Kevin Drum - 2013

NSA Paid Security Company to Adopt Weakened Encryption Standards

| Sat Dec. 21, 2013 7:49 PM PST

A few months ago, we learned via the Snowden leaks that the NSA had been busily at work trying to undermine public cryptography standards. One in particular was a random number generator used for creating encryption keys in RSA's BSafe software. But Reuters reports there's more to the story:

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

....Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA's corporate evolution away from pure cryptography products as one of the reasons it occurred.

But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance. "They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.

Well, look. There are a very limited number of reasons that the NSA would be so eager for you to use their encryption software that they'd be willing to pay you $10 million to do it. Surely someone at RSA must have had some inkling of what was going on.

Probably more than an inkling, if I had to guess. But this certainly goes to show just how serious and relentless the NSA has been about crippling the public use of cryptography. The president's surveillance commission recommended on Friday that this stop, and since trustworthy encryption is critical to trust in the internet as a whole, it would sure be nice if President Obama put a stop to this.

Advertise on MotherJones.com

Here's the Worst Part of the Target Data Breach

| Sat Dec. 21, 2013 7:00 PM PST

You know what the most infuriating part of the massive data breach at Target is? This:

Over the last decade, most countries have moved toward using credit cards that carry information on embeddable microchips rather than magnetic strips. The additional encryption on so-called smart cards has made the kind of brazen data thefts suffered by Target almost impossible to pull off in most other countries.

Because the U.S. is one of the few places yet to widely deploy such technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.

There's really no excuse for this. The technology to avoid this kind of hacking is available, and it's been in real-world use for many years. Every bank and every merchant in American knows how to implement it. But it would cost a bit of money, so they don't. And who pays the price? Not the banks:

J.P. Morgan Chase & Co. Saturday told debit-card holders who shopped at Target during a 20-day data breach that the bank would be limiting cash withdrawals to $100 and putting on a $300 daily-purchasing cap, a move that shows how banks will try to limit exposure to potential fraud.

In a letter to debit card holders posted on its website, the bank said such limitations on spending would be temporary while it plans to reissue cards. The spending restrictions don't affect credit card users, the bank said.

That's right: it's you who pays the price. Oh, these breaches are a pain in the ass for card-issuing banks and for Target itself, and it will end up costing them some money. But mainly it's a pain in the ass for consumers. And if this breach causes you to be a victim of identity theft, you can be sure that neither Target nor your bank nor your credit rating agency will give you so much as the time of day. It'll be up to you to reclaim your life even though it wasn't your fault in any way. It's a disgrace.

Halftime Report: Chrome Out, Firefox In

| Sat Dec. 21, 2013 5:49 PM PST

Well, my switch to Chrome didn't go well after all. It turned out that the MoJo tech team had an excellent reason for not supporting it: For some reason, when you paste text into our blog software, Chrome copies over every last bit of HTML formatting from the source document. Why? Beats me. But it doesn't really matter, because Chrome lacked so many handy features that I've gotten used to in Opera that I would have given up on it anyway. So I tried Firefox again, and so far it's been great. It had most of the features Chrome didn't, and the few it lacked could be easily added via extensions. Performance is fine, and it mostly works well with the MoJo web software.

It doesn't have a built-in email client, which is one of the Opera features I like best, but that was eliminated in the most recent Opera update anyway. Given all this, there's really not much reason to stick with a browser that's supported by nobody and that merely produces shrugs (or worse) when you complain about their site not rendering properly.

But before I make the switch permanently, I have a question for the hive mind. I don't really recall why I gave up on Firefox a couple of years ago, but my recollection is that it had gotten slow and crash-prone. Anyone have any comments on that? Has it gotten better? Or does it still tend to crash at inopportune moments?

Also: Are there any add-ons that are so fabulous I should check them out immediately?

Friday Cat Blogging - 20 December 2013

| Fri Dec. 20, 2013 12:59 PM PST

This is the second of Marian's watercolor heart quilts. (You saw the other one in August, and yet another heart-themed quilt on Valentine's Day.) It's machine pieced and machine quilted. It's also nearly our last quilt of the year. There's one more to go next Friday, which will make for a grand total of 23 quilts if I've counted correctly, and then in 2014 we'll return to garden-variety catblogging. In the meantime, enjoy your weekend and watch out for the shopping mobs.

Are You An Atheist at Heart? Take This Simple Test to Find Out!

| Fri Dec. 20, 2013 12:46 PM PST

Chris Mooney writes today about research from Ara Norenzayan that isolates some of the cognitive traits that seem to be associated with atheists:

Less "mentalizing." One of the most surprising scientific findings of the research on the causes of religiosity (or the lack thereof) involves a trait called "mentalizing."....On a social level, mentalizing helps you connect with and relate to others....As for atheists? Norenzayan's research suggests they tend toward less mentalizing, which makes religious beliefs less intuitive to them.

....Analytical thinking style. In addition to mentalizing, a number of other basic cognitive traits have also been shown to promote religiosity. One very important one is having an intuitive style of thinking, as opposed to an analytic, contemplative style that favors in-depth, effortful thought.

Well, he sure has me pegged. A third (non-cognitive) trait that Norenzayan thinks promotes atheism is material security: "Again and again in Norenzayan's research, societies that are existentially secure—meaning that people have access to health care and a strong social safety net, that there is a strong rule of law, but also that they are not facing deadly diseases or natural disasters—tend toward less religion and also more tolerance of atheism." So maybe those crazy conservatives are right after all. Maybe Obamacare really is a secular plot.

More at the link.

Chart of the Day: Here's Why Our Current Recovery Sucks So Bad

| Fri Dec. 20, 2013 11:25 AM PST

Nobody asked me for my favorite chart of the year, which is too bad. Because I actually have one. It's the chart from my austerity piece a couple of months ago that shows how government spending has plummeted during the current recovery, something that's never happened before. If you want to understand the weakness of our economic recovery over the past five years, it tells about 90 percent of the story.

But there are other versions of the same chart. Matt O'Brien has one today that shows government employment during every recession since World War II. As you can see, only two others have featured employment declines of any kind, and our current recovery features the biggest decline of all:

As Ben Bernanke put it, "people don't appreciate how tight fiscal policy has been." And how much that's knee-capped the economy. Take jobs. Bernanke points out that total public sector employment—local, state, and federal—has fallen by over 600,000 during the recovery alone. As point of comparison, it rose by 400,000 during the previous one.

How is it possible that government added more jobs after World War II demobilization than now? Or after the 1980 recession, which was followed by another recession a year later? Well, it's what Paul Krugman calls the 50 Herbert Hoovers effect....Like Hoover in the 1930s, [states] tried to balance their books amidst a depressed economy. And like Hoover in the 1930s, it didn't work out too well. They went on a cops-and-teachers firing spree the likes of which we've never seen before. And one that was the difference between unemployment being 6 instead of 7 percent today.

The greatest trick austerians ever pulled was convincing people that it was stimulus that had failed.

It was a great trick, and they did it by focusing attention like a laser on the federal government. If you do that, spending and employment don't look too bad. But if you look at the big picture, the modest federal stimulus we enacted never came close to making up for the brutal austerity at the state and local level. It's the same trick conservatives use when they moan about tax rates hitting the rich too hard: They look solely at the federal income tax, which is fairly progressive. But they studiously ignore all the other taxes that make our system look a whole lot flatter.

The plain truth is that stimulus never failed. As Bernanke says, we never really had any serious stimulus. Sure, the little bit we got helped, but if we'd had a Congress that actually cared more about the economy than it did about the next election, we'd be in a whole lot better shape today than we are.

Advertise on MotherJones.com

Red States Remain Adamantly Opposed to Medicaid Expansion

| Fri Dec. 20, 2013 10:00 AM PST

A lot of people, myself included, have hoped that pressure from health care groups will eventually persuade even deep red states to enact the Medicaid expansion that's part of Obamacare. After all, the expansion is almost entirely paid for by the federal government, and the loss of Medicaid money hurts doctors and hospitals in the affected states.

Today, Dylan Scott reports that the key word here is "eventually." For now, anyway, red-state politicians are adamant about never, ever expanding Medicaid by even a dime:

Top officials for powerful trade organizations in three of the largest states not expanding Medicaid under Obamacare told TPM that they have effectively given up that fight until political conditions change, setting their sights on 2015 at the earliest.

"What I'm really struggling with is — I don't even know how to talk about expanding Medicaid without just pissing Republicans the hell off and making them think I'm part of the problem," said a top official for one of the industry groups, who spoke on the condition of anonymity to talk frankly about the political reality in their state and avoid upsetting the chances of expansion in the long term.

....These organizations approached Medicaid expansion as a typical legislative issue last year -- the kind where the promise of billions in federal dollars and opportunity to insure thousands of your constituents would trump ideological purity...."We found that this issue is much bigger than that. The influences are much stronger than a state-derived influence in terms of keeping states in the 'No' column," a trade group official in a third state said. "We can't even call it Medicaid expansion here. That's a politically incorrect way of saying it."

Ideological purity continues to trump the prospect of helping the poor, even when that help is all but free. Ladies and gentlemen, this is your modern Republican Party.

Quote of the Day: In Shocking Development, Media Org Gets Suckered By Darrell Issa Once Again

| Fri Dec. 20, 2013 8:39 AM PST

From ABC News:

This post has been updated to include an expanded response from CMS and a statement from the ranking member of the House Oversight Committee.

OK, I admit that doesn't seem like much of a quote. But Steve Benen provides the backstory: ABC ran a story today about "two high findings of risk" in the Obamacare website. This came via a leak from Darrell Issa, who is practically infamous for leaking partial transcripts of hearings that are wildly misleading. But ABC ran with it anyway. So here's what CMS said when they got a chance to respond:

In one case, what was initially flagged as a high finding was proven to be false,” the agency said in a statement. “In the other case, we identified a piece of software code that needed to be fixed and that fix is now in place. Since that time, the feature has been fully mitigated and verified by an independent security assessment, per standard practice.”

The administration maintains that no components of the website were allowed to go live after Oct. 1 with “open [unresolved] high findings.”

....The ranking Democrat on the committee, Rep. Elijah Cummings, D-Md., has accused Issa of a “reckless pattern of leaking partial and misleading information” about the website operations.

“The very same witness interviewed by the Committee also said there have been absolutely no security breaches of the website and that she is satisfied with the current security testing,” Cummings said in a statement responding to the release of Fryer’s testimony. “This effort to leak cherry-picked information is part of a deliberate campaign to scare the American people and deny them the quality affordable health insurance to which they are entitled under the law.”

Naturally, Cummings' statement was relegated to the very last paragraph of the piece. But that's basically the whole story. One bug turned out to be trivial and the other has been fixed and never caused any problems. This is exactly what's supposed to happen with bugs. For all practical purposes, the update undermines the entire story.

When will reporters learn not to trust Issa? Judging by current practice, never.

UPDATE: It turns out this is even worse than I thought. Michael Hiltzik has the full story here.

Obamacare Enrollments Are Starting to Surge

| Thu Dec. 19, 2013 4:01 PM PST

Over the past 24 hours, I have managed to say not a single word about either Duck Dynasty or Pajama Boy. So what do I get for my reward? This:

HORSEBACK GUESSTIMATE WARNING: Unless it's hidden away somewhere, California hasn't released weekly enrollment numbers. But they've released numbers for October, and for the first two weeks of November, and then for October+November. Then today they released numbers for the first three days of this week: 13K on Monday, 19K on Tuesday, and 20K on Wednesday. If you put that all together and then take a reasonable swag at filling in the gaps, you get the chart above. It's not official or anything, but it's probably not too far off.

And what it shows is that with deadlines finally looming, all those people who have been shopping for the past month or two are finally enrolling at a furious pace. Other states are reporting a similar surge. Obamacare still has a long way to go, but things are definitely starting to perk up.

Pet Peeve Watch: I. Am. Not. A. Guest.

| Thu Dec. 19, 2013 12:53 PM PST

Yet another store has been hacked, losing data on millions of credit and debit cards. This time the victim was Target, but it could have been anyone. Once again, corporate America has demonstrated that it couldn't care less about customer security and privacy.

But you already knew that. Instead, I'm curious whether I'm alone in hating, hating, hating this particular euphemism from Target's CEO:

Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause.

I. Am. Not. A. Guest. A guest is someone I invite into my home and ply with free food and drink. Because, you know, they're my guest. Target doesn't do that. They sell me stuff. I pay for it. (Probably with cash from now on.) I can complain about poor service. I can return stuff I don't like. I can choose what I want to buy and what I don't. That makes me a customer. Not. A. Guest.

So knock it off.