Bamford’s latest update on the NSA

James Bamford is well known for his revealing of the National Security Agency in The Puzzle Palace, published in 1983.  He has written two updates since then, Body of Secrets and The Shadow Factory, the latest one covering the Bush Administration in some detail.  Bamford’s technical details in The Shadow Factory are nowhere near as good as they were in The Puzzle Palace, which is something that really attracted me to his writing.  Also, in this book, Bamford seems to play both sides of the fence, at one point arguing that the attacks on 9/11 were an intelligence failure, while at the same time arguing that we must safeguard our civil liberties.  This works, mostly because he successfully argues (in my opinion) that the government had all the power it needed to stop the attacks, but that incompetence ruled the day.

To be sure there are a few points I would take issue with.  For one, although I despise the name, it was probably a good idea to roll together many agencies into the Department of Homeland Security.  But quite frankly even that was done ineptly, as we have seen from auditor reports, again and again.

Returning to The Shadow Factory, in this update Bamford highlights the role of the Internet and the change in the nature of communications, where many communications have moved from satellite to fiber, and from simple voice circuits to voice over IP.  He talks about certain organizations wanting to hire Cisco employees simply to reverse engineer IOS and find ways to install back doors.  I have no way of knowing if that has happened.

Bamford retreads much of the story about the illegal spying the NSA did within the United States, and how James Comey would not recertify the program.  While it makes my blood boil to think that anyone in government would think that such a program was legal (certified by the attorney general or not), that part of the story isn’t so much about the NSA as it is about Dick Cheney and David Addington.  Quite frankly I think Bob Woodward has covered that ground as well as could be covered.

Were I to give advice to Mr. Bamford it would be simply this: it is difficult to read just one of the three books he’s written, as either the earliest is woefully out of date, or the latest doesn’t stand on its own without having read the earliest.  A consolidated update that combines all three seems in order.

Mr. Bush, you’re no Harry Truman

Some people are really not meant for this earth.  They happen to exist through luck or by the grace of others, or simply because evolution has not provided sufficient stimulus to cause them to bring themselves to an end.

Such was the case with union leaders in the early 1980s, and now it seems to be the case with the Wall Street Journal.  In this lovely editorial, Jeffrey Scott Shapiro wonders why President Bush is receiving such a public flogging as hasn’t been seen since Truman, and whines that the attacks on Mr. Bush have been slanderous.  Perhaps some have been, but there have been plenty more that are well deserved.  Let’s review a bit with Mr. Shapiro, who appears to need the lesson.

The Economy

He argues that the current administration has little to do with the current economic mess.  Their appointee to chair the SEC, Christopher Cox, led the commission that weakened the firewall within banks between lending and investing so that an investment failure could cause a banking failure, which is what happened.

Taking Deregulation to Its Illogical Conclusion

Over the last eight years we have seen more food scares than in the previous forty.  At one time it’s meat, and then it’s spinach, and then tomatoes.  Today we all worry about products brought in from China.  The regulatory regime of the FDA is so lax it’s amazing anything is safe to eat.  At the same time we are polluting our air and water while consuming as much oil as ever.  Mr. Bush entered the stage with corporate greed on everyone’s mind.  Enron and Worldcom were household names.  You would think we would keep a closer eye on Corporate America, and the Sarbanes-Oxley Act was meant to do just that.  And yet we have just shoveled another $700 billion into the banks.

Losing Two Wars

It was perhaps inevitable and likely necessary that we would go to war with the Taliban in order to root Al Qaida out of Afghanistan.  That we haven’t won the war is inexcusable.  President Bush doesn’t understand what winning a war is.  It is not enough to simply have moved troops into a particular piece of real estate, but rather to accomplish a particular political objective.  In Afghanistan that was to install a stable democratic government.  Stability requires lots and lots of time, effort, planning, and money, which Mr. Bush denied the Afghans by devoting his attention elsewhere.  Today we see fighting along the border, a resurgence of the Taliban outside of Kabul, and war lords re-emerging as power centers.  All of this was not inevitable.  It is one thing to try and fail, but we failed to try.

The other war was a war of choice that we entered because we were not told the truth.  President Bush claimed on more than one occasion that he acted on the same intelligence that President Clinton had.  If that was the case (and it seems that it was), then Mr. Bush demonstrated a shocking lack of judgment for the job in which he found himself.

But that wasn’t the worst of it: once in Iraq we failed to stabilize the situation, to provide basic services to the citizens, and to re-establish any semblance of normality in their lives.  Rather than paying attention to the deteriorating situation, Mr. Bush believed his chief lieutenants, Donald Rumsfeld, Dick Cheney, and Condoleezza Rice, as was well documented by Bob Woodward.

Loss of Moral Authority

Engaging in a war of choice against the wishes of most of the world was one of the many ways in which we lost the respect of the common individual in many countries.  By creating prisons and holding people indefinitely without trial, the administration flouted the law.  Allowing people to be transported to far away countries for the purposes of torture demonstrated to people outside the U.S. that we would do anything that we thought justifiable in the name of national security.  Denying them public trials further demonstrates a level of depravity usually attributed to petty dictators.

Isolation of America

Every foreign visitor has been subject to treatment that is usually reserved for common criminals.  Upon entry their pictures and fingerprints are taken, stored in a system of questionable security, subjecting them to potential identity theft, a problem that this administration has generally ignored.  It has been all but impossible for residents of the Middle East to visit, due to extensive consular demands.  The effort required to visit the U.S. has cost us tourism and business as organizations have moved their meetings elsewhere.

Fear

I reserve my strongest ire for Mr. Bush and his sidekick for having led America, not from a position of strength, where he could have told people after 9/11 that the best way to get back at people who do not believe in our way of life is to rebuild and outmarket them; but instead from a position of fear.  Mr. Bush spread fear everywhere he went.  He did it perhaps because he was fearful.  But he also profited from fear, scoring political points off of people’s fear.  He imposed onerous rules at airports, treated foreigners like criminals, snooped into people’s private lives, and violated principles many Americans hold dear.

And so perhaps some level of disrespect is deserved.  Mr. Shapiro points out that after a generation people came to value Harry Truman and his presidency, and he argues that the same could happen with President Bush.  Harry Truman stood up to his military by integrating them, ended WWII in the Pacific through what could only have been a terrible choice, stood up against Stalin in Germany, and stood up against his own general in Korea.  He was attacked from the right because of wrongful accusations against his secretary of state by a Republican whacko named Joe McCarthy.  History showed he was right in each of the above cases, and his critics were wrong.  Does anyone seriously believe President Bush is in the same league as President Truman?  If so, please pass me what you’re smoking.

How Much Do You Value Privacy?

People in my company travel a lot, and they like to have their itineraries easily accessible.  My wife wants to know when and where I will be, and that’s not at all unreasonable.  So, how best to process and share that information?  There are now several services that attempt to help you manage it.  One of those services, TripIt.Com, will take an email message as input, organize your itinerary, generate appropriate calendar events, and share that information with those you authorize.

The service is based in the U.S., and might actually share information with those you do not authorize, to market something to you, or worse.  If the information is stolen, as was the case with travel information from a hotel we discussed recently, it can be resold to burglars who know when you’re away.  That can be particularly nasty if in fact only you are away, and the rest of your family is not.

But before we panic and refuse to let any of this information out, one should ask just how secure that information is.  As it happens, travel itineraries are some of the least secure pieces of information you can possibly have.  All a thief really needs is an old ticket stub that has one’s frequent flyer number, and we’re off to the races.  In one case, it was shown that with this information a thief could even book a ticket for someone else.

So how, then, do we evaluate the risk of using a service like TripIt? First of all, TripIt does not use any form of encryption or certificate trust chain to verify their identity.  That means that all of your itinerary details go over the network in the clear.  But as it turns out, you’ve probably already transmitted all of your details in the clear to them by sending the itinerary in email.  Having had a quick look at their mail servers, they do not in fact verify their server identities through the use of STARTTLS, not that you as a user can easily determine this in advance.

Some people might have stopped now, but others have more tolerance for risk.

Perhaps a bigger problem with TripIt is that neither its password change page nor its login page makes use of SSL.  That means that when you enter your password, the text of that password goes over the network in the clear, for all to see.  It also means that you cannot be sure that the server on the other end is actually that of TripIt.  To me this is a remarkable oversight.
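The two checks described above (does the mail server offer STARTTLS, and does a login page serve and submit its password form over TLS) can be run by anyone evaluating a service like this.  The following is an added example, not code from the original post or from either service; the function names, the example.test host and the sample HTML and EHLO replies are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormScan(HTMLParser):
    """Collect the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.actions = []      # actions of forms holding a password field
        self._current = None   # action of the form being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action") or ""
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self.actions.append(self._current)
                self._current = None  # report each form once

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def password_form_findings(page_url, html):
    """Return (submit_url, reasons) for each password form on the page."""
    scan = _FormScan()
    scan.feed(html)
    findings = []
    for action in scan.actions:
        target = urljoin(page_url, action)  # empty action posts back to the page
        reasons = []
        if urlparse(page_url).scheme != "https":
            reasons.append("form served without TLS")
        if urlparse(target).scheme != "https":
            reasons.append("password submitted without TLS")
        findings.append((target, reasons))
    return findings

def advertises_starttls(ehlo_reply):
    """True if an SMTP EHLO reply lists STARTTLS (certificate checks are separate)."""
    for line in ehlo_reply.splitlines():
        # Reply lines look like "250-KEYWORD params" or "250 KEYWORD".
        if line[:3] == "250" and line[4:].split(" ")[0].upper() == "STARTTLS":
            return True
    return False

# Constructed samples; example.test is a placeholder, not a real service.
LOGIN_HTML = '<form action="/session" method="post"><input name="u"><input type="password" name="p"></form>'
EHLO_PLAIN = "250-mx.example.test\r\n250-SIZE 10240000\r\n250 8BITMIME"
EHLO_TLS = "250-mx.example.test\r\n250-STARTTLS\r\n250 8BITMIME"
```

A form that posts to an https URL but is itself served over http is still flagged, because the page carrying the form can be altered in transit before the password is ever typed.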

For all of these concerns, you still get the ability to generate an iCal calendar subscription as well as the ability to share all of this information with friends and family.  Is it worth it?  One answer is that it depends on whether you actually want to enter the information yourself, whether you care about security concerns, and whether you like using calendaring clients.  It also depends on what other services are available.

Another service that is available is Dopplr.  It also attempts to be a social networking site, not unlike LinkedIn.  Dopplr allows you to share your itineraries with other people, tells you about their upcoming trips (if they’re sharing with you), and it lets you create an iCal subscription.

Dopplr also has some security problems, in that they do not use SSL to protect your password.  They also do not use SSL for their main pages.  They do, however, support OpenID, an attempt to do away with site passwords entirely.  I’ll say more about OpenID in the future, but for now I’ll state simply that just because something is new does not make it better.  It may be better or worse.

And so there you have it.  Two services, both with very similar offerings, and both with almost the same privacy risks.  One of them, by the way, could distinguish themselves by improving their privacy offering.  That would certainly win more of my business.

Social Contracts on Internet Security

Everyone, and I mean EVERYONE, tells you that the best thing you can do for yourself and others if you have a Windows system on the Internet is to run anti-virus software, and keep your patches current.  Otherwise your system can be a nuisance to others, as it is broken into and used as a bot to attack others.

That doesn’t work so well when the anti-virus software causes the user problems.  These systems take a performance hit, that is for sure.  But they can have bugs as well, as this page from McAfee demonstrates.  What has happened here is that a program called “McScript_InUse.exe” has gone crazy, pegging the system’s CPU.  Not only does this kill performance of every other application on a system, but it can have an impact on your energy bill, because a 100% used CPU means that it will run faster with more fans on and more cooling required.

McAfee cannot be condemned for having bugs in their software, even though it is ironic that they exist in large part because Microsoft Windows has bugs that are taken advantage of.  It nevertheless brings up the question of whether such active scanning technology is the right approach, or whether we have to do better at providing better underlying security.  The extreme version of this would be provably secure programming, a field to which Dr. Gene Spafford (a network legend) has devoted his career.

In the meantime, however, we have to hold McAfee to a higher standard, just as we should Microsoft.  When people believe that they will be harmed by the very software that is meant to protect them and others, especially when the more negative consequences impact others, they will not upgrade.  We discussed this with the ETH Study, some time ago, and now we can expect additional consequences.

The Giant Bear roars again…

Prime Minister Putin – er – President Medvedev has laid out five “principles” of foreign policy, according to this article from the BBC.  The funny thing about principles is that they’re things people aspire to, but oftentimes don’t meet.  And Russia is no exception.  And to be fair, principles often conflict with one another.  Let’s see…

3. No isolation

“Russia does not want confrontation with any country; Russia has no intention of isolating itself. We will develop, as far as possible, friendly relations both with Europe and with the United States of America, as well as with other countries of the world.”

You would think that means not overrunning your neighbors with troops, but the Russians may choose to hide behind the next one to get around that little inconvenient fact:

4. Protect citizens

“Our unquestionable priority is to protect the life and dignity of our citizens, wherever they are. We will also proceed from this in pursuing our foreign policy. We will also protect the interest of our business community abroad. And it should be clear to everyone that if someone makes aggressive forays, he will get a response.”

While one cannot argue with the general idea, there are many Russians in neighboring countries who have Russian passports.  Is that grounds for invasion?  But if it is not, perhaps the next one is:

5. Spheres of influence

“Russia, just like other countries in the world, has regions where it has its privileged interests. In these regions, there are countries with which we have traditionally had friendly cordial relations, historically special relations. We will work very attentively in these regions and develop these friendly relations with these states, with our close neighbours.”

As Bill Cosby would say, “Riiggght.”  Read: if you aren’t friendly to us, we’ll invade to “protect our citizens”.

Cuba, are you listening?  Still, better to oppose the principles and the bad behavior of one state rather than compound it.  Of course that might depend on who makes the decision.  President Bush might decide that one more crusade is in order.