Schneier on Security
A blog covering security and security technology.
January 13, 2014
How the NSA Threatens National Security
Secret NSA eavesdropping is still in the news. Details about once secret programs continue to leak. The Director of National Intelligence has recently declassified additional information, and the President's Review Group has just released its report and recommendations.
With all this going on, it's easy to become inured to the breadth and depth of the NSA's activities. But through the disclosures, we've learned an enormous amount about the agency's capabilities, how it is failing to protect us, and what we need to do to regain security in the Information Age.
First and foremost, the surveillance state is robust. It is robust politically, legally, and technically. I can name three different NSA programs to collect Gmail user data. These programs are based on three different technical eavesdropping capabilities. They rely on three different legal authorities. They involve collaborations with three different companies. And this is just Gmail. The same is true for cell phone call records, Internet chats, cell-phone location data.
Second, the NSA continues to lie about its capabilities. It hides behind tortured interpretations of words like "collect," "incidentally," "target," and "directed." It cloaks programs in multiple code names to obscure their full extent and capabilities. Officials testify that a particular surveillance activity is not done under one particular program or authority, conveniently omitting that it is done under some other program or authority.
Third, US government surveillance is not just about the NSA. The Snowden documents have given us extraordinary details about the NSA's activities, but we now know that the CIA, NRO, FBI, DEA, and local police all engage in ubiquitous surveillance using the same sorts of eavesdropping tools, and that they regularly share information with each other.
The NSA's collect-everything mentality is largely a hold-over from the Cold War, when a voyeuristic interest in the Soviet Union was the norm. Still, it is unclear how effective targeted surveillance against "enemy" countries really is. Even when we learn actual secrets, as we did regarding Syria's use of chemical weapons earlier this year, we often can't do anything with the information.
Ubiquitous surveillance should have died with the fall of Communism, but it got a new -- and even more dangerous -- life with the intelligence community's post-9/11 "never again" terrorism mission. This quixotic goal of preventing something from happening forces us to try to know everything that does happen. This pushes the NSA to eavesdrop on online gaming worlds and on every cell phone in the world. But it's a fool's errand; there are simply too many ways to communicate.
We have no evidence that any of this surveillance makes us safer. NSA Director General Keith Alexander responded to these stories in June by claiming that he disrupted 54 terrorist plots. In October, he revised that number downward to 13, and then to "one or two." At this point, the only "plot" prevented was that of a San Diego man sending $8,500 to support a Somali militant group. We have been repeatedly told that these surveillance programs would have been able to stop 9/11, yet the NSA didn't detect the Boston bombings -- even though one of the two terrorists was on the watch list and the other had a sloppy social media trail. Bulk collection of data and metadata is an ineffective counterterrorism tool.
Not only is ubiquitous surveillance ineffective, it is extraordinarily costly. I don't mean just the budgets, which will continue to skyrocket. Or the diplomatic costs, as country after country learns of our surveillance programs against their citizens. I'm also talking about the cost to our society. It breaks so much of what our society has built. It breaks our political systems, as Congress is unable to provide any meaningful oversight and citizens are kept in the dark about what government does. It breaks our legal systems, as laws are ignored or reinterpreted, and people are unable to challenge government actions in court. It breaks our commercial systems, as US computer products and services are no longer trusted worldwide. It breaks our technical systems, as the very protocols of the Internet become untrusted. And it breaks our social systems; the loss of privacy, freedom, and liberty is much more damaging to our society than the occasional act of random violence.
And finally, these systems are susceptible to abuse. This is not just a hypothetical problem. Recent history illustrates many episodes where this information was, or would have been, abused: Hoover and his FBI spying, McCarthy, Martin Luther King Jr. and the civil rights movement, anti-war Vietnam protesters, and -- more recently -- the Occupy movement. Outside the US, there are even more extreme examples. Building the surveillance state makes it too easy for people and organizations to slip over the line into abuse.
It's not just domestic abuse we have to worry about; it's the rest of the world, too. The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others. Our choice isn't between a digital world where the NSA can eavesdrop and one where the NSA is prevented from eavesdropping; it's between a digital world that is vulnerable to all attackers, and one that is secure for all users.
Fixing this problem is going to be hard. We are long past the point where simple legal interventions can help. The bill in Congress to limit NSA surveillance won't actually do much to limit NSA surveillance. Maybe the NSA will figure out an interpretation of the law that will allow it to do what it wants anyway. Maybe it'll do it another way, using another justification. Maybe the FBI will do it and give it a copy. And when asked, it'll lie about it.
NSA-level surveillance is like the Maginot Line was in the years before World War II: ineffective and wasteful. We need to openly disclose what surveillance we have been doing, and the known insecurities that make it possible. We need to work toward security, even if other countries like China continue to use the Internet as a giant surveillance platform. We need to build a coalition of free-world nations dedicated to a secure global Internet, and we need to continually push back against bad actors -- both state and non-state -- that work against that goal.
Securing the Internet requires both laws and technology. It requires Internet technology that secures data wherever it is and however it travels. It requires broad laws that put security ahead of both domestic and international surveillance. It requires additional technology to enforce those laws, and a worldwide enforcement regime to deal with bad actors. It's not easy, and has all the problems that other international issues have: nuclear, chemical, and biological weapon non-proliferation; small arms trafficking; human trafficking; money laundering; intellectual property. Global information security and anti-surveillance needs to join those difficult global problems, so we can start making progress.
The President's Review Group recommendations are largely positive, but they don't go nearly far enough. We need to recognize that security is more important than surveillance, and work towards that goal.
This essay previously appeared on TheAtlantic.com.
Posted on January 13, 2014 at 6:28 AM
Here is a somewhat parallel video of a police intelligence operation in England: 'Confessions of an Undercover Cop'.
He was in what is called the 'National Public Order Intelligence Unit' that infiltrated and spied on people in England who were basically protesters.
If the NSA treat me as their enemy, is that a sign the NSA consider themselves to be my enemy?
(where "I" is every citizen)
It's obvious what needs to be done : p2p everything.
Not going to happen? Tough shit, then it's total surveillance.
Build foolproof tools and make them the default. Sell them cheaper than those subsidized by surveillance. Can't be done? Then it's not going to ever stop.
Which wouldn't be a problem if I had access to it. And you. And everyone. I'm willing to give up MY privacy in exchange for EVERYone else's, but NO less. That's called 'reciprocity'. And I'm ok with that. And if you think for one second, you will be, too.
It seems to me the best way to control the NSA is by severely restricting its budgets. No need for more laws! But this would require the executive and legislative branches to concur that the NSA needs to be controlled. Maybe I am naive...
*stands and applauds*
It feels weird standing in front of my computer and clapping to an empty room, but it's the right thing to do.
To the list of abuses you could add that the Dept. of Homeland Security was only a few months old when Tom Delay tried to use it to track Texas Democratic legislators who had left the state to block a GOP redistricting bill. People sometimes overstate slippery slope arguments, but our government has a long history of using whatever information it possesses.
Very good article.
A thought that I've entertained for the last few months, albeit combating just a tiny part of the whole surveillance apparatus - the subversion of equipment/firmware/software with vendor knowledge - is as follows:
Just as the vendor attaches an EULA or a copyright notice with each deliverable product, or declares that the product abides by the ITAR regulations, UL, FCC rules etc., I want to see a certificate, signed by the acting Vendor's CEO and CTO, guaranteeing that they have no knowledge whatsoever of any influence, contact, discussion or effect by a gov agency during the product design, manufacture and shipping. If the product or one of its modules is OEM or outsourced, the declaration should be obtained from the whole product chain.
CEOs can play with words, but try very hard not to be caught lying, so they will be careful with such a statement if it is composed properly by an independent group, like, for example, the GPL licensing terms.
If there is no signed statement accompanying the product, people will take notice.
The force behind such a notion may come from EFF, IETF, IEEE, DIN or other groups.
This is a stunningly incisive, thorough and persuasive INDICTMENT of US electronic intelligence agencies.
People should be marching in the streets, with pitchforks, after reading it. But, they aren't and won't. We have become sheep.
I'm glad you finally see the government will not correct, to any significant degree, mass abuses of our Constitutional and human rights. American aristocrats in Congress simply don't think we are equal or entitled, like them.
I think it's time we offered our governments an amnesty...
We know they cannot stop themselves from snooping on our every word (the habit is too ingrained); but the ultimate affront is that we pay for it.
So, the amnesty - I will give my government the passwords to everything I have - snoop away to your little hard-hearted heart's content.
One condition - you spend the money I've just saved you on something useful - hospitals, would be a good start.
What is the use of reform if the government and its agencies just lie about what they do and do not obey their own laws, or change those laws to suit their purposes?
I have a certain degree of faith in the national policing, security & intelligence agencies of the US & other five-eyes nations.
However, that faith is a moot point in this debate.
Firstly, these surveillance capabilities are NOT unique to the state organs of the five-eyes nations. Given that national borders are largely transparent to the flow of personal information, it is certain that innumerable state and non-state actors are feasting on the glut of compromising personal information that flows across the face of the globe today.
Secondly, the senior ranks of our political and administrative classes are not completely devoid of amoral and opportunistic individuals. If we provide the tools of mass surveillance to an elite, no matter how trusted, no matter what checks and balances we put in place, abuses by *somebody* are a long-term statistical certainty.
However, I would like to de-emphasise this second point. Media attacks that directly or indirectly seek to denigrate the character of the intelligence community are polarising and counter-productive.
We desperately need the assistance of the intelligence community to defend our privacy from others who would exploit our increasing personal insecurity. We need to reach out to our intelligence community; to recognise that it is populated almost entirely with patriotic, diligent, hard working professionals; to note that we entrust our personal data with them, placing enormous faith in their ability to do their job and adhere to the highest possible ethical, moral and professional standards.
However, having recognised their contribution and dedication, we need to point out that the intimacy, persistence, and ubiquitousness of modern technology raises the level of responsibility that we ask them to shoulder to unprecedented levels; beyond any burden that they have had to bear before.
I feel that it is unreasonable to ask our security services to bear this burden. The responsibility is far beyond anything that I would contemplate forcing upon myself.
As a result, we should recognise that the present juncture offers an opportunity for our society to take a position of restraint and enlightenment; one in which we collectively recuse ourselves from the ever-increasing burden of responsibility placed on us by the advancement of technology.
Let us engineer a future with deliberate technological barriers to surveillance: state, commercial or criminal -- or, failing that, let us do away with the technology that so undermines our personal liberty.
The remedy you suggest is a variant of what is called a "warrant canary" (referencing the old convention of a "canary in a coal mine", and a form of the "dead man's handle" on trains). There have been many proposals along the same lines - basically the idea is that if the message disappears, users can conclude that the provider has been coerced to trojan the product or service.
I'm not sure whether it's been tested in a US court, but the general consensus seems to be that anyone who did this would be jailed for violating the gag order. In other words, there is no longer (if there ever was) any right against being forced to lie to the public and deceive customers.
Any speculation on the possibility that NSA degradation of online security protocols (RSA encryption, for example) may have contributed, unwittingly, to the Target data thefts?
@harald: "there is no longer (if there ever was) any right against being forced to lie to the public and deceive customers." ...
Q: How can you tell when a salesman is lying?
A: You can hear someone talking.
There are times when I would not mind telling the truth... but the whole truth? Maybe not!
Remember, we all have a certain degree of programming to desire respect (usually through "reputation"), and, yes, that is the thing many people find attacked (it is far easier to attack someone's reputation than their honor) in order to "shame" them. Surveillance makes that easier.
Let's also look at what happened to GrokLaw.net, silenced because, with the NSA able to do some digging, those blowing whistles on crooks using patents and the like can be intimidated by exposure.
If a capability exists, some crook will find an exploit, be it technical, legal, social or psychological.
"It does not matter how well-crafted a system is to eliminate errors; regardless of any and all checks and balances in place, all systems will fail because, somewhere, there is meat in the loop." - me
The NSA have essentially changed the game, so to speak. The Internet was founded upon collaboration and just being friendly to the extent that for much of its early life some of the most critical infrastructure relied on unencrypted protocols like plain snmp or telnet, or BGP without any authentication extensions.
Well, the game has most definitely been changed. I think in the next twelve to thirty six months we will see:
- any site that processes user information in the form of a submitted form, no matter how mundane, will be compelled to use TLS to protect that data. Moreover, sites that typically wouldn't have a need for TLS will start offering a mirrored version of their site on https for privacy-concerned users. Some may make it their default.
- a complete review into the completely broken certification authority model which our browsers are programmed to implicitly trust. It is broken. Root certs are in the hands of those who you just can't trust and the game is over. It is time for a better solution. Hell, even an openssh style solution where the browser keeps a cache of site information and alerts on a change would be an improvement. Personally I think that with a little initiative a crowdsourced distributed "web of trust" could be created. The more entrepreneurial could probably see a way to bind this to a cryptocurrency in the form of a bond, ie: "XXX industries puts up XXX BTC to assure that YYY LLC is who they say they are."
- an open revolt against advertisers and conglomerates like Google from mining our personal data, identifying us through browser profiling, etc.
Almost everything about the breach is privately held, and what little is publicly known comes from Target press releases. I'm aware of only three disclosures so far. From memory, with help from Wikipedia, I will paraphrase what Target stated. My comments are in italics.
December 19: 40 million credit / debit card transaction records were stolen from us between November 27 and December 15. No PINs from debit cards were stolen. So sorry, everyone.
December 27: Oops, the debit card records included PIN numbers, although as these were encrypted with 3DES, we can assure you they're safe and secure. So sorry, once again.
Those who read Bruce's blog should already know that just because a 3DES cipher was used doesn't mean this information is "safe and secure". A cipher is not an implementation, and an implementation can render a secure cipher insecure in usage.
January 10: Oops. 70 million records of PII were also stolen.
There was no disclosure of how many of these overlapped with the 40 million financial transactions, leading most press to describe the total breach as "up to" 110 million records.
@Mike the goat - both pointless if there is a "man in a dark suit" sitting next to the admin in the company's data center.
What is more likely is that people will move their business (and data) to countries that they trust. Just like you put your cash in a Swiss bank rather than a Zimbabwean one, you will put your cloud data on a Swiss server rather than a USA one.
The Maginot Line could be circumvented and was. And it was a clearly defensive structure, so on the "good" side (as long as military properties can be good; having defensive structures can free soldiers for offensive actions).
I think battleships are better for comparison. Expensive, visually and technically impressive, good for propaganda... and essentially useless in nearly all wars. They were used, but using them to their purpose was rare and mostly not relevant. They were mainly used for auxiliary actions where specialized units would have been better. No country has any battleships anymore today.
It requires ... a worldwide enforcement regime to deal with bad actors.
Any idea how this could work?
Today the USA isn't even following its own constitution nor international laws concerning human rights it signed, in broad daylight (e.g. Guantanamo), without any institution (domestic or international) being able to do anything about it, including even the President of the USA.
Regarding legal restriction within the USA: All it takes is to ask "do you really want to be that politician who signed a law that could be blamed to have enabled a terrorist attack where people died?" and everybody will back off.
@Bruce. The Law should establish general principles of Government/business and citizens' rights related to current and future technology. Regulations could be more flexible and generated based on those general principles of priority: interest of citizens (privacy, security of their PII) is going first, interest of business (all PII collection) is going second with upfront clear agreement of citizen, Government is protecting citizens' privacy/PII using technology and resources against any unauthorized access/collection/storage/distribution/sale etc. by any culprits domestic (crooks of all sorts including corporates) or foreign (you know them). Government is authorized to collect meta data as intelligence activity without disclosing/looking into details until clear 'red flags' (terrorism, violent crimes, etc.) pop up as a warning sign of preparation of crime or committed crime.
As soon as details collection is required for particular targets/names, then a Court order is required. Citizens could do anything not banned openly by non-accordion law. Government could do what it is authorized to do within the scope of authority only as stated in statute/regulation, i.e. what is not authorized is banned.
@Winter: NSA (and any other LEA) is not your enemy, but they are NOT your friend except when YOU ask them for help/protection. For all other cases - 5th!
@Harald: I guess an oral 'gag order' is not appropriate at all. There is no remedy for a citizen to overturn it in a court. For all cases a person should have a right to refuse any communication with LEO without the presence of his/her lawyer.
@William Payne: yeah, NSA could restore trust by simply finding out who recently violated the privacy of many customers (Target, NM), meaning as soon as their technological and intellectual potential is utilized for the common good. Just do a small right thing for the common folks!
The Maginot line worked as intended: it prevented Hitler from accessing France directly over the Rhine, forcing Germany to go through the low countries first. (I'm sure they were less than thrilled about being used as France's buffer countries.) This gave French forces a much narrower field of engagement, and they faced German forces that had very recently seen combat with the associated losses and damage. Moreover, the supply chains were less straightforward.
Unfortunately, these advantages were insufficient in the circumstances.
You can argue that the Maginot line was too expensive for the effect it had, but it was far more effective than NSA surveillance.
A completely different POV from Fred Kaplan in Slate:
The documents that he gave the Washington Post’s Barton Gellman and the Guardian’s Glenn Greenwald have, so far, furnished stories about the NSA’s interception of email traffic, mobile phone calls, and radio transmissions of Taliban fighters in Pakistan’s northwest territories; about an operation to gauge the loyalties of CIA recruits in Pakistan; about NSA email intercepts to assist intelligence assessments of what’s going on inside Iran; about NSA surveillance of cellphone calls “worldwide,” an effort that (in the Post’s words) “allows it to look for unknown associates of known intelligence targets by tracking people whose movements intersect.” In his first interview with the South China Morning Post, Snowden revealed that the NSA routinely hacks into hundreds of computers in China and Hong Kong.
These operations have nothing to do with domestic surveillance or even spying on allies. They are not illegal, improper, or (in the context of 21st-century international politics) immoral. Exposing such operations has nothing to do with “whistle-blowing.”
Many have likened Snowden’s actions to Daniel Ellsberg’s leaking of the Pentagon Papers. (Ellsberg himself has made the comparison.) But the Pentagon Papers were historical documents on how the United States got involved in the Vietnam War. Ellsberg leaked them (after first taking them to several senators, who wanted nothing to do with them) in the hopes that their revelations would inspire pressure to end the war. It’s worth noting that he did not leak several volumes of the Papers dealing with ongoing peace talks. Nor did he leak anything about tactical operations. Nor did he go to North Vietnam and praise its leaders (as Snowden did in Russia).
"gauge the loyalties of CIA recruits in Pakistan" is ironic, since if they have been recruited by a foreign country, such as the USA, then they are already traitors. Gauging the loyalty of traitors ... unreal.
@Corwin "I'm willing to give up MY privacy in exchange for EVERYone else's, but NO less."
You make some very good points, but the above sentence entails the advocacy of collectivism.
Substitute "intellectual property" for "privacy" and you'll see what I mean.
Defending individual rights on a collectivist premise involves a contradiction.
IMHO all the 'no help against terrorists' talk goes in the wrong direction. They _know_ that it doesn't help against terrorists.
It's just the official excuse to some other secret goals.
Any idea which goals that might be? I'm sure 'prevent terrorism' is very late on that list!
It's probably more sth. like 'control the crowd', 'keep the crowd calm', power, money, .. things like that .. just guesses though.
"the [*] surveillance state is robust. It is robust politically, legally, and technically."
Those are truly post-Orwellian words. When the officers grow old and have time to think back about their actions, they will probably ask themselves "what have I done?" And they will try hard to find excuses because they are the good guys and have always helped the matrix.
"the NSA continues to lie..."
What does "lie" link to? To Conor Friedersdorf, who links to the like-minded Mike Masnick, who links back to Conor Friedersdorf (echo chamber anyone?). Friedersdorf claims that "We can audit the actions of our people" is a lie because the NSA didn't audit Snowden's actions.
This is a deliberate ignoring of context. The context of the audit claim was with respect to the NSA's capacity to catch employees who snooped on Americans without authorization. "I have four daughters. Can I go and intercept their emails? No. The technical limitations are in there." For Alexander's statement to be fairly described as a lie, the context of Alexander's statement would have been Snowden, not his capacity to spy on his daughters and not get caught.
Not anyone else's job to note the context, you say? An all too common attitude. If the NSA did backdoor Dual EC DRBG (and that is a very big if), no other actor could go through that door. Schneier knows this, but he has sat on this knowledge of his instead of reminding people of this fact because it doesn't fit the NSA-is-a-bogeyman line. This isn't to recommend widespread use of Dual EC DRBG, which has other issues, performance not being the least of them. It is rather to note that the claim that if there is a door any common criminal can hop through it as well is totally bogus.
"...the diplomatic costs, as country after country learns of our surveillance programs against their citizens."
Everyone should be fully aware that foreign governments and international criminals are consistently attempting and succeeding in compromising US public and private information systems. Nation states are not going to stop cyber espionage just because we ask nicely. Moreover, most nation states will do very little to combat cyber criminal syndicates operating from their borders. It is therefore unrealistic to expect the US to abide by a standard to which no one else will hold themselves.
The US Constitution does not apply to the Chancellor of Germany or the Prime Minister of Israel. I expect that our intelligence services do everything they can to obtain and maintain preeminence in the realm of spycraft.
I've got a solution; just dissolve all of the NSA's surveillance operations, and put the money into NASA's budget!
@ Michael Barbere
Are you for such NSA efforts even if it means weakening every layer of our security against those same national opponents? Introducing weaknesses into our critical software and infrastructure aids the enemies you described. That's treason as far as I see.
They want to try to spy and hack foreign targets? Fine. Just don't make us vulnerable to attackers while saying on TV that you will protect us from the same attackers. That they've continuously done this shows they are a liability to national security.
The solution to defending against hacker threats is called INFOSEC. NSA led the way decades ago to promote and certify systems that were largely impenetrable. They then killed off that entire market by accepting the lowest assurance software and buying little high assurance software. They also restricted sales of it. So, if anything, NSA control of IA activities did more damage to our national INFOSEC than many adversaries combined. They're still doing the same things with the likes of SELinux, VMware-based platforms, and so on.
So, to recap:
1. NSA knows the solution is secure by design systems.
2. NSA has rare expertise to build and certify them.
3. NSA had political power to make market do that for federal contracts (and did for a while).
4. NSA buys and certifies massive amounts of insecure software for classified or critical systems.
5. NSA weakens crypto standards.
6. NSA ensures truly secure software has no ROI.
7. NSA both inserts and maintains 0 days black hats can find in US systems.
8. NSA insists solution to INFOSEC is they get to implant and monitor and control all critical systems.
9. NSA fails to protect its own systems from basic insider threat tactics.
10. Those same systems have massive surveillance and attack powers over American systems.
Put it together, we'd be safer if NSA didn't exist because at least they wouldn't be making the baseline weaker every year, detracting from real infosec efforts, and putting us all at risk to foreign high level attackers.
The Maginot line was very effective, nowhere was it crossed by the invaders.
1st: the M.L. was not prolonged along the Belgian boundary, mainly for political-diplomatic reasons: the Belgians were (supposed to be) neutral (though it turned out King Leopold had a weakness for Hitler!). Notwithstanding Leopold's penchant, anyway, all the Germans had to do and did was to cross Belgium to attack France: it's not as if Hitler had any scruples violating a neutral country.
2nd point: the Ardennes forest was reputed "uncrossable", thus not protected by Maginot's line of forts and defences. However Guderian's tanks were able to cross the uncrossable ... (This alone would not have given the German troops the edge however; factor 1 above was the real cause of the success of the "blitz" offensive of May-June, 1940.)
Success of intercepting the Syrian chem weapons info ?
Not what the Syrians say.
There is an interview with some Syrians who say the chem weapons were from Saudi's, and have pics of the canisters. They were left in tunnels by Saud's, for another attack on Syrians, and some dumb grunt triggered one.
Those canisters were tagged with a Saudi division of a Brit chemical company.(there is also a div in Texas)
It's on RT, but interviews with folks who knew about the tunnels, and the pics.
The "intercepted calls" has elsewhere also been shown to be a VERY bad interpretation of actual spoken words.
It is quite easy to assume we have been "handled" on that incident also.
As for the Target breach.
That is actually a criminal incident against Target.
We have to go through an audit that makes sure we do NOT store that info. After a day's sales, we are supposed to dump all that info from our machines. If this info was stored, instead of scraped, every single one of these folks has a legal right to sue.
What makes you think the elliptical encryption is backdoored?
It is weakened in a simple way to allow easy brute forcing. This is a wholesale encryption baseline attack, which is why so many folks are pissed at RSA.
I am glad there are still patriots that believe that the US is doing the right things.
After reading the Economic Hitman, and the revelation of the Gulf of Tonkin treason, I have no assumption of the good faith and honor of the DNI or the Justice Dept in being accessories to the fact.
The real reason the ML failed was because it was an outdated method of warfare before even pen went to paper on its design. It was done for political reasons (just like the DHS) and it was so expensive (just like the DHS) that it crippled the French economy and thus prevented any possible investment in more up-to-date methods of defence.
It's been said that WWI was the first to bring modern science and engineering to the theater of war. It's also the first where civilian targets well behind any defensive measure could be targeted and, more importantly, the effects of such attacks recorded accurately and analysed within six hours. This is because it was the war where the fledgling technology of aircraft became, in just a couple of years, a platform from which to project war deep into enemy territory.
Whilst the German Generals picked up on this change in the order of battle the victors of WWI either did not or ignored those who did.
The indicators that Germany was planning "fast warfare" were clearly there to be seen and heard on the airwaves, as well as the build-up of weapons such as tanks, planes and infantry transport and support vehicles.
The German involvement in fighting in Spain (as reported by, amongst others, George Orwell) should have raised all sorts of concerns in the British, French and US Governments and military commanders. If it did, it went without attendant action, as politically Britain practiced appeasement in Europe and hid on the other side of the channel, the French hid behind the illusion of the ML, the US went further into isolationism from Europe and chose instead to focus itself on the Pacific. And Russia went into a form of appeasement as well, supplying Germany with many resources at favourable rates and agreeing to divide up Eastern European countries like Poland.
It's not hard to see why Hitler must have thought the way he did.
Arguably the only reason it went wrong for Hitler the way it did was that the then King of England, who was much taken with Hitler, decided he would marry an American divorcee by the name of Wallis Simpson. The British Government of the time forced him to abdicate, and in the following fallout a lot of those who had sympathies for Hitler lost political power, which allowed Winston Churchill, who saw Hitler as a significant threat, to regain political power and start re-arming Britain.
Re Target, this was posted here a while back:
Target is "a high-tech [forensic-services] firm masquerading as a retailer." They can hire themselves to solve the crime, if it isn't some kind of internecine warfare.
"@Winter: NSA (and any other LEA) not your enemy, but they are NOT your friend except when YOU ask them for help/protection. For all other cases - 5th!"
But the NSA and my local Intelligence Service treat me as an enemy. They put me under constant surveillance and collect intelligence to use against me. I have never heard of any hint that they might use this information to help me, except in very abstract ways, like collateral benefits.
As far as I know, the probability that I might suffer as collateral damage from their work seems to be far greater than that they might bring me any personal benefit.
We already know they do not reduce terrorism nor crime. They also do not protect my online nor computer security. On the contrary, they reduced my online security and might very well hack into my computer at some time when it fits them.
So how should I treat an organization that will likely damage me and treat me as their enemy?
So much is successfully justified on the premise that government has our best interests at heart, and its adversaries don't. Nice world, but not ours, and if you really understand democratic principles, it's almost backwards.
@TimL "Defending individual rights on a collective premise involves a contradiction"
Not necessarily. I can say for example 'the law should apply to everyone'.
Also I think privacy is a much more complicated idea than the concept of property. For example, you may agree to disclose separately some bits of information about yourself which on their own don't constitute any breach of course, but that when put together by a database form a bigger picture, an inferred knowledge about you whose disclosure you would consider a breach, even though you had signed off on the small bits separately. Just one of many cases in which the analogy to property falls short.
Lastly, I personally agree with @Corwin in that if everyone else had no privacy (in other words, if all those in positions of power were unable to resort to secrecy at any given time), I would be in favor. However such a scenario will never happen in the real world, so what we can have is everyone's privacy rights respected.
Unlike him though I'm not so sure everyone else would agree no matter the amount of reflection. :-) One of the reasons it could never happen...
Mexaly: Indeed. "Put away from you a wicked friend, and summon to your side a virtuous enemy". ("Atsumori" by Zeami Motokiyo)
Before bitcoin, we had (have?) Zimmermann's web of trust. Maybe we should scale that up and over to a routeable protocol for high speed.
The NSA is exploiting defects in implementation.
There's an adversary in the channel. We have apps for that.
(BTW, great use for Bitcoin: legal marijuana trafficking.)
There is news about people boycotting the RSA conference. Any thoughts on that?
The NSA's collect-everything mentality is largely a hold-over from the Cold War, when a voyeuristic interest in the Soviet Union was the norm.
There were two aspects to this; arguably one was right and the other wrong, just as it is today.
The first was the interception of "spy traffic" signals encrypted by One Time Pad. As project VENONA showed, mistakes made by the Russians years and thousands of miles apart paid dividends.
The second was the interception and recording of all civilian communication with communist countries and investigations by the FBI. Although not all records have been released yet, those that have suggest that just as today little of any worth was found.
Still, it is unclear how effective targeted surveillance against "enemy" countries really is. Even when we learn actual secrets, as we did regarding Syria's use of chemical weapons earlier this year, we often can't do anything with the information.
It's usually referred to as "methods and sources" but this hides its characteristics in obscure meanings.
There are two basic types of intel: that which you get passively and that which you have to actively go out and get. In effect countries and organisations "radiate information" in countless ways, as a broad analogy much like electrical/electromechanical equipment and TEMPEST. The problem is how you gather this information; if it becomes known to the country they can either find ways to stop it radiating or render it useless by polluting it with false information.
This problem was well known back in WWI and Churchill was rather indiscreet about it in one of his books. He appeared to have learnt his lesson by WWII and as a result laid down very strict rules for the handling of decoded German Enigma intercepts. And famously he made his comment about "the geese that laid the golden eggs but never cackled" about those at Bletchley Park.
However the Winterbotham book in 1973 let the cat out of the bag and shortly thereafter much of the old WWII crypto equipment that had been sold to third world countries stopped being used and was replaced by equipment from Switzerland.
Likewise Ronnie "raygun" was indiscreet and, lo and behold, a middle east country realised that its encrypted traffic was being intercepted again and worked out its crypto gear had a back door. What came out from this was the existence of a cosy little arrangement between the NSA and Crypto AG in Zug, Switzerland, that had designed and manufactured the crypto gear. Now I've good reason to believe that Crypto AG equipment still contains flaws/backdoors as it is the Crypto Fax equipment that the EU uses that appears in the NSA/GCHQ slides. So I expect quite a few countries will no longer be buying Crypto AG kit, or will find ways to render information from it effectively useless...
More recently Hillary Clinton accidentally released NRO capabilities when Obama had that little "photo op" in the situation room that included Hillary's laptop screen. The question now becomes: have other countries changed their behaviour because of it?
Oh and then there was that classic example of a guy sitting in the desert with his laptop displaying the drone footage of himself...
And then there is the example of this blog being switched over to using HTTPS as the default, in response to Ed Snowden's releases, even though prior to that NSA snooping had come up several times on the blog itself over a number of years.
Arguably all but the last example are bad, even though, OpSec-wise, it is the same as the other examples. From the FBI point of view they call it "Going Dark" and they have argued that it will result in a loss of "criminal intelligence".
However, like LEAs in other countries, the FBI has failed to demonstrate that they actually need intercept data; at best it has been supporting, not primary, evidence. And nobody has provided, even though challenged, the details of a case that could only have been brought to court by intercept data and not by more traditional policing methods (the Dutch have been the closest as far as I can tell).
So outside of immediate action in the likes of real war (ie "hot war", not phoney / faux / cold) or trade negotiations there is either very little or no evidence that "going dark" actually affects anything in a significant way.
As for Cyber-war, arguably it does not exist as conventional warfare and is more correctly called Cyber-espionage or Cyber-crime. Would a lack of secret intelligence affect it? To be honest, probably not.
And this is the issue with intelligence: it is in many respects like journalism. Most journalism provides news which informs, but rarely does it directly affect a person's course of actions.
A classic example of this is the Ed Snowden revelations; in many cases they just confirm what was already known or suspected. The reporting in most cases is good journalism, but can anybody reading this blog put their hand on their heart and say it's had any real effect on their behaviour?
I suspect very few. Now consider not security professionals but "the common man on the Clapham Omnibus". He is considered the benchmark for reasonable behaviour, thought and action; how has he been affected? What changes has he made due to the reporting..?
Most likely none, and it's the same with nation states like Germany and Belgium: have they done anything other than make token protest?
And the underlying reason in nearly all cases is that even if they wanted to change, they can't, or at best only with glacial slowness.
Further, even if they can change, will it make any difference?
The simple answer is no.
For example, this blog is now by default using HTTPS; what has it actually achieved? The simple answer is, on its own, little or nothing. Even when using a mix-net the answer is again little or nothing if you are a targeted individual.
There are some good points in this article, but much of it is a rather weak repetition of scattered and misleading assertions.
but we now know that the CIA, NRO, FBI, DEA, and local police all engage in ubiquitous surveillance
The NRO link takes me to an ars technica article on the NRO's logo for a spy satellite. This has zero to do with Snowden's documents, or with any of the surveillance programs at issue. It's included simply to create the effect of a mountain of evidence.
Brian Dell, above, caught the weak reference linked in the "the NSA continues to lie about its capabilities" claim.
NSA Director General Keith Alexander responded to these stories in June by claiming that he disrupted 54 terrorist plots. In October, he revised that number downward to 13, and then to "one or two."
This is one of the most widespread and tenacious myths about Alexander's initial claims.
The "54 terrorist plots disrupted" comes from the headline of your link. But Alexander was actually much more careful and much more specific when he spoke.
He did not say that "54 plots" were disrupted. There was no walking back during his testimony to the Judiciary Committee in October, as another one of your linked articles claims.
Here's what Alexander actually claimed back in late June:
On 21 June...we provided 54 cases to several congressional committees in which these programs contributed to our understanding, and in many cases, helped enable the disruption of terrorist plots in the U.S. and in over 20 countries throughout the world...
Here are some statistics of those 54 events. Of the 54, 42 involved disrupted plots.
Alexander distinguishes from the outset between plots and events. There was no hiding the ball, and no lying. He goes on:
Twelve involved cases of material support to terrorism. Fifty of the 54 cases led to arrests or detentions. Our allies benefited too. Twenty-five of these events occurred in Europe, 11 in Asia, and five in Africa.
He's clear that many of the cases occurred overseas, and not in the United States.
Thirteen had a homeland nexus. In 12 of those events, Section 215 contributed to our overall understanding and help to the FBI - 12 of the 13...
Mind you, those 13 are the only ones where Section 215 could play any role. They helped in 12 - something not denied by Senator Leahy, or anyone else. Senator Leahy asked Alexander for the number of those 13 in which the government would NOT have disrupted the event but for Section 215. Alexander responded "1 or 2." However, you don't use a "but for" test to evaluate whether an intelligence tool is useful. In hindsight, you may see 5 different ways to come to the correct conclusion, and so NONE of those 5 ways, considered individually, will satisfy a "but for" test. Instead you ask, "if this tool did not exist, would it have been more or less likely that you would have arrived at the right conclusion, with the same amount of confidence, in the same amount of time?" Analysts aren't interested in wasting time - and when the issue is disrupting future terrorist events, time is absolutely of the essence.
In 53 out of 54 events, Section 702 data played a role, and in many of these cases, provided the initial tip that helped unravel the threat stream.
This is another claim that no one has disputed or denied, and is, if anything, more important than the Section 215 claim.
Contrary to the impression your own article gives, the NSA didn't walk back from their statement of the usefulness of Section 215 or Section 702 programs.
One more claim from your article:
It breaks our political systems, as Congress is unable to provide any meaningful oversight
links to two sources. One, a youtube video of a speech by Rep. Amash, essentially complains that to find out about the Section 215 program, he would have had to attend classified briefings and actually ask questions like, "are you using this authority to conduct mass surveillance?" This is because a Congressional committee failed to distribute a document given to them by the Administration, which was expressly designated for distribution to all of Congress and which briefed the Section 215 program (the Senate distributed it; the House did not). I suppose his claim is that Congress lacks meaningful oversight because Congress screwed up. Of course, access to the document doesn't pass Senator Leahy's "but for" test either, as he could have simply shown up and asked some perfectly obvious questions.
The second source is an article by Rep. Alan Grayson. He complains that:
Recently, a member of the House Intelligence Committee was asked at a town hall meeting, by his constituents, why my requests for more information about these programs were being denied. This member argued that I don't have the necessary level of clearance to obtain access for classified information. That doesn't make any sense; every member is given the same level of clearance.
One would think that he's talking about NSA domestic surveillance activities. But he's not. He's actually talking about a request for Syrian intelligence, some of which was denied to him by a 14-1 vote, and the rest of which was denied to him by a unanimous vote. What does any of this have to do with meaningful oversight of NSA programs under Section 215 or Section 702? Absolutely nothing.
So the storm of links that the article presents in a series of unqualified statements about the NSA gives the impression of far more evidence and truth behind those statements than there actually is, whether we're talking about how useful these programs are, or how substantive legislative oversight actually is. And because our background knowledge here on the NSA, and how Congressional oversight works, and how courts function, is really quite sketchy for the most part, these impressions make a big difference to how we perceive the issues at hand. They can easily lead one to think it obvious that the NSA is lying, that these programs are clearly useless at best, and that neither the courts nor the Congress has any control. And things just aren't quite that simple.
I could go on, but the comment is long enough already, and I've left no room to discuss the really interesting claim of the article, which is that it is in US interests to render communications completely secure even against lawful surveillance, on the rationale that if the US can do it, then so can someone else.
That's a really interesting argument, but I'd like to see it more fleshed out. There seem to be a lot of cases where surveillance capability actually was one-sided, notwithstanding great technical competence and resources on the part of both parties involved.
More and more, the NSA scandal resembles what happened in Europe in the late Middle Ages.
When Gutenberg put the printing press on the market (which was a financial, for-profit enterprise), it allowed the masses to communicate quicker via mass reproduction of books and posters. I will skip the illiteracy rate of the time.
Soon after, the biggest criminal enterprise of the age, the Catholic Church, came up with an answer: censorship. It confiscated ships for contraband books, burnt at the stake, etc. But the free flow of ideas continued to spread.
Then, there came around an educated monk, who made a pilgrimage to Rome and found how filthy it really was. When the pope sent his enforcer named Tetzel to collect protection money for the afterlife in the monk's own area, the people threw the whole Church out. It did not stop there. In fact, most of Europe did. Oops.
Now, substitute the printing press with the internet. Can you stop it?
General Alexander was caught lying with a smile. That proves he is ready to lie to protect the NSA anytime he sees fit.
When he said those statements, there was nobody to challenge him. That clearly shows there is a lack of even basic congressional oversight. The small group of people who could potentially dispute his claims are legally obliged to remain silent. Only an unsystematic information leak exposed his lies.
54 cases of "first tips" are just another nonverifiable claim, until some independent body confirms it, but that is not legally possible.
We don't know the content of the document briefing Section 215 programs and we do not know the timing. However, if it was before the leaks, Alexander wouldn't be able to lie in contradiction to the official document. That means there was either a substantial lack of information about the controversial scope of the programmes or it was distributed after Snowden - Senators learned more from newspaper headlines than from the actual institution they should supervise. This is in my opinion as far from "meaningful oversight" as it gets.
To hell with national security ... all valuable intellectual property of prominent US corporations is at risk thanks to the NSA's stupid decisions to maintain and exploit known vulnerabilities instead of pro-actively fixing them. We have massive data thefts, financial data stolen, corporate secrets stolen, widespread mysterious system downtimes, all coming at a huge cost to an economy mired in a long depression. Bad timing!
You gotta choose, NSA! Spy agency or security agency? Destroy secure communications or provide security for communications? Billions of taxpayers' dollars spent paying hackers for exploits, and for building big data collection and analysis centers - while leaving everyone insecure? Good choice NSA, you just got yourself a lifetime tenure job, you've made such a fine mess now.
The ars technica article sourced the acronym NRO. It possibly also pointed to the expected work product of that agency.
On point to the Schneier article:
DEA has a pretty legitimate mission. How many drug dealers are we arresting and successfully prosecuting?
NSA is supposed to catch spies and terrorists. I want to know why no trials? I don't believe in prophylactic surveillance! Does our surveillance produce evidence that holds up in court against criminals? If it doesn't hold up against criminals why does it hold up against me? (I'm pretty sure I can't afford a good enough attorney.)
I believe that your analysis of the events is both conservative and naive. As to the conservative nature of your opinion, I sense a tendency to discount, in favor of the government, based on more stringent requirements for the "intent" as opposed to the behavior of said agency(s). Where observers, you and I, must make specific cases of a veracity and burden to facts not required of said government. To have so easily discounted the FACT that the NSA did operate "unlawfully"--the debate would be how and in what manner a prosecution could be brought to bear--and that the court (yes Bates) made much of the "intent" of the NSA but not necessarily with respect to the violations of law. Thus I believe your objectivity is somewhat subjective--no matter the form or nature of your internal biases and proclivities.
Have you confirmed the fact that the NSA violated the constitution, thus the law, under 702 and 215--both under the FAA? The cited EPIC FAIL, 50 U.S.C. 1801(h)(1). For the person or persons that were victimized by the taking of nonpublic communications, protected fourth amendment communications, thus there are multiple counts of civil rights violations.
There are three years of this activity, along with 100,000s of citizens that had their civil rights violated by the government sworn to protect and defend those rights, which seems to be the height of hypocrisy. This is the FISA court's rendering of the facts, not my own.
If this isn't a/the stark event, the quiver leaving the bow of Orwellian state action, I don't know what is. Oh, wait, it gets better--it can now be said--this is my opinion--that the government is engaged in a conspiracy. A deliberate effort to subvert the constitution AND THE RULE OF LAW.
For example, the 2008 FAA was written in such a way that orders were to include, specifically stated in the law, sources and methods. This results in the near INSTANT CLASSIFICATION OF THE ORDER. This was deliberate--this was to keep the public from knowing the nature of the order--that goes against the very principles of the constitution, specifically the 5th amendment--and--is an affront to well established English and canon law.
This would give the government the ability to render anyone mute--even the supreme court is considered inferior in this case...the blatant and obvious TOOL that this law represents should be a clarion call to all who share and honor the law--not superstition, hearsay, and title--to shape our decisions and rule over [wo]men.
Our choice isn't between a digital world where the NSA can eavesdrop and one where the NSA is prevented from eavesdropping; it's between a digital world that is vulnerable to all attackers, and one that is secure for all users.
I just had to repeat that for posterity. Well stated, Bruce.
"We need to build a coalition of free-world nations dedicated to a secure global Internet,"
Are you serious? Do you think governments will voluntarily give up their ability to spy on people? You can't seriously believe that.
You can create some kind of secure private network maintained by individuals, but any global network will be spied upon forever.
Governments won't give up this power. Ever.
I disagree, a trustworthy society and a useful internet do not require more "broad laws". Nor do they require more of the "right technology".
They require a proper approach in how you treat other human beings to begin with. For example, "Don't punish everyone at a very high cost, for the mistakes of the individual few." (In other words: broad surveillance is not an antidote for terrorism; mutually beneficial action is.)
Terrorism is a weapon of fear. Fear makes you do stupid things, and it makes you give up your own values for your promised "defense". It makes you cure the symptoms first. No matter the cost.
He openly sabotaged US commercial interests, such as Cisco, which are being avoided in Europe now; I believe his days are numbered!
Let me become 'advocato diabolo' of NSA activity to provide some balance in the discussion.
(1) "General Alexander was caught lying with a smile. That proves he is ready to lie to protect NSA anytime he sees fit". Just recall "You want truth? You can't handle the truth!" - Bruce the actor, not Schneier. My guess is that, as a good soldier, the General understood the ramifications, but is ready to sacrifice his position protecting the NSA as a structure and its importance for domestic and foreign security.
(2) Do I like total surveillance? No. But in this case, if surveillance and enforcement are NOT in the same hands, that looks more favorable to me. As I stated in a previous posting in this respected blog, the NSA does not have its own enforcement arm, and could not generate a 'gag order' or 'three felonies a day', which is more dangerous than surveillance.
(3)I am sure that combined intellectual power of NSA employees is many times higher than any other LEA/Intel Agency because they have to rely on brain, rather than force to achieve goals. Goals are set not by NSA, but by political needs.
(4) The reality of life after 9/11 rearranged priorities/tasks for the NSA, incorporating domestic intelligence which was before the primary task of other LEAs, but the legal base for such activity was not timely set up for those changes matching the technical capabilities of the NSA. Yes, law/regulation is always behind changes in real life, but could the NSA wait for such regulation and put on hold vital activity, becoming reactive rather than proactive?
(5) Looks like the poor results (prevented acts of terror inside) are not caused by poor collection (ubiquitous), but by insufficient: filtering, fast cross-analysis of collected data patterns in real time, business/intelligence meaning of 'flags' taking into consideration different 'consumers' of such processed information: CIA, FBI, DEA have their own angle of activity and needs for particular input from the NSA (targeted sharing of intel).
(6) Do you know that your bank must file a SAR (suspicious activity report) on you as a customer with FINCEN without notifying you about that? Some criteria are preset, e.g. taking a huge amount of cash out of your account even though that is your money, but the Bank has wider discretion on that surveillance activity.
That SAR just triggers further (covert, as far as you are concerned) investigation, but not by the bank.
The same model may work for the NSA-to-other-LEA interface on intelligence collected by the NSA. A SAR-type report is forwarded to the LEA based on functions/primary targets; those LEAs conduct their own further intelligence/enforcement within the requirements of the Bill of Rights.
"And finally, these systems are susceptible to abuse."
My belief is that these systems are achieving their intended goal. The justification for implementing them may have been terrorism, but the thing they are actually useful for is giving those with access to the data leverage over others who don't. Those others might be terrorists, but they are also citizens, and even government officials.
These programs have been implemented and used by many countries, and they are sharing data. The NSA may be at the core of it all - who knows? - but the problem is much bigger than just the NSA.
The only way I know to fix any of this is to make governments - all governments - as small as possible. The only way I know to do this is for citizens to withdraw, as much as is feasible, their contribution to government via taxes. This requires living a more modest lifestyle that requires less income and therefore generates lower tax revenue. I don't really expect it to happen voluntarily on a broad basis, but with the way our current governments worldwide are "growing" (by deficit spending), they may implode on their own.
The most important question is: have they aided our enemies?
I can name three different NSA programs to collect Gmail user data.
I think this needs some clarifications.
The first one ("PRISM") is a targeted program, not feasible for mass surveillance.
The second one is hardly feasible for mass surveillance because Gmail users almost always connect with HTTPS.
And the third one is fixed by Google in the meantime, private links are encrypted now.
@Just Drop Out: "The only way I know to fix any of this is to make governments - all governments - as small as possible".
Agree that size matters, but just to some extent. If you have a strong middle class and less income disproportion, you need fewer enforcement Agencies and fewer prisons (lower crime rate - see Iceland); if you have sound demographic policy and good affordable health care, in the long run you need less spending on chronic/genetic diseases and the whole health system altogether (see Sweden).
If you create an incentive for smart and honest people to work for the Government (not as a stepping stone to jump onto a corporate board) based on a clear vision that Government is for at least 75% of the population and hiring is based on merits first (see Japan, South Korea), then, taking into consideration all other factors (you know what I am talking about), you need fewer people to conduct the same functions, and a smaller Government.
If you leave adult people alone in what is their personal business (what they smoke, drink, have intimate relations with, etc.), meaning you are not a babysitter for your citizens in their private matters, then fewer prisons, jails, LEAs, and a smaller Government.
If you support businesses (regardless of size) which deliver good products or services and create new jobs, then you have a bigger tax base and could decrease taxes, but you do differentiate the tax rate based on business nature (not a big fan of oil companies or the pharmaceutical 'mafia', but they got their money with sweat and tears). The point is one million dollars of profits in the manufacturing sector is NOT equal to one million dollars in banking, hedge funds, gambling, you name it. The latter have to be taxed accordingly (higher rate) and behave humbly, gaining respect as bankers do in Canada. Yeah, sweet dreams? Not really. In Singapore most of the above is reality due to a properly functional Government.
One big difference between the Maginot line and the NSA is that the Maginot line was essentially useless for political oppression (especially compared to plausible alternatives e.g. large numbers of troops and tanks with a resilient transport network that could concentrate force to oppose any invasion, or just as easily to crush internal dissent).
Likewise battleships have the big advantage (from the POV of the citizens paying for them) that there is not much they can do against political dissidents.
Mass surveillance is like a vast poorly-trained conscript army - very effective against Joe Public but useless against a disciplined, well-equipped enemy.
The failure of Congress, and in many respects the NSA, to fully comprehend or grasp the necessity for transparency and honesty. These organizations operate as though the "customer" is each other. Congress is a boss/client of the NSA, and the NSA is the supplier to the executive and Congress.
The concept that it is we, the people, who are the party of interest. The tax return I file this year will have a self-designated deduction for the loss of privacy and potential harm to income. I am sure next year I will have a number and not an estimate.
The United States government can take their contempt with a grain of justice; irrespective of my status as a "concerned" citizen, it has failed by impugning my sense of cultural pride and self-identity. Seems I need to get a Canadian passport.
I am at the bottom of the thread. I’ll keep my thoughts to a minimum.
…[Mass] surveillance ineffective, it is extraordinarily costly. I don't mean just the budgets, which will continue to skyrocket. Or the diplomatic costs, as country after country learns of our surveillance programs against their citizens.... It breaks our political systems, as Congress is unable to provide any meaningful oversight and citizens are kept in the dark about what government does. It breaks our legal systems, as laws are ignored or reinterpreted, and people are unable to challenge government actions in court. It breaks our commercial systems, as US computer products and services are no longer trusted worldwide. It breaks our technical systems, as the very protocols of the Internet become untrusted… these systems are susceptible to abuse. This is not just a hypothetical problem. Recent history illustrates many episodes where this information was, or would have been, abused: Hoover and his FBI spying, McCarthy, Martin Luther King Jr. and the civil rights movement …” –Bruce S.
When American technology companies see revenue plummet because of subverted security, it will be very destructive. The NSA does more damage than good. I sense that McCarthyism is spreading, and it could flow down to the local police department. It will be ugly.
1. Drastically cut spending on the NSA and other spy agencies! De-fund the FISA court. Force Congress to slash spending on these programs.
2. Make it expensive for the government to spy. Use HTTPS/TLS and other forms of encryption as the rule and not the exception.
3. Switch to open source platforms. American products will always have the CALEA spying loophole (if the NSA can't do it, then the FBI will). Try to use secure foreign products.
When I recently read a NYT op-ed suggesting a pardon for Edward Snowden (and not Manning and/or others), it seemed to make the point that the NSA revelations are destroying the sales of technology products manufactured by the U.S., and that is why Edward Snowden was to be treated differently... the cost is too high.
While Americans may not mind the U.S. government spying upon its own citizens, the rest of the Free World does not appreciate it much.
I am quite certain that if there were other manufactured products on the market which were not in any way associated with the U.S., people would purchase those instead.
"Back Doors" frighten people.
If all the surveillance only prevented one plot, think about how many plots there were. If there were, for instance, a hundred, then the net result of all that spying was that 99% of plots went undetected.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.