Matt Blaze on TAO's Methods

Matt Blaze makes a point that I have been saying for a while now:

Don't get me wrong, as a security specialist, the NSA's Tailored Access Operations (TAO) scare the daylights of me. I would never want these capabilities used against me or any other innocent person. But these tools, as frightening and abusable as they are, represent far less of a threat to our privacy and security than almost anything else we've learned recently about what the NSA has been doing.

TAO is retail rather than wholesale.

That is, as well as TAO works (and it appears to work quite well indeed), they can't deploy it against all of us – or even most of us. They must be installed on each individual target's own equipment, sometimes remotely but sometimes through "supply chain interdiction" or "black bag jobs". By their nature, targeted exploits must be used selectively. Of course, "selectively" at the scale of NSA might still be quite large, but it is still a tiny fraction of what they collect through mass collection.

This is important. As scarily impressive as TAO's implant catalog is, it's targeted. We can argue about how it should be targeted -- who counts as a "bad guy" and who doesn't -- but it's much better than the NSA's collecting cell phone location data on everyone on the planet. The more we can deny the NSA the ability to do broad wholesale surveillance on everyone, and force them to do targeted surveillance in individuals and organizations, the safer we all are.

Me speaking at the LISA conference last year:

What the NSA leaks show is that "we have made surveillance too cheap. We have to make surveillance expensive again," Schneier said. "The goal should be to force the NSA , and all similar adversaries, to abandon wholesale collection in favor of targeted collection."

Blaze's essay is good throughout, and worth reading.

EDITED TO ADD (1/20): A related essay.

Posted on January 7, 2014 at 8:22 AM • 48 Comments

Comments

Ian McNeeJanuary 7, 2014 8:29 AM

The link to Matt Blaze's point is just a link to your blog - got the actual link?

DisagJanuary 7, 2014 8:34 AM

I disagree: NSA has attached spying devices to quite everyone, and only activates the one they need.

But anyone else can now activate the spying device attached to you.

This is why it is bad to attach spying devices to everyone.

AJanuary 7, 2014 8:51 AM

I have to disagree as well: some of the tools described would allow wide scale surveillance of presumed-secure networks. Backbone routers, too. On the individual computer side of things, I agree it's not as much of a problem. But that's not the only target of TAO.

LumpenploretariatJanuary 7, 2014 9:07 AM

"Schneier said. "The goal should be to force the NSA , and all similar adversaries, to abandon wholesale collection in favor of targeted collection.""

hello.

Anybody who did archive research knows that TMI is bad. Very bad.

In fact, slows down time fewfold, as even copies of same docs need to be reviewed and compared each to see if they contain that sought little additional hint as opposed to original one.

"collect it all" means that they drown in mostly garbage. For starters, we know how accurate credit reports are,

NSA needs fresh blood to reinvent themselves. Old guard seem incurable. They still live in Curtis LeMay era. But their new toys are not nukes. It's Intenetz.

Thomas ReinholdJanuary 7, 2014 9:11 AM

I disagree as well. The TAO might not seem too scary from a IT-security point of view- From the point of militarisation of the cyberspace (in its real human and international security rights sense) the TAO is farmost realisation of a cyber war unit. They build their own "weapons", act on enemy territory and or part of the offensive security plan of the US. Even if their weapons might not be as sharp as everyone now thinks they are, this will be a whole new dimension concerning the international political sorrows over cyberwarfare.

YeahSureJanuary 7, 2014 9:33 AM

Historically we are seeing that these "national security" capabilities end up being used for other purposes. For example, to put African American youth in prison for non-violent drug crimes that their rich white peers skate on.

Furthermore, many police departments were happy to label peaceful Occupy protesters as "terrorists" and apply all these national security mechanisms to suppressing them. I think it is inevitable that these capabilities will be used much more frequently to ensure the continuance of our anti-democratic plutocracy than to fight actual terrorists, who are so few and far between these days that the FBI has to continually manufacture them. Targeted operations are perfect for gathering dirt on up and coming politicians so they can later be blackmailed into submission by the powers-that-be to ensure that nothing changes.

It is totally reasonable to apply hacking techniques to important foreign intelligence targets. But what we are seeing are powerful techniques actually being marketed. Their extensive use is being sold, possibly to justify the cost of these programs, or possibly as inter-agency bargaining chips, or possibly simply from arrogance. What is reasonable on a small scale becomes totalitarianism when it is applied more and more extensively.

Violating people's privacy should be a sober business, an unfortunate necessity, not something to cheer about. I am the only one who can hear the cackling behind these documents, the joy in owning everyone, everywhere?

These are dangerous people, with no sense of propriety, justice or scale.

William EntrikenJanuary 7, 2014 9:33 AM

>> The goal should be to force the NSA , and all similar adversaries, to abandon wholesale collection in favor of targeted collection.

Is this goal supported by publishing (read: destroying) TAO operations and its implant catalog, which are the more favorable types of surveillance?

And in the absence of evidence of companies intentionally weakening their security, have any debatable ethical issues actually been raised regarding TAO?

MarkusJanuary 7, 2014 9:41 AM

@ Bruce
I think the train is already gone to make surveillance expensive enough to force the NSA & Co. not to spy on anyone.

How do you think this could be achieved in times, anybody pays hundreds of bugs for smartphones that can be turned into surveillance devices easily (this is the worst example of expensive surveillance, because the victims pay the bill and make surveillance cheat)?

We just need trustworthy systems that are used by normal people. Less trust (of users into new/modern systems) isn't the actual problem, if we take a look at the services billions of people use to store all their secrets and thoughts to give direct access to their mind.

Saul TannenbaumJanuary 7, 2014 9:41 AM

I'll disagree with the disagree-ers.

TAO is the core competency of spy agencies. This is what they did before communications went digital - tap phones, bug rooms, intercept radio communications. This isn't militarization of cyberspace any more than tapping the phones of Soviet leaders was militarization of the phone system.

What is different in the NSA approach now is the wholesale, collect everything dragnet, and the development of technologies to store, manage and analyze these data. Sure, they're drowning in these data, but they're going to keep refining their toolset until they can do something with it. That's what has to be stopped.

LundgrenJanuary 7, 2014 9:50 AM

@Saul Tannenbaum:
This isn't militarization of cyberspace any more than tapping the phones of Soviet leaders was militarization of the phone system.

With or without TAO there is today a major difference to those olden days. The difference is that back then the US government was happy to spy on Soviet leaders.

Nowadays they are not just spying on regular individuals but they are analysing the data and creating profiles of pretty much everybody.

So even though TAO in principle has always been the core competency of spy orgs, the mentality of spy orgs is such that todays TAO is not your parents TAO.

Rolf WeberJanuary 7, 2014 9:53 AM

Great article!

Maybe I err, but I think there recently is a growing amount of more well-balanced articles, instead of these one-sided anti-NSA ones, containing lots of exaggerations and even claiming wrong facts.

I think more and more people understand that the press was overdoing it. On the long run, Appelbaum's show at CCC was counterproductive. You cannot seriously blame the NSA when they just do their job. And to target individuals is their job.
I know that a lot of people want to get rid of spy agencies at all, and they will blame them, regardless what they actually do. But you have to realize that we are living in a world where any nation would be stupid if they voluntarily go without secret services. If you want it or not, that's a reality we have no possibilty to change.

So we should focus on other goals, which is pretty realistic to achieve in our democratic societies: to prevent the spy agencies from mass surveillance and from spying on their own citizens.

Here is another great article I just read:
http://www.wired.com/threatlevel/2014/01/how-the-us-almost-killed-the-internet/

PeterJanuary 7, 2014 9:53 AM

Indeed, these TAO tools are for specifically targeted interceptions, exactly what NSA is supposed to do. So is there a legitimate reason to publish this catalog? It's very interesting to read about these James Bond-like gadgets, but there's nothing in them what's illegal.

EvanJanuary 7, 2014 10:07 AM

@Disag, others:

Importantly, from what I've read so far, the TAO suite is not based on NSA-mandated secret back doors. They are hardware hacks and 0-days. The hardware hacks all necessarily involve physical access via infiltration or interdiction, and the 0-days seem to be a lot of things centering around overwriting the portion of firmware used for updating firmware in the future - that may not be fixable except by moving those instructions to hardware entirely, nor is it somehow the result of NSA meddling. If anything release of these documents will likely make hardware companies more mindful of security implications of their designs.

In short, these are not things that anyone without the resources and skillset of NSA teams can easily take advantage of. The holes deliberately put into security standards and communication systems, on the other hand, could be exploited by anyone that found out they were there and how they worked or what the login credentials are, and that's another reason why the surveillance programs are far more worrying.

ThatLoonieAgainJanuary 7, 2014 10:42 AM

Well I disagree as well. Gently but adamantly, or so I try.

While completely understandable taking any comfort in a perception of TAO as "limited" and "directed" is unfortunately delusional and totally disregards the massive race towards further automation. Maybe I can only say this because I suffered the same delusion. The truth hurts, but please accept the consequences it reveals.

Why wouldn't the NSA automate what every scriptkiddie automates? Are Shy and Bashful their secret mascots? :)

We can ill afford having any of our best and brightest fooling themselves.

NSA et al are (far) ahead, let's not add even more to that by willfully ignoring their insane intent: omniscience in a vain quest for total "control".

How can anyone truly shut their eyes to this when they in practice already operate at the level of sifting every electron they can get hold of?

How can anyone think they ever did stop there? Why would they when they haven't already stopped before they brashly crossed every conceivable written and unwritten law and tossed aside any understanding of what the very concept of freedom entails?

Snowden did not get to pick and choose except from what had solidified enough into the bureaucracy to leave a paper trail.

Snowden's revelations are years old. Remember how short a computer "generation" is, realize that the cutting edge of specialized computing scales faster than consumer goods.

This will be yet another disastrously interesting year. Sometimes I don't think even people directly involved, like both Snowden and Schneier, grasp the magnitudes of the motions taking place.

Maybe we're all still stunned by the initial shock but what then when the next one arrives? And the one after that?

DBJanuary 7, 2014 10:47 AM

There seems to be a debate here about targeted vs mass surveillance... Has anyone considered that they are inextricably linked together? Targeted enables mass. Technologically speaking, you can't get rid of mass without gimping targeted. Let me explain:

It seems to me that the way mass surveillance is done, is that they target routers, major servers, even mundane things like cables... and use that targeted capability to listen to everything that passes through them on a mass scale.

Put more specifically, here's an example: imagine the NSA targeting Google's firewall box in front of their gmail server farm. You know, the one that has an SSL accelerator on it, etc.. They use this to glean the SSL private key. Poof. Now they can mass listen to every SSL connection from gmail (assuming Google wasn't using Perfect Forward Secrecy, which until recently they weren't, and most sites still don't)

You see how targeted is linked and enables mass stuff? Some of the recent ones Bruce posted are for large expensive proprietary firewall boxes, so what I just wrote is not out of the realm of possibility. This is not for targeting terrorists, terrorists don't use such boxes, this is for industrial espionage that enables mass surveillance.

SkepticalJanuary 7, 2014 11:06 AM

Worth looking at the discussion on this same topic in the last Squid thread:

https://www.schneier.com/blog/archives/2014/01/friday_squid_bl_407.html#c3352156

The point is that not only does the existence of these exploits (those in the catalog) cast doubt on the extent to which systems have back doors built-in at the manufacturing level, but given NSA's budgetary constraints these exploits cannot be applied on a truly massive scale.

See also Nick P's response to my comment (I disagree with a number of things he says in it, but I think he raises the right questions and arguments).

Bill StewartJanuary 7, 2014 11:37 AM

Moore's Law makes the technical side of "making surveillance expensive again" really difficult. The most expensive pro-surveillance components in the whole process are warrants and court orders, and even those are far less expensive than court challenges against surveillance by outsiders.

Fixing the process by requiring transparency is going to be really hard, and I doubt we'll succeed, because the "can't be transparent about classified data" excuse continues to be successful*, and the "don't need an individual court order to pen-register a third-party corporation's records" precedents are an argument the Roberts Court is unlikely to overturn or even narrow. Congress could theoretically pass a law changing that, but most of the Democrats and Republicans haven't been willing to rock the boat that far, and they'd need to prevent "national security" exceptions from being added to the laws by Congress or a presidential signing statement and provide enough enforcement mechanisms to prevent the executive branch from just ignoring them. Maybe the "three degrees of separation doesn't require a warrant" position can be overturned, but for now we've got a Justice Department that doesn't feel compelled to release its legal opinions on that or much of anything else controversial.

So we're going to be stuck with expensive retail protection of privacy vs. cheap wholesale attacks on privacy. It's a fun place for Anonymous Cypherpunk Bravado, but realistically we haven't gotten most people to use PGP in 20 years, and commercial data mining keeps getting better and better.

(* And they'd have gotten away with it, too, if it hadn't been for those meddling kids Snowden and Manning!)

RSaundersJanuary 7, 2014 12:04 PM

I completely agree with Matt. TAO isn't "scary" in the traditional disaster sense. It might happen to you, but it would be news (news = stuff that almost never happens).

The conclusion that NSA doesn't need phone records as a result doesn't connect for me. I think we're talking about the difference between a "person of interest" and everyone in the world. Given that with some sort of rationale, the full weight of US surveillance might be brought down upon someone through traditional means like search warrants. TAO seems like a part of that weight.

The question it raises is "What makes someone a POI?" How do you get a list of suspects to work through? I accept that traditional police-work takes suspects and investigates them to try and find the perpetrator. Most law enforcement abuses involve making people POIs based on poor criteria (the neighbor saw a black man so now every black person is a suspect). Too many folks have been sent to prison, as the only suspect the police could find, only to be vindicated later when the actual evildoer is found.

We can't rely on "see something say something" or water-boarding as means to identify terrorist POIs. We need something, and the "surveill everyone a little" mechanism seems to be the NSA solution. They can't take the police stance "until a crime has been committed we can't arrest anyone", because politicians has promised "this will never happen again". I don't buy the promise, so the police stance is fine with me. I don't mind that the Boston Marathon bombers weren't caught until after the explosion, but I know mine is the minority view.

For those (including Matt) who think the NSA doesn't need all the metadata they collect to find POIs, where do you expect them to get suspects?

t3phJanuary 7, 2014 12:10 PM

This may be true for some of the TAO/ANT methods. But for many it is not true at all.

A BIOS backdoor turns from retail to wholesale in about a week. All it takes is a FISA court order. Then all Juniper Firewalls, Cisco Routers, Dell and HP Servers will be TAOed and ANTed.

How could Matt Blaze and Bruce miss this?

DanielJanuary 7, 2014 12:12 PM

I also disagree with Bruce's plan of action not his thesis. The problem with making surveillance "expensive again" is that this becomes a never-ending war that destroys society via a process of attrition and thus exhaustion. Every surveillance tool that is "cheap" today was "expensive" a decade ago. And every targeted opportunity that is expensive today will become cheap within a decade. Look at what Amazon and Wal-Mart are doing with their storage lockers. It won't be long before "interdiction" is the NSA walking into an Amazon office, opening a locker, and simply switching equipment. Interdiction is going to become very cheap.

In my view "who are the bad guys vs who are the good guys" is the only substantial conversation worth having in this regard because it is the only conversation that gets us off the treadmill. Making surveillance expensive works in the short run but it is not a long-term basis for social harmony.

EricJanuary 7, 2014 12:13 PM

I find some comfort that this situation must be temporary; after all, did not Lao Tzu say "The TAO that can be told is not the eternal TAO"?


...and yes, that was a joke.

DanielJanuary 7, 2014 12:27 PM

@RSaunders. Exactly. You hit the nail on the head.

I'd argue that underlying problem is that the NSA views its remit as crime prevention. Its not possible to prevent all crime and one only destroys a society in the process. The problem is not that the NSA has TAO or any other tool. The problem lies with it trying to do the impossible with those tools.

The fact that we task the NSA with the impossible is not fundamentally a problem with the NSA but with American culture.

SkepticalJanuary 7, 2014 12:33 PM

Sorry, just want to add one more thing, given the amount of attention that the NSA is getting here.

Those who are presenting these stories (I don't mean Schneier, to be clear)... my sense is that they often think: I'm going to focus in on the least flattering parts, and let the NSA's public affairs officer provide their side. I don't need to say anything good about the NSA, because the NSA is going to do that; I'm here to report on aspect X of this story, perhaps as connected to privacy and liberty concerns, nothing more. And if the NSA isn't going to provide any quotes or comments, then that's their problem. I don't need to worry about full context, because there's plenty of information and interested parties out there to provide it. And my concern is that this reflects a naive view of how most people receive their information.

Most people will not read two sides of a story. The person who reads The Guardian is much more likely to then turn to Mother Jones than to turn to The National Review. As human beings we actually dislike information that causes cognitive dissonance. We prefer tidy pictures, clear narratives, and confirmation of what we already believed. That's why stories which confirm what you believe are usually easier to read and understand than stories which conflict with what you believe.

In a courtroom, the trier of facts is guaranteed to hear both sides of the argument. So as an advocate of one side, in presenting a good argument one perhaps helps that trier reach the truth. And it's freeing to be an advocate in such an environment: the responsibility for presenting the other side of the argument, or the other sides of the argument, rests with someone else.

But in a world where we largely control our sources of information, we're not guaranteed to hear all sides. In fact it's likely we'll tune in to just one side. There is then a greater burden on any reporter to not be an advocate, but to really attempt to make a balanced presentation.

So consider this simply a broad plea to anyone reporting on this subject for some balance in the overall presentation (I think this post, by the way, adds some of that). The NSA, and the role of signals intelligence generally, desperately needs to be put in context. It's not as though all the NSA does is controversial surveillance. This is a world in which the importance of signals intelligence is only going to grow. Is it important that the government be able to gather information about the intentions of a Chinese naval squadron on a course towards the Senkaku Islands or Taiwan? How about information on Syrian chemical units? North Korean nuclear units?

I'm concerned that for many this story is devolving into an "us vs. the NSA" narrative. Not only is such a narrative far from true, but it would probably lead to some harmful consequences in the future resulting from a diminished and demoralized signals intelligence capability held by democratic nations. One can be concerned about certain NSA programs, while still believing that the NSA does many good things - and that it's a good thing, not a bad thing, that we have some of the brightest minds working there.

Besides, quite frankly, it's probably a more effective political strategy for proponents of reform to speak in terms of freeing the NSA to focus on truly important capabilities and missions.

mesrikJanuary 7, 2014 12:33 PM

Gentlemen,

By any chance have you checked up the "NSA’s “Tailored Access Operations” Elite Hacking Unit Revealed *)" document yet?

*) a first document at the momentfrom same site Bruce has referred already many times.

Reading from that report summary fourth slide "Requirements & Targeting", can be seen fiscal year 2008 outcome by quarter, totals and also where Collection and Exploit operations have been done.

That is possibly quite accurate and telling about the breadth of the scope of the time it was reported. Things could have changed in 5 years sure, but I think looking other figures of the document like staff size etc. and it's estimated (~250 at FY2014) growth up to times we are now makes me think TAO is exactly what name says, a group arranging collections from carefully selected targets rather than wholesale operation.

And a new BACONRIDGE codeword for some project state, likely a new site some new facility or what?

ThatLoonieAgainJanuary 7, 2014 1:12 PM

It seems people are more than a bit confused or pretend to be so let's clear something up.

Those working at/under TAO are not employed to carry out mundane work. The retention rate would be zero.

So that's simply not how it's done.

They are employed to create and polish the tools. Think of them as anti-Schneier's if you will. Sure this involves a few initial operations but when that's done it's on to the next attack.

Yes all of them. They are operative, not administrative, but operative in this context does not mean moving about executing the attacks after they've left the shop and entered the toolbox. Unless it's something super-special. Like everyone else they'll have monkeys in some second or third tier outside the NSA for all the mundane stuff.

Proof: otherwise they'd never get anything fun/new done and wouldn't exist in the first place.

(What transpires during compile time and other breaks is another matter).

So maybe certain people here should be careful who they insult while astroturfing? Nerdrage rules all XD

milkshakenJanuary 7, 2014 1:21 PM

for these TAO exploits to work, NSA keeps infrastructure vulnerabilities unreported (when it is not introducing them actively). And they just ruined export opportunities, for so many US companies, that I wouldn't be surprised if some retirement funds ended up suing the government...

HermanJanuary 7, 2014 2:54 PM

"I wouldn't be surprised if some retirement funds ended up suing the government..."
That would likely be the only way that the Prez and the NSA will see the error of their ways.

I am already finding it very easy to convince IT managers to avoid buying American networking equipment and rather roll their own routers, VPNs and firewalls using servers and multiple network cards sourced from multiple sources, with Linux as the OS.

The idea being that if your equipment is different from the norm, then the usual exploits will not work or at least be more difficult and less likely to be executed.

FirefoxJanuary 7, 2014 2:55 PM

I don't understand the confident assertion that "they can't deploy [TAO] against all of us."  Of course they can.  If you were the NSA people in charge of enabling TAO, wouldn't you subvert every device that you could get access to, at design time?  Wouldn't you bribe or blackmail someone at every company that makes the relevant essential chips (yes, in PRC and Taiwan too) to implant suitable backdoors into every device?  Then your TAO is just a matter of accessing the targeted person's backdoor – no need for 'interdiction' or any cloak-and-dagger stuff.

Rolf WeberJanuary 7, 2014 3:05 PM

@DB
First, you are technically wrong. PFS doesn't help if your enemy has your private key NOW. If he controls the other endpoint, he can of course read easily, if he is in the middle then with a MITM.

Then, you cannot seperate technology from purpose. The NSA might tap into a home or a undersea cable -- it's the same technology, but the one is clearly targeted surveillance while the other is mass.

And you ignore the fact that if you roll out something in bulk, the likelihood rises that you are detected. If the NSA only compromised Google's firewall, Chance are good it will stay undetected. But if they compromised any firewall they could touch, most likely some of the targets would recognise it.

BuckminsterJanuary 7, 2014 3:13 PM

Regarding the price points reference in TAO catalogue; It's not often you see something given away for free ( especially the government) , and yet the catalogue is littered with 0 cost options, available for immediate deployment (2008)

Is it possible the no cost options were/are referencing systems/ devices/ OS already implanted and distributed? Maybe the NSA decided it was easier/ more cost effective to "insert" themselves into the food-chain earlier on; what if ALL iPhones ( how else can they guarantee 100% success at compromising ANY iPhone?), tablets, laptops, servers, monitors, routers, switches, cables, drives- what if ALL are shipped from their respective suppliers already surreptitiously compromised, ready for remote activation at any time.

That seems consistent with the way the NSA conducts itself; opportunistic, secretive, amoral. With no concern for constitutional limitations, why not cover everything out of the gate? if you had the leverage to force suppliers to comply, if you have no concern for respecting an individual's right to privacy. Having all that in place, the NSA could boast of a truly zero cost option.

myopsJanuary 7, 2014 3:23 PM

I don't completely buy your's and Matt Blaze's argument on the retailness of TAO. The leaked documentation shows, that wholesale surveillance is used (an needed) to get the selectors to apply TAO on. So you can't just argue to skip wholesale surveillance in favor of retail surveillance only. As DB said, there's a link. And the link goes in both directions. Targeted enables mass and mass enables targeted.

DBJanuary 7, 2014 3:32 PM

@Skeptical: here's the context: 9/11 so shocked and traumatized the USA that 90% of the people were willing and even eager to democratically elect Hitler himself if they thought that would ensure that NEVER EVER happened again for the rest of time. But is that really wise? This is the backdrop we need to consider gross erosions of human rights against.

You see, none of this knee-jerk reaction we've done will actually prevent another 9/11. As an example: it didn't prevent the Boston bombings. Therefore, what it really does is set the stage for absolute-control-over-everybody so that it's very likely a Hitler-like person REALLY WILL BE elected next time! Why can't people see a few chess moves ahead?

This is much bigger than the NSA. This is the beginning of the end of free society and a new great dark ages dawning, or the beginning of a new era of openness and enlightenment... our choice!

Horse with no nameJanuary 7, 2014 5:46 PM

For those that are absolving the NSA of collection excesses, you also must remember that the NSA is not even allowed that task.

Just like the Homeland Security now going into ICE and stretching for copyright enforcement worldwide, this is mission creep extraordinaire.

NSA is tasked with protecting military bases, and the inter-military communications. Everything else is DNI and CIA. This is why the CIA is now the most heavily funded division in the intel bureaus.

The fact that NSA has created internal legal opinions and mission directives by themselves is further proof that they are out of control.

Simply dissolve the division.

As for the thought that you should be reading both sides of the discussion, it has been reported for decades that the intelligence communities have placed operatives in all the major news operations, and all influential think tanks and working groups.

You also have to look at how much of the hate spewed in comment sections and discussion groups is actually done by our fusion centers trying to radicalize someone who is already worked up by the news and the movies.

Notice the militarization of the movies and tv. This came about from the TARP plan subsidies and loans for movie studios. Want to get a loan to have a movie made ? Insert some military or law enforcement angle in a flattering light to get a go ahead.

How is any of these communication models being compromised not a direct infringement of the laws made against propagandizing the US people ?

As to the Boston Marathon bombing, maybe we should stop rewarding folks that help the CIA by allowing them to come to the states.
The guys that did this were kids originally allowed into Canada as a reward for their uncle and fathers work for USAID. For oil intel work in Az or Kazakhstan ,we are told.
They were then allowed to immigrate into the US.
Their friends (the kid shot, his girlfriend deported) in Florida were under constant surveil by the FBI, what makes us think the bombers weren't also ?

Most folks know USAID , like the Hotel Intercontinental, is used as worldwide cover for US intel groups.

What is really the question, is as Mr. Green said, about the NSA skills,
and our abilities to infiltrate.

ISN"T this what we want.

SkepticalJanuary 7, 2014 6:55 PM

DB, Hitler really?

Look, the US Government is too complex and decentralized for a Hitler, and the mechanisms through which the federal government uses force are highly controlled and regulated. Abuses occur, though more often on the local than the federal level (local cops are less subject to scrutiny), but for the most part they don't. You can file lawsuits in federal court alleging all kinds of nasty things about a sitting President; you can run commercials and ads doing the same thing; and you can make quite a bit of money doing so in fact! The FBI doesn't drag you away, beat you up, and warn you that next time they'll use more than their fists. This isn't Russia.

I'd be more concerned about the telephone metadata database if it weren't being monitored by a court. That is, if only the executive branch were monitoring the use, then I'd have much more serious problems with it. As it stands currently, I think the arrangement is probably okay from a privacy/liberty vantage, though I'd like to see some separate changes made to the FISC. It's made it a little easier technically for the government to obtain metadata, but the standards aren't any looser than they'd be for a grand jury (and the access itself is actually better monitored than would be the use of lots and lots of grand juries - or one grand jury issuing lots and lots of subpoenas).

I think the disconnect between people such as yourself, who see only a database and a bunch of people with government access cards and God knows what intentions, and others, who see a database, a court system, a gigantic web of procedures and regulations, at least three different offices conducting oversight, and lots of individual bureaucrats who want to do well but also keep their job and not violate any of those procedures or regulations, is that the others understand the extent to which the US Government is governed, sometimes for better and sometimes for worse, by tons of rules and lots of institutions. This is why the US can put detainees in a prison in Gitmo, apparently far from the hand of any courts, and then end up fighting cases in federal courts with some of the best law firms in the country representing some of the detainees, and being forced to abide by those decisions.

It's a weird contrast, I admit, to see examples of very brutal power (e.g. air strikes from UAVs) and then to also comprehend the vast array of regulations, lawyers, and, in the background, always, the courts, the legislature, the press, that affect when and how that UAV is actually used.

In the US system, it's never as simple as one individual or one group making a decision. That's made for a remarkably stable system, despite some of the terrible abuses during the mid 20th century, a system that has managed to increase vigilance against abuse peacefully and sustainably. It has also made for a system that is very slow to change and react.

The balance is never going to be perfect... but in the history of political systems, this one is pretty good.

But if I wanted two things to change about the way data is handled in this country it would be this:

1 - stored email should require a warrant to access. Our law on this is about 3 decades behind, and unlike all the noise about the NSA, this is a truly serious gap in privacy protection easily subject to individual abuse.

2 - every customer should be given the right to demand a company disclose to the customer what information it has relating to the customer; every customer should be given the right to demand a company NOT sell any such information to any other party or to use such information beyond processing a customer's immediate order; every customer should be given the right to delete certain data held by a company (I'm willing that this could be subject to a freeze period, to account for the need for law enforcement investigations to access this data).

The NSA stuff is well down on my list.

ZakhariasJanuary 8, 2014 4:59 AM

Facts are:
1. This is from the year 2008; 5 years ago
2. NSA paid 10 M USD to RSA for a backdoor.

So, why shouldn't they - say - pay an USB-cable-manufacturer 1USD per item for implanting an additional platine on regular products?

65535January 8, 2014 7:01 AM

“As scarily impressive as TAO's implant catalog is, it's targeted. We can argue about how it should be targeted -- who counts as a "bad guy" and who doesn't -- but it's much better than the NSA's collecting cell phone location data on everyone on the planet.” –Bruce Schneier.

True. The geolocation data is the stuff that can get you kidnapped or killed – it’s a hot button issue. The rest of the statement is only mildly comforting.

We have only heard the exploits against Juniper. What about the exploits of it’s larger competitor Cisco?

Lets say Cisco own 50% to 60% of the total market share for routers and switches. Let’s say Juniper owns 25% to 30% of the router market.

http://gigaom.com/2013/02/27/chart-cisco-owns-the-switching-and-routing-world/

http://www.enterprisenetworkingplanet.com/netsysm/wan-optimization-and-adc-markets-decline-in-3q12.html

If the TAO “owns” both Juniper and Cisco the picture looks very ugly The TAO would have pawned 75% or more of the market. That is very invasive given NSA has our phone records, Financial records and any records that the FISA court will give them.

@ A

“I have to disagree as well: some of the tools described would allow wide scale surveillance of presumed-secure networks.”

Good point.

@ Thomas Reinhold

“I disagree as well… Even if their weapons might not be as sharp as everyone now thinks they are, this will be a whole new dimension concerning the international political sorrows over cyberwarfare.”

A great point to examine.

@ YeahSure

“…what we are seeing are powerful techniques actually being marketed. Their extensive use is being sold, possibly to justify the cost of these programs, or possibly as inter-agency bargaining chips, or possibly simply from arrogance. What is reasonable on a small scale becomes totalitarianism when it is applied more and more extensively. Violating people's privacy should be a sober business… not something to cheer about. I am the only one who can hear the cackling behind these documents, the joy in owning everyone, everywhere? These are dangerous people, with no sense of propriety, justice or scale.”

I sense that also!

@ William Entriken

“And in the absence of evidence of companies intentionally weakening their security, have any debatable ethical issues actually been raised regarding TAO?”

I agree. The ethical and moral hazard side should be examined. If I were the Chinese or the Russians I would consider Cyber Warfare a free-or-all. The Americans have gone over-board. Attack American citizens and their infrastructure. No holds barred. Discard all rules of warfare. This type of warfare tops the nuclear weapons race.

@ Lundgren

“Nowadays they are not just spying on regular individuals but they are analysing the data and creating profiles of pretty much everybody… So even though TAO in principle has always been the core competency of spy orgs, the mentality of spy orgs is such that todays TAO is not your parents TAO.”

Very salient point.

@ Evan

“The holes deliberately put into security standards and communication systems, on the other hand, could be exploited by anyone that found out they were there and how they worked or what the login credentials are, and that's another reason why the surveillance programs are far more worrying.”

If the holes are permanent it is a ugly and expensive problem.

@ ThatLoonieAgain

“Why wouldn't the NSA automate what every scriptkiddie automates? Are Shy and Bashful their secret mascots? NSA et al are (far) ahead, let's not add even more to that by willfully ignoring their insane intent: omniscience in a vain quest for total "control". How can anyone think they ever did stop there? Why would they when they haven't already stopped before they brashly crossed every conceivable written and unwritten law and tossed aside any understanding of what the very concept of freedom entails?”

I agree. It’s too much power in too few hands.

@DB

“…a debate here about targeted vs mass surveillance... Has anyone considered that they are inextricably linked together? Targeted enables mass. Technologically speaking, you can't get rid of mass without gimping targeted… imagine the NSA targeting Google's firewall box in front of their gmail server farm. You know, the one that has an SSL accelerator on it, etc.. They use this to glean the SSL private key. Poof. Now they can mass listen to every SSL connection from gmail… This is not for targeting terrorists, terrorists don't use such boxes, this is for industrial espionage that enables mass surveillance.”

You have hit on the ugly problem. The NSA could be trying to control the masses (not terrorists – but Americans and others).

@ Bill Stewart

“Moore's Law makes the technical side of "making surveillance expensive again" really difficult. The most expensive pro-surveillance components in the whole process are warrants and court orders, and even those are far less expensive than court challenges against surveillance by outsiders. Fixing the process by requiring transparency is going to be really hard, and I doubt we'll succeed, because the "can't be transparent about classified data" excuse continues to be successful*, and the "don't need an individual court order to pen-register a third-party corporation's records" …most of the Democrats and Republicans haven't been willing to rock the boat that far, and they'd need to prevent "national security" exceptions from being added to the laws by Congress or a presidential signing statement and provide enough enforcement mechanisms to prevent the executive branch from just ignoring them… we haven't gotten most people to use PGP in 20 years, and commercial data mining keeps getting better and better.”

Very True.

@ Firefox

“I don't understand the confident assertion that "they can't deploy [TAO] against all of us." Of course they can…”

Good point. Nobody has explained why they can't “scale-up” TAO operations. It is very possible.


@ Buckminster

“Is it possible the no cost options were/are referencing systems/ devices/ OS already implanted and distributed? Maybe the NSA decided it was easier/ more cost effective to "insert" themselves into the food-chain earlier on; what if ALL iPhones ( how else can they guarantee 100% success at compromising ANY iPhone?), tablets, laptops, servers, monitors, routers, switches, cables, drives- what if ALL are shipped from their respective suppliers already surreptitiously compromised, ready for remote activation at any time. That seems consistent with the way the NSA conducts itself.”

It’s possible.

@ Horse with no name

“For those that are absolving the NSA of collection excesses, you also must remember that the NSA is not even allowed that task… this is mission creep extraordinaire… NSA is tasked with protecting military bases, and the inter-military communications. Everything else is DNI and CIA…”

I agree. Mission creep is a very good description!

@ Zakharias

“…why shouldn't they - say - pay an USB-cable-manufacturer 1USD per item for implanting an additional platine on regular products?”

Super point. I can’t think of a reason given their goal of total communications interdiction.

Observing From The ShadowsJanuary 8, 2014 8:58 AM

As more of Snowden's leaks appear in various media outlets, people have become more and more paranoid about the surveillance state. One of the biggest challenges we are facing is the inability to validate what is real and what is not.

Many of the items in the NSA TAO catalog serve a realistic purpose in various types of operations. If you believe these operations are only performed by the US government, you haven't been in the security space long enough. How many of you remember what else was going on in 2008? Here is a hint "FBI Says Military Had Counterfeit Cisco Routers". US and China aren't the only ones spying on everyone The Russian State and Surveillance Technology.

Snowden has basically brought to light what many of us have know for years. The younger crowd may not remember programs like Carnivore, but how can you expect projects like this not to grow and expand into different agencies. If corporations are addicted to this data, why wouldn't governments be addicted.

As we sit back and blame the government for these evil programs, who really created them? Many times the idea begins after a presentation at a hacker convention. Here's a challenge, look at BlackHat, DEFCON, 2600 and many of the older cons and compare how many presentations have advanced into part of a government program or part of the TAO kit. Your next challenge is to look through the catalog and see how many of the products have the schematics online, or are being sold to the public (HINT: Red Team tool kits).

As the world becomes paranoid, I will sit back, observe and laugh at the day when we find out Snowden was a COINTELPRO, using Media Exploitation Analysts and Document Exploitation Analysts for political purposes.

Till then, Stay Paranoid, Trust No One and ALWAYS maintain strong OPSEC posture.

Clive RobinsonJanuary 8, 2014 10:07 AM

@ YeahSure, 65535,

    “…what we are seeing are powerful techniques actually being marketed Their extensive use is being sold, possibly to justify the cost..."

There is another perhaps more sinister explanation, and it's to do with "Turf Wars".

Think of the NSA like "drug dealers" they push their product onto the other agencies "for free" untill the other agencies are hooked.

The "zero cost" means that it is not worth the other agencies setting up their own exploit development teams...

Thus the NSA "capture the market" in a "winner takes all" stratagie.

Thus they end up controling all the information flow with a strangle hold, it makes "for one large mother of a barganing chip" on the table at the very least with compleat control of all other agencies and a major slice of their budget as a desirable goal...

Clive RobinsonJanuary 8, 2014 10:45 AM

@ YeahSure, 65535,

    “…what we are seeing are powerful techniques actually being marketed Their extensive use is being sold, possibly to justify the cost..."

There is another perhaps more sinister explanation, and it's to do with "Turf Wars".

Think of the NSA like "drug dealers" they push their product onto the other agencies "for free" untill the other agencies are hooked.

The "zero cost" means that it is not worth the other agencies setting up their own exploit development teams...

Thus the NSA "capture the market" in a "winner takes all" stratagie.

Thus they end up controling all the information flow with a strangle hold, it makes "for one large mother of a barganing chip" on the table at the very least with compleat control of all other agencies and a major slice of their budget as a desirable goal...

MikeJanuary 8, 2014 11:30 AM

@Sceptical

Hello. I thought I'd take the liberty of re-writing one of your paragraphs (in your reply to DB) by focusing it on the regulation of the financial services industry rather than the security services (I've boldified my substitutions):

I think the disconnect between people such as yourself, who see only wealthy private banks and their lobbyists with God knows what intentions, and others, who see wealthy private banks, a court system, a gigantic web of procedures and regulations, at least three different offices conducting oversight, and lots of individual bureaucrats who want to do well but also keep their job and not violate any of those procedures or regulations, is that the others understand the extent to which the US Government is governed, sometimes for better and sometimes for worse, by tons of rules and lots of institutions...

In light of this I'd like also to quote a very recent news story:

"JP Morgan has agreed to pay a record $2bn to settle charges that it knowingly ignored evidence that convicted fraudster Bernard Madoff’s massive Ponzi scheme was “too good to be true.” The settlements, announced Tuesday, included a so-called deferred prosecution agreement that requires the bank to acknowledge its failures but also allows it to avoid criminal charges provided reforms are enacted at the bank within two years. No individual executives were accused of wrongdoing."

Getting back to security: I think there are several questions here:

1. Are the lines (the legislation) drawn in the right places?
2. How fuzzy are those lines?
3. How effectively are those lines actually being enforced (how much regulatory capture and regulatory evasion do we have)?

These questions are difficult enough to answer in the financial services space, which is at least nominally more susceptible to public investigation and review than the security services.

From following this blog for some time I think I can reasonably say that most of the commenters have come to realise that, if everything they now know/suspect is indeed both true and legal, then the lines are probably not drawn quite where they thought they were. I think this is probably why they're a bit edgy. On the other hand, the general public don't really seem to care very much about this. That is not the same as saying that the general public, having heard the odd story about the recent leaks, are now cheering the security services from the roof tops.

This is a blog about security – defining it, creating it, maintaining it and subverting it. People put links to documents, specifications, essays, papers and all manner of other material, mostly of a technical nature. I'm not sure the expertise here is focussed on government structure. In order to make any progress it would probably be very helpful if you could post a link to some sort of colourful info-graphic of the structure of the state's 'checks and balances' with regard to the conduct of the various agencies – or an equivalent entry level document. The assembled commenters here could then perhaps start engaging in some sort of critical review?

With regard to the question of where the lines are, and how fuzzy they are, I guess we also need to include James Clapper – who – I am lead to believe by the media – despite having been sent a question about data collection on US citizens some time prior to a Senate hearing in which he was required to answer it, somehow managed to give the wrong answer, and later had to apologise:

"My response was clearly erroneous – for which I apologize."

Anyhow – Sceptical – you are right – the US isn't Russia – and I trust you're not advocating that we sit on our hands until it is. Price of freedom, internal vigilance – all that.

As you point out – recent advances in technology have meant that vastly more information about individuals and private companies is stored and transmitted by electronic means. For example – most citizens now willingly carry an always on location aware light weight device with a camera, microphone and radio transmitter that they use to mediate much of their personal private communications. If it is indeed the case – as I think many who contribute to this blog suspect – that a sufficiently large actor (government sponsored) *could* archive, intercept and arbitrarily retrospectively pillage much of this data then this creates an historically unprecedented shift in the *potential* balance of power between the individual and the state. That power is now just sitting there – either in reality or in potentiality – rather like when humanity first worked out that it could make nuclear weapons – and it is like a huge great big thrumming Ring Of Sauron. This is a *new* thing. This is what worries people – that the extraordinary power that such a system would grant, if it exists, or were it created, might perchance corrupt.

The greater the power of a thing, the more strongly we need to regulate/reign-in/monitor/constrain those who are societally endorsed to exercise that power.

It is starting to look like the power and influence of some parts of the financial services industry is getting beyond the ability of our existing institutions to control it (what is it they say about the crash – "no one could have foreseen it") – the worry here is that this may also be true of the power of the security services – but we are even less likely to hear about it.

Simply appealing, as you do, to the *existence* of complexity and nominal checks and balances in current government/state arrangements is, in the light of the recent technological advances, not likely to be good enough to dispel people's concerns.

Details man – that's what people here like. Juicy nerdy details of how things (are supposed to) work.

DBJanuary 8, 2014 1:17 PM

@skeptical: you seem to be of the opinion that "everything's fine, there are too many regulations for anything to go wrong, go back to sleep, sheeple"... how can you say this, when we do "double taps" with our drones, first killing a target, and then a few moments later killing the medical response to that first hit? In what universe can anyone reasonably claim that's just fine? The people who do this are war criminals, violating the Geneva convention. Our country leaders are war criminals. But no court will ever try them for it (just as powerful people can freely commit Felony Perjury and lie to Congress), they will get off scott free for it. They are totally and completely above any law and human decency. Can't you see this state of things is just getting worse and worse? Where exactly do you think things are headed when things keep getting worse over time?

DBJanuary 8, 2014 1:44 PM

Just to be clear: I was paraphrasing skeptical in my own words, not directly quoting :P

SkepticalJanuary 8, 2014 3:54 PM

Mike, I don't know of any graphic out there that illustrates the web of oversight in a friendly way.

By way of reliable references, let me just quickly provide the following:

US law (specifically 50 USC 1871) requiring that the US Attorney General submit to certain Congressional committees various data associated with the use of FISC orders and any FISC decisions or orders that significantly interpret FISA. See http://www.law.cornell.edu/uscode/text/50/1871. Note that the intelligence committees are also given briefings, regularly, by members of the Intelligence Community itself.

If you google around, you'll find declassified copies of those reports available as well.

Recent FISC decisions and orders on the metadata program, which details the reporting requirements imposed by the Court on the NSA, and the extent to which the NSA must meet with and brief the Department of Justice. See http://www.uscourts.gov/uscourts/courts/fisc/br13-158-memo-131018.pdf

For a more general list of recent and declassified decisions, orders and motions in the FISC, see http://www.uscourts.gov/uscourts/courts/fisc/index.html

For a good list of the documents declassified by the US Government, and statements they've made, organized in a timeline, with brief descriptions and links to the documents themselves and discussions/summaries thereof, up to about November, see http://www.lawfareblog.com/wiki/nsa-papers/

I'm sure there are many more, but that's a decent enough corpus to sustain my point regarding the amount of disclosure to, and control by, departments and branches outside the NSA.

Essentially you have:

(1) Compliance within the NSA, which would include that conducted by its Inspector General's office
(2) Compliance by the Department of Defense and the Office of the Director of National Intelligence
(3) Compliance and oversight by the Department of Justice
(4) Oversight by the Foreign Intelligence Surveillance Court (from which decisions may be appealed to the Foreign Intelligence Surveillance Court of Review, and from there decisions may be appealed to the US Supreme Court). These courts are independent federal courts.
(5) Reporting requirements to House and Senate Committees.

Now, that's a pretty large array of persons and institutions to be involved in continuing oversight. Note that all of them must be told precisely how the law is being interpreted, and precisely how the law is being applied.

All that said, I'd like to see certain improvements, particularly with respect to the FISC. I'd like to see continued movement towards allowing the FISC greater transparency; and I'd like to see the appointment of a designated privacy advocate within the FISC to argue matters in opposition to government requests (this can be, and is, done by parties served with government requests falling under the FISC's jurisdiction).

I do think this is important stuff. DB, nowhere did I ever say people shouldn't pay attention; I'm an advocate of people paying more attention and reading more broadly and deeply on these issues.

But, I have to say that I don't see this as anything close to the NSA being "out of control" or posing a threat to civil liberties. These activities are well enmeshed in regulations that are overseen by a number of different institutions, in different branches of government, in some cases involving opposing political parties and completely independent federal judges.

I'd much rather Congress enact laws fully regulating the massive amount of personal information collected by private industry, which with a few exceptions is unregulated in this regard, than debate the fine points of the NSA metadata program. But since the latter is actually much easier (check out Google's spending on political lobbying in recent years), and regulating private industry is much harder, I know what I expect to see.

The Wyden-Clapper incident is a little more complicated than it seems. Clapper's answer was misleading at best, but Wyden's own conduct in asking the question isn't all that much better. Wyden was fully briefed about the program, but also knew that it was classified and could not be disclosed or asked about (though he'd arguably have immunity from prosecution if he did so in a Senate proceeding). He asked a question, deliberately, that he knew Clapper legally couldn't answer. The Office of the DNI argues that Clapper was thinking about the collection of content when he answered. I'm not sure I find that convincing. To me, admittedly having only seen some brief clips of the affair, it seemed that Clapper was surprised and confronted with two very unappealing options: answer forthrightly but thereby disclose the existence of the program (one way or another), or give an answer that wouldn't mislead the Committee (they all were briefed) and that might even be considered in a very technical sense true, but which would mislead the public. He chose the latter, and if that is indeed the choice he was forced to make, then while I don't think he chose correctly, I also think he was put in a very tough spot.

MikeJanuary 9, 2014 4:21 PM

@Skeptical

Thank you very much for your considered reply and the references.

On the Clapper incident – my understanding was the he *was* pre-warned of the question and that those 'in the know' were somewhat surprised that he did not simply answer 'I'm afraid I cannot answer that question on grounds of [such and such obligation(s)]' – however, I'm not 'in the know' and am anyhow getting all this from the press, so I may be mistaken. Perhaps a bit of posturing and playing to the gallery was happening on *both* sides – though I guess you'd maybe expect playing to the gallery from the questioner (a politician after all), but not so much from a well behaved apparatchik – I think that's why it caught my notice in this context. I'm a Brit – we had a vaguely similar bit of public questioning of some of the service heads by politicians recently – there seemed to be acknowledgement on both sides that some things simply could not be answered.

This aspect of the problem fascinates me increasingly. In a way, the construction of a state – the checks, balances etc. – is an engineering problem – maybe the kind of engineering problem to which the naturally sceptical and flaw-finding hacker mentality of people who work in the security engineering industry could usefully apply themselves. I'm thinking that one of the most difficult parts of this is going to be working out how to manage intelligence agencies because of their by-design/necessity opacity to wider public scrutiny.

I think I chose to draw an analogy with financial services regulation because there is some similarity in the potential power that the subject of regulation has in its ability to corrupt the regulators and law makers: In the case of financial services they have and control all the *money* – money is power - and in the case of the security services they have and control a lot of (if not *all*) the information – information is power (including, perhaps, compromising photographs etc.). Financial services do not, however, have baked in opacity – the head of an investment bank can't say 'I'm really sorry, but I can't answer that question on grounds of national security'. Now, it is a matter of opinion, for sure, but I think there are a lot of people who feel that some parts of the financial services industry have run rings around the state's efforts to control them – and that this may have been a contributing factor to the recent crisis – so I suppose my general point was that regulation may not be effective even if there are many regulators and many rules – and that this may be more of a problem when the regulated entity has significant potential to corrupt. However, the actual details of how the system actually works (the engineering of the checks and balances) are, obviously, important – the devil is in the details – and I guess further useful discussion can only really take place with regard to those details - and the references you've provided could be a very useful starting point for that - thank you again.

In your earlier comment you referred to earlier terrible abuses:

"In the US system, it's never as simple as one individual or one group making a decision. That's made for a remarkably stable system, despite some of the terrible abuses during the mid 20th century, a system that has managed to increase vigilance against abuse peacefully and sustainably..."

I'm wondering, do you have an opinion on why those abuses occurred at that point – was it perhaps because of technological advances (that they 'could'), or because of extra funding derived from a 'scare' – or possibly a combination of the two? You may well not have an opinion – and I certainly have little knowledge of the background – but it occurs to me that there may be parallels here.

I agree with you very much in regard to the need for us to worry about private companies as much as, and in some ways perhaps even more so, than governments – and I find myself more and more drawn into almost 'philosophical' issues around all of this – thinking maybe there is a broader unifying picture – a mild parallel to the industrial revolution (though I guess I'm partly re-gurgitating some of Bruce's thinking here). We suddenly find ourselves with unprecedented amounts of information about what everyone and everything is doing being mediated increasingly by electronic means, which are – mostly – fairly trivially intercepted and collected by both government and non-government entities. The idea that we aren't going to need new laws and principles – ways of thinking even – to deal with this seems to me very unlikely – just as the arrival of the industrial revolution required an overhaul of ideas around employer/employee power balance and environmental legislation. Some people are starting to get increasingly edgy about this – what with the Snowden stuff on one side and people like Eric Schmidt on the other; two of my favourite Schmidt quotes are "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place" and "Would you prefer someone else [to be collecting all this information about people] - is there a government that you would prefer to be in charge of this?"

Both the private and public 'beneficiaries' of this vastly increased window into everyone's lives seem to be saying something along the lines of 'no – nothing to worry about here – the rules we have already are quite sufficient as they are – nothing to see...' My guess is this isn't going to change until some sort of sh*t hits some sort of fan – some scandal in which this new power is clearly dangerously abused – either in the public or private sector. I wonder sometimes about Snowden – this rumoured trove of supposedly *really* damaging information – if it even exists – could it be actual 'data' – actual stuff – rather than just information on how the stuff is collected – something like private correspondence of politicians, celebrities, generals, presidents even? The idea – if true – that someone like him could just tap a few buttons and call up such information – and then do a runner to Russia with it – that would probably be a bit scandalous; on the private side – maybe if Google (can people inside Google just tap a few buttons and read everything they have on any one of us?) were to be shown to be using their privileged access to information about peoples' likes/dislikes/browsing-habits/gmail-correspondence etc. to 'assist' in their business or lobbying activities – something like that would cause a bit of a stir presumably? Who knows – not that I'm saying these things necessarily *are* the case – or necessarily will ever be the case – but that is the sort of thing people would likely consider to be 'going a bit too far'.

I accept the need for security agencies – external and internal. I accept that it is usually futile to try to argue against the idea that for every increase in their knowledge and power we will get some sort of increase in their *potential* effectiveness at doing what they're supposed to be doing – keeping us all cosy and safe – but I also accept that with every increase in their knowledge and power we get an increased risk that that power will be co-opted to the advantage of the few over the many, or even to lock down dissent and impose and sustain a non-representative government. How much power is too much power? If we put trackers in everyone, cameras and microphones in every room of every home and on every street – make always on Google-glass compulsory – it can be argued that all these things would improve the *potential* to prevent crime and fight terrorism.

I have a thought-experiment, please don't get me wrong – I don't have you down as an advocate of more surveillance – but what if those who are, are right? Maybe privacy *is* an old fashioned idea? Maybe the answer is to *really* do away with privacy properly and to do all of this (cameras, compulsory Google-glass etc.) and *open* it all up. Make it so that *everyone* can see all of it – so that everyone can look through any camera whenever they want. Anyone can look at anyone else's bank account transactions – or access a full archive of anyone's full email and phone conversations or browsing history. Many eyes! Why should I worry that my neighbour can look at my bank-balance if, like Mr Schmidt says, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." I have suggested this to some of my acquaintances who are inclined to say that they don't know what all the fuss is about and why would anyone be interested in them anyway and/or "if you've got nothing to hide..." but, interestingly, none of them so far seem to be very keen on my 'total open surveillance' idea!

65535January 10, 2014 5:51 AM

@ Clive

…what we are seeing are powerful techniques actually being marketed Their extensive use is being sold, possibly to justify the cost...


'There is another perhaps more sinister explanation, and it's to do with "Turf Wars".


'Think of the NSA like "drug dealers" they push their product onto the other agencies "for free" untill the other agencies are hooked. Thus they end up controling all the information flow with a strangle hold, it makes "for one large mother of a barganing chip" on the table at the very least with compleat control of all other agencies and a major slice of their budget as a desirable goal...'

Gad, that is despicable – but very plausible! I would change that from drug dealers to Drug Pushers.

[Sorry for the late post but I am pressed for time]

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..