Former NSA Official Disputes Claims by NSA Chief

Gen. Keith Alexander, head of the NSA and U.S. Cyber Command, appearing at the 2012 DefCon hacker conference in Las Vegas on Friday. Photo: Kim Zetter/Wired

LAS VEGAS — A former NSA official has accused the NSA’s director of deception during a speech he gave at the DefCon hacker conference on Friday when he asserted that the agency does not collect files on Americans.

William Binney, a former technical director at the NSA, said during a panel discussion that NSA Director Gen. Keith Alexander was playing a “word game” and that the NSA was indeed collecting e-mails, Twitter writings, internet searches and other data belonging to Americans and indexing it.

“Unfortunately, once the software takes in data, it will build profiles on everyone in that data,” he said. “You can simply call it up by the attributes of anyone you want and it’s in place for people to look at.”

He said the NSA began building its data collection system to spy on Americans prior to 9/11, and then used the terrorist attacks that occurred that year as the excuse to launch the data collection project.

“It started in February 2001 when they started asking telecoms for data,” Binney said. “That to me tells me that the real plan was to spy on Americans from the beginning.”

Binney is referring to assertions that former Qwest CEO James Nacchio made in court documents in 2007 that the NSA had asked Qwest, AT&T, Verizon and Bellsouth in early 2001 for customer calling records and that all of the other companies complied with the request, but Nacchio declined to participate until served with a proper legal order.

“The reason I left the NSA was because they started spying on everybody in the country. That’s the reason I left,” said Binney, who resigned from the agency in late 2001.

Binney was contradicting statements made on Friday by Alexander, who told the crowd of hackers and security professionals that his agency “absolutely” does not maintain files on Americans.

“And anybody who would tell you that we’re keeping files or dossiers on the American people,” Alexander continued, “knows that’s not true.”

Alexander also told the audience that the NSA targets only foreign entities and that if it “incidentally” picked up the data of Americans in the process, the agency was required to “minimize” the data, “which means nobody else can see it unless there’s a crime that’s been committed.” Minimization refers to legal restrictions under the United States Signals Intelligence Directive 18 on how data pertaining to U.S. citizens can be handled, distributed or retained.

Following the panel discussion, a former attorney for the NSA elaborated on this to Threat Level.

“You’re looking at a data stream that originates in a foreign country. It just happens to be transiting the United States,” said Richard Marshall, former associate general counsel for information assurance at the NSA. “You’re authorized by law to collect that data and to analyze that data. Even though it was captured on U.S. soil, it’s against a foreign target. Now in the process of doing that, yes, there is a possibility, more than a possibility I guess, that there will be some U.S. person who is involved in a conversation with a foreign entity, a foreign person. So what? If you’re not collecting data against that U.S. person, what’s the harm?”

But ACLU staff attorney Alex Abdo, who was also on the panel, noted that a gaping loophole in the laws governing the NSA allows the agency to do dragnet surveillance of non-Americans and, in the process, sweep up the data of Americans they may be communicating with, and hold onto that data even though the Americans aren’t the target. The NSA can then “target [the Americans] after-the-fact.” If, for example, new information came to light involving an American whose information is in the database, the NSA could sift through the “minimized” data and at that point “get the info that they couldn’t target from the outset.”

Earlier this month, the Office of the Director of National Intelligence admitted in a letter sent to Senator Ron Wyden that on at least one occasion the NSA had violated the Constitutional prohibitions on unlawful search and seizure.

According to the letter, the Foreign Intelligence Surveillance Court found that “minimization procedures” used by the government while it was collecting intelligence were “unreasonable under the Fourth Amendment.”

Author James Bamford, speaking with Abdo and Binney, said that the NSA could also get around the law against targeting Americans by targeting a call center for a U.S. company that is based overseas, perhaps in India. When Americans then called the center to obtain information about their bank account or some other transaction, the NSA would be able to pick up that communication.

Finally, Binney contradicted Alexander’s earlier claims that the agency could not violate the law even if it wanted to do so because the NSA is monitored by Congress, both intel committees and their congressional members and their staffs. “So everything we do is auditable by them, by the FISA court … and by the administration. And everything we do is accountable to them…. We are overseen by everybody,” Alexander had said.

But these assertions are disingenuous since, Binney said, “all the oversight is totally dependent on what the NSA tells them. They have no way of knowing what [the NSA is] really doing unless they’re told.”

Highlights From Black Hat Conference

Black Hat is over. The year’s biggest and probably most influential IT security conference again had a lot of interesting talks to offer, and of course also the most important part: meeting with other people from the industry to share news, ideas (and beer). As for the talks, there wasn’t much that was earth-shattering this year. Aside from sessions on Apple’s view on security and improvements in Windows 8, the mobile talks were what got most of my attention.

Because mobile platforms have become so important, they have gotten the attention of cybercriminals. (Check the McAfee Threats Report for more information.) There is also a lot of interesting stuff going on. And a lot of mistakes being repeated. Again. An eye opener should be Collin Mulliner’s talk about scanning mobile IP ranges and seeing what kind of devices are there. The result is really scary. Apparently people do not realize that when a mobile device is online via GSM, GPRS, 3G, etc., the device is not only able to access the Internet; it is also accessible from the Internet. So putting up sensitive hardware without any access authorization is a bad idea. Bad as in “it could cause a power failure in the company” or “it may cause the plant to burn down.” To have your surveillance cameras exposed is not exactly ideal either.

Even more disturbing was Charlie Miller’s talk on near-field communications (NFC) on some mobile devices. He highlighted one major point of failure in the IT industry that is repeated over and over again. Say you have something that, security-wise, is pretty solid. Meanwhile, marketing and product management add an additional feature. That’s what happened in the case of NFC on mobile devices, which would be great for authentication or payments. They just got “enhanced” with device-to-device communications. What’s wrong with that?

Instead of exposing just NFC-related apps, if you can send someone to a web page without their acknowledging it, your attack surface is suddenly the web browser and everything (multimedia, documents, Flash, etc.) related to it. During the session Georg Wicherski demonstrated such an attack nicely using a WebKit exploit. Thus another good technology turns into a security hazard because of one addition too many. My obvious advice: Disable NFC on your phone until vendors come up with ways to secure it.

Time for Defcon

Now I have another three days of conference to attend: Defcon, which has run for 20 years. (That run is exceeded only by the Chaos Communication Congress, which will take place for the 29th time this year.) Defcon looks massive in the number of its sessions and attendance. (Some major talks, such as “FX” and Greg’s event on Sunday, for example, were not presented at Black Hat but exclusively at Defcon.) We’ll see what is going on there.

PS: Best hack at Black Hat? I met a woman at a vendor’s party who hacked her way into the VIP area. The vendor had given out different “coins,” one golden, another black, which was the VIP coin. After obtaining the normal gold coin, which wasn’t easy as she had no ticket for Black Hat to begin with, she simply painted the background black with a pen. Worked.

I gave her a new challenge: Gatecrash the VIP area of Defcon’s Freak Show, which McAfee will sponsor this year. Infected Mushroom will play. See you there! :)