We are not religious (at all). We do not attend church, synagogue or mosque. We are lower middle class white Americans born and raised in the USA and have never traveled outside the country.
I have no idea why they thought this about us. Maybe it was an IP mix-up, but it was very disturbing. I feared that I may lose my job. I became very afraid of the FBI that day. I think this could happen to anyone at anytime.
I understand that police/FBI have to conduct investigation. What dont understand is involvement of the employer , it's extremely disturbing - you have not been convincted, you have not been charged, you are not even a suspect or accused of anything at this point - how is your private life the business of your employer?
Why is your privacy being breached and livehood being placed at risk?
Surely the FBI is not allowed to publicise random dirt they find on innocent people?
If they're doing an investigation, they very likely got the employer involved in order to get more information on the person they're investigating, and companies have liaisons for law enforcement, as well. If the FBI comes knocking and says, "we think you've hired a terrorist," it's going to ruffle some feathers at the company no matter how unfounded or untruthful the claim is.
It isn't just the suspicion of terrorism that might have law enforcement or the FBI knocking at an employer's door. If someone is suspected of any type of cyber crime, the FBI will be coming for all of their computers and electronic devices, including the ones they use at work.
What is an employer going to contibute, realistically. "Oh yeah, he always carries potassium nitrate and makes explosions during lunch breaks!"
Thereby isolating the person during a period of high emotional anxiety.
The title may vary from place to place but all companies have people filling this role, even if you've never met them.
Normally falls somewhere under a team like Global Intelligence, Workplace Security, Business Continuity, etc.
Note that the US law does not apply to noncriminal processes --- civil lawsuits or other elements of law.
Without specifics, or some indication of who is triggering the delay (e.g., defendants may request delays), I couldn't possibly comment.
Given law and legal processes are not my baliwick, I'd probably not be able to comment intelligently regardless. But you've posed a null-content question.
I'm reading a book where the main character receives a subpoena to go to a interview with the Portugal dictatorship political police. Nothing happens to him (till now) but everybody in the hotel where he is hosted starts to treat him differently.
Who will be the first in the line when a firing is necessary? Probably the guy that has problems with the FBI.
From your further description:
> We are not religious (at all). We do not attend church, synagogue or mosque. We are lower middle class white Americans born and raised in the USA and have never traveled outside the country.
Would not the FBI have been able to any amount of background searching (read: further electronic information gathering), that would be less effort-intensive than getting arranging a 'threat assessment' coordinator from throw_away_dgs' actual workplace and a local police officer for an in-person door-knock. If such background checks were performed, then they either don't have much data or their threat weightings are set to red-scare levels of paranoia. Either way, it's scary.
Unless there's more to the story.
It used to be that if a teacher saw a kid get bullied and then punch his bully back, the teacher was empowered to evaluate the situation using their best judgement, and punish the bully while congratulating the bullied kid who stuck up for himself. The system sees a problem with that; the teacher's perception of the incident might have bias and prejudice. The system's solution is to have zero tolerance for any violence and punish both students equally. The system's solution to the possibility of prejudice against one student is to ensure prejudice against both students.
I mean that's not entirely wrong either. Bullying was still a thing before zero tolerance policies.
Not to say zero tolerance policies are the right solution, but personal bias _is_ a big problem when it comes to enforcement.
But the zero tolerance response to this circumstance ensures the bullied student is prejudiced against, judging him guilty before considering the facts of the individual circumstance. What does that teach the kid? That the system itself cannot be relied on.
Either their intel is better than they let on and didnt think they would be walking into an ambush or they are more stupid than we think.
If the FBI visited me and casually asked about my web history, I would casually ask them to pound sand (as should everyone!). But if the agent was accompanied with someone from my employer, I would eagerly cart up every single device in my home and offer to carry it out to their vehicle (as I fear most would).
It smells like someone is taking massive investigative shortcuts, at very significant cost to the accused. Then again, I can’t even fathom the upside for the FBI.
Or - you know - “weeeelp, I’ve been sitting at this desk all morning, let’s go talk to someone”.
Why spend the extra time and effort, let's just hit the road and totally and completely fuck at least one citizen's opinion of the entire system upon which their life and livelihood depends.
Saves me a couple of hours, and the sun's out. Sold!
Ironically, maybe this will actually radicalise the people they're investigating for radicalisation.
The upside is power.
You yourself said as much: "If the agent was accompanied with someone from my employer, I would eagerly cart up every single device in my home and offer to carry it out to their vehicle."
You fear them. Rightly so. The FBI has incredible power, backed by the full might of corporate media. To cross them is to be crushed.
Why would they need a warrant, when Apple and Google climb over each other volunteer every scrap of your private information? Why take the time for a trial, when justice can more efficiently be served by both your employer and your union gleefully ruining you financially upon request?
People have been demanding this for years. Now it's here.
They're not gonna have anything happen to them if they go tough on (and fuck over an) innocent guy.
They're gonna look bad if they miss a terrorist.
So they have no incentive to not have "red-scare levels of paranoia".
Now, visit a 'bad' website, or somehow be mistaken for someone that visited a 'bad' website, and you'll get some deep personal treatment.
Feds can't win, but it seems to be through their own laziness or incompetence or lack of interagency cooperation.
Or just going there out of intellectual curiosity, like how a leftie might read Main Kampf to check what that shit is.
You can end up in a very bad position...
The IRS proceeded to audit me (16 years old) and my $8k a year woodselling business I had with my dad. You tell me.
And on that note, why didn’t you sue your workplace for harassment? Whether you’re religious or not isn’t any of their business and is a protected class.
They didn't care what the consequences were for targeting someone innocent.
They also made nasty threats like "Someone has to go down for this, and if you help us collect intel on your industry peers we suspect then someone else can be that person"
I told them politely to go die in a fire because I was not about to help them harass other innocent people but it was terrifying none the less that they seemingly had the power to end my whole universe.
I became convinced through that ordeal that the FBI is a deeply corrupt organization that creates pressure to close cases by any means needed.
The OPs post seems totally believable and consistent with stories I have heard from others, particularly if they work for an organization that has the US government as a customer like a defense contractor.
The so called "justice" system, I guess.
I’m not surprised at all that the FBI is harassing people, I find it incredibly hard to believe a private business would touch the situation with a 4,000 foot pole. They have absolutely nothing to gain and massive liability.
Use Tor browser if you are going to research anything a criminal might regardless of pure motives.
If you so much as want to research lock picking, use Tor.
ISP traffic logs can and will be twisted against you in a court of law.
So "keyword" (could be a word, domain or some other pattern) X may trigger only if Y and Z was already triggered. And some keyword A may only trigger if B was NOT present.
This way you can distinguish doctors, reporters or people studying history or chemistry from those who plan something.
Or e.g. ML applied to patterns over time. Globally.
And yes I do not like it at all, HN is full of people that may likely research some kind of bomb, religion or whatever else out of pure curiosity, but since there are not many such people it can be problem in court one day.
Mix in some Snowden, your hardware stack, gag orders and the fact that we have more laws that anybody can read and you may feel like watching some stupid memes.
It's not prohibited but they notice and subject you to harassment by the system at every action with every part of the system that is integrated with their database.
Next day they might visit you to ask you why you are visiting an opposition party web site.
What was the reason for this? What type of workplace?
Build your own VPN https://github.com/hwdsl2/setup-ipsec-vpn
I am most curious why you believe that is a defense against radicalization. In the US that is perhaps the most common demographic for radicalization of any type.
OP apparently managed to clear up the mistake without much bother by speaking to them (although they were understandably shaken up by the experience). This presumably wouldn't have happened if they'd done what you suggest.
* Message content: All
* Subpoena: can render all message content for the last 1-7 years
* 18 U.S.C 2703(d): can render all message content for the last 1-7 years
* Search warrant: can render all message content for the last 1-7 years
* Vague suspicion plus a small fee to the carrier: can render all message content for the last 1-7 years
* Law enforcement simply asks nicely: can render all message content for the last 1-7 years
Yet, I'm pretty sure all these are still happening, to a certain degree, to this day.
You know, like the US does in the countries of it's "allies" like Germany 
Do you really think the US would allow German intelligence agencies to build whole complexes, plugged right into the US's largest IPX?
That's why this situation is not nearly as "symbiotic" as it's often made out to be. At best that applies to Five Eyes countries, and even there only to a very limited degree as no Five Eyes member as as much foreign presence as the US.
And then when they get caught, they do this:
It's funny how much this differs from my own personal experience with law enforcement. The friends I know are timid as hell and don't do anything without a warrant just to stay on the safe side- even if they probably don't need one.
In my case the government did violate the SCA and my constitutional rights, but two judges have looked at it and both stated the same answer - the police must be allowed to commit crimes to gather evidence. Next stop: appeal courts.
I was involved with a case that sounds similar - the judges don't care about your rights and blatantly missapply the law. Also, magistrates are also complete BS, and don't even know basic legal stuff. I had one think I called him prejudice when requesting a case be dismissed with prejudice... Complaints do nothing. There's no real oversight, leading to a completely incompetent system.
It's the system working as intended. If you want something that looks like justice, you'll need substantial wealth to get it.
So these kinds of claims just don't make any sense in a world where we know that government has conducted surveillance without a warrant, and where we know that the FBI has built entire programs designed to make it easier for them to conduct surveillance without a warrant.
From the article posted that you're replying to:
> What Administration officials tend to obscure is that what they seek is not immunity for future cooperation with lawful surveillance, but rather telecom immunity for assisting with unlawful surveillance conducted from October 2001 through January 17, 2007, as part of the warrantless wiretap program initiated by the White House.
I'm not sure I understand what your implication is. I don't understand how it's possible to respond to an article that is about telecoms seeking immunity for previous unlawful actions by saying, "the government/businesses would be way too scared to do anything unlawful." I mean... obviously not, they sought immunity for it. They wouldn't just randomly do that, the most likely explanation is that they made immunity a pressing issue because they thought they needed it.
It does not seem to me that the optimistic world you describe and the observable actions and lobbying efforts of companies/administrations line up with each other.
If on the other hand his friends are street cops tasked with clearing a corner of drug dealers because some neighbor complained to their council person who complained to the police chief then those cops don’t necessarily care about extrajudicial activities.
Having been harassed by street cops and interacted with homicide detectives, I can tell you they vary tremendously in professionalism.
This is terribly naive in my experience.
An EO making it lawful for a federal agency to collect doesn't mean it is lawful for a private company to disclose, it doesn't change when a company is permitted to disclose the content of messages under the SCA
This was for a startup.
I have no doubt they do the same for governments.
Still. It meant a very powerful API key had to be protected and never abused.
I can only imagine others obtain God SMS access like this with less than ethical intentions.
Nobody should make decisions based on this comment.
It doesn't matter where your data is held, locally or cloud, (if you are an American resident and your data is in the USA) as it is _your_ data and it is unconstitutional for them to read it without a warrant. In theory.
In the US it does
This ruling has been adopted by the US Supreme Court:
Not counting media and assuming they are all 160 byte messages, that's 4 terabytes per day, or about 200 wikipedia's per day. I guess that's not too bad in terms of storage requirements, certainly a management amount of data for a telecom to store. But assuming that you want those indexed and easily retrievable somehow, it could get very burdensome to manage and interact with, and that tends to balloon the size at least a little bit as well.
The liability and legal issues around it (both externally and internally - don't want employees spying on their exes, leaking data from celebs, in addition to the policing issues, etc) makes it pretty undesirable to store though.
All of these projects are more properly grouped with government funding in other spheres, such as the BBC or PBS in media, than they are with the surveillance state or the NSA. Levine overlooks basic details, such as reproducible builds, that quickly collapse the house of cards that is his narrative. He tries to paint them all with the NSA brush, when, in fact, they’re simply projects that have historically received some of their funding from the government while fulfilling missions with extraordinary humanitarian benefits. Levine’s own knowledge and experience in this area is shallow. Look elsewhere.
> would be more fully saturated with corporate control of the internet
You might disagree. His point was that the "corporate controllers of the internet" support projects like Tor because A) it gives a (somewhat ineffective) channel for people to focus on rather than political recourses and B) there's no real threat to the corporate model. What would you do in this e2e encrypted internet without corporate services?
> such as reproducible builds
Seems like a tangential point. You can have an untampered copy of a client with a vulnerability.
> funding from the government while fulfilling missions with extraordinary humanitarian benefits
I don't think this is in disagreement with anything either
Ahh yes, the famed operation Condor, operation Gladio, operation iceberg and so many other famed "humanitarian" projects
At the end of the day all that you mentioned goes back to a post-facto "it is good because *we* do it", I would go to say that most people here in HN are well aware of the start of Google when it was funded by us Intel as a way to parse Vietnam era datasets, or how US Intel uses Radio Free Asia to destabilize enemy countries abroad, but again, it is only good/not bad when "*we"* do it
Apologies for a rather low quality comment, but these types of persons handwaving the actual structure behind all of this really get on my nerves, specially when I have had family members be tortured as a consequence of these US activities
USAID is specifically designed and called that so as to tangle it, tell me, how would your average joe understand that USAID is a intelligence agency spinoff designed to sound "good" while doing evil all over the world rather than what its name suggests? You know... Aid?
The NSA, CIA, Extraordinary Rendition and so many other things dont exist there by accident, if said """government""" wishes to spend such amounts of money and resources to enact such evil under the veil of security, then i dont know about you, but then that to me and several other people just reads as "US Gov being flat out evil"
Do remember that there was *wide* support and acceptance back on the Kennedy days to just dissolve the CIA
> Levine tries to lump all of this in with surveillance.
I am not particularly kind to the guy, but he's just merely looking at it on a holistic system design level, any programmer minded person would do the exact same thing when presented with a black box problem
But as far as the foodstamps go, wouldn't it be great if the system where set up in such a way as that foodstamps where not needed to begin with? And on the flipside, why would "the government" allow for such a societal structure where the maintenance of "foodstamps" is necessary for the organization of the nation? I see that last bit in particular if anything as a national security problem...
As Clintonites would say: "It is the economy stupid"
What do you mean by "concrete evidence"?
Nothing of this is disputed, they even have their own wikipedia pages for their different operations and branches within USAID
*Specially* that we are talking of USAID, on the case of NED for example, things get slightly murkier because then it is a matter of private rather than public record, but it still works as a tool for management of semi-clandestine operations and operations which need plausible deniability from CIA's end, or at least as much deniability as it can muster, tho these days they prefer to work with shell groups and other associated partners such as for example Atlas Network, Radio Free Asia also falls on that category, same with Voice Of America
If you are interested in books both, Killing Hope by William Blum and Legacy Of Ashes by Weiner are very, very, very good authoritative sources on the matter
If you prefer podcasts, Warnerd Radio has a couple very good episodes on the National Endowment For Democracy, tho they both quote excerpts of the books above
Radio War Nerd EP 274 — National Endowment for Democracy, Part 1
Radio War Nerd EP 275 — National Endowment for Democracy, Part 2
This is in fact a distinct reason CIA/NSA (and vice versa) won't accept recruits who have served in the peace corp previously, amongst other reasons.
> Without them, we’d basically be left with Wikipedia as the only popular entity on the internet outside of corporate control.
Wikipedia is absolutely not "outside of corporate control". It is trivially astroturfed to advance special interests.
> All of these projects are more properly grouped with government funding in other spheres, such as the BBC or PBS in media
Both BBC and PBS routinely publish outright disinformation to advance the special interests of their corporate/government clients, including the intelligence community. For example, look at PBS Frontline's ridiculous puff piece for the violent extremist group HTS last year.
> Levine overlooks basic details, such as reproducible builds
Reproducible builds are also easily circumvented by selectively deploying backdoors and other malware, based on IP or other fingerprints.
If there are good reasons to dispute Levine's investigative journalism, they're not here.
I’m not claiming PBS and the BBC are perfect entities, but they do offer an alternative source of information that runs against the grain of corporate media. You would prefer…what exactly?
Let's start with "not being created/funded by the State Department or Pentagon".
> You would prefer…what exactly?
Again, let's start with "not being blatant propaganda produced by warmongers".
> WHILE FUNDING FOR TOR ORIGINALLY FOCUSED ON BASIC RESEARCH TO BETTER UNDERSTAND ANONYMITY, PRIVACY, AND CENSORSHIP-RESISTANCE, THE MAJORITY OF FUNDING NOW FALLS INTO THREE CATERGORIES: DEVELOPMENT FUNDING FROM GROUPS LIKE RADIO FREE ASIA AND DARPA TO DESIGN AND BUILD PR OTOTYPES BASED ON RESEARCH DONE BOTH INSIDE TOR AND ALSO AT OTHER INSTITUTIONS; DEPLOYMENT FUNDING FROM ORGANIZATIONS LIKE THE US STATE DEPARTMENT AND SWEDEN'S FOREIGN MINISTRY; AND UNRESTRICTED CONTRIBUTIONS FROM PRIVATE FOUNDATIONS, CORPORATIONS, AND INDIVIDUAL DONORS FOLLOWING IS A BREAKDOWN OF THE TOR PROJECT'S FUNDING SOURCES FOR THE PERIOD ENDED JUNE 30, 2020: FUNDING FROM US GOVERNMENT SOURCES US STATE DEPT - BUREAU OF DEMOCRACY, HUMAN RI GHTS AND LABOR 752,154 GEORGETOWN UNIVERSITY - NATIONAL SCIENCE FOUNDATION 98,727 RADIO FR EE ASIA/OPEN TECHNOLOGY FUND 908,744 NEW YORK UNIVERSITY - INSTITUTE OF MUSEUM AND LIBRARY SERVICES 101,549 GEORGETOWN UNIVERSITY - DEFENSE ADVANCED RESEARCH PROJECTS AGENCY 392,00 8 FUNDING FROM NON-US GOVERNMENT SOURCES DIGITAL IMPACT ALLIANCE - UNITED NATIONS 25,000 S WEDISH INTERNATIONAL DEVELOPMENT COOPERATION AGENCY (SIDA) 284,697 FUNDING FROM CORPORATE SOURCES MOZILLA 157,500 AVAST 50,000 MULLVAD 50,000 FUNDING FROM PRIVATE FOUNDATIONS OPEN SOURCE COLLECTIVE 23,100 MEDIA DEMOCRACY FUND 270,000 ZCASH FOUNDATION 51,122 MOZILLA OPEN SOURCE SUPPORT MOSS 75,000 RIPE 53,114 CRAIG NEWMARK PHILANTHROPIC FUND 50,000 STEFAN THO MAS CHARITABLE FOUNDATION 50,000 KAO FOUNDATION 10,000 MARIN COMMUNITY FOUNDATION 1,000 IN DIVIDUAL DONATIONS 890,353
SecState Kissinger orchestrated the incineration of Laos, Cambodia and Vietnam.
SecState Powell orchestrated the flattening of Iraq.
SecState Clinton orchestrated the butchering of Libya.
SecState Pompeo tried and failed to orchestrate the annihilation of Iran by assassinating top officials and drawing them into war.
And so on and so forth. These aren't even theories. The State Department is closely involved in destabilizing sovereign governments through the full spectrum of means, including war, to advance Washington's interests.
Brilliant reposte, but I am curious what software are you referring to here?
You should be extremely skeptical about people who bring OTF/BBG up in these discussions. I have complicated feelings about Tor stemming mostly from culture and effectiveness concerns and would push back on claims that it's co-opted by the Navy or corporate interests, but at least I can see a clear (if silly) line connecting Tor to these supposed conflicts of interest.
Correct, it is not funded by "the military", but this is incorrect
> any branch of the USG government
Because Signal/TextSecure received considerable amounts of seed capital from Radio Free Asia which is a CIA spinoff with the explicit aim to fund the development of the cryptography at grass roots level, not per se to have full control of it like NSA would have done, but because having strong cryptography on such platforms (Telegram might be other) is highly effective against perceived US enemies like well... Iran, or Syria, and to allow their assets/agents to communicate more easily while abroad without bulky extra proprietary phones or software
All of that above is mentioned at length on Surveillance Valley btw
Which also unfortunately points to them having exploits no one has discovered yet in said technology tools.
They can still maintain generalized situational control via additional superiority vectors(MASINT, HUMINT, GEOINT, OSINT, FININT etc.)
That's how Ulbricht sometimes spelled hey, and the agent had seen that particular spelling before in his investigation, in an email from Ulbrict’s student email address.
Nick Bilton's book “American Kingpin: The Epic Hunt for the Criminal Mastermind Behind the Silk Road” is a great read, highly recommended.
much more likely -- sigint tooling was applied to identify ulbricht, bulk metadata was turned over for his comms history, and it was pored over for things they could connect with sr to get warrants. imo, at least.
but getting to claim you're such a sharp investigator that you can figure it out by noticing the word heyy makes for a much better story to tell an author.
It's been awhile since I've read it, but my impression was that solving the case was mostly traditional casework, and a lot of it, by many different people/agents/agencies.
That Reuters article certainly gives pause. Thanks for the link.
Also, lots more went into catching him than just heyy, but that was the lucky break that had him caught. Now he shares a prison with Dr. Unabomber Kazinsky.
I thought I had heard it was stackoverflow, is that looped in somehow?
The parallel construction argument seems way more plausible if there’s nothing else besides “heyy”. If there is more, please say what it is instead of mentioning it exists but refusing to say it.
No one tries to take notice since they're hosting the worst content on the internet regularly.
Are those "facts" avaiable for investigating, without having to buy the book?
(that Tor is partly US administration funded is known, but Signal? And what is OTF and BGG?)
Funded by Open Technology Fund (OTF) https://en.wikipedia.org/wiki/Open_Technology_Fund
Which is funded by Radio Free Asia (RFA) https://en.wikipedia.org/wiki/Radio_Free_Asia. It had a few reboots but was created as a CIA program in 1951 (https://en.wikipedia.org/wiki/Radio_Free_Asia_(Committee_for...) to blast shortwaves into China from Manilla to try to overthrow the Chinese government. Rebooted more recently since the advent of the great firewall of China.
The main tool, used for private communication?
And Whatsapp will give them the target's full contactbook (was to be expected), but also everyone that has the target in their contact list. That last one is quite far reaching.
Most people don't realize that most people have something to hide. The USA has so many laws on its books. Many of which are outright bizarre and some of which normal people might normally break.
And that's only counting current/past laws. It wasn't that long ago a US President was suggesting all Muslims should be forced to carry special IDs. If you have a documented history being a Muslim, it could be harder to fight a non-compliance charge.
Barratry. If a person wickedly and willfully excites and stirs up actions or quarrels between the people of this State with a view to promote strife and contention, he or she is guilty of the petty offense of common barratry[.]
EDIT: Ultimately, the nuance in that history is not relevant to the point that criminal law changes to include new categories in unexpected ways.
> “We’re going to have to look at a lot of things very closely,” Trump continued. “We’re going to have to look at the mosques. We’re going to have to look very, very carefully.”
That's all he said to the interviewer. The interviewer was asking the hypothetical and suggested the special identification! He wouldn't take the bait, so since he didn't answer the hypothetical they said "he wouldn't deny it" and wrote the campaign of hit piece articles anyway. Whatever response they got they would have wrote that same piece. If he would have answered one way they would have quoted out of context. Since he responded generically it's obviously drummed up. The fact check is hilarious. "Mixed", lol.
Never answer a hypothetical, it's always a trap.
And then the next day, he clarified:
Reporter: "Should there be a database or system that tracks Muslims in this country?"
Trump: "There should be a lot of systems, beyond databases. I mean, we should have a lot of systems."
And then he tried to backpedal. Decided it was a watch list, not a database, etc. Basically the usual shtick of his where he tries to say everything and nothing at the same time.
> There should be a lot of systems, beyond databases. I mean, we should have a lot of systems
Beyond databases. What does that mean? That could be analog systems, that could be anything not stored in a computer.
Nothing to do with identification which would need a database. It's a generic answer to avoid a hypothetical. It's a nonanswer.
He said nothing, not everything. You are attributing the reporters question to him. The reporter is posing the hypothetical that they created in the first place by the initial interview.
My main point was hypotheticals are always trap (unless among friends!), but that's a great example of an obvious one.
The usual shtick is to say nothing, because the journalistic usual shtick is to ask gotcha hypotheticals.
> "We’re going to have to look at the mosques. We’re going to have to look very, very carefully."
I already do not trust the person who has said that. Does it really matter if he proposed a full-fledged ID system? He still proposed monitoring mosques. He still proposed surveillance based on religious identity.
The correct answer to that question, "should Muslims be subject to special scrutiny" is a simple "no". I don't really get the debate about hypotheticals; this a question that does have a straightforward, right answer. And the implications here in regards to surveillance and ordinary people having stuff to hide -- those implications are all the same regardless of whether or not Trump actually proposed a literal database.
He was open to increased surveillance on Americans based on their religious identity, he didn't immediately shut the idea down.
> The below quote is already bad enough. He still proposed surveillance based on religious identity.
He said nothing about citizens or monitoring them based on religious identity. He said look at mosques, that's all. Mosques are often the target of attacks.
> "Certain things will be done that we never thought would happen in this country in terms of information and learning about the enemy," he added. "We’re going to have to do things that were frankly unthinkable a year ago."
> "We’re going to have to look at a lot of things very closely," Trump continued. "We’re going to have to look at the mosques. We’re going to have to look very, very carefully."
And once again, it kind of doesn't matter. An increased focus on monitoring places of worship is monitoring people based on their religious identity. I don't know a single Christian who would argue to me that monitoring churches isn't the same thing as monitoring Christians.
Mosques and churches are not abstract concepts that are divorced from the people inside of them. When you monitor an institution, you are necessarily monitoring the people inside of it, and it is reasonable for them to be concerned about the government taking an interest in their religious-identity. To argue otherwise requires someone to completely divorce religious identity from the practice of religion, and that's just not a reasonable argument to make.
> Details are important.
Not in the context of the original statement, "ordinary people often do have something to hide, and should care about privacy." Look, whatever, you trust Trump. You shouldn't, but you do. Fine.
Do you trust Biden? Do you trust the current government not to attempt to monitor you based on your vaccine status?
You're fighting over the idea that "your guy" wouldn't surveil ordinary people, but this also kind of doesn't matter because your guy isn't in the Whitehouse right now, and I can guarantee you that Republicans are never going to have permanent power over the government. No party wins forever. You have as much reason as anyone else to care about personal privacy, why are you fighting over who specifically is a threat? Does it change anything about the overall privacy debate?
Like I said, he always manages to say exactly the right things so the people who support him will read between the lines, but leave just enough ambiguity so those same people can quibble constantly over whether that was what he really meant.
> hypotheticals are always trap
He could have just said "No." Or "I have no such plans at this time." if he wanted to sound like a typical politician. His circumlocution is legendary, because it allows everyone to believe what they want to believe. Politicians all have this problem, but Trump elevates it to a whole new level.
> On each of your devices, the data that you store in iCloud and that's associated with your Apple ID is protected with a key derived from information unique to that device, combined with your device passcode which only you know. No one else, not even Apple, can access end-to-end encrypted information.
HN tends to get very frothy-at-the-mouth over Apple and privacy but the reality is that iPhones can be easily set up to offer security and privacy that best in class, they play well with self-hosted sync services like Nextcloud....and unlike the Android-based "privacy" distros you're not running an OS made by a bunch of random nameless people, you can use banking apps, etc.
The only feature I miss is being able to control background data usage like Android does.
Either way looks like Signal wins by a lot. The size of it spot is so small, it seems almost squeezed in. But only because they have nothing to share.
as a casual reminder: The fifth amendment protects your speech, not your biometrics. do not use face or fingerprint to secure your phone. use a strong passphrase, and if in doubt, power down the phone (android) as this offers the greatest protection against offline bruteforce and sidechannel attacks used currently to exploit running processes in the phone.
- Use a strong pass phrase
- Enable biometrics so you don’t need to type that pass phrase 100 times per day
- Learn the shortcut to have your phone disable biometrics and require the pass phrase so you can use it when police is coming for you, you’re entering the immigration line in the airport etc. - on iPhone this is mashing the side button 5 times
On my Pixel (Android), it's hold the power button for ~2 seconds then select Lockdown.
Apple's docs also say that pressing the side button 5 times still works.
> If you use the Emergency SOS shortcut, you need to enter your passcode to re-enable Touch ID, even if you don't complete a call to emergency services.
I just verified this on iOS 15.1 on an iPhone 12.
Just tested all of them
But I guess yours is the “official” way to do it indeed:
It locks the phone when a movement threshold is broken, and then requires the password instead of biometrics to unlock the phone.
So the snatch the phone when it is unlocked vector gets harder.
A compromise would be to just save the messages to a passphrase. You could use a public key so that you would only need the passphrase to read the old messages. I haven't heard about anything that actually does this.
You'll feel a vibration, and biometric login will be disabled until you enter your passcode.
I liked it in Wrath of Man where one guy is acting tough as fuck until they bring his girl into the room.
Also, if you can, if you are encrypting data, use a hidden volume inside the first - that way you can give the government the outer password and they'll be happy thinking they have everything.
Almost _all_ my Signal chats are on 1 week or 1 day disappearing settings. It helps to remind everyone to grab useful info out of the chat (for example, stick dinner plan times/dates/locations into a calendar) rather than hoping everybody on the chat remembers to delete messages intended to be ephemeral.
The "$person set disappearing messages to 5 minutes" has become shorthand for "juicy tidbit that's not to be repeated" amongst quite a few of my circl3es of friends. Even in face to face discussion, someone will occasionally say something like "bigiain has set disappearing messages to five minutes" as a joke/gag way of saying what used to be expressed as "Don't tell anyone, but..."
(I just looked it up, https://signal.org/blog/disappearing-messages/ from Oct 2016.)
I think encrypted messengers should have a "completely off the record" mode that can easily be switched on and off. Such a mode would guarantee that your messages are never stored anywhere that might become permanent. When you switch it off then everything is wiped from memory. That might be a good time to ensure any keys associated with a forward secrecy scheme are wiped as well.
The analog hole ALWAYS exists. Pretending it doesnt is ridiculous.
Not if the message has already been deleted. Auto-deleting messages are so the recipient doesn't have to delete them manually, not so the recipient can't possibly keep a copy.
IAAL but IANYL
The real solution is for a federal statute to require warrants.
but can't they force you to put your password in that case, instead of your finger?
The contents of your mind are protected because you must take an active part of disclose them. Of course, they can still order you to give them the password and stick you in jail for Contempt of Court charges if you don't.
Check out Habeas Data. It's a fascinating/horrifying book detailing much of this.
"Understood. The defendant's Fifth Amendment right to protection from self-incrimination is secured. As per the prior ruling, the defendant will remain in custody for contempt of court until such time as they divulge the necessary password to comply with the warrant."
If it is you not divulging your own passcode, then legally the judge can't give you contempt, but in reality they could give you contempt until you fought it through the appellate court. Contempt is a special type of thing - certainly here in Illinois you have no right to a jury trial on contempt charges. You're just fucked.
In one case, the appellate court at the federal level simply refused to hear the case that had been decided at the sate supreme court level.
Although there are apparently a whole bunch of legal details that matter here; courts have in some cases held that defendants can be forced to decrypt a device when the mere act of being able to decrypt it is itself a foregone conclusion.
(If you want to google a few of these cases, the all writs act is a decent keyword to include in the search).
The defendant never needs to divulge the passphrase - they simply need to provide a decrypted laptop.
Knowing that is possible law enforcement would then hesitate to ask.
This is how the statute is worded here in Illinois:
"A person obstructs justice when, with intent to prevent the apprehension or obstruct the prosecution or defense of any person, he or she knowingly commits any of the following acts: (1) Destroys, alters, conceals or disguises physical evidence."
Ugh. It's a vague law. I don't even know how they would prosecute that for virtual evidence held on a device that they didn't already have a view inside of.
https://www.reuters.com/business/legal/us-supreme-court-nixe... for example.
Lots of FUD out there there about Telegram not being encrypted that's just not true. There's nothing either side can to do send a message in clear text / unencrypted.
This is proven by an extremely simple experiment: you log in on your new phone, enter password and instantly see all chats.
Another simple experiment points that chats are unlikely to be even encrypted at rest is that Telegram has an extremely fast server side message search. You log into a web client, half a second later you can type a search query and uncover chats from years ago.
How much data there are on your chats? 1 megabyte is around one thick book in plaintext.
AES-CBC as example method decrypts more than 2 gigabits per second with hardware opcodes (2012 processor), for example if we look this data https://www.bearssl.org/speed.html
It is impossible to say based on delay when searching plaintext on this level whether there is encryption.
What this means is that any conversations where you do select E2EE are the ones the "authorities" will take interest in, even if only to the extent of metadata.
That's the fundamental problem with E2EE-by-exception, rather than by default. It calls attention to specific data, even if its not cleartext, rather than obscuring everything.
also curious - how does telegram support encryption for chatrooms without the parties being known in advance? or are those chats not encrypted?
E2EE: As long as it is correctly set up and no significant breakthroughs happens in math, nobody except the sender, the receiver can read the messages.
> Does the former mean that telegram itself can read non-private-chat messages if it so chooses?
Correct. They say they store messages encrypted and store keys and messages in different jurisdictions, effectively preventing themselves from abusing it or being coerced into giving it away, but this cannot be proven.
If your life depends on it, use Signal, otherwise use the one you prefer and can get your friends to use (preferably not WhatsApp though as it leaks all your connections to Facebook and uploads your data unencrypted to Google for indexing(!) if you enable backups.
Edited to remove ridiculously wrong statement, thanks kind SquishyPanda23 who pointed it out.
E2EE means the service provider cannot read the messages.
Only the sender and receiver can.
E2EE means that the users exchange encryption keys, and they encrypt the data at the client, so that only the other client can decrypt it. Meaning Telegram can never inspect the data if they wanted to.
I haven't dug enough to know what telegram does or claims to do.
Maybe there are laws preventing legal access to message content? Maybe related to wherever Telegram is incorporated.
Well sure. A lot of laws require a court order. In the U.S. that's usually not too difficult.
Biggest example as of late: https://www.bbc.com/news/world-middle-east-58558690
How do you know I'm intercepting the transmission? Does the emoji sequence verify the call, perhaps?
I'm not a cryptographer, but that's what I glean from their explanation: https://core.telegram.org/api/end-to-end/video-calls#key-ver...
For a "standard" DH key exchange it would be possible to brute force the emoji sequence to be the same (since it's too short to be resistant to brute forcing), but the protocol that Telegram uses specifically defends against that by having both sides commit to their share of the key ahead of time, so they cannot try different numbers.
So person A and person B are going to see different emojis no matter what you do. To fake a phone verification while performing a main-in-the-middle attack you'd also have to fake their voices to each other. That's hard.
It is not necessary to provide real security, do fingerprint verification, etc if the users are already happy with the level of security they are promised.
What I'm envisioning is a 'build hash' that is reproducible based on the public source code with a given set of compiler settings (i.e. same used for publish.) The systems app-management widget could then display this build hash in the app-check menu.
This would likely require more care in packaging, as well as some form of secure config API that allows companies to provide certain bits of configuration (i.e. remote servers to contact) without impacting the build output. This would mean that yes, people would still need to audit the code, but at least it's easy for anyone to canary out to the internet that the hashes are mismatching, same for when someone does find something on an audit.
OTOH, I'm sure Telegram's competitors in the chat space would love a reason to de-legitimize them, so it wouldn't surprise me if -someone- out there was already doing some sort of compare on published builds.
I assume what they're showing for Telegram (basically no data except IP/phone data if Telegram decides it's for a legit counter-terrorism activity) is a matter of Telegram business policy.
Signal gives the limited information they do because I assume they are subject to warrants from U.S. courts. Telegram is run, to my understanding, from jurisdictions where enforcing a U.S. court order would be difficult-to-impossible, and they keep the private keys to decrypt their stored message content split between servers in relatively non-overlapping legal jurisdictions, so even a successful seizure of data in one wouldn't be enough to decrypt message content.
That's all well and good -- and I appreciate Telegram for setting things up that way -- but that means at any time Telegram could make a policy decision to cooperate with law enforcement and provide much more than what is shown on this chart. Signal, on the other hand, could choose to cooperate as much as they want but not have the technical capability to provide more information. (Barring them updating their client to intentionally build in a backdoor, etc., but I'm basing this on what the current implementation is.)
The other important thing about this chart: this is the unclassified version. Is there another classified document out there which says "we have a secret relationship with Telegram/whomever and they give us all the message content we want" but they don't advertise to the law enforcement community at large? They secretly use it to aid in parallel construction so they don't ever have to reveal that a messaging vendor is giving them message content in court? We have no idea.
tl;dr: Telegram looks great on this chart because of policy, not technology. I love Telegram, but I'm under no illusions that it's appropriate for talking about things I wouldn't want law enforcement to have access to. Luckily, I haven't found myself needing to talk to my friends about illegal activity.
This is what puzzles me about Apple, they absolutely have the capability to mitm iMessage pretty discreetly. Because Apple just completely hand waves away key distribution and they can silently add and remove keys at their leisure it's largely only policy that underpins their security. They're not Telegram, they aren't structured to be in a position to be able to ignore demands from the justice system to assist with some agent's latest fishing expidition. How are they getting away with not providing stuff that they obviously have access to? The PDF lists "Pen Register: no capability"
My bet is on the fact that they are based in Russia, so they don’t give a shit about a US warrant or subpoena.
Telegram doesn't store your messages forever and they are encrypted and seizing the servers won't allow you to decrypt them unless you also seize the correct servers from another country
This is a similar process to what Dropbox, iCloud, Google Drive, and Facebook Messenger do. Your files with cloud services aren’t stored unencrypted on a hard drive - they’re encrypted, with the keys kept somewhere else by the cloud provider. This way somebody can’t walk out with a rack and access user data.
What Telegram claims to have done is set this up in a way that makes it very hard for a single party/state to get these keys. It's not possible to make this completely impossible (if you have a server processing user data, it will have the keys loaded at some point, and there is always some way to physically attack it), but it is possible to make it very hard (physical tamper detection on the servers, secure boot tied to machine identity credentials required to access key material, etc - it's hard, but not impossible, to make this too difficult for any nation state to bypass). We don't know how good their set-up is, but it's certainly possible to do a good job at doing what they claim to be doing.
I just don't see why they would make life harder for themselves developing stuff, given how often Durov lies. He claimed that all Telegram developers are outside of Russia, but then it turned out that they were working next floor from his old VK company office, right in Saint Petersburg.