

NSA collects millions of e-mail address books globally - chwolfe
http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html

======
fsck--off
I posted this quote from a Foreign Policy article [1] on another NSA related
discussion two weeks ago. In short, this isn't the first time Alexander has
run a program that used large networking charts, and it also isn't the first
time the charts his program created turned out to be worthless.

"When he ran INSCOM and was horning in on the NSA's turf, Alexander was fond
of building charts that showed how a suspected terrorist was connected to a
much broader network of people via his communications or the contacts in his
phone or email account.

"He had all these diagrams showing how this guy was connected to that guy and
to that guy," says a former NSA official who heard Alexander give briefings on
the floor of the Information Dominance Center. "Some of my colleagues and I
were skeptical. Later, we had a chance to review the information. It turns out
that all [that] those guys were connected to were pizza shops."

A retired military officer who worked with Alexander also describes a "massive
network chart" that was purportedly about al Qaeda and its connections in
Afghanistan. Upon closer examination, the retired officer says, "We found
there was no data behind the links. No verifiable sources. We later found out
that a quarter of the guys named on the chart had already been killed in
Afghanistan."

Those network charts have become more massive now that Alexander is running
the NSA."

[1] [http://www.foreignpolicy.com/articles/2013/09/08/the_cowboy_...](http://www.foreignpolicy.com/articles/2013/09/08/the_cowboy_of_the_nsa_keith_alexander?page=full)

~~~
a3n
The way you describe it, he sounds like an inept manager who moves from job to
job and tries to re-create that one success he had that one time, and forces
some tool or technique out of context everywhere he goes.

------
sinak
Hey folks, just a quick plug: If this stuff pisses you off, help make the
rally that EFF, Mozilla and dozens of other public advocacy groups are
planning in DC a success.

Sign up to attend, share, donate, whatever floats your boat:

[1] [https://rally.stopwatching.us/](https://rally.stopwatching.us/)

[2] [http://www.indiegogo.com/projects/stop-watching-us-a-rally-a...](http://www.indiegogo.com/projects/stop-watching-us-a-rally-against-nsa-surveillance-on-october-26th--2)

~~~
protomyth
This probably isn't going to be one of those rallies that only look big if
photographed properly. Some of these organizations know how to bring motivated
people, and there seems to be a pretty broad group from left to right on the
political spectrum.

------
richardcrich
I'm guessing the NSA intercepts all unencrypted SMTP traffic and uses the
From: and To: addresses to build up your 'address book'.

So here is what you do:

1. Set up two servers in two separate countries which you think the NSA will
be intercepting traffic between.

2. Send random emails From: your@email.address and To: random@email.addresses
between the servers - the receiving servers should not relay the messages,
just drop the mail on the floor.

This should fill the NSA's 'address book' of your contacts with noise. They
will have the valid data, but they will also have a bunch of garbage.

Just make sure you don't send fake email between yourself and any known
terrorists, communists or people who dress funny as the NSA may start paying
more attention to you.

I'm sure others can think of other interesting variations on the theme.

------
greenyoda
The NSA's indiscriminate collection of contact information is only possible
because irresponsible companies can't be bothered to encrypt their users' data
as it passes over the network:

_"It is unclear why the NSA collects more than twice as many address books
from Yahoo than the other big services combined. One possibility is that
Yahoo, unlike other service providers, has left connections to its users
unencrypted by default."_

------
downandout
A couple of observations:

1) It seems that the NSA is intent on cataloging every connection of everyone
in the world. The best way for "secure" communications then would be to send
encrypted messages to a few thousand random addresses, only one of which is
the intended recipient with the private key necessary to decrypt it. Everyone
else can write it off as spam.

2) I thought it funny that NSA took the time to write in the slides that they
are annoyed by Android's IMAP implementation ("Android implementation in
particular uses a lot of bandwidth").

3) Why release redacted versions of stolen documents whose release in any form
is a violation of federal law anyway? This is like cleaning up your mess after
robbing a bank. Might as well release the whole thing.

~~~
larubbio
for #1 I was wondering if you could build a messaging system where the sending
system didn't know the location of the recipient. It also would mask the
connection between sender and recipient. Basically you would send a message to
a key to several servers in the network. Each server would look at the key,
and if it matched their address they would store the message. They would also
forward the message along so an outside observer wouldn't know that that
server held that inbox. Basically 10 messages would come in and the same 10
would come out and maybe one would be stored, but you couldn't tell that. You
would have to age out the messages, and I'm not sure if you could guarantee
delivery. By observing the network you could tell where messages were
originating, but not where they were terminating. That is the extent of the
thought I put into it, it's fun to think about but I'm sure there are many
holes in the idea.

for #3 the post runs the stories they publish past the government to make sure
they do not publish anything that would be truly damaging. After consulting
with the government I assume they decide what to redact and what is ok to
publish. I think this was the crux of the government case against Manning in
regards to responsible v. reckless disclosure.

~~~
discreditable
#1 sounds like it would be satisfied by bitmessage:
[https://bitmessage.org/wiki/Main_Page](https://bitmessage.org/wiki/Main_Page)

------
r0h1n
In other words, the NSA is no different from private Internet companies like
Facebook and LinkedIn who think it's perfectly fine to furtively copy their
users' email address books in order to mine them.

Remember Facebook's "Shadow Profiles" created using data harvested from users'
address books?
[https://news.ycombinator.com/item?id=5926275](https://news.ycombinator.com/item?id=5926275)

Remember LinkedIn's non-apology when faced with a lawsuit from users who felt
it was inappropriately accessing their email accounts?
[https://news.ycombinator.com/item?id=6425444](https://news.ycombinator.com/item?id=6425444)

------
walid
What is so ironic is that time and time again when spies are caught they
specifically make sure that they don't have address books either on them or
stored somewhere. So this is essentially nothing more than all the innocent
people in the world. The only way I can see this technical solution producing
results is if all the people in the world were cataloged and then the
remaining ones were spied upon using field operatives.

------
TomGullen
Was this recently revealed by Snowden? If so, I'm loving his tactic of slowly
leaking it all out and keeping it relevant. If it all came out in one go it'd
have a lot less impact in my opinion. I hope the leaks continue for a long
time.

~~~
aasarava
Read the first sentence of the article.

------
XorNot
Newsflash: Google, Facebook, Microsoft, most businesses and also some
particularly conversant users also doing the same thing.

------
aspensmonster
I see that NSA articles still have heavier weights attached to them.

~~~
aspensmonster
Edit: Downvote it all you want. The article is already on the second page :)

------
sdoowpilihp
I am not quite sure why this is news (or even worth mentioning for that
matter) given the fact that the NSA has demonstrated a propensity to collect
pretty much any data it can get its hands on. This revelation seems like a
given fact. Should we also publish articles chronicling the NSA's collection
of family secret recipes?

~~~
bendoernberg
It's news because most people don't understand what "metadata" means in the
abstract, and what the implications of the NSA having it are. This may be a
sufficiently concrete invasion of privacy to reach the average person.

