When Katie Moussouris is so excited about something she’s almost vibrating, you know it has to be big. So when she came to Chris John Riley and me earlier this week and said she had news from Microsoft, we had to make time to talk to her. Katie’s been working on the Microsoft Bug Bounty program for over three years, and it’s no wonder; getting a company like Microsoft to recognize the importance of working with the researcher community as early in the process as possible, and getting the funding to make it happen, is no small feat.
The basics of the three programs are like this: Researchers who develop novel, new exploitation techniques (not just bugs, but new techniques) can receive $100,000 for the technique. If they also come up with a mitigation technique for the exploitation, they can receive another $50,000. The third program is specific to IE 11, and it gives researchers the opportunity to earn $11,000 per bug for the first month of the IE 11 beta.
It’ll be interesting to see how other companies respond to Microsoft’s move. Rather than simply waiting for the vulnerability ~~pimps~~ resellers to bring exploitation techniques and vulnerabilities to Microsoft once the product has been released, this encourages them to do the same during the development lifecycle, and at a healthy rate. Will other vendors be able to do the same, will they cast aspersions on Microsoft’s efforts, or will they simply pretend it never happened? Only time will tell.
FIRST 2013 – Katie Moussouris of Microsoft on the Bug Bounty Program
While it was good to maintain a list of the stories coming out about the NSA spying scandal, today I realized we’re starting on the second phase of this event. Most of what we heard late last week and over the weekend was the initial reaction and often contained speculation and hyperbole. But now that a few days have passed, we’re starting to see more details emerge and the battle lines being drawn. Luckily those lines aren’t along familiar party lines; instead they’re being drawn along the division between people who think the government is worthy of our trust and is protecting us and those who don’t trust it. And the discussion is spreading out from just this leak to a greater discussion of what privacy means. I am obviously in the camp that believes any tool of this magnitude is going to be misused massively, if not right now, then some time within our generation. And given some of what we’ve seen recently, I can’t really see how the people who say “Trust the government” can support that position.
For the first in this series (I hope), read Rage Against the Machine. I’ll admit it starts off a bit hyperbolic, but I was, and am, pissed at our government. And I’m reading every one of these stories before posting, so you hopefully don’t have to.
- U.S. Surveillance Leak in Criminal, Congressional Probes – (Added 20:45, 11 June 13) This is less an actual story and more a collection of the facts, such as who’s calling for probes and special committees. There’s very little analysis, which is actually a bit refreshing, given how rabid some people on both sides of the argument have been.
- Defeatism is Premature: You Better Fight for Your Right to Privacy – (Added 20:55, 11 June 13) I like this article because it has an odd sort of optimism in the midst of all the doom and gloom on both sides. We can decide what privacy looks like in the future; we don’t have to let the current situation persist. But We the People have to stand up and start making a difference in how our government treats us and our information. We can change reality if our will is strong enough!
- StopWatching.Us: Mozilla launches massive campaign on digital surveillance – (Added 21:00, 11 June 13) Leave it to Mozilla to charge in where angels (and most other businesses) fear to tread. Get involved with activists, though I’m not sure how much effect online campaigns have on the members of Congress. Too easy to delete those emails, unless they’re using Gmail (stupid Android update!)
- FISA Court Has Rejected .03 Percent of all Government Surveillance Requests – (Added 21:10, 11 June 13) Sigh. I don’t care what those in government call the FISA Court, the rest of us call it a rubber stamp. 11 rejected requests out of 33,900. I’m surprised we were even allowed to know how many requests there really were. If we were given the truth at all.
- First Lawsuit Over NSA Phone Scandal Targets Obama, Verizon – (Added 21:15, 11 June 13) It’ll be interesting to see if this lawsuit goes anywhere, since some of the previous lawsuits have been shot down because the plaintiffs couldn’t prove they were affected by the spying. But since EVERYONE who’s a Verizon customer was being spied on, that’ll be a weak defense.
- NSA Leaks Present a Business and Ethics Crisis for Silicon Valley – (Added 05:40, 12 June 13) I don’t think it’s too much of an exaggeration to say this may be one of the events that shapes Silicon Valley for years to come. All of the CEOs of the major companies have denied any involvement (using a lot of weasel words, of course) with PRISM, and they need to decide where the line stands in being complicit with this program. So far, they’re on the side of the government, but that could change. Who will be the first to cross over?
- You’re Being Monitored all the Time – Deal With It – (Added 05:50, 12 June 13) I hate the attitude that it’s too late to do anything about it, so get over being monitored. It’s not too late, we just have to stand up for our rights and decide what’s right and wrong in the new digital age.
- It’s Not About Your Cat Photos – (Added 06:00, 12 June 13) You need to read this article for a historical perspective on spying powers in the United States. It’s not a matter of if the government will abuse their power, it’s a matter of when and how often. The NSA is filled with bright people willing to do anything to protect the American people. All it takes is a few who are too zealous to step over that line to make us into a full-blown police state. Hopefully we’re not there quite yet.
- Lawmakers question legal basis for NSA surveillance – (Added 17:30, 12 June 13) In theory, we still live in a democracy and vigorous discussion of ideas should be a good and proper way to govern. In reality, we live in a republic that’s mangled the concept of free speech and privacy beyond anything that would be recognizable from 20 years ago. Whether you believe the NSA is good or evil, we need to have a national debate on what is appropriate. I’d love to see not only the NSA, but all businesses have their access to our personal data heavily curtailed.
- Asking the U.S. government to allow Google to publish more national security request data – (Added 17:35, 12 June 13) I still don’t quite understand how allowing any sort of reporting on the statistics around the National Security Letters would curtail the NSA’s ability to do their job. If the bad guys aren’t utter morons, they already know that their movements are being monitored. So telling the world how many NSLs have been sent out wouldn’t do more than, well, nothing. From what I can tell, it would have no effect, unless someone can explain to me otherwise.
- Former NSA Whistleblower Sheds Light on the Science of Surveillance – (Added 17:45, 12 June 13) Here’s someone who’s already suffered to bring to light the abuses our government has committed, talking to a magazine that understands the scientific issues with monitoring, not just the moral and constitutional angles. If you’re curious why ‘metadata’ is so important, here’s a good resource for you.
- WH defends DNI director Clapper after congressional testimony draws fire – (Added 17:55, 12 June 13) “the most truthful, or least untruthful” response he could? Even in Washington, DC, that’s called ‘lying’. It’s one thing when the head of the NSA lies to the public, that’s almost expected. But when he lies under oath to the very people he’s supposedly responsible to, he’s gone too far.
- CloudFlare, PRISM and Securing SSL Ciphers – (Added 18:05, 12 June 13) I find Matthew’s logic on this pretty spot on for how attacks against encryption ciphers could happen. But I find that the simplest solution that answers all of the questions we have indicates that someone handed over cipher keys from each of the companies listed in the PRISM program instead. Senior management wouldn’t be told if the NSLs involved were worded in such a way that restricted who could be told. Best of both worlds for the NSA and the companies involved, thanks to plausible deniability.
- Why NSA spying scares the world – (Added 18:15, 12 June 13) I just noticed as I tried the link for this story that its title changed since I first opened it. Makes me wonder what else gets changed in articles when we’re not paying attention. In either case, we’re scaring the hell out of the rest of the world right now. We claimed to be this bastion of civil liberties and a functioning democracy, yet now we’re in the process of proving we’re neither.
- Upcoming revelations speculations – (Added 18:20, 12 June 13) Once again, Robert Graham’s predictions. I’m especially taken with his ideas around Tor and how the NSA could be snooping there. And I’m totally in agreement with his points about the NSA being the biggest ‘fusion center’ for all of the different law enforcement branches. Rob, they haven’t come for me either. Yet.
- Convenient Surveillance is at the Expense of the Constitution and Taxpayers and Americans Must Call for Independent Counsel and Ouster of Clapper – (Added 18:30, 12 June 13) Both of these stories by Jody Westby are worthy of reading slowly and rereading the important parts. The idea of Obama as a Constitutional Scholar is laughable, unless you realize he was simply studying how to dismantle it. Asking for Clapper to step down is a must, since it’s the only way we’re going to get a full investigation into what’s happening. I mean, we had people step down because they were having an affair! Why should the idea of stepping down because you lied to Congress be so far-fetched?
- We Should All Have Something to Hide – (Added 18:40, 12 June 13) This is a good story to end tonight’s writing on. Moxie does an excellent job of explaining why the ability to live unmonitored lives is so vitally important to human beings in general and a democratic society in particular. Without the ability to have thoughts and ideas that are ‘dissident’ in nature, we stagnate and lose the ability to adapt to new situations. This is especially important in Silicon Valley, where “disruption” is a way of life and what makes us great.
More in the morning.
Time for Captain Privacy to fly again!
If you follow me on Twitter (@mckeay) you’ll already know this: I’m pissed! We long suspected intellectually that the US government had stepped over the line in their monitoring, but between learning that Verizon was willingly giving the NSA ‘metadata’ about every phone call on their network and about the PRISM program, where all the major Internet companies are likely sending the Feds information on every packet we send, it is reasonable to think that we have moved beyond the pale. What I once thought were paranoid delusions may have been demonstrated to be more innocent than the reality that’s being laid out before us. Is it really getting that bad in the United States? But I’ll save my ranting for Twitter and simply use this post to add stories about governmental spying, one after another. I’ll also be putting up stories about why this affects us as security professionals and why I believe things are going to get much worse before they get better.
- Edward Snowden: The whistleblower behind the NSA surveillance revelations – (Added 15:45, 9 June 13) You need to watch this video and understand the nature of the person who turned over information about NSA spying on the American people. Many will call him a traitor, but I think he’s the hero America needed right now.
- The Global Cyber Game – Recently published by the Defence Academy of the United Kingdom, this is the most thought provoking paper I’ve read in a long time. It’s long, it’s complex, but it may change the way you view ‘cyber’ and the current situation. Make sure you get to the sections talking about ‘N-Dystopia’, because I think that’s where we’re headed.
- The DNI’s Non-Denial of Mass Surveillance of Security – If you don’t know who Jennifer Granick is, get out of security. She was one of the major lawyers at the EFF for years and has done more than most of us will ever know to defend our rights. This article breaks down the legal basis for the current spying scandal.
- Demand Progress – I’m not sure how much this will really help, but there has to be a way to push on our Congress critters and make them stop this spying. This might not be the answer, but it’s one way to apply pressure.
- What We Don’t Know About Spying on Citizens: Scarier Than What We Know – Love him or hate him, Bruce Schneier is one of the most publicly visible members of the security community in the world. And he’s a smart guy. His point is that it’s what the government is still hiding that’s even more important than what we’ve learned so far. He also calls for more whistleblowers, more people to expose the programs within the government that are like cancerous sores eating away at our liberties (my words, not his).
- Cowards – Michael Arrington is one of my least favorite people in Silicon Valley, and that’s from personal experience, not merely reading about him. But I have to agree with him in calling the CEOs of all the companies accused of being part of PRISM cowards. He’s absolutely right, they are weak and cowardly in not standing up to the federal government. If even one of these CEOs would come clean, we might be able to have an honest conversation about what’s wrong with wholesale spying and what might be an acceptable alternative.
- Ex-Microsoft Engineer: PRISM is Highly Improbable for these Four Reasons – I offer this up as a counterpoint to the other articles about spying. But I also want you to read between the lines and try to see what this engineer isn’t denying and why this denial is full of logical fallacies.
- What if China Hacks the NSA’s Massive Data Trove – (Added 09:55, 8 June 13) Think about that for a little while. When you gather massive amounts of data, they become massive targets for some of the best hackers in the world, both state sponsored and otherwise. Even if you trust our own government with this data, do you really think they can keep it safe forever?
- The spy who came in for your soul – (Added 10:31, 8 June 13) A good op-ed piece about why we need whistle-blowers and why journalists should be pushing so hard on the issues of governmental spying.
- NSA’s Verizon surveillance: How the White House tramples our Constitution – (Added 04:10, 9 June 13) Ron Paul points out that President Obama is doing many things that Senator Obama would never have stood for. What was the tipping point for Obama? I hope that pressure from the American people helps pass his bills propping up a 4th Amendment that is currently on its deathbed.
- US surveillance revelations deepen European fears – (Added 04:15, 9 June 13) Part of my job is explaining how and why the government can’t surveil the traffic of EU citizens. It’s going to take some real thinking and soul searching before I can have that conversation again. The German data commissioner is right to call this monitoring ‘monstrous’. We’ve spent so much time condemning the exact same practices in other states, how can we accept them in our own?
- Spy Agency seeks criminal probe into leaks – (Added 04:35, 9 June 13) The current administration has done more to find and punish whistle-blowers than any in modern history. Explaining why it’s appropriate to monitor all communications is secondary to the administration when compared to finding out where the leak came from.
- The Difference Between Wiretapping from Bush and Obama – (Added 06:00, 9 June 13) I disagree, rather vocally, with Daniel’s portrayal of the issues around the wiretapping, starting with the fact that he makes this a Bush vs. Obama issue and not a civil liberties issue. Daniel and I have gone a couple of rounds about this on Twitter and hopefully we’ll find some time to get together for beer and talk it over. I think he’s dead wrong on almost every issue and he thinks I’m overly emotional and relying too much on the media. We probably both have some valid points.
- U.S., company officials: Internet surveillance does not indiscriminately mine data – (Added 06:00, 9 June 13) Pay special attention to the details about how the NSA mines the data. Basically, they send a request to the FBI, who mines the data for them. Why aren’t we talking more about the access the FBI has?
- June 6, 2013: The Day America Found Big Brother in Big Data – (Added 08:45, 9 June 13) This will be a day that goes down in history, one way or the other. I have to back Jody Westby in calling for an Independent Counsel, though I’m not sure even that would be enough at this point in time.
- “This Week” Transcript: Sen. Dianne Feinstein and Rep. Mike Rogers – (Added 08:45, 9 June 13) I guess it’s not much better for me to be screaming at my monitors than at my TV. Sen. Feinstein has known what’s been going on since the beginning and she’s okay with it. By itself, that’s a red flag to me.
- Congress on the FISA Order and Data Mining Stories – (Added 08:45, 9 June 13) This is a great post for keeping up on what individual representatives have had to say on the NSA spying story. Look for your own Congress-people on the list.
- Government Says Secret Court Opinion on Law Underlying PRISM Needs to Stay Secret – (Added 04:55, 10 June 13) I have a hard time understanding (or at least agreeing) that any program that is already known to the general public has to be so secret you can’t even discuss the laws that let you put them in place. This sounds like the excuse of a totalitarian government, not something that should be happening in a free, open, democratic society.
- What’s the Matter with Metadata? – (Added 05:05, 10 June 13) It’s important to understand the danger of “just the metadata”. It’s a bit hyperbolic to say that you can learn more from the metadata than you can from actually listening to the phone call, but only a little.
- NSA is wrong, not evil – (Added 05:15, 10 June 13) On more than one occasion, Robert and I have had to ask each other “Are you mad at me?”. We have very different views on reality, but we’re both willing to argue and change those views when provided with enough evidence. In this case, Robert has something that most of us have never had and hopefully never will – direct experience with the NSA. I agree with Robert that the majority of the people in the NSA are not evil, but they may be misguided. However, I think there are some people who actually are evil inside the NSA, and those are the ones we need to guard against.
- Code name ‘Verax’: Snowden, in exchanges with Post reporter, made clear he knew the risks – (Added 05:30, 10 June 13) He knew exactly what he was doing and what the price will be. He’ll be living a life in exile from the US forever and looking over his shoulder as long as he lives.
- 29-Year Old NSA Whistleblower Makes Mindblowing Claims About What Kind of Power He Had – (Added 05:30, 10 June 13) If you’ve ever been a system administrator on a poorly constructed network or system, you shouldn’t be at all surprised by Snowden’s claims of access. It’s not unusual to have access to everything in a modern enterprise, so why should the NSA be that much different?
- Government Secrets and the Need for Whistleblowers – (Added 05:40, 10 June 13) He’s Bruce Schneier, so just go read.
- Edward Snowden: saving us from the United Stasi of America – (Added 13:50, 10 June 13) I’m not sure if I agree with Daniel Ellsberg’s evaluation that this is the most important leak in American history, but it’s definitely the most important in my adult life. Yes, the things Bradley Manning exposed were horrendous, but they didn’t affect the entire population of the United States. I do like the hyperbole of comparing the NSA to the German Secret Police.
- NSA’s PRISM: Balancing Security, Privacy – (Added 14:00, 10 June 13) While this article gives a decent amount of background to the NSA spying story, it really fails to build up anything on the balance between security and privacy. If you’re going to have a headline like that, at least try to explore your main topics.
- This is, hands down, the scariest part of the NSA revelations – (Added 14:10, 10 June 13) Shane Harris is talking about the phone record metadata, which he finds much scarier than PRISM. And I think that’s correct; the metadata has none of the controls and protections around it that PRISM does, as minimal as those might be. I can almost tell more about you from the metadata about your calls than if I listened to a few of them directly.
- Privacy isn’t about having something to hide – (Added 14:10, 10 June 13) No one’s a saint. They don’t exist in the modern age, where everything you do can be tracked and there’s no hiding even the smallest detail. It doesn’t mean you’re a sinner, but we’ve all made mistakes.
- NSA’s phone snooping is a different kind of creepy – (Added 14:30, 10 June 13) The point of this article is that we carry miniature tracking devices in our pockets called ‘smart phones’. Every moment of every day, we’re leaving a digital trail and it’s only going to get worse as time goes by. He’s right, but we have a choice to change the laws on how that data is used, if we have the will.
- Edward Snowden is no hero – (Added 15:00, 10 June 13) I’m including this for more counterpoint. If you trust your government and believe that the checks and balances that are in place are sufficient, then you’ll agree with this article. I don’t though. Calling the FISA court a check on the power is false; it’s more of a rubber stamp than anything. And simply because something is legal, it’s not necessarily right.
- Facts and fiction, secrets and sci-fi: Breaking down the NSA – (Added 15:05, 10 June 13) Cringely gives a decent summation of many of the issues around the spying in a fairly even handed way. But he doesn’t add too much to the discussion.
- where “nothing to hide” fails as logic – (Added 06:15, 11 June 13) This post does a pretty good job of explaining that everyone does things on a daily basis that can be accidentally or purposefully misinterpreted to paint a person as guilty or evil. If you’ve ever had an audit, you understand the “guilty until proven innocent” mentality that many people in positions of power employ to find people they think are ‘bad’.
- State Dept. dismisses allegation of “endemic” misconduct – (Added 06:20, 11 June 13) I include this story not because it’s directly linked to the NSA spying story, but because it highlights why allowing the NSA to have so much power over the American people is a really bad idea. There are people who will abuse power in ways big and small in every organization, and the more power there is, the greater the temptation to use it will be. We’ve seen too many governmental agencies give in to this temptation in recent years, from the Secret Service to the IRS to the State Department. No organization is immune to temptation.
- Connecting the PRISM Dots: My new theory – (Added 06:40, 11 June 13) This is one of the better efforts I’ve seen to tie together everything about PRISM and NSA metadata collection. Arrington is a lawyer by trade himself, so he’s more than familiar with the weasel words that lawyers use and how to read between the lines.
- Why the NSA PRISM Program Could Kill U.S. Tech Companies – (Added 06:50, 11 June 13) This is a very specific concern for me; how do I explain to companies in Europe that their data is safe with us despite the fact the NSA could produce a National Security Letter at any time? The next year is going to be very interesting, as I move to London.
- 86 Civil Liberties Groups and Internet Companies Demand an End to NSA Spying – (Added 07:00, 11 June 13) I’m a long time supporter of the EFF and I have never been as thankful for them as I am right now. I hope they are successful in waking up Congress and the Judicial branch, but I have to assume they’ll be stonewalled in the same way they have been for years.
There will be more to come, some I’ll add to this page, some I’ll post separately. I don’t want people to blindly follow my ranting any more than I want them to blindly believe the government’s lies about the spying going on. Use your own judgement and learn everything you can. And if you’re someone who’s brave enough to be a whistle-blower, I have nothing but the utmost respect for you. We need more.