
[IP] worth reading -- loophole in FISA?





Begin forwarded message:

From: Ridgely Evers <revers@xxxxxxxxx>
Date: December 24, 2005 12:25:40 PM EST
To: "'David Farber'" <dave@xxxxxxxxxx>
Subject: RE: worth reading -- loophole in FISA?

Dave,

David Reed is right on the money in terms of the false positive issue.

Actually, the "more hay" methodology has been shown to be ineffective in
other, related fields, and even worse has been shown to be an effective tool
for _evading_ detection.

Simply put, it is relatively easy for an attacker to determine the kinds of
things that trigger alerts, and to flood the detection system with those
types of events. Intrusion detection systems on networks are classic cases
in point: they are so overwhelmed by false positives that in very short
order the people monitoring the systems stop paying attention. A "boy who
cried wolf" problem, exacerbated by the fact that the marginal cost of
creating a false positive is many orders of magnitude less than the cost of
responding to one.

Ultimately, the IDS systems end up being used either (a) to show uninformed management that "we're doing something", and/or (b) as part of the forensic process _after_ a breach has occurred to try to see if the attacker left any
useful footprints (hint: the answer is "no").

There's a trend to watch for, as well.  The follow-on technology to IDS,
optimistically referred to as Intrusion Prevention Systems, has been touted
as a tool to actually stop attacks in progress.  Essentially, it's a
combination of detection capability coupled with 'drop the connection'
capability. It came into existence because security people thought it would be cool, and because customers were complaining about the overload on human resources that the IDS technologies imposed. The theory was that technology could operate with sufficient speed to prevent bad things from happening.

The real world response (as noted in a recent Network World review of IPS) has been that the systems are getting deployed, but without the 'P' feature enabled. It seems that users are not willing to take the risk of shutting off a good connection (the 99.9999% case) in order to prevent an attack (the
0.0001% case).

But I expect that the next layer of proposals out of the NSA data mining
mess will be to create and deploy some magic system that can operate at the
speed of the technology being monitored.

<Insert massive (unsuccessful) budget here.>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Ben Franklin, ~1784

--Ridge

-----Original Message-----
From: David Farber [mailto:dave@xxxxxxxxxx]
Sent: Thursday, December 22, 2005 3:40 PM
To: Ip Ip
Subject: worth reading -- loophole in FISA?



Begin forwarded message:

From: "David P. Reed" <dpreed@xxxxxxxx>
Date: December 22, 2005 5:47:25 PM EST
To: dave@xxxxxxxxxx
Cc: ip@xxxxxxxxxxxxxx
Subject: Re: [IP] worth reading -- loophole in FISA?

Well, Dave, here's a couple of relevant personal thoughts regarding
vacuum-cleaner-like data gathering...

1) there's a saying I heard recently that the NSA's approach to
intelligence is like trying to find a needle in the haystack by
sending tractors in the field to gather more hay.  Based on my
understanding of the reliability of inference-making I suspect the
problem is that and worse.   So these so-called vacuum-cleaner
technologies probably won't improve the ability to predict terrorism
that much, but the elimination of checks and balances will almost
certainly result in lots of "false positives" that can be used as
presumptive reasons to harass both US citizens and foreigners for
"inferences" that are little more than wild-ass intuitions about what
kind of activity might be correlated with bad actors.   Of course
there are lots of technology companies who sell stuff to the
intelligence community who are full of hyperbolic claims about the
wonders of mass data collection and analysis, but if they were so
good, why don't they predict the stock market instead and make money
the old fashioned way?   Predicting the stock market is a trivial
problem compared to predicting and preventing terrorism, but in the
market there is actually a measure of success, whereas the measure of
success in the beltway intelligence technology business is getting
another, bigger contract.  (that's what comes from outsourcing to a
military-industrial complex that is so big it can buy members of
Congress, lock stock and barrel, as we saw with Duke Cunningham).

2) what the NSA does outside the US may be legal under US law, but by
no means is it either legal or a source of pride when viewed in other
countries or in international law.

The grand glorious endeavor of spying is fundamentally anti-social
and anti-humanity.   Apparently, part of the standard CIA induction
briefing is being reminded that humint is just another word for
fraud, deception, burglary, and other things that we do not tolerate
in civilized societies.   If agents carrying out such acts are
discovered in our country they can be executed, and by symmetry most
countries can and will execute our spies if caught.   (this may be
cruel and unusual, because theft of information inside a country is
usually punished by more lenient methods).

Sigint (though the hands *seem* cleaner) is legally and morally just
wire fraud and peeping-tomism etc. by another name, and again, agents
who listen in on radio or wire conversations in other countries are
violating their laws, just as agents doing that in the US would be
guilty of espionage and subject to execution or harsh penalties.   So
by any "golden rule" standard of justice we should be careful.

One can argue that, just as war is sometimes thought to be necessary
to deal with threats to the citizens of our nation, intelligence
gathering, however illegal, might also be sometimes necessary.   But
it's not a "good" at any level, and hardly something we should be
proud of.

However, the thrill of hanging out with the codebreakers shouldn't be
used to glamorize what is, at its core, just a government-sanctioned
form of antisocial behavior.  Its practitioners cannot be trusted to
decide what is appropriate, because they are by definition able to
carry out acts that are antisocial and illegal.







Archives at: http://www.interesting-people.org/archives/interesting-people/