MYSTIC: The NSA's Telephone Call Collection Program

The Washington Post is reporting on an NSA program called MYSTIC, which collects all—that’s 100%—of a country’s telephone calls. Those calls are stored in a database codenamed NUCLEON, and can be retrieved at a later date using a tool codenamed RETRO. This is voice, not metadata.

What’s interesting here is not the particular country whose data is being collected; that information was withheld from the article. It’s not even that the voice data is stored for a month, and then deleted. All of that can change, either at the whim of the NSA or as storage capabilities get larger. What’s interesting is that the capability exists to collect 100% of a country’s telephone calls, and the analysis tools are in place to search them.

Tags: , , , , ,

Posted on March 18, 2014 at 3:19 PM105 Comments

Comments

M@ March 18, 2014 3:31 PM

Everyone uses the same 2-4 companies telco gear, and most smaller countries use a central-exchange model for switching. Easy target.

Wondering March 18, 2014 3:35 PM

“and the analysis tools are in place to search them”

I wonder how effective that searching is. The way I envision it working is taking those saved calls, transcribing them to text, and then searching the text. I have used some different commercial voice recognition software and its uniformly poor unless the subset of words is tiny. I’d imagine that a word like “Schneier” is pronounced many different ways. So I can’t imagine that this speech-to-text approach results in many positive hits. Besides, most bad guys probably talk in code anyway and rather than talking about a bomb they talk about their cat.

So I view it as an effective way to spy on political opponents but not much use going after an actual criminals.

Stephen Smoogen March 18, 2014 3:37 PM

While it sounds impressive, there is still a point of scale that countries are not all the same. There is a large difference between being able to store say all of Luxemburg’s calls and Chinas or Japans calls. Without a scale to know about it could be the same as saying they can store all of Montana’s phone calls in a month and all of Californias.

I expect though that is a matter of storage and CPUs.. if they can only do Luxemburg now, they (and any nation/state/megacorporation) could do China in 15 years.

z March 18, 2014 3:43 PM

It would have had more of an effect if this had been leaked right after Obama said “Nobody is listening to your telephone calls”.

Peter March 18, 2014 3:51 PM

The country or countries covered by MYSTIC is actually of some importance: probably they are in the Middle East, but by redacting the names, the WaPo article now scares everyone in the world. Maybe NSA requested this redaction, and that would be just as short-sighted. If MYSTIC is used for countries in the Middle East, then it would be a rather legitimate military targeting.

Bruce Schneier March 18, 2014 3:53 PM

“While it sounds impressive, there is still a point of scale that countries are not all the same. There is a large difference between being able to store say all of Luxemburg’s calls and Chinas or Japans calls. Without a scale to know about it could be the same as saying they can store all of Montana’s phone calls in a month and all of Californias.”

Of course. But that’s a simple calculation. Here’s Brewster Khale’s calculation of what it would take to store all US phone conversations for a year. Plug in your own numbers to see the requirements for any country and any time period.

Bruce Schneier March 18, 2014 3:53 PM

“It would have had more of an effect if this had been leaked right after Obama said ‘Nobody is listening to your telephone calls.'”

Surely. But it takes time to sort through the documents and find the stories.

geep March 18, 2014 3:56 PM

Yeah, the timing on these releases needs to be better. And so long as the NSA can plausibly use the excuse that a U.S. person’s data was collected incidentally, there will be little outrage domestically. That excuse wasn’t used on the initial phone metadata reveal as the document stated all the data was purely domestic within the US.

Sam March 18, 2014 4:13 PM

Another great example of why, as a US Citizen, I do not consider Snowden a “hero”. Releasing this information does harm to my countries interests, and is completely legitimate work by a foreign signals intelligence organization. Of course, I would not expect foreign countries inhabitants to feel the same, but, well, c’est la vie.

Matthias March 18, 2014 4:14 PM

My guess is Afghanistan. Capacity is not problem for such an underdeveloped country and the US has helped build a lot of the country’s infrastructure over the last decade so there was every opportunity. We also know that drone strikes target mobile phones. Afghanistan makes the most sense. It would be quite disappointing if after all these years and billions spent in Afghanistan the US would not at the very least have managed to build up a complete phone tapping infrastructure.

Anura March 18, 2014 4:26 PM

@z

It would have had more of an effect if this had been leaked right after Obama said “Nobody is listening to your telephone calls”.

No one is listening to your phonecalls, at the most they are reading transcripts of your phonecalls. Totally different.

KnottWhittingley March 18, 2014 4:39 PM

Sam,

I couldn’t agree less.

This is exactly the kind of revelation we need. It’s unfortunate if it tips off terrorists in Afghanistan (or wherever it is), but it’s important that the people of the US and the world know what is being built.

If we can do it to one country, pretty soon we can do it to most of them, if we want. Including the U.S.

Terrorists in Afghanistan presumably already guess that their calls are likely to be recorded. The rest of us need to know about this and what we’re being set up for.

I think it’s a really good question whether “nobody’s listening” to your phone calls only in the sense that it’s just computers automatically recording every phone call, transcribing it to searchable text, and indexing it by words and phrases.

If they’re not doing that, you know they want to. What part of “collect it all” do people not understand. (The part where that implies “infect it all” to enable collection, so that we don’t have to wait for phone calls?)

Chris Abbott March 18, 2014 4:50 PM

This is truly horrifying, possibly the worst yet. They could do it to the US. Considering how they define the word ‘collect’, they may just store everything about all of us AND everything we say. They can always get a sham warrant to do as they please with it, if they even bother…

Figureitout March 18, 2014 5:00 PM

Sam
–Maybe if your superiors, and well…all of you could do a better job of telling the American people how all this surveillance is worthwhile; truthfully. Are we stealing some other country’s tech and bringing more money to US? Even if you could do something, would you in time? Any self-respecting terrorist that isn’t a complete idiot will encrypt prior to transmission or use the…oh let’s say 25 easy-to-think of ways off the top of my head to send a message from A to B.

More importantly, as the leaks have shown (and as I have tested myself to get some evidence I can trust), is the system being turned against the citizens of the United States. In which case YOU and your ilk are traitors and need to be stopped.

Clive Robinson March 18, 2014 5:02 PM

@ Bruce,

This is nothing new, we have even worked out ways to do this and the storage requirements for the entire US and concluded it’s neither particularly expensive or difficult.

The hard part not being the storage with losless or equivalent compression but the automation of the transcription.

All the WaPo article does is confirm what we’ve known to be possible for some years, and some of us assumed “if it could be done with publicaly available technology it is definatly being done by the likes of the NSA and GCHQ et al”.

The quote in the article about comms “bandwidth” on the back haul being the real limiting factor is the one identified previously on this blog when discussing the new data sink buildings the NSA has built.

JonS March 18, 2014 5:14 PM

@ Stephen Smoogen ” if they can only do Luxemburg now, they (and any nation/state/megacorporation) could do China in 15 years.”

Remember that this presentation is from 2009, so even assuming your worst (best?) case, they are already over 1/3 of the way to being able to ‘do’ China.

Or, put another way, they are already listening to and recording 1/3rd of the worlds calls.

Personarama March 18, 2014 5:25 PM

“I do not consider Snowden a hero.” Thanks for acting out DoD’s puerile understanding of the law. No one who knows what they’re talking about uses vague, loaded language like hero. Snowden is a rights defender and a refugee, with specific legal protections in universal-jurisdiction law. The statutory and common law rights Snowden defends are privacy and freedom of expression. The ‘completely legitimate’ work of the NSA Cheka breaks the law. What you call your country’s interests are legal crap, meal tickets for beltway tax parasites. When thinking about interests, you must learn to distinguish between your country and your crooked contractors and colonels.

It so happens that DoD bureaucrats were sent to Geneva for remedial education on these issues. The scale of the US government’s disgrace left a lot of ground to cover, but the Human Rights Committee made a point of specifically addressing US privacy delicts in terms of supreme US law.

http://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=14383&LangID=E

The committee experts have interpretive authority in domestic legal implementation because the US is a member of the International Court of Justice and a treaty party to the ICCPR. The Committee questioned, rhetorically, the necessity and proportionality of NSA’s Stasi-style blanket surveillance. They noted the sick joke of fake oversight by the spooks who run hearings for congress. The Committee said, nicely, that the US is illegally attempting to defeat the object and purpose of its international commitments. The Committee exposed the US government Big Lie that foreigners have no privacy rights.

They said it real slow and clear for the third-rate minds of the DoD drones. Just the basics, that’s all they can handle.

Benni March 18, 2014 5:30 PM

The capabilities to store all that seemed to exist since 20 years.

In this old article: http://www.spiegel.de/spiegel/print/d-13494509.html Der Spiegel reveals in 1989 that the nsa installed had a large system in Bad Aibling, that snoops on the directional radio of the antennas of the “Deutsche Post”. “Deutsche Post” was, at that time, germans governmentally funded phone company. The market was liberated in germany only recently, with Deutsche Telekom emerging from this as a private company. In 1989, the provider vor phone calls was run by government. The phone calls were sent with directional radio.

Der Spiegel article mentions, that the americans would store every call that they hear, and that, for example, often american colleagues would impress with private details of german celebrities.
The americans would, however, like it most to collect all facts on the german economy and what the politicians tell each other.

I guess if you have something like that in place, you won’t give it up so easily. The americans gave Bad Aibling to the BND. The new MYSTIC project is just the successor of what they had earlier, adapted to modern mobile communication, of course.

DB March 18, 2014 5:33 PM

Coming soon to EVERY country near you! Unless you do something about it now! Call your congresspeople and complain! It doesn’t matter how “little effect” that has, make their phones ring off the hook until the next election. Stop making excuses, get up off the couch, pick up the phone, you can do it!

Benni March 18, 2014 5:43 PM

The most funny line from the new article is this here, i think:

“The call buffer opens a door “into the past,” the summary says, enabling users to “retrieve audio of interest that was not tasked at the time of the original call.” Analysts listen to only a fraction of 1 percent of the calls, but the absolute numbers are high. ”

So they literally sit there and listen to 1% of all phone calls.

And the others are agents who have infiltrated “World of Warcraft” and other MMORPGs. And then, there are agents who listen to Angry Birds data. And then, there are agents, who watch webcam chats, waiting for porn….

But when fsb is calling them, that there are people coming to the us that in russia formerly used to live with terrorists, (that happened with the Boston Bombers), or when a flight coach is calling them, telling he has studends who only want to learn how to fly large aeroplans but not how to land them (that happened with the 9/11 attackers), yep, then they do nothing, since they are busy watching webcam chats or playing world of warcraft.

Given that, one comes to the conclusion that these nsa programs are largely a security threat to the US. The biggest danger for the us, nowadays seem not to be terrorists, but nsa programs that leave the spies occupied with nonsense.

Sam March 18, 2014 5:47 PM

@Personarama:
Well, Tim Brenners-Lee just referred to him as a hero. But I guess he just doesn’t know what he’s talking about?

And “universal-jurisdiction law” tells me all I need to know about your positions.

Look through the list of member states of the UNHCR, and tell me how many of them are shining beacons of freedom.. It reads like a joke, Botswana, Sierra Leone, Russia, Kazakhstan, Viet Nam… Really?

And you actually used the term Cheka? Are you really that ignorant, or do you have no sense of perspective at all, and you are OK with diminishing the deaths of the 50,000 people tortured and executed???

Anonymoose March 18, 2014 5:48 PM

It sounds like the country they’re spying on is the UK. The 30-day-delete thing and breathe of the eavesdropping is similar to the UK’s Tempora program, revealed earlier.

Benni March 18, 2014 6:05 PM

By the way, as i am not able to translate it all, I think it would be worthwile, if this old spiegel article is translated in english:

http://www.spiegel.de/spiegel/print/d-13494509.html

As it reveals much of what the snowden documents tell now. Just that the nsa did all this to germany in 1989. E.g the article says they were flying in airoplanes to snoop on phone calls, they bugged german telecomunication centres, they bugged german fibers for internet, they bugged the directional radio for snooping phone calls, they have cryptoanalytic capabilities, and so on, and around 600 people just for snooping all phone calls that are made in germany.

the article is just too much, i can not translate this all, since im writing on a physics thesis perhaps we can do this as a community. But i think americans should know that the nsa did similar things before.

can.you.hear.me.now March 18, 2014 6:07 PM

@Clive “The hard part not being the storage with losless or equivalent compression but the automation of the transcription.”

Accurate speech transcription is a difficult problem.

Tech companies like Apple and Google have been working on it for some time. https://research.google.com/pubs/SpeechProcessing.html

This poses a moral problem for scientists who now know that they are building instruments to control individuals rather than liberate them.

KnottWhittingley March 18, 2014 6:08 PM

Thanks for the spreadsheet link, Bruce.

If it’s right that we can store all of the US’s phone calls for a year for 30 million dollars, I’d think we could store the whole world’s for less than 10x that.

It also suggests that we could record a whole lot of room audio from malwared laptops, desktops, speakerphones, game consoles, bluetooth speakers with speakerphone mics, voice-controlled gadgets, etc. for quite reasonable costs.

Most people probably speak less than 2 hrs/day, so call it 50 hours a month if you have good heuristics for detecting actual conversations. (As opposed to, say, TV sound.)

That would only be 10x what the spreadsheet gives for phone calls—or about 300 million dollars a year for the whole U.S. Gee. A pittance. (Less than half the cost of one state-of-the-art bomber.) And if you speech-to-text it and put it in a database, you can keep it in freely searchable form for much less, and it gets cheaper all the time.

BTW, my guess is they auto-convert all audio to semantically-annotated text for searching, and that what the human linguists at NSA spend most of their time doing is listening to iffy snippets and marking it up to improve the training sets for the speech-to-annotated-text software and a way-above-top-secret version of something like the CYC knowledge base. They probably have some really good training sets now.

I’d also guess that they have some really amazing software for cleaning up audio (especially if they have audio from multiple mikes in a room), based on algorithms originally developed for passive sonar imaging. (They apparently can “see” subs and ships through murky water, without pings that would reveal the sonar’s own position.)

If they’ve compromised multiple mikes in your room, and a speaker or two, I’d think should be able to ping the speaker to get the finite impulse responses hitting the mics, do a bunch of magic, and create virtual microphones that are placed pretty much where they want them. That should allow them to listen mostly to you and virtually “turn down” your barking dog, your diswhasher, and TV audio to hear you better. (Maybe lots better if they have a recording of what you’re watching on TV.)

If it weren’t for Snowden, it’d be a great time to be a geek spy.

Elvis Presley, JFK & Michael Jackson March 18, 2014 6:10 PM

@Schneier:
“It’s not even that the voice data is stored for a month, and then deleted.”

The problem with above sentence is that it reflects a belief in NSA newspeak.

NSA may have a system codenamed NUCLEON from which the data gathered by MYSTIC is deleted after a month.

What they do not tell you:
NSA may do regular processing on the data and the results of that processing (such as profiles on the individuals) may not be going anywhere after a month. Except perhaps to some internal “timeline” of the users that the data pertains to.

NSA may also do regular backups of the data in NUCLEON. So although data is deleted from NUCLEON, it may be possible to find it in the backups.

Figureitout March 18, 2014 6:17 PM

can.you.hear.me.now
–Had a friend I hadn’t seen in a while the other day ask his smartphone to “call fiance”. It always decides to “call beyonce” lol. I think it’d be interesting research to see just how many false alarms happened in intel agencies; b/c if I think about it I get overwhelmed w/ possibilities…

KnottWhittingley March 18, 2014 9:30 PM

Elvis et al.,

Yes, I’d say it’s a better bet that if stuff is “deleted” after 30 days mentioned, it’s still being retained in some form elsewhere.

I’d be very surprised if they don’t speech-to-text it all and save the results of that forever. And I wouldn’t be surprised if they super-secretly save all the audio backups, too, and pretend they don’t, even in way-above-top-secret documents.

I have to wonder how much stuff that is on NSAnet is bowdlerized versions, in case somebody decides to do what Snowden did.

I’d guess that there’s a lot of still-more-secret data & docs—which we’ll likely never see because it’s actually very compartmentalized and airgapped off NSAnet—that only a handful of analysts or techies knows anything at all about.

How could there not be? Sometimes I think surely they’re not stupid enough to put the deepest, darkest secrets where scores and scores of potential whistleblowers could get at them? Then sometimes I think they appear to be precisely that dumb, given how they don’t seem to have seen Snowden coming.

Neither thought is reassuring.

DB March 18, 2014 9:38 PM

@ Henny

I hate to break it to you, but they’re tracking burner phones too…

for example:
1) if you turn one phone off and then another on at the same location
2) if you ever take your beloved burner phone to the same location as you ever did any other phone at any time in history
3) if you ever call the same people/phones as you ever called with another phone…
4) heck, why not just do voice recognition too…

da-dop indeed.

DB March 18, 2014 10:28 PM

Not exactly on topic, but I wonder if they are tracking cash, and de-anonymizing it. People seem to think that cash is untrackable somehow, but I don’t think so. Let me explain:

There’s a choke point: the bank! All banks collectively, to be precise. Since we’ve learned that all technology companies are working in cahoots with the government (some wittingly some unwittingly), why not all banks too?

I theorize that most cash is withdrawn from an ATM, spent, then immediately redeposited, without exchanging hands any more times inbetween. All they’d have to do is record the serial numbers (all of them, nation-wide, or even world-wide) every single time it’s deposited and withdrawn from all banks, and associate those serial numbers with exactly who withdrew/deposited it and when. A massive central database of all that information can be mined to tell you mostly who got how much cash where, and where and approximately when each person spent how much cash at what retailer. It wouldn’t be 100% exact, but it would get you most of the way there.

Now, if you do trade a little cash among your friends before it gets redeposited by any of them directly, then what you’re really doing is helping them flesh out your network of friends even… as if facebook wasn’t good enough.

So there’s virtually no way to use any cash anonymously therefore, unless you actually stop using banks altogether, and also get everyone you have money transactions with to stop too (and so on). Just try to get your employer to pay you in cash, and all your favorite retailers to pay all their workers in cash too, good luck with that…

Sound fun? Sound tin foil hatty? Not as much as it used to… Sounds perfectly reasonable to me, after all the revelations for the past 9 months. This can all be easily done (and I suspect likely already has been done) under the guise of stopping counterfeiting, then mission creep it and use it mainly as yet another tool of mass control after it’s all built. Computers, mass storage, big data crunching, and unscrupulously using it for mass surveillance to strip everyone of all basic human rights really changes everything doesn’t it.

KnottWhittingley March 18, 2014 11:00 PM

The WaPo (Gellman and Soltani) say:

The RETRO tool was built three years ago as a “unique one-off capability,” but last year’s secret intelligence budget named five more countries for which the MYSTIC program provides “comprehensive metadata access and content,” with a sixth expected to be in place by last October.

Unfortunately, we can’t see that for ourselves because the secret budget excerpt they show us is too redacted. I’m guessing the long blacked-out line has a list of countries, or a reference to something enumerating the countries…?

So it’s not one whole country, but apparently five and working on six? Can we infer that the “comprehensive metadata access and content” implies comprehensive content, i.e., all the audio of the calls, or is the lack of parallelism significant?

Should we guess at what countries are targeted?

I’d assume that one of the top 6 they’d want to target would of course be North Korea, but given CIA’s chronic failure to significantly infiltrate North Korea for decades, and N. Korea’s bizarre infrastructure, they can’t do it. (Last I’d heard, they’d sent in hundreds of infiltrators, but every single one was captured and/or killed, and many were turned to feed bullshit back to CIA.)

I’d think the list would have to include Saudi Arabia, unless they’re too afraid of blowback if it’s ever revealed. (Both because it’s a bigger source of terrorists and terrorist funding than Iraq ever was, and to keep the ruling class in line in the face of popular opposition.)

I wouldn’t think they could do it in Russia or China, either.

It’s easier to spy on friends than enemies.

DB March 18, 2014 11:11 PM

@ KnottWhittingley

For it to be 100% it’s obviously so-called “friendly” nations… (i.e. America’s lapdogs like the UK and such…)

KnottWhittingley March 19, 2014 12:17 AM

DB:

For it to be 100% it’s obviously so-called “friendly” nations…

Hmmm… the lack of parallelism may be significant right there. In a less-than-friendly country we might have malware that can smuggle metadata out hidden in other stuff, but I’d think it’d be hard to use the bandwidth to capture all the audio without somebody noticing and alerting somebody who’d put a stop to it.

Maybe somebody who can actually see the docs will clarify this soon.

Buck March 19, 2014 12:20 AM

@Bruce

Surely. But it takes time to sort through the documents and find the stories.

dox or it didn’t happen… If you really believe you are performing a public service by pre-filtering the document dump for us, surely you’re only foolin’ yourself! 😉

Chuck Finley March 19, 2014 12:29 AM

I guess if they are not listening to phone voice calls then my Morse encoded heavy breathing key transfer system which takes 2 months for a key transfer is solid, good and secure to keep using with my scream “Doh!” encoded encrypted messages.

What a relief I was getting dizzy with all the heavy breathing and screaming DOh Doh! DOH! doh! after only 10 minutes!
Here is some original(not mine) open sourced work;
http://soundfxcenter.com/television/the-simpsons/17cf37_Homer_Simpson_32_Dohs_Sound_Effect.mp3

I think the system actually would exploit defects in the NSA’s rigid limited petty analysis structure. Now pick your sounds, combine with with a hobby where the sounds normally occur and terms are common for the patterns you intend to encode. Use sampling with lots of random bits in your encryption not your keys.

Clive Robinson March 19, 2014 4:19 AM

@ Sam,

The problem with your Snowden helps America’s enemies view –as also held by others– id it can easily be seen to be wrong for those “enemies” the US executive names.

It can easily be seen that “terrorists” and their equivalent –and major criminals as well– practice fairly good comsec.

The only people not practicing good comsec are ordinary people such as the 300million or so US citizens, do I take it from your view point that they are the enemy and thus you are also?

The sad thing about people with views similar to yours is the expressed in the saying that starts,

“First they came for the jews…”

Norbert March 19, 2014 4:27 AM

I just have two remarks on this.

first, such interception can only be done with the knowledge of the local authorities, or even their support.

second, the terrorist did already win. By putting up such an surveillance everyone in the “free world”, or lets say in the world which is affected by terror, has to be afraid, that he will get in the scope, by using the wrong words. By knowing this, people start to censor them self, which bring us to the situation that we are no longer free. And what comes next? For sure there will be a reason, to enhance this stuff to the whole world. Simply because there are terror cells even in the US. So we will have to protect us against it.

And later on we will start to either define “wrong” opinions as terror, or we say that we must protect our world against wrong opinions… and with wrong opinions I mean social opinions or opinions against NSA …

Is this a world we want to live in??

Clive Robinson March 19, 2014 4:54 AM

@ Can.you.hear…

Firstly transcribing is not a collection problem as such it’s a post collecting filter after you’ve hovered up the audio.

It becomes part of the collection problem only when you have to “selectivly collect” due to limitations in communications or storage bandwidth.

That said you need to consider how transcribing might be used… Normaly we assume it’s to identify conversations of interest, which is how you would use it for “selective collection”.

However it can be used in a different way that is to identify conversations that are NOTt of interest, which is how you would use it for “bulk collection” or hovering post collection filtering.

In the second usage it can be used very effectivly as part of an iterative or “casscade” process [1] that would play to the strengths not the weaknesses of the algorithm no matte how few the strengths are. The result is it significantly lessenss the load on human monitoring.

[1] For a reasonably well documented example of how a cascade process works with filters that only show a 1% or less advantage see how a Uranium enrichment centrafuge casscade process works.

Skeptical March 19, 2014 5:26 AM

The country in question is almost certainly Afghanistan. This is a nation in a perpetual state of civil war and high instability, in which intelligence is both vital and sometimes likely to be days or weeks behind. Having the ability to rewind the tape extends the shelf-life of certain intelligence by allowing it to be used to identify additional sigint even when the communication occurred weeks before.

Those who claim that this tool would be useless against those who practice obsessively good opsec miss the point. Terrorist and insurgent networks sometimes don’t practice perfect opsec. Sometimes they use insecure apps on their phones; they may think a burner phone is safe to use to talk; and so forth. The sometimes ineptly redacted documents reported on from Snowden’s leaks show as much.

Keep in mind that organizations, whether small or large, absolutely must be able to communicate to be operationally effective. They must be able to plan, to receive observations and reports from their personnel, to send plans, orders, and questions to their personnel, and to coordinate times and places to meet for various purposes.

So there is sometimes a tradeoff between the need for opsec, in its many facets, and the need to be operationally effective.

Where a given group of terrorists or insurgents choose to make that tradeoff will depend on their available means of communication and coordination, their perception of enemy ability to intercept those means, and their need to undertake a particular operation.

For example, a given network may be on the verge of losing control over a region due to counterinsurgency operations, and its leaders therefore may feel a strong need to act. The greater premium placed on immediate action may require risks with communications or opsec in general that would have not have been warranted previously.

This tool puts the US in a better position to exploit occasions when the enemy cuts corners, mistakenly uses channels he thought secure, or when comms, persons, and networks are discovered only in the aftermath of a recent operation. Valuable intelligence can be discoverable if you’re able to rewind a tape and string together how a network communicated.

An article like this, though, actually damages the utility of the capability. Everyone should be skeptical of such a claim, but allow me to explain why.

Network N has successfully executed an operation against a US SF outpost and the small unit of Afghan National Police recruited and trained from a local village which the SF team was training.

If the US had broken N’s communications, they would not have allowed to attack to succeed, as the costs to US and Afghan Government efforts were high.

Therefore, in reviewing recent actions, N may well conclude that their opsec was effective, and that the same techniques can be used for another operation.

If however, N thinks that the US can rewind the tape, re-examine communications, then N may be less willing to use again what appeared to be effective means of communication. N may expend greater effort at changing means of communication for the next operation, even at the cost of operational effectiveness.

Finally, despite the usual sensationalism that accompanies the headlines (and by headlines, I include the link-bait that media organizations use to fish for views), this has little bearing on the US or other large industrialized countries with governments that protect civil liberties.

Many technical capabilities are deployed in war, in a nation large swaths of which are combat zones, that could not be deployed elsewhere. This isn’t a matter of flipping a switch, and the institutional limits on what the US can do inside the US matter.

To make the most extreme analogy, which some of the more fervent folks on the libertarian right actually take seriously, the use of UAVs in Afghanistan does not mean we should be worried about the US using Predators to kill members of the ACLU or Greenpeace or the Tea Party. Technical capability is not the only thing that matters, and sometimes, as this analogy hopefully makes clear, it’s the thing that matters least.

If technical capability were all that were important, then we wouldn’t have the liberties and protections we actually do have.

And by the way, this obviously isn’t the first time that governments have engaged in bulk collection of telephone conversations against what they perceived to be a hostile country.

The Soviet Union conducted such collection from their diplomatic compound on Long Island for some time (this was well reported during the early 1980s). For all I know Russia still does.

Clive Robinson March 19, 2014 5:52 AM

@ Benni,

It was not just Germany “post office” but the UK post office –which became BT– as well.

Back in the days of Maggie “the milk snatcher” Thatcher and Ronald “Raygun”, most of the long distance phone calls were by radio link not cable or as now fiber.

Microwave radio links were a positive boon to the spooks as all antenna’s have “side lobes” which are only a few db down on the boresight main beam. Thus a building in an appropriate place would see a side lobe of the close antenna and the edge of the main beam of the distant antenna all at comparable or better levels than the radio link.

A UK journalist Duncan Campbell documented not just the PO civilian microwave link towers in the UK but the military radio links as well which was eventually used as part of the course notes for the UK’s “Open University” however this was not before the spooks and their pompous civil servants “tickeled the tail of the Draggon” and “Mad Maggie” was screaming for Duncan’s head. A large and very expensive Official Secrets Act (OSA) and Defence Of the Realm Act (DORA) court case ensued with the Crown making many many false claims all of which got whittled away by the defence. The last desperate claim by the Crown was that he had published the secret address of GCHQ and had thus endangered all the lives of those working there to terrorist attack… The Crown barrister but all his best “Oh My God think of their children” type build up into it to put the fear of god into the judge and jury. When it was the defence barristers turn he simply held up a copy of the widely circulated thoughout the world “Wireless World” magazine which as it did every month carried a full page advert extholing the employment opportunities and address to write to at GCHQ… Needless to say this nailed the lid on the coffin of the Crown case and Duncan Campbell went on to bigger and better things including providing a very detailed report to the EU on the Echelon capabilities.

A few years after the PO/BT made a major move into cable and fiber the spooks had a lot of buildings and property they had been using to monitor the now defunct microwave links from on their hands that was usless to them. So they stripped out all their equipment and through the UK Gov “Property Services Agency” (PSA then in the low block of Tolworth Tower Surrey) put the buildings and property up for sale.

However as part of the sales they included the original buildings construction or modification drawings, which included some unusual features with survaying and construction placment details way way way more accurate than would be required for any normal building. It did not take to long for a curious soul or two (one of whom was Nick Catford of Radio Jackie and spys for peace fame) to work out the features were antenna mounts pointing directly at either end of old PO microwave radio links and shortly there after the BBC news and current affaires Dept picked up on it and put it out on “tea time” national telivison that has normal viewing figures of over half of the UK popultion back then…

So “blowing the gaff” on what the spooks had been upto way back then.

Tim#3 March 19, 2014 5:53 AM

If, as per Brewster Khale’s model, it only costs <$30m to store all the US calls, it would be a surprise if the NSA, and/or someone else, wasn’t already doing it.

Tim#3 March 19, 2014 5:55 AM

$30m to store all the US calls, it would be a surprise if the NSA, and/or someone else, wasn’t already doing it.

apols for split comment, I incorporated a “less than” character into the original message & that somehow wiped the rest of it…

Clive Robinson March 19, 2014 6:24 AM

@ Benni,

I know some people like “sources” for media stories, so I had a quick search. The main one of direct interest is,

http://www.independent.co.uk/news/how-britain-eavesdropped-on-dublin-1106606.html

However you can get other related material by googling ‘ “nick catford” spies for peace ‘ and also ‘ “nick catford” radio jackie ‘. Back in the day Nick used to get ribbed by his “pirate friends” about his subteranian activities routing out “UK Spy bases” and “cold war bunkers” and photographing them, some were unkind enough to draw comparisons to his shape and that of a mole however as I found out some of his adventures were actually quite dangerous but fun nether the less for it. It’s been a few years since I last saw him but his photo history of these places has drawn him quite a few credits in published works and others he has written or colabarated in.

As a funny coincidence Radio Jackie is nolonger an “illegal broadcaster” or Pirate and now has offices on the other side of the road to Tolworth Towers overlooking the low block where the PSA offices as were are located.

Benni March 19, 2014 7:59 AM

@clive: that they spy on iuk is no wonder. The germans forced them to leave bad aibling, so they upgraded a similar echelon site on the uk. Spiegel writes that the germsn economy is being spied on from there now. But there is certainly nothing that prevents them to spy on the uk from their british site.

Spiegel reported early last year that the nsa would collect large numbers of phone calls from getmany, mentioning that bnd officials told the numbers were similar to what he bnd collects from bad aibling and feeds into the nsa databases.
The bnd officials told spiegel that bnd would mostly fed calls from afghanistan into the nsa system.

Now the question is: how sensitive are these echelon antennas? The parlamentarian comission once made it into bad aibling and i remember the former bnd boss schmidbauer saying in an interview one could hear from bad aibling what tank drivers tell each other in iraq

When they hear iraqi tank drivers in bad aibling, could it be that they also hear individual mobile phones? After they broke the gsm encryption? Or are they just limited to all satellite calls after breaking the encryption of satellite phones?

Anyway it appears to me that this washington post article is just about an echelon site. It could even be the one that bnd now operates in bad aibling

unimportant March 19, 2014 8:20 AM

Slightly offtopic: I have not yet seen any mobile phone with an additional mechanical power-off slider to physically cut off from battery. Perhaps this feature is unwanted for these kind of mass produced surveillance devices.

Bob S. March 19, 2014 8:31 AM

I’m sorry, what part of “collect it all” don’t you understand?

That’s K. Alexander’s legacy. And, it’s still in place.

99percent March 19, 2014 8:43 AM

Nothing is 100%, this neglects non-standard telecommunications, like point to point encrytped voip.
a good example is the RedPhone app.

Benni March 19, 2014 9:23 AM

interesting in the last spiegel article is, that they say, they collected data coming from germany (BND things this is data feed by BND to nsa) from the last 30 days…….

And whilst the nsa gives bnd access to XKeyscore , nsa reports that they were interested in bnd programs Mira4 and Veras, since they would outperform nsa capabilities.

Benni March 19, 2014 9:32 AM

would be surprising anyway, if the u.s could make tech that would outperform german technologies… Naa, that wont happen in the next hundred years.

in this article:
http://www.heise.de/ct/artikel/Willfaehrige-Helfer-1929899.html

it is written that the bnd not only collects radiodata from bad aibling. But it forced all german telcos that provide a connection to foreign countries to make a copy of all communications to the bnd. the names are: BT Germany, Cable & Wireless, Colt, E-Plus, M-net, Telefonica, Deutsche Telekom, Telia Sonera, Verizon, Vodafone.

GCHQ sits on British Telecom, Verizon, Vodafone, Level 3, Interoute und Viatel

So given that the nsa gets all radio waves, and all network communications in cables,

Speeer March 19, 2014 9:41 AM

Illegal mass surveillance in Afghanistan will come in handy when the time comes to repair the US government’s ugga-bugga reputation. They’ll have all the evidence they need to convict a couple hundred GI scapegoats of torture, murder, extermination, and attacks on civilian targets. If they atone by locking up a bunch of hillbillies, then the aggressors in the NCA can skate.

Nick P March 19, 2014 10:24 AM

re morse code

One of the original covert channels mentioned in the 1970’s-1980’s literature was an unprivileged program whose operations merely changed a status light on the box. The hidden camera in the computer room captured these changes. They were in Morse code. It was said to be tricky at the time due to camera capture quality. Could probably be automated today.

Nick P March 19, 2014 10:34 AM

@ Icelander

“Did someone say Iceland?”

I praised Icelanders on this blog before for taking control of their govt from the bankers and positioning themselves as a data haven. I also pointed out that they might be a highly vulnerable data haven as they have one transoceanic link. The US could take Iceland off the Internet easily. More likely, they tapped the link at the height of Wikileaks-type activity and enjoyed the irony that many people were relocating to their recording spot for “privacy.”

Their next steps would be to subvert your infrastructure, companies, etc with implants or technical attacks. I think the infiltration method wouldn’t work as well as Iceland is so homogenous. They might extort or bribe insiders, though. If you doubt these scenarios, remember that they effectively compromised the majority of Belgian infrastructure to get an advantage on resource deals. A real threat protected by Iceland’s privacy laws would get even more effort by NSA.

Good luck with all of that, though. I hope your country succeeds. 🙂

dot tilde dot March 19, 2014 10:59 AM

advertising for the technology can be found at wikileaks, the spy files, third installment. search the list for words like audio, speech, speaker.

.~.

Thomas S March 19, 2014 11:06 AM

All switching manufacturers that sell into the US market must comply with CALEA. The NSA could easily make use of this capability to mirror all pcm packets in a phone call. Phone call bandwidth is fairly low, 64Kb/s. And that can be reduced by 50% by converting the pcm to adpcm. So this revelation is not too startling given that the switching manufacturers are required by law to backdoor the switches.

vas pup March 19, 2014 12:24 PM

@can.you.hear.me.now:
“This poses a moral problem for scientists who now know that they are building instruments to control individuals rather than liberate them.”
Real scientists versus businessmen are driven by their insatiable curiosity, not by profits, and versus politicians, not by ‘mania grandiosa’. But research to satisfy their curiosity required money. That is why scientists trade their brain for business investments or gov grants regardless of the possibility of immoral usage of their discoveries by agents stated above. You need to be Tesla to kill your own ideas and prevent their potential usage for extermination of mankind.
Those who tempted scientists, tell them if you refuse to do this, we will find out other scientist (may be his rival since postgraduate time) to do the same. That is working even better than violent/intimidating approach.Life is always trade off. I just want remind all respected bloggers that inventor of advanced garotte was executed by its own invention in Middle Ages by inquisition in Rome when he had a chance to utilize his ‘freedom of speech /thoughts’ on unrelated subject, but they thought monopoly of such freedom is belong to them only.

Benni March 19, 2014 1:21 PM

By the way, after facebook anounced its interest in buying own drones http://goo.gl/Hi6sIB , facebook has now perfectioned a face recognition program http://goo.gl/3db3Vm that it previously tired to run on all profiles. Given that the nsa sits on facebooks fibers, these anouncements are certainly of a sort that the spooks like most.

The Moother March 19, 2014 1:59 PM

Another great example of why, as a US Citizen, I do not consider Snowden a “hero”. Releasing this information does harm to my countries interests, and is completely legitimate work by a foreign signals intelligence organization. Of course, I would not expect foreign countries inhabitants to feel the same, but, well, c’est la vie.

Well, how would you feel if this just became an international game and Germany, Japan, Russia and China were recording all of your calls?

Also, the country that remains unnamed in this article is, imho, the USA!!!!!

Hahaahahaahaha!!!

0day March 19, 2014 3:43 PM

The Moother

Also, the country that remains unnamed in this article is, imho, the USA!!!!

I second that opinion. Which is likely why it was unnamed.

Sancho_P March 19, 2014 7:02 PM

@Sam wrote (18th, 4:13 pm):

Releasing this information does harm to my countries interests …
Yes, keep punching your nose for the bad smell, you will be salvaged soon!

Whatever needs secrecy is evil, will eventually be exposed and fire back to the “genius”. [1]

The more ignorants try to keep it secret the earlier this will happen.

I think the most limiting factor (with the use of bulk collection) is the language.
They’d need tons of calls in fairly “standard” English to fix the automated transcript in realtime (the US would be a difficult test scenario, from north to south, east to west, let’s assume the UK?).
But if you think of (some) foreign languages this isn’t realistic. They simply haven’t enough trusted native speakers to start with that transcript task, let alone the automated translation to English (which isn’t even possible with particular languages if it needs to be accurate).

Afghanistan? Oh my dear. Just collect in bulk: OK, could be everywhere.

It may be easier with some of the “closer allies”, though (targeted operation only).

This is a huge money laundering machine with very little payback of taxpayer’s money, until it is used for industrial espionage and blackmailing
(this would be called “Nationalcapitalism” then).

[1]
There is no crime, no ruse, no trick, no fraud, no vice which does not live by secrecy. Bring this secrets to light, unveil and ridicule them to all. Sooner or later the public opinion will sweep them out. Publication may not be enough – but it is the only means without which all other attempts will fail.
(Joseph Pulitzer 1847-1911)
[Apologize my attempt to translate, didn’t find that in English]

Benni March 19, 2014 7:14 PM

@Sancho_P

Above in this post i have posted a google translation from a spiegel article from 1989. There it is mentioned already that nsa has employed a computertechnique that spiegel considers 5 years ahead. And this computertechnique did nothing else than transcribe the phone calls that the nsa captured from Bad Aibling. The site on Bad Aibling was able to collect all phone calls that were distributed by directional radio. this were 1/3 of all german calls. For the rest, they also installed their listening posts in Frankfurt, directly over places where the cables were laid.

The article of Spiegel mentioned that they produced 42 tons of paper! every day. Of Paper. And that the nsa had problems to get away with this and to burn this paper.

That means, they have solved the problem of transcribing voice calls since 1989. Wake up, they have the software for transcribing since long ago.

Benni March 19, 2014 7:31 PM

to quote:
Jahr um Jahr vergibt der “Puzzle Palace” an Industrie und Universitäten neue Computeraufträge in Höhe mehrerer Millionen Dollar. Bald sollen Sprachroboter, die abgehörte Gespräche auch übersetzen und ausdrucken können, die Suchautomaten ersetzen. Argwöhnisch wacht der Supergeheimdienst darüber, jedes neue Superhirn und jede neue Anwendungstechnik als erster nutzen zu können.

Year after year, the “Puzzle Palace”awards new computer contracts to industry and universities, worth several million dollars.

Soon speech robots , which can also translate intercepted conversations and print , should replace the search machines. Suspiciously is the super secret service watching that he is able to use first any new supercomputer and each new technique.

West German intelligence officials have long known that the secrecy of telecommunications , the legal protection of ” the not publicly spoken word ” is worth nothing.

Whoever picks up the telephone receiver between the North Sea and the Alps , must be considering that the NSA is in the link, as a listening friend.

More difficult than the storage proves to be the problem, to get rid of all the secret material.

Nearly 40 tons of paper daily must be put into the shredder. The early seventies, an incinerator was built in Fort Meade. The “secret garbage furnace ” was indeed technically up to date , but it worked in only 17 months to 51 days. Regularly engaged columns with pneumatic drills to to break boulders hard ash residues and drive them away.

Soon the incinera tor ( estimated performance : six tons of shredded paper per hour) was shut down and, as a NSA man recalls, ” further research ” was done for suitable waste treatment techniques , and the result of the search is as different secret.

Benni March 19, 2014 7:35 PM

strange, but i think i know that i have posted this short excerpt with that nsa oven before. Now i do not see it in the post. got that deleted somehow?

Chris Abbott March 19, 2014 9:19 PM

@Skeptical

It’s very important that we know they have this capability, because as you can see with the spreadsheet, budget-wise, another malevolent actor could accomplish the same thing. In terms of your drone analogy, let’s say the government was physically harming and killing regular Americans. If they had a reputation for doing that, we’d certainly want to be able to protect ourselves from drones. The only way to protect yourself is to know about and understand the attackers’ capabilities. Going back to the NSA, they DO have a reputation for spying on innocent Americans, so we should learn about their capabilities so they aren’t used against us.

I think the threat of terrorism is overblown. 9/11 was an anomaly, that kind of thing works once. Excluding troops, more Americans die from drowning in bathtubs each year than from terrorist attacks. Way more Americans are killed each year in gun violence from lone wolf shooters like Adam Lanza and so forth. Why don’t we have more paranoia about that than terrorism?

As far as protecting the troops in Afghanistan, I know of a much cheaper and more effective and foolproof way to do it: Get them OUT of Afghanistan.

Mike the goat March 20, 2014 7:15 AM

This is entirely unsurprising given the scope of their previous collection and analysis programs. I wouldn’t be too surprised if natural language was turned into text and analyzed (and voices could be printed to establish a social network of a target no matter what phone he uses).

While many are now starting (finally) to encrypt emails to sensitive targets (I would argue that encrypting email also to uninteresting targets would also be beneficial as a diversionary technique) using either OpenPGP or SMIME – which is great, caveats about implementations and in the case of the latter the CA model aside – I imagine that most people are still talking “in the clear” on their fixed and cellular phones.

It seemed like years ago but it was probably about 2000 ? we made a prototype desk phone that could be plugged into any public switched phone network and used. It did not rely on the internet and didn’t even have a TCP stack. We used DES (solely as a proof of concept) to encrypt a symmetrical GSM audio stream. It worked quite well and the cipher could have been anything but we were limited by the slow embedded hardware of that era.

Obviously VoIP is the future and circuit based networks like the PSTN will die, so this is where the effort should be concentrated. ZRTP hasn’t delivered what it promised and we are left with solutions that are lackluster. Commercial solutions have been failures…

I don’t use Skype but imagine that they encrypt their streams to and from their servers – but what about end to end so Skype never have the potential to access the clear channel (where subversion may occur).

Fried Ape March 20, 2014 7:58 AM

What chance that the country being monitored is the UK, and that under the reciprocal agreement GCHQ is monitoring all US calls?

Coyne Tibbets March 20, 2014 8:08 AM

This should not be a surprise to anyone. There is zero effective legal restraint on our national security apparati; the only effective constraints are technical and financial feasibility.

NSA has persistently released the truth one drop at a time: Stop accepting each latest “whole truth” as gospel and start figuring out what they can do (capability), because that is what they are doing!

Clive Robinson March 20, 2014 9:09 AM

@ Coyne Tibbets,

    NSA has persistently released the truth one drop at a time: Stop accepting each latest “whole truth” as gospel and start figuring out what they can do(capability), because that is what they are doing

And then some…

In some respects the NSA can be shown to be a little behind the curve (implants etc) but when it comes to voice compression and high capacity storage they have been in the past to be consistently several years ahead of the curve.

What catches the intel orgs like the NSA out, is new technology that is not initialy impinging on their areas of speciality, but then rapidly does so for unpredictable reasons. Like many large and somewhat inflexable organisations it takes the intel orgs a while to “skill up” and get infront of the curve. Part of this is they cannot initialy pay the wages such skilled people ask for and either have to wait for the wages to drop, upskill their own people or be able to place contracts with trusted commercial entities that have upskilled in that area.

Benni March 20, 2014 9:22 AM

Skeptical wrote:
“This tool puts the US in a better position to exploit occasions when the enemy cuts corners, mistakenly uses channels he thought secure, or when comms, persons, and networks are discovered only in the aftermath of a recent operation.
An article like this, though, actually damages the utility of the capability”

Now the problem is, who is considered to be an enemy by the nsa?

Well, for “levelling the playing field” and “opening competition in the bidding arena”, the us have founded their “advocacy center” where US companies can get their first hand advice from the nsa:
http://www.heise.de/tp/artikel/7/7743/1.html

In this article: http://cryptome.org/echelon-cia2.htm the former CIA director james woolsey says that the us would spy on european companies because they would bribe governments to get contracts.

This problem with “bribing” is indeed sensible. Until 1997, payments to a third party, were, as long as this third party was not someone from the government, legal in germany. This lead to a bribing system at siemens: http://www.manager-magazin.de/unternehmen/artikel/a-464741.html

However, as these bribings are now illegal since more than 10 years, this should not happen anymore. The company siemens had to pay a high prize for their bribing, with several managers being put into jail.

Nevertheless, the idea of whoolsey, that american companies would make products that good, that the us would not have to steal the companies secrets, is quite nonsensical.

I think whoolsey should come to stuttgart, and buy a german car. then he will learn, what the definition of “car” really means.
Germany exports most of their tech, not because they bribe, but because our education system produces better educated engineers, who then simply make better products.

In fact, apart from the computer tech, I see almost no tech made by us companies in germany. If the us want a better market share here, then they must reform their education system, to produce better engineers. One step would be to allow only those who have a bachelor in engineering to a master in engineering, and to allow only those who have a master in engineering to make a phd in engineering. Then, they should require all engineers to make at least their master, and put most parts of the phd curriculum into the engineering master, with the phd only left as a research phase, with no lectures. With these engineers, the american companies then can do something.

As long as the U.S.has a trashy education system, it wont be successfull. Spying wont help them to get better.

One should note that, in germany, there is of course nothing like an ” “advocacy center” where german companies can get first hand information from the BND. German companies do not need such a thing. There would not be anything they could learn from others by this anyway. It is not through spying how engineers get better or make better products. It is by their education.

z March 20, 2014 10:10 AM

@Mike the goat

I agree, but the problem with ZRTP and SRTP is that most implementations so far are pretty terrible. The only one that’s any good (that I have used) is RedPhone, which is great, but can be a bit buggy at times.

ZRTP would work well, IMO, if it was the default. The public has shown both a great ability to adapt to new security technology, and a complete unwillingness to do so voluntarily. People don’t like inconvenience and most security tools are inconvenient, though ZRTP and SRTP are much less so.

The biggest obstacle to security is passwords. Passwords keep people from adopting tools and they inevitably end up being too short to be useful when they are used. That’s why GPG is so rarely used. Nobody wants to enter a password just to read email. TextSecure is a great tool for encrypting texts, but nobody uses it (well, quite a few people use it, but nobody that I know), mainly because they have to type a password to do a task that they ordinarily can do without that inconvenience.

I’m at the point now where I think security tools using unencrypted private keys by default may give more security than encrypted ones, just because people will actually use them. That’s not a good thing, but it’s better than everything being sent in the clear.

Nick P March 20, 2014 10:59 AM

@ z

That’s one of the reasons I stopped using TextSecure. The password stuff was annoying. Plus, the people that concerned me could hack the phone itself so it wasnt worth it.

John Campbell March 20, 2014 11:02 AM

Y’know those little debit/credit devices in stores? Many of which still need a phone line for the internal modem?

I would not be surprised, at this time, if the NSA also captures all modem-transmitted data (imagine faxes as well!) and, as part of this, is tracking every little electronic payment being processed as well.

Somehow, I suspect the code words for such a program would likely be puns on “follow the money”.

Richard March 20, 2014 4:19 PM

Here’s Brewster Khale’s calculation …

Actually, what is there is:

One account. All of Google.
Sign in to continue to Google Drive.
One Google Account for everything Google.

Grand-dad, what was a URL?

DB March 20, 2014 6:09 PM

@z:

I disagree, the biggest obstacle to security is not passwords, it’s usability. Passwords are one kind of usability problem, yes, but there are many other kinds that are just as big or even worse of an obstacle.

For example: Most email programs STILL don’t BY DEFAULT at INSTALLATION TIME AUTOMATICALLY generate a PGP key for you, without you going through any extra steps! What the heck?? What’s the matter with all the software makers? Where are their heads? It’s totally and completely mystifying to me… It’s basically criminal in the post-Snowden era of today…

Sure, email programs should allow/encourage users to OPTIONALLY encrypt that private key with a password… yes.. that’s a good idea… and useful to those who are willing to put up with the added usability problem of a password for the extra security… but why don’t you even go to the most basic non-optional step of automatically generating a locally-stored non-encrypted one to begin with? It’s just inexcusable!

Making users go WAAAY out of their way to get even a basic non-encrypted private PGP key, and use it in their messages… is terrible usability. And this is a much worse barrier than the actual passwords themselves.

You alluded to this with your last paragraph, that’s good, just take it one step further…

YeahSure March 20, 2014 6:33 PM

@Sam

“And you actually used the term Cheka? Are you really that ignorant, or do you have no sense of perspective at all, and you are OK with diminishing the deaths of the 50,000 people tortured and executed???”

That number is dwarfed by the number of civilians that we have killed in Iraq, Yemen, Afganistan, Pakistan, Vietnam, Cambodia, etc. etc.

Really what can we say about other countries when we obviously do whatever serves our purpose, including torture and assassination? Sure, the dictators of the world like to poke at our pretensions, because we are no better, no better at all, except maybe in controlling disclosure of our crimes, despite our hypocritical puffery.

Nick P March 20, 2014 7:44 PM

“What the heck?? What’s the matter with all the software makers? Where are their heads? It’s totally and completely mystifying to me…”

Easy: much trouble without demand and $$$ to justify it. Usability is part of it, for sure. There’s many usable solutions that market protecting email, chat, or some other communication. Some are free. Despite this, most users go with unprotected and untrustworthy systems that cater to advertisers. That the biggest email services think of their services as loss leaders mean they probably don’t want to add a bunch of costs to their operations if users don’t care. So, sad as it seems, they’ve been taking the wisest path given their goals and market.

Now, for businesses, it’s a different set of problems that keep it from taking off. I think Colin Robbins post totally nails it.

DB March 20, 2014 7:55 PM

@Nick P

Yes, $$$ explains it for commercial products (especially “free” commercial, where YOU are THEIR product), but not for open source software… Why doesn’t every single open source email program automatically generate such keys at install time? What’s their excuse? Is the whole world just incompetent and mad or what? I’ve been wondering about this very example for over a decade, it shouldn’t take a scandal this big to make people wake up even a little…

65535 March 21, 2014 12:56 AM

“Of course. But that’s a simple calculation”.–Bruce S.

Thanks Bruce. It shows how economically easy the NSA could record and store all phone calls. With transcription and compression the price goes down.

I would guess that to get around various legal requirements the NSA farms out the collection/and or storage of American calls to any combination of the 5-Eyes nations. The scheme would appear to be legal on the surface and the recordings could be kept for a very long time.

Other that a political crack-down on the NSA, which is unlikely, I think the only solution is to drastically cut the NSA’s budget.

I think a 50% + budget cut for the NSA is in order. The money should go to programs with greater merit than eavesdropping on innocent civilians – and no more collection of porn!

ATN March 21, 2014 6:22 AM

No squid story this Friday, so:

There is some “big data” nobody is talking about, I wonder if it is collected:
All credit and debit card transaction (and money transfer) in the world.
That can probably protect good citizens against terrorism…

John Knoxville March 21, 2014 9:33 AM

I’ve been telling people about this for years. I’m glad us “nuts” are finally vindicated. Anyone out there try Red Phone for Android? It fixes Mystic up. Just don’t use it on a Samsung Galaxy * device as it has a known backdoor.

Benni March 21, 2014 9:50 AM

We need a new squid thread for discussing this here:

New slides coming from snowden, this time with details how TAO targets sys admins

https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/

The author of the slides explains in one post that the NSA scours the Internet to find people it deems “probable” administrators, suggesting a lack of certainty in the process and implying that the wrong person could be targeted.
The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target.
By infiltrating the computers of system administrators who work for foreign phone and Internet companies, the NSA can gain access to the calls and emails that flow over their networks. The NSA wants more than just passwords. The document includes a list of other data that can be harvested from computers belonging to sys admins, including network maps, customer lists, business correspondence and, the author jokes, “pictures of cats in funny poses.”.

these are the slides for this
https://firstlook.org/theintercept/document/2014/03/20/hunt-sys-admins/

KnottWhittingley March 21, 2014 10:26 AM

Benni,

Yes, those would be good things to discuss in the new
Friday squid thread, assuming we get one today.

Another thing would be the NSA lawyer’s recent claim to the Privacy and Civil Liberties Oversight Board that the providers of information under the 702 program knew all about it.

Benni March 21, 2014 12:04 PM

@Knott:
That was a wrong article from guardian. The article now has the following corrections:

http://www.theguardian.com/world/2014/mar/19/us-tech-giants-knew-nsa-data-collection-rajesh-de

“This article was amended on 20 March 2014 to remove statements in the original that the testimony by Rajesh De contradicted denials by technology companies about their knowledge of NSA data collection. It was also updated to clarify that the companies challenged the secrecy surrounding Section 702 orders. Other minor clarifications were also made.”

the nsa lawyer did not say which companies the nsa told what exactly.
Of course, google, microsoft and yahoo were informed about their fisa letters they got. As this is a process where some agent comes with an court signet letter asking for data.

However, the most information does the nsa get by listening in the in the internet backbones and the fibers.

It would be reasonable, if the nsa approached level 3 communications to inform them that they would place bugs in their fibers.

But the nsa would not be a “secret service” it they also would go up to google, and telling them they have bugged their provider level 3 now….. Why should the nsa inform the victims on which they spy on? that would make entirely no sense. It is more reasonable that the provider level 3 got a gag order, forcing the company not to say one word to google operatives..

Benni March 21, 2014 12:08 PM

So what we actually have is a new nsa wordgame. First they defended their phone call collection by tortured interpretations what collect means. Now they defend themselves by saying, they told everything to the companies, without telling which company they told what. Whilst it is reasonable that the providers knew, the customers of the providers remained most likely entirely uninformed..

Benni March 21, 2014 12:16 PM

By the way, for the time being, I use my facebookpage, to document and collect the information that is in these slides:

https://www.facebook.com/benjamin.schulz.33

I think the nsa attacks common innocent people, like engineers, sysadmins, companies that produce interesting tech, and by accident, the nsa attacks millions of innocent others too. So I use my facebookpage to collect and document what is in these slides. Just as a kind of weird hobby in my sparetime.

Benni March 21, 2014 12:34 PM

By the way, i do not know the law for demonstrations in the us. But I think there should be more public actions like this https://www.facebook.com/events/510855025700760/?ref_dashboard_filter=upcoming where people camp every week with large plaques before an nsa complex. Why do not lots of american people make a large prostes march to Fort Meade every now and then?

The nsa spies in germany show very interesting reactions if they see a peaceful crowd of protesters, who take photos and videos with cameras all around them…

Are there laws forbidding this in the US?

Moderator March 21, 2014 1:51 PM

The squid thread will be along later this afternoon, like every week. If you can’t wait, you can still post to the previous one.

And Benni, you’ve made four comments in a row on this thread, and six out of the last seven. Even on a squid thread that would be a bit over-the-top. On a blog of your own, you can post as much as you want on any subject you want; when you’re on Bruce’s blog, please have some consideration for other commenters, and limit yourself to a reasonable number of on-topic posts. Thank you.

DB March 21, 2014 2:31 PM

@ Benni regarding Americans marching on Fort Meade…

In my experience so far, I think the largest thing limiting mass marches in America is too many people have jobs… and families… (and Americans wrap their whole personal identity up in their job and family–spouse and kids mainly). Also the press in America is largely government-influenced which has a severe limiting factor on it as well. It just hasn’t dawned on most people the severity of it all, other things are far more interesting. We are an elite crowd here on this blog in this respect. Also, I think the technical-knowledgeable in America have expected this to some degree for a decade (Orweillian-named “Patriot Act” anyone?), it’s just a matter of scale that’s surprising only. It’s the classic live frog in a pot, slowly brought to a boil that never notices when it gets too hot to live… Oh, and don’t get me started on the whole totally selfish “oh, it’s just foreigners, not us” attitude that is common in America (this is the kind of attitude that enabled the Holocaust)…

Most friends and relatives I’ve talked to about it are aghast (once I explained it to them, they were only slightly concerned prior)… yet when the EFF had their little thing in Washington DC, I couldn’t get a single person to go… They were all busy, had plans, lives, etc…

But people are waking up… it just takes time. Education is key, mainly.

Benni, please stop spamming March 21, 2014 4:46 PM

Dear Benni,

Please consider using links instead of posting gigantic “text walls” which you took from Google Translate, as the outcome of such a behavior is of particular annoyance to smartphone readers, especially regarding the aspect of scrolling.

Also please stop hampering the discussion by flooding this valuable and read worthy blog with multiple posts in a row.
Thank you and have a nice day!

Dear Moderator,

please consider deleting or modifying the following post:

https://www.schneier.com/blog/archives/2014/03/mystic_the_nsas.html#c5021132

That’s just horrendous. There is absolutely no need to paste something like that when a link can be used very conveniently instead. I tend to read this blog on my smartphone, hence every time I encounter such completely unnecessary obstacles I feel the urge to smash it, out of pure rage, I should mention.

If possible, please convert it to a link to the same content.

Thank you very much!

Benni March 21, 2014 6:30 PM

@Moderator,
Yes, i will make fewer posts in the future, that is why i linked to my own page where i blog on this.

“There is absolutely no need to paste something like that when a link can be used very conveniently instead.”

I would appreciate that too, if I could make this text into a link that gives the translated text. However, i have not found a way, to make google translate this article. Whenever I try to translate the entire page, google translate will say, that “this type of url can not be translated”, the only way to get a translation was to copy the entire text. And even then, google translate would stop translating after several lines, so I had to translate several paragraphs separately.

I think it is very important to know that the nsa was up to mass surveillance before snowden.

And this article is very detailed on that. So I wanted to report this.

Just, that I could not get google translate to produce a url that linked to a translation…
If someone can do this, I would be pleased.

Benni March 22, 2014 4:55 AM

@Moderator: Yes the german text can be deleted. I originally added this just because I hoped that someone might want to translate this article in better english here. But I see, a link for the german text would suffice.

@Figuretout, yes, hitting the translate button twice did it:

In my opinion, the english text can be replaced by this url:

http://translate.google.de/translate?sl=de&tl=en&js=n&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.spiegel.de%2Fspiegel%2Fprint%2Fd-13494509.html

Although I think that this early text on the nsa should be better known by americans. I think an american version of this should be easily available by search machines. But certainly, a comment in a blog is the wrong place for this. There, a link clearly suffices.

In his lecture, Bruce Schneier argued, that perhaps the nsa does its surveillance, because after 9/11, they were given an “impossible mission:” That attacks like this never happen again, and the only way for the nsa to achive this would be to know everything.

This early SPIEGEL article shows that this is nonsense. Long before 9/11, the nsa already had a program in place to copy 1/3 of all german phone calls, and the nsa was doing this because of industrial espionage.

It is extremely important that americans recognize this. It also explains why obama does not want to take severe steps of reducing the nsa programs.

Under Obama, american military left Iraq, and is leaving Afghanistan. But if Obama would make a severe cut in the nsa surveillance programs, the “governmeng advocacy centre” where companies get their advice from nsa, could not offer anything more. This would perhaps lead to us companies taking lower profit, and forcing them to fire many employees. Obama is a liberal, he certainly wont risk a higher unemployment rate. But that is, what shutting down the nsa bulk collection and the associated industrial espionage would imply.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.