My Talk on the NSA

Earlier this month, I gave a talk about the NSA at MIT. The video is available.

ETA: The video doesn't display on some Firefox browsers. If you have trouble, try a different browser.

ETA: or you can try this direct link to the video.

Posted on February 14, 2014 at 2:50 PM • 19 Comments

Comments

A maze of little formats • February 15, 2014 5:21 AM

If it's in MP4 format, then it won't work in most browsers.
You want Webm or Ogg. I think Apple browsers will only want MP4 though. Chrome likes all three. Firefox likes the first two (and some versions of FF can piggyback on MP4 if another software has installed those publicly, I think). In the future, Webm _should_ work with all recent browsers, but we aren't there yet.

khora • February 15, 2014 2:46 PM

One argument against "terrorists will kill our children" is that it didn't stop the Boston bombings, and at least the metadata collection program hasn't stopped anything, according to Obama's review group report.

PeterB • February 15, 2014 6:29 PM

Great talk.
Coincidentally, BBC carried the following story:
http://www.bbc.co.uk/news/world-europe-26210053

Data protection: Angela Merkel proposes Europe network
"It would avoid emails and other data automatically passing through the United States."

If the reaction to NSA surveillance is fragmenting the internet, we'll all be the losers.

maikm • February 15, 2014 7:24 PM

This is of course totally irrelevant, but I love how your shirt is combining the color from the upper background with the pattern from the lower background! Can't unsee.

SchneieronSecurityFan • February 16, 2014 12:48 AM

One point that Mr. Schneier makes approximately halfway through the video is making surveillance harder. How can this be possible when two of the biggest factors are advances in technology and the internet practices of people?


For example, the first 3.5" 1TB hard drives were released just less than ten years ago. This year 5TB hard drives will be released. Think of how much easier it will be to work with data in regards to power consumption, monetary cost, space utilized, etc.
Also, people practically live online now: appointments, pictures, contacts, etc.

Magnus Reftel • February 16, 2014 12:58 AM

You mention the issue of how we change when we lose the ability to hold ephemeral conversations. Something that can be interesting to look at is the reactions when Dejanews showed up and retroactively made the once-ephemeral conversations on Usenet into a searchable archive.

Clive Robinson • February 16, 2014 2:00 AM

@ PeterB,

    If the reaction to NSA surveillance is fragmenting the internet, we'll all be the losers

It depends on what you mean by fragmenting...

From a technical, logical and laws of physics point of view it makes little or no sense for much of the Internet traffic to go the routes it does. In fact it could be looked at as harmful that it does so, and it actually makes the Internet more brittle and likely to fail as well as being slow and unresponsive. Which is why quite a few organisations have spent time and quite a bit of money making their operations de-centralised to get around the "brittle hub" issue.

From the political side there are several conflicting issues to do with rights and who should have them. They occur at various levels; some fall under the notion of Sovereignty and others on the notion of personal privacy.

The whole rights issue is hierarchical in nature, with those at the apex believing that they have the right to dictate to those at lower levels, with you the individual citizen having little or no rights, being at the bottom.

What most people missed or did not recognise as significant was the shenanigans going on in Dubai at the end of last year. The United Nations (UN) controlled International Telecommunications Union (ITU) had its World Conference on International Telecommunications (WCIT) to revise the International Telecommunications Regulations (ITR), which was last done back in 1988.

http://www.zdnet.com/itu-chief-claims-dubai-meeting-success-despite-collapse-of-talks-7000008808/

Since the last world conference a quarter of a century ago the telecommunications world has changed dramatically; the Internet and various "digital technologies" have decimated the old cosy radio, phone and telegraph worlds. Thus the WCIT was seen by various factions as a chance to rein the Internet in.

Unnoticed by most is that the Internet has major nodes all controlled by the 5eyes nations, who unsurprisingly did not sign the ITR document... Which did not surprise me in the slightest. As long as the nodes and the traffic that flows through them remain under 5eyes control the "Spy on Every One" game will remain in play.

But if you read various associated information you will read that "Continental Europe" wants to split off from the Internet "every one is equal" idea for commercial reasons. European Telcos have seen income streams decimated by the Internet, their old cosy blatant profiteering models struck down; they are desperate for "the old days". So I suspect "Mummy Merkel's" idea to be very favourably received by most if not all "Continental" Telcos, who will lobby hard.

And this is where we the unrepresented and unvoiced citizens find out that although a coin has two sides it also has a rim and we are set to get the full rimming treatment by both our Governments and Commercial organisations.

Benni • February 16, 2014 8:27 AM

@PeterB
This European network idea of Merkel's is stupid. A European network, that's what GCHQ likes, as the UK is in Europe. So they would have to toss Britain out of Europe first....

Desaparecido • February 16, 2014 5:13 PM

PS Just to be clear, Bruce has expressed reservations about Truecrypt but it is not clear how dispositive those reservations are. Hence the question.

ETS2 Reviews • February 19, 2014 12:28 AM

I have study quite a few exceptional information the following. Surely well worth book-marking to get revisiting. I'm wondering the amount of endeavor you add to help make the almost terrific insightful internet site.

SchneieronSecurityFan • February 20, 2014 1:51 AM

@ Clive Robinson -

Let's say that I want to register a domain name for a company that I own that is incorporated in one of the fifty states in the United States. Before the Internet (and cybersquatting), there could only be one company with a given name incorporated with that name in a state. The Internet changed this. A foreign entity - in another state or country - could register a domain name that could be identical to the name of my company. In other words, the internet domain name system took precedence over my own state's law which is still recognized and in effect in the U.S. I always felt that there should be better coordination there.


All Blackberry messages sent in the United States used to go through the Blackberry center in Canada. Security and performance should improve if the messages never left the U.S.

Clive Robinson • February 20, 2014 7:49 AM

@ SchneieronSecurityFan,

    In other words the internet domain name system took precedence over my own state's law which is still recognized and in effect in the U.S. I always felt that there should be better coordination there

The problem is partially one of "naming" and partly of people not understanding the difference between the tangible physical world and the intangible information universe(s) [1].

Think about the business naming system not on a state level but on a village or town level which it would have once been.

Firstly, people are not just lazy; they have short attention spans and difficulty remembering words that are beyond seven characters unless broken up in some way into related small pieces (it's how we got many of our surnames, such as "son of Robin" becoming "Robin's Son" and finally "Robinson"). It was not until Shakespeare came along and invented lots of new words, and later the Victorians came along and did the same again, that words became longer, and they did this by using multiple words from other languages (Greek, Latin) which they spliced together to snobbishly set people apart, and thus make "professions".

However most businesses want to have short distinctive names that people remember, which unfortunately are already taken; thus we get contractions in various ways such as "coke" and "IBM".

Initially business names were about people; it might have "Dry Goods Store" over the window but it would be called "Ned's Store" or just "Neds". Thus "Neds" was fine in a village, but a town might need "Neds dry goods" and "Neds undertakers", which in one town might be owned by the same "Ned" but in other towns by different "Neds". But people would still use "Neds" simply because the context of talking would differentiate them, as in "I'm off to Ned's for flour".

When towns became bigger people still lived in small areas or districts and not much changed except people might say "Ned's on the west side" to differentiate from the local "Neds". So you started to get "of" so you would have "Harrod's of London".

Then postage came along and started causing problems. Streets had to have names and buildings numbers, because "local knowledge" did not translate into a physical location for anyone who did not have that specific "local knowledge".

So we have the issue of businesses wanting short memorable names but having coverage of much wider areas. As businesses grew their ownership changed from sole practitioner through partnerships to having investors. Legal entities start happening, and to prevent legal problems companies are registered and have not just unique names, but registration numbers. Which gave rise to "trading as"; thus you might have "discombobulators Ltd trading as 'Neds Motors'" or even "... trading as Ned's of Bolton" (usually with "Registered in England and Wales Company number 73456184" added).

The problem is too few desirable --easily memorised-- names; thus they need to be either localised (address) or differentiated (trading as) or both in some way, and to prevent argument they have to be unique. The problem is in an infinite scope you need an infinite number of names, but humans don't do big, let alone infinite, names.

This has a further unstated assumption underlying it which is a single register is possible --it's not-- or single arbitrating authority to control it. Thus we have the same issue as we have with patents that have the same fatal underlying assumption.

The second issue with scope or coverage area was as communications went from post and telegraph to phone, with individual instruments giving point to point communication. The same problems of "local knowledge" arose, with the use of "local operators" giving a very temporary solution and many problems, which gave rise to an undertaker devising a way to automate the fickle operators out of the phone system. Which quickly started revealing that the problem of naming uniqueness existed.

However as phones use numbers a working but inefficient solution was to have exchange codes, but the expanding usage turned this into area codes and eventually into national codes under the ITU, which is part of the UN.

The Internet grew up in the light of this knowledge but was constrained by technology and we ended up with IPv4 and its limitations, amongst which the most limiting being that of 32 bits for addresses. IPv6 was supposed to resolve the address limit as well as many other issues, but it has not been taken up by the bulk of users for various reasons, one of which is that a central authority with sufficient authority is lacking or seen as very partisan, which is a problem that exists in other systems.

As noted earlier humans have memory issues; bad as it is with words, it's worse with letters and numbers. Even with a 32bit number in dotted quad decimal format it is still impossible for most to remember, even with practice, more than one or two numbers. So a way with more natural words was developed that has the strengths of words but also the strengths of numbering systems, which has given us the Domain Name System distributed hierarchical database. The problem with this is that current control is felt by many to be in the US by a US organisation controlled for the benefit of the USG and its intel organisations and LEOs. Which is why many countries tried the take over at the ITU's WCIT meeting in Dubai.

However DNS is not a long term solution and actually failed from virtually day one. The registrar immediately segregated the US from the rest of the world by forcing countries apart from the US to use the country code in the domain name. Thus a mom&pop in the US gets .COM status whereas other countries have to use .CC.com...

Which has given rise to the problem you mention: all businesses should use a country code, thus neds.us.com would not conflict with neds.uk.com. But this still leaves a middle ground issue: do you go for area codes, so neds.ma.us.com and neds.sry.uk.com, or an area of business, or both, such as neds.boston.ma.us.cafe.entertainment.com and neds.slough.sry.uk.cafe.entertainment.com. Whichever, it can quickly be seen that the chance of error is very high --thus crime-- and again too difficult for the average human to remember.

So if you can think of a "better mouse trap" to solve this problem and make it fair, error/criminal proof and not under the control of any vested interests, government or otherwise, don't expect a knock on the door; it won't happen and your path will get overgrown. The reason is humans and their failings yet again: power, political/criminal/otherwise, is not based on fairness; business is almost always skating on the wrong side of the edge of criminality, using the complexity of legislation to get their way and using lobbying and the inherent corruption in the hierarchical political process to get legislation in their favour.

[1] Not being funny, but many theoretical physics models either don't exclude or appear to work better if there are multiple universes. With information being the only commonality between them all and thus arguably the superset that contains them all.

name.withheld.for.obvious.reasons • February 20, 2014 12:42 PM

@ Clive Robinson

    However DNS is not a long term solution and actually failed from virtually day one. The registrar immediately segregated the US from the rest of the world by forcing countries apart from the US to use the country code in the domain name. Thus a mom&pop in the US gets .COM status whereas other countries have to use .CC.com...

Just to add to your observation(s)...

I must say that there are significant challenges in the tech start-up space. I know from personal experience. Recently I have written a short piece on the "fidelity" and "integrity" issue that is associated with information assurance... did you verify the root certificate authority that provided the SSL/TLS session connection for the issuing certificate authority used by your business computer web browser today? Does DNSSEC work for you? What TLD registrar holds the domain name for your company or business partners you rely on? This is the simple list--data and information assurance management models do not linearly map to service models on the Internet or with business models that can be reliably used to determine the accuracy of data or information you may be using for your business. In other words, if your company relies on resources outside your domain (meant in the widest terms) then you have more work to do than you know.
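The comment above asks whether you actually verified the root certificate authority behind a TLS session. The script below is an added example, not code from the blog post or from the commenter: it builds a throwaway test CA and a leaf certificate in a temporary directory (all names are constructed placeholders) and then shows the check in its simplest form: the leaf validates only against the CA that issued it, and fails against an unrelated root, which is exactly the distinction a trust store decides for you. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: what "verify the root CA" means in concrete terms.
# Assumes the openssl CLI. Certificates, keys and names are constructed
# for this demonstration and have no relation to any real site or CA.

# make_test_pki: creates a test root, an unrelated root, and a leaf signed
# by the test root. Prints the directory holding the PEM files.
make_test_pki() {
  dir=$(mktemp -d)
  # Self-signed test root CA (constructed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test Root" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  # A second, unrelated self-signed root: it never signed the leaf below,
  # so a client that trusts only this root must reject the leaf.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated Root" \
    -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
  # Leaf key + CSR for a constructed hostname
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  # Sign the leaf with the test root
  openssl x509 -req -in "$dir/leaf.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days 1 -out "$dir/leaf.pem" >/dev/null 2>&1
  echo "$dir"
}

# verify_chain CA_BUNDLE LEAF: prints "ok" when LEAF chains to a root in
# CA_BUNDLE, "FAIL" otherwise. This is the same path validation a browser
# runs against its trust store before it shows you a padlock.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# who_signed LEAF: prints the issuer distinguished name of LEAF, which is the
# first thing to read when deciding whether the signer is one you meant to trust.
who_signed() {
  openssl x509 -in "$1" -noout -issuer
}

# Stand-alone run: expected output is "ok" then "FAIL" then the issuer DN.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_test_pki)
  verify_chain "$d/root.pem" "$d/leaf.pem"
  verify_chain "$d/other.pem" "$d/leaf.pem"
  who_signed "$d/leaf.pem"
  rm -rf "$d"
fi
```

Run it with `sh verify_root.sh --demo`. The point of the second `verify_chain` call is the one the commenter is getting at: a certificate is only as trustworthy as the root you decided to accept, so auditing which roots are in the bundle your browsers and servers use is part of the work, not an optional extra.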

James Thomsen • March 12, 2014 5:43 PM

Just to be clear, B. Schneier has expressed reservations about the entire internet by saying "trust no one".
I believe no one should dare to feel secure no matter what they use, as long as it works on an internet invented by and for those in control who continue to work at a rate far beyond any of what the leaked material conveys. All the Snowden docs are old and there should be no use in trying to defend against anything you read about on a day to day basis.
Truecrypt, lavabit, all of them are utilizing a web they are trapped within, a Net that owns the very electrical impulses they claim to work on. I wish we would all stop trying to glue the branches back on to a broken trunk and spend this time (and money) trying to either grow a new tree or an entire forest. Mesh-net was promising at one point anyway, so I thought.
I don't mean to be negative, but I see no positive outcome to the privacy issue as long as the internet in its entirety is being funneled through a Trillion-Dollar Box in the Nevada desert! It can't matter what app or device we use when they are at least years ahead of anything we see, hear or do.
We must focus on the legality / politics of the situation if we are going to 'change' anything. We must take the long road by trying to convince those who know how the internet works to run for positions where they can do something about it (unlike Rep. Feinstein); until then, we are all 'separately' up on tall shaky ladders trying to glue those branches back on to an infested dying tree.
Thanks for all the hard work so far everybody, but really, do you even think your packets are safe from the algorithms-in-a-box that is now replacing vast portions of our justice system?
Today, Tim B. Lee said we need an internet bill-of-rights; well, he's a little tardy to the party, and his voice on top of millions of others is just being drowned out by the media hysteria over news too old to even address.
