XKeyscore: NSA program collects 'nearly everything a user does on the internet' (theguardian.com)
1688 points by sinak 1514 days ago | 612 comments

This is overwhelming. Even when you always hear the claims about we knew this was going on, somehow it is still shocking when you see it all laid out in front of you with screenshots and the capabilities described.

I can see how they get HTTP information, since they would intercept at transit hubs - but how are they getting all Facebook private messages and Gmail?

I was also looking for another unique ID that users are identified by - perhaps a machine or browser fingerprint or some form of intel that can 'glue' different browsers together and make a best guess if they are the same person (Facebook does this with device and user cookies) but couldn't find anything. It seems they rely solely on email addresses, IP addresses, cookies and HTTP headers.

So if you are browsing via 16 tor circuits and a browser that defaults to incognito with session histories being wiped, they couldn't reconstruct your history.

Users of PGP/encryption products being singled out is terrifying. The sooner we have the whole world using decent encryption tools, the better.

Edit: Gmail messages must only be captured when they leave the Google network. They are the only provider to support server-to-server TLS: https://twitter.com/ashk4n/status/346807239002169344/photo/1

They must only be getting a slice of the Facebook chat data, since the transport there is also https.

Facebook Messenger, on the other hand, uses MQTT, so it transmits and stores in plaintext. It has support for encrypted + signed messages with OTR if you are using an alternate client such as Adium or Pidgin.

Really need to go out and audit all of these services and let users know which are better.

>This is overwhelming. Even when you always hear the claims about we knew this was going on, somehow it is still shocking when you see it all laid out in front of you with screenshots and the capabilities described.

It has become a bit of a pet peeve of mine recently to see self-aggrandizing comments from users around the net about how "we should have known" and "none of this is new."

I'm a practically addicted news junkie (especially tech news) and while I've been aware of a fair amount of what has been exposed in this latest leak, it seems that every day there are revelations new to me, and what is revealed absolutely shocks the conscience. And I'm an outlier. I'm more plugged in to reporting on this subject than 99% of the globe's population, and this subject tangles with the rights and treatment of a large portion of the population of said globe.

The staggering majority had no clue, has no clue, and no, they were never informed. For all intents and purposes, the global media has been asleep or complicit.

It's staggeringly important to keep telling this story at every level specifically because "we" don't know, and still don't.

The traditional media is complicit. And it isn't some grand conspiracy either, they just share the same interests as the rest of the establishment, being part of (and/or owned by) the establishment themselves.

There is good independent media that has been covering the story for years though. Here's a Democracy Now story from February 2005:


Democracy Now has an incredible archive on this subject too. Right now it starts here:


Specifically, they've done some great interviews with previous whistleblowers:

http://www.democracynow.org/appearances/william_binney
http://www.democracynow.org/appearances/russell_tice
http://www.democracynow.org/appearances/thomas_drake
http://www.democracynow.org/appearances/jesselyn_radack

Other interesting guests:

http://www.democracynow.org/appearances/jacob_appelbaum
http://www.democracynow.org/appearances/laura_poitras
http://www.democracynow.org/appearances/james_bamford

Only when Jacob Appelbaum was at Wikileaks, they also allegedly stole people's data (through Tor networks). Assange has admitted it - http://www.theepochtimes.com/n2/world/wikileaks-intercepted-...

How is that relevant to the NSA story exactly? Are you saying that the Government vacuuming up any and all data it can, and granting internal and external analysts easy access to that data, is comparable to the owner of a private server analyzing the network traffic of their servers and networks? If you want to hold private server and network operators to a standard that restricts them from doing that you're going to have a bad time.

And the purpose of Tor might be different than you imagine:


Or are you just trying to discredit Appelbaum, Assange, and/or Wikileaks?

Also, is that your article? Should you disclose that? And is there any reason you linked to it rather than the original New Yorker article here:


You're both right. If you read the PATRIOT Act, it's easy to look backwards and see that the things we're becoming aware of now are logical extensions of what was being asked for way back then.

It is, however, VERY easy not to have been able to have that foresight, and I think that the insights people were expecting the government to have been constrained by the fact that all the information of value is collected by neutral third parties. Google, Yahoo, Twitter, etc., aren't likely colluders with the government.

Plus, at the time of the PATRIOT Act's passage, there wasn't quite as much information being put on social media, or out to the public in general. Not as much was online, digital, or otherwise easily indexable.

There were those predicting this sort of possibility before the PATRIOT Act's enactment, and since, to be sure, but you shouldn't feel responsible for not having seen the signs yourself, or for having heeded the words of what probably seemed like kooky overreactionaries from back in the day.

The funniest part about this, to me, is that somewhere, very quietly, Richard Stallman is quietly telling us all that he told us so, and he's absolutely right, and always has been. Neverminding that, he's largely seen as a crazy old paranoiac who we should respect for his IT knowledge, while having to forgive the rest of his eccentricities.

If Richard Stallman is quietly berating us somewhere, he can go fuck himself. Part of educating the masses is being a person who people want to listen to. If he failed at that, he's no better than anyone else, and perhaps far worse, because of all the lost potential.

Part of being intelligent and shrewd is listening to the words that people say, and judging arguments based on their merit. The idea that Stallman should go fuck himself for not dumbing down or tarting up the message enough for you to pay attention to him makes you the asshole, not him.

In my experience, telling people to do something hard (open source, keep privacy, etc.) in the face of a barely perceived danger (government is coming to get you) is kind of a hard message to get heard.

Aside from that, I didn't mean to seriously suggest that he's out there passing judgement on us so much as I was attempting to acknowledge how hypocritical we are for having disregarded his message because of his eccentricities. I think your statement, that he should actively try to be more popular for us to care, is further proof of how wrong we are to be that way.

In an ideal world, your response would have made a perfect satire of how Americans are likely to react in the face of the responsible elder telling us to eat our proverbial vegetables. That it isn't saddens me.

So you're expecting the world to come to terms with Stallman, rather than the other way around.

Think about that for a minute, and then explain to me why that makes more sense.

Speak for yourself. Stallman is a massively influential thinker that has indisputably changed the world positively. A lot of the world has reshaped itself to attempt to resemble Stallman's dreams. His contribution was to have the dreams and to share them in material ways, and he didn't even owe us that.

You're in the bizarre position of criticizing him for being right. You're expecting Stallman to figure out a way to market to you, rather than expecting yourself to figure out how to evaluate arguments and evidence rationally. Think about that for a minute, and then explain to me why that wouldn't make more sense.

You seem to think I'm the one who has a problem with him. I think he's always been dead on, and don't disagree with you in the slightest about his vision.

Where our expectations start to misalign is the part where he's been ignored because he doesn't know how to be a consummate human being (let alone marketer), and you say it's everyone else's fault. Idealism is fucking useless.

Be careful what you wish for because you might end up with Ted Kaczynski.

First of all: keep the staggering to a minimum.

Second: realizing that "we should have known" and "none of this is new" isn't so much about reading news articles and being "plugged in", but rather having an understanding of how the Internet works. To oversimplify greatly, you're essentially playing a very precise game of telephone between around 10-20 different people, and usually about 1-3 different publicly-owned corporations. To be surprised at the possibility of storing packets is somewhat naive considering how simple it is to do.

The technical possibility isn't the new and staggering part, it's the profound lack of morality, respect for any ideal whatsoever, and complete apathy towards the oaths these people took to serve us.

They have completely misused the power we granted them in sacred trust. We should remove it from them at once. If this has become impossible, we need to know that as soon as we can.

I could not agree with you more re: removing them at once. Sadly, I don't think an overly militarized police force, rapid transfer of wealth to the top and the post-911 power grab is going to be challenged anytime soon.

Most Americans still believe they have more to lose than to gain by asserting themselves...

> The technical possibility isn't the new and staggering part, it's the profound lack of morality, respect for any ideal whatsoever, and complete apathy towards the oaths these people took to serve us.

Again, I'll chime in as the resident apologist. The people working at Fort Meade are not evil. They truly believe they're doing a great service to the nation. They may be wrong, and they've certainly thrown privacy out the window. But they are following an ideal: national security.

Post 9/11, the nation went on a war footing. We reacted the way we did to the Nazis and the Soviets. And in their search for an existential threat, the intelligence community seized on nuclear terrorism. These analysts live in constant fear of the day they miss a piece of information and New York, Washington, or London is enveloped in a mushroom cloud.

The best explanations for this type of reasoning that I have heard came from an unlikely source, my grandfather. He's a former FBI agent and WWII Navy veteran. In war time, we threw all sorts of civil, economic, and political liberties out the window to defend ourselves. When I asked him how this was allowed to happen, he said simply, "When you're facing an enemy that wants to cross over the hill into the valley where you, your family, and everyone you've ever known or loved lives, you'll do anything to protect them."

Our grandparents grew up with the threat of the Nazis. Our parents faced the prospect of annihilation by the Soviets. We have had the luxury of coming of age in a time where there is no credible threat to our very national and physical existence.

As a result, it's difficult for us to understand the mindset of someone that spends all day, every day, thinking of the most horrible ways we could be attacked, and then trying to devise countermeasures. It's almost inevitable their perspective on the balance between security and privacy is altered.

I'm not saying this reasoning is morally correct or justifiable, especially when applied to the current surveillance programs, but simply that it is understandable.

The key danger is that these efforts are qualitatively distinct from those in previous generations. The difference between extraordinary measures now and then is twofold.

First, our capacity to surveil the citizenry has exploded over the past two decades, and our legal framework is still grappling with that change. The courts are having trouble understanding that a change in scale can be a change in kind.

For example, it's one thing to have the occasional surveillance flight to search for drug operations. It's quite another to have aerostats and quadrotors watching every inch of a city all the time. But the legal rationale that there is no right to privacy in public spaces allows both.

Similarly, it's one thing to say the records generated by my water company are business records not subject to the Fourth Amendment, but it's quite another to use that rationale to justify monitoring the location of my cell phone simply because my cellular provider maintains the records.

Second, wars have a point where they end, and the extraordinary measures are supposed to be reversed. That's why the "war on terror" and the "war on drugs" are so dangerous to civil liberties. They essentially extend the extraordinary measures during wartime to police problems that have no logical end.

I agree that we've gone too far as a nation. The fact that these queries don't require FISA orders flat out shocked me, even as a careful observer of these issues. But let's not demonize the individuals. After all, they're only doing what the people demanded after we were attacked. This is a democracy, and immediately after 9/11 such measures were resoundingly approved by the public and our representatives, beginning with the PATRIOT Act.

None of that changes the current reality however. We must slowly learn the lesson the British did when dealing with terrorism. If you treat it as an ordinary police matter, something that will always be present, you deprive it of its power to shock, from which it derives its effectiveness.

The fact is that the war on terror must now end. It's time for a return to normalcy.

> The people working at Fort Meade are not evil. They truly believe they're doing a great service to the nation.

Evil doesn't require intent. Some of the most evil acts in history were carried out by people who believed they were doing a good and moral thing. Most evil people don't go around thinking "I'm going to be so evil today!"

I suspect you are correct and that the vast majority of NSA employees think they are doing the right thing for America. That doesn't make their actions any less evil.

> The people working at Fort Meade are not evil. They truly believe they're doing a great service ...

That isn't really a strong argument. Firstly, their actions are supposed to reflect the ideology of the US citizens in general. If they don't, either they are not being administered as well as they should be or they are purposefully ignoring the will of the citizens. Secondly, the idea that because they truly believe that they are doing great service doesn't actually justify any of the actions. If we are forgoing the label of evil because they think that they are doing great work (and I am OK with that, I hate the label 'evil'. It is unconditionally partisan) then it does question whether Nazis/Soviet union deserved the label as well. Because I fear that they too believed in their actions.

> our legal framework is still grappling with that change

US legal framework does not seem to be struggling (I am not a native speaker, so I am assuming that is what you meant). It has expanded the power to monitor and interfere knowingly and willfully. Let's not blame this on misunderstanding or incompetence. While it is the first thing that this should attribute to, the people who have built this system seem highly skillful and knowledgeable. If you claim that decision makers do not understand the new world that has suddenly bubbled up, well it's your responsibility and that of the NSA employees who seem to be following orders without questioning, to either make them understand or replace them. And in all fairness, US voters did. The man even won a Nobel Peace Prize for some reason I cannot understand. But his actions behind the doors seem totally contrary to what his words have been in past. Not really the fault of the voters but it definitely raises questions if he truly understood the costs and still took the leap.

[Edit: grammar]

> Firstly, their belief is supposed to reflect the ideology of the US citizens in general. If it doesn't, either they are not being administered as well as they should be or they are purposefully.

I think this is a very difficult question to answer. If you're a lowly NSA tech tasked with something seemingly mundane (say, writing some automated tool to be used by an internal billing dept), at what point do you refuse to contribute to an organization that may be operating against the will of the people? Who is responsible?

Concentration camps? Me!? No! I just load the trains. It's a tough job market and I need the work. I'm just a regular Johan just trying to get by.

While I feel that the programs the NSA employs are profound existential threats to our liberty and rights, I do agree with you on the balance that the human parts that make up the whole of these organizations fundamentally see themselves as benign and beneficial on the balance. I think it bears mentioning, and it's worthwhile to keep this in mind while we do the necessary work of attempting to dismantle and remove a lot of their power and tools, the ones that have gone far past the line.

Demonizing people and falsely assigning ill-intent doesn't help us address and correct the problem, even if it feels good to do so. I personally have to fight the urge constantly myself because I feel so strongly in the immorality of the net output of the programs themselves.

The issue is that we need to demonize the people who are in fact evil and deliberately built this out and got it going. That list is surprisingly short:

GHW Bush

GW Bush

D Cheney

D Rumsfeld

C Rice

G Clapper

G Alexander

P Wolfowitz

These are the guys that created the orders that the soldiers are following, and the war they are dying in for these criminals' profits.

Naive and unnecessary. The Patriot Act was overwhelmingly supported across the aisle. And it should be obvious by now that Obama is an enthusiastic supporter, based on his treatment of Snowden. Not to mention Pelosi and Feinstein aggressively defending the government's right to suppress information. This has nothing to do with party affiliation. If you believe in Republican Vs Democrat, you're still in the Matrix, and, sadly, sipping the koolaid.

I think you're missing what I am saying, which firstly, is in no way party related.

The people I listed have a decades long history which brought them to the US Coup of 9/11: Cheney in particular.

The above are at the core of PNAC, the CIA's takeover of the executive branch (both Clinton and Obama are their puppets here)

GHW Bush has been running shit since the 70s.

Cheney set up the framework for the current MIC exploitation of the world when he was in Sec. Defense position in the early 90s - then set up Halliburton to be in the position to receive all the mandated private-sector contracts so the military could focus on its "core" -- the same with the Carlyle group.

(Carlyle owned CRG West (MAE WEST) and other fiber infra and DCs)

These guys worked diligently to put all this into place. Obama is just a puppet who was meant to quell the outrage that the Bush regime was bringing.

I posted a list of the key players in this, I did not post any party affiliation....

I can provide a hell of a lot more detail than this too - going back to 1920 with these guys...

It is excessively naive and completely discredits your otherwise potentially salient points to suggest President Obama is a puppet.

You're wading far too deeply into conspiracy territory to suggest that this puppet 'was meant to quell' anything. He is a leader whose administration stands and falls on its own merits.

I think it is naive to believe that each and every administration "stands and falls on its own merits" -- and then in the same breath talk about partisanship.

There is no party but the MIC party - and clearly, the NSA owns that party.

America has died, completely, 100%. There is no such thing as "Land of the Free, Home of the Brave"

This is tin-foil hat territory. The CIA was practically dismantled under Bush 43, and the intelligence agencies fight amongst one another like boisterous stepbrothers. To think the intelligence agencies control the government is vastly overestimating their internal political cohesion and capability.

The IC isn't running the government. They've got their hands full just running themselves.

The idea that we are not free is absurd. If I want to hold a rally for the Ku Klux Klan, that activity will be protected by the full force and power of the United States government. I can worship as I wish, read the books I choose, and write whatever I want (excepting direct threats of violence) with little fear, knowing that laws and courts stand ready to vindicate my rights.

I would take our extensive package of rights over single party political control, strongman leadership, civil law jurisdictions, and common law libel standards any day.

We are certainly no longer the most free nation on the planet, which saddens me deeply. But we are certainly amongst the best on that metric.

Blue pill for me! What a lovely color; it matches this donkey on my t-shirt!

That's way too simple. Many people on that list belong on that list, but...

The American people overwhelmingly approved the Patriot Act, and the idea of surveillance, and the war on terror, and the actual wars on place.

The Obama administration resumed surveillance programs which had been previously shut down.

The military industrial complex has been growing steadily larger since the 1950s.

Congress people from both parties repeatedly approve the growth of the defense budget, and especially parts which gain them money and jobs for their own states and districts.

There are certainly people to demonize, but sorting them out from the well intentioned would be incredibly complicated.

You forgot to add President Obama and other current leaders to the list. Expansion and utilization of these programs has also occurred during his administration.

You're clearly being partisan.

I was talking specifically about the ones who set up the current situation. Clearly there is no argument that it's been embraced and extended by the current puppet regime.

>The people working at Fort Meade are not evil. They truly believe they're doing a great service to the nation.

I don't want to Godwin the discussion here, but it's not at all rare for people to act in an evil (or whatever you want to call it -- bad, harmful) way while not recognizing their own actions as evil.

That people don't think their actions are evil doesn't prove that their actions aren't evil.

Add to that, evil acts are almost always done in service of an ideal. For example the USA has economically and socially gutted many nations by force in service of the democratic/free-market ideal. Yet it's rare to find an American who sees it this way. US-USSR proxy wars in the Middle East and Latin America from the 60s-90s weren't destructive, we were just trying to help those countries out. We wanted to modernize them, to improve their lives, not to destroy them. They were just too uncivilized, too barbaric to get it. Why would they hate us for that?

Hence 'ideology'. Easy to serve, hard to view objectively when you've spent a lifetime on the inside.

>We have had the luxury of coming of age in a time where there is no credible threat to our very national and physical existence.

The Berlin wall didn't fall until 1989. The Soviet Union didn't dissolve until 1991. The period of 1991-2001 was spent fighting proxy wars in former USSR territories or allies [1]. Iraq. The Yugoslav Wars in Bosnia, Macedonia, Kosovo. Haiti. All of this was an extension of the cold war. The Red threat didn't officially end until 09/11/01, Communism continued to be a spectre held over the head of the American public. It's just the discourse shifted from "the USSR has bombs that can kill us right now" to "Communism is bad therefore we're preventing it from spreading". The constancy of threat and surety of the potential for complete annihilation was always there.

And of course, from 2001 on everyone spent all day, every day thinking of the most horrible ways they could be attacked by terrorists. With great encouragement by media and government apparatuses.

>But let's not demonize the individuals. After all, they're only doing what the people demanded after we were attacked.

Again avoiding Godwinning, but to a certain extent you must demonize the individuals. Else there is no incentive for people to be vigilant of runaway ideology, like the US is operating under currently. Else there is no incentive for individuals to formulate a moral compass external to the state, because why bother when "they told me to do it" is a legitimate excuse? The state ideology becomes your morality. After all, you're just tryin' to put food on your family.

[1] - https://en.wikipedia.org/wiki/Timeline_of_United_States_mili...

> That people don't think their actions are evil doesn't prove that their actions aren't evil.

Certainly not. The issue is not their beliefs, but rather the reasoning behind them. Different experiences of the world give rise to different world views. The world view of those that operate, condone, and approve the surveillance arises from a set of historical understandings and modern experiences that neither you nor I share.

To suggest that the scare tactics of CNN and the like is comparable to the psychological effect upon an ordinary analyst of regular intelligence reports of weapons-grade uranium being smuggled out of Russia via Kazakhstan is naive at best.

The threat of true national annihilation, not a specter concocted by a manipulative elite, has been the norm rather than the exception throughout history.

Modern totalitarianism has its roots in a not too distant past in which totalitarianism was the surest defense against large armed groups of humans that would burn your fields, kill your family, and subjugate your people.

That threat didn't disappear until very recent times. The cultural history of the American people is replete with threats to our existence: the CCCP and Warsaw Pact, the Axis, the German Empire, Spanish colonial North American empires, the British Empire, the Quadruple Alliance, the Normans. The intelligence community takes its cues from a long history of existential threats.

What seems so obvious to us is that the current world is stable, and thus extraordinary measures to protect our safety aren't justified. Those charged with national security take a longer view. They see our nation as balanced on a knife's edge between internal strife and external threats. And thus, threats to either must be vigilantly observed, documented, and understood, so that if the time should come when a conflict does occur, we stand prepared.

That line of reasoning is often alien to privacy advocates. I neither endorse it nor deny it. I simply acknowledge that those who study, train, and practice for our defense are not naive when it comes to the risk of violating civilian privacy. They simply set a different value to each of the variables in the risk-reward equation. You may disagree with those values, but it is important to understand them. Blindly denouncing such views as morally bankrupt is simply factually incorrect.

> The Berlin wall didn't fall until 1989. The Soviet Union didn't dissolve until 1991. The period of 1991-2001 was spent fighting proxy wars in former USSR territories or allies [1]. Iraq. The Yugoslav Wars in Bosnia, Macedonia, Kosovo. Haiti. All of this was an extension of the cold war.

The wars you cited were in no way related to the Cold War. Yugoslavia was a strategically unimportant area, relevant to no one in the geopolitical sphere.

The intervention occurred as a direct result of ethnic cleansing that was taking place in obvious, organized, and deliberate fashion. To suggest otherwise is simply incorrect. I've spoken with the head of UNPROFOR from the Srebrenica Massacre. It was a war crime on par with the worst parts of World War II. Clinton himself stated that his reluctance to intervene was based upon the "ancient ethnic hatreds" argument of Balkan Ghosts. The Yugoslavian intervention was about genocide. As a simple fact, it had nothing to do with the Cold War.

> Communism continued to be a spectre held over the head of the American public. It's just the discourse shifted from "the USSR has bombs that can kill us right now" to "Communism is bad therefore we're preventing it from spreading".

Containment of communism was simply not a factor during the nineties. Moscow was crushed, the former Soviet bloc in shambles, and Russian interests retreating from throughout the world. Hence the remarkable cooperation on nuclear arms, energy policy, and democratization between the Yeltsin administration and the Clinton administration.

>I don't want to Godwin the discussion here... Again avoiding Godwinning...

I believe the Romans had a term for emphasis by pretended omission.

> to a certain extent you must demonize the individuals. Else there is no incentive for people to be vigilant of runaway ideology, like the US is operating under currently. Else there is no incentive for individuals to formulate a moral compass external to the state, because why bother when "they told me to do it" is a legitimate excuse? The state ideology becomes your morality. After all, you're just tryin' to put food on your family.

In a totalitarian state, this argument would indeed hold water. However, you gloss over the most significant part of the counterargument. We didn't simply allow extraordinary efforts against terrorism, the people of the United States overwhelmingly endorsed it.

A democracy is beholden to its people. Its morality is, by definition, derived from the consent of the governed as expressed through the democratic process. Vox populi, vox dei, as it were. To point fingers at talented and intelligent programmers, people with whom we would be excellent allies and friends in other circumstances, excuses the true culprits: us.

We are to blame for this leviathan. Not the NSA, not Obama, not Bush, not the DNI, DIA, CIA, FBI, or any other amorphous acronym.

We need to understand the reasoning of those that built these programs, not simply dismiss them as callous power hungry sociopaths. We need to grasp the history that informed their reasoning, both recent and that which began far before that day in September.

Most importantly, we need to remember that blaming individuals does nothing to prevent the true failure, a systematic disregard for the right to privacy and the guarantees thereof provided by the Constitution.

The war is perpetual, citizen. Remember:

"War is peace. Freedom is slavery. Ignorance is strength."

Orwell in 1984: "Part of the reason for this was that in the past no government had the power to keep its citizens under constant surveillance. The invention of print, however, made it easier to manipulate public opinion, and the film and the radio carried the process further. With the development of television, and the technical advance which made it possible to receive and transmit simultaneously on the same instrument, private life came to an end. Every citizen, or at least every citizen important enough to be worth watching, could be kept for twenty four hours a day under the eyes of the police and in the sound of official propaganda."

It's a surprisingly interesting novel.

Yes, I quite agree.

I have a tremendous amount of respect for those in the security services, who have been given a rather difficult job to do, and who seem (from the vanishingly small amount that I know) to be approaching it in a professional and objective manner.

I have no desire to be nasty, and if I have personally offended anybody by what I have written, I most profoundly apologize for the hurt.


This is an important issue, and it deserves public attention and a detailed debate. I hope that some of my provocative wailing and doom-mongering has done what was intended: provoked some thought and consideration.

This is, after all, politics, and, as I have mentioned before, we sometimes need to make a caricature out of our own positions in order to make a point. Omelettes and eggs and all that.

I'm not American, so I'm wondering: was the public really actually behind the PATRIOT Act, or were they merely giving leeway in a time where everyone was supposed to go along? Or were you thinking that's the same thing?

Same with the politicians; were they really for it, or simply incredibly afraid of the political suicide that would be the results of standing up against it? Because this was a time when people did not question Bush. From today's perspective on his administration's actions, that seems odd, but it was the reality at the time.

Many of us were, and still are, against it. Its passage was very questionable and suspicious, particularly regarding the lack of informed and reasonable debate on its requirements and broadly invasive permissions. It was passed overnight. There was word that many (most?) congresspersons did not even read the bill before passing it by a huge majority. It was emotionally charged and rational criticism was nearly non-existent before it was passed.

Only 66 Representatives voted against it--62 Democrats, 3 Republicans, 1 Independent. Only 1 Democratic Senator voted against it, while another Democrat abstained from the vote.

At the time the Act passed, Americans were in the midst of a fear frenzy. It was a pervasive culture of fear and panic, the likes of which I can only compare to anti-Soviet fears of the Cold War. People all over the country actually went to stores to buy all kinds of emergency and survival supplies to build up their own anti-terror kits (I forget the name for this that was popular at the time).

Many of us questioned Bush from the moment he was declared the winner of the 2000 election by the Supreme Court. We took part in protests all over the country after 9/11 to oppose the buildup to war in Iraq. I took part in protests in D.C. It was all ineffectual. Fear gripped the country and few paused to consider the long-term ramifications of the actions taken in September's wake.

The public was behind doing something. Much of Congress didn't want to be seen as impeding something.

It was obvious from the length of the act alone that even Congressional staffers couldn't have read it carefully between the time of submission and the time it passed. Quite a few people that I knew were weakly opposed, but the sunset provisions may have made it more palatable.

It takes character to stand up and defend doing nothing when something "must be done".

>It was obvious from the length of the act alone that even Congressional staffers couldn't have read it carefully between the time of submission and the time it passed.

This is a little off topic, but I always see this trotted out when people talk about big laws (like Obamacare, PATRIOT Act, etc) and it's not really true. Lawmakers usually work with and read a "normal language" version of laws that then gets transformed into a stricter legal version by staffers and experts. They will look at the actual legal version of the law if they care about a specific rule or section, but they usually don't need to.

It is an incorrect characterization when referring to the Affordable Care Act, as that went through so many revisions and debate over such a long period, that anyone who did not read it has zero excuse (including the public who allows itself to be misinformed about its contents). But it's not quite unfair wrt the PATRIOT Act. There was widespread reporting, complaining, and outright indignation that the PATRIOT Act was never read by a majority of congresspersons who voted for it. It was so massive, that there was little time to actually read the legal language overnight.

Of course, I expect my lawmakers to actually read the legal language.

The point is more that for most lawmakers there's not really a need to read all of the nitty gritty legal language. If you're a House Rep from Kansas whose core issue is corn subsidies, reading all of the PATRIOT Act isn't really going to do you much good. Instead, you read the summaries and listen to the opinion of the experts in your party who have read the whole act.

It's important too to note that this isn't a "big law" or even an American thing. Virtually all bills of any substance work this way and it's pretty much standard practice in most countries.

That being said, I'm not defending the PATRIOT Act. I just think the argument that not enough people read it is weak, especially considering all the real arguments you can make that actually attack the substance of the act.

You make some decent points. However, I'm still going to counter that 'the argument that not enough people read it'--i.e., proposed laws--is strong, not weak.

The point is that for all lawmakers, there is both a need and sworn obligation, in addition to national expectation, that they read all the nitty gritty legal language they are voting on, by which all Americans are bound to abide.

That's what lawmakers are there for--to know what in the hell they are passing as laws. If they can't be bothered to do their job--which, at the national level, goes far beyond just securing corn subsidies, because they're voting on legislation that touches on all Americans--then fuck 'em. Throw the bastards out on their asses, and send them back to the cornfields.

For the most part, we as Americans didn't actually ever read the Patriot Act, and we didn't get to vote on it. Our representatives that we elected before we ever knew 9/11 would happen voted for it in a climate that made it politically suicidal to not vote for it.

To be clear, the "hawk" politicians (and let's be honest, many on the left) believed in the legislation but also exploited the tragedy to ram it through and neutered the ability of the other side to have a reasoned debate.

Our population was attacked, angry, and for the most part followed the lead of politicians who said we needed these laws to fight the people that attacked us.

In the aftermath, the scrutiny on the part of the American people never materialized. You're basically witnessing the moment where the most scrutiny on these types of programs/laws has ever occurred since 9/11. Worth keeping in mind that many components of these surveillance programs also predate 9/11.

How can anyone really be behind something they barely know anything about? When a bill like that comes around, the general reactions usually run from If You Say So to They'd Better Not Screw This Up. Some are completely deferential, some are completely skeptical. Nobody knew the details of what the law entailed for certain, so argument over it is like kickboxing on a waterbed: pointless, but vaguely resembling real fighting/debate. EDIT: to be clear, the general assumption is that Congressmen know enough about the law to understand it (some things can be withheld from the public).

> incredibly afraid of the political suicide

Afraid is not the right word. Aware. When all (public) evidence concerning a law says "fight the terror!" and buildings are still blowing up, you'd have to represent a very interesting district to be "soft on terror".

Yes, they really were behind it here in America. The overwhelming majority of the people on this planet are unamendably stupid.

So concentration camps were understandable???

You are nuts if you think that that was acceptable given the circumstances.

Just doing my job is not sufficient in jobs such as these.

You're confusing understandable with permissible.

I understand Nazi concentration camps. It was a manipulation of nationalist sentiment against an imagined internal enemy, conveniently one that could be dispossessed of a great deal of property, coupled with a never before seen combination of the pure survivalist id meeting modern state capitalism.

I understand United States concentration camps. While we certainly didn't starve, gas, or force Japanese, German, and Italian Americans, we did relocate large numbers of them to temporary camp facilities for the duration of the war. It was believed that recent immigrants and their children might harbor loyalty to extremely dangerous enemies and could serve as a fifth column in the event of an invasion. For what it's worth, despite the indignity and suspect constitutionality, that's a far cry better than most nations have acted in similar circumstances.

Both of those events are understandable, in that I can understand the thinking of the people involved. It does not mean I morally condone it. What I'm attempting to combat is the notion that all acts with which one disagrees must be the result of moral bankruptcy or internal failing.

Usually there is a logic, however skewed, behind even the most heinous events in human history. The first step to preventing those events is to understand that logic. Only then can we address the root causes of the problems we wish to solve.

In this case, I'm suggesting that the root cause was a panicked citizenry seeking shelter from a very real threat, not a government seeking to blindly expand its power. That's an unpopular opinion, but alternative interpretations lead to different actions.

Interestingly that's not the part I find new or staggering at all. I suppose that's just an exceptionally cynical worldview at work? No matter how "sacred" the trust I always expect this amount of power to be misused to this degree when it's secret and consistent with the ideologies present among those with that power.

I understand your point, but you fail to realize that comments like "why are you surprised?" induce a kind of digital bystander effect: they're essentially defusing moral outrage via social proof. If you read a comment like that, you may think to yourself, "well, this originally seemed like something worth loudly protesting, but if everyone already knows about it, then I guess it must not be that big of a deal." It has the effect of numbing outrage regardless of the outrage's merit, and I can't see how that's productive.

If you feel that the outrage is in fact without merit, then attack that on logical/rational grounds, not by appealing to social proof.

>Second: realizing that "we should have known" and "none of this is new" isn't so much about reading news articles and being "plugged in", but rather having an understanding of how the Internet works.

These are exactly the kinds of comments I'm talking about. The preponderance of people affected by this program on the globe (a staggering amount if you will) had no knowledge of this because the media failed, and are not, in fact, technically savvy on any level and don't understand, at all how the internet works in relation to the technologies employed by these programs.

>To be surprised at the possibility of storing packets is somewhat naive considering how simple it is to do.

For the vast majority of the potential consumers of this knowledge, this just simply is not the case. At all. They aren't being naive. This is highly technical to them and severely under-reported, and where it was reported it was not explained terribly well, nor was there meaningful conversation surrounding the reporting's aftermath.

But congratulations, rmrfrmrf, on being one of the select few that are not naive. We need to get you some sort of prize.

> These are exactly the kinds of comments I'm talking about. The preponderance of people affected by this program on the globe (a staggering amount if you will) had no knowledge of this because the media failed, and are not, in fact, technically savvy on any level and don't understand, at all how the internet works in relation to the technologies employed by these programs.

Of course at least the mainstream media (MSM) failed. Why? It's a very old story, rock solid in the media: An MSM media company is in business to make money. They have some old techniques for doing so. Their main technique is to get eyeballs for ad revenue; for that their main technique is to grab people by the heart, gut, and below the belt, always below the shoulders, never between the ears; the content is essentially only light entertainment following the framework of the ancient Greeks we now call formula fiction; the content is nearly never the information needed by an "informed citizenry".

The best hope for the information citizens need is Web sites on the Internet and search engines that can help people find that information.

Third: NSA whistleblowers have been stating what was more or less going on for years… (here's a talk by Binney from last November [0])

Funny enough, I wrote a post on this subject matter too before the Snowden leaks where I included the video as well…[1]

[0]: http://techtv.mit.edu/embeds/21783?html5=true&size=full&cust...

[1]: http://blog.pictobar.com/post/47787766458/why-so-silent

Maybe I am just having trouble seeing the point of "see I was right all along"? Why would we be upset at the newcomers to the ranks of the enlightened? I would prefer to just nod, point to the preexisting evidence, instead of driving people away with unproductive "I told you so" hostility.

I agree with you 110%.

That being said, I can also imagine how frustrating it must be to be a person who's spent years (maybe decades) worrying about something that's really happening, only to have their concerns dismissed with a wave of the hand or marginalized as "tinfoil hat" conspiracy theories. It's not hard to imagine how that could sour the disposition of even the sunniest person.

Welcome to /r/conspiracy - come on in!

I agree completely. We need more education on the subject as opposed to back patting, and we definitely don't need to attack the very people that need to hear and understand the reporting most, as the person you are replying to is doing, by calling them naive. A bit sad imho.

My issue with the conversation now that this has gone "mainstream" is that people are now allowing the media to shape their viewpoints (like everything else that seems to blow up in people's minds who are normally distracted with reality tv or how awesome they think their life is [personal experience from family members/friends/how I lived for some time]), without digging further beyond what people are talking about at the surface.

The emotions are most likely to be anger and disgust of having their sense of reality shattered, inciting most people who feel powerless to change their habits, to go and protest. And as we all have seen around the world and even within the United States, protests can get pretty hairy, pretty quickly and not in the favor of people who want to live peacefully…

Outside of the issue of inciting the masses to act out physically, there is very little public "mainstream" acknowledgement that corporations are collecting and sharing the same types of data (and more) between one another, where issues surrounding any type of morality become selling points for products. So then the theoretical situation becomes: Government agrees to stop its dragnet programs, non governmental entities will continue to do so as long as people use their services… where's the protest for that (and when that comes they'll hire private contractors to protect them and their interests [remember OWS 2011])?

I posted this a while back on information asymmetry and the surveillance state [0], which lays out simply what is going on now in the minds of people and what is at the core of the issue people are talking about. I also propose an idea about the direction I feel would be more beneficial for the energy to be placed on my post as opposed to the logical conclusion of where all the anger will be placed by people who are now willing to enter the conversation from recent "mainstream" exposure [1].

[0]: https://news.ycombinator.com/item?id=6042241

[1]: http://blog.pictobar.com/post/52533760444/the-nsa-is-closed-...

To paraphrase (or is it a direct quote?) Jacob Appelbaum, "Quiet, please. Adults are talking."

This is staggering, and to chide others for being staggered is the worst kind of truculence.

More relevant, and useful: What are we going to collectively do about it now that we know, beyond a doubt, what exactly is happening?

I share your pet peeve and I can only assume that the "meh, no big surprise here" response stems from two things: wanting to sound just as knowledgeable as the person who brings up the topic (despite not having any new information); and at the same time justifying their complacency about the issue.

Exactly. That type of cynicism and one-upmanship is grating.

>and at the same time justifying their complacency about the issue.

A good theory, as I have an extremely difficult time imagining anyone in an activist (non-complacent) stance on this issue ever reacting like that to these revelations.

Is it self-aggrandizing? I suppose I'm one of those people.

I was shocked by having this laid out as well but I really did just assume this was probably going on. It was technically possible, it was politically possible and it was financially possible. If I shared the worldview of the people doing this and been in the position to do this, I would have been itching to start this level of collection and data mining.

I will admit to part of it being satisfaction at no longer getting the "oh put your tinfoil hat away, no one would do that" response whenever it came up, which was always based solely on the old "I don't like the implications of this being true therefore it can't be" argument. It's also relief that there is finally a discussion about a subject that was previously only seriously discussed by a small number of people.

I take your point that the I-told-you-so gloating isn't helpful and doesn't reflect well on those who do it but I disagree that that was ever meant to discourage discussion, if anything it was anger at the fact this discussion has taken so long to occur.

For me, personally, it's not about "look how smart I am" as it is genuine surprise that the story actually seems to be sticking this time.

I'm glad that people are paying attention, but especially early on, it wasn't entirely clear that Snowden's leaks were substantially different from the leaks that have been coming out of the NSA for years that never got traction in the media.

I think the type of leak is substantially different, the other leaks were all somewhat hard to describe. The Snowden leaks have the names of well known companies in big menacing letters.

> For all intensive purposes

FYI, it should be "For all intents and purposes". :)

Thank you davej, fixed. That mistake is hard-coded in me. It won't be the last time I make it.

Great Googly Moogly this place is friendly. Like Reddit with a +7 CHR and +11 INT roll.

It's great, isn't it? :) I'm just scared some day it will wear off, like the state Reddit seems to be in now...

From the slides, apparently a node in the system just connects at an ISP or peering site and grabs all the packets. Then they essentially 'parse' the packets to TCP/IP sessions, logical user sessions, e-mail messages, etc.

Then back at HQ, can send the node what are essentially 'filters' to return 'alerts' and the associated content.

So, point: As a system, it's quite obvious. As software, it's quite routine.

And, from their description of working with anomalies, they are being just intuitive and elementary and not at all advanced or powerful.

It would appear that a terrorist Internet user could do fairly well beating that system by using a proxy server also used by many other Internet users and also using a lot of strong encryption -- PGP used well might be strong enough.

> From the slides, apparently a node in the system just connects at an ISP or peering site and grabs all the packets. Then they essentially 'parse' the packets to TCP/IP sessions, logical user sessions, e-mail messages, etc.

See? No "direct access!" Google/FB/Apple's statements, totally reassuring.

I've been hearing about the NSA's massive data center in Utah for well over a year, from public news sources. They have always suspected that its main purpose was the warehousing of Americans' private communications.

I'm one of those "none of this is new" types. The fact is, we ALL very much should have known. Do the words "Echelon" and "Total Information Awareness" ring any bells? These were terms being used pre-9/11. There is no excuse for someone technological and with a small inkling of understanding of human nature to not have seen all of this coming. There really isn't.

If you're waiting for someone like Snowden to come along and spoon-feed you all the ways the government can screw you, you're doing things completely wrong. Oversight requires foresight.

> It has become a bit of a pet peeve of mine recently to see self-aggrandizing comments from users around the net about how "we should have known" and "none of this is new."

I agree that "know" is a bit too glorifying. I propose "suspected".

I don't find this surprising at all. Practically 99.99% of a normal user's Internet activity is centered on Facebook, Google (including Gmail) and a handful of other sites. The amount of data everyone is requiring in order to provide a service also includes pretty much anything you need in order to track someone.

It's not news you need to pay attention to but some of the more theoretical aspects of networking in a second-year course.

I have nothing wrong with people having suspected it for a long time, or even saying so. I suspected it for a long time as well. My problem is with the attitude many people seem to have once evidence confirming those suspicions comes out and they go on about how the evidence means nothing because they knew it all along. No, the evidence confirms their suspicions, which makes it incredibly important!

Ultimately, whether they intend to or not, such statements end up making other people who are hearing about this for the first time more complacent about it because they come into the comments and see a bunch of people going on about how it's nothing new and therefore the new information is no big deal.

I think it's just a demonstration of complacency more than any actual knowledge on the subject. I've noticed it's invariably my non technical acquaintances who are the first to pontificate on how this is all somehow boring old hat.

I'm betting tonight on the news, this story will be eerily missing.

Room 641A?

> I'm a practically addicted news junkie ...

More like a news sheep. The mass market news is and has always been 49% fluff and 49% lies.

Comments from people who already knew what the NSA does are not "self aggrandizing". They are other-insulting. You should rightly be ashamed that you walk through life in a news fog of up-to-the-minute minutiae. Read books by retired insiders, talk to current insiders and contractors. That's the only way you will learn anything about anything. To wait for the newsmen to do it for you is to sign your mind over to tampon salesmen.

The NSA story is staggeringly unimportant. Every government, many companies, and rather a lot of organized criminals run intel and counterintel operations. It is just a fact of life, like antibiotics and highway construction. It is inevitable that there must be a national American signals intelligence organization.

What is staggeringly important is why the NSA alone, out of all the spy organizations, is being singled out for a comprehensive media war. The most likely explanation is that the Democratic Party needed something to distract from its peccadilloes. The next most likely explanation is that a foreign government is getting themselves some payback. In any event, if you care about this non-news, you are just another mindless pawn.

Wow, what a staggering misinterpretation of what the parent said.

Every time I post the truth about this NSA fiasco, I get:

1. Downvoted to oblivion by a hivemind, and

2. Somebody like you chimes in with a content-free emotional outburst.

So exactly what did I misunderstand?

The incontrovertible fact that this really isn't news?

The fact that every history and exposé on the NSA has been saying this for decades?

The fact that the NSA tried cramming the Clipper chip and key length restrictions down our throats to make domestic spying easier? For half a decade this was a weekly running joke on Slashdot that you had to have been living under a rock to miss.

That the previous commenter claimed to be a "news junky" and then admitted that by news he means the mass media—a pack of tampon salesmen and political hatchetmen.

>That the previous commenter claimed to be a "news junky" and then admitted that by news he means the mass media

Absolutely nowhere did I say, or even begin to imply that. In fact, I explicitly called out the mainstream media for being complicit and/or not reporting on this issue while indicating that much of what is being reported was already known to me. Not only did I NOT say that I get my news from the mainstream media, the implication was, if anything, that I did not. The mainstream media is about the last place I'd look for competent coverage of this issue.

You're terrible at reading comprehension. Terrible. You make a lot of assumptions, all of them wrong, then proceed to insult other people based off your incorrect assumptions.

Additionally, the only thing incontrovertible is that this is news to the vast, vast majority of people who are affected by these programs. Those are the real numbers. But I know you. You're part of the Pedestal Crowd furiously patting themselves on the back. Good for you Danny. Atta boy.

Yikes, please read the parent's response to yours. He explains better than I can how you completely misinterpreted his initial comment.

The main thing that this new release reveals is not the scope of the data collection, but confirmation that analysts are given free rein to perform queries. Until this, there was an outside chance that the system required all database queries to be signed by a Judge prior to execution. This is not the case though; all queries are processed immediately, with essentially nothing more than a repo commit message as justification, and basically any analyst can do it.

Exactly. There were a lot of people from the government that came out in the past few months and said there are checks and balances and a lot of oversight in these processes. That clearly isn't true.

It will be interesting to go back through all of those statements with this new information/evidence on hand.

Greenwald has timed this well. He put out enough information early on to give Snowden opponents enough rope with which to hang themselves.

And if his comment further down in the thread is anything to go by then there is a lot more to come.

It's an interesting problem for the talking heads: How much will be revealed? They're caught between a rock and a hard place, if they start telling the truth they might reveal something that the leaked docs don't support, but if they tell a lie they might be found out.

This trickle strategy is working very well. The best course of action for the people under the microscope would be to shut up and if they are compelled to talk to say the absolute minimum but to still tell the truth.

It's pretty impressive how Greenwald, Snowden et al are organizing the staggering/trickling. They're not just releasing any old info at periodic intervals. They seem to be anticipating the responses NSA/USG will give to particular leaks (e.g. analysts can't run searches, there are checks and balances) and choosing next leaks based on how they can prove those NSA/USG statements wrong.

It's like the Socratic method for public/government relations.

The goal seems not just to be exposing the magnitude of this surveillance system, but also the government's systemic disregard for public mandate in the USA right now.

>Greenwald has timed this well. He put out enough information early on to give Snowden opponents enough rope with which to hang themselves.

I have to wonder if the staggered deployment of the leak has anything to do with savvy, or more with his own need to digest what he's got as he works through it and reports as he goes.

Either way, the story has more legs than past revelations, so I'm happy for that, and I certainly would love for it to be the case that there is a degree of effective calculation behind the deployment of the info with the goal of keeping the conversation alive and neutering critics. Goodness knows that this story needs all the help it can get. It's up against not only the resources of some of the most powerful governments on the planet, but also the lacking attention spans of their populations combined with relatively disinterested media.

I'm heartened that the noise level has remained so high since the first Guardian article (in this latest series).

Response from Greenwald in the comments:

Q: Thanks for reporting this. I have to ask though, why is it that you are doling out this information now after the recent congressional inquiry into NSA spying and not earlier?

A: We've published almost two dozen exclusive articles about NSA spying in the last 7 weeks, in multiple different countries around the world. Is that pace not fast enough?

There are thousands upon thousands of documents and they take time to read, process, vet, and report. These are very complex matters. On top of everything else that has to be done with these articles, from explaining, debating and defending them in the media to dealing with the aftermath.

People can accuse us of many things. Not publishing enough or fast enough is hardly one of them.

That House vote was about one specific topic - bulk collection of phone records - that this newest article has nothing to do with. That House vote isn't the be all and end all: it's just one small battle in what I can assure you will be a sustained and ongoing discussion/controversy.

There is a lot more to report still. Accuracy is the number one priority. That takes time.

Thanks for the context Happer.

Devil's advocate here: If in fact all of this is being collected, is it actually illegal to search without a warrant? If all of the above items are being siphoned off the internet via taps in concentrated NAPs around the USA and the world, and everything is in plaintext, this doesn't seem to be technically against the law.

Read the 4th amendment.

Just want to clarify something:

> I can see how they get HTTP information, since they would intercept at transit hubs - but how are they getting all Facebook private messages and Gmail?

I don't know how they're getting GMail (and this is probably a slide from when GMail was accessible via HTTP and not HTTPS), but Facebook chat specifically is done over a non-secure XMPP server. The only 'secure' part of that transaction is login, as far as I remember, once you're past that none of it is encrypted.

With Gmail, all it takes is one request to almost any Google service to leak through a non http connection and they have your Auth cookie. Once they have that, they are you. And yes it is that easy, anyone can pull it off at Starbucks, hotels, even some ISPs.

Not speaking for Google, but in general, auth cookies (rather than identity cookies) will only be sent over HTTPS using the "Secure" cookie attribute. This is something done at the browser level, so short of using a very badly behaved browser or HTTP client, this is unlikely to happen.
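The browser-side rule described in the comment above, as an added example that is not part of the original thread: a minimal cookie jar that decides which cookies accompany a request, so the effect of a missing "Secure" attribute on a plain-HTTP request is visible. The host example.test, the cookie names and the header values are constructed for illustration, and the matching logic is a simplified reading of RFC 6265, not any browser's own code.

```javascript
// Constructed Set-Cookie headers for a hypothetical site, example.test.
const SAMPLE_SET_COOKIE = [
  "SID=abc123; Domain=example.test; Path=/; Secure; HttpOnly",
  "LEGACY_AUTH=def456; Domain=example.test; Path=/; HttpOnly",
  "PREF=lang-en; Domain=example.test; Path=/",
];

// Parse one Set-Cookie header value received from originHost.
function parseSetCookie(header, originHost) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift();
  if (!first || first.indexOf("=") < 1) {
    throw new Error("malformed cookie pair: " + header);
  }
  const eq = first.indexOf("=");
  const cookie = {
    name: first.slice(0, eq),
    value: first.slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: exact host match only
    path: "/",
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "path" && val.startsWith("/")) cookie.path = val;
  }
  return cookie;
}

// Simplification: a real browser also rejects a Domain attribute that
// does not cover the origin host; that check is omitted here.
function buildJar(headers, originHost) {
  return headers.map((h) => parseSetCookie(h, originHost));
}

function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Names of the cookies that would be attached to a request for url.
// A Secure cookie is withheld unless the request scheme is https.
function cookiesSentFor(jar, url) {
  const u = new URL(url);
  const encrypted = u.protocol === "https:";
  return jar
    .filter((c) => domainMatches(u.hostname, c))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => encrypted || !c.secure)
    .map((c) => c.name);
}

// Audit: which cookies the caller treats as authentication cookies
// would still travel in cleartext because Secure is missing.
function auditAuthCookies(jar, authNames) {
  return jar
    .filter((c) => authNames.includes(c.name) && !c.secure)
    .map((c) => c.name);
}

const jar = buildJar(SAMPLE_SET_COOKIE, "www.example.test");
console.log("over http :", cookiesSentFor(jar, "http://www.example.test/img/logo.png"));
console.log("over https:", cookiesSentFor(jar, "https://www.example.test/"));
console.log("auth cookies lacking Secure:", auditAuthCookies(jar, ["SID", "LEGACY_AUTH"]));
```

Running the audit against the Set-Cookie headers a login flow actually returns shows whether any credential-bearing cookie is left without "Secure".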

Sorry for being so naive... does that cookie expire eventually? I have been using HTTPS everywhere on my machine, but if I log in to my Google account for YouTube, for example, from someone else's computer, how much data can they realistically download and how long would they have that ability?

You're right the slides are pre default HTTPS gmail (2007/8).

But even then gmail is the only webmail service that offers server-to-server encryption, so data can still get intercepted when communicating with someone using yahoo mail or hotmail for example: http://news.cnet.com/8301-13578_3-57590389-38/how-web-mail-p...

Good point.

You think HTTPS keeps you safe? All it takes is ONE recipient to have an insecure connection and the entire thread is revealed.

Isn't it nice how every email conveniently includes a copy of the entire preceding conversation.

Assume that Tor is broken. With this level of deep network monitoring, low-latency onion routing is essentially useless.

Hidden services are still secure, presumably, because there is no exposed section of the network to inspect. All they can do is monitor and do statistical analysis, and maybe mess with the traffic to try to get more ideas of flow.

I wouldn't for a second bet on it. A hidden service has exactly the same issue as traffic that exits the network. The topography looks like this.

    httpd > tor node > tor node > tor node > rendezvous point < tor node < tor node < tor node < client

With enough monitoring, the location of the web server (or other hidden service) can just be found out by bombing the hidden service with traffic and seeing what end point lights up with traffic. With fine enough monitoring you wouldn't really need long to find out the real location of the server. It's just not something the network can effectively hide, even if it used chaff (padding) to hide the wheat.

There are practical attacks for enumerating hidden service public keys, and so I wager that there's somebody somewhere with a complete map of the real server locations as well.

According to tor metrics only 17% of tor endpoints [1] and a similar percentage of relays [2] are in the USA. The kind of monitoring you propose would require a much higher portion of them to be under NSA control.

[1] https://metrics.torproject.org/users.html

[2] https://metrics.torproject.org/network.html?graph=relaycount...

The question isn't how many endpoints the NSA has, it is how much bandwidth they have at the endpoints (actually, it is more about how many unique users use their endpoints). But, assume that 1% of Tor connections go through an NSA exit node. 1% of that 1% would go through an NSA exit node at both ends, and is therefore compromised. Tor tries to mitigate this by always using the same exit nodes for your connection (reducing the chance of ever being compromised, but if you are compromised, it is for much longer). However, inevitably you occasionally do need to change your exit nodes, which gives the NSA another roll of the dice. Additionally, when talking about drag-net surveillance, 1% of 1% is still a lot.

The bigger protection is the ease with which the NSA can mount this attack on TOR. I have no doubt that they could do it, however I do question if they can do it on a massive scale.

"Tor tries to mitigate this by always using the same exit nodes for your connection"

Think you're getting your entry and exit nodes mixed up there. Tor chooses a small number of entry nodes (entry guards) and attempts to only use those.

I imagine that when you have taps at all the colocation centers (which each node would need to go through - and even a surprising number of hops overseas go through the US due to the cheaper price of bandwidth) you may not need to control the endpoints to break anonymity, with enough statistical analysis of the packets entering and exiting the known tor nodes. Tor doesn't work against attackers who can monitor the whole network, and the developers say so up front.

The NSA seems to have extensive monitoring in many countries, not just the United States.

Who said the NSA had to limit its nodes to the United States?

I would think Silk Road provides enough incentive that if the government could defeat tor hidden services, they would have busted Silk Road.

Absolutely not. The government is not one unitary piece. The NSA is not the ATF is not the FBI. These capabilities were likely kept secret from other governmental agencies as much as the public.

Furthermore intelligence agencies are well aware that every action communicates information back to their adversaries. It's a no-brainer to let Silk Road exist if you think doing so gives you the edge on terrorism, or otherwise furthers the national interest.

Silk Road is a few pennies and few gram transactions. [See the data here http://arxiv.org/abs/1207.7139] It would be foolish to expose their snooping capabilities for this, right? Wow, Tor is not considered safe... Amazing

No way. What you forget is that once they bust it -- then they've REVEALED that they have the capability to do that.

Once they've revealed that, then people take account of it, and it becomes harder for the NSA to monitor them.

Half of the signals intelligence game is keeping your capabilities secret, so you can keep monitoring the signals, rather than have your target change their game.

That is to say, if they can get into Silk Road, then they probably ARE already monitoring everything that happens on Silk Road, and they'd rather it stay UP so they can keep monitoring the people on it (being very careful never to reveal that they can monitor it), than bust it so the people go elsewhere.

If every police officer had access to these tools, the news would leak much sooner.

So I would think these tools are available only to a select few, and those are more interested in more high-profile tasks like catching extremists or going after political opponents.

I, frankly, don't think SR is that high on government list. Not yet.

Historically, it has proven unwise to underestimate the NSA. Not being a booster, just thinking about Keyhole, tapping submarine cables, etc., etc.

Thanks for pointing this out. Good to see a peer preacher.

Steve Gibson has been covering how they can get at this stuff and what alternatives you have on the Security Now podcast.


Briefly summarized, the only way to do secure mail is PGP, the only way to do secure chat is to avoid all the main chat networks. And Microsoft actively designs their systems to be easier to access for the NSA (far beyond their legal obligation) so you may assume that any Microsoft product is a direct line to the NSA.

Facebook ex-CTO joined NSA not too long ago, that might have helped?

Probably not as much as FB co-founder offering his company Palantir services to government on people's intelligence.

I also suspect that Palantir is involved.

Haha, suspect. You know their tool for importing new types of data into a Palantir system is called Prism, right? Aggregating data from different sources and linking it is all they do.

What's really sickening is that you can tell that programmers or very technical people were involved at some level to design these systems which help people construct rubber-stamp plausible deniability. Whoever these people were knew full well that they were architecting systems that skirt the letter of the law if not outright flout it.

Somewhere there is an architectural diagram of these systems that describes how to make people check checkboxes before releasing information. CYA-oriented programming that has clearly driven the entire design of this thing.

Keep in mind also timeframes. Facebook HTTPS use -- and more so use by default -- is more recent. Remember the whole "sheep" debacle?

Even Gmail HTTPS use is somewhat recent and not original to the product.

Further, one might combine this with reporting about initiatives to gain company SSL/TLS private keys, account passwords, and the like, in some interesting speculation -- if speculation it remains.

Amongst all the rest, I would point readers towards browser fingerprinting. It's difficult for me to imagine they are not using it.

If the public is going to have some degree of counter-measures, this will include browser and other client software becoming more pro-active about anonymizing its own profile / usage profile. For one thing, stop sending highly unique fingerprint data such as font listings to every Tom, Dick, and Harry. Just one thing amongst many...

> edit: Gmail messages must only be captured when they leave the Google network.

It seems easier for the NSA to tap datacenter <-> datacenter fiber links inside Google's network.

Why worry about decryption when you can have Google's frontend servers do it for you?

Or, the NSA could force Google to provide them with private keys to their certs for "national security" and then they can mitm all they want.

Why assume that inter-datacenter links are not encrypted?

Why would Google (or anyone) link to them directly? with fiber no less! this stuff is alarming enough no need for FUD.

This XKS business seems about intercepting non-encrypted traffic as the references to HTTP payload quoted in the article would suggest.

> Why would Google (or anyone) link to them directly? with fiber no less! this stuff is alarming enough no need for FUD.

Who says Google has a choice or is even complicit? The backbone providers have mostly stayed mum and it's known that the likes of AT&T split their fiber for the NSA. If we're willing to go to the bottom of the ocean to tap fiber lines it's pretty easy to believe that we'd tap terrestrial lines too.

My understanding is that internet firms enjoy slightly more leverage, and that is why in contrast to telecos they are now petitioning the courts to reveal the scope of the orders.

That's all hand-waving. The courts won't allow it, the giants know that, so the internet giants use it as a chance to look good. Furthermore, it benefits the NSA for us all to think that Google, Yahoo, et al., are not in their pocket.

(Keep in mind these slides are 5 years old, before Google Search over SSL)

The NSA has clearly tapped trans-oceanic fiber -- why not also tap high-volume inter-datacenter links?

I guess they could tap the fibre at a relay point, maybe somewhere like Hawaii.

> Why would Google (or anyone) link to them directly? with fiber no less!

"They have no direct access to our servers"

I wonder what a beam splitter consists of. Oh. A PRISM.

Beam splitters are, in general, not prisms. A prism, as traditionally referred-to (and in the NSA PRISM graphic) separates light of different wavelengths. In a signal tap, you want to split the intensity, not the wavelength. In simplest form, telecom signals are at a single wavelength; passing it through a 'Dark side of the moon' prism will only deflect the beam, not split it.

When one refers to a beamsplitter, it's usually a partially silvered mirror.


If it's fancy, it might use an evanescent wave to do the coupling, as in some cube beamsplitters.

Beamsplitters for optical fiber are more generally referred to as 'couplers' and involve bringing two fiber cores close enough for a long enough distance that the probability of coupling light from one to the other is the desired amount.


It is possible to split beams with a birefringent prism, but it is much less common.

http://www.thorlabs.us/newgrouppage9.cfm?objectgroup_id=745 http://www.thorlabs.us/newgrouppage9.cfm?objectgroup_id=917

Disclaimer for the following: I only work with optical fiber couplers occasionally, and not for telecom. Someone who works on telecom fibers daily will be more informed.

In summary, if someone wanted me to tap an optical fiber, I'd call up ThorLabs, get a matching coupler shipped overnight, cut the relevant fiber, slap APC ends on the fiber ends, and jack in. Splitting the beam in free space (outside of a fiber) with a prism is far more error-prone, unstable, and no more efficient. A fiber coupler has no moving parts, can't break, and won't take down a telecom's trunk line if someone breathes on it funny.

If they're actually using a prism, it's because of some sort of impedance/reflection minimization scheme; I can't conjure one that would work better than using simpler techniques though.

Are couplers detectable via time domain reflectometry in practice?

You can/do/might use actual prisms for a variety of reasons, however, such as if you're trying to get a frequency-multiplexed set of signals off a single fibre broken down as their constituent components - i.e. bulk data collection from a single tap on a mass fibre bridge.

Anyway, you're probably right, it's probably just bog standard parts, and PRISM was a buzzword for management.

Actually it's: "There is no free-for-all, no direct access, no indirect access, no back door, no drop box."


And I tend to believe him.

> I was also looking for another unique ID that users are identified by

They can use plugins / extensions installed. Fonts installed. If cookies are enabled or not, etc. Check out: https://panopticlick.eff.org/

Most of the identifying information used by panopticlick requires using javascript/flash/java to obtain. As such, it isn't available when simply parsing HTTP headers and packets (as much of the data in XKeyScore appears to come from).

(That is, unless you visit panopticlick.eff.org, which then sends all of the processed information over the wire in the clear...)

How long has https been an option with Facebook and messages? I don't think it was always required, if ever.

Connections secured with TLS aren't effective if a) you can compromise the CA, b) have the private keys, c) have cooperation of the appropriate company (most likely), d) have compromised the server, e) are aware of flaws in the encryption algorithm, f) weak keys have been used, or g) have compromised the client computer.

Compromising the CA isn't as powerful as most would think. It does allow you to MITM, however it does not allow you to do so invisibly. Someone who is paying attention to the public key could notice that it changed.

But you could do it for a specific target and that target has a high chance of not noticing. Doing it indiscriminately on the other hand...

It's also not effective if h) TLS was never used in the first place. Facebook hasn't always been all that secure to eavesdropping.

It's only been required in the last year or so, prior to that it was an optional extra in the security section.

I think it would be very easy for the NSA to obtain the private keys to SSL of popular sites, eg Facebook, Gmail. Either through coercion or hacking.

> how are they getting all Facebook private messages and Gmail?

Perhaps you missed the news about PRISM? :)

This presentation is from 2008. According to the presentation on PRISM Facebook joined the program on 3 June 2009. That would indicate that the searches here are based, most likely, not on participation by Facebook but by passive sniffing of HTTP traffic and then session reconstruction.

In 2008 Facebook ran on HTTP, so back then it would have been easy to sniff this data. I believe Gmail also transferred in plain text back then. When those companies switched to HTTPS, the NSA likely 'leverage some pressure' to get them to join PRISM, which puts the data back in this system.

You've got your timeline wrong. Facebook didn't support HTTPS for anything but user login until 2011.

[0] https://www.facebook.com/blog/blog.php?post=486790652130

From the screenshots it's obvious that the captured data is an HTTP form submission in facebook.

So they didn't have access to private messages, they just intercepted internet traffic and relied on it being unencrypted. Facebook didn't always enforce https by default like it does now

> That would indicate that the searches here are based, most likely, not on participation by Facebook

Gag warrants existed before PRISM.

EDIT: "National Security Letters"

Around about the time when people started rolling out SSL as standard. That'd make sense, as they'd need to move their beam-splitters (prisms!) to behind the SSL endpoints.

I think PRISM is just the public-private partnership aspect of this, where they have to go to service providers and install kit, as they can't tap SSL traffic.

With regards to the data collection, the thing to realize (which I did so myself) is that email truly is the glue that ties together most internet services.

Take facebook for example. By default, almost any and all activity on the site is catalogued for you by email -- for your convenience. Someone mentioned you in an update, you get a notification. A friend sent you a private FB message, you get an email notification with the content in line (even with the support of replying to message via email as well).

Now, because email traffic on the internet is not encrypted by default, one is able to piece together the contents of communications just by looking at the email.

Essentially anything that you receive via email (e.g. password reset links; credit card statement summaries etc) is subject to capture and analysis. Given this, it may make sense to perhaps disable (potentially sensitive) email notifications as a workaround around this particular collection method.

PRISM allows them to retrieve individual users' messages via a FISA court order. It doesn't allow analysts to instantly obtain private data for any user they want. :)

Once again, whilst the shrill cries of protest claim that the government has gone too far in its intrusive surveillance, the pragmatic amongst us are forced to admit that this is a capability that the state simply will not give up, even in the face of massive public protest and discontent.

Moreover, the technological trend is clear; and the avenues for sharing intimate personal information proliferate and multiply with every passing month. The debate therefore needs to shift. The question cannot be over whether the state should have access to this information. We are powerless to push on that point.

The question has to be this: Given that our state (and others) will necessarily know the most intimate details of our lives, how do we want it to behave? How do we want this information to be used? What do we want the newly intimate relationship between individual and state to look and feel like? It may well be that we come to a startlingly different conclusion than our initial starting points might presuppose.

There are tremendous social benefits to be had by using this treasure-trove of information wisely, just as there are tremendous dangers to be risked by using this trove with carelessness or malicious intent. However, we need to think very carefully about how we manage the relationship between individual and state; how we manage the relationship between individual and peer; and how we manage the relationship between individual and technology.

I feel strongly that this is the most important debate of our generation; perhaps the most important debate to be had in this new millennium.

> Gmail messages must only be captured when they leave the Google network. They are the only provider to support server-to-server TLS

We should start lobbying for broader support for server-to-server TLS with perfect forward secrecy. While it alone is not sufficient to prevent the wiretapping of targeted individuals, it still makes fishing expeditions or "Big Data" level surveillance much harder. It would help keeping ordinary users' emails protected on the wire and secure the meta data of PGP emails.
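An added example (not part of the original thread) of checking, for a message you have received, which server-to-server hops recorded TLS and whether the recorded cipher gives forward secrecy. It reads the `Received:` trace headers and assumes the Postfix-style and Gmail-style annotations shown in the sample; the message, hostnames and queue ids are constructed, and each header only reports what the receiving server chose to write.

```python
import email
import re
from typing import List, NamedTuple, Optional


class Hop(NamedTuple):
    by_host: str
    protocol: str                    # ESMTP, ESMTPS, ESMTPSA, ...
    tls: bool
    cipher: Optional[str]
    forward_secret: Optional[bool]   # None = the hop recorded no cipher


WITH_RE = re.compile(r"\bwith\s+(E?SMTP|LMTP)(S?)(A?)\b", re.I)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
CIPHER_RE = re.compile(r"\bcipher[=\s]+([A-Za-z0-9_-]+)", re.I)


def is_forward_secret(cipher: str) -> bool:
    """Heuristic on the suite name: ephemeral (EC)DH key exchange or TLS 1.3."""
    c = cipher.upper().replace("_", "-")
    if c.startswith(("TLS-AES", "TLS-CHACHA20")):   # TLS 1.3 suite names
        return True
    return any(tok in ("ECDHE", "DHE", "EDH") for tok in c.split("-"))


def trace_hops(raw_message: str) -> List[Hop]:
    """Return the hops in the order the message travelled (oldest first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        line = " ".join(value.split())              # undo header folding
        with_m = WITH_RE.search(line)
        by_m = BY_RE.search(line)
        cipher_m = CIPHER_RE.search(line)
        cipher = cipher_m.group(1) if cipher_m else None
        protocol = "".join(with_m.groups()).upper() if with_m else "UNKNOWN"
        tls = bool(with_m and with_m.group(2)) or cipher is not None
        fs = is_forward_secret(cipher) if cipher else None
        hops.append(Hop(by_m.group(1) if by_m else "?", protocol, tls, cipher, fs))
    return hops


def rate_path(hops: List[Hop]) -> str:
    """The path is only as private as its weakest recorded hop."""
    if not hops:
        return "no-trace"
    if any(not h.tls for h in hops):
        return "plaintext"
    if any(h.forward_secret is False for h in hops):
        return "tls-no-pfs"
    if any(h.forward_secret is None for h in hops):
        return "tls-unknown-cipher"
    return "tls-pfs"


# Constructed message: newest Received header first, as mail servers prepend them.
SAMPLE_MESSAGE = """\
Received: from mx2.relay.example (mx2.relay.example [192.0.2.30])
    by mail.recipient.example with ESMTP id c3; Wed, 31 Jul 2013 12:00:03 +0000
Received: from out.sender.example (out.sender.example [192.0.2.20])
    (using TLSv1.2 with cipher AES128-SHA (128/128 bits))
    by mx2.relay.example (Postfix) with ESMTPS id b2; Wed, 31 Jul 2013 12:00:02 +0000
Received: from laptop.sender.example (laptop.sender.example [192.0.2.10])
    by out.sender.example with ESMTPSA id a1
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Wed, 31 Jul 2013 12:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    path = trace_hops(SAMPLE_MESSAGE)
    for hop in path:
        print(hop)
    print("path rating:", rate_path(path))
```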

> but how are they getting all Facebook private messages and Gmail?

It was reported earlier that the NSA has installed hardware at their "partner" companies. As you certainly remember from the slides, they are: Facebook, Google, Microsoft/Skype, AOL, Paltalk, ...

Your faith in Facebook and Google not giving the NSA open access...is a bit strange.

> Users of PGP/encryption products being singled out is terrifying.

I didn't see that in the article. Do you have a citation?

It is in the slides the article links to: http://www.theguardian.com/world/interactive/2013/jul/31/nsa...

Slide 16: "Show me all PGP usage in Iran"

I'm getting seriously irritated at the "I have nothing to hide" crowd. For starters, here are a few ways this can go horribly wrong:

* Industrial espionage -- it's big business, and I'm sure it pays better than being an NSA analyst.

* Foreign espionage -- since this gives unlimited querying power to every agent, a single "turned" agent could inflict massive damage on U.S. government and industry interests on behalf of a foreign power. The potential for double agents is huge.

* False positives and guilt by association -- being flagged as a "person of interest" and then essentially persecuted because you have fringe ideological interests, are looking up a lot of info on terrorism for a book project, have a friend who knows radical Muslims, etc.

* Corrupt use in political campaigns by incumbent politicians with access -- obvious.

* Blackmail and other corruption.

* Use by government agencies with access to spy on other agencies.

... I'm sure creative people can think of more.

"Industrial espionage--"

According to a New Zealand whistleblower back in the 90s, this was one of the main purposes of the Echelon network. Imagine what happens when your larger competitor gets in bed with the NSA. According to whistleblower Russ Tice, the Bush NSA was able to request intercepts on Senator Obama, so there certainly could be enough corruption for back room deals to occur for your startup's private information.

This is yet another reason to encrypt your git traffic.

I completely agree. I got very frustrated talking to two intelligent people (one a lawyer) about this the other day. I think everyone should be educated to make sure they know about these points so that they can intelligently explain them to the "I've got nothing to hide" crowd. The 4th Amendment and the right to privacy just doesn't seem to carry much weight with the average person any longer (if it ever did).

I think that the 'nothing to hide' crowd don't understand that the concept of things to hide could grow and grow unless the surveillance powers are kept in check. Today, only terrorists have 'something to hide'; tomorrow it could be activists, then journalists and so on, until the 'nothing to hide' people become the victims. http://rt.com/usa/justice-department-admits-spying-228/

People need to look at this long term and realise that abuses of power will continue to intrude larger and larger sets of the population unless they are stopped now.

Your points are excellent. And even if we all do have nothing to hide, an agency of the government that decides on its own to break the 4th and 1st amendments, and reinterpret the law practically out of existence, in secret, and lies about it to Congress in its oversight capacity, is A Bad Thing(tm).

It seems to be oft-overlooked that Manning and Snowden have managed enormous breaches of what is supposed to be secured information (yours and mine, and probably everyone else's!). Staggering breaches. And they're both essentially nobodies - Snowden was an army washout who became a security guard who has penetrated the US security apparatus in a way that would have been considered the greatest KGB coup ever if it had been a cold war operation.

There's a staggering lack of basic competence around protecting this stuff. The CIA director who lost his job over Ames must be wondering what the modern mob have to do to get fired.

Thank you for making that post. I've been repeating these points on broken-record for the last few months.

I would also like to add /family/ as a huge pressure point, akin to your guilt by association.

IOW, one may have nothing to hide, but their family member does and one can be controlled by threats to that family member. It's disgusting and insidious, but that's how bad, scared and dangerous people operate. We are not using our intelligence if we allow ourselves to be vulnerable in this way.

Api, please make a post expanding on these ideas. Then post it here and send some copies to international news sites, like the guardian.

We need to wake up, your post would help a lot.

Anytime an adversary (opponent in a lawsuit, police investigator, promotion candidate, political candidate, etc) is owed a favor by a member of the intelligence community, you are going to lose.

The whole of your life may be innocent, but a single interaction (searched for porn? vented about someone in a private conversation?) taken out of context can almost certainly destroy you.

This. I can't seem to make people around me understand this point.

Do you list these negatives when having that conversation? Do they not see the possibility of something like this being used against them or family members when you lay out the possibilities specifically (blackmail and industrial espionage could hit anybody)?

The "nothing to hide" trope seems to me to be entirely based on a false dichotomy that contrasts "nothing to hide" with "unpatriotic/criminal". I think this is primarily because people lack the imagination to consider the other seedier and more lucrative uses of surveillance.

If they were confronted with these other possibilities, would your acquaintances change their thinking? Or do these other risks--for example, the risk of having an employer targeted by competitors unfairly (potentially leading to layoffs), or the risk of having a representative vote against the interests of his or her district because of blackmail (potentially leading to a loss of government services and investment)--simply not resonate?

When I make this argument the most common response is that they have faith in the goodness of people and don't consider these risks to be very significant.

I'm having the same problem as some other commenters here in that people don't seem to care about these hypothetical situations. They mostly trust the gov't to only track the "bad guys". Are there any good cases of the above-mentioned actually happening? Any other suggestions for responding to the nothing-to-hide argument?

My best counterargument for "nothing to hide": What do you think Nixon would have done with access to a limitless database of (effectively) every human on earth?

Privacy is important. But vastly more important is unaccountable power.

Playing devil's advocate here.

But that has never happened and probably never will. Nixon was caught quickly. Besides, that wouldn't even affect me, only people who do bad things or are in positions of political power.

Also, how about: just because I have nothing to hide doesn't mean that I don't mind being watched.

Interesting; it appears someone failed to redact some data from the slides. In the Facebook chat example, the message is "to" 1536051595.

Using the Facebook Graph API, we can gather information based on this ID: http://graph.facebook.com/1536051595

Which leads us to the Facebook profile (https://www.facebook.com/arash.gorjipour.5) of an individual, real or contrived, named "Arash Gorjipour". His email address and phone number are all exposed in one of his uploaded photos: http://i.imgur.com/0UUk5cB.jpg

I wonder what the reason for this man being in these slides is.

He's Canadian. And he has dark skin and a funny-sounding name.

He's (almost certainly) a real person, by the way. I called his office. He wasn't in, but they offered to page him for me.

Just FYI (almost certainly of no importance because this individual was chosen at random for the slides): his name (both first and surname) are Persian. I'd guess he was an Iranian (graduate) student who has decided to stay in Canada after his studies; possibly to be "free" from an oppressive government's espionage and meddling in his private life. The irony...

Probably because he has dark skin, and his native tongue is probably something other than English.

I'm a little worried now because I visited his page, and this will surely be logged, hence my past online activities may now be investigated.

Don't worry, you were already on their list.

HN fields roughly 200,000 unique visitors each day, most of which have a markedly anti-gov't-spying slant[1], that's enough evidence to be in their cross-hairs.

[1]: Such that in some capacity you might participate in the creation/promotion of methods or software to get around their snooping technologies.

Yup. I think that we all classify as "Enemy sympathizers". I wonder when we will be classified as "Enemy combatants?". As soon as somebody mentions violence, I suppose.

Oh bum..


Now let's all forward to newspeak in schools instead of English in the coming years


Did the Guardian change the slide? I couldn't see that slide, and it has now appeared with a value of 1234567890.

The relevant slide is inline in the article, under the first appearance of the string "facebook". It was apparently redacted by the Guardian; see nwh's link to the archived page below.

In keeping with that line of thought would it not be better to redact the information you are presenting? I don't see why you need to write it out in full.

You could say 153xxxxxxx and "Arxxx Goxxxxxxx" just to be sure and if you need to post links you could use a URL shortener.

Probably picked at random. The screenshot 'test case' could have been you. We are all in the database after all.

I think it's a test account. The text string which reads something like 'does it still recognize me?' is very much like the kind of thing I'd type in my QA days when I was testing a new system.

If I were putting together a deck on that system I'd also probably favor test data over live data, if for no other reason than it's easy to come by.

Of course, it would have been more amusing had the 'selector' been chosen as 'Barack Hussein Obama II'.

Forget amusing, that would have been a perfect action trigger: people are OK with privacy infringement on others, but when it happens to them, they are more likely to be upset.

I suspect, or maybe just hope, that politicians are protected in some way from this. While it is unfair, at least it would mean less opportunities to extort or threaten lawmakers. Though, obviously, it would be best if we ALL were safe from that kind of crud.

There's a small version of the original slide here, which has since been removed — http://archive.is/xcwg6

Do you see that in this document? I can't find it anywhere and wonder if the Guardian subsequently redacted it:


They may have used an existing public profile since he's already displayed it openly. He's a real estate broker after all so, presumably, he's got "nothing to hide".

Anna Chapman was a real estate broker too...

This is brilliant, I love the screenshots:

Foreignness factor:

The person has stated that he is located outside the U.S.

Human intelligence source indicates person is located outside the U.S.

The person is a user of storage media seized outside the U.S.

Foreign govt indicates that the person is located outside the U.S.

Phone number country code indicates the person is located outside the U.S.

Phone number is registered in a country other than the U.S.

SIGINT reporting confirms person is located outside the U.S.

Open source information indicates person is located outside the U.S.

Network, machine or tech info indicates person is located outside the U.S.

In direct contact w/ tgt overseas no info to show proposed tgt in U.S.

It's quite easy to lose the protections of a U.S. citizen indeed!

> It's quite easy to lose the protections of a U.S. citizen indeed!

That, coupled with the fact that they only require 51% certainty in the foreignness factor makes me think this is intentionally designed to make every single person they come across a subject to surveillance.

I can see weasel terms like "use of storage media seized outside of the U.S." be extended to mean pretty much anything.

The person is a user of storage media seized outside the U.S.

Interesting, so everyone who ever hit a MegaUpload link is potentially a foreign entity?

Kind of puts into perspective why they would coordinate such a massive raid on Megaupload. The target may not have even been the data - merely seizing the data puts anybody who has accessed the megaupload website as an easy target.

You crossed the tinfoil line. Copyright infringement was sufficient motivation for the actions taken. The megaupload raid was not okay, but I am pretty sure Hollywood was behind it, not the NSA.

Just a few years ago this very article would cross the tinfoil line. Plus, don't be naive to think that the government wouldn't use an accusation of committing a crime to cover what they really want to do.

For instance, need data from a server's hard drive? Accuse someone you know who has data on that server, not necessarily the data you want, to have an excuse to seize said hard drive and analyze it. Nope, turns out the accusation was incorrect, here's the hard drive back. Ah, is getting other data not covered by the warrant illegal? It just might be, but you can't complain if you don't know they did it and you probably don't have standing to sue over it to find out. Plus with authorities able to get double-secret warrants based on triple-super-secret laws issued by not-so-secret courts with "you can't even admit you were here" secret proceedings, how would anyone know in the first place?

Remember, government agents have the authority to lie to you in an effort to complete their goals.

Not that I'm saying the NSA was behind MegaUpload or anything, just saying it's feasible.

You've got a lot of nerve impugning tinfoil these days.

Well, there are reasons to put on our tinfoil hats now... heck, last I heard, MIT students had managed to inject memories into mice.

The headline for that article was astoundingly misleading. They created a fear response in the mice to a place that the mice had never been.

Hollywood by itself had absolutely no chance of reaching across to New Zealand and persuading the NZ police to break NZ laws to arrest him.

Just to be clear, Kim Dotcom was a NZ resident, and had broken no NZ laws.

At this point it would be a bold man who made the claim that the NSA had nothing to do with investigating a foreign person and/or their company, tracking that company's international internet usage, monitoring their involvement in possible illegal activities and providing that information to US authorities who could use it to reach out across the world and attempt to have that person extradited to the US.

In fact, I cannot understand for a second why you are trying to make that claim?

@netrus - I am not even sure where the tinfoil line is anymore.

At this point, the line itself is even made of tinfoil.

Aaagh! Everything is tinfoil! Where did this tinfoil even come from! Get this tinfoil away from me! Aaaagh! Heeeeeeeelp!

Having a 3 1/2" floppy sent to someone outside of the country 15 years ago will probably count as well.

What is really interesting here, is that this disproves what has been said. EVERYBODY'S DATA IS COLLECTED, but to query the data of a US citizen you need to simply provide a 'mitigation reason' as to why you are accessing that data.

That then provides an audit trail, where something, or more likely, nothing is done to check that decision was valid.

The fact that they don't require a wiretap order or even a warrant to monitor foreign citizens is disturbing in itself and is based on a questionable internal interpretation of the law.

On C-SPAN this morning, they phrased it as: a secret interpretation. The fact that those two words can even sit together hurts my head. How do you secretly interpret something one way, but openly interpret it another way?

My favorite part is that the form assumes you need only a single line for the "Justification" field.

Holy shit... Apparently, the only way to ensure privacy is to go Stallman. Funny how yesterday's "conspiracy crackpot" became today's visionary.

Stallman never was a conspiracy crackpot, he always was a visionary. The only thing that changed is some people's judgment of him.

Exactly. It has been obvious and widely understood for years to anyone who has ever used a network analyzer that systems like this could be built. The question was always would they be built. Stallman, and others, bet correctly based on their better reading of history and human nature.

You can be completely correct and still be a crackpot.

What we need is strict limitations on what can and should be collected, and how it's used, plus better methods of securing what's being exchanged. For example, sending email as plain-text, leaving it on the server as plain-text, maybe that's a bad idea.

The NSA isn't necessarily the only reason you'd do this. Foreign governments are going to take an interest in this, too, and it's only a matter of time before someone gets access to the data the NSA is hoarding. No program of this scale is ever 100% secure.

"You can be completely correct and still be a crackpot."

Not really. At that point, you are just using the term as an ad hominem in a childish attempt to ward off cognitive dissonance.

You don't win an argument by calling the other guy a weirdo.

His observations are correct, but his conclusions are incorrect, just as people like Glenn Beck start out with facts and end up with paranoid delusions and fantasies.

I think Stallman's observations are valid, but his method of dealing with the implications of those observations are impractical, if not completely wrong.

When you are done attacking Stallman with a false analogy, would you care to name a few of his invalid conclusions?

More specifically, what is so impractical or "completely wrong" about not using smartphones?

He's not opposed to smartphones, he's opposed to cellular phones as these can serve as a tracking beacon, following your movements.

Given that the cellular providers are capturing and archiving location data, this is fact, his conclusion is we should avoid using these sorts of phones completely. Why? The reasoning here is awfully thin, but has something to do with "being tracked = bad" and then goes into crazy territory from there. It's the same thing with credit and debit cards. They can be tracked, therefore bad, therefore nobody should use them.

If he's concerned about remaining invisible, then this must be applied rigorously across all aspects of his life. Does he wear dazzle face-paint or glasses with bright IR LEDs on them so that CCTV cameras can't pick him up? Does he only use methods of travel that require no identification? If the FBI wanted to retrace Stallman's activity on any given day, it'd take hours at most to piece it together.

The sign that someone's a crackpot is in how inconsistent they are in applying what they've concluded. It means they're missing something important.

For example, there are people that have a genuine need for absolute secrecy, that need to remain invisible, yet they still use cellular phones, email, and social networks. They're aware of the same risks as Stallman, but they take precautions instead of avoiding them completely.

It's notable that Osama bin Laden was taken down because he'd gone to such great lengths to avoid being tracked that he stood out as an anomaly, an approach that proved to be self-defeating. He had this large house, but a paranoia about electronic snooping so severe that he had no internet connection, and that alone made that house highly suspicious. If you're that affluent, you have an internet connection, even if you barely use it.

Everything Stallman advocates to avoid detection just makes him an even bigger target.

> Why? The reasoning here is awfully thin, but has something to do with "being tracked = bad" and then goes into crazy territory from there.

You don't understand why tracking may be bad? Or are you just trying very hard to mock his very valid conclusion?

Here's other people's thoughts about cellphone tracking: http://www.zeit.de/datenschutz/malte-spitz-data-retention/ (totally crazy, right!)

> If he's concerned about remaining invisible, then this must be applied rigorously across all aspects of his life

No, it mustn't. Every bit helps.

> Does he wear dazzle face-paint or glasses with bright IR LEDs on them so that CCTV cameras can't pick him up?

Perhaps he does not yet live in an area with seamless CCTV tracking.

> The sign that someone's a crackpot is in how inconsistent they are in applying what they've concluded. It means they're missing something important.

You must be a crackpot then because you're clearly missing that Stallman has probably managed to avoid having his daily movements tracked by some carrier.

> Everything Stallman advocates to avoid detection just makes him an even bigger target.

To whom, with what (crackpot-like) line of thought? Stallman is very open about his principles, his reasons and his actions. It would be extremely dumb for anyone to derive from this information that he is dangerous or a worthwhile target.

Tracking can be bad for some people, it can ruin their careers, destroy their marriage, completely upend their life if that sort of information got out. However, for most of us, it's not especially valuable information and any one day will look like any other.

When I engage with social networks, use a cellular phone, I'm aware of the liability. I'm making a conscious trade-off. I really would like it to be less of a big deal, that the privacy implications were minimal, but this is the world we live in. I support political parties and representatives that would restrict how this sort of information can be used, making it less likely to be collected in the first place.

> No, it mustn't. Every bit helps.

Either you're trying to avoid being detected, or you're not. There's no half measures here.

> it can ruin their careers, destroy their marriage, completely upend their life if that sort of information got out.

> I'm making a conscious trade-off.

No, you're not. If you and the people who have had what you wrote happen to them (they obviously would have been more careful than you) were making conscious trade-offs, nothing bad would have happened to anyone as a result. In fact, you do not even know what information you are disclosing to FB (it's more than you are writing) and other, unknown to you, parties, so a conscious trade-off is impossible. You are just patting yourself on the back for being satisfied with your ignorance.

> Either you're trying to avoid being detected, or you're not. There's no half measures here.

From what I understand, he is refusing to provide personal information to a carrier and possibly other unknown parties, because that is potentially harmful and not beneficial in any way to him. Why are you insinuating that he is trying to avoid detection, as if he were some criminal? And by the way, even criminals aren't stupid enough to do everything wrong because they cannot do everything right.

I don't use Facebook specifically because of their habit of leaking information to anyone and everyone. I do use other "social networks" where I'm not obligated to provide a dossier on my life.

I've even got Facebook's site and associated flam blocked on my computer so I'm not bombarded with their inane commenting system, "Like" buttons, tracking features, or other garbage I want nothing to do with.

I'm taking a risk by using a cellular phone, I understand this, however I believe the down-side of using one is better than the down-side of not using one. That I'm not a politician or celebrity factors in to this decision.

I'm not even sure what Stallman's full reasoning is behind cellular phones as it's always glossed over with some kind of hand-waving about tracking.

"Tracking can be bad for some people, it can ruin their careers, destroy their marriage, completely upend their life if that sort of information got out. However, for most of us, it's not especially valuable information and any one day will look like any other."

> I think the thing to realize here is life can change very quickly. What if, for one reason or another, you become a celebrity all of a sudden - Or happen to acquire particularly well-connected enemies. When this kind of powerful info is used against you things look quite different.

Stallman's stance is against all cell phones, not just smartphones. And I'd argue that in 2013, to the point where we're issuing basic phones to welfare recipients for the purpose of job searching, that this is an invalid conclusion.

As is only using the FSF's definition of free software (where it matters less that the software itself is free, but that the software doesn't point out to you any nonfree addons. Fedora Linux is free software, as is Firefox but since they allow nonfree firmware blobs, and addons respectively, they don't count).

Or free hardware, Good Luck With That, unless you like a single netbook made by a single company in China.

>As is only using the FSF's definition of free software (where it matters less that the software itself is free, but that the software doesn't point out to you any nonfree addons.

You're conflating the FSF's definition of free software, and the FSF's criteria for recommending software to users.

The FSF sees Firefox as free software (now that the proprietary error-reporting system they used is removed); they won't recommend Firefox, because it recommends non-free software. Fedora is a distribution, not a specific program, and they won't recommend it because it recommends non-free software.

By the FSF definition, a license is free if it protects the Four Freedoms; but software licensed under that could be something the FSF doesn't wish to endorse.

I fail to see how not owning a cellphone, only using free software and suitable hardware puts me at a greater inconvenience than, say, having all my life (movements, communication, interests) digitally recorded and made available for later arbitrary use (by any type of government we might have ...). I honestly wish I had the willpower and independence to pull it off.

On the other hand, I totally understand the people who firmly believe that neither governments nor rogue personnel will ever abuse this information to their disadvantage. After all, billions of people firmly believe in some arbitrary deity and we haven't managed to prove them wrong.

That's a laughably false dichotomy. Using free software does not in any way guarantee that you won't be tracked online.

There's been many missed opportunities to get truly open hardware, and to this day we're still missing out on them. There are initiatives to remedy this, but they're still far from complete and need more motivated drivers to carry them forward.

Using a crappy computer from some no-name company in China is a protest vote and is not pushing things forward.

On the other hand, getting hardware hackers together to create a 100% free hardware platform would. The Raspberry Pi is close, all that's really needed is for some more aggressive lobbying to get the PowerVR driver component open-sourced.

Or consider, given how people are taping out custom Bitcoin ASICs, why is it inconceivable that someone could tape out an open-source CPU?

> You can be completely correct and still be a crackpot.

This is very important. What do you mean by "crackpot"?

It's not feasible for the average person to restrict their lives to the point that RMS does and advocates for.

* Reading the web via email only

* Using completely free software and hardware (which as far as I can tell, limits you to a very small subset of Linux on a single Chinese-made netbook)

* Not carrying a cellphone

* Not using any social networks.

Stallman's principled stand is admirable, but untenable for most. I need to violate every single one of these tenets in an average day at work.

And that's before we even enter the realm of entertainment, which is even worse as far as the FSF's definition of freedom goes.

Principled != crackpot. Crackpot is an insult intended for the feeble minded and is used to reduce any opinions a person might hold on a subject as reject-able out of hand.

Over unity energy generation from the vacuum is rightly labeled as 'crackpot' imo, Stallman's position, while extreme should (again, imo) not be labeled as such.

Where Stallman breaks from admirable principle and dives into untenable crackpottery, IMO, is where he calls proprietary software evil.

Crackpot => unsupported by evidence.

Calling proprietary software evil is an opinion, and there are plenty of examples of evidence that proprietary software was created in ways that one could label as evil. Give it a while and there might be some revelation which will cause lots of people to go 'oh, that Stallman was such a visionary, calling proprietary software evil'.

Now on this particular aspect of Stallman's reasoning I find him hard to follow because that would mean a whole class of something is bad whereas I believe it should only apply to instances on a case-by-case basis. But I'm going to hedge my bets here and sit it out for the next decade or two (assuming I have that much time remaining) to see if he might not be on to something again that is still hard to see from where we are standing right now.

One way in which this could play out is that in order to avoid certain societal fates is to have nothing but open source for certain classes of application (for instance, voting computers, software in use by the government in general or software that is used to power network infrastructure).

Don't be too quick to judge, Stallman has been right more often than I'm comfortable with on some of his most 'extreme' views.

I've never heard Stallman be right about anything that wasn't blindingly obvious to anyone who was an open-minded observer of the same things at the same time.

He's not the only one that's been crowing about electronic surveillance. Ever since things like Carnivore (http://en.wikipedia.org/wiki/Carnivore_(software)) were uncovered in the 1990s, it's been obvious that there's a lot going on we will never be fully informed about, that the internet is no longer a safe playground devoid of malevolent actors. Mailing lists and USENET groups at the same period of time were constantly aflame with these sorts of issues.

If you can cite an occasion where Stallman has had a unique insight into the situation, I'd be surprised.

Stallman, for all his posturing and relentless drum beating, which is at least admirable from the point of dedication, is still no Alan Kay, Marvin Minsky, Marshall McLuhan or Raymond Kurzweil.

Moral judgements are subjective opinion by nature, fair enough, but I bring the crackpot label in for exactly what you say, thinking in absolutes, in black and white, instead of nuance.

In the real world, that shows a distressing lack of critical thinking and a further distressing abundance of dogmatism.

"Proprietary software is bad" -- Subjective value judgement.

"Proprietary software is evil" -- Subjective value judgement that shows a lack of thought.

"You should always use free software wherever possible." -- Subjective value judgement.

"You should use absolutely nothing but free software ever" -- Subjective value judgement that shows a lack of thought.

I mean, the FSF "disapproves" of software that is completely free on its own (Fedora, Firefox), merely because they point out nonfree things you can use. (Fedora's firmware bundles and some repos, and Firefox's addons site).

That's completely idiotic. Apparently the FSF's "freedoms" do not include the freedom to run whatever software you choose if it's "unfree".

The proprietary software as evil thing comes as a morality judgment, that the potential evils from such software/licensing far outweigh whatever positive nuance it could bring to the table. A nuanced reading of the past 75 years of copyright/patent law and judgments can come to the conclusion that such an ecosystem is detrimental to the rights and ability of end-users and developers.

Guess what the solution to the proprietary software problem is? Not using or promoting proprietary software or platforms that enable it.

You are getting upset that the Free Software Foundation has standards to be met to consider software as "free". To dismiss their agenda as existing in 'crackpot' territory is invalidating a legitimate argument to support your shaky conclusion.

* RMS reads the web via email because he's traveling virtually all the time and rarely has Internet access. A batch-based system makes more sense for him. This isn't an ethical stance, and the fact you include it hits your credibility severely.

* The FSF uses computers other than Yeeloongs. The FSF also doesn't really care about free hardware. The Yeeloong has chips with non-free firmware burnt in, and the FSF doesn't care because that isn't software. It's the Free SOFTWARE Foundation, after all.

* Stallman is on a few social networks, notably identica @rms@identi.ca (possibly now defunct). He probably has a GNU Social endpoint.

I think you're conflating Stallman's willingness to be uncompromising in his own lifestyle with his calls for reform. Stallman is fairly intelligent and understands that not everyone can live like he does, but I suppose he feels the need to answer the question of "what should you do in the present beyond push for reform."

I also don't know what "entertainment" you're talking about. The FSF is against proprietary video game engines, but their mission pertains to software, not music/movies/etc. They campaign against DRM because DRM requires non-free software to enforce.

RMS reads the web via email because he's traveling virtually all the time and rarely has Internet access

Surely you can't expect people to take this argument seriously. It's easy to get internet access on the go in much of the world already.

RMS emails in restaurants, cars, trains, etc., in Europe and the United States but also frequently in SE Asia and South America. There are pictures of him responding to email in the mountains in Nepal.

It's easy to get Internet access on the go in most of the places I've been to, but I've been to a tiny fraction of the places RMS has been to.

I didn't say one should never use offline mail. I'm just disputing that it's a sensible default, rather than a backup.

> Over unity energy generation from the vacuum is rightly labeled as 'crackpot' imo

Then it seems that crackpottery is a term that may be removed in retrospect. I'm sure at some point in the future someone will crack the energy from the vacuum riddle, who knows.

An example of a crackpot is Glenn Beck, that is, someone who is drawing incorrect, incoherent conclusions from the facts they observe.

Suggesting that people abandon social networks, never own cellular phones, avoid using the web almost entirely, these are extreme positions. What makes them crazy is when he's an advocate that everyone should follow these edicts.

Surely it's some kind of "geek social fallacy" that's being applied here. Stallman has come up with what he perceives as the optimal strategy and anyone who diverges from this is doing it incorrectly, just as how free, open-source software is the only kind of software that's acceptable, and everything else is "evil".

I think the free access to the data once it's mined is worse than the collection. Such access should require a warrant, if not a wiretap order, not a justification one-liner.

You make crackpot sound more like a personality trait than a status.

This is by far the best guide I've found to do exactly that:


I haven't read all of it, but I'd recommend using LUKS instead of TrueCrypt.

How does browsing the web via e-mails and cron jobs make for more privacy?

No javascript tracking. Very strange behaviour (therefore, less behaviour tracking). That's what I can think of.

Honestly, if the NSA wanted to know what Stallman was up to, they'd apply the $5 wrench technique (http://xkcd.com/538/). All the tin-foil in the world can't prevent them from getting what they want if you're suddenly a Person of Interest.

You're completely missing the point -- it's unfeasible, unpractical, and unproductive hitting millions of people on the head with $5 wrenches. This is the entire point -- they can do it easily with everyone now, they're not hitting people with wrenches -- that would invoke suspicion and retaliatory response that would curtail their legal powers to snoop around.

Maybe you're forgetting about the sorts of things that went on, are probably still going on, in various brutal military dictatorships around the world. Wrenches are just the start of what they do to people before they disappear them.

It isn't impossible to beat information out of millions of people. It's been done before and it'll be done again.

You say it'd invoke suspicion, but it wouldn't. If you're at the wrench phase of interrogation, you're already in a world where legal powers don't matter.

>Maybe you're forgetting about the sorts of things that went on, are probably still going on, in various brutal military dictatorships around the world

Are you including the USA in the list of 'brutal military dictatorships'? Because the USA disappears people: https://en.wikipedia.org/wiki/Khaled_el-Masri

Is there no difference between specifically targeting a suspect and gaining physical access to their hardware vs. any number of government employees/contractors sitting at their desk browsing through anybody's data with little to no technical limits and little to no oversight?

One of the slides literally says that users must be careful to AND their query with another parameter to avoid running afoul of the law.

At this point the only difference is cost and scale. What the NSA is doing needs to be reeled in big-time, probably even shut down completely, but that doesn't mean being all tin-foil hat will somehow make you immune to what they're doing.

I'm sure they know everything they need to know about Stallman, just as they do about everyone else, apparently. Unless he's sitting in a cave writing EMACS source on goat hides, they'll have a window into his activities.

> At this point the only difference is cost and scale.

Only if we are talking about the same types of attack, which we aren't. If you do "wrench" style targeted attacks at a large scale, you'll leave 10%+ of the population injured, how is that supposed to work out for a government?

Stallman's counter-measures probably work as long as only very few people use them. The same is probably true for terrorists, which is why this whole dragnet surveillance does not really work towards the stated goals and "crackpots" like me suspect it may have more to do with bullying people into self-censorship.

NSA spying is not designed for the individual. It's designed for the masses. It's to keep the populace in check. It's Century of the Self and Edward Bernays, except for the 21st century.

It's an update to what was already going on.

Sufficiently strange behaviour actually enables tracking; 'strange' is almost a synonym for 'unique' in this context.

He only runs code that he can vet. You can't do that when you use Javascript, or use a proprietary OS, for example.

