My Conversation with Edward Snowden

Today, as part of a Harvard computer science symposium, I had a public conversation with Edward Snowden. The topics were largely technical, ranging from cryptography to hacking to surveillance to what to do now.

Here's the video.

EDITED TO ADD (1/24): News article.

EDITED TO ADD (1/30): More news articles.

Posted on January 23, 2015 at 4:57 PM • 205 Comments

Comments

Lawrence D’OliveiroJanuary 23, 2015 6:04 PM

Re “Bureaucratization” of NSA snooping programs: the other word that goes with “bureaucracy” for me is “large-scale”. If you had a small, close-knit team, you wouldn’t need such elaborate user manuals. The fact that you need them indicates that you have large teams operating these programs. With, as Snowden points out, mostly less-than-expert technical skill levels.

FigureitoutJanuary 23, 2015 8:50 PM

Great talk, really interesting (not technically, big picture wise).

Main Points:

--Public/Academic community seems to be "closing the gap" as it was once believed TLA's had at least a decade of research ahead of them/us. "There's no magic".

--Bad implementations, algorithms are strong (still not sure...why do we keep saying this but can only point to maybe 3..?--OTR, PGP, ZRTP...). People keep saying this but crypto isn't practical on pencil/paper (unless you want to keep out almost all attackers, assuming you created it in a semi-secret mobile place and destroyed material you wrote on). Programmers have to know concepts crypto and how to code (preferably how a computer works, very well). Hence we only have a very few implementations we could trust (then worry about how you get it, are download sites attacked and did you build it w/ your very likely backdoored mega-compiler).

--Criticizing homebrew solutions (disagree to an extent, people are trying to learn not just copy; also having single-system compromise is a risk instead of many different ones--look to BIOSes of past, people try to have an exploit work across them compared to UEFI on every single computer). Sounds good for security professionals to say until the knowledge and skills become well known, then it's protecting your paycheck like everyone else.

--Cascading algorithms should be looked into further (Poster by name of Justin mentioned, as well as implemented in TFC by M. Ottela). Strongly agree, tweak algorithms or multiple layers; won't be as many automated tools.

--Weak endpoints, "focus on the endpoints" (Many others and I will keep screaming that this is how we can cut off attacks very effectively, EMSEC too once you get the PC airgapped, but the I/O when you bring in software and how exploits get into layers of your computer below the OS and loads *every single time* and will be very hard to see/remove; getting software in is the other killer here, also what's it running straight from the factory).

--Attack tools are beginning to be available to everyone (Kali linux, metasploit, aircrack-ng, Nmap, Wireshark, etc.).

--Risk analysis compared to different kinds of attackers (don't leak your methods/sources).

--Questioning of operations being more considered due to possibility of exposure "should we do it just b/c we can?".

--NSA reducing trust of American tech. industry and our infrastructure and how damaging this is.

--Structure of internet and how market makes collecting private info a business model.

--How we can rebuild phone networks and the internet to fight meta-data creation?

--We all use the same technology (for the most part) and by keeping vulnerabilities secret we leave the entire population the gov't is supposed to be protecting, vulnerable.

--Ends on that the endpoint is vulnerable again once you view the unencrypted info on it...


d33tah
--That'd be an unnecessary OPSEC breach, no? Post whatever question you have in public channels I think.

RickJanuary 23, 2015 11:38 PM

I gathered from the presentation that preventing or disrupting acts of terrorism is not especially effective using the current NSA & Co. surveillance model. The multi-billion dollar budgets and extraordinary man-hours invested cannot be justified using the anti-terrorism argument.

So... what *IS* the reason for the current surveillance model? To stifle dissent? To blackmail anyone who threatens the current power structure? To establish some perverted, 'benevolent' form of social engineering currently in adolescence? Is it a race to fill a power vacuum, perhaps a game of "one-upmanship" between nations? Seriously, I'd like to know. Does anyone have any evidence as to why the current paradigm exists, and, why the gigantic budgets for this model of surveillance are so hard fought for? And why no one in power is interested in ratcheting down the level of encroachment on society's rights to be free as well as the encroachment upon the constitution?

I'll take a stab at a quick answer: an inexorable desire for power and control. Governments always evolve-- regardless of their form and institutional framework-- demanding more control over the populace until, eventually, the populace rebels or the government collapses from a variety of failings, moral and economic being the two most salient that come to mind. But that's just my opinion, idle speculation, and if I thought about it more, I might come to a different conclusion.

Does anyone have any evidence to support the real reason? Or am I just missing the self-evident? I can imagine the NSA answering, saying to themselves, "It's all about the momentum, mission creep, forward motion, too big to fail... we've got to 'collect it all' to ensure security (but mostly job security for those of us involved)."

Answers, anyone? That answer could open up avenues of discussion on what the next step is to actually correct the problem. Because assuredly, the InfoSec community asking politicians to politely mind the constitution is not going to affect change in this millennium.

Turned down by EFFJanuary 24, 2015 12:07 AM

In case anyone has medical experiments conducted on them by person or governement entities unknown (said for convenience but we know) in case anyone tries to do a medical experiment on your family by computer and breaks these rules don't look to the EFF for help:

The 10 points are, (all from United States National Institutes of Health).[7]

The voluntary consent of the human subject is absolutely essential. This means that the person involved should have legal capacity to give consent; should be so situated as to be able to exercise free power of choice, without the intervention of any element of force, fraud, deceit, duress, over-reaching, or other ulterior form of constraint or coercion; and should have sufficient knowledge and comprehension of the elements of the subject matter involved as to enable him/her to make an understanding and enlightened decision. This latter element requires that before the acceptance of an affirmative decision by the experimental subject there should be made known to him the nature, duration, and purpose of the experiment; the method and means by which it is to be conducted; all inconveniences and hazards reasonable to be expected; and the effects upon his health or person which may possibly come from his participation in the experiment. The duty and responsibility for ascertaining the quality of the consent rests upon each individual who initiates, directs or engages in the experiment. It is a personal duty and responsibility which may not be delegated to another with impunity.
The experiment should be such as to yield fruitful results for the good of society, unprocurable by other methods or means of study, and not random and unnecessary in nature.
The experiment should be so designed and based on the results of animal experimentation and a knowledge of the natural history of the disease or other problem under study that the anticipated results will justify the performance of the experiment.
The experiment should be so conducted as to avoid all unnecessary physical and mental suffering and injury.
No experiment should be conducted where there is a prior reason to believe that death or disabling injury will occur; except, perhaps, in those experiments where the experimental physicians also serve as subjects.
The degree of risk to be taken should never exceed that determined by the humanitarian importance of the problem to be solved by the experiment.
Proper preparations should be made and adequate facilities provided to protect the experimental subject against even remote possibilities of injury, disability, or death.
The experiment should be conducted only by scientifically qualified persons. The highest degree of skill and care should be required through all stages of the experiment of those who conduct or engage in the experiment.
During the course of the experiment the human subject should be at liberty to bring the experiment to an end if he has reached the physical or mental state where continuation of the experiment seems to him to be impossible.
During the course of the experiment the scientist in charge must be prepared to terminate the experiment at any stage, if he has probable cause to believe, in the exercise of the good faith, superior skill and careful judgment required of him that a continuation of the experiment is likely to result in injury, disability, or death to the experimental subject.

Reprinted from Trials of War Criminals before the Nuremberg Military Tribunals under Control Council Law No. 10, Vol. 2, pp. 181–182. Washington, D.C.: U.S. Government Printing Office, 1949. Note that complete electronic copies of the Trials of War Criminals Before the Nuernberg [Nuremberg] Military Tribunals Under Control Council Law No. 10[8] are available online, as are most of the other proceedings from the Nuremberg Trials.[9]

WaelJanuary 24, 2015 12:13 AM

@Rick,

So... what *IS* the reason for the current surveillance model? To stifle dissent?

I think it's the "Throw everything we've got on it" mentality. More money, more computing power, more storage space, collect everything we can. It's like someone who's sick and doesn't know the cause of the desease (or knows but ignors it) and thinks: Hmmm! I'll take five asprins, 17 Tylenol® pills, a few antibiotic pills, a couple of acupuncture sessions, what's in this bottle? Hell, I'll take a few sips from it as well - can't hurt, wow! what are these expired blue pills? I'll sprinkle some in my cereal bowl -- what's an extra line on a zebra?... That oughta do it ;)

Because assuredly, the InfoSec community asking politicians to politely mind the constitution is not going to affect change in this millennium.

It's not going to affect any changes because I seriously doubt humanity will make it to the third millennium...

RickJanuary 24, 2015 1:02 AM

@ Wael,

Your description reads (almost) like the diagnosis of a compulsive, paranoid meth addict. I enjoyed that. If only the NSA could fail so easily, liberty herself would weep with joy. I suspect momentum (AKA, 'too big to fail', mission creep) is part of the problem, yes, but in the end, these multi-billion dollar budgets must produce results for someone (or some cabal... congressional committees?) that justify renewal year after year. In other words, the people with the purse strings actually *like* the results... and what is their real agenda? Why, I ask? Or can it be that we are governed by the minds of children to just *that* degree?

Regarding your thoughts on the third millennium, I'm as unfortunately cynical as you: the dystopian rot of the current plutocracy must be complete before real change occurs. People must firstly feel enough pain to be diverted from their 1st world temptations and shiny baubles such as the latest reality TV show or NFL sports scandal before the political process can be effective.

If the year were instead 1015, at least there would be enough undiscovered territory to start a new nation-state. But noooo... now we need space travel to make that alternative viable and I'm not at all comfortable relying on the mere hope that my spacecraft would be free of GPS tracking, pinhead-sized cameras, and mechanized mosquitoes that profile my DNA (http://www.dailymail.co.uk/sciencetech/article-2921758/Privacy-dead-Harvard-professors-tell-Davos-forum.html)

RickJanuary 24, 2015 1:55 AM

@ Daniel,

Thank you for providing the link. I was unaware of that post by Bruce, and found it thought provoking. I agree that the privacy debate should not assume hidden wrongful behavior... instead, privacy is first and foremost a legitimate need to remain productive and healthy.

And, I agree that we should be fighting for privacy regardless of the question, "why?", but I assert that answering that question will provide practical insight and distill specific strategies with which to defend privacy. Otherwise, we're just shooting ideological arrows at giants. We need 'teeth' to take a bite out of their motive(s).

WaelJanuary 24, 2015 2:19 AM

@Rick,

In other words, the people with the purse strings actually *like* the results

Or they like the perception of the results. Perhaps they also fear the outcome of not spending this money as well. You can add other games that are played. I often refer to "Our man in Havana" story.

and what is their real agenda?

If I have to guess, I would say typical human desires: Job security, pride, feeling superior, powerful, above the law, prestige, a cool looking badge ;)... Humans are humans whether they work in a public company, private company, or a spook organization.

Regarding your thoughts on the third millennium, I'm as unfortunately cynical as you [...] craft would be free of GPS tracking, pinhead-sized cameras, and mechanized mosquitoes that profile my DNA

I meant to say "through the third millennium". Space travel won't be as safe in the near future either. We have polluted the orbit with a lot of trash -- we made a space dump out of it, as if polluting earth wasn't enough. As for mosquitoes, doesn't surprise me. The way I see it, if someone can think of some science fiction story for a movie, you can bet another one with at least as much budget is working on making it a reality.

On a relevant note, and this is just a "feeling". I am willing to say that more than half the people (not including you of course - just so you don't think I am taking about you) on this blog who complain about spook organization's violation of privacy, would take a job with them if the "numbers" are right. Everyone has a price[1], and "convictions" take second priorities when the "price" is right. How valid is this hypothesis?

[1] An ugly looking man met a really beautiful woman -- way out of his league. He asked her once: If I give you a million dollars will you "spend" the night with me? She said: Sure! He then said: Now that we got the principles out of the way, let's negotiate the price :)

DanielJanuary 24, 2015 2:32 AM

@Rick

Earlier you mentioned power and control. It's useful to have a definition of this concept. I'd define power and control as the ability to force a person to do something they would not otherwise do. In a metaphorical way there are two means to exercise power and control--the carrot and the stick. Phrased academically, the power of data lies in its utility to punish and/or to entice. Catholicism has its hell and its heaven. It doesn't matter too much whether a person obeys because they anticipate a reward or they obey because they fear a punishment. They obey.

However, most of the debate in privacy centers around the punitive use of data. This is regrettable because much of the power of data collection lies in its use for propaganda.

http://bigstory.ap.org/article/31490a20926d4ed3b98ff2d0ed8fc81d/new-privacy-concerns-over-governments-health-care-website

The government's health insurance website is quietly sending consumers' personal data to private companies that specialize in advertising and analyzing Internet data for performance and marketing,

There is one piece of evidence that the government cares about the carrot. See, only a curmudgeon would object to the collection of data to improve the performance of the website. Oh, and all those coupons you got in the mail for the new miracle cure for your bunions, total coincidence.

VeginJanuary 24, 2015 3:51 AM

Really enjoyed the talk between Ed and Bruce! What amazes me is how fast information flows across the internet. N. Korea, Sony, Regin, and FoxAcid. I was able to follow right along with these current events and it felt like we were having a public debate about these issues. Thank you for the debate Ed and Bruce!

gordoJanuary 24, 2015 4:55 AM

@ Rick

So... what *IS* the reason for the current surveillance model?

This may be part of the reason:

The tenets of NCW [Network-centric Warfare], once again, are: Eliminating the “fog of war” through a sensor grid, and a combination of precision-guided weapons, ISR [intelligence, surveillance, and reconnaissance], and command and control. The U.S. military, and other militaries around the world on both sides, were late to the computer and networking game (now dubbed “cyber”) but determined to catch up. A global information grid was sketched out. Satellites for reconnaissance and communication were launched. Precision GPS systems deployed. Drones for ISR and weapons delivery to targets were built in ever increasing numbers. A high altitude drone, the Global Hawk, was deployed not only to replace the 50s vintage U2 platform but to add a layer to the ISR and command and control from land, sea, and air systems.

Article has excellent supporting links and touches upon a number of issues including: interoperability; slowness in transforming the Pentagon's operational networks; poor software assurance/vulnerabilities; security by obscurity; and the roots of NCW.

Source:
Network-Centric Warfare Set the Stage for Cyberwar
Richard Stiennon
Posted on November 9, 2014
http://ciceromagazine.com/features/network-centric-warfare-set-the-stage-for-cyberwar/

Clive RobinsonJanuary 24, 2015 5:23 AM

@ Rick,

There is quite a large part of "keeping my job" involved with the NSA and other Intel agencies, but you also need to think in terms of the organisation within which they are set (ie the Gov and who has a grip on the purse strings).

If you go back half a life time ago you will find we had a similar situation, the Berlin wall came down, and shortly there after --supposadly-- did the Iron Curtain. At that time questions were asked about what to do with the IC "now that they were redundant", well several people pointed out that "You don't lay off spooks" because either "They will sell their skills and knowledge to others..." or "They will invent or find new targets to spy on...". Both have happened in various forms.

However in the process of trying to find suitable targets 9/11 rather conveniently happened, it was clear that the IC and their political masters had their focus wrong, Condi Rice being a classic example of a fish washed up out of the water, flipping and flopping trying to get back in. Thus there was a backlash to "cover up" the focus failing in order to look credible to the voters, and the "tax dollar doors" opened wide and hemorrhaged into the pockets of various vested interests, with no hope of getting any worthwhile return. The game was "be seen to be taking control" rather than the actuality of "rearranging the deck chairs".

Thus in the IC the numbers swelled and makework had to be found for them... but once on the payrole the old "Can't lay of spooks" arguments came back...

So the makework had to become entrenched and thus the old "collect and keep forever" mentality was augmented to "collect everything and keep forever" and the target was "terrorists" which is a code word for "the enemy within" which means the citizens of the state, nobody can be allowed to be "Ceaser's Wife" not even Ceaser.

To make it worse the likes of Google started paying salaries that were grabbing the "brightest and best" of what would have been the NSA's normal intake. And worse Google was producing results that the IC were envious of, the "leaders had been cast aside" their "laurel crowns" withered by a young geek upstart, or that is the story told to purse string holders.

Thus the money tap remains firmly on in a devils pact, the IC know that what scares the purse string holders more than anything else, it is the loss of status, the faux power of being at the center on the pulse. More so than the ability to monetarize their position. Thus they are easy to manipulate with Orwellian techniques and that is a game not just the IC but now the LEAs like the FBI are playing, building empires on the fears of a venal and corrupt few.

The solution is for the citizens to "man up" and accept that terrorism is not the threat they have come to fear. Death happens in the millions every day, much of it avoidable, and the few to terrorism is so slight as to be off the bottom of the list of major avoidable killers. But that is what --supposadly-- scares the voters and why the venal are controllable... Break the link and then you have a chance to get control back on the IC and LEAs, but they will fight, they will use entrapment and other highly questionable tactics and techniques to keep their empires, we know this from history, the question is "Are the citizens prepared to clean house?" and if so "How?".

Michael And Ingrid HerouxJanuary 24, 2015 5:43 AM

Michael And Ingrid Heroux michaelheroux1967@gmail.com

http://michaelandingridheroux.wordpress.com

https://plus.google.com/109414718225592332058/about

WOW, great interview, that was the coolest thing being able to talk to the number one hero of the century, it doesn't get much cooler than that. It was interesting what he said about the SILK ROAD trial. I looked up the news article and got the log entries from Ross Ulbricht, intelligence was using him as a piggy bank, as soon as they couldn't get any more money from him they arrested him. GREAT INTERVIEW. KEEP UP THE GREAT WORK. Follow the money.

BoppingAroundJanuary 24, 2015 9:37 AM

Daniel,

> See, only a curmudgeon would object to the collection of data to improve the performance of the website.

How to deal with these kinds of attacks? Rational responses do rarely work; returning fire works better but not always.

+1 to the transcript question.

TripJanuary 24, 2015 12:32 PM

@Rick

I think the real impetus behind the massive budgets and expanding programs is the same as we find in almost every bureaucracy...cover your ass. We here it time and again in speeches by elected officials and management, that if we "don't do everything in our power" to prevent some tragedy or other, it's blood on our hands and public humiliation.

I don't buy the theory of ever-expanding greed for power. Fear is much more powerful.

65535January 24, 2015 2:01 PM

Good interview Bruce.

Snowden was clearly leery of talking about specifics [ie, the RC4 cipher, collection of keys, and Certificate authority’s role in stripping of SSL/TLS and/or man-in-the-middle attacks]. I would have liked him to layout a few more details – but, then I am not in Snowden’s position.

“The multi-billion dollar budgets and extraordinary man-hours invested cannot be justified using the anti-terrorism argument.” – Rick

I agree. The amount spent spying seems grossly over-priced compared to the actual benefit of stopping terrorism. Worse, there seems there is a large discrepancy of the actual amount of money spent for spying [possibly due to deception, re-categorizing, and sharing of costs among other agencies].

Wikipendia:
NSA Budget: Classified (estimated $10.8 billion, 2013)

https://en.wikipedia.org/wiki/National_Security_Agency

Wasington Post:
$52.6 billion

http://www.washingtonpost.com/wp-srv/special/national/black-budget/

Snowden:
Estimated $75 billion

https://www.youtube.com/watch?v=7Ui3tLbzIgQ&feature=youtu.be

“…what *IS* the reason for the current surveillance model? To stifle dissent? To blackmail anyone who threatens the current power structure? To establish some perverted, 'benevolent' form of social engineering currently in adolescence? Is it a race to fill a power vacuum, perhaps a game of "one-upmanship" between nations?...” –Rick

My intuition is the “Agency” helps certain politicians and government players smear their adversaries in addition to highly enriching said politicians and government players. Or, all of the above.

MikeJanuary 24, 2015 2:18 PM

Sadly for the online audience this was not a dialogue.
The sound from Snowdens computer was barely registered on the recording.

Next time you should set up this interview in a place around smart people who knows what needs to be done and can do it right.

AlanSJanuary 24, 2015 2:25 PM

@Bruce

Did DeLong have anything interesting to say in response? I couldn't find a video for his comments.

@Rick

"What *IS* the reason for the current surveillance model?" My question as well.

Here's one answer:

Balkin, Jack. The Constitution in the National Surveillance State. Yale Faculty Scholarship Series, January 1, 2008.

The National Surveillance State is a way of governing. It is neither the product of emergency nor the product of war. War and emergency are temporary conditions. The National Surveillance State is a permanent feature of governance, and will become as ubiquitous in time as the familiar devices of the regulatory and welfare states.

I think that while it may not have been a "product" of emergency it has been able to expand very effectively through crisis and emergency. See earlier thoughts in Security and Accountability thread.

albertJanuary 24, 2015 2:43 PM

I'm not buying into psycho-social motives. They can and do motivate groups and individuals, but the primary motivation is greed. For every terrorist attack, for every hack, for every war, for every protest, there's always money in the background.
.
Follow the money. A good forensic accountant can tell you everything you want to know.
.
An efficient security state is essential for corporations to have the unlimited power they need to monetize everything. In addition to paper wealth (Wall Street), they also want to milk the taxpayers dry. The easy way to do that is government spending, by privatization of everything possible in the public sector (like infrastructure), or outsourcing everything possible in the public sectors (mercenaries and IT).
.
What folks don't realize is this: it's a positive feedback loop. US Middle East meddling gets us oil, but also gets 'terrorist' blowback, which leads to more meddling, and so on. It's an endless cycle. Most politicians and policy-makers don't know this, but techies and engineers do: positive feedback systems will self-destruct.
.
Social unrest and undesireable criticism of the gov't can be monitored and controlled by a well-equipped surveillance apparatus. It's much easier to spy on law-abiding folks than real subversives. The FBI has an active program for 'turning' disgruntled citizens into 'terrorists', then prosecuting them as examples of their great anti-terrorist capabilities. The whole point of surveillance apparatus is to monitor anyone who might threaten the political/corporate establishment.
.
I gotta go...

Sancho_PJanuary 24, 2015 3:49 PM

@ Rolf Weber

He may be a technical dumbass, I dunno, but he is brilliant in common sense.
Many are not.

Sancho_PJanuary 24, 2015 3:58 PM

@ Rick

Re: "What *IS* the reason for the current surveillance model?”

The motive you are looking for is “control”.
They want to control us to protect us.
Basically their intent is not malign (no paranoia, please!).
It is not to exploit us - because they do already (OK, growth is our economy-mantra, they will always need more, but they do not need surveillance to increase their wealth, they have the shareholder value to achieve that).

They do not only feel to be obligated to protect us, it is their (the powers’) duty in democracy.

The problem is: The enemy is (within) us.
They have to protect us against us.
So they think they must control us but are unaware that this would cost us our liberty.

But as it was pointed out already, it doesn’t really matter “why”.
Constraints on liberty will always end in some form of rebellion / revolution.
Now they have to pick up speed protecting us against … us.

Nick PJanuary 24, 2015 4:05 PM

@ Rolf

Most data I've seen indicated he was a smart problem solver and later sys admin. What did you see that made you think technical dumbass?

SkepticalJanuary 24, 2015 4:38 PM


Interesting discussion, and I have some notes on the positive side and some notes on the negative.

On the positive side:

- I thought the point distinguishing between "tactical compliance" and the broader rules that determine the contours of compliance was well put (though I think tactical vs strategic may not be a perfect fit as an analogy). Hayden of course used a different analogy that draws on the same distinction, i.e. (paraphrasing) "just give me the box that defines the space of lawful conduct, and I will play to the edges of that box, but no farther."

I don't think Snowden was entirely pleased with the assertion that the NSA is good at tactical compliance, but he shifted well to speak on the broader point.

- The distinction between a situation in which the sets of vulnerabilities in communications and information systems are disjoint, and that where the sets to some degree intersect, was also well made.

However, we should note that even common vulnerabilities may not be equally exploitable by both adversaries, for obvious reasons (and of course sometimes they will be).

- The point that the US has more to lose from having its information stolen than does China was well made.

But what Spiegel made obvious, and what the US hinted at quite strongly in the leaks surrounding the indictment of five members of the PLA, is that much of the NSA's "offensive" capabilities are actually aimed at defense.

The penetrations that Spiegel so blithely published to the world, and separate instances that were reported in earlier months by other publications, are the hard penetrations. These are the penetrations that cost money and personnel hours and energy. Not the Section 215 telephone metadata that seems to be infrequently accessed, but the penetrations into the cyber-ops units of foreign military and intelligence services.

And what is the NSA doing with these penetrations? They seem primarily to be playing defense - observing how adversaries are planning and conducting network penetrations and attacks, and even attempting to acquire control over the instruments of adversaries without the knowledge of those adversaries.

Remember that the NSA is primarily a foreign intelligence agency (leaving aside the more purely military functions), not a domestic regulatory or law enforcement agency. It has the greatest scope for autonomy and direction within the realm of penetrating foreign networks and communications. And that it has chosen to focus, within that scope, on matters that bear quite directly on the defense of US information systems is telling.

On the negative side, a few moments of the discussion made me cringe.

- When Snowden declined to give additional details about what ciphers NSA may have had success against, he gave as his reason that "he didn't want to get ahead of the journalists." He then goes on to explain that because he has his own political bias, he is relying on "the journalists" to determine properly what should be disclosed and what should not be disclosed.

That's a pretty astonishing claim. "Hey, I have a political bias, so as an intelligence professional I may not be the best person to decide what should be published. So let me hand all this stuff over to Glenn Greenwald and various staff/contractors of Spiegel." Seriously? Greenwald doesn't even believe in the possibility of journalism without a political bias; and he quite openly argues that journalists should write and publish with a particular bias. So it's really hard for me to believe Snowden on this point. In fact I think he's obviously being deceptive.

The more interesting question is: why is he being deceptive on this point? Four possibilities come to mind:

(1) he expanded the circle of people involved because only some of those people were willing to give him help after his exposure, which he claims to have believed was imminent;
(2) he didn't have time to examine all of the material and be selective, and so he chose those whose biases best matched his own and perhaps who he thought could be trusted (how this trust was earned is an interesting question in itself);
(3) his initial plan was to hold the information, much of it still unexamined, himself from a position of safety; once that was dashed, he had a choice to make between destroying the cache or handing it over to journalists in the hope they would choose wisely, and he chose the latter;
(4) it wasn't solely his decision or his operation (I don't see strong evidence for this, but it's possible).

- When he repeated the false narrative that the government first claimed that surveillance programs authorized under 215 and 702 had stopped 54 plots, and then backtracked until finally in a Senate hearing they admitted that only 1 plot was stopped.

In fact the NSA issued the correct numbers in June of 2013, carefully distinguishing between Section 215 and Section 702, and never backed off from them. Section 215 played only a contributory role in several cases (and a critical role in only one case), but Section 702 played a crucial role in over 50 cases, which is something the PCLOB reports confirmed.

- When he claimed that FISA judges aren't "real judges" (though in fact they're federal judges who are appointed by the Chief Justice of the Supreme Court for a limited term to the FISC), or that the PCLOB is stacked with former assistant directors. Neither of those claims is true, and they illustrate just how little Snowden actually knows about the legal regime, and the compliance and oversight rules, governing the NSA's activities. It ranks with his rather bizarre recollection of the email he received in response to a question he asked.

- When he posted the photograph of an interdiction of a shipment as an example of what the NSA shouldn't be doing. Really? Did the three people painstakingly unsealing, or resealing, that box appear to be on a fast-moving assembly line? That looked pretty targeted to me, which is exactly what the NSA should be doing.

Gerard van VoorenJanuary 24, 2015 4:47 PM

I just have been watching Citizenfour (on youtube). Laura Poitras: thumbs up!

Really great work!

@ Rolf Weber,

Calling Snowden a technical dumbass doesn't make sense. I don't know his skills but even watching the documentary Cizitzenfour made clear he is far from being a technical dumbass.

t bensonJanuary 24, 2015 5:20 PM

Jesus H. Christ! I'm only 13 minutes into this video and it has been the most frustrating 13 minutes of my life.

Snowden looks like an arse, talking vaguely and obliquely about things he purports to know well. Schneier is the nagging voice of logic and reason--so far getting no good answers.
I honestly wouldn't mind if Snowden said 'I'm a low level tech guy and I don't know much, I just saw a treasure trove and knew to deploy it'. I'd be okay with that.
Rather than competing with Schneier--which is a major ego thing to do. Even I would be careful doing that. Snowden is too vague to be trustworthy in his words, though his released data speaks for itself.

I do not need another arse with an agenda in this age. I need facts. I will calm down and watch the rest of this video interview, but so far I am horrified at the lack of clarity Snowden provides. And I'm on his frickin side.

argh!
T

ps: if Schneier ever needs a defense army--I'm signing up.

AlanSJanuary 24, 2015 5:28 PM

@Skeptical

I'll let other people pick apart the other stuff. This one is too simple.

"- When he repeated the false narrative that the government first claimed that surveillance programs authorized under 215 and 702 had stopped 54 plots, and then backtracked until finally in a Senate hearing they admitted that only 1 plot was stopped."

Alexander in front of the Judiciary Committee: Leahy calls out Obama administration for lying about NSA effectiveness (YouTube).

Sancho_PJanuary 24, 2015 5:35 PM

@ Skeptical

“And what is the NSA doing with these penetrations? They seem primarily to be playing defense - observing how adversaries are planning”

I can’t see the “defense” in simply watching, burning money.
Defense would include improving infrastructure = prepare + protect.
They have been watching NK, and - ? Didn’t prepare.

You’ve cited Hayden’s ”just give me the box” which is typically thinking for a authoritarian follower, not a leader.
Probably good as a beltway grunt, but not creative enough to drive a Humvee through Bagdad.

The issue with asymmetric warfare is that on the high tech side all these guys come back but on the other side only the brightest survive.

RickJanuary 24, 2015 5:51 PM

@ Everyone who answered, "What *IS* the reason for the current surveillance model?"

Thank you! I thought the answer would be important to discuss and those who have responded so far obviously thought the answer was worthwhile, too. So far, we have the following submissions (to paraphrase and with uneven emphasis on various points):

1. Effectively, the surveillance state is the product of a global arms race begun largely by politicians who claim to desire to "do all we can" to prevent 'xyz' threat. To quote Gordo's posted article, "As the military and federal government caught “cyber fever” and scrambled to shore-up defenses there was also a land grab to claim the cyber domain." That fairly well sums up the comments by Gordo, Wael, et al.

2. Participation in the development and maintenance of the current surveillance model is often a function of job security/lure of a salary/and similar measures of coercion which work well by appealing to human self-centeredness. Clive R. touched on this point (among others).

3. Momentum. Some comments fall into the "too big to fail" camp, that once momentum for a project like the current surveillance model reaches a certain critical mass, support for it is inescapable otherwise a choice between secure employment and/or support of the constituents vs. maintaining integrity to the constitution and the human requirement for privacy is required. Again, Clive's and others' point(s) touched this motive, too.

4. Albert asserts that greed is the reason- follow the money. I say that money is always involved, to at least some degree, too. "What folks don't realize is this: it's a positive feedback loop." And, he makes a good point about the feedback loop, which correlates a bit with the momentum argument, #3 above.

5. Alan S's citation (and to some degree, Sancho P's opinion) asserts that the surveillance model provides a platform and method to govern the masses. Another quote from the cited article:

"In the National Surveillance State, the government uses surveillance, data collection, collation, and analysis to identify problems, to head off potential threats, to govern populations, and to deliver valuable social services. The National Surveillance State is a special case of the Information State-a state that tries to identify and solve problems of governance through the collection, collation, analysis, and production of information."

Essentially, the author is asserting that you can't put the cat back in the bag. We simply have to develop ways to protect the individual-- with the state's permission and approval, of course-- and, to accommodate the surveillance model's omnipresence.

Note: The *.pdf article (http://digitalcommons.law.yale.edu/fss_papers/225/) is *well* worth your time. Lots of citations, clearly presented, reasonably even-handed, mature treatment of the subject.

Personally speaking, as a libertarian and proponent of capitalism and democracy ("Democracy is the worst system of all, except for all the others"... Winston Churchill), I find this explanation the most plausible and the most frightening. If true, then the surveillance state is wedded to every other political institution in our society, and indeed an inexorable part of the framework of the 'Welfare State' and the 'National Security State'.

----------------------------------------

Other Thoughts:

1. BoppingAround said, "Rational responses do rarely work; returning fire works better but not always." And, Trip said, "I don't buy the theory of ever-expanding greed for power. Fear is much more powerful." I surmise that these two are related: retaliation and fear can both be used as instruments to affect change. Indeed, fear is more powerful than greed; this is a well documented dynamic of the capital markets, and history clearly demonstrates that retaliation is a much more effective form of coercion than pleas and overtures.

2. The government's public argument in favor of the surveillance model is basically (my quote), "Technology distills power so effectively that the threat of terrorism committed by a small handful of individuals requires granular surveillance as a means of threat mitigation." But I also suspect that following up on leads to target a single suspect is a far, far more effective means of law enforcement than massive passive collection of citizens' data. Not only more effective, but more moral, law abiding, and palatable to all. And I think the government knows this, too. Furthermore, I assert that backdoors in digital systems are not required to prosecute criminal activity, and attempts to establish backdoors are thinly veiled attempts to maintain power. I want to explore this idea further, and hopefully cite some sources to either validate or invalidate the hypothesis.

3. Clive's suggestion that we are engaged in a power struggle that has slowly evolved to this point because of the government's fear of loss of prestige/power/money is noteworthy. In fact, Wael, Daniel, and Gordo all seem to be making almost the same point, but with different voices.

----------------------------------------

On another note, I want to thank Bruce Schneier and Edward Snowden, both, for contributing their conversation and experience to the public debate. I think everyone with an interest in this matter would like to see more and more of the same.

Michael And Ingrid HerouxJanuary 24, 2015 6:02 PM

Michael And Ingrid Heroux michaelheroux1967@gmail.com

http://michaelandingridheroux.wordpress.com

https://plus.google.com/109414718225592332058/about

@albert "I'm not buying into psycho-social motives." You are right, it is about money, I have spoken with them. It is about fine dining, fine wine, fine clothes, fine cars, fine houses, fine company, fine living is the goal and doing whatever they want. It is psycho-social in a way because these people don't have sympathy, they don't think of humanity like other people do and I think they are the majority. They love sex but the emotion of love is not there but jealousy is, they love the company of their own kind but they have no patience for sympathetic people, it is a weakness to them that they don't understand. Anything they don't understand like that they have no patience for. Education doesn't matter either, they come from all walks of life, rich and poor, smart and stupid. I also think politically the majority are republican/conservative. Most law enforcement and intelligence are republican/conservative. The first thing the nazis did when they invaded a country was to round up all the intellectuals and machine gun them down. Be careful people.

_nomapJanuary 24, 2015 6:35 PM

The video conference on "plus.google.com"... (look at browser's top address field)
It is funny that Snowden says Google is spying on people...

I wonder why he is using Google. Isn't google evil?

Daniel E. GreenJanuary 24, 2015 6:39 PM

I think we're all getting ahead of ourselves. Much debate, and skepticism, has revolved around the, in contemporary American, Constitution's ability to abide by its fundamental laws, all the while, attempting to conform to this era of technological advancements that without doubt, indirectly command everyday necessities.

We post and blog all these conceptual and intangible ideas and philosophical debates in attempt analyze, and then ultimately, find concrete and empirical evidence to buttress a claim, but why not step back 300 years?

Why not recreate the Founding Fathers? Why not reform the Constitution so it doesn't inadvertently be so ambiguous in contemporary America?

And I'm not talking about reforming it to justify the legality of NSA surveillance. I'm talking about taking the power away from POTUS, and putting it back into the hands of the American people. All of this to be created by the help of unbiased,leading economists, scientists, philosophers, lawyers, etc. etc.

And I know how this may sound at first, but I can honestly say, I've rationally pondered about this for roughly a year. Of course, it's way more complex than what I'm making it out to seem, but the general idea of this has shuffled through my mind since E.S.'s revelations.

Maybe I'm an idiot..?

SkepticalJanuary 24, 2015 7:17 PM


@AlanS:

Here's the hearing transcript:

Senator Leahy: Would you agree that the 54 cases that keep getting cited by the Administration were not all plots, and that of the 54 only 13 had some nexus to the US. Do you agree with that, yes or no?

General Alexander: Yes.

Here's what General Alexander said 4 months earlier in June when he stated the numbers:

Of the 54, 42 involved disrupted plots. 12 involved cases of material support to terrorism. 50 of the 54 cases led to arrests or detentions....25 of these events occurred in Europe, 11 in Asia, and 5 in Africa. 13 events had a homeland nexus.

Yeah, Senator Leahy sure set the record straight. He merely reiterated Alexander's numbers - that's why Alexander looks surprised at the tone of the questions. Someone less respectful than Alexander would have retorted: "Senator, I'm not sure why you're putting my own speech into Q&A form. Here's another copy, by the way. Does your staff have anything of substance to ask, or will the rest of your time be devoted to grandstanding BS?"

RyanJanuary 24, 2015 9:04 PM

Ugh. Snowden just wanted an excuse to hear himself talk.

Snowden: You know, some governments use their own cryptographic algorithms, the Russians use...

chickenJanuary 24, 2015 9:48 PM

Gerard van Vooren • January 24, 2015 4:47 PM I just have been watching Citizenfour (on youtube). Laura Poitras: thumbs up!
Really great work!
@ Rolf Weber,
Calling Snowden a technical dumbass doesn't make sense. I don't know his skills but even watching the documentary Cizitzenfour made clear he is far from being a technical dumbass.

From his released bio, I gather that Snowden started out as HUMINT who gradually studied his way into desk jobs as a techie. That tells me he's speaking from a System Analyst perspective, which make him a good source for usability, i.e. system overview and user manuals to show.

When we look at this surveillance state of being that was exposed, we must also consider each component including both machine and human, that were designed to spec, abstracted, encapsulated, distributed, and scaled.

This should be considered the 11th Wonder. As much as the world is in awe, its architect(s) are anonymous in historic context. For many centuries to come, this will remain the greatest mystery of our times.

ef090wejJanuary 24, 2015 10:17 PM

@Rick "1. Effectively, the surveillance state is the product of a global arms race begun largely by politicians who claim to desire to "do all we can" to prevent 'xyz' threat."

There is also a deeper strategic motive involved. During the Cold War, the policy of mutually assured destruction (MAD) was formulated. It hinged on the premise that for all their defects, at least our opponents were rational enough to avoid mutual suicide.

The repurposing of the military from a focus on Russia to terrorism carried with it a review of MAD.

For example, if a religious fanatic regards suicide as a viable option, then the MAD policy has no deterent effect.

That leaves prevention and that requires knowledge, provided by surveillance. The active response to intel is then pre-emptive action against people thought to be threats.

Or so that kind of argument goes.

BorondaJanuary 24, 2015 11:18 PM

I would fall to my knees and weep with pride and thanksgiving, openly and without shame, for the rare and precious opportunity to put two bullets in Snowden's forehead.

He betrayed every technical foreign intelligence collection capability we had -- the privacy conversation, important public discourse though the subject may be, is a red herring. He's not a whistleblower; he is the most damaging traitor in US history.

Among the very few certainties in life is this: Edward Snowden *will* *not* die a natural death.

chickenJanuary 24, 2015 11:40 PM

@ Figureitout

Curious as to what you mean by this and how did you detect it?

"There's this malware I can't get rid of keeps getting everywhere unless I kill all my PC's and accounts (that's around at least $5,000 loss and severe social affects again, not doable for me now; too weak to do so)."-Figureitout

Nick PJanuary 24, 2015 11:42 PM

@ Boronda

Hopefully, if you're in the military or intelligence field, you would apply the same sense of justice to those in charge of various agencies who routinely betrayed the American people and lied to Congress in pursuit of power. Personally, I'm more concerned about leaders that bullshit their way into needless wars that cost thousands of soldiers lives, maim many more, and create decades of debt. That's more *real* harm to us than any terrorist has done. They're still free and collecting money from taxpayers.

If you wanted Snowden dead on top of them you'd, at least, be acting consistently. But I doubt you were screaming for those traitors' execution. Now, the guy who blows some legit spying work with no proven death and whistleblows on criminal activity? *That* guy you and many others burn inside to kill. Unnecessary American death & foreign mass murder is OK but lost spying worst than treason.

People have strange morals these days...

Note: I agree he probably won't die a natural death. Fake democracies like America don't like due process for their top enemies. He'll be executed, tortured to death, or die in a cell after years of physical and psychological abuse. The American Way. A few other twisted possibilities. Unless he's extremely lucky compared to other people who expose covert ops corruption. Almost all of them die before they should. Like this poor bastard.

BuckJanuary 25, 2015 12:11 AM

In America, media own state -- but in Soviet Russia, state own media...
What a coupla countries!

P/KJanuary 25, 2015 12:58 AM

For Your Information:

Der Spiegel recently published the full version of that NSA document about the interdiction of shipments - the version which was published earlier in Greenwald's book wasn't complete.

Here's the full version: http://www.spiegel.de/media/media-35669.pdf

What was left out in Greenwald's publication is a section that describes a succesfull supply-chain interdiction against the Syrian Telecommunications Establishment (STE), which provided usefull access to the Syrian phone system.

BlimpoJanuary 25, 2015 1:20 AM

Given what Snowden said, sounds like he had some crypto experience as well. And the shills are out in force here it looks like trying to discredit him. "Technical dumbass", really. That's among the most retarded of statements that anyone coulda said. Snowden is many things, but stupid is not among them. Unless the shills here are implying a stupid person outwitted the NSA?

RickJanuary 25, 2015 1:41 AM

Boronda stated, "I would fall to my knees and weep with pride and thanksgiving, openly and without shame, for the rare and precious opportunity to put two bullets in Snowden's forehead."

Perhaps this: https://en.wikipedia.org/wiki/Troll_%28Internet%29

@ef090wej,

Your explanation is rational and plausible. In the minds of those in power who choose to pursue that course of action, I can see how they might justify it, however, I am tempted to debate the efficacy of, "The active response to intel is then pre-emptive action against people thought to be threats." In theory, this makes perfectly good sense, but I still think effective threat mitigation is likely engendered by acquiring leads and employing targeted crime prevention and not supported (or justified) by incredibly resource-intensive wide-scale passive surveillance expended upon the general public. Unfortunately, I am working only with gut instincts and no data at present to support my argument on that point.

WaelJanuary 25, 2015 2:41 AM

@Nick P,

Like this poor bastard.

Looks like a good movie to watch. I like the distinction between "conspiracy theory" and "conspiracy". I also think the expression towards the end: "Some stories are too true to tell" is real. And the movie is based on a true story!

BorondaJanuary 25, 2015 3:06 AM

Nick,

Your response betrays your root position on the United States as a nation, and so your topical positions subordinate to that don't interest me -- they're all derivative.

I don't typically argue with those who shrug with nonchalance at the leakage of a nation's -- any nation's -- most sensitive secrets. And the reason I don't typically argue with those holding that position is that it's reflective of the most abject abdication of basic human reasoning that I've ever encountered. It's the position of a child, an adolescent idealism wholly disconnected from not just the modern world, but from world history.

Anyhow, all that aside -- Rick, feel free to call me a troll as you like. It's an easy dismissal, isn't it? :) I use it occasionally myself.

Despite all the hero-worship, despite all the absurdists and their celebratory braying at the crippling of our security apparatus, Edward Snowden is going to die.

And we'll dance *furiously* in his blood, like West African shamans calling the summer rains.

Gerard van VoorenJanuary 25, 2015 3:28 AM

@ Chicken

When we look at this surveillance state of being that was exposed, we must also consider each component including both machine and human, that were designed to spec, abstracted, encapsulated, distributed, and scaled.

This should be considered the 11th Wonder. As much as the world is in awe, its architect(s) are anonymous in historic context. For many centuries to come, this will remain the greatest mystery of our times.

A dark mystery indeed. And even with the Snowden revelations the names are censored (for good reasons). But still, all of NSA programs did have budgets that were approved. Orders were given and carried out. That part is no mystery at all.

For me the bigger mystery however is the immense scale of what is going on and that they could keep it silent for all this time while doing *really* immoral things. Things like that can only work with large scale propaganda and young people who are susceptible for this propaganda, like the people who stand up and salute when the national anthem is being played.

Clive RobinsonJanuary 25, 2015 3:52 AM

What is it about the mention of Ed Snowden's name that brings out the "Saturday Night post pump crazies"? I wonder if the go to church the following morning to "confess their sins"?

As for Ed Snowden being a traitor, I've yet to see anything from him that was not either known or suspected long prior to his revelations.

The simple fact is the NSA like everyone else is constrained by the laws of physics, thus they can not do magic, which means that you can with an appropriate education and thinking ability reason out these attacks for yourself, assuming of course that you have the mental faculties in the first place and have not addled them in alcohol or worse subsequently.

And this reasoning out has happened a number of times on this blog and other blogs quite a few times prior to Ed Snowden and prior to Stuxnet etc. In fact it could be argued that some of the NSA attacks are in fact a theft of others IP, it's certainly known and well documented that GCHQ have stolen the work of others, and where GCHQ leads, the NSA follows like a dog that senses a bitch in heat, it's why it's called "The Special Arrangement" amongst other names.

And for those who proclaim the desire to do injury to others for political ideology remember it is a crime in it's self in most jurisdictions. It's not clever, it does not make you any kind of hero, infact if you care to look it up I think you will find that it can be treated as act of terrorism.

Oh and I hope that concept is not making your head ache to hard.

CompIlluJanuary 25, 2015 4:05 AM

@Figureitout

Layering crypto systems has to be regarded with great trepidation.
In the past, the implicit assumption that combining crypto systems will yield a system of enhanced security, has bitten their inventors and delighted cryptanalysts. They even gave it a name: 'complication illusionaire'.

ef090wejJanuary 25, 2015 4:05 AM

@Rick

I agree with you that the end of enemy threat mitigation does not justify the means of "wide-scale passive surveillance expended upon the general public". And not just for pragmatic cost/benefit type reasons. There's a matter of principle involved. To violate the individual rights of everyone is a crime so large that it almost can't be comprehended as such.

The question "What *IS* the reason for the current surveillance model?" would be easily answered if national security policy was public knowledge, but that information is a very closely guarded secret. So secret that I expect even speculating on what it might be would be strongly discouraged. It is a telling indication of where we that we are compelled to find out anyway as a matter of self defense.

The shift from retaliatory use of force to pre-emptive operations is inherently destabilizing. With retaliation, there is no action till some act of agression puts a reaction into motion. But pre-emption is unbounded in scope. It requires the use of force against others even in the act of intelligence gathering. If the objective is all knowledge, then that includes the contents of people's minds. Active mental probing to get that knowledge involves spoofing operations to find out how people behave under stimulus.

Pushed to the limit, pre-emption also means shaping the contents of people's minds. Identifying precursor thoughts to crime and eliminating them before they can even form in the mind of a potential criminal.

If US government actions are indicative of their policy, then total and arbitrary control of the population is the goal.

BorondaJanuary 25, 2015 4:12 AM

Right, the guy with the outlier position must be a troll. Makes sense.

Gerard, how is foreign intelligence collection in support of a nation's defense and security interests "really immoral"? Wouldn't it instead be immoral to abandon that responsibility, particularly given the reciprocal efforts of every other nation, including friends, foes and everything in between?

If you think spying is endemic to the US, you've got a screw loose. A cog has disengaged from your mental machinery and now sits idle amongst the buzzing and whirring.

Worse, many other nations don't have *any* checks/balances on their security apparatus. Our occasional overreach pales in comparison to their domestic efforts.

Yet there is no Snowdenista outcry about that. And Snowden didn't leak material that betrayed their secrets -- only ours. That's because this isn't really about privacy at all. It's an attack on the US... complete with, hilariously, Snowden's overt defection to Moscow.

BorondaJanuary 25, 2015 4:19 AM

Clive,

You've got a guy/gal not two comments away from yours openly concluding that the goal of NSA's collection efforts within the US must be, quote, "total and arbitrary control of the population," end quote.

...and I'm the crazy one? :x Heh.

I regret commenting here. Just figured maybe the Schneier crowd would mostly have their heads on straight.

Gerard van VoorenJanuary 25, 2015 4:27 AM

@ Boronda

I lack the IQ, knowledge of the English language and most of all the desire to have a serious discussion with you. Sorry.

BorondaJanuary 25, 2015 4:44 AM

No worries -- you're apparently well-versed in the use of ad hominem, which is more important around here than those other trifles anyhow.

mementoJanuary 25, 2015 6:07 AM

The unusual vigor with which the NSA fan boys have scrambled to troll the thread made me curious, so I downloaded and watched the entire video (which I wouldn't otherwise have done). I was right: an excellent discussion and an invaluable resource that I will be playing to my students. Thank you Bruce, thank you Snowden.

Political ScientistJanuary 25, 2015 6:28 AM

Is it just me, or is there something deeply disturbing about members of a governmental institution logging on to a public forum to taunt and heckle their own citizens in a western democracy? Rousseau would have a field day!

Clive RobinsonJanuary 25, 2015 6:54 AM

@ Boronda,

Right, the guy with the outlier position must be a troll. Makes sense.

Have you thought about how you said it, in what is in effect a criminal act that made people call you a troll?

As for your comment to me of,

You've got a guy/gal not two comments away from yours openly concluding that the goal of NSA's collection efforts within the US must be, quote, "total and arbitrary control of the population," end quote.

Well it is an opinion, that there is quite a bit of historical evidence to sugest it is a reasonable possibility. After all how would you describe the behaviour of J Edgar Hover or the pre-fall of the Berlin wall East German leader?

Further it was expressed in moderate language, and as far as I can see you are the only person making comments such as,

"I would fall to my knees and weep with pride and thanksgiving, openly and without shame, for the rare and precious opportunity to put two bullets in Snowden's forehead."

And,

And we'll dance *furiously* in his blood, like West African shamans calling the summer rains.

As for,

Despite all the hero-worship, despite all the absurdists and their celebratory braying at the crippling of our security apparatus Edward Snowden is going to die.

We are all going to die, untill somebody invents immortality --and research on this is progressing--, however as for "hero worship" no suprisingly not, and as for "crippling our security apparatus", sorry no I don't think so, as I've said any one with an education and a little thought could reason out all that's been revealed, further as I've also said in the past it's been revealed in the past by other insiders and printed and widely diseminated (read "Spy Catcher" for one where some of the still used techniques were revealed thirty odd years ago). If you think that the real enemies of the US don't read or think then you realy are making invalid assumptions. The Russians for instance are well aware of these techniques they did after all invent some of them in the first place, and they let this information be known to various terror groups in the past that they were using as proxies in their battles against other super powers. Likewsie various US IC agencies taught the likes of OBL the very same or similar techniques again as part of proxy wars like Afghanistan. Therefore the terrorists are very much more upto date on these techniques than the majority of US Citizens. And it's this where the supposed harm has been done, Snowden has opened peoples eyes and embarrassed the US Government, especialy the administration and shown them to be at best culpable fools if not entirely complicit. And it is this reason the administration is keen to get their hands on him, they want to make an example of him not for any supposed harm -- which even they admit they can not find or show-- but because he held them up to ridicule and it is continuing and it hurts their poor little egos to think people are laughing at them and they are like a cuckold impotent and can not stop the sniggers as they try to pretend that all is well... if you want proof of that go look up the letter sent to the NSA staff trying to pretend it was not so.

Finaly you say,

I regret commenting here. Just figured maybe the Schneier crowd would mostly have their heads on straight.

Bearing in mind your previous criminal comments, I'm not sure why you thought you aproach hear would bring anything but rebuke. After all there is enough evidence to make a presumption that US LEO's "go fishing" for those they can embroil at the very least on conspiracy charges, if not push them further into other crimes that can then be used to justify the outrageous waste of tax money that the current "homeland security" is.

Also bear in mind that your comments could easily be classified as "giving aid or comfort to the enemy" which is considered treason which still carries a death sentance in the US, so not the best approach to make realy...

chickenJanuary 25, 2015 7:11 AM

@ Gerard van Vooren • January 25, 2015 3:28 AM
@ Chicken
For me the bigger mystery however is the immense scale of what is going on and that they could keep it silent for all this time while doing *really* immoral things.

Morality is a tough call. It varies. Read these posts. You know what I mean.

There are two types of geniuses. A genius who believes in achieving fame. Let's use Applebaum as example. Extremely intelligent, his name on a lot of things, very well known by historians. Add Bruce to this list. There are also geniuses who believe in staying anonymous doing great things for humanity. I propose these are the types who end up working in the shadows of these agencies.

Pick up a history book of choice, do a random walk down history, we can read about geniuses, well known and transcribed, who exerted extraordinary influence in their primes and may even have shaped our times. Sometimes I wonder, how many anonymous geniuses existed, those who contributed to the greatest historic feats, from the shadows, but never gotten a page of their own. Such is that, we must salute these individuals, whom we never knew existed.

EolicJanuary 25, 2015 7:12 AM

@Clive: They can afford to make criminal comments because, as everybody knows, they're above the law. ;-) Anyway, why humor them? Everyone in the forum sees them coming from a mile away.

chickenJanuary 25, 2015 7:18 AM

@ Buck

Whatever Snowden did. I believe he will eventually be brought to a court of law. It will be highly publicized, perhaps even televised, because he stood no chance in the court of law.

Bruce SchneierJanuary 25, 2015 7:22 AM

"Did DeLong have anything interesting to say in response? I couldn't find a video for his comments."

No. He did not.

He made a big deal that the NSA did not -- and presumably does not -- break the law, by which he means "our secret interpretations of a secret court's interpretations of what we can trick Congress into passing as law." While that may technically be true, I'm not convinced it's how we want our democracy to work.

HermanJanuary 25, 2015 7:39 AM

@Boronda: Please, you should not stop taking your meds. Now sit down, breathe deeply a couple times and try to relax.

make bzImage; echo not war

chickenJanuary 25, 2015 7:47 AM

@ Clive Robinson
As for Ed Snowden being a traitor, I've yet to see anything from him that was not either known or suspected long prior to his revelations.

I won't get in the debate about whether Snowden is a traitor, but it's a stretch to say whatever he brought forth was already known. Speculated, yes, but most definitely not known by public domain.

Markus OttelaJanuary 25, 2015 8:29 AM

@ Bruce Schneier

You asked pretty much all the right questions, thank you for that.

Regarding algorithms
What confuses me is how on one hand Snowden emphasizes that open source peer reviewed AES implementation is secure, and on the other hand he does seem to consider cascading algorithms important.

I don't see why he would recommend cascading to beat implementation errors and algorithm wise, the 17 year old Rijndael should have received enough peer review to be considered robust. No one would recommend cascading home-brew crypto or using boutique algorithms and yet he expresses his concern that 'NSA should close vulnerabilities in public algorithms'. I'm not saying the discussion contradicts itself but I'm having trouble making sense of what needs to be fixed.

Regarding endpoints
I'm sort of glad Snowden often emphasizes the fact keys are exfiltrated from end points and that the subject got a fair amount of attention.

When discussing the packet injection and exploitation with Foxacid, Snowden says the main difference is scale; reach and complexity. Things like QUANTUMINSERT seem to be automating implant insertions. Should these attacks be considered targeted or mass surveillance?

Do you see the battle with end points a cat and mouse game with exploits and patches to vulnerabilities or will there be an end to this?

Melanoma MoleJanuary 25, 2015 9:21 AM

Don't sweat Boronda's death threat, he doesn't have the training. He can only wring his hands in futile dismay as US elites dismantle their degenerate quasi-Soviet regime.

Skeptical is extra full of shit today, MEGO, highlights only.

It's been funnier since skeptical finally learned to post links. To prove something he actually seems to expect a willing suspension of disbelief for Starfleet Cadet Alexander (Psft, Vwp-wp! go the doors!), that developmentally-disabled fabulist, the crookedest BMD commander ever. Putting his reputation and integrity on the line before the fearsome public integrity watchdogs of... AFCEA. He swore on a pallet of counterfeit Euro $500s.

"Remember that the NSA is primarily a foreign intelligence agency (leaving aside the more purely military functions), not a domestic regulatory or law enforcement agency."

Parallel construction. He thinks you don't know about parallel construction. That is how stupid skeptical thinks you are.

"real judges"

Of course FISA judges aren't real judges. Federal judges aren't real judges. Ask the Justice Integrity Project, or ask Special Rapporteur on the Independence of Judges and Lawyers Gabriela Knaul - oh, right, the US government won't ask her, they're scared to let her look around.

"PCLOB is stacked."

Even considering skeptical's groveling faith in authority, it's remarkable that he dares to bring up the abject Señor Wences fists of PCLOB. NSA flushed that sordid humjob down the memory hole soon as they could.

Clive RobinsonJanuary 25, 2015 9:23 AM

@ CompIllu, Figureitout,

With regards,

'complication illusionaire'

A search on google of [cryptography "complication illusionaire"] with the exception of this blog page only pulls up German language documents and very few of those.

Whilst I understand some of the combinatorics background to this in PK and that of issues in QC, much of the advancment in this area has only occured this past decade, and I'm getting way to long in the beard to keep up.

That said it appears to be a better understood problem with classical cryptography. Where the easiest way to think about it is with stream ciphers not block ciphers, even though it applies to both.

An early example is book codes, where it's reasonably well known that due to the predictable nature of the redundencies in natural language statistics such as the index of coincidence will show not just that it is a book code but wihout decoding what languages are involved. It is however assumed by many that if you apply four book codings in succession to a message that it is nolonger possible to get sufficient statistical information to determin the nature of the books.

Well like many things it's not an absolute but a probability, to see why rather than use +mod26 we will use xor. If the position in all four books lands on the begining of a paragraph the most likely first three letters in English are THE. If all four book positions begin with a THE then the resulting key will be three zero's similar problems occure rather more often than we would like especialy with certain types of book. These statistical issues do appear in the final cipher text and can be found in certain ways, even very short lengths of the resulting key stream can give rise to the books being fairly quickly found with an electronic system. If a formalised message structure is used this rather aids the process especialy if it is known what certain message fields are likely to contain. Only one such break which gives the four books can then be fairly quickly used to break all other messages rather rapidly as well as other messages that use three or two of the books...

However using non self similar ciphers provided the basics are understood are usually quite safe. Thus using a combination of NESSIE or AES final round ciphers is likely to be secure.

Also there are ways to use the ciphers that make life mor interesting, most people know how a Fiestal round works by splitting the plain text into two halves, only one half of which gets encrypted at each step the other going through unchanged. Well you can use a block cipher such that the the half which does not change in the half round provides the key input to the block cipher whilst the other half goes into the plain text input. In the next half round the cipher text output goes to the key input and the unchanged half into the plain text input. You can build hashes from theses structures for the likes of password protection etc. However if you have a method of key expansion you can have a secret key for each half round that you mix in with the input to the block cipher key input. The simplest mixer function being the xor. As long as the width of the blockciphers can be kept the same then you can use different block ciphers in each round. With some thought and care even different width block ciphers can be used.

Such cascades using reliable cipher blocks generaly do not give problems, however one or two older block ciphers will.

However there is a limit on the benifit you get. Obviously the maximum number of permutations a block cipher can give is (2^n)! where n is the number of bits in the plaintext input to the cipher. However half those permutations are of no real extra benifit as they are inverses of the other half, or worse can result in weaker permutations.

Clive RobinsonJanuary 25, 2015 10:13 AM

@ Chicken,

I won't get in the debate about whether Snowden is a traitor, but it's a stretch to say whatever he brought forth was already known. Speculated, yes, but most definitely not known by public domain.

I won't split hairs on the difference between "speculated" and "suspected" for most people it's not the subject matter but the view point the person thinking about it takes.

As for public domain, well actually most of the basic knowledge is out there being taught on standard university courses, it's a matter of joining the dots and seeing what the benifit is of such an arrangement is.

Further you will find an example of that in action on this blog where Bruce expressed some doubt as to the storage capacity of the NSA Utha facility that had just come into the news. You will see that several people provided technicaly sound ways to do the job much to others suprise. The answer came out that not only was it technicaly feasable, it could actually be quite simple to do it with rathef less resources (which opens up other speculation).

Was this result in the public domain (yes) was it well known (no), thus the issue is not so much is it in the public domain but how much publicity does it get at the time it's put into the public domain or later.

Take for instance the "radar bugs" in the TAO catalogue this was a great suprise to many people even though it was most definatly in the public domain and had been so for a third of a century thanks to Peter Wright's "Spy Catcher" book, but also the NSA have a model of the "Great Seal Bug" or "thing" in their museum. And I've talked a out it several times on this blog in the past because I've actually designed better devices using that principle than the TAO people have.

I've yet to see anything that the TAO or other technical revelations from the Snowden cache that I can not find either actual examples of or all the basic knowledge to make them. Hence my comment a out the NSA having to follow the laws of nature just like the rest of us. And if you look back on this blog you will find various technical discussions that sufficiently pre date what we now know about the TAO to say they appear to be more "stealers" than "originators" of this type of technology. As I've also said GCHQ has been caught out several times stealing other peoples IP one of the more famous being the anti bugging Time Domain Refectometer designed by the journalist Duncan Campbell. When the UK Special Branch raided his home they took it away, shortly there after a contract was issued secretly to the likes of Plessey and Marconi to build the device for diplomatic and other uses. David Khan also documented the theiving behaviour of the predicesor of the NSA with regards the patented work of a rotor based cipher machine designer.

But also in other areas I've known for years as have very many others that under the auspices of the BURSA agreement the US spied on UK citizens and the UK spied on US citizens and handed over the information. That way politicians could stand up in front of their peers and truthfully say "we do not spy on our citizens", you will if you look back on this blog find that I've said it a number of times, one in particular was when Bruce bloged about the original BRUSA agreement was available to be viewed in the UK Public Records Office in Kew near Richmond South West London. You will also see that others tried very hard to say I was wrong. Well I had perfectly good reason to know that they were wrong, because somewhere in the records of the US IC they have records on me that they passed over to the UK and having been involved in that side of things in the past I got carpeted. As usual it was a case of the left hand not talking to the right hand. I'm just thankfull UK Customs and Excise were not involved otherwise I could have ended up like the Matrix-Churchill defendents, or like others from Datong who were designing a very high speed high energy switching device (Libya wanted for reasons you can probably guess).

Nick PJanuary 25, 2015 10:49 AM

@ "Bong-smoking..."

You're right: Boronda almost exclusively used personal attacks and sophistry to no clear end. Trolling 101. Better to focus on people that are debating instead.

Nick PJanuary 25, 2015 11:04 AM

@ Gerard van Vooren

re how so many keep silent

It's a combination of things. The first is that talking is 15 years minimum if the government choses to prosecute you. Worse if you're military. The second is that their paycheck and future references depend on following the rules. The specifics of the work are often classified. This leaves a huge gap on your employment record if you leave and makes it harder to find work. Ironically, the more loyal you were and the longer you serve in black programs the worse you look in the civilian job market. One commenter here and myself (for NDA's not govt) had this problem.

The third part is elitism. Ellsberg described this when he briefed Kissinger on his clearance. Many have confirmed it to me with their own bragging and ego-centric behavior. The idea is that they are part of an elite, privileged club with access to secrets nobody else can have. Further, they *know* what's going on in the world and we *don't.* They also get better job security with perks and pensions that don't disappear so easily. So, it's kind of like they're a loosely connected family and feel better than everyone else. Another place you see that attitude is Marines, albeit with less secrecy focus.

So, it seems to be a combination of elitism, community, economic dependency, and threat of imprisonment that keeps most quiet. I'll add that there is probably also a chilling effect from people seeing that each leak has done almost nothing for democracy: voters don't do shit about any abuse. That's certainly affected what I'll do for them. I'm sure there's people on the inside saying "I'd sacrifice a lot for our democracy but I won't throw my life away for nothing at all."

SkepticalJanuary 25, 2015 11:35 AM


@Bruce: He made a big deal that the NSA did not -- and presumably does not -- break the law, by which he means "our secret interpretations of a secret court's interpretations of what we can trick Congress into passing as law." While that may technically be true, I'm not convinced it's how we want our democracy to work.

Well, first I think you're undermining your good point with an unnecessary bad point. Congress wasn't "tricked" into anything. It's fairly remarkable how accessible the fact of the Section 215 telephone metadata program was to them.

As to your good point, you and DeLong may be speaking at cross purposes.

You're speaking to policy questions, and thinking about the leaks in a way that is focused on policy. And so the question you raise - should an interpretation of Section 215 that has potentially sweeping ramifications for limitations on investigative government power be made in a classified court decision - is a good one.

But there's another emphasis here, an emphasis on scandal, which comes out much more strongly in Snowden's statements and tone than yours. Snowden's not merely discussing policy, but is pressing the point that the NSA was acting illegally, unethically, and contrary to its own principles and those of the United States. His emphasis is much more of an attack on the NSA. And his justification for his actions largely depends on that attack - that's why you see Snowden's face tighten when you assert that the NSA was good about "tactical compliance." He can't bring himself, at least not yet and perhaps not ever, to see the truth of that. For him, the NSA was acting illegally, unconstitutionally, criminally, and it was his duty to reveal such wrongdoing that it might be stopped.

I didn't read or hear DeLong's statement, but it sounds to me as though he were responding more directly to the "scandal" emphasis - which is perfectly fair on his part, and it's an important issue in itself.

What I think is clear is that there isn't any scandal here. This isn't an unveiling of a secret Stasi of some sort; there are no efforts to blackmail anyone; there is no corruption; there isn't any violation of the laws.

There are important (and interesting!) policy questions raised by all this, and made poignant in a way that they were not before.

On that note, frankly one of the major weaknesses of the continued framing of the story as one of "scandal" is that it sets up the public for disappointment. The issue becomes "was the NSA engaged in wrongdoing" rather than "what's the best way for us, as a democracy, to defend and to further our interests and values". And so when the public sees a story sold as a scandal, and reads, and discovers no scandal, they become disinterested.

At the same time, a policy focus lays bare the agenda of certain publications (yes, I'm thinking of Spiegel, among others) in what they choose to report. That makes their editorial decisions much more open to criticism, because while we all agree that a free press should be able to expose wrongdoing, we're wary of the idea that journalists should decide what stays secret and what does not based upon the particular policy preferences of those journalists.

So the monetary and reputation interests of the publishers all align strongly in the direction of selling the story as a scandal. So do the personal interests of Snowden, and, insofar as they think it promotes their cause, so might the political interests of activists engaged in "reporting."

Unfortunately therefore the policy angle of this story will likely continue to be bound up in the scandal angle. And as the scandal angle continues to grow weaker, there's some likelihood that it will reduce the poignancy of the policy angle - to the detriment of everyone. Put differently, there's limited bandwidth in the public channel, and the scandal signal is acting with increasingly destructive interference, not constructive interference, with the policy signal.

And from my vantage, the more controversial the disclosure of information - if that information is not revealing of scandal - the more destructive that interference becomes. Nothing is guaranteed to more quickly kill public interest in the policy discussion than the disclosure of information that most people believe should remain secret. In fact, such disclosures tilt us in the direction of an entirely different policy question, one focused on the limits of journalism and not of government. And that might be good for the sales and advertising department, but it's less good for anyone interested in good policy. Some of those who are more activist than journalist like to speak of unintended consequences; they should consider their own advice when writing these stories, as the cause they champion may be the one they damage most.

The worst thing Snowden could have done, from the perspective of changing intelligence policy, is take tons of properly classified information and give it to people likely to publish much of it. Mission accomplished.

keinerJanuary 25, 2015 12:16 PM

Remark:

You have a strange use of the word "democracy" when it comes to surveillance tools. Democratic use would be if we all, the citizens of the democratic states could use such tools to control the feds, the parliaments the elected politicians to see, if they are doing find with our rights as citizens. Under the control of the judges.

Democracy does not mean that every totalitarian system in the world can buy such surveillance tech...

I would have been highly in terested in the answer to your question regarding a "database of keys" and in my opinion, Mr. Snowdens replay was not really convincing. He could have given us a hint, how long will the newspapers continue to release new materials in smal protions? Until nobody listens as everybody has recognized that nothings going to change anyway?

One more: The message "crypto works, but the endpoints are weak" implies the question: What is the value of crypto in everyday live? If I have to rely on openVPN tunnels as a single person/small business, is there any chance to be on the safe side to keep a little bit of privacy?

You mentioned that our current internet is built as a "net of surveilance" paying for the infrastructure (Google is supposted to spy on its users by himself). What would bee the way out of this? peer-to-peer communication? Who pays the infrastructure in an alternative to this google-facebook-microsoft-cisco-NSA net?

WaelJanuary 25, 2015 12:21 PM

One thing that annoys me when I watch conversations or interviews is when the interviewer takes an excessive proportion of airtime. Another annoying thing is when the interviewer frequently interrupts the interviewee. Neither of these situations occurred during this talk; Bruce rarely interrupted Snowden, and when it happened it was appropriate. An interesting point in the discussion takes place between 25:00 and 26:00 about the capability to hack country A, exfiltrate data through country B, then use back channels to collect the data from country B. Country A would then be convinced that country B hacked it's systems -- Nothing out of the ordinary but interesting to hear nonetheless... Another interesting subject was the question about how far spook organizations are ahead of the civilians. Bruce hinted a decade or so, but Snowden didn't agree and said both are on par. I seriously doubt Snowden had access to everything...

DanielJanuary 25, 2015 12:26 PM

As usual in these situation where one stands all depends on where on sits. In general, however, there are two domestic critiques of the NSA and mass surveillance. On one hand there is the libertarian critique that views mass surveillance as one more example of big government run amok, just like the ACA and even for some people like Rand Paul the Iraq War. For libertarians the problem is mass surveillance.

On the other hand there is the liberal critique that views mass surveillance as an example of bad government. They look at shock and horror at the way the CIA spied on the US Senate. Liberals generally like big government because they see mutual help as a social positive. The problem for liberals is that surveillance leads to large gaps in asymmetric power, which in their view is like the wealth gap and other forms on inequality. For liberals the problem is mass surveillance.

Thus for libertarians the answer to mass surveillance is less government and computer security is a tool to reduce government power by protecting the individual from the advancing horde. For liberals the answer to mass surveillance is better government because good government, as the 4 Amendment shows, cares about privacy as a natural right. Computer security then is about defending privacy.

Liberals and libertarians may be on a common boat for the present but they are not headed to a common destination.

Gerard van VoorenJanuary 25, 2015 12:43 PM

@ Nick P

Yet, perhaps the punishment for rocking the boat is too powerful in itself. Rhetorical question: When whistle blowing is too big a risk to the whistle blower, then how is "the system" able to correct itself?

Nick PJanuary 25, 2015 12:44 PM

@ Wael

Snowden was closer to the truth. Clive and I argue, with evidence, that they're years behind both academia and top private companies in all sorts of ways. Emanation attacks and defenses are literally the only thing they're still ahead of. In everything else, they're either using COTS or obvious attacks on risks people simply ignore. I'd say they also got clever occasionally with how they combined or applied existing methods. The USB cable computer and radio is an example.

They're mostly behind, though. Extra comforting is the slight increase in the number of academics designing or exploring highly secure system. The combination of trends might produce some sanctuary for privacy lovers over the next decade when it turns into usable products.

@ Daniel

Interesting comment. The one nitpick is common destination. You said both needed computer security to achieve their goals. So, wouldn't that be a common destination?

Sancho_PJanuary 25, 2015 1:01 PM

@ Daniel E. Green (24, 6:39)

Instead of answering your last question I’d like to point you at the sequence at 36:30+ into the video, listen what Bruce says / suggests. [1]
(“Are we doing things right?”)
However, you can say that in public only if you are outsider (out of "the system".
Sadly, inside they don’t even think about.

[1]
Unfortunately Snowden then turns more to the financial consequences (that’s what “the majority” in America would be thinking first) but initially he led Bruce to the question after Bruce started to talk about the ethical background of (foreign) surveillance (usually called espionage) at 31:15.
Amazing talk anyway!

Sancho_PJanuary 25, 2015 1:02 PM

@ Skeptical

I don’t think it’s a question of scandal or not, at least outside of the US.

It is the question “Does the US lead the world in freedom and tolerance,
bound to the principles of their Founding Fathers, or not?”

Sancho_PJanuary 25, 2015 1:06 PM


Re: Traitor versus hero + common sense

It’s disheartening to see some people not thinking one day ahead.

Imagine anything - the simplest car accident - would happen to Ed Snowden.
He would slip in the bathtub or staircase.

Instead of uncertainty it would turn him instantly to the Worldwide Peoples Hero,
and the US down, probably including worldwide financial disaster.

The unimaginable would unite billions, regardless of their confession or religion,
and very likely regardless of any visible external (US) culpability.

You know that there is no other country than Russia that would allow him to stay because of the imminent danger of the US tricksters.
It is Putin alone having the guts to stand this pressure.

@ Boronda et all: Pray for Ed Snowden, to see him alive is not the danger!

[ Even better: Donate now ]

GrauhutJanuary 25, 2015 1:40 PM

@Rick: "What *IS* the reason for the current surveillance model?"

Its consequence out of the witches law: Be careful what you wish for - you just might get it.

The western system was "the big winner" of the cold war.

The old model:

- Concurrence of systems
- Rule of law
- Private ownership
- Free markets
- Free world trade
- Equal human rights for all
- Unlimited energy resources
- Winning military firepower

The big promise: "If we win we will bring our standard of living to you!"


With the fall of iron curtain the allies of the west were waiting for their dividend... But the new system couldn't deliver.


- No more concurrence of systems
- Private owners began cherry picking on legislations, markets and workforces around the globe
- Firepower was reduced


Equal rights and a common standard of living were not workable, but being "the winning system"(tm) they were unable to reform it, no dialectic synthesis.

Politicians still had "the big promise" on their election posters, but they had lost power to multinational corporations, they needed credits to hold the status quo high, they became more and more dependent.


Here we are. They can only hold together the "winning system" with totalitarian measures. Their actions are spitting on your constitution, they know it, but they have no choice.

Reform would mean revolution.

But as long as you buy the emperor puppets show the cherry picking 1% will continue to milk you. And you cant redistribute their wealth, this would be anti-something, such a poor minority of riches, they need to be protected! :)

There it is, the reason for the current surveillance model. It protecs the top one percent against you!


The poor arab bastards were simply unlucky to be the ones with the massive youth bulge, so they became "the terrorists", the external enemy the psyops need to hold your society together in times of enonomic decline. And the military industrial complex had someone to shoot on and produce ammunition and waepon systems demand... Milking continued.

albertJanuary 25, 2015 1:46 PM

The thing that impressed me about Snowden in his interviews is how exact and thought out his answers were. I don't recall specific examples, but the guy sounded like a lawyer. If that's not his personality, then he was well coached. OTOH, that's exactly the sort of personality that I would want in an analyst.
.
Now, immediately after his revelations, a lot of folks said they wanted to see Snowden dead, including some pols who should know better. It's really just vengeance, like punishing a murderer by killing him. I don't even think 'deterrence' even occurred to these people. (The fear of death was usually enough to get enemies to talk, but martyrs welcome it, so torture is now employed instead.)
.
Living in Hell seems to be a more severe punishment than dying, but that wouldn't satisfy the blood-lust of the retributionists. Besides, aren't more of these folks Christians who believe in the Afterlife?
.
We, like our brothers around the world, live in political systems that we have little or no control over, and little or inaccurate information about. These systems operate under the 'truth by proclamation' policy. When challenged, they say "Take our word for it", "Trust us", "We have proof", etc. Repeat the mantra, "National Security". In some countries, they just throw you in jail....wait...
.
While there may have been public information about the various techniques employed by the NSA, anyone with a least two brain cells connected together should know that 'our enemies' (nation-states specifically) probably had already guessed at the extent of the NSA's spying efforts, if not quantitatively, certainly qualitatively. Does US Exceptionalism prevent the TLAs from seeing any kind of technical or tactical competence anywhere else in the world? If 911 was any indication, the answer must be 'yes'.
.
IMO, the drones at the NSA and their handlers were simply really mad about their exposure as lawless hackers, pissing on the Constitution, and ineffective in their efforts. How does your two-year old react when you take his toy away?
.
I gotta go...

Nick PJanuary 25, 2015 2:21 PM

My review of the interview

Finally had time to watch the video. Mostly a rehash of points we've already discussed so I'm focusing on a few key points.

1. He won't reveal the capability and lets journalists decide instead? That's ridiculous and makes me wonder what his agenda was there. He's already revealed all that information to several organizations who have already published a lot of material on this exact topic. He might as well add a few details which are probably minor in comparison. And we're discussing facts about what he knows so bias isn't even an issue: they have the attack or they don't.

2. Bruce's attacks vs defense line. Bruce's old position is more clear and better: solution is computers that are inherently harder to attack. That knocks out easy capabilities. My old line is compatible: "eliminate the low hanging fruit and raise the rest much higher."

3. That they were worried about a public debate of legality of their operations more than loss of SIGINT is a great point. Undermines their claim of the legitimacy of their operations.

4. FOXACID turning a nobody into a cyberwarrior. Put another way, empowering and leveraging script kiddies. Cyber security in general is so bad across the board that this turned out to be both economical and effective on a massive scale. Funnier still because old school hackers always thought the government's would eventually hire massive amounts of actual hackers with elite training. Instead, they have a small number of ordinary hackers building tools for a large number of script kiddies. Who use actual scripts saying "Do this, Then that. Not this. Turn back if this." That's more robotic than script kiddies doing regular black hat stuff. We need a new term for these people to reflect the difference. Script drones? Scriptcogs? Scriptborgs? What?

5. Country A to B methodology ties into our debate of SPE. The same methodology could work against us to misdirect toward NK. Attribution on the Internet is a recurring problem for all. It's a double edged sword for NSA as they want it to identify enemies' attacks but don't want it when they're spying on "friends." ;)

6. Unlawful collection of journalists data. Shows a risk to democracy. Supports why they might not want a public debate. How much do you want to bet those journalists' reporting would be even more damaging to GCHQ's goals after that leak?

7. His position on Chinese military units is weak and somewhat arrogant. They've been among the most successful in stealing our I.P. and government secrets. Their talent level and skillset varies with many of them being low talents as he said. That's not as important as *effectiveness* where China has been high and to our economic detriment (eg Huwei vs Cisco). They also operate largely with criminal immunity due to Chinese government support unlike many hackers. I'm surprised he left that off as it's probably *the single greatest reason* that they use "sloppy" techniques. They're not sloppy: they do what works and are confident they'll continue even if caught. That shows Chinese power in the international scene rather than incompetence.

8. "They sell it." The information seems to flow from Chinese military units to Chinese intelligence and industry at a steady rate. The military units' are also supposed to gather information for industry. So, I think he's right where they skim info and money on the side. However, he's very wrong in his focus as the military and intelligence units themselves deliver volumes of information to Chinese industry. It's a goal not a side effect. It works too.

9. FISC being a rubber stamp proven by the numbers is always a good point to reiterate. Should always add that nobody important ever gets fired, fined, or imprisoned for violations. The organization doesn't get fined, put into receivership, or otherwise worry about its future. The court also doesn't use discovery process to get full data instead of relying on questionable self-reporting. Unlike a court run by "real" judges.

10. NSA and GHCQ tools used to hack and even massively damage allies. Little proven benefit plus proven damage like this should make people rethink these programs. That's damage to systems, our businesses, and our reputation internationally. Not intelligence collection to stop terrorism as they told us with fingers-crossed.

11. He did wince at tactical oversight lol. And dodged it. Doesn't bother me: it's just his bias kicking in and he at least admits he has one.

12. Cost/benefit analysis: tens of billions of U.S. sales lost to get surveillance of little to no benefit. Good point. However, he left off the fact that the money was lost because *he leaked everything* rather than the ops were happening. Quite a difference and makes him the cause of damage. His point partly remains because a leak can happen at any time and independent researchers have been finding many NSA-style vulnerabilities through reverse engineering. Countries can send the message that their products are trustworthy (eg Swiss image) or they'll screw you allied or not (U.S. image). Is the surveillance gain worth that image? I think not. And is it still worth it given we could just do targeted bugging or HUMINT where it counts instead? Those techniques proved far more effective and did so predating the existence of the United States. I've always been in favor of many deep covers and agents in various places as it lets us use strong security while getting good intelligence. SEAL 6 and Red Cell anti-terrorism head Richard Marcinko said the same. He often called SIGINT garbage that they had to ignore to avoid getting killed. Matter of fact, why doesn't anyone mention HUMINT alternatives in surveillance discussions anymore?

13. Long-winded monologue about the leaks causing an interesting change where they need a warrant and can't just hack into anything. However, the leaks show the opposite in two ways: FBI mandates backdoors which enable them to do whatever they want regardless of passive link monitoring; FISA warrant targets parameters rather than people with execution that doesn't seem to involve the vendor. So, nothing has changed as they could take certain measures that protect their public image while secretly supply information through mandated backdoors. If anything, the situation is WORSE on that front because people get the illusion that things have changed. Also, keep in mind that companies and agencies are legally allowed to lie if it involves warranted collection or classified programs. Required to lie in many cases (SAP's, Lavabit)... Long as these laws exist, you can't trust a single U.S. company to tell you the truth about any aspect of government collection.

14. Both made good points on surveillance-friendly products (technical side) being a byproduct of legacy design choices. And Bruce makes the key point that the providers at about every level have incentives to keep it that way. He didn't add that most of the market ensures this by using free, surveillance products/services rather than paid, private ones. Even if the cost is tiny and product is very usable (eg Threema). Highly assured systems will be even more costly to develop, maintain, and operate. Almost all failed in the market. So, given market apathy toward privacy/security, it actually *doesn't* make sense to try to develop all these alternatives as they might just loose money massively. More thinking, debate, and creativity must be put into that problem. I'm currently running some innovative business models by some business owners and thinkers to see if I can remedy this. My model makes higher assurance systems financially sustainable, but I'm not sure if it will be adopted by businesses due to market apathy & greed. Hence, the peer review I'm doing before publishing it.

15. I think it's a very powerful point that people with incentive to promote mass surveillance (ex-CIA types) said that it was nearly useless against terrorism. I'd like to have the reference to back that up and the fact that they were mostly former intelligence professionals.

(Edit: Then Bruce mentions a New Yorker article about some of that. Guess I have more reading to do.)

16. Summary: defend our networks and attack theirs made more sense when they used different stuff than us. Now, an attack on them is an attack on us. Interesting point. Makes the claim that attacking their stuff leaves us vulnerable. This is *not true* as I've argued here plenty. It's really just a matter of putting a high assurance authentication and remote administration system in. Even better if its function is immutable due to implementation in hardware. Similar systems were designed in the past with NSA themselves depending on them for some critical applications. NSA uses some today in form of Type 1 products and EKMS. So, I think this problem can be solved just by putting in some engineering work leveraging proven solutions. The risks kick in at the organization doing access control and what happens to information once it leaves. I only have solutions for the former: can't control information once it's in their hands.

17. Snowden says we've been massively hacking North Korea since at least 2010. Yet, U.S. intelligence missed about every significant event happening in North Korea. And missed the Sony attack on top of it. Additionally, none of the mass surveillance programs stopped any major attacks. Strong arguments that they're totally ineffective and governments might be pushing them so hard for completely different reasons (eg control of governed).

18. Ends on a great point by Snowden: given insecure endpoints and strong cryptography in combination the FBI and NSA need no extra legal authority to bypass crypto. Contradicts FBI's public position showing they're dishonest and should have these capabilities for that reason alone. Least some people's setups still give them a much harder time. ;)

AlanSJanuary 25, 2015 2:22 PM

@Skeptical

You are being selective. Alexander and other government officials have stated different things at different times. Usually they have hedged a bit but sometimes not. On at least one occasion Alexander has stated "54 Attacks Thwarted". Snowden was not repeating a "false narrative" and Leahy had good reason to have Alexander clarify the effectiveness of the programs.

Claim on “Attacks Thwarted” by NSA Spreads Despite Lack of Evidence.

AlanSJanuary 25, 2015 2:50 PM

@Bruce

"He [DeLong] made a big deal that the NSA did not -- and presumably does not -- break the law, by which he means "our secret interpretations of a secret court's interpretations of what we can trick Congress into passing as law." While that may technically be true, I'm not convinced it's how we want our democracy to work."

Agreed. I think Jennifer Granick makes the point well: The Surveillance State’s Legalism Isn’t About Morals, It’s About Manipulating the Rules.

WaelJanuary 25, 2015 3:28 PM

@Nick P,

Clive and I argue, with evidence, that they're years behind both academia and top private companies in all sorts of ways

If you and @Clive Robinson are aware that the academia is ahead of NSA by years, wouldn't you think NSA is necessarily aware of this fact as well and decided to leverage the academia for its own research? These are some examples:

NSA funds and supports certain areas in academia, Mathematics research, here, here too,
or MDA904. I'm not convinced an organization that partners with and supports academic research can possibly be "years behind" in the sense of lagging -- "NSA behind the funding" of these academics makes more sense.

Nick PJanuary 25, 2015 3:57 PM

@ Wael

Their TAO catalog is mostly commercial stuff that wasn't even high end in 2008. Their IAD pushes stuff that maxes out at EAL4 despite similar commercial products hitting EAL5-7. Some of the leaked open "research challenges," like isolating Android instances on a phone, had already been done (OK Labs) in commercial sector and academia at the time. As Snowden and Bruce illustrated, their attack tools mimic what black hats have been doing for over a decade. Their internal analytics engine was a knockoff of Google's. And so on.

They're not ahead of the curve: they're behind it and continually copying those ahead. They *might* fund others ahead of the curve. Far as I can tell, though, the leaders in most categories aren't NSA funded. DARPA, military, NSF, European, and Australian organizations are all doing much better. If you want to see ahead of the curve, compare Cambrige CHERI+Capsicum to NSA's x86+SELinux or look at the performance/consistency of FoundationDB* vs NSA's Accumulo DB.

People looking to the future are better off looking at non-NSA-funded academia and tech companies. You get more ROI that way.

* Do look at it because it's friggin amazing for a strong consistency system if they aren't fudging numbers. Finally a replacement for NonStop that's COTS and cheap.

RickJanuary 25, 2015 5:49 PM

@ keiner • January 25, 2015 12:16 PM

"You have a strange use of the word "democracy" when it comes to surveillance tools. Democratic use would be if we all, the citizens of the democratic states could use such tools to control the feds, the parliaments the elected politicians to see, if they are doing find with our rights as citizens. Under the control of the judges."

I think the point you are making can be further illuminated by the article recently cited in this thread by AlanS (January 24, 2015 2:25 PM):

Balkin, Jack. The Constitution in the National Surveillance State. Yale Faculty Scholarship Series, January 1, 2008.

Link to pdf: http://digitalcommons.law.yale.edu/fss_papers/225/

In the article, we find this:

Page 17, "We might begin by distinguishing between an authoritarian
information state and a democratic information state. Authoritarian information states are information gluttons and information misers. Like gluttons they grab as much information as possible because this helps maximize their power. Authoritarian states are information misers because they try to keep the information they collect-and their own operations secret from the public."

Page 18, "By contrast, democratic information states are information gourmets and information philanthropists. Like gourmets they collect and collate only the information they need to ensure efficient government and national security. They do not keep tabs on citizens without justifiable reasons; they create a regular system of checks and procedures to avoid abuse. They stop collecting information when it is no longer needed and they discard information at regular intervals to protect privacy."

I suspect we are dealing with the evolution toward an authoritarian information state in the "five eyes" countries, but there is yet hope if those voters awake and respond to the danger. Hope is conditional, however.

----------------------------------------------------------------------------------


@ef090wej • January 25, 2015 4:05 AM,

"If US government actions are indicative of their policy, then total and arbitrary control of the population is the goal."

To which, Boronda • January 25, 2015 4:19 AM responded,

"...and I'm the crazy one? :x Heh.

I regret commenting here. Just figured maybe the Schneier crowd would mostly have their heads on straight."

To which, Clive Robinson • January 25, 2015 6:54 AM responded,

"Well it is an opinion, that there is quite a bit of historical evidence to sugest it is a reasonable possibility. After all how would you describe the behaviour of J Edgar Hover or the pre-fall of the Berlin wall East German leader?"

* * *

And my response to your assertion is that I agree with Clive. I also posted this opinion (https://www.schneier.com/blog/archives/2015/01/david_camerons_.html) backed up by a few facts that tangentially (spuriously?) support the notion that the government would like to know what you are thinking:

"The following individual was director of a small CIA-funded lab to research the concept. Funds were cut in 1995. Despite small successes (the discovery of sidereal time as a statistically significant independent variable in anomalous cognition experiments) yet overall mission failure, it is interesting to note that the US Government was willing to legitimately fund this research 20 years ago. James Spottiswoode: http://jsasoc.com/library.htm

I don't argue the aforementioned research so much as I wish to point out that the TLAs around the world are definitely serious about monitoring/controlling thoughts."

Overall, this discussion has been productive in that it has provided a few launching points from which to eventually achieve the following in my mind:

1. determine the real reason why the surveillance state evolved to its present condition and its purpose for existing.
2. what can be done about it if enough people oppose its mission (or its collateral damage strategy, for that matter).

----------------------------------------------------------------------------------

Grauhut • January 25, 2015 1:40 PM

"Its consequence out of the witches law: Be careful what you wish for - you just might get it."

I followed your witches brew tale and found myself nodding with most of those points until you got to the end and concluded that the "poor arab bastards" were unlucky due to their demographics and the west's need for a scapegoat. I think their lot in life is more a product of their religion, their culture, their collective choices. I honestly don't want the conversation to drift too far into the nether depths of a tangent... but I couldn't sit idly by and honestly agree with that point. Otherwise, thought provoking... thank you!

----------------------------------------------------------------------------------

@ Nick P - "Review of the Interview"

1. "And we're discussing facts about what he knows so bias isn't even an issue: they have the attack or they don't."

Edward Snowden is an idealist who advocates the right of the people to determine their own fate. A human rights advocate, if you will. He's not a double agent for Russia. But I think Snowden didn't reveal this information in the recent interview because Russia forced him to agree not to reveal anymore information which amounts to an attack in and of itself:

http://www.cbsnews.com/news/putin-snowden-must-stop-damaging-our-american-partners/

4. "We need a new term for these people to reflect the difference. Script drones? Scriptcogs? Scriptborgs? What?"

Hmm... just for fun, how about labeling them "Shackers" - from "sheeple" and "hacker". Plus, the term fittingly implies infidelity for old-school US citizens.

"6. Unlawful collection of journalists data. Shows a risk to democracy. Supports why they might not want a public debate. How much do you want to bet those journalists' reporting would be even more damaging to GCHQ's goals after that leak?"

Great point, and a potential attack vector to use in the future. Bonus motivation that Nick P. duly noted: journalists with a vested interest to protect the establishment are less likely to do so when it's a NIMBY situation (Not In My BackYard).

17. Snowden says we've been massively hacking North Korea since at least 2010. Yet, U.S. intelligence missed about every significant event happening in North Korea. And missed the Sony attack on top of it. Additionally, none of the mass surveillance programs stopped any major attacks. Strong arguments that they're totally ineffective and governments might be pushing them so hard for completely different reasons (eg control of governed).

That point dovetails into my discussion about the reason (and purpose) for the surveillance state. I was cynically inclined to believe in those "different reasons", though not necessarily the leap to "control of the governed", although I am at the moment leaning that way and entertaining that notion. To couch my thought in the language of the movie, The Matrix", I want the "red pill", not the "leap off the cliff pill", but if the "red pill" takes me over the cliff, then so be it.

Other good points to note, but time does not permit...

DanielJanuary 25, 2015 5:54 PM

Nick P writes, Funnier still because old school hackers always thought the government's would eventually hire massive amounts of actual hackers with elite training. Instead, they have a small number of ordinary hackers building tools for a large number of script kiddies. Who use actual scripts saying "Do this, Then that. Not this. Turn back if this."

This is an insightful point and one to which I need to give more thought. My first reaction was--of course, every army has its foot soldiers and a cyber army would be no different. The guy driving a conventional tank acts just like script kiddie--he doesn't need to know how explosives work--he pushes a button and the tank moves and he pushes another button and the gun fires. Most soldiers don't know the technical details of the weapons they employ and it wouldn't be efficient for them to know it.

It does have some interesting ramifications. For one, it suggests that the NSA understands it has a leveraging issue. There are only so many gurus while there is too much work so how how else do they go about getting the max bang for that buck: scripts. Second, it suggests that cyber security degrees that are NSA accredited are focused on the wrong things--these degrees are like demanding that a Uzi-toting infantryman have expertise in chemistry, ballistics, and lathing machine tolerances. These degrees would be better off focusing on law, strategy, and ethics--teaching the solider where and when to point the gun. Most of actual computer science need to deploy most scripts could be covered in a course or two--who the hell needs three semesters of networking?!

As I said, I need to think about this more but this is an important insight on your part.

you_know_whoJanuary 25, 2015 6:17 PM

Let's go down on some random memory lane, shall we?

Say, All American companies or organisation... Mozilla.. now working with Akamai and Cisco Lol to do some freessl stuff. Takes me back to Mozilla including CACert as a root certificate, (as opposed to all those I can't trust already in there, which is known to be utterly compromised by the US).

A huge protest by some "Mister SSL", Nelson Bolyard, whoever he is. Memory lane, 2003, he happens to include the NSA backdoored stuff if I am not mistaken:

https://bugzilla.mozilla.org/show_bug.cgi?id=195135

This same bloke, rotten to the bone, NSA agent, vehemently wishes to oppose people having ssl, especially outside US , albeit it an ally state:

https://bugzilla.mozilla.org/show_bug.cgi?id=215243

Fun though innit?

Well, in 2015 CaCert is surely in something "libre" like Mozilla?

If not, since we know NSA demands NISC, NISF, NIST whatever it is called to be compromised, things are broken. Eg. IPSEC is and was a solution to encryption but thwarted by US still.

I think the world, should create a common group which demands that standards fulfill their requirements, which by definition do not fulfill NIST's pretty much.

Let the yanks do their facist stuff, but world, beware, if you keep on just never acting, all your children will be murdered again, like in WW2, soon enough.

There are even people who wish to buy and use google glasses L..O...L... poor sods.

I think a world conglomeration should fork code and forever more leave the US counterparts behind.

SkepticalJanuary 25, 2015 6:28 PM


@AlanS: You are being selective. Alexander and other government officials have stated different things at different times. Usually they have hedged a bit but sometimes not. On at least one occasion Alexander has stated "54 Attacks Thwarted".

Here's the full context for the article's "Claim on 'Attacks Thwarted' by NSA Spreads Despite Lack of Evidence" headline.

From the article itself:

When NSA chief Gen. Keith Alexander spoke at a Las Vegas security conference in July, for instance, he referred to “54 different terrorist-related activities,” 42 of which were plots and 12 of which were cases in which individuals provided “material support” to terrorism.

But the NSA has not always been so careful.

During Alexander’s speech in Las Vegas, a slide in an accompanying slideshow read simply “54 ATTACKS THWARTED.”

My God! A powerpoint slide that, taken out of context from the actual presentation, could be considered misleading. In other words, if we looked at the slide and completely ignored what Alexander said, we can say that Alexander once claimed "54 attacks thwarted." That's somewhat ridiculous, but I understand the urge to defend the sanctity of powerpoint slides given the nature of some of the reporting on Snowden's leaks.

The closest the article comes to showing that the NSA was deliberately spreading false information is a letter sent out to NSA personnel in which it is claimed that "54 plots" were thwarted. Certainly a mistake, but hardly indicative of the NSA propagating a false narrative, especially in light of the limited circulation of that letter in contrast to the very public nature of Alexander's other statements.

The article does a much better job documenting numerous careless statements by Representatives on the subject (the most serious of which attributed success in all 54 cases to Section 215, which is a significant error), but, again, those aren't the NSA either. Anyone actually reading what the NSA claimed would immediately recognize those statements as careless and false.

What Senator Leahy could have said is: "General Alexander, some seem to have misread or to be distorting the information that the NSA has presented to us and to the public. So for the record, to make the point to them and to everyone, I'd like you to confirm here again the information that you presented to the public in June, in July, and to us." And then he could have simply quoted Alexander's June speech.

Instead he asked in a way that implied he was catching Alexander out, and gave rise to the ridiculous narrative Snowden repeats (though in Snowden's telling, the NSA's numbers drop from 54 to 1). It's yet another example of Snowden emphasizing "scandal" over "policy." And because there isn't really scandal to be had here, it's an emphasis that comes both at the expense of truth and at the cost of distracting from, and weakening, more serious policy discussion.

And by the way, even looking at the single mistake Alexander made in the letter, this is really getting into angels dancing on the head of a pin territory. 54 events, of which 42 were plots - does anything of significance turn on 42 being plots instead of all 54? Of course not.

BlipoJanuary 25, 2015 6:42 PM

@Skeptical

Except only one of those plots had a nexus to the U.S. We should not be the police of the world.

Clive RobinsonJanuary 25, 2015 6:43 PM

@ Nick P,

With regards point 12 on HUMINT and the US Gov. The problems the US have with HUMINT go back possibly longer than you have been alive, ie Gary Powers and the US citizenry response to TV pictures and body bags from Vietnam.

Due to these the US decided to focus on SIGINT and ELINT and the belief that "eyes above the skys" could tell them every thing they needed to know.

The first sign that this policy was not going to be a success was the joint UK US "Berlin Telephone Tunnel". The Russians knew from a mole inside MI5 that UK Post Office engineers had been called in to do a job in Berlin for MI6 and GCHQ, and their US equivalents. The Russian's decided that there was little point doing much about it as most of the traffic on the cables in the East German side acrually carried low level traffic that the Russian's again new that the UK and US already new via other moles in MI6. The only thing the Russian's did was to move high level and strategic traffic off of the cables, they did not warn the lower ranks etc. Thus the UK and US only got what they already new plus a few other bits and pieces. The Russian's then waited untill an optimum time before revealing the tunnel to the western world.

A few other disasters of this sort showed that the Russian's were quite adept at knowing what was going on via their moles, only some of which were found during their life time.

The US and UK went their seperate ways on intel gathering, the US prefered to throw money and thus technology at problems, the UK not having much in the way of financial resources went for the human touch and developed considerable HUMINT assets.

The thing is ELINT has a problem it can only tell you what is where today, it does not give either context or future direction, both of which HUMINT can if done properly.

Untill fairly recently this split of activities was benificial to both sides as it alowed one source to be tested against another source.

However the desperate need by the US to keep the war on terror alive has ment that the US has become profligate with other peoples methods and sources and as a result have burned both for fairly cheep political points to impresse the press. This has not endeared the US to the ICs of various of their supposed partners and things have according to some sources got a little frosty.

Unfortunatly for the US this "burning of assets" has not gone unnoticed by existing assets and thus the chance of the US setting up it's own HUMINT sources is not good. In fact it turns out that quite a few supposed US HUMINT sources were infact liabilities, just talking up what would put most cash safely in their pockets.

Running assets is a fine art and one thing that is fairly certain is that both the Chinese and Russians have been way better at it than the US by quite a large margin.

Dirk PraetJanuary 25, 2015 6:44 PM

@ Boronda

Gerard, how is foreign intelligence collection in support of a nation's defense and security interests "really immoral"?

That's not what @Gerard van Vooren said. If my reading of his post is correct, he's referring to the exact same thing as @ef090wej, i.e. the unparalleled global surveillance dragnet of the Five Eyes directed not only at terrorists and "legitimate" foreign targets, but just as well against allies and the public at large, both at home and abroad. Not only is it the crux of Snowden's revelations, it was also his reason for going public. And yes, it has caused the USG immense and well-deserved embarrassment, diplomatic and economic fall-out of which they still have to deal with on a daily basis.

As far as the legality is concerned, I share @Bruce's opinion that the NSA's programs under US law probably are, beit under a very sick and twisted interpretation of a democracy rife with secrecy and doublespeak. On the international level, it may be worth noting that on January 21st 2014 the UN General Assembly unanimously adopted Resolution 68/167, a symbolic "anti-spying resolution" to "protect the right to privacy against unlawful surveillance" in the wake of reports that 35 foreign leaders were subjects of US eavesdropping. The non-binding resolution "unequivocally states that the same rights that people have off-line must also be protected online."

But whether we are talking illegal or immoral, consider this: every nation spying on other nations - even for the best of reasons - also has severe laws when it comes to espionage against itself. Whichever way you turn it, that's a double standard and no different from a man demanding an exclusive relation from his wife while at the same time finding nothing wrong with having extramarital affairs himself. Putting all "Realpolitik" aside, it essentially amounts to pure hypocrisy.

If you think spying is endemic to the US ...

Nobody says or thinks so. Most, if not all nations are doing it, capabilities and other resources permitting.

Worse, many other nations don't have *any* checks/balances on their security apparatus. Our occasional overreach pales in comparison to their domestic efforts.

Rest assured that most governments over time have learned that it is in their best interest to have strong checks and balances in place on their security and intelligence apparatus. Maybe not necessarily out of concern for their constitution, laws and citizenry, but primarily out of fear that uncontrolled it can also be turned against themselves. As @Clive already pointed out, the case of one J. Edgar Hoover comes to mind. Or the ill faith of Lavrentiy Beria, the once chief of the Soviet security and secret police apparatus NKVD who shortly afer Stalin's death was accused of treason by other members of the politburo and executed after a show trial.

As to the "occasional overreach", I believe there are plenty of audit and oversight reports out there attributing all sorts of qualifiers between "bumbling ineptitude" and "systemic abuse" rather than the term you are using.

And Snowden didn't leak material that betrayed their secrets -- only ours.

To the best of my knowledge, Snowden was working for the NSA, not for the FSB, SFR RF or GRU. Or the PLA, for that matter. But imagine some Chinese or Russian spook having spilled the dirty secrets of his country. Do you really think anyone on Capitol Hill would have called the revealed activities "perfectly legal" or "morally justified"? They would all have been crying bloody murder. Including yourself.

It's an attack on the US... complete with, hilariously, Snowden's overt defection to Moscow.

Snowden did not defect to Russia. He fled to Moscow, applied for asylum with about 20 countries and eventually stayed there because besides there being only a few countries that wanted to have him, it was also the smartest thing he could do after the US in downing the plane of Bolivian president Evo Morales had made it very clear they wouldn't stop at anything to get him.

feel free to call me a troll as you like. It's an easy dismissal, isn't it ...

In any civilised discussion, you dismiss yourself when inciting to hatred and calling for someone's assassination. I have nothing to add to what @Clive already told you about that.

SkepticalJanuary 25, 2015 6:57 PM


@Nick P: Thoughtful analysis - just a few points

9. FISC being a rubber stamp proven by the numbers is always a good point to reiterate. Should always add that nobody important ever gets fired, fined, or imprisoned for violations. The organization doesn't get fined, put into receivership, or otherwise worry about its future. The court also doesn't use discovery process to get full data instead of relying on questionable self-reporting. Unlike a court run by "real" judges.

Judges everywhere, when presented with applications for search warrants or wiretap warrants also make a call based on information presented by the government. And they do so in secret, for the most part, though obviously the results of the search, if used, provide an opportunity to challenge the original warrant. There's nothing unusual about that part it.

Federal judges are appointed for life, until they retire or are impeached or become disabled from performing their duties. The judges on the FISC are drawn from the population of federal judges. And if you ask any attorney who has practiced in both state and federal courts, she will assure you that federal judges are as "real" as they get.

I really dislike the numbers argument used here, mostly because it's an example of how statistics divorced from context can be misleading. FISC approval numbers are high mostly because the Justice Department writes and reviews the warrant applications (I'm sure attorneys from other departments are involved as well in many cases), and quite simply they will not waste the time if they don't think the application will succeed.

The other reason I dislike the numbers argument is that it gets things backwards. Low approval numbers would be indicative of a serious problem. It would mean that FISC judges are applying standards inconsistently, or that the Justice Department doesn't understand the standards. Frankly it's perverse that these numbers are used to indict the FISC.

Countries can send the message that their products are trustworthy (eg Swiss image) or they'll screw you allied or not (U.S. image). Is the surveillance gain worth that image? I think not.

In other countries, there is far more - how to put to this - integration between businesses and government. You're kidding yourself if you think companies aren't doing as much, and almost certainly much more, for their governments as a US based company might do for its government.

And is it still worth it given we could just do targeted bugging or HUMINT where it counts instead? Those techniques proved far more effective and did so predating the existence of the United States.

XOR probably isn't the right function to apply here.

I'm currently running some innovative business models by some business owners and thinkers to see if I can remedy this. My model makes higher assurance systems financially sustainable, but I'm not sure if it will be adopted by businesses due to market apathy & greed. Hence, the peer review I'm doing before publishing it.

As you know I think this is a hard question, but there are enormous positives associated with this kind of effort, and I hope (subject to qualifications I've expressed in here many times) that you succeed. I think people will become increasingly willing to pay reasonable fees for better privacy.

I think it's a very powerful point that people with incentive to promote mass surveillance (ex-CIA types) said that it was nearly useless against terrorism. I'd like to have the reference to back that up and the fact that they were mostly former intelligence professionals.

(Edit: Then Bruce mentions a New Yorker article about some of that. Guess I have more reading to do.)

They're talking about a particular program - the telephony metadata collection under 215. "Bulk surveillance" in other cases has been significantly fruitful according to those who have examined it (that includes the PCLOB and Senators who are/were borderline hostile to the IC).

My own interpretation of what those with access have said publicly (and I've never heard anyone with access speak out of school privately) is that the bulk surveillance goes hand in hand with targeted surveillance. In other words, bulk surveillance, in conjunction with more specific intelligence, enables certain targeted surveillance and analysis, and that yields very useful intelligence - and so on.

17. Snowden says we've been massively hacking North Korea since at least 2010. Yet, U.S. intelligence missed about every significant event happening in North Korea. And missed the Sony attack on top of it. Additionally, none of the mass surveillance programs stopped any major attacks. Strong arguments that they're totally ineffective and governments might be pushing them so hard for completely different reasons (eg control of governed).

To this point in time, I don't think monitoring for attacks on companies like Sony has been a high priority mission of the NSA, but perhaps that is starting to change. So that they missed it doesn't really tell us much about the value of the capabilities they have.

Moreover, that the capabilities they have enabled fast attribution is incredibly important from a deterrence vantage, a point which Snowden misses entirely. In general I've found Snowden's grasp of the strategic and geopolitical game to be weak.

Finally, what we've been told about USG knowledge of NK attack on Sony amplifies my earlier point about the use of bulk surveillance. Bulk surveillance becomes useful only when combined with targeted surveillance and specific intelligence. The NSA doesn't have time to read all the traffic coming out of NK cyber-units, much less the unbelievable volume produced domestically, so the notion that this is all part of a grand scheme to exert social control (per some of the other comments in this thread) is utterly and completely absurd.

Re FOXACID manuals and script kiddies:

The deduction is rather weak. To use a military analogy, what is described in those manuals sounds akin to ROE. You may want to centralize certain decisions on certain types of risk from a strategic level, notwithstanding the tactical proficiency of whatever teams are engaged in executing missions. We also don't know - or at least I don't know - the proportion of personnel for which those manuals describe the scope of discretion. Do they set a baseline, from which teams routinely deviate as necessary? Finally, we don't really know the justification behind whatever rules or guidelines are specified. The rationale may be somewhat more sophisticated than has been hypothesized.

So, who knows.

RandomJanuary 25, 2015 7:06 PM

I recently watched 1971. It turns out that the FBI in Media, Pennsylvania were using a lot of energy learning who was having sex with whom. Apparently, one agent even boasted in his report that he had destroyed a marriage.

I imagine the same type of behavior is present within these NSA analyst. I bet they get really excited when they come across anything salacious. I bet they spend most of their energy just looking for "dirty" pictures and movies.

CorollaJanuary 25, 2015 7:14 PM

Daniel • January 25, 2015 5:54 PM Nick P writes, Funnier still because old school hackers always thought the government's would eventually hire massive amounts of actual hackers with elite training. Instead, they have a small number of ordinary hackers building tools for a large number of script kiddies. Who use actual scripts saying "Do this, Then that. Not this. Turn back if this." This is an insightful point and one to which I need to give more thought.

Funnier to hear this coming from an opsec perspective.

Security training is essential but a majority of these skills are presumably 'honed' not taught. What is taught is known. Many would say skills are picked up in the 'honing' process. This is general true in all fields of expertise.

Say for instance you've been watching some people suspected of hacking, for the past 10 years you watched but they haven't done any hacking. Then these people are not Hackers, period.

Bruce SchneierJanuary 25, 2015 7:20 PM

"One thing that annoys me when I watch conversations or interviews is when the interviewer takes an excessive proportion of airtime. Another annoying thing is when the interviewer frequently interrupts the interviewee. Neither of these situations occurred during this talk; Bruce rarely interrupted Snowden, and when it happened it was appropriate."

Interesting. It was supposed to be a conversation, not an interview. So I should have had about half of the airtime. I don't know if I did, though.

You're right that I didn't interrupt Snowden, although I wanted to a bunch of times -- mostly when I wished he would make shorter comments.

Still, I think the conversation went very well. We covered most of the points I had planned, although not always to the same depth I expected.

Actually SkepticalJanuary 25, 2015 7:21 PM

@Bruce

No, it's not technically true. When they were trying their best to sound technically truthful and build up the talking point of "The United States Does Not Torture" back in 2004 or so, it was simply a lie. It was not even technically true by any stretch of rational argument. They are acting lawlessly. They are acting to maintain the provable illusion that they even _could_ be technically law abiding. There is no magically efficient government that can mitigate the threat of other Snowdens with more financially directed intentions. Thus such violations of the law are occurring, that are only possible because of the valuable intelligence database they have been assembling all these years.

Dirk PraetJanuary 25, 2015 7:28 PM

@ Skeptical

... because while we all agree that a free press should be able to expose wrongdoing, we're wary of the idea that journalists should decide what stays secret and what does not based upon the particular policy preferences of those journalists.

I believe one George Orwell was bang on the money when he said “Journalism is printing what someone else does not want printed: everything else is public relations.”

samJanuary 25, 2015 7:55 PM

@ Wael

One thing that annoys me when I watch conversations or interviews is when the interviewer takes an excessive proportion of airtime.

That's a good point. I find this interview a lot easier to understand compared to Snowden's previous ones.

You also made a great point about shadowy agency being ahead of academia still, though not as apparent compared to 20 years ago. The advant of internet has changed that quite a bit. Any random fool with web can access this knowledge base without jumping thru hoops for it. We are catching up because we have been freen to circulate and discuss, hypothesize and peer-reviewed without the heavy burden of maintaining secrecy. The shadowy folks still have access to all this but what they lagged is the peer-reviewing process, where a secret must be shared among few from within. They may still be ahead by 10 years, but the momentum has certianly swung towards the other direction.

AlanSJanuary 25, 2015 9:24 PM

@Skeptical

Careful with the ridicule. You are defending a guy who is trying to hide the fact that since 9/11 the only success resulting from his agency's bulk collection of data on American citizens is the prosecution of a hapless cabbie who sent $8500 to Somalia.

We don't even have to argue about the civil liberties implications. On economic grounds alone the program is ridiculous waste of money.

WaelJanuary 25, 2015 9:34 PM

@sam,

I find this interview a lot easier to understand compared to Snowden's previous ones.

It's the only Snowden talk I've seen, so I can't compare it to other talks. Still, I believe it went well and covered areas I wanted to know more about.

You also made a great point about shadowy agency being ahead of academia still, though not as apparent compared to 20 years ago

I refuse to believe such organizations are behind. You are probably correct about the gap narrowing, though. Some say spooks are behind based on the little information we know. Researchers in the academia have to publish their work -- it's a "Publish or Perish" thing. Spooks keep their secrets. So we are comparing two entities: one that's transparent to some extent, and another that's by definition "spooky", meaning it keeps things "hidden" or invisible. "Spooky" is ghost-like. Besides, Snowden hasn't revealed *everything* yet.

FigureitoutJanuary 25, 2015 10:40 PM

chicken
--Wrong thread, but I also can't (a USB-stick opens up 2 devices, some kind of virtual filesystem, which then spreads to any other USB stick from that PC and always makes a copy of any file created (in Windows), and some very similar symptoms of HDD malware mentioned (hidden partitions that resist regular formatting somehow, should just wipe and smash but I can't afford it); there's so much more...just annoying looking into it all and so distracting) for my own protection. I am saving some of this USB-malware for a proper rundown of the malware eventually, I want to get into the USB chips more, but I'm swamped currently. It'd be useful for backups I guess lol.

Complllu
--True, yet isn't everything to do w/ security to be regarded w/ great trepidation? Since I don't know all the cryptanalytic attacks (I feel like the practical ones really have some stringent requirements as opposed to just bypassing the crypto...), and I put myself as an attacker, what I'd wouldn't want. There won't be any existing tools for some of the wacko encryption chains one can do, I'd have to write it down just to remember and guard the slip of paper, and automatic decryption would be almost out of the question.

I don't even want to do cryptanalysis b/c I would always think even plaintext is another code...you can't be sure w/o physical evidence and real-time tracking.

Clive Robinson
If a formalised message structure is used this rather aids the process
--I apply that common sense to a non-standardized way of encryption, not to always use the standard. Academically it won't be recommended ever, practically you won't be the one decrypting an unknown ciphertext.

If an attacker doesn't know how it was encrypted, they won't be able to decrypt based on just ciphertext; all I'm saying. I understand the caution and all the cryptographers getting nervous.

RickJanuary 25, 2015 11:31 PM

Although I would love to know Edward Snowden's response to the question, "What is the current as well as the ultimate purpose of the current surveillance state,"... this article answers the question from William Binney's point of view. Interesting. His answers are very similar to those asserted this weekend in this thread. Article:

http://www.dw.de/binney-the-nsas-main-motives-power-and-money/a-17862571

---------------------------------------------------------------------

Bruce Schneier said, "We covered most of the points I had planned, although not always to the same depth I expected."

My only wish is that the presentation was longer, and therefore could have afforded more depth. Hopefully, there will be a follow-up presentation someday soon.

---------------------------------------------------------------------

@Skeptical

"The NSA doesn't have time to read all the traffic coming out of NK cyber-units, much less the unbelievable volume produced domestically, so the notion that this is all part of a grand scheme to exert social control (per some of the other comments in this thread) is utterly and completely absurd."

I disagree that the notion is absurd. It requires proof, but it's not absurd given the mountain of evidence exposing the abuses of power revealed in the last few years.

According to William Binney, "Totalitarianism comes in the form first of knowledge of people and what they're doing, and then it starts to transition into using that power against people. That's what's happening - in terms of newspaper reporters, in terms of crimes. That's a direct violation of our constitution."

Binney continued (while essentially equating the current conditions to that of a totalitarian state such as the German Nazis), "The motives of totalitarian states are not exactly the same every time, but they're very similar: power, control and money."

Skeptical... on another note, I'm curious about your perception. For example, you said in regard to the FISC judges signing almost every warrant crossing their desks, "Frankly it's perverse that these numbers are used to indict the FISC." The argument you use to back up that conclusion is almost justifiable if it weren't so myopic. Consider these allegations (with evidence):

http://www.theguardian.com/world/2013/jun/20/fisa-court-nsa-without-warrant

(Be sure to peruse the embedded docs, too)

So, I say to myself, if that's all you have to defend the FISC numbers--a logical construct that almost seems drawn from experience somewhere in or around the field-- then I see a problem while comparing it with the above cited article. And that's just one example of the lens through which you view these matters that I've observed.

So I come to the half-baked conclusion that you want to cast the NSA, et. al. in a good light. Why work so hard to do that... instead of just letting the data speak for itself? At least, though, you aren't trolling in the most obvious sense which is designed to deter and distract. Good conversation ensues, so, for that I welcome it, personally speaking.

GlavlitJanuary 25, 2015 11:36 PM

Every once in a while Skeptical fails to stay in character. While much of what he says is merely stupid, now and then he slips and says things that no amount of stupidity can explain. Then the mask slips, revealing profound contempt for the public that is forced to pay his wages.

One tell, at 11:35, is skeptical's glee: Snowden knows that NSA follows its own rules! Of course they do. The US government hires slimy shyster lawyers to win at all costs against their adversary, the American public. The resulting US laws fail to comply with US commitments and obligations. As Alan S. points out, Jennifer Granick is on to this cheap Soviet trick. The Human Rights Committee exposed the trick as well, with binding legal force in front of all treaty parties who interpret their pacts in good faith. Skeptical's phony rule of law is shit.

Another tell is "properly classified information," to which, the only legal response is, Fuck you, it's my information, not yours. We the people are going to Collect It All. And publish it. And try you Stasi fuckers with it.

Then, at 6:28, there's skeptical's interminable Rain-Man rumination on precisely why and how Starfleet cadet Alexander happened to be full of shit in this particular case. Up to a point, we could explain this gibberish with extreme levels of obsessive and dumb, the US military's two critical success factors. But then we hear the magic word "mistake." That's beltway argot for serious crimes of concern to the international community. The mistake here is misleading tabulation of how many times FBI told feckless sad sacks what to blow up, how to blow it up, bought what the sad sacks couldn't afford, did all the work for them, paid them to go along, and busted them for what the poor saps could not begin to do on their own.

At 6:57, 'federal judges are as "real" as they get.' Skep has to make up lots of imaginary lawyers to say so. Lame though it is, Skep's sensitivity is telling. Bent and blackmailed judges are the linchpin of CIA control. Kennedy, the one and only guy who got a vote in the 2000 election; Scalia, target for NSA surveillance and EOP kompromat; Thomas, who might as well have a "blackmail me" sticker plastered on his ass; and on down to alkie wifebeater Mark Fuller. Federal judges are losers, hanging on by their fingernails, one phone call away from ruin, always relying on the kindness of CIA strangers. That's how CIA rigs cases.

VJanuary 26, 2015 12:21 AM

I finally got to watch the video. Every time Snowden appears in video from Russia he's sitting in front of a green screen. I'm trying to come up with a theory why this is.

WaelJanuary 26, 2015 2:37 AM

@Rick,

From the article link:

Q: What's changed in the NSA's methodology since you were working there, until 2001?
A: We're focusing now on everyone on the planet - that's a change from focusing on organizations that were attempting to do nasty things. When you focus on everybody, you're moving down that path towards population control.

It's the logical expected continuation of this path. No surprises, as William Binne explained.

tyrJanuary 26, 2015 2:45 AM


@Corolla

Say for instance you've been watching some people suspected of hacking, for the past 10 years you watched but they haven't done any hacking. Then these people are not Hackers, period.

LOL You need to read Shockwave Rider by John Brunner.

While you're at it, update your dictionary with the meaning of hacker.

eTrusted?January 26, 2015 3:07 AM

@keiner
If WikiLeaks staff really are deep into OPSEC, Google functions would be the first thing they would have disabled. No one really trust Google due to their bad name in spying anymore.

Clive RobinsonJanuary 26, 2015 3:27 AM

@ V,

Every time Snowden appears in video from Russia he's sitting in front of a green screen. I'm trying to come up with a theory why this is.

Err "green is the new blue" for certain video and cinematography techniques. It's an easy colour to subtract to transparent when you want to superimpose one image on another. I've seen "green screens" used frequently behind news readers for syndicated news feeds, because it alows different station logos etc to be dropped in behind thus shared studio use etc.

I've not watched Ed Snowden interviews on line[1] only the traditional terestrial TV broadcasts, where he's always been shown in front of a "city scape" backdrop.

[1] The reason for this is I've always assumed the online sites that carry them are either monitored by the IC or honeypots for data aggregators, either way you end up getting tagged [2].

[2] It's the sane assumption I make for this and other ICT security related sites. It's just easier to justify security site usage than whistleblower site usage, if you ever have to (and people are having to do that these days).

CorollaJanuary 26, 2015 3:45 AM

@ tyr

new to this blog? lol you might want to update your wiki with the meaning of 'watched'.

WaelJanuary 26, 2015 4:01 AM

@Clive Robinson, @V,

It's an easy colour to subtract to transparent when you want to superimpose one image on another.

Oh, no! Make no mistake. He is worried about catching a strain of snipers' measles :)

CorollaJanuary 26, 2015 4:17 AM

@keiner
If WikiLeaks staff really are deep into OPSEC, Google functions would be the first thing they would have disabled. No one really trust Google due to their bad name in spying anymore.

according to report, that was dated back in 2012.
google's reputation only took a drastic turn for
the worst as far as privacy goes only after snowden
came out with the files.

@Clive Robinson
[1] The reason for this is I've always assumed the online sites that carry them are either monitored by the IC or honeypots for data aggregators, either way you end up getting tagged [2].

i've seen a coupel of you use that word 'tagged'
frequently. whatever that means does not sound
like fun.

@Rick
Although I would love to know Edward Snowden's response to the question, "What is the current as well as the ultimate purpose of the current surveillance state,"

has he not answered that? i assumed he did, but
i guess he hasn't. we all assumed his action
spoke for itself, but it was really like we just
assumed he did it for the reasons we assumed he did
without really hearing it from himself.

@albert
I don't recall specific examples, but the guy sounded like a lawyer. If that's not his personality, then he was well coached. OTOH, that's exactly the sort of personality that I would want in an analyst.

it sounds like he's thought about tehse questions
already, not in preparation for an interview but
soul searching and reading good books. either that
or reporters were very good at asking the right type
of questions.

@Sancho_P
You’ve cited Hayden’s ”just give me the box” which is typically thinking for a authoritarian follower, not a leader.
Probably good as a beltway grunt, but not creative enough to drive a Humvee through Bagdad.

isn't the reason to drive :a humvee: thru bagdad
a solution to not being creative good driver? i mean
yeah a tank may have been the better choice to run
over anything in your path but still better than
driviing a corolla thru it.

SkepticalJanuary 26, 2015 5:10 AM


@AlanS: Careful with the ridicule. You are defending a guy who is trying to hide the fact that since 9/11 the only success resulting from his agency's bulk collection of data on American citizens is the prosecution of a hapless cabbie who sent $8500 to Somalia.

Alexander hasn't hid any facts regarding the Section 215 telephony metadata program. Nor was that the only program at issue. Also at issue were programs under 702, which, as everyone who has viewed the results agrees, from NSA critic to NSA spokesperson, have been highly effective.

@Rick: So, I say to myself, if that's all you have to defend the FISC numbers--a logical construct that almost seems drawn from experience somewhere in or around the field-- then I see a problem while comparing it with the above cited article. And that's just one example of the lens through which you view these matters that I've observed.

I don't see where the article disputes anything I've said. You'll also find high acceptance numbers with respect to tax filings submitted, This isn't because the IRS is a rubber stamp agency - it's because taxpayers, accountants, and tax lawyers understand the rules. There are still, no doubt, a significant number of filings that are submitted that are knowingly false but which the filer hopes will escape notice. In an application to the court, though, you know that there isn't any escaping of notice. It's as though the IRS is telling you advance, "hey, we're going to audit your return this year, so make sure it's squared away before you file it."

@Dirk: I believe one George Orwell was bang on the money when he said “Journalism is printing what someone else does not want printed: everything else is public relations.”

By that standard awful poetry qualifies as journalism, but then again Orwell actually never gave that quote. You're thinking of a line by a very different man: News is something somebody doesn't want printed; all else is advertising. - William Randolph Hearst (champion of responsible journalism...).

But whether we are talking illegal or immoral, consider this: every nation spying on other nations - even for the best of reasons - also has severe laws when it comes to espionage against itself. Whichever way you turn it, that's a double standard and no different from a man demanding an exclusive relation from his wife while at the same time finding nothing wrong with having extramarital affairs himself. Putting all "Realpolitik" aside, it essentially amounts to pure hypocrisy.

No. Dirk, for some reason you seem to think that when the US passes a law against committing espionage against the US, this amounts to the US claiming that espionage is inherently unethical. But of course that's manifestly not what the US, or any other government, claims. If they did, it would be a double standard. It would amount to saying: "All nations of the world should stop committing espionage. Meanwhile I shall continue to commit espionage." No nation is actually saying that. Instead each nation says, "you try to spy on us; we'll try to spy on you; we have laws to try to prevent you from doing so here easily, just as you do."

What seems to be throwing you is the simple idea that nations act in their own interests, and that they pass laws as part of acting in their own interests. You may not like that system, but there's nothing hypocritical about it.

@Clive: Running assets is a fine art and one thing that is fairly certain is that both the Chinese and Russians have been way better at it than the US by quite a large margin.

:) Occasionally you sound like a British character out of a le Carre novel full of post-Imperial resentment at the unsophisticated "cousins."

GordonSJanuary 26, 2015 5:21 AM

@Nick P

12. Cost/benefit analysis: tens of billions of U.S. sales lost to get surveillance of little to no benefit. Good point. However, he left off the fact that the money was lost because *he leaked everything* rather than the ops were happening. Quite a difference and makes him the cause of damage.

That's a rather strange argument to make; the highly dubious and often criminal actions of the NSA & CIA are OK as long as they are kept secret? The mind-boggling scale of their programmes surely meant it was only a matter of time before someone with a conscience, morals, and a big set of brass balls outed them. Without the NSA/CIA actions, there would be nothing to leak. The actions are squarely to blame.


17. Snowden says we've been massively hacking North Korea since at least 2010. Yet, U.S. intelligence missed about every significant event happening in North Korea. And missed the Sony attack on top of it. Additionally, none of the mass surveillance programs stopped any major attacks. Strong arguments that they're totally ineffective and governments might be pushing them so hard for completely different reasons (eg control of governed).

Just because they didn't act on these events doesn't mean they didn't know about them. The NSA and CIA have their own agenda, as do US foreign policy makers (although it often feels they are sometimes one and the same). It's quite convenient to build up more 'evidence' against the nasty communists should the US desire to take military action in the future, and it also stokes the fire of the 'red danger' narrative.

waterbadgerJanuary 26, 2015 5:56 AM

@Nick P
" We need a new term for these people to reflect the difference. Script drones? Scriptcogs? Scriptborgs? What?"

I'd call them flickers, cause all they do is automated switch flicking.

VoidJanuary 26, 2015 6:05 AM

@waterbadger

And because they get paid over the odds to sit behind a desk flicking themselves?

waterbadgerJanuary 26, 2015 6:49 AM

"And because they get paid over the odds to sit behind a desk flicking themselves?"

Flicking themselves at the screenshots of naked teenagers stolen from Yahoo chat!

Clive RobinsonJanuary 26, 2015 7:51 AM

@ Skeptical,

:) Occasionally you sound like a British character out of a le Carre novel full of post-Imperial resentment at the unsophisticated "cousins."

Err in that case would I not say "colonial cousins"?

The problem the US has is that it has the resources to waste on various forms of electronic surveillance, and thus it has followed that path.

Other nations of way way less monetary, physical or human resources have had to work not just harder but a lot smarter to keep worthwhile skin in the game. Thus they have followed other routes to achive their objectives.

Look at it this way, if you have the money to buy a cherry picker lift then spying over your neighbors fence is the easy way to go, and presents little risk to you. However if you cannot aford a cherry picker, then you have to actually get over the fences by invitation or trespass both of which are considerably more risky. If you can then the best way is by invitation, that way you get to know your neighbour in a way that peeping through a telephoto lense does not. Importantly you get to know how they feel on things etc etc.

For a well practiced con artist getting an invite and friendship is relativly easy. How ever if you have a faux superiority complex because you have a cherry picker, trying your first steps at being a con artist is going to be very far from easy.

The other thing is that the US and UK are still fairly open societies, seeing Chinese and Russian people in society is quite common, the converse is not true for China and Russia. Large US people tend to stand out in a crowd and are thus easy to spot from a distance, slightly shorter UK people less so but still fairly obvious. Whilst a Chinese or Russian person can spot an "outsider" bytheir lack of local knowledge and customs, in the UK and US we have so many first to third generation immigrants --nearly half UK population if you belive one set of stats-- that we don't tend to have local customs and even where we do not knowing them or local knowledge is generally not treated as suspicious.

Thus it's easier for both the Chinese and Russians to place operatives in the west, whilst the opposit is considerably harder.

When you compare the UK and US, after WWII the UK did not have the resources to get into the technology game in the way the US could except in education and original thinking up untill the late 1980's. Thus the UK had no choice but to become well practiced in HUMINT, and in this area the UK had the advantage in that time period of having had an empire that was now crumbling into a Commonwealth of independent nations, it had people well placed to recruit not just agents but officers of all creads and colours who could and did fit in better around the world than the WASP types.

Some in the US have woken up to the fact that their technology solutions do have significant limitations and that a need for covert boots on the ground not just as special ops drop ins but as long term "illegal residents" is now more important than it has ever been. They also realise it's going to take a few generations to build up the required human networks as enablers, which is why they are so dependent on the other Five Eyes that are "Commonwealth" and bring not just science and geographic but importantly HUMINT resources to the table.

The problem these more far sighted US individuals have is fighting those who are still inward looking and believe despite all evidence to the contrary that technology alone is the way to go. They also have to fight that other problem that most politicos don't think more broadly, they love technology for it's "Pork grease" and "Power projection" value not it's real strategic value. Big high tech secret projects are like cat nip too way to many politicos, as well as having kick back value in other ways such as "revolving door policies" and "lucrative sinecure positions" that feather their nests directly or indirectly.

So like it or not, yes the Chinese and Russian's are better at HUMINT than the US is, and no it does not have anything to do with a "Post Imperial resentment" or "post colonial" one either, because the UK has similar "open society" and "politico" issues as well. As has been pointed out in the past there are just as many jewish netwoks as there are Chinese world wide and so the Israeli IC benifits in the same way.

Clive RobinsonJanuary 26, 2015 8:14 AM

@Nick P,

We need a new term for these people to reflect the difference. Script drones? Scriptcogs? Scriptborgs? What?

How about naming the action lists, that is instead of "script kiddy" you have "kiddy scripts". You can then replace "kiddy" with something more appropriate such as "droid", "numpty", "grunt" or the more general "slave", "wanabe", "gopher" or "Cyber-n00b", or other less savoury name, of which I am sure many can think of, after all they are just "fiddling with their tools"...

Uncle Francisco puts his foot in itJanuary 26, 2015 8:20 AM

At 5:10 we have skeptical blabbing last-ditch lies like a randomly-abducted terror patsy at Camp No.

"When the US passes a law... Nations act in their own interests."

More government indoctrination, the biggest lie of all. Skeptical thinks you can't tell the difference between the people inhabiting this continent and the ruling junta of the US. The ruling junta of the US has pissed away its legitimacy and sovereignty with widespread, systematic crime and failure to protect. So now they're trying to tell you that all this was your idea. That this is what you voted for. That we did this, not them.

Ever since Snowden exposed the saboteurs and assassins and secret police, they have frantically struggled to wrap their busted asses in the flag. They're disguising themselves as The Nation, as the US, as America, as We the people. What do you mean, we? They're not part of we. They're parasitic criminals. They need to be purged and dragged into the light and hung upside down from lampposts one by one.

SkepticalJanuary 26, 2015 9:15 AM


@Clive: I think you're conflating the difference between Russia and China, and the UK and US, as environments in which to conduct HUMINT collection, and the difference in skills which those respective countries bring to such endeavors. I of course agree that a closed society is much more difficult to operate in than an open society.

I have to say that, based on what I'm able to read in the public domain, I don't agree with your narrative about US HUMINT efforts. Immediately following WW2, the UK, initially, had of course far more depth of experience and personnel in country in areas across the world. They selectively cooperated with the US, acting as partners where US help was necessary, and keeping a distance where US help was unnecessary. But the US began investing quite heavily in HUMINT, in regions across the globe. As US commercial and military interests became more global, moreover, US connections and capabilities advanced further.

You paint the US as risk-averse on HUMINT, but with the exception of a period during the 1990s it was anything but risk-averse. It would parachute officers into China, the Congo, and elsewhere; it would recruit and run assets, often successfully, even in environments like Moscow.

I do agree that during the 90s intelligence programs across the board saw cuts in funding and personnel, and that post-9/11 there was a scramble to replenish the ranks of intelligence officers whose primary mission was HUMINT.

All that being said, I actually think open societies have advantages in HUMINT that closed societies lack, and moreover I think the now normal involvement of Americans in many different cultures and nations, and the long history of American involvement in many different cultures and nations, deepens the American bench, as does the fact that the US is itself a nation primarily of immigrants or those descended from immigrants from a broad cross-section of the world.

In some cases, the US has been able to leverage contacts developed during the Cold War and adapt them to more contemporary intelligence requirements. One example, which illustrates both the cuts of the 90s and the extent of contacts the US had on which to draw, is the first team that the US sent into Afghanistan after 9/11. That team included veteran, in at least one case I believe retired, CIA officers who had worked in, and developed contacts in, Afghanistan and Pakistan during the 1980s.

As the differences between open societies and closed societies remain stark, and may unfortunately become even more stark as closed societies clamp down, I suspect the HUMINT capabilities of the agencies of democracies will only increase.

There will be failures and leaks. These things are inevitable in any system that involves human beings. But thankfully they seem to be rare, and they're certainly not limited to the US. CURVEBALL was not a US asset; neither was the suicide bomber who killed seven at Camp Chapman.

And for its assets, the US and UK, and other democracies, offer something that Russia and China cannot: a secure and reasonably prosperous future in a nation that respects, and defends fiercely, the basic freedoms and rights of its citizens.

BoppingAroundJanuary 26, 2015 9:55 AM

Nick P,

> SEAL 6 and Red Cell anti-terrorism head Richard Marcinko said the same. He often called SIGINT garbage that they had to ignore to avoid getting killed.

Any chances he was lying?

Random,

> I bet they spend most of their energy just looking for "dirty" pictures and movies.

Snowden mentioned that in one of his interviews. Not sure about the amount of energy.

samJanuary 26, 2015 10:06 AM

@ Clive Robinson Re:Other nations of way way less monetary, physical or human resources have had to work not just harder but a lot smarter to keep worthwhile skin in the game.

Not sure why you insist on US being at disadvantage in HUMINT. US corporations can be found everywhere in the world. If anything the UKs are at a disadvantage due to their spoken tongue.

Clive RobinsonJanuary 26, 2015 10:35 AM

@ Rob1,

I will need to read it more thoroughly, but on skim reading the review appears to be comparing "eggs from the same chicken" rather than with other chickens or birds. Thus you would expect the very similar results, just as with "twins".

The clear indicator that something is wrong with FISC and the comparison courts is the success rate of over 99%.

The argument that this shows that only cases that are known to pass the court requirments are submitted is a nonsense, unless the court passes everything. Human behaviour is such that with any rule there are "edge cases" that may or may not be passed by the adjudicator of the rule, and thus people will try to push the boundaries to get edge cases through.

The success rate says that the number of edge cases is so small as to be statisticaly improbable. This means that if you discount the "always stay safe" rule, there are two cases. Firstly there are no edges of any consiquence and thus every thing passes. Or secondly the edges cases are so fine they don't realy exist and telling what will or will not pass is very very simple.

That is in the second case the edge case on the rule is like that of under age drinking, either you are above the age or you are below it, the edge case being a few seconds either side of midnight on the qualifing birthday where the arresting officers watch could be wrong.

Now personally when it comes to FISC rules I doubt very much they have such a narrow and clearly defined edge case. Further I doubt that those submitting to FISC will not take "a punt". Thus I can only conclude that the rule edges are such that everything passes them as far as the adjudicator is concerned.

Thus the only question is there a problem with the rules or a problem with the adjudicators? As the latter also make the interpritation of the rules up as they go along I can only conclude the problem is with the latter.

Based on this I can thus only conclude on the balance of probability that the FISC --and similar courts-- are in effect "rubber stamping" as had been suggested by several people.

Clive RobinsonJanuary 26, 2015 10:57 AM

@ Sam,

Err the UK akso has a significant number of international corps, and perhaps you don't know but the US and UK speak within reason the same language so your argument fails on you differentiation.

The reason the US has poorer HUMINT than the UK is one of choice, they chose the "high tech" route due to the political problems from the US citizens not liking the idea of US personnel ending up in prison or worse. Have a google around on Gary Powers and Vietnam. It's also one of the same reasons why the US is very pro "stand off weapons" such as cruise missiles and UAV's.

I'm not realy sure why people find this a contentious issue, the US has the resources and unlike others had more of a choice and they went down the technology route considerably more than the HUMINT route.

Nick PJanuary 26, 2015 12:22 PM

@ Rick

1. Might be the case. Yet, in Citizenfour, he says the same thing as his reason for handing everything over to journalists. Which is kind of retarded: Americans would trust bias of well-meaning, U.S. operator with U.S. secrets much more than competing nations' journalists with a pile of U.S. secrets. I still think he's just self-serving on that point.

4. We'll add it to the running list.

17. They originally said it was all about terrorism, not to be used for other things, and only metadata for U.S. citizens. Leaks show the opposite was true across the board. Leads one to wonder what actual goal is. Looking at what they collect, a new tool of control of Americans is most likely. British targeting journalists and social media are similarly motivated.

@ Daniel
(+ Corolla)

Good points. Didn't think about it outside the domain. It is enlightening to do so. A recent article at Cracked on hacking (by a hacker) pointed out something similar. He says most people he trains have no hacking experience and little computer experience. It's not necessary as web application vulnerabilities are just endless variations of the same thing that can be tested with semi-automated tools. So, I guess it's just good ROI for human assets to focus on script kiddies with good tools.

@ Clive Robinson

Good points. Especially on Cold War proving the value of HUMINT and U.S. burning their assets too much. The movie Body of Lies plays on that theme. Far as Cold War, do give us some credit as U.S. and U.K. largely won both WW2 and Cold War due to excellent use of spies. I particularly liked the guy that visited all the German fuel factories posing as a businessman and coincidentally each factory was bombed after a visit. All those tanks and trucks can't go anywhere without fuel. Smart move.

@ Skeptical
(+Rob1 on FISC)

re FISC

Ok, even if I accepted counter to rubber-stamping, they're still not a real court giving accountability. Let me explain how real courts work since FISC supporters have apparently never been in court or seen a news story referencing a trial.

Courts are part of the judicial branch. Per the Constitution, they're a check on the other branches with their own powers. They deter and punish crime via the possibility that, if caught, you may be fined, assets seized, imprisoned, and/or executed. Companies might be fined or seized. They also have a discovery process, warrants, and even police support to obtain your secrets and data to assess your guilt. Those accused can also challenge the procedures or evidence, argue for their innocent, and try to set precedents that lead to new procedures or case law. It's a two way process with access to relevant information, a presumption of innocence, and serious consequences for those found guilty.

Now, let's look at this other "court." It has real judges, they look at "warrants" (err, targeting criteria), and can tell them to rewrite those warrants so the paper says the right stuff. The judges don't have access to internal data, don't know whose actually plugged into the system, don't know how it's used, can't use police to investigate abuses, and further don't even fight for these rights. They only know what is on the paper and what few mere infractions NSA confesses to. If NSA violates the rules, they aren't fined, assets seized, imprisoned, or executed. Secrecy also lets them violate rules without court knowing anything other than they admit.

That's not a court. That's not accountability. You could get away with about anything under such circumstances. In a *real* court, NSA would've been ordered to cooperate with independent agents who search their operations, collect evidence on what they're doing, have IT experts review risks of potential abuse, have legal experts look for evidence of serious wrong doing, potentially order them to stop certain activities with judicial authority, potentially take a chunk of their budget with fines, and potentially imprison management for unlawful activity. It's not a real court, though, so NSA can just do what they want and make sure it looks good on paper.

I want a real court and investigators watching the agency wiedling the power to control the government in event of abuse. There's real courts handling about everything else.

re other countries

Certain countries do a lot of espionage, some do a little, and some don't do much at all far as I can tell. Levels of judicial corruption vary too. We've already seen with offshore havens the value of presenting an image saying "we won't screw with your money like other countries do." The market's response to the leaks show there's similar value for data havens saying "you're data is your data and nobody else's." I'd add consideration for warrants that make sense to reduce hostility from other countries. Iceland and Switzerland are currently trying to position themselves this way along with doing very little to no destructive espionage that I can tell and with strong laws backing their claims.

We'd be better off not being one of the data pariahs of the world.

re bulk surveillance

Every case that's been examined shows bulk surveillance of *Americans* had little to no impact. Massive power in secret hands and risk to democracy in exchange for almost nothing. I'm with Bruce that we should keep our civil liberties, let good investigators/intelligence do their job, and live with the fact that people occasionally kill people. They did pre-9/11, they did post-9/11, and they always will.

re North Korea

I agree Snowden doesn't understand how it ties into our strategy. He's too idealist to even consider the value of what was built for foreign collection. Although, I agree with him they go overboard there too.

However, the North Korea situation is relevant because they said preventing cyberattacks and terrorism are the main reason for what they're doing. They repeatedly mention North Korea among others. They *do* have time (read: equipment) to monitor all North Korean traffic with filters spotting unusual traffic or obvious attacks. If Mandiant could do it for dozens of companies and attackers, then the NSA can do it for one they watch steadily. That they watched them pounding Sony's network and did nothing is aiding/abeiting. (See a recurring theme where NSA is consistently helping the enemy for their own gains?) That they then leverage the attack for politican gain shows they gain more from successful attacks that make media than from stopping them. This has been true since 9/11, which led to drastic increase in budget and power.

Scarcy incentives. I'd rather they experience a small budget *cut* if they fail to prevent something and they were looking at it the whole time. I mean, they say bulk collection is what they need to stop terrorists. Fine those programs budgets for every failure until they become effective or get cancelled with an admission they're full of shit.

re FOXACID manuals

The ROE analogy is a good one. Didn't enter my mind. Between you and Daniel, I'd say my point is partly refuted. Refuted: use of script kiddies and manuals is worth mocking. Remaining: armies of script kiddies dominating the internet is still hilarious because it contradicted the future hackers envisioned. Well, some had more foresight but I wasn't among them.

@ GordonS

re cost/benefit analysis

You're changing my words into a strawman, then beating it down. Let's focus on what I actually said instead, yeah? What I said is the spying itself was doing *zero* damage far as anyone can tell. Thousands to tens of thousands in five main countries and 20+ SIGINT allies just doing their daily work. Then, Snowden leaks what they're doing, international outcry happens, and tens of billions are lost. Hence: Snowden is the reason for the damage. As usual, espionage in secret has little cost and espionage in public can have tremendous costs.

I then added that this is a recurring risk in espionage. So, even without Snowden, they might get detected due to a leaker. A journalist or foreign spy on top of that. So, the potential cost of detection must be weighed against whatever rewards come from collection. The Russians, French, Chinese, etc gain a ton financially and strategically from their collection efforts with mostly just griping when caught. So, it makes sense for them to continue. The Five Eyes' global dragnet hitting everyone everywhere? Not so much sense as the financial and political losses indicate.

On top of that, there's no such thing as OK. There's simply what people/organizations want to do, what they can get away with, and what they do from there. Foreign espionage is totally legal in U.S., even mandated. A certain amount of domestic espionage is as well. So, to NSA, those are "OK" because they're allowed to do them, ordered to do them, and will get away with doing them. See how the laws and incentives are the real problem? Gotta change them first.

re NK

See my claim at Skeptical above. We're actually somewhat in agreement about their incentives with NK.

@ waterbadger

Added to the list esp for the Yahoo chat line. Lol.

@ Clive re name

Cybergrunts immediately comes to mind because it's literally true. Yet, they might find that too endearing and feel like soldiers. To hell with that. Gotta use a different variation of your words.

@ BoppingAround

re SEAL 6 and Red Cell

The videos show how effective Red Cell's people were. Matter of fact, they were so effective at showing our vulnerability they were shut down. So, when their leader and a bunch of other operators all talk about how terrible SIGINT was in the field I listen.

But, I'd rather answer your question with another: any chances the NSA was lying about their effectiveness when billions in funding were on the line? ;)

GrauhutJanuary 26, 2015 1:13 PM

@Nick Any chances effectiveness was never a goal and all this NSA surveillance was and is just a psyop and job creation scheme? :)

albertJanuary 26, 2015 1:42 PM

You guys are killin' me!
.
I can't possibly keep up with all this information, opinion, and discussion. (I even read @Skeptical).
.
Forceful, yet reasonably civil discussion (with a few obvious exceptions).
.
Please don't try to reason with the exceptions.
.
Even though some of you are quite wrong, keep the discussions going. Well done!
.
Even though you're still killing me :)
.
I gotta go...
.
P.S.
@Bruce, your 'rogues gallery' of commenters must be unique on the Web.

Rolf WeberJanuary 26, 2015 1:52 PM

To those who still doubt that Snowden is a technical dumbass, I recommend you read his posts on Ars Technica. Even considering he was much younger than, this guy has no clue about crypto, no clue about networking, and no clue about systems.

I find this interesting because I wonder how such a clueless guy could steal bulk documents from NSA. I see only 2 explanations: Either NSA is/was very, very bad with its internal security, or he had help.

Dirk PraetJanuary 26, 2015 2:12 PM

@ Skeptical

You're thinking of a line by a very different man: News is something somebody doesn't want printed; all else is advertising. - William Randolph Hearst

I stand corrected on both phrasing and origin. This quote seems to be incorrectedly attributed to Orwell in many places. More to the point: freedom of speech and freedom of press means journalists and editors get to decide what "responsible journalism" is, not governments and their cronies.

... for some reason you seem to think that when the US passes a law against committing espionage against the US, this amounts to the US claiming that espionage is inherently unethical.

That's not what I said. If you have laws against something, then you don't want it to happen, irrespective of ethics or morality. And under the tenet "don't do unto others what you don't want others do unto you", it does amount to hypocrisy and double standards. The way you're phrasing it is nothing but wordplay.

What seems to be throwing you is the simple idea that nations act in their own interests ...

You're not getting it. Most, if not all, individuals, corporations and nations alike act in their own interests. That's why we have laws in the first place: to protect the weak from the strong. And I quote from the preamble to The Code of Hammurabi (1750 BC) : "... to bring about the rule of righteousness in the land, to destroy the wicked and the evil-doers; so that the strong should not harm the weak ..."

The one thing you are absolutely spot-on about is that countries pass laws or try to prevent the passing of others in their own interest. It's got nothing to do with equality, ethics or justice, but everything with self-interest. That's for example why China doesn't differentiate between military and economic espionage whereas the US does. That's why the permanent members of the Security Council refuse to give up their veto power. And that's why in international law there are so many grey areas.

FISC approval numbers are high mostly because the Justice Department writes and reviews the warrant applications, and quite simply they will not waste the time if they don't think the application will succeed.

Oh, come on. You're just repeating judge Reggie Walton's official but laughable reply to Senate Judiciary Chairman Patrick Leahy that the 99 percent statistic fails to take into consideration the fact that many warrant applications are modified or rejected before they are ever officially submitted. The approval numbers are so high because the FISC is not a trial court but one that mostly hears the government’s side only absent a defense of the target. Moreover, and by their own admission, they have no capability to independently verify any information provided to them. We also know that since the passage of the FISA Amendments Act in 2008, the court was no longer able to reject surveillance applications for failure to show probable cause. And if that isn't enough, the FBI et al can still use NSL's in the rare case an application is rejected.

Such a court belongs in China or Russia, not in a western democracy.

Section 215 played only a contributory role in several cases (and a critical role in only one case)

A somewhat meager result for a top secret, highly intrusive and controversial program, constitutionality of which is still under heavy debate. But we've been there before and I guess we'll just have to await the final outcome if and when one or more of the ongoing lawsuits (e.g. ACLU v. Clapper) makes it to SCOTUS.

Sancho_PJanuary 26, 2015 3:37 PM


@ Bruce Schneier

“Interesting. It was supposed to be a conversation, not an interview. So I should have had about half of the airtime. I don't know if I did, though.


You're right that I didn't interrupt Snowden, although I wanted to a bunch of times -- mostly when I wished he would make shorter comments.”

Yes, the “conversation” went very well but I put the word in quotes to highlight the depressing situation surrounding the talk.
The situation was absurd not for the big audience or far reaching electronic communication.
It was absurd for the person at the end of the line, living in self-destined exile, to flee the most powerful powers of the world.

You were discussing with a bright young man who gave up his life for his ideals, in full consciousness, to serve American freedom, reputation and history.

I think you were the first “well respected person” to do so frankly for ideals, not for sensationalism.

As always, one can feel the pressure in the first seconds of the talk, but suddenly Ed’s window to freedom, the “normal world”, was open for a couple of minutes.
My eyes ran wet when you had to close it again.
I felt as it was forever.

In terror not to get an open and fair trial, not being able to discuss controversial points side by side in angst any silencing action will happen?
Is this the land of the free, the country I love? (needless to say, I’m not American)

Sancho_PJanuary 26, 2015 4:10 PM

@ Nick P

FISC: “That's not a court.”
Thank you.

“Snowden is the reason for the damage.”
Keep blaming your nose for the bad smell.
Because Snowden is an American patriot the world has still some hope for America’s self-healing potential.


@ Rolf Weber

¿ And the NSA of the United States of America gave him their golden key ? Plus money ?
So yes, they must be really dumb dumbasses!
Hilarious, thanks!

BoppingAroundJanuary 26, 2015 5:00 PM

Nick P,

> But, I'd rather answer your question with another: any chances the NSA was lying about their effectiveness when billions in funding were on the line? ;)

That's a rhetorical one.
I'll look further into the SEAL 6 and Red Cell matters. Haven't heard anything about the latter.

Orange Line, Jonestown StationJanuary 26, 2015 5:48 PM

"a secure and reasonably prosperous future in a nation that respects, and defends fiercely, the basic freedoms and rights of its citizens"

Let's give skeptical a hand, because in a forum frequented by the sort of trained and liberally educated individuals to which this regime must appeal, skeptical dramatizes the glassy-eyed delusions of the regime and its apparatchiki like no one else. He never stops digging in deeper.

Now he puts his hand on his heart and gives us this little ad-libbed Pwedge of Awwegiance like a slow child in a Mississippi special-ed class. I defy you to find a North Korean this brainwashed. Skep wouldn't know a right if it wiggled up his urethra like a Candiru. He couldn't tell you the legal meaning of respect for rights, or its origin, if you took him to Camp Nama and put a power drill to his head.

This is your security state: dim-witted fanatics parroting a psychotic creed.

CarlJanuary 26, 2015 5:58 PM

@ Rolf Weber

That's a very plausible theory. I don't read that website because it started as an experimental, one-up'd by google later on, i hate sites like that, personally speaking, but I can imagine what you said is true of what he said.

If what you suppose is true, then there is a bigger problem, but maybe your theory was simply wrong. We have no way of knowing it.

Nick PJanuary 26, 2015 6:23 PM

@ Sancho_P

Again irrelevant to fact that he singularly caused the damage with the leak. It is possible to accept that fact and be glad he leaked the stuff. Personally, Im glad for all the domestic and subversive activity to be known.

@ BoppingAround

Read Rogue Warrior by Marcinko. Great book. Far as Red Cell, type it into Youtube to see videos of them laying waste to Naval security.

Dirk PraetJanuary 26, 2015 8:11 PM

@ Nick P, @ Sancho_P, @Rolf Weber

“Snowden is the reason for the damage.” / "Again irrelevant to fact that he singularly caused the damage with the leak."

Both parties are to blame. The NSA for creating the mess and Snowden for exposing it. But considering the NSA failed to properly assess Snowden's psychological profile, seemingly had very weak security controls in place allowing one man to collect and get away with such a trove of sensitive data and on top of that had no contingency plan in place, I'd still say the main cause of damage is the NSA itself. The damage being so huge in its turn is the inevitable result of a flawed doctrine that espionage is entirely legal until caught by or exposed to parties that are at the receiving end of it.

@Clive

... they chose the "high tech" route due to the political problems from the US citizens not liking the idea of US personnel ending up in prison or worse.

Spot-on. Probably also the reason why the US doesn't recognize the authority of the International Criminal Court (ICC) in The Hague.

We need a new term for these people to reflect the difference. Script drones?

I'm going with cyberhorns, as in greenhorns. When they get more proficient, they become cyberhornets. Those doing LOVINT can be called cyberhornies.

@ waterbadger, @ Void, @Scribat

I'd call them flickers

Which in Dutch is a rather demeaning word for gay men.

GweihirJanuary 26, 2015 9:31 PM

@Rolf Weber:

If Snowden is not really competent with regard to technology, that makes things worse on the NSA side: Because that would mean he stole their crown-jewels as a mere user or super-user, but not as a competent attacker at all. This would mean zero safeguards in place. And that is the agency that want any and all secret data? WTF?

Still, I do not buy it. I think Snowden has the typical self-education of somebody very bright that cannot build on enough formal education: incomplete, broad, non-systematical, sometimes astonishingly deep, sometimes surprisingly shallow. That does not mean incompetence, although a superficial analysis that mistakenly compares to a formal education in the subject matters can come to that conclusion.

FigureitoutJanuary 27, 2015 12:31 AM

It should be stated that being the subject of economic-based spying means that you have info a spier wants.

If it's "IP", that spier probably couldn't create it on their own, and won't be able to do much more w/ it besides selling some knock-off.

It's good to be the one being spied on, means you're probably leading the market now and people are trying to copy/steal your work, b/c you're superior to them.

Once everyone's spying on everyone and no one has anything new actually worth spying on b/c we've all stolen each other's ideas/products or we're all so focused on security instead of new actually interesting technology (technology being a word for all kinds of new advances, aka medical ones too), means we got a bunch of worthlessness all around.

Nick PJanuary 27, 2015 12:35 AM

@ Dirk Praet

Ok, mutual blame (esp for NSA's poor security) is a fair counter. My point was along the lines that many organizations have secrets or critical data with some trusted persons to protecting it. Further, security pro's often claim you can't stop a determined or resourceful enough attacker. So, it seems logical to push more of the blame for damage on the security violator that causes it.

That said, I think NSA took on way too much risk and should get some blame for *that*. Far as their mission, I blame voters and Congress for giving them free reign, secrecy, and immunity. Results were predictable. And then not doing crap about abuses. Disgusting.

FigureitoutJanuary 27, 2015 12:53 AM

Nick P
--You quoted above that the reasons for other gov't employees remaining quiet above atrocious abuses was the risk of being killed or having life ruined. Yet you think that citizens under that same gov't can't reason the same way and will stand up when it means high chance of destruction "for the goodness of others". You also stated in the past that you *don't* vote so aren't participating in our "democracy".

If it's fake, what's the point, eh?

And I'm having a hard time registering that logic, but ok...sounds like a grudge; continuously blaming others for problems, especially the public, will lead you absolutely no where besides "I'm right". You are the public lol; I have to tell myself that too sometimes when I say "god the f*cking public is dumb!".

WaelJanuary 27, 2015 1:09 AM

@Figureitout,

means we got a bunch of worthlessness all around.

Way too much of that. Such is the world we live in and deal with! Makes me want to change my stupid wish for super powers! Worthlessness is worse than mosquitoes. Best to ignore it, just like one with a sane mind wouldn't bark back at a dog. Easier said than done. Too bad!

samJanuary 27, 2015 1:23 AM

@ Clive Robinson

why do you assume US HUMINT is not as effective as the UKs? technology can only make them work better. oh, why did you talk about humint at all? i don't quite follow...

We need a new term for these people to reflect the difference. Script drones? Scriptcogs? Scriptborgs? What?

what's the point of flicking insults at those people? i fail to see how that accomplish anything. technology makes things easier for humans. it gave people tools, vehicles, weaponry, etc. thankfully they did not leave out human factor of decision making. what would you rather have full-blown automation, scripts just pick targets of their own so we can conveniently call them 'smart cyberweapons?'

FigureitoutJanuary 27, 2015 1:47 AM

Wael
Makes me want to change my stupid wish for super powers!
--Which in itself is...well...it's just a fantasy! lol I can't ignore something annoying like mosquitos now, tiny flies (I think called fruit flies, like little gnats) getting everywhere and in our pantry. One little f*cker got in my tea! *gasp* And my soup, I smeared its guts on the plate... :(

I can ignore it a lot better now that most active attacks have chilled out (well...), I was freaking out earlier. Others may have to experience it...it sucks! Let me tell you...

sam
--Clive Robinson isn't one to assume about anything IC-related, he kinda lives/breathes that stuff. Humans *can* be much harder to "hack" if they've got the proper mindset, training and practice. I have my questions about, an Israeli soldier (well 2 now), a "close" Chinese associate and another worker, some random Russians in public affairs (took a lot of pictures lol), etc. They can just play the "tourist card". It requires satellite surveillance of the known centers and then just watching everyone coming in/out. We know that in some ways these satellites are "jammed", I don't know how, when they pass over each other's territories. What I do know is we could read the date off a nickel in the 1970's from space.

OPSEC can render a lot of technology useless. A shielded bunker w/ strong verification and scrutiny, not going to get much from above, need a mole.

Nick PJanuary 27, 2015 1:56 AM

@ Figureitout

I don't remember saying citizens can't have the same reasons. Quite a few do and have stood up. Myself included. There are also many ways to participate in democracy other than casting a vote. I've worked on securing the vote, helped others understand where to cast their vote, pushed for candidates less likely to screw America, educated voters on all kinds of issues, and so on. Yet, when they filter the candidates down to two scumbags... I couldn't vote in conscience. That's the one thing that would have no benefit to democracy at all. If anything, I'd say I did plenty and it wasn't enough to have an effect.

Note: I'm going to try to vote in all the upcoming elections just as a favor to you, homie. And note how often scumbags in office was the result. At the least, you will be able to call me a participant in the democratic process.

re grudge

Who knows: it might be! The strange thing about you bringing this up over and over is that you assume I should act without feelings or even without using past experience in pure reason. That's ridiculous. I'm human like anyone else. I've lost much and was prevented from gaining a whole life's worth of shit by what Americans chose. Nothing I did, no wrongdoing others exposed, nothing they noticed... nothing led to action. They still, to this day, talk more about bullshit like football and what a celeb is doing while those who fought for them are rotting in prison, evading the law, fighting the law, or waiting for their door to be kicked in.

It's not like the Church Committee, Civil Rights Movement, or anything like that. There's been a small number of people taking real action that failed due to lack of majority support. Overall, people haven't given a shit past some gripes and everyone who does the right thing will suffer for that. Doing the right thing almost guarantees you no audience, market, or future. AND *no recognition* for doing that unlike many historical figures. Today's sacrifices are invisible outside a few. Because people don't care or do shit now.

I guess you think that's supposed to make me happy as I live dollar to dollar with no references and knowing any high assurance business I start = prison time & bankruptcy eventually. Probably. Who knows and American doesn't care... It doesn't make me happy: I fucking hate the people of this country that contribute to that situation even after their press shows them only evil came out of it. After all, they're paying and supporting my adversaries (and theirs). Hard to look at them as neutral, sensible, or anything else.

Maybe I'll try to do you another favor and not be pissed about the situation others are creating. Not making promises on that one: they make it worse and create more personal risk every year.

FigureitoutJanuary 27, 2015 1:58 AM

sam
--Oh forgot to point out, a Russian is in a rather large power plant company (they don't generate, just move it around...kinda weird company...). Just found it odd. The company views in real-time power consumption across a decent chunk of the midwest. May want to check him out (lots of military in the company too so..), could potentially be involved w/ some infrastructure attacks or price-setting.

gordoJanuary 27, 2015 2:01 AM

@ Nick P, @ Daniel, @ Corolla, @ Grauhut,

Training-up recruits for leadership of the next generation is also part the picture; expected. Yes, as in any field, the elite are that, and in time, they hone their own. Anecdotally, I’m reminded of meeting folks at CTF’s [capture the flag competitions] and security conventions who started out game hacking, e.g., in their teens; they’re a decade-, or well-into now, near-, if not six-figures (private-sector). My sense was that some were starting to get bored; restlessness; next-move/career-choices/management.

In my mind, the longevity of cautious, procedure-driven [which is common also in help-desk/help-desk-like environments], the longevity of cautious, procedure-driven manual recon work is a question of how much can be intelligently/safely automated before hands-on are required; it may also help to serve as a form of training. I suppose the issues on the defensive side are similar: alert volumes, analytic/disambiguation capacity/capability and safe-to-automate/scale-up kinds of issues.

Psyops being played for personnel budget $$$/job creation seems to imply a lack of oversight. I think they’re competing for personnel just like everyone else.

A few different perspectives/views on this bigger picture, necessarily incomplete, i.e., demand for high-end/boutique/consultancy experts; operators; hackers; engineers; and others; infrastructure; etc., and why specialization follows below.

=============================================

A critical element of a robust cybersecurity strategy is having the right people at every level to identify, build and staff the defenses and responses. And that is, by many accounts, the area where we are weakest. According to interviews conducted with Jim Gosler, NSA visiting scientist and founding director of the CIA’s Clandestine Information Technology Office, there are about 1,000 security specialists in the United States who have the specialized skills to operate effectively in cyberspace; however, the United States needs 10,000 to 30,000 such individuals. (p. v.)

Source:

A Human Capital Crisis in Cybersecurity
Technical Proficiency Matters
By Karen Evans and Franklin Reeder
NOV 15, 2010
Center for Strategic and International Studies (CSIS)
http://csis.org/publication/prepublication-a-human-capital-crisis-in-cybersecurity

=============================================

For audio that includes Mr. Gosler’s estimate and Christmas-in-July wish, see:

Cyberwarrior Shortage Threatens U.S. Security
Tom Gjelten
July 19, 2010
NPR - Listen to the Story [4 min 39 sec]
http://www.npr.org/templates/story/story.php?storyId=128574055

=============================================

NIST appears to have been tasked as a clearinghouse for workforce development:

National Initiative for Cybersecurity Education (NICE)
National Institute of Standards and Technology (NIST)
Last updated: January 20, 2015
Page created: May 11, 2010
http://csrc.nist.gov/nice/index.htm

=============================================

...there’s an interesting thread, from a different vantage point, on the Carnal0wnage blog, that also speaks to staffing issues:

People tend to focus on various areas as being important for computer security such as memory corruption vulnerabilities, malware, anomaly detection, etc. However the lurking and most critical issue in my opinion is staffing. The truth is, there is no pool of candidates out there to draw from at a certain level in computer security. As an example, we do a lot of consulting, especially in the area of incident response, for oil & gas, avionics, finance, etc. When we go on site we find that we have to have the following skills: 1.) ... 8.) … [with descriptions].


The problem with this? These people don't exist,** they are unicorns.

... - valsmith

** From later in the thread:

... we are approaching a point in which its not feasible to have as many full spectrum experts as we currently do and still be effective - C. Sanders


... how it would even be ‘possible’ to divvy up the work that would normally require a full-spectrum expert. - Dre

Initial post: also touches on low-bid contractors; cube farms; college recruiting; remote work; automation; team size/resource perception/use; SANS; CISSP; star-player cultivation; how much work one needs to do just to be decent

Follow-up posts: kinds of learners/types of intellects; company cultures; specialization (echoes of arguments over infosec as occupation or profession); nerd-culture/Manhattan project; exceptionalism; egotism/personalities

Source:

The Biggest Problem in Computer Security
Posted by valsmith
Thursday, November 1, 2012
http://carnal0wnage.attackresearch.com/2012/11/the-biggest-problem-in-computer-security.html

=============================================

A point similar to that made in the previous is by Dan Geer in his keynote at last year’s Black Hat Convention in Las Vegas:

The rate of technological change is certainly a part of it. When younger people ask my advice on what they should do or study to make a career in cyber security, I can only advise specialization. Those of us who were in the game early enough and who have managed to retain an over-arching generalist knowledge can't be replaced very easily because while absorbing most new information most of the time may have been possible when we began practice, no person starting from scratch can do that now. Serial specialization is now all that can be done in any practical way. Just looking at the Black Hat program will confirm that being really good at any one of the many topics presented here all but requires shutting out the demands of being good at any others. (para. 5)

Source:

Text: http://geer.tinho.net/geer.blackhat.6viii14.txt
Video [54:34]: https://www.blackhat.com/us-14/video/cybersecurity-as-realpolitik.html

=============================================

Also, an FYI for those so inclined, Mr. Geer posted a new speech earlier this month:

6 January 2015: T.S. Kuhn Revisited, keynote address for Secure and Trustworthy Cyberspace (SaTC) Principal Investigator's meeting, National Science Foundation, Arlington, Virginia

http://geer.tinho.net/geer.nsf.6i15.txt

. T.S. Kuhn Revisited
. "Does a field make progress because it is a science,
. or is it a science because it makes progress?"
. Dan Geer, NSF, 6 January 15

FigureitoutJanuary 27, 2015 2:38 AM

Nick P
--Alright, you dig in your heels instead of admitting a fault.

I don't remember saying citizens can't have the same reasons
--Me neither, you just continually bring it up that it's the citizen's fault. When there is not institution or any sort of coherence to stand up and make a difference. It's a sh*tshow; and let me tell you, you will be ostracized in the gov't for those views.

All the things you did (talking isn't enough whatsoever), not enough eh? Not even close, this is a huge country. You actually have to stick you neck out and commit. It's why I say starting local is an imperative for people seeking real change; be realistic. The bureaucratic machine is entrenched. Remember what I said? The FBI actually will join student political groups, isn't that nice? Just something to keep in mind kiddos.

RE: your grudge
--Uh, it's pretty obvious. I have a huge grudge on a certain subset of people that actually attacked me, you have one on nearly everyone (the public) that don't even know you. Everyone complains about people talking about football and kardashian butt; they do it I think b/c they can't handle a life so depressing, the reality. They will eventually, it already is for many; student loans. Sh*ts going to go down, just collapse and no one will be able to pick it up (like sewers/power/clean water).

And now you're making all these assumptions on me about dollar-to-dollar living, what the hell? It's the 1% that has the blame squarely on them, not the public that is just trying to live and not get thrown in jail in a building police state running out of criminals to chase.

F*cking wrong what I'm thinking, your last paragraphs. Think you're the only one going bankrupt? I got sub $1000 in my bank account and still live w/ mommy & daddy, want to talk about bankrupt? This house of cards is collapsing and people need to start prepping seriously for actual survival.

I said, get a job that's stable that you enjoy and are proud of and focus on supporting yourself and not giving away free product. And do the free stuff on the side.

gordoJanuary 27, 2015 4:49 AM

What will a future without secrets look like?

The line between public and private has blurred in the past decade, both online and in real life, and Alessandro Acquisti is here to explain what this means and why it matters. In this thought-provoking, slightly chilling talk, he shares details of recent and ongoing research — including a project that shows how easy it is to match a photograph of a stranger with their sensitive personal information.

Excerpt [@ 10:35]:

The way we are doing things now is not the only way they can done, and certainly not the best way they can be done. When someone tells you, "People don't care about privacy," consider whether the game has been designed and rigged so that they cannot care about privacy, and coming to the realization that these manipulations occur is already halfway through the process of being able to protect yourself.

- Alessandro Acquisti, Privacy economist

TEDGlobal 2013 · 15:00 · Filmed Jun 2013

Video:
http://www.ted.com/talks/alessandro_acquisti_why_privacy_matters?language=en

Transcript: http://www.ted.com/talks/alessandro_acquisti_why_privacy_matters/transcript?language=en

---

See also:

“People Are Not Very Good at Matching Photographs to People”
https://www.schneier.com/blog/archives/2014/08/people_are_not_.html

Dirk PraetJanuary 27, 2015 8:49 AM

@ Meh

I presume cases like Lynne Stewart does not belong in China and Russia but only in US' version of "democracy"?

Please re-read my comments. Like a lot of other people, I have serious questions about the way the FISC operates. I didn't compare the entire US judicial system to its Russian or Chinese counterparts. For what she was convicted of, Stewart would probably have gotten the death penalty over there.

WaelJanuary 27, 2015 8:50 AM

@Fgureitout,

One little f*cker got in my tea! *gasp* And my soup, I smeared its guts on the plate

That's pretty funny! I laugh everytime I read it :) I needed that, good way to start the day ;) Welcome to the "tea" club! @Clive Robinson will fill you in on the protocols!

SkepticalJanuary 27, 2015 11:21 AM

@Dirk: More to the point: freedom of speech and freedom of press means journalists and editors get to decide what "responsible journalism" is, not governments and their cronies.

We agree, although I would state it differently: freedom of expression means that we allow both good and bad, responsible and irresponsible, journalism.

That's not what I said. If you have laws against something, then you don't want it to happen, irrespective of ethics or morality. And under the tenet "don't do unto others what you don't want others do unto you", it does amount to hypocrisy and double standards. The way you're phrasing it is nothing but wordplay.

No, hypocrisy doesn't mean that you violate the "golden rule."

Hypocrisy means that you engage in the very conduct which you are condemning. But nations quite clearly do not condemn all espionage. That's why there are laws, funds, institutions, honors, etc. all supportive of certain types of espionage, even while there are penalties to deter and punish other types of espionage.

One might make an analogy to lawyers and diplomats. A lawyer's job is not to do unto parties other than his client as his client would want other parties to do unto him. A lawyer's job is to represent his client's interests, including by doing things that his client would not want to be done to him. One can make similar analogies to negotiators of a trade treaty, or diplomats generally: they do not follow the golden rule, and indeed it would be a gross violation of their duties if they did.

You're not getting it. Most, if not all, individuals, corporations and nations alike act in their own interests. That's why we have laws in the first place: to protect the weak from the strong. And I quote from the preamble to The Code of Hammurabi (1750 BC) : "... to bring about the rule of righteousness in the land, to destroy the wicked and the evil-doers; so that the strong should not harm the weak ..."

Was Britain wrong to conduct espionage against Germany in the 1930s, while retaining the right to prosecute those in Britain who spied on behalf of Germany?

Was the US wrong to conduct espionage against the Soviet Union in the late 1940s, while retaining the right to prosecute in the US those who spied on behalf of the USSR?

The international system is a self-help system Dirk. That means that there is no governing authority above nations with a monopoly on the use of force that will enforce any law. It means that each government is ultimately responsible for its own, and, in the case of democracies, that governments act as agents of their respective nations in the international arena. There is no elected international government who will come to your rescue if your security as a nation is threatened or violated.

For that reason, states conduct espionage on one another. From a security vantage, international law is about as potent as eloquent speeches and cultural exchange programs.

The one thing you are absolutely spot-on about is that countries pass laws or try to prevent the passing of others in their own interest. It's got nothing to do with equality, ethics or justice, but everything with self-interest. That's for example why China doesn't differentiate between military and economic espionage whereas the US does. That's why the permanent members of the Security Council refuse to give up their veto power. And that's why in international law there are so many grey areas.

It has to do with all those things, actually. National security is important in large part because it enables us to live in systems that accord with our ethics and values.

What type of international system would you prefer instead that is currently feasible? We don't live in a world where all governments, or all peoples, share the same conception of justice and fairness.

Oh, come on. You're just repeating judge Reggie Walton's official but laughable reply to Senate Judiciary Chairman Patrick Leahy that the 99 percent statistic fails to take into consideration the fact that many warrant applications are modified or rejected before they are ever officially submitted. The approval numbers are so high because the FISC is not a trial court but one that mostly hears the government’s side only absent a defense of the target.

That my reasons match the explanations given by the federal judges who actually sit on the FISC and make the decisions we are attempting to explain is a mark in favor of those reasons, not against them.

As to your alternative explanation, every search warrant, wiretap order, and subpoena (and the last is usually not even examined by a court) is approved without the target of the investigation present to argue differently.

Moreover, and by their own admission, they have no capability to independently verify any information provided to them.

Nor does any court when asked to approve an application for a search warrant or a wiretap order. They rely on the affidavits given in the application.

The US doesn't have an inquisitorial legal system, but rather an adversarial legal system. Judges don't conduct their own investigations.

We also know that since the passage of the FISA Amendments Act in 2008, the court was no longer able to reject surveillance applications for failure to show probable cause. And if that isn't enough, the FBI et al can still use NSL's in the rare case an application is rejected.

You're confusing different things. The FAA, among other things, changed the standard required to show that a target of electronic surveillance is not a US Person with respect to electronic surveillance of persons outside the United States. In such instances, the FISC just approves the minimization procedures proposed by the government.

Where the FISC issues an order authorizing electronic surveillance or physical searches of persons within the US, however, the standards have not changed.

National Security Letters can be used in certain circumstances to acquire the same items which a grand jury can acquire by subpoena: business records, financial records, etc. Electronic surveillance is quite different, and cannot be undertaken via a NSL.

SkepticalJanuary 27, 2015 12:02 PM


@Clive: The success rate says that the number of edge cases is so small as to be statisticaly improbable. This means that if you discount the "always stay safe" rule, there are two cases. Firstly there are no edges of any consiquence and thus every thing passes. Or secondly the edges cases are so fine they don't realy exist and telling what will or will not pass is very very simple.

You're failing to consider a possibility, the actuality of which deals with your objection.

As has been reported, there is discussion regarding a proposed application between the government and the FISC's staff before the application is finalized. There is also discussion between the court's staff and the judge who will hear any final application, and the FISC staff may of course communicate the judge's thoughts to the government. This is all before any final application is made to the FISC.

So what happens? The edge cases you're talking about, cases where even the long experience of the Department of Justice in matters before the FISC is insufficient to indicate whether an application will be approved, are given additional clarification before the final application is made. Either the application is modified to meet standards, or the final application is not submitted.

As a result, very few final applications are made to the FISC which do not meet FISC's approval.

So to make an analogy, this is a bit like the fact that an editor approves a final draft, which might follow rough drafts that were changed to meet his specifications and according to his feedback. That doesn't render his approval of the final draft a rubber stamp.

The reason the US has poorer HUMINT than the UK is one of choice, they chose the "high tech" route due to the political problems from the US citizens not liking the idea of US personnel ending up in prison or worse. Have a google around on Gary Powers and Vietnam. It's also one of the same reasons why the US is very pro "stand off weapons" such as cruise missiles and UAV's.

Your conclusion about the relative quality of UK and US HUMINT is based upon Gary Powers and Vietnam? Quite a few assumptions between your evidence and your conclusion.

TõnisJanuary 27, 2015 1:17 PM

I thought the video discussion was excellent. I wanted to mention one of Snowden's excellent points which I wish he and others would stress more emphatically. It was around twenty-eight minutes into the discussion when Snowden noted that intelligence agencies had intercepted and kept journalists' communications, and he questioned (rhetorically), "Why?" Well, the reason why is because these government acts are to a very small extent about stopping "terrorism" and to a great extent about controlling the people and perpetuating the power of a ruling class of financial and political elite. This cannot be overstated.

I'm also noticing a lot how people in online discussions are arguing for back doors and opining that it's okay to compel one to reveal a password "so long as there's a warrant." I maintain that it's not okay. As Snowden pointed out, the FISA court is a rubber stamping authority for the government. From the sheer number of warrants approved and by the miniscule amount denied it's clear that the warrant process is there to give the government's spying and other police state activities some semblance of lawfulness. Even with regular judges in legitimate Article III courts the rubber stamping of warrants, the routine giving to law enforcement of anything it asks for is a big problem. Technology, "terrorism," or any other purported "complication" of the modern world does not negate the Framers' wisdom when it comes to the Constitution/Bill of Rights and state constitutions. Americans should brush up on their civics. One cannot be lawfully compelled to give up his password or otherwise help the police gather evidence against him despite what government sophists might opine to the contrary. Attorneys in black dresses who rule against the Constitution are not acting lawfully. They are guilty of sedition and are enemies of the American people.

RickJanuary 27, 2015 4:55 PM

@ Tonis,

I would largely agree that a defendant in a US court forced to provide a password would violate the 5th amendment of the US constitution against self incrimination. However, these cases have historically gone both ways:

http://www.outsidethebeltway.com/suspect-ordered-to-provide-decryption-password-a-fifth-amendment-violation/

And then there's this, too (note the 5th amendment mention):

http://blog.m2sys.com/comments-on-recent-biometric-news-stories/impact-recent-court-order-request-unlock-iphone-biometrics/

Sancho_PJanuary 27, 2015 5:25 PM


@ Nick P, Dirk Praet, re: Snowden the reason for the damage ?

Nick, let me try again, last time (I promise ! ), and take it to your technical world:

Imagine there is a software suit we all trust in, because the vendor / publisher is highly reputed, more than Microbrain and the others are.
I know - but just assume!
We use that software suite for our business and private stuff, day in day out.
We love it!
But:
A damned hacker, who wants to know how this incredible proprietary sw works, starts, against the EULA, against the law, against all warnings, to disassemble.
And encounters a pile of shit.

Without the user’s knowledge, the company’s sw abuses our data to make money, localize and create “suspects”, twist the law, create extra business, educate and support terrorists to later fight them, keep us vulnerable, silence critics and make fun of our private life.
Not by accident, intentionally by spyware.

The hacker goes public, an uproar follows, the company is in deep trouble.

OK, what caused the damage to the company, their regrettable conduct - or the hacker who brought it to light?

I understand the reason / cause as being the root of the issue, not that or how we learn about it.


In case of Snowden I’d bet if he felt comfortable with the conduct of the NSA we wouldn’t have heard any tone.
As well as he would have had the “feeling” it’s a (minor) flaw that could be corrected internally, without pressure from outside.

- The latter hurts me personally the most.
It indicates feedback isn’t working, the loop is out of control, we are just waiting to blow the fuse.

TõnisJanuary 27, 2015 5:41 PM

@Rick, yes that's government sophistry. That's why I said that one cannot lawfully be ordered to do so. The same thing happened in Massachusetts recently, same absurd arguments ("foregone conclusion," key vs. combination, etc.) and rulings from the government (police and judge). These judges are guilty of sedition for making rulings that violate the constitutions. The entire argument that an accused can be compelled to unlock with a key (but not a combination) is absurd. An accused has the right to remain silent, yet the judge is saying he can be ordered to do other things, to unlock doors, help the police, etc.? Sure, he can "ordered" to do anything. It can even be "ordered" that he be sent to a concentration camp. But not lawfully. These judges are in rebellion against the the states' and federal constitutions.

Another point often conflated all over the place is the fifth amendment right not to have to witness against oneself and the "privilege" not to have to witness against someone else (lest it incriminate the witness). The former is the absolute right not to have to witness against oneself in any criminal proceeding. The latter is a privilege that can be overcome by various means (grants of immunity, etc). Of course, the attorneys in black dresses have twisted unlocking with a key and even with a password in some of these cases into "non-testemonial" (i.e. "It's not witnessing.") Sophistry! They with their legal perversions are enemies of the constitutions and the American people.

SkepticalJanuary 27, 2015 6:39 PM


@Sancho: I agree with part of your comment and point, but I think Nick may have the better of the argument.

Let's say:

A = collection programs of US and allies that involve US tech industry
B = Snowden's conduct (i.e. revealing A to the public)
C = publicity about A
R = damage to US tech industry

Here, A and B are both necessary, but not individually sufficient, conditions for C, which causes R.

In other words, AB -> C -> R (where AB means "A in conjunction with B", ie Boolean multiplication, or a logical AND, if those are useful points of reference, and "->" means the verb "causes.")

Nick's point is that Snowden seems to say A -> R, as though it were simply the existence of the programs (A) that causes the resulting damage (R). And since A causes R, we shouldn't do A (Snowden seems to be saying in this argument).

But Snowden's claim is false because it omits the necessity of his conduct (B) to the existence of R.

That's important, because the argument Snowden wants to make is "these programs are bad because they harm American industry."

There are lots of matters which, if revealed to the public, would do harm to the US, to its allies, to individuals abroad who risked life and limb (perhaps more) to help the US and its allies.

But that doesn't make all those matters bad in themselves. For instance, let's say that the US were receiving information from persons in territory controlled by ISIL. Hell, let's say from people inside ISIL's organization. And then let's say this fact is revealed, along with the names of those people.

Result? Bad for the US (loss of intel, loss of some credibility in other intelligence operations), bad for those people named, bad for anyone with a stake in ISIL being defeated. But the actions revealed weren't wrong in themselves. Only when combined with the public exposure do they result in harmful consequences.

To generalize the original diagram, let

X = any secret activity.
B = exposure to the public (via whatever means you like)
C = publicity about X
R = negative consequences

That XB -> C -> R does not mean that X is bad in itself. To make that claim, you have to look at what X actually is and what it involves. It's not enough to just point to R.

So, sure, maybe A is bad policy in itself (in itself i.e. unethical, ineffective, or not cost effective).

Or maybe A might be a good policy if you could reduce the risk of B to some sufficiently low magnitude, but because the risk of B is >= a certain magnitude, A is a bad policy choice.

And those are both arguments that have been made about A (Schneier in particular has emphasized the latter). But the specific argument Nick highlighted in Snowden's comments which I describe above? That one doesn't do it, unless you want to claim that no activity should be (or alternatively can be) secret.

BuckJanuary 27, 2015 7:36 PM

So, when should we expect to start seeing these supposed harms to American Industry? U.S. governmental agencies have seemingly double-downed on their purchase of such services, and my understanding is that there are no current plans to slash the budgets of said agencies anytime soon... Heck, the iPhone wasn't even sold in China until after Snowden! World governments have seen a glimpse into the extent of the U.S. surveillance apparatus, and they love it and want some of that action for themselves too...

Nick PJanuary 27, 2015 7:38 PM

@ Skeptical

"That one doesn't do it, unless you want to claim that no activity should be (or alternatively can be) secret."

Bingo. A recurring theme in his arguments (except his latest comment).

@ Sancho_P

That's a good comparison except it leaves out two things: consumers almost exclusively demand shit and their laws force the inclusion of even more shit. Throughout IT history, there have been many upstarts that created more private or robust hardware, OS's, languages, services, and so on. Consumers usually bought cheap, fast, buzzword-laden shit from sneaky companies instead. Now, the market is full of shit disguised as great software because most doing the opposite go bankrupt or don't make enough to compete with turd polishers. Intel and HP, for instance, have pissed away $80-100 mil on their NotShit processor and ShitFree messaging apps are getting well under 1% of the market. Consumers surveyed often either know or suspect their product is shit underneath, esp after reading a shit-centric EULA. Yet, the market always moves for more shit.

The other side is the National Shithead Administration and Federal Butthole Inflamers that can legally (and secretly) push shit into products. Voters with shit between their ears encouraged or tolerated this practice despite leaks that NSA and FBI were flinging shit in inappropriate directions. Congress, a supplier of premium [bull]shit, also tolerated these practices. So, implicitly, both the voters and Congress demanded a steady increase of shit forced into their products and services.

Now, back to your metaphor. A hacker finds shit in one vendors' product, then publishes the result. The smell makes a lot of people run from that vendor: right into others in the domestic or foreign shit peddling business. That one vendor (or other hacker targets) looses a bunch of money. In the end, they take a lot of damage, shit peddling moves full steam ahead, consumers keep buying shit of all sorts, and it's still the hacker that published the shit.

I still blame the hacker. And everyone wanting shit in *our* machines. The shit-peddlers are only doing the rational thing in a country demanding and/or mandating more shit everywhere. The demand side needs to use their brain matter to demand a more hygienic world. Hackers publishing the stuff anyway are simply shitheads that could be doing better things with their time. Unless, as with Snowden, there was evidence of unauthorized shitheadry: that by itself should be published.

Nick PJanuary 27, 2015 8:14 PM

@ Buck

That article was a combination of a laugh and "wtf!?" I left a sharp critique in their comments. Here's some of my favorite parts:

"but the CIA’s acceptance of commercially developed cloud technology “has been a wake-up call” to those who balk at it, according to John Pirc, a former CIA cybersecurity researcher who is now chief technology officer at NSS Labs, a security research firm. "

“To me, this removes the clouded judgment that cloud isn’t secure. Their moving forward with this should send a message to the rest of the industry that cloud is something you shouldn’t be afraid of.”

An agency notorious for buying insecure software and hardware buys something with extra layers of unknown risk. That's "a wake up call" that what they buy is trustworthy enough for the rest of us. Where did he learn about security arguments?

" Being able to have that compute power, something that might have taken a couple of hours might instead take a few seconds. Profits aren’t lost when you make mistakes in the intelligence community—people die when you make mistakes.”"

Works both ways: cloud services are famous for serious downtime popping up out of nowhere. Now it might kill people. Yay.

"Think of it as the intelligence community sharing information behind a walled castle apart from the rest of the world operating on the Internet. "

Ah, now we have a *real* castle metaphor. With all the problems Clive illustrated a while back.

"agencies to securely discover, access and share information. The goal: greater mission success."

"The Defense Intelligence Agency and National-Geospatial Intelligence Agency have piloted shared desktop capabilities across their agencies for several thousand users. Those capabilities eventually will spread throughout the IC. "

I'm sure spooks reading this agree how important these practices are for mission success: embedded Chinese or Russian spies are likely filling out sys admin applications as I type this.

Dirk PraetJanuary 27, 2015 8:15 PM

@ Skeptical

Hypocrisy means that you engage in the very conduct which you are condemning. But nations quite clearly do not condemn all espionage.

Exactly. They condone espionage on others while condemning espionage against themselves. And that, if nothing else, is a violation of the golden rule. Ideally, the world would have clearly defined international law and an international court with the authority to judge on individual cases. But that's probably never going to happen because, as you say, there are just too many nations - especially the powerful ones - acting in their own interest only and who have nothing to gain from a disturbance of the status quo that would expose their dirty laundry.

Was Britain wrong to conduct espionage against Germany in the 1930s, while retaining the right to prosecute those in Britain who spied on behalf of Germany?

Careful: Godwin's Law !

From a security vantage, international law is about as potent as eloquent speeches and cultural exchange programs.

Finally something we can agree on, and impotence thereof to be blamed exclusively on those that keep putting their own interests in front of those of the global community.

National security is important in large part because it enables us to live in systems that accord with our ethics and values

Then what about the ethics and values of others ? A world leader as the US claims to be aspires to reconcile different ethics, values and interests, not impose its own. There's a subtle difference between true leadership and the pursuit of world domination.

That my reasons match the explanations given by the federal judges who actually sit on the FISC and make the decisions we are attempting to explain is a mark in favor of those reasons, not against them.

You must be joking. It makes them all the more suspicious. Anyway, what several others and myself have been arguing is that a secret court that hears only one side of a story and has no means to verify it in any way, for all practical purposes is not a real court but an aberration. Even the Babylonians had already figured that out some 3,800 years ago. So let's just stick to Occam's razor for as far as the 99.9 success rate is concerned.

You're confusing different things...

Maybe I should have added that what I said applied to persons "reasonably believed" to be outside the United States. You may have noticed that my perspective in most of our discussions is that of a non-US citizen living in Europe and who under US surveillance law in practice has about as much rights as live stock.

Electronic surveillance is quite different, and cannot be undertaken via a NSL

Feel free to differentiate between surveillance and electronic surveillance. The fact however remains that NSL's under 18 U.S.C. § 2709 as expanded by PATRIOT Section 505 are being served on communications service providers like phone companies and ISP's, allowing the FBI to secretly demand data about ordinary American citizens' private communications and internet activity without any meaningful oversight or prior judicial review. Which for some cases may still come in handy if a FISC application is rejected.

Nick PJanuary 27, 2015 8:50 PM

re Citizenfour documentary

This news report describes much of what's in it for those who haven't seen it. It also puts it in context of other leakers, fills in some gaps, and adds Snowden's interesting personal background.

Bong-smoking Primitive Monkey-Brained SockpuppetJanuary 27, 2015 10:31 PM

@Skeptical,

B = Snowden's conduct (i.e. revealing A to the public)

If you removed "to the public", it'd be more accurate since there is an overlap between event 'B' and event 'C', the way stated above. In other words, event 'B' and event 'C' aren't disjoint, in which case 'B' and 'C' may sometimes be the same event. And that would lead to XB -> C -> R being simplified to XB->R.

Keep in mind that "publicity" means: Something that attracts attention of the public. You may also need to define attribute 'D' to denote that what Snowden revealed is worthy of public attention, which is also a necessary condition for 'R'. You may then want to explain "why" it's a matter of interest. I think that would make your description more granular.

I like your breakdown and analysis. Now apply it to the other side, and tell me what you think ;)

Clive RobinsonJanuary 28, 2015 3:38 AM

@ sam,

Oh, why did you talk about humint at all? I don't quite follow

HUMINT feels the pulse on the ground and gives strong indicators of future direction. Most other types of intel don't.

To see why this might be a problem, watch a 24Hour News Channel with both sound and subtitles off. This is in effect the world view you get with satellite technology sensing. Now with the same 24Hour News Channel just listen to the sound, that's what HUMINT brings to the party as the first step.

HUMINT is also like being the priest in the confessional, you get to hear peoples inner thoughts.

Whilst other forms of intel might tell you that a secret facility is in the process of being built HUMINT would have told you it was going to be done months if not years before that.

Further images of construction work don't actually tell you very much, take the NSA facility at Bluffdale Utah or the GCHQ facility in Cheltenham, what do the aerial photos actually tell you? Actually not a lot, it just gives rise to a lot of possibilities. HUMINT however tells you way way more long before resources turn up on site.

As a real example North Korea had a nuclear reactor for making plutonium. Now plutonium is not realy an ideal nuclear material, enriched uranium is better in many ways. The reactor was decommisioned as part of a deal with the US where the US were supposed to supply alternative energy sources but found reasons to weasle out after the decommissioning. The US assumed from non HUMINT intel that the buildings were nolonger being used for nuclear material production. Shortly after Stuxnet broke onto the world news, the NK government took the UN inspectorate to the building and to his utter suprise saw thousands of centrifuges for uranium enrichment. What has subsiquently become clear is that whilst the US knew --long prior to stuxnet being developed-- from HUMINT passed to them by another nation that NK had through "The father of Pakistan's bomb" A Q Kahn aquired centrifugal technology --originaly stolen from European research-- and were also well aware from HUMINT from another nation that NK had a technology exchange going with Iran, the US were effectivly blind to the "what, how and where" of the NK enrichment program. The NK authorities made it abundently clear to the UN inspector and thus the US that Stuxnet had failed to have any effect on them as they had gone down a very different path for their control systems. This was probably quite a blow to the US as it has been sugested and partialy confirmed that the "real go" on Stuxnet from the US perspective was not Iran but actually NK, Iran was seen as the partialy open end of a path into the closed NK due to the technology swap. Any damage to Iran was more of a concern to another nation, who we know due to indiscretion of one of their senior IC members was very much involved with Stuxnet and in effect outed the US involvment and target interest.

Thus whilst other forms of intel give you a skeleton view which you can flesh out in many ways, HUMINT can put the real meat on the bones....

Oh as for the "offensive names" contest, look at it this way, if the general perception of the NSA work is likend to the less desirable self pleasuring traits of certain spieces of the smaller monkey families talented people are much less likely to consider working for them. This is not just "negative propaganda" because the NSA will over time get starved of such resources and will have to "contract out", and the nature of contractors is that to be successful and robust as businesses they need many clients thus the oportunity for such information to leak goes up significantly, which if you think about it has been the major HUMINT resource for those trying to look into the activities of the "Puzzle Palace".

Sancho_PJanuary 28, 2015 5:45 PM


@ Skeptical, (Nick P)

Holy crap!
What a sophisticated dribbling around the simple fact that what was revealed by Snowden was wrongdoing.

Nick’s argument ”I still blame the hacker” is honest, but his repeatedly blaming the victim(s) for being exploited by uncontrolled national capitalism was never to be understood as an excuse for the bulk surveillance.
On the contrary, I understood Nick as opposing surveillance (at least against Americans).

Skeptical, I doubt your point that Snowden wants to make the argument that ”these programs are bad because they harm American industry.”
- You are once again twisting words and sense to fit your agenda.

Snowden is a patriot but not a pure capitalist, on the contrary.

And I don’t think it makes any sense to search and compare arguments in favor or against the revealing, like collecting stamps or butterflies.

Point is the hidden bulk collection programs are wrong - and dangerous.

Would have any POTUS after 2001 publicly said:
“Americans, we have to collect and store all your private data, from mason to journalist, lawyer to judge, student to politician, meta and content, telephone and Internet, all your ID’s, credit card, money transfer, pictures, videos, whatsoever is spoken or written, forever, - no place to hide, we need it to keep America safe!”
and it would have been commonly agreed on
then the Snowden revelations would have to be seen in a very different light.

That’s another example that secrecy is wrong and was used to hide wrongdoing [1] .


BTW: The direct damage to the US tech industry is minor, it's just (fake) money.
The real damage is the loss of moral leadership, the bankruptcy of western ideals.
This is NOT a direct harm from the NSA programs, it is caused by the USG’s official reaction, including SCOTUS.


Re: HUMINT

Espionage / eavesdropping on friends, partners, even competitors, is wrong.
However, a declared state of war / aggression transforms normal life into a battlefield. Espionage as action of war is better than killing hundreds, even enemies.

HUMINT is at the border of espionage and may be, if done ethically, acceptable even between partners - if both are basically aware of such connections.
It could be a stabilizing factor and a sign of mutual respect, though.
(The wife of my friend may count as an accepted spy, my wife too ;-)

When @ Clive Robinson stressed the invaluable importance of HUMINT he’s right, this is the only form of information pre-interpreted by a human (intelligent) sensor, it is pre-filtered, completely different from a translation of intercepted communication of (e.g. Somali) dialect from other cultures. The translated word is fact but maybe dead wrong, whereas HUMINT gives a much broader picture in context.

However, the worldwide perception of Americans make HUMINT nearly impossible for their native flag riders, I’m with Clive at this point.
Needless to say it gets worse with nearly every news of dishonest conduct within USG.
Let’s face it:
Nowadays a US passport isn’t necessarily a ticket to a hearty and honest welcome.


[1]
It seems you both have issues with my statement “secrecy is wrong”.
To be clear:
When secrecy hides wrongdoing then secrecy is wrong.
Most of the time secrecy is used to hide wrongdoing (cowardly or criminal).
“Secrecy” == “Alarm”
When you prepare a birthday present for your mom in “secrecy” that’s not wrong, however!
Easy, isn't it?
Also there is a huge difference between secrecy and privacy, at least in my mind.

@ Nick P: Thanks for the link “Filling the blanks …”
The truth always comes to light, no matter how encrypted it was.

Sancho_PJanuary 28, 2015 5:56 PM


Err, it seems we need a first amendment to the POTUS request:

(1) “And, folks, to be clear, you can’t use encryption anymore, we want to understand content.”

Dirk PraetJanuary 28, 2015 7:25 PM

@ Nick P

The shit-peddlers are only doing the rational thing in a country demanding and/or mandating more shit everywhere.

I must admit that I almost pissed myself laughing reading your shit rant (twice). One of the funniest comments I've read in a long time on this forum, while at the same time making some really good points. A combination of subject matter knowledge and expertise, intellectual prowess and a keen sense of humour really is what makes commenters like yourself stand out from the rest of the crowd. I do hope @Moderator accomodates @Wael's suggestion from last Friday's Squid blog to add a statistics box and some voting functionality as well as an additional category "funniest contribution".

@ Sancho_P

It seems you both have issues with my statement “secrecy is wrong”.

So do I. It's way too close to "if you're not doing anything wrong you have nothing to hide". There's plenty of good reasons for indviduals, corporations and governments alike to have secrets without any wrongdoing or foul play going on. But that's an entirely different debate.

BuckJanuary 28, 2015 8:56 PM

@Sancho_P

BTW: The direct damage to the US tech industry is minor, it's just (fake) money. The real damage is the loss of moral leadership, the bankruptcy of western ideals.
This is NOT a direct harm from the NSA programs, it is caused by the USG's official reaction, including SCOTUS.
Yeah, that's pretty much what I was thinking... The affects on industry won't be readily visible 'till twenty or thirty years down the road when "brain-drain" really starts to become a pain in the @$$.

Ironically (or not) enough, after a generation or two, this will be greatly beneficial to American HUMINT (networks to fight networks)... Interesting times indeed!

Nick PJanuary 28, 2015 10:49 PM

@ Dirk Praet

I appreciate the compliment. Glad to make people laugh instead of shout on occasion. ;)

DanielJanuary 29, 2015 12:56 AM

@skeptical

The flaw in your logic is your assumption that all secrets are equally likely to be shared with the public. That's false. Snowden is correct that A_>R because if it wasn't Snowden it would have been someone else. What the USA was doing/is doing was too massive to have been kept hidden. Now, I'll accept the fact that there are specific programs that Snowden revealed that might not have been revealed so soon.

There were lots of leakers before Snowden and some who were in fact actual spies for other countries working in the security apparatus. The security agencies as a general matter overestimate their ability to keep secrets. So the counterargument doesn't reduce to "no secrets". It reduces to "some secrets are more secret than others."

Wesley ParishJanuary 29, 2015 5:37 AM

Well, what more is there to add? @Skeptical, I thinka possible answer to your comments on US HUMINT after teh Second World War might be found in the fiction of one Dr Paul Myron Anthony Linebarger aka Cordwainer Smith, propagandist extraordinaire aka Psychologica War Expert. For what it's worth, he was one of the US' assets in China following the Japanese invasion of 1937, and so had quite a picture of what was happening.

Judging from the viewpoints of his major characters, such as Elaine, the Hunter, Jestocost, Crudelta, the Lady Goroka, etc, he loathed the then-prevalent (Western) Eurocentric (Jim Crow below Mason-Dixon) attitude the US intelligence agents took with them. (Need I say that the 1930s was a decade of suspicion towards immigrants from Eastern Europe? The (in)famous "Polish joke" is a legacy of that.)

One of the most important personal characteristics a HUMINT agent can have is empathy. This point Linebarger makes in Psychological Warfare, which is not admittedly, about espionage as such. But the ability to put oneself in another's shoes is as vital for HUMINT as it is for Psychological Warfare.

I think perhaps you should read Wildred Burchett on the Vietnam War to understand just how badly the US mismanaged that war. He reported it from the Viet Cong perspective, but I suspect he was closer to reporting the average South Vietnamese than anyone other than Thich Nhat Hanh in his book Vietnam: Lotus in a Sea of Fire.

Wesley ParishJanuary 29, 2015 5:48 AM

Re Wilfred Burchett,
Vietnam: Inside Story of the Guerrilla War. New York: International Publishers, 1965. 253 pp

That's the title I was trying to remember. His comments on the Strategic Hamlets provides a chilling view of the differnce between the American view of what was necessary to win, and the Gulag Solzhenitsyn write about. In a phrase, none whatsoever.

SkepticalJanuary 29, 2015 6:19 AM


@Bong-Smoking Monkey: If you removed "to the public", it'd be more accurate since there is an overlap between event 'B' and event 'C', the way stated above. In other words, event 'B' and event 'C' aren't disjoint, in which case 'B' and 'C' may sometimes be the same event. And that would lead to XB -> C -> R being simplified to XB->R.

I agree that we can make this much more granular and defined, but given the wc of some of my comments, I tried to keep it just granular enough to make the point.

I also agree with your criticism. Can we distinguish between conduct exposing A to the public, and the eventual effect C (call C "public knowledge" rather than "publicity")? As written, and as you pointed out, it does seem that the former could overlap or intersect partially with the latter. But as we further refined the definitions of the variables, the criticism might drop out.

Keep in mind that "publicity" means: Something that attracts attention of the public. You may also need to define attribute 'D' to denote that what Snowden revealed is worthy of public attention, which is also a necessary condition for 'R'. You may then want to explain "why" it's a matter of interest. I think that would make your description more granular.

I like your breakdown and analysis. Now apply it to the other side, and tell me what you think

All good points.

samJanuary 29, 2015 8:54 AM

@ Westley Parish said, "One of the most important personal characteristics a HUMINT agent can have is empathy. This point Linebarger makes in Psychological Warfare, which is not admittedly, about espionage as such. But the ability to put oneself in another's shoes is as vital for HUMINT as it is for Psychological Warfare."

HUMINTs are also prone to errors because their judgements could be clouded by human emotions. By following the hornet home, the hunters usually expose themselves to other types of predators.

Sancho_PJanuary 29, 2015 6:01 PM


@ Dirk Praet

Probably you are confusing secrecy and privacy?
Yes, it’s a different debate anyway.

But what you see close to my (exaggerated) “secrecy is wrong” statement is far away and a rhetorical trick that backfires badly if you think twice:

"if you're not doing anything wrong you have nothing to hide"
or, more prominently:
- Nothing to hide, nothing to fear.
Right, no one would argue against that.

To see behind let’s phrase it positive:
- Something to hide, something to fear.
Yes. Agreed. No problem.

I confess:
I have something to hide, and I have some thing(s) to fear.
Don’t you? [1]

But how would you conclude from here that one is free to put their nose into my stuff?

On the contrary, I said I have something to fear so I insist on my privacy!

If (!) there is a right of privacy in our society then they can not silently access it.


[1]
I hide my bank details, profession, log in(s), friends, preferences (food, sex, religion, news, music, activities, …) because:
Fear of being exploited, robbed, tricked, discredited, targeted, blackmailed, disadvantaged, misunderstood, …

Especially when I do not know who, when and why has access to which details of my privacy, because I’d have no chance to address potential abuse or fraud when I do not even know about.

- See why secrecy (here the secret access) is wrong?

Dirk PraetJanuary 29, 2015 7:21 PM

@ Sancho_P

I have something to hide, and I have some thing(s) to fear. Don’t you?

But of course, we all do. And I certainly didn't imply that everyone is free to stick their noses in our stuff. Quite to the contrary. My stance is pretty simple: I share what I choose to share (explicit opt-in) and with whom I choose to share it with, and unless someone can produce a valid warrant based on probable cause that I'm up to no good, what I am doing is strictly nobody's business. That goes for individuals, corporations (Google, FB, ad networks etc.) and state actors. Let's just say that "secrecy is wrong" as a statement is oversimplifying the issue which always carries a risk of backfiring against yourself in the sense that it will divert the attention of your audience away from your core message, especially those opposing it.

Clive RobinsonJanuary 30, 2015 12:32 AM

@ Sancho_P, Dirk Praet,

I have something to hide, and I have some thing(s) to fear. Don’t you?

Everybody does and our bodies know it... did you know that if you blush when clothed it's effectivly "neck up" but when naked or nearly so it's a whole body response? We would not have such a response mechanism unless there was an evolutionary reason for it, that has remained constant for millennia....

Scientific studies have shown some interesting things about personal secrecy / privacy and how they may have come about.

Going back sufficiently far mankind has always been a herd animal for protection against other apex creatures, but only up to a point.We appear to have learnt that there were disadvantages when groups got to large and thus limited the size of a herd to a small "tribe" of various sizes as we evolved.

But as omnivorous creatures we were "hunter gatherers" and our survival as individuals within a tribe and as a tribe depended on keeping the knowledge of limited food resources hidden from others. Thus we learnt to keep things secret.

So from the get go secrecy in many humans was a survival mechanism that was inherently adverserial, which could cause a break up in larger social structures.

Privacy also has it's roots in another area in the continuance of life which is fertility/breeding. In many creatures the female is larger or more agressive and thus can keep undesired males at bay or treat them as prey. When the females are less easily capable of keeping unwanted males away they either stay around a large strong "desirable" mate who can fend of undesirables from them --as often seen in herbivour behaviour-- or cover up their state of fertility in some way, even if it is just by "making distance" --as is seen with many carnivours or omnivores--. Evolution has also helped this in mammals by making females less fertile when they are bringing up young as part of the lactating process.

Thus when some one trots out the "nothing to hide" line simply accuse them of being an "untrustworthy and abusive individual intent on causing harm, because of their own perverted inadequacies", it's generaly a bit of a "show stopper" but it serves as a warning that such "nothing to hide" lines are a social no-no and they are wrong to think it let alone say it. If they are stupid enough to persist tell them they are "ill educated and incapable of thinking and reasoning". Eventualy they should get the message, if they don't keep on about their inadequacies untill they ether shut up or go away, but don't make the mistake of saying "everybody has something to hide" or equivalent because you will give them an opening, which you don't want to do.

It works with interrogators as well, because they get wrong footed and lose control, it also alows you to kill off the "bad cop, good cop" routine before it gets started by allowing you to accuse all others as "guilty by association" and "morally corrupt for failing to stop the other persons behaviour". Having derailed their aproach it also enables you to not answer any questions they might put, no matter how reasonable they try to be, you just keep accusing them and don't stop, as long as you behave this way they don't get an opening, because to do that they have to get you to treat them "rationaly" and listen to them, which is the last thing you want to do, because that way they can get inside your head. Thus the moment they start to talk, you talk over them and keep accusing them, don't pause unless they do, and remember you are getting inside the "listeners head", because their job is to listen to you and that works on them the way they want to work on you. Eventualy the pair of them will get the message they then have very limited choice at that point and what they do next will tell you rather more than you are telling them. It also importantly gives you something to concentrate on which actually gives you focus and thus mental strength to carry on fighting them, because you will start to see small victories which will boost your moral.

SamJanuary 30, 2015 1:45 AM

@ Dirk Praet said, "But of course, we all do. And I certainly didn't imply that everyone is free to stick their noses in our stuff. Quite to the contrary. "

If you follow link Nick P posted, it is interesting to read about Snowden's past experience as a HUMINT under diplomatic cover, even though he was a self-professed branch office network administrator. It is quite likely that during this experience he was ideologically infiltrated, as Assange likes to call it.

WaelJanuary 30, 2015 2:57 AM

@Dirk Praet,

And I certainly didn't imply that everyone is free to stick their noses in our stuff

Even if they're doing us a favor? Look at the positive side! If you forget your password, you can retrieve it :)

SamJanuary 30, 2015 4:30 AM

Re: privacy vs. secrecy (playing with words)

privacy is something everybody knows you have but only you have access to it.
secrecy is something whose existence is uncertain.

ex; private lover vs. secret lover

thus, Sancho_P is referring to privacy not secrecy when he insisted on lawful access. when he said "secrecy is wrong" he is making a case for unlawful warrant-less access.

you can trample over someone's privacy because you know what it is. you can't trample over someone's secrecy without first discovering what you are suppose to look for and without that you can't prove lawful access.

happy trollin'...

Sancho_PJanuary 30, 2015 5:38 PM


@ Dirk Praet

“… that it will divert the attention of your audience away from your core message, especially those opposing it.”

Yep, seconded, but of course you have noticed:
The real believer is not open to any argument.
(I know that from myself … ;-)

@ Sam

Not sure if I understood completely but I think it’s something along your lines.

SkepticalJanuary 31, 2015 8:51 AM

@Dirk Ideally, the world would have clearly defined international law and an international court with the authority to judge on individual cases. But that's probably never going to happen because, as you say, there are just too many nations - especially the powerful ones - acting in their own interest only and who have nothing to gain from a disturbance of the status quo that would expose their dirty laundry.

Clearly defined international law which does what? Forbids espionage? That's as likely as an international law forbidding armed forces.

Nations would be opposed to such a law because it's not consistent with their national security, not because it would expose dirty laundry.

I wrote: Was Britain wrong to conduct espionage against Germany in the 1930s, while retaining the right to prosecute those in Britain who spied on behalf of Germany?

You replied: Careful: Godwin's Law !

I also gave the example of the US spying on the USSR in the late 1940s. We could also take Britain spying on Germany in 1913, or the French spying on Germany in 1869, or the Russians spying on the Japanese in 1900, or the Israelis spying on the Syrians... well, at any point, or the Indians spying on Pakistan, or... you get the point.

Finally something we can agree on, and impotence thereof to be blamed exclusively on those that keep putting their own interests in front of those of the global community.

International law is impotent from a security vantage because there is not global agreement on norms or interests, which means that no nation wants to give up the power to defend itself to some supranational authority.

Then what about the ethics and values of others ? A world leader as the US claims to be aspires to reconcile different ethics, values and interests, not impose its own. There's a subtle difference between true leadership and the pursuit of world domination.

Nor is the US imposing its own values on the world. If that were the case you'd have American armies occupying nations in perpetuity until they became liberal democracies. US goals are much more modest.

The point that parts of the world differ greatly on the question of ethics and values is to indicate the problems with establishing a true global government.

You must be joking. It makes them all the more suspicious.

Because a group of independent federal judges with tenure for life is going to lie to a Congressional Committee? This is possible but highly unlikely Dirk. How familiar are you with the American judicial system?

Anyway, what several others and myself have been arguing is that a secret court that hears only one side of a story and has no means to verify it in any way, for all practical purposes is not a real court but an aberration. Even the Babylonians had already figured that out some 3,800 years ago. So let's just stick to Occam's razor for as far as the 99.9 success rate is concerned.

For a third time, there is nothing abnormal about a court hearing "one side" when approving a warrant. That is standard practice, and for obvious reasons.

Ockham's Razor doesn't mean you can simply ignore inconvenient facts. That the FISC looks at proposed applications, and gives feedback to the government, before the applications are finalized, is a fact. That the "success percentage" relates only to final applications, not proposed applications, is a fact. That attorneys have no interest in pointlessly appearing before a court to argue an application that they know will be rejected is a fact.

The nearly exact analogy is to a writer who is submitting a piece, as a "rough draft", to the editor for publication. The editor looks at it, says he wouldn't publish it unless the following things were improved and the following questions were answered. Writer listens, sees if he can make the changes, and if he can then submits it again as a "final draft." Editor sees that the writer made the changes he wanted, and so is satisfied with the submission, and publishes it.

Now if we were simply keeping track of how many "final drafts" are approved by the editor, we'd get a very high percentage. And if we were ignorant of the process that involves "rough drafts", we'd be tempted to say that the editor either has very loose standards, or that the editor has extraordinarily clear standards and that writers can apply them almost perfectly.

But once we learn about the entire process, it becomes clear that we're looking at the wrong number. The "final draft" approval numbers don't tell us much.

SkepticalJanuary 31, 2015 8:58 AM

@Clive: HUMINT is also like being the priest in the confessional, you get to hear peoples inner thoughts.

I hadn't realized that all HUMINT sources were paragons of honesty who earnestly tell you their inner thoughts. That sure makes things like CURVEBALL and what happened at Camp Chapman harder to explain though.

@Wesley: The Strategic Hamlet Program was largely an attempt by the South Vietnamese government, on the advice of the US, and following the example of the British in Malaysia (though also the French), to isolate the population from insurgents and guerrillas. Although sound as a concept (it worked in Malaysia, for example), it was very poorly executed by the South Vietnam government and collapsed in 1963 or 1964.

This has much more to do with counterinsurgency strategy than with whether the US Intelligence Community appropriately pursued HUMINT as well as other forms of intelligence following WW2.

Clive's point re Vietnam is that (in his view) because the US population was sensitive to seeing US casualties, and because HUMINT carried additional risks of US casualties, the US government was inclined to stay away from HUMINT.

The problem with Clive's argument is that he provides no supporting evidence other than his hypothesis which I just described. Indeed anyone familiar with the history of reported US covert action since Vietnam, or reported US intelligence operations since Vietnam, will find it easy to point to evidence that contradicts his hypothesis, e.g. US covert action in Afghanistan throughout the 1980s, numerous Soviet assets recruited and run throughout the Cold War, and so forth.

samJanuary 31, 2015 9:56 PM

HUMINT at peace time, spying on partners, proxie wars, et al.

The deceptive nature of HUMINT operatives means they are not to be trusted by apparatus. During peace time, they are prone to other side channel profits such as participation in 'expert networks' for their personal financial gains. I would highly suspect any intel provided by such sources, be it official or moonlight.

Ironically, any time these folks are to be mobilized, a tail-telling sign of imminent war escalation, bad things follow.

BuckJanuary 31, 2015 11:02 PM

High Schools Add Classes Scripted by Corporations (March 6, 2008)

A presentation shown to company executives outlining Lockheed's educational efforts specifies that "increasing general interest in math and science for all students" is "not our goal." Nudging students toward Lockheed, the presentation says, is.
...
Lockheed is bracing for a worker shortage. The company estimates that about half of its science- and engineering-based work force will be retiring in the next decade or so. Meanwhile, interest in engineering as a career is declining among U.S. students.
...
"We're already within the window of criticality to get tomorrow's engineers in the classroom today," says Jim Knotts, director of corporate citizenship for Lockheed. "We want to address a national need to develop the next generation of engineers -- but with some affinity toward Lockheed Martin."
Just a random link from my mind... Probably with no relation to anything I've posted in the past, right?

Dirk PraetFebruary 1, 2015 11:51 AM

@ Skeptical

Clearly defined international law which does what? Forbids espionage?

That's not what I said. What I called for was the establishment in international law of clearly defined rules of engagement that, among other things, would differentiate between "national security" and "national interests". That's what international law and supranational institutions were invented for in the first place, but neither of them will ever work as long as the key players on the international stage cannot make that distinction or exercise a minimum of constraint in pushing their own strategic interests only. And in which the US is no different than Russia and China.

Nor is the US imposing its own values on the world.

Perhaps not from a US point of view, but I'm afraid there's many people out there that see it quite differently. You may choose to ignore them, but it's one of the main reasons of the complete failure of US foreign policy over the last decades. Perhaps a better statistic than nations occupied in perpetuity is the number of overt US military interventions since WWII till 2008, i.e. 390 with at least 20 million killed. I believe there are few nations that did better.

Because a group of independent federal judges with tenure for life is going to lie to a Congressional Committee?

That's not what I said, although some of these folks have made some pretty awkward and even wrong statements about their win rate. And I am well-aware of the difference between adversarial and ex parte proceedings, thank you. I'm not even arguing that DoJ lawyers after 33+ years and 33,900+ submissions have acquired a ton of experience in drafting high-quality requests that comply with every requirement. In fact, we are seeing similar statistics with Title III wiretaps and delayed-notice warrants.

The fact of the matter however remains that a secret court issuing secret opinions based on one sided procedures and secret interpretations of the law, and in which the executive almost always wins, for all practical purposes is nothing more than a rubber stamp that raises serious questions about the extent to which it performs the function it was envisioned to serve in a democratic society. Irrespective of the quality of compliant DoJ requests submitted, their win rate will remain the same as long as no form of adversarial process is introduced and the secrecy about procedures and interpretations of the law on behalf of both court and executive is lifted.

BuckJanuary 30, 2016 12:00 AM

Do you think that the embedded Chinese or Russian spies are likely filling out sys admin applications from the third-world as fast as the U.S. is..?

DoD Building Foreign Defense Institutions
Yesterday, a new DoD directive [pdf] was issued to formally structure and to assign responsibility for executing what is called the Defense Institution Building (DIB) program.
"DoD, in coordination with other appropriate U.S. departments and agencies and when authorized by law, will develop the capabilities and capacity of allied and partner nation defense institutions in support of defense strategy," according to the new directive. See Defense Institution Building (DIB) [pdf], DoD Directive 5205.82, January 27, 2016.
The directive does not mention any specific nation in which such development is to be performed, but it would presumably include countries such as Afghanistan.
Not that I think there's anything particularly wrong with that per-se, but I'm still skeptical of this supposed harm to U.S. industries due to 'national security' leakage...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.