
Personally, the biggest takeaway from this is the invasive targeting of completely innocent and ordinary people simply as a means to get access to things the NSA needed (SIM card keys). We have concrete evidence they nailed people's personal email accounts and social networks merely as a means to get crypto keys en masse. Sure, the potential mass surveillance is exceedingly problematic, but that's mainly problematic because of the potential for abuse. Abuse that we either assumed would happen or already had, but as far as I know there was little direct evidence of.

The absolute lowest bar for surveillance seems to be that a government doesn't use it to intentionally target innocent people / those not in the game (hell, let's lower it even further to be only people the government themselves believe are innocent).[0]

That potentially allows dragnet collection of data if no one looks at it. It might allow hacking just a company's servers to get access to third party data. It probably allows you to spy on foreign heads of state (even if it's a boneheaded move). But it damn well doesn't allow you to go through the personal communications of people who you know have done nothing wrong and aren't even working for someone who has.

[0] This is precisely the woefully low bar Obama has been espousing: “The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security and that we take their privacy concerns into account in our policies and procedures,”



I wonder how many years' worth of jail time Aaron Swartz's prosecutors would be talking about if this'd been done by a mouthy kid instead of the NSA?

I wonder which non-US country, where the NSA's actions aren't made "legal" by secret FISA courts or acts of (US) Congress, will be the first to start throwing that kind of legal threat at NSA staff responsible for this?</wishful-thinking>


When you hold the Poisoned Chalice of Power you get to decide who is legally justified and who isn't. "Morals" doesn't even factor into things....unfortunately.


Only in a limited way though, the NSA can decide (or at least exert considerable influence over) what's legal in the US - but criminal actions in, say, The Netherlands or any other (non-Five Eyes) country, cannot be "justified" or "excused" legally by another except those countries.

I guess a _lot_ of what goes on in state sponsored espionage happens outside the civilian legal system - at least in "major" countries - but surely there's scope for a criminal trial and civil damages case against NSA/GCHQ operatives when their espionage involves widespread network exploitation and privacy violation of corporate networks and staff. Crimes which would _clearly_ be aggressively prosecuted if committed by Anonymous Skript Kiddies or criminal credit card fraud gangs. Why shouldn't NSA agents be held just as accountable in this case by non-US legal systems? Sure, root the embassy network and expect to be held diplomatically responsible if you get caught. Private companies and citizens though? Go to jail just like anybody else.


But if you've been following the Firstlook disclosures, and the response to it from different governments, you'll notice that they don't really want to hold anyone accountable - likely, they are all on it some way or another.

Ireland rushed to retroactively OK British spying. Germany ignored it (with some theatrical "I'm insulted" remarks from Merkel, but no real action).

The assumption that any government out there actually wants to enforce its laws with respect to mass spying against its people is not supported by facts.


Germany's investigation found that it likely didn't happen and that the documents saying it did were possibly forgeries.

http://mobile.reuters.com/article/idUSKBN0JP1QG20141211?irpc...

> "the document presented in public as proof of an actual tapping of the mobile phone is not an authentic surveillance order by the NSA. It does not come from the NSA database.

> "There is no proof at the moment which could lead to charges that Chancellor Merkel's phone connection data was collected or her calls tapped."


Did you RTFA?


The one I linked? Yes. Did you? What did I misrepresent, exactly?


Plenty of spies on all sides have been killed and jailed over the years. If a country can prove a specific person committed a crime. But that's a lot harder to do with tech crimes.


But how do you identify an anonymous NSA hacker?


You send them all to Guantanamo Bay and beat a confession out of them?


What do you think spying is? By definition it is illegal. Other countries won't do anything but cry a bit because their hands aren't much cleaner.


...they will probably cry a bit and up their game. By a lot. Until someone stops just crying and boom.


How do you think the world actually works? Do you think that any other intelligence operation this past century didn't target similar people?

Take a look at the Cold War, most of the directly tasked targets of US and Soviet intelligence efforts were "small fish" with the right access, anything from a hotel employee to a secretary or a cook or even your hairdresser.

At least with this NSA thing they don't end up with 2 bullet holes in the back of their head at the bottom of a trash chute.

Spy agencies always have and always will operate in such a manner; really not sure why people still act in any sort of shock, this is the most basic tradecraft.


No they didn't. There are intelligence operations that you haven't heard of, and this is not an accident. Just because the NSA is using brute force and does not care about the collateral damage, it does not mean that all of the secret agencies should do the same or are doing the same.


So they just decided to declassify or screw up all the intelligence operations that did just that to give themselves a bad rep?


I am not concerned about that. It is bad practice to damage security for all because of a few. This is all I am saying. It seems like a pretty bad idea to me.


Damage security? They didn't damage the security of the products because of this; if anything, what you should take away is just how easily these products can be compromised in such a manner.

All the NSA did is to steal keys which they can then use to interdict cellular communications, it's not like they put in a weakness by design and then exploited it (which they might have done in other operations but that's a completely different story).

This thing is no different than the digital signatures on the driver used by Stuxnet ("oddly enough" both companies which were compromised were in the same industrial park just across a shared parking lot from each other ;)).

Sadly this level of operation is plausible to be committed not only by private intelligence agencies (which we had too many of already) but by crime organizations as well. I've seen cases of corporate espionage which were more complex than this one.

Instead of huffing and puffing at the NSA the proper lesson to learn from this is that cellphone carriers should stop relying on SIM card manufacturers in China and India for their encryption.

Heck, if the NSA can interdict equipment in transit to tamper with it, how hard do you think the Chinese intelligence service has to work to go down the street and just demand the keys straight from the source?

It's about a good damn time that people start asking questions on who has access to the private keys which are used in so many day-to-day operations, from the keys used to authenticate your cable modem to the keys in the card reader you swiped your card through at your local coffee shop. The answer to this should force quite a few people to live in a hunting lodge in Montana for sure.

I in fact would be very surprised to find a single mass used commercial cryptosystem which is actually secure. Because with each and every one of those the keys to the castle end up being in the hands of the lowest paid employees out there and business practices will always force availability and serviceability over security.


Everything can be compromised. It is just a matter of enough resources (money really). Finding a security bug and actively using it and not exposing it publicly is kind of damaging security because the bug can be used by other organizations as well. Writing Stuxnet is an entirely different level. Actively deploying backdoors and compromising entire networks just to get to the target is a lot of collateral damage. Isn't it?

Actually there were certain projects that got pushed back like the IDEA from ETH Zurich or ECC from University of Washington and other potentially vulnerable alternatives were promoted. ECC btw. is pretty strong for a very long time, even today, if you don't use the backdoored version...

http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A...


Eh? The NSA didn't push IDEA out; what pushed it out is the fact that, besides being actually substantially (esp. since 2013) less secure than AES and having poorer performance, IDEA was a registered trademark and was under a full patent, which meant implementing it (prior to the patent expiration in 2012) was a nightmare.

I also hope that you don't insinuate that ECC was "invented" by UW since elliptic curve cryptography was known for quite a long time.

By the backdoor I assume you mean the whole NIST curves fiasco, well besides the fact that it was in use almost nowhere, if you speak to actual mathematicians you'll find out that it wasn't a big deal. The NIST curve was more about performance enhancement than backdooring, although sadly for NIST and for the NSA it failed at providing both.

The big problems with ECC are that it's extremely susceptible to side channel attacks, especially in embedded implementations, and that if you have the capability to use quantum computing for cryptanalysis then to break ECC you'll need only about 25-50% of the compute time/power than you would need to break RSA.

Also, since ECC is asymmetric and quite resource consuming, it's not really used in encryption as much as you think. Sure, it's good in any situation where you can use PKI, but PKI is rarely used to encrypt actual data. The common uses of PKI are for authentication and initial key exchange; data encryption, whether it's at rest or in motion, is usually based on symmetric encryption.


"Personally, the biggest takeaway from this is the invasive targeting of completely innocent and ordinary people"

Nothing new here - as the Belgacom hack has shown already.


So I may have missed the details. I thought we knew they hacked Belgacom, but no one mentioned going through employees' personal email and social networks (though in light of this, we can assume they did). If they did mention it and I missed it, sure, nothing new. But the same entire thing then just applies to that instance too.


> While working to assess the extent of the infection at Belgacom, the team of investigators realized that the damage was far more extensive than they first thought. The [ed: NSA] malware had not only compromised Belgacom’s email servers, it had infected more than 120 computer systems operated by the company, including up to 70 personal computers.

https://firstlook.org/theintercept/2014/12/13/belgacom-hack-...


I don't remember the reporting on the Belgacom hack mentioning that they were casually querying X-KEYSCORE as they reportedly did here to identify potential targets.


See the comment below in this subthread. You are right, no mention of XKEYSCORE but they pretty much owned their whole mail server(s).


Indeed,

It is gradually recursing backward to "invasive targeting of completely innocent and ordinary people simply as a means to get access to more innocent and ordinary people in order to ...etc"


Look, if your uncle's boss doesn't have anything to hide, you have nothing to fear.

Alternate version: If you aren't three or fewer connections away from anyone with something to hide, you have nothing to fear.


Preface: this is not a defense.

It's worth remembering that some tools are only useful with lots of data about innocent people. Some forms of network analysis fall into this category, I believe.


Sure.

Let's suppose it actually was a valid defense. But what does that have to do with going through the Facebook and personal email of individual employees to know who to target? That was done up close and personal, by hand. By any definition, those people had their privacy specifically and intentionally violated by actual human analysts.


Intelligence is one of the few rare fields based wholly upon the idea that the ends justify the means. There are no easy answers there.


The end in this case being the ability to decrypt cellphone traffic. And what will that capacity be used for? Spying on foreign nations? Halting nonexistent terrorist plots? Further secret surveillance of American citizens?

If we judge the means by the ends, I do not believe that their end provides sufficient justification for their means. They appear to believe otherwise, however they fail to offer any evidence for their perspective; as an American, I am feeling ever more alienated from the organizations which were theoretically founded for our benefit.


Decrypting cellphone traffic is also a means. It's a means towards information and human connections and so on. That's the sort of stuff that can make or break an operation.

Did it? Has it? Unknown.

The trouble with intelligence is that it's only effective when done with secrecy and fairly broad latitude to operate. There are few easy answers here.


A fairly broad latitude? If the ends justify the means and yet the ends themselves are kept completely hidden, then the latitude, as you put it, is completely unconstrained. An intelligence agency operating under those principles can literally do anything claiming that it is for the greater good.

In short, it sounds like you are advocating for an agency which can take arbitrary extralegal action at its own discretion, without providing reason or explanation, and without providing any demonstrable benefit to anybody, because it's secret.

Frankly, I find the idea terrifying. I understand that intelligence agencies need some quantity of secrecy and some degree of latitude. Like you have repeatedly stated, there are no easy answers. But that doesn't mean we shouldn't ask the question. What the hell are these people doing, and should we let them continue? What is growing in our intelligence sector -- is it an institution that will be found to have brought the world benefit, like Bletchley Park, or will it be seen to have become a thin facade over a malignant, self-interested organization, potentially culminating in something like a secret police?


We have a secret police now: what else do you call an organization that secretly collects information against the nation's own citizens to be secretly passed along for 'parallel construction'? That kept this policy itself a secret? Theoretically it's as a byproduct of foreign intelligence-gathering, not a primary function, but this frog feels the pot to be plenty hot already.


I agree, except for "now". That's clear from Bamford's books. For example, federal charges against the Weather Underground Organization were dropped in late 1973 after a screwup in parallel construction. In 1973, hardly any civilians had ever heard of the NSA (aka "No Such Agency") and they wanted to keep it that way.


You misread me. I am not advocating for anything. I am commenting on the constraints and issues of the problem space.


Can you please provide your definition of intelligence?

I would argue that theoretically, a government (or other entity) could use intelligence but use it within a set of moral and/or ethical guidelines that uses a system of checks and balances.


Intelligence is the dirty-but-necessary stuff that makes it possible to accurately guide diplomacy, economic policy, trade, and military action to achieve the desired goals of a nation-state for a minimum of cost. It includes internal security.

Generally, intelligence cannot operate openly, even under a strict set of guidelines. Further, there will always be situations where efficacy runs into guidelines and something has to give. Would you be willing to violate the privacy of one person to prevent an attack that would kill five thousand? How about a dozen people's privacy? A hundred? A thousand? A million?

As I understand it, those aren't purely theoretical questions in the world of intelligence.


> Would you be willing to violate the privacy of one person to prevent an attack that would kill five thousand?

Why don't we skip the suggestive "thought experiments" and look at some facts instead.

A grand total of 3467 people in the USA have been killed by terror attacks since 1970[1].

In the same timeframe 2091 Americans were killed by lightning strike[2] and roughly 102.000.000 died of old age.

Please explain how these numbers justify the NSA's yearly budget of $75 billion dollars, and their documented, ongoing violation of millions of people's privacy.

[1] http://www.start.umd.edu/gtd/search/Results.aspx?chart=fatal...

[2] http://en.wikipedia.org/wiki/Lightning_strike#Epidemiology

[3] http://money.cnn.com/2013/06/07/news/economy/nsa-surveillanc...

[4] https://firstlook.org/theintercept/2014/08/25/icreach-nsa-ci...


> Generally, intelligence cannot operate openly, even under a strict set of guidelines.

Can this claim be substantiated with evidence?


No. Otherwise police departments would be unable to do anything and would cease to exist. Police operations vary in secrecy but even the most secret eventually stop being so, as there is a need to actually prosecute.

The idea that "spys gonna spy" is one we need to start collectively challenging. Why do we need these organisations at all? If NSA/GCHQ were wound up and their technical specialists re-allocated 80% to domestic law enforcement for computer forensics purposes, and 20% to a new dedicated counter-intel-only organisation, would the sky fall? I doubt it.


Have you examined your proposal for drawbacks?


Would you be willing to violate the privacy of 6 million people to commit genocide?


It's interesting because last I checked Obama/NSA were saying they don't collect content, only metadata (that harmless, harmless metadata [1]). If that's the case, why were they so interested in the SIM key?!

[1] - http://justsecurity.org/10311/michael-hayden-kill-people-bas...


Because they were useful for targeted surveillance? Not that I agree with the means or the scope, but there's an above board explanation for the desire to get the keys. Suppose you have a handful of phones in Pakistan or Iran you need access to very covertly (e.g. some rogue guy in the ISI where getting caught snooping has major consequences). The least risky way to access his communications is to get the keys. The least risky way to do that is to get them from the broadest source possible (to obscure who you're really interested in) and the one most removed from your target. So there's a legit reason to want the keys, even if you're only targeting a few legit targets.

But the means of doing so is truly questionable, even given all their assertions about trust us and we don't look at everyone's stuff.


The metadata qualifier is about U.S. domestic data gathering.

There's no such limitation on their activities outside of the U.S.

(Hence there is no reason to make an inference about what capabilities they would attempt to build out)


Strange to see anyone still believing American officials.



