NSA Chief Speaks At Black Hat

After Bradley Manning and Edward Snowden and Congressional push back, NSA Chief Gen. Keith Alexander speaks to Black Hat, a conference for security professionals.

The gusher of news on the NSA and surveillance keeps coming. This week, one of the keenest audiences is in Las Vegas: hackers and security geeks and execs. Lots of them. At the conferences called Black Hat and DEF CON, where hacker T-shirts say "Hack Naked" and "Stay Anonymous."

The NSA needs these people. They are the talent, the American cyber pros.

While hearings in Washington banged on the NSA and more news was leaked, the head of the NSA came to Vegas to appeal to the pros.

Up next On Point: NSA surveillance and the hacker perspective.
-- Tom Ashbrook

Alan Butler, privacy advocate and attorney for the Electronic Privacy Information Center. (@AlanInDC)

Moxie Marlinspike, computer security researcher and co-founder and former chief technology officer for Whisper Systems, which provides mobile apps for security and privacy. (@moxie)

Moxie Marlinspike on balancing freedom and privacy:

People tend to try and frame this in terms of a balance between freedom and privacy, to the extent that that’s true. I think the problem is that people like the NSA are not incentivized to be looking for that balance. They are working on things that are built out of careers, billions in revenue, enormous defense contracts. It’s this giant steam roller that is not actually looking for balance.

Alan Butler on the Senate FISA hearing:

What we're dealing with in the Senate hearing [on July 31, 2013] ... is that Congressional leaders are shocked at the extent of this program, specifically the metadata program. And that's a sign that we don't have enough push back, that we don't have enough public knowledge about how these systems work in order to make sure that they're complying with the law and to make sure we can keep them in check.

Kelly Zetter on company push back and transparency of the courts:

There’s a danger in lumping all companies together. There are companies that are not bothered by this at all and take the view that they need to help the NSA protect the country.

But I think that there are some significant companies (particularly technology companies) that have tried to fight and push back. We don’t know the full extent of these activities.

We had an interesting peek at this recently with some documents that came out regarding Yahoo. Yahoo had attempted to fight a court order back in 2008 seeking collection of data. They cited the Fourth Amendment; they cited a number of issues. And in that case, the judge forced Yahoo to comply … the judge said that the government had assured her that it would not maintain a database of incidentally collected info from non-targeted U.S. persons. In fact, we now know that’s not true. And the XKeystore talks about this database of information that of course is going to include incidentally collected information on Americans.

This goes to speak to the transparency of the courts. We don’t know full extent of what has gone on there. We don’t know how many companies have tried to fight this. We know that they’ve been unsuccessful. I believe that there are companies that are pushing back, but we just don’t know the extent of this because this is all secret.

Marlinspike on the changing way hackers fit into society:

It’s not clear what our cultural norms really are. In some ways, I think we are operating based on a cultural context in the '90s or whenever the hacker community really coalesced. And that context has changed. I think it's time for us to re-evaluate. What are the things that we value? What are the things that we want to encourage?

Marlinspike on hackers selling security vulnerabilities:

Hackers and people from this community do a tremendous amount of security research and publish their results, which oftentimes allows those vulnerabilities to be addressed. At the same time, however, there are many people now who have started selling their security research in private. So, for instance, there are people that find vulnerabilities in things like your cell phone or programs that run on your computer or the servers of major web providers. And instead of publicly disclosing them or working with the vendors to fix them, they sell that information to brokers for a lot of money. And, for the most part, those are then turned around and sold to governments ... the people selling the vulnerabilities usually don’t have the visibility as to where they go. In all cases, they’re used in the same way, generally offensively by governments in order to gain access to people’s computers, the servers of major providers and things like that.

"Top federal security chiefs from the NSA, FBI, Office of National Intelligence and the Justice Department go before the Senate Judiciary Committee to discuss the FISA surveillance program. A legal panel also testifies on constitutional protections."

Wired: Buffeted By New Disclosures, NSA Chief Defends Surveillance Programs At Black Hat: "Facing occasional hecklers from the audience, Alexander asserted that the surveillance programs have been mischaracterized by the media and others and that as a result the reputation of NSA workers has been tarnished. Extensive oversight from Congress and the courts, as well as technical protections in place — including internal auditing — prevent NSA workers from abusing their surveillance capabilities."

PC Magazine: Black Hat 2013: NSA Chief Reveals Details About PRISM As Hecklers Call Him a Liar: "The Section 215 Authority, the business records program, collects only telephone metadata and is used only for counterterrorism purposes, Alexander said. The NSA collects the data and time of the call, the phone number initiating the call and the number of the recipient, the duration of the call, and the source and site of the call—such as carrier name. The NSA does "not collect the content of the communications," such as recording the calls or intercepting the SMS messages. Identifying information such as names, addresses, or credit card information, are not collected. Location data is also not used."

Slate: One Major Hacker Conference Bans The Feds. Another Welcomes Them: "Two of the largest, most well-known information security conventions, DEF CON and Black Hat, have decided to take very different approaches to how they will interact with representatives of federal agencies (who, in the past, have regularly attended and spoken at these events) ... The difference in opinions about socializing with feds can, in large part, be tallied up to economics."