The House hearing was canceled several days ago to make time for the House Democrats to meet with Obama this morning. As far as I know they have not been rescheduled yet and I will be surprised if they happen before the August recess. Although Glenn Greenwald did say yesterday he hopes they get rescheduled in the next 24 - 48 hours.
This bit both somewhat limits the impact and makes Greenwald et. al.'s claims that most everything is being Hoovered up a lot more credible:
"The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: "At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours.""
Of course, as the article goes on to detail, anything that's found to be of interest in that window can be saved permanently, and NSA analysis do that a lot.
>"To solve this problem, the NSA has created a multi-tiered system that allows analysts to store "interesting" content in other databases, such as one named Pinwale which can store material for up to five years."
It does not describe "interesting". Maybe metadata, encrypted sessions etc? Any conversations in threads linking to these articles?
...and so have the compression and filtering tech, I'm sure. If you strip out most attachments, the average email message is incredibly tiny when gzipped.
Tempora in the UK stores all internet data for 3 days and metadata for 30 days too. Wouldn't surprise me if most western governments use XKeyscore along with data sharing agreements with each other.
I would imagine that their top priority since 2008 has been improving storage systems. It's clear that their ultimate goal is a fully indexed archive of the entire digital universe.
I don't quite know what you intend "1 TB GB/s drives" to mean.
But note that you can buy off the shelf PCIe cards with SSD's mounted that will give you 1TB storage and an aggregate read bandwidth of more than 1GB/sec today. I've got three sitting in various servers. They're expensive, and frankly for the future I'll rather get a couple of extra SATA III controllers and get multiple "regular" SSDs on separate controllers for that reason, but they're available.
For NSA style data collection, though, the collection is trivially to do in parallel: Hash all keys to a "virtual bucket", and hold a map of virtual buckets to physical servers. Then when you want more capacity, you add some physical servers, reassigns some of the virtual buckets from other physical servers to the new ones, and synchronises any old data (given that NSA claims they could only hold the full data stream for three days, you don't even need the hassle of moving data, just make collection on different days map to different virtual buckets, so that on day one you "just" reassign virtual buckets the content of which is being expired on the old servers anyway, on day two, the next set etc. - you maintain full spread of read/write traffic by ensuring that in normal operation all servers have an even spread of "day 1", "day 2" and "day 3" buckets).
It's amusing they see storage as an issue, but of course this was in 2008. Today I have 6TB in my home NAS, and my perfectly off the shelf tower case can easily fit 40TB+ with current size harddisks (though I doubt the noise would make me popular at home).
I wonder how they store all that. Surely a side benefit of this could be NSA contributions to CS journals about database techniques.
Also I doubt the veracity of the claim that they collect "nearly everything". Wouldn't they show up on, say, Sandvine's Internet traffic reports? I think it's more likely this claim is made simply to generate FUD in the general population.
I think the era of government being far ahead of commercial tech capability is over. The government mostly outsources now (a problem Snowden identified in terms of information control) or develops in-house with vendors.
The government mostly outsources now (a problem Snowden identified in terms of information control) or develops in-house with vendors.
There are a lot of fingers in that pie. Oracle, for example, has a National Security Group, whose job is to come up with "solutions" and then try to sell them to three-letter-agencies.
Another benefit could be realised in the future if historians and linguists manage to get access to all this data. I imagine that researchers of the social sciences would end up enjoying the same sort of large-scale collaborative projects that particle physicists or genomic bioinformaticians currently have with their huge datasets.
Well, now they have a massive data center in Utah. That's most likely where it's all going today. Standard open source tools are all you really need.
> Wouldn't they show up on, say, Sandvine's Internet traffic reports?
No. If some script kiddie/hacker type installs a packet sniffer and logs all your traffic to your ISP, that won't show up anywhere. Traffic goes somewhere. You're sending packets out. Merely logging packets is entirely passive and undetectable.
The Guardian strongly implies this system is used to intentionally target US citizens in violation of the law, but then admits that would be "illegal." I wonder if the leaked presentation touches on this point.
The Guardian doesn't 'admit' anything (it wasn't hiding anything in the first place), and legality doesn't predict whether actions are being taken or not.
>I wonder if the leaked presentation touches on this point.
That seems unlikely to me, as this is a technical presentation.
That UI looks awfully similar to a theme I've seen used in SharePoint Portal Server. I hope that's not what they use for the front end, but I wouldn't put it past them.
Having worked with SharePoint extensively for years, I'm highly confident this isn't the case. It's just plain-old crappy custom-coded HTML4 forms from what I can tell and similar colors, so one could easily think so. But at closer look, it definitely not any of the SP versions 2003, 2007, 2010 or 2013. Maybe 2001 but I highly doubt even that.
says: Top Secret Comm(?) REL() to USA, AUS, CAN, GBR, NZL
confirming the previous suspicions that many other governments are on board.
Der Spiegel actually has reported a few weeks back about XKeyscore [1] and that it is used by the BND (Germany's NSA). I.e. all this data is also available to the NSA equivalents of Australia, Candana, Great Britain and New Zealand.
Many Americans trust their government (unfortunately), will they also trust the other governments?
Good catch -- and really, I find it to be quite foreboding in terms of how indomitable it is precisely because of the secrecy of the program.
"This was a secret treaty, allegedly so secret that it was kept secret from the Australian Prime Ministers until 1973."
This is indeed a trend, and I speculate that NSA (and NSA-like entities in the other 4 eyes/countries) probably communicate information and abilities to prime ministers and presidents of the respective countries very selectively.
Bonus: The NSA likely can get around the "no spying on US citizens" by just requesting data from those governments, who proceed to pull it out of the NSA's web interface.
That's COMINT, or Communications Intelligence, basically the type of intelligence that XKeyscore is part of. It might say HUMINT if the intelligence was collected from human sources.
REL TO likely means release to.
As I've said before, the realisation that most countries do this sort of thing comes as no surprise.
Kind of puts into perspective why they would coordinate such a massive raid on Megaupload. The target may not have even been the data - merely seizing the data puts anybody who has accessed the megaupload website as an easy target.
You crossed the tinfoil line. Copyright infringement was sufficient motivation for the actions taken. The megaupload raid was not okay, but I am pretty sure Hollywood was behind it, not the NSA.
Just a few years ago this very article would cross the tinfoil line. Plus, don't be naive to think that the government wouldn't use an accusation of committing a crime to cover what they really want to do.
For instance, need data from a server's hard drive? Accuse someone you know who has data on that server, not necessarily the data you want, to have an excuse to seize said hard drive and analyze it. Nope, turns out the accusation was incorrect, here's the hard drive back. Ah, is getting other data not covered by the warrant illegal? It just might be, but you can't complain if you don't know they did it and you probably don't have standing to sue over it to find out. Plus with authorities able to get double-secret warrants based on triple-super-secret laws issued by not-so-secret courts with "you can't even admit you were here" secret proceedings, how would anyone know in the first place?
Remember, government agents have the authority to lie to you in an effort to complete their goals.
Not that I'm saying the NSA was behind MegaUpload or anything, just saying it's feasible.
Hollywood by itself had absolutely no chance of reaching across to new zealand and persuading the NZ police to break NZ laws to arrest him.
Just to be clear, Kim Dotcom was a NZ resident, and had broken no NZ laws.
At this point it would be a bold man who made the claim that the NSA had nothing to do with investigating a foreign person and/or their company, tracking that company's international internet usage, monitoring their involvement in possible illegal activities and providing that information to US authorities who could use it to reach out across the world and attempt to have that person extradited to the US.
In fact, I cannot understand for a second why you are trying to make that claim?
> It's quite easy to lose the protections of a U.S. citizen indeed!
That, coupled with the fact that they only require 51% certainty in the foreignness factor makes me think this is intentionally designed to make every single person they come across a subject to surveillance.
I can see Weasel terms like "use of storage media seized outside of the U.s." be extended to mean pretty much anything.
The fact that they don't require a wiretap order or even a warrant to monitor foreign citizens is disturbing in itself and is based on a questionable internal interpretation of the law.
On cspan this morning, the phrased it as: a secret interpretation. the fact that those two words can even sit together hurts my head. How do you secretly interpret something one way, but openly interpret another way.
What is really interesting here, is that this disproves what has been said. EVERYBODY'S DATA IS COLLECTED, but to query the data of a US citizen you need to simply provide a 'mitigation reason' as to why you accessing that data.
That then provides an audit trail, where something, or more likely, nothing is done to check that decision was valid,.
Forget amusing, that would have been a perfect action trigger: people are OK with privacy infringement on others, but when it happens to them, they are more likely to be upset.
I suspect, or maybe just hope, that politicians are protected in some way from this. While it is unfair, at least it would mean less opportunities to extort or threaten lawmakers. Though, obviously, it would be best if we ALL were safe from that kind of crud.
I think it's a test account. The text string which reads something like 'does it still recognize me?' is very much like the kind of thing I'd type in my QA days when I was testing a new system.
If I were putting together a deck on that system I'd also probably favor test data over live data, if for no other reason than it's easy to come by.
They may have used an existing public profile since he's already displayed it openly. He's a realestate broker after all so, presumably, he's got "nothing to hide".
In keeping with that line of thought would it not be better to redact the information you are presenting? I don't see why you need to write it out in full.
You could say 153xxxxxxx and "Arxxx Goxxxxxxx" just to be sure and if you need to post links you could use a URL shortener.
HN fields roughly 200,000 unique visitors each day, most of which have a markedly anti-gov't-spying slant[1], that's enough evidence to be in their cross-hairs.
[1]: Such that in some capacity you might participate in the creation/promotion of methods or software to get around their snooping technologies.
Yup. I think that we all classify as "Enemy sympathizers". I wonder when we will be classified as "Enemy combatants?". As soon as somebody mentions violence, I suppose.
The relevant slide is inline in the article, under the first appearance of the string "facebook". It was apparently redacted by the gaurdian; see nwh's link to the archived page below.
Just FYI (almost certainly of no importance because this individual was chosen at random for the slides): his name (both first and surname) are Persian. I'd guess he was an Iranian (graduate) student who has decided to stay in Canada after his studies; possibly to be "free" from an oppressive government's espionage and meddling in his private life. The irony...
At what point do the mathematical limits of data mining kick in here? How useful is all this information?
I'm not an expert in this area of mathematics, so I could be wrong, but my impression is that as the haystack becomes larger the problem of false positives becomes more and more severe.
As a data miner, what you want is the maximum number of "hits" (of whatever you're trying to hit) with the minimum number of misses and the minimum number of false positives. My impression is that this becomes progressively harder-- the golden region between too many false positives and too many false negatives becomes smaller and smaller and harder to hit.
Eventually you either miss important hits, namely the next terrorist attack, or you get swamped with false positives that you have to manually investigate and rule out.
I'd love someone who does know more here to chip in, but my personal suspicion is that this actually has a pretty huge pork angle to it. How much money are the contractors getting for building this stuff?
The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: "At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours."
so let's say there's a law that says "any American company doing business with a company that does business with a known terrorist organization will have a bad day"
you don't need to use some kind of fancy data mining algorithm for this to work (generating false positives), you just need a ho-hum graph traversal algorithm and unbelievable amounts of graph data to generate "candidates for investigation".
US Company A -> intermediate 1 -> known terrorist group B
US Company A -> intermediate 2 -> known terrorist group B
US Company A -> intermediate 3 -> known terrorist group B
Each set of links is just one lead to investigate, but having a giant graph to work off of would make generating those leads simply. You might find out that intermediate 1 is a local falafel delivery place that "US Company A" uses for lunch catering. Can probably strike that one off the list. intermediate 2 is a utility (no choice but to use the local water monopoly), but intermediate 3 is a material supplier that employs several low level delivery guys from known terrorist group B, and the founder of the company is a cousin of the founder of known terrorist group B.
So I'd wager it's not as simple as just running an algorithm and automatically sending out Skynet drones to blow things up. There's some kind of more subtle assessment being made, with the systems just providing help to the analysts.
If yesterday we were "conspiracy theorists" when we suspected things like XKeyscore, what are we today if we suspect things like "Person of Interest"-like programs?
"You are being watched. The government has a secret system: a machine that spies on you every hour of every day. I know, because I built it. I designed the machine to detect acts of terror, but it sees everything. Violent crimes involving ordinary people; people like you. Crimes the government considered 'irrelevant'. They wouldn't act, so I decided I would. But I needed a partner, someone with the skills to intervene. Hunted by the authorities, we work in secret. You'll never find us, but victim or perpetrator, if your number's up... we'll find you".
It's in the full presentation linked at the top of the article. Under the heading "Finding Targets", "someone who is using encryption" is one of the listed means of identifying someone for targeting (along with "someone whose language is out of place for the region they are in"…).
Using PGP as part of a filter makes perfect sense. If you're looking for "bad guys" that do certain activities, as a starting filter, it doesn't hurt to say "OK, show me everyone in this region doing these activities. Now filter by language, etc. etc.".
Just like if I was looking for gang members, I might start off a filter with "look for tattoos". It doesn't mean I'm saying everyone with a tattoo is gang member, it's just a way to start filtering.
The NSA analysts are presumably actually trying to get something done (find people they think are bad). How stupid do you think they are? If you were an NSA analyst, would you tag "person of interest" on everyone using PGP? How would that help your goal of finding actual people of interest?
They say they caught 300 "terrorists" with this program and other success stories. Presumably, they didn't achieve any success by wasting lots of time flagging random PGP users.
To be canonized you have to have performed a miracle, but If he somehow get's pardoned by the DoJ or the Obama administration we could probably consider that requirement met.
This is overwhelming. Even when you always hear the claims about we knew this was going on, somehow it is still shocking when you see it all laid out infront of you with screenshots and the capabilities described.
I can see how they get HTTP information, since they would intercept at transit hubs - but how are they getting all Facebook private messages and Gmail?
I was also looking for another unique ID that users are identified by - perhaps a machine or browser fingerprint or some form of intel that can 'glue' different browsers together and make a best guess if they are the same person (Facebook does this with device and user cookies) but couldn't find anything. It seems they rely solely on email addresses, IP addresses, cookies and HTTP headers.
So if you are browsing via 16 tor circuits and a browser that defaults to incognito with session histories being wiped, they couldn't reconstruct your history.
Users of PGP/encryption products being singled out is terrifying. The sooner we have the whole world using decent encryption tools, the better.
They must only be getting a slice of the Facebook chat data, since the transport there is also https.
Facebook Messenger, on the other hand, uses MQTT, so it transmits and stores in plaintext. It has support for encrypted + signed messages with OTR if you are using an alternate client such as Adium or Pidgin.
Really need to go out an audit all of these services and let users know which are better.
Hidden services are still secure, presumably, because there is no exposed section of the network to inspect. All they can do is monitor and do statistical analysis, and maybe mess with the traffic to try to get more ideas of flow.
I wouldn't for a second bet on it. A hidden service has exactly the same issue as traffic that exits the network. The topography looks like this.
httpd > tor node > tor node > tor node > rendezvous point < tor node < tor node < tor node < client
With enough monitoring, the location of the web server (or other hidden service) can just be found out by bombing the hidden service with traffic and seeing what end point lights up with traffic. With fine enough monitoring you wouldn't really need long to find out the real location of the server. It's just not something the network can effectively hide, even if it used chaff (padding) to hide the wheat.
There's practical attacks for enumerating hidden service public keys, and so I wager that there's somebody somewhere with a complete map of the real server locations as well.
According to tor metrics only 17% of tor endpoints [1] and a similar percentage of relays [2] are in the USA. The kind of monitoring you propose would require a much higher portion of them to be under NSA control.
The question isn't how many endpoints the NSA has, it is how much bandwidth they have at the endpoints (actually, it is more about how many unique users use their endpoints). But, assume that 1% of Tor connections goes through an NSA exit node. 1% of that 1% would go through both an NSA exit node at both ends, and is therefore comprimised.
Tor tries to mitigate this by always using the same exit nodes for your connection (reducing the chance of ever being compromised, but if you are compromised, it is for much longer). However, inevitably you occasionally do need to change your exit nodes, which gives the NSA another roll of the dice. Additionally, when talking about drag-net surveillance, 1% of 1% is still a lot.
The bigger protection is the ease with which the NSA can mount this attack on TOR. I have no doubt that they could do it, however I do question if they can do it on a massive scale.
I imagine that when you have taps at all the colocation centers (which each node would need to go through - and even a surprising number of hops overseas go through the US due to the cheaper price of bandwidth) you may not need to control the endpoints to break anonymity, with enough statistical analysis of the packets entering and exiting the known tor nodes. Tor doesn't work against attackers who can monitor the whole network, and the developers say so up front.
"Tor tries to mitigate this by always using the same exit nodes for your connection"
Think you're getting your entry and exit nodes mixed up there. Tor chooses a small number of entry nodes (entry guards) and attempts to only use those.
If every police officer had access to these tools, the news would leak much sooner.
So I would think these tools are available only to a select few, and those are more interested in more high-profile tasks like catching extremists or going after political opponents.
I, frankly, don't think SR is that high on government list. Not yet.
Absolutely not. The government is not one unitary piece. The NSA is not the ATF is not the FBI. These capabilities were likely kept secret from other governmental agencies as much as the public.
Furthermore intelligence agencies are well aware that every action communicates information back to their adversaries. It's a no-brainer to let Silk Road exist if you think doing so gives you the edge on terrorism, or otherwise furthers the national interest.
Silk Road is a few pennies and few gram transactions. [See the data here http://arxiv.org/abs/1207.7139]
It would be foolish to expose their snooping capabilities for this, right?
Wow, Tor is not considered safe... Amazing
No way. What you forget is that once they bust it -- then they've REVEALED that they have the capability to do that.
Once they've revealed that, then people take account of it, and it becomes harder for the NSA to monitor them.
Half of the signals intelligence game is keeping your capabilities secret, so you can keep monitoring the signals, rather than have your target change their game.
That is to say, if they can get into Silk Road, then they probably ARE already monitoring everything that happens on Silk Road, and they'd rather it stay UP so they can keep monitoring the people on it (being very careful never to reveal that they can monitor it), then bust it so the people go elsewhere.
Connections secured with TLS aren't effective if a) you can compromise the CA, b) have the private keys, c) have cooperation of the appropriate company (most likely), d) have compromised the server, e) are aware of flaws in the encryption algorithm, f) weak keys have been used, or g) have compromised the client computer.
Compromising the CA isn't as powerful as most would think. It does allow you to MITM, however it does not allow you to do so invisibly. Someone who is paying attention to the public key could notice that it changed.
This presentation is from 2008. According to the presentation on PRISM Facebook joined the program on 3 June 2009. That would indicate that the searches here are based, most likely, not on participation by Facebook but by passive sniffing of HTTP traffic and then session reconstruction.
In 2008 Facebook ran on HTTP, so back then it would have been easy to sniff this data. I believe Gmail also transferred in plain text back then. When those companies switched to HTTPS, the NSA likely 'leverage some pressure' to get them to join PRISM, which puts the data back in this system.
Around about the time when people started rolling out SSL as standard. That'd make sense, as they'd need to move their beam-splitters (prisms!) to behind the SSL endpoints.
I think PRISM is just the public-private partnership aspect of this, where they have to go to service providers and install kit, as they can't tap SSL traffic.
From the screenshots it's obvious that the captured data is an HTTP form submission in facebook.
So they didn't have access to private messages, they just intercepted internet traffic and relied on it being unencrypted. Facebook didn't always enforce https by default like it does now
PRISM allows them to retrieve individual users' messages via a FISA court order. It doesn't allow analysts to instantly obtain private data for any user they want. :)
With regards to the data collection, the thing to realize (which I did so myself) is that email truly is the glue that ties together most internet services.
Take facebook for example. By default, almost any and all activity on the site is catalogued for you by email -- for your convenience. Someone mentioned you in an update, you get a notification. A friend sent you a private FB message, you can an email notification with the content in line (even with the support of replying to message via email as well).
Now, because email traffic on the internet is not encrypted by default, one is able to piece together the contents of communications just by looking at the email.
Essentially anything that you receive via email (e.g. password reset links; credit card statement summaries etc) is subject to capture and analysis. Given this, it may make sense to perhaps disable (potentially sensitive) email notifications as a workaround around this particular collection method.
The main thing that this new release reveals is not the scope of the data collection, but confirmation that analysts are given free reign to perform queries. Until this, there was an outside chance that the system required all database queries to be signed by a Judge prior to execution. This is not the case though; all queries are processed immediately, with essentially nothing more than a repo commit message as justification, and basically any analyst can do it.
Exactly. There were a lot of people from the government that came out in the past few months and said there are checks and balances and a lot of oversight in these processes. That clearly isn't true.
It will be interesting to go back through all of those statements with this new information/evidence on hand.
Greenwald has timed this well. He put out enough information early on to give Snowden opponents enough rope with which to hang themselves.
And if his comment further down in the thread is anything to go by then there is a lot more to come.
It's an interesting problem for the talking heads: How much will be revealed? They're caught between a rock and a hard place, if they start telling the truth they might reveal something that the leaked docs don't support, but if they tell a lie they might be found out.
This trickle strategy is working very well. The best cause of action for the people under the microscope would be to shut up and if they are compelled to talk to say the absolute minimum but to still tell the truth.
It's pretty impressive how Greenwald, Snowden et al are organizing the staggering/trickling. They're not just releasing any old info at periodic intervals. They seem to be anticipating the responses NSA/USG will give to particular leaks (e.g. analysts can't run searches, there are checks and balances) and choosing next leaks based on how they can prove those NSA/USG statements wrong.
It's like the Socratic method for public/government relations.
The goal seems not just to be exposing the magnitide of this surveillance system, but also the government's systemic disregard for public mandate in the USA right now.
>Greenwald has timed this well. He put out enough information early on to give Snowden opponents enough rope with which to hang themselves.
I have to wonder if the staggered deployment of the leak has anything to do with savvy, or more with his own need to digest what he's got as he works through it and reports as he goes.
Either way, the story has more legs than past revelations, so I'm happy for that, and I certainly would love for it to be the case that there is a degree of effective calculation behind the deployment of the info with the goal of keeping the conversation alive and neutering critics. Goodness knows that this story needs all the help it can get. It's up against not only the resources of some of the most powerful governments on the planet, but also the lacking attention spans of their populations combined with relatively disinterested media.
I'm heartened that the noise level has remained so high since the first Guardian article (in this latest series).
Q: Thanks for reporting this. I have to ask though, why is it that you are doling out this information now after the recent congressional inquiry into NSA spying and not earlier?
A: We've published almost two dozen exclusive articles about NSA spying in the last 7 weeks, in multiple different countries around the world. Is that pace not fast enough?
There are thousands upon thousands of documents and they take time to read, process, vet, and report. These are very complex matters. On top of everything else that has to be done with these articles, from explaining, debating and defending them in the media to dealing with the aftermath.
People can accuse us of many things. Not publishing enough or fast enough is hardly one of them.
That House vote was about one specific topic - bulk collection of phone records - that this newest article has nothing to do with. That House vote isn't the be all and end all: it's just one small battle in what I can assure you will be a sustained and ongoing discussion/controversy.
There is a lot more to report still. Accuracy is the number one priority. That takes time.
Devils advocate here: If in fact all of this is being collected, is it actually illegal to search without a warrant? If all of the above items are being siphoned off the internet via taps in concentrated NAPs around the USA and the world, and everything is in plaintext, this doesn't seem to be technically against the law.
Haha, suspect. You know their tool for importing new types of data into a Palantir system is called Prism, right? Aggregating data from different sources and linking it is all they do.
> Why would Google (or anyone) link to them directly? with fiber no less! this stuff is alarming enough no need for FUD.
Who says Google has a choice or is even complicit? The backbone providers have mostly stayed mum and it's known that the likes of AT&T split their fiber for the NSA. If we're willing to go to the bottom of the ocean to tap fiber lines it's pretty easy to believe that we'd tap terrestrial lines too.
My understanding is that internet firms enjoy slightly more leverage, and that is why in contrast to telecos they are now petitioning the courts to reveal the scope of the orders.
That's all hand-waving. The courts won't allow it, the giants know that, so the internet giants use it as a chance to look good. Furthermore, it benefits the NSA for us all to think that Google, Yahoo, et. al., are not in their pocket.
Beam splitters are, in general, not prisms. A prism, as traditionally referred-to (and in the NSA PRISM graphic) separates light of different wavelengths. In a signal tap, you want to split the intensity, not the wavelength. In simplest form, telecom signals are at a single wavelength; passing it through a 'Dark side of the moon' prism will only deflect the beam, not split it.
When one refers to a beamsplitter, it's usually a partially silvered mirror.
If it's fancy, it might use an evanescent wave to do the coupling, as in some cube beamsplitters.
Beamsplitters for optical fiber are more generally referred to as 'couplers' and involve bringing two fiber cores close enough for a long enough distance that the probability of coupling light from one to the other is the desired amount.
Disclaimer for the following: I only work with optical fiber couplers occasionally, and not for telecom. Someone who works on telecom fibers daily will be more informed.
In summary, if someone wanted me to tap an optical fiber, I'd call up ThorLabs, get a matching coupler shipped overnight, cut the relevant fiber, slap APC ends on the fiber ends, and jack in. Splitting the beam in free space (outside of a fiber) with a prism is far more errorprone, unstable, and no more efficient. A fiber coupler has no moving parts, can't break, and won't take down a telecom's trunk line if someone breathes on it funny.
If they're actually using a prism, it's because of some sort of impedance/reflection minimization scheme; I can't conjure one that would work better than using simpler techniques though.
You can/do/might use actual prisms for a variety of reasons, however, such as if you're trying to get a frequency-multiplexed set of signals off a single fibre broken down as their constituent components - i.e. bulk data collection from a single tap on a mass fibre bridge.
Anyway, you're probably right, it's probably just bog standard parts, and PRISM was a buzzword for management.
> Gmail messages must only be captured when they leave the Google network. They are the only provider to support server-to-server TLS
We should start lobbying for broader support for server-to-server TLS with perfect forward secrecy. While it alone is not sufficient to prevent the wiretapping of targeted individuals, it still makes fishing expeditions or "Big Data" level surveillance much harder. It would help keeping ordinary users' emails protected on the wire and secure the meta data of PGP emails.
Most of the identifying information used by panopticlick requires using javascript/flash/java to obtain. As such, it isn't available when simply parsing HTTP headers and packets (as much of the data in XKeyScore appears to come from).
(That is, unless you visit panopticlick.eff.org, which then sends all of the processed information over the wire in the clear...)
> I can see how they get HTTP information, since they would intercept at transit hubs - but how are they getting all Facebook private messages and Gmail?
I don't know how they're getting GMail(and this is probably a slide from when GMail was accessible via HTTP and not HTTPS), but Facebook chat specifically is done over a non-secure XMPP server. The only 'secure' part of that transaction is login, as far as I remember, once you're past that none of it is encrypted.
With Gmail, all it takes is one request to almost any Google service to leak through a non http connection and they have your Auth cookie. Once they have that, they are you. And yes it is that easy, anyone can pull it off at Starbucks, hotels, even some ISPs.
Sorry for being so naive... does that cookie expire eventually? I have been using HTTPS everywhere on my machine, but if I log in to my Google account for YouTube, for example, from someone else's computer, how much data can they realistically download and how long would they have that ability?
Not speaking for Google, but in general, auth cookies (rather than identity cookies) will only be sent over HTTPS using the "Secure" cookie attribute. This is something done at the browser level, so short of using a very badly behaved browser or HTTP client, this is unlikely to happen.
You're right the slides are pre default HTTPS gmail (2007/8).
But even then gmail is the only webmail service that offers server-to-server encryption, so data can still get intercepted when communicating with someone using yahoo mail or hotmail for example: http://news.cnet.com/8301-13578_3-57590389-38/how-web-mail-p...
>This is overwhelming. Even when you always hear the claims about we knew this was going on, somehow it is still shocking when you see it all laid out infront of you with screenshots and the capabilities described.
It has become a bit of a pet peeve of mine recently to see self-aggrandizing comments from users around the net about how "we should have known" and "none of this is new."
I'm a practically addicted news junkie (especially tech news) and while I've been aware of a fair amount of what has been exposed in this latest leak, it seems that every day there are revelations new to me, and what is revealed absolutely shocks the conscience. And I'm an outlier. I'm more plugged in to reporting on this subject than 99% of the globe's population, and this subject tangles with the rights and treatment of a large portion of the population of said globe.
The staggering majority had no clue, has no clue, and no, they were never informed. For all intents and purposes, the global media has been asleep or complicit.
It's staggeringly important to keep telling this story at every level specifically because "we" don't know, and still don't.
Second: realizing that "we should have known" and "none of this is new" isn't so much about reading news articles and being "plugged in", but rather having an understanding of how the Internet works. To oversimplify greatly, you're essentially playing a very precise game of telephone between around 10-20 different people, and usually about 1-3 different publicly-owned corporations. To be surprised at the possibility of storing packets is somewhat naive considering how simple it is to do.
Maybe I am just having trouble seeing the point of "see I was right all along"? Why would we be upset at the newcomers to the ranks of the enlightened? I would prefer to just nod, point to the preexisting evidence, instead of driving people away with unproductive "I told you so" hostility.
I agree completely. We need more education on the subject as opposed to back patting, and we definitely don't need to attack the very people that need to hear and understand the reporting most, as the person you are replying to is doing, by calling them naive. A bit sad imho.
My issue with the conversation now that this has gone "mainstream" is that people are now allowing the media to shape their viewpoints (like everything else that seems to blow up in peoples minds who are normally distracted with reality tv or how awesome they think their life is[personal experience from family members/friends/how I lived for some time]), without digging further beyond what people are talking about at the surface.
The emotions are most likely to be anger and disgust of having their sense of reality shattered, inciting most people who feel powerless to change their habits, to go and protest. And as we all have seen around the world and even within the united states, protests can get pretty hairy, pretty quickly and not in the favor of people who want to live peacefully…
Outside of the issue of inciting the masses to act out physically, there is very little public "mainstream" acknowledgement that corporations are collecting and sharing the same types of data (and more) between one another, where issues surrounding any type of morality become selling points for products. So then the theoretical situation becomes: Government agrees to stop its dragnet programs, non governmental entities will continue to do so as long as people use their services… where's the protest for that (and when that comes they'll hire private contractors to protect them and their interests [remember OWS 2011])?
I posted this a while back on information asymmetry and the surveillance state [0], which lays out simply what is going on now in the minds of people and what is at the core of the issue people are talking about. I also propose an idea about the direction I feel would be more beneficial for the energy to be placed on my post as apposed to the logical conclusion of where all the anger will be placed by people who are now willing to enter the conversation from recent "mainstream" exposure [1].
That being said, I can also imagine how frustrating it must be to be a person who's spent years (maybe decades) worrying about something that's really happening, only to have their concerns dismissed with a wave of the hand or marginalized as "tinfoil hat" conspiracy theories. It's not hard to imagine how that could sour the disposition of even the sunniest person.
The technical possibility isn't the new and staggering part, it's the profound lack of morality, respect for any ideal whatsoever, and compete apathy towards the oaths these people took to serve us.
They have compeley misused the power we granted them in sacred trust. We should remove it from them at once. If this has become impossible, we need to know that as soon as we can.
I could not agree with you more re: removing them at once. Sadly, I don't think an overly militarized police force, rapid transfer of wealth to the top and the post-911 power grab is going to challenged anytime soon.
Most Americans still believe they have more to lose than to gain by asserting themselves...
> The technical possibility isn't the new and staggering part, it's the profound lack of morality, respect for any ideal whatsoever, and compete apathy towards the oaths these people took to serve us.
Again, I'll chime in as the resident apologist. The people working at Fort Meade are not evil. They truly believe they're doing a great service to the nation. They may be wrong, and they've certainly thrown privacy out the window. But they are following an ideal: national security.
Post 9/11, the nation went on a war footing. We reacted the way we did to the Nazis and the Soviets. And in their search for an existential threat, the intelligence community seized on nuclear terrorism. These analysts live in constant fear of the day they miss a piece of information and New York, Washington, or London is enveloped in a mushroom cloud.
The best explanations for this type of reasoning that I have heard came from an unlikely source, my grandfather. He's a former FBI agent and WWII Navy veteran. In war time, we threw all sorts of civil, economic, and political liberties out the window to defend ourselves. When I asked him how this was allowed to happen, he said simply, "When you're facing an enemy that wants to cross over the hill into the valley where you, your family, and everyone you've ever known or loved lives, you'll do anything to protect them."
Our grandparents grew up with the threat of the Nazis. Our parents faced the prospect of annihilation by the Soviets. We have had the luxury of coming of age in a time where there is no credible threat to our very national and physical existence.
As a result, it's difficult for us to understand the mindset of someone that spends all day, every day, thinking of the most horrible ways we could be attacked, and then trying to devise countermeasures. It's almost inevitable their perspective on the balance between security and privacy is altered.
I'm not saying this reasoning is morally correct or justifiable, especially when applied to the current surveillance programs, but simply that it is understandable.
The key danger is that these efforts are qualitatively distinct from those in previous generations. The difference between extraordinary measures now and then is twofold.
First, our capacity to surveil the citizenry has exploded over the past two decades, and our legal framework is still grappling with that change. The courts are having trouble understanding that a change in scale can be a change in kind.
For example, it's one thing to have the occasional surveillance flight to search for drug operations. It's quite another to have aerostats and quadrotors watching every inch of a city all the time. But the legal rational that there is no right to privacy in public spaces allows both.
Similarly, it's one thing to say the records generated by my water company are business records not subject to the Fourth Amendment, but it's quite another to use that rationale to justify monitoring the location of my cell phone simply because my cellular provider maintains the records.
Second, wars have a point where they end, and the extraordinary measures are supposed to be reversed. That's why the "war on terror" and the "war on drugs" are so dangerous to civil liberties. They essentially extend the extraordinary measures during wartime to police problems that have no logical end.
I agree that we've gone too far as a nation. The fact that these queries don't require FISA orders flat out shocked me, even as a careful observer of these issues. But let's not demonize the individuals. After all, they're only doing what the people demanded after we were attacked. This is a democracy, and immediately after 9/11 such measures were resoundingly approved by the public and our representatives, beginning with the PATRIOT Act.
None of that changes the current reality however. We must slowly learn the lesson the British did when dealing wi...
I'm not American, so I'm wondering: was the public really actually behind the PATRIOT Act, or were they merely giving leeway in a time where everyone was supposed to go along? Or were you thinking that's the same thing?
Same with the politicians; were they really for it, or simply incredibly afraid of the political suicide that would be the results of standing up against it? Because this was a time when people did not question Bush. From today's perspective on his administration's actions, that seems odd, but it was the reality at the time.
How can anyone really be behind something they barely know anything about? When a bill like that comes around, the general reactions usually run from If You Say So to They'd Better Not Screw This Up. Some are completely deferential, some are completely skeptical. Nobody knew the details of what the law entailed for certain, so argument over it is like kickboxing on a waterbed: pointless, but vaguely resembling real fighting/debate. EDIT: to be clear, the general assumption is that Congressman know enough about the law to understand it (some things can be withheld from the public).
> incredibly afraid of the political suicide
Afraid is not the right word. Aware. When all (public) evidence concerning a law says "fight the terror!" and buildings are still blowing up, you'd have to represent a very interesting district to be "soft on terror".
The public was behind doing something. Much of Congress didn't want to be seen as impeding something.
It was obvious from the length of the act alone that even Congressional staffers couldn't have read it carefully between the time of submission and the time it passed. Quite a few people that I knew were weakly opposed, but the sunset provisions may have made it more palatable.
It takes character to stand up and defend doing nothing when something "must be done".
>It was obvious from the length of the act alone that even Congressional staffers couldn't have read it carefully between the time of submission and the time it passed.
This is a little off topic, but I always see this trotted out when people talk about big laws (like Obamacare, PATRIOT Act, etc) and it's not really true. Lawmakers usually work with and read a "normal language" version of laws that then gets transformed into a stricter legal version by staffers and experts. They will look at the actual legal version of the law if they care about a specific rule or section, but they usually don't need to.
It is an incorrect characterization when referring to the Affordable Care Act, as that went through so many revisions and debate over such a long period, that anyone who did not read it has zero excuse (including the public who allows itself to be misinformed about its contents). But it's not quite unfair wrt the PATRIOT Act. There was widespread reporting, complaining, and outright indignation that the PATRIOT Act was never read by a majority of congresspersons who voted for it. It was so massive, that there was little time to actually read the legal language overnight.
Of course, I expect my lawmakers to actually read the legal language.
The point is more that for most lawmakers there's not really a need to read all of the nitty gritty legal language. If you're a House Rep from Kansas who's core issue is corn subsidies, reading all of the PATRIOT Act isn't really going to do you much good. Instead, you read the summaries and listen to the opinion of the experts in your party who have read the whole act.
It's important too to note that this isn't a "big law" or even an American thing. Virtually all bills of any substance work this way and it's pretty much standard practice in most countries.
That being said, I'm not defending the PATRIOT Act. I just think the argument that not enough people read it is weak, especially considering all the real arguments you can make that actually attack the substance of the act.
You make some decent points. However, I'm still going to counter that 'the argument that not enough people read it'--i.e., proposed laws--is strong, not weak.
The point is that for all lawmakers, there is both a need and sworn obligation, in addition to national expectation, that they read all the nitty gritty legal language they are voting on, by which all Americans are bound to abide.
That's what lawmakers are there for--to know what in the hell they are passing as laws. If they can't be bothered to do their job--which, at the national level, goes far beyond just securing corn subsidies, because they're voting on legislation that touches on all Americans--then fuck 'em. Throw the bastards out on their asses, and send them back to the cornfields.
For the most part, we as Americans didn't actually ever read the Patriot Act, and we didn't get to vote on it. Our representatives that we elected before we ever knew 9/11 would happen voted for it in a climate that made it politically suicidal to not vote for it.
To be clear, the "hawk" politicians (and let's be honest, -many on the left) believed in the legislation but also exploited the tragedy to ram it through and neutered the ability of the other side to have a reasoned debate.
Our population was attacked, angry, and for the most part followed the lead of politicians who said we needed these laws to fight the people that attacked us.
In the aftermath, the scrutiny on the part of the American people never materialized. You're basically witnessing the moment where the most scrutiny on these types of programs/laws has ever occurred since 9/11. Worth keeping in mind that many components of these surveillance programs also predate 9/11.
Many of us were, and still are, against it. Its passage was very questionable and suspicious, particularly regarding the lack of informed and reasonable debate on its requirements and broadly invasive permissions. It was passed overnight. There was word that many (most?) congresspersons did not even read the bill before passing it by a huge majority. It was emotionally charged and rational criticism was nearly non-existent before it was passed.
Only 66 Representatives voted against it--62 Democrats, 3 Republicans, 1 Independent. Only 1 Democratic Senator voted against it, while another Democrat abstained from the vote.
At the time the Act passed, Americans were in the midst of a fear frenzy. It was a pervasive culture of fear and panic, the likes of which I can only compare to anti-Soviet fears of the Cold War. People all over the country actually went to stores to buy all kinds of emergency and survival supplies to build up their own anti-terror kits (I forget the name for this that was popular at the time).
Many of us questioned Bush from the moment he was declared the winner of the 2000 election by the Supreme Court. We took part in protests all over the country after 9/11 to oppose the buildup to war in Iraq. I took part in protests in D.C. It was all ineffectual. Fear gripped the country and few paused to consider the long-term ramifications of the actions taken in September's wake.
While I feel that the programs the NSA employs are profound existential threats to our liberty and rights, I do agree with you on the balance that the human parts that make up the whole of these organizations fundamentally see themselves as benign and beneficial on the balance. I think it bears mentioning, and its worthwhile to keep this in mind while we do the necessary work of attempting to dismantle and remove a lot of their power and tools, -the ones that have gone far past the line.
Demonizing people and falsely assigning ill-intent doesn't help us address and correct the problem, even if it feels good to do so. I personally have to fight the urge constantly myself because I feel so strongly in the immorality of the net output of the programs themselves.
The issue is that we need to demonize the people who are in fact evil and deliberately built this out and got it going. That list is surprisingly short:
GHW Bush
GW Bush
D Cheney
D Rumsfeld
C Rice
G Clapper
G Alexander
P Wolfowitz
These are the guys that created the orders that the soldiers are following, and the war they are dying in for these criminal's profits.
Naive and unnecessary. The Patriot Act was overwhelmingly supported across the aisle. And it should be obvious by now that Obama is an enthusiastic supporter, based on his treatment of Snowden. Not to mention Pelosi and Feinstein aggressively defending the government's right to suppress information.
This has nothing to do with party affiliation. If you believe in Republican Vs Democrat, you're still in the Matrix, and, sadly, sipping the koolaid.
I think you're missing what I am saying, which firstly, is in no way party related.
The people I listed have a decades long history which brought them to the US Coup of 9/11: Cheney in particular.
The above are at the core of PNAC, the CIAs takeover of the executive branch (both Clinton and Obama are their puppets here)
GHW Bush has been running shit since the 70s.
Cheney setup the framework for the current MIC exploitation of the world when he was in Sec. Defense position in the early 90s - then setup Halliburton to be in the position to receive all the mandated private-sector contracts so the military could focus on its "core" -- the same with the Carlyle group.
(Carlyle owned CRG West (MAE WEST) and other fiber infra and DCs)
These guys worked diligently to put all this into place. Obama is just a puppet who was meant to quell the outrage that the Bush regime was bringing.
I posted a list of the key players in this, I did not post any party affiliation....
I can provide a hell of a lot more detail than this too - going back to 1920 with these guys...
It is excessively naive and completely discredits your otherwise potentially salient points to suggest President Obama is a puppet.
You're wading far too deeply into conspiracy territory to suggest that this puppet 'was meant to quell' anything. He is a leader whose administration stands and falls on its own merits.
I think it is naive to believe that each and every administration "stands and falls on its own merits" -- and then in the same breath talk about partisanship.
There is no party but the MIC party - and clearly, the NSA owns that party.
America has died, completely, 100%. There is no such thing as "Land of the Free, Home of the Brave"
This is tin-foil hat territory. The CIA was practically dismantled under Bush 43, and the intelligence agencies fight amongst one another like boisterous stepbrothers. To think the intelligence agencies control the government is vastly overestimating their internal political cohesion and capability.
The IC isn't running the government. They've got their hands full just running themselves.
The idea that we are not free is absurd. If I want to hold a rally for the Ku Klux Klan, that activity will be protected by the full force and power of the United States government. I can worship as I wish, read the books I choose, and write whatever I want (excepting direct threats of violence) with little fear, knowing that laws and courts stand ready to vindicate my rights.
I would take our extensive package of rights over single party political control, strongman leadership, civil law jurisdictions, and common law libel standards any day.
We are certainly no longer the most free nation on the planet, which saddens me deeply. But we are certainly amongst the best on that metric.
You forgot to add President Obama and other current leaders to the list. Expansion and utilization of these programs has also occurred during his administration.
I was talking specifically about the ones who setup the current situation. Clearly there is no argument that its been embraced and extended by the current puppet regime.
That's way too simple. Many people on that list belong on that list, but...
The American people overwhelmingly approved the Patriot Act, and the idea of surveillance, and the war on terror, and the actual wars on place.
The Obama administration resumed surveillance programs which had been previously shut down.
The military industrial complex has been growing steadily larger since the 1950s.
Congress people from both parties repeatedly approve the growth of the defense budget, and especially parts which gain them money and jobs for their own states and districts.
There are certainly people to demonize, but sorting them out from the well intentioned would be incredibly complicated.
> The people working at Fort Meade are not evil. They truly believe they're doing a great service ...
That isn't really a strong argument. Firstly, their actions is supposed to reflect the ideology of the US citizens in general. If it doesn't, either they are not being administered as well as they should be or they are purposefully ignoring the will of the citizens. Secondly, the idea that because they truly believe that they are doing great service doesn't actually justify any of the actions. If we are forgoing the label of evil because they think that they are doing great work (and I am OK will that, I hate the label 'evil'. It is unconditionally partisan) then it does question whether Nazis/Soviet union deserved the label as well. Because I fear that they too believed in their actions.
> our legal framework is still grappling with that change
US legal framework does not seem to be struggling (I am not a native speaker, so I am assuming that is what you meant). It has expanded the power to monitor and interfere knowingly and willfully. Let's not blame this on misunderstanding or incompetence. While it is the first thing that this should attribute to, the people who have built this system seem highly skillful and knowledgeable. If you claim that decision makers do not understand the new world that has suddenly bubbled up, well it's your responsibility and that of the NSA employees who seem to be following orders without questioning, to either make them understand or replace them. And in all fairness, US voters did. The man even won a Nobel Peace Prize for some reason I cannot understand. But his actions behind the doors seem totally contrary to what his words have been in past. Not really the fault of the voters but it definitely raises questions if he truly understood the costs and still took the leap.
> Firstly, their belief is supposed to reflect the ideology of the US citizens in general. If it doesn't, either they are not being administered as well as they should be or they are purposefully.
I think this is a very difficult question to answer. If you're a lowly NSA tech tasked with something seemingly mundane (say, writing some automated tool to be used by an internal billing dept), at what point do you refuse to contribute to an organization that may be operating against the will of the people? Who is responsible?
> The people working at Fort Meade are not evil. They truly believe they're doing a great service to the nation.
Evil doesn't require intent. Some of the most evil acts in history were carried out by people who believed they were doing a good and moral thing. Most evil people don't go around thinking "I'm going to be so evil today!"
I suspect you are correct and that the vast majority of NSA employees think they are doing the right thing for America. That doesn't make their actions any less evil.
>The people working at Fort Meade are not evil. They truly believe they're doing a great service to the nation.
I don't want to Godwin the discussion here, but it's not at all rare for people to act in an evil (or whatever you want to call it -- bad, harmful) way while not recognizing their own actions as evil.
That people don't think their actions are evil doesn't prove that their actions aren't evil.
Add to that, evil acts are almost always done in service of an ideal. For example the USA has economically and socially gutted many nations by force in service of the democratic/free-market ideal. Yet it's rare to find an American who sees it this way. US-USSR proxy wars in the Middle East and Latin America from the 60s-90s weren't destructive, we were just trying to help those countries out. We wanted to modernize them, to improve their lives, not to destroy them. They were just too uncivilized, too barbaric to get it. Why would they hate us for that?
Hence 'ideology'. Easy to serve, hard to view objectively when you've spent a lifetime on the inside.
>We have had the luxury of coming of age in a time where there is no credible threat to our very national and physical existence.
The Berlin wall didn't fall until 1989. The Soviet Union didn't dissolve until 1991. The period of 1991-2001 was spent fighting proxy wars in former USSR terrories or allies [1]. Iraq. The Yugoslav Wars in Bosnia, Macedonia, Kosovo. Haiti. All of this was an extension of the cold war. The Red threat didn't officially end until 09/11/01, Communism continued to be a spectre held over the head of the American public. It's just the discourse shifted from "the USSR has bombs that can kill us right now" to "Communism is bad therefore we're preventing it from spreading". The constancy of threat and surety of the potential for complete annihilation was always there.
And of course, from 2001 on everyone spent all day, every day thinking of the most horrible ways they could be attacked by terrorists. With great encouragement by media and government apparatuses.
>But let's not demonize the individuals. After all, they're only doing what the people demanded after we were attacked.
Again avoiding Godwinning, but to a certain extent you must demonize the individuals. Else there is no incentive for people to be vigilant of runaway ideology, like the US is operating under currently. Else there is no incentive for individuals to formulate a moral compass external to the state, because why bother when "they told me to do it" is a legitimate excuse? The state idology becomes your morality. After all, you're just tryin' to put food on your family.
> That people don't think their actions are evil doesn't prove that their actions aren't evil.
Certainly not. The issue is not their beliefs, but rather the reasoning behind them. Different experiences of the world give rise to different world views. The world view of those that operate, condone, and approve the surveillance arises from a set of historical understandings and modern experiences that neither you nor I share.
To suggest that the scare tactics of CNN and the like is comparable to the psychological effect upon an ordinary analyst of regular intelligence reports of weapons-grade uranium being smuggled out of Russia via Kazakhstan is naive at best.
The threat of true national annihilation, not a specter concocted by a manipulative elite, has been the norm rather than the exception throughout history.
Modern totalitarianism has its roots in a not too distant past in which totalitarianism was the surest defense against large armed groups of humans that would burn your fields, kill your family, and subjugate your people.
That threat didn't disappear until very recent times. The cultural history of the American people is replete with threats to our existence: the CCCP and Warsaw Pact, the Axis, the German Empire, Spanish colonial North American empires, the British Empire, the Quadruple Alliance, the Normans. The intelligence community takes it's cues from a long history of existential threats.
What seems so obvious to us is that the current world is stable, and thus extraordinary measures to protect our safety aren't justified. Those charged with national security take a longer view. They see our nation as balanced on a knife's edge between internal strife and external threats. And thus, threats to either must be vigilant observed, documented, and understood, so that if the time should come when a conflict does occur, we stand prepared.
That line of reasoning is often alien to privacy advocates. I neither endorse it nor deny it. I simply acknowledge that those who study, train, and practice for our defense are not naive when it comes to the risk of violating civilian privacy. They simply set a different value to each of the variables in the risk-reward equation. You may disagree with those values, but it is important to understand them. Blindly denouncing such views as morally bankrupt simply factually incorrect.
> The Berlin wall didn't fall until 1989. The Soviet Union didn't dissolve until 1991. The period of 1991-2001 was spent fighting proxy wars in former USSR terrories or allies [1]. Iraq. The Yugoslav Wars in Bosnia, Macedonia, Kosovo. Haiti. All of this was an extension of the cold war.
The wars you cited were in no way related to the Cold War. Yugoslavia was a strategically unimportant area, relevant to no one in the geopolitical sphere.
The intervention occurred as a direct result of ethnic cleansing that was taking place in obvious, organized, and deliberate fashion. To suggest otherwise is simply incorrect. I've spoken with the head of UNPROFOR from the Srebrenica Massacre. It was a war crime on par with the worst parts of World War II. Clinton himself stated that his reluctance to intervene was based upon the "ancient ethnic hatreds" argument of Balkan Ghosts. The Yugoslavian intervention was about genocide. As a simple fact, it had nothing to do with the Cold War.
> Communism continued to be a spectre held over the head of the American public. It's just the discourse shifted from "the USSR has bombs that can kill us right now" to "Communism is bad therefore we're preventing it from spreading".
Containment of communism was simply not a factor during the nineties. Moscow was crushed, the former Soviet block in shambles, and Russian interests retreating from throughout the world. Hence the remarkable cooperation on nuclear arms, energy policy, and democratization between the Yeltsin administration and the Clinton administration.
"War is peace. Freedom is slavery. Ignorance is strength."
Orwell in 1984:
"Part
of the reason for this was that in the past no government had the power to keep
its citizens under constant surveillance. The invention of print, however, made
it easier to manipulate public opinion, and the film and the radio carried the
process further. With the development of television, and the technical advance
which made it possible to receive and transmit simultaneously on the same
instrument, private life came to an end. Every citizen, or at least every citizen
important enough to be worth watching, could be kept for twenty four hours a
day under the eyes of the police and in the sound of official propaganda.")
I have a tremendous amount of respect for those in the security services, who have been given a rather difficult job to do, and who seem (from the vanishingly small amount that I know) to be approaching it in a professional and objective manner.
I have no desire to be nasty, and if I have personally offended anybody by what I have written, I most profoundly apologize for the hurt.
However.
This is an important issue, and it deserves public attention and a detailed debate. I hope that some of my provocative wailing and doom-mongering has done what was intended: provoked some thought and consideration.
This is, after all, politics, and, as I have mentioned before, we sometimes need to make a caricature out of our own positions in order to make a point. Omlettes and eggs and all that.
I understand Nazi concentration camps. It was a manipulation of nationalist sentiment against an imagined internal enemy, conveniently one that could be dispossessed of a great deal of property, coupled with a never before seen combination of the pure survivalist id meeting modern state capitalism.
I understand United States concentration camps. While we certainly didn't starve, gas, or force Japanese, German, and Italian Americans, we did relocate large numbers of them to temporary camp facilities for the duration of the war. It was believed that recent immigrants and their children might harbor loyalty to extremely dangerous enemies and could serve as a fifth column in the event of an invasion. For what it's worth, despite the indignity and suspect constitutionality, that's a far cry better than most nations have acted in similar circumstances.
Both of those events are understandable, in that I can understand the thinking of the people involved. It does not mean I morally condone it. What I'm attempting to combat is the notion that all acts with which one disagrees must be the result of moral bankruptcy or internal failing.
Usually there is a logic, however skewed, behind even the most heinous events in human history. The first step to preventing those events is to understand that logic. Only then can we address the root causes of the problems we wish to solve.
In this case, I'm suggesting that the root cause was a panicked citizenry seeking shelter from a very real threat, not a government seeking to blindly expand its power. That's an unpopular opinion, but alternative interpretations lead to different actions.
Interestingly that's not the part I find new or staggering at all. I suppose that's just an exceptionally cynical worldview at work? No matter how "sacred" the trust I always expect this amount of power to be misused to this degree when it's secret and consistent with the ideologies present among those with that power.
>Second: realizing that "we should have known" and "none of this is new" isn't so much about reading news articles and being "plugged in", but rather having an understanding of how the Internet works.
These are exactly the kinds of comments I'm talking about. The preponderance of people affected by this program on the globe (a staggering amount if you will) had no knowledge of this because the media failed, and are not, in fact, technically savvy on any level and don't understand, at all how the internet works in relation to the technologies employed by these programs.
>To be surprised at the possibility of storing packets is somewhat naive considering how simple it is to do.
For the vast majority of the potential consumers of this knowledge, this just simply is not the case. At all. They aren't being naive. This is highly technical to them and severely under-reported, and where it was reported it was not explained terribly well, nor was there meaningful conversation surrounding the reporting's aftermath.
But congratulations, rmrfrmrf, on being one of the select few that are not naive. We need to get you some sort of prize.
> These are exactly the kinds of comments I'm talking about. The preponderance of people affected by this program on the globe (a staggering amount if you will) had no knowledge of this because the media failed, and are not, in fact, technically savvy on any level and don't understand, at all how the internet works in relation to the technologies employed by these programs.
Of course at least the mainstream media (MSM)
failed. Why? It's a very old story, rock
solid in the media: An MSM media company is
in business to make money. They have some
old techniques for doing so. Their main technique
is to get eyeballs for ad revenue; for that their
main technique is to grab people by the heart,
gut, and below the belt, always below the shoulders,
never between the ears; the content is essentially
only light entertainment following the framework
of the ancient Greeks we now call formula fiction;
the content is nearly never the information needed
by an "informed citizenry".
The best hope for the information citizens need
is Web sites on the Internet and search engines
that can help people find that information.
I understand your point, but you fail to realize that comments like "why are you surprised?" induce a kind of digital bystander effect: they're essentially defusing moral outrage via social proof. If you read a comment like that, you may think to yourself, "well, this originally seemed like something worth loudly protesting, but if everyone already knows about it, then I guess it must not be that big of a deal." It has the effect of numbing outrage regardless of the outrage's merit, and I can't see how that's productive.
If you feel that the outrage is in fact without merit, then attack that on logical/rational grounds, not by appealing to social proof.
You're both right. If you read the PATRIOT Act, it's easy to look backwards and see that the things we're becoming aware of now are logical extensions of what was being asked for way back then.
It is, however, VERY easy not to have been able to have that foresight, and I think that the insights people were expecting the government to have been constrained by the fact that all the information of value is collected by neutral third parties. Google, Yahoo, Twitter, etc., aren't likely colluders with the government.
Plus, at the time of the PATRIOT Act's passage, there wasn't quite as much information being put on social media, or out to the public in general. Not as much was online, digital, or otherwise easily indexable.
There were those predicting this sort of possibility before the PATRIOT Act's enactment, and since, to be sure, but you shouldn't feel responsible for not having seen the signs yourself, or for having heeded the words of what probably seemed like kooky overreactionaries from back in the day.
The funniest part about this, to me, is that somewhere, very quietly, Richard Stallman is quietly telling us all the he told us so, and he's absolutely right, and always has been. Neverminding that, he's largely seen as a crazy old paranoiac who we should respect for his IT knowledge, while having to forgive the rest of his eccentricities.
If Richard Stallman is quietly berating us somewhere, he can go fuck himself. Part of educating the masses is being a person who people want to listen to. If he failed at that, he's no better than anyone else, and perhaps far worse, because of all the lost potential.
Part of being intelligent and shrewd is listening to the words that people say, and judging arguments based on their merit. The idea that Stallman should go fuck himself for not dumbing down or tarting up the message enough for you to pay attention to him makes you the asshole, not him.
In my experience, telling people to do something hard (open source, keep privacy, etc.) in the face of a barely perceived danger (government is coming to get you) is kind of a hard message to get heard.
Aside from that, I didn't mean to seriously suggest that he's out there passing judgement on us so much as I was attempting to acknowledge how hypocritical we are for having disregarded his message because of his eccentricities. I think your statement, that he should actively try to be more popular for us to care, is further proof of how wrong we are to be that way.
In an ideal world, your response would have made a perfect satire of how Americans are likely to react in the face of the responsible elder telling us to eat our proverbial vegetables. That is isn't saddens me.
Speak for yourself. Stallman is a massively influential thinker that has indisputably changed the world positively. A lot of the world has reshaped itself to attempt to resemble Stallman's dreams. His contribution was to have the dreams and to share them in material ways, and he didn't even owe us that.
You're in the bizarre position of criticizing him for being right. You're expecting Stallman to figure out a way to market to you, rather than expecting yourself to figure out how to evaluate arguments and evidence rationally. Think about that for a minute, and then explain to me why that wouldn't make more sense.
You seem to think I'm the one who has a problem with him. I think he's always been dead on, and don't disagree with you in the slightest about his vision.
Where our expectations start to misalign is the part where he's been ignored because he doesn't know how to be a consummate human being (let alone marketer), and you say it's everyone else's fault. Idealism is fucking useless.
More like a news sheep. The mass market news is and has always been 49% fluff and 49% lies.
Comments from people who already knew what the NSA does are not "self aggrandizing". The are other-insulting. You should rightly be ashamed that you walk through life in a news fog of up-to-the-minute minutiae. Read books by retired insiders, talk to current insiders and contractors. That's the only way you will learn anything about anything. To wait for the newsmen to do it for you is to sign your mind over to tampon salesmen.
The NSA story is staggeringly unimportant. Every government, many companies, and rather a lot of organized criminals run intel and counterintel operations. It is just a fact of life, like antibiotics and highway construction. It is inevitable that there must be a national American signals intelligence organization.
What os staggetingly important is why the NSA alone, out of all the spy organizations, is being singled out for a comprehensive media war. The most likely explanation is that the Democratic Party needed something to distract from its pecadillos. The next most likely explanation is that a foreign government is getting themselves some payback. In any event, if you care about this non-news, you are just another mindless pawn.
Every time I post the truth about this NSA fiasco, I get:
1. Downvoted to oblivion by a hivemind, and
2. Somebody like you chimes in with a content-free emotional outburst.
So exactly what did I misunderstand?
The incontrovertible fact that this really isn't news?
The fact that every history and exposé on the NSA has been saying this for decades?
The fact that the NSA tried cramming the Clipper chip and key length restrictions down our throats to make domestic spying easier? For half a decade this was a weekly running joke on Slashdot that you had to have been living under a rock to miss.
That the previous commenter claimed to be a "news junky" and then admitted that by news he means the mass media—a pack of tampon salesmen and political hatchetmen.
Don't worry, you're being downvoted by all the other "OUTRAGED" hackers who ignored all of the news that has been out about these programs for the last decade. Rather than confront the fact that they * have been downplaying the severity of this in the last two months and admit that maybe they ignored some of the news or didn't pay it attention, they contend it simply never existed.
The "The NSA is siphoning off the Internet on a huge scale" was a huge fucking story in Wired 5 years ago and no one gave two shits.
I'm sorry but "This is a complete surprise." is BS to anyone who's ACTUALLY been paying attention.
* Where "they" includes multiple noted HN names, often from the top list, that I've personally watched walk back their own denial of NSA programs in the last two months as more and more information has come out. Oh, and that guy that guy that did security for Google that just embarrassed himself a few weeks back has to feel really special now.
>That the previous commenter claimed to be a "news junky" and then admitted that by news he means the mass media
Absolutely nowhere did I say, or even begin to imply that. In fact, I explicitly called out the mainstream media for being complicit and/or not reporting on this issue while indicating that much of what is being reported was already known to me. Not only did I NOT say that I get my news from the mainstream media, the implication was, if anything, that I did not. The mainstream media is about the last place I'd look for competent coverage of this issue.
You're terrible at reading comprehension. Terrible. You make a lot of assumptions, all of them wrong, then proceed to insult other people based off your incorrect assumptions.
Additionally, the only thing incontrovertible is that this is news to the vast, vast majority of people who are affected by these programs. Those are the real numbers. But I know you. You're part of the Pedestal Crowd furiously patting themselves on the back. Good for you Danny. Atta boy.
I think it's just a demonstration of complacency more than any actual knowledge on the subject. I've noticed it's invariably my non technical acquaintances who are the first to pontificate on how this is all somehow boring old hat.
> It has become a bit of a pet peeve of mine recently to see self-aggrandizing comments from users around the net about how "we should have known" and "none of this is new."
I agree that "know" is a bit too glorifying. I propose "suspected".
I don't find this surprising at all. Practically 99.99% of a normal user's Internet activity is centered on Facebook, Google (including Gmail) and a handful of other sites. The amount of data everyone is requiring in order to provide a service also includes pretty much anything you need in order to track someone.
It's not news you need to pay attention to but some of the more theoretical aspects of networking in a second-year course.
I have nothing wrong with people having suspected it for a long time, or even saying so. I suspected it for a long time as well. My problem is with the attitude many people seem to have once evidence confirming those suspicions comes out and they go on about how the evidence means nothing because they knew it all along. No, the evidence confirms their suspicions, which makes it incredibly important!
Ultimately, whether they intend to or not, such statements end up making other people who are hearing about this for the first time more complacent about it because they come into the comments and see a bunch of people going on about how it's nothing new and therefore the new information is no big deal.
I share your pet peeve and I can only assume that the "meh, no big surprise here" response stems from two things: wanting to sound just as knowledgeable as the person who brings up the topic (despite not having any new information); and at the same time justifying their complacency about the issue.
>and at the same time justifying their complacency about the issue.
A good theory, as I have an extremely difficult time imagining anyone in an activist (non-complacent) stance on this issue ever reacting like that to these revelations.
From the slides, apparently a node in
the system just connects at an ISP
or peering site and grabs all the
packets. Then they essentially 'parse'
the packets to TCP/IP sessions, logical
user sessions, e-mail messages, etc.
Then back at HQ, can send
the node what are essentially 'filters'
to return 'alerts' and the associated
content.
So, point: As a system, it's quite
obvious. As software, it's quite
routine.
And, from their description of working
with anomalies, they are being just
intuitive and elementary and not at
all advanced or powerful.
It would appear that a terrorist
Internet user
could
do fairly well beating that system
by using a proxy server also used by
many other Internet users and also
using a lot of strong encryption --
PGP used well might be strong enough.
From the slides, apparently a node in the system just connects at an ISP or peering site and grabs all the packets. Then they essentially 'parse' the packets to TCP/IP sessions, logical user sessions, e-mail messages, etc.
See? No "direct access!" Google/FB/Apple's statements, totally reassuring.
For me, personally, it's not about "look how smart I am" as it is genuine surprise that the story actually seems to be sticking this time.
I'm glad that people are paying attention, but especially early on, it wasn't entirely clear that Snowden's leaks were substantially different from the leaks that have been coming out of the NSA for years that never got traction in the media.
I think the type of leak is substantially different, the other leaks were all somewhat hard to describe. The Snowden leaks have the names of well known companies in big menacing letters.
The traditional media is complicit. And it isn't some grand conspiracy either, they just share the same interests as the rest of the establishment, being part of (and/or owned by) the establishment themselves.
There is good independent media that has been covering the story for years though. Here's a Democracy Now story from February 2005:
How is that relevant to the NSA story exactly? Are you saying that the Government vacuuming up any and all data it can, and granting internal and external analysts easy access to that data, is comparable to the owner of a private server analyzing the network traffic of their servers and networks? If you want to hold private server and network operators to a standard that restricts them from doing that you're going to have a bad time.
And the purpose of Tor might be different than you imagine:
Is it self-aggrandizing? I suppose I'm one of those people.
I was shocked by having this laid out as well but I really did just assume this was probably going on. It was technically possible, it was politically possible and it was financially possible. If I shared the worldview of the people doing this and been in the position to do this, I would have been itching to start this level of collection and data mining.
I will admit to part of it being satisfaction at no longer getting the "oh put your tinfoil hat away, no one would do that" response whenever it came up, which was always based solely on the old "I don't like the implications of this being true therefore it can't be" argument. It's also relief that there is finally a discussion about a subject that was previously only seriously discussed by a small number of people.
I take your point that the I-told-you-so gloating isn't helpful and doesn't reflect well on those who do it but I disagree that that was ever meant to discourage discussion, if anything it was anger at the fact this discussion has taken so long to occur.
I've been hearing about the NSA's massive data center in Utah for well over a year, from public news sources. They have always suspected that it's main purpose was the warehousing of American's private communications.
I'm one of those "none of this is new" types. The fact is, we ALL very much should have known. Do the words "Echelon" and "Total Information Awareness" ring any bells? These were terms being used pre-9/11. There is no excuse for someone technological and with a small inkling of understanding of human nature to not have seen all of this coming. There really isn't.
If you're waiting for someone like Snowden to come along and spoon-feed you all the ways the government can screw you, you're doing things completely wrong. Oversight requires foresight.
Briefly summarized, the only way to do secure mail is pgp, the only way to do secure chat is to avoid all the main chat networks. And microsoft actively designs their systems to be easier to access for the NSA (far beyond their legal obligation) so you may assume that any microsoft product is a direct line to the NSA.
Its kinda interesting how most of the comments are: "amazing!", "shocking!", and "OMG!". But very little is discussed on what could be the solutions, theoretical and practical, short term and long term that could be taken in regards to the facts that came to light. Aside from the lonely fight-p#(%!.com there has not been any serious discussion on HN on this. What are you thinking, people?
Keep in mind also timeframes. Facebook HTTPS use -- and more so use by default -- is more recent. Remember the whole "sheep" debacle?
Even Gmail HTTPS use is somewhat recent and not original to the product.
Further, one might combine this with reporting about initiatives to gain company SSL/TLS private keys, account passwords, and the like, in some interesting speculation -- if speculation it remains.
Amongst all the rest, I would point readers towards browser fingerprinting. It's difficult for me to imagine they are not using it.
If the public is going to have some degree of counter-measures, this will include browser and other client software becoming more pro-active about anonymizing its own profile / usage profile. For one thing, stop sending highly unique fingerprint data such as font listings to every Tom, Dick, and Harry. Just one thing amongst many...
> but how are they getting all Facebook private messages and Gmail?
It was reported earlier that the NSA has installed hardware at their "partner" companies. As you certainly remember from the slides, they are: Facebook, Google, Microsoft/Skype, AOL, Paltalk, ...
What's really sickening is that you can tell that programmers or very technical people were involved at some level to design these systems which help people construct rubber-stamp plausible deniability. Whoever these people were knew full well that they were architecting systems that skirt the letter of the law if not outright flaunt it.
Somewhere there is an architectural diagram of these systems that describes how to make people check checkboxes before releasing information. CYA-oriented programming that has clearly driven the entire design of this thing.
Once again, whilst the shrill cries of protest claim that the government has gone too far in it's intrusive surveillance, the pragmatic amongst us are forced to admit that this is a capability that the state simply will not give up, even in the face of massive public protest and discontent.
Moreover, the technological trend is clear; and the avenues for sharing intimate personal information proliferate and multiply with every passing month. The debate therefore needs to shift. The question cannot be over whether the state should have access to this information. We are powerless to push on that point.
The question has to be this: Given that our state (and others) will necessarily know the most intimate details of our lives, how do we want it to behave? How do we want this information to be used? What do we want the newly intimate relationship between individual and state to look and feel like? It may well be that we come to a startling different conclusion than our initial starting points might presuppose.
There are tremendous social benefits to be had by using this treasure-trove of information wisely, just as there are tremendous dangers to be risked by using this trove with carelessness or malicious intent. However, we need to think very carefully about how we manage the relationship between individual and state; how we manage the relationship between individual and peer; and how we manage the relationship between individual and technology.
I feel strongly that this is the most important debate of our generation; perhaps the most important debate to be had in this new millennium.
There's no evidence that any encryption is broken (other than people misusing it (edit: or broken protocols like PPTP)). Anyone could do this kinda thing given enough motivation and money. Determining a VPN's users? Just monitor all inbound connections to the VPN service. Now you have the IPs of the users. The IP alone might be enough to know the user or a search on that IP might show them logging into other services that reveal their ID. Pretty simple.
I think so. Yes. IIRC, the first time I saw this leaked was a combo leak by a Navy Seal and a member of the Executive. The Seal leaked that they powered down Bin Laden's computers to take his hard drives after they shot him. The Executive member said that the drives were encrypted and it would take a few days to get the data. Jihadis are known to use a custom version of PGP with 2048bit RSA keys. They either used that, a COTS drive encryption program (unlikely), or reviewed and adapted an open source drive encryption program. In either of the likely scenarios they would have been using 2048bit RSA. Therefor, it is highly likely (due to the NSA having target motivation even if the drives weren't well encrypted) that the smooth barrier does not exist and the NSA can factor 2048bit RSA in a hours to days scale time frame.
Also, it was leaked that NSA TAO had a 70%+ success rate compromising Chinese systems. Even with the tech companies giving them secret zero days for an extended period of time, anyone that has been a blackhat knows they're not getting to a 70% success rate through exploits. Therefor, it's highly likely they can decrypt VPN/SSH (TLS) traffic encrypted with AES256/RC4-128/3DES and/or the RSA/EC public cryptography used. As you noted the leaked slide seems to indicate that.
I don't recall the source of the Executive comment. It was kind of buried in a news piece with a broad focus that I read. I'll look for it. Unfortunately, I can't recall the exact language to do a good search and find it. Sorry.
The Executive and Legislature couldn't keep something secret to save their lives. And, JSOC leaks like a fucking sieve. If I can't find that particular leak on the web, I'm sure there will be another one soon with the same info. Every guy likes to talk to pretty news reporters and seem important.
Breaking RSA is just a matter of managing to factor prime numbers faster than anyone else, isn't it? Unless if there is some sort of oversight inside the RSA algorithm that allows the encryption to be broken easier.
Do you have more information on the smooth barrier? I did a quick google but didn't see much relevant.
As the size of a semiprime increases, the number of smooth numbers that can be discovered (the "yield") by the GNFS with polynomials selected with academically known optimal polynomial selection algorithms decreases. With a reduction in smooth candidates the GNFS sieve operation can be wholly unsuccessful. If a smooth barrier exists (such as a semiprime size where smooth yield becomes deficient) factoring time degenerates from the GNFS improved rate to old school factoring rates due to the need to pivot. Yield decay has been observed <2048bit. If 2048bit is easily factorable for the NSA, no barrier challenge is suggested.
I'm not sure it's relevant whether the b-smooth barrier exists of not, since that assume use of NFS.
There's a reason the NSA is pushing folks to use Suite B ciphers including Elliptic Curve along specific curves. It's not unreasonable to think that the NSA mathematicians have proven some relationship between EC and prime number theory in general.
Interesting comment! Yes, I have been trying to avoid EC because some of the random walk stuff I read made me uncomfortable given standardized curves. I always thought that NSA vector register desire was strictly due to block size of ciphers (particularly Russian). This was definitely true when DES/3DES where in use. Then again, I thought Bluffdale was just to crack old Russian intercepts with GPU like custom hardware. BTW, a Cray hw engineer and I talked about how Cray was trying to pivot into Bioinformatics since the gov biz was no longer robust (in 2004, IIRC?).
The whole reason the USG rescued Cray in the late-1990s/early-2000s was to insure the continued availability of large memory image vector supercomputers. Part of this may have been to it being less costly than converting their processing systems from vector codes and algorithms to massively parallel distributed processing ones. At that time the cluster interconnects were much, much slower in terms of both bandwidth and latency than they are today. Solving very large sparse matrices would have been tougher on an MPP system than on a vector one. You can read about some of this history in Bamford's "Shadow Factory."
There have been a number of very cost effective hardware approaches proposed for significant acceleration of both the sieving and linear algebra components of the NFS. Many of these proposals could successfully and cost effectively attack a 1024-bit number in the 2003/2004 era. The process at that time was around 130-nm. Today's process would have features at the 32-nm or 22-nm size. Today there has been a 100-fold increase in performance since 2003. (See http://tau.ac.il/~tromer/cryptodev/ for an overview.)
Combine this specialized hardware with an algorithmic improvement that gets to O(log n) or O(n log n)....
AES appears fine. The NSA and USG in general make a very strong effort in the 2000s to move all civilian command and control systems for satellites to AES-256 with TRANSEC capabilities. A brute force attack on AES-256 with a quantum computer should be on the order of 2^128 operations with currently know QC factoring algorithms. AES-128 looks weak at 2^64.
If the NSA can break something, they need to assume that their primary opponents can do so or will do so soon. China specifically comes to mind here. The can not release cryptography suites with known vulnerabilities. It is widely thought that it is more importantly to secure one's own signals before intercepting and decrypting one's enemies.
I think everything on the internet needs to be moved to Suite B protocols with forward secrecy enabled. AES-GCM overcomes all the known attacks (i.e. CRIME) against AES-CBC and AES-CTR.
I get the impression that the NSA is eight to ten years ahead of the public domain cryptographers in some areas. I think this gap is shrinking slowly. However, I have also heard that the NSA is preventing publication of some papers developed in the public domain due to national security reasons.
I know nothing about this stuff, so apologies for my naiveté, but what technical barriers prevent us from changing from 2048 bit encryption to something of a much much greater magnitude? 2,048,000 bit (or whatever).
I thought Google, Facebook etc. only had to provide access as they are compelled to under US law? If the VPN provider was non-US (and did not/claimed they did not keep logs of user activity), would this help? Or do you reckon the NSA has the ability to get at the data without the cooperation of the VPN provider? It would be great to have a couple of slides revealed on this area.
You probably don't need to break the encryption because eventually all traffic has to exit the VPN's company's endpoint, and at that point it can be captured. Meta data such as the browser's fingerprint can be used to tie traffic to an individual, for example, if you see them log in to a regular HTTP site with an email or a username, this information could probably be used to figure out who they are. Armed with this information, all other traffic originating from that endpoint (or elsewhere) with the same browser fingerprint.[-1] can be monitored. Weak keys can also cause the encrypted tunnel to be compromised. Also, PPTP is considered a very insecure tunneling protocol[0] but still used.
You could also break into the VPN company's servers and do interesting things too. There's also the possibility of timing attacks to determine the real IP address of the VPN user, although that's fairly a sophisticated method and quite difficult to do.
Bear in mind that this presentation dates back to 2008, which is a long time in tech years. Who knows what they're capable of now. All that's known is that they're not capable of less.
VPNs are useful for three things: protecting yourself against relatively unsophisticated bad guys sniffing traffic on a local network (for example, an unsecured wireless network), bypassing geographic content restrictions (e.g. using Pandora in Sweden), and circumventing ISP traffic shaping (often they'll not shape VPN traffic because it's used for businesses, and businesses can be whale customers).
> all traffic has to exit the VPN's company's endpoint, and at that point it can be captured.
If the only thing they're dealing with is VPN's used as a private proxy for access to the public internet, you're right, and if so it's not so troubling (well, as in it is "only" just as troubling as having them access everyones web traffic).
But arguably most VPN traffic is exiting inside private networks and are intended for machines within those private networks. If they are capable of breaking or circumventing the crypto of those, then that's troubling at a whole different level because it potentially means massive unknown weaknesses in either specific crypto products, or in algorithms that have been assumed to still be reasonably safe.
The slide talks about VPN startups. Some corporate VPN connections could be also compromised for a number of reasons. There are possibly undisclosed weaknesses in the "gold standard" VPN solutions, such as OpenVPN, as well as the protocols they use.
Security's dirty secret is that security is an unobtainable goal. The goal of designing secure systems isn't to create something impenetrable (i.e. secure), but something that's almost impossible to penetrate. 100% secure systems are about as common as rooster eggs.
I took that to mean establishment of VPN connections, rather than companies operating VPN services.
Of course total security is impossible. But it would still be troubling if breaking common VPN services is not only possible but also doable with small enough resources that "any analyst" at NSA can just request it.
Many corporate VPNs are secured via RSA SecurID and their keyfobs. Several years ago the SecurID source was compromised by hackers[1] and it was suspected the master seed/key was lost. Imagine if the NSA had access to that key -- it'd certainly be a juicy target for them.
The most reasonable assumption to make right now is to assume that the NSA does have the key. They may not, but but then again the recent revelations have been so absurdly horrifying that I wouldn't put it past them.
There are not only correlation attacks as kintamanimatt describes, but "VPN" is a broad term that encapsulates a lot of old and broken protocols. They could be talking about breaking CHAP + PPTP.
Exactly. It has been obvious and widely understood for years to anyone who has ever used a network analyzer that systems like this could be built. The question was always would they be built. Stallman, and others, bet correctly based on their better reading of history and human nature.
You can be completely correct and still be a crackpot.
What we need is strict limitations on what can and should be collected, and how it's used, plus better methods of securing what's being exchanged. For example, sending email as plain-text, leaving it on the server as plain-text, maybe that's a bad idea.
The NSA isn't necessarily the only reason you'd do this. Foreign governments are going to take an interest in this, too, and it's only a matter of time before someone gets access the data the NSA is hoarding. No program of this scale is ever 100% secure.
It's not feasible for the average person to restrict their lives to the point that RMS does and advocates for.
* Reading the web via email only
* Using completely free software and hardware (which as far as I can tell, limits you to a very small subset of Linux on a single Chinese-made netbook)
* Not carrying a cellphone
* Not using any social networks.
Stallman's principled stand is admirable, but untenable for most. I need to violate every single one of these tenets in an average day at work.
And that's before we even enter the realm of entertainment, which is even worse as far as the FSF's definition of freedom goes.
Principled != crackpot. Crackpot is an insult intended for the feeble minded and is used to reduce any opinions a person might hold on a subject as reject-able out of hand.
Over unity energy generation from the vacuum is rightly labeled as 'crackpot' imo, Stallman's position, while extreme should (again, imo) not be labeled as such.
Calling proprietary software evil is an opinion, and there are plenty of examples of evidence that proprietary software was created in ways that one could label as evil. Give it a while and there might be some revelation which will cause lots of people to go 'oh, that Stallman was such a visionary, calling proprietary software evil'.
Now on this particular aspect of Stallman's reasoning I find him hard to follow because that would mean a whole class of something is bad whereas I believe it should only apply to instances on a case-by-case basis. But I'm going to hedge my bets here and sit it out for the next decade or two (assuming I have that much time remaining) to see if he might not be on to something again that is still hard to see from where we are standing right now.
One way in which this could play out is that in order to avoid certain societal fates is to have nothing but open source for certain classes of application (for instance, voting computers, software in use by the government in general or software that is used to power network infrastructure).
Don't be too quick to judge, Stallman has been right more often than I'm comfortable with on some of his most 'extreme' views.
I've never heard Stallman be right about anything that wasn't blindingly obvious to anyone who was an open-minded observer of the same things at the same time.
He's not the only one that's been crowing about electronic surveillance. Ever since things like Carnivore (http://en.wikipedia.org/wiki/Carnivore_(software)) were uncovered in the 1990s, it's been obvious that there's a lot going on we will never be fully informed about, that the internet is no longer a safe playground devoid of malevolent actors. Mailing lists and USENET groups at the same period of time were constantly aflame with these sorts of issues.
If you can cite an occasion where Stallman has had a unique insight into the situation, I'd be surprised.
Stallman, for all his posturing and relentless drum beating, which is at least admirable from the point of dedication, is still no Alan Kay, Marvin Minsky, Marshall McLuhan or Raymond Kurzweil.
Moral judgements are subjective opinion by nature, fair enough, but I bring the crackpot label in for exactly what you say, thinking in absolutes, in black and white, instead of nuance.
In the real world, that shows a distressing lack of critical thinking and a further distressing abundance of dogmatism.
"Proprietary software is bad" -- Subjective value judgement.
"Properitary software is evil" -- Subjective value judgement that shows a lack of thought.
"You should always use free software wherever possible." -- Subjective value judgement.
"You should use absolutely nothing but free software ever" -- Subjective value judgement that shows a lack of thought.
I mean, the FSF "disapproves" of software that is completely free on its own (Fedora, Firefox), merely because they point out nonfree things you can use. (Fedora's firmware bundles and some repos, and Firefox's addons site).
That's completely idiotic. Apparently the FSF's "freedoms" do not include the freedom to run whatever software you choose if it's "unfree".
The proprietary software as evil thing comes as a morality judgment, that the potential evils from such software/licensing far outway whatever positive nuance it could bring to the table. A nuanced reading of the past 75 years of copyright/patent law and judgments can come to the conclusion that such an ecosystem is detrimental to the rights and ability of end-users and developers.
Guess what the solution to the proprietary software problem is? Not using or promoting proprietary software or platforms that enable it.
You are getting upset that the Free Software Foundation has standards to be met to consider software as "free". To dismiss their agenda as existing in 'crackpot' territory is invalidating a legitimate argument to support your shaky conclusion.
You really want it both ways don't you. Ignore that Stallman was right AND continue to paint him as a crackpot. You just don't get it do you? You're drawing a completely arbitrary line. Who are you to say that he has no thought behind avoiding proprietary software as a matter of principle? I am willing to bet he could enumerate far more reasons for his position than you could.
> Over unity energy generation from the vacuum is rightly labeled as 'crackpot' imo
Then it seems that crackpottery is a term that may be removed in retrospect. I'm sure at some point in the future someone will crack the energy from the vacuum riddle, who knows.
* RMS reads the web via email because he's traveling virtually all the time and rarely has Internet access. A batch-based system makes more sense for him. This isn't an ethical stance, and the fact you include it hits your credibility severely.
* The FSF uses computers other than Yeeloongs. The FSF also doesn't really care about free hardware. The Yeeloong has chips with non-free firmware burnt in, and the FSF doesn't care because that isn't software. It's the Free SOFTWARE Foundation, after all.
* Stallman is on a few social networks, notably identica @rms@identi.ca (possibly now defunct). He probably has a GNU Social endpoint.
I think you're conflating Stallman's willingness to be uncompromising in his own lifestyle with his calls for reform. Stallman is fairly intelligent and understands that not everyone can live like he does, but I suppose he feels the need to answer the question of "what should you do in the present beyond push for reform."
I also don't know what "entertainment" you're talking about. The FSF is against proprietary video game engines, but their mission pertains to software, not music/movies/etc.. They campaign against DRM because DRM requires non-free software to enforce.
RMS emails in restaurants, cars, trains, etc., in Europe and the United States but also frequently in SE Asia and South America. There are pictures of him responding to email in the mountains in Nepal.
It's easy to get Internet access on the go in most of the places I've been to, but I've been to a tiny fraction of the places RMS has been to.
An example of a crackpot is Glenn Beck, that is, someone who is drawing incorrect, incoherent conclusions from the facts they observe.
Suggesting that people abandon social networks, never own cellular phones, avoid using the web almost entirely, these are extreme positions. What makes them crazy is when he's an advocate that everyone should follow these edicts.
Surely it's some kind of "geek social fallacy" that's being applied here. Stallman has come up with what he perceives as the optimal strategy and anyone who diverges from this is doing it incorrectly, just as how free, open-source software is the only kind of software that's acceptable, and everything else is "evil".
I think the free access to the data once it's mined is worse than the collection. Such access should require a warrant, if not a wiretap order, not a justification one-liner.
His observations are correct, but his conclusions are incorrect, just as people like Glenn Beck start out with facts and end up with paranoid delusions and fantasies.
I think Stallman's observations are valid, but his method of dealing with the implications of those observations are impractical, if not completely wrong.
He's not opposed to smartphones, he's opposed to cellular phones as these can serve as a tracking beacon, following your movements.
Given that the cellular providers are capturing and archiving location data, this is fact, his conclusion is we should avoid using these sorts of phones completely. Why? The reasoning here is a awfully thin, but has something to do with "being tracked = bad" and then goes into crazy territory from there. It's the same thing with credit and debit cards. They can be tracked, therefore bad, therefore nobody should use them.
If he's concerned about remaining invisible, then this must be applied rigorously across all aspects of his life. Does he wear dazzle face-paint or glasses with bright IR LEDs on them so that CCTV cameras can't pick him up? Does he only use methods of travel that require no identification? If the FBI wanted to retrace Stallman's activity on any given day, it'd take hours at most to piece it together.
The sign that someone's a crackpot is in how inconsistent they are in applying what they've concluded. It means they're missing something important.
For example, there are people that have a genuine need for absolute secrecy, that need to remain invisible, yet they still use cellular phones, email, and social networks. They're aware of the same risks as Stallman, but they take precautions instead of avoiding them completely.
It's notable that Osama Bin Ladin was taken down because he'd gone to such great lengths to avoid being tracked that he stood out as an anomaly, an approach that proved to be self-defeating. He had this large house, but a paranoia about electronic snooping so severe that he had no internet connection, and that alone made that house highly suspicious. If you're that affluent, you have an internet connection, even if you barely use it.
Everything Stallman advocates to avoid detection just makes him an even bigger target.
> If he's concerned about remaining invisible, then this must be applied rigorously across all aspects of his life
No, it mustn't. Every bit helps.
> Does he wear dazzle face-paint or glasses with bright IR LEDs on them so that CCTV cameras can't pick him up?
Perhaps he does not yet live in an area with seamless CCTV tracking.
> The sign that someone's a crackpot is in how inconsistent they are in applying what they've concluded. It means they're missing something important.
You must be a crackpot then because you're clearly missing that Stallman has probably managed to avoid having his daily movements tracked by some carrier.
> Everything Stallman advocates to avoid detection just makes him an even bigger target.
To whom, with what (crackpot-like) line of thought? Stallman is very open about his principles, his reasons and his actions. It would be extremely dumb for anyone to derive from this information that he is dangerous or a worthwhile target.
Tracking can be bad for some people, it can ruin their careers, destroy their marriage, completely upend their life if that sort of information got out. However, for most of us, it's not especially valuable information and any one day will look like any other.
When I engage with social networks, use a cellular phone, I'm aware of the liability. I'm making a conscious trade-off. I really would like it to be less of a big deal, that the privacy implications were minimal, but this is the world we live in. I support political parties and representatives that would restrict how this sort of information can be used, making it less likely to be collected in the first place.
> No, it mustn't. Every bit helps.
Either you're trying to avoid being detected, or you're not. There's no half measures here.
> it can ruin their careers, destroy their marriage, completely upend their life if that sort of information got out.
> I'm making a conscious trade-off.
No, you're not. If you and the people who have had what you wrote happen to them (they obviously would have been more careful than you) were making conscious trade-offs, nothing bad would have happened to anyone as a result. In fact, you do not even know what information you are disclosing to FB (it's more than you are writing) and other, unknown to you, parties, so a conscious trade-off is impossible. You are just patting yourself on the back for being satisified with your ignorance.
> Either you're trying to avoid being detected, or you're not. There's no half measures here.
From what I understand, he is refusing to provide personal information to a carrier and possibly other unknown parties, because that is potentially harmful and not beneficial in any way to him. Why are you insinuating that he is trying to avoid detection, as if he were some criminal? And by the way, even criminals aren't stupid enough to do everything wrong because they cannot do everything right.
I don't use Facebook specifically because of their habit of leaking information to anyone and everyone. I do use other "social networks" where I'm not obligated to provide a dossier on my life.
I've even got Facebook's site and associated flam blocked on my computer so I'm not bombarded with their inane commenting system, "Like" buttons, tracking features, or other garbage I want nothing to do with.
I'm taking a risk by using a cellular phone, I understand thins, however I believe the down-side of using one is better than the down-side of not using one. That I'm not a politician or celebrity factors in to this decision.
I'm not even sure what Stallman's full reasoning is behind cellular phones as it's always glossed over with some kind of hand-waving about tracking.
"Tracking can be bad for some people, it can ruin their careers, destroy their marriage, completely upend their life if that sort of information got out. However, for most of us, it's not especially valuable information and any one day will look like any other."
> I think the thing to realize here is life can change very quickly. What if, for one reason or another, you become a celebrity all of a sudden - Or happen to acquire particularly well-connected enemies. When this kind of powerful info is used against you things look quite different.
Stallman's stance is against all cell phones, not just smartphones. And I'd argue that in 2013, to the point where we're issuing basic phones to welfare recipients for the purpose of job searching, that this is an invalid conclusion.
As is only using the FSF's definition of free software (where it matters less that the software itself is free, but that the software doesn't point out to you any nonfree addons. Fedora Linux is free software, as is Firefox but since they allow nonfree firmware blobs, and addons respectively, they don't count).
Or free hardware, Good Luck With That, unless you like a single netbook made by a single company in China.
There's been many missed opportunities to get truly open hardware, an to this day we're still missing out on them. There are initiatives to remedy this, but they're still far from complete and need more motivated drivers to carry them forward.
Using a crappy computer from some no-name company in China is a protest vote and is not pushing things forward.
On the other hand, getting hardware hackers together to create a 100% free hardware platform would. The Raspberry Pi is close, all that's really needed is for some more aggressive lobbying to get the PowerVR driver component open-sourced.
Or consider, given how people are taping out custom Bitcoin ASICs, why is it inconceivable that someone could tape out an open-source CPU?
I fail to see how not owning a cellphone, only using free software and suitable hardware puts me at a greater inconvenience than, say, having all my life (movements, communication, interests) digitally recorded and made available for later arbitrary use (by any type of government we might have ...). I honestly wish I had the willpower and independence to pull it off.
On the other hand, I totally understand the people who firmly believe that neither governments nor rogue personnel will ever abuse this information to their disadvantage. After all, billions of people firmly believe in some arbitrary deity and we haven't managed to prove them wrong.
>As is only using the FSF's definition of free software (where it matters less that the software itself is free, but that the software doesn't point out to you any nonfree addons.
You're conflating the FSF's definition of free software, and the FSF's criteria for recommending software to users.
The FSF sees Firefox as free software (now that the proprietary error-reporting system they used is removed); they won't recommend Firefox, because it recommends non-free software. Fedora is a distribution, not a specific program, and they won't recommend it because it recommends non-free software.
By the FSF definition, a license is free if it protects the Four Freedoms; but software licensed under that could be something the FSF doesn't wish to endorse.
Honestly, if the NSA wanted to know what Stallman was up to, they'd apply the $5 wrench technique (http://xkcd.com/538/). All the tin-foil in the world can't prevent them from getting what they want if you're suddenly a Person of Interest.
Is there no difference between specifically targeting a suspect and gaining physical access to their hardware vs. any number of government employees/contractors sitting at their desk browsing through anybody's data with little to no technical limits and little to no oversight?
One of the slides literally says that users must be careful to and their query with another parameter to avoid running afoul of the law.
At this point the only difference is cost and scale. What the NSA is doing needs to be reeled in big-time, probably even shut down completely, but that doesn't mean being all tin-foil hat will somehow make you immune to what they're doing.
I'm sure they know everything they need to know about Stallman, just as they do about everyone else, apparently. Unless he's sitting in a cave writing EMACS source on goat hides, they'll have a window into his activities.
> At this point the only difference is cost and scale.
Only if we are talking about the same types of attack, which we aren't. If you do "wrench" style targeted attacks at a large scale, you'll leave 10%+ of the population injured, how is that supposed to work out for a government?
Stallman's counter-measures probably work as long as only very few people use them. The same is probably true for terrorists, which is why this whole dragnet surveillance does not really work towards the stated goals and "crackpots" like me suspect it may have more to do with bullying people into self-censorship.
You're completely missing the point -- it's unfeasible, unpractical, and unproductive hitting millions of people on the head with $5 wrenches. This is the entire point -- they can do it easily with everyone now, they're not hitting people with wrenches -- that would invoke suspicion and retaliatory response that would curtail their legal powers to snoop around.
Maybe you're forgetting about the sorts of things that went on, are probably still going on, in various brutal military dictatorships around the world. Wrenches are just the start of what they do to people before they disappear them.
It isn't impossible to beat information out of millions of people. It's been done before and it'll be done again.
You say it'd invoke suspicion, but it wouldn't. If you're at the wrench phase of interrogation, you're already in a world where legal powers don't matter.
>Maybe you're forgetting about the sorts of things that went on, are probably still going on, in various brutal military dictatorships around the world
NSA spying is not designed for the individual. It's designed for the masses. It's to keep the populace in check. It's Century of the Self and Edward Bernays, except for the 21st century.
You have to admit these guys are working on some cool problems. If you don't have a problem with the legality of it or potential for misuse it looks like a really interesting place to work.
That's exactly how they get people to work on it in the first place. If you have no conscience there are lots of places where you can work on 'cool problems'.
I'm going to give you the benefit of the doubt and assume you're not condoning their actions, but in case you need a more clear example of where this paradigm breaks down:
IBM & Nazi Germany, Nazi Germany in general, etc. Ironically, sillicon valley came into existence building military SIGINT/ELINT systems for the cold war.[0]
I think there is a developing consensus that the emerging US police state (and that of its allies) aren't appropriate for constitutional democracies. Comparing them to Nazi experiments or nuclear weapons is still a bit premature. The potential is there for it to turn really ugly which is why the time for political action is now. But national security is important and worthwhile within constitutional limits and under democratic oversight and I suspect a scaled back NSA would be no more evil or less interesting than Bletchley Park or the development of Radar.
Totally agree with everything you've said. I wasn't trying to equate helping the NSA build spy tools with building equipment for the Nazis -- just how doing so can be a slippery slope because it scales to such awful things as well.
I guess I felt the need to comment because it sounded like you were saying, "Hey, I get why they're doing it. Sounds like it'd be fun!", and I feel like having that attitude (even if I trust someone like you to know to stop before things get truly out of control) is dangerous.
Another data point on the relationship between government and terrorism:
I live in Columbia, South Carolina. A mile from my house there is a prominent statue of Ben Tillman. Tillman was an explicit advocate of terrorism, and indeed personally engaged in it [1], which drove his popularity and ensured his election to the governorship and the United States Senate.
Government programs such as the NSA's exist to protect the interests of the powerful. Same as it ever was.
Job posting, requiring top-secret clearance, looking for people that have experience using certain tools including "GAMUT/UTT" - notice the URL from the NSA doc has "gamut" and "UTT". So i further looked into GAMUT/UTT and found this:
My real issue with this isn't so much the fact that the NSA monitors everything I say and do. Its the fact that there is nothing preventing the NSA from obtaining insider information that can be exploited for personal financial gain.
I mean what stops an NSA analyst from being able to spy on an acquisition negotiation between corporation executives? What prevents that analyst from investing in the stock market using valuable info like this?
There really needs to be more accountability and transparency within the NSA.
Thanks, there isn't much funny about any of this, but that got a legitimate laugh out of me. For anyone who doesn't know the reference, a clip from CSI:
If a non-US resident or NSA target posts a thread on HN, and a US person replies to the thread, is the US person now open to unlimited data collection?
Alternately, if you Facebook-like the same thing an NSA target has, are you then subject to unlimited data collection?
The information we have already shows that the US person/non-US person distinction is purely cosmetic, meant to allow them to pretend that they're at least trying to respect US laws to some tiny extent. It's rhetorical.
In reality you are always a valid target, US citizen or not.
640 comments
[ 3.0 ms ] story [ 389 ms ] threadhttp://www.c-spanvideo.org/program/FISAS
"The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: "At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours.""
Of course, as the article goes on to detail, anything that's found to be of interest in that window can be saved permanently, and NSA analysis do that a lot.
It does not describe "interesting". Maybe metadata, encrypted sessions etc? Any conversations in threads linking to these articles?
Those 60TB density HAMR[1] drives that are due in 2016 are really going to take invasive to a whole new level.
[1] http://storageeffect.media.seagate.com/files/2012/03/perpham...
Oh, wait...
But note that you can buy off the shelf PCIe cards with SSD's mounted that will give you 1TB storage and an aggregate read bandwidth of more than 1GB/sec today. I've got three sitting in various servers. They're expensive, and frankly for the future I'll rather get a couple of extra SATA III controllers and get multiple "regular" SSDs on separate controllers for that reason, but they're available.
For NSA style data collection, though, the collection is trivially to do in parallel: Hash all keys to a "virtual bucket", and hold a map of virtual buckets to physical servers. Then when you want more capacity, you add some physical servers, reassigns some of the virtual buckets from other physical servers to the new ones, and synchronises any old data (given that NSA claims they could only hold the full data stream for three days, you don't even need the hassle of moving data, just make collection on different days map to different virtual buckets, so that on day one you "just" reassign virtual buckets the content of which is being expired on the old servers anyway, on day two, the next set etc. - you maintain full spread of read/write traffic by ensuring that in normal operation all servers have an even spread of "day 1", "day 2" and "day 3" buckets).
It's amusing they see storage as an issue, but of course this was in 2008. Today I have 6TB in my home NAS, and my perfectly off the shelf tower case can easily fit 40TB+ with current size harddisks (though I doubt the noise would make me popular at home).
[1] http://www-03.ibm.com/systems/storage/tape/ts3500/index.html
[2] http://www.quantum.com/products/tapelibraries/scalari6000/in...
Also I doubt the veracity of the claim that they collect "nearly everything". Wouldn't they show up on, say, Sandvine's Internet traffic reports? I think it's more likely this claim is made simply to generate FUD in the general population.
I think the era of government being far ahead of commercial tech capability is over. The government mostly outsources now (a problem Snowden identified in terms of information control) or develops in-house with vendors.
[0] http://online.wsj.com/article/SB1000142412788732349560457853...
[1] http://www.youtube.com/watch?v=NgahKksMZis
There are a lot of fingers in that pie. Oracle, for example, has a National Security Group, whose job is to come up with "solutions" and then try to sell them to three-letter-agencies.
Why would they? They deal with ISPs, backbones and such.
Well, now they have a massive data center in Utah. That's most likely where it's all going today. Standard open source tools are all you really need.
> Wouldn't they show up on, say, Sandvine's Internet traffic reports?
No. If some script kiddie/hacker type installs a packet sniffer and logs all your traffic to your ISP, that won't show up anywhere. Traffic goes somewhere. You're sending packets out. Merely logging packets is entirely passive and undetectable.
>I wonder if the leaked presentation touches on this point.
That seems unlikely to me, as this is a technical presentation.
The more worrying thing is that they're still apparently using IE6. [EDIT: OK the presentation is from 2008 but still!]
It just about proves that it's not true, to me.
http://static.guim.co.uk/sys-images/Guardian/Pix/audio/video...
says: Top Secret Comm(?) REL() to USA, AUS, CAN, GBR, NZL
confirming the previous suspicions that many other governments are on board.
Der Spiegel actually has reported a few weeks back about XKeyscore [1] and that it is used by the BND (Germany's NSA). I.e. all this data is also available to the NSA equivalents of Australia, Candana, Great Britain and New Zealand.
Many Americans trust their government (unfortunately), will they also trust the other governments?
[1]:
http://www.spiegel.de/international/world/german-intelligenc...
http://www.spiegel.de/international/germany/german-intellige...
http://en.wikipedia.org/wiki/UKUSA_Agreement
"This was a secret treaty, allegedly so secret that it was kept secret from the Australian Prime Ministers until 1973."
This is indeed a trend, and I speculate that NSA (and NSA-like entities in the other 4 eyes/countries) probably communicate information and abilities to prime ministers and presidents of the respective countries very selectively.
REL TO likely means release to.
As I've said before, the realisation that most countries do this sort of thing comes as no surprise.
Foreignness factor:
The person has stated that he is located outside the U.S.
Human intelligence source indicates person is located outside the U.s.
The person is a user of storage media seized outside the U.s.
Foreign govt indicates that the person is located outside the U.s.
Phone number country code indicates the person is located outside the U.s.
Phone number is registered in a country other than the U.S.
SIGINT reporting confirms person is located outside the U.S.
Open source information indicates person is located outside the U.s.
Network, machine or tech info indicates person is located outside the U.s.
In direct contact w/ tgt overseas no info to show proposed tgt in U.S.
It's quite easy to lose the protections of a U.S. citizen indeed!
Interesting, so everyone who ever hit a MegaUpload link is potentially a foreign entity?
For instance, need data from a server's hard drive? Accuse someone you know who has data on that server, not necessarily the data you want, to have an excuse to seize said hard drive and analyze it. Nope, turns out the accusation was incorrect, here's the hard drive back. Ah, is getting other data not covered by the warrant illegal? It just might be, but you can't complain if you don't know they did it and you probably don't have standing to sue over it to find out. Plus with authorities able to get double-secret warrants based on triple-super-secret laws issued by not-so-secret courts with "you can't even admit you were here" secret proceedings, how would anyone know in the first place?
Remember, government agents have the authority to lie to you in an effort to complete their goals.
Not that I'm saying the NSA was behind MegaUpload or anything, just saying it's feasible.
Just to be clear, Kim Dotcom was a NZ resident, and had broken no NZ laws.
At this point it would be a bold man who made the claim that the NSA had nothing to do with investigating a foreign person and/or their company, tracking that company's international internet usage, monitoring their involvement in possible illegal activities and providing that information to US authorities who could use it to reach out across the world and attempt to have that person extradited to the US.
In fact, I cannot understand for a second why you are trying to make that claim?
That, coupled with the fact that they only require 51% certainty in the foreignness factor makes me think this is intentionally designed to make every single person they come across a subject to surveillance.
I can see Weasel terms like "use of storage media seized outside of the U.s." be extended to mean pretty much anything.
That then provides an audit trail, where something, or more likely, nothing is done to check that decision was valid,.
Using the Facebook Graph API, we can gather information based on this ID: http://graph.facebook.com/1536051595
Which leads us to the Facebook profile (https://www.facebook.com/arash.gorjipour.5) of an individual, real or contrived, named "Arash Gorjipour". His email address and phone number are all exposed in one of his uploaded photos: http://i.imgur.com/0UUk5cB.jpg
I wonder what the reason for this man being in these slides is.
I suspect, or maybe just hope, that politicians are protected in some way from this. While it is unfair, at least it would mean less opportunities to extort or threaten lawmakers. Though, obviously, it would be best if we ALL were safe from that kind of crud.
If I were putting together a deck on that system I'd also probably favor test data over live data, if for no other reason than it's easy to come by.
You could say 153xxxxxxx and "Arxxx Goxxxxxxx" just to be sure and if you need to post links you could use a URL shortener.
I'm a little worried now because I visited his page, and this will surely be logged, hence my past online activities may now be investigated.
HN fields roughly 200,000 unique visitors each day, most of which have a markedly anti-gov't-spying slant[1], that's enough evidence to be in their cross-hairs.
[1]: Such that in some capacity you might participate in the creation/promotion of methods or software to get around their snooping technologies.
Oh bum..
http://www.theguardian.com/world/interactive/2013/jul/31/nsa...
He's (almost certainly) a real person, by the way. I called his office. He wasn't in, but they offered to page him for me.
I'm not an expert in this area of mathematics, so I could be wrong, but my impression is that as the haystack becomes larger the problem of false positives becomes more and more severe.
As a data miner, what you want is the maximum number of "hits" (of whatever you're trying to hit) with the minimum number of misses and the minimum number of false positives. My impression is that this becomes progressively harder-- the golden region between too many false positives and too many false negatives becomes smaller and smaller and harder to hit.
Eventually you either miss important hits, namely the next terrorist attack, or you get swamped with false positives that you have to manually investigate and rule out.
I'd love someone who does know more here to chip in, but my personal suspicion is that this actually has a pretty huge pork angle to it. How much money are the contractors getting for building this stuff?
The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: "At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours."
you don't need to use some kind of fancy data mining algorithm for this to work (generating false positives), you just need a ho-hum graph traversal algorithm and unbelievable amounts of graph data to generate "candidates for investigation".
US Company A -> intermediate 1 -> known terrorist group B
US Company A -> intermediate 2 -> known terrorist group B
US Company A -> intermediate 3 -> known terrorist group B
Each set of links is just one lead to investigate, but having a giant graph to work off of would make generating those leads simply. You might find out that intermediate 1 is a local falafel delivery place that "US Company A" uses for lunch catering. Can probably strike that one off the list. intermediate 2 is a utility (no choice but to use the local water monopoly), but intermediate 3 is a material supplier that employs several low level delivery guys from known terrorist group B, and the founder of the company is a cousin of the founder of known terrorist group B.
So I'd wager it's not as simple as just running an algorithm and automatically sending out Skynet drones to blow things up. There's some kind of more subtle assessment being made, with the systems just providing help to the analysts.
If yesterday we were "conspiracy theorists" when we suspected things like XKeyscore, what are we today if we suspect things like "Person of Interest"-like programs?
[0] http://www.imdb.com/title/tt1839578/
(from season 1 opening)
It's scary how this is actually not fiction.
Using PGP as part of a filter makes perfect sense. If you're looking for "bad guys" that do certain activities, as a starting filter, it doesn't hurt to say "OK, show me everyone in this region doing these activities. Now filter by language, etc. etc.".
Just like if I was looking for gang members, I might start off a filter with "look for tattoos". It doesn't mean I'm saying everyone with a tattoo is gang member, it's just a way to start filtering.
The NSA analysts are presumably actually trying to get something done (find people they think are bad). How stupid do you think they are? If you were an NSA analyst, would you tag "person of interest" on everyone using PGP? How would that help your goal of finding actual people of interest?
They say they caught 300 "terrorists" with this program and other success stories. Presumably, they didn't achieve any success by wasting lots of time flagging random PGP users.
I can see how they get HTTP information, since they would intercept at transit hubs - but how are they getting all Facebook private messages and Gmail?
I was also looking for another unique ID that users are identified by - perhaps a machine or browser fingerprint or some form of intel that can 'glue' different browsers together and make a best guess if they are the same person (Facebook does this with device and user cookies) but couldn't find anything. It seems they rely solely on email addresses, IP addresses, cookies and HTTP headers.
So if you are browsing via 16 tor circuits and a browser that defaults to incognito with session histories being wiped, they couldn't reconstruct your history.
Users of PGP/encryption products being singled out is terrifying. The sooner we have the whole world using decent encryption tools, the better.
Edit: Gmail messages must only be captured when they leave the Google network. They are the only provider to support server-to-server TLS: https://twitter.com/ashk4n/status/346807239002169344/photo/1
They must only be getting a slice of the Facebook chat data, since the transport there is also https.
Facebook Messenger, on the other hand, uses MQTT, so it transmits and stores in plaintext. It has support for encrypted + signed messages with OTR if you are using an alternate client such as Adium or Pidgin.
Really need to go out an audit all of these services and let users know which are better.
There's practical attacks for enumerating hidden service public keys, and so I wager that there's somebody somewhere with a complete map of the real server locations as well.
[1] https://metrics.torproject.org/users.html [2] https://metrics.torproject.org/network.html?graph=relaycount...
The bigger protection is the ease with which the NSA can mount this attack on TOR. I have no doubt that they could do it, however I do question if they can do it on a massive scale.
Think you're getting your entry and exit nodes mixed up there. Tor chooses a small number of entry nodes (entry guards) and attempts to only use those.
So I would think these tools are available only to a select few, and those are more interested in more high-profile tasks like catching extremists or going after political opponents.
I, frankly, don't think SR is that high on government list. Not yet.
Furthermore intelligence agencies are well aware that every action communicates information back to their adversaries. It's a no-brainer to let Silk Road exist if you think doing so gives you the edge on terrorism, or otherwise furthers the national interest.
Once they've revealed that, then people take account of it, and it becomes harder for the NSA to monitor them.
Half of the signals intelligence game is keeping your capabilities secret, so you can keep monitoring the signals, rather than have your target change their game.
That is to say, if they can get into Silk Road, then they probably ARE already monitoring everything that happens on Silk Road, and they'd rather it stay UP so they can keep monitoring the people on it (being very careful never to reveal that they can monitor it), then bust it so the people go elsewhere.
Perhaps you missed the news about PRISM? :)
[0] https://www.facebook.com/blog/blog.php?post=486790652130
Gag warrants existed before PRISM.
EDIT: "National Security Letters"
I think PRISM is just the public-private partnership aspect of this, where they have to go to service providers and install kit, as they can't tap SSL traffic.
So they didn't have access to private messages, they just intercepted internet traffic and relied on it being unencrypted. Facebook didn't always enforce https by default like it does now
Take facebook for example. By default, almost any and all activity on the site is catalogued for you by email -- for your convenience. Someone mentioned you in an update, you get a notification. A friend sent you a private FB message, you can an email notification with the content in line (even with the support of replying to message via email as well).
Now, because email traffic on the internet is not encrypted by default, one is able to piece together the contents of communications just by looking at the email.
Essentially anything that you receive via email (e.g. password reset links; credit card statement summaries etc) is subject to capture and analysis. Given this, it may make sense to perhaps disable (potentially sensitive) email notifications as a workaround around this particular collection method.
It will be interesting to go back through all of those statements with this new information/evidence on hand.
Greenwald has timed this well. He put out enough information early on to give Snowden opponents enough rope with which to hang themselves.
It's an interesting problem for the talking heads: How much will be revealed? They're caught between a rock and a hard place, if they start telling the truth they might reveal something that the leaked docs don't support, but if they tell a lie they might be found out.
This trickle strategy is working very well. The best cause of action for the people under the microscope would be to shut up and if they are compelled to talk to say the absolute minimum but to still tell the truth.
It's like the Socratic method for public/government relations.
The goal seems not just to be exposing the magnitide of this surveillance system, but also the government's systemic disregard for public mandate in the USA right now.
I have to wonder if the staggered deployment of the leak has anything to do with savvy, or more with his own need to digest what he's got as he works through it and reports as he goes.
Either way, the story has more legs than past revelations, so I'm happy for that, and I certainly would love for it to be the case that there is a degree of effective calculation behind the deployment of the info with the goal of keeping the conversation alive and neutering critics. Goodness knows that this story needs all the help it can get. It's up against not only the resources of some of the most powerful governments on the planet, but also the lacking attention spans of their populations combined with relatively disinterested media.
I'm heartened that the noise level has remained so high since the first Guardian article (in this latest series).
Q: Thanks for reporting this. I have to ask though, why is it that you are doling out this information now after the recent congressional inquiry into NSA spying and not earlier?
A: We've published almost two dozen exclusive articles about NSA spying in the last 7 weeks, in multiple different countries around the world. Is that pace not fast enough?
There are thousands upon thousands of documents and they take time to read, process, vet, and report. These are very complex matters. On top of everything else that has to be done with these articles, from explaining, debating and defending them in the media to dealing with the aftermath.
People can accuse us of many things. Not publishing enough or fast enough is hardly one of them.
That House vote was about one specific topic - bulk collection of phone records - that this newest article has nothing to do with. That House vote isn't the be all and end all: it's just one small battle in what I can assure you will be a sustained and ongoing discussion/controversy.
There is a lot more to report still. Accuracy is the number one priority. That takes time.
And some proof: http://www.haaretz.com/news/diplomacy-defense/1.528529
It seems easier for the NSA to tap datacenter <-> datacenter fiber links inside Google's network.
Why worry about decryption when you can have Google's frontend servers do it for you?
This XKS business seems about intercepting non-encrypted traffic as the references to HTTP payload quoted in the article would suggest.
The NSA has clearly tapped trans-oceanic fiber -- why not also tap high-volume inter-datacenter links?
Who says Google has a choice or is even complicit? The backbone providers have mostly stayed mum and it's known that the likes of AT&T split their fiber for the NSA. If we're willing to go to the bottom of the ocean to tap fiber lines it's pretty easy to believe that we'd tap terrestrial lines too.
"They have no direct access to our servers"
I wonder what a beam splitter consists of. Oh. A PRISM.
When one refers to a beamsplitter, it's usually a partially silvered mirror.
http://www.thorlabs.us/newgrouppage9.cfm?objectgroup_id=914
If it's fancy, it might use an evanescent wave to do the coupling, as in some cube beamsplitters.
Beamsplitters for optical fiber are more generally referred to as 'couplers' and involve bringing two fiber cores close enough for a long enough distance that the probability of coupling light from one to the other is the desired amount.
http://www.thorlabs.us/newgrouppage9.cfm?objectgroup_id=374
It is possible to split beams with a birefringent prism, but it is much less common.
http://www.thorlabs.us/newgrouppage9.cfm?objectgroup_id=745 http://www.thorlabs.us/newgrouppage9.cfm?objectgroup_id=917
Disclaimer for the following: I only work with optical fiber couplers occasionally, and not for telecom. Someone who works on telecom fibers daily will be more informed.
In summary, if someone wanted me to tap an optical fiber, I'd call up ThorLabs, get a matching coupler shipped overnight, cut the relevant fiber, slap APC ends on the fiber ends, and jack in. Splitting the beam in free space (outside of a fiber) with a prism is far more errorprone, unstable, and no more efficient. A fiber coupler has no moving parts, can't break, and won't take down a telecom's trunk line if someone breathes on it funny.
If they're actually using a prism, it's because of some sort of impedance/reflection minimization scheme; I can't conjure one that would work better than using simpler techniques though.
Anyway, you're probably right, it's probably just bog standard parts, and PRISM was a buzzword for management.
http://www.guardian.co.uk/technology/blog/2013/jun/19/google...
And I tend to believe him.
We should start lobbying for broader support for server-to-server TLS with perfect forward secrecy. While it alone is not sufficient to prevent the wiretapping of targeted individuals, it still makes fishing expeditions or "Big Data" level surveillance much harder. It would help keeping ordinary users' emails protected on the wire and secure the meta data of PGP emails.
They can use plugins / extensions installed. Fonts installed. If cookies are enabled or not, etc. Check out: https://panopticlick.eff.org/
(That is, unless you visit panopticlick.eff.org, which then sends all of the processed information over the wire in the clear...)
> I can see how they get HTTP information, since they would intercept at transit hubs - but how are they getting all Facebook private messages and Gmail?
I don't know how they're getting GMail(and this is probably a slide from when GMail was accessible via HTTP and not HTTPS), but Facebook chat specifically is done over a non-secure XMPP server. The only 'secure' part of that transaction is login, as far as I remember, once you're past that none of it is encrypted.
But even then gmail is the only webmail service that offers server-to-server encryption, so data can still get intercepted when communicating with someone using yahoo mail or hotmail for example: http://news.cnet.com/8301-13578_3-57590389-38/how-web-mail-p...
You think HTTPS keeps you safe? All it takes is ONE recipient to have an insecure connection and the entire thread is revealed.
Isn't it nice how every email conveniently includes a copy of the entire preceding conversation.
It has become a bit of a pet peeve of mine recently to see self-aggrandizing comments from users around the net about how "we should have known" and "none of this is new."
I'm a practically addicted news junkie (especially tech news) and while I've been aware of a fair amount of what has been exposed in this latest leak, it seems that every day there are revelations new to me, and what is revealed absolutely shocks the conscience. And I'm an outlier. I'm more plugged in to reporting on this subject than 99% of the globe's population, and this subject tangles with the rights and treatment of a large portion of the population of said globe.
The staggering majority had no clue, has no clue, and no, they were never informed. For all intents and purposes, the global media has been asleep or complicit.
It's staggeringly important to keep telling this story at every level specifically because "we" don't know, and still don't.
FYI, it should be "For all intents and purposes". :)
Second: realizing that "we should have known" and "none of this is new" isn't so much about reading news articles and being "plugged in", but rather having an understanding of how the Internet works. To oversimplify greatly, you're essentially playing a very precise game of telephone between around 10-20 different people, and usually about 1-3 different publicly-owned corporations. To be surprised at the possibility of storing packets is somewhat naive considering how simple it is to do.
Funny enough, I wrote a post on this subject matter too before the Snowden leaks where I included the video as well…[1]
[0]: http://techtv.mit.edu/embeds/21783?html5=true&size=full&cust...
[1]: http://blog.pictobar.com/post/47787766458/why-so-silent
The emotions are most likely to be anger and disgust of having their sense of reality shattered, inciting most people who feel powerless to change their habits, to go and protest. And as we all have seen around the world and even within the united states, protests can get pretty hairy, pretty quickly and not in the favor of people who want to live peacefully…
Outside of the issue of inciting the masses to act out physically, there is very little public "mainstream" acknowledgement that corporations are collecting and sharing the same types of data (and more) between one another, where issues surrounding any type of morality become selling points for products. So then the theoretical situation becomes: Government agrees to stop its dragnet programs, non governmental entities will continue to do so as long as people use their services… where's the protest for that (and when that comes they'll hire private contractors to protect them and their interests [remember OWS 2011])?
I posted this a while back on information asymmetry and the surveillance state [0], which lays out simply what is going on now in the minds of people and what is at the core of the issue people are talking about. I also propose an idea about the direction I feel would be more beneficial for the energy to be placed on my post as apposed to the logical conclusion of where all the anger will be placed by people who are now willing to enter the conversation from recent "mainstream" exposure [1].
[0]: https://news.ycombinator.com/item?id=6042241 [1]: http://blog.pictobar.com/post/52533760444/the-nsa-is-closed-...
That being said, I can also imagine how frustrating it must be to be a person who's spent years (maybe decades) worrying about something that's really happening, only to have their concerns dismissed with a wave of the hand or marginalized as "tinfoil hat" conspiracy theories. It's not hard to imagine how that could sour the disposition of even the sunniest person.
They have compeley misused the power we granted them in sacred trust. We should remove it from them at once. If this has become impossible, we need to know that as soon as we can.
Most Americans still believe they have more to lose than to gain by asserting themselves...
Again, I'll chime in as the resident apologist. The people working at Fort Meade are not evil. They truly believe they're doing a great service to the nation. They may be wrong, and they've certainly thrown privacy out the window. But they are following an ideal: national security.
Post 9/11, the nation went on a war footing. We reacted the way we did to the Nazis and the Soviets. And in their search for an existential threat, the intelligence community seized on nuclear terrorism. These analysts live in constant fear of the day they miss a piece of information and New York, Washington, or London is enveloped in a mushroom cloud.
The best explanations for this type of reasoning that I have heard came from an unlikely source, my grandfather. He's a former FBI agent and WWII Navy veteran. In war time, we threw all sorts of civil, economic, and political liberties out the window to defend ourselves. When I asked him how this was allowed to happen, he said simply, "When you're facing an enemy that wants to cross over the hill into the valley where you, your family, and everyone you've ever known or loved lives, you'll do anything to protect them."
Our grandparents grew up with the threat of the Nazis. Our parents faced the prospect of annihilation by the Soviets. We have had the luxury of coming of age in a time where there is no credible threat to our very national and physical existence.
As a result, it's difficult for us to understand the mindset of someone that spends all day, every day, thinking of the most horrible ways we could be attacked, and then trying to devise countermeasures. It's almost inevitable their perspective on the balance between security and privacy is altered.
I'm not saying this reasoning is morally correct or justifiable, especially when applied to the current surveillance programs, but simply that it is understandable.
The key danger is that these efforts are qualitatively distinct from those in previous generations. The difference between extraordinary measures now and then is twofold.
First, our capacity to surveil the citizenry has exploded over the past two decades, and our legal framework is still grappling with that change. The courts are having trouble understanding that a change in scale can be a change in kind.
For example, it's one thing to have the occasional surveillance flight to search for drug operations. It's quite another to have aerostats and quadrotors watching every inch of a city all the time. But the legal rational that there is no right to privacy in public spaces allows both.
Similarly, it's one thing to say the records generated by my water company are business records not subject to the Fourth Amendment, but it's quite another to use that rationale to justify monitoring the location of my cell phone simply because my cellular provider maintains the records.
Second, wars have a point where they end, and the extraordinary measures are supposed to be reversed. That's why the "war on terror" and the "war on drugs" are so dangerous to civil liberties. They essentially extend the extraordinary measures during wartime to police problems that have no logical end.
I agree that we've gone too far as a nation. The fact that these queries don't require FISA orders flat out shocked me, even as a careful observer of these issues. But let's not demonize the individuals. After all, they're only doing what the people demanded after we were attacked. This is a democracy, and immediately after 9/11 such measures were resoundingly approved by the public and our representatives, beginning with the PATRIOT Act.
None of that changes the current reality however. We must slowly learn the lesson the British did when dealing wi...
Same with the politicians; were they really for it, or simply incredibly afraid of the political suicide that would be the results of standing up against it? Because this was a time when people did not question Bush. From today's perspective on his administration's actions, that seems odd, but it was the reality at the time.
> incredibly afraid of the political suicide
Afraid is not the right word. Aware. When all (public) evidence concerning a law says "fight the terror!" and buildings are still blowing up, you'd have to represent a very interesting district to be "soft on terror".
It was obvious from the length of the act alone that even Congressional staffers couldn't have read it carefully between the time of submission and the time it passed. Quite a few people that I knew were weakly opposed, but the sunset provisions may have made it more palatable.
It takes character to stand up and defend doing nothing when something "must be done".
This is a little off topic, but I always see this trotted out when people talk about big laws (like Obamacare, PATRIOT Act, etc) and it's not really true. Lawmakers usually work with and read a "normal language" version of laws that then gets transformed into a stricter legal version by staffers and experts. They will look at the actual legal version of the law if they care about a specific rule or section, but they usually don't need to.
Of course, I expect my lawmakers to actually read the legal language.
It's important too to note that this isn't a "big law" or even an American thing. Virtually all bills of any substance work this way and it's pretty much standard practice in most countries.
That being said, I'm not defending the PATRIOT Act. I just think the argument that not enough people read it is weak, especially considering all the real arguments you can make that actually attack the substance of the act.
The point is that for all lawmakers, there is both a need and sworn obligation, in addition to national expectation, that they read all the nitty gritty legal language they are voting on, by which all Americans are bound to abide.
That's what lawmakers are there for--to know what in the hell they are passing as laws. If they can't be bothered to do their job--which, at the national level, goes far beyond just securing corn subsidies, because they're voting on legislation that touches on all Americans--then fuck 'em. Throw the bastards out on their asses, and send them back to the cornfields.
To be clear, the "hawk" politicians (and let's be honest, -many on the left) believed in the legislation but also exploited the tragedy to ram it through and neutered the ability of the other side to have a reasoned debate.
Our population was attacked, angry, and for the most part followed the lead of politicians who said we needed these laws to fight the people that attacked us.
In the aftermath, the scrutiny on the part of the American people never materialized. You're basically witnessing the moment where the most scrutiny on these types of programs/laws has ever occurred since 9/11. Worth keeping in mind that many components of these surveillance programs also predate 9/11.
Only 66 Representatives voted against it--62 Democrats, 3 Republicans, 1 Independent. Only 1 Democratic Senator voted against it, while another Democrat abstained from the vote.
At the time the Act passed, Americans were in the midst of a fear frenzy. It was a pervasive culture of fear and panic, the likes of which I can only compare to anti-Soviet fears of the Cold War. People all over the country actually went to stores to buy all kinds of emergency and survival supplies to build up their own anti-terror kits (I forget the name for this that was popular at the time).
Many of us questioned Bush from the moment he was declared the winner of the 2000 election by the Supreme Court. We took part in protests all over the country after 9/11 to oppose the buildup to war in Iraq. I took part in protests in D.C. It was all ineffectual. Fear gripped the country and few paused to consider the long-term ramifications of the actions taken in September's wake.
Demonizing people and falsely assigning ill-intent doesn't help us address and correct the problem, even if it feels good to do so. I personally have to fight the urge constantly myself because I feel so strongly in the immorality of the net output of the programs themselves.
GHW Bush
GW Bush
D Cheney
D Rumsfeld
C Rice
G Clapper
G Alexander
P Wolfowitz
These are the guys that created the orders that the soldiers are following, and the war they are dying in for these criminal's profits.
The people I listed have a decades long history which brought them to the US Coup of 9/11: Cheney in particular.
The above are at the core of PNAC, the CIAs takeover of the executive branch (both Clinton and Obama are their puppets here)
GHW Bush has been running shit since the 70s.
Cheney setup the framework for the current MIC exploitation of the world when he was in Sec. Defense position in the early 90s - then setup Halliburton to be in the position to receive all the mandated private-sector contracts so the military could focus on its "core" -- the same with the Carlyle group.
(Carlyle owned CRG West (MAE WEST) and other fiber infra and DCs)
These guys worked diligently to put all this into place. Obama is just a puppet who was meant to quell the outrage that the Bush regime was bringing.
I posted a list of the key players in this, I did not post any party affiliation....
I can provide a hell of a lot more detail than this too - going back to 1920 with these guys...
You're wading far too deeply into conspiracy territory to suggest that this puppet 'was meant to quell' anything. He is a leader whose administration stands and falls on its own merits.
There is no party but the MIC party - and clearly, the NSA owns that party.
America has died, completely, 100%. There is no such thing as "Land of the Free, Home of the Brave"
The IC isn't running the government. They've got their hands full just running themselves.
The idea that we are not free is absurd. If I want to hold a rally for the Ku Klux Klan, that activity will be protected by the full force and power of the United States government. I can worship as I wish, read the books I choose, and write whatever I want (excepting direct threats of violence) with little fear, knowing that laws and courts stand ready to vindicate my rights.
I would take our extensive package of rights over single party political control, strongman leadership, civil law jurisdictions, and common law libel standards any day.
We are certainly no longer the most free nation on the planet, which saddens me deeply. But we are certainly amongst the best on that metric.
You're clearly being partisan.
The American people overwhelmingly approved the Patriot Act, and the idea of surveillance, and the war on terror, and the actual wars on place.
The Obama administration resumed surveillance programs which had been previously shut down.
The military industrial complex has been growing steadily larger since the 1950s.
Congress people from both parties repeatedly approve the growth of the defense budget, and especially parts which gain them money and jobs for their own states and districts.
There are certainly people to demonize, but sorting them out from the well intentioned would be incredibly complicated.
That isn't really a strong argument. Firstly, their actions is supposed to reflect the ideology of the US citizens in general. If it doesn't, either they are not being administered as well as they should be or they are purposefully ignoring the will of the citizens. Secondly, the idea that because they truly believe that they are doing great service doesn't actually justify any of the actions. If we are forgoing the label of evil because they think that they are doing great work (and I am OK will that, I hate the label 'evil'. It is unconditionally partisan) then it does question whether Nazis/Soviet union deserved the label as well. Because I fear that they too believed in their actions.
> our legal framework is still grappling with that change
US legal framework does not seem to be struggling (I am not a native speaker, so I am assuming that is what you meant). It has expanded the power to monitor and interfere knowingly and willfully. Let's not blame this on misunderstanding or incompetence. While it is the first thing that this should attribute to, the people who have built this system seem highly skillful and knowledgeable. If you claim that decision makers do not understand the new world that has suddenly bubbled up, well it's your responsibility and that of the NSA employees who seem to be following orders without questioning, to either make them understand or replace them. And in all fairness, US voters did. The man even won a Nobel Peace Prize for some reason I cannot understand. But his actions behind the doors seem totally contrary to what his words have been in past. Not really the fault of the voters but it definitely raises questions if he truly understood the costs and still took the leap.
[Edit: grammar]
I think this is a very difficult question to answer. If you're a lowly NSA tech tasked with something seemingly mundane (say, writing some automated tool to be used by an internal billing dept), at what point do you refuse to contribute to an organization that may be operating against the will of the people? Who is responsible?
Evil doesn't require intent. Some of the most evil acts in history were carried out by people who believed they were doing a good and moral thing. Most evil people don't go around thinking "I'm going to be so evil today!"
I suspect you are correct and that the vast majority of NSA employees think they are doing the right thing for America. That doesn't make their actions any less evil.
I don't want to Godwin the discussion here, but it's not at all rare for people to act in an evil (or whatever you want to call it -- bad, harmful) way while not recognizing their own actions as evil.
That people don't think their actions are evil doesn't prove that their actions aren't evil.
Add to that, evil acts are almost always done in service of an ideal. For example the USA has economically and socially gutted many nations by force in service of the democratic/free-market ideal. Yet it's rare to find an American who sees it this way. US-USSR proxy wars in the Middle East and Latin America from the 60s-90s weren't destructive, we were just trying to help those countries out. We wanted to modernize them, to improve their lives, not to destroy them. They were just too uncivilized, too barbaric to get it. Why would they hate us for that?
Hence 'ideology'. Easy to serve, hard to view objectively when you've spent a lifetime on the inside.
>We have had the luxury of coming of age in a time where there is no credible threat to our very national and physical existence.
The Berlin wall didn't fall until 1989. The Soviet Union didn't dissolve until 1991. The period of 1991-2001 was spent fighting proxy wars in former USSR terrories or allies [1]. Iraq. The Yugoslav Wars in Bosnia, Macedonia, Kosovo. Haiti. All of this was an extension of the cold war. The Red threat didn't officially end until 09/11/01, Communism continued to be a spectre held over the head of the American public. It's just the discourse shifted from "the USSR has bombs that can kill us right now" to "Communism is bad therefore we're preventing it from spreading". The constancy of threat and surety of the potential for complete annihilation was always there.
And of course, from 2001 on everyone spent all day, every day thinking of the most horrible ways they could be attacked by terrorists. With great encouragement by media and government apparatuses.
>But let's not demonize the individuals. After all, they're only doing what the people demanded after we were attacked.
Again avoiding Godwinning, but to a certain extent you must demonize the individuals. Else there is no incentive for people to be vigilant of runaway ideology, like the US is operating under currently. Else there is no incentive for individuals to formulate a moral compass external to the state, because why bother when "they told me to do it" is a legitimate excuse? The state idology becomes your morality. After all, you're just tryin' to put food on your family.
[1] - https://en.wikipedia.org/wiki/Timeline_of_United_States_mili...
Certainly not. The issue is not their beliefs, but rather the reasoning behind them. Different experiences of the world give rise to different world views. The world view of those that operate, condone, and approve the surveillance arises from a set of historical understandings and modern experiences that neither you nor I share.
To suggest that the scare tactics of CNN and the like is comparable to the psychological effect upon an ordinary analyst of regular intelligence reports of weapons-grade uranium being smuggled out of Russia via Kazakhstan is naive at best.
The threat of true national annihilation, not a specter concocted by a manipulative elite, has been the norm rather than the exception throughout history.
Modern totalitarianism has its roots in a not too distant past in which totalitarianism was the surest defense against large armed groups of humans that would burn your fields, kill your family, and subjugate your people.
That threat didn't disappear until very recent times. The cultural history of the American people is replete with threats to our existence: the CCCP and Warsaw Pact, the Axis, the German Empire, Spanish colonial North American empires, the British Empire, the Quadruple Alliance, the Normans. The intelligence community takes it's cues from a long history of existential threats.
What seems so obvious to us is that the current world is stable, and thus extraordinary measures to protect our safety aren't justified. Those charged with national security take a longer view. They see our nation as balanced on a knife's edge between internal strife and external threats. And thus, threats to either must be vigilant observed, documented, and understood, so that if the time should come when a conflict does occur, we stand prepared.
That line of reasoning is often alien to privacy advocates. I neither endorse it nor deny it. I simply acknowledge that those who study, train, and practice for our defense are not naive when it comes to the risk of violating civilian privacy. They simply set a different value to each of the variables in the risk-reward equation. You may disagree with those values, but it is important to understand them. Blindly denouncing such views as morally bankrupt simply factually incorrect.
> The Berlin wall didn't fall until 1989. The Soviet Union didn't dissolve until 1991. The period of 1991-2001 was spent fighting proxy wars in former USSR terrories or allies [1]. Iraq. The Yugoslav Wars in Bosnia, Macedonia, Kosovo. Haiti. All of this was an extension of the cold war.
The wars you cited were in no way related to the Cold War. Yugoslavia was a strategically unimportant area, relevant to no one in the geopolitical sphere.
The intervention occurred as a direct result of ethnic cleansing that was taking place in obvious, organized, and deliberate fashion. To suggest otherwise is simply incorrect. I've spoken with the head of UNPROFOR from the Srebrenica Massacre. It was a war crime on par with the worst parts of World War II. Clinton himself stated that his reluctance to intervene was based upon the "ancient ethnic hatreds" argument of Balkan Ghosts. The Yugoslavian intervention was about genocide. As a simple fact, it had nothing to do with the Cold War.
> Communism continued to be a spectre held over the head of the American public. It's just the discourse shifted from "the USSR has bombs that can kill us right now" to "Communism is bad therefore we're preventing it from spreading".
Containment of communism was simply not a factor during the nineties. Moscow was crushed, the former Soviet block in shambles, and Russian interests retreating from throughout the world. Hence the remarkable cooperation on nuclear arms, energy policy, and democratization between the Yeltsin administration and the Clinton administration.
>I don't want to Godwin the discussion h...
"War is peace. Freedom is slavery. Ignorance is strength."
Orwell in 1984: "Part of the reason for this was that in the past no government had the power to keep its citizens under constant surveillance. The invention of print, however, made it easier to manipulate public opinion, and the film and the radio carried the process further. With the development of television, and the technical advance which made it possible to receive and transmit simultaneously on the same instrument, private life came to an end. Every citizen, or at least every citizen important enough to be worth watching, could be kept for twenty four hours a day under the eyes of the police and in the sound of official propaganda.")
It's a surprisingly interesting novel.
I have a tremendous amount of respect for those in the security services, who have been given a rather difficult job to do, and who seem (from the vanishingly small amount that I know) to be approaching it in a professional and objective manner.
I have no desire to be nasty, and if I have personally offended anybody by what I have written, I most profoundly apologize for the hurt.
However.
This is an important issue, and it deserves public attention and a detailed debate. I hope that some of my provocative wailing and doom-mongering has done what was intended: provoked some thought and consideration.
This is, after all, politics, and, as I have mentioned before, we sometimes need to make a caricature out of our own positions in order to make a point. Omlettes and eggs and all that.
You are nuts if you think that that was acceptable given the circumstances.
Just doing my job is not sufficient in jobs such as these.
I understand Nazi concentration camps. It was a manipulation of nationalist sentiment against an imagined internal enemy, conveniently one that could be dispossessed of a great deal of property, coupled with a never before seen combination of the pure survivalist id meeting modern state capitalism.
I understand United States concentration camps. While we certainly didn't starve, gas, or force Japanese, German, and Italian Americans, we did relocate large numbers of them to temporary camp facilities for the duration of the war. It was believed that recent immigrants and their children might harbor loyalty to extremely dangerous enemies and could serve as a fifth column in the event of an invasion. For what it's worth, despite the indignity and suspect constitutionality, that's a far cry better than most nations have acted in similar circumstances.
Both of those events are understandable, in that I can understand the thinking of the people involved. It does not mean I morally condone it. What I'm attempting to combat is the notion that all acts with which one disagrees must be the result of moral bankruptcy or internal failing.
Usually there is a logic, however skewed, behind even the most heinous events in human history. The first step to preventing those events is to understand that logic. Only then can we address the root causes of the problems we wish to solve.
In this case, I'm suggesting that the root cause was a panicked citizenry seeking shelter from a very real threat, not a government seeking to blindly expand its power. That's an unpopular opinion, but alternative interpretations lead to different actions.
These are exactly the kinds of comments I'm talking about. The preponderance of people affected by this program on the globe (a staggering amount if you will) had no knowledge of this because the media failed, and are not, in fact, technically savvy on any level and don't understand, at all how the internet works in relation to the technologies employed by these programs.
>To be surprised at the possibility of storing packets is somewhat naive considering how simple it is to do.
For the vast majority of the potential consumers of this knowledge, this just simply is not the case. At all. They aren't being naive. This is highly technical to them and severely under-reported, and where it was reported it was not explained terribly well, nor was there meaningful conversation surrounding the reporting's aftermath.
But congratulations, rmrfrmrf, on being one of the select few that are not naive. We need to get you some sort of prize.
Of course at least the mainstream media (MSM) failed. Why? It's a very old story, rock solid in the media: An MSM media company is in business to make money. They have some old techniques for doing so. Their main technique is to get eyeballs for ad revenue; for that their main technique is to grab people by the heart, gut, and below the belt, always below the shoulders, never between the ears; the content is essentially only light entertainment following the framework of the ancient Greeks we now call formula fiction; the content is nearly never the information needed by an "informed citizenry".
The best hope for the information citizens need is Web sites on the Internet and search engines that can help people find that information.
If you feel that the outrage is in fact without merit, then attack that on logical/rational grounds, not by appealing to social proof.
This is staggering, and to chide others for being staggered is the worst kind of truculence.
More relevant, and useful: What are we going to collectively do about it now that we know, beyond a doubt, what exactly is happening?
It is, however, VERY easy not to have been able to have that foresight, and I think that the insights people were expecting the government to have been constrained by the fact that all the information of value is collected by neutral third parties. Google, Yahoo, Twitter, etc., aren't likely colluders with the government.
Plus, at the time of the PATRIOT Act's passage, there wasn't quite as much information being put on social media, or out to the public in general. Not as much was online, digital, or otherwise easily indexable.
There were those predicting this sort of possibility before the PATRIOT Act's enactment, and since, to be sure, but you shouldn't feel responsible for not having seen the signs yourself, or for having heeded the words of what probably seemed like kooky overreactionaries from back in the day.
The funniest part about this, to me, is that somewhere, very quietly, Richard Stallman is quietly telling us all the he told us so, and he's absolutely right, and always has been. Neverminding that, he's largely seen as a crazy old paranoiac who we should respect for his IT knowledge, while having to forgive the rest of his eccentricities.
Aside from that, I didn't mean to seriously suggest that he's out there passing judgement on us so much as I was attempting to acknowledge how hypocritical we are for having disregarded his message because of his eccentricities. I think your statement, that he should actively try to be more popular for us to care, is further proof of how wrong we are to be that way.
In an ideal world, your response would have made a perfect satire of how Americans are likely to react in the face of the responsible elder telling us to eat our proverbial vegetables. That is isn't saddens me.
Think about that for a minute, and then explain to me why that makes more sense.
You're in the bizarre position of criticizing him for being right. You're expecting Stallman to figure out a way to market to you, rather than expecting yourself to figure out how to evaluate arguments and evidence rationally. Think about that for a minute, and then explain to me why that wouldn't make more sense.
Where our expectations start to misalign is the part where he's been ignored because he doesn't know how to be a consummate human being (let alone marketer), and you say it's everyone else's fault. Idealism is fucking useless.
More like a news sheep. The mass market news is and has always been 49% fluff and 49% lies.
Comments from people who already knew what the NSA does are not "self aggrandizing". The are other-insulting. You should rightly be ashamed that you walk through life in a news fog of up-to-the-minute minutiae. Read books by retired insiders, talk to current insiders and contractors. That's the only way you will learn anything about anything. To wait for the newsmen to do it for you is to sign your mind over to tampon salesmen.
The NSA story is staggeringly unimportant. Every government, many companies, and rather a lot of organized criminals run intel and counterintel operations. It is just a fact of life, like antibiotics and highway construction. It is inevitable that there must be a national American signals intelligence organization.
What os staggetingly important is why the NSA alone, out of all the spy organizations, is being singled out for a comprehensive media war. The most likely explanation is that the Democratic Party needed something to distract from its pecadillos. The next most likely explanation is that a foreign government is getting themselves some payback. In any event, if you care about this non-news, you are just another mindless pawn.
1. Downvoted to oblivion by a hivemind, and
2. Somebody like you chimes in with a content-free emotional outburst.
So exactly what did I misunderstand?
The incontrovertible fact that this really isn't news?
The fact that every history and exposé on the NSA has been saying this for decades?
The fact that the NSA tried cramming the Clipper chip and key length restrictions down our throats to make domestic spying easier? For half a decade this was a weekly running joke on Slashdot that you had to have been living under a rock to miss.
That the previous commenter claimed to be a "news junky" and then admitted that by news he means the mass media—a pack of tampon salesmen and political hatchetmen.
The "The NSA is siphoning off the Internet on a huge scale" was a huge fucking story in Wired 5 years ago and no one gave two shits.
I'm sorry but "This is a complete surprise." is BS to anyone who's ACTUALLY been paying attention.
* Where "they" includes multiple noted HN names, often from the top list, that I've personally watched walk back their own denial of NSA programs in the last two months as more and more information has come out. Oh, and that guy that guy that did security for Google that just embarrassed himself a few weeks back has to feel really special now.
edit: Sorry, the Wired story was SEVEN years ago now. http://www.wired.com/science/discoveries/news/2006/04/70619
Absolutely nowhere did I say, or even begin to imply that. In fact, I explicitly called out the mainstream media for being complicit and/or not reporting on this issue while indicating that much of what is being reported was already known to me. Not only did I NOT say that I get my news from the mainstream media, the implication was, if anything, that I did not. The mainstream media is about the last place I'd look for competent coverage of this issue.
You're terrible at reading comprehension. Terrible. You make a lot of assumptions, all of them wrong, then proceed to insult other people based off your incorrect assumptions.
Additionally, the only thing incontrovertible is that this is news to the vast, vast majority of people who are affected by these programs. Those are the real numbers. But I know you. You're part of the Pedestal Crowd furiously patting themselves on the back. Good for you Danny. Atta boy.
I agree that "know" is a bit too glorifying. I propose "suspected".
I don't find this surprising at all. Practically 99.99% of a normal user's Internet activity is centered on Facebook, Google (including Gmail) and a handful of other sites. The amount of data everyone is requiring in order to provide a service also includes pretty much anything you need in order to track someone.
It's not news you need to pay attention to but some of the more theoretical aspects of networking in a second-year course.
Ultimately, whether they intend to or not, such statements end up making other people who are hearing about this for the first time more complacent about it because they come into the comments and see a bunch of people going on about how it's nothing new and therefore the new information is no big deal.
A good theory, as I have an extremely difficult time imagining anyone in an activist (non-complacent) stance on this issue ever reacting like that to these revelations.
Then back at HQ, can send the node what are essentially 'filters' to return 'alerts' and the associated content.
So, point: As a system, it's quite obvious. As software, it's quite routine.
And, from their description of working with anomalies, they are being just intuitive and elementary and not at all advanced or powerful.
It would appear that a terrorist Internet user could do fairly well beating that system by using a proxy server also used by many other Internet users and also using a lot of strong encryption -- PGP used well might be strong enough.
See? No "direct access!" Google/FB/Apple's statements, totally reassuring.
I'm glad that people are paying attention, but especially early on, it wasn't entirely clear that Snowden's leaks were substantially different from the leaks that have been coming out of the NSA for years that never got traction in the media.
There is good independent media that has been covering the story for years though. Here's a Democracy Now story from February 2005:
http://www.democracynow.org/2005/2/10/no_place_to_hide_award...
Democracy Now has an incredible archive on this subject too. Right now it starts here:
http://www.democracynow.org/topics/nsa/7
Specifically, they've done some great interviews with previous whistleblowers:
http://www.democracynow.org/appearances/william_binney http://www.democracynow.org/appearances/russell_tice http://www.democracynow.org/appearances/thomas_drake http://www.democracynow.org/appearances/jesselyn_radack
Other interesting guests:
http://www.democracynow.org/appearances/jacob_appelbaum http://www.democracynow.org/appearances/laura_poitras http://www.democracynow.org/appearances/james_bamford
And the purpose of Tor might be different than you imagine:
https://www.torproject.org/docs/faq.html.en#WhatIsTor
Or are you just trying to discredit Appelbaum, Assange, and/or Wikileaks?
Also, is that your article? Should you disclose that? And is there any reason you linked to it rather than the original New Yorker article here:
http://www.newyorker.com/reporting/2010/06/07/100607fa_fact_...
I was shocked by having this laid out as well but I really did just assume this was probably going on. It was technically possible, it was politically possible and it was financially possible. If I shared the worldview of the people doing this and been in the position to do this, I would have been itching to start this level of collection and data mining.
I will admit to part of it being satisfaction at no longer getting the "oh put your tinfoil hat away, no one would do that" response whenever it came up, which was always based solely on the old "I don't like the implications of this being true therefore it can't be" argument. It's also relief that there is finally a discussion about a subject that was previously only seriously discussed by a small number of people.
I take your point that the I-told-you-so gloating isn't helpful and doesn't reflect well on those who do it but I disagree that that was ever meant to discourage discussion, if anything it was anger at the fact this discussion has taken so long to occur.
If you're waiting for someone like Snowden to come along and spoon-feed you all the ways the government can screw you, you're doing things completely wrong. Oversight requires foresight.
https://www.grc.com/securitynow.htm
Briefly summarized, the only way to do secure mail is pgp, the only way to do secure chat is to avoid all the main chat networks. And microsoft actively designs their systems to be easier to access for the NSA (far beyond their legal obligation) so you may assume that any microsoft product is a direct line to the NSA.
[1] http://www.newyorker.com/images/2013/07/01/p465/130701_daily...
[2] http://cartoonbank.licensestream.com/LicenseStream/Store/con...
Even Gmail HTTPS use is somewhat recent and not original to the product.
Further, one might combine this with reporting about initiatives to gain company SSL/TLS private keys, account passwords, and the like, in some interesting speculation -- if speculation it remains.
Amongst all the rest, I would point readers towards browser fingerprinting. It's difficult for me to imagine they are not using it.
If the public is going to have some degree of counter-measures, this will include browser and other client software becoming more pro-active about anonymizing its own profile / usage profile. For one thing, stop sending highly unique fingerprint data such as font listings to every Tom, Dick, and Harry. Just one thing amongst many...
It was reported earlier that the NSA has installed hardware at their "partner" companies. As you certainly remember from the slides, they are: Facebook, Google, Microsoft/Skype, AOL, Paltalk, ...
Somewhere there is an architectural diagram of these systems that describes how to make people check checkboxes before releasing information. CYA-oriented programming that has clearly driven the entire design of this thing.
I didn't see that in the article. Do you have a citation?
Slide 16: "Show me all PGP usage in Iran"
Moreover, the technological trend is clear; and the avenues for sharing intimate personal information proliferate and multiply with every passing month. The debate therefore needs to shift. The question cannot be over whether the state should have access to this information. We are powerless to push on that point.
The question has to be this: Given that our state (and others) will necessarily know the most intimate details of our lives, how do we want it to behave? How do we want this information to be used? What do we want the newly intimate relationship between individual and state to look and feel like? It may well be that we come to a startling different conclusion than our initial starting points might presuppose.
There are tremendous social benefits to be had by using this treasure-trove of information wisely, just as there are tremendous dangers to be risked by using this trove with carelessness or malicious intent. However, we need to think very carefully about how we manage the relationship between individual and state; how we manage the relationship between individual and peer; and how we manage the relationship between individual and technology.
I feel strongly that this is the most important debate of our generation; perhaps the most important debate to be had in this new millennium.
One question, how did the dot in China get there?
http://www.theguardian.com/world/interactive/2013/jul/31/nsa...
"Show me all VPN startups in country X, and give me data so I can decrypt and discover users."
Holy crap. Is all encryption broken?
Also, it was leaked that NSA TAO had a 70%+ success rate compromising Chinese systems. Even with the tech companies giving them secret zero days for an extended period of time, anyone that has been a blackhat knows they're not getting to a 70% success rate through exploits. Therefor, it's highly likely they can decrypt VPN/SSH (TLS) traffic encrypted with AES256/RC4-128/3DES and/or the RSA/EC public cryptography used. As you noted the leaked slide seems to indicate that.
I don't recall the source of the Executive comment. It was kind of buried in a news piece with a broad focus that I read. I'll look for it. Unfortunately, I can't recall the exact language to do a good search and find it. Sorry.
But, here they are saying they have it, it's encrypted, and they can get it in "weeks or months" (despite the large number of drives/filesystems with presumably different keys): http://www.cbsnews.com/8301-31727_162-20059825-10391695.html
The Executive and Legislature couldn't keep something secret to save their lives. And, JSOC leaks like a fucking sieve. If I can't find that particular leak on the web, I'm sure there will be another one soon with the same info. Every guy likes to talk to pretty news reporters and seem important.
Claimed 75%+ success rate attacking Chinese systems: http://www.scmp.com/news/hong-kong/article/1260306/edward-sn...
Asrar al-Mujahideen (the Jihadi PGP fork w/ 2048bit RSA): http://www.rbijou.com/2013/03/18/an-overview-of-jihadist-enc...
The news coverage sucks something awful. The thing is having enough knowledge of mil/ir/tech/math to put all the leaks together.
Do you have more information on the smooth barrier? I did a quick google but didn't see much relevant.
There's a reason the NSA is pushing folks to use Suite B ciphers including Elliptic Curve along specific curves. It's not unreasonable to think that the NSA mathematicians have proven some relationship between EC and prime number theory in general.
There is some public domain work on this topic. See [https://en.wikipedia.org/wiki/Lenstra_elliptic_curve_factori...].
This might help explain in part the NSA's desire for large memory vector supercomputers going back to the 1990s over distributed memory MP systems.
There have been a number of very cost effective hardware approaches proposed for significant acceleration of both the sieving and linear algebra components of the NFS. Many of these proposals could successfully and cost effectively attack a 1024-bit number in the 2003/2004 era. The process at that time was around 130-nm. Today's process would have features at the 32-nm or 22-nm size. Today there has been a 100-fold increase in performance since 2003. (See http://tau.ac.il/~tromer/cryptodev/ for an overview.)
Combine this specialized hardware with an algorithmic improvement that gets to O(log n) or O(n log n)....
AES appears fine. The NSA and USG in general make a very strong effort in the 2000s to move all civilian command and control systems for satellites to AES-256 with TRANSEC capabilities. A brute force attack on AES-256 with a quantum computer should be on the order of 2^128 operations with currently know QC factoring algorithms. AES-128 looks weak at 2^64.
If the NSA can break something, they need to assume that their primary opponents can do so or will do so soon. China specifically comes to mind here. The can not release cryptography suites with known vulnerabilities. It is widely thought that it is more importantly to secure one's own signals before intercepting and decrypting one's enemies.
I think everything on the internet needs to be moved to Suite B protocols with forward secrecy enabled. AES-GCM overcomes all the known attacks (i.e. CRIME) against AES-CBC and AES-CTR.
I get the impression that the NSA is eight to ten years ahead of the public domain cryptographers in some areas. I think this gap is shrinking slowly. However, I have also heard that the NSA is preventing publication of some papers developed in the public domain due to national security reasons.
"Show me all the VPN startups in country X, and give me the data so I can decrypt and discover the users"
Does this mean using VPN is not very safe from dragnet?
You could also break into the VPN company's servers and do interesting things too. There's also the possibility of timing attacks to determine the real IP address of the VPN user, although that's fairly a sophisticated method and quite difficult to do.
Bear in mind that this presentation dates back to 2008, which is a long time in tech years. Who knows what they're capable of now. All that's known is that they're not capable of less.
VPNs are useful for three things: protecting yourself against relatively unsophisticated bad guys sniffing traffic on a local network (for example, an unsecured wireless network), bypassing geographic content restrictions (e.g. using Pandora in Sweden), and circumventing ISP traffic shaping (often they'll not shape VPN traffic because it's used for businesses, and businesses can be whale customers).
[-1] http://en.wikipedia.org/wiki/Device_fingerprint
[0] http://blog.calyptix.com/2012/08/pptp-is-so-insecure-it-shou...
If the only thing they're dealing with is VPN's used as a private proxy for access to the public internet, you're right, and if so it's not so troubling (well, as in it is "only" just as troubling as having them access everyones web traffic).
But arguably most VPN traffic is exiting inside private networks and are intended for machines within those private networks. If they are capable of breaking or circumventing the crypto of those, then that's troubling at a whole different level because it potentially means massive unknown weaknesses in either specific crypto products, or in algorithms that have been assumed to still be reasonably safe.
Security's dirty secret is that security is an unobtainable goal. The goal of designing secure systems isn't to create something impenetrable (i.e. secure), but something that's almost impossible to penetrate. 100% secure systems are about as common as rooster eggs.
I took that to mean establishment of VPN connections, rather than companies operating VPN services.
Of course total security is impossible. But it would still be troubling if breaking common VPN services is not only possible but also doable with small enough resources that "any analyst" at NSA can just request it.
[1] http://dankaminsky.com/2011/06/09/securid/
But that's actually the one thing that makes the most sense now:
https://en.wikipedia.org/wiki/Darknet_%28file_sharing%29
What we need is strict limitations on what can and should be collected, and how it's used, plus better methods of securing what's being exchanged. For example, sending email as plain-text, leaving it on the server as plain-text, maybe that's a bad idea.
The NSA isn't necessarily the only reason you'd do this. Foreign governments are going to take an interest in this, too, and it's only a matter of time before someone gets access the data the NSA is hoarding. No program of this scale is ever 100% secure.
This is very important. What do you mean by "crackpot"?
* Reading the web via email only
* Using completely free software and hardware (which as far as I can tell, limits you to a very small subset of Linux on a single Chinese-made netbook)
* Not carrying a cellphone
* Not using any social networks.
Stallman's principled stand is admirable, but untenable for most. I need to violate every single one of these tenets in an average day at work.
And that's before we even enter the realm of entertainment, which is even worse as far as the FSF's definition of freedom goes.
Over unity energy generation from the vacuum is rightly labeled as 'crackpot' imo, Stallman's position, while extreme should (again, imo) not be labeled as such.
Calling proprietary software evil is an opinion, and there are plenty of examples of evidence that proprietary software was created in ways that one could label as evil. Give it a while and there might be some revelation which will cause lots of people to go 'oh, that Stallman was such a visionary, calling proprietary software evil'.
Now on this particular aspect of Stallman's reasoning I find him hard to follow because that would mean a whole class of something is bad whereas I believe it should only apply to instances on a case-by-case basis. But I'm going to hedge my bets here and sit it out for the next decade or two (assuming I have that much time remaining) to see if he might not be on to something again that is still hard to see from where we are standing right now.
One way in which this could play out is that in order to avoid certain societal fates is to have nothing but open source for certain classes of application (for instance, voting computers, software in use by the government in general or software that is used to power network infrastructure).
Don't be too quick to judge, Stallman has been right more often than I'm comfortable with on some of his most 'extreme' views.
He's not the only one that's been crowing about electronic surveillance. Ever since things like Carnivore (http://en.wikipedia.org/wiki/Carnivore_(software)) were uncovered in the 1990s, it's been obvious that there's a lot going on we will never be fully informed about, that the internet is no longer a safe playground devoid of malevolent actors. Mailing lists and USENET groups at the same period of time were constantly aflame with these sorts of issues.
If you can cite an occasion where Stallman has had a unique insight into the situation, I'd be surprised.
Stallman, for all his posturing and relentless drum beating, which is at least admirable from the point of dedication, is still no Alan Kay, Marvin Minsky, Marshall McLuhan or Raymond Kurzweil.
In the real world, that shows a distressing lack of critical thinking and a further distressing abundance of dogmatism.
"Proprietary software is bad" -- Subjective value judgement.
"Properitary software is evil" -- Subjective value judgement that shows a lack of thought.
"You should always use free software wherever possible." -- Subjective value judgement.
"You should use absolutely nothing but free software ever" -- Subjective value judgement that shows a lack of thought.
I mean, the FSF "disapproves" of software that is completely free on its own (Fedora, Firefox), merely because they point out nonfree things you can use. (Fedora's firmware bundles and some repos, and Firefox's addons site).
That's completely idiotic. Apparently the FSF's "freedoms" do not include the freedom to run whatever software you choose if it's "unfree".
Guess what the solution to the proprietary software problem is? Not using or promoting proprietary software or platforms that enable it.
You are getting upset that the Free Software Foundation has standards to be met to consider software as "free". To dismiss their agenda as existing in 'crackpot' territory is invalidating a legitimate argument to support your shaky conclusion.
Then it seems that crackpottery is a term that may be removed in retrospect. I'm sure at some point in the future someone will crack the energy from the vacuum riddle, who knows.
* The FSF uses computers other than Yeeloongs. The FSF also doesn't really care about free hardware. The Yeeloong has chips with non-free firmware burnt in, and the FSF doesn't care because that isn't software. It's the Free SOFTWARE Foundation, after all.
* Stallman is on a few social networks, notably identica @rms@identi.ca (possibly now defunct). He probably has a GNU Social endpoint.
I think you're conflating Stallman's willingness to be uncompromising in his own lifestyle with his calls for reform. Stallman is fairly intelligent and understands that not everyone can live like he does, but I suppose he feels the need to answer the question of "what should you do in the present beyond push for reform."
I also don't know what "entertainment" you're talking about. The FSF is against proprietary video game engines, but their mission pertains to software, not music/movies/etc.. They campaign against DRM because DRM requires non-free software to enforce.
Surely you can't expect people to take this argument seriously. It's easy to get internet access on the go in much of the world already.
It's easy to get Internet access on the go in most of the places I've been to, but I've been to a tiny fraction of the places RMS has been to.
Suggesting that people abandon social networks, never own cellular phones, avoid using the web almost entirely, these are extreme positions. What makes them crazy is when he's an advocate that everyone should follow these edicts.
Surely it's some kind of "geek social fallacy" that's being applied here. Stallman has come up with what he perceives as the optimal strategy and anyone who diverges from this is doing it incorrectly, just as how free, open-source software is the only kind of software that's acceptable, and everything else is "evil".
Not really. At that point, you are just using the term as an ad hominem in a childish attempt to ward off cognitive dissonance.
You don't win an argument by calling the other guy a weirdo.
I think Stallman's observations are valid, but his method of dealing with the implications of those observations are impractical, if not completely wrong.
More specifically, what is so impractical or "completely wrong" about not using smartphones?
Given that the cellular providers are capturing and archiving location data, this is fact, his conclusion is we should avoid using these sorts of phones completely. Why? The reasoning here is a awfully thin, but has something to do with "being tracked = bad" and then goes into crazy territory from there. It's the same thing with credit and debit cards. They can be tracked, therefore bad, therefore nobody should use them.
If he's concerned about remaining invisible, then this must be applied rigorously across all aspects of his life. Does he wear dazzle face-paint or glasses with bright IR LEDs on them so that CCTV cameras can't pick him up? Does he only use methods of travel that require no identification? If the FBI wanted to retrace Stallman's activity on any given day, it'd take hours at most to piece it together.
The sign that someone's a crackpot is in how inconsistent they are in applying what they've concluded. It means they're missing something important.
For example, there are people that have a genuine need for absolute secrecy, that need to remain invisible, yet they still use cellular phones, email, and social networks. They're aware of the same risks as Stallman, but they take precautions instead of avoiding them completely.
It's notable that Osama Bin Ladin was taken down because he'd gone to such great lengths to avoid being tracked that he stood out as an anomaly, an approach that proved to be self-defeating. He had this large house, but a paranoia about electronic snooping so severe that he had no internet connection, and that alone made that house highly suspicious. If you're that affluent, you have an internet connection, even if you barely use it.
Everything Stallman advocates to avoid detection just makes him an even bigger target.
You don't understand why tracking may be bad? Or are you just trying very hard to mock his very valid conclusion?
Here's other people's thoughts about cellphone tracking: http://www.zeit.de/datenschutz/malte-spitz-data-retention/ (totally crazy, right!)
> If he's concerned about remaining invisible, then this must be applied rigorously across all aspects of his life
No, it mustn't. Every bit helps.
> Does he wear dazzle face-paint or glasses with bright IR LEDs on them so that CCTV cameras can't pick him up?
Perhaps he does not yet live in an area with seamless CCTV tracking.
> The sign that someone's a crackpot is in how inconsistent they are in applying what they've concluded. It means they're missing something important.
You must be a crackpot then because you're clearly missing that Stallman has probably managed to avoid having his daily movements tracked by some carrier.
> Everything Stallman advocates to avoid detection just makes him an even bigger target.
To whom, with what (crackpot-like) line of thought? Stallman is very open about his principles, his reasons and his actions. It would be extremely dumb for anyone to derive from this information that he is dangerous or a worthwhile target.
When I engage with social networks, use a cellular phone, I'm aware of the liability. I'm making a conscious trade-off. I really would like it to be less of a big deal, that the privacy implications were minimal, but this is the world we live in. I support political parties and representatives that would restrict how this sort of information can be used, making it less likely to be collected in the first place.
> No, it mustn't. Every bit helps.
Either you're trying to avoid being detected, or you're not. There's no half measures here.
> I'm making a conscious trade-off.
No, you're not. If you and the people who have had what you wrote happen to them (they obviously would have been more careful than you) were making conscious trade-offs, nothing bad would have happened to anyone as a result. In fact, you do not even know what information you are disclosing to FB (it's more than you are writing) and other, unknown to you, parties, so a conscious trade-off is impossible. You are just patting yourself on the back for being satisified with your ignorance.
> Either you're trying to avoid being detected, or you're not. There's no half measures here.
From what I understand, he is refusing to provide personal information to a carrier and possibly other unknown parties, because that is potentially harmful and not beneficial in any way to him. Why are you insinuating that he is trying to avoid detection, as if he were some criminal? And by the way, even criminals aren't stupid enough to do everything wrong because they cannot do everything right.
I've even got Facebook's site and associated flam blocked on my computer so I'm not bombarded with their inane commenting system, "Like" buttons, tracking features, or other garbage I want nothing to do with.
I'm taking a risk by using a cellular phone, I understand thins, however I believe the down-side of using one is better than the down-side of not using one. That I'm not a politician or celebrity factors in to this decision.
I'm not even sure what Stallman's full reasoning is behind cellular phones as it's always glossed over with some kind of hand-waving about tracking.
> I think the thing to realize here is life can change very quickly. What if, for one reason or another, you become a celebrity all of a sudden - Or happen to acquire particularly well-connected enemies. When this kind of powerful info is used against you things look quite different.
As is only using the FSF's definition of free software (where it matters less that the software itself is free, but that the software doesn't point out to you any nonfree addons. Fedora Linux is free software, as is Firefox but since they allow nonfree firmware blobs, and addons respectively, they don't count).
Or free hardware, Good Luck With That, unless you like a single netbook made by a single company in China.
Using a crappy computer from some no-name company in China is a protest vote and is not pushing things forward.
On the other hand, getting hardware hackers together to create a 100% free hardware platform would. The Raspberry Pi is close, all that's really needed is for some more aggressive lobbying to get the PowerVR driver component open-sourced.
Or consider, given how people are taping out custom Bitcoin ASICs, why is it inconceivable that someone could tape out an open-source CPU?
On the other hand, I totally understand the people who firmly believe that neither governments nor rogue personnel will ever abuse this information to their disadvantage. After all, billions of people firmly believe in some arbitrary deity and we haven't managed to prove them wrong.
You're conflating the FSF's definition of free software, and the FSF's criteria for recommending software to users.
The FSF sees Firefox as free software (now that the proprietary error-reporting system they used is removed); they won't recommend Firefox, because it recommends non-free software. Fedora is a distribution, not a specific program, and they won't recommend it because it recommends non-free software.
By the FSF definition, a license is free if it protects the Four Freedoms; but software licensed under that could be something the FSF doesn't wish to endorse.
One of the slides literally says that users must be careful to and their query with another parameter to avoid running afoul of the law.
I'm sure they know everything they need to know about Stallman, just as they do about everyone else, apparently. Unless he's sitting in a cave writing EMACS source on goat hides, they'll have a window into his activities.
Only if we are talking about the same types of attack, which we aren't. If you do "wrench" style targeted attacks at a large scale, you'll leave 10%+ of the population injured, how is that supposed to work out for a government?
Stallman's counter-measures probably work as long as only very few people use them. The same is probably true for terrorists, which is why this whole dragnet surveillance does not really work towards the stated goals and "crackpots" like me suspect it may have more to do with bullying people into self-censorship.
It isn't impossible to beat information out of millions of people. It's been done before and it'll be done again.
You say it'd invoke suspicion, but it wouldn't. If you're at the wrench phase of interrogation, you're already in a world where legal powers don't matter.
Are including the USA in the list of 'brutal military dictatorships'? Because the USA disappears people: https://en.wikipedia.org/wiki/Khaled_el-Masri
It's an update to what was already going on.
http://crunchbang.org/forums/viewtopic.php?id=24722
IBM & Nazi Germany, Nazi Germany in general, etc. Ironically, sillicon valley came into existence building military SIGINT/ELINT systems for the cold war.[0]
[0] www.youtube.com/watch?v=hFSPHfZQpIQ
I guess I felt the need to comment because it sounded like you were saying, "Hey, I get why they're doing it. Sounds like it'd be fun!", and I feel like having that attitude (even if I trust someone like you to know to stop before things get truly out of control) is dangerous.
I live in Columbia, South Carolina. A mile from my house there is a prominent statue of Ben Tillman. Tillman was an explicit advocate of terrorism, and indeed personally engaged in it [1], which drove his popularity and ensured his election to the governorship and the United States Senate.
Government programs such as the NSA's exist to protect the interests of the powerful. Same as it ever was.
http://en.wikipedia.org/wiki/Benjamin_Tillman
URL looks like: https://gamut-wakefield.ein.nsa/utt/UTT/do/FRNewSelector#sel...
http://www.techcareers.com/job.asp?id=64332188&aff=C014D02C-...
Job posting, requiring top-secret clearance, looking for people that have experience using certain tools including "GAMUT/UTT" - notice the URL from the NSA doc has "gamut" and "UTT". So i further looked into GAMUT/UTT and found this:
http://williamaarkin.wordpress.com/2012/03/13/nsa-code-names...
I mean what stops an NSA analyst from being able to spy on an acquisition negotiation between corporation executives? What prevents that analyst from investing in the stock market using valuable info like this?
There really needs to be more accountability and transparency within the NSA.
http://www.youtube.com/watch?v=hkDD03yeLnU
If a non-US resident or NSA target posts a thread on HN, and a US person replies to the thread, is the US person now open to unlimited data collection?
Alternately, if you Facebook-like the same thing an NSA target has, are you then subject to unlimited data collection?
In reality you are always a valid target, US citizen or not.