Looking Back at the Snowden Revelations (cryptographyengineering.com)
401 points by sohkamyung 28 days ago | 231 comments



Oh yeah :

- Before Snowden, if you spoke about these issues, you were dismissed as paranoid.

- After Snowden, if you dismiss these issues, you are dismissed as hopelessly naive...

Oh, also - considering all this - you can bet that Intel's Management Engine has likely been backdoored by the NSA, so using Intel's processors is not recommended, especially if you're a non-US company... (industrial espionage !)

https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf


> Before Snowden, if you spoke about these issues, you were dismissed as paranoid.

I’ve been telling people for years, but nobody listened.

Now everyone knows it’s true, but still nobody seems to care…


Description of my life. I was telling people for years what is going on, not from a position of daydreaming, but what I would be able to pull off. I got back everything from tin foil hat to "I have nothing to hide". Snowden changed that and I am grateful to him for exactly that...

And for one more sentence, that is a work of pure genius: “Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.” <3

And how the world is changing, from GDPR to California privacy law... I would just love to shake hands with this guy.


I was actually more positive than reality, for a better "quip" - I still had a discussion where the other person pushed the "I have nothing to hide" angle as recently as last month ! And that person's grandparents died in Auschwitz... (Thankfully, this seems to be much more rare in the "tech" circles ?)


The "I've got nothing to hide" angle terrifies me.

As one obvious example, LGBT Russians had absolutely nothing to hide, right up until the moment it was outlawed, again. Then suddenly it was extremely easy to identify and persecute.

In a world where we hold people like Willem Arondeus, Sophie Scholl or anyone else involved in hiding or exfiltrating Jews during WW2 as heroes, it baffles me that the idea of "nothing to hide" even exists. The fact we've made a modern kinder-transport or even a resistance nearly technologically impossible honestly stops me sleeping.


> “Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”

I find this sentence interesting because it is very specific to the American public. I am European and personally I care a lot more about privacy than free speech, and America's obsession with free speech boggles my mind.

It might have to do with the last time we in Europe experimented with unadulterated free speech, and got Hitler and WW2 as a result. We might have dialed it back a bit after that. But what do I know ?

There seems to be a profound divide between America and Europe on this front and I haven't quite put my finger on why yet.


I am European too. But without the freedom of speech, we wouldn't be discussing this. They are both liberties and we need them both. There is no "I care more about X". We need them both as fundamental human rights.


Of course.

But free speech is not absolute, even in USA (libel laws and all that).

What I find interesting is how the threshold between the freedom of speech and the freedom of other people is set differently between US and most of Europe.

For instance you can be convicted for incitement to ethnic or racial hatred in a lot of European countries [1] while to the best of my knowledge this kind of speech is protected in the US.

Personally I am very happy with how the free speech threshold is set in France or Germany but I have no doubt it is a cultural thing.

[1] https://en.wikipedia.org/wiki/Incitement_to_ethnic_or_racial...


Libel laws aren't anti free speech at all. Freedom of speech is not freedom from consequences*

*Unless it's from the government in which case it's absolute.


"Freedom of speech is not freedom from consequences."

It sounds like a quote from "Animal Farm", doesn't it? I am free to say anything I like, but if I say the wrong thing, I get punished for it. Also, "some are more equal than others".


> "Freedom of speech is not freedom from consequences."

> I am free to say anything I like, but if I say the wrong thing, I get punished for it

Not quite. You did not quote a critical part -- being free from consequences from the government. And as governments, almost everywhere, give themselves a monopoly on the use of force "if I say the wrong thing I get punished for it" does not apply.

Thus whoever wants to punish you needs to petition the government for help and prove their case -- if I make false claims that you consider damaging you can ask the government to help and prove your case in a civil court (instead of, say, punching me in the snout to punish me directly). Just my 2c.


There are a bunch of relevant passages about this in Animal Farm, but I can't seem to find them at the moment.

For example-- that famous one where the hedgehog pornography tycoon runs an ad in his magazine accusing one of the pigs of having sex with his own mom, and then is cleared by a panel of pig judges who rule that parody is protected speech.

Where is that passage in Animal Farm? Maybe I don't have the details correct, but I certainly remember reading a long passage where Orwell clearly establishes that a book of satire like Animal Farm itself would be allowed in the Animal Farm universe. I thought it was such a nice touch of optimism in an otherwise dreary book. (And if I remember correctly it was a welcome respite from those long boring passages of complicated libel case law in the animal world.)


I mean civil consequences. If someone says something I dislike, and I disassociate with them, that's a consequence. Nobody should ever be jailed for their speech and that's what it's designed to protect against.

Libel is special because it's purely a civil matter and usually has to prove malicious intentions.


I can insult the president, house, senate, justices, and all the others in government. And not only that, I can 'peaceably assemble', and 'petition for a redress of grievances'. Those are all rights in the 1A alongside free speech.

Compare that to: Poland, Netherlands, Spain, Switzerland, Thailand, and Saudi Arabia. 4 are European and 2 not. Yet it is a criminal charge if you do. And in Saudi Arabia, it's a terrorist charge.


Please don't do it. 1A is protecting you, but they still got guys with batons, tear gas and tasers. It is not about the letter within some law but rather how it is practised, by insulting someone strong enough, law might protect you but at the end you will still finish as a beggar. And, me personally, I wouldn't dare to do it in states. Actually I would rather do it in Switzerland. Or maybe even Thailand.


I disagree. This is the very thing freedom of speech protects, bar violent incitement. The great thing about the US is that FoS is not just a law, but also a cultural tentpole. I doubt the people holding the tasers would carry out their orders in this case.


Who defines incitement? Who defines ethnic or racial hatred? Is it incitement of racial hatred to post a joke video of your dog performing a Nazi salute?


Every country's law is a bit different in that regard, but mostly : exactly like how the United States Supreme Court defines obscenity [1].

[1] https://en.wikipedia.org/wiki/I_know_it_when_I_see_it


> Is it incitement of racial hatred to post a joke video of your dog performing a Nazi salute?

Why did you post it?

Because you know it's controversial and would create engagement.

If the Nazi salute wasn't controversial (and rightfully considered a hate crime) you would have ignored it.

BTW the first amendment does not condone hate speech.

Because even USA understands that there is a limit on everything.


The last time I came across someone referring to that case here on HN, I went away and read the judgement. It took the story from being surprising to a perfectly restrained, considered and reasonable verdict.

Mainly as the defendant hadn't, despite the judge's specific encouragement, bothered to submit a proper defence or explore freedom of expression. So it could only be decided purely on the breach of the law. Then there were all the surrounding circumstances of how he set this up.

http://www.scotland-judiciary.org.uk/8/1962/PF-v-Mark-Meecha...


Prudent defense or not, no law should be written in the first place so as to criminalize a joke YouTube video under its letter. Nor should citizens (or subjects in this case) be compelled to explore the necessities of free expression as a criminal defense for making a simple joke.

Thankfully in the US we have already codified free speech into law. Unfortunately there are still many who do not consider the liberties protected by the Bill of Rights to be a settled issue.


The original statement by a justice implying restriction on freedom of expression was later recanted (note it was not directly a precedent setting ruling either). There are people in the US that see any restriction, even for hate speech or incitement of violence, as against the first amendment.

You might think they are extreme in their views but rulings restricting speech are very, very rare.


I don’t believe that is accurate. Courts routinely issue gag orders.


> You might think they are extreme in their views but rulings restricting speech are very, very rare.

And that has severe consequences as you see.

Popper said it many years ago.


The first amendment doesn't condone hate speech, nor does it disallow it


You have it, but it's not pure free speech US style, everything is good because it's the constitution, like bearing arms and whatnot, you have the right to your opinions, but some opinions could lead you to jail.

Which is slightly different.


You're afraid of free speech? Manipulation occurs no matter how open or free communication is. Discourse and skepticism are the only weapons we have against manipulation, and those exist via free speech.


There is absolutely no divide. The concept of a right to (almost) unrestricted freedom to criticize the government comes straight out of Western European legal norms that were in fashion around the founding of the United States, and have continued to remain in fashion since.

No Western-style democracy observes a right to absolutely unrestricted freedom of speech, because it conflicts in obvious ways with other rights. We cannot, for example, incite people to a riot, or yell fire in a crowded theater, or go on the radio and accuse our boss of murdering children. The restrictions against Holocaust denial in Germany (for example) aren't different in kind. Europeans enjoy broad freedom to publish whatever they want about their government, critical or otherwise.

This is in stark contrast with China, Russia, most countries under some form of religious rule, and most dictatorships, where criticizing the government will get you tortured to death or sent to a labor camp at worst, and severely fined and blacklisted from government service at best.

The "median Western European" may have a more nuanced view on the right to free speech than the median citizen of the United States, but I'd attribute that to a superior education system and decades of trying to undo structural economic injustice rather than a cultural divide (which is complete nonsense, honestly).


Anyone absolutely can "Yell fire in a theater" in the US, this canard has an interesting history: https://en.wikipedia.org/wiki/Shouting_fire_in_a_crowded_the...

You can also go on the radio and accuse your boss of whatever you like in the US as well. You might get sued by your boss in civil court, but the police will not come after you.

You can also deny the Holocaust, that the earth is round, that people have landed on the moon, or anything else. An unfortunate side effect of freedom is that other people will be allowed to say things that you dislike.


The distinction between civil and criminal law isn't terribly relevant here. You can be found liable in civil court for all of the things listed in the first two paragraphs.


It's entirely relevant. Your speech is subject to civil law, never criminal law, because speech is free. If it is somehow subject to criminal law it's not really the speech that is, but some other act which the speech is facilitating.

Yelling fire in a theater isn't illegal, but deliberately doing something that will cause a panic is.


Sure it's relevant. In the context of Free Speech, we're talking about freedom from persecution by the state.

In the US, you can say whatever you like and you will not be prosecuted or jailed. That is simply not true in most other countries.


It isn't pertinent to the conversation re: europe. Also, it's false, you can be imprisoned for inciting violence (or taking other unlawful action) in the United States. Finally, there isn't a categorical distinction between having speech restricted by a suit brought in civil court vs in criminal court: in both cases my speech is curtailed by law.

I drew the obvious contrast with most of the rest of the world in the parent comment, I have nothing more to say there.


America was settled largely by people fleeing religious persecution in Europe.

> It might have to do with the last time we in Europe experimented with unadulterated free speech, and got Hitler and WW2 as a result.

Um, I'm not sure what they put in your history books over there, but I'm certain that's not an accurate characterization of how that happened.


Free speech is not responsible for WWII at all?!

You forget that Hitler's ideas were popular at the time - that's why he was elected. Slowly but surely it was the free speech of Jews, their very ability to combat the incoming tyranny before it was too late, that was clamped down on.

As such, censorship was quite popular.

Free speech levels the playing field between government and people.


OT: You for sure know that the 'Duce del Fascismo' was in power as a dictator since 1925 - and the fascists took over state power in the Kingdom of Italy in 1922, no?

(Quoting: //wiki/Mussolini)

regards from germany (-;

Edited: Typo


I think he intended that unadulterated free speech is not necessarily the most important of the rights.

I think freedom of the press and freedom of association come before that.

In fact the first thing Mussolini did when he won the election (not without the help of violence, verbal but more importantly physical, like Hitler also did after him) was to abolish the free press and make all the other parties illegal.


1) Freedom of the press is a subset of freedom of speech.

2) Verbal 'violence' is a fallacy. It doesn't exist.


Your legal name is: $name

Your Address is: $address

Your phone is: #ph

You work at: $employer

You did X abhorrent thing (fakes picture or video with deepfakes). It would be a shame if something happened to you.

-------------------------------

That right there is indeed verbal violence, AND a call to arms to enact violence against you.


That's just libel and an incitement to violence (though you could have rephrased the same information so it wouldn't be).

Only the incitement to violence could possibly be considered violence, though I personally would say it is NOT violence, but a separate offence.


"I'll kill your family" after they killed many other people's families is verbal violence.

Believe me, my great-grandfather and my grandfather were jailed many times in the 20 years of fascist regime because they refused to swear as fascists.

They were two gentle men who worked as tailors.


That right there is not an example of violence, despite any assertions to the contrary. There is a clear distinction between statements and actions.


And this is where my opinion lies.


1) Nope. You could say whatever you wanted in Rome when the ruler was the pope, but you could not write it freely.

Example: Pasquino https://en.wikipedia.org/wiki/Pasquino

2) I'm a polite Italian using ancient words: it's what we call hate speech today.


> last time we in Europe experimented with unadulterated free speech, and got Hitler and WW2 as a result

We also needed Americans to save us Europeans from those other Europeans.


> last time we in Europe experimented with unadulterated free speech, and got Hitler and WW2 as a result

Aside from being really smug about Europe's supposed superiority today, this comment is just factually misleading. For one thing, it wasn't "unadulterated free speech" that got Hitler into a position of dictatorial power, it was backroom politics, legal manipulation, and finally laws and a German constitution that were extremely pliant towards misuse and reinterpretation for the sake of dictatorship, with all kinds of clauses in favor of martial law, censorship and so forth that the Nazis used to powerful effect once Hitler was appointed chancellor. Had they been dealing with something more absolutist about freedoms like the U.S constitution, his road to dictatorship would have been much more difficult, chancellor or no. You actually have the whole thing about the value of rigidly preserved freedoms exactly backwards in your claim about Hitler and free speech.

In other words: Hitler's rabidly racist speeches never once won him a single electoral victory in Germany (and this even at a time when anti-semitism and racism were much more popular). The much greater damage was done by a weak constitution ridden with clauses against individual freedom, which couldn't effectively stop Hitler from becoming a dictator once he got the chancellor's office.


> You actually have the whole thing about the value of rigidly preserved freedoms exactly backwards in your claim about Hitler and free speech.

Not my claim, it was the GP's claim and I was also disagreeing with it.


I saw that and sorry. I couldn't find his original claim again and just replied to you. Cheers


[flagged]


We've banned this account as explained here: https://news.ycombinator.com/item?id=21078055.


> If Europeans are too weak for freedom that is their prerogative

We can legally drink before the age of 21 because we are able to control ourselves.

We can have sex between 14 and 16 years, because we are able to control ourselves.

We don't shoot other people in school when we are upset, because we are able to control ourselves.

Tell me more about your strength...

https://i.imgur.com/pmQWG4F.jpg


Please don't break the site guidelines by taking a thread further into flamewar and by replying to an egregious comment instead of flagging it.

https://news.ycombinator.com/newsguidelines.html


I've been called weak as European and you tell me I'm the one making a flame war by just stating what's obvious?

You've a weird sense of humor my friend.


We banned the account that posted that, so I'm not sure what the complaint is.


[flagged]

inimino 28 days ago [flagged]

I vouched for these comments because, while perhaps nearer to one extreme, I believe this perspective deserves to be heard.

Also:

> And an orator said, Speak to us of Freedom.

And he answered:

At the city gate and by your fireside I have seen you prostrate yourself and worship your own freedom,

Even as slaves humble themselves before a tyrant and praise him though he slays them.

Ay, in the grove of the temple and in the shadow of the citadel I have seen the freest among you wear their freedom as a yoke and a handcuff.

And my heart bled within me; for you can only be free when even the desire of seeking freedom becomes a harness to you, and when you cease to speak of freedom as a goal and a fulfilment.

You shall be free indeed when your days are not without a care nor your nights without a want and a grief,

But rather when these things girdle your life and yet you rise above them naked and unbound.

And how shall you rise beyond your days and nights unless you break the chains which you at the dawn of your understanding have fastened around your noon hour?

In truth that which you call freedom is the strongest of these chains, though its links glitter in the sun and dazzle the eyes.

And what is it but fragments of your own self you would discard that you may become free?

If it is an unjust law you would abolish, that law was written with your own hand upon your own forehead.

You cannot erase it by burning your law books nor by washing the foreheads of your judges, though you pour the sea upon them.

And if it is a despot you would dethrone, see first that his throne erected within you is destroyed.

For how can a tyrant rule the free and the proud, but for a tyranny in their own freedom and a shame in their own pride?

And if it is a care you would cast off, that care has been chosen by you rather than imposed upon you.

And if it is a fear you would dispel, the seat of that fear is in your heart and not in the hand of the feared.

Verily all things move within your being in constant half embrace, the desired and the dreaded, the repugnant and the cherished, the pursued and that which you would escape.

These things move within you as lights and shadows in pairs that cling.

And when the shadow fades and is no more, the light that lingers becomes a shadow to another light.

And thus your freedom when it loses its fetters becomes itself the fetter of a greater freedom.


>Now everyone knows it’s true, but still nobody seems to care…

That just about sums up every bad act.

Lots of people were aware of all the bank fraud and toxic loans leading to the 2008 real estate bubble, no one cared leading up to it, and no one cares now.

The Googles/Facebooks/amazons are collecting and doing unsavory things with your data, whether you ever used their services or not (shadow accounts), no one seems to care.

Governmental spying on citizens? Hell the Government had a program which included secret kill lists, flew military bombers into foreign countries to drop bombs and kill a citizen. Even when the US failed to kill the citizen and the family sued, their case was dismissed as the courts denied any right to know who was on the list, how they got on the list, and even denied acknowledging the list existed...yet no one cared.

Imagine a foreign country flying military missions in the US and dropping bombs on a foreigner in the US, based on the foreign government's secret kill lists. It's pure insanity.


For pure insanity Operation Northwoods still takes the biscuit.

Do we really think that they are any better 50 years later? Because I don't.


Well it might have contributed to GDPR, which is a step in the right direction.


Source on this?




Well, it's pretty much a situation of war. And an unconventional war against terrorists.

(Also, not unprecedented - the Russians have been doing something very similar in a few high-profile UK cases...)

Of course, the main issue is that those "surgical" drone strikes still seem to have backfired strategically -

I wonder what is the state of these "who are we going to kill today" reunions under Trump ?

And of course in the background there's the whole Middle Eastern situation where the USA (and previously the British Empire) have only been making things worse for a century or so... but the control over those oil fields is just too important for them to let go !


Yeah, he's wrong that the most paranoid weren't assuming how bad it was. If anything, Enemy of the State had general public worried with Echelon revelations and technical details of Puzzle Palace making me certain they were doing mass surveillance and hacking. At least within a few years of 9/11 and Patriot Act. They'd do whatever they (a) could and (b) had to do for their mission.

Far as weakening, we were noting they did a lot of things that were public knowledge that indicated they prioritized shoddy products and surveillance over security. I had an essay listing most of them. I might dig it up and submit it Thursday if anyone is interested.


I remember people in infosec and *NIX communities being paranoid about the NSA back in the early '00s. Americans who were not trusting their own government. I myself only heard about the CIA and FBI. I familiarized myself with the concept of NSA and shrugged it off. "Never hear anything about those. Probably a very small organization..."

In hindsight, I was right, but I didn't get with the program after 9/11 (see the accounts of William Binney [1] and Edward Snowden's recent Permanent Record).

[1] https://en.wikipedia.org/wiki/William_Binney_(intelligence_o...


A certain Richard M Stallman faced a similar problem when he talked about DRMed content a decade ago.


Oh, yeah, that too - for me, after Snowden, Stallman went from "crank"-ey to "prophet"-ey !

(Well, and GAFAM's behavior in the recent years certainly didn't help either...)

P.S.: Got Stallman to sign my The Snowden Files book after he introduced his speech with asking the public to give "three cheers for Snowden"...



Even a broken clock is correct twice a day


Isn’t it a bit like global warming? If people feel the issue is so much bigger than them they will just resign and give up.

Unless you communicate why we need to do something anyways and what small manageable steps can be taken it is hard to tackle this alone, even if you are an informed person with the motivation and the breathing space to do so.

So unless the felt pain and the impending doom doesn’t exceed the threshold of “oh shit this isn’t fine, what was I thinking!” people will just call the whole thing off as unmanageable and move ahead.


I wouldn't say I don't care. I would say I permanently trust government less, as I do feel mostly powerless to make them less nosey. If I have an opportunity to vote against mass surveillance, I will do that for sure.


Under what circumstances can you imagine being given a vote on mass surveillance?


In The Netherlands, we had a non-binding referendum on this [1] (complete with misinformation, or downright propaganda, on TV). The vote against had a minor but significant win on the for. Result? 1) The law got active a few months later 2) A few minor changes were applied 3) The right for a non-binding referendum got removed from The Netherlands, citing we should either have a binding referendum or none at all.

[1] https://nl.wikipedia.org/wiki/Wet_op_de_inlichtingen-_en_vei... (article also available in German and Chinese)


Interesting, but I guess that considering that the govt. announced their intention to pass the law regardless of the result of the referendum my question should have been "under what circumstances can you imagine being given a _meaningful_ vote on mass surveillance?"


You can't. A democracy, and a binding referendum, stands on the shoulder of the public being informed and interested about matters. The public does not know enough about the topic. They can't, because the enemy listens as well in this global world. Hence, the proponents can pull FUD and appeal to authority at will.

I'm a proponent of binding referendum, but I don't see how it would solve the problem in this case.


Not many.


If I asked 10 people around me, who is Edward Snowden, maybe one would know. When the story broke, I never heard anyone in real life bring it up.

I know young wealthy people who don’t know who Elon Musk is. People’s attention is highly fragmented.


It's not about the guy's name, what's important is how people's perceptions have changed (which I would generalise as from scornful dismissal to resigned acceptance)


> "Now everyone knows it’s true, but still nobody seems to care… "

In general, the mainstream media didn't make much of it. At the time they hadn't yet tied outrage to revenue/profits. If Snowden were to happen today the coverage and reaction would be much different.

But alas, it's too late. The public has it in their minds it was a non-issue. That seems unlikely to change any time soon.


Information sharing is like entropy - it will only increase over time. We're moving towards a future where privacy is becoming an archaic concept.


>https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

The author dismisses CPU-level backdoors in favor of Intel ME backdoors mainly on the basis that, since CPUs can't save state, they can't protect themselves against replay-"attacks", and hence Intel would lose any sort of plausible deniability once an "activation sequence" was ever found in the wild.

But I don't really see how ME is protected against replay-"attacks" either. Sure, you might not be able to replay the sequence to the same CPU, but you can definitely replay it to a different CPU - unless every single CPU out there has a different activation sequence, which is possible, but would be vastly less efficient (if you want to hack someone you now have to know / guess some sort of unique production ID of the CPUs he's using?).

I'm really not seeing the big argument in favor of an ME backdoor here. A backdoor directly in the CPU would work just as well.

Arguably better in fact, since the CPU can just look for the activation sequence in the data it reads (if you send an e-mail or website it's very likely the plaintext string gets copied, and therefore read, by the CPU at some point), whereas the ME processor would only be able to watch specific offsets in memory.


I thought everything in it would be backdoored with each one looking like an intermittent failure, a timing error, something like MMU failing in long-lasting system due to silicon aging, "honest mistakes" all over networking-connected code in ME, something similar in its hardware, etc.

The one they'd use the most was deniable looking flaws in ME. They'd reserve their best ones for most important cases with lowest chances of detection. Maybe even with personnel physically there activating it with an RF signal. Could integrate wireless in something called Centrino to make that easier. Take a pile of hard cash and lots of defense sales as a thank you.


Right, this is from 2015, I'm aware that "transistor-hidden" backdoors have been created since then... at least as proofs of concept ? But while these are a future possibility, I doubt that any of those are already in place now, much less were in 2008, when Intel introduced IME...


You assume a device can not be tracked from creation to distribution. Why?


Supply chain tracking is extremely difficult even for entire ecosystems that make it their near maximum priority (such as say, military procurement).

There isn't a hope in hell you can reliably keep track of who has which Intel CPU.

Think of all the stages involved, and how each one has to cooperate and how many times Intel's CPU is sitting on "undifferentiated pallet of X units".


Of course one device can be tracked. But not every CPU can be tracked, I consider that quite infeasible indeed. If you already know the target, and know that target is looking to buy a new PC/laptop, you can feed it a specific CPU, sure. But you could just as well feed it some sort of modified BIOS that doesn't require any special hardware, and would be pretty much just as hard to detect for someone that isn't specifically looking for that kind of modification.

But that's usually not the interesting case. The interesting case is that you find a new target, and that target already has a PC/laptop, and you want to gain access to it without having to physically infiltrate. Now, you might be able to manipulate their network in some way, or send them an E-Mail, or get them to visit a website that contains an activation code. But having to backtrack which CPU that laptop contains seems impossible to me in the vast majority of cases. Even if you can somehow figure out where he bought it, most stores aren't even going to be able to tell you the serial number of the product they sold, and even if they can, now you have to match that serial number to a CPU, which is... impossible? How would you get that information? Retailers buy hundreds of thousands of CPUs, and they probably don't tell Intel which CPU they put into which device, or even who buys which individual CPU. If you send a CPU back on Amazon, they don't even check if it's the same goddamn model! (Hence the surprise of some people who bought a $550 CPU and got a $550 CPU box with a $50 CPU in it.) And if the CPU or laptop was bought used, now you're really out of luck. I really don't see how this is very useful, when instead of doing that you can just force Intel to give up plausible deniability and hack everything in sight. If you get caught (which is incredibly unlikely in the first place), you just say "we did it for America!" and that's it, nobody would care. I mean Intel would be kinda fucked, but the NSA wouldn't be.


You restated your position instead of addressing my question and then added irrelevant speculation in a different direction.

The issue with supply chain tracking is the sharing of information. If every part of the supply chain is hacked then you have all of the info. You also need to look at it backwards: instead of "who has X" ask "where did X go" which is easier to answer. It starts at the source, the factory, which can know which serial was in which lot. Then you know where that got shipped, etc.

Maybe occasionally units get "lost" but you do have error bounds on their location.


One of the most interesting revelations was the security agencies' apparent spying on members of Congress.

But it’s like nothing happened. No investigation, no nothing. If they can’t be bothered by that, it’s little surprise they’re not bothered by their spying on regular folk.


Google "jane harman alberto gonzales". George W. Bush's Attorney General was apparently "twisting Rep. Jane Harman's arm" over some moderately bad things that FBI or somebody caught Harman saying to some AIPAC people being surveilled.

That was in 2009. I remember being kind of stunned that nobody seemed to care that the executive branch blackmailed an elected Rep. Log rolling and pork barrelling is fine, but blackmail seems like a bridge too far.


That should tell us who is really in charge.


Yes, the American people, who can't be bothered to care enough to do anything about it.


Yeah, we'll just go ahead and use x86 processors from AMD, another US company, which are surely not backdoored...


AFAIK, the equivalent of IME is not present in all AMD processors, only (maybe) those with integrated graphic chips ? But overall, yeah, Europe should just create their own chip industry, it's too critical to leave it to others...



Aw crap, they are in all Ryzens now ? Hopefully my 8-core Piledriver will last me a decade...


Ironically enough we (the UK) actually had a massive input in the current chip landscape via ARM until the government allowed it to be sold to a foreign buyer.

You have to wonder if the French government would have allowed the sale (as an example).

Seems like the conservatives don't give a shit about strategic national companies as long as the cheques clear.


ARM doesn't make CPUs, just designs for them which can of course easily be modified by any licensee. The chips themselves are usually made in Asia. So ARM's ownership is irrelevant to the issue of CPU back doors.


Are you aware that the French government allowed the sale of the maker of turbines for their nuclear submarines, aircraft carrier, and reactors ?


Me_cleaner might help with Intel's backdoor management engine


I wonder if all this recent bad Intel publicity could be in response to me_cleaner actually making it more secure.


There is nothing to suggest an ME backdoor. I’d call it unlikely.


Watch this Blackhat 2017 talk and maybe it'll change your mind: https://www.youtube.com/watch?v=KrksBdWcZgQ


Very familiar with it, nothing indicating a backdoor there.


Today, if you suggest that Snowden is a plant; how he might still be working for a government agency like the NSA, CIA or State Department; how he was a black ops to see how Americans would react: you get dismissed as paranoid. Every time I bring this up, I get downvoted to grey. Can we have an honest discussion on this?

Guy makes six figures, works remotely as an NSA contractor from Hawaii, suddenly had a moral conscience, somehow had multiple laptops with classified data, leaves his smoking hot girlfriend to meet journalists from The Guardian and Der Spiegel and gave them evidence that was composed of poorly made slides; almost all of which have been released heavily redacted -- all have been heavily dismissed by the US government, Yahoo, Google, Verizon and others. Honestly, the 9/11 truth evidence feels like it should have been more convincing, and yet every media agency took this as gospel.

If the revelations are taken at face value, why couldn't it also be possible this was all just a test by intelligence agencies? Companies have strengthened their general security and the general population hasn't .. really cared. Both of those are valuable pieces of information gathered by the government.

Look at COINTELPRO and Operation Mockingbird. At the time, if you had said such programs existed, it would have been viewed as crazy conspiracy. But they did exist and intelligence agencies in the US government have manipulated their own people in past decades.

Either Snowden is incredibly clever and lucky, or he's a stage show. He should be in the situation Assange is in now. It's difficult to believe he's still in an unknown location, hiding out in Russia. The whole story stinks and I feel like no one wants to have a rational talk about the alternative: that it may be more manipulation and testing to show that Americans don't really care about surveillance.


If the govt wanted to test the public's reaction I don't think they needed to go so far as to reveal PRISM or MUSCULAR.

> It's difficult to believe he's still in an unknown location, hiding out in Russia.

Wouldn't this make Russia a party to this theory? As far as I can tell they don't deny harboring Snowden, which if he wasn't actually there hiding from the USG wouldn't they call the US on that?


I downvoted you because this conspiracy is ridiculous with zero supporting evidence.

Want to know about his motivation and background? Read his new book and watch Citizenfour. He explains what led him to be a whistleblower.

> all have been heavily dismissed by the US government, Yahoo, Google, Verizon and others

Completely untrue. Much of it has been confirmed. If it was fake the government wouldn't be charging him with espionage.


I haven't followed this closely, but how much of what Snowden revealed has since been independently confirmed?


I wonder if seeing Citizenfour will shift your opinion.


The article mentions MUSCULAR, but neglected the follow-up: shortly after the leaks, Google began encrypting all of its internal traffic over its own fiber links.[0]

First, it's worth pointing out that "encrypt everything in flight always" is not prohibitively expensive on modern hardware; also that your own internal network should not be viewed as an impenetrable bastion where you can let down your guard, just because you keep a close eye on the external routers.

[0] https://www.washingtonpost.com/business/technology/google-en...


“Security of organisations should be done in layers” and each layer makes breaking into your (whole) organisation harder, but comes with friction for your staff.


No, I think the new consensus is that all systems are vulnerable (obviously true if all systems have users with access, who may be compromised) - so not layers: compartments (and need to know; need to access).

I believe this is part of eg google/alphabet's new model: no hard wall, soft "inside" (egg model). Just stand alone secure sub-systems with ACL (access control lists) mediating access on a user-by-user, sub-system by sub-system level. No real trust in "location" as proof of authorization (I assume truly, off-grid clean rooms are excepted) - because "everything" needs access to networked resources.

Ah, I guess they call it BeyondCorp:

https://cloud.google.com/beyondcorp/


Sure, I used (or the person I’m quoting used) the wrong term, thanks for the clarification. I did mean and he meant compartmentalising :-)


Virtualization, privilege management, etc. are still another layer.


Not a different organizational layer, just a different technical layer though.


Both are important in the context of security.


It should be noted that your staff are a key attack vector.


There are two problems - surveillance itself and the lack of democratic oversight and control.

Most people would agree that the state should be able to deprive people of their liberty ( prison ), but that stringent controls should be in place, with that process being public and involve peers ( though that is being slowly undermined in the west ).

What are the controls around surveillance? What processes stop abuse? Who is accountable? Where is the transparency?

You could argue that you can't be public about intent to spy, but there is a lot more that could be done.

https://www.theguardian.com/news/defence-and-security-blog/2...


As someone not from the US, the passages about how easy it was are clear reminders that just because only the NSA got caught, does not mean only the NSA was doing it. Even if they have by far the biggest budget...


We’ve seen other stories, Stuxnet in particular that implicate other countries like Israel. Anyone that thinks that the USA and Israel are spending money on cyber warfare but China and Russia are not is living in a fantasy world. Maybe some small countries like Andorra don’t have a cyber warfare division, but all the big countries do.

Everyone is being spied on. Perhaps the only distinction worth making is whether you’re being spied on by your own government in addition to foreign governments.


In fact, once the content and data are liberated, there is no reason to assume it is well-protected from criminal access. Personal facts that are not directly incriminating are often just as valuable for extortion. Those facts need not be about you, to affect you. They could be about a federal judge's brother.

As extortion is the central procedure of spycraft, people trained in its use by the government also have access to the "goods". Criminal intent is no bar to employment by Booz Allen, or by NSA or FBI proper, never mind Russian GRU or FSB or their Chinese counterparts.

Extortion works for anybody.


and not to mention for small time people, there are nefarious people who want to spy on you so they can do identity theft or similar crime to you. So even if you are one of those "I have nothing to hide" people, you still need to hide your personal information due to cyber crime that could be used to exploit you. For some people, it is almost laughable the amount of information they put out openly on social media.


Wait, are there people who think china doesn't do this!?


Yeah, there's a severe danger here that only the stories that are worthy of media play are going to be discussed. Snowden has been proven to generate clicks, so we'll probably continue to see a lot of Snowden stories.

We're in a multi-party cyberwar. We have been for years. It involves both governments and NGOs. Most of the players are pushing as hard as they can, short of real warfare, to gain the advantage over the others.

That's a much tougher story to tell, since it doesn't have clear heroes and villains. Also it involves a lot of technical stuff Joe Layman doesn't want to process. Because of this, media outlets are always going to tell the simpler story. The overwhelming danger here is that nobody learns what is going on, which presumably is the point of having a media outlet in the first place.


Naive question:

This cryptography blog seems to, but... is WhatsApp really trusted as a secure end-to-end encrypted chat client?

Colloquially, for one thing it's now owned by one of the biggest personal-data collection companies in the world, which would have little interest in owning a chat client it couldn't benefit from data-wise. For another, I read an article mentioning it was "known" that WhatsApp decrypted your message, stored it, then resubmitted it encrypted to the destination. (Inconveniently, I can't seem to find the article now.) If, say, your life relied on privacy, would you trust WhatsApp, and if not, why?


The protocol they use is open and very reliable, and it can be verified relatively easily from the outside that this is the protocol they're using.

If you enable backups in WhatsApp those backups aren't stored on Facebook's servers, but they are probably not encrypted very well, since you don't enter your own encryption key, and WhatsApp has to be able to decrypt those backups if you lose your device. So those probably aren't secure if you are directly targeted.

Also if you are directly targeted, it's not completely impossible that Facebook has a way to send you a custom "update" that simply sends all your messages to Facebook encrypted with their keys.

But in terms of mass surveillance, it seems fairly unlikely that Facebook can read WhatsApp messages, because something like that would not be hard to find for someone from the outside, especially since the protocol WhatsApp is supposed to use is completely known.

Facebook probably cares more about your meta-data (who has who in their address book) anyway than it cares about the content of your messages.


Or in other words, quoting James Mickens:

> My point is that security people need to get their priorities straight. The "threat model" section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic: there are elaborate narratives and grand conspiracy theories, and there are heroes and villains with fantastic (yet oddly constrained) powers that necessitate a grinding battle of emotional and technical attrition. In the real world, threat models are much simpler (see Figure 1). Basically, you're either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you'll probably be fine if you pick a good password and don't respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they're going to use a drone to replace your cellphone with a piece of uranium that's shaped like a cellphone, and when you die of tumors filled with tumors, they're going to hold a press conference and say "It wasn't us" as they wear t-shirts that say "IT WAS DEFINITELY US," and then they're going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere. Also, SANTA CLAUS ISN'T REAL. When it rains, it pours.


Except my "threat model" also includes trying to minimize the data I send to the GAFAM (and others unscrupulous private companies that could potentially profit from my personal data...)


And yet, Snowden is out of the reach of the US govt (for now).


Snowden uses a lot more to defend himself than just https.


Snowden is in a situation where it would be a PR nightmare for the US if they were to touch him. That's not the same as being out of reach.


Snowden is in a situation where it could be nuclear war between Russia and the US if they were to touch him on Russian soil.


It is highly unlikely that Facebook can read WhatsApp messages. The reason I say that is that Zuckerberg said they couldn't, repeatedly and explicitly, to Congress. If there was any chance that they could, he would have either not said anything (the context would have allowed for that) or he would have dissembled. As he did numerous other times on other subjects.

As to benefiting from WhatsApp, I'm sure they benefited just fine. They bought it for the contact info from millions of non-Facebook customers that they could use to cross sell. Their growth in, for example, LatAm seems to imply that it worked ok.


Don't have the transcript - did he say that 'he' couldn't or that Facebook couldn't? Or that other agencies, facilitated by Facebook couldn't?


For example, he said at one point:

> No, we don’t see any of the content in WhatsApp, it’s fully encrypted

It's clear he's speaking about his company. Given Snowden, it would be monumentally stupid to make such a bare faced lie to Congress if they were reading, or facilitating the ability to read, unencrypted content.

Especially as he could have chosen not to say anything so specific. Congressman Schatz was talking about advertising. He could have just said something innocuous like: we don't have the ability to use WhatsApp content for advertising.


What he said there was they don't see, not they can't see.

What he also didn't say there was whether others routinely saw with Facebook's help.

Not saying they do, just saying he didn't strictly say they didn't.

He may have also been talking in the context of using content for advertising, not surveillance.

Finally a lot of intelligence gathering is just based on who has talked to who kind of networks in the first instance, rather than content because:

1. Content can be obfuscated, but not the connections

2. Easier to store and navigate

3. Less noise


If you can read your WhatsApp messages on your phone and you don't control the WhatsApp binary... then Facebook can backdoor WhatsApp to read the decrypted message.


Again, that would mean that he deliberately, explicitly and unnecessarily lied to Congress. That would pretty much require him to be an idiot. He is many things but that's not one of them.

I'm not suggesting that no-one can read them. I have no idea. I am saying that his testimony makes me very comfortable that Facebook is not because he has way more to lose from lying than from not in those circumstances.


Your argument here is that you trust Mark Zuckerberg's statement because Mark Zuckerberg wouldn't lie, because if Mark Zuckerberg lied, he would get into lots of trouble, and therefore to avoid getting into lots of trouble, Mark Zuckerberg obviously tells the truth.

I have trouble with this logic. Also, I'm not quite clear - what are the consequences for lying to Congress?


Well, maybe that works for you, but I'm more comfortable not trusting anything coming from Facebook...


Does not suggest, in any way, that nobody else can read all WhatsApp traffic, only that explicitly-Facebook employees can't.

It would be pre-2013 naive to imagine that, now that WhatsApp traffic is no longer end-to-end encrypted, no use is being made of the change.


> now that WhatsApp traffic is no longer end-to-end encrypted

I'm sorry, what?


Yes. Use Signal, or Mastodon, or WARP 1.1.1.1 if you trust that.


At any time any analytics package or update can just read what's stored client side and send it to Facebook's servers.

Is everyone intentionally ignoring this or actually unaware?

Things stored in plain text client side, can be read in plain text client side and resyndicated.

All this focus on the first transmission being encrypted while in flight and server side is just a bit negligent.

It's a system ripe for abuse and that's it.


> It is highly unlikely that Facebook can read WhatsApp messages. The reason I say that is that Zuckerberg said they couldn't,

Not wittingly.


Given that it was built by a highly trusted cryptography team, plus the fact that the protocol can be reverse engineered to confirm encryption and decryption on device, and that over-the-wire traffic has no plaintext, the trust in this is indeed very high.

WA has a lot to lose, and big enough target on it for a backdoor to have been found, if E2E is false.


Apparently anilgulecha is, like many, unaware that WhatsApp is no longer end-to-end encrypted. It is technically trivial to tap the traffic between decrypting and re-encrypting stages, and the only plausible reason for the very expensive change was to enable such access.


Looking at WhatsApp's website [1], instead of saying "your messages are definitely end-to-end encrypted at all times" they say it's "available", as in this sentence:

> WhatsApp's end-to-end encryption is available when you and the people you message use our app.

Is that what you're referring to?

[1] https://www.whatsapp.com/security/


I just remember a report that the end-to-end quality inherited from its Signal origins had been removed. At the time, the innocent-ish explanation suggested was for access to keywords for ad targeting.


While I don't know much about how secure the messages are in WhatsApp, it's easy to imagine other ways Facebook could harvest data from users. They could track what you tap on in the screen, or how much you scroll, or what buttons you click on. They could still use that information to serve ads effectively in the future.

Like, how many people click on forwarded messages or pictures.


It stands to reason that for every WhatsApp conversation they'd have access to:

- who is communicating with whom,

- dates, times, and durations,

- method (text / voice / video),

- amount of data transferred,

- type of attachment if applicable, and

- location of each device,

along with unique device identifier, and perhaps other information.

See the Privacy International report[0] or video[1] on how much data FB glean from other apps that merely use the Facebook SDK, each time an app that uses it is opened, for a clue... how much more will they want from a service they paid billions for?

[0]: https://privacyinternational.org/report/2647/how-apps-androi...

[1]: https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...


WhatsApp is great for casual users but not truly end to end because of its design imo. Silent rekeying is the default behavior. No perfect forward secrecy here either: old messages silently re-encrypted with the new key and re-transmitted. The Guardian and others reported on this some years back and of course you can witness the behavior yourself if you flip that setting in your client. If a buddy gets a new phone, it will now disclose that to you (but not wait to send old messages). Was that really my buddy's new phone or an attacker? Hopefully I can trust WhatsApp (but trusting the broker means it's no longer E2E).

Yes, like everyone says it's all about your threat model. If it really includes nation states, you should not use WhatsApp. Everyone else can use it for iMessage like functionality over-the-top.
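The two key-change policies this comment contrasts, as an added example that is not part of the thread and is not any messenger's real code: a toy sender model in which `block_on_key_change` decides whether undelivered messages go to a newly announced key at once or wait for an out-of-band fingerprint check. The class, function names and keys are hypothetical and constructed, and a delivery is recorded as the fingerprint it would be encrypted to rather than as real ciphertext.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# A delivery is modelled as (fingerprint of the key it is encrypted to, message).
Delivery = Tuple[str, str]

# Constructed sample identity keys (placeholders, not real key material).
OLD_KEY = b"constructed: buddy old phone"
NEW_KEY = b"constructed: buddy new phone"
OTHER_KEY = b"constructed: someone else"


def fingerprint(identity_key: bytes) -> str:
    """Short fingerprint a user could compare over a separate channel."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


class Sender:
    """Hypothetical sending client that pins each contact's key on first use."""

    def __init__(self, block_on_key_change: bool) -> None:
        self.block_on_key_change = block_on_key_change
        self.pinned: Dict[str, str] = {}    # fingerprints the user has accepted
        self.pending: Dict[str, str] = {}   # announced but unverified fingerprints
        self.outbox: Dict[str, List[str]] = {}  # undelivered messages per contact
        self.notices: List[str] = []        # what the UI would show the user

    def add_contact(self, name: str, identity_key: bytes) -> None:
        self.pinned[name] = fingerprint(identity_key)
        self.outbox[name] = []

    def queue(self, name: str, message: str) -> None:
        self.outbox[name].append(message)

    def _flush(self, name: str) -> List[Delivery]:
        sent = [(self.pinned[name], m) for m in self.outbox[name]]
        self.outbox[name] = []
        return sent

    def on_key_announced(self, name: str, identity_key: bytes) -> List[Delivery]:
        """The server (the broker) reports the key the contact now uses."""
        new_fp = fingerprint(identity_key)
        if new_fp == self.pinned[name]:
            return self._flush(name)
        self.notices.append(f"{name}: security code changed to {new_fp}")
        if self.block_on_key_change:
            # Hold everything until the user confirms the new fingerprint.
            self.pending[name] = new_fp
            return []
        # Non-blocking: notify, but trust the broker and send straight away.
        self.pinned[name] = new_fp
        return self._flush(name)

    def verify(self, name: str, fp_read_out_of_band: str) -> List[Delivery]:
        """User compares the fingerprint with the contact in person or by call."""
        candidate = self.pending.pop(name, None)
        if candidate is None or candidate != fp_read_out_of_band:
            return []  # mismatch: old pin stays, messages stay queued
        self.pinned[name] = candidate
        return self._flush(name)


def scenario(block: bool, announced: bytes,
             confirmed_fp: Optional[str]) -> Tuple[List[Delivery], List[str]]:
    """Queue one message, announce a key change, optionally verify.

    Returns (deliveries made, messages still held in the outbox).
    """
    s = Sender(block)
    s.add_contact("buddy", OLD_KEY)
    s.queue("buddy", "meet at 6")
    sent = s.on_key_announced("buddy", announced)
    if confirmed_fp is not None:
        sent += s.verify("buddy", confirmed_fp)
    return sent, s.outbox["buddy"]


if __name__ == "__main__":
    print(scenario(False, OTHER_KEY, None))
    print(scenario(True, OTHER_KEY, fingerprint(NEW_KEY)))
    print(scenario(True, NEW_KEY, fingerprint(NEW_KEY)))
```

In the non-blocking run the queued message is sent to whatever key the broker announced; in the blocking run it leaves the outbox only after the fingerprint the user confirms matches the announced one.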


This is a good article. Everyone has forgotten how much has changed since Snowden.


Actually, nothing changed

Some laws were created.

Some revelations were made.

But even manipulations with elections did not kill any company.


From the post:

> Some of the top-level indicators are surprisingly healthy. HTTPS adoption has taken off like a rocket, driven in part by Google’s willingness to use it as a signal for search rankings — and the rise of free Certificate Authorities like LetsEncrypt. It’s possible that these things would have happened eventually without Snowden, but it’s less likely.

> End-to-end encrypted messaging has also taken off like a rocket, largely due to adoption by WhatsApp and a host of relatively new apps. It’s reached the point where law enforcement agencies have begun to freak out, as the slide below illustrates.

The engineering and technology culture around security and product development has certainly changed. The IETF even adopted "Pervasive Monitoring Is an Attack"[1] as a best current practice.

[1]: https://tools.ietf.org/html/rfc7258


Let's Encrypt brought TLS to the masses, browsers are bringing focus to sites still not using transport encryption, https is a signal for Google ranking.

Don't be so defeatist.


That had nothing to do with Snowden and everything to do with Firesheep. I remember people panicking when Firesheep came out, and that led to the whole "we should all be using TLS" thing.


That's non-targeted attacks. Nothing stops the targeted attacks.

Sure, they might not be able to listen in on those https connections, but if they wanted to attack/listen to this Joe Smith over here, they are more than capable, and still do it.


World governments can also just generally have you arrested or killed without a ton of fuss if you are a big problem.

The problem with the NSA revelations wasn't that the NSA spies on people - that's their job.

It was about mass warrantless surveillance of the American public, not individual targeted surveillance.


The problem with mass surveillance is that it's indiscriminate, not that it's targeted.


More SSL traffic gets terminated at CF, AWS & Co. Build a data center next door, mail them the NSL and off you go. Much easier than running covert operations hooking into lots of CIX and providers world wide.


I always assumed Let's Encrypt was an NSA front so that they can decrypt most of the https traffic.

Remember just after the Snowden revelations all the 3 letter agencies were very worried about https adoption rising, then their concerns suddenly disappeared.

However I have no idea how encryption works so maybe my hunch is stupid (I remember that the NSA impersonated a certificate authority for that purpose).


> However I have no idea how encryption works so maybe my hunch is stupid

Your words, not mine.

The person who created Let's Encrypt started it as his thesis in college. From there he received assistance from the EFF, some of its staff, and a few other volunteers. None of them are anonymous, all working in the space before Let's Encrypt. It's fully open source and there are no backdoors in TLS encryption.


I think you don't understand how certificates are created. You never have Let's Encrypt create a private key for you. You do it yourself, and LE just gives you a signed proof it acknowledged the new cert.


You'd need to issue a fake certificate to do a MITM attack, they wouldn't be able to decrypt existing traffic without issuing one, which would be noticed by someone watching. Key pinning would have helped with that but it was mostly used to accidentally lose your keys and lock people out of your server.


I meant more changes to people's behaviour and tools used and prevalence and awareness of encryption


if anything, manipulations of elections are being used to backdoor encryption, ensuring that nothing will change


did you actually read the article?


> ... — the agency spent $250 million per year on a program called the SIGINT Enabling Project. Its goal was, basically, to bypass our commercial encryption at any cost.

Now that things have actually started going dark for these overfunded and completely unaccountable entities this is where the biggest danger lies. They have become so desperate for continued access to endless funding that they are actually turning against the people they are sworn to serve. The most dangerous time will come when the governments of the world start the task of trimming down such entities to something proportionate to their worth. That process has not really even begun yet...


Last year the Australian government even went so far as to pass a law allowing them to force companies to sabotage their own products/services in cases where a government agency wants to get access to someone's communications.

https://www.engadget.com/2018/12/07/australia-access-assista...


For an extra scary thought: Atlassian are Australian. Jira tickets can be forced to be altered or deleted, and codebases hosted on bitbucket shouldn't be assumed as trusted. You'll never see a Jira ticket about a 0-day the Australian government doesn't want you to fix if they decide to utilize this law.


There is no reason to think that didn't happen long ago. Indeed, MK-ULTRA was directed at the American public, and its perpetrators were never even demoted, never mind prosecuted.

Everybody who believes the CIA had ESP teams, trying to use clairvoyance to extract secrets and kill goats, is evidence of the program's success.


I needed clear recap like this to put it in perspective. Thank You Matthew Green.


https://archive.org/details/PikeCommitteeReports/page/n19

>NSA's work necessarily brings it in possession of the private communications of Americans. This is so because in order for NSA to monitor international lines of communications for foreign intelligence, NSA must intercept all communications transmitted over such links.

...

>First, it suggests that NSA is able monitor virtually every international communication entering or leaving the United States. At present, some 24 million telegrams and 50 million telex (teletype) messages enter, leave, and transit the United States annually, and most of these are sent or received by private citizens. Millions of additional messages are transmitted over leased lines, including millions of computer data transmissions electronically entering and leaving the country each year. International telephone calls are yet another potential source of intelligence.


I have often wondered why everyone simply doesn't use Pidgin OTR ... or OTR for every communication


Because the UI/UX is terrible, and XMPP is not mobile friendly at all


Being ugly and functional is fine with me. Pretty and exploitable seems a bit silly as a reason for use. Pidgin does so much more than xmpp


Hmm, what is not mobile-friendly with, say, Conversations ?


It's not an app that can be awakened by a push notification.



That is a big fat lie right here.


No it's not, setting up proper push notifications (Google/Apple) with XMPP is a nightmare and the XEP is not well supported anyway


This is not true. XEP-0357 is very well supported by any modern XMPP server, and setting it up is easy. There are many issues with XMPP but push notifications is not one of them.

Source: we are releasing an XMPP client for iOS soon.


https://secushare.org/comparison may be useful to some.


Excellent article, and great blog find.


Snowden = man of honor


Snowden's revelations proved once again that conspiracies are all false, because it is literally impossible for large numbers of people to keep their mouth shut.

Exactly as we're told on forums, exactly as we're told on TV. This is how you know Epstein is also innocent and why it won't be investigated, because we know people cannot keep silent about committing crimes, therefore we know no crimes were committed.


"Eschew flamebait. Don't introduce flamewar topics unless you have something genuinely new to say. Avoid unrelated controversies and generic tangents."

https://news.ycombinator.com/newsguidelines.html


You know this is just as effective if you don’t pretend to provide a substantial justification. Flamebait can be anything you want it to be. Seize the power, dang.


> Snowden's revelations proved once again that conspiracies are all false, because it is literally impossible for large numbers of people to keep their mouth shut.

That's both a good point and not so much. In the end, they didn't keep their mouths shut, Snowden spilled the beans and uncovered the large conspiracy. It's a good point with regard to "that would require a large conspiracy, and those don't work" not being a good argument against theories: there might be a large conspiracy that just hasn't failed yet.

And who knows how many more years or decades the large conspiracy would have worked just fine if Snowden hadn't leaked.


It's also important to note Snowden wasn't the first NSA person to warn us about this, there were a handful in the 2000s before him.


I think you did not want to state Epstein is innocent right? That would go counter to your prior point.

And yes, conspiracy theorists don't have an accurate appreciation of how hard it is to manage projects and keep them secret.


Are you saying that conspiracies don't exist because secrets are hard to keep?


Are you implying you don't know the difference between conspiracies and conspiracy theories?

There are plenty of conspiracies, plenty of which have become known. The point is that there is a limit to the number of participants, significance and age of those that are not yet known.


[flagged]


FFS stop spreading this nonsense.


Can you elaborate on the nonsensical aspect of it?


There's plenty of platforms out there to spread your truther nonsense.


Isn't the practice of the NSA just plainly treason? And why would it not be?


No, it isn't plainly treason. This is the definition of treason:

Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.

Did the NSA levy war against the US?

Did the NSA give aid & comfort to the enemies of the US?


Particularly it has been ruled that "treason" as per the US constitution or laws is impossible unless war has been declared on a foreign nation.


Makes sense. So that means Snowden cannot be a traitor either or are there exceptions?


Not in the criminal sense.

He violated several laws around the general topic of national security, he made the work of US intelligence agencies harder and he did endanger US troops abroad. He also helped along Putin's general interest of destabilization.

So colloquially, there may be a case to call him a "traitor". It's impossible to clear him from the accusation that he worked with/for a foreign government, maybe even before he fled to Russia. And at the current point in time, he wouldn't be able to refuse any request the Russian government made of him. He also featured in a fake "ask-me-anything" with Putin, just to make that point.


My initial statement was nothing other than colloquial and should be regarded as such, of course.

I would say implementing mass surveillance would equally make it impossible to clear the NSA from such accusation.


The NSA is subject to oversight from all three branches of government. So, to the point that you don't believe two or three entire administrations are/were actively working for a foreign power, you can reasonably assume that the NSA is not committing treason.

A lot is going wrong there, but there are limits imposed by the transparency and rule of law. Compare that situation to a country like the Russian Federation.


But I can falsify the assumption about the effectiveness of oversight with cases from overreach that happened in the past.

So oversight probably isn't effective enough for agencies like the NSA and I am reliant on first hand information such as provided by Edward Snowden. Which have shown that it happened again.


I'd say your very examples are proof that oversight does work, in general.

And you are imposing your personal views on those doing the overseeing, namely the branches of government. From their point of view, such "overreaches" may not necessarily be that far. Also, the respective presidents didn't only know about the programs, they ordered them. And the oversight committees mostly knew about that, also.

I'm not saying that nothing went wrong, but the level of oversight in the US system of government does provide better "worst case" guarantees than in many other nations. And in the end, pretty much every significant wrong-doing seems to come to light, often through the political process or in case that is too slow, the media.


Of course that is not to say that any number of people employed by or contracted to the NSA are not committing treason or any of myriad other felonies under cover of NSA-provided secrecy.

The only check on that is their higher-ups' jealousy of their income, provided they know of it.


The FBI runs counter-espionage, and a whole host of regulations make sure that it is quite hard to abuse a security clearance. Of course it still happens, but nowhere near as much as if those systems weren't in place.


Which of course stopped Snowden from collecting gigabytes of random stuff and writing it to NAND flash cards, thus we don't know any of this.

The people in counter-espionage are not subject to such regulations, nor are generals, and the evidence is that the only people they are used against are those who make any kind of fuss about rule-breaking or, you know, felonies.


That's not colloquial meaning of treason either. Not that there is particular lack of other suitable words for NSA transgressions.


> Did the NSA give aid & comfort to the enemies of the US?

The US or the people of the US?


Alright, it doesn't fit here then. But isn't the behavior treasonous towards the constitution that forbids arbitrary data collection? I think their defense here is that nobody actively looks at the data. I think this is bullshit.


Treason would not be the word I choose. Illegal maybe?


Authoritarian works pretty well.


>Did the NSA give aid & comfort to the enemies of the US?

The US suffered a cyberattack that was only possible due to NSA's subversion of Juniper Systems.

This could well and truly be considered 'giving aid / comfort to enemies of the USA' ..


That could not "well and truly" be considered that. There is a very clear legal definition of what "enemies of the US" means: countries that the Congress of the United States has declared war on.

I don't know why people are so hung up on trying to come up with bizarre explanations for why "treason" must be the right word here. It isn't and the explanations aren't even especially arcane. Just pick a different word already.


Afghani hackers can easily exploit Juniper systems.

As can Iraq, Iran, and North Korean hackers.

So, whatever your particular issue is with 'treason', the fact that the NSA has subverted our - the public's - technology, and in so doing allowed us to be susceptible to real and true danger from 'our enemies', means that yes: the NSA IS FUCKING TREASONOUS.


Do you really want to think and judge people/institutions in these terms (traitor/non-traitor etc.)? I doubt this is in any way helpful to find a political solution. I know that this is being done with Snowden -- but let's not resort to this level of (hyperbole) accusation -- else the snake pit is open to everyone to define the other side as "traitor" in one way or another.


Hypothetically, a benevolent NSA would primarily develop cryptographic security tools for the populace.


True. But besides their interest in acquiring exploits, I think their data collection seriously collides with people's amendment rights against arbitrary state surveillance.

I know there are some judges and institutions that enabled this madness, but I think they might be guilty as well.

These judges should be accountable to the public in theory.

I am not saying that everyone working at the NSA is a criminal. But maybe Snowden was the only one with perspective.

The NSA as an institution certainly did more damage to the US than most of its enemies.


You must not understand how cyber war works.

The US has judges and legislation to enable the NSA.

Russia, China, Iran, NK, and many other authoritarian states seek to use their power to attack America 24x7 and do so without any oversight.


A few countries actively try to hurt us, so let's spy on everyone, including our own citizens and allies!


I am not disputing other countries to not have bad intentions, but as a justification to breaking the law, this seems to be a defense where the guilt has already been determined.

Personally, I think the "cyber war" is the typical scare to reduce civil rights. That is a pretty common pattern to bolster and justify disregarding the law.

In reality, the cyber war is probably still focused on the classical industrial espionage. I fail to see the need to subject citizens to mass surveillance.


Not that I want to spend time defending the NSA, but back then collecting all data happened because it was the easiest thing to do, more as a reaction than an actual solution to certain threats.

When society has no great way of preventing, let's say for example, the Boston Marathon bombing or the Las Vegas Concert shooting, providing an appearance of activity, however mindless, like a bunch of ants feverishly running around when a stone is thrown into the anthill, is just the default setting of the security establishment. You can't blame them for that because we aren't yet psychologically, socially or politically sophisticated enough to do anything better.

But today after collecting and sitting on top of shitloads of useless data they themselves admit it's unnecessary. You don't find who the best tennis player in the neighborhood is by monitoring the entire neighborhood's conversations but by just watching the local tennis courts.

What you can do is ask why it took so long, with that nudge from Snowden, for the establishment to admit this. That kind of questioning prevents them jumping into further "we can do it so let's do it" bullshit projects down the road.


Ah but they tried to, there have been proposals for cryptography that had NSA approved backdoors but they were never accepted or widely used.

(IIRC / I believe)



Wouldn't those same tools make it easier for the baddies to do their bad things?


In fact, there is no clear indication that they did not act in what they perceived as the interest of the US and its citizens.

Many would disagree with that perception, and I also believe that amount of surveillance to have been wrong and counterproductive, but there hasn't been any evidence or significant hints into possible corrupt motivations.

One mustn't forget that all of this was put into motion after the 9/11 attacks, and both the Bush and Obama administrations were still working under (somewhat irrational) pressure from citizens afraid of a repeat performance.


"They" is an expansive word.

We could better say there is no indication that nobody who had access to illegally-obtained information misused it.

We have plenty of evidence of cops misusing databases they have access to, and that stuff is way less juicy.


It's quite common to confuse breaking laws with treason, but that just isn't the same.

Accusations of treason at every corner hinder rational democratic discourse.


It could be argued unconstitutional, under the 4th amendment. But so far as I know, no one's brought a case against the NSA to the Supreme Court.


Typically you define treason in terms of the needs of the state, not the populace. You can come to your own conclusion how well the state interests align with its peoples’.


What if Snowden was a deep state pawn sent to take down the NSA, or at least give other agencies total control over it? It is holding the crown jewels after all.

The rabbit hole on this one is extremely deep. Hint: What agency did Snowden work for before the NSA?


It doesn't matter if he was put up to it. The facts are the same.

That criminal misuses of the data were not also exposed suggests that he knew what line not to cross.



