The "PRISM" stuff, the stuff with specific internet app/service providers, is actually the _least_ troublesome. (And the closest to legal/constitutional, with FISA orders involved and all.)
MUCH more troublesome, but receiving MUCH less media attention (such that I don't even know the special program names, they are not 'prism'):
* They are recording everything that goes over the internet, by tapping in at major backbones, undersea cables, etc.
* They deploy RAT malware to take over and observe targetted person's computer. (Have we been given evidence by Snowden that they do this inside the US and/or to US citizens? I am not certain. Do they get FISA orders/warrants first? I am not sure. Have we gotten info released on the RAT stuff yet? This interview is the first I've heard of it, in fact.)
Both of these are WAY more alarming, more significant invasions of privacy, less likely to be legal/constitutional, than PRISM. But PRISM's getting all the attention.
I wonder if this was in fact part of NSA/government counter-PR, to make sure PRISM gets the attention and people get burnt out on the story before they get to the REALLY disturbing stuff.
As the leaks have moved on, the information has become progressively more concerning. Anyone who has followed this issue should have at least a vague idea of the caliber of information that could be coming (your post as an example). So, rather than releasing the big ticket items first, and having the rest of the issues make no impact in comparison, they're allowing as much information as possible to have it's greatest individual impact before moving on (not to mention the now well-discussed benefit of authorities lying themselves into corners trying to cover up the smaller issues).
In this way, they're priming the public so that we've spent months digesting the impact, and understanding the issue so that when we get (say) screenshots proving everything going over telecommunications is recorded, the public is prepared to understand and digest that fact quickly, and can move to action quicker--or even at all.
The more I think about it, the more I earnestly believe that this technique is the most effective methodology available to them and may be our one and only shot to stop it (keep in mind that once a subgroup of society reaches enough power and intelligence over the rest, there is literally nothing the rest of humanity could do to overthrow them; we can't dump tea in the ocean and fire guns at them anymore if they have drones and know everything about everyone).
He doesn't have to convince HN readers that this is worth stopping our daily lives for to stand against, he has to convince the general public.
With that in mind, the best thing we can do right now, is help them to prime the pump. Bring it up to everyone that will listen. Make the electorate informed. Because when the news comes--the one that we will need to act on--the public needs to be ready to hear it and move on it.
The opinion of the general public doesn't matter. It's been being effectively managed for years, and that won't change now. The proles will never revolt.
The fact is, these programs existing and being public knowledge to "foreign entities" (Obama's words), pose an existential threat to Google, Apple, Amazon, Microsoft, and any other US-based company that intends to make money handling the private data of those filthy foreigners (whom outnumber US citizens on the internet something like a dozen to one).
Sure, tell everyone who will listen. But you'll find that most people don't give a fuck, and wouldn't know what to do with the information even if they did.
This change, if it comes, will come from industry, as all major internal policy changes in US government have for decades.
So independent of my opinion, there's demonstronably a non-trivial chance that you're wrong. And from chances like that, movements are born.
You're right: cannabis is still illegal in Colorado and Washington.
although I'm not sure I'm confident that there is a 'big one' coming 'the one that we will need to act on' (if what we've already gotten isn't it) -- we will see. I am curious to hear more about the RAT stuff.
It's possible 'we' did, but I just didn't notice it because I wasn't paying attention and the media didn't make too much of it.
I did hear about the immunity thing, but figured that was for individual requests for particular information for particular investigations; it honestly didn't occur to me that they'd record the entire internet, I naively thought that would obviously be unconstitutional and thus not done.
If "we" did know that before, then I guess the Snowden leak has been great PR, because I didn't know about it until now!
If you take the body of people who use Google/Yahoo!/Facebook and get the % of people who are aware of the existence and importance of internet infrastructure, you will find that the % is nowhere near 100%.
I think the order is okay, but the issue is that the media is making it a personality focus to make the story more sensationalist (do we sense a pattern here!?) and said average Joe is surely distracted.
If I were to guess, they probably only stick to ISP-level monitoring in most cases, and in other cases maybe they'll physically install malware on a system when they have to.
This bit worries me less than PRISM or malware. We've already designed our networks to resist MITM where we believe security matters and there is a general push towards TLS for everything.
Im amazed why do you US citizens always derail the debate towards this question "us citizens or not"?
Are you guys more important than us? Dont you think US citizens are spied upon by UK, New Zeeland, Canada, Sweden, Germany etc and then exchange of information happens with those countries?
Does it matter that much how many laws NSA broke and how many lies they told you? Would you be fine with all of this if NSA had lobbied for a law, like FRA did in Sweden, to make all their activities, spying on US citizens included, perfectly legal? Just suck it up and accept "democracy" then?
Is this legal, who broke what law. What theyre doing is immoral no matter how they twist the law and how much they talk about what direct means in direct access.
Please, avoid discussing legality of minor details and focus on the implications for democracy, power and inequality. How do we fight back?
It's certainly not the only debate worth having regarding the whole affair, but as far as things go in the US, it's significant.
"The [telcom] companies should write enforceable clauses into their terms, guaranteeing their clients that they are not being spied on. And they should include technical guarantees. If you could move even a single company to do such a thing, it would improve the security of global communications. And when this appears to not be feasible, you should consider starting one such company yourself."
Google and Facebook don't seem to care, but the people here can create the kinds of companies that do. Let the PRISM collaborators starve of a talent storage.
How do we create, maintain and support companies that guarantee our privacy? What do we do when those companies and its employees receive threats, blackmails and various attacks by the feds? When they become infiltrated? When they buy them up like Skype and close its security down?
Facebook, Oracle, Google all seemed to crap their pants when PRISM came out, can we increase the heat on them to stop what theyre doing?
What methods do we have? What can we, the good hackers non-NSA-employed hackers, do?
We have various encryption technologies, mega made some fine client-side encryption kind of easy to use, what else?
Whatever we build will not be a perfect solution, it will require agreements and legal frameworks and support from a major group of people. Isnt this what GNU is about, the FSF and freedom box project?
EDIT: Its kind of tiresome that HN must always have a critical comment at the top, no matter the issue, someone always tries to tear any story up to pieces. Id like to remind you people of this awesome quote;
""It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better.
The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat. ""
> The analyst can then decide what he wants to do - the computer of the target person does not belong to them anymore, it then more or less belongs to the U.S. government.
This is kind of like when he said:
> You are not even aware of what is possible. The extent of their capabilities is horrifying. We can plant bugs in machines. Once you go on the network, I can identify your machine.
Software types reading this stuff know that this is not how computer networks generally work. Maybe it is a dumbed-down reference to some sort of government malware. If so I would like to see more technical precision from Snowden before I can say that he has any chance of knowing what he's talking about.
That's what I took it as. With government-level resources you can pretty easily throw a team at all the common web browsers and find exploitable 0-days and then MITM the next connection the target makes to any website to exploit it, and then find a local privilege escalation vulnerability if necessary. Once you have root (or equivalent) on any given machine you pretty much own it.
That sort of thing isn't necessarily in reach of your typical J. Random Hacker against a patched machine (may not have access to 0-day, can't easily MITM target's internet connection, etc.) but it's really not a stretch to imagine that the NSA can do it if they have no regard for the law.
In what kind of numbers, though? I mean, from what I remember reading Stuxnet had this kind of crazy stuff in it (multiple zero-days if I recall), but also a clear target in Iran. Would they have the resources to do this to everybody? Is there any evidence of that? Certainly if there were it would be really fascinating to know more, but all we have is this movie plot scenario.
With what Snowden says it makes it sound like they do it to anyone out of sheer boredom. I think to understand the scope of this claim we need more details.
The software to take over someone's computer like that exists, and can be used by script kiddies that don't even know what they're doing, to take over and 'own' many people's computers, complete control. Presumably the NSA knows about even more exploits than the easily available hacker-distributed software does.
That's the weird thing about Snowden's claim. It makes them sound all-powerful. If it were really something concrete, there'd be more knowledge of scope, mitigations, etc. It's also hard to believe they are doing this on everyone, by default.
But I didn't see any implication in this interview that they were doing it on everyone, universally, by default. Rather, Snowden specifically says this is what happens to a targetted person, he some of the ways you become targetted are "because of a Facebook profile or because of your emails", presumably certain keywords or profile or whatever. Then he says the 'monitoring' which completely takes over your computer is done to 'targetted' people.
I too am very curious to learn: How many such targetted people with malware-monitored computers there are, how often this is done; is it done to computers in the US and/or to US citizens; what sorts of suspicion lead to this targetting; what warrants or court orders or other judicial oversight there are on individual monitoring cases; among other things.
I am now eagerly awaiting release of documentation or evidence on these issues.
I think either Snowden is incorrect in what he's talking about, or the NSA is doing something rather devious like hijacking the Windows update process or some other automated task to install malware, which they could only do with heavy cooperation from Microsoft. This would be rather risky though as it could certainly be detected.
He is the most honest speaking government employee I have ever seen.
I wish he would have remained anonymous the whole time, almost like a Banksy character through this all. I almost feel like we're seeing too much of his face and not enough (like the top comment suggests) about the actual problems with this all. The stories that need coverage are getting upvoted here but this site pales in comparison to the power of CNN on popular opinion. It's a reality show called "Find Snowden" now.
I read that as it is commonly understood among my colleges at the NSA that America and Israel wrote Stuxnet and this understanding seems to be reputable rather then rumor.
Stuxnet is largely believed to be created by the US and Israel to cause problems to Iran's nuke programs (http://topics.nytimes.com/top/reference/timestopics/subjects...). Part of defense is offense against infrastructure that is a threat and will be as long as there are countries.
That's like asking how he would be in a position to get Top Secret documents.
Easy. Omniscience is not the default state of a human being. Perhaps he had access to information revealing this, and didn't find or read it. Perhaps he had no access to such a thing. I don't think we can safely assume he knows everything there is to know about anything the government (or even some small sector) is involved in. He's just one guy, after all.
It is a sad state, that the world the conspiracy theorists have been crying wolf about for so long is now verified fact.
It was an honest recommendation that he follow this closely. There is history being revealed in this matter and everyone should be paying close attention.
At a minimum, everyone should be thinking critically about what it means to be an American and what one really stands for/believes in.
If you can pick your enemies' locks, you can pick your employer's.
>You should break your pills in half.
That's a content free ad hominem.
What he said is more or less correct, depending on where you draw the line.
For a lot of people massive warrentless wiretapping, against the constitution and the law, is what they'd call a police state.
You might be more forgiving, if you want (some people can justify anything), but you don't have to be rude about it.
Especially with a surname as thus. I doubt the original Whitman was in favor of extended government power abuse and mass surveillance.
* They couldn't find WMD in Iraq -- because they weren't there.
* They couldn't find bin Laden for 10 years.
* They thought Snowden was on a plane with Evo Morales -- and were wrong.
So, given these observations, I wouldn't be too surprised that one guy was able to get access. Like all big organizations, I'm sure the NSA & CIA have some amazing small groups capable to Bond-like performance.
But as a whole, they are probably a nightmare of incompetence. Therein lies the reason I'm not in favor of giving them Carte Blanche for domestic surveillance: they will fuck up on an epic scale with probability=1. It is only a matter of time until their infrastructure becomes a tool for some oppressive politician or bureaucrat. HUAAC 2.0.
I realize this puts me in tinfoil-hat territory, but I'm not sure this wasn't intentional. He was of greater strategic value while still "alive", both to the U.S. and to the jihadists. Moreover, he had serious health problems for the last decade, and quite possibly has been dead for years of natural causes. The rapid and secret funeral at sea also seemed odd, as well as the timing, just before the election.
I have no evidence, so I can't square that circle. But given the record of shady behavior (competent and otherwise) by the three-letter agencies, neither would it surprise me.
There was a NYT story a couple of days ago which claimed that he was a NSA-trained 'hacker', he self-described as a 'infrastructure analyst', and a long time ago as a 'wizard.'
I know people who with just 'Analyst' as their titles have tech-PM'd MS Project implementations at large telco's, and others making stupid money in finance - it's also the title extraordinary spies are given in movies.
I imagine there were people with access and knowledge inside NSA who didn't want to risk becoming whistleblowers themselves, and pointed him in the right direction or outright gave him stuff.
The Kryptos sculpture has been there for all to see for many years, and the man who designed it thought it would be decrypted in months.. Yet it still hasn't been fully decoded, including by the NSA and CIA (part of it publicly was, so we know that if they did they would probably tell us).
This tells me that they're probably very good at some things, but that we also shouldn't overestimate them (the hollywood effect).
Ha! That's what they want you to think! In reality you're a sleeper agent/hacker.
Snowden: The target person is completely monitored. An analyst will get a daily report about what has changed in the computer system of the targeted person. There will also be... packages with certain data which the automatic analysis systems have not understood, and so on. The analyst can then decide what he wants to do - the computer of the target person does not belong to them anymore, it then more or less belongs to the U.S. government.
I wonder if regularly wiping and reinstalling your operating system has any effect on the aforementioned computer compromising by government/criminal elements?
Obviously, an open source OS is a better choice than some closed, proprietary, OS, but I seem to remember some controversy about BSD developers being approached by government agents for the purpose of coding a backdoor into the systems which they were working on.
Just how secure is my unix-like OS?
That's not going to happen anymore, because now everybody is distracted by sensational asides: we're hacking everybody, we're behind Stuxnet, we're in cahoots with the Europeans, etc etc etc. Snowden is allowing the spotlight to remain fixed on him; this whole thing is perfect fodder for the media -- an individual on the run, Hollywood-style hacking plots, and predictable Internet outrage. All while the constitutionality issue gets swept under the rug (see Congress). What's more, Snowden will probably lose the battle of public (and legal) opinion because these foreign operations are arguably justifiable , and the leaks weaken the US bargaining position with other countries.
I'm not sure what the goal of this leak is anymore. Snowden is completely fucking himself over while diverting public attention from issues that have the best odds of an immediate fix -- the surveillance of Americans. This whole thing is a bitter popcorn-fest.
William Binney said this during the USA Today interview  a few weeks ago:
I would tell him to steer away from anything that isn't a public service — like talking about the ability of the U.S. government to hack into other countries or other people is not a public service. So that's kind of compromising capabilities and sources and methods, basically. That's getting away from the public service that he did initially. And those would be the acts that people would charge him with as clearly treason.
 Sorry, non-Americans: the Constitution doesn't cover you guys. But we need to protect ourselves from our own laws first before we can help the rest of the world.
 If you think the US is the only one doing this, or if the world should just hold hands and sing Kumbaya: get a clue.
Protecting the US internet industry from these actions means not permanently undermining the credibility of every single US company when they say they're not spying on their international customers to further the government's (secret) national interests.
Americans are outnumbered more than a dozen-to-one on the Internet, you know. (And that ratio stands to get even more lopsided as the next 2 billion people get on the internet, too.)
OK, here's a clue: truly moral governance is only sustainable if all governments follow the same moral behaviors. Unfortunately, that's not a stable equilibrium, because the world is not Kantian -- thinking otherwise is naive.
1) Governments spying on governments, sure. On foreign businesses even, sure, if they're big or important enough, I've heard that too. But does any other country do indiscriminate mass surveillance on the entire US population? Make no mistake, this is the informational equivalent of carpet bombing other countries. And not just your purported and declared "enemies" but even your friends and allies. You should not wonder if you end up having none.
2) "It's right because other people do it too / did it first." Hm, grow up?
3) "It's ok because it's always been done like that." Don't I love this time-based argument. So it was ok to have concentration camps in 1944 because they've been there in 1943? Or where is the line? And who determines it?
If they don't, it's probably because NSA is actively preventing it (albeit while doing it themselves). Anyway, we're not disagreeing here.
Like it or not, it's how the world works.
...and Godwinned. One would hope that it's conversations like these that allow us to call out the slippery slope between liberty and (overbearing) security.
I think he simply wants Americans, and the world, to know the truth about what their governments are doing, and doesn't believe that the best chance of that happening is staying within the bounds set by US law. He probably believes the best chances for pushback on privacy lie outside the five-eyes states, because those states have been co-opted so completely by their intelligence services. In the UK for example, every secret communication of every politician, judge and public servant is now available to those services.
Binney in his heart still believes the US government can be reasoned with and negotiated with and it seems you agree with him. It appears Snowden has decisively broken with that point of view and sees it at somewhat naive (probably after seeing what was done to Binney and Manning). As to treason (in a broad sense as betraying his country), I think that depends on whether you believe he's exposing wrongdoing or not. If he's found extensive wrongdoing, it's impossible to make that public without damaging the US in the short-term, but in the long-term, he may believe what he does is in the interests of the US. I certainly agree with him.
Sorry, non-Americans: the Constitution doesn't cover you guys. But we need to protect ourselves from our own laws first before we can help the rest of the world.
Personally I think we should try to move past this sort of parochial patriotism and look at this issue as one which affects the whole world. If you accept the argument that foreigners may be spied upon, and anyone having contact with foreigners, you're accepting that anyone who does business outside the US or has contacts outside the US is a potential surveillance target. That probably covers almost the entire cosmopolitan US population nowadays. So much for American privacy. You also accept that states like the UK and Canada will be allowed to take every bit of information that passes through them and pass it back to the NSA, because that data is now 'foreign'. By the same argument text messages in the UK are all swept up, because they pass over the border for technical reasons apparently.
Of course the only country and legal framework we can currently work within is our own, but it is inconsistent and ultimately futile to view this as a struggle for rights in only one country, because the network which we're objecting to is global in scope and global in ambition.
Perhaps more important than the difficulties of separating foreign from US data is the damage this attitude causes to the standing of the US in the world - if this deepens the perception that there is one law of US citizens and another for everyone else, why should other countries treat American data and persons with respect?
Whistle-blowing is an important exercise that keeps the system in check. And I do think this whole thing was an important wake-up call. But it really seems that Snowden has gone beyond any capacity for protection -- the leaks are so far-reaching that it will be easy to steamroll and discredit him. He doesn't deserve treason, but the politicians will be able to make a convincing argument of that (or at least espionage), given the scope of the leaks.
> this issue as one which affects the whole world
> Of course the only country and legal framework we can currently work within is our own
Exactly. This information is too much, too fast, and is overwhelming reasonable options for what can be done. Fix the first things first (surveillance, tapping US companies), and other things later (vacuuming up data globally).
Of course it's impossible to say how fixing the "other things later" should/would have worked -- it could've required another leak (or at least a less egocentric approach), or the process of fixing things in the US could have strengthened rights elsewhere. The way things are going now, I fear we may not even have chance to fix anything at all.
It doesn't convince me. YMMV.
The way things are going now, I fear we may not even have chance to fix anything at all.
Fixing things doesn't depend on what happens to Snowden, even the release of information doesn't rely on Snowden (he's already leaked it all). Fixing things depends on people being informed about the issues and implications, and taking action on it. I don't see why you'd want to be less informed or pretend that this does not require global solutions. One country alone cannot fix this, but we can start with our own countries, by expecting and demanding equal treatment under the law for all.
Personally I think there's plenty of chance to fix this - there is plenty wrong with our societies (UK or US), but also much to celebrate, and much opportunity to discuss what is wrong and put it right. That requires us not to fear failure before we even begin, but to discuss these issues at every opportunity in public forums (in the UK this is particularly important due to Section D notices limiting reporting). I'd like to see my politicians answer to the world as to why this information is collected on innocent citizens on the news rather than hide behind excuses of national security and terrorism.
Well, look who the interview is with.
If you think that's an argument, you should follow your own advice.
On the other hand, I think it's incredibly naive to believe that, once a technology exists, it won't be aggressively used to further the interests of nation-states and multinational corporations alike.
What makes you think for a second that China and Russia aren't using (or at least in the process of building) the same sorts of systems?