
How the NSA Threatens National Security - fortepianissimo
https://www.schneier.com/blog/archives/2014/01/how_the_nsa_thr.html
======
ds9
The most important line: "put security ahead of both domestic and
international surveillance". That's what it comes down to, we can have
communications security or surveillance, not both.

~~~
higherpurpose
Yes, so far NSA has been successful at promoting mass surveillance as a matter
of "security" not just against terrorists (which we now learn is being very
wasteful and ineffective), but against "cyber-attacks", too.

Every time they talked about cyber-attacks, they implied Congress needs to give
them more powers and more money, which they later used for offensive actions,
rather than securing the networks. NSA has _zero_ interest in securing
networks at this point. Maybe they cared about that a little before 9/11, but
I don't think they care about it at all anymore.

All they want to do now is _be able_ to break into everything or have
backdoors into everything, which means they will not only hoard systems'
vulnerabilities for themselves, but they also won't even use that knowledge to
secure domestic systems, because the truth is they want access to domestic
systems, too, and to them that has a higher priority than securing those
systems even against China and so on.

The NSA has probably always had this corrupted idea about security, but I
think it became much more so when they merged the US Cyber Command with the
NSA.

Bottom line is that we need to educate others that surveillance is pretty much
the opposite of "cyber-security", and we need to call NSA out on it every time
they try to use the lie that they're the same.

------
r0h1n
While there's a healthy debate in the US (and to a lesser extent in Europe
perhaps) about the extent of spying being done by governments, I see hardly
any concern in India among both media organizations (with probably the
exception of The Hindu newspaper), businesses and citizens.

Fed by the constant drip-drip of "free" features, people are almost blind to
the true "cost" they're paying. I've tried my best to convince people I know
to adopt even simple (not foolproof, which probably nothing is)
countermeasures like VPNs or HTTPS-Everywhere...but nobody gives a damn.

Reminds me of a Supernatural episode [1] featuring drugged Turducken
sandwiches that turn people into passive, media-absorbing, harmless zombies.

[1] - http://io9.com/5861160/turducken-and-the-rise-of-dick-make-one-helluva-supernatural-episode

~~~
pavanred
This is true, just days ago there was a proposal of a Google tie-up with
Election Commission of India [1]. The proposal allowed Google to offer
services for the General Elections in India to be held in 2014. Google
proposed free online voter registration besides making available vital details
of voter EPIC card numbers and polling station locations.

While this did stir up a concern among the political parties and got some
column inches and airtime in mainstream media, I think it should have deserved
a lot more attention. I was quite surprised that many people I know don't even
have a clue that this happened about a week ago. With all the recent spying
revelations, this was seen as a huge security risk. Nevertheless, the Election
Commission of India later dropped plans to partner with Google after spying
fears [2].

[1] http://articles.timesofindia.indiatimes.com/2014-01-07/india/45954589_1_voter-facilitation-security-concerns-tie-up

[2] http://in.reuters.com/article/2014/01/09/india-elections-google-idINDEEA080CQ20140109

~~~
DannyBee
"The proposal allowed Google to offer services for the General Elections in
India to be held in 2014. Google proposed free online voter registration
besides making available vital details of voter EPIC card numbers and polling
station locations."

I started and used to run these programs for Google. I'm not sure what you are
implying is done with this data, but security and privacy are always the
highest priority.

Google does this stuff for completely altruistic reasons. It's not even part
of .com anymore, it's part of .org. The goal is to help people know where to
vote. Nothing more, nothing less.

If you'd like to tell me what conspiracy you think this is part of, ...

~~~
pavanred
The point I was trying to make was that when it comes to security, privacy etc
there isn't as much debate and media interest as I think should be in India.

In this case there were concerns voiced that the Election commission neither
consulted all the stakeholders nor consulted political parties to discuss
this. And, of course with the revelations of US agencies indulging in
widespread spying and intelligence gathering, sharing vital data pertaining to
Indian citizens to a foreign company was perceived as a security risk.

I did not imply that there is a conspiracy. I just think when there are
concerns about security and privacy, as in this case, there should be a louder
discussion.

~~~
DannyBee
"The point I was trying to make was that when it comes to security, privacy
etc there isn't as much debate and media interest as I think should be in
India."

Fair enough. Note when I started this, Google was essentially one of the only
players in this space who didn't want data that had PII in it (in the US,
things like voter files get sold quite a lot). Still true, sadly.

For national ID systems, most of it was something like "ID xxx through zzz
vote at YYY", where xxx to zzz was some very large range. For those systems
that required fine grained data (like Peru, I believe), our design was to give
them secure one way hashes to use on the data before giving it to us so that
we never had any info, just something we could key on (we would then proxy api
calls to do the actual national id lookups or something so again, we never saw
the id's). AFAIK, none of these ever panned out for other reasons.

At least when I was running it (and I doubt things have changed in the past 8
months, it's the same people other than me), there was a zero percent chance
we would have ever agreed to _receive_ any "vital data" at all.

I haven't looked heavily into all this, but I have _very_ strong doubts any
info about people would have actually been asked for or given. You know how
the press tends to understand nuanced technical detail.

In most cases where these stories happen, sad truth is the real reason is
losing control of voter suppression.
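
An added example, not part of the comment above and not Google's code: a sketch of the "hash before handing over" design it describes, with a release check the data owner can run on the export. Using HMAC-SHA256 with a key held by the election authority is an assumption (the comment only says "secure one way hashes"); all names, the key and the sample IDs are constructed.

```python
import hashlib
import hmac

# Constructed sample roll: national ID -> polling station (not real records).
VOTER_ROLL = {"10000017": "Station A", "10000542": "Station B",
              "10000999": "Station A"}
AUTHORITY_KEY = b"constructed-demo-key-held-by-authority"
# Constructed ID range; real national ID ranges are public and enumerable too.
ID_SPACE = [str(n) for n in range(10000000, 10001000)]

def plain_token(national_id):
    """Unkeyed one-way hash: anyone can recompute it for any candidate ID."""
    return hashlib.sha256(national_id.encode()).hexdigest()

def keyed_token(key, national_id):
    """HMAC-SHA256 under a key that never leaves the election authority."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()

def export_table(roll, tokenize):
    """What the authority hands over: token -> station, no raw IDs."""
    return {tokenize(nid): station for nid, station in roll.items()}

def recoverable_ids(table, tokenize, id_space):
    """Release check: IDs the recipient could recover by hashing every value
    in the known ID range and matching the result against the table."""
    return sorted(nid for nid in id_space if tokenize(nid) in table)

def lookup(table, token):
    """Recipient side: key on the token only, never on the ID."""
    return table.get(token)

def demo():
    plain = export_table(VOTER_ROLL, plain_token)
    keyed = export_table(VOTER_ROLL, lambda n: keyed_token(AUTHORITY_KEY, n))
    # Without the authority's key the recipient can only hash with a guess.
    guess = lambda n: keyed_token(b"not-the-authority-key", n)
    return {
        "plain_recovered": recoverable_ids(plain, plain_token, ID_SPACE),
        "keyed_recovered": recoverable_ids(keyed, guess, ID_SPACE),
        # The authority's proxy computes the token for a voter's query.
        "lookup": lookup(keyed, keyed_token(AUTHORITY_KEY, "10000542")),
    }

if __name__ == "__main__":
    print(demo())
```

With the keyed variant the token for a voter's query has to be computed on the authority's side, which matches the proxied lookup the comment mentions.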

------
higherpurpose
> We need to build a coalition of free-world nations dedicated to a secure
> global Internet, and we need to continually push back against bad actors --
> both state and non-state -- that work against that goal.

Let's do it. Even though I'm starting to believe that a "secure by default
Internet" will come from the wilderness of the Internet and not from
committees, because too many corporations (Google, Facebook, Microsoft, etc)
and governments (US, China, "5 eyes", etc) will push against those committees'
standards, I still think it's important to have at least some large countries
support those types of projects when they arrive, or at least not be outright
hostile against them and try to ban them "because terrorism/child
pornography/money laundering".

These technologies will need some time to incubate, and leak into the
mainstream, so at the very least we'll need some countries to turn a 'blind
eye' to them until they reach critical mass, and not try to shut them down
from day one or threaten people with new laws and arrests if they use them.

