
Snowden Interview with Jacob Applebaum - teawithcarl
http://cryptome.org/2013/07/snowden-spiegel-13-0707-en.htm
======
jrochkind1
I think Snowden et al made a mistake with the PR, with regard to what they
released first.

The "PRISM" stuff, the stuff with specific internet app/service providers, is
actually the _least_ troublesome. (And the closest to legal/constitutional,
with FISA orders involved and all.)

MUCH more troublesome, but receiving MUCH less media attention (such that I
don't even know the special program names, they are not 'prism'):

* They are recording _everything that goes over the internet_ , by tapping in at major backbones, undersea cables, etc.

* They deploy RAT malware to take over and observe targetted person's computer. (Have we been given evidence by Snowden that they do this inside the US and/or to US citizens? I am not certain. Do they get FISA orders/warrants first? I am not sure. Have we gotten info released on the RAT stuff yet? This interview is the first _I 've_ heard of it, in fact.)

Both of these are WAY more alarming, more significant invasions of privacy,
less likely to be legal/constitutional, than PRISM. But PRISM's getting all
the attention.

I wonder if this was in fact part of NSA/government counter-PR, to make sure
PRISM gets the attention and people get burnt out on the story before they get
to the REALLY disturbing stuff.

~~~
rickhanlonii
I make the same observations, but I actually think that it's a brilliant move
by Snowden et. al. The way they are releasing the information so far has been
from _less_ to _more_ troublesome. It's hard to say yet, but I would imagine
that the first leak is on the lower spectrum of importance. But it was a great
starter because it appealed to a larger audience given that it had powerpoint
with big name companies on it, rather than the technical details that would be
required to demonstrate the two points you mention.

As the leaks have moved on, the information has become progressively more
concerning. Anyone who has followed this issue should have at least a vague
idea of the caliber of information that could be coming (your post as an
example). So, rather than releasing the big ticket items first, and having the
rest of the issues make no impact in comparison, they're allowing as much
information as possible to have it's greatest individual impact before moving
on (not to mention the now well-discussed benefit of authorities lying
themselves into corners trying to cover up the smaller issues).

In this way, they're priming the public so that we've spent months digesting
the impact, and understanding the issue so that when we get (say) screenshots
proving everything going over telecommunications is recorded, the public is
prepared to understand and digest that fact quickly, and can move to action
quicker--or even at all.

The more I think about it, the more I earnestly believe that this technique is
the most effective methodology available to them and may be our one and only
shot to stop it (keep in mind that once a subgroup of society reaches enough
power and intelligence over the rest, there is literally nothing the rest of
humanity could do to overthrow them; we can't dump tea in the ocean and fire
guns at them anymore if they have drones _and_ know everything about
everyone).

He doesn't have to convince HN readers that this is worth stopping our daily
lives for to stand against, he has to convince _the general public._

With that in mind, the best thing _we_ can do right now, is help them to prime
the pump. Bring it up to everyone that will listen. Make the electorate
informed. Because when the news comes--the one that we will need to act on--
the public needs to be ready to hear it and move on it.

~~~
sneak
> He doesn't have to convince HN readers that this is worth stopping our daily
> lives for to stand against, he has to convince the general public.

The opinion of the general public doesn't matter. It's been being effectively
managed for years, and that won't change now. The proles will never revolt.

The fact is, these programs existing and being public knowledge to "foreign
entities" (Obama's words), pose an existential threat to Google, Apple,
Amazon, Microsoft, and any other US-based company that intends to make money
handling the private data of those filthy foreigners (whom outnumber US
citizens on the internet something like a dozen to one).

Sure, tell everyone who will listen. But you'll find that most people don't
give a fuck, and wouldn't know what to do with the information even if they
did.

This change, if it comes, will come from industry, as all major internal
policy changes in US government have for decades.

~~~
rickhanlonii
What you say may be true. But history has shown that people can give a fuck
and policy change can come from the people--even recently with ballot
initiatives. Corporations didn't overturn Ohio's SB5. Corporations didn't
legalize and regulate cannabis in Colorado and Washington. Corporations didn't
pass the Dream Act in Maryland. Corporations didn't pass multi-state
initiatives to legalize gay marriage. _People did_.

So independent of my opinion, there's demonstronably a non-trivial chance that
you're wrong. And from chances like that, movements are born.

~~~
sneak
> Corporations didn't legalize and regulate cannabis in Colorado and
> Washington.

You're right: cannabis is still illegal in Colorado and Washington.

------
tippytop
He has a nice idea about a prospective path of resistance:

"The [telcom] companies should write enforceable clauses into their terms,
guaranteeing their clients that they are not being spied on. And they should
include technical guarantees. If you could move even a single company to do
such a thing, it would improve the security of global communications. And when
this appears to not be feasible, you should consider starting one such company
yourself."

Google and Facebook don't seem to care, but the people here can create the
kinds of companies that do. Let the PRISM collaborators starve of a talent
storage.

~~~
antocv
Yes, this is what we should talk about.

How do we create, maintain and support companies that guarantee our privacy?
What do we do when those companies and its employees receive threats,
blackmails and various attacks by the feds? When they become infiltrated? When
they buy them up like Skype and close its security down?

Facebook, Oracle, Google all seemed to crap their pants when PRISM came out,
can we increase the heat on them to stop what theyre doing?

What methods do we have? What can we, the good hackers non-NSA-employed
hackers, do?

We have various encryption technologies, mega made some fine client-side
encryption kind of easy to use, what else?

Whatever we build will not be a perfect solution, it will require agreements
and legal frameworks and support from a major group of people. Isnt this what
GNU is about, the FSF and freedom box project?

EDIT: Its kind of tiresome that HN must always have a critical comment at the
top, no matter the issue, someone always tries to tear any story up to pieces.
Id like to remind you people of this awesome quote;

"" __It is not the critic who counts; not the man who points out how the
strong man stumbles, or where the doer of deeds could have done them better
__.

The credit belongs to the man who is actually in the arena, whose face is
marred by dust and sweat and blood; who strives valiantly; who errs, who comes
short again and again, because there is no effort without error and
shortcoming; but who does actually strive to do the deeds; who knows great
enthusiasms, the great devotions; who spends himself in a worthy cause; who at
the best knows in the end the triumph of high achievement, and who at the
worst, if he fails, at least fails while daring greatly, so that his place
shall never be with those cold and timid souls who neither know victory nor
defeat. ""

------
asveikau
More of this Hollywood movie plot version of network security:

> The analyst can then decide what he wants to do - the computer of the target
> person does not belong to them anymore, it then more or less belongs to the
> U.S. government.

This is kind of like when he said:

> You are not even aware of what is possible. The extent of their capabilities
> is horrifying. We can plant bugs in machines. Once you go on the network, I
> can identify your machine.

Software types reading this stuff know that this is not how computer networks
generally work. Maybe it is a dumbed-down reference to some sort of government
malware. If so I would like to see more technical precision from Snowden
before I can say that he has any chance of knowing what he's talking about.

~~~
AnthonyMouse
>Maybe it is a dumbed-down reference to some sort of government malware.

That's what I took it as. With government-level resources you can pretty
easily throw a team at all the common web browsers and find exploitable 0-days
and then MITM the next connection the target makes to any website to exploit
it, and then find a local privilege escalation vulnerability if necessary.
Once you have root (or equivalent) on any given machine you pretty much own
it.

That sort of thing isn't necessarily in reach of your typical J. Random Hacker
against a patched machine (may not have access to 0-day, can't easily MITM
target's internet connection, etc.) but it's really not a stretch to imagine
that the NSA can do it if they have no regard for the law.

~~~
asveikau
> not a stretch to imagine that the NSA can do it

In what kind of numbers, though? I mean, from what I remember reading Stuxnet
had this kind of crazy stuff in it (multiple zero-days if I recall), but also
a clear target in Iran. Would they have the resources to do this to everybody?
Is there any evidence of that? Certainly if there were it would be really
fascinating to know more, but all we have is this movie plot scenario.

With what Snowden says it makes it sound like they do it to anyone out of
sheer boredom. I think to understand the scope of this claim we need more
details.

~~~
jrochkind1
I didn't think it sounded like they did it 'out of sheer boredom', they do it
to people they've targetted for investigation. In what numbers, whether
targetting computers inside the US or not, etc. -- we do not know, Snowden has
not yet released documents so far as I know.

The software to take over someone's computer like that exists, and can be used
by script kiddies that don't even know what they're doing, to take over and
'own' many people's computers, complete control. Presumably the NSA knows
about even more exploits than the easily available hacker-distributed software
does.

[http://en.wikipedia.org/wiki/Remote_administration_software](http://en.wikipedia.org/wiki/Remote_administration_software)

[http://arstechnica.com/tech-policy/2013/03/rat-breeders-
meet...](http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-
who-spy-on-women-through-their-webcams/)

------
larrywright
Some of this seems odd to me. Snowden appears very intelligent and credible,
but how would he have been in a position to know who wrote Stuxnet?

~~~
lawnchair_larry
How _wouldn 't_ he?

That's like asking how he would be in a position to get Top Secret documents.

~~~
larrywright
I'll confess that I've followed this subject only partially, so I may be
missing facts about what he had access to. Did he have complete access to
everything at the NSA?

~~~
rantanplan
At his now famous video interview, he said that he had access to most things.
He also said that he could even shut down most of NSA's monitoring system, if
he wanted. Which strikes me as odd, that just a single analyst could have such
power, but what do I know about spying agencies?

~~~
fixxer
Here are a few things we know about the U.S. intelligence infrastructure:

* They couldn't find WMD in Iraq -- because they weren't there.

* They couldn't find bin Laden for 10 years.

* They thought Snowden was on a plane with Evo Morales -- and were wrong.

So, given these observations, I wouldn't be too surprised that one guy was
able to get access. Like all big organizations, I'm sure the NSA & CIA have
some amazing small groups capable to Bond-like performance.

But as a whole, they are probably a nightmare of incompetence. Therein lies
the reason I'm not in favor of giving them Carte Blanche for domestic
surveillance: they _will_ fuck up on an epic scale with probability=1. It is
only a matter of time until their infrastructure becomes a tool for some
oppressive politician or bureaucrat. HUAAC 2.0.

~~~
rantanplan
I'm not a US citizen so I am not the one to judge its efficiency. Nevertheless
I agree with the general idea of what you say. However it is highly peculiar
if he legitimately had so much power. It doesn't matter if he is an uber-
hacker or not, as some others point out. No government or agency would
structure its hierarchy such that a simple cog in the machine could bring the
whole thing tumbling down. Unless of course the high ranking officials are
like the regular PHB's we know - clueless about technology issues.

~~~
fixxer
> Unless of course the high ranking officials are like the regular PHB's we
> know - clueless about technology issues.

Bingo.

------
D9u
_Question: What happens if the NSA has a user in its sights?

Snowden: The target person is completely monitored. An analyst will get a
daily report about what has changed in the computer system of the targeted
person. There will also be... packages with certain data which the automatic
analysis systems have not understood, and so on. The analyst can then decide
what he wants to do - the computer of the target person does not belong to
them anymore, it then more or less belongs to the U.S. government._

I wonder if regularly wiping and reinstalling your operating system has any
effect on the aforementioned computer compromising by government/criminal
elements?

Obviously, an open source OS is a better choice than some closed, proprietary,
OS, but I seem to remember some controversy about BSD developers being
approached by government agents for the purpose of coding a backdoor into the
systems which they were working on.

Just how secure is my unix-like OS?

------
jallmann
This information is illuminating, albeit not too surprising. But with all
these releases, Snowden's chance of securing whistleblower protection on
constitutional grounds is completely shot. There could be a legitimate
discussion about tapping US companies, or constitutionality of the information
dragnet on Americans [1]. He could have had a fighting chance if the leak were
confined to just those.

That's not going to happen anymore, because now everybody is distracted by
sensational asides: we're hacking everybody, we're behind Stuxnet, we're in
cahoots with the Europeans, etc etc etc. Snowden is allowing the spotlight to
remain fixed on him; this whole thing is perfect fodder for the media -- an
individual on the run, Hollywood-style hacking plots, and predictable Internet
outrage. All while the constitutionality issue gets swept under the rug (see
Congress). What's more, Snowden will probably lose the battle of public (and
legal) opinion because these foreign operations are arguably justifiable [2],
and the leaks weaken the US bargaining position with other countries.

I'm not sure what the goal of this leak is anymore. Snowden is completely
fucking himself over while diverting public attention from issues that have
the best odds of an immediate fix -- the surveillance of Americans. This whole
thing is a bitter popcorn-fest.

William Binney said this during the USA Today interview [3] a few weeks ago:

I would tell him to steer away from anything that isn't a public service —
like talking about the ability of the U.S. government to hack into other
countries or other people is not a public service. So that's kind of
compromising capabilities and sources and methods, basically. That's getting
away from the public service that he did initially. And those would be the
acts that people would charge him with as clearly treason.

[1] Sorry, non-Americans: the Constitution doesn't cover you guys. But we need
to protect ourselves from our own laws first before we can help the rest of
the world.

[2] If you think the US is the only one doing this, or if the world should
just hold hands and sing Kumbaya: get a clue.

[3]
[http://www.usatoday.com/story/news/politics/2013/06/16/snowd...](http://www.usatoday.com/story/news/politics/2013/06/16/snowden-
whistleblower-nsa-officials-roundtable/2428809/)

~~~
guelo
I hate the "everyone is doing it" "get a clue" excuses. The U.S. government
hacking into Hong Kong computers is wrong and disclosing it is a public
service to the people of Hong Kong. If we don't demand moral just governments
we will never get them.

~~~
jallmann
>If we don't demand moral just governments we will never get them.

OK, here's a clue: truly moral governance is only sustainable if all
governments follow the same moral behaviors. Unfortunately, that's not a
stable equilibrium, because the world is not Kantian -- thinking otherwise is
naive.

~~~
guelo
The US used to be a leader, forming the United Nations, ratifying the Geneva
Conventions, promoting human rights, etc. Nowadays we have squandered our
moral leadership by refusing to sign things like the ban against land mines or
the international criminal court; as well as by leading immoral wars and
torturing prisoners. As a superpower we have the power to make the world
better for everyone but the empire has turned selfish, short-sighted and evil
instead.

~~~
jallmann
Rose-colored glasses, maybe? How about slavery, segregation, the treatment of
Native Americans, Japanese internment, McCarthyism, etc. Find a country with a
history of unblemished human rights -- it doesn't exist. Anyway this thread is
getting off topic, I'll stop here.

------
throwaway345
I'm still conflicted over these Snowden revelations. On the one hand, it is
(of course) an egregious (and probably illegal) breach of privacy.

On the other hand, I think it's incredibly naive to believe that, once a
technology exists, it won't be aggressively used to further the interests of
nation-states and multinational corporations alike.

What makes you think for a second that China and Russia aren't using (or at
least in the process of building) the same sorts of systems?

------
gexla
If the NSA saves all my stuff, then why do I need my own backups? Forget
Dropbox, just give me access to my stuff at NSA. This is a service I'm already
paying for.

------
medde
He should start signing all his messages

