
Looking Back at the Snowden Revelations - sohkamyung
https://blog.cryptographyengineering.com/2019/09/24/looking-back-at-the-snowden-revelations/
======
BlueTemplar
Oh yeah :

\- Before Snowden, if you spoke about these issues, you were dismissed as
paranoid.

\- After Snowden, if you dismiss these issues, you are dismissed as hopelessly
naive...

Oh, also - considering all this - you can bet that Intel's Management Engine
has likely been backdoored by the NSA, so using Intel's processors is not
recommended, especially if you're a non-US company... (industrial espionage !)

[https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf](https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf)

~~~
Hendrikto
> Before Snowden, if you spoke about these issues, you were dismissed as
> paranoid.

I’ve been telling people for years, but nobody listened.

Now everyone knows it’s true, but still nobody seems to care…

~~~
throwaway_law
>Now everyone knows it’s true, but still nobody seems to care…

That just about sums up every bad act.

Lots of people were aware of all the bank fraud and toxic loans leading to the
2008 real estate bubble, no one cared leading up to it, and no one cares now.

The Googles/Facebooks/amazons are collecting and doing unsavory things with
your data, whether you ever used their services or not (shadow accounts), no
one seems to care.

Governmental spying on citizens? Hell the Government had a program which
included secret kill lists, flew military bombers into foreign countries to
drop bombs and kill a citizen. Even when the US failed to kill the citizen and
the family sued, their case was dismissed as the courts denied any right to
know who was on the list, how they got on the list, and even denied
acknowledging the list existed...yet no one cared.

Imagine a foreign country flying military missions in the US and dropping
bombs on a foreigner in the US, based on the foreign governments secret kill
lists. It's pure insanity.

~~~
hokumguru
Source on this?

~~~
NegativeLatency
[https://www.nytimes.com/2012/05/29/world/obamas-
leadership-i...](https://www.nytimes.com/2012/05/29/world/obamas-leadership-
in-war-on-al-qaeda.html)

[https://en.wikipedia.org/wiki/Disposition_Matrix](https://en.wikipedia.org/wiki/Disposition_Matrix)

------
saalweachter
The article mentions MUSCULAR, but neglected the follow-up: shortly after the
leaks, Google began encrypting all of its internal traffic over its own fiber
links.[0]

First, it's worth pointing out that "encrypt everything in flight always" is
not prohibitively expensive on modern hardware; also that your own internal
network should not be viewed as an impenetrable bastion where you can let down
your guard, just because you keep a close eye on the external routers.

[0] [https://www.washingtonpost.com/business/technology/google-
en...](https://www.washingtonpost.com/business/technology/google-encrypts-
data-amid-backlash-against-nsa-
spying/2013/09/06/9acc3c20-1722-11e3-a2ec-b47e45e6f8ef_story.html)

~~~
andy_ppp
“Security of organisations should be done in layers” and each layer makes
breaking into your (whole) organisation harder, but comes with friction for
your staff.

~~~
e12e
No, I think the new consensus is that all systems are vulnerable (obviously
true if all systems have users with access, whom may be compromised) - so not
layers: compartments (and need to know;need to access).

I believe this is part of eg google/alphabet's new model: no hard wall, soft
"inside" (egg model). Just stand alone secure sub-systems with ACL (access
control lists) mediating access on a user-by-user, sub-system by sub-system
level. No real trust in "location" as proof of authorization (I assume truly,
off-grid clean rooms are excepted) - because "everything" needs access to
networked resources.

Ah, I guess they call it BeyondCorp:

[https://cloud.google.com/beyondcorp/](https://cloud.google.com/beyondcorp/)

~~~
soulofmischief
Virtualization, privilege management, etc. are still another layer.

~~~
e12e
Not a different _organizational_ layer, just a different _techincal_ layer
though.

~~~
soulofmischief
Both are important in the context of security.

------
DrScientist
There are two problems - surveillance itself and the lack of democratic
oversight and control.

Most people would agree that the state should be able to deprive people of
their liberty ( prison ), but that stringent controls should be in place, with
that process being public and involve peers ( though that is being slowly
undermined in the west ).

What are the controls around surveillance? What processes stop abuse? Who is
accountable? Where is the transparency?

You could argue that you can't be public about intent to spy, but there is a
lot more that could be done.

[https://www.theguardian.com/news/defence-and-security-
blog/2...](https://www.theguardian.com/news/defence-and-security-
blog/2015/mar/12/britains-spy-agencies-the-only-watchdog-is-the-workforce)

------
pascalmahe
As someone not from the US, the passages about how easy it was are clear
reminders that just because only the NSA got caught, does not mean only the
NSA was doing it. Even if they have by far the biggest budget...

~~~
parsimo2010
We’ve seen other stories, Stuxnet in particular that implicate other countries
like Israel. Anyone that thinks that the USA and Israel are spending money on
cyber warfare but China and Russia are not is living in a fantasy world. Maybe
some small countries like Andorra don’t have a cyber warfare division, but all
the big countries do.

Everyone is being spied on. Perhaps the only distinction worth making is
whether you’re being spied on by your own government in addition to foreign
governments.

~~~
ncmncm
In fact, once the content and data are liberated, there is no reason to assume
it is well-protected from criminal access. Personal facts that are not
directly incriminating are often just as valuable for extortion. Those facts
need not be about you, to affect you. They could be about a federal judge's
brother.

As extortion is the central procedure of spycraft, people trained in its use
by the government also have access to the "goods". Criminal intent is no bar
to employment by Booz Allen, or by NSA or FBI proper, never mind Russian GRU
or FSB or their Chinese counterparts.

Extortion works for anybody.

------
inanutshellus
Naive question:

This cryptography blog seems to, but... is WhatsApp really trusted as secure
end-to-end encryption chat client?

Colloquially, for one thing it's now owned by one of the biggest personal-data
collection companies in the world, which would have little interest in owning
a chat client it couldn't benefit from data-wise. For another, I read an
article mentioning it was "known" that WhatsApp decrypted your message, stored
it, then resubmitted it encrypted to the destination. (Inconveniently, I can't
seem to find the article now.) If, say, your life relied on privacy, would you
trust WhatsApp, and if not, why?

~~~
lucozade
It is highly unlikely that Facebook can read WhatsApp messages. The reason I
say that is that Zuckerberg said the couldn't, repeatedly and explicitly, to
Congress. If there was any chance that they could, he would have either not
said anything (the context would have allowed for that) or he would have
dissembled. As he did numerous other times on other subjects.

As to benefiting from WhatsApp, I'm sure they benefited just fine. They bought
it for the contact info from millions of non-Facebook customers that they
could use to cross sell. Their growth in, for example, LatAm seems to imply
that it worked ok.

~~~
DrScientist
Don't have the transcript - did he say that 'he' couldn't or that Facebook
couldn't? Or that other agencies, facilitated by Facebook couldn't?

~~~
lucozade
For example, he said at one point:

> No, we don’t see any of the content in WhatsApp, it’s fully encrypted

It's clear he's speaking about his company. Given Snowden, it would be
monumentally stupid to make such a bare faced lie to Congress if they were
reading, or facilitating the ability to read, unencrypted content.

Especially as he could have chosen not to say anything so specific.
Congressman Schatz was talking about advertising. He could have just said
something innocuous like: we don't have the ability to use WhatsApp content
for advertising.

~~~
DrScientist
What he said there was they _don 't_ see, not they _can 't_ see.

What he also didn't say there was whether others routinely saw with Facebooks
help.

Not saying they do, just saying he didn't strictly say they didn't.

He may of also being talking in the context of using content for advertising,
not surveillance.

Finally a lot of intelligence gathering is just based on who has talked to who
kind of networks in the first instance, rather than content because:

1\. Content can be obfuscated, but not the connections

2\. Easier to store and navigate

3\. Less noise

------
codeulike
This is a good article. Everyone has forgotten how much has changed since
Snowden.

~~~
9dl
Actually, nothing changed

Some Laws was created.

Some revelations was made.

But even manipulations with elections did not kill any company

~~~
jasonvorhe
Let's Encrypt brought TLS to the masses, browsers are bringing focus to sites
still not using transport encryption, https is a signal for Google ranking.

Don't be so defeatist.

~~~
jmnicolas
I always assumed Let's Encrypt was an NSA front so that they can decrypt most
of the https traffic.

Remember just after the Snowden revelations all the 3 letter agencies were
very worried about https adoption rising, then their concerns suddenly
disappeared.

However I have no idea how encryption works so maybe my hunch is stupid (I
remember that the NSA impersonated a certificate authority for that purpose).

~~~
driverdan
> However I have no idea how encryption works so maybe my hunch is stupid

Your words, not mine.

The person who created Let's Encrypt started it as his thesis in college. From
there he received assistance from the EFF, some of its staff, and a few other
volunteers. None of them are anonymous, all working in the space before Let's
Encrypt. It's fully open source and there are no backdoors in TLS encryption.

------
upofadown
> ... — the agency spent $250 million per year on a program called the SIGINT
> Enabling Project. Its goal was, basically, to bypass our commercial
> encryption at any cost.

Now that things have actually started going dark for these overfunded and
completely unaccountable entities this is where the biggest danger lies. They
have become so desperate for continued access to endless funding that they are
actually turning against the people they are sworn to serve. The most
dangerous time will come when the governments of the world start the task of
trimming down such entities to something proportionate to their worth. That
process has not really even begun yet...

~~~
peterkelly
Last year the Australian government even went so far as to pass a law allowing
them to _force_ companies to sabotage their own products/services in cases
where a government agency wants to get access to someone's communications.

[https://www.engadget.com/2018/12/07/australia-access-
assista...](https://www.engadget.com/2018/12/07/australia-access-assistance-
bill-now-a-law/)

~~~
SAI_Peregrinus
For an extra scary thought: Atlassian are Australian. Jira tickets can be
forced to be altered or deleted, and codebases hosted on bitbucket shouldn't
be assumed as trusted. You'll never see a Jira ticket about a 0-day the
Australian government doesn't want you to fix if they decide to utilize this
law.

------
stephenitis
I needed clear recap like this to put it in perspective. Thank You Matthew
Green.

------
ryacko
[https://archive.org/details/PikeCommitteeReports/page/n19](https://archive.org/details/PikeCommitteeReports/page/n19)

>NSA's work necessarily brings it in possession of the private communications
of Americans. This is so because in order for NSA to monitor international
lines of communications for foreign intelligence, NSA must intercept all
communications transmitted over such links.

...

>First, it suggests that NSA is able monitor virtually every international
communication entering or leaving the United States. At present, some 24
million telegrams and 50 million telex (teletype) messages enter, leave, and
transit the United States annually, and most of these are sent or received by
private citizens. Millions of additional messages are transmitted over leased
lines, including millions of computer data transmissions electronically
entering and leaving the country each year. International telephone calls are
yet another potential source of intelligence.

------
geggam
I have often wondered why everyone simply doesnt use Pidgin OTR ... or OTR for
every communication

~~~
693471
Because the UI/UX is terrible, and XMPP is not mobile friendly at all

~~~
BlueTemplar
Hmm, what is not mobile-friendly with, say, Conversations ?

~~~
693471
It's not an app that can be awakened by a push notification.

~~~
BlueTemplar
What ?
[https://github.com/siacs/Conversations/issues/1759](https://github.com/siacs/Conversations/issues/1759)

------
kevintb
Excellent article, and great blog find.

------
najan
snowden = ehrenmann

------
mistermann
Snowden's revelations proved once again that conspiracies are all false,
because it is literally impossible for large numbers of people to keep their
mouth shut.

Exactly as we're told on forums, exactly as we're told on TV. This is how you
know Epstein is also innocent and why it won't be investigated, because we
know people cannot keep silent about committing crimes, therefore we know no
crimes were committed.

~~~
dang
" _Eschew flamebait. Don 't introduce flamewar topics unless you have
something genuinely new to say. Avoid unrelated controversies and generic
tangents._"

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
SomeOldThrow
You know this is just as effective if you don’t pretend to provide a
substantial justification. Flamebait can be anything you want it to be. Seize
the power, dang.

------
raxxorrax
Isn't the practice of the NSA just plainly treason? And why would it not be?

~~~
em3rgent0rdr
Hypothetically, a benevolent NSA would primarily develop cryptographic
security tools for the populace.

~~~
raxxorrax
True. But besides their interest in acquiring exploits, I think their data
collection seriously collides with peoples amendment rights against arbitrary
state surveillance.

I know there are some judges and institutions that enabled this madness, but I
think they might be guilty as well.

These judges should be accountable to the public in theory.

I am not saying the everyone working at the NSA is a criminal. But maybe
Snowden was the only one with perspective.

The NSA as an institution certainly did more damage to the US than most of its
enemies.

~~~
Craighead
You must not understand how cyber war works.

The US has judges and legislation to enable the NSA.

Russia, China, Iran, NK, and many other authoritarian states seek to use their
power to attack America 24x7 and do so without any oversight.

~~~
anilakar
A few countries actively try to hurt us, so let's spy on everyone, including
our own citizens and allies!

