'Everyone in US under virtual surveillance' - NSA whistleblower (rt.com)
378 points by nhebb on Dec 5, 2012 | 202 comments



It's easy to opine about things like educating the public or engineering 'crypto' for the common man.

In my opinion that would be an exercise in futility.

I think a proper response to this issue is to simply promote social depravity on a grand scale.

Everybody should just constantly read/watch/listen to media involving things like methamphetamine manufacturing, nuclear & home made weapons/chemicals, illegal currencies, human trafficking, hardcore pornography, armed rebellions, the middle east, famous terrorists, serial killers, bon jovi, etc

All of those are a lot more interesting to the common man than lessons on how to use PGP....which is theoretically breakable thanks to the advent of quantum computing.

If everything is being sniffed and stored, there have to be a number of very specific topics that are being sought after in that data.....in my opinion it'd be far worse if the government wasn't searching for things like human trafficking and nuclear weapons (things, hopefully, we can all agree are not good).

Television series like "Breaking Bad" are already pulling weekly audience numbers of around 3 million plus. One could argue that you wouldn't even have to do much promotion, as these topics already seem to be mainstays in much present day pop culture.


As much as I hate to disappoint everyone, chaffing with lots of keywords, made up searches, and arbitrary blocks of suggestive text will not trigger any kind of flag except "people trying (poorly) to chaff NSA".

The algorithms used for text mining are much more contextual and semantic than what would be fooled by the simple gags I commonly see on the Internet. Those gags might send a message of sorts but they don't make anyone's job more difficult. For a start, they know you are not a terrorist or whatever; nothing about your life as modeled across myriad data sources suggests that. Instead, you will be some random person pretending to stick it to The Man, which they don't care about and never lands in front of a person.

To chaff the state-of-the-art data mining would require some sophisticated computer science and sophisticated operations. You would (1) have to understand the state-of-the-art algorithms used and (2) devise a way to break those algorithms transparently. It is not a trivial task by any means even for someone that understands what is involved.

Superficial attempts to chaff surveillance systems might feel good but they won't accomplish much against a sophisticated adversary. The tech these days is much too good. Even leaving a minimal footprint for analysis is becoming nigh impossible.


What if I create a new hotmail account which I use exclusively for emailing a random address in Pakistan, and after a few months delete all of my Facebook/gmail accounts and go completely off the grid save for this one email account which I start accessing from internet cafes dotted around the country, where I also look up information on Arabic websites about fertiliser... would that get their attention?


You've already got their attention.


He no longer has access to read your comment.


Yes.


So the only way to truly stick it to the man is to actually become a terrorist!

Show the government your disapproval of their trampling of the constitution. Join Al-Qaeda.


As much as this reads as FUD, I agree.

That's what I was getting at with my "Breaking Bad" comment.

A sort of "total depravity" is already a big part of pop culture, so it'd be easy to ignore false positives of people crying wolf.

What I was getting at is that what they're looking for is kind of a big unknown. If media about illegal things is so popular and they ignore it, it leads one to think that data being mined is possibly being used in a fashion similar to a personal agenda.

That's what's truly dangerous about monitoring at this scale. It's not so much that it's happening, it's that they're creating something that could grant someone almost god like powers.

If I were to make an analogy, I'd say it's like a man buying a pistol to protect his family and then his child finds it loaded in a night stand.


It's funny you should mention godlike powers. We're pretty fast reaching a point where an individual can have "god like" powers for not very much $$$. You could argue that the genie isn't out of the bottle yet, but I think the point is arguable. As reprehensible as this sounds, maybe it'll turn out that whoever did the 2000 Anthrax attacks did the human race a favor.


It smells like you're talking out your ass.


Emacs' M-x spook command will paste some suitable words into the current buffer:

  Croatian nuclear FBI colonel plutonium Ortega Waco, Texas Panama CIA DES jihad 
  fissionable quiche terrorist World Trade Center assassination DES NORAD Delta 
  Force Waco, Texas SDI explosion Serbian Panama Uzi Ft. Meade SEAL Team 6 
  Honduras PLO NSA terrorist Ft. Meade strategic supercomputer $400 million in 
  gold bullion quiche Honduras BATF colonel Treasury domestic disruption SEAL 
  Team 6 class struggle smuggle [Hello to all my fans in domestic surveillance] 
http://www.cypherspace.org/rsa/spook.html


Business idea: A "chaff box" that can be sold to the public.

Given a list of dodgy search keywords, youtube links, etc etc etc, regularly updated from a central location (think like a websense blocklist but in reverse), uses a configurable amount of bandwidth. Hits these sites with a human-like usage pattern when HTTP traffic from your LAN IP is detected (so it only works when you're actually browsing the web).

Plug it in and gain plausible deniability from most forms of government shenaniganery. Given critical mass, makes most forms of government behavioral analysis (and possibly advertiser behavioral analysis) useless.

Build it on the raspberry pi or similar platform. Materials cost is $35 plus shipping materials. Main time investment is limited to maintaining the blocklist and the central servers.

Hmm. Wonder how this could sell to the soccer mom crowd...

Would also raise some interesting and thorny questions for the server side. If enough people are using the box for the effect to be meaningful, then a lot of sites are going to have a lot of useless web traffic; yet allowing sites to "opt out" or having an identifier of some kind of the box's traffic completely defeats the purpose of the system.


There's a story by Cory Doctorow, in which terrorists blow up Bay Bridge and the US establish a surveillance state in the wake of those events. In response, the protagonist creates a distributed system using Xboxes that pretty much works like the way you're suggesting.


The story is called Little Brother for those who are interested.


I'll admit I don't know all that much about machine learning and statistics, but it seems like it would be pretty hard to simulate human activity in a way that was really indistinguishable (highly sporadic, with trends of connected ideas, for a start). More immediately, most people are never going to get on board with making it look like they're into "bad stuff". It's icky, and they don't think they have that much to lose.


This is an interesting idea. However, for a noise box to be effective requires that a significant number of people are also using a noise box, which assures plausible deniability the same way TOR and shared-IP VPNs do.

If you're the only one using a noise box, or are part of a very small minority of users that do, the random noise you generate is just increasing your attack surface through which the government can more easily target and identify you.


Tor essentially provides the same plausible deniability to its end-node users, without needing to simulate human behavior.


Forget the box, you just need a web browser plugin. It could sit in the background. It could have two lists (updated occasionally like spamblockers do it), one of search engines and one of spook-luring phrases. Every, say rand(1..10) minutes, it could make a few connected queries from list B to some engine in list A. Visit a link or two from the gotten page. Stop after say rand(1..10) queries total on that theme. Throw everything away and go back to sleep.

If a million people installed this plugin, that would avg 5 queries every 5 minutes, that would be avg 1.4e9 queries per day, a tiny fraction of the intertubes.

edit: but, apology to parent, you'd never sell a browser plugin...


If it's from a central location and all clients are working off the same database, it seems like it would be fairly simple for their data mining teams to sift out the identical chaff.


In theory, couldn't an interested party filter out the blocklist from the all other traffic? It would be more interesting to have a dynamic list that gets updated based on actual user behavior. That way, the interested party wouldn't be able to filter out the blocklist without potentially filtering out actual traffic. This of course would create all kinds of legal issues.


In theory yes, but everything hinges on the "given critical mass" thing - once a large amount of the sites the government would look askance at you for visiting are on the chaffbox's list and therefore being browsed by a large amount of people, it serves to protect someone who wants to view one of these sites legitimately.

A dynamic list would be better, granted, but a much harder nut to crack.


I think there are already a couple products like that....in fact I have a few in my house.

I call them my cable modem and tivo


You'd want it to be decentralized. Centralized servers are so 2000.


Tell that to everyone storing their emails and music in the cloud.


> PGP....which is theoretically breakable thanks to the advent of quantum computing.

This is a minor quibble with your overall point, but what I've quoted is wrong. The underlying encryption algorithms for modern PGP implementations are breakable with Shor's algorithm on a quantum computer, but not all encryption algorithms are vulnerable and a PGP implementation in the future could use such an algorithm as default instead. (For instance, http://en.wikipedia.org/wiki/McEliece_cryptosystem)


A friend of mine built a thing like this.

http://www.haystackproject.org/


That's awesome, thanks for sharing. I'll send it to my friends.


I suspect that an organization with the computational resources and mathematical clout of the NSA is going to have little trouble distinguishing between people clicking around on "J0llY R0g3rs Gu1d3 to NUKELERA WEPONS" and people creating specific, repeated trails to suspicious resources.


The idea, if nothing else, is that while such an analysis is possible, it is also expensive enough to make it hard to do for everyone at once. If everyone superficially appears to be searching for verboten stuff, then their job becomes harder than just "carefully investigate whoever is hitting naughty keywords".



This. Increase the noise. Like a raspberry pi noise maker.


bon jovi?


According to Mr. Binney's sworn declaration[1] in support of an EFF suit[2] against the NSA (stemming from the warrantless wiretapping/AT&T scandal), he doesn't actually know that any of this is going on, but bases his assumptions on decade-old knowledge that it was possible.

It certainly might be the case that all net traffic is being stored by the NSA, but this man's say-so is hardly proof.

[1] https://publicintelligence.net/binney-nsa-declaration/

[2] https://www.eff.org/cases/jewel


To me the warrantless wiretapping scandal IS the proof.

I mean if we know that there are Room 641As [1] all over the country, and that they are diverting nearly ALL communications to their facilities, in addition to them building new facilities to house data all the time [2].

All of this culminating with their shiny new data center [3], which cost 2 billion dollars to build, covers 900,000 sqft, and has a 40 million dollar annual utility bill, it becomes less about proving that they're doing this, but proving that they aren't doing this.

[1] http://en.wikipedia.org/wiki/Room_641A

[2] http://www2.sacurrent.com/news/story.asp?id=69607

[3] http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/al...


Exactly. If they're not tapping all communications on the net, then why are they building a data centre to store and process all of that data?

Because I personally can't imagine another datastream 1) of such magnitude and 2) worth billions of dollars to build a data centre for.


Even at 100k square feet, I don't think they have the capacity to record and store all data on the Internet backbone (they're recording a lot of data outside the US, too).

First, they'd need a shadow Internet backbone capable of transporting all that data to the DC. Second, they'd have to build a system with the same write-rate as all of the internet backbone. This stuff isn't cheap, and the NSA's budget is big, but not that big.

As 1/3rd of the US's internet traffic is porn, which you can really just de-dup by URL, it's a safe bet to say that they're filtering before they transmit data back home. The same goes for streaming video traffic. The remainder is mostly web with a small fraction being actual communication between people. For the NSA's mission, even implemented in the most evil way, they just don't have the money, means, or motivation to record everything. Instead, filtering on *hotmail.com connections, anything over SMTP ports, etc. makes substantially more sense.


Doing some digging, I find it rather hard to find data on the amount of traffic being sent in and out, and internally of the US. The best numbers I could find were from almost 10 years ago, which said around 970Gbit/s. Say it has gone up 100x, and we get a nice round number of 10 TB disk space needed per second.

We know, thanks to XCD, that 7523 hard drives per second are created by the storage industry (globally, a total of 650 million drives per year). Say that the average storage space is, over the last 5 years, around 500GB.

That means, so long as the NSA buys 0.265% of all hard drives produced each year, they will have enough hard drives to record all data transmitted inside the US borders.

They would still need to write the data. One obvious way would be to store it on site, and transport the drives to a central place. Drives are not big, but it is noticeable work, so if people were doing this, there should be more verifiable proof of it. If we include post-storage compression, finding duplicates and any other tricks, the numbers should be able to be lowered by 50-75% or so, and might be enough to send some through the wire and only the overflow through drives loaded onto trucks.

One could also ask what 0.265% of the storage industry output is in raw cash. To answer that, my answer is, I don't know :).


There could also be an incoming relevance filter. I'm sure the NSA has no interest in archiving all the pornography, spam, and cat pictures ever transmitted.


Also note that the majority of bandwidth nowadays is spent on videos and similar multimedia content. So if they notice that 100M people are watching Bieber's latest music video, they just need to store the YouTube URL. No need to store 100M copies of the video itself.


Why do you assume the same URL retrieves the same data every time? :-)


Why do you think that a massive block level deduplication system would care?


They don't need to store the traffic. All they need is to store the endpoints and timestamps and you could compress that quite well to have usable information, such as who talked to who and when.

Your actual data is just a subpoena away anyway in most cases.


Exactly, why store all the data in your super-expensive top-secret warehouse, when Facebook and Google will keep it for you for free?

Free == didn't come out of the NSA's budget


Money is no object to that industry. The combined budget of NSA, CIA, FBI, Pentagon, foreign bases, Afghanistan and Iraq occupation, etc. is in the trillions. Why trust FB or Google if all it costs to capture and store the information is money?


NSA is an intelligence agency, not a law enforcement agency. They don't operate within the court process. Which means they don't really do subpoenas or warrants. Furthermore, any data covertly collected by the NSA would be inadmissible in court anyway, which would make it impossible to get a subpoena or warrant based on it anyway.


In 1971 we put wire taps on Soviet underwater communication lines within territorial waters despite sound detection devices placed along the seabed. I'm sure the country that had the ingenuity and balls to pull off Operation Ivy Bells (http://en.wikipedia.org/wiki/Operation_Ivy_Bells) when it faced the existential threat of Communism is perfectly capable of figuring out how to do the exact same thing to packet communication in the continental United States as it faces the threat of Terrorism.


It is a fundamental issue of volume. Unless we assume that backbone providers and Internet companies habitually over-provision, then it would take about the same size pipe, and the same size data centers, to "copy" the Internet in real time.

Consider how big the Internet is. Even if the NSA has 5 100,000 square foot data centers, think about adding up the aggregate data center footprint of Microsoft, Facebook, Apple, Google, Yahoo, Amazon, Rackspace, etc, etc. That comes to a lot more than 500,000 square feet. And this does not even get into the enormous data resources in Asia and Europe.

A much more likely scenario is that they are heavily filtering the data in real time and keeping just what looks useful or suspicious. That is still scary, but less fantastic than the idea that every packet is getting stored by the NSA.


I agree that they are not keeping everything.

I've looked at my own traffic and how much content useful for storing I'd have and it's probably less than 500Mbytes per month. And that's counting downstream and upstream.

But net is not the only thing NSA is interested in storing - banking, other records, communications over satellites, etc goes in there as well.

What's truly scary is people are sort of "meh" about this. Or they don't believe that this is really happening, as most of this thread seems to be the case in point.


Then the most secure type of encryption could be using porn?


Based on statistics from tor exit nodes that have been published, porn surfers are indeed using the most secure type of encryption.


Steganography is big business.


Citation needed.


The porn is in the top ten of their priority list. A great way to find the weak points and blackmail possibilities for current and future opposition leaders.


Next time I can't find an IRC log I'll just call the NSA.


An interesting take on your comment: would people be more open to the NSA snarfing everything if they also acted as a personal Google, giving you access to all your own "lost" data?


I've been thinking about this lately, with regard to my own privacy policy.

I was thinking something to the effect "I will make all data I save that references your account or IP available to you through the following portal" - I of course, can't do it yet, as I haven't built the portal or figured out how to separate the data, but I think it's a neat solution to some of the problems I have (e.g. I really want to start doing console logging on VPSs 'cause it gives me a wealth of data when someone says "something was wrong with my VPS last night" - but so far I haven't (I do log physical consoles, just 'cause it's impossible to deal with hardware otherwise) due to privacy concerns.)


At /domain/portal just put a contact page and ask them to specify what they are looking for. You'll have to do it manually until you build the automated system but maybe the inconvenience would be motivation?


>but maybe the inconvenience would be motivation?

I need to limit the number of times I give myself extra work as 'motivation' - you get to the point where you spend all your time shooting alligators, and don't have any time at all to drain the swamp.

I mean, sometimes this is better than just not doing it? but not in this case, if you ask me.


Considering how quickly e-mail privacy is starting to get into lawmakers' agenda after Petraeus' fiasco I think this would have great consequences. Of course this implies NSA being open in return - that won't happen.

Somewhere I read a quote: People under surveillance, are already imprisoned.

The first step is to understand that one is under surveillance.


Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it. - Linus Torvalds

Paranoids don't make backups, they just stream their hard drive across the Internet and let the NSA archive it.


To be fair to the man, it's pretty clear from his declaration you link to that some of what he says is first-hand, some is second-hand and some is assumptions. I think this is a little less nuts than the way you make it sound (that he doesn't know anything other than it's possible).


If he were nuts, he would have told the court the same things he told the reporter and with the same conviction. He didn't, so he's sane but unreliable.


Just get a warrant, raid into their server rooms, and don't forget to tell all about it to us!

Now seriously, the government got too big. What are you going to do about it?

Caution! Everything you say here or anywhere is being recorded, and may or may not be used against you in a court of law.


Right from the start it sounds strange. They cite the case of Petraeus as a proof FBI has access to everybody's email. But it is certainly wrong - FBI can obtain access to everybody's email if it is hosted by US provider such as Google, given enough cause to obtain warrants (such as suspicion that CIA director's email account was compromised). This is not news - hardly anyone in the US has doubts that given strong enough cause, FBI can solicit and receive access to specific accounts at US providers. Calling this "everyone under surveillance" is misleading. And how is it related to NSA? And why does not Binney point out Petraeus' case is not about surveillance?


The key to this all are these two things (and someone who knows more please correct me):

1) Constitutionally they (NSA) seemed to have found a loophole that states that just storing the data on the disk doesn't constitute spying|invasion of privacy. Only when someone (a human) looks at the results then it triggers all the Constitutional restrictions. Sounds like a bunch of bullshit to me, but that's how they are justifying it.

2) A court subpoena or an executive "magic-Patriot-Act-Federal-Injunction whatever it is called?" when issued can apply to all the data, including historic data from the beginning of time associated with that individual. So, if they ever get a subpoena say when you are in your 50's they could legally pull all the data you generated, created, accessed since the day you were born.

Basically it is pretty obvious they are just planning on storing all the data they can. Therefore the big new data center with a 65MW power station next to it.

My hope is only that someone who is involved in this, just like this whistle-blower, will realize that this is wrong and will expose it and the public in general will start caring enough about this to turn this into a major political issue.


This is a story that hasn't shown itself to have legs, I think largely in part because both political parties are fully complicit, so neither are interested in driving the narrative.

So the problem is, what does it mean for the public in general to care? Or rather, what is the value of truth in a world where we have no agency?


> So the problem is, what does it mean for the public in general to care? Or rather, what is the value of truth in a world where we have no agency?

The troubling truth is that many people would be either happy (or at least accepting) if the people doing the monitoring were also making big dents in the amount of spam being sent, or catching major criminals.


> So the problem is, what does it mean for the public in general to care?

That's actually simple - public should use strong encryption. That's it. I.e. those who care about such violation of civil freedoms have no other option anyway, if attempts to prevent this surveillance will continue to fail (and with the current power - they most probably will).


They should. I agree, however effectively using encryption is not as simple as it sounds (both hardware, software and user interfaces need to work together and well) for this to work. On the other side I predict using encryption is becoming strange/weird/suspicious. There is an already well designed propaganda framework to portray those who care about these issues as associated with all kinds of scary crimes.

I predict in the future after a couple of high profile scapegoat cases where a famous suspected terrorist, illegal movie downloader, or say whistle blower, cannot be prosecuted because they used encryption, the use of encryption will become illegal.


> the use of encryption will become illegal

The problem with outlawing encryption is: everyone needs it for business purposes and to protect public / private infrastructure. If SSL encryption were to be forbidden, e-commerce would become very difficult...

Also interesting: http://en.wikipedia.org/wiki/Chaffing_and_winnowing ("Chaffing and winnowing is a cryptographic technique to achieve confidentiality without using encryption")
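An added example, not part of the comment above or of the linked article: a minimal Python sketch of the chaffing-and-winnowing idea the quoted sentence describes, where every message bit is sent in the clear alongside its opposite and only a MAC under a shared key marks which one is real. The function names (`chaff`, `winnow`, `observer_view`), the packet layout and the use of HMAC-SHA256 are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def _mac(key: bytes, serial: int, bit: int) -> bytes:
    """Authenticate one (serial number, bit) pair under the shared key."""
    msg = serial.to_bytes(8, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()


def chaff(key: bytes, message: bytes) -> list:
    """Turn a message into (serial, bit, mac) packets, two per message bit.

    The "wheat" packet carries the real bit with a valid MAC; the "chaff"
    packet carries the opposite bit with random bytes in place of a MAC.
    Nothing is encrypted: both bit values travel in the clear.
    """
    packets = []
    serial = 0
    for byte in message:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            pair = [
                (serial, bit, _mac(key, serial, bit)),            # wheat
                (serial, bit ^ 1, secrets.token_bytes(MAC_LEN)),  # chaff
            ]
            if secrets.randbelow(2):  # ordering must not reveal the wheat
                pair.reverse()
            packets.extend(pair)
            serial += 1
    return packets


def winnow(key: bytes, packets: list) -> bytes:
    """Keep only packets whose MAC verifies and reassemble the message.

    Raises ValueError if the surviving bits do not form whole bytes with
    contiguous serial numbers (for example after tampering or loss).
    With the wrong key no packet verifies and the result is empty.
    """
    bits = {}
    for serial, bit, mac in packets:
        if hmac.compare_digest(mac, _mac(key, serial, bit)):
            if serial in bits:
                raise ValueError("two valid packets for serial %d" % serial)
            bits[serial] = bit
    n = len(bits)
    if n % 8 or set(bits) != set(range(n)):
        raise ValueError("incomplete or tampered packet stream")
    out = bytearray()
    for start in range(0, n, 8):
        value = 0
        for offset in range(8):
            value = (value << 1) | bits[start + offset]
        out.append(value)
    return bytes(out)


def observer_view(packets: list) -> dict:
    """What someone without the key can learn: the bit values per serial."""
    seen = {}
    for serial, bit, _ in packets:
        seen.setdefault(serial, set()).add(bit)
    return {serial: sorted(values) for serial, values in seen.items()}


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)   # constructed sample key
    stream = chaff(shared_key, b"hi")      # constructed sample message
    print(len(stream), "packets on the wire")
    print("receiver recovers:", winnow(shared_key, stream))
    print("observer sees per serial:", observer_view(stream)[0])
```

The confidentiality rests entirely on the observer being unable to tell a valid MAC from random bytes, which is why the technique is described as working without encryption; the cost is a large bandwidth overhead per message bit.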


There were interesting encryption related cases already:

http://www.theregister.co.uk/2012/03/01/forced_decryption_ru...

However I think if some state is to ban encryption, it can be called a police state without any doubt.


> So the problem is, what does it mean for the public in general to care?

For instance many care about some "moral" or "religious" issues that have no bearing with objective reality. So a lot of time, mental and emotional effort goes into those issues.

It is kind of interesting that caring about privacy in general has become weird; it is almost demonized and relegated to criminal sphere by default -- terrorism, child pornography, drug dealing, piracy all those "hot" issues can be triggered in order to argue against privacy. A few fear words sprinkled here and there, a scapegoat show trial and we are not too far from just using encryption becoming illegal. By default it has become "weird" defending privacy when the opposite should be true -- it should feel "weird" defending erosion of privacy (at least in this country given its Constitutional principles).


The greatest success in complicating this issue has been the easy and constant association of crime, in particular child porn, with encryption.

The messaging/stimulus/response isn't fully ingrained into people yet, but there is a strong need of an equally useful counter narrative.


Worse, they'll go public with the world's most awesome restore-from-backup service and everyone will love it, for the low price of incriminating yourself in future crimes (but you're not planning to commit any crimes anyway, right?).


Public in general is indifferent or worse, supportive, when it is being literally grabbed by their balls and photographed literally without their clothes - if only this is done under the guise of more security. And you want to talk about couple of emails? Forget about the public in general.

However this still does not justify mixing up signal with noise. If you want to talk about NSA surveillance - fine. But then don't start with Petraeus who has nothing to do with it.


> given enough cause to obtain warrants

The FBI accessed all of Broadwell's IP address info and email accounts with nothing more than subpoenas.

I believe they are storing this information, they just don't have the technology yet that can sort it and allow access to it. So the Petraeus emails are probably being stored at the NSA as well, it was just easier for the FBI to get them from Google.


As long as they have it they can wait until they have a reason to narrow things down. Pick a target, winnow their data. Reverse investigation.


Petraeus' case is not about surveillance, but it was driven by the "warrantless access to anything over 6mos old" powers of the FBI.


Wired had some time ago an article about one NSA data center [1]. That article had some additional numbers on the scale of the surveillance efforts. Specifically it did note that the specific site will have a 65 MW power station, which one can compare to some supercomputers. For comparison RIKEN's K Computer demands roughly 12 MW of power. [2] (One can also try to estimate similar numbers from the size of the facility and from the building costs. In all cases one gets a similar factor of a few above modern supercomputers.)

[1] https://news.ycombinator.com/item?id=3711603

[2] http://top500.org/list/2012/11/


> a 65 MW power station

That seems like a giant blinking point of failure.


Alternatively, the power grid itself is the SPOF, and the 65 MW power station is essentially a redundancy.


"Single Point of Failure" is my guess, for those curious.


Oh, yes, exactly right. I apologize for my telegraphic speech.


How is this news? We've known this since Mark Klein[0] leaked the NSA warrantless wiretapping program to the press in 2006, more than 6 years ago. If you're doing anything illegal with a method of communication that doesn't have end-to-end encryption, then you're really stupid. Fortunately for the authorities, the vast majority of individuals who commit crimes are really stupid.

0: http://en.wikipedia.org/wiki/Mark_Klein


Sigh. I keep seeing comments like these whenever such an article is posted. But there are 2 problems with that mentality:

1) Just because we the HN readers and Reddit readers, and other people who take an active interest in either being up to date with this sort of stuff, know about this, doesn't mean that population at large either a) knows about it, b) believes it (this sort of stuff sounds too much like conspiracy theories, even if it's real in this case).

2) Just because there were some news about it a few years ago, and there was like a mini-outrage for like a week, and then nothing really happened, doesn't mean we should stop talking about it now, and just let them continue doing it. The point is to keep raising awareness, and incite people to fight for their rights, and demand answers from NSA and the administration. More than that - demand change.


Re to 1): well, this is HN, so you're just preaching to the choir. Why not instead spend the time/effort spreading awareness among the general public? They're the ones that decide elections (and thus policies, or at least I hope).

Re to 2): again, this isn't going to raise awareness. The vast majority of people here already know about this.


When the general public's candidate pool has been narrowed down to two candidates by the media, is the general public really deciding elections anymore? It becomes multiple choice where both options are pro-plutocrat and pro-authoritarian.


I don't know that I've ever seen the policies of CIA and NSA spies brought up in any major party political platform.


We've also known since 2007 that "you can't hide secrets from the future with math[1]." So, if you're doing anything illegal and that information is available to a network, it's a matter of time, not encryption.

Also worth pointing out, in the video he reminds us that the definition of "crime" is not set in stone.

[1] http://en.wikipedia.org/wiki/Secrets_from_the_Future


If the time that it will take to break the encryption is significantly longer than your expected remaining lifespan (and anyone you care about), then you probably have nothing to worry about. In any case, sneakernet is an option that is always available.


These estimates of security should be considered an upper bound, not a lower bound or average. In other words,

> If the time that it will take to break the encryption by brute force is significantly longer than your expected remaining lifespan

....just because we don't know about a vulnerability in SHA-3 today doesn't mean that we won't in ten years. SHA-1 and SHA-2 were once thought to be secure, and they may yet be even more broken than we realize.

Furthermore, that also makes a major assumption about computing hardware. Particularly with the (possible) advent of quantum computing and the possibilities that large-scale quantum computing would provide, I think it's impossible for anybody to do more than speculate about the future like that.


"I don’t think they are filtering it. They are just storing it"

How much would it actually cost to store all the emails that American citizens send and receive? I find it difficult to visualise a system of checks and balances approving the massive budget required to house all that data. And the technical challenge of sifting through those emails would be seriously hard. I understand that this might not be just about national security, but it could also be a power game on the part of the FBI. One has to consider how much [national security | power] this really affords [US citizens | the FBI] when measured against the gargantuan expenditure required to actually pull it off. This makes me totally skeptical. Additionally, by saying 'basically the e-mails of virtually everybody in the country' Binney demonstrates his lack of conviction and uncertainty of his own claims.

So, if his words aren't the giveaway, then two minutes of critical thinking will make the interview seem alarmist and inaccurate.


> a system of checks and balances approving the massive budget

NSA budgets aren't approved by the entire house, but by secret meetings of the intelligence sub-committee.

This datacenter is definitely being built. It is so well known that Wired did a cover story on it:

http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/


Interestingly, the article explicitly mentions the FBI, not the NSA. But, if we were to unify them in our respective imaginations (for the purposes of discussion), they still need to have the budget for their operations supplied from somewhere. http://www.fbi.gov/news/testimony/fbi-budget-request-for-fis... - it appears as if the FBI's budget is just as rigidly controlled as any other governmental organisation. How they internally allocate the funding they receive is a different matter. To me it seems that if there is any form of oversight within the FBI, then the funding of a project of this cost/return ratio would be infeasible and therefore the project could possibly be shut down. There is the possibility that this is an exercise in propaganda and scare tactics: "We can read your emails, so don't try anything. Check out our power". However, because the internal mechanics of the FBI are necessarily not public knowledge this is all speculation and unsubstantiated opinion. But, the argument can be made that this very fact enables the FBI to get away with scare tactics. I still don't see an organisation with the real-world constraints of money being able to store the sheer volume of data that they claim to. For argument's sake, let's assume that the year-on-year rate of email generation remains uniform for the next decade. In one year, they need to have the ability to store X amount of emails. In a decade, they'll need 10X amount of storage. How are they going to store all that data?


> they still need to have the budget for their operations supplied from somewhere. http://www.fbi.gov/news/testimony/fbi-budget-request-for-fis.... - it appears as if the FBI's budget is just as rigidly controlled as any other governmental organisation

I'm not an American, but I guess rules can be mended and solutions found in a country where 1.1 trillion USD can just "vanish" (http://www.freerepublic.com/focus/news/729997/posts).

Also, I've commented on the NSA probably intercepting on the people in command immediately after the Petraeus affair hit the media (http://news.ycombinator.com/item?id=4767644), but I had hopes that they would stop at those people. Someone in the comments reprimanded me for viewing things in a CSI-like manner (CSI the TV show), but it was not that, just the natural reflexes of a former kid who has grown up in Eastern Europe with Securitate ruling and surveying everything in sight. (http://en.wikipedia.org/wiki/Securitate)


The return is potentially infinite, since they can say "we have every single criminal conversation ever in digital space recorded". edit: conversations primarily by American Citizens.


I'm curious as to the technical specifications of the supposed Naris device. I don't doubt that the US government can obtain the email logs of most citizens, but would it truly occur in this manner? Binney seems to describe a single unit connected directly into the backbone networks of major ISPs, logging all data on certain ports I assume (ie, the common POP3, IMAP, SMTP ports)? Depending on the level of distribution, this device would be tapping into potentially enormous amounts of data. The processing and storage infrastructure would have to be incredibly robust.

I'm not very knowledgeable as to the feasibility of such a device, and quite frankly don't know where to begin, but I would love to hear from someone who might know more.

As a back of the napkin, rougher-than-order-of-magnitude calculation, it seems more feasible for the government to tap into existing email providers' databases than to try and administer their own. Would it not simply be easier to file requests (perhaps in a quasi-legitimate manner) for data from Google/Yahoo/MS/Apple than to try and catalog the entire email history of the Internet?


I think the government is sniffing packets directly. It's much easier to feed through whatever content analysis engines they have today than try to access remote systems routinely. SSL? When the government has access to most of the internet's root keys, decrypting 128-bit SSL is 'annoying' and definitely solved. There was a controversy a few years ago about secret closets with direct access to raw fiber traffic:

* http://yro.slashdot.org/story/05/12/25/0029204/nsa-data-mini...

* http://slashdot.org/story/06/04/07/1246259/att-forwarding-al...

* http://yro.slashdot.org/story/07/11/09/2040206/ex-att-tech-s...

Mirroring traffic at the ISP would be much harder to detect, more thorough, and reduces the number of pesky admins who would come across surprises in their logs. My vote is on that approach -- it's similar to how spy satellites are operated now ("record everything and playback like it's a DVR when we need it").

As an aside, this is the third time in as many days that I've seen 'repeated' content from old Slashdot on HN. Not sure what I make of that trend.


Can you clarify the government's SSL decryption capabilities?

I'm aware the US government has CA certs installed in pretty much all browsers. Obviously being a CA allows you to MITM any SSL connection (though probably not without someone noticing, if done on the scale people are talking about, which is probably computationally prohibitive anyway).

But isn't it impossible to decrypt passively sniffed SSL traffic in all cases?


Neither SSL nor cryptography is broken. However, it's widely known that the government has its hands on most root-level private keys. All of cryptography comes down to how well we manage keys, whose weakest link is humans :)

Having the internet's root keys does two things:

1) The government can impersonate most sites to perform a MITM, which is rare and would only happen on specific, targeted people.

2) The private keys reduce the search space for brute force 128-bit decryption to the point that it can be completed in near real time. If the government were to have direct access to the fiber backbones, then they could monitor SSL traffic as easily as plain-text traffic. Hence, "solved problem." Part of the trick behind this is pre-computing a lot of commercial sites' individual private keys ahead of time. If you do nothing but monitor headers you would know the top 90% of hosts to pre-compute first.

To be clear -- I don't know what the government does or does not do. But I know a little bit about crypto and the industry, and I'm inferring what the government does based on 'innocuous' requests it makes regularly to popular crypto products such as the one I worked on.


By root level private keys you mean the third-parties like Verisign etc, not just the ones explicitly belonging to the US government?


Correct.

Furthermore, at least Chrome restricts most Google domains to a known CA. So MITM is not possible for Gmail either.


So if I have my own server, with my own self-signed certificate, the government can still decrypt my traffic easily?


That depends. SSL (https) as it is currently implemented in browsers has the vulnerability that you trust all certificates signed with any root certificate which is installed in the browser. So if you have a dedicated browser, where you have uninstalled all default certificates and installed only your private self-signed certificate, then SSL is (to the best of my knowledge) secure. Unfortunately your server has no way to check which certificate the client sees (and vice versa). Therefore it cannot enforce the use of this specific browser. (And this obviously does not work for a public website.)

By contrast in the case of ssh the server and client each store a key for the specific connection. In this case your connection is essentially as secure as the key exchange. And if a mitm (man in the middle) attack was already in place when you established a connection for the first time, then ssh will warn you if the mitm attack ends. (Since in this case the server sends you a different public key than the stored one, which was corrupted by the mitm attack.)
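The contrast drawn in the comment above between a browser root store and SSH's per-host keys, as an added example that is not part of the thread. It is a toy model: HMAC stands in for the CA's asymmetric signature, and every name, key and host is constructed for illustration.

```python
import base64
import hashlib
import hmac


def _sign(ca_secret, hostname, server_key):
    # Stand-in for a CA signature: HMAC replaces the asymmetric signature of
    # real X.509 so the example needs only the standard library. With real
    # signatures the root store would hold public keys, not secrets.
    return hmac.new(ca_secret, hostname.encode() + b"\0" + server_key,
                    hashlib.sha256).digest()


def issue(ca_name, ca_secret, hostname, server_key):
    """Constructed 'certificate': hostname, server key, issuer, signature."""
    return {"host": hostname, "key": server_key, "issuer": ca_name,
            "sig": _sign(ca_secret, hostname, server_key)}


def browser_accepts(cert, hostname, root_store):
    """CA model: any root in the store may vouch for any hostname."""
    secret = root_store.get(cert["issuer"])
    if secret is None or cert["host"] != hostname:
        return False
    return hmac.compare_digest(cert["sig"],
                               _sign(secret, cert["host"], cert["key"]))


def fingerprint(key_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class PinStore:
    """Per-host key memory, in the manner of an SSH known_hosts file."""

    def __init__(self):
        self.pins = {}

    def check(self, host, key_blob):
        fp = fingerprint(key_blob)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp          # trust on first use
            return "first-use"
        return "match" if hmac.compare_digest(known, fp) else "CHANGED"


def demo():
    host = "mail.example.test"                       # constructed hostname
    real_key = b"constructed-server-key"
    other_key = b"constructed-substitute-key"
    default_roots = {"CA-A": b"secret-a", "CA-B": b"secret-b"}
    private_roots = {"my-own-ca": b"my-secret"}      # the "dedicated browser"

    genuine = issue("CA-A", default_roots["CA-A"], host, real_key)
    substitute = issue("CA-B", default_roots["CA-B"], host, other_key)
    self_signed = issue("my-own-ca", b"my-secret", host, real_key)

    pins = PinStore()                 # first contact made with the real key
    late = PinStore()                 # first contact made with the other key
    return {
        # Default store: a certificate from any trusted root is accepted.
        "default_genuine": browser_accepts(genuine, host, default_roots),
        "default_substitute": browser_accepts(substitute, host, default_roots),
        "default_self_signed": browser_accepts(self_signed, host, default_roots),
        # Store reduced to one private root: only that issuer is accepted.
        "private_self_signed": browser_accepts(self_signed, host, private_roots),
        "private_substitute": browser_accepts(substitute, host, private_roots),
        # Per-host pinning: a key change is flagged whoever vouches for it.
        "pin_sequence": [pins.check(host, real_key),
                         pins.check(host, real_key),
                         pins.check(host, other_key)],
        # If the wrong key was pinned at first use, the change back is flagged.
        "late_sequence": [late.check(host, other_key),
                          late.check(host, real_key)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `default_substitute` result is the weakness the comment describes, and `late_sequence` is its remark that the warning appears only once the key changes, not at first contact.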


Even if your browser has CA certs installed someone with a CA cert can only MITM your SSL connections, not passively sniff them, right?


This depends on the meaning of "sniff them." If you mean by this, that the attacker needs some way to get active equipment into your data stream, then yes. But a sufficiently advanced attacker can of course always get his equipment into your data stream. For example by using directional antennas to spoof a wifi hotspot, or digging a hole and splicing it directly into the optical fiber.


Yeah, I don't doubt the government could perform active attacks on more targeted individuals if they wanted to, but this mass collection of internet traffic that's supposedly happening is almost certainly passive.


No. But no one can verify your certificate.

The same principle that should make Verisign trustworthy (centrally recognized / audited trust authority) makes them vulnerable to nation-state tampering, or more specifically, eavesdropping.


Why?

Verisign merely signs your certificate. It does not even know your private key and hence also can't pass it to governments.


It is not necessary for the government to have your key; they can impersonate your site (using their own key) if they have the cooperation of the CA.


The trick is that if this were being done on a regular/wide basis, people would notice and have pretty incontrovertible evidence of it.

I have no doubt they can do it, but it seems to be consigned to their bag of tricks for special occasions.


Filing requests with endpoints leaves a trail, and an agency would have a hard time requesting everyone's total traffic without proper cause.

On the other hand, recording everything through a key bottleneck leaks no information about what is specifically of interest. It also allows retrospective looks at things that might not have seemed interesting enough to request up front. And 'certain ports'? Bah! Get it all. Maybe future breakthroughs (or current undisclosed innovations) can render it all transparent.

This may not be the 'easiest' approach, but it's definitely the 'best', for maximum knowledge, if you can afford/manage it.

The proper spelling is 'Narus', which is also the name of the supplier company, based in Sunnyvale and since 2010 a subsidiary of Boeing. You can read about them and their capabilities at:

http://en.wikipedia.org/wiki/Narus_%28company%29

http://www.narus.com/


Ah, thank you very much. A google for "Naris" (as it is spelled in the RT article) isn't very helpful.

Your logic is definitely sound. It's just mind boggling to me that anyone could possibly be logging everything thrown through every port. Every single day. Just, wow.


In all honesty, is the constitution in America even worth talking about anymore?

It seems like every day a new article comes to light about how the government is blatantly violating it with complete disregard.

Worse, nobody seems to be doing anything about it.


In addition to probably millions of pieces of cyberpunk/science fiction, there was a crack in Gilmore Girls about victims not caring if you take away their freedom slowly and without them noticing at first.


The old boil a frog slowly metaphor.

I think this myth was debunked, interestingly enough


Almost everyone is distracted from the main point:

"A declaration of rights is not a creation of them, nor a donation of them. It is a manifest of the principle by which they exist, followed by a detail of what the rights are; for every civil right has a natural right for its foundation, and it includes the principle of a reciprocal guarantee of those rights from man to man. As, therefore, it is impossible to discover any origin of rights otherwise than in the origin of man, it consequently follows, that rights appertain to man in right of his existence only, and must therefore be equal to every man."-- Thomas Paine


I'd feel a lot better if this article was from almost any other news site. RT is not known for being fair or balanced when it comes to anything involving the USA.


If you find similar coverage elsewhere please link it. In the meantime I'm glad RT is on this.

And please distinguish between the long-term goals and values of the USA and the craven personal interests of its present rulers. In pieces I've read and seen from RT, they've often honored the former while excoriating the latter. Which is something I wish an American news source could do. I'll know it's possible as soon as I see a single example.


The Defcon video is similar: http://www.youtube.com/watch?v=sqIz-RNUL1g (not sure if this link is bootleg) https://www.defcon.org/html/links/dc-archives/dc-20-archive.... (just the audio)

has the ACLU and the same guy if that makes it more legit.

The 10 zettabyte storage capacity estimate is based on building size. I think we need more details.


That's because RT dares to talk about what others don't.


So does the Westboro Baptist Church. Just because someone talks about something doesn't make it the truth.


As well as it doesn't make it a lie. What's your point?


Because what RT "dares" to talk about may or may not have any relation to the truth, and in light of their obvious and profound bias against anything in the USA, any article from RT should be given more than the usual scrutiny.

It's worth asking why no other media organization has run with this story.


> and in light of their obvious and profound bias against anything in the USA

So that's a good thing then, right? If they are critical they are more likely to present topics without sugar coating them? They don't have to fear American advertisers pulling ads off the air, they don't have to fear not being invited to the White House news room and having access to govt related press releases.

Now when it comes to Russia related news, that's when I found they are painting a picture completely divorced from reality.

And in general that is also true with other news media. Like Al Jazeera. They are pretty good and factual except for stuff happening in Qatar. Which is unfortunate but also expected.

> It's worth asking why no other media organization has run with this story.

I think if you read Chomsky's "Manufacturing Consent" book you'll get an answer to that question.


The answer to the last question is self obvious. Most other media is more controlled by the US power than RT (which doesn't make RT more objective by default, since it can of course be more controlled by other interested parties, but still it makes it easier for them to review these kinds of topics).

How much other media covers EFF efforts in general for example? You are right - practically nobody does it.


>The answer to the last question is self obvious.

Hardly. The warrantless wiretapping thing was all over the news when the story broke. So was SOPA (which serves to completely destroy this canard on its own; as the media companies had a direct interest in supporting that law yet still reported on the controversy.)

This, plainly, isn't newsworthy outside of tech circles yet.


Let's rephrase it - who talks about it now? The problem still persists, if not even getting worse.


The news cycle moves far too quickly to continually revisit the same topic over and over again (with a few obvious exceptions...), more so when it's a topic that will not be understood, let alone appreciated by the average consumer.

A conference where people talk about deploying packet shaping gear is not newsworthy outside of a very niche circle. Yet.


So kudos to RT for paying attention to it, when others aren't. Since it persists - it's worth a reminder once in a while.


I'd suggest visiting one of RT's reporters stationed at the Ecuadorian embassy on why no one else is running this story.


> Just because someone talks about something doesn't make it the truth.

Well I don't think they made this guy up. I don't think they exactly spliced the dialog to change the meaning of what he is saying. I think this guy is real. So that's +1 for RT reporting on the story (the truth).


From a previous thread under a submission from RT:

http://news.ycombinator.com/item?id=4247829

"> The source of the submitted article, rt.com, is not known for careful journalism.

"Understatement of the year."


> I'd feel a lot better if this article was from almost any other news site. RT is not known for being fair or balanced when it comes to anything involving the USA.

Quite the contrary. RT is pretty well balanced when it comes to USA. A lot more so than Fox or CNN say.

RT is not balanced when it comes to Russia though.


As I was reading, I was impressed with how narrow the line is between "alarming" and "nuttier'n squirrel poo."


Uh, article? How about a direct link to the interview with known NSA whistleblower? http://www.youtube.com/watch?v=TuET0kpHoyM


Best quote:

>> RT: It seems that the public is divided between those, who think that the government surveillance program violates their civil liberties, and those who say, 'I've nothing to hide. So, why should I care?' What do you say to those who think that it shouldn't concern them?

>> WB: The problem is if they think they are not doing anything that’s wrong, they don’t get to define that. The central government does, the central government defines what is right and wrong and whether or not they target you. So, it’s not up to the individuals. Even if they think they aren't doing something wrong, if their position on something is against what the administration has, then they could easily become a target.


the Buffdale facility

It's Bluffdale, not Buffdale. And it creeps me out every time I look across the valley at it.

I really wish the investors in the company I was working on building to encrypted email for the "common man" would have been willing to invest what it would really take to make it work. We were on the right track. :(


And also Narus not Naris. Seems like this is a rough transcript, perhaps from live closed-captioning.


And of course the "18-T" facility and "AST&T" were all AT&T.


Thought my connection to Google was almost always under the HTTPS protocol... can someone explain to me how the NSA has broken SSL encryption to possibly THE largest internet company in the world?


They don't have to break any encryption at all:

http://epic.org/foia/epic_v_nsa_google.html


No one says they have.


ever heard of _NSAKEY or 'stellar wind'?


Thanks. For those like me who had not. http://en.m.wikipedia.org/wiki/NSAKEY#section_2


I'll probably get shot for this but in the shared source license there are a number of huge holes around the signing key code. NSAKEY doesn't exist any more but it's more suspicious when there is just no code there.

I wouldn't trust Microsoft - the world's largest Trojan.


Not sure how this relates. Article/interviewee is stipulating that the NSA intercepts all communications at the telecom level (as far as I understand). It doesn't say how this device also magically breaks encryption on encrypted data.

I guess you are saying that Google willingly allows the NSA to decrypt the data? What would Google have to gain there? Because they certainly have a lot to lose.


They don't need to break encryption for telecom interception to be worthwhile. Most email is not encrypted.

Knowing what web sites you go to, if you are otherwise interesting, is worth knowing even if they can't read the bits. Pen registers do that with phones, and that's valuable enough that there are legal protocols about it. https://en.wikipedia.org/wiki/Pen_register

Just because you can't eat the whole enchilada doesn't mean the beans aren't worthwhile.


The email may not be encrypted, but as long as the data transfer was made under a secure protocol, there's not much of a difference. Only difference is that Google themselves can view your email in plaintext. But in terms of a man in the middle attack, I'm failing to see the difference.


From your house to Google is encrypted, but is it transmitted encrypted to the recipient's email provider?


Ah, I see. Thanks, I can buy that argument.

A good argument can then also be that you should never trust emails outside your own provider? If you are sending to an @gmail to @gmail, you should be covered a bit better?


How? By hiring all the mathematicians in the world. I don't see how the size of the company would matter. Also, they are US-based, and have to comply with US cryptography laws. But even if their SSL was unbreakable, the NSA/FBI/etc must have a free pass to Google/Facebook/etc data.


Must? Why? What evidence do we have to prove this, or even substantiate it?



Where does it say that the NSA has open access to Google's data? It says that the NSA most likely collaborated with Google as part of an investigation of the hacking of their Chinese servers.

The burden of proof being so low here on HN on matters like this is alarming.


You don't think this stuff is actually happening? That's cute.


so, no, you have no evidence, just a gut instinct. why did you even link to an article?


Because it's actually relevant? http://www.youtube.com/watch?v=TuET0kpHoyM


> By hiring all the mathematicians in the world.

not even a little bit.

> Also, they are US-based, and have to comply with US cryptography laws

unless you're talking about sending encryption software to iran, huh?


>not even a little bit.

Well, a little bit. The NSA is the largest employer of Mathematicians in the world, and excluding Universities, they own that title by a very large margin.

What are all of those elite nerds researching? Cryptography.


Only 3-6% of mathematics PhDs produced in the US are hired to government positions each year, with some large portion of that going to the NSA. While that is a lot (and doesn't include the mathematicians hired straight out of bachelors and masters programs), it's minuscule compared to the total number of mathematicians produced each year world-wide ("not even a little bit"), includes many that don't work on cryptography, and is dwarfed by the external security and cryptography community, both in academia (why on earth would you exclude them?) and in business.


How does this compare to the current practices in other countries? Are there whistleblowers elsewhere whose revelations are reported on in reliable press sources?

(I used to live in a country that was then ruled by a dictatorship, and I am aware of how people behave under such rule. That country now has a free press and free, contested elections for the national leadership.)



Yes, this is old news, but we need a reminder every now and then about how intrusive our government has become.


The initial, public report describing this sort of thing was prepared by for the European Parliament in 2001... PDF at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//...

I would invite HN readers to consider that report, then consider over a decade of technology improvements have since occurred, then consider how little of the public's interest has been engaged in such matters. Having done so, consider supporting the efforts of a small number of parties like the EFF and Assange to raise awareness of these issues and fight for the public interest and individual rights.


Is it possible to write an OTR plugin/extension for Google Talk that can encrypt the text locally before it's sent to the other person, who would also use this plugin? From what I'm reading Cryptocat already works in a similar way.

I know there's already Jitsi or Pidgin with OTR that can do this for Google Talk and FB chat, but those are just other apps that you need to install, and I think a Chrome plugin/"app" would see much wider adoption. Or should we just wait for web crypto before this can be possible (2014)? Or just wait for Google themselves to do it? (if ever)


Those who care anyway already use clients which support OTR with the same Google Talk or any other XMPP server like Pidgin, Adium, Jitsi and etc. Those who don't care won't use anything even within the Google Talk web application.

Standalone XMPP clients anyway are way better than Google Talk web application, since they are more flexible and allow using several accounts at once.


Someone should buy a Naris and let hackers start hammering on it. The delivery vector for any malware developed would be trivial. Just send it in an email to someone in the USA.

Hi NSA!


1.) Citizens can't afford a Narus device, let alone what they're offering now (more service oriented, less local hardware)

2.) Narus doesn't sell to citizens. Citizens aren't allowed to have information on what kind of monitoring Narus does because it's national security classified.

>The exact use of this data is not fully documented, as the public is not authorized to see what types of activities and ideas are being monitored.

http://en.wikipedia.org/wiki/Narus_%28company%29


Yeah it probably isn't cheap. If motivated enough, however, somebody like EFF or WikiLeaks could co-opt enough officials in a third-party nation (Ecuador, perhaps?) to purchase the service. "National security classified" has never stopped Boeing from selling cut-rate, not-latest-generation tech to other nations before. After all, their pals who want to work for them upon "retirement" from the military decide what's classified. Probably the service wouldn't come with a complete ruleset, but it would come with consulting, from the same people who helped develop the initial USA ruleset. Also, the system is probably optimized for the use of its largest customer.

Failing that, you might be able to enlist the help of some of the APT folks who've been downloading all the F-35 plans. Why would we expect Boeing's network to be more secure than Lockheed's?

If one were really patient and as immoral as the NSA, one could start moving around a lot of fabricated-but-plausible evidence against USA citizens for national security-type crimes, and then paying special attention to federal prosecution notices. If you noticed which manufactured "evidence" turned up most often, you'd be able to run a kind of oracle attack by fine-tuning for what got prosecuted the most. In addition, many of these framed citizens would be so obviously innocent that even our debased court system would acquit. This would undermine the perceived accuracy of this fancy expensive system. After federal prosecutors look foolish a couple of times when relying on super-secret we-can't-tell-you-where-we-got-this surveillance data, word will get around.

However it's done, if someone figured out how to characterize which packets get saved (I still refuse to believe they're saving every packet sent in the USA), one could generate many such packets, which could be obviously bogus upon inspection but enough to fool the initial analyzer. That's a DOS right there.

Just throwing out some ideas. I'm sure you smart guys have already thought of all this.


The problem with all your proposed solutions is it doesn't allow the market to escape from the ever more technologically advanced supply of data because the development time is constrained by how fast you can fail. By the time you've found a vulnerability in their monitoring system, they've already written exception handlers for it and set up a team dedicated to finding solutions for exceptions to those exceptions.


Being Russian myself I always thought that nobody took anything that RT publishes seriously. I guess I was wrong.


I am from those "parts" of the world but also monitor US media. I found from experience that RT actually does a great job covering issues related to US (and other countries) but it is complete bullshit when it comes to Russia itself.

American and other news agencies (say Al Jazeera) also seem to follow the same pattern more or less.

So it helps to monitor and compare various news outlets and you can sort of see how they cover the same story and how they spin and then, well, decide for yourself if you can't independently verify the facts. If you can then you can benchmark and compare the performance/quality of each of the news sources.


'Everyone in US', but not limited to the US, right? Services provided by servers in the States are used by people all around the world. Many communications started in other countries have their recipients in the US.

So isn't it more like 'A large part of the worlds population under virtual surveillance'?


in short, yes.


Does this lead to a functional definition of freedom that's actually more useful for more people than what we're used to?

What is freedom? A functional definition might be -- you're not prevented from doing things when you try to do them.

Interested in electronics? Want to build an igniter for your home-brew rocket engine? Fine ... if we know enough about you to conclude that it's for fun, not for killin'

Want to build a rocket? Great ... if you're not likely to endanger others or sell your knowledge to those who might.

In a perverse way, more detailed profiles could lead to better discrimination between those who have esoteric interests but are unthreatening vs. those who are threats.

Of course, if you build it, it will be abused ... but it's an interesting thought experiment.


Google 'Room 641A', that's all you need to know...


Or you could just click this: http://en.wikipedia.org/wiki/Room_641A

(In a nutshell: "Room 641A is a telecommunication interception facility operated by AT&T for the U.S. National Security Agency, beginning in 2003, and exposed in 2006. [...] It is fed by fiber optic lines from beam splitters installed in fiber optic trunks carrying Internet backbone traffic [...] contains several racks of equipment, including a Narus STA 6400, a device designed to intercept and analyze Internet communications at very high speeds.")


But then he wouldn't look so mysterious!


Some of you might be interested in his recent talk:

MIT TechTV – The Government is Profiling You http://techtv.mit.edu/videos/21783-the-government-is-profili...


From that clip:

"Where do you see this going in 5 or 10 years? I see it becoming a totalitarian state. An imperial president (a dictator). Unless we do something."

"It doesn't matter if you say 'bomb' or not. Everything is stored now."


Incredible... this deserves a submission of its own.


ECHELON is ancient; the only differences between that and this are i) the lack of other nations and ii) the US directly spying on its citizens.

While it's not acceptable it surely can't be surprising? Especially seeing the other attacks on liberties happening every day.

Having said that, other people mention a bunch of problems with the article. Warrants provide easy legal access; connections are encrypted (and it'd be scary if that encryption was broken); the reliability of Russia Today; etc.


Google is already monitoring everything I do on the internet, why should I be more worried about the NSA doing the same?


Because one of those has the ability to arrest you and the other doesn't?


Sure, but we've got a pretty spiffy legal system that protects you from that, and in any case the NSA has no incentive to arrest me. I have no real protection from Google or its employees selling my information, using it against me, etc, and as a practical matter they have a lot more incentive to do that than the government does to arrest me.


Funny - the way I look at it, the question is, why aren't people worried about Google, et al. monitoring you the same way the NSA does?


You can opt out of Google's monitoring. Can you opt out of the NSA's monitoring? Do they even pretend?


You can opt out to the extent that Google allows and to the extent that Google is transparent about it.


This reminds me of the presentation "DEFCON 18: Your ISP and the Government: Best Friends Forever" http://www.youtube.com/watch?v=t0aQojDGSD4. I wonder if the "don't get involved in drugs and you'll be fine" advice still holds.


Privacy aside... I simply don't trust the government or any of the people who might have access to this data. Assuming you somehow have information about everyone, what's to stop you from eventually controlling everything?


It is implied that the NSA surveilled Petraeus' Gmail using Narus by capturing backbone data, which implies that the NSA has cracked 128-bit SSL. Or maybe they just got it from Google...


Wouldn't it make sense that the NSA owns a few Certificate Authorities and gets access that way? They try to have backdoors installed for them everywhere according to that whistleblower.


If you really want to keep NSA busy just add "USSID 18 Violation" to every email you send :P

http://cryptome.org/nsa-ussid18.htm


What are you going to DO about it?


This can't possibly be a surprise.


Certainly that can't make it acceptable.


Oh yes it is. US voters happily allow it. You allow it.

The problem is your government, whether Rep or Dem, sees you, the people, as the enemy. Therefore, the government is your enemy, an enemy within. It must be logically. How else can that work? Now, why does your constitution allow guns? Why do so many US citizens insist on their right to gun ownership? Is it not to oppose such an enemy? Yet all Americans do is sit on their big old butts and type stuff on the internet. So, what are all those guns for? Polishing and comparing to penises? Are women attracted by them?

What makes me laugh (or is it cry) as a Brit is that mention universal health care and it's commie time, people on the streets claiming health care will kill granny. Yet here is a Democrat government continuing and expanding the removal of your freedoms and privacy started with a Republican hawk government, and you're all cool with it. All you do is bleat on the web, and that's that. As someone pointed out, you knew this in 2006. Yet here you are 6 years on, and it's worse. You do nothing.

Don't get me wrong, it's the same everywhere. People just accept this stuff. Which is why this disgusting spying on your own people lark, KGB style, is in fact absolutely acceptable. Your inaction says so.

Until the people say no, the government, either party, UK or US, does what the hell it likes. It's up to us.


You made a great point and I hate to see you get downvoted to hell just because some people don't want to accept some of the truthful things you said.


You apparently don't know my political stances :).


It's a question of time until this will turn against the people. My family has lived in Eastern Europe and was under surveillance during communist times in the 80's. Very sad to see this happen to the US - land of the free.


The Kremlin can't afford this scale.

USA! USA!



