Yesterday's article on CSE email security practices in The Intercept inspired me to compile a list of over-sensationalized coverage sourced from Edward Snowden's trove. This is not meant as a criticism of Snowden, or the NSA for that matter, simply a rebuke to misleading reporting and the inevitable histrionics it provokes.
This list is by no means finished or complete--I plan to continue to update it.
02/26/15, The Intercept: Canadian Spies Collect Domestic Emails in Secret Security Sweep
Like the NSA, CSE has both offensive and defensive roles written into its charter. Given the prevalence of spear phishing campaigns being used to break into networks, monitoring inbound e-mails at network edges is a common security practice. The approach outlined in the documents sounds analogous to deploying a custom FireEye.
If there were any reason to believe that emails were being used for intelligence collection in addition to defensive security there would be cause for concern, but no such evidence was presented.
02/04/15, The Intercept: Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise
The article's discussions of fourth-party collection (previously covered by Der Spiegel) and Anonymous' capabilities are notable; however, the discussion about a GCHQ program called LOVELY HORSE can be summarized as: GCHQ reads blogs and public Twitter accounts relating to computer security. This program is not worth calling out (short of stroking the mentioned researchers' egos).
01/24/15, Le Monde: MoreCowBell: Nouvelles révélations sur les pratiques de la NSA
This entire article could be summarized as: the NSA has built their own Pingdom. The note that the NSA stores interesting DNS records is perhaps the only redeeming note, but given the wide coverage about full-take collection beforehand it's hardly noteworthy on its own.
12/28/14, Der Spiegel: Prying Eyes: Inside the NSA's War on Internet Security
This article was full of interesting documents and new revelations; however, some of the analysis deserves mention here:
- The discussion of NSA's cryptanalysis of AES was seriously overblown: the supporting materials were from an undergraduate research project. Robert Graham wrote a blog post on it.
- The discussion of secure (GPG, OTR) versus 'broken' crypto systems (IPsec, HTTPS) is flawed: the 'attacks' presented against the 'flawed' protocols are simple passive decryption enabled by stealing keys or brute forcing weak pre-shared keys. These are not new or interesting attacks, and the 'secure' systems they mentioned are also vulnerable.
- The article highlights that CSE performs domestic surveillance of 'hockey talk' sites, but the documents make it clear this was a fictitious example in 'Canukistan'.