
specifics, although the countries China, Germany, and South Korea are
mentioned. It's also hard to tell if the NSA has undercover operatives
working in companies in those countries, or has undercover contractors
visiting those companies. The document is dated 2004, although there's
no reason to believe that the NSA has changed its behavior since then.
The most controversial revelation in Sentry Eagle might be a
fleeting reference to the NSA infiltrating clandestine agents
into "commercial entities." The briefing document states that
among Sentry Eagle's most closely guarded components are "facts
related to NSA personnel (under cover), operational meetings,
specific operations, specific technology, specific locations
and covert communications related to SIGINT enabling with
specific commercial entities (A/B/C)""
It is not clear whether these "commercial entities" are
American or foreign or both. Generally the placeholder
"(A/B/C)" is used in the briefing document to refer to American
companies, though on one occasion it refers to both American
and foreign companies. Foreign companies are referred to with
the placeholder "(M/N/O)." The NSA refused to provide any
clarification to *The Intercept*.
That program is SENTRY OSPREY, which is a program under SENTRY EAGLE.
The document makes no other reference to NSA agents working
under cover. It is not clear whether they might be working as
full-time employees at the "commercial entities," or whether
they are visiting commercial facilities under false pretenses.
Least fun job right now: being the NSA person who fielded the telephone
call from the Intercept to clarify that (A/B/C)/(M/N/O) thing. "Hi.
We're going public with SENTRY EAGLE next week. There's one thing in the
document we don't understand, and we wonder if you could help us...."
Actually, that's wrong. The person who fielded the phone call had no
idea what SENTRY EAGLE was. The least fun job belongs to the person up
the command chain who did.
https://firstlook.org/theintercept/2014/10/10/core-secrets/
http://www.wired.com/2014/10/nsa-may-undercover-operatives-foreigncompanies-new-documents-show/
or http://tinyurl.com/kxzo8c8
http://beta.slashdot.org/story/208367
https://news.ycombinator.com/item?id=8441055
** *** ***** ******* *********** *************

DEA Creates Fake Facebook Page in Woman's Name

This is a creepy story. A woman has her phone seized by the Drug
Enforcement Agency and gives them permission to look at her phone.
Without her knowledge or consent, they steal photos of of the phone
(the article says they were "racy") and use it to set up a fake Facebook
page in her name.
The woman sued the government over this. Extra creepy was the
government's defense in court: "Defendants admit that Plaintif did not
give express permission for the use of photographs contained on her
phone on an undercover Facebook page, but state the Plaintif implicitly
consented by granting access to the information stored in her cell phone
and by consenting to the use of that information to aid in an ongoing
criminal investigations [sic]." The article was edited to say: "Update:
Facebook has removed the page and the Justice Department said it is
reviewing the incident." So maybe this is just an overzealous agent and
not official DEA policy.
But as Marcy Wheeler said, this is a good reason to encrypt your cell
phone.
http://www.buzzfeed.com/chrishamby/government-says-federal-agents-canimpersonate-woman-online
or http://tinyurl.com/mf3b9q4
https://www.emptywheel.net/2014/10/07/a-good-reason-to-encrypt-your-iphoneto-prevent-dea-from-creating-a-fake-facebook-account/
or http://tinyurl.com/nkbn85x
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address on
the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are
also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its
entirety.
CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an
internationally renowned security technologist, called a "security guru"
by The Economist. He is the author of 12 books -- including "Liars and
Outliers: Enabling the Trust Society Needs to Survive" -- as well as
hundreds of articles, essays, and academic papers. His influential
newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by
over 250,000 people. He has testified before Congress, is a frequent

guest on television and radio, has served on several government

committees, and is regularly quoted in the press. Schneier is a fellow
at the Berkman Center for Internet and Society at Harvard Law School, a
program fellow at the New America Foundation's Open Technology
Institute, a board member of the Electronic Frontier Foundation, an
Advisory Board Member of the Electronic Privacy Information Center, and
the Chief Technology Officer at Co3 Systems, Inc. See
<http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Co3 Systems, Inc.
Copyright (c) 2014 by Bruce Schneier.
** *** ***** ******* *********** *************