April 24, 2014

Ed Felten

Mesh Networks Won’t Fix Internet Security

There’s no doubt that the quality of tech reporting in major newspapers has improved in recent years. It’s rare these days to see a story in, say, the New York Times whose fundamental technical premise is wrong. Still, it does happen occasionally—as it did yesterday.

Yesterday’s Times ran a story gushing about mesh networks as an antidote to Internet surveillance. There’s only one problem: mesh networks don’t do much to protect you from surveillance. They’re useful, but not for that purpose.

How to protect yourself from Heartbleed

The Heartbleed vulnerability is one of the worst Internet security problems we have seen. I’ll be writing more about what we can learn from Heartbleed and the response to it.

For now, here is a quick checklist of what you can do to protect yourself.

Secure protocols for accountable warrant execution

Last week the press reported that the White House will seek to redesign the NSA’s mass phone call data program, so that data will be held by the phone companies and accessed by the NSA, subject to a new warrant requirement. The Foreign Intelligence Surveillance Court will issue the warrants.

Today Josh Kroll and I, with colleagues at Stanford University, released a draft paper on how to use cryptography to implement warrants to data in a secure, private, and accountable way.

Algorithms can be more accountable than people

At an academic meeting recently, I was surprised to hear some social scientists accept as obviously correct the claim that involving “algorithms” in decision-making, instead of sticking with good old-fashioned human decision-making, necessarily reduces accountability and increases the risk of bias. I tend to believe the opposite, that making processes algorithmic improves our ability to understand why they give the results they do. Let me explain why.

Why Dorian Nakamoto Probably Isn’t Satoshi

When Newsweek published its cover story last week claiming to have identified the creator of Bitcoin, I tweeted that I was reserving judgment on their claim, pending more evidence. At this point it looks like they don’t have more evidence to show us—and that Newsweek is probably wrong.

Understanding Bitcoin’s transaction malleability problem

In recent days, several Bitcoin exchanges have suspended certain kinds of payments due to “transaction malleability” issues. There has been a lot of talk about why this happened, and some finger-pointing. In this post, I will try to unpack what “transaction malleability” is and why it has proven to be a problem for some companies.

It matters what the NSA does

It seems axiomatic that if we want to have an informed conversation about the legality, ethics, and policy implications of the NSA’s actions, it is useful to know what the NSA is doing. Yet a vocal subset of NSA defenders seem to be taking the contrary position, that information about the agency’s activities serves no public purpose.

Consider Tuesday’s Washington Post op-ed by Mark Thiessen. He argues that information about the NSA’s activities is just “espionage porn:”

As President Obama prepared to address the nation on surveillance, the New York Times revealed that the National Security Agency (NSA) has developed the capability to access computers that are not connected to the Internet. According to the Times, based on classified documents obtained from Edward Snowden, the NSA uses “a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into . . . computers” or in some cases “a briefcase-size relay station that intelligence agencies can set up miles away from the target.”

Evidence of another NSA plot to spy on Americans? Not at all. The Times reports, “There is no evidence that the N.S.A. has implanted its software or used its radio frequency technology inside the United States.” And the NSA confirmed that the “N.S.A.’s activities are focused and specifically deployed against — and only against — valid foreign intelligence targets.”

In other words, this (no longer) secret program poses precisely zero threat to American civil liberties.

So what is the redeeming social value of the Times’ story? What “abuse” is being revealed? Why is this something the public needs to know?

The answers are: None. None. And it isn’t.

Thiessen seems unaware that the Times was not the first to report on this capability—a German publication, Spiegel, had already published much more detailed information including the so-called “Spy Mall Catalog” detailing specific NSA “implant” technologies used for these attacks.

And of course it has been known for a long time that, even without any secretly implanted antennas, computers disconnected from the network can radiate information over a considerable distance. There are entire book chapters devoted to this, and the NSA itself has released non-classified articles about it.

Our adversaries surely knew all of this, even if DC pundits did not.

But even if this information was previously unknown, it would still have implications for the public debate. As Steve Vladeck argues, the NSA debate is not just about the legality of the agency’s actions, but also about whether they are good public policy—which surely depends at least in part on how they affect people internationally, especially our allies.

Of course, there might be a good argument in a specific case that publication of certain facts would cause national security harm that outweighs the benefit to public debate. Sanger and the Times have said that they will withhold facts if they believe this is the case. But Thiessen’s argument is not just that there is more weight on the national security side of the scale—he is arguing that there is nothing at all on the public debate side. “None.”

There is another subtext in the “espionage porn” argument that bears discussion: the label tends to get thrown at information that is technical in nature. The DC debate, which is dominated by lawyers, has no trouble accepting the relevance of every last detail of the statutory history of Section 215 or the wording of opinions in U.S. v. Jones. Yet somehow the facts about what the NSA is actually doing are seen as peripheral, if those facts involve technology.

Technical facts are not “porn.” They are more like an MRI—information about the patient’s body, yes, but information you need to get if you care about the patient’s health.

NSA call data analysis: inside or outside government?

Last week the President suggested that the NSA’s database of phone call data be stored outside the government, and he asked his Administration to study how this could be done. Today I’d like to start unpacking the options.

Can Washington re-architect the NSA phone data program?

In the President’s NSA reform speech last week, he called for a study of how to re-architect the NSA’s phone call data program, to change where the data is stored. This raises a bunch of interesting computer science questions, which I’m planning to explore in a series of posts here.