Torturing The Norms

Of a Financial Times online poll about torture, Alice Marshall asks:

How did this even get to be part of the conversation?

Meanwhile, the BBC reports on the investigation of a Swiss Senator in “CIA abduction claims ‘credible’:”

He went on: “Legal proceedings in progress in certain countries seemed to indicate that individuals had been abducted and transferred to other countries without respect for any legal standards.”

I’ve been putting off the big news, which is the passage of the McCain bill, because I wasn’t sure if it mattered, and I could make my hoped-for transition from blogging about torture to blogging about the prosecution of torturers. I’ve now read Marty Lederman’s “The McCain Amendment — The Good,” “The (Potentially) Bad” and “The Ugly,” and am sad to report that I cannot make that transition. After a very hard Senate fight, the rules are still subject to implementation by an administration that has demonstrated active and repeated contempt for the rule of law.

Finally, be sure to read Vladimir Bukovsky’s important essay, “Torture’s Long Shadow” about the history of torture in the Soviet Union. (John Quarterman caught a paragraph I had missed, and discusses it in his post on “Historical Externalities.”)

" L'état c'est moi"

Via USA Today:

Days after the Sept. 11 attacks, the head of the National Security Agency met his workforce at the nation’s eavesdropping and code-breaking headquarters at Fort Meade, Md., near Washington, for a pep talk.
“I told them that free people always had to decide where to draw the line between their liberty and their security,” Air Force Gen. Michael Hayden told lawmakers a year later. “I noted that the attacks would almost certainly push us as a nation more toward security.”
Within weeks of Hayden’s talk, Bush did just that

(emphasis mine)

America Needs a Full Time President

  • Ryan Singel has a post “Bush Wiretaps Supremely Illegal,” in which he discusses how this aspect of wiretaps is settled law.

  • Perry Metzger’s excellent “A small editorial about recent events” is also worth reading:

    As you may all be aware, the New York Times has reported, and the administration has admitted, that President of the United States apparently ordered the NSA to conduct surveillance operations against US citizens without prior permission of the secret court known as the Foreign Intelligence Surveillance Court (the “FISC”). This is in clear contravention of 50 USC 1801 – 50 USC 1811, a portion of the US code that provides for clear criminal penalties for violations. See:

    The President claims he has the prerogative to order such surveillance. The law unambiguously disagrees with him.

  • See also Matt Rustler’s “A Little Honesty, Perhaps” which contains this excellent argument after lots of detailed legal analysis:

    If that’s not enough, allow me to offer what I’ll call the proof from common sense: If the NSA eavesdropping fit into any exception to the general FISA requirements, you can bet your sweet keister that the administration would be trumpeting the details from the rooftops. It isn’t.

    Also, his “Questions and Suggestions for the Left and Right” is worth reading. I’d like to respond to his argument:

    Do you have any background in counterterrorism and intelligence? If not, how do you know that the existing FISA procedures were adequate for the task at hand? If you do have such a background, please enlighten the rest of us. Uninformed opinion about factual matters with which few of us have any practical experience is seldom helpful.

    With one that mirrors his own: If existing FISA procedures were inadequate, then over the course of four years, that argument could have been brought to the Congress for a revision of the law. None was. Proof from common sense?

If you don’t catch the titular reference, you might want to read Richard Nixon’s resignation speech. You may believe that the commentators who have said the law is not clear are correct. If you do, I urge you to read the articles linked above. The law is not complex in this instance. It offers clear and unambiguous requirements for wiretapping. It offers secrecy in the cases. It offers exceptions that address the various urgencies that might exist, including a provision that allows wiretaps if, after they’re started, the agency goes and gets retro-active permission. Read the law.

Meth Addicts and ID Theft

There’s a great article in USA Today, “Meth addicts’ other habit: Online theft.” Unlike many articles of this type, the reporting is measured and carefully reported, and full of details that make it believable:

One dumpster behind a call center in suburban Mill Woods proved to be a jackpot. In a nondescript strip mall just two blocks from the spacious three-bedroom apartment where Frank lived with his divorced dad, it brimmed with valuable data. The company using the dumpster, Convergys, often tossed out paperwork related to customer-service calls from Sprint cellphone subscribers in the USA, Mary says.

“We’d get credit check information from Equifax, credit card numbers to make payments, Social Security numbers, date of birth, addresses,” Mary says. “They would make a printout, then just throw it out.”

Convergys spokeswoman Lauri Roderick disputes Mary’s account. The Cincinnati-based company has a “strict clean-desk policy” that requires shredding of any sensitive paperwork, she says. And Sprint customer-service calls, she says, were never handled by the 1,200 workers at the Mill Woods facility, one of 14 in Canada. “We’re confident there has been no breach in security of our customers’ data,” Roderick says.

Managing and the Red Cross

The other day on “On Point,” I heard some astoundingly clear exposition of executive management, in the words of Dr. Bernadine Healy, the former CEO of the Red Cross. The program, “Examining The Red Cross,” was promoted as:

When 9/11 came, the Red Cross was there — with mountains of Americans’ donations and support for the stricken. And then came criticism and the ouster of its chief.

When Hurricane Katrina came, the Red Cross was there again, with more mountains of American charity. And again came criticism — more heated this time — that the Red Cross response was too slow, too patchy, too heavy-handed. And again, yesterday, another chief of the organization was shown the door.

Dr. Healy was crystal clear on the need for governance and adherence to mission. She praised the effective response of some parts of the organization, and had specific examples of failures, like having no response at the Pentagon on 9/11, except two volunteers who showed up without support of their local organization.

Executive management is not complex. It is merely exceptionally hard. What needs to be done as a manager can be captured in a small book. (I suggest “What Management Is” by Joan Magretta.) What needs to be done to ensure that goals are properly set and met is often intellectually and emotionally challenging. Nevertheless, the high level goals are simple, and Dr. Healy expounded on them beautifully.

Bugger Frequent Flyer Miles

I want Frequent Flyer Hours. They’d work almost the same. You’d get 550 or so points per hour from gate to gate. So all that time, sitting on the runway, circling in a holding pattern, waiting for the previous plane to vacate your gate? All would be paid back in some small way to the suffering traveller.

I think the economic questions are fascinating. Would additional trips cost more than the other restitution airlines make? What would be the inflationary effect on the currency? Would the qualifying mileage levels for various benefits packages change?

Most importantly, would this be an effective way of mollifying customer resentment, and what would the brand advantage be for the first airline to introduce it?

The shame of it all

[Adam updates: The reporter has recanted his story, “Federal agents’ visit was a hoax.”]

Apparently, the Stasi are watching what we read.

A senior at UMass Dartmouth was visited by federal agents two months ago, after he requested a copy of Mao Tse-Tung’s tome on Communism called “The Little Red Book.”
Two history professors at UMass Dartmouth, Brian Glyn Williams and Robert Pontbriand, said the student told them he requested the book through the UMass Dartmouth library’s interlibrary loan program.
The student, who was completing a research paper on Communism for Professor Pontbriand’s class on fascism and totalitarianism, filled out a form for the request, leaving his name, address, phone number and Social Security number. He was later visited at his parents’ home in New Bedford by two agents of the Department of Homeland Security, the professors said.
The professors said the student was told by the agents that the book is on a “watch list,” and that his background, which included significant time abroad, triggered them to investigate the student further.
“I tell my students to go to the direct source, and so he asked for the official Peking version of the book,” Professor Pontbriand said. “Apparently, the Department of Homeland Security is monitoring inter-library loans, because that’s what triggered the visit, as I understand it.”
Although The Standard-Times knows the name of the student, he is not coming forward because he fears repercussions should his name become public.

There’s more — including Professor Williams reconsidering teaching a class on terrorism out of fear that his students might get a knock at the door because of their classwork-related surfing.

Government Secrecy and Wiretaps

I’d like to respond to Dan Solove’s article “How Much Government Secrecy Is Really Necessary” with the perspective of a veteran of the 1990s crypto wars, in which we fought the NSA for the practical right to build and use encryption to protect sensitive data. A central tenet of the government’s position was that there were important things that the public did not know, and could not be told. This was the “if you knew what we knew” argument, and in its most effective form, was delivered in the form of “the brief,” a theatrical presentation involving clearances, special bug-sweeping teams, and finally, details about how various forms of wiretaps had protected truth, justice, and the American way from evildoers. We called those bad guys the four horsemen of the infopocalypse, and they were terrorists, drug dealers, money launderers, and child-pornographers. They were sufficiently a stereotyped part of the debate that sometimes we even laughed at them.

The claim that the debate couldn’t be participated in by the public was a powerful appeal to anyone who trusted that the people in government had any shred of decency. Worse, most of the people on the other side were in fact decent folks, trying to do their banal jobs.

Solove quotes President Bush as saying:

“The existence of this secret program was revealed in media reports after being improperly provided to news organizations. As a result, our enemies have learned information they should not have, and the unauthorized disclosure of this effort damages our national security and puts our citizens at risk.”

That is an utter lie. Before I explain how it is a lie, I’d like to finish with my story from the crypto wars. The wars eventually got hot enough that Congress asked the National Academy of Science to weigh in. A team of the great and good who had served their country was assembled. Protests were voiced over the composition of the team: It was a collection of heads of NSA, CIA, Generals and Admirals, with only a few token liberals. We were all shocked when the report, “Cryptography’s Role In Securing The Information Society” came out. Herb Lin had done an outstanding job of putting together a detailed, fair study of the issues.

I believe it was Ron Rivest who pointed out the most important part of the study, which was that the great and good and Top-secret-cleared committee swept aside the claims that anything classified illustrated any point that had not been made in the open debate. That is, classified details helped tell the stories, but the stories, in broad form, were all public. The American people could have an informed debate about the issues.

Returning to Solove’s comments:

The argument seems to be that we can’t have a national debate about the nature and extent of government surveillance because such information will help the terrorists. But central to any viable democracy is a government that is publicly accountable, and that requires that the people have the information they need to assess their government’s activities.

So, allow me to ask: what is the class of communication which may not be wiretapped? The NSA has broad legal authority under US law to snoop on those outside the United States without warrants. With warrants, it may assist on snooping on those inside the United States. Local police and the FBI both have the ability to obtain wiretap warrants. What’s left? Nothing. What is secret about the previous statements? Certain details of the Foreign Intelligence Surveillance Court. But what of the President’s claim “our enemies have learned information they should not have?” The ability of the United States to tap every communication is not secret. What is being debated is the need for a warrant and judicial oversight of the acts, not the acts themselves. Is the number of wiretaps a secret? Nominally. The numeric scale and capacity of the Echelon system was reported on in Nicky Hager’s “Secret Power.” (1996) The capacity and fail-over capabilities were disclosed to Congress and the press in the aftermath of the NSA year 2000 meltdown.

The second half of the President’s key sentence is: “and the unauthorized disclosure of this effort damages our national security and puts our citizens at risk.” That is also not so. Anyone fighting the United States will study our operational methods, and be aware of the Echelon system. They will be fully aware that we can listen to every phone call they make. There are claims that Bamford’s revelation that we listened to bin Laden talking on his satellite phone caused operational changes in al Qaeda in the mid-1990s. It is possible that stories such as these call attention to the fact that we’re listening, and cause a temporary uptick in the quality of al Qaeda tradecraft and operational security practices.

If that is so, then the correct response would be to follow the law in wiretapping, because the government already has the authority to do it anywhere it has any reasonable reason to want to. If the law had been obeyed, there would be no news. [Update: The law in question is Title 50, Subchapter 1, and provides for criminal penalties. Thanks to Perry Metzger for pointing this out.]

The real core of this story is that the President is fond of his power to act unfettered, to use his vast power as he sees fit. Power really does tend to corrupt. The power to listen to anyone, anywhere is not enough. What the President is arguing for is that his powers to do so should be un-restrained and un-reviewed. That the trifecta of Executive, Legislative and Judicial is quaint, and that we should trust him to prosecute the war on terror without limits. I wish his administration would behave such that we could be comfortable with such trust. It has not, and their response to our questions further erodes such trust.

Lasalle Bank, 2 million mortgagees, SSNs, acct #s, "lost" tape

From Crain’s Chicago Business:

LaSalle Bank Corp. says a computer tape bearing confidential information on about 2 million residential mortgage customers disappeared last month as it was being transported to a consumer credit company in Texas.
The Chicago bank has alerted law enforcement authorities and is also monitoring transactions closely to detect any unusual or fraudulent activity affecting its customers. The tape contained customers’ names, account numbers, payment histories and Social Security information.
A package containing the tape disappeared sometime after Nov. 18, when it was picked up by DHL from LaSalle’s data center in Chicago. It never arrived at its intended destination: an Experian credit bureau office in Allen, Texas.

This latest data loss bears a remarkable similarity to one suffered by Citigroup, which Adam reported on in June.
The Citi incident, claims Stephen Spoonamore, was an inside job involving 15-20 people. This claim has been picked up by Bruce Schneier, and will now garner much infosec community attention.
If Spoonamore is correct, and I hasten to add that his assertions appear in a trade mag and are not sourced or corroborated, the Lasalle Bank incident becomes even more interesting, since very similar unencrypted data just happen to have been on their way from a large bank to Experian’s data center in Allen, Texas, and just happen to have gone missing.
If there is foul play in the Lasalle incident, then either the conspiracy is broader than heretofore suspected, since Lasalle shipped via DHL, whereas Citigroup used UPS, or the shipping firms are not to blame (since they differ across cases), or we have more than one group of bad actors at work here. None of the above is particularly good news for any of the jillion or so people who have a loan in the U.S.
Since the “if” in the preceding paragraph is a rather big one, I’d like to see Spoonamore’s assertion concerning the fact pattern subjected to a good deal of scrutiny. If it holds water, now that Lasalle has been hit this gets very, very interesting.
I sure hope Rudolph is getting plenty of sleep, because when Santa visits Allen, Texas it seems that some extra care will be needed to ensure that the presents actually show up.
December 19 Update: Bob Sullivan notices the similarity between this and the Citibank incident, too. Now start making calls, Bob. I bet Spoonamore’s number is listed. :^)
A quick note — Lasalle Bank is a subsidiary of ABN Amro. Since the latter is better known outside of Chicago, reports elsewhere may use the ABN Amro name.

Friday Star Wars: Open Design

This week and next are the two posts which inspired me to use Star Wars to illustrate Saltzer and Schroeder’s design principles. (More on that in the first post of the series, Star Wars: Economy Of Mechanism.) This week, we look at the principle of Open Design:

Open design: The design should not be secret. The mechanisms should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords. This decoupling of protection mechanisms from protection keys permits the mechanisms to be examined by many reviewers without concern that the review may itself compromise the safeguards. In addition, any skeptical user may be allowed to convince himself that the system he is about to use is adequate for his purpose. Finally, it is simply not realistic to attempt to maintain secrecy for any system which receives wide distribution.

The opening sentence of this principle is widely and loudly contested. The Gordian knot has, I think, been effectively sliced by Peter Swire, in “A Model For When Disclosure Helps Security.”

In truth, the knot was based on poor understandings of Kerckhoffs. In “La Cryptographie Militaire” Kerckhoffs explains that the essence of military cryptography is that the security of the system must not rely on the secrecy of anything which is not easily changed. Poor understandings of Kerckhoffs abound. For example, my “Where is that Shuttle Going?” claims that “An attacker who learns the key learns nothing that helps them break any message encrypted with a different key. That’s the essence of Kerckhoffs’s principle: that systems should be designed that way.” That’s a great mis-statement.

In a classical castle, things which are easy to change are things like the frequency with which patrols go out, or the routes which they take. Harder to change is the location of the walls, or where your water comes from. So your security should not depend on your walls or water source being secret. Over time, those secrets will leak out. When they do, they’re hard to alter, even if you know they’ve leaked out.
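The distinction above between secrets that are easy to change and secrets that are not, as an added example (not from the original post): both verifiers use the same public HMAC-SHA256 mechanism, but one keeps its secret in a replaceable key and the other in a constant built into every copy. The class names, the sample message and the built-in constant are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _tag(key: bytes, msg: bytes) -> bytes:
    # The mechanism is public: plain HMAC-SHA256. Only `key` is secret.
    return hmac.new(key, msg, hashlib.sha256).digest()


class RotatableVerifier:
    """Open design: public mechanism, secret held in a replaceable key."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def rotate(self, new_key: bytes) -> None:
        """Retire the old key; the mechanism itself is untouched."""
        self._key = new_key

    def sign(self, msg: bytes) -> bytes:
        return _tag(self._key, msg)

    def verify(self, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(_tag(self._key, msg), tag)


class FixedVerifier:
    """Closed design: the secret is a constant shipped inside every copy."""

    _BUILT_IN = b"constructed-constant-baked-into-the-design"

    def sign(self, msg: bytes) -> bytes:
        return _tag(self._BUILT_IN, msg)

    def verify(self, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(_tag(self._BUILT_IN, msg), tag)


def leak_and_recover() -> dict[str, bool]:
    """Model a leak of each design's secret, then the owner's response."""
    msg = b"open the gate"
    first_key = secrets.token_bytes(32)
    open_v = RotatableVerifier(first_key)

    # Tags that anyone holding the leaked secret can compute.
    leaked_open = _tag(first_key, msg)
    leaked_fixed = FixedVerifier().sign(msg)

    before = open_v.verify(msg, leaked_open)
    open_v.rotate(secrets.token_bytes(32))  # change the key, keep the design
    return {
        "open_accepts_leaked_tag_before_rotation": before,
        "open_accepts_leaked_tag_after_rotation": open_v.verify(msg, leaked_open),
        "open_accepts_fresh_tag_after_rotation": open_v.verify(msg, open_v.sign(msg)),
        # No rotation is possible: a newly built copy has the same constant.
        "fixed_accepts_leaked_tag_on_new_copy": FixedVerifier().verify(msg, leaked_fixed),
    }


if __name__ == "__main__":
    for name, accepted in leak_and_recover().items():
        print(f"{name}: {accepted}")
```

After the leak, the rotatable verifier recovers by changing one value, while the fixed verifier stays exposed until every deployed copy is replaced.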

Now, I promised in “Star Wars and the Principle of Least Privilege” to return to R2’s copy of the plans for the Death Star, and today, I shall. Because R2’s copy of the plans–which are not easily changed–ultimately leads to today’s illustration:


The overall plans of the Death Star are hard to change. That’s not to say that they should be published, but the security of the Death Star should not rely on them remaining secret. Further, when the rebels attack with snub fighters, the flaw is easily found:

OFFICER: We’ve analyzed their attack, sir, and there is a danger.
Should I have your ship standing by?

TARKIN: Evacuate? In our moment of triumph? I think you overestimate
their chances!

Good call, Grand Moff! Really, though, this is the same call that management makes day in and day out when technical people tell them there is a danger. Usually, the danger turns out to go unexploited. Further, our officer has provided the world’s worst risk assessment. “There is a danger.” Really? Well! Thank you for educating us. Perhaps next time, you could explain probabilities and impacts? (Oh. Wait. To coin a phrase, you have failed us for the last time.) The assessment also takes less than 30 minutes. Maybe the Empire should have invested a little more in up-front design analysis. It’s also important to understand that attacks only get better and easier as time goes on. As researchers do a better and better job of sharing their learning, the attacks get more and more clever, and the un-exploitable becomes exploitable. (Thanks to SC for that link.)

Had the Death Star been designed with an expectation that the plans would leak, someone might have taken that half-hour earlier in the process, when it could have made a difference.

Next week, we’ll close up the Star Wars and Saltzer and Schroeder series with the principle of psychological acceptability.