>Any kind of Internet traffic that passes before these mass surveillance sensors can be analyzed in a protocol-agnostic manner, meta-data and content both, and it can be today, right now, searched not only with very little effort, via a complex regular expression — which is a type of shorthand programming — but also via any algorithm an analyst can implement in popular high level programming
That's amazing. Imagine being able to construct a regular expression that gets applied on every single piece of communication in the world. Yes, it's far too much power to entrust to anyone, much less an unaccountable secretive organization, but I'll be damned if that's not an incredibly fascinating and attractive proposition. No wonder these bureaucrats are willing to so thoroughly overstep the law, that kind of power must be very tempting.
This is a foolish belief. The higher ups in NSA are most likely under the very same surveillance that they oversee, whether they know it or not. After all, the NSA cannot be immune to internal politics and power-plays.
Usually there's a "code of silence" between crooks such as these. They know that if they started digging for another, they'd have others dig for their shit.
Plus, it's not like anyone will use their information to make their life hell or put them in jail. At worst, they might be denied some promotion.
Every comment, every upvote, every webpage you've ever viewed - parsed and mined for context specific metadata by some watson-like super-brain. And the interface isn't a regex, it's more minority-report style and lets you query people by political/economic/religious/etc affiliation. And you better believe there's a terminate button that disables your car brakes courtesy of on-star. (I keed I keed)
"In the case of Michael Hastings, what evidence is available publicly is consistent with a car cyber attack. And the problem with that is you can't prove it."
- Richard Clarke, former Counter-Terrorism Czar
While evidence is insufficient to draw conclusions in that specific case, the fact that it is so plausible should be extremely worrying. (Hi, NSA spiders.)
As someone who has worked for a number of sensitive human rights groups over the years this sickens but doesn't surprise me. I would be very surprised if some of my operations haven't been targeted by this.
Many of the groups targeted are involved with actively investigating human rights abuses conducted by many countries in the world - including the USA in Guantanamo Bay, Abu Ghraib, drone strikes, secret prisons, etc. I fail to see exactly what the US National Security interest is in investigating these groups (Caveat: not all NGOs worldwide should be outside scrutiny, ie ones which funnel arms to Al Qaeda obviously but these ones certainly don't do that). The security community (as has happened in many countries over the years - the UK in Northern Ireland for example) has confused "National Security" with "embarrassment." I say "security community" as there are many fantastic people within US government and private institutions that are capable of looking at the long-term interest and are doing a good job of supporting human rights and freedom on the internet. For example, it is a credit that so much great work like The Guardian Project and Whisper Systems is underway to address such problems.
Human rights groups and journalists have been consistently the victim of high-level APT from China, Russia and elsewhere - there are many cases documented online. Many of these have been targeted through the exact same methods as large corporations like banks, defence companies and nuclear energy businesses. It's somehow morally wrong that organisations like GCHQ and the NSA actively thwart attacks (and share information) on such companies, while ignoring and obviously exploiting threats against human rights groups (which often end in the deaths of human rights defenders, aid workers and journalists).
The long-term national interest of the USA and other countries is the spread of our good values - freedom of speech, freedom of assembly, self determination, respect for international law etc. The "war on terror" has caused too many to lose sight of these soft-power instruments and that is a pity. Which does more long-term good for our way of life, values and foreign policy these days, Lockheed Martin or Amnesty International?
>The long-term national interest of the USA and other countries is the spread of our good values - freedom of speech, freedom of assembly, self determination, respect for international law etc.
That's not really an interest, short or long term. What are the various lobbies to gain from this? What is indeed an interest, and has been for over a century, is being the top dog, and taking advantage of that (using propaganda, lackeys and military power when needed) to get cheap resources, favorable trade deals and allies that ensure this goes on forever.
Playing on a level playing field has never been of interest.
Yeah because political activism is never ever sponsored by foreign actors as a means of fomenting unrest. Just ignore what's happening in the Ukraine right now, it might be devastating to your indignation.
Fair point, but if the political system itself isn't capable of dealing with that sort of crap, then isn't that a problem that needs to be fixed by addressing the infrastructure of the system itself, rather than anything else? Our political institutions are supposed to reject special interests and make decisions for the national good. This, after all, is their primary function and raison d'etre. If some subset of those special interests (viz., foreign actors) need to be filtered out through some special mechanism, then what does that say about its robustness and fitness-for-purpose with respect to all the other groups trying to game the system?
From a citizen's perspective they are effectively separate in name only, with slightly different legal authorities underpinning their actions. That one is organized under the DoD and the other the Executive matters little.
It was clearly a simple mistake. The intended distinction was between the Department of Defense and the Department of State, which was once a meaningful distinction.
These comments are the single best illustrations of why the NSA has gotten away with what it has. So many of its most strident critics have no idea what they're actually criticizing. It's not so much that you have zero credibility–that part is obvious. It's that you have absolutely no capacity for making things better; other than being a constituent (i.e., a target for manipulation), you're irrelevant.
Gosh I am shocked. Of all the people they would spy on they target a human rights group. Who would have thought it?
We have heard a lot about how people don't want their cloud computing in the US any more, however, as of yet, there has not been a lot about how those that now know they are effectively being targeted have changed procedures.
Anyone in a 'save the world' group care to comment?
The NSA's job is more than simply spying -- they also subvert security through intentionally and maliciously weakening it. I wouldn't be surprised if the NSA considers it an acceptable risk that sensitive government systems are allowed to continue remaining vulnerable regardless of the dangers because fixing those security vulnerabilities would alert their adversaries to such vulnerabilities.
Even furthermore, the various intelligence agencies also weaken systems for their own convenience, and yet there is nothing stopping anyone else from exploiting such weaknesses. Isn't this simply recklessness and negligence?
We keep hearing about hackers getting customer data over and over again, is that because of what our government has done?
Agreed. I have a somewhat concrete example, the US credit card system. We know that GCHQ, and probably the NSA, knew about public-key encryption a long time before it was reinvented. Therefore, the US credit card system could have been made quite secure, instead of the amalgam of cheapest-to-implement patches that it is today. Very probably, the NSA could have prevented the largest part of "identity theft".
I guess we also have to ask ourselves if this was deliberate on their part, or did they just miss the emergence of the credit-card-as-electronic-money?
How long is "a long time"? GCHQ had RSA a few years before RSA invented it. (About 3 years according to WP).
The story of it is interesting: Clifford Cocks was working on it, he went home, and had the realisation at home. He could not write it down because that's not what mathematician spies do, so he had to remember it overnight until he went back to the office the next morning.
Widely deployed PKI would transform humanity as we know it, and I believe largely for the better (Yelp, Facebook, and many other websites besides would be rendered irrelevant with widespread PKI). "Like" this restaurant? Sign its public key and give it a star rating.
Want to consult with person X who is trusted by authority Y to do Z at a level L? This is straightforward without a bespoke who-trusts-whom website (heck, it's possible without "users") if we have PKI.
Every year we don't have PKI is quite possibly trillions lost globally. If the NSA has been the one preventing the adoption of widespread PKI, then this is the cost they have imposed.
Did your mother ever use Skype? Then she used a secure system. There are variants on the ideas behind PKI that are easy to use, and that do not rely on centralized trust.
I agree with your general sentiment but we're still not there yet.
Unfortunately, Skype holds all your keys and Microsoft changed the architecture to make legal intercept and tapping much simpler. I do not believe it is safe to assume that Skype conversations are private.
Current systems really do rely on users having some understanding of how trust in the application works.
For example, TextSecure really requires you to confirm keys in person (or via QR code etc) if you want to be sure you are not MITM'd. This is not obvious to most users I have spoken to.
Real time communication can use ephemeral keys. A Skype-like communications tool could be open, verifiable, as simple as Skype, and at least as hardened as Skype was before it was castrated.
As for web-of-trust for store and forward communication, social networks are a great way to provide secure key-signing.
Ephemeral keys, sure. Negotiated with... well... who exactly? The person you thought you were talking to, or someone else?
The available solutions are shared secrets with zero knowledge proof (like OTR does), voice verification (like various "secure phones"), a web of trust, or CA infrastructure.
Crypto everywhere will improve things immensely, but (repeating myself) ultimately the user needs to understand how they can trust that the other party is who they say they are. So far we do not have a magic (automatic) way to do that for the user.
Unless NSA has a great Max Headroom version of me, I think people will trust that they are talking to, or listening to me. That's why I wrote "realtime communication."
For store and forward you need public key exchange and a mechanism for trusting identity. However, in most use cases where you have a mix of realtime and store and forward communication, you have ample opportunity for key signing where you can trust the identity of the person asking for your signature.
Right now there's relatively little risk in credit and identity theft, because people are usually mostly made whole after an event.
As more criminals pour through the holes opened by the NSA and their ilk, it will become difficult and then impossible for most of those victims to be made whole.
At that point you can easily sell security, privacy and good government. That is, if it isn't taken violently at the point of a pitchfork. [Hey, NSA, have you reinforced your buildings?]
Don't get why you're being downvoted. I can hardly imagine my friends signing restaurants' public keys. They don't have any problem with Facebook or Foursquare whatsoever.
As some guy said, you can't start with the technology and work backwards to customer experience.
Also, I doubt that decentralized liking is what will render Facebook obsolete. This is a very tech-centric point of view. People don't think of Facebook as of some kind of key-value storage where they can learn who liked what. They use Facebook to share stuff that happens to them with their friends.
I'm not in a "save the world" group but I do have friends that are in conservation groups. The common response was a sarcastic "who would have guessed?!?!" type of response.
These days everyone drinks at the NSA bar, where everything is on tap, all the time.
Remember that April fools joke by the pirate bay a few years ago..? They moved their hosting to the land of the free.
I am in two Dutch groups that are saving the world, both of them were not hosted there but definitively won't now.
Also a company I work for was collecting client customer data, they moved storage from US to Netherlands.
I think based on other Snowden revelations about non five-eye countries like Germany, Austria collaborating with the NSA and GCHQ - I think we all need to question whether any NATO country can be trusted for data privacy...
I have no answers. However, with the EU Parliament elections coming on May 22, I hope that someone with a less goldfish-like memory than mine may try to collate what the various electoral options may be.
Evidently, none of the big three UK political parties have any interest in reining in GCHQ, just as neither the Democrats nor Republicans have any interest in constraining the NSA. Who does wish to pull that leash back?
If anyone could post a video link or download that doesn't require flash, it would be appreciated. There seems to be a MP4 file hidden somewhere in the layers of obfuscation in their streaming player.
Those groups investigate and report things like the torture by those guards in Afghanistan, and other such abuses. But also abuses of local lackeys ("allies") worldwide. Including stuff done by corporations that have powerful lobbyists, in banana republics, the third world, etc.
The agenda one would guess is: get them to stop, intimidate people who follow a hot lead, know anything that's about to be reported in advance, etc.
It even happens for ecology groups. Here's a case from Britain -- see how far these things can go:
It's just a more covert intelligence gathering approach of using a vaccination program to obtain DNA samples of the local populace. It's an exercise for the reader to work out when this technique was apparently used.
Certain groups that the US deems contrary to their national interests may come to an aid agency for help.
“I am proud of the fact that despite the dramatic protestations of intelligence chiefs, no evidence has been shown by any government that the revelations of the last year have caused any specific harm,” he added. “My motivation is to improve government, not to bring it down.”
I think this goes against the grain for a lot of HN.
What? Even most hardcore libertarians don't want to bring down the government. And HN discussions rarely have anything more than moderate anti-government stances.
Despite common perception, almost all libertarians are "minarchists" not anarchists. They want to minimize government, not have no government.
An agency such as the NSA could actually fit into that model of governance if it had a defensive focus instead of an offensive one (i.e. protecting citizens' interests first instead of the state).
I disagree. I've seen very few arguments on HN for anarchy. I have seen many libertarian posts, but that is a very different thing. Anarchy is about removing the government; libertarianism is about keeping it tightly constrained. The NSA is a great example of government not kept constrained.
Personally, I just want effective government. I happen to believe that it will be more effective if it is smaller (in manpower terms, at least) ... but constraining & minimising government is a means to an end, not the end itself.
How does a secret treaty that enables us to spy on everyone in Austria actually enhance our power?
It diminishes the sovereignty of Austrians. It makes us a global spook. It didn't prevent a single bit of terrorism. Activity like this only enhances power to the short-sighted and self-important. There is a lot we should simply stop doing, and stop paying for it to be done, and spend that on things that make the lives of Americans better, because we rate poorly on quality of life measures.
Power comes from a strong, productive economy. Putting ourselves in a panopticon is not productive.