Latest Leak Shows NSA Can Collect Nearly Any Internet Activity Worldwide Without Prior Authorization

from the the-NSA-should-really-stop-issuing-denials dept

The newest NSA leak has just been posted at the Guardian and it gives credence to Snowden's earlier claim the he could, "from his desk," wiretap nearly anyone in the world. US officials, including NSA apologist/CISPA architect/Internet hater Mike Rogers, denied Snowden's claim, with Rogers going so far as to call the former NSA contractor a liar. The documents leaked today seem to indicate otherwise.

A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.

The NSA boasts in training materials that the program, called XKeyscore, is its "widest-reaching" system for developing intelligence from the internet.

[T]raining materials for XKeyscore detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search. The request is not reviewed by a court or any NSA personnel before it is processed.
Greenwald isn't kidding about the "broad justification." The slides tout the breadth of the search program, which provides results other programs can't. As is stated in the opening slides, XKeyscore allows agents to pull up tons of data (in search of "anomalies") and work backward to refine the results. The justification for these broad searches is available via a pulldown menu, as can (sort of) be seen in this screenshot, which gives agents a variety to choose from. (From the list, it appears that anything ending with "outside the US" is fair game.)


XKeyscore utilizes a variety of plugins to allow searches, including email addresses, phone numbers, IP addresses, full logs of every DNI session and machine-specific cookies. This gives agents an advantage other surveillance programs don't.
The purpose of XKeyscore is to allow analysts to search the metadata as well as the content of emails and other internet activity, such as browser history, even when there is no known email account (a "selector" in NSA parlance) associated with the individual being targeted.

Analysts can also search by name, telephone number, IP address, keywords, the language in which the internet activity was conducted or the type of browser used.

One document notes that this is because "strong selection [search by email address] itself gives us only a very limited capability" because "a large amount of time spent on the web is performing actions that are anonymous."
The slides warn that the data collected will be too large to parse (or even store for a great length of time). It recommends harvesting first and "selecting" second, in order to refine the results (using a "Strong Selector"). Agents are directed to look for "anomalous events," some of which seem a bit troubling.
  • E.g., Someone whose language is out of place for the region they are in
  • Someone who is using encryption
  • Someone searching the web for suspicious stuff
These "anomalies" are common enough that plenty of non-terrorists will be getting a second look from agents utilizing this program. And again we see the NSA's instant distrust of anyone using encryption. This is one of the hazards of "collecting it all" and then working backwards. It's easy to make common behavior look suspicious if you start at an end assumption and connect the dots in reverse.

Also troubling are some of the suggested applications of the search program shown in the slide deck, including "show me all the VPNs startups in Country X" and "show me all exploitable machines in Country X."

On top of this, there's the sheer breadth of the program.
The quantity of communications accessible through programs such as XKeyscore is staggeringly large. One NSA report from 2007 estimated that there were 850bn "call events" collected and stored in the NSA databases, and close to 150bn internet records. Each day, the document says, 1-2bn records were added.

The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: "At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours."
Because of the massive size of the data haul, metadata is retained and stored longer while more specific data is released. This still allows agents to perform broad searches to gather as much data as possible while relying on the stored metadata to put other connections together. Once they have the connections, the shallow search can be better utilized with the "strong selectors."

The data harvested isn't solely relegated to foreign communications, no matter what the pulldown menu says. The power of the database pretty much guarantees the inadvertent collection of data on American citizens. This is exacerbated by the fact that some web traffic will be indeterminate in origin or termination. This leads to violations of the few laws that do pertain to NSA data collection, something the NSA documents admit is a problem. Of course, as Snowden pointed out, there's always a solution.
In recent years, the NSA has attempted to segregate exclusively domestic US communications in separate databases. But even NSA documents acknowledge that such efforts are imperfect, as even purely domestic communications can travel on foreign systems, and NSA tools are sometimes unable to identify the national origins of communications.

Moreover, all communications between Americans and someone on foreign soil are included in the same databases as foreign-to-foreign communications, making them readily searchable without warrants.

Some searches conducted by NSA analysts are periodically reviewed by their supervisors within the NSA. "It's very rare to be questioned on our searches," Snowden told the Guardian in June, "and even when we are, it's usually along the lines of: 'let's bulk up the justification'."
Speaking of "justification," the slides claim that over 300 terrorists have been caught using XKeyscore. And the NSA has responded to the Guardian's leak with the usual claims that everything here is legal and audited, etc., which, again, doesn't make it right or even constitutional. It just makes it what it is: the end result of more than a decade's worth of expansion, secret law interpretations and compliant administrations.



Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 9:43am

    Outraged yet?

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    TaCktiX (profile), Jul 31st, 2013 @ 9:56am

    Words Fail Me

    ...except a single quote: "Power corrupts. Absolute power corrupts absolutely." - Lord Acton

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 9:57am

    Lets bulk up the justification

    Seems to be the same thing that FISA court would say.

    Whenever things weren't kosher, they wouldn't say no, they just directed the feds to put some more stuff in there. The FISA court isn't a court, it's a proofreader.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 9:59am

    Re: Words Fail Me

    The problem is the NSA and company are working under the logic of "Power corrupts. Absolute power is kind of nifty."

     

    reply to this | link to this | view in thread ]

  5.  
    icon
    TaCktiX (profile), Jul 31st, 2013 @ 10:08am

    Re: Re: Words Fail Me

    The problem is that the absolute power has so corrupted them that they still believe they are right in what they are doing, that they genuinely are serving the greater good. Delusion that deep is frightening.

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    pixelpusher220 (profile), Jul 31st, 2013 @ 10:12am

    Lying with facts

    Rep Rogers is 'correct' that you can't just wiretap anyone at a mouse click like Snowden said.

    The truth is that the wiretaps have *already* happened at that point. Snowden is inarticulately saying he could search the results of those wiretaps.

    It's telling that even Snowden appears to have fallen unknowingly for the line that it's not a 'tap' until its searched.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Michael, Jul 31st, 2013 @ 10:16am

    Why isn't Verizon throttling their bandwidth when they hit the 5GB cap?

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Alt0, Jul 31st, 2013 @ 10:16am

    Those documents are 5-6 years old. I am sure that by now (if their programmers are worth a shit) that they have streamlined the process to automatically include the "justification" based on the results of the query.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 10:17am

    Re: Lying with facts

    It takes a good politician to be able to lie without actually lying.

    That all works until the details come out. Ooops. No wonder Snowden is a criminal instead of a whistleblower... he's ruining careers and making "good politicians" look bad.

     

    reply to this | link to this | view in thread ]

  10. This comment has been flagged by the community. Click here to show it
     
    identicon
    out_of_the_blue, Jul 31st, 2013 @ 10:18am

    AGAIN without The Google.

    It's amazing how Mike can dodge around mentioning the MAJOR source of "vast databases containing emails, online chats and the browsing histories of millions of individuals".

    So I repeat again. Emphasis added:


    'Greenwald told ABC News’ George Stephanopoulos. “And what these programs are, are very simple screens, like the ones that supermarket clerks or shipping and receiving clerks use, where all an analyst has to do is enter an email address or an IP address, and it does two things. It searches that database and lets them listen to the calls or read the emails of everything that the NSA has stored, or look at the browsing histories or Google search terms that you’ve entered, and it also alerts them to any further activity that people connected to that email address or that IP address do in the future.”


    http://abcnews.go.com/blogs/politics/2013/07/glenn-greenwald-low-level-nsa-analysts-have -p owerful-and-invasive-search-tool/

    NOTE especially the last bit about CONTINUOUS monitoring with updates. That's NOT just looking into Google's servers, that's ACTIVE participation by Google.

    EVEN MORE, how can anyone continue to overlook how closely Google is tied into NSA as MAIN everyday feature, not just a few requests?

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 10:22am

    Back in 1986 I worked on a project that the Marine Corps wanted, adapting the precursor to the Sniffer tool (a network protocol analyzer) so they could monitor their own LAN. I have realized for a long time the theoretical capability of monitoring everything on the Internet. It now scares me to realize this is actually happening. XKEYSCORE takes the cake. I am officially paranoid.

    Things that struck me from the power point presentation.

    -If you are going to encrypt you're emails, chats, or phone calls, you're drawing attention to yourself. It behooves you to take all possible precautions with the rest of your internet activities. Don't go halfway!

    -There are MAC addresses in Excel documents?

    -It looks like the NSA analyzes HTTP headers and does browser fingerprinting. This can help to identify your computer even while going through a proxy.

     

    reply to this | link to this | view in thread ]

  12.  
    icon
    Hephaestus (profile), Jul 31st, 2013 @ 10:24am

    Re: AGAIN without The Google.

    Let me guess you are short on GOOG and hoping to make some money.

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    el_segfaulto (profile), Jul 31st, 2013 @ 10:24am

    Re: Re: Words Fail Me

    I always loved the quote attributed to Nixon regarding his presidency, "The power was nice, but I could have used more power."

     

    reply to this | link to this | view in thread ]

  14.  
    icon
    DannyB (profile), Jul 31st, 2013 @ 10:26am

    HTTPS everywhere

    Someone will pipe up and say: "but I use HTTPS everywhere" extension so that web connections that can use Https, will use Https.

    This lulls people into a false sense of security.

    Let me point no further than the immediately preceding TechDirt article about how the NSA is in bed with American business, and how this hurts American business.

    But first, let me digress. Remember sometime back all the controversy and outrage when Mozilla revoked the SSL signing certificates from a company that had issued root certificates to a third party? In that case, the third party was a company that made border routers for large networks. Those devices could then issue you a genuine signed certificate for, oh, let's just say, Amazon.com, and your web browser would believe it really was talking to Amazon.com. In reality, the intermediate router was what your browser was talking to. Then the router talked to Amazon.com on your behalf. This allowed the intermediate router to intercept, monitor, log or do anything else with your private traffic between you and Amazon.com.

    At the time, the end result was that a lot of people began to wonder about just how much SSL and that green reassuring logo in your address bar should be trusted. If you want to Amazon.com, and your browser had a green trust logo, and you clicked it to inspect the certificate, and it was signed by, let's just say, Honest Achmed's Trusty SSL Certificates of Tehran Iran, would you believe that Amazon had purchased their SSL certificates from there?

    Now back from my digression to the topic at hand.

    Do you suppose that the NSA might secretly make secret arrangements with American certificate authorities (CA's) so that their secret private signing keys and or root certificates are secretly sent to the NSA so that the NSA can secretly play MITM (maniacal monster in the middle) games with your supposedly secure SSL traffic?

    I would laugh myself silly if a subsequent leak revealed exactly that.

    The entire underlying trust model of supposedly secure traffic on the internet would be broken. Who could trust anything over SSL? Who in other countries could trust American businesses ever again?

     

    reply to this | link to this | view in thread ]

  15.  
    icon
    Uriel-238 (profile), Jul 31st, 2013 @ 10:26am

    Resigned.

    What do those of us on the ground do when our congresscritters don't care about our opinions, but have backed mass surveillance 100%?

    All outrage does is eat me from the inside.

     

    reply to this | link to this | view in thread ]

  16.  
    icon
    DannyB (profile), Jul 31st, 2013 @ 10:27am

    Re: Re: AGAIN without The Google.

    He's short on brains and hoping to make some sense (or cents).

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 10:29am

    Can I send a DMCA notice to the NSA to have them take down my content? This is massive copyright infringement!

     

    reply to this | link to this | view in thread ]

  18.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 10:29am

    Re: AGAIN without The Google.

    Google is not necessarily involved in this particular program. Remember that the NSA has some 15-20 monitoring points at telecom centers across the U.S. HTTP traffic can be collected, filtered, and indexed in those places. Though, as HTTPS becomes more commonly used then searches using Google will have to be monitored with Google's help.

     

    reply to this | link to this | view in thread ]

  19.  
    icon
    jupiterkansas (profile), Jul 31st, 2013 @ 10:29am

    Re: Re: Re: Words Fail Me

    Most of them probably are serving the greater good, but it's a case where the ends doesn't justify the means.

    They also have the power to do the greatest evil, and eventually it will happen if it hasn't already.

     

    reply to this | link to this | view in thread ]

  20.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 10:50am

    Re: HTTPS everywhere

    Interesting point. Do keep in mind that MITM could not be done on a mass scale. They could only do this with selected targets as it is computationally prohibitive on a large scale.

    One of the repercussions concerning all this is that other countries might demand that Internet governance (i.e. ICANN and Verisign) no longer be U.S. based.

     

    reply to this | link to this | view in thread ]

  21.  
    icon
    Hephaestus (profile), Jul 31st, 2013 @ 10:59am

    You know this is a big story when ...

     

    reply to this | link to this | view in thread ]

  22.  
    icon
    Ninja (profile), Jul 31st, 2013 @ 11:00am

    The vastness of the data collected is simply mind boggling. It gets worse each day with Govt lies being exposed as they are fresh in the public collective minds. This is getting epic proportions. I wonder how much damage the Govt or US tech companies will take before they finally start doing something to fix the issue...

    Reminds me of the US accusing huawei of hardwiring espionage stuff in their hardware. I'm sure everybody now have a big question mark concerning Cisco, IBM, Microsoft, Intel etc etc etc

     

    reply to this | link to this | view in thread ]

  23.  
    icon
    Cixelsid (profile), Jul 31st, 2013 @ 11:04am

    Re:

    Not sure whether to vote this comment insightful or funny

    (Picture of Philip. J. Fry here)

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 11:07am

    Locations

    Does page 6 show a xkeyscore server in the middle of China?

    I'm not sure what the dots along Antarctica represent. Satellites?

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 11:11am

    Page 24

    "Show me all the exploitable machines in country X"

    I want to know if they have searched for any exploitable machines in the United States - and how they've used that information.

     

    reply to this | link to this | view in thread ]

  26.  
    icon
    John Fenderson (profile), Jul 31st, 2013 @ 11:17am

    Re: Re: HTTPS everywhere

    They could only do this with selected targets as it is computationally prohibitive on a large scale.


    I don't see any reason why this couldn't be done on a large scale. The computational requirements aren't terribly prohibitive (large, yes, but not prohibitively so). The main constraint would be bandwidth, not CPU cycles, and that's easy to mitigate by scattering your servers across the globe.

     

    reply to this | link to this | view in thread ]

  27.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 11:20am

    Re:

    As far as the router/switch companies go. I worked for a major competitor of Cisco and they did not have anything in the software that secretly allowed for general monitoring. CALEA conformance was basically assigning the use of a general purpose mirroring port which was not controlled separately from full administrative control of the router or switch involved. Any code residing in ASICS or FPGAs had to interact with the software. I can't speak for Cisco's routers, but it would be hard to keep backdoors secret. Usually, any software engineer that worked on a router has access to all the code for that router.

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    Failboat, Jul 31st, 2013 @ 11:20am

    Re: Page 24

    This makes me think of all those hacking attempts against US companies from China. Perhaps the NSA was just using a Chinese endpoint to attack our own country to retrieve data.

     

    reply to this | link to this | view in thread ]

  29.  
    icon
    DannyB (profile), Jul 31st, 2013 @ 11:20am

    Re: Re: HTTPS everywhere

    I'm not sure why you are saying that MITM can not be done on a mass scale?

    Suppose I had secretly obtained the root signing certificate from a CA? For the following, I will use a fictional CA and call it VeriSlime.

    Here is what my MITM device would need to do.

    When you connect to Amazon.com, I first check if I have ever created a certificate for Amazon.com. If so, then I just use that fake cert to accomplish my MITM between you and Amazon.com.

    But what if there is a cache miss? You connect to your small town bank site. I don't have that cert in my cache. So I make a connection to your small town bank site just to obtain its cert. I create a new cert with all the same properties, and sign it with VeriSlime's root cert key. That does not take very long to accomplish. And it only must be done once for that cert. I am not breaking any crypto -- merely performing some routine operations. Then using the new cert, I complete your original connection to your small town bank, but doing MITM, using the new cert.

    Unless you are alert you might not notice that your bank certificates used to be signed by another CA, and now are signed by VeriSlime.

    But if I was the NSA, I might have the root signing certs for every American CA. Then I could sign my impostor cert for your small town bank using the root cert from the same CA that your bank uses.

    Now suppose that even though now I use the right CA to sign all my fake certs, you still notice the thumbprint has changed and might be suspicious. Or suppose the bank could insert JavaScript code in their page to check the cert and insure it is what they expected to see? Or like Google, the Chrome browser checks Google certificates to be sure that they really are what they should be?

    Well, if I were the NSA, I might simply require every CA to give me a duplicate of any signing certificates that they issue to their customers. So (new application here...) when Microsoft buys a certificate (but this time instead of SSL, let's say a code signing certificate) the CA will issue me a copy of the certificate. That way I can sign any binary code I want it it REALLY IS signed by Microsoft. Now I can impersonate Microsoft's update servers, and have you do a Windows Update to my MITM server, and I could install any freakin' code I want onto your computer and it would be trusted!

    What is so difficult to do on a large scale here if I had, say, a twenty person team of experts working on it, starting, say, five years ago?

    One thing, using the Microsoft example, that Microsoft could do is to NOT use code signing certs issued by a CA. Set up their own internal CA that creates root certs, signs code, and put your trusted certs into your products (Windows, Office, etc) so that they only trust your own root certs and no third party is involved. But oh, wait -- Microsoft was working with the NSA either willingly or unwillingly. And Google. And everyone else.

     

    reply to this | link to this | view in thread ]

  30.  
    icon
    DannyB (profile), Jul 31st, 2013 @ 11:24am

    Re: Re: Re: HTTPS everywhere

    Gee, doesn't the NSA put some devices within the infrastructure at ISP's? Or did I just imagine reading that here on TechDirt recently?

     

    reply to this | link to this | view in thread ]

  31.  
    icon
    DannyB (profile), Jul 31st, 2013 @ 11:25am

    Re: Re:

    The two are not mutually exclusive. Try it.

    No, really. Don't be afraid.

     

    reply to this | link to this | view in thread ]

  32.  
    icon
    DannyB (profile), Jul 31st, 2013 @ 11:26am

    Re: Page 24

    Let's not forget that Microsoft was giving NSA advance information about exploits not yet patched, or not necessarily even generally known.

     

    reply to this | link to this | view in thread ]

  33.  
    icon
    Rapnel (profile), Jul 31st, 2013 @ 11:26am

    Re: Page 24

    Were I a spook I would've been using/encouraging known exploits (especially those "you heard it here first" special edition deliveries) to exploit any and every machine on a wire, period. Wire tapped, key logged, private locks and private doors. select x-morecontent from theworld where z-content in(kill, bomb, jihad, '%yourgirlfriend%', selfie);

     

    reply to this | link to this | view in thread ]

  34.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 11:43am

    Re: Re: Re: HTTPS everywhere

    Possibly. That was a seat-of-my-pants estimate. I do know from working on a small router that adding encryption dropped the throughput by an order of magnitude. My estimate may not accurately take into account the gains, since then, provided by GPUs or other hardware that is encryption/decryption specific. Mark Klein described Narus machines filling the small room at the SF ATT center. At that time HTTPS usage was limited. Remember, that with MITM every packet is decrypted and re-encrypted and this is for traffic in both directions. I am wondering why the NSA would go this route rather than demanding more PRISM-like co-operation from the server endpoints.

     

    reply to this | link to this | view in thread ]

  35.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 11:52am

    Re: AGAIN without The Google.

    Good point ootb, I personally avoid google like the plague.

     

    reply to this | link to this | view in thread ]

  36.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 11:59am

    Re: Words Fail Me

    Unfortunately, I'm afraid this has not much to do with power but with mere bureaucratic estranged conscience. The same that has turned an engineer into a mass executer. I say "unfortunately" because if this were power, it wouldn't last long, victim to its own blind ambitions, and would somehow quickly come out as obvious (e.g. Nixon). The second brand however is silent, unnoticed and, well, just about average.
    Overall, what stands out as characteristics seems to me to be stupidity and an appalling lack of elegance. Typical Bush-era stuff perpetuated by the current weak administration.

     

    reply to this | link to this | view in thread ]

  37.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 12:00pm

    Re: Re: Re: HTTPS everywhere

    A MITM operation requires that every packet received is decrypted and then re-encrypted before re-transmitting. That is computationally expensive. Also, the NSA listening points at telecom centers were just mirroring received traffic. If MITM were a consideration, the NSA would have to insert themselves into the switching points and not just get traffic fed to them through a branch from the switches. If I were designing this I would say the NSA is better off expanding their PRISM capabilities.

    Signing code is an entirely different matter. I have always wondered if Microsoft wasn't allowing the FBI/CIA/NSA use their update capability to install code on targeted machines. The, recently publicized, fact that Microsoft was selling or providing security vulnerabilities/exploits to the government undermines that suspicion.

     

    reply to this | link to this | view in thread ]

  38.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 12:02pm

    it was quite obvious before this why Rogers was condemning what Snowden was saying. i thik he anticipates making a nice little bonus from the security companies his family are associated with. now add in the fact that he didn't want it known for sure just how big a liar he is, and you can understand why he was shouting so loud. now this tidbit is out, it's blatantly obvious why he was shouting! isn't it funny how the most guilty, shouts the loudest to try to deflect from them on to anyone else. i sure hope that someone is keeping a list of those that need replacing come voting time. he definitely needs to lose his job!!

     

    reply to this | link to this | view in thread ]

  39.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 12:16pm

    Re: Re: Re: Re: Words Fail Me

    "Most of them probably are serving the greater good"

    No most of them probably THINK they are serving the greater good. Neo-con ideology really started to take hold out of trying to prevent another Pearl Harbor. Prior to that we felt our best policy was to mostly stay out of foreign conflicts apart from simply providing our allies with some requested support. When that sort policy failed twice to keep us safe, the thinking shifted to keeping tabs on and manipulation of foreign affairs as a means of minimizing the ability of situations where we could be attacked. In a nutshell, it's applying the theory of "the best defense is a good offense" to foreign affairs. The initial reasons behind it are still to keep Americans safe. The major downsides to it are doozies: 1. It tends to make a lot of enemies out of people that wouldn't otherwise consider you an enemy. 2. It fosters a us against the world mentality where you have to constantly overcome the collective strength of practically everyone else to make it work and keep it up in the long term. 3. If you can make it work, then those with the power to control the machine that manage it tend to become corrupted by the power that they have undermining all of the nobleness behind the initial ideology, which is where we are today.

     

    reply to this | link to this | view in thread ]

  40.  
    icon
    pixelpusher220 (profile), Jul 31st, 2013 @ 12:19pm

    Re: Re: Re: AGAIN without The Google.

    He's got a better shot at making 'cents'....

     

    reply to this | link to this | view in thread ]

  41.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 12:20pm

    Re: Lying with facts

    Besides you can't really "wiretap just anyone" anymore. Many people don't use or even have POTS lines anymore, making "wiretaps" not as prevalent. You can't really tap a wire on a wireless phone anyway now can you?

     

    reply to this | link to this | view in thread ]

  42.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 12:22pm

    Every day/week/month something new is coming out about the NSA and the dastardly deeds enabled by a free for all in spying that doesn't take any consideration about what the grounding laws actually say.

    We the public have been lied to so often and frequently that trust is no longer possible. It is far and beyond time to end the Patriot Act and other laws put on the books that enabled this sort of massive spying. I'm not sure that just defunding NSA is enough.

    What I am sure of is I don't recognize this country as the one I served in the military for. This country as it is being revealed begins to look more and more like Russia or China in it's keeping track of the populace. With absolutely no justifications beyond 'it might' qualifying. Give 'it might' to the paranoid and it becomes a certainly even through it is never proven to actually be so.

    Enough is enough.

     

    reply to this | link to this | view in thread ]

  43.  
    icon
    evilbeing (profile), Jul 31st, 2013 @ 12:22pm

    NSA grabs data of Filesharer Hollywood Sues NSA for Infringement.. only in a perfect world

     

    reply to this | link to this | view in thread ]

  44.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 12:28pm

    Re: AGAIN without The Google.

    blue, again, Google has nothing to do with implementing this other than having to do what the government requests in order to keep from causing themselves a world of hurt at the hands of the government. If you want to rant about something wrong Google is doing (all though I admit it is off topic for this particular post) here, I'll throw you a bone...

    http://www.wired.com/threatlevel/2013/07/google-neutrality/

     

    reply to this | link to this | view in thread ]

  45.  
    icon
    Internet Zen Master (profile), Jul 31st, 2013 @ 12:39pm

    Pg. 28

    "Over 300 terrorists have been captured using intelligence from XKeyscore"


    Perhaps their claims that "we've stopped terrorist attacks with this surveillance!" might have a little credibility.

    Of course, we'd be taking a leap of faith and assuming that all the terrorists the NSA has helped stop are actually terrorists who were planning to, well, cause terror among the general populace (American or otherwise), and not some unlucky bastard who got a nasty case of "mistaken identity" and was dragged in with the real threats because the government couldn't risk letting the guy go because he'd make a big fuss about everything.

     

    reply to this | link to this | view in thread ]

  46.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 12:51pm

    Re:

    Damn you! Coffee all over my desk now!

     

    reply to this | link to this | view in thread ]

  47.  
    icon
    AR (profile), Jul 31st, 2013 @ 1:02pm

    Just as mentioned above. You have already been unconstitutionally and illegally wire tapped.

    Its automagic!!

    They just havent entered your name into their search box yet.

     

    reply to this | link to this | view in thread ]

  48.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 1:08pm

    http://www.wired.com/threatlevel/2013/07/alexander-blackhat-keynote/

    My favorite part is at the very end...

    "An audience member yelled “bullshit” at one point, while another shouted, “You lied to Congress, why do we believe you’re not lying now?” Both remarks received applause from the audience."

     

    reply to this | link to this | view in thread ]

  49.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 1:09pm

    OMG! They can! They Do! and they are!... on INTERNET EXPLORER??!!!. I'm telling you, seeing that they use IE really pissed me off....!!

     

    reply to this | link to this | view in thread ]

  50.  
    icon
    Josh in CharlotteNC (profile), Jul 31st, 2013 @ 1:17pm

    Re: Re: HTTPS everywhere

    Do keep in mind that MITM could not be done on a mass scale. They could only do this with selected targets as it is computationally prohibitive on a large scale.

    Yeah, they'd need a data center the size of a football field or two.

    Like the one that's being built by the NSA... oh.

     

    reply to this | link to this | view in thread ]

  51.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 1:56pm

    Re: Re: Re: HTTPS everywhere

    The more I think about this the less likely I think large scale MITM could happen. It is probably theoretically possible. The NSA would have to redesign all the telecom centers where they currently have taps into communication. Instead of just receiving a one-way feed of mirrored traffic they would have to insert themselves into the core routers. Normally core routers don't have hardware accelerators for encryption/decryption. That functionality is left for edge routers that must implement protocols like VPN. So, those routers would have to be a custom job and at the same time as quick and reliable as the equipment they are replacing. I am sure the current core router complement in these centers is nowhere near capable of handling the extra computational requirement for mass MITM functionality.

     

    reply to this | link to this | view in thread ]

  52.  
    icon
    John Fenderson (profile), Jul 31st, 2013 @ 2:01pm

    Re: Re: Re: Re: HTTPS everywhere

    If adding encryption reduced your throughput by an order of magnitude, either something is very wrong with the encryption code or your hardware is antique.

    Decryption (if you have the key) is a pretty fast operation. Encryption is a bit slower, but it's not crazy slow.

    I am wondering why the NSA would go this route rather than demanding more PRISM-like co-operation from the server endpoints.


    Mostly so that they don't have to rely on the cooperation of anybody. With a MITM attack, neither endpoint needs to help you, or even know that you're doing it.

     

    reply to this | link to this | view in thread ]

  53.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 2:04pm

    Re: Re: Re: HTTPS everywhere

    Bluffdale is just a storage center, that is still not capable of handling the raw feed of all the voice/internet traffic that is routed through a distributed set of telecom switching centers. It's scary enough what that data center will be capable of holding but it's not everything and it's not with the additional requirement of acting as MITM to all that traffic.

     

    reply to this | link to this | view in thread ]

  54.  
    icon
    John Fenderson (profile), Jul 31st, 2013 @ 2:07pm

    Re: Re:

    I worked for a major competitor of Cisco and they did not have anything in the software that secretly allowed for general monitoring.


    How do you know?

    There have been numerous instances of routers from various companies (including Cisco) having backdoors installed without the knowledge of the software devs and most of the hardware engineers.

     

    reply to this | link to this | view in thread ]

  55.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 2:15pm

    Re: Re: Re: Re: Re: HTTPS everywhere

    This was a low-end software based router. Very cheap, but the CPU was just equivalent of a high-end PC for 2006. In this system, the CPU was the choke point for throughput. Adding encryption/decryption without hardware accelerators made it even more of a choke point. So, that's why I am not sure how much current CPUs with multiple cores, along with GPUs or other specialized hardware would be affected. Still I think this is problematic. Read my next comment.

     

    reply to this | link to this | view in thread ]

  56.  
    icon
    James Burkhardt (profile), Jul 31st, 2013 @ 2:36pm

    Re:

    What we need to do, is take the time to have our address and phone number represent something, and therefore be a creative expression and then shut down the collection of our metadata on copyright grounds.

    To use the logic of the company that created bank routing numbers and the trolls who defended them.

     

    reply to this | link to this | view in thread ]

  57.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 2:36pm

    Re: Pg. 28

    Captured isn't the same as convicted (or even charged with a crime).
    As part of their story, I'd like to know where these captured terrorists are (Bagram? Abu Ghraib?) and who did the capturing (US or another nation).

     

    reply to this | link to this | view in thread ]

  58.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 2:38pm

    Re: Re: Re:

    I had access to all the code. I did go through a lot of it but not everything (really a lot of code). The stuff I did not go through was not handling the majority of traffic flow in that they implemented specialized protocols. I was privy to all the low-level interaction with the hardware and I knew everything about configuring a mirroring port.
    Can you point me to a discussion of backdoors for Cisco? Also, what other router companies are you thinking of?

     

    reply to this | link to this | view in thread ]

  59.  
    icon
    John Fenderson (profile), Jul 31st, 2013 @ 2:52pm

    Re: Re: Re: Re: Re: Re: HTTPS everywhere

    Well, in my own home network, I use a cheap consumer grade, 5-year-old router that I've replaced the software on. It is a VPN server and all traffic over my network flows through it and is encrypted (including things like Netflix). My network is under moderately heavy load most of the time.

    I did not do benchmarks when I installed the crypto, so I can't give exact figures -- but whatever slowdown the crypto is causing was low enough that it was unnoticeable in practical usage.

     

    reply to this | link to this | view in thread ]

  60.  
    icon
    John Fenderson (profile), Jul 31st, 2013 @ 3:05pm

    Re: Re: Re: Re:

    The backdoors would not be in the code proper, they would be in the hardware and require no interaction with code outside the chip.

    I cannot give you a list of the routers that I know about personally right now, but a quick web search turns up a list of usual suspects, including Cisco.

    Unless you're doing packet analysis of the traffic to and from a router while the back door is actually in use or attempt a known exploit and find that it succeeds, it's almost impossible to be sure that the router is not compromised -- even if you can guarantee that the higher-level code isn't.

    This is one reason why I don't use commercial routers at all between my network and the internet (although I do use them for internal routing).

     

    reply to this | link to this | view in thread ]

  61.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 3:28pm

    Re:

    Online fingerprinting is such a nasty tool for identifying people on the internet, without login or cookies.

    It is very scary to think about. I rarely use proxies anyway, but fingerprinting is something I would rather avoid giving away to foreign parties, no matter the cause.

     

    reply to this | link to this | view in thread ]

  62.  
    identicon
    Brazilian Guy, Jul 31st, 2013 @ 4:15pm

    Of course, since its only cost effective if you need to store data for at least 600 years, the NSA is the primary candidate to implement DNA DATA STORAGE. They may decide to retain your personal data for a longer period of time, to see if your grandgrandgrandgrandgrandgrandsons arent a threat.

    www.wired.com/wiredscience/2013/01/dna-data-storage-2/

     

    reply to this | link to this | view in thread ]

  63.  
    identicon
    Anonymous Coward, Jul 31st, 2013 @ 4:31pm

    Re: Re: Re: Re:

    you may think that you had access to all the code, but it could be easy to hide things where you wouldn't expect to look. Did you have access to the build machines? Do you know the ins, outs, and innards of the build system? I can tell you for a fact, the build process provided by microsoft for visual studio has open insertion points where I could add more source files/change the compiler/change the linker/completely replace the whole build process with just a text file and setting an environment variable.

     

    reply to this | link to this | view in thread ]

  64.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 4:48pm

    Re: Re: Re: Re: Re: Re: Re: HTTPS everywhere

    The router we were making maxed out at a total throughput of 800Mbits/second which is a rate you probably won't ever see at home. With all ports using VPN it maxed out at 80-90Mbits/second.

     

    reply to this | link to this | view in thread ]

  65.  
    icon
    aldestrawk (profile), Jul 31st, 2013 @ 5:38pm

    Re: Re: Re: Re: Re:

    I was very familiar with the build process and sometimes helped them when problems arose. Both engineering and build used the same source database. No, I didn't have actual access to the build machine but if there were added source there would be a difference in size of the binary between what they built and what was on my development machine. Believe me, I checked this often just to ensure no foul-ups occurred.
    I did a lot of testing of throughput including accounting for every single packet received on a port and where it went. These counts occurred in standard industry hardware outside of our proprietary ASICs and FPGA code. I would have noticed a discrepancy. If there was a backdoor in an ASIC it would still have to be triggered or configured by software. Even if there was a secret configurable register, there needed to be software that handled reads or writes to that specific interface. I knew all the low-level software. The only possibility I can see is if the compiler itself had been altered to add secret code to all the builds. I just find that hard to believe the company would go to that degree of trouble and risk screwing up any logic that would be impossible for most of the developers to debug.

     

    reply to this | link to this | view in thread ]

  66.  
    icon
    Aaron (profile), Jul 31st, 2013 @ 10:01pm

    Re: Lying with facts

    Wasn't it Evey in V for Vendetta who said something like:

    Artists use lies to tell the truth. Politicians use the truth to tell lies.

     

    reply to this | link to this | view in thread ]

  67.  
    identicon
    John, Aug 1st, 2013 @ 2:29am

    NASA Spying

    "If people can't trust not only the executive branch, but also don't trust Congress and don't trust federal judges to make sure that we're abiding by the Constitution, due process and rule of law, then we're going to have some problems here," ...Obama
    Well, when the Executive Branch, Congess and the courts provide a reason as to why we should trust them on this issue, then maybe we won't have a problem. Implicit in Obama's statement is that the American people should "trust us, we have your interests at heart". The fact of the matter is that since 9/11 the Surveillance State has grown exponentially, with little or no dialogue on the part of the Executive branch, Congress (with the exception of Senators Wyden and Udall) and the courts with the American people, regarding the tradeoff between civil liberties and the role of surveillance in 21st Century America. Furthermore, without Edward Snowden this conversation wouldn't be taking place, even now.

    http://www.carbonated.tv/technology

     

    reply to this | link to this | view in thread ]

  68.  
    icon
    DannyB (profile), Aug 1st, 2013 @ 6:44am

    Re: Re: Re: Re: HTTPS everywhere

    Encrypting / decrypting for SSL is not that expensive. An Apache Tomcat server (java) on a decent hardware*, can easily handle SSL without any outside software / hardware assistance. Yes, I know a distributor in front of it could do the SSL, or a hardware card, or even another web server (like Apache) in front of Apache Tomcat could remove the SSL burden from the Tomcat server (written in Java). (tcnative is also part of this configuration)

    *by decent hardware, I mean like a server with Xeon X5560. That CPU chip costs upward of $1000, (but it includes a heat sink! :-) ) Then buy enough of those chips to fill all the sockets on the motherboard. For only thousands of dollars a server with no special hardware assistance can easily handle a lot of SSL traffic without even breaking a sweat. I promise. That includes serving even static resources (graphics, js, css, etc over SSL) And if I ever need to offload the SSL onto other hardware, this is easy to do in several different ways, and totally transparent to the application. And it would also be very easy to move static resources to another server software (Apache or other), or even another server hardware. But in terms of economics, if it is not even breaking a sweat today, why bother until necessary.

    That's just one anecdotal example to consider.

     

    reply to this | link to this | view in thread ]

  69.  
    identicon
    Anonymous Coward, Aug 1st, 2013 @ 7:17am

    Re: Re:

    They aren't just collecting metadata if they have our chat logs.

     

    reply to this | link to this | view in thread ]

  70.  
    identicon
    Anonymous Coward, Aug 1st, 2013 @ 7:19am

    When I private IM someone, I have a reasonable expectation of privacy. Private is in the name of the action I am doing even.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This