
New leak shows NSA harvests To, From, and Bcc lines of e-mail data - evo_9
http://arstechnica.com/tech-policy/2013/06/new-leak-shows-nsa-harvests-to-from-and-bcc-lines-of-e-mail-data/
======
ChrisAntaki
NSA harvests the entire email.

Source:
[http://www.wired.com/threatlevel/2007/05/mark_klein_docu/](http://www.wired.com/threatlevel/2007/05/mark_klein_docu/)

~~~
chakalakasp
If I'm not mistaken, isn't fiber optic splitting done with a glass... Prism?

~~~
mortehu
It's done by bending the fiber, causing leaks. The signal has a single
wavelength, so a prism would serve no purpose.

~~~
wyck
There are several fiber optic beam splitting patents that are actual prisms
which serve various needs.

For example :
[http://www.google.com/patents/US4671613](http://www.google.com/patents/US4671613)
(one of the many). I'm not saying this is used but it does exist.

~~~
mortehu
Well, a prism makes sense if you're sending multiple signals in the same
fiber, and want to separate and combine the signals at the ends. The fiber
connection I'm renting has two wavelengths on the same fiber.

The installation guys actually used a device to bend individual fibers during
installation, to see which ones were carrying signals. Here's a similar
device: [http://www.tuolima.com/optical-tool-series/test-equipment/op...](http://www.tuolima.com/optical-tool-series/test-equipment/optical-fiber-identifier.html)

~~~
wyck
I think you can also use a prism to just split 1 fiber into 2 or more, much
like a mirror, similar to how some laser systems work. So in essence the
original beam goes on its merry way unaffected and the duplicate(s) goes into
a black box. Though I know very little about this subject I would assume the
splitter has to be exact and completely lossless. I also think there are tools
to measure any interference.

For example a device like this is used to reflect fibers:
[http://www.ozoptics.com/ALLNEW_PDF/DTS0095.pdf](http://www.ozoptics.com/ALLNEW_PDF/DTS0095.pdf)

------
bobsil1
If you're a techie, knowing that every bit of data you collect from customers
will eventually end up in Utah-- you have a duty to either collect the minimum
data possible or encrypt both transmission and storage and demand a warrant
for access.

~~~
kyzyl
Question: Does anyone here understand where exactly systems that incorporate a
zero-knowledge architecture fit into the recently illuminated legal framework
(re: warrants, etc.)?

i.e. if I implement my service so that I don't have the keys and cannot
reasonably obtain them, what does that mean for my users and their data,
presuming the data is stored in the US? Juicy example: Lastpass. (I am not
affiliated with Lastpass.)

I'm sure this has already been discussed on HN recently, but with the dizzying
number of PRISM/Snowden/Leaks/Wiretapping threads flying around it's difficult
to keep up.

~~~
mike-cardwell
Lastpass can access your decrypted password vault if they are compelled to.
All they have to do is send you some modified JavaScript which steals your
password/key.

They're certainly worried about persistent XSS attacks being used to gain
access to people's vaults. There's nothing stopping them performing one of
these attacks themselves, targeted to a specific user.

If you think this is unlikely, look up Hushmail being compelled to send
modified java applets to their users to steal their keys. It has been done
before.

So yeah, if the US government wants access to a list of all of your accounts,
when you logged in to them, what IPs you logged in with and your usernames and
passwords, they'd probably be quite pleased to find out you're using Lastpass.

~~~
kyzyl
Well Lastpass was just an example. With enough effort any service can be
hacked, but if the bar is high enough it means it's more likely that the US
gov can't/won't do it en masse. I would note that Lastpass allows you to
implement Google Authenticator/Yubikey/One-time-pad/Biometrics to help secure
your key against a simple XSS attack. I think that probably qualifies as
'setting the bar high.'

In any case, my question was more towards the _legal_ situation, not the
technical. Suppose you have a near-perfect no-knowledge system, how does the
US gov view that entity? At least in theory, if they cannot reasonably force
the company to give up the keys, what can they legally do? Can they force the
company to shut down? Can they make the company force users off the service in
an attempt to get them into a less secure realm? Are such systems even legal
in the current climate?

Of course there is always a way to hack it, and the $5 wrench will beat
anything (pun intended), but as far as the mass surveillance mandate goes
those options are probably out.

~~~
mike-cardwell
To be clear, I was not describing a hack. LastPass _can_ be forced by the US
government to get a LastPass user's keys. All they need to do is get a court
order and tell LastPass to send some backdoored code to the user, exactly like
they do with Hushmail.

------
zerohp
It's been a while since I worked with email headers and smtp, but I don't
think the Bcc header actually exists in transit. The mail user agent and/or
the mail submission agent remove it.

They could reconstruct this information from the graph.

~~~
fleitz
The BCC field itself is usually removed from the email but if you're
monitoring the SMTP session you can reconstruct the BCC from the RCPT TO
commands in SMTP.

~~~
ape4
Yes if somebody is in the RCPT TO but not the To: or other fields then they
are Bcc:
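
The inference described in the comments above, as an added example that is not part of the original thread: it compares the envelope recipients (RCPT TO) in an SMTP transcript with the To: and Cc: headers inside DATA. The transcript, the addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed SMTP transcript (not a real capture); all addresses are made up.
SESSION = """\
220 mx.example.net ESMTP
EHLO mail.example.org
250 mx.example.net
MAIL FROM:<alice@example.org>
250 OK
RCPT TO:<bob@example.net>
250 OK
RCPT TO:<carol@example.net>
250 OK
RCPT TO:<dave@example.net>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: carol@example.net
Subject: lunch

See you at noon.
.
250 queued
QUIT
221 bye
"""

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]+)>", re.IGNORECASE)


def split_session(transcript):
    """Return (envelope recipients, message text) from an SMTP transcript."""
    rcpts, message, in_data = [], [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":                      # end-of-data marker
                in_data = False
            else:                                # undo dot-stuffing
                message.append(line[1:] if line.startswith(".") else line)
        elif line.startswith("354"):             # server accepted DATA
            in_data = True
        elif (m := RCPT_RE.match(line)):
            rcpts.append(m.group(1).lower())
    return rcpts, "\n".join(message)


def implied_bcc(transcript):
    """Envelope recipients that appear in neither To: nor Cc:."""
    rcpts, text = split_session(transcript)
    msg = message_from_string(text)
    shown = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    visible = {addr.lower() for _name, addr in shown}
    return [r for r in rcpts if r not in visible]
```

A recipient missing from the headers can also come from a mailing-list expansion or an alias forward, so the result is an inference about Bcc, not proof of it.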

------
dfc
If you don't want to use that awful doc viewer:

    wget http://s3.documentcloud.org/documents/719116/pages/doc03-p1-large.gif
    ...
    wget http://s3.documentcloud.org/documents/719116/pages/doc03-p52-large.gif

The last time the guardian had a document up and I provided these gifs someone
replied with a pdf copy. I am unsure of how to get the pdf from documentcloud.
So feel free to post a pdf link and please explain where you get the URL from

~~~
mh-
I took a guess and got it right (don't sue me plz DocumentCloud):

    http://s3.documentcloud.org/documents/719116/doc03.pdf

~~~
cliffu
What you just did is no different than the felony they got weev for.

Edit: well, I guess you didn't falsify any headers, though.

~~~
speeder
Now make a script to download several of those at once, and you are Aaron
class felon...

This makes me depressed :/

------
Aqueous
Here's an idea: If you don't want to make an anxious public even more anxious,
don't name your NSA surveillance program "EvilOlive." Or really, anything
starting with 'evil.'

------
VladRussian2
yep, and due to a bug in the perl script, it harvests all the lines to the
next From.

~~~
pfortuny
Yes, it is probably a regexp bug, like

    /^ $/

Someone pressed the space key once at the wrong place...

------
mbateman
What exactly is it supposed to mean that the NSA intercepts only data with one
"foreign end"? That it intercepts all data that crosses e.g. a transatlantic
cable? Or that it scans the IP header of absolutely everything and grabs
anything with a non-US IP as either source or destination? Or something else?

~~~
guelo
That's where the "minimization" documents from last week come in. They
actually collect everything, but then there is some kind of filter at the
collection point that is supposed to remove any communication that they are
certain is American-to-American. But that filter also has exceptions for
things like encrypted messages or pretty much anything else they are
interested in. They make the filter as loose as they can while still being
able to maintain some deniability that they don't collect domestic
communication.

------
astangl
They discontinued the program to save just the 3 headers because now they've
got other programs that save the entire email message. And phone calls, and
text messages and tweets, etc.

------
hammerzeit
This headline is misleading. It implies the program is still ongoing, where
the original article clearly states that the program was shut down 2 years
ago.

Moreover, after a lot of cynical complaining about Obama not being
meaningfully different than previous administrations, it's worth noting that
Obama was the one to shut this down.

I'm not interested in reflexively defending the government or Obama but we
still need to pay attention to the facts at hand.

~~~
lemming
If you read the article carefully, or even better the original Guardian
article: [http://www.guardian.co.uk/world/2013/jun/27/nsa-online-metad...](http://www.guardian.co.uk/world/2013/jun/27/nsa-online-metadata-collection)
you'll find claims that while the original program was shut down
something very like it although probably larger in scope is still ongoing -
details are murky though.

I instinctively like Obama, but I'm forced to admit that his policies on
national security are by any objective means worse than his predecessor. He's
just more eloquent when he talks about them.

~~~
hammerzeit
I read both of the original articles (also
[http://www.guardian.co.uk/world/2013/jun/27/nsa-data-mining-...](http://www.guardian.co.uk/world/2013/jun/27/nsa-data-mining-authorised-obama))
-- there is still nothing in them that would cause this
statement to be reliably true. You may surmise it, but speculation != fact.

Also, I think you must have a phenomenally short memory if you think Obama's
policies on national security are stricter than Bush's were.

~~~
lemming
Let's see:

- He has expanded and extensively justified the drone strike program
- His administration has denied more Freedom of Information Act requests than Bush did
- His administration has prosecuted more whistleblowers than *all other administrations combined*
- He's clearly in favour of all this surveillance, even though he campaigned with promises to remove it

I used to think there was a lot to like about Obama and there are still some
things. At least he doesn't look like a chimp in photos. But it's naive to
think he's not extremely hawkish on national security. Whether that's a good
thing or not is up to each of us to decide.

~~~
webXL
Candidate Obama and President Obama are two very different people, despite
what many reporters and big supporters would have you believe. But it takes a
strong willed human being not to give in to all the pressures that must be
present in the Oval Office. Just imagine the day after he was sworn in how
much classified shit the CIA/FBI/HSA/NSA must have presented him with. How
would any individual be able to sift through it and call these agencies, who
have a vested interest to protect America AND expand their own budgets, on
their bullshit? I'm not saying all of it is, but the way they go about
security leads me to believe a lot of it is. But who wants to be the next Bush
and ignore a terrorism warning?

~~~
poster69
Naive, naive comment. It's all about the money. The cyber security apparatus is
worth more than 80 billions. Terrorism is a creation from the same people
seeking to profit from it. No, candidate Obama and President Obama are roles
played by the same individual, neither is true, just like an actor playing a
script, his job is to convince you the script is real... What does matter is
the money the actor brings to his sponsors.

~~~
XorNot
Yeah, 9/11 definitely was a fabricated event...

People need to keep their comments reasonable and cut the hyperbole if they
want to get anything done. When you keep crying wolf, people stop listening.
Which is fine if you just want to always get the last word in, but if we're
actually concerned with overreach and national security then choosing our
messaging well and keeping our concerns focused, specific and provable with
neat, incremental steps is the way to go.

------
rjbwork
So just use the CC field, problem solved!

------
askimto
Anyone ever hear the rumor that the reason why Google pulled out of China was
because Chinese hackers had tapped into a feed of all email metadata? I heard
it included subject. This news made me immediately think of that rumor.

~~~
tonyplee
Will google pull out of US now? :-)

Can't fight big government. China or US, really doesn't matter.

------
webwanderings
How the heck do you track Ad interacting habits through just an IP address? I
call BS on that particular paragraph.

~~~
schmidp
They could track if you reply to an ad or, if they also track your IP
connections, see if you click on a link in an email containing an ad.

~~~
webwanderings
The IP information is a common and general location, usually of your nearest
Telecom tower. IP address in itself does not lead to your Internet device. So
the paragraph is still inaccurate if the Ad agency is tracking through IP.
Your IP was always naked and available to anyone you send email to (through
the headers).

~~~
tmzt
A couple of things:

1. That is true of some cell-based mobile data solutions, but others use an
actual IPv4/v6 address assigned to each mobile session.

2. Some popular webmail systems hide the source IP address, while others
include a special header with the data.

~~~
vidarh
But your actual IP address _still_ does not tell them your precise location.
Unless they also separately get a log of what cell tower handled traffic for
what IP addresses, they'd still be left with only the location of your local
internet provider.

~~~
tmzt
I might have been misled by the use of IP, the handset is what is tracked and
it usually is more precise than just what tower the device is associated with.
It can include measurements taken from multiple towers, which can be derived
from data needed for CDMA to even function, or it can include government
mandated E911 information which is usually derived from an internal 4-channel
GPS receiver. In theory this is only supposed to be used for E911 functions
when the handset is in contact with a PSAP, but we have no way as the public
to know what information from these systems is collected and stored or for
how long.

~~~
webwanderings
An IP on a mobile device is not the same as an IP on desktop. As far as desktop
is concerned, unless ISPs are willing to track your exact location for the
government, there is no way anyone can pinpoint your exact location through
the public IP address.

------
eslaught
Is email traffic typically encrypted between major providers? E.g. could a
network attacker, located between Google and Microsoft, intercept unencrypted
traffic between gmail and hotmail addresses?

~~~
pjqwdpjoqw
It is often encrypted, but since the encryption is negotiated using STARTTLS
it can easily be stripped by an active attacker. It works fine against passive
attackers.

~~~
kintamanimatt
SMTP relay is almost always unencrypted. The client that connects to the SMTP
server may connect via an encrypted connection though, but that's mostly to
prevent snooping on the client's local network.
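
An added example, not part of the original thread, of the STARTTLS downgrade mentioned above as seen from the sending side: a constructed localhost server (`start_fake_mx`) answers EHLO without a STARTTLS line, and a hypothetical `negotiate` helper shows an opportunistic sender continuing in cleartext while one that requires TLS refuses. Host names and both function names are assumptions made for the demo.

```python
import smtplib
import socket
import ssl
import threading


def start_fake_mx(extensions):
    """Constructed one-connection SMTP server on localhost; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rwb") as f:
            def say(line):
                f.write(line.encode("ascii") + b"\r\n")
                f.flush()
            say("220 mx.test ESMTP")
            for raw in f:
                verb = raw.decode("ascii", "replace").strip().upper()[:4]
                if verb == "EHLO":
                    reply = ["mx.test", *extensions]
                    for ext in reply[:-1]:
                        say("250-" + ext)
                    say("250 " + reply[-1])
                elif verb == "QUIT":
                    say("221 bye")
                    break
                else:
                    say("502 not implemented in this demo")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def negotiate(port, require_tls):
    """Return 'tls', 'cleartext' or 'refused' for one connection attempt."""
    with smtplib.SMTP("127.0.0.1", port, timeout=5) as client:
        client.ehlo("sender.test")
        if client.has_extn("starttls"):
            # Pass a verifying context explicitly.
            client.starttls(context=ssl.create_default_context())
            return "tls"
        # No STARTTLS line: stripped in transit or never offered, the
        # client cannot tell which. Policy decides what happens next.
        return "refused" if require_tls else "cleartext"


# EHLO reply as the client sees it once the STARTTLS line is gone.
STRIPPED = ["SIZE 10485760", "8BITMIME"]
```

Knowing in advance that a destination supports TLS, which is what MTA-STS (RFC 8461) and DANE (RFC 7672) publish, is what lets a sender set `require_tls` without losing mail to hosts that never offered it.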

------
poster69
This thread is a big meaningless distraction... The main point is: You are all
being illegally spied on. The land of the free is a big lie.

------
moneyrich2
Can I ask how? How do you have 75% of the traffic or 75% of the servers (as
the article states), how the hell is that logistically possible?

~~~
grey-area
GCHQ in the UK have been doing it for most UK traffic, and it seems the
approach is to store full data as long as they can, and store headers for
longer. All the content is stored for 3 days, then the headers are kept for 30
days, and shared with other agencies like the NSA, who may well keep it all
indefinitely if they have enough storage available. They probably do some early
filtering to keep it manageable, removing duplicate content, unwanted videos
etc. and the headers and metadata are probably not that large. Before reading
the GCHQ docs I wouldn't have found this claim credible...

If they are not collecting every communication in the world, you can be sure
it is not from lack of ambition to do so. In the words of General Alexander:

“Why can’t we collect all the signals all the time?” the N.S.A. director was
quoted as saying. “Sounds like a good summer project for Menwith.”

Which is a worrying thought when you realise the implications of this ambition.
We used to think that only a god could be omniscient, but that is the current
ambition of our intelligence services and politicians.

------
jccc
What if the near-term result of all these revelations is that it just becomes
the new normal? Is it necessarily such a bad thing for the snoops in the
shadows if they know people will eventually just get used to it? After all
nothing really _feels_ different day-to-day so ... meh.

~~~
raintrees
Data is being collected on all people. All people are guilty of something.
When the time comes, a case will be built for the person currently under
scrutiny.

[http://marginalrevolution.com/marginalrevolution/2013/06/no-...](http://marginalrevolution.com/marginalrevolution/2013/06/no-one-is-innocent.html)

------
barredo
Are there any numbers on the amount of hard drives NSA has?

~~~
joe_the_user
"How Much Is A Zettabyte?" [http://foxnewsinsider.com/2013/06/07/how-much-zettabyte-nsa-...](http://foxnewsinsider.com/2013/06/07/how-much-zettabyte-nsa-utah-facility-can-hold-immense-amount-data)

~~~
barredo
> The center will reportedly be able to store five zettabytes worth of
> information

I am sure some day in the future there will be MicroSD cards with this storage
capacity. But now it is just mindblowing

~5.500.000.000.000 Gigabytes

~~~
DanBC
This website makes the unsourced claim about Yottabytes that "You can compare
it to the World Wide Web as the entire Internet almost takes up about a
Yottabyte."

([http://whatsabyte.com/](http://whatsabyte.com/))

1 Zettabyte = 1,073,741,824 terabytes.

This Quora answer says that total HD supplied numbers worldwide in 2011 was
6,800,000 units.

([http://www.quora.com/How-many-hard-drives-are-produced-each-...](http://www.quora.com/How-many-hard-drives-are-produced-each-year))

I find the 5 zettabyte figure hard to believe.

~~~
aaronblohowiak
Tapes, not disks.

~~~
DanBC
Assuming 3:1 compression our 1 zettabyte (or 1,000,000,000 terabytes) of data
becomes 333,333,333.33 TB.

Using a nice IBM 4 TB tape we need 83,333,333.33 tapes for 1 zettabyte.

I still find the 5 zettabyte figure hard to believe.

But searching for tape does start producing a lot more government-like
language and documents. Knowing that there is a "Summary Of Non Confidential
Information On U.S. Magnetic Tape Coating Facilities" makes me want to read
the confidential version.

------
throwaway10001
So who the F can we trust? All those denials from everyone and now we see
this, which I kinda suspected since Verizon was ordered to hand over the same
for phone calls.

~~~
nathas
You can't trust anyone. You can trust protocols and implementations and proven
math.

That said, I would bet good money they already have working quantum computers,
in which case current crypto may have quite a few problems.

~~~
nostrademons
That's pretty restrictive. I know a large number of scientists and computer
programmers who believe the only thing you can trust are protocols and math,
and they're usually completely unable to function outside of the narrow domain
of their work.

I think a better philosophy is to trust that people will behave according to
the incentives and information available to them. So if there is an
organization out there, you can bet that it will act to expand the scope of
the organizations' actions, because organizations that don't do this
eventually get replaced by ones that do. If the organization is tasked with
keeping tabs on all of America's adversaries, you can bet that they will see
adversaries wherever possible to preserve a purpose for the organization.

~~~
zachrose
"Institutions will try to preserve the problem to which they are the
solution." -- Clay Shirky

[http://www.kk.org/thetechnium/archives/2010/04/the_shirky_pr...](http://www.kk.org/thetechnium/archives/2010/04/the_shirky_prin.php)

------
jameshart
I think we would all forgive the intrusion if, as a side effect of this
program, NSA was using this data to feed a spam filtering service to which we
could all subscribe.

~~~
raintrees
No, for me it would have to be Daniel Suarez' Daemon. Then I could skip over
the forgive part, since many alphabet agencies may be rendered obsolete... And
all spammers would have ceased or been desisted.

Good story, if you haven't yet read/heard it.

