What the Ashley Madison hack could mean for national security

The release of information stolen from Ashley Madison, a site devoted to helping married individuals cheat on their spouses, could harm many people. But there is one group in particular — members of the military — that might suffer more than their civilian counterparts if they’re implicated by the data dump.
An estimated 32 million Ashley Madison users were affected by the company’s hacking. Their email addresses, partial credit card information, and IP addresses were revealed over the weekend. For most people, the release of this data could be a problem. But for military members, being outed as adulterers could ruin their lives.
The Uniform Code of Military Justice is explicit about its stance on cheaters: they should be punished. Adultery itself rarely leads to a court-martial, but the charge is often added to other accusations against a serviceperson to increase their punishment, and could lead to much more severe disciplinary actions.
How severe? Well, adulterers could be punished with a year in confinement and a dishonorable discharge, which would lead them to lose all veteran benefits. Some, like former President George W. Bush, have advised against taking all adulterers to the court-martial. But still, the rule remains a part of the UCMJ.
It’s possible that many of the military email addresses used to sign up for Ashley Madison were fake. The company didn’t verify all account information, and someone might have used a fake email address to avoid a spouse’s ire, although that seems like a bit of a stretch. But given the other information available — including location data and the last four digits of customers’ credit cards — it doesn’t seem hard to identify personnel.
And this isn’t just a problem for the members of the military themselves. If the data wasn’t made public and was instead used for the hackers’ personal gain, holding this information over the head of someone in the military could have led to blackmail. That’s one of the main fears of any major security breach.
Just look at the breach at Anthem, the nation’s second-largest health insurer. One of the primary concerns was that whoever hacked the company had access to data that could inform phishing attacks against the military or government. (Anthem later said the hackers receiving such information was highly unlikely.)
Imagine if someone combined information from the two sources. You know who someone is, where they live, and that they joined a site to help them cheat. Would it really be that hard to come up with a phishing attack, or a compelling bit of blackmail, which could lead that person to making some kind of mistake?
Then there is the “potential for an attacker to reuse the stolen credentials on other Internet services or even government systems,” says Marcus J. Carey, chief technical officer of vThreat, a company that facilitates network attack simulations for enterprise networks. Should the Ashley Madison data eventually be used to gain access to popular social networks, it could pose a longer-term threat to national security — leading military or federal workers to lose clearances, according to Carey.

“Something like Facebook or Twitter could be used to send people to malicious sites. Other federal employees would trust links from other people they know and follow online. Huge phishing potential for federal and military personnel,” Carey told me.

It’s easy to make jokes about Ashley Madison users deserving to be revealed, or how the company might pivot to become a dating service for recent divorcées (Zing!). But underneath that dubious moral posturing lies a serious warning about how stolen data from any large website could be more dangerous than you’d think.
Still, it’s hard not to ask one facetious question: Why would people with so much to lose attach their Ashley Madison accounts to their work email? Carey can answer that, too.
“There is a popular saying in the cybersecurity world,” he says. “There is no patch for stupid. People are always the weakest link.”
Carey’s point about people being the weakest link in any security system might be troublesome for another reason: the potential that anyone affected by this hack used the same password across multiple sites. (Microsoft researchers said in 2014 that many people are unable to remember long, unique, complex passwords, so they often repeat them across multiple sites or use less-secure options.)
This might not be a huge concern, since Ashley Madison did use decent encryption for passwords, as Quartz points out. Yet dedicating all efforts to cracking a particular account’s encryption is very possible. And depending on the person and the nature of their private online discussions, that could mean a lot of sensitive information eventually slipping into the wrong hands.
“When the OPM hack of government employees’ data occurred so close to the Ashley Madison hack pundits were quick to point out the possibility of applying big data analytics to a combined data set,” security industry analyst Richard Stiennon told Gigaom. “Now that the data has been dumped, it would be trivial to match up the records from OPM with anyone who works in government or has a security clearance and was also foolish enough to use their real name and email address on Ashley Madison.
“Of course journalists and researchers are all busy doing this today so those victims already have a problem,” he adds.
That’s more than a bit scary — not to mention that it may also increase the odds that hackers will attempt to use blackmail as a tactic to get what they want, according to Stiennon.
But there is one potential upside: Perhaps now people will take their privacy a little more seriously.
Ashley Madison’s breach is “Going to have a big impact on this sort of behavior in the future,” Stiennon said. “That is the upside of breaches. Nobody takes security seriously until they have been personally impacted.” Maybe now some of the country’s most valuable targets will be just a little bit more cautious.

Tempered Networks wants to secure critical infrastructure so hacks don’t lead to sewage spills

Although the rise of the internet of things means that organizations could gather enormous quantities of data through the billions of connected devices out there today, the big elephant in the room is that security is not where it needs to be, which means there are a lot more access points for thieves to hack into. Tempered Networks, a Seattle-based security startup, aims to solve this problem, and it plans to announce on Tuesday that it brought in a $15 million series A investment round, bringing the company’s total funding to $22 million.

Tempered Networks focuses on protecting the type of critical infrastructure that people “take for granted” in their daily lives, said Tempered Networks President and CEO Jeff Hussey. This type of infrastructure includes facilities like electric dams, pipelines that distribute natural gas, nuclear power plants and wastewater plants.

This type of infrastructure helps move the gears of the modern world, and if something were to go awry in one of these facilities, there’s a chance that the resulting pandemonium could be several times greater in magnitude than your typical run-of-the-mill data breach. Just imagine a world in which a wastewater facility getting hacked causes raw sewage to flow down to the nearest fresh-water system, Hussey explained.

According to Hussey, who was a co-founder of networking company F5 Networks, the thirst for big data has led to government agencies, municipalities and companies running these types of facilities to hook together the networks that support critical infrastructure to corporate data networks in the hopes of uniting the data flow between the two networks.

What makes this somewhat worrisome is the fact that the networks supporting critical infrastructure now have security vulnerabilities because the applications and hardware on those networks are united under the transmission control protocol/internet protocol (TCP/IP), which is the standard protocol of the internet. Hussey said it wasn’t always this way as these networks used to rely on several different protocols, which created “air gaps” between the different hardware devices hooked onto the networks.

Now that everything operates under the same protocol, these “air gaps” that once acted as security buffers in the network no longer exist, which means that a hacker can now do more damage in these critical networks than he could have done in the past.

“Everything speaks the same language,” said Hussey. “It’s a relatively straight hack.”

To secure those now-open networks, Tempered Networks sells little devices called HIP (Host Identity Protocol) switches that users can install in their data centers. These devices can be linked up to the critical infrastructure networks and, when working in tandem with Tempered Networks’s networking orchestration system, can create a “secure encrypted channel” through which all the data can now flow.

Tempered Networks - overlay network

Instead of having those gaps as a security mechanism, Tempered Networks basically encrypts the backend where the networking data has to pass between devices and applications.

Of course anything involving encryption means that there will be a hit in performance because of the amount of compute required, but Hussey said that “most of the devices we are protecting” don’t necessarily need top-of-the-line speed to operate correctly and efficiently.

“There needs to be a solution to securely connect [these devices] to a modern networking infrastructure and that is what we are doing,” said Hussey.

Hussey said Tempered Networks will sell the device “to anybody who will return our phone call” but it’s right now eyeing public utilities and industries like oil and gas or electricity. The startup counts Boeing, Washington Gas and the University of Washington as customers, among others.

Ignition Partners drove the funding round along with IDG Ventures. As part of the financing, Ignition Partners managing partner John Connors is taking a seat on the startup’s board.

Uber discloses data breach that may have affected 50,000 drivers

Uber suffered a data breach in 2014 that affected 50,000 Uber drivers across the U.S., the ride-sharing startup disclosed in a statement on Friday.

The company determined on September 17, 2014 that a third party could have accessed one of its databases. After Uber “changed the access protocols for the database” and looked into the situation, it learned through an investigation that someone apparently accessed one of its databases on May 13, 2014, wrote Katherine M Tassi, Uber’s managing counsel, privacy.

Supposedly, the information that may have been compromised included driver names and their driver license numbers, but the startup said that it is not aware of any “reports of actual misuse” of that data. The company said it will be contacting the drivers, issuing them memberships in identity-alert services and filing a lawsuit to obtain more information to learn who was the third party that accessed the database.

While this data breach is small compared to the mega breaches that affected JPMorgan Chase, Sony Pictures Entertainment and Anthem in recent months, it’s notable because it seems to be the first publicly known data breach affecting a ride-sharing service.

The data breach also highlights the importance of setting up proper identity management and access controls for a company’s infrastructure, something on which many security startups are concentrating their efforts. At this time, it’s unclear how an unauthorized party was able to access an internal database. However, it’s obvious that Uber will have to ensure better access-management policies for all points in its infrastructure if it wants to make its system less vulnerable to breaches.

The breach comes at a time when President Obama recently proposed a federal law that calls for companies to notify their customers within 30 days of the discovery of a hack. Uber’s discovery of its announced data breach appears to have fallen well outside the 30-day mark and as far as we know, only appears to have affected its own employees.

Law firms will start sharing security data to prevent attacks

It’s clear that big banks provide a lot of incentive for hackers to launch cyber attacks, given the amount of sensitive data they hold and the cash they oversee. But banks aren’t the only entities hackers are targeting. The law firms that represent financial institutions are also subject to attacks, and as a result a group of law firms is banding together to share security data in order to prevent attacks, according to a New York Times report.

The data held by law firms is a treasure trove for hackers because it includes some of the most secretive aspects of companies, including their business operations, deal making and legal disputes. However, the general public may not be aware of law firm hacks because the firms are private entities and don’t have to abide by the same set of rules as public companies, especially when it comes to disclosing their breaches.

The Times report states that both banks and law firms have been working to create a separate legal group that would be connected to the Financial Services Information Sharing and Analysis Center, which acts as the meeting ground where financial entities can share and analyze security related information. A similar group for law firms could form by the end of 2015.

Supposedly, a half-dozen law firms were hacked over the past couple of months and the security company Mandiant has been working with these organizations on the breach, the Times reports, citing an unidentified source.

There’s not a lot of information out there as to the specifics of the cyber attack, but the Times reports that Mandiant recently said during a conference that “many of the bigger hackings of law firms had ties to the Chinese government, which was seeking information on patent applications, trade secrets, military weapons systems and contract negotiations.”

Sharing security data between organizations appears to be a trend, with President Obama recently signing an executive order calling for businesses and the Federal Government to create some kind of hub where they can exchange information.

Additionally, Facebook just released its own collaborative threat detection framework, which includes a number of tech companies pledging support, including Pinterest, Yahoo, Twitter and Dropbox.

What separates the proposed law firm information-sharing group and Facebook’s threat-detection framework from what President Obama is calling on companies to establish is the fact that, as far as we know, law enforcement will not be participating in either project. The White House wants the government to be a part of these data-sharing endeavors, under the premise that it has valuable information, but if organizations want that data, they’ll have to pony up their own.

But privacy concerns in light of the Edward Snowden leaks have caused tech companies to be wary of disclosing information to the government, and in a telling sign, Facebook, Google and Yahoo chose not to participate in the White House’s Summit on Cybersecurity and Consumer Protection held in Stanford a few weeks ago.

Lenovo in hot water over Superfish adware, but dismisses security worries (updated)

Reports from security consultants, media, and Lenovo users indicate that there’s bloatware pre-installed on recent Lenovo Windows PCs that’s a bit more sinister than a set of superfluous ThinkPad tools. It appears that adware called Superfish had been running on consumer laptops sold by Lenovo between September 2014 and this past January, raising significant security concerns.

In a statement issued on Thursday, Lenovo said although it had disabled Superfish “server side interactions” since January, it could “not find any evidence to substantiate security concerns.” It also promised not to pre-load Superfish in the future, while clarifying that Superfish requires users to approve its terms of use, and that it hasn’t been installed on devices since “December.”

Update: Sometime today, Lenovo changed its statement and quietly removed the line “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” The statement was most likely tweaked because there is actually a lot of evidence to back up that Superfish is a security problem. Lenovo also posted a PDF with instructions on how to remove Superfish.

The Electronic Frontier Foundation called Superfish “horrifically dangerous” and a “security catastrophe.”

The worst part is, Superfish isn’t even tangentially useful to the consumer. It’s ad-placing software — so far, what it appears to do is to place its own ads against Google search results, which presumably generates income for both Lenovo and Superfish, which is a privately held Palo Alto-based company. Lenovo’s statement said that Superfish was included “to help customers potentially discover interesting products while shopping.”

While ads might be annoying, the real problem with Superfish is the liberties it takes with users’ machines to serve those ads, which resembles a “man-in-the-middle” attack. The adware makes itself an unrestricted root certificate authority in Windows, so it is able to spoof SSL certificates. If you connect to a secure website, such as your bank, from Internet Explorer or Google Chrome on an affected Lenovo laptop, the security certificate will have been signed by Superfish, as opposed to a trusted SSL certificate services provider like VeriSign.

Essentially, this discovery means that HTTPS browsing on an affected Lenovo laptop is insecure. In fact, researchers have already cracked Superfish’s private key — which was the same on all affected laptops — meaning hackers could snoop on encrypted traffic while on the same network, or even install malware under the guise of a trusted program. Simply uninstalling the program doesn’t remove the unrestricted root certificate.

Lenovo is the top PC vendor in the world, according to IDC, and shipped over 16 million PCs in the fourth quarter of last year, part of the time period where Superfish was preinstalled on some devices. Here’s an online test to check whether your device is affected.

Hackers stole up to $1B from banks worldwide, Kaspersky says

A gang of hackers has, over the course of a year or more, stolen up to $1 billion from financial institutions around the world, including some in the U.S., according to a new report by cybersecurity firm Kaspersky Lab.

The Carbanak gang — named after the malware they installed on computers at financial institutions — targeted marks in the U.S., Germany and Asia and possibly elsewhere, according to Kaspersky’s Threatpost blog. Instead of relying on phishing attacks that go after end-user passwords, they targeted bank employees themselves, sending email messages containing malware that then recorded internal interactions to learn the banks’ procedures and processes, in some cases feeding video back to their mothership.

One reason the payoff may have been so big was that the gang was patient, waiting to make their move for months and also moving on from one bank to another after making their, um, withdrawals, typically grabbing up no more than $10 million per institution. In some cases, ATMs just started spewing cash without anyone requesting it. The money was then picked up by cash “mules.” In others, the bank’s network was used to move money out of the organization into the cybercriminals’ own accounts. And in some cases, fake accounts were created with high balances which were then tapped by mules.

From the Threatpost blog:

The hackers lived on the bank networks for months after successfully gaining a network foothold, generally through a spearphishing email laced with a malicious .CPL attachment, and in some cases, Word documents. The attachments contained the backdoor named Carbanak which is capable of many of the same data stealing capabilities as notorious APT-style attacks, including remote control.

Kaspersky posted its full report on Monday, an advance copy of which it provided the New York Times. Speaking with that paper, Chris Doggett, managing director of Kaspersky’s North America office, characterized this as “the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert.”

As is usually the case, no institutions were named because of non-disclosure agreements. It’s not exactly good advertising to admit that your customers’ funds are at risk, after all.

Kaspersky told the Times it worked with Interpol and Europol to gather information. Sanjay Virmani, director of Interpol’s digital crime center told BBC News that the “attacks again underline the fact that criminals will exploit any vulnerability in any system.”

Obama’s executive order calls for sharing of security data

President Barack Obama signed an executive order on Friday designed to spur businesses and the Federal Government to share with each other information related to cybersecurity, hacking and data breaches for the purpose of safeguarding U.S. infrastructure, economics and citizens from cyber attacks. He signed the order in front of an audience at Stanford University during his keynote address for the White House’s Summit on Cybersecurity and Consumer Protection.

Obama’s speech started off relatively light-hearted with the President pointing out how much technological innovation could be traced back to Silicon Valley and Stanford and even joking that the big webscale companies of Yahoo and Google “were pretty good student projects.”

Things took a turn to the dark side, however, with Obama segueing into the devastation that modern-day technology can bring as exemplified by the major data breaches we’ve seen at Sony Pictures Entertainment and insurance provider Anthem.

The new executive order is supposed to help nullify future attacks with the idea that companies have information related to data breaches that could be helpful to the Federal Government and vice versa.

“So much of our computer networks and critical infrastructure are in the private sector, which means government can’t do this alone,” Obama said. “But the fact is that the private sector can’t do it alone either, because it’s government that often has the latest information on new threats.”

With the new executive order, Obama wants both the private and public sector to create hubs where they can trade information with each other and respond to threats “in as close to real time as possible,” according to the executive order.

Obama insisted at several points throughout his speech (and in the executive order itself) the need to balance privacy concerns with national security concerns, a hot topic that has privacy advocates worried that giving government access to business and personal data will lead to intelligence agencies overstepping their boundaries.

“I have to tell you that grappling with how the government protects the American people from adverse events, while at the same time making sure that government itself is not abusing its capabilities, is hard,” said Obama.

Indeed, this delicate line between privacy and security led to senior executives from Google, Yahoo and Facebook declining to attend the security summit. It’s no secret there’s been bad blood between these companies and the U.S. government ever since the leaked Edward Snowden documents detailed the government’s data-collection methods as they relate to the tech giants.

Ironically, Facebook earlier this week revealed its own collaborative-threat detection framework dubbed ThreatExchange, whose purpose is to provide an online hub (hosted by Facebook, of course) where companies can exchange security-related information in order to prevent further data breaches and hacks. Among the companies participating with Facebook on the project are Pinterest, Tumblr, Twitter and Yahoo.

While ThreatExchange allows the trading of security data, it’s probably not exactly what the U.S. government is looking for since it’s only available for businesses to tap into.

Whether the private sector wants to voluntarily disclose more information to the U.S. government in the name of security remains to be seen, but in the time being, it’s looking like companies are at least open to sharing information with each other sans government.

Facebook launches collaborative threat-detection framework

It might be a bit more difficult for hackers to launch coordinated attacks against several different companies at the same time thanks to a new collaborative threat-detection framework by Facebook called ThreatExchange.

The new security framework, which Facebook plans to announce on Wednesday, works like an online hub where multiple organizations can sign up and deposit data pertaining to the types of hacks and malicious activities they may have experienced. This type of data includes malicious URLs, bad domains, malware and any sort of analytical data a company might have that’s related to that malware, explained Mark Hammell, Facebook’s manager of threat infrastructure and the author of the blog post detailing the framework.

Once all that information is dumped in, Facebook’s graph-database technology can correlate all the data points together and figure out new relationships, such as which malware seems to be talking to a particular domain or if a domain happens to be hosted on a bad IP address, said Hammell. The point is for the framework to ingest all the different security data points between companies so they can keep each other abreast of threats they are experiencing in real-time. If the technology does its job right, users can discover patterns from the data that could help them prevent future attacks.

“We needed to have a platform that lets us share this data in real-time so that when the next attack comes online we are all aware simultaneously,” said Hammell.

The idea behind the new framework came about when Facebook, along with other big tech companies, suffered an attack last year (Hammell said the situation was quickly remedied, which is why there was little mention in the press) from some sort of Windows-related malware “that would try to hijack a variety of social-sharing accounts and use those accounts to propagate.” Essentially, the malware could spread itself across the various services of each company because of the way each service happens to be connected to one another.

For example, Hammell said that the attack might have started out from a private Facebook message that sent a corrupted link to a Tumblr blog that happened to be created with a Yahoo account.

Although the malware was eventually stopped, Facebook decided to build upon its existing ThreatData framework and open it up to other companies to use through APIs. It’s similar to how developers can connect to Facebook through APIs and create applications on its platform, explained Hammell.

Pinterest, Tumblr, Twitter, and Yahoo all gave Facebook feedback on the new framework and Bitly and Dropbox have now signed on to contribute as well.

As an example of how someone might use ThreatExchange, Hammell said participants will be able to search for any “malicious domains that have been added in the past day to the system.” If they want to add to ThreatExchange a malicious domain that they might have discovered, they can put it into the system and the underlying graph database technology can spew out a list of URLs that it might associate with the bad domain, which could be an indication that the malware is trying to spread across numerous sites.

Now that users can see who else might be affected, they can then ping the appropriate parties within the framework, said Hammell.
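The lookups Hammell describes (domains added in the past day, the URLs and neighbouring indicators tied to a submitted domain, and which participants reported them) can be sketched with a small in-memory indicator graph. This is an added illustration, not Facebook’s code or the ThreatExchange API; the class, method names, relation labels, organisation names and every sample indicator are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

NOW = datetime(2015, 2, 11, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def _norm(kind, value):
    """Canonicalise so the same indicator from two submitters lands on one node."""
    value = value.strip()
    return value.lower().rstrip(".") if kind == "domain" else value


class IndicatorGraph:
    """Hypothetical shared indicator store: nodes are (kind, value) pairs."""

    def __init__(self):
        self.added = {}                  # node -> first time anyone submitted it
        self.sources = defaultdict(set)  # node -> organisations that reported it
        self.edges = defaultdict(set)    # node -> {(relation, neighbour)}

    def add(self, kind, value, source, when):
        node = (kind, _norm(kind, value))
        self.added[node] = min(when, self.added.get(node, when))
        self.sources[node].add(source)
        if kind == "url":
            # A URL implies its host, so link it to the domain node automatically.
            host = urlsplit(node[1]).hostname
            if host:
                self.link(node, "hosted_on", self.add("domain", host, source, when))
        return node

    def link(self, a, relation, b):
        # Stored in both directions so correlation works from either end.
        self.edges[a].add((relation, b))
        self.edges[b].add((relation, a))

    def added_since(self, kind, since):
        """Indicators of one kind first seen at or after `since`."""
        return sorted(v for (k, v), t in self.added.items() if k == kind and t >= since)

    def _walk(self, start, max_hops):
        """Breadth-first search: every node within max_hops of start."""
        seen, queue = {start}, deque([(start, 0)])
        while queue:
            node, depth = queue.popleft()
            if depth == max_hops:
                continue
            for _, nxt in self.edges.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
        seen.discard(start)
        return seen

    def related(self, start, want_kind, max_hops=2):
        """Indicators of `want_kind` connected to `start`."""
        return sorted(v for k, v in self._walk(start, max_hops) if k == want_kind)

    def reporters(self, start, max_hops=2):
        """Organisations that reported `start` or anything near it (who to notify)."""
        orgs = set(self.sources.get(start, ()))
        for node in self._walk(start, max_hops):
            orgs |= self.sources[node]
        return sorted(orgs)


def build_sample(now=NOW):
    """Constructed submissions from four made-up participants."""
    g, day, hour = IndicatorGraph(), timedelta(days=1), timedelta(hours=1)
    bad = g.add("domain", "Bad-Downloads.example.", "org-a", now - 3 * day)
    ip = g.add("ip", "192.0.2.10", "org-a", now - 3 * day)
    g.link(bad, "resolves_to", ip)
    g.add("url", "http://bad-downloads.example/update.exe", "org-b", now - 5 * hour)
    g.add("url", "http://bad-downloads.example/share?id=1", "org-c", now - 2 * hour)
    mirror = g.add("domain", "cdn-mirror.example", "org-c", now - hour)
    g.link(mirror, "resolves_to", ip)  # same IP ties the second domain to the first
    worm = g.add("malware", "sample-worm-A", "org-b", now - 2 * day)
    g.link(worm, "contacts", bad)
    g.add("url", "http://unrelated.example/index.html", "org-d", now - 3 * hour)
    return g


if __name__ == "__main__":
    g = build_sample()
    bad = ("domain", "bad-downloads.example")
    print("domains added in last day:", g.added_since("domain", NOW - timedelta(days=1)))
    print("URLs on the bad domain:  ", g.related(bad, "url", max_hops=1))
    print("domains sharing infra:   ", g.related(bad, "domain"))
    print("participants to notify:  ", g.reporters(bad))
```

Because submissions are normalised before they are stored, the differently cased domain from one participant and the URLs from two others collapse onto a single node, which is what lets the shared IP address surface the second domain.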

“Where we see the most success is when folks start taking the attacks they are seeing and share those with the folks they think might be affected,” Hammell said.

ThreatExchange is now available in beta and interested participants will have to fill out a form on Facebook’s site if they want to partake.

Facebook: Downtime was caused by an internal boo-boo, not a hack

Facebook’s outage early on Tuesday, which also took out linked services such as Instagram and Tinder, was down to a technical issue caused by the company itself rather than external factors.

The outage affected users around the world. According to a technical note, the outage lasted an hour — individuals may have experienced it for up to 50 minutes, sources told me.

The Lizard Squad hacking group, which apparently successfully hijacked the website of Malaysia Airlines on the weekend, claimed responsibility for Facebook’s downtime in a tweet. However, according to the company itself, that’s nonsense.

It said in a statement:

Earlier this evening many people had trouble accessing Facebook and Instagram. This was not the result of a third party attack but instead occurred after we introduced a change that affected our configuration systems. We moved quickly to fix the problem, and both services are back to 100 percent for everyone.

No data was compromised, the sources added.

Defending encryption doesn’t mean opposing targeted surveillance

David Omand, the former head of British spy agency GCHQ, has made an extraordinary threat. Speaking earlier this week, he said that if companies such as Apple and Google don’t abandon their end-to-end encryption efforts, intelligence services will have to employ more “close access” surveillance on people they suspect of evil deeds.

This means physical observation, or bugging rooms, or hacking into phones and computers. According to Omand, such actions are “more targeted but in terms of intrusion into personal privacy – collateral intrusion into privacy – we are likely to end up in an ethically worse position than we were before.”

No, you’re not. Surreptitiously getting a key to a suspect’s communications is no more ethical than conducting close personal surveillance — but in the big picture, the latter is vastly preferable.

The ethics of spying

Targeted surveillance will always mean “collateral intrusion” into the privacy of people associated with a suspect, regardless of whether communications are read by having a master key or by hacking into client devices. Either way, communications with innocent people will probably be scooped up. When the master key mechanism means a weakening of security for the public at large, though, that option has the added downside of being dangerous and counterproductive.

Omand was spouting what is either a misinterpretation of the pro-end-to-end-encryption argument, or (more likely) a willful misdirection. His implication is that those who favor end-to-end encryption – which leaves your Apples and Googles without any keys to offer the spooks – are against the surveillance of people who want to blow things up.

That’s nonsense. I can’t speak for everyone, but I don’t personally fancy being murdered by terrorists, nor would I like anyone else to be. We do need to have intelligence services, and they do need to keep us safe.

However, strong encryption also keeps us safe from criminals and potentially foreign agents too (GCHQ and the NSA aren’t the only ones with mean hacking skills). Our ecommerce infrastructure wouldn’t work without it. A trustworthy internet will not work without it. The next-best alternative to end-to-end encryption is arguably the use of key escrow databases, which are inherently less secure. There’s a reason the U.S. government’s own cybersecurity department recommends people use end-to-end encryption.

That’s why we should ignore calls by Omand and David Cameron and Barack Obama and the EU’s counter-terrorism coordinator to abolish end-to-end encryption in communications tools, and why we should be deeply annoyed at the intelligence community’s surreptitious attempts to weaken encryption standards. Sure, security will always be an arms race — attackers make better attacks, so defenders make better defenses; rinse and repeat — but hyperconnected societies require state-of-the-art defenses for regular citizens.

The case for friction

There’s an added benefit to proper encryption technology, which may be the real reason spies and securocrats want it stamped out. Intelligence services can, to put it generously, get somewhat carried away, particularly when a framework such as the internet makes it so much easier and cheaper to spy on people’s communications than ever before, by encouraging everyone to live their lives on spy-friendly infrastructure.

This lack of friction makes mass surveillance relatively efficient and secretive, as there’s no need for a lumbering, conspicuous Stasi-like system (something that really had extra ethical downsides, creating a society based on mutual suspicion). When the secrecy associated with the agencies’ programs also leads to fewer judicial and political safeguards, an excess of efficiency may also encourage the overuse of targeted surveillance, because who would know?

In short, the internet’s opportunities for surveillance efficiency create the potential for intelligence agencies to become too powerful. End-to-end encryption adds friction and acts as a counterbalance. It doesn’t make targeted surveillance impossible – Omand himself noted that client device hacking and physical surveillance render encryption moot – but it does make it more resource-expensive, and therefore discourages its overuse.

We don’t want intelligence agencies to be unable to do their job. We do want them to focus more and even keep a more watchful eye on those who need watching — perhaps by diverting resources from mass surveillance efforts to targeted surveillance. We also want the necessary security underpinnings of our digital economy to be genuinely secure.

These things can and should coexist, and there’s no reason to inaccurately paint them as being in opposition. So, spies and law enforcement, please go right ahead and employ close access surveillance where it’s necessary. You have more support in that regard than you’re making out.