Wednesday, October 30, 2013

What the NSA Can and Cannot Do

Good summary from the London Review of Books.

Tuesday, October 29, 2013

Arguing for NSA-Level Internet Surveillance

Jack Goldsmith argues that we need the NSA to surveil the Internet not for terrorism reasons, but for cyberespionage and cybercrime reasons. Daniel Gallington argues -- the headline has nothing to do with the content -- that the balance between surveillance and privacy is about right.

Monday, October 28, 2013

Understanding the Threats in Cyberspace

The primary difficulty of cyber security isn't technology -- it's policy. The Internet mirrors real-world society, which makes security policy online as complicated as it is in the real world. Protecting critical infrastructure against cyber-attack is just one of cyberspace's many security challenges, so it's important to understand them all before any one of them can be solved.
The list of bad actors in cyberspace is long, and spans a wide range of motives and capabilities. At the extreme end there's cyberwar: destructive actions by governments during a war. When government policymakers like David Omand think of cyber-attacks, that's what comes to mind. Cyberwar is conducted by capable and well-funded groups and involves military operations against both military and civilian targets. Along much the same lines are non-nation state actors who conduct terrorist operations. Although less capable and well-funded, they are often talked about in the same breath as true cyberwar.
Much more common are the domestic and international criminals who run the gamut from lone individuals to organized crime. They can be very capable and well-funded and will continue to inflict significant economic damage.
Threats from peacetime governments have been seen increasingly in the news. The US worries about Chinese espionage against Western targets, and we're also seeing US surveillance of pretty much everyone in the world, including Americans inside the US. The National Security Agency (NSA) is probably the most capable and well-funded espionage organization in the world, and we're still learning about the full extent of its sometimes illegal operations.
Hacktivists are a different threat. Their actions range from Internet-age acts of civil disobedience to the inflicting of actual damage. This is hard to generalize about because the individuals and groups in this category vary so much in skill, funding and motivation. Hackers falling under the "anonymous" aegis -- it really isn't correct to call them a group -- come under this category, as does WikiLeaks. Most of these attackers are outside the organization, although whistleblowing -- the civil disobedience of the information age -- generally involves insiders like Edward Snowden.
This list of potential network attackers isn't exhaustive. Depending on who you are and what your organization does, you might be also concerned with espionage cyber-attacks by the media, rival corporations or even the corporations we entrust with our data.
The issue here, and why it affects policy, is that protecting against these various threats can lead to contradictory requirements. In the US, the NSA's post-9/11 mission to protect the country from terrorists has transformed it into a domestic surveillance organization. The NSA's need to protect its own information systems from outside attack opened it up to attacks from within. Do the corporate security products we buy to protect ourselves against cybercrime contain backdoors that allow for government spying? European countries may condemn the US for spying on its own citizens, but do they do the same thing?
All these questions are especially difficult because military and security organizations along with corporations tend to hype particular threats. For example, cyberwar and cyberterrorism are greatly overblown as threats -- because they result in massive government programs with huge budgets and power -- while cybercrime is largely downplayed.
We need greater transparency, oversight and accountability on both the government and corporate sides before we can move forward. With the secrecy that surrounds cyber-attack and cyberdefense it's hard to be optimistic.

How to "Delete administrator Password" without any software

Method 1

Boot up with DOS and delete the sam.exe and sam.log files from Windows\system32\config on your hard drive. Now when you boot up in NT, the password on your built-in administrator account will be blank (i.e. no password). This solution works only if your hard drive is the FAT kind.

Method 2

Step 1. Put the hard disk of your computer in any other PC.
Step 2. Boot that computer and use your hard disk as a secondary hard disk (don't boot from it as the primary hard disk).
Step 3. Then open the drive on which the victim's Windows (or your Windows) is installed.
Step 4. Go to the location windows->system32->config.
Step 5. Delete SAM.exe and SAM.log.
Step 6. Now remove the hard disk and put it back in your computer.
Step 7. Boot your computer.

Sunday, October 27, 2013

US Government Monitoring Public Internet in Real Time

Here's a demonstration of the US government's capabilities to monitor the public Internet. Former CIA and NSA Director Michael Hayden was on the Acela train between New York and Washington DC, taking press interviews on the phone. Someone nearby overheard the conversation, and started tweeting about it. Within 15 or so minutes, someone somewhere noticed the tweets, and informed someone who knew Hayden. That person called Hayden on his cell phone and, presumably, told him to shut up.
Nothing covert here; the tweets were public. But still, wow.

Saturday, October 26, 2013

Dynamic Biophotonics in Squid

Female squid exhibit sexually dimorphic tunable leucophores and iridocytes. Just so you know.
Here's the story in more accessible language.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Cyber War Will Not Take Place

Cyber war is possibly the most dangerous buzzword of the Internet era. The fear-inducing rhetoric surrounding it is being used to justify major changes in the way the Internet is organized, governed, and constructed. And in Cyber War Will Not Take Place, Thomas Rid convincingly argues that cyber war is not a compelling threat. Rid is one of the leading cyber war skeptics in Europe, and although he doesn't argue that war won't extend into cyberspace, he says that cyberspace's role in war is more limited than doomsayers want us to believe. His argument against cyber war is lucid and methodical. He divides "offensive and violent political acts" in cyberspace into: sabotage, espionage, and subversion. These categories are larger than cyberspace, of course, but Rid spends considerable time analyzing their strengths and limitations within cyberspace. The details are complicated, but his end conclusion is that many of these types of attacks cannot be defined as acts of war, and any future war won't involve many of these types of attacks.
None of this is meant to imply that cyberspace is safe. Threats of all sorts fill cyberspace, but not threats of war. As such, the policies to defend against them are different. While hackers and criminal threats get all the headlines, more worrisome are the threats from governments seeking to consolidate their power. I have long argued that controlling the Internet has become critical for totalitarian states, and their four broad tools of surveillance, censorship, propaganda and use control have legitimate commercial applications, and are also employed by democracies.
A lot of the problem here is of definition. There isn't broad agreement as to what constitutes cyber war, and this confusion plays into the hands of those hyping its threat. If everything from Chinese espionage to Russian criminal extortion to activist disruption falls under the cyber war umbrella, then it only makes sense to put more of the Internet under government -- and thus military -- control. Rid's book is a compelling counter-argument to this approach.
Rid's final chapter is an essay unto itself, and lays out his vision as to how we should deal with threats in cyberspace. For policymakers who won't sit through an entire book, this is the chapter I would urge them to read. Arms races are dangerous and destabilizing, and we're in the early years of a cyber war arms race that's being fueled by fear and ignorance. This book is a cogent counterpoint to the doomsayers and the profiteers, and should be required reading for anyone concerned about security in cyberspace.

Cognitive Biases About Violence as a Negotiating Tactic

Interesting paper: Max Abrahms, "The Credibility Paradox: Violence as a Double-Edged Sword in International Politics," International Studies Quarterly, 2013:
Abstract: Implicit in the rationalist literature on bargaining over the last half-century is the political utility of violence. Given our anarchical international system populated with egoistic actors, violence is thought to promote concessions by lending credibility to their threats. From the vantage of bargaining theory, then, empirical research on terrorism poses a puzzle. For non-state actors, terrorism signals a credible threat in comparison to less extreme tactical alternatives. In recent years, however, a spate of studies across disciplines and methodologies has nonetheless found that neither escalating to terrorism nor with terrorism encourages government concessions. In fact, perpetrating terrorist acts reportedly lowers the likelihood of government compliance, particularly as the civilian casualties rise. The apparent tendency for this extreme form of violence to impede concessions challenges the external validity of bargaining theory, as traditionally understood. In this study, we propose and test an important psychological refinement to the standard rationalist narrative. Via an experiment on a national sample of adults, we find evidence of a newfound cognitive heuristic undermining the coercive logic of escalation enshrined in bargaining theory. Due to this oversight, mainstream bargaining theory overestimates the political utility of violence, particularly as an instrument of coercion.

Friday, October 25, 2013

Useful UNIX SMB Commands

Learned a lot of SMB commands during the last test; thought I'd share them with everyone:
##To list all the domains the current machine can talk to
$ wbinfo --all-domains
##To get the DC for a particular domain
$ wbinfo --getdcname=<DOMAINNAME>
MACHINE001
##List of all users in the domain in /etc/passwd style
$ getent passwd > /tmp/users
$ wbinfo -u
##Same for groups
$ getent group
$ wbinfo -g
##To get info about a user on a DC (-P: use the machine account password configured on this machine)
$ net user info spider -P -S <DC_HOST>
<List of groups the user belongs to>
##To add a user to the domain
$ net user add <user> <pass> -P -S <DC_HOST>
##Get the current authorised user
$ net getauthuser
##If this works, you might want to check the secrets.tdb file
$ strings /etc/samba/secrets.tdb | grep USER
$ tdbdump /etc/samba/secrets.tdb
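The last two commands only turn anything up when secrets.tdb is readable by the account running them, so the corresponding defensive check is the file's mode. The following shell function is an added example, not part of the original post: it reports whether a Samba secrets file (path given as a parameter, so it can be pointed at a constructed test file rather than the real /etc/samba/secrets.tdb) is readable by group or others.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a Samba
# secrets.tdb (or any credential store) is readable by group or others.
# The path is a parameter so the check can be run against a constructed
# test file instead of the real /etc/samba/secrets.tdb.
check_secrets_perms() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    # GNU stat prints the octal mode with -c '%a'; BSD stat uses -f '%Lp'.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400)
            echo "ok: $f mode $mode (owner-only)"
            return 0 ;;
        *)
            echo "WEAK: $f mode $mode (expected 600; group/other can read the machine account secret)"
            return 1 ;;
    esac
}

# Usage on a live system (as root): check_secrets_perms /etc/samba/secrets.tdb
```

The function returns 0 for an owner-only mode, 1 for anything wider, and 2 if the file is absent, so it can be dropped into a cron job or a configuration-audit script and alert on non-zero status.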

Thursday, October 24, 2013

DARPA Contest for Fully-Automated Network Defense

DARPA is looking for a fully-automated network defense system:
What if computers had a "check engine" light that could indicate new, novel security problems? What if computers could go one step further and heal security problems before they happen? To find out, the Defense Advanced Research Projects Agency (DARPA) intends to hold the Cyber Grand Challenge (CGC) -- the first-ever tournament for fully automatic network defense systems. DARPA envisions teams creating automated systems that would compete against each other to evaluate software, test for vulnerabilities, generate security patches and apply them to protected computers on a network. To succeed, competitors must bridge the expert gap between security software and cutting-edge program analysis research. The winning team would receive a cash prize of $2 million.

Code Names for NSA Exploit Tools

This is from a Snowden document released by Le Monde:
General Term Descriptions:
HIGHLANDS: Collection from Implants
VAGRANT: Collection of Computer Screens
MAGNETIC: Sensor Collection of Magnetic Emanations
MINERALIZE: Collection from LAN Implant
OCEAN: Optical Collection System for Raster-Based Computer Screens
LIFESAFER: Imaging of the Hard Drive
GENIE: Multi-stage operation: jumping the airgap etc.
BLACKHEART: Collection from an FBI Implant
DROPMIRE: Passive collection of emanations using antenna
CUSTOMS: Customs opportunities (not LIFESAVER)
DROPMIRE: Laser printer collection, purely proximal access (***NOT*** implanted)
DEWSWEEPER: USB (Universal Serial Bus) hardware host tap that provides COVERT link over US link into a target network. Operates w/RF relay subsystem to provide wireless Bridge into target network.
RADON: Bi-directional host tap that can inject Ethernet packets onto the same targets. Allows bi-directional exploitation of denied networks using standard on-net tools.
There's a lot to think about in this list. RADON and DEWSWEEPER seem particularly interesting.

Wednesday, October 23, 2013

Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms

The enterprise governance, risk and compliance (EGRC) platform marketplace is maturing, and the experience of the users of EGRC platform solutions is deepening and getting broader. Taking into account this maturity and the increasing professional expertise of governance, risk and compliance (GRC) users, this year's Magic Quadrant analysis placed much more emphasis on reference customer feedback and market expectations. Gartner also has based the product evaluation criteria more on the ability of the vendors to address key use cases than on features and functions. As a result of these changes, the Magic Quadrant ratings better reflect the expectations that buyers in the market have, as well as vendor performance in meeting a globally diverse and growing market. These modified criteria have resulted in significant shifts in the positions of many vendors compared with the 2012 Magic Quadrant.
GRC as a marketplace can be broadly divided between GRC management (GRCM) products for the oversight and operation of risk management and compliance programs, and other GRC products for the automation and monitoring of controls. For a comprehensive description of the GRC marketplace, see "A Comparison Model for the GRC Marketplace, 2011 to 2013." Instead of acquiring separate solutions for finance, IT and other business units, many enterprises choose a single EGRC platform. When a single solution is not feasible, they may still integrate data from the many point and functional solutions to provide a GRC system of record for a single version of the truth. Reporting and managing through an enterprise GRC platform can give executives, auditors and managers a holistic view of the enterprise's risk and compliance postures, as well as views sorted by requirement, entity and geography. As the EGRC platform market continues to mature, most vendors are seeking to meet these new demands through an integrated platform with core modules for risk management, compliance and policy management, audit management, and regulatory change management; customers can grow into the solution through the phased implementation of interoperable modules. As the platform is more clearly defined, several vendors are beginning to develop industry- and function-specific applications that are overlaid on one or more of the core modules of the platform. Examples of these applications include privacy, anti-bribery compliance, business continuity management (BCM), PCI compliance, conflict minerals, Basel II, Solvency II, third-party risk management and many others.
The primary purpose of the EGRC platform is to automate much of the work associated with the documentation and reporting of risk management and compliance activities that are most closely associated with corporate governance and strategic business objectives. The primary end users include internal auditors and the audit committee, risk and compliance managers, legal professionals, and accountable business process owners. The key functions of importance to these groups are:
  • Risk management: Supports risk management professionals with the documentation, workflow, assessment and analysis in terms of business impact, reporting, visualization and remediation of risks. Supports business planners and analysts with analysis of risk-adjusted performance. The risk management component is generalized and can be applied to several risk management use cases, such as IT risk management and operational risk management; however, it may collect data from specialized risk analytics such as credit risk management and market risk management tools to provide a consolidated view of ERM. Many industry-specific risk management requirements may not be supported. For example, many banks require highly specialized capabilities for Basel II compliance. Only a few EGRC platform vendors support the operational risk management (ORM) needs of banking with advanced risk analytics. Instead, most vendors prefer to integrate the platform with specialized analytics solutions from other vendors.
  • Audit management: Supports internal auditors in developing the long-range audit plan, planning and executing individual audits, scheduling audit-related tasks, and managing work papers, time management and reporting.
  • Compliance and policy management: Supports compliance professionals with the documentation, workflow, reporting and visualization of controls objectives, controls and associated risks, surveys and self-assessments, attestation, testing, and remediation. At a minimum, compliance management will include financial reporting compliance (Sarbanes-Oxley [SOX] compliance), and also will support other types of compliance, such as ISO 9000, PCI, industry-specific regulations, SLAs, trading partner requirements and compliance with internal policies. This function includes a specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies; the mapping of policies to mandates and business objectives in one direction, and risks and controls in another; and the distribution to and attestation by employees and business partners.
  • Regulatory change management: Supports the ability to respond to changes in regulations. When a rule is changed or a new one emerges, it enables a business impact analysis and supports the management of the changes to related processes, controls, risk assessments, rule books and policies.
  • Incident or case management: Is used to track the occurrence and resolution of incidents, completely documenting investigations into legal matters and regulated activities. These tools are typically intended for the support of specific types of investigations, including HR; environmental, health and safety (EH&S); money laundering; fraud; and forensics. They may also be used to manage the resolution of significant audit findings and risk and control failures.
The EGRC platform can be integrated with business applications such as the general ledger, business intelligence (BI), enterprise content management, controls automation, monitoring solutions (such as segregation of duties), IT technical controls (such as server configuration auditing) and continuous controls monitoring (CCM) for transactions. The EGRC platform also integrates with specialized GRCM solutions, such as EH&S compliance, IT GRC management, quality management and industry GRCM applications.
The GRC market is nine years old, and buyers have high expectations for the performance of GRC solutions against a wide variety of use cases. Differentiation today is about the ability to deliver against multiple use cases, and provide advanced risk management functionality, with analysis of the impact of risks on strategic objectives and business performance, domain expertise in multiple highly regulated industries, ease of use — including mobile capabilities — and configurability.

Magic Quadrant

Vendor Strengths and Cautions

CMO Compliance

CMO Compliance is headquartered in London, with offices in the U.K., the U.S. and Australia. CMO Compliance 8.0 was the current version of the EGRC platform at the time of vendor evaluation for this Magic Quadrant.
Strengths
  • With a legacy in EH&S compliance, CMO Compliance also has strong EGRC capabilities for asset-intensive industries such as heavy manufacturing, oil and gas, transportation and logistics, and utilities.
  • Its mobile capabilities surpass those of any other EGRC platform vendor, and enable a tablet user to access most functionality that would be available on a desktop — online and offline.
  • CMO Compliance has strengths in integrated performance and risk management, and several customers reported using the platform for strategic planning and assessing the impact of risks on strategic business objectives, mapping key risk indicators (KRIs) to key performance indicators (KPIs), assessing risk-adjusted performance, and doing balanced scorecard reports.
  • The vendor has above-average capability to support regulatory change management, including offering a customizable regulatory tracking and update service to customers. Incident management is also a strength, including investigations support.
  • Customers consistently rate CMO Compliance as exceeding expectations in a broad range of use cases.
  • CMO Compliance has good support in North America, Europe and the Asia/Pacific region, and is developing a stronger presence in South Africa.
Cautions
  • Although banks and insurance firms that operate in remote areas may find the mobile and offline capabilities useful, CMO Compliance currently does not have the full breadth of financial services (FS) domain expertise to be competitive as a comprehensive EGRC solution for FS. It does, however, support FS customers with regulatory change management.
  • While CMO Compliance has good support and sales capacity, it is growing rapidly. To keep up with this growth, it will need to not only increase its organic support capabilities, but also develop more extensive partnerships with consultancies and system integrators.
  • As the company is transitioning from a small player to a more significant one, it needs to develop a more formal road map. Since GRC is a program and not a one-time implementation, prospective customers should press CMO Compliance to demonstrate how the road map will support their plans.

EMC (RSA)

RSA, The Security Division of EMC, is headquartered in the U.S. and has global sales and support. RSA Archer Platform 5.2 was the current version of the EGRC platform at the time of the evaluation.
Strengths
  • RSA Archer has an extremely loyal customer base within the IT GRC market, and is included in the "MarketScope for IT Governance, Risk and Compliance Management." The lobbying effort of this base enables RSA to open doors within the rest of the enterprise.
  • RSA provides excellent support and moderation for user communities, and has best-in-class capabilities for integrating users into the development process.
  • This is a very flexible and comprehensive GRC offering. RSA has developed the concept of focused solutions that overlay workflows and content on existing modules to address industry- or function-specific requirements. For instance, RSA has rolled out a regulatory change management solution, and it is using focused solutions to add additional risk analytics capabilities. RSA is executing well against an extensive road map for focused solutions and enhancements to the core modules.
  • Customer references report using RSA Archer in a very broad range of use cases. Several use cases were rated as exceeding expectations, and only a few were rated as failing to meet expectations. Almost all customers reported using RSA Archer for IT risk management (ITRM), reflecting the ongoing strength in IT GRC.
  • Several customers reported using RSA Archer for integrated performance and risk management, including strategic planning and assessing the impact of risks on strategic business objectives, mapping KRIs to KPIs, and assessing the impact of risks on operational performance.
  • RSA Archer maintains extensive content libraries, including standards and frameworks as well as regulations. It has dedicated staff to keep these libraries up-to-date.
  • The pricing model uses annual licensing, and its components are open and transparent. Discounting is more common than it used to be.
  • RSA Archer is also strong in BCM, and is included in the "Magic Quadrant for Business Continuity Management Planning Software."
Cautions
  • Although RSA Archer promotes that zero custom code is needed to get started, most customers report significant customization in their implementations. One customer reference noted that it was moving away from customization because it interfered with the ability to take advantage of upgrades.
  • With 10 primary modules, on-demand applications and a growing number of focused solutions, the price of RSA Archer escalates quickly. Most customers will find that regardless of their role or purpose, at least three modules will be needed, and focused solutions will add to that. Most module pricing includes one on-demand application license, but customers who want to build out their own targeted capabilities will buy more. Customers will find themselves paying for more annual licenses than with other vendors. On the other hand, it is not as if pricing is hidden — the RSA Archer pricing model is open and transparent.
  • Focused solutions are priced in three tiers — Tier 1 is the most expensive due to the solution being more complex and having more support. For the second and third tiers, customers should not expect to receive the same level of ongoing improvements and upgrades.
  • Several customer references noted that RSA Archer support was slow in responding to requests. 

Enablon

Enablon is headquartered in Paris, with offices in France, the U.S., Canada, Spain, and the U.K. Enablon 6.0 was the current version of the EGRC platform at the time of the evaluation.
Strengths
  • Enablon has strong capabilities for asset-intensive industries such as heavy manufacturing, oil and gas, mining, and construction. It also has support for FS risk management and compliance.
  • Enablon has demonstrated some of the best examples of linking business performance, risk management and compliance. Customers reported using the platform for several integrated performance and risk management use cases, including strategic planning and assessing the impact of risks on strategic business objectives, mapping KRIs to KPIs, and calculating risk adjusted performance.
  • Linking sustainability performance to business performance is a strength, as are incident management — including support for investigations — and supplier management.
  • Enablon provides a large number of prepackaged analytical methods that address risk management, sustainability, and business performance requirements. As the enterprise GRC platform market looks for solutions that support integrated performance and risk management, Enablon has been able to gain traction.
  • Enablon maintains and moderates a strong user community, enabling customers to network and share.
  • Enablon's product is typically implemented with little customization, and customers report that it meets or exceeds expectations in most use cases.
  • If Enablon continues to execute well on its EGRC strategy and improves sales execution in regions beyond Europe, it could work its way into the Leaders quadrant.
Cautions
  • While clearly committed to the enterprise GRC market, Enablon's overall focus remains on its larger business of EH&S compliance.
  • Many customers report that implementation takes a long time — some of these were large, complex implementations. Half of the customer references noted that the software is not easy to configure. A few customers expressed dissatisfaction with ongoing support.
  • Presence outside of North America and Europe is less than might be expected for a vendor focused on heavy asset industries. Prospective customers in other regions should press Enablon on how it will support them. Enablon is focusing more on investments in Australia and New Zealand and has a number of new customers there.

IBM

IBM, headquartered in the U.S., provides global sales and support. OpenPages GRC Platform 6.2 was the current version of the EGRC platform at the time of the evaluation.
Strengths
  • OpenPages is very strong in supporting the needs of financial services institutions, including support for operational risk management for Basel II/III and Solvency II, and that has been enhanced further with integration of the Algo First loss event content.
  • OpenPages is built on Cognos, which gives it strong analytics and reporting functionality. Improvements in integration with Algorithmics for risk modeling and SPSS for business data analytics should offer strong capabilities for integrated performance and risk management.
  • OpenPages demonstrated functional strengths in risk management and audit management. It also had a differentiating scenario analytics capability that easily can be used by a nonexpert.
  • IBM Global Services has developed capabilities to implement OpenPages, which has strong partnerships with many large consultancies. For example, PwC, KPMG, Ernst & Young and Deloitte have large numbers of consultants trained on OpenPages.
  • Rather than sell module by module, OpenPages licenses the entire platform, enabling users to pick and choose among all of its functional capabilities.
Cautions
  • For four years, OpenPages has focused its growth strategy on large FS deals. As large FS buyers are few and far between, the growth rate at OpenPages has not kept up with some of the other leaders. While OpenPages does have a large number of clients in other industries, including energy and utilities, healthcare, manufacturing, telecom and IT, it has not focused on growth in these areas. This is the primary reason IBM has moved down in the Leaders quadrant compared with other vendors. OpenPages will need to add further industry domain expertise and make its solutions easier to deploy in order to grow further into manufacturing and other industries, as well as into Tier 2 banking. Its strategy to broaden the base of industry coverage will rely on what it calls "standard solutions"; these will enable delivery of industry- and function-specific capabilities overlaid on the core OpenPages modules, which should help growth into other industries.
  • Considering OpenPages' ability to integrate with other IBM analytics solutions, it was notable that only one customer reference reported a use case for integrated performance and risk management.
  • OpenPages has not taken full advantage of the reach and breadth of IBM's sales force to expand sales across multiple industries and to midtier buyers, perhaps because of the strong focus on large FS deals.
  • Several customers reported long implementation times, which is not unusual for large FS implementations.

Mega

Mega International is headquartered in Paris, with offices in France, the U.K., Italy, Germany, the U.S., Mexico, Morocco, Singapore and Japan, and affiliated distributors in several other countries. The Hopex platform 1.0 was the current version at the time of the evaluation.
Strengths
  • Mega continues to evolve its EGRC platform, with a strong concentration on business architecture. Mega's business architecture focus emanates from its roots as an enterprise architecture software provider and serves as a key differentiator for its EGRC product. Management has successfully executed a transition over the past three years from a service-oriented firm to one with a focus on software sales.
  • In early 2013, Mega released a new platform called Hopex for its GRC and enterprise architecture solutions. The ability to model and analyze the impact of risks and controls on processes and key performance indicators is a strength for Mega. Hopex also has a much simpler user interface than earlier solutions.
  • Mega has focused on the FS market, and has strong capabilities to support operational risk management, Basel II/III and Solvency II. Mega is also making inroads into manufacturing, where its architectural orientation is an asset. Its audit management solution is also strong.
  • Customers report that the time to implement and time to value are relatively short.
  • Mega has grown its presence in North America to equal that in Europe. It has also had significant growth in Asia/Pacific.
Cautions
  • The marketing of Hopex focuses on the benefits of integrating GRC with enterprise architecture. This feature may intrigue enterprise architects. However, to propel its sales growth and enter the Leaders quadrant, Mega will need to develop marketing that targets senior business and risk management executives.
  • Customers did not report using Mega broadly, but mostly on a narrow range of use cases. Mega needs a wider breadth of prepackaged solutions that can enable a greater range of use cases for its customers.
  • Even though it has clear capabilities to support integrated performance and risk management, it is notable that only one customer reference reported a use case for that purpose. This is further evidence that Mega needs to develop the marketing and reach to senior business and risk management executives.
  • Several customers reported that significant customization was required, an issue that, based on what was demonstrated to Gartner, may be relieved by the Hopex platform.

MetricStream

MetricStream, headquartered in Palo Alto, California, has offices in the U.S., Canada, the U.K., Switzerland, France, Italy, Australia, the United Arab Emirates (UAE) and India. MetricStream 6.0 was the current version of the EGRC platform at the time of the evaluation.
Strengths
  • MetricStream 6.0 offers a broad-based EGRC platform to a wide range of customers across a number of industry verticals. It continues to grow organically in multiple regions, and recently acquired Certus, another EGRC platform vendor.
  • MetricStream takes a flexible approach that concentrates on providing customers with the specific capabilities that they are looking for. This strategy has enabled MetricStream to build a large client base across a number of industries.
  • In its efforts to maintain a flexible approach for its customers and minimize customization, during the past two years, MetricStream has focused on a standard application studio on which it can build scores of replicable applications for specific industry and functional needs. It has opened its Application Studio and new Zaplet technology to partners, who can build third-party applications on the MetricStream platform. For customers, this means that MetricStream will have a portfolio of applications from itself and a partner ecosystem that will plug and play with the core platform.
  • MetricStream's global support capabilities continue to grow, with sales and support capabilities in North America, Europe and Asia/Pacific. It also has brought a number of experienced risk management professionals onboard who can work with customers to align the solutions to their risk management and compliance programs, as well as provide advice on improving those programs.
  • MetricStream is strongly competitive in the IT GRC management market and is included in the "MarketScope for IT Governance, Risk and Compliance Management." A differentiator is its vPanorama application, which enables collecting metrics on cloud-based assets. MetricStream is also strong in BCM and is included in the "Magic Quadrant for Business Continuity Management Planning Software."
  • Several MetricStream customers reported using the platform for integrated performance and risk management, including mapping KRIs to KPIs, assessing the impact of risks on strategic objectives and implementing balanced scorecard reporting.
  • MetricStream is experiencing rapid growth. Goldman Sachs and other investors injected a large amount of cash into the company in 2013 that will fund further growth and development.
Cautions
  • MetricStream is transitioning from a relatively small software vendor to a major player in a growing market segment. It has had some growing pains. So far in 2013, four clients have told us of implementation issues, including gaps between what was demonstrated to the customer and what was readily available out of the box, enhancements that drive up costs beyond what was budgeted, difficulty in communicating with MetricStream implementers, unexpected rotations in the implementation team, and a perceived lack of expertise among the implementers. Most of these issues have occurred in large implementations, and customers typically express a greater degree of satisfaction once implementation is complete. MetricStream has established a process to track implementation issues, correct them, and improve its implementation processes. For now, however, customers with large implementations should be diligent and raise issues to the vendor at the earliest sign of a problem.
  • MetricStream states that its Application Studio and Zaplet capabilities enable it to advance its capabilities without upgrading the core platform. In the meantime, customers still report that significant customization is needed. This customization work is performed by the largest support team of any EGRC platform vendor.

Nasdaq OMX (BWise)

Nasdaq OMX is headquartered in New York, with offices in the U.S., Canada, Australia, Brazil, South Africa, the UAE, and several countries in Europe and Asia. BWise 4.1 was the current version of Nasdaq OMX's EGRC platform at the time of the evaluation.
Strengths
  • Nasdaq OMX acquired BWise in 2012 as part of its strategy to grow its Corporate Solutions group. While BWise should benefit in the long run from exposure to the broad Nasdaq OMX customer base, for now its industry strength is in financial services.
  • BWise has an explicit strategy to minimize customization and offer customers an out-of-the-box solution as much as possible. A very flexible data model enables a high degree of configuration with minimal customization.
  • BWise has a very good understanding of the market for GRC within financial services, and its road map reflects that. Looking forward, BWise's road map includes ongoing enhancements of advanced risk analytics; improved integration with Nasdaq Smarts, which is a compliance solution for securities regulators, exchanges and broker-dealers; and deployment of reputational risk management capabilities.
  • Many BWise customers report that time to value — that is, the time from implementation until they are getting the value they expect from the product — is short. Time to implement is average.
  • Overall, risk management and risk analytics are BWise strengths, including ERM, ORM and ITRM. Some BWise customers reported using the platform for integrated performance and risk management, including mapping KRIs to KPIs and assessing the impact of risks on strategic business objectives.
  • BWise is competitive against pure-play IT GRC management vendors.
Cautions
  • While BWise espouses architecture that requires minimal customization, several customers report that significant customization was required for their implementations. This is not surprising, since many of the implementations are in complex FS environments. Still, buyers should be aware that there is a gap between the marketing around "no customization required" and the reality at implementation.
  • Since its acquisition by Nasdaq OMX, BWise has gained exposure to a broader market beyond FS. However, it has not yet achieved sufficient traction in other industries. Because large FS deals are becoming increasingly difficult to obtain these days with the market being fairly saturated, BWise's growth is not keeping up with many of the other leaders. In order to stay in the Leaders quadrant next year, BWise needs to focus more on Tier 2 banking, manufacturing and other industries.

Sunday, October 20, 2013

SecureDrop

SecureDrop is an open-source whistleblower support system, originally written by Aaron Swartz and now run by the Freedom of the Press Foundation. The first instance of this system was named StrongBox and is being run by the New Yorker. To further add to the naming confusion, Aaron Swartz called the system DeadDrop when he wrote the code.
Here is a detailed security audit of the StrongBox implementation, which I did together with some great researchers from the University of Washington and Jacob Appelbaum. The problems we found were largely procedural, and things that the Freedom of the Press Foundation is working to fix.
Freedom of the Press Foundation is not running any instances of SecureDrop. It has about a half dozen major news organizations lined up, and will be helping them install their own starting the first week of November. So hopefully any would-be whistleblowers will soon have their choice of news organizations to securely communicate with.
Strong technical whistleblower protection is essential, especially given President Obama's war on whistleblowers. I hope this system is broadly implemented and extensively used.

Thursday, October 10, 2013

A New Postal Privacy Product

The idea is basically to use indirection to hide physical addresses. You would get a random number to give to your correspondents, and the post office would use that number to determine your real address. No security against government surveillance, but potentially valuable nonetheless.
Here are a bunch of documents.
I honestly have no idea what's going on. It seems to be something the US government is considering, but it was not proposed by the US Postal Service. This guy is proposing the service.

Tuesday, October 8, 2013

Why It's Important to Publish the NSA Programs

The Guardian recently reported on how the NSA targets Tor users, along with details of how it uses centrally placed servers on the Internet to attack individual computers. This builds on a Brazilian news story from mid-September that, in part, shows that the NSA is impersonating Google servers to users; a German story on how the NSA is hacking into smartphones; and a Guardian story from early September on how the NSA is deliberately weakening common security algorithms, protocols, and products.
The common thread among these stories is that the NSA is subverting the Internet and turning it into a massive surveillance tool. The NSA's actions are making us all less safe, because its eavesdropping mission is degrading its ability to protect the US.
Among IT security professionals, it has been long understood that the public disclosure of vulnerabilities is the only consistent way to improve security. That's why researchers publish information about vulnerabilities in computer software and operating systems, cryptographic algorithms, and consumer products like implantable medical devices, cars, and CCTV cameras.
It wasn't always like this. In the early years of computing, it was common for security researchers to quietly alert the product vendors about vulnerabilities, so they could fix them without the "bad guys" learning about them. The problem was that the vendors wouldn't bother fixing them, or took years before getting around to it. Without public pressure, there was no rush.
This all changed when researchers started publishing. Now vendors are under intense public pressure to patch vulnerabilities as quickly as possible. The majority of security improvements in the hardware and software we all use today is a result of this process. This is why Microsoft's Patch Tuesday process fixes so many vulnerabilities every month. This is why Apple's iPhone is designed so securely. This is why so many products push out security updates so often. And this is why mass-market cryptography has continually improved. Without public disclosure, you'd be much less secure against cybercriminals, hacktivists, and state-sponsored cyberattackers.
The NSA's actions turn that process on its head, which is why the security community is so incensed. The NSA not only develops and purchases vulnerabilities, but deliberately creates them through secret vendor agreements. These actions go against everything we know about improving security on the Internet.
It's folly to believe that any NSA hacking technique will remain secret for very long. Yes, the NSA has a bigger research effort than any other institution, but there's a lot of research being done -- by other governments in secret, and in academic and hacker communities in the open. These same attacks are being used by other governments. And technology is fundamentally democratizing: today's NSA secret techniques are tomorrow's PhD theses and the following day's cybercrime attack tools.
It's equal folly to believe that the NSA's secretly installed backdoors will remain secret. Given how inept the NSA was at protecting its own secrets, it's extremely unlikely that Edward Snowden was the first sysadmin contractor to walk out the door with a boatload of them. And the previous leakers could have easily been working for a foreign government. But it wouldn't take a rogue NSA employee; researchers or hackers could discover any of these backdoors on their own.
This isn't hypothetical. We already know of government-mandated backdoors being used by criminals in Greece, Italy, and elsewhere. We know China is actively engaging in cyber-espionage worldwide. A recent Economist article called it "akin to a government secretly commanding lockmakers to make their products easier to pick -- and to do so amid an epidemic of burglary."
The NSA has two conflicting missions. Its eavesdropping mission has been getting all the headlines, but it also has a mission to protect US military and critical infrastructure communications from foreign attack. Historically, these two missions have not come into conflict. During the cold war, for example, we would defend our systems and attack Soviet systems.
But with the rise of mass-market computing and the Internet, the two missions have become interwoven. It becomes increasingly difficult to attack their systems and defend our systems, because everything is using the same systems: Microsoft Windows, Cisco routers, HTML, TCP/IP, iPhones, Intel chips, and so on. Finding a vulnerability -- or creating one -- and keeping it secret to attack the bad guys necessarily leaves the good guys more vulnerable.
Far better would be for the NSA to take those vulnerabilities back to the vendors to patch. Yes, it would make it harder to eavesdrop on the bad guys, but it would make everyone on the Internet safer. If we believe in protecting our critical infrastructure from foreign attack, if we believe in protecting Internet users from repressive regimes worldwide, and if we believe in defending businesses and ourselves from cybercrime, then doing otherwise is lunacy.
It is important that we make the NSA's actions public in sufficient detail for the vulnerabilities to be fixed. It's the only way to force change and improve security.

Silk Road Author Arrested Due to Bad Operational Security

Details of how the FBI found the administrator of Silk Road, a popular black market e-commerce site.
Despite the elaborate technical underpinnings, however, the complaint portrays Ulbricht as a drug lord who made rookie mistakes. In an October 11, 2011 posting to a Bitcoin Talk forum, for instance, a user called "altoid" advertised he was looking for an "IT pro in the Bitcoin community" to work in a venture-backed startup. The post directed applicants to send responses to "rossulbricht at gmail dot com." It came about nine months after two previous posts -- also made by a user, "altoid," to shroomery.org and Bitcoin Talk -- were among the first to advertise a hidden Tor service that operated as a kind of "anonymous amazon.com." Both of the earlier posts referenced silkroad420.wordpress.com. If altoid's solicitation for a Bitcoin-conversant IT Pro wasn't enough to make Ulbricht a person of interest in the FBI's ongoing probe, other digital bread crumbs were sure to arouse agents' suspicions. The Google+ profile tied to the rossulbricht@gmail.com address included a list of favorite videos originating from mises.org, a website of the "Mises Institute." The site billed itself as the "world center of the Austrian School of economics" and contained a user profile for one Ross Ulbricht. Several Dread Pirate Roberts postings on Silk Road cited the "Austrian Economic theory" and the works of Mises Institute economists Ludwig von Mises and Murray Rothbard in providing the guiding principles for the illicit drug market.
The clues didn't stop there. In early March 2012 someone created an account on StackOverflow with the username Ross Ulbricht and the rossulbricht@gmail.com address, the criminal complaint alleged. On March 16 at 8:39 in the morning, the account was used to post a message titled "How can I connect to a Tor hidden service using curl in php?" Less than one minute later, the account was updated to change the user name from Ross Ulbricht to "frosty." Several weeks later, the account was again updated, this time to replace the Ulbricht gmail address with frosty@frosty.com. In July 2013, a forensic analysis of the hard drives used to run one of the Silk Road servers revealed a PHP script based on curl that contained code that was identical to that included in the Stack Overflow discussion, the complaint alleged.
We already know that it is next to impossible to maintain privacy and anonymity against a well-funded government adversary.

Monday, October 7, 2013

How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID

The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA's application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world.
According to a top-secret NSA presentation provided by the whistleblower Edward Snowden, one successful technique the NSA has developed involves exploiting the Tor browser bundle, a collection of programs designed to make it easy for people to install and use the software. The trick identifies Tor users on the Internet and then executes an attack against their Firefox web browser.
The NSA refers to these capabilities as CNE, or computer network exploitation.
The first step of this process is finding Tor users. To accomplish this, the NSA relies on its vast capability to monitor large parts of the Internet. This is done via the agency's partnership with US telecoms firms under programs codenamed Stormbrew, Fairview, Oakstar and Blarney.
The NSA creates "fingerprints" that detect HTTP requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool that NSA boasts allows its analysts to see "almost everything" a target does on the Internet.
Using powerful data analysis tools with codenames such as Turbulence, Turmoil and Tumult, the NSA automatically sifts through the enormous amount of Internet traffic that it sees, looking for Tor connections.
Last month, Brazilian TV news show Fantastico showed screenshots of an NSA tool that had the ability to identify Tor users by monitoring Internet traffic.
The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the Internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.
After identifying an individual Tor user on the Internet, the NSA uses its network of secret Internet servers to redirect those users to another set of secret Internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems.
Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA.
Exploiting the Tor browser bundle
Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult. The NSA attacks we found individually target Tor users by exploiting vulnerabilities in their Firefox browsers, and not the Tor application directly.
This, too, is difficult. Tor users often turn off vulnerable services like scripts and Flash when using Tor, making it difficult to target those services. Even so, the NSA uses a series of native Firefox vulnerabilities to attack users of the Tor browser bundle.
According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion vulnerability in E4X, which is an XML extension for JavaScript. This vulnerability exists in Firefox 11.0 -- 16.0.2, as well as Firefox 10.0 ESR -- the Firefox version used until recently in the Tor browser bundle. According to another document, the vulnerability exploited by EgotisticalGiraffe was inadvertently fixed when Mozilla removed the E4X library with the vulnerability, and when Tor added that Firefox version into the Tor browser bundle, but NSA were confident that they would be able to find a replacement Firefox exploit that worked against version 17.0 ESR.
The Quantum system
To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the Internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.
In the academic literature, these are called "man-in-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.
They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the Internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.
The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".
This same technique is used by the Chinese government to block its citizens from reading censored Internet content, and has been hypothesized as a probable NSA attack technique.
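The race described above leaves a trace a network defender can look for: a man-on-the-side attacker cannot stop the real server's reply, so both the injected and the genuine response arrive carrying the same TCP sequence number but different bytes. The following is an added example (not code from the essay or from any of the documents it cites) that runs that check over a constructed capture; addresses, ports, payloads and the redirect target are all placeholders.

```python
"""Detect man-on-the-side (QUANTUM-style) injection from captured TCP segments.

Added example, not from the original essay. Input is a constructed list of
segments; in practice they would be parsed from a packet capture taken close
to the client side of the link.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]  # (sender ip, sender port, receiver ip, receiver port)


@dataclass(frozen=True)
class Segment:
    ts: float       # capture time in seconds
    src: str        # sending address
    sport: int
    dst: str        # receiving address
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


@dataclass(frozen=True)
class Finding:
    flow: Flow
    seq: int
    winner: bytes   # payload the client accepted (it arrived first)
    loser: bytes    # contradictory payload for the same position, arriving later
    gap: float      # seconds between the two


def _same_stream_bytes(a: bytes, b: bytes) -> bool:
    """Two segments starting at the same seq agree if one is a prefix of the other.

    That covers ordinary retransmissions, including ones cut at a different
    segment boundary, which must not be reported as attacks."""
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def find_injections(segments: List[Segment]) -> List[Finding]:
    """Flag (flow, seq) positions that carry two contradictory payloads.

    The receiving host keeps whichever copy came first, so only the earliest
    payload per position is remembered and each later contradiction is
    reported against what the client actually consumed."""
    first_seen: Dict[Tuple[Flow, int], Segment] = {}
    findings: List[Finding] = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue  # pure ACKs carry no stream bytes; nothing to contradict
        key = ((seg.src, seg.sport, seg.dst, seg.dport), seg.seq)
        prior = first_seen.get(key)
        if prior is None:
            first_seen[key] = seg
        elif not _same_stream_bytes(prior.payload, seg.payload):
            findings.append(Finding(key[0], seg.seq, prior.payload, seg.payload,
                                    seg.ts - prior.ts))
    return findings


# Constructed capture of one plain-HTTP fetch. Addresses and the redirect
# target are placeholders, not real infrastructure.
SERVER, CLIENT = "198.51.100.10", "192.0.2.25"
LEGIT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body>hello</body></html>")
INJECTED = (b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example.invalid/\r\n"
            b"Content-Length: 0\r\n\r\n")
TAIL = 5000 + len(LEGIT)

SAMPLE_CAPTURE = [
    Segment(0.000, CLIENT, 51234, SERVER, 80, 1000, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Segment(0.004, SERVER, 80, CLIENT, 51234, 5000, INJECTED),  # arrives first: wins the race
    Segment(0.031, SERVER, 80, CLIENT, 51234, 5000, LEGIT),     # genuine reply, loses the race
    # Benign noise that must not be flagged:
    Segment(0.250, SERVER, 80, CLIENT, 51234, TAIL, b"tail"),
    Segment(0.480, SERVER, 80, CLIENT, 51234, TAIL, b"tail"),          # plain retransmission
    Segment(0.700, SERVER, 80, CLIENT, 51234, TAIL + 4, b"ABCDEFGH"),
    Segment(0.900, SERVER, 80, CLIENT, 51234, TAIL + 4, b"ABCD"),      # resegmented retransmission
]


def report(segments: List[Segment]) -> List[str]:
    """One human-readable line per finding, suitable for an alert log."""
    return [f"{f.flow[0]}:{f.flow[1]} -> {f.flow[2]}:{f.flow[3]} seq={f.seq}: "
            f"client consumed {f.winner[:20]!r}; conflicting copy of the same "
            f"position arrived {f.gap * 1000:.0f} ms later: {f.loser[:20]!r}"
            for f in find_injections(segments)]


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print(line)
```

The check only sees what passes the capture point, so the sensor belongs near the client; over TLS the conflicting payloads are ciphertext, but the duplicated sequence number remains visible at the TCP layer.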
The FoxAcid system
According to various top-secret documents provided by Snowden, FoxAcid is the NSA codename for what the NSA calls an "exploit orchestrator," an Internet-enabled system capable of attacking target computers in a variety of different ways. It is a Windows 2003 computer configured with custom software and a series of Perl scripts. These servers are run by the NSA's tailored access operations, or TAO, group. TAO is another subgroup of the systems intelligence directorate.
The servers are on the public Internet. They have normal-looking domain names, and can be visited by any browser from anywhere; ownership of those domains cannot be traced back to the NSA.
However, if a browser tries to visit a FoxAcid server with a special URL, called a FoxAcid tag, the server attempts to infect that browser, and then the computer, in an effort to take control of it. The NSA can trick browsers into using that URL using a variety of methods, including the race-condition attack mentioned above and frame injection attacks.
FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious. http://baseball2.2ndhalfplays.com/nested/attribs/bins/1/define/forms9952_z1zzz.html is an example of one such tag, given in another top-secret training presentation provided by Snowden.
There is no currently registered domain name by that name; it is just an example for internal NSA training purposes.
The training material states that merely trying to visit the homepage of a real FoxAcid server will not result in any attack, and that a specialized URL is required. This URL would be created by TAO for a specific NSA operation, and unique to that operation and target. This allows the FoxAcid server to know exactly who the target is when his computer contacts it.
According to Snowden, FoxAcid is a general CNE system, used for many types of attacks other than the Tor attacks described here. It is designed to be modular, with flexibility that allows TAO to swap and replace exploits if they are discovered, and only run certain exploits against certain types of targets.
The most valuable exploits are saved for the most important targets. Low-value exploits are run against technically sophisticated targets where the chance of detection is high. TAO maintains a library of exploits, each based on a different vulnerability in a system. Different exploits are authorized against different targets, depending on the value of the target, the target's technical sophistication, the value of the exploit, and other considerations.
In the case of Tor users, FoxAcid might use EgotisticalGiraffe against their Firefox browsers.
FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. One of the top-secret documents provided by Snowden demonstrates how FoxAcid can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.
According to a top-secret operational management procedures manual provided by Snowden, once a target is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in the manual are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer.
These decisions are made in part by the technical sophistication of the target and the security software installed on the target computer, called Personal Security Products or PSP, in the manual.
FoxAcid payloads are updated regularly by TAO. For example, the manual refers to version 8.2.1.1 of one of them.
FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. The operations manual states that a FoxAcid payload with the codename DireScallop can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.
The NSA also uses phishing attacks to induce users to click on FoxAcid tags.
TAO additionally uses FoxAcid to exploit callbacks -- which is the general term for a computer infected by some automatic means -- calling back to the NSA for more instructions and possibly to upload data from the target computer.
According to a top-secret operational management procedures manual, FoxAcid servers configured to receive callbacks are codenamed FrugalShot. After a callback, the FoxAcid server may run more exploits to ensure that the target computer remains compromised long term, as well as install "implants" designed to exfiltrate data.
By 2008, the NSA was getting so much FoxAcid callback data that they needed to build a special system to manage it all.

This essay previously appeared in the Guardian. It is the technical article associated with this more general-interest article. I also wrote two commentaries on the material.
EDITED TO ADD: Here is the source material we published. The Washington Post published its own story independently, based on some of the same source material and some new source material.
Here's the official US government response to the story.
The Guardian decided to change the capitalization of the NSA codenames. They should properly be in all caps: FOXACID, QUANTUMCOOKIE, EGOTISTICALGIRAFFE, TURMOIL, and so on.
This is the relevant quote from the Spiegel article:
According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides.
That should be "QUANTUMINSERT." This is getting frustrating. The NSA really should release a style guide for press organizations publishing their secrets.
And the URL in the essay (now redacted at the Guardian site) was registered within minutes of the story posting, and is being used to serve malware. Don't click on it.

Friday, October 4, 2013

Is Cybersecurity a Profession?

A National Academy of Sciences panel says no:
Sticking to the quality control aspect of the report, professionalization, it says, has the potential to attract workers and establish long-term paths to improving the work force overall, but measures such as standardized education or requirements for certification have their disadvantages too. For example, formal education or certification could be helpful to employers looking to evaluate the skills and knowledge of a given applicant, but it takes time to develop curriculum and reach a consensus on what core knowledge and skills should be assessed in order to award any such certification. For direct examples of such a quandary, InfoSec needs only to look at the existing certification programs, and the criticisms directed at certifications such as the CISSP and C|EH.
Once a certification is issued, the previously mentioned barriers start to emerge. The standards used to award certifications will run the risk of becoming obsolete. Furthermore, workers may not have incentives to update their skills in order to remain current. Again, this issue is seen in the industry today, as some professionals chose to let their certifications lapse rather than renew them or try and collect the required CPE credits.
But the largest barrier is that some of the most talented individuals in cybersecurity are self-taught. So the requirement of formal education or training may, as mentioned, deter potential employees from entering the field at a time when they are needed the most. So while professionalization may be a useful tool in some circumstances, the report notes, it shouldn't be used as a proxy for "better."
Here's the report.

Thursday, October 3, 2013

Gabriella Coleman has published an interesting analysis of the hacker group Anonymous:
Abstract: Since 2010, digital direct action, including leaks, hacking and mass protest, has become a regular feature of political life on the Internet. The source, strengths and weakness of this activity are considered in this paper through an in-depth analysis of Anonymous, the protest ensemble that has been adept at magnifying issues, boosting existing, usually oppositional, movements and converting amorphous discontent into a tangible form. This paper, the third in the Internet Governance Paper Series, examines the intersecting elements that contribute to Anonymous' contemporary geopolitical power: its ability to land media attention, its bold and recognizable aesthetics, its participatory openness, the misinformation that surrounds it and, in particular, its unpredictability.

"When everything is classified, then nothing is classified."
I should suppose that moral, political, and practical considerations would dictate that a very first principle of that wisdom would be an insistence upon avoiding secrecy for its own sake. For when everything is classified, then nothing is classified, and the system becomes one to be disregarded by the cynical or the careless, and to be manipulated by those intent on self protection or self-promotion. I should suppose, in short, that the hallmark of a truly effective internal security system would be the maximum possible disclosure, recognizing that secrecy can best be preserved only when credibility is truly maintained.

Wednesday, October 2, 2013

NSA Storing Internet Data, Social Networking Data, on Pretty Much Everybody

Two new stories based on the Snowden documents.
This is getting silly. General Alexander just lied about this to Congress last week. The old NSA tactic of hiding behind a shell game of different code names is failing. It used to be they could get away with saying "Project X doesn't do that," knowing full well that Projects Y and Z did and that no one would call them on it. Now they're just looking shiftier and shiftier.
The program the New York Times exposed is basically Total Information Awareness, which Congress defunded in 2003 because it was just too damned creepy. Now it's back. (Actually, it never really went away. It just changed code names.)
I'm also curious how all those PRISM-era denials from Internet companies about the NSA not having "direct access" to their servers jibe with this paragraph:
The overall volume of metadata collected by the N.S.A. is reflected in the agency's secret 2013 budget request to Congress. The budget document, disclosed by Mr. Snowden, shows that the agency is pouring money and manpower into creating a metadata repository capable of taking in 20 billion "record events" daily and making them available to N.S.A. analysts within 60 minutes.
Honestly, I think the details matter less and less. We have to assume that the NSA has everyone who uses electronic communications under constant surveillance. New details about hows and whys will continue to emerge -- for example, now we know the NSA's repository contains travel data -- but the big picture will remain the same.
Related: it seems that the NSA now has a PR firm advising it on response. It's trying to teach General Alexander how to better respond to questioning.