
XKeyscore: NSA program collects 'nearly everything a user does on the internet' - sinak
http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data
======
nikcub
This is overwhelming. Even when you always hear the claims about we knew this
was going on, somehow it is still shocking when you see it all laid out
in front of you with screenshots and the capabilities described.

I can see how they get HTTP information, since they would intercept at transit
hubs - but how are they getting all Facebook private messages and Gmail?

I was also looking for another unique ID that users are identified by -
perhaps a machine or browser fingerprint or some form of intel that can 'glue'
different browsers together and make a best guess if they are the same person
(Facebook does this with device and user cookies) but couldn't find anything.
It seems they rely solely on email addresses, IP addresses, cookies and HTTP
headers.

So if you are browsing via 16 tor circuits and a browser that defaults to
incognito with session histories being wiped, they couldn't reconstruct your
history.

Users of PGP/encryption products being singled out is terrifying. The sooner
we have the whole world using decent encryption tools, the better.

Edit: Gmail messages must only be captured when they leave the Google network.
They are the only provider to support server-to-server TLS:
[https://twitter.com/ashk4n/status/346807239002169344/photo/1](https://twitter.com/ashk4n/status/346807239002169344/photo/1)

They must only be getting a slice of the Facebook chat data, since the
transport there is also https.

Facebook Messenger, on the other hand, uses MQTT, so it transmits and stores
in plaintext. It has support for encrypted + signed messages with OTR if you
are using an alternate client such as Adium or Pidgin.

Really need to go out and audit all of these services and let users know which
are better.

~~~
deveac
_> This is overwhelming. Even when you always hear the claims about we knew
this was going on, somehow it is still shocking when you see it all laid out
in front of you with screenshots and the capabilities described._

It has become a bit of a pet peeve of mine recently to see self-aggrandizing
comments from users around the net about how "we should have known" and "none
of this is new."

I'm a practically addicted news junkie (especially tech news) and while I've
been aware of a fair amount of what has been exposed in this latest leak, it
seems that every day there are revelations new to me, and what is revealed
absolutely shocks the conscience. And _I'm an outlier_. I'm more plugged in
to reporting on this subject than 99% of the globe's population, and this
subject tangles with the rights and treatment of a large portion of the
population of said globe.

The staggering majority had no clue, _has_ no clue, and no, _they were never
informed._ For all intents and purposes, the global media has been asleep or
complicit.

It's staggeringly important to keep telling this story at every level
specifically because "we" _don't know, and still don't._

~~~
rmrfrmrf
First of all: keep the staggering to a minimum.

Second: realizing that "we should have known" and "none of this is new" isn't
so much about reading news articles and being "plugged in", but rather having
an understanding of how the Internet works. To oversimplify greatly, you're
essentially playing a very precise game of telephone between around 10-20
different people, and usually about 1-3 different publicly-owned corporations.
To be _surprised_ at the possibility of storing packets is somewhat naive
considering how simple it is to do.

~~~
noonespecial
The technical possibility isn't the new and staggering part, it's the profound
lack of morality, respect for any ideal whatsoever, and complete apathy towards
the oaths these people took to serve _us_.

They have completely misused the power we granted them in sacred trust. We
should remove it from them at once. If this has become impossible, we need to
know that as soon as we can.

~~~
s_q_b
> The technical possibility isn't the new and staggering part, it's the
> profound lack of morality, respect for any ideal whatsoever, and complete
> apathy towards the oaths these people took to serve us.

Again, I'll chime in as the resident apologist. The people working at Fort
Meade are not evil. They truly believe they're doing a great service to the
nation. They may be wrong, and they've certainly thrown privacy out the
window. But they are following an ideal: national security.

Post 9/11, the nation went on a war footing. We reacted the way we did to the
Nazis and the Soviets. And in their search for an existential threat, the
intelligence community seized on nuclear terrorism. These analysts live in
constant fear of the day they miss a piece of information and New York,
Washington, or London is enveloped in a mushroom cloud.

The best explanations for this type of reasoning that I have heard came from
an unlikely source, my grandfather. He's a former FBI agent and WWII Navy
veteran. In war time, we threw all sorts of civil, economic, and political
liberties out the window to defend ourselves. When I asked him how this was
allowed to happen, he said simply, "When you're facing an enemy that wants to
cross over the hill into the valley where you, your family, and everyone
you've ever known or loved lives, you'll do anything to protect them."

Our grandparents grew up with the threat of the Nazis. Our parents faced the
prospect of annihilation by the Soviets. We have had the luxury of coming of
age in a time where there is no credible threat to our very national and
physical existence.

As a result, it's difficult for us to understand the mindset of someone that
spends all day, every day, thinking of the most horrible ways we could be
attacked, and then trying to devise countermeasures. It's almost inevitable
their perspective on the balance between security and privacy is altered.

I'm not saying this reasoning is morally correct or justifiable, especially
when applied to the current surveillance programs, but simply that it is
understandable.

The key danger is that these efforts are qualitatively distinct from those in
previous generations. The difference between extraordinary measures now and
then is twofold.

First, our capacity to surveil the citizenry has exploded over the past two
decades, and our legal framework is still grappling with that change. The
courts are having trouble understanding that a change in scale can be a change
in kind.

For example, it's one thing to have the occasional surveillance flight to
search for drug operations. It's quite another to have aerostats and
quadrotors watching every inch of a city all the time. But the legal rationale
that there is no right to privacy in public spaces allows both.

Similarly, it's one thing to say the records generated by my water company are
business records not subject to the Fourth Amendment, but it's quite another
to use that rationale to justify monitoring the location of my cell phone
simply because my cellular provider maintains the records.

Second, wars have a point where they end, and the extraordinary measures are
supposed to be reversed. That's why the "war on terror" and the "war on drugs"
are so dangerous to civil liberties. They essentially extend the extraordinary
measures during wartime to police problems that have no logical end.

I agree that we've gone too far as a nation. The fact that these queries don't
require FISA orders flat out shocked me, even as a careful observer of these
issues. But let's not demonize the individuals. After all, they're only doing
what the people demanded after we were attacked. This is a democracy, and
immediately after 9/11 such measures were resoundingly approved by the public
and our representatives, beginning with the PATRIOT Act.

None of that changes the current reality however. We must slowly learn the
lesson the British did when dealing with terrorism. If you treat it as an
ordinary police matter, something that will always be present, you deprive it
of its power to shock, from which it derives its effectiveness.

The fact is that the war on terror must now end. It's time for a return to
normalcy.

~~~
afterburner
I'm not American, so I'm wondering: was the public really actually behind the
PATRIOT Act, or were they merely giving leeway in a time where everyone was
supposed to go along? Or were you thinking that's the same thing?

Same with the politicians; were they really for it, or simply incredibly
afraid of the political suicide that would be the results of standing up
against it? Because this was a time when people did not question Bush. From
today's perspective on his administration's actions, that seems odd, but it
was the reality at the time.

~~~
ISL
The public was behind doing _something_. Much of Congress didn't want to be
seen as impeding _something_.

It was obvious from the length of the act alone that even Congressional
staffers couldn't have read it carefully between the time of submission and
the time it passed. Quite a few people that I knew were weakly opposed, but
the sunset provisions may have made it more palatable.

It takes character to stand up and defend doing _nothing_ when _something_
"must be done".

~~~
kevinnk
> It was obvious from the length of the act alone that even Congressional
> staffers couldn't have read it carefully between the time of submission and
> the time it passed.

This is a little off topic, but I always see this trotted out when people talk
about big laws (like Obamacare, PATRIOT Act, etc) and it's not really true.
Lawmakers usually work with and read a "normal language" version of laws that
then gets transformed into a stricter legal version by staffers and experts.
They will look at the actual legal version of the law if they care about a
specific rule or section, but they usually don't need to.

~~~
bobwaycott
It is an incorrect characterization when referring to the Affordable Care Act,
as that went through so many revisions and debate over such a long period,
that anyone who did not read it has zero excuse (including the public who
allows itself to be misinformed about its contents). But it's not quite unfair
wrt the PATRIOT Act. There was widespread reporting, complaining, and outright
indignation that the PATRIOT Act was never read by a majority of
congresspersons who voted for it. It was so massive, that there was little
time to actually read the legal language overnight.

Of course, I expect my lawmakers to actually read the legal language.

~~~
kevinnk
The point is more that for most lawmakers there's not really a need to read
all of the nitty gritty legal language. If you're a House Rep from Kansas
whose core issue is corn subsidies, reading all of the PATRIOT Act isn't
really going to do you much good. Instead, you read the summaries and listen
to the opinion of the experts in your party who have read the whole act.

It's important too to note that this isn't a "big law" or even an American
thing. Virtually all bills of any substance work this way and it's pretty much
standard practice in most countries.

That being said, I'm not defending the PATRIOT Act. I just think the argument
that not enough people read it is weak, especially considering all the real
arguments you can make that actually attack the substance of the act.

~~~
bobwaycott
You make some decent points. However, I'm still going to counter that 'the
argument that not enough people read it'--i.e., proposed laws--is _strong_,
not weak.

 _The point_ is that for _all_ lawmakers, there is both a need and sworn
obligation, in addition to national expectation, that they _read all the nitty
gritty legal language_ they are voting on, by which all Americans are bound to
abide.

That's what _lawmakers_ are there for--to know what in the hell they are
passing as _laws_. If they can't be bothered to do their job--which, at the
national level, goes _far beyond_ just securing corn subsidies, because
they're voting on legislation that touches on _all_ Americans--then fuck 'em.
Throw the bastards out on their asses, and send them back to the cornfields.

------
api
I'm getting seriously irritated at the "I have nothing to hide" crowd. For
starters, here are a few ways this can go _horribly_ wrong:

* Industrial espionage -- it's big business, and I'm sure it pays better than being an NSA analyst.

* Foreign espionage -- since this gives unlimited querying power to every agent, a single "turned" agent could inflict massive damage on U.S. government and industry interests on behalf of a foreign power. The potential for double agents is huge.

* False positives and guilt by association -- being flagged as a "person of interest" and then essentially persecuted because you have fringe ideological interests, are looking up a lot of info on terrorism for a book project, have a friend who knows radical Muslims, etc.

* Corrupt use in political campaigns by incumbent politicians with access -- obvious.

* Blackmail and other corruption.

* Use by government agencies with access to spy on other agencies.

... I'm sure creative people can think of more.

~~~
antimatter
This. I can't seem to make people around me understand this point.

~~~
legutierr
Do you list these negatives when having that conversation? Do they not see the
possibility of something like this being used against them or family members
when you lay out the possibilities specifically (blackmail and industrial
espionage could hit anybody)?

The "nothing to hide" trope seems to me to be entirely based on a false
dichotomy that contrasts "nothing to hide" with "unpatriotic/criminal". I
think this is primarily because people lack the imagination to consider the
other seedier and more lucrative uses of surveillance.

If they were confronted with these other possibilities, would your
acquaintances change their thinking? Or do these other risks--for example, the
risk of having an employer targeted by competitors unfairly (potentially
leading to layoffs), or the risk of having a representative vote against the
interests of his or her district because of blackmail (potentially leading to
a loss of government services and investment)--simply not resonate?

~~~
dwiel
When I make this argument the most common response is that they have faith in
the goodness of people and don't consider these risks to be very significant.

------
martindale
Interesting; it appears someone failed to redact some data from the slides. In
the Facebook chat example, the message is "to" 1536051595.

Using the Facebook Graph API, we can gather information based on this ID:
[http://graph.facebook.com/1536051595](http://graph.facebook.com/1536051595)

Which leads us to the Facebook profile
([https://www.facebook.com/arash.gorjipour.5](https://www.facebook.com/arash.gorjipour.5))
of an individual, real or contrived, named "Arash Gorjipour". His email
address and phone number are all exposed in one of his uploaded photos:
[http://i.imgur.com/0UUk5cB.jpg](http://i.imgur.com/0UUk5cB.jpg)

I wonder what the reason for this man being in these slides is.

~~~
lisper
He's Canadian. And he has dark skin and a funny-sounding name.

He's (almost certainly) a real person, by the way. I called his office. He
wasn't in, but they offered to page him for me.

~~~
pooriaazimi
Just FYI (almost certainly of no importance because this individual was chosen
at random for the slides): his name (both first and surname) are Persian. I'd
guess he was an Iranian (graduate) student who has decided to stay in Canada
after his studies; possibly to be "free" from an oppressive government's
espionage and meddling in his private life. The irony...

------
yread
This is brilliant, I love the screenshots:

 _Foreignness factor:

The person has stated that he is located outside the U.S.

Human intelligence source indicates person is located outside the U.S.

The person is a user of storage media seized outside the U.S.

Foreign govt indicates that the person is located outside the U.S.

Phone number country code indicates the person is located outside the U.S.

Phone number is registered in a country other than the U.S.

SIGINT reporting confirms person is located outside the U.S.

Open source information indicates person is located outside the U.S.

Network, machine or tech info indicates person is located outside the U.S.

In direct contact w/ tgt overseas no info to show proposed tgt in U.S._

It's quite easy to lose the protections of a U.S. citizen indeed!

~~~
sehugg
_The person is a user of storage media seized outside the U.S._

Interesting, so everyone who ever hit a MegaUpload link is potentially a
foreign entity?

~~~
RyanZAG
Kind of puts into perspective why they would coordinate such a massive raid on
Megaupload. The target may not have even been the data - merely seizing the
data puts anybody who has accessed the megaupload website as an easy target.

~~~
netrus
You crossed the tinfoil line. Copyright infringement was sufficient motivation
for the actions taken. The megaupload raid was not okay, but I am pretty sure
Hollywood was behind it, not the NSA.

~~~
kazagistar
Well, there are reasons to put on our tinfoil hats now... heck, last I heard,
MIT students had managed to inject memories into mice.

~~~
pyrocat
The headline for that article was astoundingly misleading. They created a fear
response in the mice to a place that the mice had never been.

------
znowi
Holy shit... Apparently, the only way to ensure privacy is to _go Stallman_.
Funny how yesterday's "conspiracy crackpot" became today's visionary.

~~~
jacquesm
Stallman never was a conspiracy crackpot, he always was a visionary. The only
thing that changed is some people's judgment of him.

~~~
astrodust
You can be completely correct and still be a crackpot.

What we need is strict limitations on what can and should be collected, and
how it's used, plus better methods of securing what's being exchanged. For
example, sending email as plain-text, leaving it on the server as plain-text,
maybe that's a bad idea.

The NSA isn't necessarily the only reason you'd do this. Foreign governments
are going to take an interest in this, too, and it's only a matter of time
before someone gets access to the data the NSA is hoarding. No program of this
scale is ever 100% secure.

~~~
blueprint
> You can be completely correct and still be a crackpot.

This is very important. What do you mean by "crackpot"?

~~~
Karunamon
It's not feasible for the average person to restrict their lives to the point
that RMS does and advocates for.

* Reading the web via email only

* Using completely free software and hardware (which as far as I can tell, limits you to a very small subset of Linux on a single Chinese-made netbook)

* Not carrying a cellphone

* Not using any social networks.

Stallman's principled stand is admirable, but untenable for most. I need to
violate every single one of these tenets in an average day at work.

And that's before we even enter the realm of entertainment, which is even
worse as far as the FSF's definition of freedom goes.

~~~
jacquesm
Principled != crackpot. Crackpot is an insult intended for the feeble minded
and is used to reduce any opinions a person might hold on a subject as
rejectable out of hand.

Over unity energy generation from the vacuum is rightly labeled as 'crackpot'
imo, Stallman's position, while extreme should (again, imo) not be labeled as
such.

~~~
Karunamon
Where Stallman breaks from admirable principle and dives into untenable
crackpottery, IMO, is where he calls proprietary software evil.

~~~
jacquesm
Crackpot => unsupported by evidence.

Calling proprietary software evil is an opinion, and there are plenty of
examples of evidence that proprietary software was created in ways that one
could label as evil. Give it a while and there might be some revelation which
will cause lots of people to go 'oh, that Stallman was such a visionary,
calling proprietary software evil'.

Now on this particular aspect of Stallman's reasoning I find him hard to
follow because that would mean a whole class of something is bad whereas I
believe it should only apply to instances on a case-by-case basis. But I'm
going to hedge my bets here and sit it out for the next decade or two
(assuming I have that much time remaining) to see if he might not be on to
something again that is still hard to see from where we are standing right
now.

One way in which this could play out is that in order to avoid certain
societal fates is to have nothing but open source for certain classes of
application (for instance, voting computers, software in use by the government
in general or software that is used to power network infrastructure).

Don't be too quick to judge, Stallman has been right more often than I'm
comfortable with on some of his most 'extreme' views.

~~~
Karunamon
Moral judgements are subjective opinion by nature, fair enough, but I bring
the crackpot label in for exactly what you say, thinking in absolutes, in
black and white, instead of nuance.

In the real world, that shows a distressing lack of critical thinking and a
further distressing abundance of dogmatism.

"Proprietary software is bad" -- Subjective value judgement.

"Proprietary software is evil" -- Subjective value judgement that shows a
lack of thought.

"You should always use free software wherever possible." -- Subjective value
judgement.

"You should use absolutely nothing but free software ever" -- Subjective
value judgement that shows a lack of thought.

I mean, the FSF "disapproves" of software that is completely free on its own
(Fedora, Firefox), merely because they point out nonfree things you can use.
(Fedora's firmware bundles and some repos, and Firefox's addons site).

That's completely idiotic. Apparently the FSF's "freedoms" do not include the
freedom to run whatever software you choose if it's "unfree".

~~~
consonants
The proprietary software as evil thing comes as a morality judgment, that the
potential evils from such software/licensing far outweigh whatever positive
nuance it could bring to the table. A nuanced reading of the past 75 years of
copyright/patent law and judgments can come to the conclusion that such an
ecosystem is detrimental to the rights and ability of end-users and
developers.

Guess what the solution to the proprietary software problem is? Not using or
promoting proprietary software or platforms that enable it.

You are getting upset that the Free Software Foundation has standards to be
met to consider software as "free". To dismiss their agenda as existing in
'crackpot' territory is invalidating a legitimate argument to support your
shaky conclusion.

------
hammerzeit
Reading these slides, I'm trying to parse what these slides do or do not say.
I'd like to leave aside the speculation about what the NSA is _probably_
doing.

First of all, XKeyscore seems to be primarily about the frontend query
interface rather than the backend data storage, at least as far as I can tell.
It looks like you can basically query their database by email address and get
a set of records (email, chat, http logs) back. It looks like there are
separate tools for viewing specific records as well. I assume they're joining
records on some combination of email address, IP address, timestamp, etc --
not unlike a modern ad server.

A few practical thoughts:

* It's worth noting what's not shown in these slides. Specifically, I don't see any ability to query the full text of emails. The more I see about this, the more I'm convinced the NSA is not collecting email body texts directly from corporate servers. Facebook messages I'm less sure of.

* How are they collecting HTTP data? I assume intercepting at network hubs?

* Given that it appears that individual records are HTTP requests, I'm shocked at how few requests are in the database. 41 billion seems an order of magnitude smaller than I'd expect. Could it be a record is something else?

* Interesting to note the "Miranda number" and "Foreign Factor" fields that look like ways of saying "yes, I have permission to do this." Might explain why a sysadmin could bypass these things but your everyday NSA analyst could not.

~~~
cm2012
It doesn't show reading full emails in the screenshots, but the sentence right
underneath reads: "The analyst then selects which of those returned emails
they want to read by opening them in NSA reading software."

------
arca_vorago
Lurker's first post here.

I always said saying "I told you so." when stuff like this started getting
revealed would feel like a hollow phrase. Some of us have spent quite a bit of
time talking about these issues, and were mostly rejected as crackpot
"conspiracy theorists". While there are plenty of those around, maybe I could
use this slight moment of pseudo-clarity to propose something.

I could tell you where this is going (removal of ex post facto, and eventually
algorithmic based pre-crime), and who is largely behind it, but once again
most of you would probably perform the standard knee-jerk reaction against
"conspiracy theory", only to wait around and repeat the same kind of stuff you
are saying now, whenever the next steps are put into action.

We curious geeks have been too cocky, always thinking we could use our
superior knowledge of technology to beat "the man". Well boys, the man is
learning our tricks, and he's starting to get better at them than us...

The NSA is but a cog in a greater machine, and until we all realize that and
start conversing on what/who that machine is, we will continue to spin our
wheels uselessly.

~~~
w_t_payne
OK, I will take the bait. What do you think the greater machine is?

Here is my take:

You do not need to posit an organized Illuminati-like conspiracy to have cause
for concern. We can find plenty to worry about even if we limit ourselves to
properties of the system that are either emergent or driven by natural human
behavioural traits.

For example, a lot of people in positions of authority got there because they
have authoritarian instincts, and seek self-validation not only by dominating
and controlling others, but by ensuring that their position of authority and
dominance is recognized by others.

This is very human, and very instinctive, and operates at an unconscious,
almost sexual level. The alpha male will seek to dominate the pack and to
remind competing males of his superior status. You do not have to consciously
be aware that you are seeking power, money and sex, but you are, nonetheless.

This instinct can operate both consciously and unconsciously. Those who make
decisions to concentrate power and authority, to separate and elevate
themselves from the general population - they do not have to be consciously
aware of what they are doing. They can and will rationalize their beliefs and
actions to make it fit in with the dominant culture of their peers. This
process is called confabulation
([http://en.wikipedia.org/wiki/Confabulation](http://en.wikipedia.org/wiki/Confabulation))
and everybody does it all the time - it is the only way that we can make sense
of our lives and live in a human body without going insane with the sheer
irrationality of it all.

These instincts manifest themselves in lots of small, individually
inconsequential decisions. Normally, this is OK, because our social and
bureaucratic technologies are (were) too ineffective for too much harm to be
done. The ongoing march of modern information technology, however, looks
likely to change that, meaning that the unconsciously malicious instincts of
humans in positions of authority can become amplified and magnified.

I would be particularly worried if this resulted in a feedback loop - so that
increased power and increased power-seeking behaviour mutually reinforce one
another in a runaway process. I cannot readily identify such a loop in
operation though -- can anybody else?

~~~
arca_vorago
I hope I am not responding to too many people and seeming spammy, but here
goes.

I agree completely that we do not necessarily need to posit an organized
"Illuminati-like conspiracy" to have cause for concern. There are plenty of
studies showing increasing likelihood of sociopaths rising to the top of
power structures, and is often just due to how the system as an autonomous
entity functions.

What I do posit though, is that, in fact, there is, borrowing your own term
for lack of a better one, an "illuminati-like conspiracy". I have been
considering an attempt at a scholarly paper on the matter for some time now, but
let me try to be terse and possibly just point you in the right direction,
because I don't think I'm quite prepared to defend the full assertion in
public yet.

I will start with your question about power feedback loops. Here is a paper
regarding the global network of corporate control that anyone interested in
the global power structure should read.
[http://arxiv.org/pdf/1107.5728v2.pdf](http://arxiv.org/pdf/1107.5728v2.pdf)

I even contacted one of the researchers (Glattfelder) during the Libor
scandal, wondering if we could use some of the new information to analyze the
scandal better. He said it would be extremely difficult due to how good the
companies are at obfuscating their dealings.

Now, as far as the conspiracy, I would like to point out one thing. I do not
claim that there is but a single conspiracy (a trap assertion many fall into
making), and instead would say there are but a small number of very
powerful ones operating at any one time, sometimes in competition and
sometimes cooperatively. Regarding the "illuminati-like conspiracy" itself, I
have one primary reading source for you, if you are genuinely interested in
the subject. It should be enough to get you started on the more serious
analysis of what I am talking about.
[http://www.amazon.com/Anglo-American-Establishment-Quigley-C...](http://www.amazon.com/Anglo-American-Establishment-Quigley-Carroll/dp/0945001010/ref=sr_1_3?s=books&ie=UTF8&qid=1375287143&sr=1-3&keywords=tragedy+and+hope)

~~~
w_t_payne
This seems relevant:
[http://www.zerohedge.com/news/2013-04-26/illuminati-were-ama...](http://www.zerohedge.com/news/2013-04-26/illuminati-were-amateurs-matt-taibbi-explains-how-everything-rigged)

------
rdl
At this point the only thing protecting the US (and the world) from the worst
tyranny imaginable is that USG's essentially unlimited power is wielded by
individuals (rank and file workers, career bureaucrats, political appointees,
and politicians) with a fairly reasonable sense of morality and belief that
they are constrained by both the constitution and morality.

I don't think that is a stable long term system. Either some effective
limitations (technical and political) are put in in the next several years, or
a few decades of "us vs them" and self justifying security crises will produce
a horrible result.

~~~
northwest
Absolutely.

Now, the thing that prevents that from happening is money.

So much money is concentrated on so few people that _it protects itself_ and
the owner becomes invulnerable. Add to that that too much money very often
corrupts its owner. The predictable result for society seems pretty obvious.

~~~
jaekwon
You're spot on about money. I saw Keith Alexander's talk at the recent
BlackHat conference, and was miffed at people applauding the guy, but then
realized that it's a _Black_ Hat conference, the epicenter of the monetization
of exploits.

The other factor is that the NSA's reputation is irreparably tarnished, and
they will continue to attract the wrong kind of people. I think we need to
prepare for some _dark_ times ahead.

------
akmiller
Honest, maybe naive question, but what types of programmers actively help
build and maintain systems like this? I turned down a job for a company that
is less than a mile from my house because I viewed their business as immoral.

Hard for me to fathom anyone taking a job, helping to build systems like this.
I get that many of the components of a system like this could be seen as
harmless. However, a system of this complexity must have some talented
engineers bringing it all together and making it work. How can they feel good
about what they are doing?

~~~
nicholassmith
They're probably not thinking of it as immoral. Most likely they actually do
believe they're improving national security by doing this.

Or they just like the paycheck, that's a big possibility. I imagine the NSA is
probably happy to pay a lot with a large amount of bonuses to keep people in
roles.

~~~
g8oz
In a profile on Palantir (which sells tools that help with this sort of
thing), one employee was quoted as saying "this really is about saving the
Shire". Had to laugh.

~~~
nicholassmith
I remember that (I think it was in Wired), and it struck me as a basic naivety
on their part as when they were building it they were thinking about catching
bad guys without realising the line between who's a good guy and who's a bad
guy is determined way above your head.

In the spirit of the 'Shire' quote they should have also realised 'with great
power comes great responsibility'. No one has demonstrated that they are
responsible enough to have that level of power over millions of people.

------
kyro
Is this information the NSA could've attained left to their own devices, or is
this sort of stuff only accessible with help from service providers, eg
Facebook and Google?

What I'm trying to ask is: with all the hullabaloo Google, Facebook, Yahoo,
Microsoft, etc have made about individual, manual reviews of information
requests, are we _still_ being lied to? I suspect that we obviously haven't
been told the whole story by these companies, and that they are a lot more
implicit in this than they let on, but this article seems almost like
definitive proof that they did indeed allow unlimited access to user
information.

If this is saying what I think it's saying, then I feel seriously backstabbed
by the startup darlings -- Zuckerberg, Brin and Page, etc -- that so many
people here love and idolize. They should absolutely be held accountable.

~~~
jgrahamc
If you can tap large Internet connections then you can siphon off all HTTP and
SMTP traffic and from there it's trivial to reconstruct sessions and from
there get application level stuff.

I was doing similar things in the mid-1990s on shared Ethernet. It's really
only a question of speed and scale and then of writing code that recognizes
particular traffic (such as "this HTTP connection is a Facebook chat
session").

~~~
kyro
Interesting. So then this can be done with zero assistance from service
providers? Could providers have taken any steps to render that stream of
information inaccessible? And if so, is it a costly effort?

~~~
jonknee
Yes, use HTTPS for everything. It's not a surprise that all the logos in this
PowerPoint have since moved large portions of their traffic to SSL. SSL isn't
perfect (you can still see what domain someone is requesting), but it does
prevent a lot of the snooping outlined in the presentation (without vendor
participation, it's always possible that Facebook is siphoning off their
messages).

~~~
jstalin
Why would we assume that TLS is safe? The NSA could just as easily compromise
the CAs and get all the certificates they need.

~~~
nathan_long
Not exactly. Compromising a CA would let them fool a browser into thinking
that a fake Google certificate is a real one. However, if Google were
diligent, they could publish their valid cert signatures anywhere they like,
and users could check the signatures of the certs that are presented as
genuine.

The TSA can't crack or impersonate a cert at will; they can only 1) try to
trick you into accepting a phony one or 2) demand/steal the private key from
the site.

~~~
jstalin
Wouldn't having the private cert allow you to decrypt all communications
encrypted using that cert?

~~~
michaelt
Traditionally you generate an SSL public and private key, and send only the
public key to the certificate authority for signing, so compromising the
certificate authority doesn't give you the private key.

It does however give you the ability to issue yourself new public keys to
conduct man-in-the-middle attacks [1]. If you compromise the same CA as the
site whose traffic you're trying to intercept, you can bypass certificate
pinning which is supposed to detect MITM attacks. So for example you can MITM
gmail without certificate pinning detecting it if you compromise Verisign,
Equifax or GeoTrust [2]

[1] [http://googleonlinesecurity.blogspot.co.uk/2011/08/update-
on...](http://googleonlinesecurity.blogspot.co.uk/2011/08/update-on-attempted-
man-in-middle.html) [2]
[http://src.chromium.org/viewvc/chrome/trunk/src/net/http/tra...](http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json)
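
Added example, not part of the thread: a minimal model of the chain-level public-key pin check michaelt describes, showing why a certificate mis-issued by a pinned CA passes while one from an unpinned CA is rejected. The key bytes, CA names and helper names are constructed placeholders; real pins hash the DER SubjectPublicKeyInfo of each certificate.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, Sequence, Set


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only the fields the pin check needs."""
    subject: str
    issuer: str
    spki: bytes  # constructed placeholder for the DER SubjectPublicKeyInfo


def spki_pin(cert: Cert) -> str:
    """Pin value in the usual form: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode("ascii")


def chain_is_linked(chain: Sequence[Cert]) -> bool:
    """Toy path check: every certificate must name the next one as its issuer.
    Signature verification is assumed to be done by the TLS stack."""
    return all(child.issuer == parent.subject
               for child, parent in zip(chain, chain[1:]))


def pin_check(chain: Sequence[Cert], pins: Set[str]) -> bool:
    """Accept the connection if ANY certificate in the chain matches a pin.
    This is why pinning a CA key trusts everything that CA ever signs."""
    return chain_is_linked(chain) and any(spki_pin(c) in pins for c in chain)


# --- Constructed sample data (hypothetical names and key bytes) ---
ROOT_A = Cert("Example Root A", "Example Root A", b"root-a-public-key")
ROOT_B = Cert("Example Root B", "Example Root B", b"root-b-public-key")

GENUINE_LEAF = Cert("mail.example", "Example Root A", b"site-operator-key")
# Same hostname, different key, signed by the CA the site already pins.
MISISSUED_BY_A = Cert("mail.example", "Example Root A", b"interceptor-key")
# Same hostname, different key, signed by a CA the site does not pin.
MISISSUED_BY_B = Cert("mail.example", "Example Root B", b"interceptor-key")

CA_PINS = {spki_pin(ROOT_A)}          # pin the issuing CA's key
LEAF_PINS = {spki_pin(GENUINE_LEAF)}  # pin the site's own key


def evaluate() -> Dict[str, bool]:
    """Run each chain against each pin policy and return the verdicts."""
    return {
        "genuine / CA pin": pin_check([GENUINE_LEAF, ROOT_A], CA_PINS),
        "mis-issued by pinned CA / CA pin": pin_check([MISISSUED_BY_A, ROOT_A], CA_PINS),
        "mis-issued by other CA / CA pin": pin_check([MISISSUED_BY_B, ROOT_B], CA_PINS),
        "genuine / leaf pin": pin_check([GENUINE_LEAF, ROOT_A], LEAF_PINS),
        "mis-issued by pinned CA / leaf pin": pin_check([MISISSUED_BY_A, ROOT_A], LEAF_PINS),
        # A leaf that claims Root A as issuer but is presented with Root B's chain.
        "broken chain / CA pin": pin_check([MISISSUED_BY_A, ROOT_B], CA_PINS),
    }


if __name__ == "__main__":
    for case, accepted in evaluate().items():
        print(f"{case:40s} -> {'accepted' if accepted else 'REJECTED'}")
```

A pin set that lists CA keys narrows trust to those CAs but cannot distinguish a genuine certificate from one the same CA was made to issue; a leaf-key pin can, at the cost of having to ship new pins whenever the site rotates its key.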

------
runn1ng
From the slides
[http://www.theguardian.com/world/interactive/2013/jul/31/nsa...](http://www.theguardian.com/world/interactive/2013/jul/31/nsa-
xkeyscore-program-full-presentation)

"Show me all the VPN startups in country X, and give me the data so I can
decrypt and discover the users"

Does this mean using VPN is not very safe from dragnet?

~~~
kintamanimatt
You probably don't need to break the encryption because eventually all traffic
has to exit the VPN's company's endpoint, and at that point it can be
captured. Meta data such as the browser's fingerprint can be used to tie
traffic to an individual, for example, if you see them log in to a regular
HTTP site with an email or a username, this information could probably be used
to figure out who they are. Armed with this information, all other traffic
originating from that endpoint (or elsewhere) with the same browser
fingerprint[-1] can be monitored. Weak keys can also cause the encrypted
tunnel to be compromised. Also, PPTP is considered a very insecure tunneling
protocol[0] but still used.

You could also break into the VPN company's servers and do interesting things
too. There's also the possibility of timing attacks to determine the real IP
address of the VPN user, although that's a fairly sophisticated method and
quite difficult to do.

Bear in mind that this presentation dates back to 2008, which is a long time
in tech years. Who knows what they're capable of now. All that's known is that
they're not capable of _less_.

VPNs are useful for three things: protecting yourself against relatively
unsophisticated bad guys sniffing traffic on a local network (for example, an
unsecured wireless network), bypassing geographic content restrictions (e.g.
using Pandora in Sweden), and circumventing ISP traffic shaping (often they'll
not shape VPN traffic because it's used for businesses, and businesses can be
whale customers).

[-1]
[http://en.wikipedia.org/wiki/Device_fingerprint](http://en.wikipedia.org/wiki/Device_fingerprint)

[0] [http://blog.calyptix.com/2012/08/pptp-is-so-insecure-it-
shou...](http://blog.calyptix.com/2012/08/pptp-is-so-insecure-it-should-
be.html)

~~~
vidarh
> all traffic has to exit the VPN's company's endpoint, and at that point it
> can be captured.

If the only thing they're dealing with is VPNs used as a private proxy for
access to the public internet, you're right, and if so it's not so troubling
(well, as in it is "only" just as troubling as having them access everyone's
web traffic).

But arguably most VPN traffic is exiting inside private networks and is
intended for machines within those private networks. If they are capable of
breaking or circumventing the crypto of those, then that's troubling at a
whole different level because it potentially means massive unknown weaknesses
in either specific crypto products, or in algorithms that have been assumed to
still be reasonably safe.

~~~
chiph
Many corporate VPNs are secured via RSA SecurID and their keyfobs. Several
years ago the SecurID source was compromised by hackers[1] and it was
suspected the master seed/key was lost. Imagine if the NSA had access to that
key -- it'd certainly be a juicy target for them.

[1]
[http://dankaminsky.com/2011/06/09/securid/](http://dankaminsky.com/2011/06/09/securid/)

~~~
kintamanimatt
The most reasonable assumption to make right now is to assume that the NSA
_does_ have the key. They may not, but then again the recent revelations
have been so absurdly horrifying that I wouldn't put it past them.

------
aspensmonster
>How do I find a strong-selector for a known target?

>How do I find a cell of terrorists that has no known connection to
strong-selectors?

>Answer: Look for anomalous events

>E.g. Someone whose language is out of place for the region they are in

>Someone who is using encryption

>Someone searching the web for suspicious stuff

Lovely. Suspicious stuff and encryption. But wait! There's more!

>Show me all the VPN startups in country X, and give me the data so I can
decrypt and discover the users.

Wait... what? I really hope that doesn't mean what it sounds like it means.

>Slide 22 [regarding determining who authored a Jihadist document] redacted.

Well that's interesting.

>Show me all the exploitable machines in country X.

That's cool. I'm guessing this is what Snowden meant by weak endpoint
security.

>Over 300 terrorists captured using intelligence generated from X-KEYSCORE

>Slides 29 and 30 regarding this redacted.

What a shame.

~~~
talmand
I'd like to know where they are keeping these "over 300 terrorists" that have
been captured due to this program.

How is one labeled a terrorist by this program I wonder?

~~~
bowlofpetunias
This. This is what worries me more than anything. Where have these 300 people
gone? There should be records, trials, something. 300 _suspected_ terrorists
going on trial over a period of 5 years should have resulted in huge wave of
almost 24/7 publicity.

That the NSA is in the business of total surveillance is bad enough. But there
is the faint hint that the NSA is in the business of making people disappear.

~~~
junto
Black sites are still there. Black sites with dubious governments do the
disappearances for the CIA, without them getting their hands dirty unless they
have to.

------
hga
This bit both somewhat limits the impact and makes Greenwald et al.'s claims
that most everything is being Hoovered up a lot more credible:

" _The XKeyscore system is continuously collecting so much internet data that
it can be stored only for short periods of time. Content remains on the system
for only three to five days, while metadata is stored for 30 days. One
document explains: "At some sites, the amount of data we receive per day (20+
terabytes) can only be stored for as little as 24 hours."_"

Of course, as the article goes on to detail, anything that's found to be of
interest in that window can be saved permanently, and NSA analysts do that a
lot.

~~~
spahl
But this was written in 2008. Storage capacity could/must have increased
massively since then.

~~~
mpyne
But so has the volume of data that NSA would have to retain.

~~~
lukifer
...and so have the compression and filtering tech, I'm sure. If you strip out
most attachments, the average email message is incredibly tiny when gzipped.

------
jstalin
Slide 6 of the presentation clearly shows that pretty much every government is
in on the program, with heavy concentration in western Europe.

One question, how did the dot in China get there?

[http://www.theguardian.com/world/interactive/2013/jul/31/nsa...](http://www.theguardian.com/world/interactive/2013/jul/31/nsa-
xkeyscore-program-full-presentation)

~~~
jstalin
And look at slide 17:

"Show me all VPN startups in country X, and give me data _so I can decrypt and
discover users_."

Holy crap. Is all encryption broken?

~~~
vabmit
I think so. Yes. IIRC, the first time I saw this leaked was a combo leak by a
Navy Seal and a member of the Executive. The Seal leaked that they _powered
down_ Bin Laden's computers to take his hard drives after they shot him. The
Executive member said that the drives were encrypted and it would take a few
days to get the data. Jihadis are known to use a custom version of PGP with
2048bit RSA keys. They either used that, a COTS drive encryption program
(unlikely), or reviewed and adapted an open source drive encryption program.
In either of the likely scenarios they would have been using 2048bit RSA.
Therefore, it is highly likely (due to the NSA having target motivation even if
the drives weren't well encrypted) that the smooth barrier does not exist and
the NSA can factor 2048bit RSA in an hours to days scale time frame.

Also, it was leaked that NSA TAO had a 70%+ success rate compromising Chinese
systems. Even with the tech companies giving them secret zero days for an
extended period of time, anyone that has been a blackhat knows they're not
getting to a 70% success rate through exploits. Therefore, it's highly likely
they can decrypt VPN/SSH (TLS) traffic encrypted with AES256/RC4-128/3DES
and/or the RSA/EC public cryptography used. As you noted the leaked slide
seems to indicate that.

~~~
MAGZine
Breaking RSA is just a matter of managing to factor prime numbers faster than
anyone else, isn't it? Unless there is some sort of oversight inside the
RSA algorithm that allows the encryption to be broken easier.

Do you have more information on the smooth barrier? I did a quick google but
didn't see much relevant.

~~~
nulldevnull
I'm not sure it's relevant whether the b-smooth barrier exists or not, since
that assumes use of NFS.

There's a reason the NSA is pushing folks to use Suite B ciphers including
Elliptic Curve along specific curves. It's not unreasonable to think that the
NSA mathematicians have proven some relationship between EC and prime number
theory in general.

There is some public domain work on this topic. See
[[https://en.wikipedia.org/wiki/Lenstra_elliptic_curve_factori...](https://en.wikipedia.org/wiki/Lenstra_elliptic_curve_factorization)].

This might help explain in part the NSA's desire for large memory vector
supercomputers going back to the 1990s over distributed memory MP systems.

~~~
vabmit
Interesting comment! Yes, I have been trying to avoid EC because some of the
random walk stuff I read made me uncomfortable given standardized curves. I
always thought that NSA vector register desire was strictly due to block size
of ciphers (particularly Russian). This was definitely true when DES/3DES
were in use. Then again, I thought Bluffdale was just to crack old Russian
intercepts with GPU like custom hardware. BTW, a Cray hw engineer and I talked
about how Cray was trying to pivot into Bioinformatics since the gov biz was
no longer robust (in 2004, IIRC?).

~~~
nulldevnull
The whole reason the USG rescued Cray in the late-1990s/early-2000s was to
ensure the continued availability of large memory image vector supercomputers.
Part of this may have been due to it being less costly than converting their
processing systems from vector codes and algorithms to massively parallel
distributed processing ones. At that time the cluster interconnects were much,
much slower in terms of both bandwidth and latency than they are today.
Solving very large sparse matrices would have been tougher on an MPP system
than on a vector one. You can read about some of this history in Bamford's
"Shadow Factory."

There have been a number of very cost effective hardware approaches proposed
for significant acceleration of both the sieving and linear algebra components
of the NFS. Many of these proposals could successfully and cost effectively
attack a 1024-bit number in the 2003/2004 era. The process at that time was
around 130-nm. Today's process would have features at the 32-nm or 22-nm size.
Today there has been a 100-fold increase in performance since 2003. (See
[http://tau.ac.il/~tromer/cryptodev/](http://tau.ac.il/~tromer/cryptodev/) for
an overview.)

Combine this specialized hardware with an algorithmic improvement that gets to
O(log n) or O(n log n)....

AES appears fine. The NSA and USG in general made a very strong effort in the
2000s to move all civilian command and control systems for satellites to
AES-256 with TRANSEC capabilities. A brute force attack on AES-256 with a
quantum computer should be on the order of 2^128 operations with currently
known QC factoring algorithms. AES-128 looks weak at 2^64.

If the NSA can break something, they need to assume that their primary
opponents can do so or will do so soon. China specifically comes to mind here.
They cannot release cryptography suites with known vulnerabilities. It is
widely thought that it is more important to secure one's own signals before
intercepting and decrypting one's enemies.

I think everything on the internet needs to be moved to Suite B protocols with
forward secrecy enabled. AES-GCM overcomes all the known attacks (i.e. CRIME)
against AES-CBC and AES-CTR.

I get the impression that the NSA is eight to ten years ahead of the public
domain cryptographers in some areas. I think this gap is shrinking slowly.
However, I have also heard that the NSA is preventing publication of some
papers developed in the public domain due to national security reasons.

------
antimatter15
I wonder how Sencha ([http://www.sencha.com/](http://www.sencha.com/)) feels
about how the NSA is clearly using their ExtJS framework given the
screenshots.

I guess this kind of puts a different perspective to the whole debate that came
from JSMin's "The Software shall be used for Good, not Evil." clause
([http://wonko.com/post/jsmin-isnt-welcome-on-google-
code](http://wonko.com/post/jsmin-isnt-welcome-on-google-code)) given that
conceivably your open source framework might be a significant part of
something like this.

~~~
nemothekid
It's also very likely the machines are being run on Linux boxes. Should Linus
be losing sleep knowing he aided the NSA in this? Even the very database
this system runs on may be an offshoot of the Google BigTable paper. Should
Google have never open sourced the software that eventually became
HBase/Hadoop/Cassandra because of the NSA?

A tool is a tool. I don't think Henry Ford should feel guilty for enabling
people to kidnap children with greater speed.

------
jstalin
Snowden deserves the Nobel Peace Prize and the Vatican should consider
canonizing him.

~~~
jbigelow76
To be canonized you have to have performed a miracle, but if he somehow gets
pardoned by the DoJ or the Obama administration we could probably consider
that requirement met.

~~~
skylan_q
You've performed a miracle, yourself. A good joke in the comments section of
an HN post! :p

------
ck2
Imagine if storage limitations weren't holding back the NSA.

Those 60TB density HAMR[1] drives that are due in 2016 are really going to
take invasive to a whole new level.

[1]
[http://storageeffect.media.seagate.com/files/2012/03/perpham...](http://storageeffect.media.seagate.com/files/2012/03/perphamr2.gif)

~~~
w_t_payne
Who said that they were using spinning storage? You can store an insane amount
of data for your dollar if you are willing to use tape.

~~~
shabble
For example, IBM have a robot tape library that can store 900PB[1], Quantum
can fit ~5PB per full rack equiv[2], and there are many many more.

[1]
[http://www-03.ibm.com/systems/storage/tape/ts3500/index.html](http://www-03.ibm.com/systems/storage/tape/ts3500/index.html)

[2]
[http://www.quantum.com/products/tapelibraries/scalari6000/in...](http://www.quantum.com/products/tapelibraries/scalari6000/index.aspx)

------
giulianob
Holy shit.. they did really write a GUI in Visual Basic to track the killer's
IP

~~~
mattbarrie
I think the Guardian got trolled hard. This is too ridiculous to be true.

~~~
falk
I think you're in denial.

------
dictum
>Foreignness factor

I know NSA's mandate _is to spy on foreigners_ , but it's still very
jingoistic and xenophobic that not being American makes it OK to spy on you.

~~~
kintamanimatt
One could assume that Americans are spied on by foreign governments and the
data is just exchanged. The US spies on Brits, the UK spies on US persons, and
they both compare notes.

~~~
s_q_b
Actually this is exactly what occurs. Intelligence exchange among America and
its allies under Echelon, ANZUS, and UKUSA have been used in this exact way to
end-run around anti-domestic surveillance laws.

------
impendia
Another data point on the relationship between government and terrorism:

I live in Columbia, South Carolina. A mile from my house there is a prominent
statue of Ben Tillman. Tillman was an explicit advocate of terrorism, and
indeed personally engaged in it [1], which drove his popularity and ensured
his election to the governorship and the United States Senate.

Government programs such as the NSA's exist to protect the interests of the
powerful. Same as it ever was.

[http://en.wikipedia.org/wiki/Benjamin_Tillman](http://en.wikipedia.org/wiki/Benjamin_Tillman)

------
kilian
A 'fun' bit of weasel-wording by the chairman of the House intelligence
committee: "He's lying. It's impossible _for him_ to do what he was saying he
could do." They seem to be denying it, but all they're really denying is that
Snowden had access to the system personally.

~~~
dlitz
They mean he didn't have the "capability" to "collect" that data, which in NSA
newspeak means he had the technical means, but not the legal authorization to
do so.

------
sinak
Hey folks,

Just wanted to add a note and say that if you're angry about this, the best
thing that you can do is to get out into the streets and protest everything
that's been going on. Check out the Restore the Fourth rallies happening this
weekend, share them on social media, and sign up for your local event.

[http://1984Day.com](http://1984Day.com)

Getting out into the streets is the single most significant thing you can do -
even more effective than calling your legislators. The events on Sunday need
to be bigger than the events July 4th for this to really be a success.

------
jneal
Noticed one of the screenshots has a URL. It's a little blurry, but I suppose
it's an intranet URL since the TLD looks like .nsa

URL looks like: [https://gamut-
wakefield.ein.nsa/utt/UTT/do/FRNewSelector#sel...](https://gamut-
wakefield.ein.nsa/utt/UTT/do/FRNewSelector#selector)

~~~
jneal
Interesting addition. I wondered what some of these abbreviations in the URL
stood for. Upon searching, I found this:

[http://www.techcareers.com/job.asp?id=64332188&aff=C014D02C-...](http://www.techcareers.com/job.asp?id=64332188&aff=C014D02C-C8E2-4AF6-82A1-7B86393A9727)

Job posting, requiring top-secret clearance, looking for people that have
experience using certain tools including "GAMUT/UTT" - notice the URL from
the NSA doc has "gamut" and "UTT". So I further looked into GAMUT/UTT and
found this:

[http://williamaarkin.wordpress.com/2012/03/13/nsa-code-
names...](http://williamaarkin.wordpress.com/2012/03/13/nsa-code-names-
revealed/)

------
coenhyde
This is the most terrifying thing I've ever seen. I'm not exaggerating in the
slightest.

------
susi22
One of the screen shots:

[http://static.guim.co.uk/sys-
images/Guardian/Pix/audio/video...](http://static.guim.co.uk/sys-
images/Guardian/Pix/audio/video/2013/7/31/1375269238578/KS3-001.jpg)

says: Top Secret Comm(?) REL() to USA, AUS, CAN, GBR, NZL

confirming the previous suspicions that many other governments are on board.

Der Spiegel actually has reported a few weeks back about XKeyscore [1] and
that it is used by the BND (Germany's NSA). I.e. all this data is also
available to the NSA equivalents of Australia, Canada, Great Britain and New
Zealand.

Many Americans trust their government (unfortunately), will they also trust
the other governments?

[1]:

[http://www.spiegel.de/international/world/german-
intelligenc...](http://www.spiegel.de/international/world/german-intelligence-
worked-closely-with-nsa-on-data-surveillance-a-912355.html)

[http://www.spiegel.de/international/germany/german-
intellige...](http://www.spiegel.de/international/germany/german-intelligence-
agencies-used-nsa-spying-program-a-912173.html)

~~~
brown9-2
Those are the Five Eyes countries:
[http://en.wikipedia.org/wiki/Five_Eyes](http://en.wikipedia.org/wiki/Five_Eyes)

~~~
clicks
Good catch -- and really, I find it to be quite foreboding in terms of how
indomitable it is precisely because of the secrecy of the program.

"This was a secret treaty, allegedly so secret that it was kept secret from
the Australian Prime Ministers until 1973."

This is indeed a trend, and I speculate that NSA (and NSA-like entities in the
other 4 eyes/countries) probably communicate information and abilities to
prime ministers and presidents of the respective countries very selectively.

------
qwertzlcoatl
Livestream to senate hearings covering all this can be found here:
[http://www.judiciary.senate.gov/hearings/hearing.cfm?id=0d93...](http://www.judiciary.senate.gov/hearings/hearing.cfm?id=0d93f03188977d0d41065d3fa041decd\[1\])

As of this moment it's all about FISA. Wonder if this new allegation will be
talked about.

~~~
mrt0mat0
They did mention it offhandedly. The woman (I was only listening) started
making a list of things that the NSA should release yearly, including how many
crimes 702 and whatever helped prevent, and the main guy asked her to add a
view, in the light of the news posted today, but said they would investigate
that further at a later time. Sorry it's poorly detailed but just wanted you
to know it was mentioned.

------
shirro
You have to admit these guys are working on some cool problems. If you don't
have a problem with the legality of it or potential for misuse it looks like a
really interesting place to work.

~~~
jacquesm
That's exactly how they get people to work on it in the first place. If you
have no conscience there are lots of places where you can work on 'cool
problems'.

~~~
astrodust
Weaponizing a nuclear reaction? Cool, right?

------
w_t_payne
I just read the actual XKeyscore slide deck. Unlike a lot of leaks, these
slides are totally worth a look-see:
[http://www.theguardian.com/world/interactive/2013/jul/31/nsa...](http://www.theguardian.com/world/interactive/2013/jul/31/nsa-
xkeyscore-program-full-presentation)

------
venomsnake
Credit where credit is due - NSA made useful and usable email search. Please
give it to gmail and outlook.com ... I want to be able to search through my
mail as good as you guys can do.

------
stef25
A couple years ago there was an AMA on Reddit from someone saying he was very
deeply involved in spying on the general public's online lives, "at a level
you can't imagine". Many technical questions were asked, all answered
properly. I could never get it out of my head and now that Snowden has emerged
I can't stop thinking he was the OP. Wish I could find this AMA again.

~~~
cracell
Do you happen to have a link to this AMA? Not sure what to search for to find
it.

~~~
stef25
I can't find it, can't remember anything to search by. Very frustrating.

------
curbrusiasm
This has been up here for 5 hours and on the Guardian's website for nearly 6
hours. How is it possible that not the NYTimes, FOX, NPR, the Washington Post,
or CNN have picked this up? These organizations are an embarrassment to the
profession of journalism.

~~~
0003
Here is the newsdiff of today's NYT article on the disclosure of the
declassified docs. [1] Talk about burying...

[http://newsdiffs.org/diff/290704/290768/www.nytimes.com/2013...](http://newsdiffs.org/diff/290704/290768/www.nytimes.com/2013/08/01/us/nsa-
surveillance.html)

~~~
curbrusiasm
So rather than making a headline, update an article on another topic,
specifically update an article about a PR move by the White House intended to
stop talk on this issue. Assholes.

------
dmix
Greenwald said in the comments, there is a lot more to come:

> That House vote was about one specific topic - bulk collection of phone
> records - that this newest article has nothing to do with. That House vote
> isn't the be all and end all: it's just one small battle in what I can
> assure you will be a sustained and ongoing discussion/controversy.

> _There is a lot more to report still. Accuracy is the number one priority.
> That takes time._

------
peterwwillis
Here's an interesting legal question:

If a non-US resident or NSA target posts a thread on HN, and a US person
replies to the thread, is the US person now open to unlimited data collection?

Alternately, if you Facebook-like the same thing an NSA target has, are you
then subject to unlimited data collection?

~~~
fchollet
The information we have already shows that the US person/non-US person
distinction is purely cosmetic, meant to allow them to pretend that they're at
least trying to respect US laws to some tiny extent. It's rhetorical.

In reality you are always a valid target, US citizen or not.

------
chewxy
I don't think I have been more conflicted about this. I've just been talking
to my cofounders about the technical feasibilities of XKeyScore, and honestly,
our back-of-napkin engineering configurations indicate this is really an
awesome project to be working on.

On the other hand, this is categorically 'evil' by my and my cofounders'
ethical standards, and really, no one is safe. And that bugs the hell out of
me.

On the one hand: really fucking cool. On the other, I really do not like the
idea that I am being spied on.

I'm not sure how to process this information.

~~~
blackaspen
Welcome to working in the modern advertising industry.

~~~
chewxy
I AM currently in the advertising industry

~~~
LoganCale
No wonder you think it's cool.

------
mtgx
Nice pre-emptive "attack" by Greenwald today, just before the NSA hearings.

~~~
barylen
I was worried the leaks may have peaked a bit early, but this was very well
timed.

~~~
griffordson
The House hearing was canceled several days ago to make time for the House
Democrats to meet with Obama this morning. As far as I know they have not been
rescheduled yet and I will be surprised if they happen before the August
recess. Although Glenn Greenwald did say yesterday he hopes they get
rescheduled in the next 24 - 48 hours.

~~~
griffordson
Here is the video from the Senate Judiciary Committee hearing on the subject
today though:

[http://www.c-spanvideo.org/program/FISAS](http://www.c-spanvideo.org/program/FISAS)

------
rosem
I think it's insane that so many people are pointing the finger at Snowden,
yet no one is pointing the finger back at the NSA / US Government.

------
MarcScott
The scale, depth and technical sophistication of everything I've heard and
read so far has made me change my mind on whether or not there is a technical
solution to NSA and GCHQ surveillance. I'm now convinced that the only way to
solve this is through politics. We need representatives that will enforce our
rights to privacy, not clever hacks.

~~~
kazagistar
That said, we need to do the technical solutions as well. Don't use the
difficulty as an excuse to give up on one partial solution, when the other
solution is partial as well.

------
cnlwsu
Ok, so ignoring all moral/ethical issues with this. Wouldn't it just be
awesome to work on a project like this? Unheard of funds, tons of data,
interesting CS problems all around. I am sure they did everything possible to
make it miserable on the developers but nonetheless... sounds fun from a
completely detached CS perspective.

~~~
ratsbane
Yes, I was thinking the same. Sort of the software engineer equivalent of
flying the best fighter jets and recognizing that you're going to be using
them to bomb people in mud huts instead of dogfighting equally-classed
opponents.

------
chrisstanchak
Summary of how this story is being covered around the world vs. in the US.

[http://imgur.com/a/tS7h4](http://imgur.com/a/tS7h4)

~~~
mrt0mat0
I was shocked by this too. About an hour ago I went to CNN.com and searched
the keyword xkeyscore and got 0 results. Not a single article?

------
junto
The map on page 6 is interesting. Server locations of note:

    
    
      Moscow, Russia
      Caracas, Venezuela
      Tripoli, Libya
      Hubei Province, China
      Burma
      Lagos, Nigeria
      Saudi Arabia
      Iran (and geographically surrounding Iran)
      Ukraine
    

Based on page 13, I wonder if Google have any servers at these locations?

Oh, what a surprise: [http://royal.pingdom.com/2008/04/11/map-of-all-google-data-c...](http://royal.pingdom.com/2008/04/11/map-of-all-google-data-center-locations/)

Does that look familiar?

~~~
jnbiche
I'm very suspicious of Google's role in all this, but there's not much overlap
in the list above and the map you refer to, outside of the normal population
and business centers in Europe and the US. I didn't see any Google data
centers in Libya, Burma, Nigeria, Ukraine, Saudi Arabia, Iran, or even
Venezuela (the only one in S. America looks like it's in Brazil). Based on a
quick glance, the only overlap between the list above and Google's server
looks like Moscow, a major global business center.

Were we looking at the same map?

~~~
junto
Sorry, I wasn't suggesting Google were complicit, but the NSA need to suck up
search queries, so it makes sense to locate these NSA servers right next to
local Google installations.

Again, page 13; a local Google Pakistan search query.

------
swalsh
The thing that blows my mind, is you hear over and over again about Billions
of dollars being spent on large software projects for the government that seem
fairly simplistic that ultimately fail.

The NSA is accomplishing some pretty impressive things, what are they doing
differently?

~~~
fnordfnordfnord
Spending tons of our money while being accountable only to themselves.

~~~
mpyne
Spending tons of money didn't help when DoD was trying to field DIMHRS. The
military still runs on an ancient COBOL-era payroll system because they can't
successfully develop and field a replacement, despite some billions in wasted
$$$.

------
aspensmonster
Slide 13 just got slightly redacted.

[http://imgur.com/a/SVerP#0](http://imgur.com/a/SVerP#0)

~~~
HNaTTY
The 64. IP address on that slide is to Google (obviously), here's the other
end:

GeoIP City Edition, Rev 1: PK, 08, Islamabad, N/A, 33.700001, 73.166702, 0, 0

5.157.65.58.in-addr.arpa domain name pointer mbl-65-157-5.dsl.net.pk.

23674 | 58.65.157.0/24 | MBL-AS | PK | NAYATEL.PK | MICRONET BROADBAND (PVT)
LTD.

------
budman
Wow. Just Wow.

For years all of this was in the back of my mind as being capable but my not
wanting to think like a conspiracy crackpot just dismissed the thought as it
couldn't be possible. A conspiracy takes a lot of co-operation from within
large corporations who must also keep it a secret. Surely someone would have
a conscience and leak it? Or one of the companies we all look up to as a modern
example of do-good company would say "Hell NO" to the attempt and then let the
world know what was attempted. Guess that was eventually proven true with
Snowden (a real hero imo), just shocked they were able to operate to the scale
they did for so long before a Snowden came along.

In my mind, this is not so much a shock to me regarding the NSA as well as the
current evil government we have had in place. Doesn't take a genius to realize
the president lies to our face on TV about trivial issues/promises, so
expected for top secret stuff.

What is the BIG stomach churning shock to me is the very companies that we
have come to know that are multi-billion dollar conglomerates providing
service/products for millions for every day use has been a part of it. A part
of this secret web while all the while proclaiming privacy for its users. I
guess at end of day profits still rule the roost. "Just do this for us, turn a
blind eye, and you get to go on making your billions". I wonder how many CEOs
knew of all this. Gates? Zuckerberg? Etc etc.

I feel like I have no outs now. There are no alternatives to current
establishment of companies that make our lives easier. Should we all wipe our
PC's and use Linux, sell our phones and use Ubuntu Phone, not pay for SSL
certs anymore (another mafia), etc?

------
mikecarroll
I wrote an e-mail to Congressman Mike Rogers about his misleading quote in
this article. I encourage others to reuse my template and also ask him to
justify his misleading remarks about Snowden's statement:
[https://news.ycombinator.com/item?id=6134672](https://news.ycombinator.com/item?id=6134672)

We should start holding our public servants to task for lying to the American
people about these programs.

------
andy_ppp
I just censored an email I was about to write in case it is used to discredit
me in the future. Jesus. The thought police are here :-(

------
api
At what point do the mathematical limits of data mining kick in here? How
useful is all this information?

I'm not an expert in this area of mathematics, so I could be wrong, but my
impression is that as the haystack becomes larger the problem of false
positives becomes more and more severe.

As a data miner, what you want is the maximum number of "hits" (of whatever
you're trying to hit) with the minimum number of misses and the minimum number
of false positives. My impression is that this becomes progressively harder--
the golden region between too many false positives and too many false
negatives becomes smaller and smaller and harder to hit.

Eventually you either miss important hits, namely the next terrorist attack,
or you get swamped with false positives that you have to manually investigate
and rule out.

I'd love someone who does know more here to chip in, but my personal suspicion
is that this actually has a pretty huge pork angle to it. How much money are
the contractors getting for building this stuff?
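
The shrinking "golden region" described above can be made concrete. This is an added example, not part of the original comment: it assumes a detector whose scores are Gaussian (innocents around 0, targets around `separation`), and the population sizes, 100 targets and analyst budgets are assumed values chosen for illustration.

```python
from statistics import NormalDist

STD_NORMAL = NormalDist()  # scores are measured in standard deviations


def expected_errors(threshold, population, targets, separation):
    """Expected (missed targets, false leads) if everyone scoring above
    `threshold` is flagged.

    Assumed model: innocents score ~ N(0, 1), targets ~ N(separation, 1).
    """
    innocents = population - targets
    missed = targets * STD_NORMAL.cdf(threshold - separation)
    false_leads = innocents * (1.0 - STD_NORMAL.cdf(threshold))
    return missed, false_leads


def workable_thresholds(population, targets, separation,
                        max_missed, max_false_leads):
    """Return the (low, high) threshold window that meets both budgets,
    or None when no threshold satisfies them at once.

    Requires 0 < max_missed < targets and
    0 < max_false_leads < population - targets.
    """
    innocents = population - targets
    # Upper bound: a higher threshold would miss too many real targets.
    high = separation + STD_NORMAL.inv_cdf(max_missed / targets)
    # Lower bound: a lower threshold would flag too many innocents.
    low = STD_NORMAL.inv_cdf(1.0 - max_false_leads / innocents)
    return (low, high) if low <= high else None


def golden_region_widths(populations, targets=100, separation=6.0,
                         max_missed=1, max_false_leads=1000):
    """Width of the usable threshold window for each haystack size."""
    widths = {}
    for population in populations:
        window = workable_thresholds(population, targets, separation,
                                     max_missed, max_false_leads)
        widths[population] = None if window is None else window[1] - window[0]
    return widths


if __name__ == "__main__":
    # Same detector, same 100 targets, same analyst capacity; only the
    # haystack grows.
    for population, width in golden_region_widths(
            [10**5, 10**6, 10**7]).items():
        print(f"{population:>12,} people -> usable window: {width}")
```

With the detector and the analysts' capacity held fixed, the window narrows as the population grows and then disappears: past that point every threshold either misses targets or exceeds the number of leads that can be investigated.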

~~~
bane
so let's say there's a law that says "any American company doing business with
a company that does business with a known terrorist organization will have a
bad day"

you don't need to use some kind of fancy data mining algorithm for this to
work (generating false positives), you just need a ho-hum graph traversal
algorithm and unbelievable amounts of graph data to generate "candidates for
investigation".

US Company A -> intermediate 1 -> known terrorist group B

US Company A -> intermediate 2 -> known terrorist group B

US Company A -> intermediate 3 -> known terrorist group B

Each set of links is just one lead to investigate, but having a giant graph to
work off of would make generating those leads simple. You might find out that
intermediate 1 is a local falafel delivery place that "US Company A" uses for
lunch catering. Can probably strike that one off the list. intermediate 2 is a
utility (no choice but to use the local water monopoly), but intermediate 3 is
a material supplier that employs several low level delivery guys from known
terrorist group B, and the founder of the company is a cousin of the founder
of known terrorist group B.

So I'd wager it's not as simple as just running an algorithm and automatically
sending out Skynet drones to blow things up. There's some kind of more subtle
assessment being made, with the systems just providing help to the analysts.

------
emhart
Fitting/sinister that the top of their stored data pyramid is titled
"TrafficThief"

------
eksith
That UI looks awfully similar to a theme I've seen used in SharePoint Portal
Server. I hope that's not what they use for the front end, but I wouldn't put
it past them.

~~~
duncans
Pretty sure it isn't - some of it looks like old ExtJS if anything.

The more worrying thing is that they're still apparently using IE6. [EDIT: OK
the presentation is from 2008 but _still_!]

~~~
VikingCoder
This, to me, is like showing the alleged UI on an Apple IIc:

It just about _proves_ that it's not true, to me.

------
heyitsnick
And, according to Greenwald, there's a lot more to come. From the comments:

"There are thousands upon thousands of documents and they take time to read,
process, vet, and report. These are very complex matters..... there is a lot
more to report still. Accuracy is the number one priority. That takes time."

------
totalforge
Just a friendly reminder that if you looked at the slides, you have read a
classified document, and therefore are guilty of a Federal felony. Cheers!

~~~
w_t_payne
And the NSA is passing your details on to the FBI _riiiight_ about now.

Enjoy your federally-funded vacation!

~~~
northwest
At least you can be sure that dinner will _always_ be served.

------
codex
The Guardian strongly implies this system is used to intentionally target US
citizens in violation of the law, but then admits that would be "illegal." I
wonder if the leaked presentation touches on this point.

~~~
jabbernotty
The Guardian doesn't 'admit' anything (it wasn't hiding anything in the first
place), and legality doesn't predict whether actions are being taken or not.

>I wonder if the leaked presentation touches on this point.

That seems unlikely to me, as this is a technical presentation.

------
fideloper
Are the major news networks ignoring this story? Briefly checking, I only see
Fox News reporting related stories, naturally blaming the Obama Administration
(perhaps fairly in this case).

------
northwest
"The NSA documents assert that by 2008, 300 terrorists had been captured using
intelligence from XKeyscore."

So, even IF this number is not just another lie, XKeyscore has been made
worthless, with something ridiculously small as the 2 prison breaks of the
recent days.

That means: What remains is a police state that is not even "secure".

Good job, governments/lobbyists/"defense" corporations.

------
buggedplan
Germany used NSA's XKeyScore spying software: magazine report
[http://www.globalpost.com/dispatch/news/regions/europe/germa...](http://www.globalpost.com/dispatch/news/regions/europe/germany/130722/germany-used-nsa-xkeyscore-spying-software-magazine-repo)

------
mladenkovacevic
It seems this was meant to be declassified in 2032.. I guess by then they were
hoping this would be so institutionalized and pervasive as to be the norm.

Also I wonder to what extent this is really used to hunt terrorists down and
how much of it is used to gain political or economic advantages over other
countries.

~~~
madaxe
Secrecy is like copyright - keeps on getting extended, or the documents just
get "mislaid" long before the declassification date.

------
antitrust
I realize that it isn't morally right, but I think such data storage is
inevitable. With the rise of instant communications, the amounts of data
people generate are massive, and old school law enforcement can't keep up.
Thus with the increase in technology, there's going to be an increase in
counter-technology.

I guess what we need to ask ourselves now is whether we want any secrets at
all. A true Panopticon -- a society where everyone could see what everyone
else was doing -- might bring a "freedom" from certain types of subterfuge,
and attack.

Then again, I don't want to live in it.

That leads us to the question of how we handle the flood of data when looking
for hostile activity, because governments are certain to use available
technology to trap, parse and search that flood.

------
w_t_payne
Imagine what Nixon would have got up to with this capability. He would
probably still be in power!

------
rehack
Makes me Wonder, if the Internet in this widespread form, was allowed so that
they can snoop (so easily)?

When I was a kid, my father, had told me a story that in Russia people are
scared to speak their minds, for fear of being snooped via any hidden gadgets
in the walls.

------
rtf1
And it's not even limited by the internet. NSA collects every piece of
information they can get their hands on, whether it's data on the internet or
any other network, or spectrum signals, or simple imagery. And they do that by
every means possible. James Bamford wrote years ago a number of books on the
subject. And even before him, David Kahn painted a pretty clear picture. Why
is everybody so excited so suddenly? Is there somebody on this forum who
believes for a split second that Mr Obama and/or the US House/Senate are
prepared to lay off way over 300,000 intelligence community workers,
contractors and what have you??? -RTF

------
mkhalil
Declassify on January 08, 2032. I wonder what kind of reaction the people of
2032 ( we who are still living that time ) would have had if they found out.
Would they care? Worse reaction? Probably be used to gov. spying? It's a scary
world.

------
mrt0mat0
I asked this in a deeper thread, but i would like to reask anyone that can
explain. If the NSA is tapping pipelines as it seems they are, wouldn't the
sources such as facebook and google all come online at the same time? if they
were in fact referring to the pipeline access as their way into facebook and
company, why did they all have different onboarding times? wouldn't they have
all come on at the same time: the time when they tapped the pipelines? Maybe i
misunderstand the process. I get that maybe they had to write some interface
that interpreted the packets and sorted them as such, but that wouldn't take
years.

~~~
stordoff
My interpretation is that the NSA basically have two main forms of collection:
data directly from fibre intercepts, and data obtained (via voluntary
agreement, court order, or otherwise) from private companies. This slide [1]
would certainly suggest such an arrangement.

The fibre intercepts would fairly easily give access to HTTP traffic, and
Facebook/Google/etc. would probably 'come online' at about the same time
(there will likely be some differences as it appears there is a need to code a
plug-in/processing engine for each major source to pull out usernames etc.[2])

What exactly the dates in the PRISM slide mean is somewhat unclear without
more information. It could be, for example the date that the first court order
is made, or the date when the company provides to the NSA a more automated way
to query the data. I doubt that those dates are related to the fibre
intercepts though.

[1] [https://image.guim.co.uk/sys-images/Guardian/Pix/pictures/20...](https://image.guim.co.uk/sys-images/Guardian/Pix/pictures/2013/6/8/1370711209084/b444b0a8-4436-4802-921e-5c3177bfc0eb-460x276.jpeg)

[2] [https://image.guim.co.uk/sys-images/Guardian/Pix/audio/video...](https://image.guim.co.uk/sys-images/Guardian/Pix/audio/video/2013/7/31/1375269148029/KS1-001.jpg)

~~~
mrt0mat0
so if that's the case, then it would seem that facebook, google, etc. are
still lying? or could this be more gag order stuff?

~~~
burntsushi
No it would not... At this point, it seems quite feasible that Facebook,
Google, et al., are telling the truth at least in some respect. The point is
that there are TWO different forms of data collection: PRISM and XKeyscore.
PRISM happens via court order and is what we've heard about primarily up until
today. XKeyscore is a separate program and _does not require the compliance of
Google, Facebook, et al._ In fact, it doesn't even require their knowledge.

The key now is to see who exactly is letting the NSA tap their network hubs to
sniff the entire Internet. These will be your Internet Service Providers...

~~~
mpyne
The ISPs might not have a choice either, thanks to CALEA.

~~~
burntsushi
Definitely. Thanks for pointing that out! I didn't mean to imply either way,
but looking back, I did use some unfortunate phrasing.

------
CPAhem
Slide 23: "Show me all the Microsoft Excel spreadsheets containing MAC
addresses coming out of Iraq so I can perform network mapping"

Does MS Excel store your MAC address in the xlsx file?

------
mattbarrie
Um... surely this has to be a spoof. "Select foreignness factor"?? really?

The user interface and way this is done just seems too amateur hour to believe
this is actually true

~~~
mattbarrie
The numbers seem way off and too keystone cop to be true. 20 terabytes is not
large for the NSA.

It can search BCC?? Only the sender has them. so everything would have to be
collected at each ISP (which isn't impossible).. but I think the guardian has
been trolled.

~~~
eterm
That's 20TB per site. Who knows how many collection sites they have?

~~~
noir_lord
Says in the full slides on guardian over 500 sites (this was 2008), I wonder
how many they have now..

------
badclient
_As one slide indicates, the ability to search HTTP activity by keyword
permits the analyst access to what the NSA calls "nearly everything a typical
user does on the internet"._

It seems like everyone's been attacking the wrong folks. From this article it
appears that bulk of the data is being tapped at the data center level and
then parsed. This begs the question how it would be able to make sense of
https traffic.

------
mkhalil
People aren't going to care about this until they understand what consequences
this may have to THEIR personal life. Live with it. Not changing unless the
knowledgeable/wise start educating the general population on how this affects
them.

Most people might speak against it (including people here) but at the end, they
have the "I'm not doing anything wrong, who cares, not worth the effort"
mentality.

------
vasilipupkin
I am curious: Suppose this is true and NSA analysts have the technical
capability to access enormous amount of information with no authorization. But
if they do do that, against the law and the rules and their actions are
recorded in the system, they could face penalties no? I mean I could kill
someone with a hammer technically, that doesn't make hammer bad per se, does
it ?

~~~
ryanmolden
It says _can_ be audited. I suspect the number of times that has been done is
vanishingly small, perhaps only on Snowden, after his revelations :) It smells
to me like plausible deniability. Claim you have set up a system where things
_can_ be audited, don't ever answer how frequently it is done or what the
penalty is for abuse of the system. Top secret and all. This kind of system
really should freak people out. I imagine it would be a great blackmail info
system if people start speaking against the govt or "causing problems". I can
imagine public figures don't want to be publicly shamed for their online
activities, gambling, porn, affairs, etc...

------
ceautery
I wonder how they store all that. Surely a side benefit of this could be NSA
contributions to CS journals about database techniques.

Also I doubt the veracity of the claim that they collect "nearly everything".
Wouldn't they show up on, say, Sandvine's Internet traffic reports? I think
it's more likely this claim is made simply to generate FUD in the general
population.

~~~
nikcub
Hadoop[0] and OpenStack[1]

I think the era of government being far ahead of commercial tech capability is
over. The government mostly outsources now (a problem Snowden identified in
terms of information control) or develops in-house with vendors.

[0]
[http://online.wsj.com/article/SB1000142412788732349560457853...](http://online.wsj.com/article/SB10001424127887323495604578535290627442964.html)

[1]
[http://www.youtube.com/watch?v=NgahKksMZis](http://www.youtube.com/watch?v=NgahKksMZis)

~~~
286c8cb04bda
_The government mostly outsources now (a problem Snowden identified in terms
of information control) or develops in-house with vendors._

There are a lot of fingers in that pie. Oracle, for example, has a National
Security Group, whose job is to come up with "solutions" and then try to sell
them to three-letter-agencies.

------
GI
I am going to be obliterated for this comment! Does the fact they've caught
300 terrorists in any way justify what they're doing? I am not saying it does,
I just wondered what people's thoughts were (although I can guess!). It's
interesting that it was included in the article in an attempt to give it some
'balance'..

~~~
skore
Sir Thomas More decides that he would rather die than lie or betray his faith.
And one moment he is arguing with the particularly vicious witch-hunting
prosecutor. A servant of the king and a hungry and ambitious man.

And More says: “You’d break the law to punish the devil, wouldn’t you?”

The prosecutor says: “break it? I’d cut down every law in England if that
would take it to catch him”.

“Yes you would, wouldn’t you?” And then “When you would have cornered the
devil and the devil would turn around to meet you, where would you run for
protection, all the laws of England having been cut down and flattened? Who
would protect you then?”

Every time you violate – or propose to violate – the right to free speech of
someone else, you in potentia you’re making a rod for your own back. Because
(…), to who do you reward the right to decide which speech is harmful, or who
is the harmful speaker? Or to determine in advance what are the harmful
consequences going to be, that we know enough about in advance to prevent? To
whom would you give this job? To whom you’re going to award the task of being
the censor?

[http://howtoplayalone.wordpress.com/hitchens-on-free-speech/](http://howtoplayalone.wordpress.com/hitchens-on-free-speech/)

~~~
sbi
These are quotes from the Bolt drama "A Man for All Seasons," not Sir Thomas
More himself.

~~~
skore
Guess it was one of those days where Hitchens had a drink too many and got his
quotes mixed up.

~~~
gruseom
More likely he assumed the reader knew what he was talking about.

~~~
skore
I would assume the same, yes.

------
andy_ppp
Judgement day is inevitable.


------
epoxyhockey
In the first slide, there are 25 red dots in a row on the bottom.. I wonder
what those are supposed to represent?

~~~
junto
Digital finger-printing, so that you can tell who leaked what document.

I don't want to detract from Snowden's very noble act, but I hazard a guess
that Snowden knew that the documents he leaked could be traced back to him, or
at a minimum a small team that he worked with.

------
nullc
It's been being weirdly suppressed on reddit:
[http://www.anonmgur.com/up/17832a6eafb09376d012090ff1b06dbe....](http://www.anonmgur.com/up/17832a6eafb09376d012090ff1b06dbe.png)

Every time a thread on this hits the top it gets mod-deleted.

------
mjfl
Well then they are going to need that big data center. That is an unimaginable
amount of data...

~~~
sentinel
Yep.
[http://www.forbes.com/sites/kashmirhill/2013/07/24/blueprint...](http://www.forbes.com/sites/kashmirhill/2013/07/24/blueprints-of-nsa-data-center-in-utah-suggest-its-storage-capacity-is-less-impressive-than-thought/)

------
imrank1
interesting that is not even on CNN or MSNBC yet. Has anyone else seen
coverage on US news?

------
yen223
Has anyone verified the accuracy of the slides? How do we know they even came
from the NSA?

~~~
netrus
Let's see if NSA dares to dispute their authenticity.

------
osth
[http://s3.documentcloud.org/documents/743252/nsa-pdfs-redact...](http://s3.documentcloud.org/documents/743252/nsa-pdfs-redacted-ed.pdf)

Missing: How much did this cost? Did the government (taxpayers) overpay?

------
w_t_payne
I wonder if we should try to put together a programme to try to drain the NSA
of technical talent ... offering jobs or other incentives to try to persuade
developers currently working for the agencies and their various contractors to
resign?

------
northwest
General reflection:

As I recall it, our right to privacy is defined by the "reasonable expectation
of privacy".

Currently, I see any such "reasonable" expectation to be almost zero.

Therefore, I have to conclude that we _have already_ lost the right to privacy.

------
scrrr
"Mr. <webservice-ceo> Does your company offer a backdoor for the government?
It looks like it, even though you have declared that there was no backdoor
just a few weeks ago!" - "Uhm. Not wittingly!"

~~~
MichaelGG
That's like accusing AT&T of having a backdoor because your apartment has thin
walls and someone could overhear. Or that your ISP has a backdoor because your
WiFi isn't encrypted.

The FBI was doing this decades ago with Carnivore. Why is it at all surprising
that such a program continues to collect _unencrypted_ information you sent
over the Internet?

~~~
bobbydavid
access.

any citizen can go out and listen to public conversations, but we are not all
invited to put our e-stethoscopes up to the internet backbone.

------
obelos
How weird is it that cnn.com is included as a reason for being interested in
HTTP?

~~~
LoganCale
Another example is shown where they are searching for everyone who read a
particular article on the BBC website.

------
naithemilkman
Surely the question on everyone's mind is: how good is incognito mode???

~~~
kintamanimatt
It's not. It's only just a way to visit sites without a record being stored on
your computer. Read the warning. For example, Firefox's private browsing mode
states:

> While this computer won't have a record of your browsing history, your
> internet service provider or employer can still track the pages you visit.

They should include government spooks in that warning!

~~~
shawabawa3
Chrome does!

> Going Incognito doesn't affect the behaviour of other people, servers or
> software. Be wary of:
>
> ...
>
> Surveillance by secret agents

------
kepano
Can someone with data center expertise extrapolate the physical scale of this
operation? In terms of storage and computing power it must rival if not
surpass what Google has built, no?

------
LeeLorean
It is interesting on slide 17 that the NSA can decrypt all VPN traffic.

Does this indicate that they have broken HTTPS, or simply that they own VPN
companies like Private Internet Access?

------
jstalin
I don't think it's a leap to assume that _ALL_ TLS certificates are
compromised and the NSA can monitor ALL Internet traffic.

~~~
nathan_long
No, that's a huge leap, actually. You could go make a certificate right now
for your web site and keep the private key private. I could visit your site
and verify that the signature is the expected one. If you and I are both
diligent, we can know that our TLS session is safe.

------
amckinlay
Wait, does the collection require FISA warrants? Is the collection still
limited to foreign nationals?

------
rdouble
It seems like working for the NSA is more like working at Initech than it is
like Minority Report. I've been more embarrassed by how Office Space retarded
this seems than I have about the privacy abuses. I'm skeptical any of these
supposed systems work, or even exist. It reminds me of Iran's pretend fighter
jet.

------
llamataboot
Can someone explain this to me like a 5 year old and how it interfaces with
PRISM?

~~~
noir_lord
This is considerably more invasive than PRISM.

This system logs HTTP metadata and data (think the address on the envelope and
the contents of the envelope), the metadata for 30 days the contents for 3
days.

This http data is essentially _everything_ that goes over the wire all of
which is then shovelled into a database with a fairly sophisticated (if not
pretty) front-end that allows really invasive searches.

You can search for stuff like "all emails that contain the words sex doll" or
"nudes" and contain jpegs...of course the users would only use this system for
legitimate operations covered by warrants.../s.

This is the first of these releases that have really made me stop and go
"whoa" mostly because this is "better" (bigger, more complex and capable) than
anything I expected them to have now (and this was in 2008).

~~~
llamataboot
I guess I am mostly confused about whether they have any email content
capabilities...and if so, how?

~~~
noir_lord
They are tapped into the hubs of internet communication as well as most (if
not all) of the major webmail based systems (think Google, Hotmail, Yahoo).

As to the how they are taking feeds directly off major internet routers (the
vast majority of traffic will go through a major router at some point
particularly if it is international though it's quite possible for a packet
sent from one side of your country to another to go international as well).

So yes they do have email content capabilities (if you look at the actual
slides they also have a sophisticated filtering system, they can do stuff like
"show me emails from iran with word documents attached containing IAEO").

This system is absolutely terrifying, it genuinely is the work of a dystopian
sci-fi author from 30 years ago.

----

If you want to get right down in the trenches email is SMTP and POP over
TCP/IP (normally), email is fundamentally a human readable text protocol which
makes it trivially easy to parse (this was kind of the intention after all) so
once they have the captured stream reconstructing the mail is not much harder
(if any) than writing a mail client.

You can see an example of SMTP if you open a console/shell and type "telnet
smtp.gmail.com 25" and then when it has logged in type HELO the response is
just plain text.
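
What the comment above describes, as an added example that is not part of the original post: a Python sketch that rebuilds a message from the client side of a cleartext SMTP session, then runs the same parser on a session that upgrades with STARTTLS. Both byte streams, all addresses and the function names are constructed for illustration.

```python
from email import message_from_bytes
from email.utils import getaddresses

# Constructed client-to-server stream of a cleartext SMTP session.
# carol@example.net is an envelope recipient only (a Bcc).
CLEARTEXT_SESSION = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@example.org>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"RCPT TO:<carol@example.net>\r\n"
    b"DATA\r\n"
    b"From: Alice <alice@example.org>\r\n"
    b"To: Bob <bob@example.net>\r\n"
    b"Subject: lunch\r\n"
    b"\r\n"
    b"See you at noon.\r\n"
    b"..and bring the report.\r\n"   # dot-stuffed line (RFC 5321)
    b".\r\n"
    b"QUIT\r\n"
)

# Constructed session that upgrades to TLS; the trailing bytes are a
# stand-in for opaque TLS records, not a real handshake.
STARTTLS_SESSION = (
    b"EHLO client.example\r\n"
    b"STARTTLS\r\n"
    + b"\x16\x03\x01\x02\x00" + b"\x00" * 16
)


def _addr(arg: bytes) -> str:
    """Extract the address between '<' and '>' from a MAIL/RCPT argument."""
    text = arg.decode("ascii", "replace").strip()
    start, end = text.find("<"), text.find(">")
    return text[start + 1:end] if 0 <= start < end else text


def reconstruct(stream: bytes) -> dict:
    """Recover what a passive observer can read from one SMTP client stream."""
    seen = {"helo": None, "mail_from": None, "rcpt_to": [],
            "message": None, "starttls": False}
    lines = stream.split(b"\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        verb = line.upper()
        if verb.startswith((b"EHLO ", b"HELO ")):
            seen["helo"] = line[5:].decode("ascii", "replace")
        elif verb == b"STARTTLS":
            seen["starttls"] = True
            break                       # the rest is TLS records
        elif verb.startswith(b"MAIL FROM:"):
            seen["mail_from"] = _addr(line[10:])
        elif verb.startswith(b"RCPT TO:"):
            seen["rcpt_to"].append(_addr(line[8:]))
        elif verb == b"DATA":
            body = []
            i += 1
            while i < len(lines) and lines[i] != b".":
                raw = lines[i]
                # Undo dot-stuffing: the client doubles a leading '.'.
                body.append(raw[1:] if raw.startswith(b".") else raw)
                i += 1
            seen["message"] = message_from_bytes(b"\r\n".join(body) + b"\r\n")
        i += 1
    return seen


def envelope_only_recipients(seen: dict) -> list:
    """Recipients present in RCPT TO but absent from To/Cc headers (Bcc)."""
    msg = seen["message"]
    if msg is None:
        return []
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers)}
    return [r for r in seen["rcpt_to"] if r.lower() not in visible]


if __name__ == "__main__":
    for name, stream in (("cleartext", CLEARTEXT_SESSION),
                         ("starttls", STARTTLS_SESSION)):
        seen = reconstruct(stream)
        print(name, seen["mail_from"], seen["rcpt_to"],
              envelope_only_recipients(seen), seen["starttls"])
```

The EHLO name and the STARTTLS command itself still cross the wire in cleartext, so the upgrade is visible even when the envelope and message are not.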

------
snambi
Wow... Govt is into big data. I wonder what they use for analyzing all this
data

------
thejosh
The funniest part is the ancient version of IE they are using in the
screenshots.

------
adelpozo
What makes this even scarier is to see IE in the screenshots. :)

------
Buzaga
Yep I'm done, I'll just go about my life from now on...

It's total power, I think it's unlikely that they'll want to give up on this
kind of power, they'll probably keep signing governments and 'the tech' will
eventually be exported and in the hands of governments everywhere, they'll
keep building this and they'll create tons of algorithms of course because
it's just too much data, any resistance can be crushed... and it's so much
power eventually some dark times will begin... I'm done with the topic.

~~~
general_failure
Totally agree. They are not going to give this up... and worse, we are not
going to fight this. We are speaking up only because this is the internet. We
just want to get on with our lives.

Kinda surprising why all the people who are 'overwhelmed' and 'terrified' in
the parent thread don't come out and protest. Oh wait, there's kids to feed.
My bad, sorry.

(no snark)

~~~
overgryphon
For 99.9% of people, this is exactly what will happen. A few shocked
moments, quickly followed by returning to all of the important things in their
life. No one has time to protest all of the hundreds of wrong things we
supposedly should be protesting and there aren't any clear or easy to
implement steps to avoid NSA spying. There is simply no reasonable actionable
item here for casual news readers.

The real consequences of this news will be seen in the actions of companies.
As 'cloud' (oh I hate buzzwords) technology becomes increasingly more
efficient and cheaper, as Amazon, Microsoft, Openstack and VMware duke it out
over cloud customers, will those customers trust them with their data? Will
companies invest in private clouds for increased security, or will large
public cloud service providers be able to win over and keep their trust? How
much money have public cloud service providers lost since the leaks began? How
many companies are now unwilling to use cloud services from US-based
companies?

------
hannibal5
Just like suspected. If you use encryption like PGP, you become a person of
interest.

~~~
MichaelGG
You've no information to back up that statement.

Using PGP as part of a filter makes perfect sense. If you're looking for "bad
guys" that do certain activities, _as a starting filter_ , it doesn't hurt to
say "OK, show me everyone in this region doing these activities. Now filter by
language, etc. etc.".

Just like if I was looking for gang members, I might start off a filter with
"look for tattoos". It doesn't mean I'm saying everyone with a tattoo is gang
member, it's just a way to start filtering.

The NSA analysts are presumably actually trying to get something done (find
people they think are bad). How stupid do you think they are? If you were an
NSA analyst, would you tag "person of interest" on everyone using PGP? How
would that help your goal of finding _actual_ people of interest?

They say they caught 300 "terrorists" with this program and other success
stories. Presumably, they didn't achieve any success by wasting lots of time
flagging random PGP users.

~~~
hannibal5
Read the whole presentation linked in the article.

~~~
MichaelGG
I did exactly that, which is what I based my comment on.

------
VerilyForsooth
Why is the commentary on this topic always braindead?

The article states that there is a query interface using the email address as
the key. But where does it say that every single email/webpage from every
single person is being collected? Such a task would be technically impossible.
It seems far more likely that it's querying a database of pretargeted people.

There is so much hysterical nonsense regarding this topic. The cancer of
conspiracy theory spreads.

~~~
computer
The raw slides are included in the article. You should consider looking at
them.

~~~
obs4711
Yeah, I've read them. Where do they say that every single email/webpage from
every single person is being collected?

~~~
acqq
It's nowhere in the slides.

------
_sabe_
xkeyscore.com leads to Google maps.......just saying o.0

~~~
diggan
No. It shows Google Maps in a iframe and was created 13 Jul 2013.
[https://gist.github.com/VictorBjelkholm/6127343](https://gist.github.com/VictorBjelkholm/6127343)

------
forgotAgain
Aw, Fuck.

