315 comments

[ 2.8 ms ] story [ 278 ms ] thread
How do we know it's Snowden?

So are more documents going to drop?

If yes the the former, why can't The Guardian do an all-out dump instead of piecemealing it?

How do we know you're aroch?
Why do you care unless he's making statements which depend on his authoritative experience, as Snowden is doing?

The real question is why Snowden needs a secure internet connection, seeing as how everyone knows (1) who he is (2) where he is and (3) it's a public Q&A so the idea is for everyone to hear what he says.

Were he really concerned about tampering, the more important issue would be distributing an authenticated public key to prove his responses weren't being quickly edited in flight. Which popping on and offline...doesn't really assure anyone about.

I don't know, maybe because an anonymous user is casting dispersions on the authenticity of someone who has very much put themselves forward as a real identity?
So because we "know" Snowden leaked the documents we should automatically "know" that he's the one responding? There's no web of trust or verification that we know of; we're taking the Guardian at its word. How do we know its not just some intern who has a list of answers given to probable questions?
The Guardian (a newspaper cum hyperblog) is inventing and impersonating a whistleblower for it's nefarious, I mean, link bait purposes now?
Wow, that's not at all what I said. I like how you're deliberately taking things out of context.

We, the public, have no way of knowing if indeed its Snowden answering. It could be any number of persons, we just know that The Guardian says it's Snowden (probably). I'm all for calling the USG out on this matter, but I'd like if we could get some public verification of who is answering.

Many papers publish reports on things where the sources are not even named; indeed, the protection of anonymous sources is one of the tenets of journalism.

Requiring not only a named source, but a way of verifying that statements / correspondence were provably from that source, seems an impossibly high standard to meet (eg., he could sign each comment with a PGP key. But then, "How do we know it's his PGP key?". Etcetera etcetera, ad infinitum)

> Many papers publish reports on things where the sources are not even named; indeed, the protection of anonymous sources is one of the tenets of journalism.

Except this isn't the WSJ reporting on a new iPhone "rumor", this is a very public release of important information. He's already outed himself, so this isn't about protection of anonymity.

It really isn't hard for the Guardian and Snowden to setup a CoT including PGP. They can verify it using a key pair they have ultimate trust in and then include that verification in their posts. It isn't asking a whole lot for them to say why or how they have trust in the responses they're getting. I trust the Guardian, what I don't trust is whether or not we're actually getting answers from Snowden that aren't being manipulated en route or otherwise not "live" and intact.

Most means of verifying his identity are at least somewhat suspect. What sort of verification would satisfy you?
Something more than "oh, yeah, that's him". I'm well aware its hard to be 100% certain, but surely they can offer something beyond "because we said it is".
Well, what would you propose?

I mean, pretty much every photo and video I've seen of the guy comes from the guardian - they could easily just be of a Guardian intern. So a photo of him holding a sign is out. A GPG key which is reputedly his is of extremely questionable provenance so a signature from that would be meaningless. He could leak some new top secret data to establish that he has access to it - but we know guardian journalists have had access to such data already and surely they have some stuff on file for future reports.

I'm curious as to what sort of proof you'd like?

We don't, but we also don't care. I'm not making substantive claims which impact millions if not billions around the world.
Substantive claims that haven't been denied by President Obama? ...other than America has nothing to worry about waves hand retreats behind curtain
What are you going on about?
President Obama stated the surveillance was good for America. Just trust him, no?

Kinda has 'allies' such as myself in Australia wondering about the extent and the utility of the dragnet.

And this has to do with this comment thread how? When President Obama makes a statement, we know he's the one making it. It's publicly televised, he's the one saying it and we have very little reason to doubt that he is indeed saying the thing. This thread makes no claims about whether the things the person is saying are true, it's about whether we can verify who is making the claims.

But, by all means, continue to ignore what I'm talking about and interject your own sputum.

Because the point whether or not you believe they care about the content, or are cynical and assume it is just about their traffic, is to get maximum mileage out of it. And the way to do that is to drag it out.

If they dumped everything at once, a lot of it would get drowned out by a small number of the most interesting revelations.

You can dump everything and then spend the next 6 months going through it with a fine-toothed comb and writing articles daily. Is the public really better served by waiting months to hear everything?
Yes, it gives Greenwald and Snowden the ability to exercise at least a little control of the story at the expense of Washington. So far I'm unimpressed by how revelations have played out under scrutiny but I hope they have something that allows them to just wait for the US government to back itself into a corner before they release hopefully more detailed and informative documents and primary sources.

Maybe they have one really big scoop that must be released at the right time and the rest of their hand is just bad PRISM powerpoints and warrants. Yay speculation

Other journalists would try to beat The Guardian to the scoop, with the same result. Everyone would be talking about it for two weeks, then we'd forget.

By controlling the flow, they can make sure that each important revelation is allowed some time in the spotlight. The issues gets a lot more attention that way.

You people are un-fucking-believable. You are literally lauding -- no, contorting yourselves to defend -- the hoarding of information you consider vital to the public good, and the slow, drawn out manipulation of the public's attention for private gain. This is, at a high level, directly analogous to whatever evil you think the NSA is committing.

And the dumbest of all ironies, which I'm sure is lost on all of you, is that you are employing utilitarian ethics to defend it. That is exactly how a spy program is considered ethical.

God. The humanities really are dead if this kind of clueless doublethinking represents the future thought leadership of our world.

No, I think the unbelievable people are supporting the gradual release as they feel it maximises the impact of the revelations, for the public good. What with news cycles and short attention spans and everything.

You seem to disagree, but don't make any convincing arguments that dumping all the information immediately is better for the public good. Probably because it's a very hard task.

I'm not saying whether it should or shouldn't be released. IMO there is no "there" to this story anyway, as will be revealed when/if these mysterious documents arrive. My critique is of the naked speculation run rampant on HN, and the post hoc rationalizations for believing wholeheartedly claims which are, at best, dubious and in any case unsubstantiated.

The story doesn't even pass the simplest of tests for self-consistency. An NSA contractor claims that the government is listening to all digital communications, but is somehow able to transfer classified files, taken from the NSA, to a journalist in the UK. If we believe the first part, how could the second part happen? If the agency had such a capability, I would assume that a call between low-level NSA employees and journalists (foreign ones especially) would trigger all sorts of alarms.

Huh? He didn't assert that the NSA has omniscience and the ability to instantly target, decrypt and analyze every piece of digital communication in the world. What he's talking about is the broad collection and storage of this data that can then be retroactively mined, possibly decrypted (for cases where encryption is even used) and analyzed when the sender and/or recipient becomes "interesting" to them.

Do you think he used his work phone to call Glenn Greenwald's personal phone or something? I think it can be rationally assumed that he used the best anonymizing techniques and encryption he's aware of to transmit the information.

IMO there is no "there" to this story anyway

I disagree, there have been significant leaks - confirmation of the NSA collecting every phone record in the US on a daily basis, confirmation that the DNI lies to his oversight committee, confirmation that the NSA has collected almost 3 billion records on the US in march 2013, allegations that the NSA is attempting to collect all internet traffic, both outside and inside its borders, in the broadest possible sweeps. If it was such a non-story, I don't think Obama would have done a press conference about it, would he? That's a lot of 'there' for a non-story if you ask me, and sounds like the NSA has significantly expanded its mandate without proper authorisation or oversight.

An NSA contractor claims that the government is listening to all digital communications, but is somehow able to transfer classified files, taken from the NSA, to a journalist in the UK. If we believe the first part, how could the second part happen?

Just because lots of data is collected, that doesn't mean they can find what they want from it, except in retrospect, so I'm not sure where the contradiction lies there for you - I think his communications with Greenwald were encrypted (according to the film-maker he contacted first) after first contact.

Also, I don't remember him saying specifically that they are listening to all digital communications, just that they can if they want to listen in to any communications, did he allege that somewhere?

They are doing us a huge favor by dripping the content. This forces other media outlets to continue the coverage of the (relatively un-sexy) topic.

We were complaining for ages that nobody covers and addresses privacy related issues. Thanks to Greenwald's and Sowden's media strategy it finally becomes frontpage news. Plus, with a little bit of luck we see the US government getting a few more times caught lying to the public in very clear terms.

In my opinion this is going to be a case study on how to masterfully orchestrate a press campaign. Just look at this week, Sunday: Release of the G20 spying story, Monday: Live Q&A, Tuesday: Most likely discussion of something he revealed in the Q&A, etc. Wouldn't be surprised if they had scheduled out a few weeks ahead. I'm sure there is at least a prime-time TV interview with Snowden still to come.

I think it might also be a case study in journalistic ethics classes in the future about how much a news organization should "push" a story or topic. The Guardian clearly has a point of view they want to push on this story (which isn't inherently bad) and I think some will argue that this distorts or distracts from the underlying story.
Like it happened with the Wikileaks diplomatic cables.
We don't know it's Snowden, but The Guardian is putting its reputation at risk, so I suppose their journalists have some degree of certitude about it.
> why can't The Guardian do an all-out dump instead of piecemealing it?

I suspect they're laying a trap for the gov't; hoping to catch them in a big irrefutable lie.

"How do we know it's Snowden?"

The same way you attribute credibility to any story you read (on the Internet or anywhere else), the reliability of its source.

The Guardian says it's Snowden, confidently enough to make it public. It boils down to how much you trust them as a reliable news source.

If they weren't sure, I believe they'd evaluate the possible backlash to their credibility and not run the story at all.

"How do we know it's Snowden?"

Because if it was found out that it wasn't, the Guardian would be finished. Faking this would be a scandal on a level with journalists "phone tapping". Literally, the news paper would be shut down. Not by some judge or government evil, it would become a laughing stock and its readers would abandon it.

"If yes the the former, why can't The Guardian do an all-out dump instead of piecemealing it?"

You publish a small amount. Let the accused say what they want to say. As they have done, they seek to minimize everything and covering their backs. Then you hit them with more, hopefully the next set of information will contradict what they have already said. Potentially they get caught lying "directly" in public.

So, simply: (Leak 1)I saw you at the pub. You deny it. (Leak 2)I offer the evidence of a witness. You claim the witness is wrong. (Leak 3)I produce CCTV footage. I prove my case (assuming in this example we accept the CCTV as "fact"), and you lied twice instead of telling the truth at the first opportunity. You are then well and truly fecked.

    He will be online today from 11am EST/4pm BST today. An 
    important caveat: the live chat is subject to Snowden's 
    security concerns and also his access to a secure 
    internet connection. It is possible that he will appear 
    and disappear intermittently, so if it takes him a while 
    to get through the questions, please be patient.
Hah, nice. Reading that just made me smile. Loads of people are going to be patiently watching out for the lag, for the possible periodic disconnects/reconnects, and they will be vaguely internalizing why Snowden has to do this. And this is pretty mainstream news at this point, people are going to be on edge listening for his words. I like the cyberpunk feel of these happenings. We live in interesting times.
"he will appear and disappear intermittently"

How frustrating a taunt to those in the NSA who would rather make him disappear permanently.

Edward, do you believe winning the Nobel Peace Prize would help get the hunter-killers off your back?
Has some truth to it. It would compensate the horrible mistake of 2009.
Imagine the US assassinating or imprisoning a Nobel Peace Prize winner. It wasn't that long ago where we would fight regimes who did that.
Or one Nobel Laureate jailing another.
Chile is eager to imprison a particular Nobel Peace Prize winner... and frankly, I more or less support them.
Can you state which one you're talking about for ease of Googling?
At least he and Obama would have something in common then.
I find it somewhat amusing that he's at least somewhat likely to use Tor, which was developed by the US Naval Research Laboratory.
Actually that would be a good question to ask him.

Him intimately knowing about how NSA does stuff, what would be his suggestion of ensuring anonymity. What steps should one take, what tools should one use, etc. His answers on this would be very telling. Someone please ask him that!

That would be also my question to him. How secure is Tor? How many Tor nodes has NSA for timing analysis?
My question: How secure is I2P and why did you choose Tor over it?

If not Tor or I2P, what steps would you have taken? What other measures can you publicly reveal you are using/have used in the process of securing yourself?

How do you recommend those technologically able protect themselves, along with the general public?

I find it highly unlikely he will reveal what his strategy for staying free is. This would kind of be a dumb reveal even though I am curious what it is.
PSA: 11am EST is when this comment turns 55 minutes old.
(comment deleted)
Let's upvote here questions to him - then someone will post them at the chat.
The mentions of his security concerns reminded me of this: http://grugq.github.io/blog/2013/06/14/you-cant-get-there-fr...

"As a thought experiment, imagine that Osama bin Laden was still alive and that he used the Tor network to do a Reddit AMA once a month. How long do you imagine it would take for the US to find and neutralize him? I posted this question on Twitter and, while responses varied, ex-NSA Global Network Exploitation Analyst Charlie Miller guessed one to two months. I would be very surprised if it took more than three."

"neutralize"? Say what you really mean.
Probably "kill". I don't think that was the point though.
I think it's intended more technically than what the other posters are inferring. I.e. the gov't doesn't care if he's dead, disabled, or otherwise unable to continue. Any and all of the above are intended by neutralize, and I think it's being used precisely rather than euphemistically.
I'm curious if the US govt will DDoS The Guardian during the q&a
Ha, we should be so lucky. That would just fan the flames of an already kindling fire.
Doubtful, but certainly a curious thought. I'm skeptical that actively censoring the media via "hacking" (because DDoS is classified as hacking to them) will bode well for their situation. Still, they could blame it on citizen traffic.
While some say "government intelligence" is a contradiction in terms, I presume the intelligence agencies we've got are savvy enough to know about the Streisand Effect.
I'd like to ask him how people can support him financially. A Bitcoin address would be cool, but he'd still have to convert it to local currency.
This guy is amazing. The thing I love about him is he truly embodies the bravery that goes along with the idea that it's better to live in a free society with a modest threat of terror attacks than to live in an oppressive society where we are supposedly kept "safe" from the terrorists hiding behind every corner.

It takes courage to make such an assertion. The NSA spying route is fundamentally based on cowardice.

Amazing poetic writing skills, love it:

  "Ask yourself: if I were a Chinese spy, why wouldn't
   I have flown directly into Beijing? I could be living
   in a palace petting a phoenix by now."
why did I not drop our of school and get a 200K job:-(
The money quote:

"Bathtub falls and police officers kill more Americans than terrorism, yet we've been asked to sacrifice our most sacred rights for fear of falling victim to it."

Variants of that argument (usually related to smoking, alcohol, and backyard pools) have not persuaded anyone in debates over the Second Amendment. They seem unlikely to persuade anyone in debates over the Fourth.
Even if nobody listens, it still needs to be said.
It's a different situation. American's really like the idea of having the power to protect themselves. That's why when you throw the statistic that you will most likely never need the gun they don't care. This is because despite the odds being so low they are afraid of being that 1 or 2%.

However, American's really don't like the idea of an overly powerful government watching over your shoulder. The idea that the government is supposedly using gathering this information and that it doesn't even have a legitimate use case is unappealing to most.

I think you interpreted the parent as saying people should be persuaded to support gun control; I think the parent was saying people should be persuaded to oppose gun control. I base this on the "(usually related to smoking, alcohol, and backyard pools)" - the implicit argument being "each of these things kill more people than firearms, why is it the firearms you want to regulate?"
It's because one has a decision to drink, smoke, or buy a pool. One doesn't get to choose if they will be shot.
No, I don't think that is the reason.

Many parents would rather that their children not visit the home of a friend that had guns in it. Would as many parents be apprehensive about sending their children to a home with a pool? I suspect not.

There may be legitimate reasons that they are treated differently in a way that does not immediately make sense when you examine the risks they pose, but I don't think that choice or lack of it is that reason. I think that you are looking for something more subtle.

Agency is scarier than lack of agency.
Speaking as a parent who has left his children to be babysat at houses with both guns and pools, the pools are a far bigger concern. When both are treated as the dangers they can be, neither is a threat. It's much easier to forget about a pool than a gun, though, and a gun is much less likely to be accessible to a child than a pool. Kids who can't swim can fall into a pool and drown before you realize that anything's wrong, and playing around pools is normal kid behavior, while playing with Actual Real Firearms is not.

I wouldn't leave my kids at any place that I felt was going to be a tangible danger to them - be that a house with a pool and a back door that doesn't have a child lock or pool gate, or a house of an irresponsible gun owner, or a house with exposed electrical wiring, or anything else that I feel poses a material threat to my child's life.

(comment deleted)
> Americans really don't like the idea of an overly powerful government watching over your shoulder

Most Americans haven't thought about it hard enough to make a meaningful personal decision and have allowed themselves to adopt the first external opinion they were offered, so it's about 50-50 pro-con on the question.

What you're doing, is giving yourself permission to not engage other people about the issue. "Oh, I don't need to talk to grandma, I'm sure she's already on my side."

Very effective too "Being called a traitor by Dick Cheney is the highest honor you can give an American"
By far my favorite quote against my most hated American.
You've just been added to the "List"
I might hate that guy who kept those women locked up a bit more...
Well that guys actions resulted in only 3 women and a child being locked up and tortured for a length of time that is now over...
I said might.

Actual outcomes need to be weighed against counterfactuals, and I think the claim that the alternative would have been worse in Cheney's case - while I dispute it - is better than in the other.

I understand you were not being definitive and I doubt very much that people would disagree that Cheney is a better person than that rapist given the same ability to effect the world.

Having said that Cheney had a lot of power and a lot of impact. In relative terms the alternative to Cheney in power does not need to be much better to result in an absolute impact greater than the 4 lives affected by that rapist.

My statement was meant to point out that the absolute rather than the relative "evilness" of him is a viable reason for some to hate him.

I understood, and I don't mean to say there's not some validity to the perspective.

  "If they had taught a class on how to be the kind
  of citizen Dick Cheney worries about, I would have
  finished high school."
Wow, clearly there is a historical quote being born in this text..
This was by far my favorite quote from his answers. Perfect way to cap off that whole paragraph.
Yeah, that's incredibly cool. Make a meaningful statement whilst throwing their own rhetoric back at them. The more I hear/read from this guy, the more I like him!
Of course, if you were a Chinese spy but you also wanted the world to believe you were not, this is exactly what you would say.
If you were a Chinese spy, why would you play the game of releasing the information to the public at all? You'd just go straight to the Chinese and disappear into their protection. There's nothing to be gained by an elaborate charade as a whistleblower.
A damning allegation with global economic consequences is easily dismissed as propaganda if it comes from the Chinese government. Not so if it comes from a whistleblower.
So NSA hired a Chinese spy and didn't know it?
Well, his revelations about the extent of US spying in China/HK certainly helps take the focus off of how much cyber-spying China does on the US.
Of course, if you were an American spy and wanted to discredit him, this is exactly what you would say.

We can do this all day...

But that's taking the second derivative of the situation. Most people can barely take the first.
The point is that it's a ridiculous nonsense statement. It can be applied to anyone about anything. I have no problem with someone believing he's a spy based on evidence or even intuition. I do have a problem with a tautology being used as evidence, or to sway opinion.

If the person is trying to deceive you they will attempt to deceive you. Well, duh.

The phoniexs and palaces is what the officer who is your handler says you will get :-)
Heh - Just like all the promises of the military recruiters to me when they saw I aced the asvab.

"No thanks!"

That is an evasive answer to the question: "The US Government alleged that you gave sensitive information to the Chinese."

Based on his answer, he probably did give sensitive information to the Chinese.

Just for people like you: No. I have had no contact with the Chinese government. Just like with the Guardian and the Washington Post, I only work with journalists.

The things you can learn if you click the link, huh?

We learned that (taking him at his word), he hasn't personally handed classified information over to the Chinese government, but he has handed it over to an unknown number of journalists.

Who have the journalists passed it along to, voluntarily or through coercion? We have no idea. Once it's out of his hands, Snowden himself can't know for sure.

And? There's a huge gulf between "maybe China will find out if he leaks stuff to the public" (duh) and "maybe he's a Chinese spy." (huh?)

Are we supposed to believe that Chinese intelligence has been wringing its hands for the past decade, just wishing a US whistleblower would reveal a bunch of stuff to the media so they can figure out what's going on? They do have real spies, you know.

This is a smokescreen.

I didn't say he's a Chinese spy. Neither did the person asking the question ("The US Government alleged that you gave sensitive information to the Chinese.")

I'm saying, he very possibly gave sensitive information to the Chinese government, perhaps inadvertently or through indiscretion. You don't have to be a Chinese spy to do that (he was actually the one who presented the false equivalence).

Talk about moving the goal-posts...
That is not the reason why the "Chinese spy" thing has popped up. Of course the Chinese government is getting classified information from this: They can read newspapers at the very least.

The issue here is an attempt to paint him as influenced or controlled by the Chinese in his decision to take documents, which would instantly make him reviled by a lot of people who will hail him as a hero as long as believe he did it of his own accord.

You don't have to be in direct contact with the Chinese government to provide them information. It is probably the case that spies do not have direct contact with the government they are spying for. He namedropped the Guardian/WashPo. Sure, I can believe that journalists from these papers aint' Chinese spies, but how about the Chinese papers that he talked. Oh, he conveniently did not mention them.
"The consent of the governed is not consent if it is not informed." - Snowden
What would you say to others who are in a position to leak classified information that could improve public understanding of the intelligence apparatus of the USA and its effect on civil liberties?

"This country is worth dying for." - Snowden

That's the stuff History is made. I'm not American, don't think that it even matters at this point, but I'm printing a picture of the guy to stick it where everybody can see what a great thing a decent human being can be.
Interestingly, the same person also asked:

> What evidence do you have that refutes the assertion that the NSA is unable to listen to the content of telephone calls without an explicit and defined court order from FISC?

And it was the only question Snowden ignored.

I'd disagree that he ignored it. A later question covers the same (or very similar) ground.

""" Q. Can analysts listen to content of domestic calls without a warrant?

A. NSA likes to use "domestic" as a weasel word here for a number of reasons. The reality is that due to the FISA Amendments Act and its section 702 authorities, Americans’ communications are collected and viewed on a daily basis on the certification of an analyst rather than a warrant. They excuse this as "incidental" collection, but at the end of the day, someone at NSA still has the content of your communications. Even in the event of "warranted" intercept, it's important to understand the intelligence community doesn't always deal with what you would consider a "real" warrant like a Police department would have to, the "warrant" is more of a templated form they fill out and send to a reliable judge with a rubber stamp. """

What I took from this is that the process is so 'optimised' that even a court order doesn't mean what most people would think it does (i.e proper oversight and consideration).

I imagine that today will be a very interesting day for the Guardian's operations team.
Can't wait for the twitter pic of him holding up a piece of paper saying:

"Hi Reddit! 17th June, 2013"

Oooh, this one from the article comments, one that tptacek will be happy about ;) (and it's a good question, to settle):

> Define in as much detail as you can what "direct access" means.

Unfortunately he didn't really answer it.

"More detail on how direct NSA's accesses are is coming, but in general, the reality is this: if an NSA, FBI, CIA, DIA, etc analyst has access to query raw SIGINT databases, they can enter and get results for anything they want. Phone number, email, user id, cell phone handset id (IMEI), and so on - it's all the same. The restrictions against this are policy based, not technically based, and can change at any time. Additionally, audits are cursory, incomplete, and easily fooled by fake justifications. For at least GCHQ, the number of audited queries is only 5% of those performed."

No, he did answer the question, with the biggest walk-back in the history of whistle-blowing. He defined it as "direct access" to internal databases of shit the NSA has already collected. Absolutely not the same as what Snowden was selling the newspaper reporters a week ago, which was "direct access" to Google servers.

Also, by the way, 5% auditing is an very high rate. With a 5% audit rate, you'll catch evil-doers in no time at all.

Not necessarily, if those audits are "cursory, incomplete, and easily fooled".
I don't think Snowden would have any idea whether the audits were effective or not. An analyst in the position of auditing is likely segregated from the employees whose searches are audited.
He may have guidance about the types of things that auditors are looking for.

For example, checking out your neighbor, girlfriend or a public person's records for curiosity is probably a big red flag.

I think it is entirely plausible that a sysadmin would know exactly what logs the auditors inspect and that he would know the things like how often the logs were deleted as well as exactly what information is (and is not) captured in the logs. He may even have had access to the same tools the auditors used so that he could run them himself and see what they flagged and didn't flag.

It is my experience that systems auditors rely heavily on sysadmins to do their jobs. At a minimum the auditors are "just" another set of users and the sysadmins' responsibilities include supporting the auditors even more closely than they support regular users of classified systems. Frequently the auditors themselves do not have systems-level knowledge of the computers they are auditing.

Security on every classified system that I've seen was generally limited to a series of a checklists that some talented specialists once put down in a manual and are left to low-skilled employees to check off each day/week/month - if it isn't specifically on the checklist they have little to no knowledge of it. That includes glaring procedural holes. Essentially security is all CYA, so that everybody involved can say they followed the rules and not lose their job if something goes wrong.

But the picture I'm getting is that they 'collect' everything (via fibre intercepts etc), because they've interpreted the rules as being "collect everything but then ask permission to look at it"
Which still doesn't mean that the NSA has "direct access" to any server owned by Google/Facebook/Microsoft.
Did Snowden say "direct access" in his interview or elsewhere? I thought that was an extrapolation of journalists writing about his story afterward (who also got details like the salary slightly wrong), taken from the wording on the slides, and reinforced in people's minds by the denials from Google et al which talked of backdoors etc? I don't think he made any claims about direct access, only that he could access all account details including emails etc if he had 'the proper authorities' as he puts it (which is pretty consistent with the slides and with the Google claims).

I don't remember him using that particular phrase at all at least in his initial video - I remember him talking about the ease with which they could access data using a 'selector' like an email address, not making claims about specific connections to servers or anything similar. He's not responsible for what journalists say, and we can't expect them to clearly restate it all the time, but what we do know about the extent of surveillance is disturbing. It's still unclear exactly what is recorded, when and how and I'm sure we'd all love to know more, but in the meantime it's not very useful to try to discredit his claims based on the interpretations of others.

https://eslkevin.wordpress.com/2013/06/10/edward-snowden-int...

Yes, it's an extrapolation from the slides.

My beef with the phrase though is that Greenwald keeps repeating it and sticks by the story that the NSA slides said it so it must mean something, without bothering to ask his supposedly very knowledgable source to expand further on the topic.

"Collect everything; analyze later" is not a feasible strategy. Nobody has that kind of storage, and even if they did, nobody has the CPUs to ingest the stream. I think it goes without saying that you need a Google-scale computer to ingest Google-scale network traffic, and that's just one of the companies in question, on top of all the public transit bandwidth. Nobody has presented any evidence that the NSA has computing facilities on that scale. The only one we know of is not yet built, and way too small.

I think it is completely feasible that the NSA would or does collect all or a great deal of voice traffic, because that's a tiny piece of network traffic these days.

I've always assumed the US gov't does have this computing power and that's why we spend so much on national defense. Besides, when you employ more mathematicians than anyone else, I'm sure you can come up with some smart ways to store big data. Also, I think it would be fairly cheap to just write everything out to tapes or disk and dump them in a closet, even if you don't have the money to load them all in a database (so that you can put them online when technology improves or you have more budget/time). Further, I haven't seen where Snowden clearly retracted his 'direct access' assertion. You might keep some identifiers in a database and the whole dataset on a user can be ingested on demand from Google or whichever company (even if that means sending an automated request to Google which automatically responds by dumping data to FTP).
Why is "walkback" the term everyone is using?
To walk a story back is journalism industry jargon for slowly dropping claims made in your initial story, until there's nothing of substance remaining.

Going from "NSA has direct access to servers of major internet companies" to "Some NSA analysts' database accesses inadequately audited, according to random sysadmin" is a textbook walk-back. Of course you will never see the latter headline on Greenwald's blog.

In answer to the first question, he writes:

"...Not only that, when NSA makes a technical mistake during an exploitation operation, critical systems crash. ..."

Well, if they have no access to the actual company servers, how could you then reconcile the above statement?

That statement was in regards to their widespread international network intrusions into potentially critical networks, not authorised access to American companies.
What are the contents of the raw SIGINT databases with respect to telephone audio? Is that audio dragnet? Can an analyst, from a technical perspective, initiate monitoring of a person unilaterally?
The impression I get is that they collect everything they can. If they want to actually _look_ at what they've collected, they are supposed to ask secret permission from a secret court that gives a secret answer. Of course, we trust that they _always_ ask this secret court.
He answered the question that was asked.

He didn't answer the question that the person asking probably wanted an answer to, which was about direct access in regard to Prism. But that's the fault of the person asking not being precise...

You have to remember there are tons of programs going on. To the people who have been paying attention to the Prism "direct access" debate, it's probably pretty clear what the person asking the question was getting at. But it makes total sense that someone as familiar with the programs as a whole would answer about "direct access" in general.

(comment deleted)
(comment deleted)
From the chat -

"Anthony De Rosa 17 June 2013 2:18pm 1) Define in as much detail as you can what "direct access" means.

2) Can analysts listen to content of domestic calls without a warrant?"

Answer (Snowden)

"1) More detail on how direct NSA's accesses are is coming, but in general, the reality is this: if an NSA, FBI, CIA, DIA, etc analyst has access to query raw SIGINT databases, they can enter and get results for anything they want. Phone number, email, user id, cell phone handset id (IMEI), and so on - it's all the same. The restrictions against this are policy based, not technically based, and can change at any time. Additionally, audits are cursory, incomplete, and easily fooled by fake justifications. For at least GCHQ, the number of audited queries is only 5% of those performed."

(comment deleted)
I understand "direct access" to be the conflation of 2 different things: the first is the FISA-stamped requests to private companies for their records, and the second is the intercepts of data transmitted over the internet or phone networks by being listening in on the wires/radio-waves themselves (raw SIGINT). This seems overly schematic, however, and I would welcome corrections.
Oh wow:

MP_Stroebele_GER 17 June 2013 3:53pm

Mr Snowden, as a deputy at the Bundestag (German Parliament) who is responsible for the supervision of the intelligence apparatus, I am eager to know if you have any knowledge about information which was given to the German Government or the Bundesnachrichtendienst by the NSA within the PRISM programme. If so, do you know how much and what kind of information was given to them and if the BND knew that it was gathered by PRISM? Best regards, Hans-Christian Ströbele

He's not dumb - i doubt he is going to answer a question from an official of another government.
What matters is that the message suggests that a German MP 'responsible for the supervision of the intelligence apparatus' is not certain whether German intelligence has access to PRISM and other related programs' data.
Or is trying to suss out what, if anything, related to himself may be leaked in the upcoming days.
Given he's from the Green Party, my money would be on the GP's theory.
good point - but I just didn't think that he should expect a response.
(comment deleted)
(comment deleted)
His answer to the question "What direct access means":

1) More detail on how direct NSA's accesses are is coming, but in general, the reality is this: if an NSA, FBI, CIA, DIA, etc analyst has access to query raw SIGINT databases, they can enter and get results for anything they want. Phone number, email, user id, cell phone handset id (IMEI), and so on - it's all the same. The restrictions against this are policy based, not technically based, and can change at any time. Additionally, audits are cursory, incomplete, and easily fooled by fake justifications. For at least GCHQ, the number of audited queries is only 5% of those performed.

For me, this was a really unsatisfying answer. Maybe the question should have been more specific, but I took it to relate to the PRISM programme and the specific technology that provided direct access to data at the companies involved. His reply seemed to focus on the policies (or lack thereof), with an example relating to call logs (which I already assumed would be provided by some (S)FTP feed from the carriers and bulk loaded into a database anyway).
Maybe he doesn't know how every server is configured. Why would he be expected to?

If one data feed uses a fiber tap and another uses a daily sftp transfer, does it really matter if some/most/all of Americans' communications is ending up in a database to be queried by analysts today and god-knows-who 30 years from now?

I'd like to know if geolocation data is collected as part of the "meta data" in any of these sigint databases. Rep. Jason Chaffetz asked at the FBI hearing about the implications in light of US v. Jones.
"2) How many sets of the documents you disclosed did you make, and how many different people have them? If anything happens to you, do they still exist?"

Answer - 2) "All I can say right now is the US Government is not going to be able to cover this up by jailing or murdering me. Truth is coming, and it cannot be stopped."

That last sentence must have Obama quaking. I wonder just how much more can/will come? And if/when it does - I wonder just how bad it will be?

I just hope that documents are leaked in response to any outright lies by the executive branch, congress or the NSA. It's clear that they have lied and continue to lie, but we don't know what is and is not a lie. Having a bunch of documents lined up to call anyone out for lying to the American people is a powerful incentive for those in charge to be honest and candid.

Reminds me of War Games... "The only winning move is not to play"

He's retaining a sense of humor:

> Our founders did not write that "We hold these Truths to be self-evident, that all US Persons are created equal."

I loved this line. A lot of people don't seem to understand that our constitution explicitly denotes between rights provided to citizens and rights provided to "persons." Most of the constitution and the bill of rights is worded to apply to persons, not necessarily US citizens.
Don't forget the Declaration of Independence:

    We hold these truths to be self-evident, that all men are created equal, that they
 are endowed by their Creator with certain unalienable Rights, that among these are
 Life, Liberty and the pursuit of Happiness.
EDIT: I quote it because it too makes a universal claim
> [...] if I were a Chinese spy, why wouldn't I have flown directly into Beijing? I could be living in a palace petting a phoenix by now.

If I didn't like this guy before...I certainly do now.

The key point in the answers thus far is that when he refers to "direct access" he means to some database that has all the stuff in it, and not (e.g.) via a direct conduit to Google or whoever's database.

So what I think is going on is that the NSA archives packets it can see in transit, but doesn't necessarily know who all the endpoints are. (It probably has a VERY good idea most of the time.) When someone becomes of particular interest they can execute a warrant on Google et al and get more detailed information on a specific target which lets them make better use of data they've already got.

The key thing they're doing is, fundamentally, logging packets that they can see going past any number of bottlenecks in the internet, which should have been perfectly obvious that they would try to do from day one. This alone is enormously powerful and all the extra info from service providers is probably only icing on the cake. If you can be identified from some cleartext comms somewhere then all you other dealings have been archived, and can be correlated, and then decrypted and traced back to you posthoc.

This is my belief as well. A few years ago I worked for a company that sold packet capture appliances to unnamed government agencies. The higher end appliances were capable of 10Gb/s packet to disk streaming. I helped write a search interface for the resulting data capable of the type of filtering and data reconstruction described. If organizations directly, indirectly, knowingly or unknowingly allowed the NSA to tap Internet links, they could theoretically provide full data access, while at the same time publicly deny direct server or backdoor access.
How do they get past the ssl encryption? Mmmm? You don't have to answer that...
When I left they hadn't worked it out, only plaintext artifacts could be extracted. There was discussion of server plugins to intercept and store SSL keys and later use those to decrypt data, but this would require endpoint access and complex interaction back to the appliance. However, in the case of email, although you might utilize encrypted protocols to send/receive, a direct or indirect recipient might not, so at some point the message may cross the wire in plaintext.
For a government agency like the NSA, that's easily accomplished by a man-in-the-middle attack. They can almost certainly convince multiple US-based certificate authorities to give them a certificate that will be included in the default set of trusted certificates by all mainstream browsers. They would only have problems with the very small number of people who are both paranoid and tech-savvy enough to change the certificates that there browser trusts.
Chrome, at least, has certificate pinning for Google properties (and perhaps some other big sites?), which prevent the use of a different but otherwise valid certificate from a trusted CA.
It's also possible, although I don't know how likely, that there are employees of Google, Facebook, etc.. who are secretly working for the NSA to gather specific information that they would otherwise miss.
This is the impression that I took away from his remarks, too. However, this prompts a question: is it feasible to capture everything, store those data, and filter after the fact? How much traffic are we discussing, how much storage over what period, etc.? The costs to capture and store everything for any significant length of time seem astronomical; am I wrong? And if it's not everything, how useful is it?
They could filter for communication related packets based on port numbers: email, chat, voip, etc. The resulting data feed would be more manageable to capture and store long term.
"NSA employees must declare their foreign travel 30 days in advance and are monitored."

So how was he allowed on the plane? Surely part of the passport/no-fly-list check would have caught that. Or did he drive to Mexico and fly from there?

The drive from Hawaii to Mexico must be an interesting one.
Well that's embarrassing...

Still, why aren't airports checking if people specifically banned from flying are trying to fly?

They are, but he wasn't (and probably isn't) specifically banned from flying.
Snowden says that NSA employees (and presumably, NSA subcontractors) are expected to file notices of intent to travel 30 days prior to departure, and notes that they will be tracked while they're away. He also says he took a huge risk by traveling without notice. It sounds like he discovered a (soon to be closed) loophole in that people subject to this rule aren't placed on a no-fly list by default.

I wonder if one official response will be to change that rule, so that the 30 days advance notice becomes "hand your passprot to your employer, and don't expect to get it back without making a request at least 30 days in advance."

people subject to this rule aren't placed on a no-fly list by default

My understanding is that it's nearly impossible to get a name removed from a no-fly list. It seems like a very imprecise tool for this sort of problem.

That's true of the list in its current form because the security agencies have (or had) zero interest in making it otherwise and because they're largely insulated from public pressure.

However, having realized that this inflexibility means it can't be used to effectively govern the travel of people with security clearances, there's a very good chance that the system that was perviously impervious to change will suddenly become very flexible - at least so far as development benefits the security agencies.

I would think the impetus is on not clearing "bad apples" in the first place and getting physical security improved (he walked off with a USB pen drive). After all, you can still trivially leak from inside the US - also, it's not like you can keep NSA employees from ever taking trips abroad, and if you have measure in place that can find people who are about to leak stuff when they put in their 30 days foreign holiday request, the much simpler solution is to just run that measure all the time.
It's an employer policy, and it has nothing to do with the passport or no-fly-list. In normal circumstances, flying without declaring his travel would put his clearance in jeopardy and he'd have federal marshals waiting for him upon his return. Similarly, he'd have security officers checking up on him at home if he failed to show up at work on time (and failed to answer the check up call).
If he failed to show up for work, officers would be sent out of concern for his wellbeing.

The whole point of banning him from leaving the country is to try to prevent him "defecting". Waiting for him to come back is pointless. He's already not allowed "to defect" - so not allowing him to leave the country is stupid if no one is going to enforce it.

Finally, when your employer is the NSA, I figure they'd have different/special rules. Do any non-governmental jobs forbid flying due to "policy"?

defect may not be quite the right word - flee?

> If he failed to show up for work, officers would be sent out of concern for his wellbeing.

Right, but it's dishonest to pretend that's the only motivation.

> The whole point of banning him from leaving the country is to try to prevent him "defecting". Waiting for him to come back is pointless. He's already not allowed "to defect" - so not allowing him to leave the country is stupid if no one is going to enforce it.

Preventing defection takes a lot of different tacks (social pressure, education, threat of prosecution, etc.).

There can be corporate policies that forbid two or more key employees from flying on the same plane for fear of losing irreplaceable knowledge & skills if it crashes.
Because he is not an NSA employee. I don't think he ever was. In fact I'm confident he never was. A govie contractor is not even in the same hemisphere as a government employee.
Man this guy can write,

"Being called a traitor by Dick Cheney is the highest honor you can give an American, and the more panicked talk we hear from people like him, Feinstein, and King, the better off we all are. If they had taught a class on how to be the kind of citizen Dick Cheney worries about, I would have finished high school"

Who is 'King'?
Rep Peter King of NY who has a hardon for protecting the children from terrorists.
Lemme get out the `FUEL' moleskin, ....ah,yes:

Mitch McConnell James Baker Dick Cheney Bush POTUS' Feinstein Peter King

Got it. thank you.

Obama, The NSA and the usual internet suspects: Google, Yahoo, Facebook are getting their asses kicked. This man is the Thomas Paine of our day: "Give me liberty or give me death."
Actually he's coming off as arrogant with delusions of grandeur.
That's a predictable smear that's aimed at every whistleblower.
predictability doesn't imply innacuracy
Perhaps in the sense that predictably broken clocks are correct twice a day.
I'd say that described Thomas Paine.
Why?
The theatrics around this entire story make me question his true intentions. His answers today are anything but straightforward, and the majority of them don't actually deal with information he leaked, but rather his opinions on surveillance, politics, and thinly veiled threats to the government. If his intentions are truly to change the state of NSA's surveillance, then given his position, he should be publicizing raw information (such as PowerPoints, documents, and actual events).
It's my understanding that he gave the Guardian a lot more raw data than what they've released so far.
What does leaking details slowly have to do with delusions of grandeur or arrogance? It seems like he is not operating as you would operate, so you are slinging unrelated insults.

I think that a slow controlled leak that keeps the story in the media is more likely to cause positive change, as I expect he does. Does this make me arrogant as well?

> This man is the Thomas Paine of our day: "Give me liberty or give me death."

Patrick Henry is known for that quote, not Paine.