NSA whistleblower William Binney: Bulk data collection costs lives

News roundup: NSA whistleblower William Binney testifies in the U.K. against bulk data collection, a new Snowden revelation, Windows 10 snooping revealed, JavaScript ransomware, and more.

Bulk surveillance data collection makes citizens more vulnerable to terror attacks and costs lives, according to...

former NSA whistleblower William Binney.

Testifying before the U.K. government's Joint Select Committee reviewing the controversial draft Investigatory Powers Bill (IP Bill), Binney argued that bulk data collection has already cost lives in the United States, and that it tends to swamp intelligence analysts with too much information rather than allow them to be more selective about what information they gather.

Binney said that if they had been using a more targeted approach to data collection, French intelligence "could have had the opportunity to stop them before the attack" in the November 2015 terror actions in Paris. Binney also said that the U.K.'s Government Communications Headquarters (GCHQ) should not do bulk data collection given that the law to allow it is currently still in draft form.

When the committee asked whether bulk data collection would give the GCHQ another tool "to find needles in haystacks," Binney answered: "It's not helpful to make the haystack orders of magnitude bigger, because it creates orders of magnitude more difficulty in finding the needle," adding that "using a targeted approach would give you the needles and anything closely associated to the needles right from the start."

Speaking about NSA's bulk data collection program, Binney said it "has made their analysts fail, and they have failed consistently since 9/11, and even before that." Binney testified that using a more targeted approach to data collection "will give privacy to everybody in the world."

Unredacted Snowden disclosure

The NSA targeted "the two leading encryption chips used in Virtual Private Network and Web encryption devices," reported Glenn Greenwald of The Intercept this week. That information had been redacted in earlier reports from The Intercept about NSA activity revealed in the Snowden leaks in 2013, due to concerns that terrorists might be able to use the information to identify and avoid using encryption products that had been subverted by NSA.

Greenwald revisited the original leaked documents in light of the recent disclosures about backdoors in Juniper Networks firewalls, and decided that it was in the public interest to publish the unredacted sentence.

Speaking to The Intercept, Matthew Green, a cryptography expert at Johns Hopkins, declined to speculate on which manufacturers the NSA document references. But Green told The Intercept that "the damage has already been done," and that he believes foreign companies are increasingly concerned about working with encryption technology from U.S. companies.

Windows 10 knows what you've been doing

Microsoft is also making privacy inroads -- but not the good kind. The software giant collected a lot of what some users may consider private information through Windows 10. To celebrate the success of the newest version of Windows, Microsoft released some of the data they had collected from the 200 million systems on which Windows 10 has already been installed.

For example, Microsoft reported that 82 billion photos had been viewed with the Windows 10 Photo app, and gamers spent over 4 billion hours playing PC games on Windows 10. Speculation was rife over how much detail on this type of data Microsoft has acquired and stored.

The revelations should be worrisome, according to Martin Brinkmann, founder of Ghacks.net: "While it is unclear what data is exactly collected, it is clear that the company is collecting information about the use of individual applications and programs on Windows at the very least."

In other news

  • Ransom32, the first JavaScript ransomware, was reported this week by Fabian Wosar of antimalware vendor Emsisoft. While at first glance Ransom32 appears similar to many other malware campaigns, according to Wosar, the key difference is that it is a JavaScript program, delivered in a self-extracting WinRAR archive. So far, Ransom32 has only been seen attacking Windows systems, but there is no reason it could not be repackaged to attack Linux or Mac OS X. Ransom32 is "built entirely on JavaScript, something which has not been seen before," according to Will Gragido, head of threat intelligence research at Digital Shadows. "It's cross-platform applicable, meaning that it can be effectively used on Windows, Mac, and Linux devices," Gragido told SearchSecurity.
  • The Netherlands is the latest nation to weigh in on the issue of strong encryption and backdoors -- but they are bucking the trend toward less privacy. The Dutch government moved to endorse the use of strong cryptography, without backdoors, in a government position paper (Dutch language) released this week. The paper stated: "The government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands," according to a report by The Register. Unlike in the U.S. or China, the Dutch approach recognizes that providing access to encrypted data to law enforcement would make systems more vulnerable to criminals, terrorists and foreign intelligence agencies.
  • Entering the cybersecurity education field this week is CyberVista, a wholly owned subsidiary of SAT test preparation giant Kaplan Inc., and sister company Graham Holdings Company. "We see an enormous opportunity in cybersecurity education and workforce development," said Timothy O'Shaughnessy, president and CEO of Graham Holdings Company, in a press release. "There is a documented cyber workforce shortage that continues to grow. With the strength of our company coupled with the world-class education expertise gleaned from Kaplan, CyberVista is well-equipped to meet this critical need in the market."
  • Adobe closed last year off with a set of critical patches for Flash, but this week, zero-day exploit seller Zerodium began soliciting exploits that defeat the patched Flash. Zerodium tweeted: "Adobe added isolated heap to Flash. This month we pay $100K (with sandbox) and $65K (without sandbox) per #exploit bypassing this mitigation."
  • Internet of things users should be aware: A list of default root/admin passwords for over 100 ICS/SCADA devices has been published on GitHub, including device models, vendors, and source of the default login information. Also included are the port and protocols by which access is made available.

Next Steps

Read more about what the U.K.'s Investigatory Powers Bill will mean for the telecommunications industry.

Find out more about William Binney's argument against bulk data collection.

Learn how recent NSA revelations could point to the potential for creating a police state.

Dig Deeper on Information Security Laws, Investigations and Ethics

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

3 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Do you believe that unlimited bulk data collection will aid or hamper anti-terror efforts by government agencies? Will the resulting loss of privacy be worth it?
Cancel
Well, Mr. Binney, who was a career NSA employee, found himself on the "outside" when the NSA declined to use his "Thin Thread" application in favor of a more invasive approach to bulk data collection analysis. The PBS Frontline two-part program titled the "United States of Secrets" features Mr. Binney as well as Mr. Snowden and others. It provides an excellent background in NSA's criminal behavior and lying. It is interesting to contrast Mr. Binney and Mr. Snowden and how they worked to "right the wrongs" that the NSA was engaged in through their warrant-less spying on Americans. Mr. Binney thought the NSA could be reformed from within. He was proved wrong, harassed, and charged with crimes. Mr. Snowden was a NSA contractor, and didn't have any illusion that he alone or in collaboration with a few co-workers could reform the NSA. Instead, Mr. Snowden stashed the incriminating NSA documents and carefully worked with selected third parties in certain media organizations to carefully and intelligently shine the light on NSA abuses, most of which were claimed by NSA to be "legal" by grotesquely stretching the meaning of Section 215 of the so-called USA Patriot Act. That said, it is good to read that Mr. Binney has offered his expert testimony in matters related to bulk data collecting to this committee in the U.K. Hopefully, they will avoid the mistakes made in the U.S. when it comes to the "wisdom" or even the utility of bulk data collection.
Cancel
Interesting.

This is the problem with whistle blowing: try to do it through the system, be subject to harassment and be charged with crimes; try to do it outside the system, be subject to harassment and be charged with crimes.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close