You don't need to be able to decrypt the data in transit if you know the endpoints and can somehow compromise the endpoints at a later date. And that is way easier. Breaking encryption is hard and time consuming. Identifying a site a user regularly visits and exploiting that is more straightforward.
If we can't convince people with their ear to the ground, how does one convince the general public. Especially since it isn't intuitive how metadata is useful. Though the analogy I typically use is a private investigator following you around. Can't hear your conversations, but can see everyone you talk to, where, and for how long.
The comfortable upper middle-class are the most conservative elements of any society; they're providing the management and expertise to implement any dystopia that's coming. Beneath them are the tradespeople and unskilled laborers who choose between working or starving, and above them are morons.
Nobody who has spent more than a moment thinking about it fails to understand the dangers of metadata, they just don't think it will be a problem for them. Hence the most common response is something about how their lives are boring, and how they have nothing to hide. "Who cares if I'm at Starbucks at 2 o'clock?" Technologists know full well what they could do with that information, that's what they're paid to know, and they're who are going to be doing it, or they're going to have to find another job.
Exactly, some falsely assume all technologists somehow share an enthusiasm for morality. Many of the most successful technologists I know simply work for the highest pay from military/intelligence contracts.
> hacker: A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.
Using this definition, calling this site "Hacker News" is not exactly accurate, but also not too far-off. I think this website is 40% "Silicon Valley & Startup" News, 40% "Hacker" News, and 20% misc.
One of my favourite sites is the IKEAhackers.net (no affiliation). That site truly shows what a "hacker" does, in the furniture domain, but still, decomposing, redesigning, reusing.
Exactly like the RFC 1392 (aka "Internet Users' Glossary") as you mention. There is a distinction to the word "cracker" which shows malicious intent (what our dear friends on EF + NSA are doing).
This piece of news should also be a reminder to ALL, that these agencies that "protect" us (irrespective of flag) cannot and should not be trusted with/for anything. Especially not with the truth.
(I don't actually think this is what people should do, but I do think it might be a cool experiment.)
What you do with the guns is a different issue, but there's clearly many nations worldwide that focus on defense but not offense (maybe not US, but probably Switzerland).
Working in Silicon Valley, I would not agree with saying that engineers in general are involved in this for any immoral reasons. (One of the few exceptions is ad tracking experts, who dig like pigs for truffles through PII.) The reasons are not knowing history (ie. Crypto AG pwnage), and just a lack of intellectual curiosity.
I'd like to comment on the importance of metadata analysis.
This is not well-known, but before the British were able to decrypt German WW2 traffic, they used very detailed radio traffic metadata analysis to map everything they needed to know about ground troops. (The architect of that was given US citizenship after the war and built the US' system, but on a global scale.)
Details of that were classified long after the war in both countries. And it was just metadata.
This very clearly is not the case in the US.
> But among the 64% of American voters who earn more than $50,000 a year, 49% chose Trump, and 47% Clinton.
All the political terms - left, right, conservative, progressive, liberal, etc have definitions which vary greatly from country-to-country, over time, and by which group is using them. Clinton and Biden are representatives from America's dominant liberal party and represent views which are left-of-center when you do the sane thing and define center as "median voter in the country being discussed" and not "my group of friends" or whatever time or place you're imagining.
You might as well say 'Bill Gates is very poor, by any reasonable standard' (because unlike the rich people of 2,000 years ago, he can't raise an army that rivals that of his home nation-state or the rich of the future who take vacations on the moon).
Liberal & Conservative in the US usually have to do with what changes a person wants to make but Clinton, Romney, Obama, Biden, hell Bush are all literally conservative in the scope and amount.
Yes, they wouldn't be conservative for Saudi Arabia, but they would both continue to closely ally us with the Saudis and aid them in murdering Yemenis.
> center as "median voter in the country being discussed
Both Biden and Clinton, issue by issue, are well to the right of the median US citizen. It's pretty dishonest to restrict the people allowed to have their opinions considered to the people who thought that the distinction between Republican and Democratic administrations was important, when the argument being made is about whether both candidates are conservative. The median eligible voter is barely more likely to vote than not.
I know typing this is a waste of time.
Additionally, everything you listed is just exposition on your initial claim. Saying that you will "End Welfare As We Know It" sounds like a potentially wildly liberal plan - perhaps UBI, government-guaranteed employment, housing and healthcare or some other fundamental shift. The victims of crime are disproportionately the poor, people of color and people who are structurally disadvantaged so removing the threat of violent crime from their lives falls well within the standard goals of liberals (even if the actual implementation of the bill you're referencing had more mixed results).
Look at this polling of support of Bush vs Kerry by income level, as income rises support for Bush almost always rises, and support for Kerry almost always decreases.
(On a side note, there's some smaller skew between voting Republican and having conservative political leanings. I'm conservative in fiscal policy, foreign policy, and favoring action at a local and state level, but liberal regarding most social policies, criminal justice reform, and environmental regulation. I think government enforced price transparency plus a German-style universal healthcare system via private insurance decoupled from employment is preferable to either a US model or a Canadian/UK-style single payer system. I've always registered as a Democrat.)
If the machine says "dude is terrorist based on XYZ" and the human cannot realistically verify all of that is factually correct (perhaps the subject's phone was lost as the subject walked by a mosque?), then it is much easier for the human to say "Data says this dude is terrorist" than it is to say "Data says this dude is terrorist, but the data is probably wrong and we shouldn't..."
The existence of the data itself is a threat against every subject the data includes, at a minimum.
The issue today is that the leadership (in many areas of life from business to military to government), who make the decision to kill/censor/interrupt business/etc or not, are saying "we have to follow the data" without having any understanding of what that really means.
Ultimately, this creates false confidence both in the decision-maker and those that are following their lead. I find it unlikely that there would be anywhere near the same willingness if the 'intelligence' many of these decisions were based on didn't seem as rich and unmistakably correct as it often does.
Of course, the practical effect here is that leadership gets to blame the algorithm/model/data instead of having to accept the blame themselves. If only those pesky engineers and nerds in the lab were better at the job we'd bomb less foreigners.
I'll give you an analogy that might help. Let's say that a personal investigator is following you. They have a GPS tracker on you. They can see where you go, who you talk to, for how long, what you buy, etc. The only thing is that they don't know what you are talking to people about or exactly what you buy (but they know where you bought it from). Would you feel comfortable with this person following you around?
I'm assuming not, because I don't know anyone that has answered yes. It feels like an invasion of your personal space, right? They can still learn a lot about you and your habits by doing this, right? But all they've gathered is metadata on you. So why do you feel uncomfortable?
Goal of metadata investigation isn't to directly target you, most of the time. It's to put you in the bucket of interesting people, that government will pay attention to.
It's exactly the same as ads on the internet - they may be classifying you as a person potentially interested in computer security because you're visiting tech crunch. Are all people visiting it interested in computer security? Of course not. But you're many orders of magnitude more likely to be interested in it, than a random person from the internet.
> Even by that account, the scale of collection brought to mind an evocative phrase from legal scholar Paul Ohm. Any information in sufficient volume, he wrote, amounted to a “database of ruin.” It held personal secrets that “if revealed, would cause more than embarrassment or shame; it would lead to serious, concrete, devastating harm.” Nearly anyone in the developed world, he wrote, “can be linked to at least one fact in a computer database that an adversary could use for blackmail, discrimination, harassment, or financial or identity theft.” Revelations of “past conduct, health, or family shame,” for example, could cost a person their marriage, career, legal residence, or physical safety.
> Mere creation of such a database, especially in secret, profoundly changed the balance of power between government and governed. This was the Dark Mirror embodied, one side of the glass transparent and the other blacked out. If the power implications do not seem convincing, try inverting the relationship in your mind: What if a small group of citizens had secret access to the telephone logs and social networks of government officials? How might that privileged knowledge affect their power to shape events? How might their interactions change if they possessed the means to humiliate and destroy the careers of the persons in power? Capability matters, always, regardless of whether it is used. An unfired gun is no less lethal before it is drawn. And in fact, in history, capabilities do not go unused in the long term. Chekhov’s famous admonition to playwrights is apt not only in drama, but in the lived experience of humankind. The gun on display in the first act—nuclear warheads, weaponized disease, Orwellian cameras tracking faces on every street—must be fired in the last. The latent power of new inventions, no matter how repellent at first, does not lie forever dormant in government armories.
take a look at the history of the behavior of intelligence services through the 20th century and ask yourself how comfortable you are with this power being wielded by anybody.
you may not feel threatened by this arrangement now, but how confident do you feel that these tools will always be controlled by people you trust?
A headless chrome makes measurements of timings even easier these days. The order of how files are loaded, which file size e.g. jquery.123.min.js has, and where and when exactly in which order it is loaded from is very unique among all pages of a website.
I think that's more complicated than you realize. That list would be impossibly large to scrape and search, not to mention collisions and dynamic content problems.
> The order of how files are loaded
It's a good idea, but you don't know what files I have in my cache and when they expire, or what files my extensions are blocking. This'd only work in an ideal-case scenario.
- "What if your call logs indicated a 45-minute call to a suicide hotline made from a bridge. Do they need to hear exactly what was said?"
- "What if your call logs showed you receiving a call from a sexual health clinic, and that you then called a bunch of people in rapid succession. Do they need to hear exactly what was said?"
Colbert's White House correspondents' address covered it. Politicians don't talk about super depressing stuff like Guantanamo Bay and journalists have the courtesy to not try and find out. We don't talk about data collection in any serious manner.
I think the weakness of data collection is when it gets in the average joe's way and it hasn't done that yet in a big way. The more we hammer home that it must facilitate movement through life and not hinder it, the better the middle ground will be.. maybe.
There is a requirement that both sides get really good at eviscerating lies and liars. Neither side of the fence wants fake data or betrayal.
For me, the importance of metadata can be conveyed by comparing its usefulness to knowing the answers to the game of 20 Questions.
HN doesn't seem to be a security-oriented community.
But it's ok, security isn't as important as algos are during FAANG interviews, so who cares.
Convince them of what? Some of us don't believe the NSA are bad actors and possibly we also believe they're doing their jobs and support them in that.
I mean, either you're saying "no one within the NSA has ever been a bad actor", or you're saying "the bad actions are acceptable collateral damage; no oversight needs to be applied to ensure the trade off between effectiveness and collateral damage is balanced", or you're saying "not ALL actors are bad" and leaving it at that.
And...none of those strikes me as a particularly defensible position to take.
Also, how can you possibly believe that the NSA are not bad actors? Between trying to hobble encryption, spying on everything, and enabling bad individual actions, and having a horrible success rate, what is left to defend?
One, handwaving institutional corruption and violation of the constitution by claiming it's only a few "bad actors" ignores how high up that corruption emanates from. Two, it assumes that the violations are needed for national security, a claim which can easily be dissected by understanding what William Binney has told us about ThinThread, just as a singular example in a vast sea of examples. Three, it's a strawman to jump to arguing that because other countries are doing this, we need the NSA too. Very few people are actually calling for the dismembership of the NSA, and in general want accountability and a return to constitutional surveillance. Four, implying the constitution is a "moral position that loses" is absolutely a Machiavellian, realpolitik, ends-justify-the-means policy position that we and the world have suffered enough consequences and blowback of.
Your entire argument revolves around using the safety as justification for violations of their mandate and oaths, when all the evidence points towards the truth being quite the opposite: the surveillance program has failed to be effective for safety, and not only that, that failure is largely due to this very kind of thinking in the first place! By being willing to undermine the constitution the NSA (et al intel agencies) inherently reduce long term security and safety in the US by allowing bad actors in all kinds of sectors the ability to abuse the data they get.
The totalitarian surveillance system is about control, not safety, always remember that!
"Go again and see not just the film and the play but read the text of Robert Bolt's wonderful play "Man For All Seasons", some of you must have seen it - where Sir Thomas More decides that he would rather die than lie or betray his faith and at one moment More is arguing with a particularly vicious witch-hunting prosecutor (a servant of the king and a hungry and ambitious man), and More says to this man "You'd break the law to punish the Devil, wouldn't you?" And the prosecutor, the witch hunter, says "Break it?" He said "I'd cut down every law in England if I could do that, if I could capture him." And More says "Yes you would wouldn't you? And then when you corner the Devil and the Devil turned round to meet you, where would you run for protection? All the laws of England having been cut down and flattened, who would protect you then?" - Christopher Hitchens
To keep it all-ages, let's stick with "far away from existence, and even further from OUR personal data and metadata".
This is why Signal hiding the graph as best they can, using SGX, is incredibly important work. Say what you want about Secure Enclaves, we know of no better way to conceal social graphs.
Yes there is still potentially some metadata analysis that can be done at the server to coordinate IP addresses but we know Signal doesn’t keep those logs because of their response to the sealed subpoena (which they successfully sued with the ACLU to unseal):
We can only dream of a world where companies are held to this standard of transparency and user privacy.
That doesn't prove that. If Signal was, say, a NSA project they would have to respond to such things in that way to protect the signal intelligence value of the metadata they were collecting for their primary mission.
After Crypto AG we know it is a bad idea to trust any particular entity. Something like Signal can only be trusted as much as can be verified.
I submit that there is no better option right now.
Not really. First of all, there is only one Signal client allowed to connect to Signal’s servers. And in the real world, the vast majority of Signal users are getting their APK for that app from the Google Play store (the Signal team has said that they prefer you to use the Play store as well, instead of direct-downloading an APK from their website which they offer only grudgingly). That means that a state-level actor could possibly carry out a targeted attack to replace the Signal app on a given person's phone with a malicious build.
Also, Signal’s reproducible build system requires a specific version of the Android development kit. It has been pointed out that a state-level actor could be sitting on vulnerabilities in that, and not in the Signal source code itself.
If the attack is on the android dev kit, but not on signal, then.. the attack isn't on Signal, it's on the dev kit. Unless Signal's using an unusual version of the dev kit, your risk exposure to this attack is equal to any other app that you would use instead of Signal.
No, they couldn't. They would need the Signal developers' key. Android requires app updates to be signed with the same key as the original app.
That isn't to say "all crypto is hopeless", simply that you shouldn't consider Signal to be state-level actor proof.
That's all a smoke screen. Nobody is running an open client with a reproducible build, everybody is running whatever version is downloaded from their app store of choice.
It's not special, and I don't trust it a bit.
I'm not following. Secure Enclaves have nothing to do with protecting the social graph of Signal users. They're used to store the contact list (and other things) in the "cloud" in a safe way – things that weren't even shared / stored anywhere by Signal before Secure Value Recovery was introduced.
This is the relevant blog post.
Just adding an example for the people who don't see the value of metadata: WhatsApp is still a viable revenue source for Facebook even as they have no access to the text of the messages due to E2EE.
Knowing who talks to who, at what times, the type and approximate size of messages, the members of groups, and the contents of the phone book of every user gives enough information to keep their business model without exposing them to court orders asking for the plaintext (that's the reason they added E2EE to start with, there is no incentive to improve the service when they have a billion heads of cattle to milk).
A friendly reminder to everyone that even if the encryption that is used to send the messages in WhatsApp seems to be solid they upload your entire chat history as unencrypted dumps to the cloud.
Even if you turn it off your chats will still end up there as long as whoever you are chatting with doesn't also disable this.
Can you provide more information?
For contrast, Signal does encrypt the local history and the backups (to the point that it is a bit harder to back up the chat to outside in Android, you need to copy a randomly generated password manually to restore it. But it's a safe approach).
My point is mostly aimed at people claiming WhatsApp is somehow very safe just because of the end-to-end encryption.
I'm saying end-to-end encryption is a really great idea and everyone should do that and still encouraging people to look beyond that and think about the entire threat model when deciding what is important for them.
Correction: they might not have access to the message text. It's entirely possible (if not plausible: FB doesn't exactly have a good track record) for FB to just self-MitM the E2EE and see everything that passes through their servers.
From their site:
> The verification process is optional for end-to-end encrypted chats, and only used to confirm that the messages and calls you send are end-to-end encrypted.
Even this process--which I'm sure very few people do--is fallible given the lack of authenticity: there's no way to confirm that the given keys are what's actually used for encryption.
Yes, this may come across as very "tinfoil-hat-y," but do you really trust FB to not be exploring every possible avenue to increase their data streams?
Why would they even need to MitM in transit when they control the endpoints? They can just analyze the raw text locally (in the app) and extract valuable information.
And looking at what has unfolded in the last decade, chances are against the user and we must, for ours and our peers' safety, assume the worst.
Similarly Google runs 8.8.8.8 so they know what services you use that aren’t HTTP that they don’t have bugged already.
And that is only speaking of something within the Rule of Law (accessing metadata with a warrant)...
Outside of the Rule of Law, people have been killed for metadata.
> According to a former drone operator for the military’s Joint Special Operations Command (JSOC) who also worked with the NSA, the agency often identifies targets based on controversial metadata analysis and cell-phone tracking technologies. Rather than confirming a target’s identity with operatives or informants on the ground, the CIA or the U.S. military then orders a strike based on the activity and location of the mobile phone a person is believed to be using.
Also, obviously, Mafias and the USSR, PRC...
> Ex-NSA Chief: 'We Kill People Based on Metadata'
So this situation can be considered a sort of a triumph. For most people metadata is no real threat to them. Generally it is already publicly known who your friends and family are and those are the people most interact with online. It is mostly valuable that no one else know what those interactions are even if they know when they occurred.
For the important instance of businesses the situation is much the same although sometimes there might be value in traffic analysis for larger businesses that have enough traffic to analyze.
"Law enforcement agencies have claimed that metadata helps to eliminate suspects by revealing their networks and contacts. But there is no information regarding the use of metadata by government bodies that are not officially enforcement agencies within the meaning of the data retention laws."
“We kill people based on metadata.”
https://youtu.be/PxwEwwlDM8Q (39s clip)
I only see one
This was revealed in detail about 20 - 30 years ago in the Danish publication "Månedsbladet Press". I remember they had an insert, looked like a small newspaper, containing all the details about this. I remember this because this was the first time I heard the term "echelon". If my memory serves me correctly I think that insert in the magazine was the first story or source of Echelon operating outside of the US so there is some kind of historical significance to this story.
If I recall correctly they did this wiretapping in an underground bunker in the middle of Copenhagen. The bunker had no toilet and they got spotted by the journalists who wondered why more people were coming out of that bunker every day to go to the bathroom than people going in. Something like that.
I don't have the magazine anymore but I know that the main library in Copenhagen has a copy as I checked several years later.
If any historians around here want the backstory behind all this you should contact the library and get a copy of that publication. The publication stopped long ago, but that was the only newspaper-like insert they ever had so it should be easy to locate in the archives.
This is basically the very early, pre-internet version of what Snowden revealed. The book is made available for free by the author: http://www.nickyhager.info/Secret_Power.pdf
This old website also contains a lot of interesting information on Echelon: https://www.bibliotecapleyades.net/ciencia/echelon04.htm
The summary is quite something: «In the greatest surveillance effort ever established, the US National Security Agency (NSA) has created a global spy system, codename ECHELON, which captures and analyzes virtually every phone call, fax, email and telex message sent anywhere in the world.»
A documentary was also made based on the book (?): https://www.youtube.com/watch?v=F-S0JH5YYZw
Is the name of this thing an amazing runic pun, or am I just hoping it's that clever?
"Ansuz is known as Odin's Rune and indicates great power and knowledge to be revealed."
It does not really help if every other neighbouring country does the same. NSA will get Danish info elsewhere. Everyone gets played.
It works as long as USA is a trustworthy ally. They wouldn't dare to abuse the information for private gains... right?
They already abuse this, I would even go as far and say that huge portion of data collection is just for industrial espionage to prop up government backed companies.
If you are developing a novel algorithm or even a different approach to AI then you should absolutely set up an offline work office otherwise either USA or China will take your work and give it to a government backed company. It also doesn’t matter if your company is located in the USA or if you are an American citizen, so long as you don’t have governmental connections, you have to be 100% more careful as game is pretty much rigged.
 - https://news.ycombinator.com/item?id=24546046
EDIT for clarity.
Today in fact, I got my Postman to sign an affidavit that he has "a strong and nearly binding interest in my stability, security, prosperity, etc".
In a larger sense, the arrangement might, to a degree, defeat the purpose of having separate foreign and domestic intelligence agencies, but that is a more abstract notion. I guess we'll see what the Danish public will think or do about.
> "I can not at all imagine in my imagination that the NSA would betray that trust. I consider it completely and utterly unlikely. If the NSA had a desire to obtain information about Danish citizens or companies, the United States would simply turn to [the domestic security service] PET, which would then provide the necessary legal basis."
I definitely think it would make more sense to give up on using the system on the citizens of a single small country, in exchange for not risking the extensive access to citizens of many other countries, including China and Russia.
If they want to investigate Danes, they still have all their other methods at their disposal.
Their responsibilities and mission are clear. There are no style points. They'll do whatever it takes to accomplish that mission. History is very clear about this M.O.
I mean, sure, they can lie about it, but that always carries a risk of being found out. Especially considering it sounds like from the article that FE can see who the NSA is searching for (and even has to approve the search queries).
While I find the above quote hilarious, you're probably right since the article also hints that they have a similar setup in Germany and most likely also in Sweden, Norway and many other surrounding countries. And since most of their comms probably also go through those, they'll just eavesdrop on the next hop and bypass all that trust and save themselves any potential political repercussions.
German BND did nothing to verify any selectors asked by the NSA and just ran them without any safeguards. During the investigation into those practices it turned out the NSA used that trust to run over forty thousand selectors that are in violation of German interests. From what can be cobbled together from media reports that includes German industry, German government, other European governments, the EU itself, multiple European defense industries, every single foreign embassy in Berlin, delegates to the UN, NGOs like Human Rights Watch, and multiple Universities, among others. More than two thirds of all targets were friendlies within EU or NATO.
We joke that "German secret service" is the service that tells the USA about German secrets.
At the end of the day, this will rely on trusting the NSA despite their dubious history.
Even more surprising that DK hasn't been paying attention to any of that apparently...
Governments that gate human rights on nationality are fundamentally amoral, and should never be trusted to self-regulate.
What do you think intelligence is?
The President then added a word of encouragement to the several thousand men and women of CIA:
'...but I am sure you realize how important is your work, how essential it is - and in the long sweep of history how significant your efforts will be judged. So I do want to express my appreciation to you now, and I am confident that in the future you will continue to merit the appreciation of your country, as you have in the past.'
It is hardly reasonable to expect proper understanding and support for intelligence work in this country if it is only the insiders, a few people within the executive and legislative branches, who know anything whatever about the CIA. Others continue to draw their knowledge from the so-called inside stories by writers who have never been on the inside."
- Allen W. Dulles, 'The Craft of Intelligence'
One gets the impression his claim that all the CIA's successes are secret is a lie. Because there never were any. You would think 50 years after the man kicked it that at least something would have come out. Not really surprising. If you look at how successful organizations are structured the CIA is not that.
Who do you think fought and won the cold war, Seal Team Six?
Imagine thinking those are two separate things.
Do you have any evidence to make this claim?
Or perhaps politicians are the experts at both telling and detecting lies and manipulations?
Maybe they know the risks very well and yet chose their own personal interest e.g. not making enemies of the US...
Absurd statement from the article. What investigations? Internal from the NSA? It's like saying "No the NSA are not collecting data on Americans because Mr. Clapper said so to the Senate under oath."
I honestly don't know who should be blamed if there's not enough political capital to rein in these agencies globally. Either the electorate accept it, or don't know about it, which is bad enough in itself.
Never saw that before.
(nothing against the Danish - but think about what that implies about "trusted" relationships like five eyes)
As a Dane, I hope that the politicians are going to make it crystal clear that the FE is supposed to collect intel to protect the country, but not at any cost. Flat out lying and keeping secrets from the people who are tasked with the civilian oversight of the FE should be punished with prison time to make it clear, at all levels, that this will not be tolerated.
I don’t have much faith in any serious repercussion though. At least two ministers of justice have told telcos to continue to provide mass surveillance to PET (internal police intelligence). It’s clearly against EU law and EU courts have made rulings telling the Danish government to stop. They just don’t care. The police won’t even say how often it’s used. The general consensus seems to be basically NEVER, and it’s never the main intelligence source, still they refuse to stop.
Fat chance. Naser Khader (conservative MP) is attacking TET (the body that observes Danish intelligence orgs) on his twitter, and first whiff of any kind of top down investigation, launched Claus Hjort (former defence minister) in a series of attacks on the current minister for revealing intelligence secrets and harming the Danish-US relations.
No politician wants to deal with this, and some even seem to want unbridled spying to keep going.
I would guess by the same measure as voting and public benefits. You have to be a Danish citizen and have place of residence in Denmark.
A non five eyes member having access to xkeyscore was known 5 years ago? Please do share...
Which other non five eyes had xkeyscore access?
This whole debacle is about Danish intelligence giving US intelligence access to the Danish cables - not the other way around!
Access to cables and access to xkeyscore are fundamentally not the same thing
I've always thought about this when I was near Sandagergård (it's situated in a beautiful place off the beaten path not far from Copenhagen) but as far as I remember the stories were mostly based on speculation without any hard facts. With these recent disclosures it seems that there might have been some truth to those old stories.
It's really weird to see confirmed, year after year, that all those "conspiracy theories" (first circulated on the '90s internet) turned out to be almost entirely true, when it comes to network-based espionage.
Echelon/five eyes? Check.
Massive network surveillance? Check.
Compromised ciphers? Check.
Compromised hardware manufacturers? Check.
NSA being fundamentally devoid of oversight? Check.
US espionage targeting allies for industrial gain? Check, check, aand check.
This shit was ridiculed back then, and it makes it so hard to discern what is true in contemporary news reporting.
This sounds interesting. Does it mean they write a sort of serialization/deserialization routine for whatever format they can grab at hand? For example maybe it's possible to reassemble a piece of binary data that travelled through the Internet into its original Borland database file format?
Many of our extractors are stateful, i.e. they need to see previous packets in the session to extract keys, state, etc.
This is done by having front ends which direct raw packets to backends based on which session they are a part of - the obvious one being the TCP 4-tuple.
The backends then don't each have many sessions to look after - perhaps tens of thousands each. That means they can keep many kilobytes of state. Each time they get a packet, they process it by updating the state. Certain state transitions (e.g. the completion of a credit card transaction in a finance feed session) will trigger another event to be emitted, which goes through the same system again, and might go into another extractor or be persisted for analysts to view.
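The session-affinity dispatch described in the comment above is the same pattern network monitoring sensors use to spread flows across workers. The sketch below is an added example, not part of the thread and not code from any system the commenter refers to; the "AUTH" payloads, addresses, backend count, failure threshold and event name are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

def flow_key(src, sport, dst, dport):
    """Direction-independent session key: both directions sort to one tuple."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def pick_backend(key, n):
    """Front end: a stable hash of the session key selects the backend."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n

class Backend:
    """Holds a small state record per session; one transition emits an event."""
    def __init__(self):
        self.sessions = defaultdict(lambda: {"failures": 0})

    def handle(self, key, payload):
        state = self.sessions[key]
        if payload == "AUTH FAIL":
            state["failures"] += 1
        elif payload == "AUTH OK":
            failures, state["failures"] = state["failures"], 0
            if failures >= 3:  # assumed threshold
                return {"event": "success_after_failures",
                        "flow": key, "failures": failures}
        return None

def run(packets, n=4):
    """Dispatch every packet to the backend that owns its session."""
    backends = [Backend() for _ in range(n)]
    events = []
    for src, sport, dst, dport, payload in packets:
        key = flow_key(src, sport, dst, dport)
        event = backends[pick_backend(key, n)].handle(key, payload)
        if event:
            events.append(event)
    return events

# Constructed traffic (documentation addresses); two sessions interleaved.
C1, C2, SRV = ("192.0.2.10", 40001), ("192.0.2.20", 40002), ("198.51.100.5", 22)
PACKETS = [
    (*C1, *SRV, "AUTH TRY"), (*SRV, *C1, "AUTH FAIL"),
    (*C2, *SRV, "AUTH TRY"), (*SRV, *C2, "AUTH FAIL"),
    (*C1, *SRV, "AUTH TRY"), (*SRV, *C1, "AUTH FAIL"),
    (*C1, *SRV, "AUTH TRY"), (*SRV, *C1, "AUTH FAIL"),
    (*C2, *SRV, "AUTH TRY"), (*SRV, *C2, "AUTH OK"),
    (*C1, *SRV, "AUTH TRY"), (*SRV, *C1, "AUTH OK"),
]

if __name__ == "__main__":
    print(run(PACKETS))
```

Because the key ignores direction, request and reply packets reach the same backend, so the result does not change with the number of backends.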
We should make a GPT-based generator of USA secret codenames ;)
I'd read somewhere (can't remember where, unfortunately) that program code names were randomly generated by selecting words from two lists. The idea is that, if (accidentally) revealed, the name wouldn't provide any information about the program's function. The thing I read said people would often re-query the generator until they got a name that they liked.
> Each rainbow code name was constructed from a randomly selected colour, plus an (often appropriate) noun taken from a list
Sounds similar, but whatever I had read was about the US intelligence community. Perhaps it was Edward Snowden's book.
At first glance, it sounds OK, but what if the US has similar agreements with some neighboring countries (and as mentioned in the article it has) and uses the data collected via them against Danish citizens and companies and vice versa? Everything will be perfectly legal, but in practice, no one is safe and the creators of the system who have agreements with many countries have a huge advantage over their so-called "partners" because they are aggregating the big picture, but "the partners" have some guarantees only about the data which is transferred via them and have no guarantees even about it when it leaves their country.
They might have renamed it or bumped up the clearance level to tighten up the circle of people in the know, but are most likely still running it and constantly improving it to keep up and make use of most new technological, bandwidth and storage developments. They certainly won't stop collecting everything they can, that's just how things work, for better or worse.
BTW the ninth circuit court of appeals ruled that the bulk collection was illegal a couple months ago: https://www.theguardian.com/us-news/2020/sep/03/edward-snowd...
(what if they discovered things like this and told the citizens about it?)
And yes, they had multiple parties until the republicans had two elections in a row, and managed to influence the supreme court so much that they could gain total power over new arising parties (declaring them illegal from the start if they do not represent the congress's opinion), up until there was no way to get elected because the media was controlled by the very same laws.
See any parallels regarding Fox News and the Republicans or say, Dick Cheney?
No? Maybe do some research on your own and sleep over this.
China is actually the only country I would compare US's democracy with, because a lot of candidates have no choice but to join one out of two parties to even get considered to be elected. And it's not the 1st vote that decides this, because democracy in the US doesn't differ between party votes and candidate votes (whereas most other democracies have moved on, for like hundreds of years, and fixed this).
The problem I see here is that the US didn't have a revolution. Europe had to be crushed a couple of times in order to learn how to prevent their architectural mistakes in future.
Is USA really much better than China?
They both suck in their own way, that's for sure.
But my question really is: does it really matter to me, provided that the data is gonna be collected anyway, who does it?
They're both, in my eyes, not doing it to my advantage.
Not going to answer the 2nd question for personal reasons.
I speak English, I don't speak Chinese, my continent is watching the US elections tonight, it doesn't happen with Chinese politics, my peers stay awake at night to watch the Oscars, I don't even know if the Chinese equivalent exists, basically what US does is much more relevant in day to day life, what happens in China stays in China, so they are not really trying to buy my attention, which is the most valuable asset I own.
In that case, regardless of whether you're a grotesque dictator or a quasi-peasant just getting by with your life, better start counting the days before something bad happens to you...
So it's something between a slippery slope and futile attempt unless you have a multi layer security from different vendors or roll your own defenses.
NSA, OTOH, intercepted the switches which would isolate high security networks (red/black separation) and bleed sensitive information with this enhanced hardware.
Packet capture from the edge is where I'd start.
Huawei isn't working on behalf of a Gov that can imprison me for exposing its wrongdoing. NSA is.
The other thing not mentioned enough is how insecure blockchain is.
Both are vulnerable to time-correlation.
Who talks to whom, when do they talk, how long, from where. What sites do they access, ...
It enables you to pick a person, find his friends, where do they meet (online and offline), where do they keep money, where do they spend it. What news do they read, what music, what their political leanings are etc.
It enables you to see the big picture. (of either a single individual or entire group of people)
The content only becomes useful once you have a general idea what is going on.
Yet they are collecting it. It's almost as if it could be useful! You need to read the Snowden book.
Let's say someone is using a northern european vpn-server to connect to facebook and that vpn-server is not cooperating. Decloaking is statistical analysis against timing and rough size of packages, so tapping the cables on both ends of the vpn-server and recording metadata for all its connections is key, even if they can't break the encryption.
You can still see the domain name until ESNI becomes a thing.
Also websites are still fingerprintable with TLS, sometimes even down to the exact URL accessed.
We know from the Lavabit case that once you start keeping private keys away from the feds they start making problems for you. Prove to me that every single root your browser trusts is not compromised.
However every such change could tip the target off: if you replace the certificate and the target knows the key of the cert they expect, that will tip them off. Now a lot of these tools are about mass surveillance and big data: collecting metadata about everyone, not about some well defined target, then run big data analysis on it to discover targets. Like you have one person who is flagged and they talk a lot to this "HackerNews-Server" and so all others who talk to that server get an increase in score and now multiple of those people have a score above a threshold and get flagged. Can't do that if you don't spy on everyone.
But they can't run active intrusion against every civilian ever without exploding costs and high chance of being detected.