

Snowden Disclosures Finally Hit 12 on a Scale of 1 to 10 - nkurz
http://www.motherjones.com/kevin-drum/2013/09/snowden-disclosures-nsa-bombshell-decryption

======
malandrew

> "For what it's worth, this is about the point where I get off the Snowden
> train. It's true that some of these disclosures are of clear public
> interest. In particular, I'm thinking about the details of NSA efforts to
> infiltrate and corrupt the standards setting groups that produce commercial
> crypto schemes."

If anything this new information should put more people on the Snowden train.
In the 90s, legislation was proposed which would have put backdoors everywhere
via the Clipper Chip. Back then, we voted against that bill and all was good.
This new information is shocking because we've already told the government
that backdooring things was unacceptable behavior, yet they've done so
anyways. We should all be outraged by this because it clearly doesn't
represent the interest of the people.

~~~
stfu
It should be noted that Mother Jones is generally regarded as a left-wing
magazine - even by Wikipedia's description. [1]

From my understanding left-wing ideology has always placed the interest of the
collective, represented by the state, over the interest of the individual. So
the article and the author's conclusion seem to me completely in line with
this way of thinking.

[1] [https://en.wikipedia.org/wiki/Mother_Jones_(magazine)](https://en.wikipedia.org/wiki/Mother_Jones_\(magazine\))

~~~
toyg
That's a very simplistic view of a very complicated history of political
theories.

Anarchism, a doctrine that explicitly _negates_ the State, is rooted squarely
in the leftist camp as classically intended, and gives individuals freedom
from being coerced in any collective action whatsoever.

You also have Libertarian Socialism, probably the most romantic of all leftist
ideologies, which tries to bring collectivist and individualist theories
together.

And then of course, the very source of the meaning of "left": the French
Revolution, with its rights trifecta of freedom, fraternity and equality,
which was born in complete opposition to the notion of the superiority of the
State over individuals.

Saying "left-wing ideology has always placed the interest of the collective,
represented by the state, over the interest of the individual" is like saying
"right-wing ideology has always placed the interest of the rich, represented
by the individual, to screw the poor, over the interest of society to improve
as a whole" -- a simplistic mystification.

~~~
mrxd
Don't forget Marxism, with the goal of "the withering away of the state."

------
ChuckMcM
Per the article the gains that were made in breaking existing systems have
been made public, so all of that effort goes for naught as people move on to
new systems (which requires all new efforts). Basically if you want to
consider the "cost" (as in $$) of Snowden's leaks, this shows a bunch of
budget $$s that were spent on the assumption that these broken systems would
remain in use for a period of time. Since that assumption is removed, the $$s
spent on breaking those systems won't be as useful as forecast, hence the cost
estimate.

That said, at the big crypt-a-geddon moment, when Leon Panetta said [1] _"It
does not mean that the Department of Defense will monitor citizens' personal
computers. We're not interested in personal communication or in e-mails or in
providing the day to day security of private and commercial networks. That is
not our goal. That is not our job. That is not our mission."_ he was lying.
Both by omission and by commission.

And perhaps the most painful aspect of Snowden's act is that by exposing this
failure of integrity in the NSA, they will never again be able to take the
"high road" of we need this to defend the nation.

[1] [http://www.defense.gov/speeches/speech.aspx?speechid=1728](http://www.defense.gov/speeches/speech.aspx?speechid=1728)

------
blcknight
We need to stop posting these non-technical ravings of people who haven't a
clue. Kevin Drum can certainly have an opinion about the NSA (and he's mostly
wrong, I think), but his musings about what the NSA can do is clearly
uninformed.

He seems to believe that all commercial crypto is suspect; and there exists
some other nebulous category called "strong crypto." D'oh! If only we had all
been so smart enough to use this obviously better "strong crypto" instead of
"commercial." It's meaningless. The NSA has its hands in all the crypto
cookie jars.

The NY Times slides:

[http://www.nytimes.com/interactive/2013/09/05/us/documents-r...](http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?loadDynamically=false&commentsPosition=middle&_r=0)

give us some new details that have some usable specifics that can be gleaned.

~~~
drcode
Exactly. The idea that the NSA can break arbitrary SSL without access to
source keys is an EXTRAORDINARY CLAIM that goes against most of what we know
about the science of cryptography.

Just some management type in the government saying a single time that the
government has made "major breakthroughs" in cracking SSL does not meet the
standard of EXTRAORDINARY EVIDENCE.

------
auctiontheory
He seems to be saying that it would be better (for the US) if the NSA
continued to secretly spy on all the world's communications networks.

That's certainly one point of view, but it's not one I expected to see in
Mother Jones, or on HN. Isn't the whole point of this uproar that we do not
trust these unelected (by the US, never mind the global population) spooks
with unfettered access to all communications?

~~~
bpatrianakos
I don't think he's saying it would be good for anyone for the NSA to continue
snooping as they do. I think your first point is wrong, your last point is
right, and the two are unrelated.

The issue isn't the fact that the NSA snoops. That's their job and it has
value when their power to do so is used judiciously. The problem is that it's
not being used judiciously. Rather than singling out as few people as possible
to root out the bad guys they're just collecting everything they can. They don't
need to do this and doing so opens up the possibility for huge abuses of
power. That's the issue.

I think the article is right that the crypto revelations aren't pertinent to
this discussion. I would even consider the crypto revelations a red herring.
Is it important _how_ the NSA spies on everyone? No, it's only important to
know that they do it at all when speaking in the context of how the Snowden
leaks are important to creating a national debate and, hopefully, by some
miracle, create reforms.

I think it's reasonable that as a US citizen you're okay with the NSA being
able to break crypto. You just want to be able to trust that they're using it
against the bad guys and not you. Even now that we know they're probably using
it against innocent civilians it's more harmful to the NSA's ability to go
after the "bad guys" when they legitimately do (and they still do serve that
purpose) and isn't really helping the debate over whether their over
collection of data is okay and how to reform that system.

~~~
auctiontheory
_I think its reasonable that as a US citizen you're okay with the NSA being
able to break crypto_

I think you have forgotten the phrase "absolute power corrupts absolutely."
Humans with unchecked access to information (=power) will NEVER be completely
trustworthy. Never. It is by definition. That's why we have checks and
balances. That's why we had democracy. No one should be absolutely above
democracy. But that's what today's NSA is.

You realize these guys (in the NSA) have been using intelligence resources to
spy on their girlfriends and neighbors? How much more human and fallible does
it get than that?

~~~
pyvek
True. Even if the NSA publicly shuts down mass surveillance, I still wouldn't be
okay with knowing that someone can still invade my privacy without me getting
even a hint. If they still get to keep their crypto powers, how can we be sure
that they won't just keep doing it in secret? Just how can people trust these
guys when they have already lied to the face of the whole world? I feel so
helpless and hopeless.

~~~
sliverstorm
The same can be said for every method of communication in history. Security
agencies have the technical capabilities to record your telephone
conversations, read your mail, and listen to your private conversations. Yet
we manage.

There are so many frightening powers out there, trying to prevent them from
existing is a complete waste of effort. You simply cannot make it
technologically impossible to shoot you with a bullet, or snoop in your house,
or track your car. This is why gov't is regulated, and answers to the people.
You simply cannot prevent everyone from having the technical capabilities to
take advantage of you.

So, IMO, forget about whether they can or they cannot. Even if you manage to
prevent them from breaking strong crypto, if it can be done _someone_ will do
it. Focus on controlling what they do with it.

~~~
qq66
The thing that is fundamentally different about modern surveillance is how
automated it can be. Governments have always been able to listen in on phone
calls and physical mail, but the limitations of needing a person to actually
do these things kept a check on the scope.

When every phone call can go through a voice recognition system and a set of
filters to detect anyone talking about Topic X, that's a very different world.
The NSA can't hire half the country to spy on the other half, but they can
hire a few thousand people to build a computer system to spy on everyone.

~~~
sliverstorm
Of course. My point is that the cat's out of the bag. You can't prevent them from
being able to, so worry about whether they are allowed to.

------
Steuard
It's very valuable to see this reaction to the latest Snowden disclosures: I
expect it will be common, and the tech community needs to be prepared to make
it clear why this really does reflect another betrayal of trust.

Personally, I can't blame the NSA for trying to intercept and read lots of
"suspicious" internet traffic: _that's their job_. Governments do this, and
whether it's good or bad, it's expected. (I'm not happy about the degree to
which the NSA seems to be stretching the rules against them acting
domestically, nor am I happy about massive all-encompassing interceptions
rather than targeted ones, but those are separate issues.)

So there really is a legitimate argument that these latest Snowden disclosures
damage national security. The thing is, they _also_ indicate that the NSA has
been doing its expected work by actively weakening the protections that we
(and large parts of the global economy) depend on. Their actions and
strategies have also undermined global confidence in American technology
companies. And those are factors that I think the average watcher (like the
author of this article) may not recognize unless folks like us point it out.

~~~
kordless
We definitely all need to step up and help explain this shit to other people.
It's a challenge to understand for a layman.

~~~
GoodIntentions
Not really a challenge. This is how I explained it to my non-technical father
years ago:

"Nothing you do online is anonymous. There is a record of everything you do."

He understood it right away and ( I think ) has always treated everything
online as public. No need to go into any technical details.

~~~
Steuard
That's not really the same issue as in these latest revelations, though. The
latest bit really is fundamentally technical, and folks like the article
author may only focus on the easier-to-understand national security interest
and overlook the downsides of the NSA weakening public crypto.

------
sillysaurus2
You know, there's one very valuable piece of info that I don't think has been
revealed anywhere yet, or I missed it:

_Recall, for example, Glenn Greenwald's admission that he "almost lost one
of the biggest leaks in national-security history" because Snowden initially
insisted on communicating with strong crypto and Greenwald didn't want to be
bothered to install it._

What exactly did Snowden insist Greenwald do, precisely? Whatever Snowden
insisted on, it's guaranteed to be an NSA-proof method of communication. So it
seems like it's an essential first step to figure out the details and train
people to use it habitually.

~~~
gwern
PGP email. And Snowden has already specifically stated that a PGP/GPG
encrypted document is safe from the NSA (assuming no one leaves around a
plaintext or private key, anyway).

~~~
sillysaurus2
I appreciate your comment, thank you. May I ask for a source where you got
your info? It's probably accurate, but it's good practice to insist that
hearsay not be trusted on faith.

EDIT: Ah, it appears to be confirmed at
[http://www.huffingtonpost.com/2013/06/10/edward-snowden-glen...](http://www.huffingtonpost.com/2013/06/10/edward-snowden-glenn-greenwald_n_3416978.html) ... Thanks!

~~~
ewoodrich
[http://www.huffingtonpost.com/2013/06/10/edward-snowden-glen...](http://www.huffingtonpost.com/2013/06/10/edward-snowden-glenn-greenwald_n_3416978.html)

Second paragraph into the article describes Snowden's requirement to use PGP
while contacting Greenwald at the least (although it's a tertiary source and
very sparse in technical details).

~~~
sillysaurus2
Would anyone speculate on the technical details of what Snowden probably
recommended Greenwald do, step by step? What steps would you recommend to
Greenwald if you had been in Snowden's position?

It's not enough to merely tell people "install PGP." Snowden presumably went
into meticulous detail about precisely how to be completely secure. Even
something small like "here is the exact exe installer to download" is probably
significant, because that would mean that specific installer is clean and free
of NSA tampering.

------
jmadsen
I'm not going to come out on either side on this yet, still thinking about it.

But to anticipate those who will say, "do you think the bad guys are really
dumb enough to use basic encryption techniques?" -

The 1993 (failed) World Trade Center bombers were caught because they went
back to the rental truck company to try to collect the deposit on the "stolen"
truck.

So yes, some of them certainly are.

~~~
sillysaurus2
They have children, though, and some of those children are probably smart, and
might train their old men to use Tarsnap via Tor in order to transmit
encrypted messages/photos/other data anonymously and securely.

I'd imagine the NSA is concerned about future intelligent adversaries who have
finesse, which is why they stay as far as possible ahead of the curve.

(I'm trying to come up with an alternative to our standard explanation of "the
NSA does this because it's a soulless governmental machine that wants access
to the world's information for corrupt purposes.")

~~~
jmadsen
LOL - actually, OT but a lot of recent articles are showing that "young people
know all about computers" is a complete falsehood.

~~~
sillysaurus2
The point was more along the lines of "intelligent people are generated by
being born, so it's a matter of time before we face an intelligent adversary"
rather than "young people are intelligent."

------
sehugg
The author has posted an update which kinda-sorta retracts this article:
[http://www.motherjones.com/kevin-drum/2013/09/hed](http://www.motherjones.com/kevin-drum/2013/09/hed)

------
enko
> It's not clear to me how disclosing NSA's decryption breakthroughs benefits
> the public debate much, unlike previous disclosures

Well, that's the problem with trying to keep _everything_ secret. If the
majority of these "disclosures" were in the public interest - they should have
been public knowledge. That would have made it far less likely for someone
like Snowden to feel the need to "blow the whistle".

There is such a thing as a "presumption of trust", which the NSA has
squandered. They likely had it before these leaks began, but now they have
lost it, no-one listens even when they might have a good point.

------
kalkin
The distinction which is the basis of this article between "commercial" and
"strong" encryption seems confused. Kevin Drum in this post makes it sound as
if commercial encryption is algorithmically weaker, which as a rule it is not,
rather than just easier for the NSA to plant backdoors in by strongarming
vendors.

The distinction matters here since we're meant to believe that most "bad
guys.. figured that ordinary commercial crypto provided sufficient
protection." But this translates to, they trusted Google, Microsoft et al.
That seems less likely to me.

Disclaimer: I am not a cryptographer or security researcher. (On the other
hand, given that I've done various kinds of antiwar political organizing and
associated with members of Muslim Student Associations whose infiltration by
NYPD later became a matter of public record, maybe I can speak as a
government-classified "bad guy!" I should really do an FOIA request one of
these days...)

------
a3n
"It's not clear to me how disclosing NSA's decryption breakthroughs benefits
the public debate much,"

Backdoors, bought or coerced. If I obtain crypto capability, I expect it to be
at least as good as advertised.

Or, in other words, they went to the public in the 90s and asked for Clipper.
They were denied. So they went against the public and implemented what they
were told, by their supposed masters, that they couldn't have.

If your dog is eating your children, is he your dog?

------
brudgers
All the latest revelations show is that corporate and consumer encryption is
just corporate and consumer encryption. It's never going to faze a state
sponsored intelligence organ. What they can't decrypt, they buy; what they
cannot buy they subvert or cripple or backdoor.

In fairness, it would be grossly unprofessional if they did not. The three
letter agencies take pride in their craft and part of their job is staying in
front of any widespread encryption technology.

------
soora
What does a 12 on a scale of 1 to 10 even mean? What criteria are they judging
damages on?

So far, I do not think the NSA has lost any of the capabilities it previously
had. I have not heard of any NSA backdoors being removed from existing
software.

~~~
toyg
They're losing a lot of political capital, which should limit their ability to
further _expand_ their reach in the immediate future.

They're also an item of debate now, which could potentially result in loss of
capability further on. At the next round of elections, Democratic candidates
will likely have to defend an unpopular intervention in Syria, they'd rather
not add to that pile a defence of some invented Federal right to unwarranted
spying on everyone's communications; and it's a potentially easy target for
small-government Republicans.

~~~
jes5199
Republicans have, so far, not been willing to use the "big government" label
to attack anything to do with military, police, or espionage - their "law and
order" platform trumps their "small government" one.

In the bizarre logic of American politics, Republicans and Democrats are both
pro-NSA, while the Greens and Libertarians are anti-NSA.

~~~
toyg
That's why I said "potential". Depending on how the wind blows, the small-gov
platform _could_ give them an easy angle, and if it doesn't, they're still the
party of law and order, so it's a win-win. Dems have a harder job, for them
it's a wedge issue.

------
the_french
The way I've understood the recent leak was that we know the NSA has been
concentrating on breaking SSL, 4G and others but that the actual techniques
haven't been revealed. Besides, I feel that it is very important to know that
bank, internet, and wireless security have been compromised by at least one
actor.

------
ig1
Article 12. (The Universal Declaration of Human Rights)

"No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honour and reputation.
Everyone has the right to the protection of the law against such interference
or attacks."

------
masswerk
Now this is quite a national-biased view (again). On the other hand standards,
protocols, and the trust in networks are an international affair as well. So
what is probably a future damage viewed from a national side is a damage
already caused from an international point of view.

------
lakeeffect
What are the implications of this on bitcoin? Seeking a technical
understanding of farming bitcoins.

------
bsaul
One theoretical question: suppose that the NSA did manage to crack encryption
using very advanced technology such as quantum computers. Would that seem
outrageous as well?

I don't think people would have reacted the same. On this subject I believe
what pisses people off is the means rather than the result. Somehow people hoped
for a smarter NSA, not for a meaner one.

But that's a bit naïve, isn't it? After all they're here to save lives in the
end.

------
nraynaud
We need facts, the list of compromised ciphers, the bugs they are exploiting
etc. I guess those NSA guys can't travel abroad, since spying is a felony in
most countries.

~~~
kawera
_we need facts, the list of compromised ciphers, the bugs they are exploiting
etc_

More than that, we need the names of those involved.

------
nly
It's a shame we'll likely never see the "Annexe (available to BULLRUN
indoctrinated staff)" that contains a breakdown of their capabilities.

~~~
sliverstorm
Give it fifty years. They seem to have been pretty good about releasing
documents from the Cold War.

------
gmuslera
Another shoot-the-messenger article. Somehow they try to convince us that
every single person ten miles around the NSA is basically an archangel,
incorruptible and honest, who works just for justice and fairness, and is given
by God the right to be above everyone else's rights. And everyone on the other
side must be punished, stripped of privacy and intellectual property and kept
unsafe while there are "bad" people around.

This really means that thousands (hundreds of thousands?) of people whose
ultimate goal is to get money, and who have little to no auditing on what they
do, some NSA employees, some from private companies, can access your trade
secrets, your bank account, or whatever can be used to blackmail you, and
make any kind of profit from it, no matter where you are, or who you are.
And that won't even be noticed by the authorities (if they even care, they
have the "state secret" wildcard) unless they go public about it (they
noticed what Snowden did because he went public, on purpose). And that also
means that the information (that they are "careful" to keep safe) on which
vulnerabilities they introduced on purpose into every kind of "secure"
software, if it ever leaks, gets reverse engineered or found out by luck, will be
exploited by the bad guys too.

Hanlon's razor is not an excuse for this kind of article anymore.

------
grannyg00se
What is this strong crypto vs weak crypto he's talking about? Apparently
strong crypto is more of a PITA, I gathered that much. But weak crypto is no
crypto. If you are going to go through the trouble of using any at all, how
much more annoying is it to use NSA-proof methods? Has any well established
crypto methodology been declared broken because of the Snowden leaks?

------
at-fates-hands
"and the protection used on fourth-generation, or 4G, smartphones."

This quote was particularly eye opening to me.

In the early 2000's I remember speaking to a Verizon engineer who said their
encryption on CDMA was bulletproof. He went on to explain over the course of
an hour how impossible it was to crack their encryption or even eavesdrop on
their network.

See page 34 here: [http://www.scribd.com/doc/22599374/Security-Encryption-in-GS...](http://www.scribd.com/doc/22599374/Security-Encryption-in-GSM-GPRS-CDMA)

"The security protocols with CDMA-IS-41 networks are among the best in the
industry. By design, CDMA technology makes eavesdropping very difficult,
whether intentional or accidental. Unique to CDMA systems, is the 42-bit
PN (Pseudo-Random Noise) Sequence called "Long Code" to scramble voice and
data. On the forward link (network to mobile), data is scrambled at a rate of
19.2 Kilo symbols per second (Ksps) and on the reverse link, data is scrambled
at a rate of 1.2288 Mega chips per second (Mcps). CDMA network security
protocols rely on a 64-bit authentication key (A-Key) and the Electronic Serial
Number (ESN) of the mobile"

~~~
jdiez17
Holy shit, that's a whole lot of nothing.

------
reader5000
You know, it's really only an accident of history that human communication
historically primarily took place through air vibrations (which are difficult
to acquire, store, and query). Digital communication is a new medium with
different principles of interpretation. It is stupidly cheap to
algorithmically monitor and query digital comms on a mass scale. Why wouldn't
it be done? If you think the NSA is the only institution in the world doing
this you're an idiot. The only thing Snowden accomplished was demonstrating
how large an undisciplined joke US intel is that a high school graduate with a
narcissism complex could accomplish these leaks.

Here's an idea: if you don't want your neckbeard anime discussions pinged by
the world's intel/ad agencies, don't digitize and broadcast them over the
internet.

------
B0Z
I have a question from the article that I hope someone here can answer...
What's the difference between simple encryption and the "strong" encryption
Snowden was insisting on? Truecrypt volumes?

------
tomasien
I wonder what criteria Snowden used in his disclosures in terms of what to
release and what not to release.

~~~
milsorgen
Hopefully none. The information should be free to the public that paid for it.
You can sit here and quiver over national security or how some "know better
than others" and how they can be trusted with information that the public
can't. But at the end of the day that is all verbal excrement; tax dollar paid
information is property of the taxpayers and anyone that argues against that
is living with their head in the sand.

~~~
tomasien
Anyone who ends a tenuous argument with "anyone who argues against this is
(insert any insult here)" is being ridiculous.

------
Qantourisc
Does anyone have a list of what is considered unsafe now?

------
frank_boyd
> “These capabilities are among the Sigint community’s most fragile, and the
> inadvertent disclosure of the simple ‘fact of’ could alert the adversary and
> result in immediate loss of the capability,”

That's a statement designed to mislead.

"the adversary" certainly assumes that the NSA does what it does and acts
accordingly.

Now, if "the adversary" is the general public, then the statement actually
makes sense.

EDIT: The consumer is indeed part of "the adversary":

Extract of one of Snowden's documents: _"These design changes make the
systems in question exploitable through Sigint collection … with foreknowledge
of the modification. To the consumer and other adversaries, however, the
systems' security remains intact."_ Taken from
[http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryp...](http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security)

------
cjdrake
False. A scale of 1 to 10 only goes to 10. :).

------
dinkumthinkum
This is so horribly misinformed or just naive. The "bad guys" should assume the
sites can read their data or the NSA has the private keys or whatever ... I
mean really? This is the straw that breaks the camel's back ... That "bad guys"
didn't know "the man" was actually serious about reading their data?

------
notdrunkatall
What's the latest news on Snowden? Is he still holed up in Russia? Have they
started prodding him for information in return for protection yet?

