tptacek 12 years ago

It's hard not to come to the conclusion that these activities were essentially criminal. I don't see how the administration can fail to disavow them, investigate them fully, and hold their instigators accountable. It feels like Special Prosecutor time.

That aside, let me re-make a point I keep making:

Google had no knowledge of NSA's physical compromise of their data centers. But still, they pushed harder than anyone on the whole Internet for the adoption of modern TLS with forward-secrecy; they are the world's foremost deployers of ephemeral-keyed elliptic curve cryptography and of certificate pinning, both of which ensure not only the security of the traffic running over the network cables into their data centers, but also minimize the impact of a compromised long-term encryption key or the compromise of the CA system by a state actor.

Not only that, but Google launched a high-profile effort to encrypt the communications inside and between their data centers.

I hope a couple years' hindsight will put the importance of Adam Langley's work (and that of the rest of his team; he's just the best-known member of that team) at Google into sharper relief.

  • gohrt 12 years ago

    Even with everything you say, Google was still defeated by the NSA. Will Google ever catch up in this arms race? "95% encrypted" == "100% compromised"

    • tptacek 12 years ago

      Google appears to have been so on the ball with this stuff that the NSA literally had to send bag men to their cages in order to retain access.

      • chris_mahan 12 years ago

        Wait, so until Google can defend its cages against the g-men, then all efforts will be in vain.

        Also, in other countries, I assume those g-men have access to those cages.

      • dlinder 12 years ago

        When your opponent uses Navy submarines to tap undersea cables right under the Soviets' noses, you probably shouldn't trust your leased fiber with unencrypted data. This interception could occur where undersea cables make landfall without any datacenter antics.

        • sixothree 12 years ago

          I've seen no indication that Google considers the NSA any sort of opponent.

          • swombat 12 years ago

            I think they do now. There has to be some sort of sense of personal professionalism of the many highly qualified security experts working at Google, that is hurt by the revelations that the NSA basically fucked them over and drew a slide with a smiley face on it about how they fucked them over.

            • taigeair 12 years ago

              It's strange to draw a nose on a smiley...

            • rhizome 12 years ago

              Then again, plausible deniability. Google is of less use to the NSA if they have fewer customers.

            • Sundog 12 years ago

              Could not believe the fucking smiley face. That's their attitude towards privacy.

          • unreal37 12 years ago

            With governments around the world (see Brazil and India) now banning Google products for official government use, I can imagine overall usage of Google products will decline outside of the U.S.

            This is a threat to Google's international business. They have a vested financial interest in reducing the hacking against their systems.

        • bhousel 12 years ago

          Why would NSA agents go through all the trouble of tapping cables when they could probably just gain employment at Google and do whatever they want? I don't think encryption would make a difference here.

          • selmnoo 12 years ago

            There's greater risk of facing problems of all sorts when you have rogue agents on the inside (what if they get found out? how will that be met by news journals? people who find out about it? the trust dynamics between CEOs and government agencies that request access in a legal way, when needed?).

            The risk of things going wrong when you're tapping cables is much less pronounced as far as I can see.

          • fnordfnordfnord 12 years ago

            Apparently unconstrained by resources, they decided to attack from multiple angles.

          • bjt 12 years ago

            I'm not sure why you think that's so easy to do. You need a person who:

            1. Has the technical credentials and interviewing skills to get hired at Google (not easy).
            2. Has a security clearance.
            3. Wants to be a spy.
            4. Can get themselves assigned to the team working on datacenter interconnects.
            5. Can set up a tap on the interconnect without getting caught.

            That sounds both hard and expensive to me.

            • samstave 12 years ago

              Take those requirements in reverse and apply them to an already employed NSA person -- then send them out to apply for jobs as an asset.

            • owenmarshall 12 years ago

              Consider Sally Smith, our hypothetical employee. She worked for several government and military agencies for years with a concentration in data center security. She has top-secret clearance.

              Before the Snowden revelations came out, I'd have strongly considered Sally Smith to be a good fit for a position dealing with data center security. Who wouldn't have?! Years of experience at high levels securing data centers? Letters from generals and senior government officials attesting to her qualifications? Sign me up right away!

              Post-Snowden, I'd start believing that Sally Smith is far more likely to be Sally Spook, an active NSA employee experienced in data center infiltration and with an impeccable cover story.

              The only thing that keeps Sally Spook away from our data centers is Google's hiring processes & internal security, and is that really enough to stop a determined adversary with all the advantages of the NSA? I doubt it.

              • pmorici 12 years ago

                The Google hiring process seems to be very focused on discerning a candidate's practical knowledge, not their on-paper experience or recommendations. It would be silly to think that a general or senior government official would even have the technical knowledge to make a well informed recommendation of someone for a technical position.

                • owenmarshall 12 years ago

                  Then the NSA finds a candidate that really knows how to secure inter-datacenter communications and gets them placed at appropriate positions inside the government or in collaborating private companies to build experience & a valuable network, with the long term goal of getting a job at Google. And if they really want in they place ten candidates in various companies.

                  The NSA can do this. They have the resources and the time to try. The only question is if they want a mole inside Google. Hell, I'd be shocked if large internet companies (Google, Yahoo, etc.) don't have agents from foreign and domestic intelligence agencies working there right now.

                  Betting on a company's hiring process to catch agents of an advanced persistent attacker is betting against house money in Vegas. You aren't going to win in the long run.

                • davidmr 12 years ago

                  I think you dramatically underestimate the quality of the people the NSA has on staff. I know of two people who almost certainly worked there (obviously nobody confirms anything, but when two agents show up at your office to ask about their patriotism, the implication is clear), and they are brilliant, easily as smart as anyone I know at Google.

            • jjoonathan 12 years ago

              Finding such a person would be difficult (but not impossible) for you or for me, but conditional probabilities work heavily in the NSA's favor. They have thousands of in-house people already satisfying 1, 2, and 3. 5 can be perfected by a team and taught to any of those thousands of people and 4 can be achieved with resume tweaking and, at most, a few repeat trials.

              It's the same reason why security through obscurity doesn't work: if you chain together 5 obfuscation layers that each keep out 80% of competent hackers, in total they probably keep out 85% or 90% of competent hackers if you're lucky, but certainly not 99.99%, because everyone who bypasses the first layer has a much higher probability of having the skills to bypass the other layers as well.

            • VladRussian2 12 years ago

              There is also a very easy other way around - "ask for help" [to fight terror and defend Motherland, err... USSR wording, today in the US it is "Homeland"] an existing Google employee.

          • Bluestrike2 12 years ago

            From their perspective, why not tackle the additional attack vectors?

            As for the internal mole, I'd imagine that any such individual's role would be highly focused. They'd be used to tackle specific target information rather than the wholesale siphoning tapped cables would provide. Aside from the simple logistic issues with the sheer amount of data they're tapping, I can't imagine how anyone could be in a physical position to do so across the entire Google network without tripping at least *one* internal safeguard?

            For bulk collection, the taps enable surveillance without the possibility of detection unless the NSA screws the proverbial pooch. And if there's one thing history can tell us, it's that surveillance agencies will spend obscene amounts of money in pursuit of that undetectability. From the Project Azorian with the Glomar Explorer to the Berlin tunnels in Operation Gold, the Cold War alone proves the point.

        • chiph 12 years ago

          > you probably shouldn't trust your leased fiber with unencrypted data.

          Or even your own fiber (Google owns tens of thousands of miles of it). There's nothing to prevent the black-hat guys from digging down to a cable in the middle of nowhere and installing an optical tap. Especially if they did it before commissioning, after which signal levels would start being monitored.

          • voidlogic 12 years ago

            >Google owns tens of thousands of miles of it

            If they haven't already, I imagine they will be hiring security forces to patrol and inspect.

            • judk 12 years ago

              Even still, field techs, in lonely outposts, are easier targets than techs that are part of an onsite team.

      • gwright 12 years ago

        The article seems to suggest that it was inter-site links that were compromised and not actual Google data centers. Those compromises could happen at telco data centers or even in the field (e.g., by splicing monitoring equipment into a cable).

    • mkr-hn 12 years ago

      Google might have an easier time recruiting edge producing developers than the NSA after the leaks.

      • hackula1 12 years ago

        I imagine anyone with a line on their resume that says "NSA - Software Developer - 2009:Present" is going to have a hard time finding a new job at many companies (although certainly not all).

        • mkr-hn 12 years ago

          I would expect Google and similarly enormous companies to have a process in place to keep rogue agents from inserting backdoors and malicious code.

          • hackula1 12 years ago

            While this is another angle, I was referring to the fact that many people will see these engineers as immoral and spineless. I know that I would not hire the person who drew that smiley face or any of their accomplices.

            • w_t_payne 12 years ago

              And if you did hire that person, I would never trust you again with my business.

          • w_t_payne 12 years ago

            You have to trust your developers. You can do audits, but the problem is intractably difficult. Developers have a TREMENDOUS amount of power. Trust is absolutely, utterly, irreconcilably fundamental to the job. If you cannot trust your developers, you are screwed every which way to Sunday. If your developers are compromised, you have to assume that your whole business is compromised.

        • kamjam 12 years ago

          On the flip side of that, maybe you do want ex-NSA staff with the inside knowledge so you can protect yourself against their tactics. Isn't that the same reasoning for hiring ex-black hat hackers?

          • eck 12 years ago

            If someone is willing to divulge inside knowledge of his last employer you have to assume that in the future he will be willing to divulge your inside knowledge.

            • w_t_payne 12 years ago

              Very true. Trust is important -- hard to win, easy to lose. Once lost, it never comes back.

            • kamjam 12 years ago

              Agree. But it happens all the time. Why else do you think they have those long periods of gardening leave when you leave one employer for another, or those clauses in contracts saying you will not work for a competitor in the same field for X months when you leave? (Although, I seem to recall the last one being unlawful since they are essentially stopping you earning a living).

              Sometimes employers are willing to take that risk.

              Do you think Ed Snowden is now more or less employable now?

              • hackula1 12 years ago

                His options are certainly more limited now (considering most employers could not keep him safe). That being said, I imagine his existing options would be readily available and would all pay millions.

          • wil421 12 years ago

            I am pretty sure they would be considered a traitor if someone told their new company how the NSA was doing things, just look at what they are calling Snowden.

            • kamjam 12 years ago

              Yes, absolutely, I agree with you. But just because you were ex-NSA does that mean you can no longer work in related work? What if you built their data centres, and you took a job at Google and were tasked with building their new data centres? Do you just "forget" what you already know? I understand you may be under NDA to not discuss your previous work, but that doesn't mean you can't make suggestions or plans without explicitly spelling it out, esp if your employer knew your background and you may not be able to speak about it openly.

        • gknoy 12 years ago

          I suspect that anyone who has been a software developer at the NSA (or FBI) for five years has robust job security. Government employees have some extensive benefits, and these guys get to play with some serious hardware. If they like working there, I would be surprised if they were unable to keep doing so for a Long Time in the future.

          Now, if they decided they wanted out, well ... good luck with that in the manner you describe. I suspect that it won't be too hard, though. They deal with "Big Data" problems at a scale that few do, so being an NSA engineer likely is bound to be a similarly prestigious resume line as working for Google. Aside from the working for an evil entity part, that is, but some employers will not care as much about that.

        • scarmig 12 years ago

          Breaking: most people, even most people in the tech community, don't look on the NSA with that level of contempt, if any at all.

          This is unfortunate--in a just world everyone doing this would be imprisoned for many years and have all their ill-gotten gains stripped from them--but a real fact. And the typical NSA software developer is certainly highly qualified and very, very smart. Going purely by business concerns, if you have a need for someone with the skill set that'd come from working for the NSA, you can't afford to pass them up just because they worked with the NSA.

          You can also be sure that, even if the NSA were disbanded fully and all its employees hated so much that they could not get domestic employment anywhere, many international actors would be extremely excited to pay top dollar for their talent. And by top dollar, we're not talking piddling six figure salaries.

          • hackula1 12 years ago

            Agreed. Skills would be irrelevant. A brain dump alone would be worth hundreds of millions. That is the scariest thing about all of this. Every time I hear someone bash on Snowden about how he was a dropout, etc, etc I just think "ok, so you gave this guy who you say is an irresponsible idiot the ability to blackmail anyone who has a google search history?"

        • fnordfnordfnord 12 years ago

          When the NSA sends people out to infiltrate companies, they won't write "NSA" on their resume. For the rest of former NSA employees, a lot of them will have resumes that say: Palantir, Booz Allen Hamilton, etc.

          • patrickdavey 12 years ago

            Indeed. "Confessions of an Economic Hitman" is worth a read.

      • w_t_payne 12 years ago

        I used to work in the antivirus industry, and, as I recall, anything that even hinted at a history of hacking or virus-writing would lead to instant dismissal and black-listing (from pretty much the entire computer security industry). I imagine that the same prohibition would now apply to former government employees also.

        The sad fact of the matter is that we cannot trust individuals that have ever worked with these agencies, nor with the private contractors that supply them. The risk of insider attacks is too high. Equally, we cannot trust companies that employ those individuals.

        If Silicon Valley is to recover the confidence of its customers, it must go through the painful and heart-rending exercise of dismissing all employees with any connection whatsoever to government espionage. Many innocent people will lose their jobs, and will face the prospect of being excluded from high-tech employment in the private sector, but I cannot see any other way of regaining trust in our fundamental infrastructure.

        • sukuriant 12 years ago

          Why would the anti-virus industry refuse to hire people that had developed viruses? Aren't those the people that think like virus writers and could write better antivirus software? Same with the hacking half of that. Those are the people that best know how to secure systems.

          Wouldn't it be the people that used to be blackhat and have transitioned to gray or white-hat hacking that would be the best people to provide their services for pen-testing/anti-virus writing/etc?

          Is the probability of a so-called ex-virus-writer writing in exploits into the system higher than someone else?

          Is their knowledge worth the chance?

          • allc 12 years ago

            Because of their underlying lack of ethics. You need to have ethical hackers that are interested in the wellbeing/security of a community/society. Even if they know the systems from both perspectives, if they even have a moral deficiency, what's to stop them from committing insider attacks/writing exploits of the system? You cannot trust that type of people unless you know for certain that they have abandoned their prior convictions and truly follow white hat hacking, and knowing for certain is hard to do.

            • sukuriant 12 years ago

              Given your assumptions, that makes sense; however, given what our parent commenter said, I came away with different assumptions.

              From our parent: I used to work in the antivirus industry, and, as I recall, anything that even hinted at a history of hacking or virus-writing would lead to instant dismissal and black-listing (from pretty much the entire computer security industry). I imagine that the same prohibition would now apply to former government employees also.

              They used the word "hacking", which I took to mean any form of hacking. We'd need the parent to respond to which one was meant, of course; but if it means any sort of hacking, from xbox modding to submitting bug and exploit reports to Google (which, how do you know if there's an exploit without trying to find it?), then hacking would include all of those people, including the people who you define as "ethical hackers".

              If you're a known, aggressive and clearly unreformed cyber-saboteur, then it's pretty much a given that you shouldn't be hired to an anti-virus company since you probably are in there to commit insider attacks (I can't know for sure, I'm not in your brain) and it's reasonable to not hire you; however, if you're a tinkerer and inspector of things and dismantler of technology, then you would know how systems work and where issues are and could even be an asset, especially if you're very good at it. Depending on the author, both of those people could be seen as 'hackers'.

              • dragonwriter 12 years ago

                > From our parent: I used to work in the antivirus industry, and, as I recall, anything that even hinted at a history of hacking or virus-writing would lead to instant dismissal and black-listing (from pretty much the entire computer security industry).

                A number of notable, convicted hackers have done additional work (whether employment or successful entrepreneurship or both) in the computer industry (in security-related or other subfields) after conviction. Kevin Mitnick, Julian Assange -- long before WikiLeaks -- and YC's cofounder Robert Tappan Morris are among the more notable examples.

                • tptacek 12 years ago

                  The AV industry is particularly weird and clubby and, I think, full of itself. It's better to think of them as something apart from the rest of the "security" industry.

            • JabavuAdams 12 years ago

              I'd wager that most people's ethics are more malleable than that. Also, don't underestimate the power of the golden handcuffs.

              Having a spouse, kids, and a nice house in a nice neighbourhood makes any kind of anti-social behaviour that much harder to justify from a purely pragmatic, never mind ethical point of view.

              I.e. young men often have nothing much to lose and act accordingly.

          • w_t_payne 12 years ago

            Anti-virus endpoint software is essentially (and necessarily) a rootkit. Businesses installing antivirus software are placing an incredible amount of trust in the antivirus vendor.

            Without trust, the antivirus vendor has no business whatsoever. As a result, they are (or jolly well should be) ultra-careful to earn that trust. This includes subjecting their employees to a certain degree of vetting.

            In the age of cloud computing, the same relationship dynamics are observed between businesses and the cloud vendors to whom they entrust their data.

            See? There it is again: Trust.

            Important stuff.

        • driverdan 12 years ago

          > ... instant dismissal and black-listing (from pretty much the entire computer security industry)

          I'm not sure where you got that from. A large percentage of the security industry is made up of people who got their start as blackhats.

          • sukuriant 12 years ago

            That is sincerely what I had thought, as well.

        • PeterisP 12 years ago

          I'm not sure if any security company would gain much by avoiding former government employees - you'd decline Abe Honest because he had worked in government earlier, but any Joe Infiltrator from NSA could come to your interview with CV, online profile + references/contacts claiming that he's worked in, say, Microsoft for 20 years.

    • dragonwriter 12 years ago

      > Even with everything you say, Google was still defeated by the NSA.

      Well, actually, per the article, by GCHQ. Who, as well as using the data themselves, also allows the NSA access to it.

  • reustle 12 years ago

    > Google had no knowledge of NSA's physical compromise of their data centers.

    Are we sure about that?

    • 3825 12 years ago

      I think we have enough information for Google to plausibly deny involvement.

      • bediger4000 12 years ago

        Sure, but the phrase "plausible deniability" just reeks of government and corporate double-speak: "you can't prove beyond a shadow of a doubt I did it, so I can keep on doing it." Plausibly denying something is just a propaganda technique.

        Did Google know or not? Did Google participate or not?

      • singlow 12 years ago

        re: bediger4000

        The phrase has that smell when used by the person denying. If an action or inaction is taken to preserve plausible deniability, it is smelly.

        But when used by an observer after the fact, it just means that we have no way to know they knew, unless there is proof. So if they say they didn't know, it is a believable statement.

        • swombat 12 years ago

          Based on the fact that they decided to accelerate their internal encryption projects back in September, 2 months ago ( http://www.informationweek.com/security/government/nsa-fallo... ), I'm guessing they thought it might be possible, and in the wake of the Snowden revelations they decided it's very plausible (or someone showed them that slide ahead of time) and so they now effectively "know", though they're not keen to cooperate.

  • ghshephard 12 years ago

    In the first week that I was managing IT/Ops at our company, our security architect, msj, approached me and said that our approach towards security would be to encrypt everything at rest, and everything in flight. Even the 18" of ethernet cord hanging outside of the servers would be considered an attack vector.

    I thought he was loopy at the time. Amazing how wrong I was.

  • devx 12 years ago

    I'm hoping Google ends up buying the ECC patents from Blackberry and then make them public domain or at least say they will allow everyone to use them for free and with no consequences. I know they want to buy some stuff from Blackberry right now, but not sure if they are considering buying the ECC patents, too, or not.

    I'd feel a lot better if Google bought them than say Microsoft or some other company, who'd just try to collect royalties from anyone using them, and I feel that will make things a lot worse for security on the web in the future, especially with Microsoft's long-standing relationship with the NSA.

    http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-c...

    That being said, I'm very disappointed in Larry Page's statement about encryption and quantum computers:

    > Lloyd made his pitch, proposing a quantum version of Google’s search engine whereby users could make queries and receive results without Google knowing which questions were asked. The men were intrigued. But after conferring with their business manager the next day, Brin and Page informed Lloyd that his scheme went against their business plan. “They want to know everything about everybody who uses their products and services,” he joked.

    It bothers me a lot that the leaders of Google would think like that, even though I knew they would because of the incentives in their business. But I just wish they found a way for their business to work, so they do not have to think like that, and be more on the side of users on this issue, than they are right now.

    Unless their thinking about user-privacy and security changes, we should never fully trust Google (even if they are better than the rest right now). That sort of thinking means they will never go all the way to protect their users, which is probably why you will never see OTR or ZRTP in Google's chat services. All the data collection they do will also become increasingly more irresistible to governments, especially if they keep it forever.

    http://www.wired.com/wiredscience/2013/10/computers-big-data...

    • kamjam 12 years ago

      I don't trust Google more than anyone else out there. They are in the business of making money and don't give much of a damn about their users. The only reason the NSA spying is a problem for them (imo) is that it may affect their bottom line due to user concerns and therefore affect their products. NSA has direct line to Google Cloud, guess I'm better hosting my own servers rather than pay for business Google Mail and Drive. I'm not sure Google would give it away for free, they now own Motorola remember, in the fight against all the phone giants, patents are king!

      The 2nd part makes no sense at all. Why would Google not want to know everything about you? That just goes completely against their business model. There is no such thing as a free lunch.

  • bradleyjg 12 years ago

    > It's hard not to come to the conclusion that these activities were essentially criminal. I don't see how the administration can fail to disavow them, investigate them fully, and hold their instigators accountable. It feels like Special Prosecutor time.

    The government takes the position that their agents are almost completely unconstrained by law when it comes to actions taken abroad aimed at non-US persons.

    Even were a court somewhere to find that this interpretation is incorrect, there are numerous "good faith reliance" doctrines that prevent any prosecution or even civil consequences.

    The government outright tortured people for years, and nothing has come of it. No prosecutions. No damages for victims. No cases dismissed for outrageous government conduct. Not even very many harsh words from judges. The only people for whom there were any consequences were the low level regular army people who got in on the torture train without first getting official blessing.

    It'll be the same thing here. If some low level employee went out on his own to hack into Google servers, something might come of it. But by all appearances these programs were deliberate, planned, and vetted. In those circumstances the bad actors have long since learned to cover their own asses. There will be no consequences for them.

    • SideburnsOfDoom 12 years ago

      > actions taken abroad aimed at non-US persons.

      And there is an interesting counterpoint to that, e.g.

      > "If the Americans eavesdropped on cellphones in Germany, they broke German law on German soil, and those responsible must be held accountable."

      http://www.japantimes.co.jp/news/2013/10/28/world/obama-unaw...

      • bradleyjg 12 years ago

        The problem is that the people who were actually in Germany breaking German law were (likely) on diplomatic passports and so have plenary immunity. Meanwhile, under international law, which German courts take seriously even if US courts do not, senior state officials have functional immunity for actions taken in an official capacity with a disputed exception for violations of jus cogens+.

        While there may be some room between the people on the ground who are immune and the senior officials who are immune to prosecute mid-level functionaries, that's not terribly satisfying and there still remains the problem of getting them in front of the court.

        See generally: http://www.lawfareblog.com/2013/10/the-nsa-affair-goes-crimi...

        +The most serious types of international norms: things like genocide, slavery, torture, and piracy.

        • swombat 12 years ago

          Typically, if a diplomat constantly breaks the laws of the nation they're sent to in this manner, they get kicked out, and if the sender country in question keeps sending this sort of diplomat, the embassy would eventually be closed.

          • a3n 12 years ago

            I cannot imagine Germany closing the US Embassy.

            • swombat 12 years ago

              Yeah, it's not like the German people are at all sensitive about the topic of having a secret, unaccountable organisation spying on them.

              • gdwatson 12 years ago

                I certainly can't blame them for being upset. But for a NATO country to expel the US embassy would be a very dramatic act with uncertain consequences. There's a lot of fallout to accept there, and the impact would be broader than US-German relations.

                • SideburnsOfDoom 12 years ago

                  > for a NATO country to expel the US embassy would be a very dramatic act with uncertain consequences.

                  Absolutely, but when German Interior Minister Hans-Peter Friedrich says "those responsible must be held accountable." I would guess that he means that there will, must be consequences. Closing the embassy is a consequence of last resort, if there is continued intransigence.

                  Will that happen? That's up to the US government, and possibly not the elected part.

              • a3n 12 years ago

                As we're learning here in the US, there's a big difference and gap between "the people" and the government.

                • jsmeaton 12 years ago

                  But there isn't! You might all feel that your government is misrepresenting you, but until serious action is taken, nothing is going to change. What that serious action is, I have no idea. Other countries have dealt with oppressive regimes before, some better than others.

                  • a3n 12 years ago

                    But that's the thing, the government has strayed so far from the people that a) it's obvious they aren't going to seriously consider the people's will other than window dressing, and therefore b) the only way this kind of thing will change is through revolution. And we're far from revolution, if ever. The gap is there.

                    • jsmeaton 12 years ago

                      I agree with you - but I don't think that absolves US citizens of responsibility either.

                    • glitchdout 12 years ago

                      Replying to jsmeaton

                      Indeed! They should be on the streets!

                      • a3n 12 years ago

                        I was on the streets, in I think the first set of protests, in front of the Denver state capitol building. It was a fairly sedate protest, except where it went a little off topic toward the end. ("March on the city jail! -- Wait, what?")

                        And I've communicated with my representatives. Udall is one of my Senators, and his staff got an email and an earful on the phone.

                        And these days I vote third party, which to me is "None of the above." I'm done playing into their hands by voting for one because at least he's not the other. They're the same.

                        I do think we're far from revolution, I hope never, but I wouldn't say it won't ever happen. The thing is, a few people are pissed and aware, and most don't care. But once the government realizes that they're getting away with whatever they're doing now, they'll do more. Eventually they'll grab so much power that we'll get sick of it and revolt.

                        Or maybe they'll go against history and stop grabbing ever more power.

            • SideburnsOfDoom 12 years ago

              No, you could not. But now we are entertaining that notion.

              That is the change that has occurred.

              • a3n 12 years ago

                Fair point.

                I would like to see something drastic and concrete happen, if it led to reining in the wolves.

            • PavlovsCat 12 years ago

              It certainly would make sense, since the US embassy in Berlin seems to be used for spying, too:

              http://www.spiegel.de/international/germany/cover-story-how-...

              > "Research by SPIEGEL reporters in Berlin and Washington, talks with intelligence officials and the evaluation of internal documents of the US' National Security Agency and other information, most of which comes from the archive of former NSA contractor Edward Snowden, lead to the conclusion that the US diplomatic mission in the German capital has not merely been promoting German-American friendship. On the contrary, it is a nest of espionage. From the roof of the embassy, a special unit of the CIA and NSA can apparently monitor a large part of cellphone communication in the government quarter."

              http://www.focus.de/politik/deutschland/tid-34373/infrarotbi...

              ^ "US diplomats could be expelled from the country"... mind you, they're not at all talking about closing the embassy, but "just" expelling those under diplomatic immunity who were doing this (and persecuting those not under diplomatic immunity). It might just be to look good for the German population, they might be serious... here's hoping.

              http://daserste.ndr.de/panorama/media/usbotschaft105_v-ardga...

              ^ infrared image of the embassy rooftop which I saw on German TV, in a discussion which surprised me by its serious tone and the absence of handwaving or belittling.

            • malandrew 12 years ago

              True. However I wonder if they could at least impose an embassy from which many forms of eavesdropping are not possible. i.e. US draws up floorplans and whatnot. The Germans modify those plans to make it into a giant Faraday cage with precisely defined inlets and outlets for water, gas, electricity, sewage, etc. Lastly all additions to the structure externally are to always be inspected to make sure they don't contain eavesdropping equipment.

              This would at least force all eavesdropping and surveillance performed to be the same kind of eavesdropping and surveillance doable from US soil. Furthermore, the Germans can try to perform some form of enforcement on what types of people can show up at the embassy to work.

              With biometrics and sharing between countries, it's conceivable that one day you won't be able to cross official borders with two identities ever again. This means that you effectively force someone to choose only one identity forever. That identity can either be one of your secret government identities or it can be your real identity, but it can no longer be both at different times. Once you choose, you're stuck with that decision.

      • brown9-2 12 years ago

        All espionage that Country A does in Country B is illegal in Country B. That's why it's espionage.

        • jlgreco 12 years ago

          You are missing the "and therefore it is unreasonable for you to be upset" leap.

          Pointing out that illegal things are illegal isn't really an interesting contribution to the discussion, is it? I assume that wasn't all you meant to do.

    • bostonpete 12 years ago

      > actions taken abroad aimed at non-US persons.

      Aren't Google and Yahoo US persons?

      http://en.wikipedia.org/wiki/Corporate_personhood#Corporatio...

      • unreal37 12 years ago

        Actually, if I were Google or Yahoo, I would be getting my lawyers to prepare some type of lawsuit. Not that I think it will succeed, but Google/Yahoo are direct victims here.

        • bilbo0s 12 years ago

          Well...

          given the game the leakers are playing with these documents...

          I would wait before I made any definitive statements about who is a victim and who is a villain.

          The release of these documents seems to be carefully timed and calculated to give the government, corporations and people involved in the surveillance state the time and latitude to incriminate themselves.

          Not only are the Government, the corporations and the people involved trying to tell a story... clearly the leakers are trying to tell a story as well.

          Are we at the climax of the leakers' plot? or are we still building?

          I think it might be best to get a look at all the cards first... and then decide what happened.

      • mpyne 12 years ago

        Don't Google and Yahoo both operate shell companies overseas in order to avoid US taxes though?

    • dragonwriter 12 years ago

      > The government takes the position that their agents are almost completely unconstrained by law when it comes to actions taken abroad aimed at non-US persons.

      More to the point of the article here, the government takes the position that their agents are completely unconstrained by law when it comes to using information shared by foreign intelligence services that their agents had no part in collecting, and the collection here is done by the GCHQ -- a British intelligence agency -- who simply provides NSA the privilege of submitting search terms and getting matching data from the collection GCHQ does from their taps.

      • a3n 12 years ago

        And yet we civilians are still liable for receiving stolen goods.

    • danbruc 12 years ago

      I am at a loss for words. Arrogant, self-righteous, disrespectful, ignorant, mendacious...nothing cuts it. It is illegal in the US but who cares about the rest of the world? I can not remember when something similar made me that angry as the current conduct of the US does. If I would not know better that this would negatively affect the whole world and innocent US citizens and that emotional reactions are usually not good - I would just cut all cables to the US, stop all trades of oil, raw material and goods, deny US citizens to enter any foreign country and then just do your shit over there and get happy with it.

      EDIT: Just to clarify it a bit more, I am not primarily angry because of the spying - read my mails if it makes you happy. What really pisses me off is this sentiment of thinking of non-US citizens as second class humans. We are not spying at US citizens, only at these other guys across the ocean. And sadly this sentiment is also present in part of the media coverage. Especially when the story broke there was a lot of outrage about (accidentally) spying at US citizens, but spying at non-US citizens and breaking foreign law in peacetime is deemed acceptable.

      • allochthon 12 years ago

        > I would just cut all cables to the US, ... deny US citizens to enter any foreign country and then just do your shit over there and get happy with it.

        Whoah, there. Your grievances are well-placed. But keep in mind that it's a certain subset of agencies in the US government that are responsible for the problems you're upset about, not all US citizens. As for fixing things, the government has become literally unmanageable, and things are a mess right now.

        • danbruc 12 years ago

          That's why I mentioned »innocent US citizens«. ;)

        • icelancer 12 years ago

          >not all US citizens

          The vast majority of citizens support these initiatives. Given the winner-take-all approach we employ, it is not a stretch to say that yes, we all share blame.

          • spikels 12 years ago

            Where did you get the idea the "vast majority of citizens support these initiatives"?

            From the very start the polls have generally been against mass NSA surveillance except when the wording of the poll was misleading[1]. As more and more information has come out the polls have become more and more clearly against it[2].

            Try to keep the facts straight.

            Not sure why you refer to winner-take-all and how that concept could make everyone responsible. Keep in mind almost no one knew about this until very recently and we learned more even today.

            [1] http://www.policymic.com/articles/53767/nsa-surveillance-sca...

            [2] https://www.eff.org/deeplinks/2013/10/polls-continue-show-ma...

            • icelancer 12 years ago

              Now try mentioning terrorism as the tradeoff for granting civil liberties and see what people think.

              That's how they view it, for better or worse.

          • jlgreco 12 years ago

            Part of Obama's campaign was an end to warrantless wiretaps. Now, if people were paying closer attention, then maybe they would have known better than to trust him (or indeed, any American politician), but I think it is quite a stretch to say that the people are to blame when a politician is less than honest.

            Furthermore, the people who are to blame for our current political system are long dead. Everyone alive today was born into this framework and told to work within the framework to modify the framework. They have not had the opportunity to shape the framework free from the constraints of the framework. The facilities the framework provides to modify itself are clumsy, inadequate, and ineffective when everything is working smoothly.

            This isn't a system we chose, this is a situation that we were born into, and find ourselves unable to change.

            • acqq 12 years ago

              Exactly, Obama in 2007:

              http://www.youtube.com/watch?v=WAQlsS9diBs

              http://www.youtube.com/watch?v=B6fnfVJzZT4

              "This Administration also puts forward a false choice between the liberties we cherish and the security we demand." (...) "That means no more illegal wire-tapping of American citizens. No more national security letters to spy on citizens who are not suspected of a crime. No more tracking citizens who do nothing more than protest a misguided war. No more ignoring the law when it is inconvenient. That is not who we are. And it is not what is necessary to defeat the terrorists."

              This should be quoted much more often.

              Regarding "work within the framework to modify the framework" Snowden decided not to work within it and we still don't know what will happen to him.

              http://www.techdirt.com/articles/20130726/01200123954/obama-...

              • jlgreco 12 years ago

                > Regarding "work within the framework to modify the framework" Snowden decided not to work within it and we still don't know what will happen to him.

                What we do know is that he got shit done. His voice has been heard, people are talking now, he has had an impact.

                Opting to work outside the framework is often not safe, particularly when the framework includes provisions for harming those who opt to work outside of it, but sometimes that is the only effective option.

        • devx 12 years ago

          Unfortunately, not only do a lot of US citizens still support such practices (I think around 40 percent - as long as they mention "to protect you from terrorists"), but most of the rest who don't agree with the practices, can't be bothered to do much about it, like even calling their representative, let alone going out and protesting.

          I do believe this is very true:

          > All that is necessary for evil to triumph is for good men to do nothing - Burke, Edmund

          So, yes, I'd say most Americans are responsible for this yes, by doing nothing to stop it. So don't blame the rest of the world if they start "hating Americans" or "hating America". You are part of it, you are responsible to change the America you want the world to love, too.

          Blaming only the government, that you probably voted in, too, does not cut it.

          • allochthon 12 years ago

            With this argument, you're implicitly assuming responsibility for the misdeeds of your own government. It's easy to cast blame en masse, but it is not a constructive response.

          • jganetsk 12 years ago

            People are not going to start hating Americans. They have already been hating Americans for hundreds of years. It started with the "degeneracy thesis" in the 18th century, where it had been suggested by European intellectuals that the American climate led to physically inferior animals and humans. The reasons for hating Americans change everyday.

            Hating a group of people is a completely irrational, unconstructive approach to solving a problem. If one has anger about something, they shouldn't lash out at a group of people.

            If people want Americans to change something on their behalf, for their benefit, it needs to be from a standpoint of respect. They can start by asking nicely.

            • PavlovsCat 12 years ago

              Respect, sure. But "asking nicely"? How has that not been done already, over and over and over?

              "Nobody in the world, nobody in history, has ever gotten their freedom by appealing to the moral sense of the people that were oppressing them." -- Assata Shakur

              Even though we could argue about whether this stuff constitutes "oppression", I think the point still applies, sadly.

              • jlgreco 12 years ago

                > "Nobody in the world, nobody in history, has ever gotten their freedom by appealing to the moral sense of the people that were oppressing them." -- Assata Shakur

                I think there are one or two examples in recent history. The LGBT movement has made a great deal of ground recently by appealing to people's sensibilities.

                Now, in more extreme cases you aren't going to talk the oppressors out of anything. I doubt anybody has ever stopped a genocide with rational argument and appeal to the murderers' sensibilities.

              • jganetsk 12 years ago

                I'm not sure what we are talking about here. The US government is oppressing everyone... both Americans and non-Americans.

                In theory, the American people are the only ones with the power to solve this problem. This responsibility is a burden. Before going to bat, I would rather encounter friendly encouragement than smug contempt.

                • PavlovsCat 12 years ago

                  For what it's worth, you have mine. Encouragement that is, not contempt. Although I'm not convinced all Americans are yet aware of the fact that they themselves also are at the wrong end of this gun, I'm sure the number increases daily. And generally I don't think excluding people for what others force on them, or even for their ignorance, or even for their hybris, really leads anywhere. So many Americans have my support and even admiration, and even the ones I do resent (not in a smug way though, I'm under no such delusions I would hope), I would rather argue with, or, at worst, bitch at (but never, ever, "ask nicely" :P), than outright shun. Letting someone simmer in their own sauce can work with individuals, but in nations I think it always strengthens the autocratic and warmongering elements.

            • madaxe 12 years ago

              Yes, you're right, it's racist to oppose NSA spycraft.

              > They can start by asking nicely.

              "Can you please kindly, stop perpetuating your morally bankrupt spy-state?"

              Gosh. That achieved a lot.

              • jganetsk 12 years ago

                Did I say anything about opposing NSA spycraft? Did I say anything about racism, for that matter?

                I'm talking about hating Americans. It's irrational, unconstructive, and not a novel thing to do. It's certainly not going to accomplish anything against NSA spycraft.

                If anything is going to change about NSA spycraft, especially on behalf of the rights of foreign nationals, having the rest of the world consider all Americans enemies is going to be counterproductive.

          • zenocon 12 years ago

            > but most of the rest who don't agree with the practices, can't be bothered to do much about it, like even calling their representative, let alone going out and protesting.

            That's b/c most Americans are caught up in an endless cycle of work-aholism to either support their consumer-addiction and/or to climb out of debt and just pay the bills.

            Related to that, I know this is somewhat menial, but I have found the site http://popvox.com to be fairly useful in this regard. Create an account, and you can track all current legislation -- a couple clicks will fire a stock letter to your rep either supporting or protesting a bill -- or you can edit the letter with a custom message (better). It is certainly a step above doing nothing and makes the task much easier.

        • rhizome 12 years ago

          Well, let's look at the policies of the US against rogue states: sanctions. What GP is describing is connectivity sanctions rather than trade or economic ones.

        • jsmeaton 12 years ago

          The US government throws its weight around by ordering sanctions against countries that have policies it does not agree with. I have no doubt that, where sanctions would be politically unpopular, there are back-room blackmailings of some type.

          That said, instituting similar sanctions against the US should absolutely be the number one thing the rest of the world responds with! It might not be every US citizen that is culpable, but they are your representative government, and your responsibility. (I assume you're from the US, but I use "your" as a collective for anyone from the US that may be reading this).

          Do you think the people might take a legitimate stand if business dealings, travel, and exports were banned to the United States? Do you think US citizens would go absolutely fucking crazy?

          > As for fixing things, the government has become literally unmanageable, and things are a mess right now

          Well untangle yourselves and then we'll talk.

          Unfortunately, the US has so much power around the world that most countries are literally unable to respond. They are the new Rome, using political and economic power rather than pure force (but use force where necessary) to control the world. It's disgusting.

          • einehexe 12 years ago

            >using political and economic power rather than pure force

            Inconceivable!

            • serf 12 years ago

              > to control the world.

              you left out a big part of the statement quoted. The tactics you listed would be commendable in comparison to pure force if the end goal wasn't world domination.

              Since the end goal IS world domination, however, then no means is suitable from a humanity perspective.

        • madaxe 12 years ago

          Yeah, but US citizens vote for their government, so are therefore accountable. I don't see you out in the streets with pitchforks, so you're as culpable as the primary perpetrators.

      • einehexe 12 years ago

        If you had read the article you would know that this data was given to the NSA by the GCHQ. Would you cut off the UK? Australia and Canada?

        • danbruc 12 years ago

          I read the article. But I am not angry because of the actual incidents - what makes me angry is the sentiment, thinking of non-US people as second class humans. And I would happily launch everybody into outer space who does this, including everyone from my own country, Germany.

          • einehexe 12 years ago

            If you are not angry at the GCHQ for tapping Google and Yahoo then I don't know what to tell you.

            • danbruc 12 years ago

              I am missing a »primarily« between »not« and »angry«. Spying at innocent citizens is a crime, no doubt, but I still find this attitude of not treating all people equal way more worrisome.

      • blumkvist 12 years ago

        I had the exact same feelings when I saw so many people go "They will just borrow more money" in the recent US govt. shutdown. The arrogance is unbelievable. Shows complete lack of remorse over leeching off the rest of the world.

        Very disappointed in the American citizens' reaction to the catastrophic political decisions their leaders have been making for decades.

        • judk 12 years ago

          Borrowing money at interest is not leeching. That is not how macroeconomics works. Defaulting is maybe leeching.

          Manipulating the de facto world currency -- that is leeching.

          • blumkvist 12 years ago

            that was what I was referring to - leveraging the dollar's status of reserve currency. That's coming to an end for sure tho. Will laugh my ass off then at their ignorance.

      • bilbo0s 12 years ago

        I'm a US citizen.

        Born and bred.

        And, at this point, I can't in good faith say that I would blame you.

        I think it's pretty safe to say that getting rid of a President is no longer enough. My sense is that the people who make these policies really are "Beyond Elections". They are constants in our government. And appear unassailable.

        I doubt very much that we, the American People, could even IDENTIFY the people setting or implementing these policies, much less rid ourselves of them.

        I think in the present environment, it wouldn't be imprudent for other nations to look to their own interests.

        • hexis 12 years ago

          "My sense is that the people who make these policies really are "Beyond Elections". They are constants in our government."

          Yes, these people are our fellow citizens. There is no conspiracy, merely functioning democracy.

          • _bfhp 12 years ago

            "functioning" democracy?? are you joking? do you know anything about campaign finance?

            • hexis 12 years ago

              I know some bits about campaign finance, but I also know that most people I meet in the US care much more about physical security than they do about privacy/civil liberties/etc. They vote for people who implement nasty policies and they do not make those votes because they have been tricked.

          • jlgreco 12 years ago

            "Citizens are involved" and "the democracy is not functioning as intended and/or there is a situation that can not be rectified democratically" are anything but mutually exclusive.

            • hexis 12 years ago

              Yes, true. It is also true that sometimes citizens knowingly choose nasty policies and then sleep soundly at night with those policies in place. Like you, I also do not approve of the way the US has changed, but I try to avoid tricking myself into believing that many US citizens feel the same way I do.

          • rhizome 12 years ago

            It may be a functioning democracy to whatever degree, but is it still a constitutional republic?

            • hexis 12 years ago

              It isn't, as far as I can tell. But I think that happened a very long time ago, to great acclaim.

        • waterlesscloud 12 years ago

          No. Sorry. The President does bear full responsibility. That's the nature of the job.

          If he wants to claim he wasn't aware, OK. But he is now and it's his responsibility to fix it. Again, that's the nature of the job.

          If the President wanted to eliminate these programs, they'd get eliminated. It would require the exercise of political will, but it absolutely could be done.

          The problem, actually, is right here, when people start making excuses for our leaders.

          Stop.

          Hold them responsible. Responsibility is why the job even exists.

          • cynix 12 years ago

            > If the President wanted to eliminate these programs, they'd get eliminated.

            Just like Guantanamo Bay, right?

            • bigiain 12 years ago

              Exactly like that.

              If Obama believed these programs (and Guantanamo Bay) were "wrong" with the same conviction Snowden believes – he'd do what it takes to shut them down, with the same career/livelihood risks that Snowden accepted.

              It's precisely the sort of moral compromises that Obama has made to allow Guantanamo Bay to stay operating, that have allowed the NSA to grab so much extraordinary power and avoid any sort of reasonable oversight.

              I understand that "just closing Guantanamo" isn't as simple as it sounds - but letting things like that slide because they're complicated, and doing so for 40 odd years, has allowed a situation where people like Clapper think lying to Congress is his job. Where intelligent people somehow perform the sort of mental gymnastics that allow them to claim collecting and storing personal communication isn't "collection" unless a person listens to the collected information.

              If the president wanted it to stop - he'd stop it. If he's not stopping it, it's because there's something he considers more important.

              He _might_ even be right. There might be a real and provable public interest reason why Guantanamo and the NSA have to be the way they are. There's no obvious or easy explanation along those lines – and it's super easy to cynically attribute it all to personal(and corporate) wealth and power motives which _are_ pretty obvious.

              • malandrew 12 years ago

                Exactly. He can always promise to pardon every individual that steps forward and provides the evidence necessary to shut down Guantanamo.

                Right now, its continued operation relies entirely on state secrecy laws. If Obama or some future president realizes that it is that one provision that is protecting illegal actions, he can promise to pardon anyone of the laws they have to break to expose those illegal actions.

                One of the biggest problems with our whistleblowing laws is that if you have to break laws to make things right, you may be seen as righteous, but you'll still be prosecuted for the laws you had to break to accomplish that. We're still a nation of laws and the only laws that can overturn that is the constitutional power to pardon. The only crime the president cannot pardon is impeachment. Any individual that isn't in an impeachable position could expose wrongdoing if the president had their back.

              • sanderjd 12 years ago

                Honestly, dedicating himself to fixing this problem may be the only way he can save his presidency in the eyes of history at this point. Literally everything he's overseen has been a disaster.

                • waps 12 years ago

                  The problem, of course, is that the president probably knows about the reason these programs came to be. What if there's a good reason?

                  I mean you can be cynical or you can be realist. The cynical explanation would probably be that the president/congress don't really control a few organisations like the NSA.

                  The realist reason would be that the NSA can point to a couple dozen cases where their surveillance saved thousands of lives, American or otherwise. That they have very, very convincing arguments that these policies are worth it.

                  Also I am a bit fatalist about privacy expectations. Have you seen how "working class" people live in Hong Kong and how much privacy they effectively have?

                  That's the future for the vast majority of humans on this planet, unless growth stops. If growth does stop, death and famine is the future for the majority of humans.

                  Enjoy it while it lasts, or collect enough money that you can realistically enjoy privacy and space until you die. For the next generation, it's a lost cause.

                  Government intrusion of privacy is (should be) the least of anyone's worries.

          • bilbo0s 12 years ago

            Maybe I'm not being clear.

            My assertion is that trust has broken down. And therefore the ability to validate has broken down.

            Let's suppose, for the sake of argument, that the President and the Congress eliminate these programs...

            How would you or I... or any foreign person validate that?

            How would I, in good faith, tell a foreign person, or even another citizen, that their communications are no longer being monitored?

            I don't believe we could give such assurances.

            So even in the BEST case where the President and the politicians eliminate the programs... we would not be able to assert in good faith that there is no longer any communications monitoring going on.

            The flaw in your idea, is that it is predicated on trust in the system.

            • a3n 12 years ago

              > Let's suppose, for the sake of argument, that the President and the Congress eliminate these programs...

              > How would you or I... or any foreign person validate that?

              How would the President validate that?

              • BrandonMarc 12 years ago

                This. Consider: is the NSA snooping on the president? If they were or weren't, would he ever know it for certain?

                • beedogs 12 years ago

                  Considering he was being spied on in 2004, before he even ran for Congress, and considering Supreme Court justices and other world leaders are monitored as well, I'm willing to bet he's still being spied on now.

            • grey-area 12 years ago

              The NSA requires money to operate, huge amounts of money. If that black funding was cut, they wouldn't be able to pay off GCHQ for example to provide hacks like this. If those programs were eliminated, the funding would stop, and you can't redirect that level of funding from other projects without someone noticing.

              Obama is complicit with this system and quite happy for it to continue.

              • bilbo0s 12 years ago

                "...If that black funding was cut..."

                How would you know? The answer is, essentially, "Trust".

                You would trust the politicians when they say that the funding had been cut. The politicians, in their turn, would trust the functionaries when they say no funding was going into communications monitoring.

                What if you don't trust the politicians or the functionaries... do you have any method of validating the elimination of the funding not based on "Trust"?

                "...you can't redirect that level of funding from other projects without someone noticing..."

                These are, at their core, intelligence agencies. "Redirecting that level of funding... without someone noticing..." is their job. It's what they are trained to do, among other things. I think it's a little optimistic to believe that they would not use that skill to accomplish their mission if they found it necessary.

                • grey-area 12 years ago

                  > What if you don't trust the politicians or the functionaries... do you have any method of validating the elimination of the funding not based on "Trust"?

                  Gov accounts are prepared and audited by civil servants. At a certain point a conspiracy is too large to be controlled, and I'd suggest managing to divert hundreds of millions from other budgets is a conspiracy just too large to hide from an entire people when gov. accounts are public. I'm all for official oversight as well by politicians, but politicians could easily cut funding for this sort of activity if they wanted to.

                  Obama certainly doesn't want to, for whatever reason, as evidenced by his disingenuous lies about this topic to the public (no one is reading your email) and the way he left Clapper in power after lying to congress and proposed fig-leaf reform, not real reform.

                  "Redirecting that level of funding... without someone noticing..." is their job

                  No, it's not. Their job is spying on enemies of their country, nothing more, nothing less. In peacetime that should be a pretty simple job of spying on a few terrorist networks using targeted attacks.

          • outside1234 12 years ago

            I think the problem you are missing is that "nobody is innocent" and these bad actors have all the knowledge.

            So when a President comes into office, they probably make it known that they have these N pieces of information, and well, they are going to do what they want unless said President wants those N pieces of information public.

            That's the really really scary realization here. Shadow government obtained through perfect intelligence with no checks and bounds.

          • teeeler 12 years ago

            > Hold them responsible. Responsibility is why the job even exists

            Just so we're clear - how exactly does the average citizen "hold them responsible", other than our legal right to simply not vote for them next time?

            It's so easy to say we should "hold them responsible" - but so incredibly vague to do.

          • malandrew 12 years ago

            This. I secretly harbor this fantasy that the next Edward Snowden will be a future American president. They do everything right, cross all the t's, dot all the i's, the perfect politician, then after their first 100 days in office, they come out and publicly address all the ways that the US is hypocritical and could be the model World citizen it pretends to be.

            At the end of the day, the presidency is the only position that is beyond the reproach of anyone behind the scenes that may be using their powers to pull strings. If he has ever been coerced by hidden powers, he alone could unveil them and be believed by all the non-believers. Alternatively, he could choose to promise to exercise his pardon rights for people who want to expose wrongdoing but are afraid. He had the power to protect people from jail. That's the power to allow people to expose wrongdoing without fear of retaliation (unless we've gone so far down the rabbit hole that someone can make the whistleblower just disappear.)

            • JoeAltmaier 12 years ago

              Every President is supposed to be that kind of moral leader.

            • bennyg 12 years ago

              He/she would be impeached under the espionage act.

              • malandrew 12 years ago

                I believe that this could be workable with some preparation, the two most important of which are:

                (1) the political work of defining the word "enemy". If you spend your time in your first 100 days of office trying to get the country to rally behind defining the "enemy" as actors within the US who are actively undermining the US Constitution and actors who are acting corruptly.

                and

                (2) the commander in chief work of defining the goals of the US military. The president is the commander in chief. If he decides that the primary goal of the US armed forces is to root out corruption and problems in the armed forces that are undermining the US Constitution in the interest of private interests.

                By doing exactly both of those things and getting support for it, he has absolved himself of liability under the Espionage Act AFAICT. The reasoning here is that he's now defining the operation and success of the armed forces to be in line in a way that any information conveyed is no longer going to interfere with the armed forces of the United States. Furthermore, redefining the enemy means that he has also made sure that the information does not promote the success of the enemies of the US.

            • unclebucknasty 12 years ago

              >the presidency is the only position that is beyond the reproach of anyone behind the scenes that may be using their powers to pull strings. If he has ever been coerced by hidden powers, he alone could unveil them...

              If there were such hidden powers as to pull strings or coerce the president, I am not sure why we should believe that they didn't have a hand in his rise to power.

            • madaxe 12 years ago

              Sorry, that's the funniest thing I've read all week.

              An American president with a moral backbone?

              Give me a break.

              That's like expecting it to rain candyfloss.

              The presidency is a hollow man, a figurehead - it's all just a show to make you think you have a democracy. The tail wags the dog, and entrenched non-elected interests run the show, through corruption, lobbying (corruption), and special interests (corruption).

              • einehexe 12 years ago

                Lost in all the America hate is the fact that the tapping of Google and Yahoo was done by the British. The whole west is complicit but only America gets the hate so it can continue easily.

                • madaxe 12 years ago

                  Britain is equally broken - and as you say, the whole west is complicit, and all, to varying degrees, suffer from the same malaise.

          • code_duck 12 years ago

            The problem is that you can hold all the presidents responsible you want and that does not have the power to change this problem.

            Congress, perhaps.

        • w_t_payne 12 years ago

          I believe strongly in "win win" solutions; in a broad internationalism that tries (at least in principle) to find solutions that benefit the whole of humanity (perhaps not uniformly, but uniformly enough to make everybody a net winner).

          That last phrase really spooks me. "Look to their own interests". Saddens me a bit, too.

      • SeanLuke 12 years ago

        > I am at a loss for words. Arrogant, self-righteous, disrespectful, ignorant, mendacious...nothing cuts it. It is illegal in the US but who cares about the rest of the world?

        Do you really believe that this is the modus operandi only of the United States?

        Since, say, France has _at least_ the same position with regard to the rest of the world vs. French citizens, are you angry at France too? Will you cut all French, German, Russian, and Bahraini cables as well, so as to maintain a consistent position?

        • SideburnsOfDoom 12 years ago

          > Do you really believe that this is the modus operandi only of the United States?

          Your fallacy is: Tu quoque http://en.wikipedia.org/wiki/Tu_quoque

          • lucisferre 12 years ago

            This is one of the few times that someone pointing out a fallacy on HN was apt.

          • SeanLuke 12 years ago

            Tu quoque is basically the "but everyone does it" argument. I agree that'd be specious -- but I'm not saying that. Rather, I'm saying the poster's claims ("arrogant, self-righteous, disrespectful, ignorant, mendacious") -- particularly "arrogant" -- imply that he thought the US was doing something unique that other countries are above, and thus the US was deserving of special disdain. This implication is simply wrong. But he's building his whole argument on it.

            • SideburnsOfDoom 12 years ago

              > imply that he thought the US was doing something unique

              But the US is doing something unique. No other country has the global reach and the sheer military budget that the US has. It's debatable that other countries are "above" it in moral terms, but the US certainly has taken it to a whole new level.

              Edit: I also don't see where "But he's building his whole argument on ... US was deserving of special disdain". Despite the larger scope of the US's transgressions, you are saying "but they do it too". I think that the Tu Quoque fallacy absolutely applies. Nowhere is it said that other countries would not be worthy of equal disdain under equal circumstances. And if it were to be said, it would be wrong.

              • dragonwriter 12 years ago

                > It's debatable that other countries are "above" it in moral terms

                It's really not, since many of the releases of information about what the US is doing -- including the current one -- have other countries also neck deep in it. I mean, the actual spying in the article that this comment thread is attached to is done by the UK's GCHQ, NSA is just a consumer of the data.

                • danbruc 12 years ago

                  As pointed out above, misconduct of other countries does not justify one's own behavior. There is really no big difference between collecting the information on your own or letting someone else do the dirty work and then just grabbing the results. I should have pointed out more clearly that I am not especially against the behavior of the USA but against behavior like this in general but I did so in some other comments.

                  Besides that the US are doing (almost) unique things among the most developed countries, for example I can not even imagine any EU country doing something like Guantanamo or having the death penalty. To make it clear again, I am not primarily angry because of the spying on its own but the sentiment as to human rights beyond it.

                  • dragonwriter 12 years ago

                    > for example I can not even imagine any EU country doing something like Guantanamo

                    By the information that has publicly come out about the "black sites" operated by the US and its allies -- from which prisoners were later transferred to the not-secret facility at Guantanamo where at least a show of adhering to international humanitarian law was made -- several EU countries were actively involved in the system, and the UK was not only involved but actually operated prisons in the system.

                    So, yeah, EU countries have, contemporarily with Guantanamo, done things as much like the worst aspects of the Guantanamo detention as is possible.

                    • danbruc 12 years ago

                      Source? If true, I completely missed that side of the story. The worst I could find after a quick search was that the UK allowed extraditions to Guantanamo even after learning about the torture happening there.

                      • mnordhoff_ 12 years ago

                        IIRC, Poland was the EU country that was the focus of attention.

                        Skimming Wikipedia's most definitely totally truthy article on the subject [1] (actually, it has a lot of citations, so it should be easy to verify), the UK's only alleged black site was the US base on Diego Garcia, which is "UK", but not "basement in London".

                        [1] https://en.wikipedia.org/wiki/Black_site#Suspected_black_sit...

                        Edit (T+18 minutes): Wikipedia lists numerous other European countries as possibly being involved. Information is really sketchy -- they are called "black" sites. Another question is which officials in the lucky host countries even knew about it.

                        • tptacek 12 years ago

                          Nobody suggested a "basement in London".

                • dobbsbob 12 years ago

                  "5 eyes alliance" countries are neck deep in domestic spying, it appears they are their own independent spy service, accountable to no country and all collaborating to avoid each other's laws. Impossible for any of those countries to have free elections anymore with this kind of surveillance. Everybody being watched all the time makes for easy political blackmail to avoid any serious attempts to dismantle the global Stasi state they've been busy making under our noses for the last decade

            • PeterisP 12 years ago

              Countries like Russia and China and Syria and Iran claim that they're spying on whatever they can and control their citizens' online expression because (a) they say they need it / national security, (b) they are allowed to do it / sovereignty.

              On the other hand, USA had earlier openly claimed in essence something like 'why we'd never, we don't spy on americans (Clapper), we don't record all communications, we're for the open net and transparency, we need to safeguard the internet from China and censorship, and we have 4th/1st amendment, so we're different'.

              Everybody else who did that, didn't do it while hypocritically claiming that they're different - so I believe that US really did something unique in this particular instance and deserves special extra disdain for that.

              The position of others is that doing all those things is okay, so they do it without moral problems. However, USA had claimed (and apparently still claims, at least for US-citizens) that it's not okay.... and do it anyway.

        • danbruc 12 years ago

          First, I clearly presented this as a hypothetical and emotional reaction and I did this purely to illustrate my feelings. Second, I obviously can not be angry about a country but only about people. Currently there are quite a few people from the US government I see regularly in the media and they make me angry with what they say, but there is nothing special about these people being from the USA.

          I have been to France once and while the overall experience was very good there was one bad experience. We had a problem with the motorway toll and stopped to ask a woman working at a toll station. She was obviously able to understand my English question but did not even try to answer in English and I did not understand a single word. This was not bad enough to make me angry but it was very impolite and I have no understanding for this, not even given the history of the relationship between France and Germany. I knew that I had to expect things like this, but it was a single exception and I am happy about this.

          So no doubt that there are many people in many countries thinking of their own people as superior, but this is not acceptable in any case.

        • unreal37 12 years ago

          The US is reportedly spying on the phone calls of 35 world leaders. How many countries are spying on the phone calls of President Obama? Does France have access to the phone calls of Obama?

          Some countries would love to spy on the U.S. It's true. But how many actually successfully do? And at what scale?

          • CPAhem 12 years ago

            It would be interesting to see the technical details of how this was done.

      • spikels 12 years ago

        While I agree the NSA's conduct is outrageous you seem to be confused about how countries actually work. Every country treats non-citizens worse than citizens - fewer rights and benefits, more limited (if any) work opportunities, additional hassles, etc. And most countries have intelligence agencies that spy on foreign countries and their citizens often in ways that break foreign laws. Don't be so naive.

        • danbruc 12 years ago

          There are of course differences in the treatment of citizens and non-citizens and this for good reasons like controlling immigration. But there should be no differences when it comes to human rights including privacy rights and this is what I complain about - different treatment as to human rights. And this goes beyond spying and also includes for example torturing people in Guantanamo. And yes, not only the US are breaking foreign law, but this does not at all justify this behavior.

          • jganetsk 12 years ago

            There are no differences, both in practice and in theory, to the privacy rights of citizens and non-citizens. Everyone is spied on, and it is legal. The NSA is tasked with spying on foreign nationals. The FBI is tasked with spying on US nationals. Everyone seems to be getting caught up with these legal technicalities. Our agencies spy on everyone they can (as probably does every spy agency in the world). Our government might not even be aware of or in control of it.

          • spikels 12 years ago

            Unfortunately we don't live in the world you imagine but I would join you in trying to improve the world we actually live in. I don't see how a trade and travel embargo could possibly help - it would almost certainly make things worse! Clearly there is no actual right to privacy under international law and rules vary greatly by country and are often weak in practice[1]. This is what we need to change either through treaties, constitutions or laws. I don't know where you live but in the US it would probably take a constitutional amendment - a very difficult procedure - or a very broad decision by the Supreme Court - unlikely.

            [1] http://en.wikipedia.org/wiki/Privacy_law

            • danbruc 12 years ago

              The thing about isolating the USA was not meant as a real solution, it was just to illustrate my feelings. See also this comment [1] of mine for a clarification.

              The Universal Declaration of Human Rights (UDHR) [2] contains a privacy right in article 12 [3]. The UDHR is not legally binding but the International Covenant on Civil and Political Rights (ICCPR) [4] is and contains the privacy rights, too. The USA signed and ratified the ICCPR. Maybe someone should just sue all the spying nations.

              [1] https://news.ycombinator.com/item?id=6643253

              [2] http://en.wikipedia.org/wiki/Universal_Declaration_of_Human_...

              [3] http://www.un.org/en/documents/udhr/index.shtml

              [4] http://en.wikipedia.org/wiki/International_Covenant_on_Civil...

              • lemming 12 years ago

                What's interesting with these declarations (and I'm surprised they don't even get a mention in the media) is that they specifically say that these rights cannot be denied based on "national or social origin". So it's basically illegal for the US to invade the privacy of foreign citizens according to the terms of those covenants. The US Constitution is probably in direct violation of it as far as I can tell since it specifically only applies to Americans.

          • itchitawa 12 years ago

            This is the hypocrisy we all accept as OK. If citizens are barred from travelling internally we call it a human rights violation (USSR, China). If foreigners are barred from travelling between countries we call it "important reasons - immigration control". Same with spying, assassination, torture, killing civilians in war, etc. Human rights don't apply to non-citizens of just about any country.

        • AYBABTME 12 years ago

          The problem is not so much about the expected behavior of a spy agency, or how the US government justifies itself "But it's only on non-citizens". That's kind of expected, like you explained.

          The problem is when the media, the public and politicians are reassuring and reassured by that "But it's only for non-citizens".

          To a foreigner like me, what I see is that US citizens, media and politicians are just fine with my fundamental rights being violated. That is as long as I'm not a US citizen... a clear statement that to those eyes, the problem is of less magnitude because I'm not as important a being as US citizens are.

          Do I have less a right to privacy because I am not a US citizen? Is it more ethical or moral?

          I'm not talking of my legal rights on a US soil; because legality has not much to do with morality. Really, in this argument I don't care about the NSA's goal, or all the spy agencies' goals. I care about how the public reacts; nobody cared as long as it was only about violating the privacy of those without US citizenship. Second class humans.

          That's incredibly insulting. It makes me angry.

          And worst of all, I feel like I can't even express myself on that topic without fearing repercussion. When one day at the airport, I'll cross the custom lanes and some automated filter will have flagged me as a national security threat because I once posted outrage about how they treat non-citizens.

          • sseveran 12 years ago

            Correct. You have no legal right to privacy in the US and enjoy none of the legal protections from our government that citizens enjoy (or should). You can be renditioned, spied on and wiretapped with no legal recourse in the US. Similarly Americans don't enjoy legal protections from the governments of other countries.

            Now two countries may enter into an agreement not to surveil each other or their citizens. That is completely a different issue. But if you are not a US citizen or don't have a visa then the Constitution affords you no protections.

            • frenger 12 years ago

              "Similarly Americans don't enjoy legal protections from the governments of other countries."

              Yeah right.

              • sseveran 12 years ago

                What governments are extending me legal protections?

                • andrewaylett 12 years ago

                  https://en.wikipedia.org/wiki/Universal_jurisdiction#Univers...

                  In general, these are laws against things like war crimes. The UK (Brit here) also extends some child protection, fraud and bribery laws to cover acts worldwide, the former intended to be used to prosecute sex tourists who are unlikely to be prosecuted where they committed the offences.

                  I'm unsure whether any of these laws have actually specifically protected you, but the reason for their introduction is to afford people in other countries similar protection from UK-based criminals to the protections people enjoy in the UK.

                  • sseveran 12 years ago

                    Personally I hate the whole "war crimes" thing. Since WW2 it has been applied only to enemies. There was a lot of contention with the Russians over what was a war crime, since Stalin had done many of the same things as Hitler. It was generally agreed that it was only illegal when the Germans did it and Stalin went home happy.

                    It seems that Universal Jurisdiction allows people to prosecute me, but doesn't specifically protect me.

            • serf 12 years ago

              how about when the government makes you renounce citizenship and waive your right to sue them?

              http://en.wikipedia.org/wiki/Yasser_Hamdi

              • sseveran 12 years ago

                They should have just manned up and charged him with treason. That seems like a relatively simple case.

            • AYBABTME 12 years ago

              But my point is specifically not about legality.

      • allochthon 12 years ago

        > but spying at non-US citizens and breaking foreign law in peacetime is deemed acceptable.

        First let me say that I agree with your sentiment -- it's hypocritical for people in the US to be upset about the US government's spying on its own citizens, but not upset when the people are in other countries.

        Now for a dose of realism -- every single country out there that has a foreign policy and interests abroad behaves in this way to one extent or another. The question is not whether but how much. I'm receptive to ideas for something to replace this general approach to intelligence gathering. But let's not apply a double-standard in the opposite direction and say that only when the US does the spying is it a problem.

        • PavlovsCat 12 years ago

          > every single country out there that has a foreign policy and interests abroad behaves in this way to one extent or another.

          I'm German, and I can't remember ever having heard such a distinction - that some things are okay when done to foreigners, but not when done to Germans - apart from neo-nazis.

          Sure, who knows what the BND is up to. But "behaving this way" also includes rhetoric that is not just considered acceptable in polite company, but even uttered by state officials... and as I said, I can't recall a single example, so maybe enlighten me? Or are you just assuming?

          • allochthon 12 years ago

            Sorry, I wasn't as clear as I wanted to be -- by "behaving this way," I had in mind the existence of government programs for surveillance and spying; not one-sided complaints on the part of citizens about such programs.

            • PavlovsCat 12 years ago

              Well sure, people in positions of power pretty much equally suck everywhere, I think we can consider this as baseline. But I do find it disturbing that "American exceptionalism" seems to be rather widely accepted by the US population, and that they're not even ashamed to express it, and that state officials implicitly or openly do the same. I have no doubt that some people in Germany harbour similar sentiments, but they're really at the fringes and in the dumps in comparison.

              Also, scale still matters. Killing a person or slapping them in the face are both violence, but there is still a difference, otherwise we could just reduce all to "physical and chemical processes going on" and completely stop thinking. I don't believe for a second that Germany, or even France, Italy or Russia (which I consider rather right wing) have programs to scoop up traffic from Google's internal network in place. Maybe they would like to, but they can't pull it off. And while I wouldn't bet on it, I wouldn't be surprised if China doesn't either.

          • waps 12 years ago

            Really ? How about :

            German soldiers abroad (say, in Afghanistan). Do they respect foreign law ? Of course not.

            Non-EU residents on German soil are subject to summary arrest and deportation (it's more complex than this, I know, but as summaries go you could do worse).

            German social security treats citizens, residents and illegal aliens vastly differently.

            German domestic wiretapping laws are basically that the executive gets to spy on anyone on German soil without judicial oversight AND outside of Germany. While it's of course true that this is not a distinction, it's actually worse than US law.

            German wiretapping laws do not let companies evaluate the legality of a wiretapping order before complying, unlike US law.

            Telecom companies operating in Germany are forced to provide the government with an automated system that can wiretap anyone on their networks without even their technicians knowing about who/what is being wiretapped. Needless to say, these systems are in constant use, and have been expanded.

            Small detail : in the US, the government will at least pay companies appropriately (handsomely even) for costs related to wiretapping. In Germany (like most of the EU) companies have to comply, fund it themselves, and can't even look at the orders. Non-compliance with this is punishable under criminal law (meaning the CEO, techies, field techs, or anyone in the telco can be arrested if the company refuses to comply).

            The BND does not just have the right to spy on anyone, but it can summarily arrest anyone, intervene in any investigation without question (so they could, for example, kill someone, then take over the investigation, no questions asked). They can confiscate any goods, on German soil and outside of it, without so much as an explanation. They aren't even the only government department in Germany that has this power, the tax office has the same power.

            As an EU citizen myself, I find the EU's "anger" at US spying somewhere between moronic and hypocritical. Especially France's is beyond all comparison, knowing that they just physically arrested someone for refusing to store all records of his customer's transmissions for a full year, entirely on his own dime. Furthermore, both France and Germany have used the information they force ISPs to spy for them to enforce copyrights. Neither country has any qualms about sending all citizens' internet traffic to a private organisation that is not answerable to the government at all, and is not even attempting to enforce criminal law (the NSA is at least doing this to prevent real crime, like 9/11. Germany and France are transmitting everyone's internet usage to an organisation so it could sue them for copyright infringement in an automated fashion. There's just no comparison)

            Note that furthermore, in the EU, these practices have been voted in by a non-democratically elected government (the EU commission). So the EU can't even claim that parliament approved these measures, because they didn't (barring a few exceptions). This has been imposed by people negotiating "international treaties".

            Can anyone please explain to me why, if there's outrage about the NSA, why isn't there 10x the outrage about EU practices ? The way it is makes absolutely no sense.

            • PavlovsCat 12 years ago

              > Non-EU residents on German soil are subject to summary arrest and deportation

              And where are the statements saying other countries shouldn't deport illegal aliens? My post asked about exceptionalism, openly stated, did it not?

              > German domestic wiretapping laws are basically that the executive gets to spy on anyone on German soil without judicial oversight AND outside of Germany [..] The BND does not just have the right to spy on anyone, but it can summarily arrest anyone, intervene in any investigation without question (so they could, for example, kill someone, then take over the investigation, no questions asked). [..] Germany and France are transmitting everyone's internet usage to an organisation so it could sue them for copyright infringement in an automated fashion.

              Uhhhh.... sources for all that please.

              > Can anyone please explain to me why, if there's outrage about the NSA, why isn't there 10x the outrage about EU practices ?

              Maybe the lack of abducting people and torturing them, or killing them with drones has something to do with it? And still, there isn't a month without demonstrations against some of the stuff you mentioned, like Vorratsdatenspeicherung. Other stuff is either flat out wrong or widely unknown, your posting of sources will decide that..

              • waps 12 years ago

                As for the torture thing :

                http://strasbourgobservers.com/2010/07/06/389/

                Given this article, I think it's safe to say that people get tortured to varying degrees by the German police on a weekly basis at least. Like the US, in the vast majority of cases the police do this for very good reasons.

                As for a basic introduction to German wiretapping law:

                https://www.privacyinternational.org/reports/germany/ii-surv...

                Also you act surprised ? Why ? These laws are the "roughly" same across the EU. Generally a certain degree of violence, even what might be considered torture (but not outright "real" torture. Violence against an arrested person, ie. hitting them or so, even things like denying food/drink when it's not life threatening) is allowed in the EU to protect the institutions (parliament, government, ...) (but only for "existential" threats that threaten the institution itself, not just, say, the building), and to protect the lives of others.

                • PavlovsCat 12 years ago

                  what about

                  - "the executive gets to spy on anyone on German soil without judicial oversight"

                  - "The BND does not just have the right to spy on anyone, but it can summarily arrest anyone, intervene in any investigation without question"

                  - "Germany and France are transmitting everyone's internet usage to an organisation so it could sue them for copyright infringement in an automated fashion"

                  ?

                  from the link you posted, emphasis mine:

                  > "According to a 2003 survey, 75 percent of conducted telephone wiretapping actions violated the law. In most instances of wiretapping, law enforcement agencies did not inform the subjects after the eavesdropping took place, contrary to what is stipulated by the law. [..] In April 1998, Article 13 of the Constitution (Grundgesetz) that provides for the inviolability of private homes was amended in order to allow police authorities to place bugging devices in private homes (provided there is a court order)."

                  I wasn't "acting surprised", I was asking for sources, and now I kind of have to call bullshit on a lot of the stuff you said.

                  http://en.wikipedia.org/wiki/Human_rights_in_Germany#Torture

                  Yup, bullshit. And at any rate nowhere near comparable to the US, where people are afraid to close Gitmo because the people were so badly mistreated they might turn on them. So why would I be "10 times more" outraged? Maybe because I, as a German/EU citizen, am more directly responsible for the stuff going on here - granted. But otherwise? Get real. Have you even READ the first article you posted?

                  > "The Court stated that “[t]orture, inhuman or degrading treatment cannot be inflicted even in circumstances where the life of an individual is at risk” and –under its assessment of the alleged violation of art. 6 – “[b]eing absolute, there can be no weighing of other interests against article 3."

                  How does this make you conclude that "people get tortured to varying degrees by the German police on a weekly basis at least"? That's just saying stuff, in the hope some of it will stick. Boo.

                  • waps 12 years ago

                    I think you're confusing multiple things here. Guantanamo is not the same category as police torture in Germany by police forces. Guantanamo would be comparable to German soldiers guarding a prison in Afghanistan and arresting people there. Do you really need sources to convince you that German "prisons" in Afghanistan (and maybe other countries) exist and operate independently of both German law (because it isn't German citizens getting locked up) and local law ? I also don't think it very far fetched that the "rights" of prisoners in those prisons are not getting respected at all by (amongst others) German soldiers.

                    So you should only compare German police using torture with Police, FBI or DEA or some department like that using torture inside America on American citizens. There I think it's much, much less clear that the rate of torture in Germany is higher or lower than the rate used by American law enforcement agencies. I'd guess the rate in Germany would be lower, but not that much, simply because America has many more regions where heavy violence against the police happens very often.

                    As for what the BND does, is it really so hard to find ? http://www.globalresearch.ca/germanys-intelligence-service-b... http://www.theguardian.com/commentisfree/2013/oct/04/german-... ...

                    (note that information they forwarded, they obviously collected first, so yes, it does in fact prove the BND spies on all German citizens as part of normal operations)

                    • PavlovsCat 12 years ago

                      I don't see a need to ask very simple questions for a third time, so I think we're done here. Your "guesses" don't interest me, as even the sources you posted contradict what you said. As for the BND, see my very first post in this thread. This is groan inducing.

          • GHFigs 12 years ago

            Sure, who knows what the BND is up to.

            Just a reminder:

            "In an interview with Der Spiegel, Snowden claimed that the NSA provided German intelligence, with analysis tools to help the organisation monitor data flowing through Germany. “The NSA people are in bed together with the Germans,” he told the magazine.

            He added that the NSA’s foreign affairs directorate, which is responsible for relations with other countries, had set up a system whereby political leaders “could be insulated” from the backlash if spying became public and helped to play down how grievously they were “violating global privacy.”

            http://www.independent.co.uk/news/world/europe/nsa-in-bed-wi...

        • tripzilch 12 years ago

          > Now for a dose of realism -- every single country out there that has a foreign policy and interests abroad behaves in this way to one extent or another.

          Simply not true. There may be a few large countries trying, but at nowhere near the global capability to lay bare all details of just about any person on the planet, like the US. And that's just comparing to the larger countries. The UK hacked Belgian telecoms, you're going to have to show me some proof that the reverse is also true. That's ridiculous.

          The consequences of the Netherlands "behaving in this way to one extent or another" towards the US--yes, even a little bit--would not be very positive for the Netherlands. We do, however, "have a foreign policy and interests abroad".

          The fact that the US believes it can get away with this sort of behaviour (and we'll have to see about that), doesn't somehow make it right or justify it in any way.

          • allochthon 12 years ago

            I certainly don't wish to justify espionage. I'm saying that it's a reality of life today and has been for centuries, and the US is only one of many countries (perhaps not Belgium or the Netherlands) that are engaging in it. So the anger directed at the US should be directed at all the other countries engaging in espionage as well (and it is clear that there are many).

            As for the US being allowed to get away with it, I do not have any simple prescriptions to offer the US government for replacing it with something better, although I too wish it did not engage in it.

      • saraid216 12 years ago

        > What really pisses me of is this sentiment of thinking of non-US citizens as second class humans.

        If this is really what you believe, then start pushing for legislation to include non-US citizens as first-class humans.

      • jganetsk 12 years ago

        But, by denying movement, you are suggesting to treat US citizens as second class humans. To what purpose? in order to punish them? To educate them about your importance?

        • danbruc 12 years ago

          I am too lazy to type it again, but this comment [1] from me fits your comment pretty well.

          [1] https://news.ycombinator.com/item?id=6643253

          • jganetsk 12 years ago

            I completely agree with your sentiment that no one is justified in thinking they are superior to anyone else. Furthermore, I have never said anything even remotely to the contrary.

            • danbruc 12 years ago

              The quoted comment was not the best one I could have picked - I just wanted to clarify that the thing about isolating the US was just to illustrate my feelings but nothing to consider seriously.

      • pnathan 12 years ago

        The purpose of intelligence agencies is to spy on non-citizens, both in peacetime and in wartime. One might argue that traditionally they focused on public figures in the foreign states and that spying on average foreigners is new; I don't know if that's true, but seems plausible.

        It would generally be a dereliction of duty for the NSA/CIA to not spy on non-Americans. The same holds true, modulo agency name and country, for any other country.

        Now, if you want to make the argument that national borders should dissolve and that spying on foreigners should become history - or something like that - that's up to you. But spy agency gonna spy.

        • dragonwriter 12 years ago

          > The purpose of intelligence agencies is to spy on non-citizens, both in peacetime and in wartime.

          No, the purpose of intelligence agencies is to gather and analyze information that might be of use to the nation's leaders. Spying -- whether on citizens or foreigners, and whether on people located within the country or abroad -- is often a mechanism used to gather information (though collection from public sources is also a common mechanism.)

          And there's nothing really special about the foreign vs. domestic (whether by location or citizenship) axis for "intelligence agencies", generally -- while sometimes the agencies that do domestic and foreign intelligence gathering are separate, that's not always the case, and certainly not a defining feature of "intelligence agencies."

          • pnathan 12 years ago

            You are correct - I overspecialized in my comment (and focused too much on the US, which attempts to separate domestic and foreign intelligence)- but I would argue that espionage is a signature of intelligence agencies and their efforts; expecting such agencies not to make significant espionage efforts doesn't really cohere with reality.

        • danbruc 12 years ago

          That is what I would prefer. I can not think of a good reason why we (Germany) should spy on our friends like France, the UK or the USA. Agencies should gather information about (potentially) dangerous citizens in their country and share this information with other countries. I have also no problem with collecting information in war zones and I include countries hosting terrorists where you can not rely on their agencies to provide good information here.

        • tripzilch 12 years ago

          Come on, say it to my face! You don't believe non-US people have a right to privacy. That's me! Your agencies can do whatever they want to me, but not to you.

          You're on the public Internet, you're not "within national borders", and everybody can hear what you just said. Say it to my face. Tell me how you feel that it's just fine to violate my privacy, that it's apparently perfectly fine to pry into my life, hack my phone networks, to gather any possible information there is to know about me and all those around me, just because I'm not a US citizen, and you are. You are better and are entitled to these protections, I don't.

          > The same holds true, modulo agency name and country, for any other country.

          Not every country believes that their citizens are somehow exceptional and non-citizens can be treated however they please.

          • pnathan 12 years ago

            I think that, in today's world, everyone, particularly public people of interest to other countries, should reasonably expect to have foreign countries gather information about them, up to and including spying.

            For example, if I was doing important security research, I would fully expect to have the Russians, Chinese, Israelis, etc, looking into my work.

            I don't believe the US is exceptional. I expect other countries to have interests in US citizens and to carry out their interests to advance their national interest.

            This expectation is entirely separate from my opinion of the morality of said act.

          • leot 12 years ago

            Every state privileges its own citizens. There are good reasons for doing so that have nothing to do with bigotry or exceptionalism.

            • jlgreco 12 years ago

              Some of us don't consider human rights a "privilege".

              • leot 12 years ago

                If privacy is a human right, it's not (to me, at least) of the same caliber as "life, liberty, and security of person". People behave best because they have internalized social norms, those arguments and attitudes that we proudly expose.

                • PavlovsCat 12 years ago

                  http://www.un.org/en/documents/udhr/

                  Article 12.

                  No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

                  Otherwise, how would you define "liberty" or "security of person"? You're free to do what you want as long as it doesn't encroach on the freedom of others, and if being spied on makes you not want to do some things you ought to be able to do, then that's just tough luck, but not a restriction on liberty or your security? I'd say freedom of action is worthless without freedom of thought and speech, and that you can't pick and choose human rights, or rank them.

                  • leot 12 years ago

                    Things aren't that simple. Certain rights can certainly override others (your right to life overrides my liberty to shoot you), which implies, if not a ranking, at least complexity. My liberty was only legally maximized when I turned 19: should five-year-olds be able to buy guns? Should I be free to record a conversation we have without my telling you?

                    A person has liberty if he or she is free to do anything lawful within a just framework of laws that is fairly enforced. Everything you do has consequences, however. Your freedom is thus freedom from having government stopping you from doing things that are within the law, but not freedom from consequences. (Note that article 12, as written, is qualified by the term "arbitrary". According to the right as written, you or I can be interfered with if the reasons for doing so are non-arbitrary.) Absolute privacy rights increase freedom from non-legal consequences -- this is a good thing when your social context is horrible (shun him! he's smoking mj!), but more often than not, removing social consequences is a net loss.

                    Privacy has a nice "liberty narrative" which makes it easy to defend (as you are doing) in the abstract, because it bears a close relationship to freedom (you are, without a doubt, "more free" if you have more control over what you choose to disclose). In practice, people behave best (on balance) when transparency is maximized, and they behave worst when they have absolute privacy and anonymity (see Tor, 4chan, freenet, etc.). In many game-theoretic contexts, "private information" is what leads to sub-optimal overall outcomes that tend to strongly preference the already advantaged.

                    Privacy rights, therefore, have much to do with the tension between the goals of the many and the goals of the few. The real problems lie not with privacy per se, but with asymmetries in its distribution.

                    • tripzilch 12 years ago

                      > Things aren't that simple. Certain rights can certainly override others (your right to life overrides my liberty to shoot you)

                      Certain rights certainly can. But not human rights. That's the whole point.

                      (btw "liberty to shoot GP" and "ability to buy guns" are not in fact human rights. GP's "right to life", however, is.)

        • rosser 12 years ago

          So it turns out, you can apply the naturalistic fallacy to things that are entirely of human construction...

      • belzeboss 12 years ago

        > What really pisses me of is this sentiment of thinking of non-US citizens as second class humans.

        When a group draws a line of Us and them, they are making enemies. With this approach the NSA is declaring the USA as the enemies of all those being spied upon. The more similar news spread the more this mentality that "The USA is the enemy" will spread and it's only a matter of time that more countries turn a blind eye or even facilitate terrorist actions against the USA.

      • akjj 12 years ago

        > It is illegal in the US but who cares about the rest of the world?

        I think it's entirely justifiable to give the NSA more latitude abroad than domestically. To reverse the scenario, as an American, I would far rather have the French or the Germans conducting surveillance on the United States than the US government. People keep comparisons to the Stasi, too often they forget what the Stasi's purpose was: to suppress political opposition. Here in the US, surveillance was used for the same purpose, on a much smaller scale, during the J. Edgar Hoover era. Political opponents of the government were spied on with the intent of blackmail or embarrassment.

        That's the whole reason why government surveillance is so scary. It puts so much information in the hands of an organization with such far-reaching powers in law enforcement and otherwise that the combination is prone to abuse. When the US spies on foreign citizens or vice versa, the potential for abuse is much less. The NSA has neither the interest nor the ability to harass political opponents in Germany and France, and the same goes in the other direction.

        • leot 12 years ago

          In particular, domestic surveillance is a completely different beast vis-a-vis foreign surveillance: spying outside one's own state comes with it the almost total absence of state's monopoly on force (and, furthermore, the protection of the government in the state being spied upon).

          Omniscience without omnipotence is tolerable, as is omnipotence without omniscience. The real trouble happens when you've got both.

        • PavlovsCat 12 years ago

          > People keep comparisons to the Stasi, too often they forget what the Stasi's purpose was: to suppress political opposition

          That's however not how the Stasi thought of itself though, or how it was presented in propaganda.

          http://andberlin.files.wordpress.com/2012/05/propaganda-in-t...

          "For our security"

          US intelligence agencies do keep tabs on stuff like Occupy, and of course it's officially "to prevent terrorism".. I for one don't buy it.

      • discardorama 12 years ago

        > I am at a loss for words. Arrogant, self-righteous, disrespectful, ignorant, mendacious...nothing cuts it. It is illegal in the US but who cares about the rest of the world?

        I'm as appalled as the next guy about the NSA's actions, but let's keep this in perspective here: many countries have 2 intelligence agencies, one for external and one for internal. Do "MI-5" and "MI-6" ring a bell?

        Plus, in this particular instance: the GCHQ (British version of NSA) is the one passing along the wiretapped stuff to the NSA.

        > We are not spying at US citizens, only at this other guys across the ocean.

        In this instance, it's the guys across the ocean who are spying, and passing on the results to us.

      • GHFigs 12 years ago

        > Especially when the story broke there was a lot of outrage about (accidentally) spying at US citizens, but spying at non-US citizens and breaking foreign law in peacetime is deemed acceptable.

        What did you used to think foreign intelligence services did?

      • georgemcbay 12 years ago

        For what little is it worth, a lot of us American citizens have a real problem with our government not extending the concept of the natural rights that we supposedly have to everyone, everywhere. Of course, these days they aren't even really bothering to discriminate and are just fucking us all over, though I guess they do apologize a bit more when they get caught fucking over Americans.

        Also, while I think this sort of spying is terrible I'm even more sickened by things like the fact that we keep killing innocent people with drones and such and justifying it as acceptable collateral damage when nobody will tell us who the real targets were, why they had to be killed, and why that was so important that accidentally killing a few hundreds or thousands of innocents while pursuing them is reasonable.

        At this point we're so far down the slippery slope that the rest of you might as well cut us off if you can. I'm unconvinced we are going to right this ship anytime soon, we as the group of citizens whose net worth isn't in the billions have lost control of the bus.

      • g0lden 12 years ago

        All I can say to your heated comment is that it is a good thing that you're not in a position of power to act in such a way that would sever the world's ties with the US.

      • guiambros 12 years ago

        That's why, ironically, the best hope for privacy-minded US citizens (like a good part of HN readers) comes from outside governments.

        People like Brazilian president, Dilma Rousseff, that had the courage to cancel state visits and declaring outraged by the state-sponsored spying supported by the Obama Administration.

        We need many more governments standing up and threatening to cut commercial ties with the US, until we can see some traction.

        Sadly, I'm not very hopeful that this will happen, given the commercial interests involved. Mexico had a slow initial response, but it's starting to demonstrate some reaction. Germany and France are my hopes [1].

        [1] http://www.theguardian.com/world/2013/oct/22/mexico-presiden...

        • sseveran 12 years ago

          France and Germany can't. They are both export based economies.

          • guiambros 12 years ago

            Yeah, but chancellor Merkel must be really pissed off with all the latest shenanigans [1] by her friends across the pond...

            And everybody else must be really pissed off with the latest documents. Here's the punch line:

            > Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.

            [1] http://electrospaces.blogspot.nl/2013/10/how-nsa-targeted-ch...

            [2] http://www.washingtonpost.com/world/national-security/nsa-in...

            • sseveran 12 years ago

              I think in the end it will be shown that both the Germans and French also engaged in surveillance or have partnerships with other intelligence agencies. The five sisters can't be the only big partnership.

      • EpicEng 12 years ago

        The government of a country, any country, owes allegiance to its citizens first and foremost. Our laws do not apply to people in other countries. I can't imagine that most large governments other than the US do run in exactly the same manner.

        I'm not defending the NSA, but let's not be naive here. One function of the government is to protect its people from all threats, foreign and domestic. So yes, citizens of other countries are second class, and well they should be from some perspectives. Again though, there are lines, and some have been crossed.

      • mattlutze 12 years ago

        I'm torn between the two sides of this coin.

        As both a US citizen and world citizen (how can we who've grown up in the Internet age not feel a little more worldly?) it feels violating to know this has been going on, and that it likely affects me.

        On the other side, it has forever been, and continues to be, in a physical-boundary-defined nation's best interest to know things about every other nation, in order to compete within international relationships. I would be surprised to find a major international player that didn't have a clandestine agent group or groups like the CIA or NSA.

        It's a very tough and frustrating topic. Spying always feels disrespectful and arrogant to the spied upon. But should we implicitly assert that this isn't done by the rest[0] of the intelligence agencies around the world?

        0: http://en.wikipedia.org/wiki/List_of_intelligence_agencies

    • fragsworth 12 years ago

      > The government outright tortured people for years, and nothing has come of it.

      I am not saying it's OK, but in that case, most US citizens aren't even affected. In the case of surveillance, data from US citizens is being directly compromised. Their attempt to do what they want to foreign individuals with surveillance actually causes some collateral damage to US citizens.

      • danbruc 12 years ago

        Who cares about the collateral damage done to US citizens? The problem is the damage done to non-US citizens.

        • gcb0 12 years ago

          What?! since when non-us citizens can vote?

          remember that democracy (even half-implemented as it is in the US) is the dictatorship of the majority (that can vote).

          • jlgreco 12 years ago

            If voters are concerned with the plight of non-voters, then the plight of non-voters is by definition of concern to voters.

            Asking voters to be concerned with what their government does to non-voters should never be discouraged. It may be futile, but it should not be discouraged.

        • fragsworth 12 years ago

          I only made the distinction because someone pointed out that it's difficult for government agencies to get in legal trouble unless US citizens are the ones being harmed.

      • grecy 12 years ago

        > I am not saying it's OK, but in that case, most US citizens aren't even affected.

        There is a very strong line of reasoning that says terrorist attacks and thousands of American soldiers killed in combat are a direct result of these kinds of foreign policies.

    • spunky 12 years ago

      Monroe Doctrine 2.0

    • DannyBee 12 years ago

      "The government takes the position that their agents are almost completely unconstrained by law when it comes to actions taken abroad aimed at non-US persons. "

      It's worse than this. You also generally can't sue the US government civilly unless they allow you to. US has abrogated sovereign immunity in certain situations for certain types of torts, but ..

      • bradleyjg 12 years ago

        Civil immunity is a subset of completely unconstrained by law. For example, judges are entitled to absolute civil immunity for actions taken in an official capacity. But they have occasionally been charged criminally for actions for which they were civilly immune.

        • DannyBee 12 years ago

          "Civil immunity is a subset of completely unconstrained by law"

          Sorry, I didn't read it that way :) Since the original thread seemed to be about criminalness, I assumed you meant they could not be charged criminally for their actions.

          There is a huge difference, as you point out, between civil and criminal liability.

    • PeterisP 12 years ago

      I'm sure the other branches of US government would be delighted if NSA would share with them - not the secret data, but their data processing tools.

      I mean, it appears that NSA has the ability to separate the retrieved gmail data into citizens and non-citizens, so they can legally use the non-citizen part of data and throw the 'forbidden' US-citizen data away. Think of the wonders that we could do with such technology! We wouldn't need passports anymore, when arriving from another country, you just provide your gmail account, TSA systems check that you're a citizen and lets you right in with a smile...

  • adventured 12 years ago

    It's far beyond special investigator time.

    Obama should be impeached. Both Obama and Bush should be tried for criminal conduct. Both should be put in prison for decades for treason. Of course on top of that are the war crimes and general crimes against humanity both committed (torture, war, murder of thousands of civilians, and so on).

    • talon88 12 years ago

      Can you lay out the charges, special prosecutor?

      • simplemath 12 years ago

        What's the charge for a state being the enemy of its own citizens?

        • samstave 12 years ago

          Crimes against Humanity?

        • jlgreco 12 years ago

          I think in those sorts of situations, when the people are actually in a position of power over their government and thus able to effectively prosecute it, official charges are typically not bothered with. (or if they are, nobody bothers actually proving them during the 'trial'.)

    • kamjam 12 years ago

      It wasn't too long ago that Obama himself said Ed Snowden was not a patriot. Said it then, will say it again. The hypocrisy just reeks.

      • mpyne 12 years ago

        Snowden isn't a patriot though.

        Certainly he has revealed a lot of scary information about the government that the people needed to know about, but opposing the state (which is what Snowden seems to do) does not always equate to supporting the nation.

        Some of Snowden's disclosures have been directly harmful to American interests without a corresponding harm being done to the American people that would have warranted that disclosure. For instance, his leak of details of NSA hacking attempts against China.

        Likewise, his disclosures about spying against allied heads-of-state. Knowing what your friends truly think would be invaluable for American interests when negotiating. I certainly agree that spying on friends like that is distasteful, but revealing that can't possibly be said to have helped the American people.

        • andrewcooke 12 years ago

          first; you seem to be saying that each leak in isolation has to weigh in favour of the american people. a more lenient judgement might be made by taking everything as a whole and seeing if the benefits outweigh the costs. and even when the advantage is not direct, it may come later - for example, the international pressure from the leaks about intercepting foreign heads of states might lead to reduced surveillance of americans.

          second; perhaps here on the internet we need something more international. perhaps he is a patriot in an international sense - since he works for the rights of all people. i certainly appreciate what he's done, and i am not american. of course, an alternative is to say that i am the enemy. but then we get to the american duplicity - they seem to want to be our friends, shake our hands, but then treat us as second class people.

          [i wondered whether to include british duplicity with gchq, but they don't really make the same distinction. they seem to quite happily spy on britons and foreigners equally. they are not hypocrites, just assholes...]

          • mpyne 12 years ago

            > first; you seem to be saying that each leak in isolation has to weigh in favour of the american people.

            Yes, I would certainly argue that someone claiming to act in the patriotic interests of the people of a nation should do things that are in that interest. Remember that by Snowden's own admission, he deliberately selected each individual batch of documents for later disclosure, it's not Manning-style indiscriminate collection of material to leak later.

            On the other hand there is a very workable explanation to explain Snowden's actions: A belief that government is oppressive and wrong, with a corresponding imperative to harm that government. So it is here. You could argue that Snowden feels that by breaking the government that overall good things would happen for Americans, but his individual actions are certainly being conducted without regard to harm. So I would argue that he's anti-government, but not necessarily patriotic.

            > but then we get to the american duplicity - they seem to want to be our friends, shake our hands, but then treat us as second class people.

            That's hardly a trait unique to America and I think you know that. Remember that much of the outcry in the U.S. is very much because the NSA is treating American data the same as they treat foreign data. But either way, national governments work in the best interests of their citizens, not others. It's hard enough to convince people in America to maintain even existing levels of foreign aid for example.

            As one of the French intelligence professionals mentioned, they spy on us too and if anything, are jealous of the abilities the NSA has.

            The "more international" idea you talk about is certainly the direction we need to go down (as I've argued since Snowden first hit the news). Right now the global Internet is simply not working well with the ideal of individual national legal frameworks. But what solution will that be?

            Somehow I suspect those on HN won't be satisfied with simply scaling up Five Eyes to include Western European governments as well, and as of yet there's no pan-world government to kick the task up to. Nor do I think that nations will (or should) completely give up on SIGINT.

        • brymaster 12 years ago

          > Snowden isn't a patriot though.

          Yes he is. He gave up his life and comfort in order to reveal illegal, massive surveillance by the US Government and friends. That's what actual patriots and heroes do.

          > Certainly he has revealed a lot of scary information about the government that the people needed to know about, but opposing the state (which is what Snowden seems to do) does not always equate to supporting the nation.

          This kind of statement is a sophist's trick used to justify the unjustifiable: "Spying is typically bad but he revealed spying done by our own government!"

          > Some of Snowden's disclosures have been directly harmful to American interests without a corresponding harm being done to the American people that would have warranted that disclosure. For instance, his leak of details of NSA hacking attempts against China.

          The NSA are the ones causing the actual harm. Also, China boogeyman card.

          > Likewise, his disclosures about spying against allied heads-of-state. Knowing what your friends truly think would be invaluable for American interests when negotiating. I certainly agree that spying on friends like that is distasteful, but revealing that can't possibly be said to have helped the American people.

          Sounds like 1984 Ingsoc. Diplomacy with "friends" should be honest. Not conducted as "trust but verify" Reagan-esque bullshit.

        • mindcrime 12 years ago

          I certainly agree that spying on friends like that is distasteful, but revealing that can't possibly be said to have helped the American people.

          Yes it can. I'll say it right now: It has helped the American people. It has helped us, by giving us knowledge we need if we are going to hold our government accountable. Lest people forget, government exists to serve the people, not the other way around. This ain't a monarchy, pal. Here we can, and should, hold our elected officials' feet to the fire when our government screws up or does things we don't approve of.

          Now, in the end, the American people might decide to keep "Baaaaah"ing like mindless sheep and let our government off the hook, which is, I suppose, their right. But what Snowden did was absolutely the right thing, as you can't even think about having accountability unless you have transparency.

    • brown9-2 12 years ago

      By the same reasoning you should impeach the majority of Congress (the same people who would vote for such an impeachment of the President).

  • mapgrep 12 years ago

    Google was letting information flow between its data centers completely unencrypted until last month. http://www.washingtonpost.com/business/technology/google-enc... Last month!

    Think about that for a second. Most people on HN wouldn't send a single file to their own backup provider in the clear. Google was sending gushing torrents of data, presumably including email, IMs, etc, over long distances that way.

    That's very nice that the company that encouraged all of us to put all our email and documents in its data centers "pushed harder than anyone on the whole internet" for some basic security well after the NSA compromised their shit, but it doesn't excuse their irresponsible practices.

    • ori_b 12 years ago

      > Google was letting information flow between its data center completely unencrypted until last month. http://www.washingtonpost.com/business/technology/google-enc.... Last month!

      Over their own private WAN. The analogy would be sending things in the clear over your LAN. [Citation: http://www.eecs.berkeley.edu/~rcs/research/google-onrc-slide...]

      • mapgrep 12 years ago

        The likelihood miles and miles of cabling, much of it presumably leased, will be compromised is nowhere near comparable to the likelihood a normal, single-location office/home ethernet LAN will be compromised. (And if you think both are easily compromised, that only adds to my original point.)

        • outworlder 12 years ago

          Fiber optic links are not so easily compromised. Not without service interruption, which will raise quite a few eyebrows.

          • ck2 12 years ago

            The US has submarines which are entirely designed to splice fiber optics without interruption.

            They literally bring part of the cable into the sub and work on it from there.

            • chubot 12 years ago

              Citation for that? Seems plausible but I'm interested in any details.

              • jellicle 12 years ago

                http://cryptome.org/eyeball/mmp/jimmy-carter.htm

                Apparently the procedure is to position the USS Jimmy Carter over the cable, send out a remote vehicle to grab the cable and pull it up to the sub, splice in tapping equipment, and then drop the cable.

                Intercontinental cables are less than one inch in diameter in deep water. If the sub plants the tap in deep water, it's extremely unlikely that anyone would ever discover it. There are a few cable repair ships that pull broken cables to the surface and fix them, but other than that... No one can reach it and no one will bother it.

                The most interesting thing is actually getting the data back to the U.S. Do they run a separate cable alongside the existing cable? Getting SMALL bits of data back to the U.S. is easy, can just broadcast it. But LARGE amounts of data? Tricky.

                • jlgreco 12 years ago

                  > There are a few cable repair ships that pull broken cables to the surface and fix them, but other than that... No one can reach it and no one will bother it.

                  Even if you pull the cable up to repair it, it is unlikely that you would discover the tap. The device used in Operation Ivy Bells was designed to detach from the cable if the cable was lifted. Non-intrusive tapping might not be possible with fiber (it isn't, as far as I know), but I expect they have other mechanisms to avoid discovery. Perhaps lifting the cable would cause the cable to "snap" on either side of the tap, before the device could be lifted.

                  http://en.wikipedia.org/wiki/Operation_Ivy_Bells

                  http://www.fas.org/irp/eprint/ic2000/ivy_bells_pod.jpg

                  • Perseids 12 years ago

                    Why is the traffic in the fiber cables not encrypted between the endpoints? That would instantly nullify the attacks. Is AES hardware not cheap enough yet?

                    • jlgreco 12 years ago

                      Traditionally encryption is left to higher layers.

                • g8oz 12 years ago

                  A few years ago the cable that connects Pakistan to the Internet was mysteriously cut. I wonder where the Jimmy Carter was at that time.

      • zachrose 12 years ago

        Google doesn't actually own the underwater cables though. So isn't the analogy more like sending things through a LAN in a building that you're renting?

        • DannyBee 12 years ago
          • dsl 12 years ago

            From the link:

            > Google is buying a piece of a new transpacific fiber optic cable

            Only a half dozen or so companies actually own undersea fiber. It requires a huge amount of effort to lay and maintain including hundred million dollar cable ships.

            Everyone (even Google) leases, or in this case buys, capacity on shared cables.

            • generj 12 years ago

              Google has the cash to lay their own now though.

              Or just buy a company which does.

              I wouldn't be surprised if they do so in the future.

              • crucifiction 12 years ago

                What is the point? If they can tap the cables it seems like owning your own just causes a false sense of security.

                • generj 12 years ago

                  It provides better legal grounds to sue.

      • brown9-2 12 years ago

        Do they actually own and operate all of the wires between various datacenters? That sounds like a huge undertaking.

      • blablabla123 12 years ago

        Assuming that the fiber end points only touch Google data centers, this would be ok, I guess.

      • ams6110 12 years ago

        Do not trust that your internal networks are secure. Any links carrying business or customer data should be encrypted.

        I remember over a decade ago talking with the security head of a university where I was working, about a new system design. I made some comment like "well this is all on the machine room network" and his response was "I wouldn't trust the machine room network." Pretty eye-opening since he was the person responsible for its security.

    • tiziano88 12 years ago

      inter-datacentre communication most likely happens on dedicated networks "outside" the internet

  • bonemachine 12 years ago

    Which, going by their (this administration's) record at disavowing, initiating investigations into, and demanding accountability from our various security agencies for their widely known, and far more egregious abuses they've been indulging in since late 2001 -- torture, extrajudicial killings, and the cavalier attitude of our armed forces toward civilian populations, generally -- we can be virtually certain that not only will they "fail" to do, they won't even make a credibly sincere effort at it.

    I don't see how the administration can fail to disavow them, investigate them fully, and hold their instigators accountable.

  • rrggrr 12 years ago

    In light of the criticisms leveled against these strategies from 2002 - 2004 it's difficult for intelligence policy makers to argue the risks were unknown. The indifference to risk, public opinion and constitutional issues is jaw dropping.

  • bparsons 12 years ago

    The stage is being set for a giant conflict between the intelligence community and the political class in DC.

    • tdfx 12 years ago

      The political class is still more scared of being on the wrong side of security in the event of another terrorist attack. On a long enough timeline there certainly is bound to be another attack, and no one wants to be the one who weakened the intelligence community's toolset. No one seems to understand the tradeoffs they are making.

  • hindsightbias 12 years ago

    > Google had no knowledge

    Citation required.

    > Not only that, but Google launched a high-profile effort to encrypt the communications inside and between their data centers.

    When exactly was that announced? Before or after Snowden went rogue? If after, the agency had to tell the PRISM partners that they were going to be exposed if they were willing participants in hosting a back-door.

    Otherwise, they only got paranoid after that fact?

    I'm wondering if there is a state with a particularly restrictive privacy law that can drag Larry or Sergei to the witness stand and find out if participation is willing or unwilling.

    • aiiane 12 years ago

      Technically, it's impossible to prove a negative. That said, what more evidence do you want than everything Google has done to combat this, including preemptively working to encrypt cross-dc traffic?

      • erichocean 12 years ago

        including preemptively working to encrypt cross-dc traffic

        You do know that the national security apparatus can and does force companies to lie in press releases to the public about security- and privacy-related matters? Who's to say Google isn't flat out lying to us about that? There's no legal reason they can't lie to us if our secret courts force them to.

        The problem now is we can't trust even the supposed "good guys" because the government has completely tainted the well with their secret courts and gag orders on companies (while still forcing them to comply).

  • chestnut-tree 12 years ago

    "Google had no knowledge of NSA's physical compromise of their data centers. But still, they pushed harder than anyone on the whole Internet for the adoption of modern TLS with forward-secrecy..."

    You're talking about security only. What about privacy? Security and privacy are not the same thing (although they overlap).

    No other company has such a rapacious appetite to track and record online behaviour in one form or another - whether it's signing into your Chromebook to print to your desktop printer or using Google Analytics, Google wants to capture it all. Their vaguely-worded privacy statements tell you nothing about how they use this data, who sees it, or just how personally identifiable it is.

    Take ChromeOS, the fact that you have to sign in with your Gmail account means potentially every activity you perform while in the OS is tracked by Google. I'm amazed at how little discussion is made of this. (I would never run ChromeOS for this reason alone.)

    I've no doubt that Google takes security matters seriously. I'm not at all convinced they take privacy seriously.

  • tippytop 12 years ago

    > Google had no knowledge of NSA's physical compromise of their data centers.

    How do you know this is the case? In the diagram submitted within the article, the box highlighted with the smiley face is labeled "GFE" for Google Front-End [1], which means it's a Google controlled server. It seems more plausible to me that the NSA compromised this target with a FISA court order rather than hacking it. And if that is true, then someone at Google did know about it, they just weren't willing to discuss it because of a legal threat.

    [1] Google server names: http://googlesystem.blogspot.com/2007/09/googles-server-name...

    • dragonwriter 12 years ago

      > How do you know this is the case? In the diagram submitted within the article, the box highlighted with the smiley face is labeled "GFE" for Google Front-End [1], which means it's a Google controlled server.

      Yeah, it's the external facing server that is the boundary between Google's (encrypted) communication with outside systems and its internal network which doesn't use encryption.

      > It seems more plausible to me that the NSA compromised this target with a FISA court order rather than hacking it.

      If you read the article, the leak of documents that included the diagram indicates that:

      1. The GFE server itself wasn't compromised, whether by a court order or hacking -- the unsecured communications which occur "behind" the GFE server were compromised, and

      2. The entity which compromised the unsecured communications wasn't the NSA, but Britain's GCHQ. The NSA gets information from the compromised system because GCHQ allows NSA to submit search terms ("selectors") which are matched against the data GCHQ collects from tapping Google (and Yahoo!) unsecured internal comms, and then feeds the data matching the selectors back to the NSA.

      • tippytop 12 years ago

        You are correct, I've misunderstood this program and perhaps the parent post I was responding to. Oh well, can't win 'em all. This is in addition to the PRISM programs we've already seen.

  • sneak 12 years ago

    > Google had no knowledge of NSA's physical compromise of their data centers.

    You speak of Google as if it were a single person and not 46,000 people, or as if the threat of a long-term federal prison sentence isn't enough to make most members of society keep absolutely quiet.

  • mpyne 12 years ago

    > It's hard not to come to the conclusion that these activities were essentially criminal. I don't see how the administration can fail to disavow them, investigate them fully, and hold their instigators accountable. It feels like Special Prosecutor time.

    Well, the article makes the point exceptionally well; it's unclear why MUSCULAR is needed when PRISM already exists.

    However as long as the interception was exclusively between overseas Google and Yahoo data centers I'm not actually sure it's even clearly criminal.

    Instead I think it shows a rather stunning 'loophole' in current U.S. law and case law when you intersect a globalized Internet with laws meant to deal with national-level communications.

    Frankly, this is the same feeling I experienced when it became clear how global companies are able to "nation shop" for maximum tax advantage. I didn't like seeing it then, and I don't like it here.

    But although the behavior might be technically legal (thanks to the platoon of lawyers) it's certainly not in keeping with the spirit. It seems to me that oversight must become much, much more intrusive than it used to be.

    Instead of writing the law and then letting NSA squirm for years until it finds loopholes that work for it, it's time to force effective oversight deep into every level.

    Because what's most striking to me is that I'm not sure that even the law as it stood before 2001 would have made this behavior technically illegal. MUSCULAR couldn't have happened then, of course, but now that American data is being farmed automatically to data centers around the world....

  • dsleno 12 years ago

    I don't think they pushed hard enough for the adoption of TLS. It's only finally THIS YEAR that they made available their ubiquitous AdSense code for SSL/TLS. Because many websites derive their full livelihood from AdSense, Google has effectively been stalling the widespread adoption of SSL on the web. If you were a news website and you used AdSense, then forget about ever implementing SSL; it would kill our site.

    Although I'm glad they have finally started serving AdSense in SSL, Google need to take ownership in their big role in keeping the internet unencrypted. If they have had a change of heart, that's great. But I don't trust them any more.

  • aet 12 years ago

    That all sounds very impressive, but in the end it didn't work and all our emails are belong to them.

  • drawkbox 12 years ago

    I wonder if many of these 'Chinese infiltration' events that did lead to Gmail HTTPS/TLS were actually spy agencies of various nationalities, even looking like Chinese hackers when in actuality it is something else.

  • shmerl 12 years ago

    Yet, with such emphasis on security, how did they manage to "back up" Wi-Fi passwords on Android as clear text on their servers?

  • jafaku 12 years ago

    Oh nice, tptacek defending Google again, no matter what.

    • PavlovsCat 12 years ago

      Defend them against what? How could one seriously blame them for this, how are they not a victim, just as their users are? Yeah, they could have encrypted their internal network sooner. Just like someone who got robbed could have learned martial arts or taken a different route.

  • ThinkBeat 12 years ago

    What Google knew when, and how Google cooperated with the NSA and other agencies is something we will probably never know. Or at least not for a long time.

    The first files that came out seemed to speak of direct access for the NSA into the datacenters done with the support of Google.

    These speak of even more intrusive surveillance.

    Personally I don't believe for a second that Google has not been fully cooperative with the needs of the American Intelligence community all the time. However Google needs a bit of good PR to ensure that they are not hit too hard with a backlash. As long as Google can maintain plausible deniability they are fine.

    I don't see anything criminal that the NSA does as far as US law goes, unless they are spying on American citizens (which they are doing).

    Spying in any way possible on other countries is not only legal but a big reason for the existence of NSA, CIA etc. There is an understanding in the international community that spying may occur.

    However there is also a long tradition that if someone is caught with their hand in the cookie jar, a harsh response is expected. The expulsion of diplomats, dropping trade deals, dropping mutual agreements (think US/USSR) and so on. Also the criminal persecution and interrogation of enemy agents discovered.

    A couple of points to make

    1) Europe has so far not really reacted much to the news. Some blabbing in the press, a bit of travel, but aside from that little has changed.

    2) the biggest threat over this for Europe is not so much the disposition of troops, where and how bombs are kept etc, it's industrial espionage and leverage for getting EU countries to sign deals to buy American. A good recent example is the sale of JSF. The embassies were very heavily involved in ensuring that nations in Europe bought JSF. I find it impossible to think that intelligence gathering was not offered to ensure that this took place.

cromwellian 12 years ago

Why didn't they release these documents a long time ago when everyone was racing to judgement that Google, Yahoo, et al were secretly in cahoots with the NSA helping to build drag-net surveillance extranet stuff for them? These are very important revelations!

I mean, when Greenwald/Snowden/Guardian released the original PRISM accusations, these slides would have provided a much much more important set of evidence, instead of months of speculation and parsing of meanings of "backdoor", "frontdoor", "side door", in the corporate communications of the tech companies who were struggling to say "we've never heard of PRISM, da fuq is this shit?"

Is the slow dripping out of these slides because they are trying to be responsible in not releasing stuff that is too damaging (e.g. not trying to be a Bradley Manning dump), or is it to preserve traffic by keeping the click-gravy-train going?

  • gfodor 12 years ago

    We're still talking about Snowden. This is the reason.

    • hga 12 years ago

      At this point I suspect Snowden has become a bit of an Emmanuel Goldstein. Any leakers who want to get their stuff out with some modicum of safety just need to get it to one of the usual suspects in the media, if the latter are willing to play the game (this does violate normal journalist ethics, then again this is not a normal situation). The leak can then be ascribed to "Snowden".

      • AYBABTME 12 years ago

        this is brilliant.

      • erichocean 12 years ago

        For those wondering who "Emmanuel Goldstein" is, he's a character in the novel 1984.

        • AYBABTME 12 years ago

          And in this novel, Emmanuel Goldstein represents an absolute enemy of the state that doesn't actually live, but only exists to be blamed for all that is bad.

  • jakewalker 12 years ago

    Who knows how many thousands of pages they need to read and understand? Also, don't underestimate the difficulty of a reporter understanding these thousands of documents sufficiently to recognize when one is really important.

    • cromwellian 12 years ago

      If they don't understand what's going on, wouldn't that argue in favor of doing more detailed research and analysis before writing claims? The original assumptions/claims in the Guardian story on PRISM are now shown to be false. This caused a lot of negative blowback on the companies involved.

      Don't we expect our investigative journalists, to well, actually investigate things, instead of rushing to print?

      • ochs 12 years ago

        How were they false? The PRISM program is real. There is a way for the NSA to automatically access Google's databases, with Google's knowledge under secret blanket (not case-by-case) court orders. They were clearly lying when they denied any "direct access".

        • cromwellian 12 years ago

          No they weren't lying, as there is no evidence that Google had knowledge that the NSA had been tapping their dark fiber. What everyone assumed after the Guardian story was that Google had built some kind of firehose feed or portal for the NSA to just login and get whatever they wanted, never in any of those stories did they say the NSA was taking data against Google's knowledge or will.

          For example, there was a famous slide showing when each company "joined the PRISM program", but the actual slide merely says "Dates when PRISM collection started for each provider". The reporter inserted the terminology "joined" which implies a partnership that didn't exist.

          What these revelations reveal is that the NSA supplemented the data they got on a case-by-case basis through NSLs by outside-the-datacenter fiber taps of traffic, as well as upstream unencrypted HTTP and SMTP/IMAP traffic.

          • Perseids 12 years ago

            > What these revelations reveal is that the NSA supplemented the data they got on a case-by-case basis through NSLs by outside-the-datacenter fiber taps of traffic, as well as upstream unencrypted HTTP and SMTP/IMAP traffic.

            Which still does not contradict the original speculation that Google provided bulk data for PRISM. We do not yet know enough of all the stories as to judge who spied or helped to spy on us to what extent. There are too many lies, too many secrets and far too little liability out there to let the big companies off the hook yet.

      • vilhelm_s 12 years ago

        As I understand it, there is nothing in this latest release which contradicts the previous PRISM stories. They are two separate programs.

        In other words, NSA used court orders to access data with the knowledge (but gagging) of the companies (PRISM), while at the same time also hacking into the companies to access data without their knowledge (MUSCULAR). These things were both true.

      • zevyoura 12 years ago

        What claims in the Guardian PRISM story have been shown to be false?

  • selmnoo 12 years ago

    Probably because there was just too much information to make sense of all at once. So they just let out little at a time of what they understood to be verifiably and properly true.

    Of course the cynical view that they held on to it to make some ad-money is not altogether wrong either, just unlikely to be accurate.

  • elwin 12 years ago

    > is it to preserve traffic by keeping the click-gravy-train going?

    If that were their intent, I would expect them to release slightly faster, at least one significant document per week.

  • w_t_payne 12 years ago

    click-gravy-train; almost certainly.

  • iaskwhy 12 years ago

    People are probably missing the idea. In the past, like with the WikiLeaks cables, they released all at once and it didn't have that much effect, after one week most countries were already on some other matter. The slow dripping allows this case to continue being discussed after six months. Can't remember this ever happening before with any other subject like the fake article on Saddam's WMD, the CIA flights and torture cases, etc.

    Given what we currently know about the human mind and how people react to news I expect this to be the future way of releasing highly critical information.

  • hga 12 years ago

    It sure looks like it could be strategic.

    The "taps foreign heads of state" et al. really drew blood, e.g. DiFi shocked the intelligence community for doing a public about face.

    Presumably because monitoring us proles is just fine with her, but other members of the international elite? That's beyond the pale, and I don't assume her call for a "top-to-bottom review of U.S. spy programs" is to do anything more than find out other such elite embarrassments.

    BUT, to the extent the above is not true, or is making this Total Surveillance State toxic, now's a good time to drop this tidbit.

  • mef 12 years ago

    By releasing the documents in this order, they give government officials just enough rope to hang themselves by prompting them to defend themselves by making statements about what they do and do not do, and then releasing new documents directly contradicting those statements.

    In a weird way, it actually motivates them to tell the "whole truth" because they don't know what documents will be released later so they don't know what lies to tell.

    • cromwellian 12 years ago

      Yea, but as collateral damage, the rope hung the tech companies and damaged their brands by who knows how much.

      • selmnoo 12 years ago

        They deserve to have their brands damaged.

        They didn't do their due diligence in encrypting data going through leased fibers -- they should have had the foresight to realize what a phenomenally bad thing this was. They didn't, hence why I'll never trust them again.

        • cromwellian 12 years ago

          Do you also blame your car company when a thief breaks into it? Do you never trust banks again if a bank robbery happens? They were working on it, but full-on encryption everywhere within your internal network is expensive, and one tends to not imagine that buried dark fiber is dug up and tapped by one's own government.

          Let's say that they encrypted everything, and then you learn the NSA had kidnapped the children of one of their network engineers and forced him to turn over some keys. Again, whose brand deserves to be damaged here, the company, or the immoral nation state with vast military industrial resources at its disposal?

          Why do I sometimes get the feeling that people specifically want to hate on these companies when the real outrage should be for the government spooks.

          • selmnoo 12 years ago

            What an unbelievably stupid line of thinking.

            Kidnapped their children? Get a hold of yourself here. Google is a tech company, it is a perfectly reasonable expectation that they get the big parts of their security model right. Not encrypting data going through leased (or even their own) fibers? Big, big mistake. NSA and US government aside, Google dropped the ball big-time here.

            > Why do I sometimes get the feeling that people specifically want to hate on these companies when the real outrage should be for the government spooks.

            Funny you say that. Because I was pretty much a Google fanboy before all of this happened (oh, and their recent changes wrt privacy policies). I am very angry at the government, but that is a separate issue.

            • cromwellian 12 years ago

              Security is based on threat model. The spooks have capabilities that far exceed the threat models most companies assume from private blackhats. You think it is obvious to assume in hindsight that the government would dig up and tap your dark fiber, but you don't think it obvious the government would plant spies to do inside-the-data-center taps. Now what? Encrypt all data between switches? The Soviets didn't think their undersea cables could be tapped either, and no one can claim they were insufficiently paranoid.

              My point is, I don't want Silicon Valley in an arms race with the US government. The government is supposed to protect its citizens and companies, not work to undermine them. Google is working on rolling out better security, just like they eventually rolled out SSL everywhere before most other companies. They are at the forefront on this, but it still takes time and costs money. But even though they are spending time and resources on this, I would still like the US government to cut it out.

              • selmnoo 12 years ago

                I'm not getting through to you.

                At the end of the day, Google lost. To a considerable extent, cloud lost. People who were trusting Google with their data lost. What is ostensibly true at this point is that Google could have done something to have prevented this. All else is immaterial. Just like I would expect to lose business if I made a mistake and had data compromised (because doing X and Y was too difficult or too costly for me to do, because it was 'outside' my control, because I was too inept, or whatever else), Google should expect to lose some business the same way. If security is based on a threat model -- and it eventually loses, it was bad security.

                • cromwellian 12 years ago

                  Well, it would help if you would write in a way that is not insulting and condescending.

                  There's no "if" about it. All security is based on threat model, the lock on your front door is based on the threat of the average criminal, and not Watergate burglars. Are you guilty of bad security? Is it your fault if your front door lock gets picked because you made assumptions about the sophistication of your attacker?

                  You originally said "I'll never trust them again", but that begs the question, just who will you trust? Unless you are using end-to-end encryption with everyone, there is no way to secure against NSA interception, and pretty much all of Google's cloud competitors are actually worse in terms of deployed security. And assuming end-to-end is secure is basically just assuming a threat model where the NSA or Chinese government can't plant infected firmware or hardware in your devices.

                  • selmnoo 12 years ago

                    How about not musing out loud that people who are criticizing companies just "want to hate on these companies", if you're entertaining the idea of not being insulting and condescending.

                    Google is a company that's been leading the way to get everyone on the cloud. It turns out what it's also been doing is making mass surveillance massively easy due to poor security practices. One individual having bad locks is not analogous to what is at play here. You keep suggesting that Google should get a free pass because the adversary in this case was too sophisticated of a player: no, that does not matter, that is an excuse. Don't give me excuses. Google makes billions, it should simply have done a better job. Your earlier post took issue with Google's brand being tarnished unfairly, this is what I'm talking about to you right now, so the question of just 'who' I will trust is not very relevant.

                    To answer your question anyway: basically I'm going to pull away from the cloud as much as I can. No more google apps for me, no more gmail, no more anything where I end up putting my personal data or my clients' data anywhere but on my dedicated servers -- and using end-to-end encryption when any data needs to travel out. That does not remove the possibility of getting compromised, it just mitigates it.

                    • cromwellian 12 years ago

                      I don't think there are many people who disagree with me that there's been a huge amount of unwarranted snark recently. The uProxy release for example. Don't compare that with using words like "stupid".

                      > no more anything where I end up putting my personal data or my clients' data anywhere but on my dedicated servers

                      The probability that your servers would be compromised by actual damaging threats (hackers, malware, viruses, botnets) is far higher than that of Google, so I hope if your servers get hacked, you will similarly berate yourself and not make excuses that you should have done better and spent 10x more security than you are now. How many actual penetrations have occurred of Google infrastructure where thieves (not government) made off with actual information that they'd put to damaging use, vs that of other smaller hosts? Everything you do has tradeoffs.

                      You keep making hand wave arguments about what Google could have or should have done, again, totally points about the threat models and historical context. When this program started, by some accounts in 2007, the vast majority of Web traffic wasn't even secured by HTTPS, no one was using channel-ID or forward security, and the majority of SMTP traffic was not protected by TLS. In fact, even today, only 50% of email traffic is TLS protected. In 2007, fewer Google services were probably multi-datacenter replicated as well. Encrypting the dark fiber would have been useless back then when the front door was left unlocked.

                      So, let's try to imagine a hypothetical conversation of some security engineers when new data centers got set up for replication:

                      Engineer #1: Dude, we should encrypt traffic on our inter-DC traffic.

                      Engineer #2: It's a buried dark fiber.

                      Engineer #1: Yeah, but the NSA could dig it up and tap it.

                      Engineer #2: That's illegal, and besides, it's a theoretical threat. We have a bigger practical threat, right now, anyone could just tap all front-end traffic, because most incoming user traffic is not HTTPS.

                      Engineer #1: You're right, let's get everyone on HTTPS first. Let's upgrade browsers, and Chrome, with better cipher suites. Let's add Channel-ID. Let's try to get SMTP users to use TLS.

                      The point isn't about excuses, it's about understanding at each point in time, what the weakest link in the chain is. The NSA taps of your email traffic might be worrisome, but the reality is, the Russians slurping up your credit cards, passwords, and doing MITM's to install botnets have far greater, actual practical damaging effects on you and your customers.

                      In an ideal world, everything would be secured against all possible attacks from day one, but internet infrastructure is rarely ideal. I started on the internet in the 80s in an era with zero encryption and where many services didn't even have passwords. We have gradually made things more and more secure, but getting there is going to take time. It's unfortunate that Google's efforts to secure its fiber didn't happen a few years earlier, but if they did happen a few years earlier, it wouldn't have made a difference, because upstream attacks were far more effective back then.

              • shn 12 years ago

                What if that government who could tap into fiber was not US government? I think any communication outside the confines of corporate buildings should be encrypted.

            • pestaa 12 years ago

              Why would they have treated their own fibers as untrustworthy?

              • selmnoo 12 years ago

                As has been pointed out, Google owns a lot of fiber. When you have stuff that spans thousands of miles, there's a very real possibility that a bad actor can try to tap into it.

                Apparently even tapping undersea cables is not as challenging as some think, according to Kapela: http://motherboard.vice.com/blog/undersea-cable-surveillance...

            • raldi 12 years ago

              > What an unbelievably stupid line of thinking.

              Sentences like that have no place on HN.

              > Kidnapped their children? Get a hold of yourself here.

              It's supposed to be an extreme example. He's trying to probe your boundaries -- if you'd forgive them in the kidnapping example, he could then name a somewhat less extreme example, like if the CIA had broken into a Googler's home to plant a recording device.

              But, since you totally dodged the question, the opportunity was missed.

          • mindslight 12 years ago

            > Why do I sometimes get the feeling that people specifically want to hate on these companies

            Because they promote themselves as tech-based companies, yet abdicated their professional duty to design secure systems because insecurity makes for easier monetization.

            You would very much blame a car manufacturer when it turned out that all of its cars were keyed the same.

            • cromwellian 12 years ago

              There is no such thing as a secure system, there is only conditional security. And what does unencrypted internal network traffic within a company have to do with monetization?

              Pretty much all regular door locks on the majority of homes in the US are pickable. Have you installed an unpickable lock on your home?

        • toomuchtodo 12 years ago

          Supposedly the US government is tapping fiber they own. Would you fault someone for not having security between rooms in their home?

        • madaxe 12 years ago

          They also gave the NSA and co. front-door access, and probably knew about the back-door access, but couldn't do anything about it.

      • obstacle1 12 years ago

        It may be the case that the tech companies need to have their brands damaged for the greater good, at this point. If it turns out that G and Y are operating in an environment (USA) where a rogue government endangers consumers and prevents legit business from being done, G and Y need to either remove themselves from that environment or fall.

  • orblivion 12 years ago

    Here's an argument: assuming the worst suspicions, Google and the others are complicit in PRISM, so they deserve our scrutiny here. If this one were dumped at the same time, since Google was blindsided by this, people might forget to scrutinize Google for a while.

    • cromwellian 12 years ago

      There's a difference between assuming the worst, and having evidence on your desk that refutes your own assumptions.

      • Oculus 12 years ago

        Don't forget the difference between possessing mountains of documents and having the right documents on your desk.

      • Bluestrike2 12 years ago

        In what way were previous disclosures refuted? PRISM and MUSCULAR aren't mutually exclusive.

  • brown9-2 12 years ago

    Imagine you come into possession of tens of thousands of documents covering material and terminology that you barely understand. That is going to take months to work through, even before you consider that you would want to keep access to the documents/information limited to a small group of people that could help you work through it.

  • shazow 12 years ago

    I have no internal knowledge about this, but influenced by this Twitter thread[0] I would speculate that Greenwald and friends gave Google (and whoever else) advance notice and the opportunity to react to it before publishing. Responsible disclosure, and all that (not that it really applies in this case, but still).

    [0] https://twitter.com/ioerror/status/395636984313413632

cs702 12 years ago

Wow.

Years ago, I remember reading Richard Stallman's "How I do my computing"[1], an essay in which he explains why he usually does not connect to any websites from his own machine, downloads web pages from a headless browser running in some server, does not have any user accounts for any web applications, does not buy anything over the Internet ever, does not use any social networking sites, and otherwise abstains from using the Internet like most normal human beings.

"Jeez, that's way too paranoid," I remember thinking.

It turns out Stallman was just (far) ahead of his time -- as usual.

--

[1] http://stallman.org/stallman-computing.html

  • lazyjones 12 years ago

    > It turns out Stallman was just (far) ahead of his time -- as usual.

    Indeed, and it was always obvious if you took security seriously instead of regarding it as a game of probabilities and trade-offs where convenience wins.

    As we are being pulled very strongly towards a future where everything and everyone is connected all the time, we should really consider such radical approaches again and how to make them more convenient for "normal" people.

    • chflamplighter 12 years ago

      "game of probabilities and trade-offs where convenience wins" that is it in a nutshell, well said.

  • driverdan 12 years ago

    > Jeez, that's way too paranoid

    Of course it is, it's ridiculous. What the NSA is doing is despicable but why would that keep you from creating a user account or viewing a webpage from your computer?

    • yuvadam 12 years ago

      Because some users do not have the privilege of doing even such rudimentary tasks, without the danger of being persecuted, prosecuted or worse by the tyrant regime they happen to be living under.

      • cortesoft 12 years ago

        Right, but Richard Stallman is not one of those people.

        • serf 12 years ago

          Right, but the idea is that if enough people with Stallman methodologies emerge, then the services that cater to those people must adapt or fail.

          It's the same concept as 'voting with your dollar'. It works, he just chose a set of methodologies that are unlikely to become popular enough to change things.

          But the fact that we are discussing him & his methodologies in relationship to security is exactly his goal. He isn't advocating for everyone to emulate his ideas of how to use the internet, he is advocating the idea that people must truly think about what the repercussions of their usage actually entail.

          rms experienced the sixties. That might be a significant factor in his choice of protest. Hell, he even relates DoS attacks to modern day sit-ins.

  • ilyanep 12 years ago

    Any amount of paranoid ridiculousness can be justified after the fact by some sort of big incident. It's how we justify the PATRIOT act after 9/11 and how one might justify Stallman's actions after the NSA leaks. That doesn't make it any less ridiculous to go to such radical measures.

    We could just shut off the Internet entirely and force everyone to walk around naked lest they strap a bomb to themselves.

    • e12e 12 years ago

      Well, that Stallman page is copyright 2006, which is after the Stellar Wind story broke: http://www.nytimes.com/2005/12/16/politics/16program.html?pa...

      As for not believing intelligence services attempted to monitor the Internet prior to that story -- that would have been just silly. If they didn't they wouldn't be doing their (illegal) job.

  • failsauce 12 years ago

    > It turns out Stallman was just (far) ahead of his time -- as usual.

    Indeed, maybe more so than we think. I remember hearing he didn't have a cell phone either.

jakewalker 12 years ago

If that graphic - that taunting smiley face, drawn when it was assumed that no one was watching - isn't enough to outrage the general public, I don't know what it will take. This is not super technical - it's easily explained and should be easily understood by the masses. And it should cause outrage.

  • betterunix 12 years ago

    You know what would outrage the public? ESPN being shut down. Most people do not actually care about their privacy. Even if everyone had the technical chops needed to understand what has been happening, most people never spend much time contemplating the importance of privacy rights.

    • dmix 12 years ago

      > people do not actually care about their privacy

      This is 100% accurate, I've attempted to aggressively promote privacy tools well before the NSA/Snowden stuff among the people I know. They still don't care to use simple things like OTR with IM. They might use it for one week, and switch back.

      Journalists/tech sites love making this seem like the biggest deal in society right now, but hardly the case in reality.

      I'm not sure if it's an intellectual/knowledge gap (lack of technical knowledge), laziness, lack of good design in crypto tools, or just generally not caring about their privacy (until it becomes to hit them in the face).

      • betterunix 12 years ago

        I think it is part of a more general problem: people do not spend much time thinking about the importance of any of their rights. Nobody wants to hear that a terrorist attack was successful or that a criminal walked free for the sake of their civil rights -- rights are abstract, terrorists and criminals are threats to our children and whatnot. Look at what people say about free speech rights, how quickly everyone parrots the quote about shouting fire in a crowded theater (most people have never bothered to look into the Schenck case, they just know that one phrase). People have even managed to say that habeas corpus rights are problematic.

        Privacy rights are too abstract for most people to bother with. After all, they have nothing to hide, only criminals and terrorists would bother hiding anything (or so the thinking goes).

        • dmix 12 years ago

          It is possible our (UK/Canada/USA/etc) societies' pursuit of comfort/safety has descended into what Nietzsche calls the "last man".

          > the antithesis of the imagined superior being. The last man is tired of life, takes no risks, and seeks only comfort and security.

          > Nietzsche said that the society of the last man would be too barren to support the growth of great individuals. The last man is possible only by mankind's having bred an apathetic creature who has no great passion or commitment, who is unable to dream, who merely earns his living and keeps warm. The last men claim to have discovered happiness, but blink every time they say so.

          https://en.wikipedia.org/wiki/Last_man

          The last man trades their rights and freedoms away for security and comfort.

          • nanidin 12 years ago

            Sounds like happy/content people to me.

            • dmix 12 years ago

              > The last men claim to have discovered happiness, but blink every time they say so.

      • hengheng 12 years ago

        If tools for private communication weren't 10-20 years behind sending digital postcards on facebook.com, I'd use them more consistently too. I am tech savvy yet most crypto tools don't seem to be made for me.

        I have seen OTR fail in the most colorful ways, with and without error messages, and mostly with cryptic error messages. I have seen half a dozen IM clients forget messages, forget alerts, fail to deliver messages, disable alerts for other clients, mess up their contact list, mess up the service's contact list and mess up contact groups. Needless to say my experience didn't last more than a week.

      • hysan 12 years ago

        I think it has to do with "privacy" being a general word that means many things; some of which people care about, some they don't. As much as I hate how politicians/lobbyists/etc. do this, I think a better way to get people to respond and care about the issue is to label it differently. For example, instead of saying "privacy", say "your credit card and bank info is compromised/stolen". Or that your "identity / SSN is at risk". Or perhaps that all your "passwords are leaked". Yes, this is less accurate and is a fear mongering tactic, but it is done to death in the US government with effective results.

        • gizzlon 12 years ago

          What about: Your most intimate moment broadcasted to a bunch of geeks at NSA

    • Zelphyr 12 years ago

      > You know what would outrage the public? ESPN being shut down.

      No better way to state it. Our government is fucking us with our pants on but we're too distracted (by people getting paid hundreds of millions of dollars to throw a fucking ball around) to care.

      • f1nch3r 12 years ago

        I bet if ESPN and shows like American Idol, etc. were knocked offline until we got our government back on track things would get done pretty fast.

        • hsod 12 years ago

          The contempt you guys show for millions and millions of people because they prioritize privacy differently from you is really distasteful.

          • Zelphyr 12 years ago

            You're in your condo and not only is the roof structurally unsound but the HOA keeps walking around on it holding umbrellas to protect you and the other residents from the rain.

            Meanwhile, most of your neighbors are focused on their own lives, and the lives of the people they'd rather watch on TV.

            That roof IS going to collapse. It's just a matter of when. Would you too not have contempt for the priorities of your neighbors?

        • grecy 12 years ago

          But do you want things to get done fast?

          The Patriot Act was done fast, and we can see what kind of mess that is.

      • xal 12 years ago
        • jmagoon 12 years ago

          Love this, had never heard of it before. My generation drives me mad. 20-30 year olds whose major pursuit in life is frivolity, who complain when they don't have the jobs necessary for them to pursue their frivolity.

          We're beyond this: "I must study politics and war, that our sons may have liberty to study mathematics and philosophy. Our sons ought to study mathematics and philosophy, geography, natural history and naval architecture, navigation, commerce and agriculture in order to give their children a right to study painting, poetry, music, architecture, statuary, tapestry and porcelain." And have reached a point where the majority of people spend their time in bread and circuses. God damn it.

      • caseydurfee 12 years ago

        Why the contempt for professional sports?

        Given that geeks are more likely to fix this stuff, why not talk about blocking hacker news, twitch.tv and reddit? What about political sites Politico, Huffington Post, Slate, that treat politics like sports -- who "won the morning", who's going to win Iowa in 2016, etc., deserve a lot more blame for people's political ignorance and apathy than a site that treats sports like sports.

        It's a quintessentially American view, though -- my pleasures are above reproach, while yours mark you as a cretin. Nobody who likes things you don't like could be smart!

    • wmeredith 12 years ago

      You know what would outrage the public? Having any of this affect them directly in any tangible way. It doesn't. So they don't care.

  • BigTuna 12 years ago

    If people were going to get outraged about that, they would have burned the country to the ground when they learned that several NSA operations were given Civil War battles for codenames. You know, the only war where Americans have ever been our own enemy.

  • MrZongle2 12 years ago

    It should, but it probably won't.

    But the smiley is particularly infuriating, because it embodies the mindset behind this domestic spying: "we're better than you, we're smarter than you, and you can't do a damn thing about it, peons."

    • obstacle1 12 years ago

      > "we're better than you, we're smarter than you, and you can't do a damn thing about it, peons."

      What if that is actually true? I know it's a repulsive angle to think about, but is it possible? Maybe we've hit on a fundamental flaw in democracy and democratic-like political systems here. Maybe Plato was more correct than we'd like to think.

      • spin 12 years ago

        Personally, I don't read that much into it. I see it as: some geek is proud of this technical accomplishment (in an a-moral way). Perhaps he/she even gets a kick about "getting away with something naughty"...

        (I do find it sickeningly arrogant, though.)

  • timdiggerm 12 years ago

    Where you see a taunting smiley, I see a developer who's just happy to have made a breakthrough on his project.

    • jMyles 12 years ago

      His abhorrent project. This is not something to be proud of. Being a professional means answering to a set of ethics before acting like a kindergartner who's proud of his macaroni picture.

      • timdiggerm 12 years ago

        Right, but obviously his ethics and your ethics do not match.

    • Wingman4l7 12 years ago

      Makes me think about the guys who built the atomic bomb -- people doing [potentially] amoral things because they find the problems they're solving more fascinating than the practical implications.

  • njharman 12 years ago

    I actually assumed and tried to verify really hard that that was the original slide and not "artists concept". I just can't believe someone would present that. Beyond the hubris (which is literally unbelievable ref first sentence for my disbelief), it's just unprofessional and childish.

pvnick 12 years ago

Periodically, especially when a new report like this one comes out, I like to go back and watch the original Snowden interview (http://www.youtube.com/watch?v=5yB3n9fu-rM) and reflect on the differences between what we knew vs what we now know. When I first watched the video, it brought tears to my eyes and I try to remember that so I don't get desensitized to the magnitude of these revelations. I respect the man more and more every day.

DanielBMarkham 12 years ago

Meta remark, somewhat snarky: I would like to know at what point do all the HN'ers making fun of those libertarians among us concerned with security -- I believe over a period of months we were called "tinfoil hat types" and worse -- come back and offer us an apology.

I am not holding my breath.

(Although it's a snarky comment, I didn't make the comment just to snark. The point was to point out that over and over again, the folks who are concerned about government encroachment are made fun of, put down, and lampooned to a great degree. More often than not, these concerns turn out to be true. In most cases this happens long after the debate has died down. This is an important lesson from history that we all would do well to learn. This story has a lot more facets to it than just the NSA/USA angle)

  • selmnoo 12 years ago

    As someone who routinely makes fun of libertarians, let me assure you this is not what we (or I) make fun of libertarians for. Lots of progressive-oriented folks I know are at the forefront protesting these things. Hell, Richard Stallman -- the man who's been all about resisting the cloud even before a lot of us were born -- is a self-alleged Green Party affiliate.

  • neilk 12 years ago

    It matters not that you were right, but why you were right. If someone says they knew about the NSA taps because they were in cahoots with aliens, obviously they don't get credit.

    I don't know what your politics are in general, so I can't criticize them.

    But, in my experience, American capitalist libertarians are - in general - united not by a love of liberty, but a hatred of government. And that narrative, I think, does not have much predictive power. It vaguely fits the NSA case, but is harder to sustain when it comes to things like socialized medicine.

    P.S. That said, I've learned a lot from libertarians, especially in their skepticism; sometimes doing nothing is the best strategy and sometimes the existence of a government agency is the problem. And it's inspired me to read authors like Hayek, who I respect a lot. But the modern movements seem to be more inspired by Rand than Hayek. Rand's narrative is that government is a conspiracy by the weak to oppress the strong, which I find ludicrous.

matthewmcg 12 years ago

From the article: "Two engineers with close ties to Google exploded in profanity when they saw the drawing."

That about sums up my reaction as well.

  • w_t_payne 12 years ago

    Yup. Google got royally screwed by the NSA.

than 12 years ago

Gen. Keith Alexander, asked about it at a Bloomberg event, denied the accusations.

"I don't know what the report is," Alexander cautioned, adding the NSA does not "have access to Google servers, Yahoo servers." He said the NSA is "not authorized" to do this, and instead, must "go through a court process."

http://www.politico.com/story/2013/10/keith-alexander-nsa-re...

  • robterrell 12 years ago

    Nothing he said actually responds to the allegations.

    • dragonwriter 12 years ago

      Specifically, he denies direct NSA access to the systems, and says that NSA would need to use a court process to gain such access, but the report is that the UK's GCHQ is actually tapping the systems and the GCHQ is sharing the captured data with NSA.

      • gknoy 12 years ago

        More importantly, he was never asked if they had access to the information passing _between_ datacenters, and so his reply was technically correct. "We don't collect that under this program", "We don't have access to those _servers_", etc (emphasis added).

        Politicians are often adept at replying very carefully to questioning by congress or courts so that they can be entirely truthful when answering your questions, all while avoiding telling you what you really needed to know because you never asked the right question.

  • msg 12 years ago

    A lot hinges on the definition of "servers" being used. And how the question was put to Alexander. If there's even one alternate interpretation he can say No. Another non-denial denial. He is talking at lawyer-level now. This level of detail is not present in the Politico story.

    Not that he would say Yes if we asked in the right way!

  • ceejayoz 12 years ago

    That's a potentially perfectly accurate statement that doesn't in any way refute the story. The leak indicates they have access to the fiber lines between datacenters, not the servers themselves.

    • mpyne 12 years ago

      Also, it's GCHQ that broke in, no?

  • nolok 12 years ago

    Well given how many times he has been found lying, ...

  • alternize 12 years ago

    while they might not have access to the "Google servers", it now is almost certain they have access to the "Google network" (i.e. fiber cable access). as seen in previous reports, intercepting sea fiber optic traffic between continents seems something the NSA has mastered...

    • dragonwriter 12 years ago

      > while they might not have access to the "Google servers", it now is almost certain they have access to the "Google network" (i.e. fiber cable access).

      If the article is correct, the NSA does not have that. What they have is an agreement that they can submit search terms and get matching data from a system operated by their British counterpart, GCHQ.

      It is GCHQ who, per the article, has a direct tap somewhere inside Google's unencrypted datacenter-to-datacenter communications network.

      • panarky 12 years ago

        There have been reports going back to the Echelon days that the NSA and GCHQ collaborate to evade each nation's laws.

        The idea is that US agencies supply the UK with technology and training, the UK collects sigint in the US with US knowledge, then shares intelligence with US agencies.

        The US reciprocates by spying on UK citizens and sharing the intelligence with UK agencies.

        That way US agencies can say they don't spy on innocent Americans on US soil. But it's just another elaborate deception.

  • MrZongle2 12 years ago

    Alexander is but one of many Wormtongues striving to bring down Rohan.

  • lazyjones 12 years ago

    Since he seems to be a pathological liar, how about some waterboarding to help his memory? I'm sure we could clear up any misconceptions about the NSA's activities quickly with this officially-sanctioned (at least by former officials) method of "interrogation", which the US has applied many times in the past (allegedly with great success and little regret).

    • jlgreco 12 years ago

      Don't waterboard him, and he'll tell you whatever he wants you to hear. Waterboard him, and he'll tell you whatever you want to hear.

      Questioning him, under any circumstances, is useless. We need to get rid of him instead, and perform an independent investigation. However the circumstances under which such an independent investigation would be useful are limited. When East Germany started to fall, the Stasi started shredding everything they could get their hands on; organizations like this don't allow evidence to survive.

gohrt 12 years ago

I hope that this finally convinces everyone that it doesn't matter whether Google is "Evil" or Yahoo is more evil or whatever. What matters is that large cloud systems are fundamentally incapable of protecting data.

Even the most goodhearted and the most talented teams can't reliably defend against a massively funded adversary.

Secrets are for keeping, not sharing.

  • atonse 12 years ago

    Well, I don't think it's that easy.

    If the NSA wanted your data, they could get into your network probably easier than they could get into Google's networks. Companies like Google have way smarter people (and working full time) securing data than most businesses.

    For us to secure our networks as much as someone like Google would, we'd have to have a team of the best hackers around.

    And by definition, the best hackers around are scarce. They're already working for Google, etc, and X Y Z security company.

    • jumby 12 years ago

      "They're already working for Google, etc, and X Y Z security company."

      And the NSA, apparently.

    • scrrr 12 years ago

      .. and then google gets a letter with a request from the government, opens its data-centers and lies to its customers. It's not that easy your way, either..

    • thyrsus 12 years ago

      Not exactly. Think of this analogy: the NSA built an enormously expensive sieve net to fish the entire Pacific Ocean (Google). While the Pacific may be deeper and wider than your innocuous little lagoon, that lagoon probably hasn't attracted the attention of the NSA. If you think the attention of the NSA is going to be a problem for your dealings, hiring very expensive security talent is necessary to your business plan.

      • atonse 12 years ago

        Sure, but in that cat and mouse game between Google and the NSA, Google might actually have a chance. From what tptacek has said above about the kind of stuff Google's been doing (SSL with EC and perfect forward secrecy, etc), they're actually able to make it difficult for the NSA.

        Plus, in the world of "I can sift through terabytes of data in seconds" even a little lagoon isn't too little.

    • kylec 12 years ago

      Google may have better security, but they're also a much, much larger target. Wiretapping Google gives you access to the private data of Google's millions and millions of users, whereas gaining access to my network gets you access to… me. As long as there's a non-trivial fixed cost to attacking a host or a network, there's an advantage to hosting your own data.

      While it's possible that the NSA has a system to automatically detect and wiretap hosts and private networks connected to the internet, it seems unlikely to not have been detected so far. I've taken to assuming that every packet sent and received from my servers is being monitored, but that, barring specific interest in me by the NSA, the servers themselves are reasonably private.

    • looney 12 years ago

      You'd think that but that's not actually true. Google's infrastructure is way too big to be completely secure. There are several ways to penetrate Google's network.

      I know some of the people in the security team and they are pretty good, but arrogance will be their undoing.

      Google has an internal team called the Orange Team that performs security audits and, so far, they have always been successful in penetrating Google's network. If they can, what makes you think the NSA hasn't done that already?

  • bo1024 12 years ago

    > What matters is that large cloud systems are fundamentally incapable of protecting data.

    I don't believe that's true.

    1. Google (and others?) is already aggressively increasing the amount of encryption it does on traffic between its datacenters. So they have been addressing this problem before it was even brought to light.

    2. We easily have the encryption abilities to do many more things than we do with secure cloud data; we'd just have to pay more for it. For instance, I can encrypt everything the minute it leaves my laptop, store it in the cloud, and not decrypt until it hits my laptop again. Nobody but me ever gets the secret key (heck, it could be a one-time-pad and thus unbreakable). If I trust the cloud computers themselves, then I can store different secret keys on each and use strong public-key encryption to protect all traffic between different machines in the cloud, and between my machine. Breaking the system requires compromising a machine, and even then you only get the key for that machine.

    3. In theory, fully homomorphic encryption could allow the best of both worlds above. I completely encrypt my data on my machine --- nobody else has the key --- then send it into the cloud where cloud companies can do operations for me like searching, sorting, filtering, etc, all without ever decrypting the data or learning what it is. They send me back the results (securely), then I decrypt. Of course, right now this would be massively slow and expensive, but progress is being made.

    Naturally all of the above are subject to the "5-dollar wrench" rule or the "secret court/FISA/warrants" rule. You cannot protect your data from the people making a law that says "give up your data". But it is technologically possible and even feasible to secure data from the NSA's snooping. The tradeoff is cost and time.

    • acqq 12 years ago

      If you would use one-time-pad before storing to the cloud you'd either need to store the very same pad on the cloud, then effectively not needing encryption, or you wouldn't need the cloud, as the amount of the encrypted data would match the amount of the pad data one to one.

      And homomorphic encryption is still far from being practical.

      • bo1024 12 years ago

        Sure, one would more realistically use any standard encryption scheme. Agreed on homomorphic encryption as mentioned in my previous comment. But "impractical" is a far cry from "fundamentally impossible".

        • acqq 12 years ago

          Impractical is in the sense "nobody can actually use it, only the papers are written about it." Practically impossible to use.

          • bo1024 12 years ago

            A lot of things that were practically impossible 50 (or even 5) years ago are commonplace today.

            • acqq 12 years ago

              That doesn't change the fact that nobody today can use homomorphic encryption, contrary to your claim.

              • bo1024 12 years ago

                I did not mean to make any such claim (hence the phrase, "in theory"). I was responding to the statement that "large cloud systems are fundamentally incapable of protecting data" by pointing out that, in theory, they are.

    • BillyMaize 12 years ago

      >In theory, fully homomorphic encryption could allow the best of both worlds above. I completely encrypt my data on my machine --- nobody else has the key --- then send it into the cloud where cloud companies can do operations for me like searching, sorting, filtering, etc, all without ever decrypting the data or learning what it is.

      Can you explain this to me? I don't understand how you can search encrypted data.

      • bo1024 12 years ago

        It's mind-boggling, but possible. Here's the wikipedia link: http://en.wikipedia.org/wiki/Homomorphic_encryption

        The idea is this: I encrypt my data and give it to the cloud. I also encrypt the algorithm I want the cloud to use. In this case, it could be a search algorithm with the search query hardcoded. Right now, it would have to be encoded as a circuit and then encrypted from there into a different circuit.

        The cloud runs my encrypted data through this "transformed" circuit, yielding some encrypted output. The cloud tells me the output. I then decrypt it with my original key.

        It's crazy that this works (longstanding open problem solved in 2005 or 06 I think). The name "homomorphic" comes from functions f, like homomorphisms, in which "order doesn't matter":

            f(data) = f(Decrypt(Encrypt(data))) = Decrypt(f(Encrypt(data))).
        

        Hope that makes some sense.
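An added example (not part of the comment above) of the identity f(data) = Decrypt(f(Encrypt(data))), using the Paillier cryptosystem. Paillier is only additively homomorphic, so the "cloud" here can compute weighted sums but not arbitrary circuits as a fully homomorphic scheme would; the function names and the toy key size are assumptions made for this sketch.

```python
import math
import secrets


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits=512):
    """Client: return (public modulus n, private (lam, mu)). Toy-sized default."""
    p = _random_prime(bits // 2)
    q = _random_prime(bits // 2)
    while q == p:
        q = _random_prime(bits // 2)
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # valid because the generator is fixed to g = n + 1
    return n, (lam, mu)


def encrypt(n, m):
    """Anyone with the public key: c = (1 + n)^m * r^n mod n^2, r random."""
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """Client only: recover m from c with the private key."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def cloud_weighted_sum(n, ciphertexts, weights):
    """Cloud: compute Enc(sum(w_i * x_i)) from Enc(x_i) without any key.

    Multiplying ciphertexts adds plaintexts; raising a ciphertext to a
    non-negative integer w multiplies its plaintext by w.
    """
    n2 = n * n
    acc = encrypt(n, 0)  # fresh encryption of zero as the running total
    for c, w in zip(ciphertexts, weights):
        acc = acc * pow(c, w, n2) % n2
    return acc


if __name__ == "__main__":
    n, priv = keygen()
    data = [120, 45, 300]      # constructed sample values held by the client
    weights = [3, 0, 2]        # the function f the cloud is asked to apply
    uploaded = [encrypt(n, x) for x in data]
    result = cloud_weighted_sum(n, uploaded, weights)
    print("f(data) computed in the clear:", sum(w * x for w, x in zip(weights, data)))
    print("Decrypt(f(Encrypt(data)))    :", decrypt(n, priv, result))
```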

        • BillyMaize 12 years ago

          Ah yes now it seems obvious, thanks.

      • cromwellian 12 years ago

        You don't need full homomorphic encryption to do encrypted search, look up PKES systems, there's tons of papers on it now (http://crypto.stanford.edu/~dabo/abstracts/encsearch.html). It's possible to do encrypted keyword search with trapdoor functions in such a way that the server can't learn anything about what you're searching on, nor what is stored.
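An added sketch (not from the comment or the linked papers) of keyword search through a trapdoor. It is a symmetric-key simplification built on HMAC rather than the public-key schemes the link describes, and every function name is an assumption. The server sees only opaque tags and tokens, but it still learns which document ids match a token and when a token repeats.

```python
import hashlib
import hmac
import re
import secrets

TAG_LEN = 32  # bytes in one HMAC-SHA256 tag


def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def trapdoor(key, keyword):
    """Client: derive the search token for one keyword from the secret key."""
    return _prf(key, b"kw:" + keyword.lower().encode("utf-8"))


def build_index(key, docs, pad_to=16):
    """Client: build the index that is uploaded beside the encrypted documents.

    docs maps an opaque document id to its plaintext. Each keyword becomes
    HMAC(trapdoor(keyword), doc_id), so the same word yields unrelated tags in
    different documents. Random dummy tags pad every set to pad_to entries so
    the index does not reveal how many distinct words a document holds.
    """
    index = {}
    for doc_id, text in docs.items():
        words = set(re.findall(r"[a-z0-9]+", text.lower()))
        if len(words) > pad_to:
            raise ValueError("document has more distinct keywords than pad_to")
        tags = {_prf(trapdoor(key, w), doc_id.encode("utf-8")) for w in words}
        while len(tags) < pad_to:
            tags.add(secrets.token_bytes(TAG_LEN))
        index[doc_id] = frozenset(tags)
    return index


def server_search(index, token):
    """Server: test each document against a token without learning the keyword."""
    return sorted(
        doc_id
        for doc_id, tags in index.items()
        if _prf(token, doc_id.encode("utf-8")) in tags
    )


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    # Constructed sample documents; real bodies would be encrypted separately.
    docs = {
        "doc-01": "Quarterly fiber lease renewal",
        "doc-02": "Fiber cut near landing station",
        "doc-03": "Lunch menu for Friday",
    }
    index = build_index(key, docs)
    print(server_search(index, trapdoor(key, "fiber")))      # both fiber documents
    print(server_search(index, trapdoor(key, "submarine")))  # no match
```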

        • anonymousDan 12 years ago

          Are you aware of any vaguely practical systems for a variant of keyword search that just returns whether the keyword was found (e.g. 1 for found, 0 for not found) but with the added requirement that the result must itself be encrypted? I suspect it degenerates to fully homomorphic encryption though.

          • cromwellian 12 years ago

            By result itself, you mean the boolean 1/0 about whether it was found? Yes, I am aware of one I saw some time ago that had additional guarantees, I don't know how practical it was though, but it'll take some searching to find.

notaddicted 12 years ago

I think this is of endgame for network security, I don't see a way out -- the Sony Rootkit[1] should have been the point where I realized but it is just sinking in for me now since the Snowden NSA leak.

Any network connected computer will be running an OS+Applications which are typically a gigabyte or more. This is produced by companies which are beholden to a nation state, and the companies can be coerced[2] or compelled[3] to use the software against the user. The software is also constantly being probed for vulnerabilities, which can also be exploited by law-enforcement / military [4][5].

So, if you turn on auto-update you have to trust the software maker is not being coerced by someone, or being compelled by a secret court to trojan you. If you don't turn on auto-update you can still get trojaned by any vulnerability. Lose-Lose.

[1] Sony Rootkit: http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...

[2] Qwest CEO Nacchio's claims: http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/30...

[3] FISA court

[4] German Govt. Trojan from 2011: http://www.spiegel.de/international/germany/the-world-from-b...

[5] FBI's TOR trojan injection: http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi...

  • CamperBob2 12 years ago

    Agreed. What's funny is we're wondering why people who still buy stuff from Sony don't seem to get outraged about the NSA.

    Nobody ever cares about this stuff until it is way too late.

a3n 12 years ago

> The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process.

1. Spy on whatever the hell you want without benefit of warrant.

2. Discover something interesting.

3. "Parallel construct" a way that the information could have been legally obtained.

4. Get a warrant based on the parallel construction.

5. Profit.

  • toufka 12 years ago

    It's parallel construction all the way down. Discover via extralegal, point mass-capture in that direction, sniff out and send to 'legal' 702 or 215 databases, hint to FBI/DEA buddies, get normal warrant, and now you've got your criminals!

    In that way, killing the 702 or 215 powers really wouldn't do that much, because they can just derive their parallel construction from elsewhere.

mcphilip 12 years ago

I don't see how the pretense that the NSA actively avoids snooping on U.S. citizens can be seriously maintained after this revelation. It's becoming increasingly clear that intelligence agencies want the ability to access all data created directly or indirectly by an arbitrary cyberspace target on demand and will shop around for the "best" (e.g. weakest link in technology and/or legislature) nook of the net to snoop at.

bandushrew 12 years ago

This seems like a good time to remember that Google has been storing wifi access passwords in plain text on its servers, and (presumably) passing them between its data centers.

It can be assumed that as a consequence of google's decision to store passwords in plaintext, the NSA now have access to every wifi access point that has been used by an android device.

This is a massive security breach. I sincerely hope google notifies android users of the problem.

  • malandrew 12 years ago

    The more I see stories like this, the more I wonder why there aren't tools out there that complement something like 1Password, LastPass or KeyPass by rotating passwords for all your devices programmatically. More devices should support SSHing into them for password rotation or some API for frequent password rotation.

    e.g.

    Here's the password for this router, rotate this key every X days, upon rotation, connect to the computers of friends X, Y and Z to notify them of the password update.

    I imagine such a system would require two passwords, one to change the password so only one device is responsible for rotation and a second to share with others so they can access the computing resource in question.

    Alternatively, every device should function with individual passwords for every user. I still get frustrated that wifi only offers one password and doesn't give you the option to give out one password per user. Future wifi protocols should permit a user to try to connect to a wifi and wait until someone approves their access. Approval could be done by visiting the router's IP address and granting access through some form that shows which clients are requesting access at that point in time. Furthermore, the way in which a computer requests access to wifi could be accomplished by having that computer submit its SSH public key to the router.

jimparkins 12 years ago

People will no doubt come on this thread and remind everyone that of course the government always had access - you must have been a fool not to think so. But I just can not get over how angry it makes me. Honestly I thought that using google products with some exploitation of the contents for advertising was an acceptable exchange. This is just a total betrayal and I cannot believe that the Google board is not aware of this! and if it is not it is because they choose to be!

  • betterunix 12 years ago

    This might be a good time to go back and look at what you said to all those cypherpunks who kept talking about the need to build security into Internet protocols from day 1. Whitfield Diffie had pointed out this problem -- that online services could violate user privacy without any technical barriers -- in the 1970s and pointed to it to motivate public key cryptography. Throughout the 90s and 00s people were saying that we should be deploying cryptography more widely, yet these arguments were largely ignored or dismissed.

    So really, this is not about the government. Rather it is about the inherently insecure design of today's email, IM, payment, and social networking systems. While the cryptography research community and the hacker community have proposed numerous solutions, few have worked to deploy such solutions. Worse, many hackers and computer scientists have actively worked against such deployment by building businesses that are monetized by violating user privacy.

    Before talking about your anger, take a moment to think about what you were saying to people 5, 10, or 20 years ago when this topic came up (I am speaking to everyone now, not just jimparkins).

    • dmix 12 years ago

      "You cannot acquire experience by making experiments. You cannot create experience. You must undergo it." - Albert Camus

      The cypherpunk "2.0" generation is here. The adversaries are definitely way more resourceful and ten steps ahead now. So there may be some value in looking back with regret. But it's never too late.

      • pit 12 years ago

        > But it's never too late.

        Upvote for hope.

    • w_t_payne 12 years ago

      Very good point; very well made. Thank you, good sir.

wyck 12 years ago

Is that an official document with an actual smiley face?

What ever happened to the admins / programmers standing up for what is right, or do they just gobble down a paycheck and turn the other way?

  • mhurron 12 years ago

    >Is that an official document with an actual smiley face?

    It's only HN that pretends there is no feeling in professional work.

    • emilsedgh 12 years ago

      Apparently those guys felt good about what they did. That's what's upsetting people.

      • mhurron 12 years ago

        No one sees themselves as a bad guy. Most working at the NSA probably do believe they are protecting the nation.

        Everyone is happy having done a job well. It's just human nature.

        /except on HN, where we are all expected to act like robots.

    • jMyles 12 years ago

      It's the "professional" designation that's the problem. Once you say someone is a "professional," that means that they are part of a "profession," and that they answer to the ethical standards of that profession.

      Sadly, we have doctors force-feeding people at Gitmo, so it's not terribly surprising that there are counter-professionals at the NSA.

  • dombili 12 years ago

    It's not just that either. They seem to enjoy it and think that this is a game. If you're going to violate our basic rights, at least take it seriously, guys.

    • roc 12 years ago

      I wouldn't be surprised if it's just a coping mechanism.

    • brown9-2 12 years ago

      This presumes that those developers are building these systems to go after "our basic rights", instead of believing that they are helping to target terrorists and enemy states.

      What gets lost in a lot of the (justifiable) NSA outrage is the fact that they want all of this technology to enable surveillance of terrorists who use the Internet just like ordinary Americans do. There is really no evidence so far that this massive surveillance apparatus is being used in a widespread way to abusively target Americans.

      Being able to intercept online communication between terrorists and foreign governments in a way that collects zero communications of Americans seems like a really, really hard task.

      • swalkergibson 12 years ago

        The terrorism threat is simply a convenient bogeyman. The probabilities of dying in a random terrorist attack are so infinitesimally small that it is not even worth considering. Ordinary Americans are simply too stupid to really comprehend exactly what is happening here and subscribe to the "well, I don't have anything to hide" type logic. The fact is that the terrorists have won. The American public, due to indifference, is so irrationally afraid of dying in a terrorist attack that our own government is watching our every move under the guise of protecting us from that threat.

        • brown9-2 12 years ago

          So, what types of widespread abusive things is the government doing to American citizens with all this surveillance?

          When you say "convenient bogeyman" it implies that all of this surveillance was built with the express purpose of spying on Americans. I personally believe that to be false, and instead that the massive and overbearing surveillance was built because public officials are so afraid of another massive terrorist attack because the voters are so afraid.

          In other words I agree with your basic observations but not the malicious motives.

          • sfx 12 years ago

            It's a nice thought to believe there isn't malice in the government, but the facts say otherwise. Intelligence laundering to bypass our basic legal rights is a malicious motive[1]. Russ Tice's (NSA whistleblower) interview talking about all the people the NSA targeted (including our president in 2004) is also not only malicious, but terrifying.[2] And as Bill Binney (another NSA whistleblower) has said, we're a "turn key totalitarian state", I'm not sure how one could think a totalitarian state could not be malicious.

            [1] https://www.eff.org/deeplinks/2013/08/dea-and-nsa-team-intel... [2] http://en.wikipedia.org/wiki/Russ_Tice

          • swalkergibson 12 years ago

            Does erosion of the 4th Amendment to the Constitution count as widespread abuse? It does to me. Continuing down the slippery slope leads to things like parallel construction, as the previous poster mentioned.

            As for public officials and voters and terrorism, I give you this:

            > Representative Howard "Buck" McKeon, R-Calif., has received $526,600 from defense contractors and other defense industry interests, more than any other member of the House. He voted to continue the programs.

            Source: http://www.presstv.com/detail/2013/07/29/316197/pronsa-congr...

            I will leave you to draw your own conclusions about what that article is saying. I take it to mean that it costs $526,000 to get what I want from that guy.

      • a3n 12 years ago

        > There is really no evidence so far that this massive surveillance apparatus is being used in a widespread way to abusively target Americans.

        Widespread? Maybe not strictly widespread, but it is being abused. There was that guy recently, I forget the beef the government had with him, they couldn't justify a warrant to search his laptop, so they just waited for him to travel. They put a flag on him, and when he came up registered to fly out of the country they seized and searched his laptop when he crossed back in through the no rights zone, AKA the border.

        Everything accelerates, and if it isn't yet "widespread," it will be. It's certainly being done more than zero times.

  • burntsushi 12 years ago

    This question implies they know what they're doing is wrong.

    If they think they're protecting their country---including their families and friends---then it's easy to imagine how they wouldn't have a problem with this.

  • maurits 12 years ago

    Because people compartmentalise and so for engineers this is most probably not a political thing but just an interesting difficult problem that is fun to work hard on.

  • eli 12 years ago

    Privacy issues aside, getting paid to hack into big important systems sounds like it could be a job many people would enjoy.

  • frozenport 12 years ago

    `cat /dev/internet0 | grep -i 'Terrorists'` and then it doesn't sound so bad.

vidarh 12 years ago

It's kind of shocking that they haven't been encrypting all internal inter-datacentre connections to begin with. Even if they didn't suspect NSA snooping, there's enough companies and criminals out there that'd conceivably have a lot of reasons to want to try to find ways to tap Google's links.

balabaster 12 years ago

You know, one thing I'm sure (hope) will come out of this is that enough people in the public should be sufficiently outraged at this that we start making some private sector headway in the data security race and perhaps we'll end up with some actual secure products by companies that aren't under the "jurisdiction" of U.S. policy, instead of those that just say they're secure but fall flat on their face when it comes to something as trivial as an NSL or an order for a pen register. If they were really secure, then these things wouldn't make the slightest difference.

grey-area 12 years ago

Offtopic, but there's a problem on this site with this kind of story now. I'm not sure if it's the flamewar detection, or flagging, or some other automated system, but stories like this which are very popular and not remotely a flamewar, but an interesting discussion, are disappearing off the home page too fast in my opinion. This is a topic that will define a generation's attitude to technology and the internet, and is particularly pertinent to Silicon Valley.

Yet this morning this story went from top of the page:

14. NSA infiltrates links to Yahoo, Google data centers worldwide (washingtonpost.com) 1395 points by nqureshi 15 hours ago | flag | 533 comments

To behind stories like this:

12. Java Virtual Machine in pure Node.js (github.com) 232 points by binarymax 16 hours ago | flag | 129 comments

I'd be interested to know the reason, and perhaps whatever algorithm is voting this down could be adjusted, because it's clearly not working?

  • lucb1e 12 years ago

    I came here and read some comments because I was wondering the same. Previously when something got >1k points, it would stay on the homepage at least a full day. Now it's almost off the front page with ~1.5k points in 22 hours.

  • mman 12 years ago

    Going out on a limb here because this does not make sense to me either. But maybe this has something to do with the fact that the valley built all of the software used to support this, quietly invested in it all in 2010 for undisclosed amounts at least in the tens of billions and approaching or exceeding 100 billion, and the money doesn't want it on the front page of one of the most popular news sites?

    By money i mean this money that keeps its actions shadier than the NSA: https://angel.co/emc https://angel.co/emc-ventures

mladenkovacevic 12 years ago

So does this suggest that Google's SSL encryption can be removed just as easily as that smiley face implies?

If this is true my next question would be does NSA have access to the keys or are they removing encryption in some other more technically involved way?

  • dragonwriter 12 years ago

    > So does this suggest that Google's SSL encryption can be removed just as easily as that smiley face implies?

    Well, yes, if you are Google. The removal of SSL is done by Google's own front end servers at the boundary between the public internet and Google's own network, and Google's own network (including its private datacenter-to-datacenter fiber connections) are apparently not encrypted (which saves compute overhead.)

    The revelation in the article (assuming it is correct) is that the GCHQ is taking advantage of this fact to evade Google's move to encrypt user-to-Google connections by simply tapping Google's datacenter-to-datacenter connections and (as well as whatever use GCHQ itself makes of the captured data) providing the NSA the ability to provide search terms that are matched against the captured data, with matching data fed from GCHQ to the NSA.

    (This neatly also avoids any US legal limits on domestic electronic surveillance by the NSA, since, first, the surveillance isn't conducted by the NSA or any other US agency, and, second, it's presumably not physically conducted in the US at all.)

    • jrochkind1 12 years ago

      Tell me if I understand this right: Google thought it was okay to not encrypt that 'internal' traffic, because even when trans-continental, that traffic was on 'private' Google fiber carrying only Google traffic, not the public internet. It was theoretically on a network that only Google had access to.

      That's why it seemed okay not to encrypt it, right? (Otherwise, I don't know why Google would have thought it didn't have to encrypt it).

      But the NSA managed to tap into this 'private' fiber anyway, perhaps with the cooperation of the actual telecoms that run it?

      Do I have that right?

      • dragonwriter 12 years ago

        Essentially, that is what the article seems to indicate, except that it was Britain's GCHQ, not the US's NSA, that did the tapping. The GCHQ, as part of the "Five Eyes" intelligence cooperation [1], lets the NSA do searches against the data they get from the taps.

        [1] http://en.wikipedia.org/wiki/UKUSA_Community

  • acqq 12 years ago

    The spies tap the side where there's no encryption. SSL encryption is by Google's design removed by Google at the point marked with the smiley face.

    The trick is that Google has to move a lot of data between their own servers on the different locations (even different continents) and that traffic is not encrypted. That's why "Two engineers with close ties to Google exploded in profanity when they saw the drawing." It was that easy.

tonyplee 12 years ago

Few people said you can't fight google with NSL or force them to do anything because it has $50B in cash.

Easy: Just start an anti-trust investigation - a fed lawyer can drag Larry Page and Google's top level managers into federal court every week for the next 5-10 years. Go through every email about iphone, android, bing in the past, and force monitor every single biz decision Google will try to make for the next 10 years.

Apple, Samsung, Microsoft, Facebook would love to help out the government(s) in this.

Larry will get so sick of it that he would think giving out billions to kill mosquitoes in Africa/India is a lot more fun. - Remember Bill Gates?

adventured 12 years ago

Google will never do it, but they should drown the NSA in bullshit data. So much so it literally chokes the NSA's ability to spy on Google's services.

Google is one of the few companies that could pull it off. They have $56 billion in cash and nothing to do with it apparently. They generate $12 billion in profit annually and growing.

They have more financial resources, computing power, and brain power than the NSA does, and they're one of the few companies on earth that can say that (the only?).

A billion a year thrown at choking the NSA with a flood of data, I'd argue, would work extraordinarily well.

The NSA has a substantial budget (but how much spare budget?), but I don't believe they could afford the processing and storage costs that can be generated from a billion dollar per year effort of bogus data spewing (particularly if Google matches it with a dramatic effort put toward encryption R&D to multiply the cost the NSA suffers significantly more than just basic processing & storage costs).

The NSA's grand new data center in Utah cost billions and will have taken years to build. Google could probably force them to attempt to build a new one every single year forever, particularly given how bloated every effort by the government is and how easily Google could generate 'infinite' volumes of data. Google should pro-actively help Yahoo, Facebook and others out in teaming up to drown the NSA.

The biggest threat to Google is the NSA. Google should act accordingly. Just as they would react with financial investments to any other competitive threat.

  • djtriptych 12 years ago

    The NSA could, however, get a law passed for like $1M that makes this practice illegal, if it isn't already.

  • thrownaway2424 12 years ago

    The portion of Google's operation that NSA is tapping is already tiny. This article claims they got 181 million "records" of all kinds in a month. That's nothing! Google claims that Gmail has half a billion active accounts. You think each of those active accounts only sends and receives one mail every other month? Of course not.

    The NSA is clearly already drowning, or being selective about what they are getting.

  • alan_cx 12 years ago

    A better use of all that money would be to play the lobbying game the enemies of freedom so effectively play.

    This is the thing I completely fail to understand. If all these huge tech firms with all this cash really care about privacy, people, US reputation, etc, then why are they not pouring their money into politics like, say, the weapons manufacturers do? Why aren't they "buying" politicians?

    • joeshevland 12 years ago

      I think a more sensible use of the money would be to 'fix' the ability to buy whatever legislation you want. It's really not a democracy any more when those wealthy enough can buy whatever legislation they want.

      • alan_cx 12 years ago

        Unfortunately I think a real sense of democracy is long gone. We are left having to play the only game left in town. Buy your influence then, influence.

nickpyett 12 years ago

Larry Page should step down as CEO.

It would never happen, as Google shares would drop like a bomb and give credence to the argument that the cloud isn't secure enough, but at least it would show that someone at Google cares.

It would create a landmark moment though; something that would spark more debate in both the media and with American politicians.

  • nrmilstein 12 years ago

    Do you have evidence that Larry Page or Google knew about this? How is the CEO of Google stepping down an adequate reaction to something that Google doesn't seem to be behind?

    • nickpyett 12 years ago

      I'm not putting any responsibility on Google's CEO that he didn't ask for when he became CEO - he is ultimately responsible for the company's actions. Leaving that amount of user data open to attack is unforgivable, regardless of who is "behind this" or how much he knew.

      Secondly, the alleged attack, however it happened, is not the reason he should step down. Larry Page stepping down is going to be really bad for Google, he is one of the finest entrepreneurs of our time, and a great technologist.

      He should do it to send a message.

      Will there ever be more evidence about what actually happened? Probably not, but a resignation by one of the most powerful CEOs in the world will get some serious attention in the wider debate on privacy.

      But like I said, the share price probably comes first...

  • caseydurfee 12 years ago

    Better yet: appoint a goat to be CEO and then ritually sacrifice it. Maybe write "Google Cares" on the side of the goat before killing it.

    I guarantee that would spark some interesting debate!

    • nickpyett 12 years ago

      "Google: Don't be evil, to goats"

      Except that one we just killed. I think you're on to something.

xyfer 12 years ago

Everyone in Silicon Valley is talking about this and the media has painted a picture of criminal undertaking by the NSA. A lot of this is just speculation that has been blown out of proportion. The only way the NSA could compromise private data centers without placing moles in their respective ops teams, is to sniff the traffic on the private DC to DC lines leased by the companies. Assuming they did this by overpowering the ISPs, they are still left with a ton of TCP/UDP packets which they need to reconstruct, decipher and schematize. Although DC to DC traffic is typically not encrypted, it is often compressed or transmitted as binary streams. There is absolutely no way the NSA would be able to make sense of the data without reverse engineering the innumerable communication protocols used and then using that protocol to decipher the packets. It is a lot more feasible to force a company to hand over data on specific users than it is to piece together user data using this packet sniffing technique. If the NSA really is wiretapping DC-DC communication, it's not because they are trying to build profiles on individuals. It's likely that they are using this raw data for keyword lookups. And, although I question its effectiveness, that is a level of surveillance I'm comfortable with.

  • Renaud 12 years ago

    I think you over-estimate the complexity of the data being exchanged between data centres and underestimate the capabilities of these well-funded agencies that can afford top-notch PhDs, developers, engineers, mathematicians.

    The article seems clear on the fact that they are able to reconstruct the data streams. It's not difficult to assume that most of the data-exchange protocols used are pretty standard or at least pretty stable, for instance Google use protobuf[1] for efficient binary exchanges, it's open source and well documented.

    Data is meant to be moved efficiently between data-centres and these companies had no reason to add any obfuscation (if that was the case, they would have already used encryption). There is no reason to assume that adversaries with deep pockets would not have the technology or know-how to reverse engineer these unprotected data communication flows.

    [1]:https://code.google.com/p/protobuf/
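The point argued in this sub-thread, that compressed or binary inter-datacenter traffic is readable by anyone holding the bytes, shown as an added example (not part of the original comments and not Google's code): a schema-less decoder for the documented protobuf wire format. The sample message, its field numbers and its contents are constructed for illustration.

```python
import struct
import zlib

MAX_DEPTH = 8  # stop guessing at nested messages beyond this depth


def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_raw(buf):
    """Split one message into (field_number, wire_type, value) tuples."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 0x07
        if number == 0:
            raise ValueError("field number 0 is not valid")
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):               # fixed 64-bit / 32-bit
            size, fmt = (8, "<Q") if wire_type == 1 else (4, "<I")
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            value = struct.unpack_from(fmt, buf, pos)[0]
            pos += size
        elif wire_type == 2:                    # length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length runs past end of buffer")
            value = buf[pos:pos + length]
            pos += length
        else:                                   # 3/4 are deprecated groups
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((number, wire_type, value))
    return fields


def guess_bytes(raw, depth):
    """Heuristic for length-delimited data: text, else nested message, else hex."""
    try:
        text = raw.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    if depth < MAX_DEPTH:
        try:
            return interpret(raw, depth + 1)
        except ValueError:
            pass
    return raw.hex()


def interpret(buf, depth=0):
    """Return [(field_number, value), ...] with no .proto file available."""
    out = []
    for number, wire_type, value in decode_raw(buf):
        if wire_type == 2:
            value = guess_bytes(value, depth)
        out.append((number, value))
    return out


def recover(payload):
    """Undo zlib compression if present, then parse. No key is involved."""
    try:
        payload = zlib.decompress(payload)
    except zlib.error:
        pass  # not zlib-compressed; treat as a raw message
    return interpret(payload)


# Constructed sample: {1: "alice@example.com", 2: 150, 3: {1: "Q3 forecast", 2: 1}}
SAMPLE = (b"\x0a\x11alice@example.com" b"\x10\x96\x01"
          b"\x1a\x0f" b"\x0a\x0bQ3 forecast" b"\x10\x01")

if __name__ == "__main__":
    print(recover(zlib.compress(SAMPLE)))
```

Only field names are lost without the schema; values and structure come back intact, which is why encoding and compression cannot stand in for link encryption.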

billiam 12 years ago

What makes me downright angry is the vehemence with which Google's Chief Legal officer David Drummond denounces siphoning Google's own data. Secretly take our users' personal data, that's okay, but secretly take our data, which we make our billions off of, now that is unamerican. Class, man. Real class.

jcromartie 12 years ago

Can anybody trust Google services anymore? It seems like it's pretty much a no-go at this point. Even if Google hands over select data from within their systems, it appears we cannot even trust that it makes it that far without being compromised.

Every business that can should be ditching their Google services right now.

  • krapp 12 years ago

    For what, the magical service that can't be compromised by the NSA if it wants? At least Google has more resources to throw at the problem than a lot of other companies -- but really you can't trust anyone.

    • jcromartie 12 years ago

      > you can't trust anyone

      That's become quite apparent. I just wonder if there's any solution, or if it's a mathematical certainty that communications are insecure.

      • generj 12 years ago

        Doesn't that hold true for anything not using quantum encryption?

        To be fully secure in communications, you need to take advantage of weird quantum phenomena like radioactive decay, and even then you are betting that we won't come up with a theoretical framework capable of predicting quantum phenomena.

        • krapp 12 years ago

          You might not have to be able to predict quantum phenomena. IIRC, one of the issues they had with the "quantum internet" thing they built in New Mexico[1] was having to downgrade what should have been a perfectly secure connection to an insecure classical one because it's impossible to route a quantum entangled signal.

          Not that this is necessarily a weakness of quantum encryption, so much as a suggestion that any system can't be perfectly secure. Maybe the chips have a backdoor. Maybe a random number generator is biased. Maybe any number of things up to and including maybe you get hit with a five dollar wrench over the head until you give up your password. What I fear is that while the math may be secure, the system itself can't be secured. The web was never built on the premise that security would matter, was it? Or at the very least that the adversary wouldn't be one's own government. What can you do other than fabricate your own chips, build your own compiler, compile your own os, write your own network protocol and host a darknet (with similar self-constructed machines) out in the woods somewhere using a one-time pad for encryption? Even that's not enough.

          [1]http://www.pcmag.com/article2/0,2817,2418657,00.asp

ttt_ 12 years ago

“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,”

Interesting how agencies, corporations and the like have the collective maturity of children. A grown up will say to a kid "you can't play with fire with your friend" and the kid immediately will think "he didn't say I can't play with fire with my other friend".

  • eruditely 12 years ago

    organizations are not ma-turing complete

CoryG89 12 years ago

As a software engineer just about to graduate from college, when I see drawings like that I just can't believe that people who know enough to draw something like that can actually do it without feeling like they are the definition of evil.

  • dragonwriter 12 years ago

    It sounds like the problem there is you are conflating the mostly unrelated ideas of how much technical knowledge someone has with how much their values will align with yours.

  • MichaelGG 12 years ago

    Why is it so hard to understand that there are intelligent people that honestly believe they're doing something that will ultimately benefit their country? People have done far worse in the name of a country or ideal.

    For people outraged over the apparent happiness of the people that tapped Google, I imagine they've never broken a system. A breakthrough on a project is extremely enjoyable. Finding that Google removed SSL is like testing an app and finding it doesn't sanitize inputs it passes to a shell script as root.

    • anaphor 12 years ago

      They still deserve to be skinned alive though. As feminists are fond of saying "intent isn't magic".

      • robertfw 12 years ago

        That kind of approach is just going to lead us around in a big circle, and when we look back in fifty years we'll be just where we started

sage_joch 12 years ago

If I scroll the Reddit frontpage (without being logged in), I am not seeing any NSA stories, despite being on the top of /r/WorldNews, /r/news, etc. Anyone know the story behind that?

andmarios 12 years ago

Funny thing is how many articles have been written about Chinese crackers, possibly funded by the Chinese government, trying to hack into big companies.

  • subsystem 12 years ago

    It's also funny how all these "anonymous government sources" suddenly became available when the subject was about someone else.

andy112 12 years ago

Can anyone explain what exactly is meant by "SSL added and removed here! :-)"?

  • yburnsy 12 years ago

    The implication is that there is no SSL from the front end web server to the back end data center, thus it is susceptible to snooping at that point.

    • sseveran 12 years ago

      Yes. It would be considered a private datacenter environment. Someone with DC access or in this case the ability to tap a closed fiber network can still attack it. This mostly applies to state actors.

  • dragonwriter 12 years ago

    It means that the Google Front End (GFE) server is where encryption/decryption of SSL happens, and that communication outside the GFE (e.g., Google->Client) is encrypted, while communication behind the GFE (internal to the Google Cloud) is clear text.

  • thyrsus 12 years ago

    [Edit: apparently, the decryption does not happen real time. Instead, the encrypted traffic is stored and decrypted later. Either NSA/GCHQ think the latency introduced by doing a full mitm with the private key would blow their cover, or they're using some algorithm that isn't fast enough for full mitm. The below is a bad interpretation.]

    My interpretation is that they've acquired - either via bag job or by unpublished algorithm - Google private keys, and are decrypting and copying traffic immediately before the Google Front End, then impersonating the client to the Google Front End. Presumably, the Google Front End is on Google premises, and Google would be aware of the warrant that let NSA install such a device behind the Google Front End, whereas the peering point in front of the Google Front End (or on the fiber to the Google Front End) would be on Telco premises, and we've seen the Telcos be all too eager to cooperate. Oh, except Qwest, where the CEO found himself in jail.

    • rryan 12 years ago

      Your interpretation is completely wrong.

bm1362 12 years ago

"Two engineers with close ties to Google exploded in profanity when they saw the drawing." seems hyperbolic. What does it even add to the article? Is it used to try and establish some credibility?

I don't understand why this is shocking (the photo- not the alleged spying)?

Aaronontheweb 12 years ago

How are all of our elected officials "just finding out" about this stuff? Bullshit!

Our congressmen, senators, and POTUS are all "as surprised as you are!"(TM) about these allegations that keep coming out.

Obama doesn't know anything. Feinstein (who heads the Senate intelligence committee, and is briefed on the NSA's activity) knows nothing.

What's the difference between extreme incompetence and maliciously lying? I can't tell the difference.

  • devx 12 years ago

    I would even let them get away with that argument, but if they do use that argument, that means they should also be pissed off about these revelations, and realize that NSA has gone fully rogue, and they need to drastically rein it in. At least that's the logical conclusion from their argument.

    The problem is they want their cake and eat it, too. They want to get away with it themselves, but also protect NSA and their powers. We should call them out on their hypocrisy, and ask them to restrain NSA's powers if it's really a surprise for them, too.

devx 12 years ago

Here, Google - show us how much you care about user privacy and security, and join Lavabit and Silent Circle's alliance for the "Dark Mail" protocol:

http://www.forbes.com/sites/kashmirhill/2013/10/30/lavabit-a...

Meanwhile I'll be waiting impatiently.

  • pekk 12 years ago

    More promises to keep your information private, from people who already showed they are not competent to keep your information private. There is no reason Lavabit should have ever been able to disclose enough information to the government to get customers' messages.

  • rhizome 12 years ago

    Actually, the real test will be whether Google and Yahoo file amicus briefs in Lavabit's appeal.

GuerraEarth 12 years ago

Google is so good. Such a great concept. So much fun to use. A romper room. Such a bastion of talent and good people. Which is why this whole business is such a crappy disappointment. A guy sitting in a renovated girl's bathroom in London told us some time back that this was the case, that Google had dropped its original stance against "evil," but nobody took him seriously.

LionRoar 12 years ago

Reaction of Google’s chief legal officer, David Drummond on the news. Sounds a lot more sincere than their previous denials (which proved to be lies forced by the law anyway).

"We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide. We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform." [0]

[0]http://www.washingtonpost.com/world/national-security/google...

okadaka 12 years ago

SMTP (mail protocol) between providers is unencrypted anyway. So, if I send email from gmail to ycombinator, it goes to ycombinator SMTP server unencrypted and can be tapped by anyone with access to the wire. Still, clear traffic between Google's own data centers is inexcusable. They are exposing my data to more risk.

  • graue 12 years ago

    I thought you were wrong about that, but when I went looking for a source, I found out you're right. As of June, major email providers other than Google did not support encryption for inbound emails[1]. That's disappointing.

    Note there's no technical reason they couldn't. Also, Fastmail.fm, while arguably not really a major player, is an exception, supporting encryption on inbound emails since 2009[2].

    I just verified this via http://www.checktls.com. A later blog post in 2010 says Fastmail enabled it for outbound email as well. So mail sent from Gmail to Fastmail or vice versa is encrypted between the two providers.

    It's a start. I really thought I had read something about Microsoft enabling this on their email service, too, but I must be misremembering. All we can do is hope more big providers turn it on.

    1. http://news.cnet.com/8301-13578_3-57590389-38/how-web-mail-p...

    2. http://blog.fastmail.fm/2009/04/16/opportunistic-ssltls-encr...
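One way to check, for a message you have received, which SMTP hops were encrypted, given as an added example that is not part of the original comments. It reads the RFC 3848 transmission type after `with` in each `Received` header (`ESMTPS`/`ESMTPSA` mean STARTTLS was used); the sample message, host names and addresses are constructed.

```python
import re
from email import message_from_string

# RFC 3848 "with" protocol types: an "S" after ESMTP/LMTP means STARTTLS was used.
TLS_TYPES = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN_TYPES = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

# Constructed sample message (newest Received header first, as mail servers add them).
SAMPLE = """\
Received: from out.sender.example (out.sender.example [192.0.2.10])
    by mx.receiver.example with ESMTP id 9C3D7
    for <bob@receiver.example>; Thu, 31 Oct 2013 10:00:02 +0000
Received: from submit.sender.example (submit.sender.example [192.0.2.11])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    by out.sender.example (Postfix) with ESMTPS id 4F1A2;
    Thu, 31 Oct 2013 10:00:01 +0000
Received: from laptop (unknown [198.51.100.7])
    by submit.sender.example with ESMTPSA id 77AB0;
    Thu, 31 Oct 2013 10:00:00 +0000
From: alice@sender.example
To: bob@receiver.example
Subject: constructed sample

body
"""


def strip_comments(value):
    """Drop (possibly nested) parenthesised comments and collapse whitespace.

    Needed because comments such as "(using TLSv1.2 with cipher ...)" contain
    the word "with" and would otherwise be mistaken for the protocol clause.
    """
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return " ".join("".join(out).split())


def hops(raw_message):
    """Return (sender, receiver, protocol, status) per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    result = []
    for value in reversed(msg.get_all("Received") or []):
        line = strip_comments(value)
        sender = re.search(r"^from\s+(\S+)", line, re.I)
        receiver = re.search(r"\bby\s+(\S+)", line, re.I)
        proto = re.search(r"\bwith\s+([A-Za-z]+)", line, re.I)
        name = proto.group(1).upper() if proto else ""
        if name in TLS_TYPES:
            status = "tls"
        elif name in PLAIN_TYPES:
            status = "plaintext"
        else:
            status = "unknown"
        result.append((sender.group(1) if sender else "?",
                       receiver.group(1) if receiver else "?",
                       name or "?", status))
    return result


def plaintext_hops(raw_message):
    """Hops whose receiving server recorded an unencrypted transfer."""
    return [(s, r, p) for s, r, p, status in hops(raw_message)
            if status == "plaintext"]


if __name__ == "__main__":
    for hop in hops(SAMPLE):
        print(hop)
```

Each `Received` header is written by the server that accepted the message, so only the headers added by infrastructure you control are trustworthy; earlier ones can be forged by any upstream relay.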

grandalf 12 years ago

Aside from the indignation, I'd like to see proof that Google wasn't aware of this stuff. My guess is that it was approved as long as there was plausible deniability.

  • EricBurnett 12 years ago

    What proof would satisfy you? It seems like you're asking for something impossible to provide.

    • grandalf 12 years ago

      I'd need to see proof that the exploit (and operation to support it) was so sophisticated that Google reasonably could not have known.

      Since Google has been complicit in a good portion of Snowden's revelations, the burden of proof is on Google to satisfy its customers that it in fact drew the line at the earlier revealed level of complicity rather than the most recent one.

kbart 12 years ago

What strikes me most reading NSA related articles is that for Americans the problem here is not the global surveillance itself, but the domestic spying. Wtf? Is my anonymity and freedom less valuable just because I don't have a USA signed piece of paper? It's a serious problem that touches everyone who uses digital communications (pretty much every human being in the world nowadays) and such data collection should be illegal on anyone unless he's under a warrant or belongs to opposite forces during war times. I'm very sad and disappointed that EU leaders don't have balls to stand up for this.

  • kyboren 12 years ago

    I agree that non-US-citizens are endowed with the same fundamental human rights, including the right to privacy, as US citizens.

    However: 1) US citizens alone control the US government's actions, at least indirectly and in theory. NSA's domestic spying presents a threat to our democratic processes. NSA spying on US citizens is more dangerous than if they spied only on non-citizens, because it provides the NSA the means to control their ostensible masters--making any reforms to NSA's foreign surveillance operations impossible.

    2) In realpolitik terms, most Americans simply do not think or care about foreigners. Any bill that ends NSA's authority to conduct warrantless surveillance on foreigners is a non-starter in our current Congress. By first ending NSA's domestic surveillance programs, we actually have a shot at eventually ending NSA's unethical foreign dragnet surveillance programs. In other words: baby steps.

ahi 12 years ago

It seems the rest of the world is coming to the realization that they are merely conquered provinces in the US empire.

venomsnake 12 years ago

This degrades into comic book villain territory. Every admin's and developer's professional wet dream is to be able to capture, log and analyze every byte. To have unlimited processing power and storage.

And these people lived it ...

  • jcromartie 12 years ago

    > And these people lived it ...

    And, as it turns out, it's completely useless.

Nanzikambe 12 years ago

It's interesting that there's been little attention paid to what this genre of backbone/infrastructure tapping means for companies using content accelerators (or whatever they're called).

Considering what we now know about tailored access operations, I find it hard to imagine they've not used these abilities to subvert the auto-update functionality of virtually every product there is out there.

Ie. client requests auto-update from front-end server, update is switched and replaced before hitting the front-end server & being delivered.

  • graue 12 years ago

    That would seem to be a harder problem for the NSA. First, it has to be an active attack, modifying data in transit rather than merely siphoning it off — probably tougher to cover their tracks in that case. Second, automatic updates are presumably cryptographically signed by the publisher, so the NSA also has to steal or crack the private signing key. Third, how do you target the backdoored version of the software so certain groups/people get it and others don't? CDNs don't work that way.

    In the end, it seems much more practical to sneak a backdoor into the software at the source.

    • Nanzikambe 12 years ago

      Whilst I agree with your point, I think an important question to ask is "harder compared to what exactly?"

      Cracking SSL? Weakening crypto standards? Tapping undersea fiber? MITM attacks?

      Given all those are used, I find it hard to believe the update vector isn't exploited. Sure you'd need to compromise the signing key first, but that's a single target allowing you the ability to subvert many more without the need for any breaking & entering or social engineering alerting intended targets/victims.

      I'll take my tinfoil hat off now.

mathesis 12 years ago

USSID18 is what should be talked about regarding these violations. The sooner people become more familiar with the laws in place to prevent this the better the outcome for all involved.

kmfrk 12 years ago

Gonna be a very interesting fundraising season in Silicon Valley.

nickmolnar2 12 years ago

The denials over Prism never squared with the size and capability of the system that were outlined in the documents, unless I'm missing something here. Is it not possible that the court-ordered data releases were just one small part of the Prism program, with MUSCULAR and others filling the data that could not be obtained through the legal system? Prism is just the query interface, which is not necessarily tied to one dataset.

grandalf 12 years ago

This makes the recent warning atop my personal gmail that "State sponsored actors may be trying to access your account" particularly ironic.

smoyer 12 years ago

Would anyone else be interested in inserting a private version of a tracking pixel into each of their e-mails, so that you'd get a list of IP addresses where the mail was viewed back?

It would be interesting to see where mail was read versus where it is simply passed in plain text. Crowd-sourcing anonymous data might also allow us to determine which IP addresses belong to the NSA's systems.

  • nrmilstein 12 years ago

    I doubt the NSA is foolish enough to make external requests to load images in the emails they read.

    • smoyer 12 years ago

      And yet they accidentally hired at least one contractor with a conscience!

  • sv123 12 years ago

    If it's passed in plain text the tracking pixel won't load.

tonyplee 12 years ago

"vice president for security engineering Eric Grosse announced that the company is racing to encrypt the links between its data centers. "

Isn't this useless?

They can serve Google NSL and the court can force the company to release the SSL keys for the encryptions - just like Lavabit. Google CEO/Board cannot shut down the company like Lavabit.

What can they do, get out of USA like how they got out of China?

  • segmondy 12 years ago

    Lavabit is small. Who did their shutdown directly affect? Imagine Google going down for a full day, even homeless people will raise pitch forks and march down to DC to protest.

    • gohrt 12 years ago

      If you want to fight for freedom, but are too busy, take some of your startup lottery money and hire some underemployed folks to raise pitchforks and march on DC.

    • tonyplee 12 years ago

      I see it as just simple power struggle between companies and government - China won the round against Google a few years back by kicking Google out completely.

      The power in US government would love the same leverage.

      They will get it eventually - start with NSA in secret, but slowly congress can pass the law and bit by bit....

      That's why FB and google are implanting the notions of "no privacy" in everyone's mind. Good for their business and also makes it easier to hand over the data to whoever governments/agencies in the future.

  • leef 12 years ago

    No it's not. The court system, even if it is rubber stamp-y, provides way more visibility and accountability than secret and total access to Google's data via tapping data links.

    • betterunix 12 years ago

      The FISC is not visible or accountable to the public. NSLs must be kept secret by law. In other words, all courts do is provide the NSA with a minor speed bump when it wants to wiretap everyone.

      • leef 12 years ago

        It's mostly a moot point since it's overseas, but I doubt the secret court would be willing to pass through over 6 million FISC requests a day (181,280,466 requests every 30 days the NSA reportedly gets through this wire tapping). At the very least the FISC courts provide a bottleneck at whatever government 'efficiency' throughput they can provide.

  • dragonwriter 12 years ago

    > Isn't this useless?

    No.

    > They can serve Google NSL and the court can force the company to release the SSL keys for the encryptions - just like Lavabit.

    They can't do that without Google knowing about it, knowing what data is covered by the NSL and having the opportunity to challenge the request, or to factor the fact of the requests and the extent of information covered by it in evaluating Google's lobbying priorities.

    > Google CEO/Board can not shutdown the company like Lavabit.

    Well, it could (or, at least, it could recommend that course of action to the shareholders), but it's true that Google is differently situated than Lavabit -- specifically, Lavabit doesn't have ~$50 billion in cash it doesn't know what to do with that it could pull from for political action to address government policy that it felt severely threatened the way it prefers to do business, whereas Google does, which gives it options to address known actions by a government agency that it doesn't like.

    > What can they do, get out of USA like how they got out of China?

    Well, it's too big of a market for that to be a good first choice, but it's not impossible. Moving the headquarters, etc., would be easy, the hard part would be moving all their existing data centers and similar operations out of the US.

    If they wanted to do that with minimal disruption, they'd either need to build duplicate datacenters somewhere else and switch operations to those -- or, for less duplication, build a fleet of transport vehicles that could hold data centers, and piece by piece transfer their existing US datacenters into those transports.

    • tonyplee 12 years ago

      BTW, a much simpler way to get the SSL keys is to send someone (or teams) to be employed by Google. (Like another big country probably did a while back.)

      Once inside, put a few webcams, physical/virtual key logger, a few lines of code, (checkin code with extra ",", "=" instead of "==" in the right place - just like a post about Linux security Kernel hack a while back.) and the jobs are done.

      • dragonwriter 12 years ago

        > BTW, a much simpler way to get the SSL keys

        SSL keys are not the target, the data is the target. SSL keys change over time, and you still need to monitor the actual encrypted data; tapping the data where it's sent in cleartext is actually simpler, if you have the capability to do it, than infiltrating a spy into the dev team, having them compromise the system without being detected, getting the SSL keys, and monitoring all the encrypted comms.

    • twistedpair 12 years ago

      > or, for less duplication, build a fleet of transport vehicles that could hold data centers, and piece by piece transfer their existing US datacenters into those transports.

      That must be what they're building in SF bay right now! It all makes sense now. Get Apple involved with their cash hoard and you could put the datacenters in space.

    • rasur 12 years ago

      >or, for less duplication, build a fleet of transport vehicles that could hold data centers, and piece by piece transfer their existing US datacenters into those transports.

      Or, they could build data centers on barges and float them out of difficult jurisdictions. ;)

    • mml 12 years ago

      I find it funny how many people say "x is going to move out of the US!". Upon doing so, x isn't protected from spying by the NSA at _all_, not even the flimsy toothless protections we have as US citizens under US law. Ostensibly, the entire _job_ of the NSA is to spy on foreigners, which you become when you leave.

  • vidarh 12 years ago

    Note that the article makes the point that while the NSA can't compel companies to cooperate if they're not in the US, if they (or their data or data centres) are not in the US, NSA has much freer rein to use covert means to just take what they want.

    So getting out of the US would be insufficient (not that it would be a viable option anyway) - if moving out of the US, they'd also need to actually know their countermeasures are sufficient to prevent the NSA from just taking what they want.

oh_sigh 12 years ago

I love how every quote from the NSA stresses that "we don't have access to their servers". Fine. Let's say they don't. But that means nothing in this context. If they can see every piece of data that is sent between servers at various Google data centers, they don't need access to the servers to gather a ton of information.

whyenot 12 years ago

As of 1:41pm PST, there is no mention of this news anywhere on the front page of the NY Times website. There have been similar ...time lags... in the past when covering Snowden related news at the NYT. It's a shame one of the most important news sources in the US is so slow in their coverage, either intentionally or not.

  • snowwrestler 12 years ago

    The NY Times is not Reddit. They will check the story through their own sources before publishing. They're not just going to repost the Washington Post story.

    They're slow on Snowden stories because they do not have direct access to the Snowden documents, like the Guardian and WashPo do.

    • whyenot 12 years ago

      Of course the NY Times are not Reddit. Why are you even bringing that up?

      The AP, Fox News, NPR, PBS, CNN, LA Times, ... all have reported on the story in the Washington Post. The NY Times has not, and that's unfortunate. It's a major news event.

daemin 12 years ago

I get the feeling that people are outraged by this not necessarily for the fact that spy agencies spy on everyone they can, but that they do it in such a blatant, efficient, and all encompassing way.

I know I feel a bad gut reaction to the mass collection of data, but when you think about it that is exactly what a country wants from its spy agency, to know others' secrets. Hence they're doing the most optimal thing from the country's point of view. Therefore it is just the brazen scale, the automation of the whole operation, and the fact that it is now officially public that gives me (and us in general) the sick feeling.

Like the breakdown of forgetting (anything on the Internet is there forever), and the rapid dissemination of information through the social network (Facebook status etc), an adjustment needs to be made either in us or the system.

mman 12 years ago

Why is this on the second page of news right now? Older stories with way fewer points are currently ranked higher. This story is 22 hours old with 1495 points. There are stories with 264 and 305 points that are older but are currently ranked just higher than this story, moving it to the second page of news

glasz 12 years ago

“We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform,” he [google's clo] said.

reform... ha!

treelovinhippie 12 years ago

There's worse leaks to come. There are hardware-based backdoors in 90+% of the Tier1 routers. The whole Internet is basically bugged.

CrLf 12 years ago

Now wait... It isn't surprising that inside the datacenters most traffic flows unencrypted, but not encrypting links between datacenters?

Well...

  • SilliMon 12 years ago

    You can always encrypt on the client, so the Google data centers are just pushing encrypted blobs around.

    It makes life a bit more complex, but PGP can be used for mail and here's how to protect GDrive files: https://news.ycombinator.com/item?id=6644888

    Remember these revelations date from a year or two ago, who knows what they're up to now?

    • CrLf 12 years ago

      You can always encrypt on the client, yes. But it is surprising that an entity such as Google doesn't understand that links between datacenters have multiple points out of Google's control where traffic can be intercepted.

tibbon 12 years ago

Is there anything in the world that the US Government cannot rationalize?

Are there literally no limits worldwide to their power at this point?

It is my current assumption that everything now is being logged.

tn13 12 years ago

Any institution responsible for maintaining a nation's safety should be something to be proud about, but apparently with each news NSA sounds more like a virus.

monksy 12 years ago

That sounds like a rather interesting and large integration project that most engineers would salivate over.

csandreasen 12 years ago

I get the feeling I'm going to take a karma hit for this, but here goes...

> By tapping those links, the agency has positioned itself to collect at will from hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

There's a problem with this. The Post goes into a good amount of detail regarding how the NSA/GCHQ is collecting, but leaves nothing but speculation as to who they're targeting or why. It even goes so far as to suggest that NSA/GCHQ is targeting millions upon millions of ordinary citizens without giving evidence to back up that assertion. I would argue that these media outlets are doing us a disservice by not providing this information. All they're doing is generating hype and fear. I'm scrolling through the comments here and seeing calls for the imprisonment (or worse) of Obama administration officials and NSA personnel based not on solid evidence that the public at large is being spied upon, but based on our fear that the public is being spied upon. Some hypothetical headlines as an analogy:

A: "SWAT team guns down local residents"

B: "SWAT team guns down unarmed retirement home residents"

C: "SWAT team guns down pair of local gunmen; ends killing spree"

Headline A is vague and misleading. If that was the entirety of the information put out, the public would be outraged. If the actual story was closer to headline B, they'd be rightfully outraged, and all trust in the police force would be rightfully gone. The outrage wouldn't be justified if the actual story was closer to headline C. With regards to today's story, I don't want to see something like "NSA spies on Google traffic" - there's not enough context. I want to see evidence showing who they're targeting and why. If it turns out that they're spying on US Congressmen, major business executives or just ordinary Americans with the intent to blackmail/bribe/manipulate/etc. - that's the reason to call for these people to stand trial. If it turns out that they're spying on the unencrypted internet traffic of valid intelligence targets like foreign government officials/foreign spies/terrorists/etc., what has the public gained by telling us all how they're doing it?

The media needs to show us that there's a good reason to be afraid/outraged of a vast, covert Orwellian apparatus, then show us how to protect ourselves against it. Show us that the NSA is determined to undermine the public good for its own benefit. Unless there is no vast, hidden Orwellian state. Every Snowden document that gets released without showing evidence that the NSA is pursuing anyone besides those it has been tasked to pursue leads me to believe more and more that there is no such evidence, and the media is riding high on all of this fear and outrage to gather advertising dollars.

MiguelJones 12 years ago

Are people seriously surprised? After all of the other stuff we've heard the NSA has done, I am surprised that people are surprised by something we all but already knew.

frank_boyd 12 years ago

Curious to see who will continue to still use their products...

  • mden 12 years ago

    How would not using their products resolve the issue with the NSA? If people switched to other providers then other providers will get accessed like Google.

    • rhizome 12 years ago

      I'm sure the NSA likes having a one-stop shop. More nodes means more leaks, and if we've learned one thing through this, it's that the NSA would really rather do their work without oversight, which, as we've also learned, only happens as a result of leaks.

    • frank_boyd 12 years ago

      > How would not using their products resolve the issue with the NSA?

      One point would be: Google might feel a change in their bottom line and might actually start thinking about banding together with the other tech giants to be able to actively fight the NSA, instead of staying complicit.

wissler 12 years ago

The writing has been on the wall about the true nature of "the cloud" for at least 15 years. I tried to tell people, they preferred to put their faith and trust in the major magazines, which were all propagandizing about it constantly. Most people (including the developers who write this software) allow themselves to be herded, and if you try to tell them what's really going on they write you off as a crackpot.

What most people don't realize is that all the value offered by "the cloud" can be created with much higher quality on a different architecture, one that gives all the benefits of the cloud, but without sacrificing privacy.

andyl 12 years ago

Thank you Snowden.

misiti3780 12 years ago

fucking wow ..... that is all i have to say