
Security quotes of the week

Consider the following hypothetical example: A young woman calls her gynecologist; then immediately calls her mother; then a man who, during the past few months, she had repeatedly spoken to on the telephone after 11pm; followed by a call to a family planning center that also offers abortions. A likely storyline emerges that would not be as evident by examining the record of a single telephone call.
Ed Felten [PDF] in a declaration on the dangers of "it's just metadata"

National Security Agency officers on several occasions have channeled their agency’s enormous eavesdropping power to spy on love interests, U.S. officials said.

The practice isn't frequent — one official estimated a handful of cases in the last decade — but it's common enough to garner its own spycraft label: LOVEINT.

The Wall Street Journal

So we're left with an agency that collects a ridiculous amount of info, and has around 1,000 employees (who are mostly actually employed by outside contractors) who can look through anything with no tracking, leaving no trace, and we're told that the data isn't abused. Really? Do Keith Alexander, James Clapper, President Obama, Dianne Feinstein and Mike Rogers really believe that none of those 1,000 sys admins have ever abused the system? And, do they believe that none of the people whom those thousand sys admins are friends with haven't had their friend "check out" information on someone else? Hell, imagine you were someone at the NSA who understood all of this already. If you wanted to abuse the system, why not befriend a sys admin and let him or her do the dirty work for you -- knowing that there would be no further trace?

Basically, it seems clear that the NSA has simply no idea how many abuses there were, and there are a very large number of people who had astounding levels of access and absolutely no controls or way to trace what they were doing.

Mike Masnick

The chilling of free speech isn't just a consequence of surveillance. It's also a motive. We adopt the art of self-censorship, closing down blogs, watching what we say on Facebook, forgoing "private" email for fear that any errant word may come back to haunt us in one, five or fifteen years. "The mind's tendency to still feel observed when alone... can be inhibiting," writes Janna Malamud Smith. Indeed.
Josh Levy

Security quotes of the week

Posted Aug 29, 2013 10:13 UTC (Thu) by acunningham (subscriber, #9368) [Link]

The NSA scandal is doubtless of interest to many LWN readers, but it's not obvious what these quotes have to do with Linux specifically?

Security quotes of the week

Posted Aug 29, 2013 11:39 UTC (Thu) by drag (subscriber, #31333) [Link]

It has to do with security.

As an extension of that it's obvious that Linux security concerns itself not with just criminal behavior from 'hackers', but criminal activity from governments.

Security quotes of the week

Posted Aug 29, 2013 11:43 UTC (Thu) by etienne (subscriber, #25256) [Link]

> NSA scandal

Because someone has to tell them that a sysadmin usually not only has read access to everything, but also write access to everything - and he also manages backups?

Security quotes of the week

Posted Aug 29, 2013 15:29 UTC (Thu) by raven667 (subscriber, #5198) [Link]

I'd be interested in an explanation of what tools for access control and audit were used and how they were configured considering that the systems involved presumably run Linux and that the Audit subsystem and SELinux were developed specifically for this user and use case.

A nonhypothetical example - solving bank robberies

Posted Aug 29, 2013 20:09 UTC (Thu) by southey (subscriber, #9466) [Link]

"How “cell tower dumps” caught the High Country Bandits—and why it matters" Not only did they get the actual phone numbers but they were also able to track where those phones went. There is also no mention of what happens to the data they did not use.

Security quotes of the week

Posted Sep 3, 2013 6:28 UTC (Tue) by kleptog (subscriber, #1183) [Link]

The only thing about Felten's example that bugs me is that there's already a large amount of meta-data added. Somehow you know which phone number is the gynaecologist, which is the mother, etc. Given that the phone company doesn't track family relationships nor employment this information has to come from somewhere else.

If all those people in the example were replaced with just numbers it would become much less obvious. In other words, such a database might be helpful if you already know something about the person being searched, but for "trawling" it's not really useful.

Security quotes of the week

Posted Sep 3, 2013 19:32 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

> Given that the phone company doesn't track family relationships nor employment this information has to come from somewhere else.

They do, quite often. It's called 'family plans'.

Security quotes of the week

Posted Sep 6, 2013 13:11 UTC (Fri) by arafel (subscriber, #18557) [Link]

A lot of the metadata present is fairly easy to infer.

Most businesses advertise, for example, so a reverse lookup on the gynecologist number would show that; same for the clinic. If this is sucking in all phone metadata, they would have the mother's name and residence. Another woman with the same family name living at the same location, reasonable inference it's either a mother or sister. (And of course it's on the public records who the woman's mother is, and if the mother has any other daughters.)

this information has to come from somewhere else

Posted Sep 8, 2013 14:47 UTC (Sun) by Wol (guest, #4433) [Link]

My phone company (British Telecom) encourages us to link phone numbers with names so they show up as names not as numbers on the online bill.

I guess that info must be accessible somehow ... :-)

Cheers,
Wol

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds