Bruce Schneier Speculates On NSA Double Laundering Information It Obtains Via Network Infiltration

from the double-reverse-parallel-construction dept

Bruce Schneier has a worth-reading post about the latest reports on the NSA infiltrating the network connections for Google and Yahoo’s datacenter, making a number of good points about that story. We’ll discuss a few of the points, but I wanted to focus in on this one first:

In light of this, PRISM is really just insurance: a way for the NSA to get legal cover for information it already has. My guess is that the NSA collects the vast majority of its data surreptitiously, using programs such as these. Then, when it has to share the information with the FBI or other organizations, it gets it again through a more public program like PRISM.

While it’s just speculation, there is some reason to suggest it might be the case, and that would show just how far the NSA goes in some cases. After all, until June, PRISM itself was a secret. Yet, now, it’s possible that the secret PRISM program was really just a way to put a legal-looking coat of paint on far more invasive activities. After all, it’s already been revealed that the NSA and others make use of what they call “parallel construction” to “refind” evidence that they found through means they don’t want to be challenged in court. As we said, this is just a way of laundering illegally obtained evidence. If Schneier’s suspicion is right, then the NSA was actually probably happy that PRISM info came out first, since it does have at least some claims to being legal under Section 702.

But, if he’s correct, it would mean that the NSA has secretly backdoored its way into networks, sucking up pretty much everything — and then when it finds something useful, it will then use Section 702 under the FAA and the FISA Court to come up with some reasoning why that same info should be “collected” via either PRISM or the upstream telco traps, and then it can do more with it. This might not be true, but layering secret programs on top of secret programs to hide how the info was actually obtained would be something.

Other key points from Schneier are that we cannot assume it was just Google and Yahoo infiltrated this way. It’s likely that others have been as well, just under different programs. And, more importantly, this demonstrates how legislative change to fix these things likely won’t be enough. If you block the NSA from getting the data from door number 1, they’re already in doors numbered 2, 3, 4, 5 and 6. Not only does there need to be a full independent investigation of everything the NSA is doing, but we need to build much more secure systems at the same time.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Bruce Schneier Speculates On NSA Double Laundering Information It Obtains Via Network Infiltration”

Subscribe: RSS Leave a comment
Anonymous Coward says:

As a target, I can tell you that you do not even have privacy in your own mind. I was targeted pre 911 and they left me lots of little hints that it was going to happen and then taunted me about it afterward in order to induce PTSD. There was nothing I could do to stop it of course, but some in charge are truly monsters. They kill us for power and control and then claim “democracy”.

Anonymous Coward says:

If course the DOJ will lie in court about how evidence was obtained.

What we really need is legislation that prevents the NSA from bullying companies, and installing spyware on citizen’s celphones.

NSA couldn’t break Google’s SSL ciphersuit. So the NSA attacked it’s unencrypted WLAN network instead.

If the NSA can’t break encrypted messages coming from your cellphone. Then they’ll infect your cellphone with spyware, and read the messages after they’ve been decrypted by your phone.

We need cellphones without proprietary backdoors built into the firmware and GSM/LTE modem drivers. That’s the only way to stop the NSA from abusing the power it holds.

Power sponsored wholly by our tax money. You wanna know why we’re 16 trillion dollars in debt? Look no farther than the 1 million square feet Datacenter in Utah.

Using our money to build spy centers, to be used against us! Plus handing hundreds of millions of tax dollars over to GCHQ and who knows who else. Probably Israel.

Anonymous Coward says:

Re: Re:

They don’t need backdoors in the drivers for cellphones. They have SIGINT at the carrier level along with all your GPS data handed to them on a silver platter.

They introduced weaknesses in SSL so none of that is safe either. But they don’t need it at all since the companies just hand it over to them (or face a DOJ inquisition).

Anonymous Coward says:

Pretty weak argument, since it's known that NSA isn't actually effective.

At least not for “terrorists” — getting social trends and industrial espionage works pretty well. Of course, I’ve never accepted the premise that Schneier/Mike seem to here, that NSA is for keeping We The People safe: I’ve always regarded “our” gov’t as the biggest and nearest threat to liberty, and spies as the worst types, explicitly out to steal liberty (and doesn’t matter if they’re “commercial” spies, either, they’re all just creepy snoops). So, taking that view, the prosecutorial functions of NSA are so rare that building theory on that premise just flops. — Where are these alleged court cases that justify all the trouble for “parallel” systems? It’s a mere handful of patsies who were set up, at most.

“…the NSA was actually probably happy that PRISM info came out first…” — Oh, so you DO believe is a limited hangout psyop?

Anonymous Coward says:

Welcome to the Police State of America. Where even your dog might be spied on. (well it’s almost that bad)

Evidence in one form or another just keeps coming about just how rabid the NSA has become. Problem with it is, the public is just getting the vanilla version. Each time there is a new revelation, you keep having to adjust your sense of how deep the rabbit hole goes. Since we’re only getting minor pieces and the NSA is scared to death someone is going to do something about it, it really makes you wonder what they are afraid might be revealed next. None of it bodes well for the average citizen when it’s government runs on hyped up paranoia.

vastrightwing (profile) says:

Re: how deep the rabbit hole goes

Seriously, do you want to consider just how deep the rabbit hole is? I’ll go insane if I seriously contemplate that mental exercise. We only hear the stuff that’s sanitized. I can’t even imagine the stuff the media won’t publish or doesn’t know. Please bear with me as my mind freezes contemplating that idea.

vastrightwing (profile) says:

Game Over

As I learn more about the NSA scandal, I am drawing a line through the idea that the data collection is really about insider trading and being able to beat the odds betting on derivative instruments. If you look at a derivative in this way, it now becomes a weapon.

Max Keiser explaining derivatives as a financial weapon:
You swap assets in a bank in a foreign country that are collateral that you can use to build a sound economy with exploding financial derivatives that take down the country.

Wikipedia cites this as a use for derivatives:
Derivatives can be used either for risk management (i.e. to “hedge” by providing offsetting compensation in case of an undesired event, a kind of “insurance”) or for speculation (i.e. making a financial “bet”). This distinction is important because the former is a prudent aspect of operations and financial management for many firms across many industries; the latter offers managers and investors a risky opportunity to increase profit, which may not be properly disclosed to stakeholders.

It is the last part where the NSA comes in handy. By knowing things your opponents don’t know, you can greatly increase the odds of winning a bet.

This goes a long way explaining why the NSA wants to keep this so secret. It’s about money, not terror. Once too many people find out the NSA is essentially a bet rigging device, it can no longer be used for such purposes. No one will want to play ball with us. The game will be over.

Anonymous Coward says:


Lavabit springs to mind. If you have the backbone tapped and a Judge ordered the hand over of the keys, why would you need the box in the Lavabit network?

You could go back and decode all previous traffic (they keep encrypted US traffic) and all future traffic anyway. Using their other taps.

There’s another point aswell. Google make great play of how low the PRISM numbers are, for Lavabit that number would be 1 request about 1 account, yet the way it was done it was 1 request about all accounts past and present and future.

And a final point, if they tapped Google, their keys and other security info, might have been sent across that internal network and thus compromised too.

Anonymous Coward says:

Anyone else??

Does anyone else here have any concerns that TD is now resorting to “Speculation”, are there not enough facts and supportable evidence to make your case.

Are we through the ‘bottom of the barrel’ at this point?
Is it really necessary to “make shit up” as opposed to reporting on known facts.

Once you degenerate to speculation you give up chance of being taken seriously. (not that that appears to be an issue here).

Mr Masnick you must have posted this with the full knowledge that your disciples will take this as honest truth and not as a speculative opinion that it actually is.
We also know that in future you will link back to this article and an indication of the truth of some future piece.

Anonymous Coward says:

Re: Anyone else??

“Is it really necessary to “make shit up” as opposed to reporting on known facts.”

Deduction is not the same as making shit up

Schneier deduced that PRISM was used to pull stuff they already had in a more legal way. Given the new leaks that seems likely.

It’s always worth re-examining everything we know in the light of each new leak.

For example, NSA can tap a phone based on an analysts opinion:

Now of course we had Merkels phone tap, we can examine what authority is needed for that and whether the same authority covers anyone, even US citizens.

You see how it works?

Anonymous Coward says:

Re: Re: Anyone else??

Also if you read the latest, Europes spying agencies were helped by GCHQ to get around the laws and oversight:

So NSA using the PRISM program to legalize stuff it got anyway through the hacking of Google(done offshore on the basis that the FISA court didn’t have jurisdiction and so the FISA ruling could be ignored). That seems like the same thing, finding some way around oversight and pesky laws.

Anonymous Coward says:

Re: Anyone else??

He’s quoting and discussing Schneier’s speculation, mostly.

What I find far more disturbing is this repeated insistence, even among NSA’s critics, that there is somehow still something ‘legal’ about all of this. I.e.:

‘it does have at least some claims to being legal under Section 702.’

There is nothing legal about anything the NSA has done and is doing. Stop furthering this lie. It’s a lie and everybody knows it. There is nothing more violating of the 4th amendment than this. Ever. No, the discussion about whether or not something can be ‘legal’ without being constitutional is a non-discussion too. Stop it.

Andy says:

Bear in mind...

You write that Bruce “speculates” this and that.

But don’t let the fool you. While he obvious always words his thoughts carefully unless he has in-your-face presentable hard proof of something, he is actually one of the few people who had direct access to selected parts of the leaked documents.

He may be assuming and speculating, but all over the glogosphere he is probably the man with the very best positions to hit very close to home with his theorys.

Andre Brisson (user link) says:

Schneier How is it he leads the most important debate on democracy?

The public should question the real motives of Eric Snowden and Bruce Schneier as well as NSA

By Richard H.L. Marshall, former Director of Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security (DHS) and
Andr? Brisson, founder Whitenoise Laboratories Canada Inc.

Washington D.C. USA, Geneva, Switzerland and Vancouver, BC Canada ? Almost daily, Mr. Bruce Schneier has generated incessant buzz about privacy and the National Security Agency (NSA) on his blog. From the sheer volume of his self-proclaimed insight and that of his sycophants, he would have us believe, like Chicken Little, that the sky is falling.

It appears that one of the sources of Mr. Schneier?s information are documents leaked by E.Snowden, fugitive American living in Russia and former contractor with Booz Allen Hamilton, and Glenn Greenwald, a journalist who worked with Mr. Snowden. Mr. Schneier?s intentions clearly have nothing to do with his convictions about privacy, as much as business and profit motives. It must be emphasized that blogs are not journalism: they are marketing tools specifically designed to try to sell a product, not to get to the truth.

Weeks of research regarding Mr. Schneier?s claims have highlighted one of the most frustrating problems with the internet age. Because virtually anyone lacking serious journalistic credentials can, and often does, write or post freely on any subject, the resulting sheer volume of information available may lead people to believe that the reporting is even-handed and well-researched. Unfortunately, in many circumstances nothing can be farther from the truth.

We are currently wrestling with the wrongly defined issue of Privacy versus Security. Rather we should be asking ourselves how we balance Privacy AND Security. They are not mutually exclusive.

Balancing privacy and security is one of the most pressing issues of our age, with far-reaching impact on democracy. It is also ever changing and evolving in real time, in response to terrorists, criminals, and dangerous malcontents. Because the very information analyzed and evaluated may result in policy, it absolutely demands that such information be subject to the highest and most stringent scrutiny and as such, deserves to be evaluated and vetted by verified experts, politicians, business leaders, and citizens with proven track records of integrity, honesty, and true concern for the public interest. It should not be done by those with a history of practicing self-interest over privacy and security.

For many weeks, it has been noted that volumes of proselytizing and dissemination of ?opinion-as-fact? come from unverified information through Mr. Schneier?s self-promoting blog, other blogs and various online sites, such as gamer?s sites, of unknown, dubious reputation and/or expertise in the critical areas of cryptography and privacy and not from reputable publications as The New York Times or The Washington Post.

Mr. Schneier decries the NSA and mandated law enforcement agencies empowered by our laws. Yet, Mr. Schneier?s track record shows, significantly, that at least twice over the last decade he has turned a blind eye to workable security (but he complains about privacy.) He has actively engaged in disparaging workable security and communications for his own benefit, and most callously, withheld this information from both his readers and his current employers.

As citizens and through our elected officials, we empower politicians with the creation of agencies and tools that are designed to protect us from the aforementioned threats. The system is not perfect, and must be updated and adjusted as times, technology and threats change. But we are all endangered if these various public servants are hobbled and cannot do their job. This is why Bruce Schneier?s style of journalism and lack of scientific integrity is dangerous.

The primary cause for drifting a bit from original mandates of our law enforcement and defense agencies is a product of rapidly changing technology, the sheer volume of communications, and the exploding threats environment. These agencies have been pressured to react faster than policy can adapt. Part of the answer lies in using the improved security technology we have available to combat the fatal flaws of public key and asymmetric network systems and the algorithms that are currently used to encrypt our data. The other part lies in following the existing FISA protocols currently in place and improving them as need dictates to insure that telecommunication providers, law enforcement and intelligence agencies interface with the LAW and follow the spirit of our constitution as intended.

In conclusion, as we best try to answer the most pressing question of our day, ?How do we balance between Privacy and Security?? we believe that a key element of serving our democracies is the judicious evaluation of information written by true journalists using properly researched and sourced information and publishing them in reputable publications without hidden agendas. The collective conversation should not ping pong between extreme positions but rather recognize that privacy and security are both demanded by the constitution. With new technologies and considered thinking, privacy and security can be balanced and achieved easily and inexpensively.

Learn more about Bruce Schneier?s current track record through ?The Challenge That Black Hat Would Not Take but DEFCON Did? at: and

Learn more about Bruce Schneier?s past track record at: and The History of Whitenoise Can’t Be Broken

For more information contact Richard H.L. Marshall at E-Mail:
or visit:

Mr. Marshall previously was a member of the Senior Cryptologic Executive Service (SCES) and the Defense Intelligence Senior Executive Service (DISES). He was the Director of Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security (DHS) by special arrangement between the Director, National Security Agency (DIRNSA) and the Secretary of DHS. Within DHS he directed the National Cyber Security Education Strategy, the Software Assurance, the Research and Standards Integration, and Supply Chain Risk Management programs. He was previously the Senior Information Assurance (IA) Representative, Office of Legislative Affairs at the National Security Agency (NSA) where he served as the Agency’s point of contact for all NSA Information Security (INFOSEC) matters concerning Congress. He devised the IA legislative strategy, helped shape the passage of the revised Foreign Intelligence Surveillance Act and was a key contributor to the Bush and Obama administration’s Comprehensive National Cyber Security Initiative (CNCI).

Andr? Brisson conceived Whitenoise and founded Whitenoise Laboratories Canada Inc. (WNL) to exploit revolutionary and patented security technology. He was listed by the White House Office of Science and Technology Policy and the first US National Cyber Leap Year Summit as belonging in the top 100 cyber security and cryptography experts.

The Wanderer (profile) says:

Re: Schneier How is it he leads the most important debate on democracy?

We are currently wrestling with the wrongly defined issue of Privacy versus Security. Rather we should be asking ourselves how we balance Privacy AND Security.

That’s not the correct question either.

The correct question would be something more like “how can we best achieve security without sacrificing privacy?”, and/or “how much security can we achieve without sacrificing privacy?”.

They are not mutually exclusive.

When security is done right, this is true.

However, doing security right (i.e. in a way which does not compromise privacy) is much harder than doing it in a way which does compromise privacy – and so unless there is heavy, constant pressure put on those trying to provide security, they will always tend to sacrifice privacy in the name of security.

Phrasing the issue in terms of a “balance” leads to questions like “How much privacy should we give up for security?”, which is a false equivalency; giving up privacy does not always (or even necessarily often) lead to security, and it is possible – as you note – to achieve reasonable, meaningful security without compromising privacy.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...