White House considered bypassing encryption with malware disguised as updates

How do you serve a warrant on an encryption algorithm? For 20 years, governments have been struggling with that question, putting pressure on tech companies to build backdoors into security systems as the companies increasingly tell them it simply can't be done. The tension has grown particularly strong after the Snowden revelations caused companies to tighten up, leading the government to look for ever more creative ways to break the deadlock.

A new report from The Washington Post details some of the latest ideas, including some that already have civil libertarians raising the alarm. The news comes from a draft memo from the president's encryption working group, which was tasked with finding solutions that would be acceptable to tech companies and law enforcement alike. The result isn't intended for public consumption, but it shows just how far we might need to go to appease law enforcement's desire for backdoor access. The paper suggests four main proposals, including a forced backup system and a system triggered by combined consent from multiple parties. Another proposal suggested installing a special encrypted port that only the government would have access to.

Read  more @ http://www.theverge.com/2015/9/24/9393091/white-house-break-encryption-updates-working-group

KARMA POLICE: GCHQ spooks spied on every web user ever

Leaked docs show how out-of-control spy agency went full Stasi on innocent surfers

New documents revealing GCHQ's mass-surveillance activities have detailed an operation codenamed KARMA POLICE, which slurped up the details of "every visible user on the Internet".

The operation was launched in 2009, without Parliamentary consultation or public scrutiny, to record the browsing habits of "every visible user on the Internet" without the agency obtaining legal permission to do so, according to documents published by The Intercept.

KARMA POLICE was constructed between 2007 and 2008, and according to slides was developed with the explicit intention of correlating "every user visible to passive SIGINT with every website they visit, hence providing either (a) a web browsing profile for every visible user on the Internet, or (b) a user profile for every visible website on the Internet."

Its 2009 run was particularly interested in those listening to online radio shows, although one slide also shows tracking of those who have visited spook-baiting Cryptome.org, and pornography site RedTube.

A summary document reveals that the operation affected "224,446 unique listener IP addresses over a three month period, covering approximately 108448 /24 subnets."

Another programme, codenamed BLAZING SADDLES, was used to target listeners of "any one particular radio station ... to understand any trends or behaviours."

The summary report states how:

A wealth of datamining techniques could be applied on small closed groups of individuals, to look for potential covert communications channels for hostile intelligence agencies running agents in allied countries, terrorist cells, or serious crime targets.

One user was targeted, without any stated suspicion of being involved in terrorism or posing a threat to national security, and was found to have visited popular porn purveyor Redtube, as well as social media sites and several Arabic and Islamic sites, which appeared to be commercial enterprises.


Read more @  http://www.theregister.co.uk/2015/09/25/gchq_tracked_web_browsing_habits_karma_police/

"What lies behind us and what lies before us are small matters compared to what lies within us."  ~ Ralph Waldo Emerson ~