The Democratization of Cyberattack

The thing about infrastructure is that everyone uses it. If it's secure, it's secure for everyone. And if it's insecure, it's insecure for everyone. This forces some hard policy choices.

When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection--basically, a technology that allows the agency to hack into computers.

Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well.

All of these existed before I wrote about QUANTUM. By using its knowledge to attack others rather than to build up the internet's defenses, the NSA has worked to ensure that anyone can use packet injection to hack into computers.

This isn't the only example of once-top-secret US government attack capabilities being used against US government interests. StingRay is a particular brand of IMSI catcher, and is used to intercept cell phone calls and metadata. This technology was once the FBI's secret, but not anymore. There are dozens of these devices scattered around Washington, DC, as well as the rest of the country, run by who-knows-what government or organization. By accepting the vulnerabilities in these devices so the FBI can use them to solve crimes, we necessarily allow foreign governments and criminals to use them against us.

Similarly, vulnerabilities in phone switches--SS7 switches, for those who like jargon--have been long used by the NSA to locate cell phones. This same technology is sold by the US company Verint and the UK company Cobham to third-world governments, and hackers have demonstrated the same capabilities at conferences. An eavesdropping capability that was built into phone switches to enable lawful intercepts was used by still-unidentified unlawful intercepters in Greece between 2004 and 2005.

These are the stories you need to keep in mind when thinking about proposals to ensure that all communications systems can be eavesdropped on by government. Both the FBI's James Comey and UK Prime Minister David Cameron recently proposed limiting secure cryptography in favor of cryptography they can have access to.

But here's the problem: technological capabilities cannot distinguish based on morality, nationality, or legality; if the US government is able to use a backdoor in a communications system to spy on its enemies, the Chinese government can use the same backdoor to spy on its dissidents.

Even worse, modern computer technology is inherently democratizing. Today's NSA secrets become tomorrow's PhD theses and the next day's hacker tools. As long as we're all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.

We can't choose a world where the US gets to spy but China doesn't, or even a world where governments get to spy and criminals don't. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It's security or surveillance.

As long as criminals are breaking into corporate networks and stealing our data, as long as totalitarian governments are spying on their citizens, as long as cyberterrorism and cyberwar remain a threat, and as long as the beneficial uses of computer technology outweighs the harmful uses, we have to choose security. Anything else is just too dangerous.

This essay previously appeared on Vice Motherboard.

EDITED TO ADD (3/4): Slashdot thread.

Posted on March 2, 2015 at 6:49 AM • 145 Comments

Comments

Somebody on the InternetMarch 2, 2015 6:59 AM

Now the follow up thought: Do they (NSA, GCHQ, etc.) not know this fact or don't care? I think it is the latter. The goal is not to stop other governments or even criminal organisations, the target subject is normal people, which do not use these tools at all.

SoWhatDidYouExpectMarch 2, 2015 7:50 AM

Can the following be considered "The Democratization of Cyberattack" against the citizens of this country...

White House Proposes Broad Consumer Data Privacy Bill

http://www.nytimes.com/2015/02/28/business/white-house-proposes-broad-consumer-data-privacy-bill.html

From the above web page:

"The proposal, at its core, calls on industries to develop their own codes of conduct on the handling of consumer information."

At its core, the only code of conduct that industry would put in place for handling consumer information is...

"all your data are belong to us"

This belongs in the "what could possibly go wrong department".

Does anybody think this is a good idea to let the industry develop the codes of conduct? After all, those codes would not be laid down in law but only enforceable by the government administration in power (or controlled by business interests). Further, such codes might easily include hold harmless clauses, void lawsuits, and make conflict resolution subject to industry controlled arbitration.

And, if not already being done, it would eventually extend to everything in the marketplace. It is a sure sign of the end when you have to legislate your profits (or control over consumers because you are so afraid of their influence).

Sheeple, here we come...

Alex K.March 2, 2015 7:52 AM

@uh, Mike:

I don't trust our politicians enough to believe that "we should add crypto to the Second Amendment" won't get altered to "we should re-word the Second Amendment to make clear the right to bear arms only applies to the federal military and states' national guard" along the way.

Personally, I'd much rather see an amendment be proposed worded something like "Since a democracy derives the power to govern from those the governed, any restrictions or bans upon any citizen of the United States must apply in equal force to all other citizens, powers, and agents of the United States."

Well, that's the rough draft at least, and should give you a clear idea of the intent; now just to hone the precise wording...

Bob S.March 2, 2015 7:57 AM

However, criminals and governments have chosen insecurity and surveillance. That's why both are so dangerous these days.

Rolf WeberMarch 2, 2015 7:59 AM

I disagree that secure backdoors are not possible. Dual_EC_DRBG is actually a proof that backdoors can be built that no third party can exploit.

The problem with backdoors is not technology, but that they can hardly be enforced reasonably. And that an obligation to implement a secure government backdoor would slow down innovations.

keinerMarch 2, 2015 8:01 AM

"But here's the problem: technological capabilities cannot distinguish based on morality, nationality, or legality"

MORALITY? LEGALITY? These federal thugs don't give a sh*t about that!

Now they started legislation to legalize all the things they CAN do for years. But that makes things worse, not better, because in the end there is no moral argument to total mass surveillance. NONE.

Spaceman SpiffMarch 2, 2015 8:26 AM

And to (mis)quote the Moody Blues - "Thanks to the Great Computer, we are now all magnetic ink."...

SamMarch 2, 2015 8:48 AM

@Rolf Weber:

> Dual_EC_DRBG is actually a proof that backdoors can be built that no third party can exploit.

Only the NSA knows the key. Until the NSA is breached that is, which is almost certainly an active goal of non-US intelligence agencies around the world. Would we know if it has already happened? Neither agency would publicize it (if they even knew).

In theory a second-party-only backdoor. In practice: side channels, hardware compromised at the plant, laptops accidentally left on trains (it's not all malice)...

Peter GalbavyMarch 2, 2015 8:51 AM

This article reminds me that we need to caveat that old chestnut of "If you have nothing to hide, you have nothing to fear" to ask "Who from?"

Rolf WeberMarch 2, 2015 9:25 AM

@Sam

I think most people in the real world can live with the hypothetical "threat" that somone manages to silently hack the NSA, steal the key and secretely uses it.

vas pupMarch 2, 2015 9:41 AM

@Bruce: "We can't choose a world where the US gets to spy but China doesn't, or even a world where governments get to spy and criminals don't. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It's security or surveillance."
I guess that is just usual spy arm race. Yes, I agree absolutely with the first statement in extract above, but I guess, Bruce, you are missing time dimension, i.e. any side could utilize for a short period of time own spying tools/capabilities until those tools uncovered by opposite side, then you have to develop next generation of tools, and so on. I am sure that you can't put back 'jeannie into the bottle' meaning attempt stop mass surveillance/spying (by law or by technology)is just wishful thinking. Just recall that all revolutions as soon as they come to power become oppressors (to different degree across spectrum).

GweihirMarch 2, 2015 10:16 AM

@Rolf Weber:
The backdoor in Dual_EC_DRBG is only secure against other attackers as long as the secret used stays secret and as long as the insertion of the backdoor did not inadvertently reduce security overall. Do also not forget that this secret is hold by an organization that had its crown-jewels stolen by a contractor. Claiming that the NSA can protect secrets is naive at this time.

@Bruce: "Legality" and ethics have very little in common these days, except that the second is sometimes claimed as cover story, although "security" is the more popular lie these days. I also fail to see why the US should be less of a threat than China. It rather appears to be more of one, as it slides into darker waters rapidly, while Chine seems to be relatively constant in what it does.

MPMarch 2, 2015 10:27 AM

I have a simple question,

As a mobile phone user, what is the impact of connecting via stingray on my comms, other than data being captured by it. Does it impact data transfers, phone calls?

because i can imagine that such a device would either completely deny connections to go through, or at least significantly lower bandwidth...

MikeAMarch 2, 2015 10:37 AM

@MP IIRC, one aspect of Stingray is that it drops your connection to 2G. At the very least, this is going to crimp your ability to watch HD video on your phone

Bob S.March 2, 2015 10:49 AM

Dual_EC_DRBG blah, blah, blah.

A back door is a back door.

The NSA turns the key and lets whomsoever they wish to secretly and without accountability access the previously private data:....FBI, CIA, IRS, Mossad, GCHQ, Podunk PD, my aunt Minnie....whoever they want. Also, the back door allows employees and vendors to ransack data for personal reasons, for profit or simple voyeuristic curiosity. Then one day a NSA guy with a grudge runs off with the key and there you go....

Don't confuse perfect maths with imperfect humanity.

MPMarch 2, 2015 10:49 AM

@MikeA thanks!

So how do we prevent phones from downgrading, I quite often see networks forcing my phone to 3G or 2G, even when there is perfectly good signal on higher generations. I know it's often due to congestion... know most phones can limit top end ( like do only 2G, or 2&3 but no 4G), are they any which can also limit bottom ( like do only 3G and 4G, never drop to 2G ) ?

Jean MeslierMarch 2, 2015 11:25 AM

@vas pup

I agree with your point about the time dimension. The NSA's presumed plan is to expend effort on both attack and defense with the expectation that they can stay a few years ahead of everyone else in both fields.

The point is obvious enough that I assume Bruce has something subtler in mind. The NSA is obliged to do both; if they were to ignore attack, they'd lack the expertise to defend properly. So the question is really just what is the balance of resources that they should allocate? Bruce's meaning is presumably that if they were to tilt this balance from maybe 50-50 defense:attack to 70-30, they could make enough defensive capabilities public infrastructure that average consumer security would be a nonissue.

And so I do think the question that some other posters have been asking is pertinent: why don't they do this? From the attacks that US corporations have been suffering from foreign hackers, it seems clear that the NSA et al. are failing horribly at any part of their mission that includes defending US interests from cyberattack. See, for example, Morgan Stanley's decision to relocate their cyber division next to the NSA and start poaching talent. A reasonable person must conclude that either the NSA is not allocating its resources to defense enough, or it is simply incapable of cyberdefense.

Steve FriedlMarch 2, 2015 12:13 PM

When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM
Bruce, I hope you'll write about these kinds of interactions: how did their not wanting this exposed manifest itself? Frantic phone calls? Legal threats? Begging and pleading?

More broadly: how does one interact with the NSA when one is undertaking the release of classified information?

Rolf WeberMarch 2, 2015 12:18 PM

@Gweihir

Snowden didn't steal crown-jewels. Not even remotely. Most of what he could take were "misleading" PowerPoint slides (which resulted in crappy "revelations"). Snowden absolutely obviously had no access to more sensitive stuff.

WalksWithCrowsMarch 2, 2015 12:31 PM

Devil's Advocate Argument:

Why should an intelligence agency be tasked with defense, at all? If an US Corporation is penetrated, that simply makes them into a very valuable, live, entirely realistic honeypot. Security vulnerabilities they know about can be used both for attacks and to build up covert detection systems which are nation wide. (For instance, a vague mention is made of such a system in a few news stories, the Morgan Stanley hack being one of those.)

How can the value of fixing those security vulnerabilities by giving them to the vendor be weighed against two dual values?

Further, if these nations are ramping up their attacks, how can the US fail to be behind them? Does Russia or China or Iran feel the need to not use their government to work for their companies? The US would only be very far behind if they did not do the very same thing.

Really, if your job is to get the best information - like a news station - does it really do you any good to divert those resources to activity which actually makes getting the news harder? The President everyday reads the intelligent assessment. Congress looks for actionable information. Power goes to the agency that wins out, and they have plenty of competitors.

Contrast that with the problem of quantifying attacks you prevented, and so never happened. (Performed everyday in the insurance business, but alien concept which is entirely irrelevant to intel agencies.)

And if you beef up agencies that are only defensive minded, like the secret service or DHS... well, that won't happen because their business is entirely unsexy in comparison.


Not MeMarch 2, 2015 12:40 PM

@Peter Galbavy

This article reminds me that we need to caveat that old chestnut of "If you have nothing to hide, you have nothing to fear" to ask "Who from?"

I have stuff to hide.

WalksWithCrowsMarch 2, 2015 12:44 PM

@Rolf Weber

Snowden didn't steal crown-jewels. Not even remotely. Most of what he could take were "misleading" PowerPoint slides (which resulted in crappy "revelations"). Snowden absolutely obviously had no access to more sensitive stuff.

Oh, is that why only Patreus was axed, while Clapper went on the Prime Time circuit?

NSA doesn't do counterintelligence, CIA does...


You still have the problem of putting the foxes in charge of the hen house.

And you have the problem of creating institutional backdoors in consumer - citizen - products, which means China and Russia and every other country buying the products would demand to have the key for. Just as they demand the source code for American products they buy. And how, exactly, would this reduce the demand for intentional and unintentional security vulnerabilities as backdoors, or in anyway ensure the henhouse is guarded by those... who do not primarily live on chickens?

NoMeMarch 2, 2015 1:00 PM

Dave D.

But where was the TSA when the arachnoid got aboard?

I'm sure this made it into someone's baggage, possibly even checked baggage. Would be easily missed in screening by the TSA equivalent in South America.

SkepticalMarch 2, 2015 1:06 PM


Are there any recommended essays (or books) which flesh out the idea that we have either security against all or security against none?

I see it frequently used here, but thus far I've only encountered it in the popular press. I'm skeptical, frankly, but would love to read a closely argued version of the claim to see if it's persuasive.

Nick PMarch 2, 2015 1:17 PM

@ Bruce

Excellently written. True in the general case. Next post counters the main point of dispute.

@ Rolf

re secure backdoors

It's true: I have many published and unpublished designs for assured, remote access. A subset could be certified to EAL7 down to the gate using modern technology. Naturally, evaluated for side channels as well. The risks to such a system are indeed hypothetical if it's a remote attack.

re " Most of what he could take were "misleading" PowerPoint slides (which resulted in crappy "revelations")."

That's absurd: the documents show in great detail about every trick NSA and GHCQ has at TS/SCI level. Sometimes, there's enough technical detail to replicate their methods. Hackers have been creating knockoffs of what was in the TAO catalog, which is anything but a misleading PowerPoint. Further, the very detailed PowerPoints also showed: (a) their actions contradict their statements to American people and Congress; (b) they're weakening security (as in Bruce's essay) across the board while publicly saying they should be trusted with more access to *ensure security*. Those are the real revelations and very much worth knowing in various political discussions.

@ Gweihir

re NSA keeping secrets

I agree and disagree. The NSA successfully kept many of its secrets despite Snowden. The details Snowden had were selectively leaked out of SAP's and other programs by those managing them to people in the TS/SCI community. Then, about four of the most trusted personnel in that community leaked them to the public. Their scheme basically failed at the point where there was extremely high trust with low accountability. Also, it was Booz (not NSA) whose horrid security practices allowed the largest breach of TS/SCI information in history. So, the number of leakers vs number of people involved in these programs show their security is quite effective against general leaks. SAP's supposedly greater OPSEC is evidenced by the fact that they still haven't leaked to the public IIRC. Nation-state infiltrators? That's another matter... ;)

gordoMarch 2, 2015 1:22 PM

@ WalksWithCrows

Why should an intelligence agency be tasked with defense, at all?

Well, I suppose it may have something to do with the word "security" in their name. Here's a portion of their mission statement:

The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.


The Information Assurance mission confronts the formidable challenge of preventing foreign adversaries from gaining access to sensitive or classified national security information. The Signals Intelligence mission collects, processes, and disseminates intelligence information from foreign signals for intelligence and counterintelligence purposes and to support military operations. This Agency also enables Network Warfare operations to defeat terrorists and their organizations at home and abroad, consistent with U.S. laws and the protection of privacy and civil liberties.

Executive Order 12333, ...

https://www.nsa.gov/about/mission/

@ Bruce

...we have to choose security. Anything else is just too dangerous.

Given the regular fare of data breach news (real-time; hourly; daily; weekly; monthly; annualized; 14 years late; etc.), it would seem that the NSA/CSS has been more focused on SIGINT than IA.

WalksWithCrowsMarch 2, 2015 1:45 PM

@Skeptical

Are there any recommended essays (or books) which flesh out the idea that we have either security against all or security against none? I see it frequently used here, but thus far I've only encountered it in the popular press. I'm skeptical, frankly, but would love to read a closely argued version of the claim to see if it's persuasive.

Things are rarely so black and white. I would expect Data Vs Goliath probably fleshes some of this out, not sure, just picked it up. (Ping!)

Every major defense contractor now has divisions focused to finding security vulnerabilities for the US Government. And many smaller defense contractors are in that fray. Why report them when they have such sexy dual use possibilities: arming a powerful IDS system and using them to purloin foreign (and domestic) secrets.

I, have, however, seen security issues found by the NSA and reported to companies before. No guarantee there that they report all found security vulnerabilities, however.
(This in one of those situations where the NSA performs code review on applications purchased for the US Government or running on critical infrastructure under contract to the US Government.) Don't see how those kinds of details would make it into any book.

AnuraMarch 2, 2015 1:46 PM

I've said it before, and I'll say it again: If an agency does SIGINT, it shouldn't be providing "help" to standards bodies, as that is a conflict of interest. It is crucial that all of our infrastructure is secured as well as is reasonably possible. Data breaches today are a regular occurance; it's not just government infrastructure, it's businesses and the public that are being hit. The weaknesses in the protocols and the software make things much worse, and it's pretty clear that this is something the NSA has been working towards. The economic cost is pretty huge.

We need to break up the NSA. Let COMSEC and SIGINT be completely different agencies. The mandate of COMSEC should be to help improve the security of both private and public infrastructure. I would go even a step further, and have the government (in cooperation with the open source communities and other governments) develop a high assurance operating system, written in languages that are not C, providing the core components while funidng a non-profit entity to oversee development of open-source business and consumer level applications with basic standards of development and varying security assurance depending on the component (a Solitaire application that is not given access to anything but its own config/save files does not need to be formally verified).

SoWhatDidYouExpectMarch 2, 2015 1:53 PM

More on "The Democratization of Cyberattack" against the citizens of this country...

Feds Admit Stingray Can Disrupt Bystanders' Communications

http://yro.slashdot.org/story/15/03/02/1710216/feds-admit-stingray-can-disrupt-bystanders-communications

From the post:

"The government has fought hard to keep details about use and effects of the controversial Stingray device secret. But this Wired article points to recently released documents in which the government admits that the device can cause collateral damage to other network users. The controversy has heated to the point that Florida senator Bill Nelson has made statements that such devices will inevitably force lawmakers to come up with new ways to protect privacy — a comment that is remarkable considering that the Stingray is produced by Harris Corporation which is headquartered in Nelson's home state."

The Wired article:

http://www.wired.com/wp-content/uploads/2015/02/Stingray-pen-register-order-and-application.pdf

The admission:

http://www.wired.com/2015/03/feds-admit-stingrays-can-disrupt-cell-service-bystanders/

Ultimately, nearly all of the snoops programs will produce more damage that good. Little good has been seen thus far.

WalksWithCrowsMarch 2, 2015 2:01 PM

@gordo

In context of what I was saying. Otherwise, "defense" is a very broad term and could be applied to anything. The vast majority of the paragraphs you quoted was all about 'offense as the best defense'.

The Moniker "security" works as well for a guard as for an assassin. And the assassin gets paid considerably more then the security guard.

The Information Assurance mission confronts the formidable challenge of preventing foreign adversaries from gaining access to sensitive or classified national security information.

Corporate data is sensitive to corporations, but unless that code is used by the DoD or otherwise might be tasked with handling sensitive and confidential US Government data it is not along those mission lines. And where it is, in context, it is clearly at odds with the more major mission statements.

There is no guarantee that when the NSA does perform security audits on vendor code from US corporations or other corporations that those security audits are entirely defensive in posture. But they might purloin security vulnerabilities to be used for direct intelligence gathering purposes, as well as to prime detection systems for counterintelligence signals operations. (That is, for honeypot like purposes, where companies and other organizations running the code operate as honeypots, effectively.)

What this means is that the NSA efforts at security or pure defense very often end up merely operating as a cover for intelligence gathering operations at the risk of US and other organizations.

Fox in charge of guarding henhouse. Fortunately, many of NSA's 80s and 90s efforts to derail global security failed. As but one "for instance" among many.

They do have a responsibility to consider that direct actions against foreign countries escalate the growing global cyber war, but largely that blame can be placed on vendors and consumers. So what is in it for them, realistically. And that is what people get.

Further, where the other competing agencies fail at this, they win: USSS, DHS, FBI, USAF... blame failures on them, get more jurisdiction and power. Why not. Ethics get lost in the crosshairs of day to day business.

Rolf WeberMarch 2, 2015 2:03 PM

@Nick

You are of course right that stories like the one about QUANTUM were not misleading. Or the ANT catalog. However all of the vulnerabilities were known before Snowden. I'm not aware of a single previously unknown vulnerability exposed by Snowden.
And when Appelbaum calls it "scary" that NSA is able to jailbreak iPhones -- I'm not sure I shouldn't call this misleading.

And you are right, there were a few interesting revelations. But all major revelations -- to name them: "direct access", BOUNDLESSINFORMANT, and the "Great SIM heist" -- were crap. The "direct access" turned out to be completely wrong, BOUNDLESSINFORMANT was heavily misrepresented, and the "Great SIM heist" was without any convincing evident, and denied by Gemalto. And all of these stories were based on slides.

JimMarch 2, 2015 2:07 PM

@vas pup

Along the lines of the time dimension, consider the fact that many systems cannot simply be patched overnight, in some environments where up-time is crucial a patch cycle may be months. Many hardcoded technologies would not be upgradable and need to be ripped and replaced if the key went public.

Would the US Government then be responsible to replace this equipment?

Also think of the internet firehose that is currently being stored. Even when encrypted, the data is still stored until a time when technology, techniques, or vulnerabilities are discovered to decrypt. Once the backdoor is discovered the stored back-data, which was considered secure and private, would now be in the clear.

Perhaps this may be partially true of any technology though

gordoMarch 2, 2015 2:14 PM

@ WalksWithCrows

Yes, "security" is a dual-use Moniker.

I agree with your overview/assessment (correct me if I'm wrong), i.e., conflict of interest/working at cross-purposes/maintaining institutional autonomy/plausible unaccountability.


Nick PMarch 2, 2015 2:44 PM

Counterpoint (again): Selective access to a few IS NOT total access for all

"A backdoor for one is a backdoor for all." This is repeated in the security community so much and with so little evidence it must be religion. This is despite decades of research with many successes on building secure systems with remote access, management, key sharing, and so on. The systems varied in whether they were implemented in hardware or software, level of assurance, read-only vs read-write access and so on. Yet, many were designed or evaluated to high standards of assurance (eg Orange Book A1, FIPS Level 4, NSA Type 1) where professional security evaluators decided they were unlikely to be breached in production.

Unfortunately, new knowledge emerged over time showing weaknesses in some of that technology: a side-effect of our field being new, diverse, and constantly-evolving. Most of the failures in crypto, protocols, OS's, and so on were due to not really understanding the problem, knowing the fundamentals of solving it, or having strong building blocks on hand. Over time, the wheat was filtered from the chaff where we have building blocks and fundamental principles we can use in ways that allow strong security arguments. Security schemes that leveraged the simplest and strongest without risky (often new) constructions did the best. Fundamentals such as POLA, integrity protection, small TCB's, layering, interface protection, and so on would've prevented or contained almost all the remote attacks. This led to my mantra that "tried and true over novel and new" techniques should be used in high assurance security engineering. So, the real trick is to define and decompose the problem into simple functions leveraging well-understood building blocks with straight-forward interactions (eg EAL6-7 design style).

The craziness of the debate is easier to spot when you substitute L.I. or backdoor for Remote Administration Tool (RAT). You can see the religion in the situation by just looking at the response to the two terms. Claiming you restricted access to trusted personnel with a hardened, SSH setup leads most in INFOSEC to accept your claim while noting problems might show up in the protocol or implementation. So, keep monitoring for unusual activity in the system and patches to problems. Alternatively, claiming you built in L.I. with selective access leads many INFOSEC pro's to start claiming you just let everyone in and that's absolutely unacceptable. This is despite the fact that they do *the same thing*. The only difference is a lack of control over who sees the information or how it's shared. That's unrelated to the security of the RAT mechanism itself.

So, what is L.I./RAT? Let's keep it simple: escrow to third party for encrypted messages rather than full-access to system. The scheme requires a strong method for encrypting messages. This is best a combination of a solid RNG, an asymmetric encryption of keys, and symmetric encryption of data. The normal use is the application inputs configuration, keys, and data into a black box. That black box outputs configuration results, ciphertext, and/or error messages. Highly assured implementations do it as a state-machine (or interacting state machines) with limited number of finite steps. Escrow adds an identical, black box with a different public key that accepts identical, key input and produces ciphertext as output. At this point, if the user's security can be maintained by the cryptosystem then so is the escrow's.

Another issue is ensuring the right key is used and can be updated. This may be done with manual entry by the user with a test message, TPM-style signed program, monitoring of encryption sessions vs escrows received, and so on. A variety of methods require nothing more than what the host would already have to protect itself in ways that are well-studied. Alternatively, a remote update feature might be implemented as a constrained process that runs daily to check for a new escrow key, download the untrusted data, check its signature, make sure it looks like a key (not 500KB of code etc), write it with a mutually trusted program into escrow key storage, and now we're using the new key with low risk the interaction did anything else. A basic, secure update procedure of the type I've implemented with custom symmetric and GPG-style functionality while others have done countless more variations. Nothing special and so simple that its amenable to high assurance implementation.

Next is protecting the escrowed keys: the hardest part. The requirements run the gamut of security given the high stakes and High Strength Attackers involved. It will need a combination of strong physical security, vetted personnel who check each others' work, anti-hardware subversion approaches (eg diversity), high assurance guards, high assurance interface software with manual review steps, HSM's for the keys, an EMSEC safe at the least, solid recovery mechanisms, lifecycle processes to ensure security policy (for keys and operation) are followed, and more. Good news is that we have all the components for this and with many highly assured ones at that. Further, the NSA have been doing it with their EKMS system for a while now. It has many components I describe above and I'd figure they'd panic in a visible way (eg suspending it a long time) if there was evidence of its mass compromise. *Seems* good so far.

So, all aspects of secure RAT (aka backdoor) seem achievable in a robust way. The failures others have cited were systems with these properties: low assurance design and/or TCB; attackers had unrestricted, physical access; the admins weren't trustworthy or actions audited; the "backdoor" was a common software vulnerability inserted deliberately or a result of non-rigorous development. In other words, the opposite of how you would build a high security RAT led to security breaches. I think the failure of low security methods to achieve security in no way proves high security methods can't get the job done. Further, that high security methods *did work well* and *still work* in many similar ways is evidence escrow can be built to at least as high a security level as non-escrowed methods with manageable risk for the key-holders.

Whether it should be or not is a different debate. Naturally, I'm on the side of pervasive security without RAT's in everything. Yet, the concerns of law enforcement and intelligence agencies often lead to laws mandating remote access of some kind. Individuals and businesses also depend on both secure RAT's (eg for administration) and escrow (eg compliance). That there are current and probably future needs for the functionality mean INFOSEC professionals promoting religion are only keeping people at risk. It's better to face reality, determine the requirements, make solid plans for achieving them, and start building/breaking prototypes to iron out good solutions.

I've outlined some technical issues here along with steps to take when trying to design a secure, RAT tool. I've shown arguments against RAT or escrow usually focus on the failures of designs which lacked strong, security engineering. I've shown that many components of a simple, escrow system have already been proven in high assurance academic, government, and commercial work. I've also looked at the huge security requirements necessary for the key holders. I've shown there are proven ways to meet most of those requirements while also citing a successful, escrow system (EKMS). Overall, a secure RAT tool with small residual risk is feasible with existing engineering technology. It will also benefit existing users in government and industry that rely on RAT and escrow tools that have far less assurance of security. More research into such tools can only benefit us regardless of whether it gets used in mass surveillance.

Note: I just threw this whole thing together off the top of my head while waking up with coffee from a mild hangover. I was awake by the time I previewed and revised it. Still made sense. I'm sure that teams of bright academics and engineers funded for a period of months to years could probably deliver an even better security argument along with a production-grade implementation [of the client-side portion & interface] ;)

AlanSMarch 2, 2015 2:44 PM

@Skeptical

Not sure this exactly meets the reading suggestions you requested but Susan Landau's book Surveillance or Security? is worth reading.

WalksWithCrowsMarch 2, 2015 3:05 PM

@gordo

Yes, "security" is a dual-use Moniker. I agree with your overview/assessment (correct me if I'm wrong), i.e., conflict of interest/working at cross-purposes/maintaining institutional autonomy/plausible unaccountability.

Yeah. I just am concerned that people are expecting true defense from agencies which are really tasked with offense. Some of this seems to be similar to the field as it was in WWII and the lead up to WWII. You had multiple agencies with overlapping jurisdiction. A lot of damage happened because of those jurisdiction wars.

The NSA has been suitably tasked with both offense and defense in terms of such things as ensuring DoD software was sufficiently secured. That meant one thing pre-90s, and it means something very different today. Today, you are not just talking about engineering cryptographic solutions for DoD organizations, but also performing security analysis on all software which the DoD and related organizations run. Vulnerabilities found are likely more valuable as offensive weapons, because foreign nations are using the very same software.

This is backdoor technology, too. Each critical vulnerability is, effectively, a working backdoor into that software. So, tell the vendor and shut the backdoor, or use it. Which is more valuable, when no one even knows you found it in the first place?

WalksWithCrowsMarch 2, 2015 3:25 PM

@Nick P, @subject of thread

Yet, the concerns of law enforcement and intelligence agencies often lead to laws mandating remote access of some kind. Individuals and businesses also depend on both secure RAT's (eg for administration) and escrow (eg compliance).

My problem with mandatory backdoors is the human one. Somebody well put this above that the flaw is in the humans. It does not matter if the NSA can keep their mouths shut, which is doubtful for human beings. If your country has mandatory backdoors in all of your country's software -- how do they have a competitive advantage over their competitors in other countries where this backdoor is not required?

Why should anyone outside the US trust their data to US companies? On pledges that they swear and uber promise not to be interested in their data? That they will not perform economic espionage, and especially never of the sabotage sort? That they are not interested in data of their private citizens or political leaders, and pinky swear to never try and use that data to control elections and their politicians to fit their national agendas?

Or, for Americans, as well, that the NSA and other agencies with this backdoor super promise to keep everything on the up and up, and they would never, ever perform economic espionage or political espionage at home? Never use it to control a politician or favor one big company that works with them over some up and comers that might break a monopoly or challenge a commercial asset they funded in a not so direct way as In Q Tel?

These sorts of pronouncements they are making work great in a monolithic culture of their own departments and organizations. But such a system is not how corporate America works, unless we want to move to the Soviet Style of commerce.

They would have to get this past all the US tech giants who are saying "we promise, we never worked with the NSA unlike what those documents said"!

Who might actually not lobby against it, while keeping up their protestations.

Because they make a lot of government money.

While their competitors and the little guys, and ultimately, their companies will suffer a near atom bomb of a message to consumers around the world.

Move your companies now to more friendly countries. Not just for the supermassive tax savings already tempting you to do so.

Finally, never mind the additional problem: Every other nation will demand to have the key to these backdoors. It will be mandatory for sorting out dissidents who, now, have some level of protection when companies do not cooperate. It will set a standard for the US and Germany and France... and China and Russia and Saudi Arabia and...

AnuraMarch 2, 2015 3:38 PM

@Nick P

Secure backdoors need a key at some point. My problem is that they are only as secure as the keys themselves. The more agencies that need access, the more likely those keys are going to be recovered by a malicious third party. Now, who needs access? The US Government will say they are the ones who need access, and that they need access to systems in foreign countries, but then the British will too, as well as the Canadians, and many many more, and what agencies within these governments need access?

The point is that providing for the needs of all these "good" governments means that it is inevitable that any "bad" government with a halfway-capable intelligence agency will be able to recover the keys. Beyond that, there is the possibility that a malicious individual with a security clearance in one of these countries could sell one of the keys. If it's at the hardware level, well, how many companies are lax on updating firewalls, for example?

Ignoring all the instances where they want to be able to decrypt and scan ALL traffic going through a system, which the governments of the US and UK have shown they definitely want, because they don't want to have to go through legal channels to obtain a warrant.

Yes, a backdoored system is better than a system with no access restrictions whatsoever, but it is not as secure as a system with no backdoors whatsoever.

Joe KMarch 2, 2015 4:15 PM

@uh, Mike
@Alex K.

RE second amendment comments:

Regarding freedom to use cryptographic system of one's choosing, it
seems to me that first amendment to US constitution already
covers any concerns in this regard.

How is crypto not covered, in no uncertain terms, under guarantees for
freedom of speech?

Spitzer's nylon socksMarch 2, 2015 4:27 PM

Someone else using NSA's Stasi tricks? That is the least of your worries. NSA will be passing your personal details all around to brag and bribe or co-opt everybody they can. This is a government that peddled NPT-illegal RD and Q and critical nuclear material to everybody and his brother. This government supplied Saddam Hussein with BC weapons technology, know-how, platforms, and agents, 771 licenses in 5 years. Is anybody stupid enough to think that when this government gets good blackmail shots of your O-face, or you scoring some weed, they're going to keep it to themselves? They'll be tradin that dirt like beanie babies for whatever they can get.

whprattMarch 2, 2015 5:16 PM

Agree with Joe K. I shouldn't have to join a well-regulated militia to use ROT-13.

Sancho_PMarch 2, 2015 5:32 PM

The discussion regarding key escrow / golden key / encryption backdoor is pointless,
for two somewhat related reasons:

1.
To eavesdrop on innocents, kids, friends and neighbors is insane.
Paranoia is a serious illness, as is pathological curiosity.
Those who feel to be inclined should seek for help, seriously.
The point is:
Not access to ALL, but access to SOME would be a sane request and should be discussed.

2.
Let’s assume it would be possible to have a safe “golden key” to all communication only for those who are entitled to do so - e.g. ("but not limited to") all governments of the world, democratic or not.

Great, the’d have immediate access to 93% of the world’s communication.

- Wait, where are the other 7% … ?
Right, all the “bad boyz” would run encryption on top of the escrowed system.
Putin, Obama, SCOTUS, Xi Jinping, Merkel, Clapper, me, …

Clive RobinsonMarch 2, 2015 5:38 PM

@ Anura, Nick P,

Secure backdoors need a key at some point. My problem is that they are only as secure as the keys themselves

Correct.

The backdoors you are thinking of are in reality a subset of the Key Managment or "keyMan" issue, which is known to be a currently unsolved problem beyond trivial cases.

Just to be clear there are two basic types of backdoor, those that work on tangible physical defects and those that work on intangible information defects.

Those that use physical defects like side channels are "unkeyed" and those that use information defects are "keyed".

The --incorrect-- assumption is that the keyed systems can be designed such that only one player can use them ie the key-holder. The reality is all you are doing is shifting from one problem domain to another in this case KeyMan, which we know is an unsolved problem beyond the trivial cases. That is it is like the OTP issue, to get perfect secrecy in the cipher domain, you move the issue to the the security of making, transportation, issuing, destruction and audit of KeyMat which is part of KeyMan. It can be seen that this part of KeyMan alone is way more complex than the cipher domain. Then of cause there are the authN and authZ issues of KeyMan much of which is based on "human trust". Each step away from the base problem domain makes the problem harder if not impossible to solve, and as history has shown with both OTPs and PubKey Certs, when we think we have solved a problem, the solution adds it's own attack surface to the original problem.

@ All,

There is another issue with backdoors that gets lost in all the talk of technical solutions. And it's one of awarness by those surveilled.

When information was encoded onto physical objects like typed pages, it was generally stored in safes, filing cabinets and draws etc and to copy it ment physical access by those wishing to copy it. This ment that the security of the information could be achieved with "physical access controls". And there was little chance that the physical access would go unnoticed if setup correctly. Therefore the target of such surveillance would be aware that it was going on unless very specialised human resources were used. These specialised human resources were not just rare, they also suffered from all the limitations of physical attributes, which put significant restraints on what was possible for any agency, and this more or less kept them honest when it came to ordinary individuals.

These resource limitations nolonger apply when we deal with information objects not physical objects. Thus surveillance organisations are nolonger constrained and the multitudes of ordinary individuals now automaticaly become subjects od surveillance and this in turn peverts the surveillance organisations view point and the ordinary individuals become "guilty untill proven innocent" which is "proving a negative" and thus not possible. So we all become "criminals that are not yet convicted" because currently neither the courts or the prisons have the resources to deal with all of us. But worse ordinary individuals get no warning they are under investigation, because unlike the case of physical object access there is little or no way to protect the intangible information from being accessed and little or no way to if the information has been accessed...

This is a very major change in ability for surveillance organisations and is an incalculable loss to all ordinary individuals, who now can not defend themselves.

Sancho_PMarch 2, 2015 6:03 PM

@ Clive Robinson

“… who now can not defend themselves.”
Spot on!

But this also relates to “suspects” that gain that status from any arbitrary action (accusation) and won’t be informed about for months or years.
Worse, the “good guys” finally try to push them into crimes they’d never have thought about, just to “get” them and a better success rate.
Disgusting!

Roland SchulzMarch 2, 2015 6:23 PM

I'm wondering whether it is possible to have secure cryptography and also enable access to police with a proper search warrant. Maybe a solution would be to introduce a legal requirement for using secure cryptography, to keep a physical copy of keys/keyphrases in a secure storage. This way the police with a search warrant would get access to encrypted data but security wouldn't be breached by some government backdoor. And everyone could decide for themselves how secure of a storage they want for their keys/keyphrases.

WalksWithCrowsMarch 2, 2015 6:34 PM

@Spitzer's nylon socks

Yeah, that would be the primary danger. Just not one that sells to the naive bunch. "No, not my government, never".

Controlling the politicians can mean a bloodless coup. I suppose people are inured to the possibility of this happening [or having already happened] because they assume this is already the case by money. Now, if an intelligence agency wants control of their country they maybe have to wiretap the politicians **and** the money brokers.

@Clive Robinson

Thoughtful points...

the ordinary individuals become "guilty untill proven innocent" which is "proving a negative" and thus not possible. So we all become "criminals that are not yet convicted"...

A new class based society. Where all outsiders are guilty criminals. That is the kind of social system human beings prefer. One which is heavy on the blame.

AnuraMarch 2, 2015 6:54 PM

@Roland Schulz

Well, unfortunately, it's not that easy. Let's look at the possible systems:

Method 1: Government has a way to disable encryption for a device
Probalem: This also gives any third party the ability to read the information

Method 2: Alice and Bob both have an encrypted connection to the service provider, but not with each other. This is how cell phones work today, and these can be subject to warrants
Problem: If the service provider is compromised, then whoever compromises them will be able to get access to the communications; there is no guarantee that these people are "good guys." On a tangent, when it comes to credit card theft, in my experience most attacks do not target the SSL protocol, but the services themselves.

Method 3: A key-escrow protocol is used so only the end-users and the government can encrypt
Problem: As discussed above, this moves the problem to key management

Method 4: Government convinces everyone to use a protocol with a weakness that only they are aware of
Problem: This is security by obscurity, and there is nothing preventing anyone from discovering the weakness


Did I miss anything? Method 3 is the most secure, but it's also not that secure for the reasons given in previous comments.

WalksWithCrowsMarch 2, 2015 7:29 PM

@Roland Schulz

I'm wondering whether it is possible to have secure cryptography and also enable access to police with a proper search warrant. Maybe a solution would be to introduce a legal requirement for using secure cryptography, to keep a physical copy of keys/keyphrases in a secure storage. This way the police with a search warrant would get access to encrypted data but security wouldn't be breached by some government backdoor. And everyone could decide for themselves how secure of a storage they want for their keys/keyphrases.

Frankly, things work this way already. They are playing it up as if they did not just get busted for wiretapping everyone, which they did do. And still are doing.

You have crack in front of crackheads. They are asking for everything, with zero regard for professionalism or what this means to the country (much less world), whatsoever. That is not symptomatic of reasonable people, that is pure power chasing, crackhead like behavior.

There surely are people who get information on anyone whenever they need it, and offer it as they feel necessary. That is closely guarded and not something for every politician and leo or intel executive to get.

They ultimately will not get it, and they already are way past the line. That won't last.

It is true, tech will get more difficult as more respond to people's real needs. They don't care about the really hard targets in what they are asking for. They can get at those hard targets through plenty of means, including turning people near them, hacking everything else they have, placing undercovers amongst them, wiring their home(s), business(es), their friends, their family, even their dog. Video everything. They do not even have to get inside to activate bugs, they typically will have 'across the world' options as well across the street options.

Post mortem, it can be a problem, sure. You just run into a situation, or, say, a murder case. Though considering how much is out there online which the can access and tell them an enormous amount about their suspect(s)? Really, this is not a situation.

What they really are asking for is everything on everybody, all the time. That is insane. Besides that spies should not be globally broadcasting their aggressive intentions to make everyone wary, they are not even consider the incredibly simple scenarios of 'how this would effect the economy'. But, when you are throwing the constitution out the window on a regular basis anyway? Well, that is someone spending their paycheck on heroin. That is not reasonable. That is power madness.

Right now, they can track back basically everyone, and how everyone is connected by social media and by phone records. Who is connected to who, and how. They can vet identities by vetting social media presence. They can do incredible things with pictures alone, in all of this. Sure, they aren't supposed to, but as they have no reasonable, and definitely no seeable internal adversary, they can do as they please. They can certainly go to websites as they wish and ask for anything else.

Just a footnote: I say things like "I am concerned", or "this concerns me", or "this is why this is bad and should not happen". These are just statements to communicate. I have complete confidence the excesses will become null and void, and in the remote chance they do get this really stupid and dangerous capacity for backdoors in everything or almost everything, it will not, at all, last.

People have this annoying tendency to act as if they are all alone in the universe, and play it up that if not for them and their need for complete information power the "bad guys" (who are not them) will succeed. It is a lie. Everybody gets roadblocks, the wheels of justice turn slowly, and no one is going to bother explaining 'what is really going on' because human beings just do not need to know. If they really want the answers, maybe they should go throw themselves in a tornado while wearing really pretty ruby slippers.

WaelMarch 2, 2015 8:56 PM

@Buck,

Four years and two hundredths of a score ago

Two observations:
1- Holly crap! You read all 132 score and one words?
2- The current unit of time we use is "moons"! It's crazy I have to remind you about "Moons" ;)
3- How did you land on that post? Ok, three observations :)

Yup, @Clive Robinson covered a lot of E&M tactics in this epic post :)

Nick PMarch 2, 2015 9:01 PM

@ Anura

"Now, who needs access? The US Government will say they are the ones who need access, and that they need access to systems in foreign countries, but then the British will too, as well as the Canadians, and many many more, and what agencies within these governments need access?"

In my model, authorities that can issue warrants get a supply of keys for a period of time. Once the time is up, the police stop getting keys on that account. At no time do outsiders have direct access to the system. From there, you prevent foreign governments from demanding access by not operating in their country or saying you'll only give access to communications originating in country X to that country's government. Maybe allow a communication crossing borders to be analyzed if both governments put a request on the same communication.

"Yes, a backdoored system is better than a system with no access restrictions whatsoever, but it is not as secure as a system with no backdoors whatsoever."

I agree: that's in my post. The problem is that nobody has tried to really get an idea of what the risk is if we use the highest protections possible. The other part of the problem is that detractors cite examples from low assurance systems as the end all argument on the situation. I'd like those see those problems go away and get an honest take on the situation.

@ Clive

"The reality is all you are doing is shifting from one problem domain to another in this case KeyMan, which we know is an unsolved problem beyond the trivial cases. "

This would appear to be a trivial case compared to full OTP's or CA's. The key is escrowed to the third party, possibly directly to a HSM, which protects it in storage. The trusted device releases specific keys in response to authenticated requests with human approval. The requests are logged by one or more independent party's systems and checked. A total for each country and/or category is published each year. One or more guards mediates the both incoming requests and outgoing response to untrusted system. The requests will happen on dedicated hardware using end-to-end protection over a link encryptor and/or dedicated line. The log copies might be delivered to both the management of those sending requests and an oversight organization.

BuckMarch 2, 2015 9:11 PM

@Wael

1) I did.
2) Haven't we all agreed to leave past misconceptions behind us?
3) 'tangentially' :-P

Sabu 2.0March 2, 2015 10:25 PM

"In my model..." Nick P., you give yourself this vague, allusive backstory of fearsome deadly pressure by da Man. But then you tell us about your marketing plan: going to various authorities and selling them a worthless product to stuff up an unwilling public's ass. It blows massive holes in your badass black-bloc Anon cred. That is not the revolutionary ideology of an Anon, that is the marketing plan of somebody who got scared straight when he toilet-papered a house at age twelve. It is poignantly, tragically lame.

Nick PMarch 2, 2015 11:48 PM

@ Sabu 2.0

I don't follow "the revolutionary ideology of the Anon's:" a fictional, anarchistic universe where geeks are the elites (rather than normal Type A's) that's currently dominated by people who have contributed nothing to the Internet, INFOSEC, or tech. They just hide, troll, make demands, dox people, leak nudes, DDOS, and so on. Further, their ideology is impossible in the real world. If anything, "the anon's" have brought more and stronger heat on those seeking liberty than ever before. (Ask Sabu and DPR...) This was a direct and unintended result of them scaring the shit out of authorities and voting public with their stunts [on top of normal powergrabs]. Voters ran into the embracing arms of corrupt, police-state-loving cops. If anything, I see the modern "anon's" (esp 4chan types) as a destructive force that parasites off of or disrupts the *constructive* work others did to make their online comments possible.

Note: There's plenty of exceptions such as people who just push anonymity & decentralization without all the crazy nonsense. If that's you, then present company excluded in the above statement.

My philosophy is and has always been realism. Realistically, we negotiate an agreement with a government that lets them maintain order and gives us as much liberty as possible. The original design, esp with warranted search, was a decent compromise that only turned dirty because voters let it. Internet pioneers then connected us in new, risky ways. The first online privacy movement, the Cypherpunks, started creating building blocks to get privacy and anonymity on the Internet for the masses. Many others, myself included, cranked out solution after solution for every security/privacy problem under the Sun and still do to a degree. People, including in INFOSEC, largely ignored all that and still do. Ignored liberty, too. Modern surveillance and pseudo-police state is the result. That creates... problems.

Now, don't let all that history and philosophy fool you. If you want to know, I'll tell you straight up what's behind my essay. All kinds of ideas pop into my mind. Here are three relevant to this topic:

1. Original motivation was that L.I./backdoor might get mandated if this political nonsense goes ahead. Any domestically operating business won't have a choice. In the Lavabit case, the judge considered an alternative to the FBI's black box so long as it could serve the warrant. Levison could've had a ready-to-go, secure, independently vetted alternative that would've kept his users safe. He didn't and so original order went through, forcing the shutdown. I determined trying to figure out as ideal a L.I. mechanism as possible is a good insurance policy for the future in which any U.S. system vendor has to shutdown or put in the backdoor. If you knew your cars and PC's had one, wouldn't you rather the "stop everyone else" part be done as rigorously as possible?

(End-to-end, subversion-free designs continue to run in parallel to this and actually have priority. I discuss them less now as Clive, Wael, and I worked out most key details over the years. So, I post new developments in various aspects.)

2. Technical problem. You gave me due credit on prior work and what was that work? Answer: trying to do the impossible on the defense side. Even Bruce Schneier believed that any backdoor for them will be used against everyone. But, people and businesses everywhere depend on tech that's inherently backdoorish. Are you telling me we can do all that complicated stuff but not a basic RAT or escrow? If that's the status quo, then can I gotta smash that because that's lame. If someone built it, I'd apply it to remote access, updates, key backups (escrow), and so on. Many practical uses for the mechanisms themselves and the more robust the better. That nobody has supported the concept of a door only certain people can get through means they either (a) think they don't exist or (b) don't rely on any product or service that puts restrictions on how you can use them (fat chance). I think they can exist and argued for it with empirical evidence rather than poorly applied anecdotes (status quo).

3. Business problem. I'm not sure if I noticed this in the past. My recent essay points out that escrowed solutions are in demand, even mandated sometimes, in the commercial and government sectors. It provides actual business value in the eyes of many management to keep things private yet accountable and recoverable. Although I was thinking grant-funded FOSS, you ironically got me thinking of how to squeeze money out of it. On top of escrow/RAT products themselves, there is this model: a percentage of sales of the INFOSEC product to drive rigorous engineering of its critical and reusable components that benefit all. Think of how some companies donate non-critical, yet beneficial, stuff to Apache Foundation but with steady income stream for *engineers* to maintain/expand it. They release core stuff and keep bells n whistles for profit.

So, I originally considered it as a possible necessity in the future (or present... unknowns abound). Then, seeing misinformation repeated got me to tackle it as a technical challenge in an hour of my spare time. Saw a few business angles. Then, I was back to my clean slate work that involves centralized execution with decentralized checking. Basically, my old SCM scheme applied to new problems. BitCoin is similar with a lot of takeup. So the question was, "How to automate most of the subversion resistance and incentivize participation in it?" Gotten pretty far in various ways but mainstream programmers don't like it so far. Exploring a ML- or Haskell-compatible functional take on it to leverage smarter tools and people.

So, no worries: my old style of work stays strong. Matter of fact, I'm mentally swamped by the sheer number of potential issues I'm juggling that all have to work together. If anything, tangents like this are a nice, mental break. Now, I'm going to do another and play some Xbox. Have a good night everyone.

WaelMarch 3, 2015 12:11 AM

@Nick P,

Nicely put 1K + a tagged byte write up. Enjoy your game! Me? I'll try to count some sheep now...
One sheep... Ten sheep... Eleven sheep ... A hundred sheep...

FigureitoutMarch 3, 2015 12:27 AM

Nick P
--I'll agree to an "escrow" (read bullsh*t term for a backdoor) so long as I have an escrow to the escrow and can independently verify it's being used as it should. How's that for some bullsh*t? No trust and I support breaking mandated backdoored garbage from idiot politicos controlled by billionaires who are overstepping their bounds in their competency. Break this sh*t people and expose it.

MikeAMarch 3, 2015 12:30 AM

@MP: Pick your poison. If you disable 2G fallback, you'd better make sure you know how to re-enable it. What's worse:

1) Being unable to watch all those reruns on your phone because your neighbor is cooking meth and has attracted a Stingray.

2) Being stuck somewhere in the boonies with mobile coverage just barely good enough to eventually get a call through, and a burst radiator hose. And the wolves are hungry.

There are plenty of boonies on my normal travel routes.

@whpratt. Do you consider the CSA (Confederate States Army) to be well-regulated? I was recently told that they had a decent polyalphabetic cipher system. The Union Army nevertheless read most of their traffic, since they only used some three different keys, for all communication. All were guessable political slogans.

Ole JuulMarch 3, 2015 1:53 AM

"A back door is a back door." -> "A backdoor for one is a backdoor for all." -> and I would say a back door is a door. I would also note that all keys are physical and therefore cannot be protected by digital means. Keys are physical because they, or their location, need to be within the scope of awareness of at least one human being. Everything comes down to humans in this discussion. Without humans there would be no need for encryption. In fact this whole discussion is really about humans. Of course it is possible to concentrate sufficiently hard on one thing so that all else disappears.

Wesley ParishMarch 3, 2015 4:05 AM

A story leaps to mind about keeping things in perspective:

someone once decided to learn skydiving. So up with their wallet they go to the local airport and sign on the dotted line for lessons. First set of lessons go fine, then it's up in the plane to do their first solo dive, with the instructor tagging along for moral support.

They jump.

Ten thousand feet and the instructor says, "time to pull the rip cord."

"No. Let's give it a bit longer."

Five thousand feet and the instructor says, "time to pull the rip cord."

"Let's wait a bit, eh?"

Two thousand feet and the instructor's getting nervous. "Just pull the rip cord, okay?!?"

"Come on, let's wait a bit longer, eh?!?"

Five hundred feet and the instructor's done waiting. He pulls his own rip cord. "Pull the rip cord," he shouts as his student falls faster away from him.

The student falls to five feet, then he waves the altimeter at his instructor. "It's only five feet," he shouts. "I can jump from here!"

I think we can all see the applicability of this story to the topic at hand. Yes, @Nick P, it is theoretically possible for some future backdoor to work only as designed. But in the meantime, we have this vast mass of installed backdoored equipment. By the time we finally fall to five feet, we can't stop and jump.

Alex K.March 3, 2015 8:57 AM

@Joe K.
@whpratt:

How is crypto not covered, in no uncertain terms, under guarantees for freedom of speech?

You are almost certainly right, but I think you may have misunderstood my statement's intent. Let me try anew:

Given the enormous partisanship present in Congress today, I have a hard time imagining the two parties uniting to pass a resolution saying the sky is blue, much less agreeing on amendments to one of the most divisive issues on their two platforms ("When may private citizens own weapons?"). Any such attempt at amendment would immediately be suborned from its' stated purpose (grant crypto an overt, protected status) toward the policies the two parties would favor (I made a guess at what might scare @uh, Mike-- but don't read that as a statement of my preferences; the idea of a 2nd amendment that was more "mandate an Abrams in every garage" is just as scary to me as taking away all private weapons).

That is why I personally favor, if an Constitutional Convention were to convene, proposing a "all or nothing"/"tit for tat" amendment: a formal recognition that if the power of a democratic government derives solely from the voters' authority, it logically should not differ from said authority. (Alternately, this thought can be phrased as a Socratic question: if it is immoral / improper / illegal / etc. for any voter to break encryption, operate a Stingray-like device, or conduct covert surveillance, where does the government derive their authority to do so?)

This sort of amendment (tight circumscription for government power) may be far less likely to pass, but also becomes nearly impossible for the various political groups to suborn toward a private agenda.

SnijderMarch 3, 2015 10:12 AM

"if the US government is able to use a backdoor in a communications system to spy on its enemies, the Chinese government can use the same backdoor to spy on its dissidents" That's biased writing.

Also if the US only spies on it's enemies and China on mere dissidents then the whole world is the enemy of the US. Like all the citizens of Bahamas for example that have all their phone records recorded. What about the Brazillian Petrobras, is this national oil company related to terrorism because the NSA spies on it? China may be spying on dissidents but the US is spying on many many more including dissidents (whistleblowers, Occupy, Anonymous, ...), political oponents (both domestic as internationally), economic oponents and even "friends" like Angela Merkel.

RT: "In the Bahamas and another, unnamed country, however, The Intercept reports that the NSA is allegedly recording the actual contents of every conversation, then storing it for analysts to review at a later date using a specialized project known only as SOMALGET. "

Gerard van VoorenMarch 3, 2015 11:25 AM

@ Nick P - About the mandatory universal back door

I don't know whether it has been mentioned before but Obama now criticizes China for them wanting a mandatory universal back door themselves [1].

So if you want a mandatory universal back door the question is more about who your allies are. Todays bad guys are tomorrows friends and vise versa. The list of exceptions is gonna be loooong. For starters the billionaires, then the politicians and the diplomats. Then the drug dealers and mafia. The rest doesn't matter and has to live with it. The people probably can't vote for or against it.

Worse is of course that everyone knows about the back door. We know where it is and try hard to override or tamper it. And by knowing it is there the smarter bad guys are gonna switch to other ways of communication.

If you want a mandatory universal back door, I think technology is the easy part. The hard part is dealing with / regulating the mountains of hypocrisy.

[1] http://www.reuters.com/article/2015/03/02/us-usa-obama-china-idUSKBN0LY2H520150302?irpc=932

yossarianMarch 3, 2015 2:19 PM

@Anura, @Roland

You forget:
The law requires key storage and surrender. The government detects random bits in otherwise unused space in a data storage device in your custody. They demand the key. There is no key. Uh oh.

BuckMarch 3, 2015 5:07 PM

@Wael

You may not remember because I didn't mention anything at the time, but I was a bit confused as to how you came up with your '4100 moons' the other day... Besides, I'm not entirely sure I subscribe to the 'arrow of time' theory, so I thought I might mix up our units of measurement for some fun!

I guess I could be considered a believer in the sense that I believe my beliefs are being constantly refined with respect to additional inputs of information or perspectives. ;-)

Dirk PraetMarch 3, 2015 6:34 PM

@ Nick P., @ Clive

This would appear to be a trivial case compared to full OTP's or CA's. The key is escrowed to the third party, possibly directly to a HSM, which protects it in storage. The trusted device releases specific keys in response to authenticated requests with human approval.

Which begs the question who this 3rd party is going to be since pretty much every government and LEA all over the world will demand some sort of golden key access. For argument's sake, let's imagine that some UN institution would be in charge. The only practical way to go about the problem is to delegate authority to national agencies with a subset of capabilities of what they can and cannot do. And who in their turn may delegate subsets to TLA's and LEA's. Which leads us right back to the CA model, not to mention the fact that both the UN root authority in charge of key management and every delegate would become prime targets for every intelligence agency on the planet.

Like Clive, I consider the KeyMan problem unsolved at this time, and until it is, I'm siding with folks like @Bruce and Matthew Green that every backdoor - and for whatever reason - is a bad idea that sooner or later will jump up and bite everyone in the *ss.

Nick PMarch 3, 2015 8:04 PM

@ Wesley Parish

"Which begs the question who this 3rd party is going to be"

Might be a GAO-style government organization, a foundation, and so on. What's important is that they're required to do everything they can to protect the keys, limit access, validate requests, and so on. Plus, they're legally protected against attacks by their host country.

" But in the meantime, we have this vast mass of installed backdoored equipment. By the time we finally fall to five feet, we can't stop and jump."

I agree and I said that in the original debate. I got slammed in every direction by people saying they'd never by a product with a backdoor built in. I pointed out that this was funny given they do that all the time. The only difference was that my proposal was overt, highly assured, possibly limited access, and usage mediated. What's in their system right now is quite a bit different.

@ Gerard

"I don't know whether it has been mentioned before but Obama now criticizes China for them wanting a mandatory universal back door themselves [1]."

They're hypocrites. Unexpected.

"Worse is of course that everyone knows about the back door. We know where it is and try hard to override or tamper it. And by knowing it is there the smarter bad guys are gonna switch to other ways of communication."

Tampering with it can be made illegal similar to DMCA's ban on reverse engineering. Not using backdoored products would narrow the focus on the bad guys because they'd look different. I agree, though, that the fact that smart bad guys avoid backdoored stuff is a good argument against using them to stop serious threats. Yet, there would likely be all kinds of less savvy crooks caught.

"The hard part is dealing with / regulating the mountains of hypocrisy."

Yep...

@ Dirk Praet

" The only practical way to go about the problem is to delegate authority to national agencies with a subset of capabilities of what they can and cannot do. And who in their turn may delegate subsets to TLA's and LEA's. Which leads us right back to the CA model, "

The CA model is much more vulnerable and complex. My proposal is authenticated requests for KeyMat by a specific organization for specific targets (or devices). The release of that is a centralized decision. It might be as simple as (a) give keys to governments if the device is operated by their citizens, (b) more complex in that the device is in use in their country, or (c) just HQ country can make requests with other countries asking for assistance with specific targets.

Any of these models requires the company to be operating in a country whose legal system will either not hamper its activity or will support its privacy protections. Previously, I pointed out Iceland and Switzerland as potential candidates.

"not to mention the fact that both the UN root authority in charge of key management and every delegate would become prime targets for every intelligence agency on the planet."

That's entirely true. :)

"I'm siding with folks like @Bruce and Matthew Green that every backdoor - and for whatever reason - is a bad idea that sooner or later will jump up and bite everyone in the *ss. "

It's an understandable position. Likewise, I'll still fight backdoor proposals, develop things that work without them, and spend a little time on them just in case. Like I said, there are practical applications for it with more companies using such practices all the time. The mechanisms should be developed (and assured) given the demand.

BuckMarch 3, 2015 8:15 PM

@Dirk

The only practical way to go about the problem is to delegate authority to national agencies with a subset of capabilities of what they can and cannot do.
Is that really so..? Perhaps we could consider implementing some sort of jury involving peers - maybe from a subset of the local population in combination with independent global representatives... Yeah, it's probably nothing! ;-)
Sounds silly at the surface; yet, for some reason - the phrase: 'impartial jury of the State and district' comes to mind. It actually sounds like a pretty good idea to me! Makes me really wonder how we could all go about achieving this...

Dirk PraetMarch 3, 2015 8:38 PM

@ Rolf Weber, @ Sam

I think most people in the real world can live with the hypothetical "threat" that someone manages to silently hack the NSA, steal the key and secretely uses it.

A statement that qualifies as a brainfart. I'm sure the USG would be just fine with that. As would everyone else using encryption in any way. The only people not worried would in fact be those NOT using encryption. I bet you don't, because you have nothing to hide. Even when doing on-line bank transactions.

And that an obligation to implement a secure government backdoor would slow down innovations.

Slow down innovations? It would be driving companies out of business.

Most of what he could take were "misleading" PowerPoint slides (which resulted in crappy "revelations"). Snowden absolutely obviously had no access to more sensitive stuff.

Yup, it's all lies because it's on Powerpoint slides. Do you actually know what percentage of what he took has been published so far? And if it's all meaningless crap containing no sensitive information whatsoever, why have the USG and UK gone through so much trouble to get at the man, detain Greenwald's partner, and even raid a newspaper to have computers and disks shredded?

I'm not aware of a single previously unknown vulnerability exposed by Snowden.

Unlike the rest of us. Who are you ? James Clapper ?

... and the "Great SIM heist" was without any convincing evident, and denied by Gemalto.

Yes, we all believe that nothing happened at Gemalto after a conclusive forensic investigation that took less than a week. Case closed, nothing to see here folks.

WaelMarch 3, 2015 10:21 PM

@Buck,

but I was a bit confused as to how you came up with your '4100 moons' the other day

Oh, you are referring to this:

Many moons ago when I was in school every student had to set up an Exchange 2003 email server upon a Sever 2003 box [Active directory integrated].

It was an estimate using the following information:

Release date October, 2003
Number of days between October 27, 2003 and Feb, 27 2015 is 4141

So around 4100 moons, give or take... (Ignoring other factors)

I guess I could be considered a believer in the sense that I believe my beliefs are being constantly refined with respect to additional input

I believe that's a good answer ;)

WalksWithCrowsMarch 4, 2015 12:20 AM

@Snijder

Oh please. Clearly I was just making an argument to appeal to the other sort of skeptics. Those who would - at least silently - justify such actions in their foolhardy incapacity to entertain rational, independent thought. Especially anything which is against their social mores.

Despite China having invented Kung fu, war, and chemical warfare I have assiduously pressed the merits of big companies to hire their people. At times. But, of course, to no avail.

But I think you know this...

@sabu 2.0

I hate to comment on someone's name... but which sabu are you 2.0 of? And.. why? If this implies you work for the FBI, maybe you could tell us why they let him hack Stratfor and other US targets? Really puzzling.

gordoMarch 4, 2015 3:11 AM

@ WalksWithCrows

Yeah. I just am concerned that people are expecting true defense from agencies which are really tasked with offense.

That reminds me of an interview from the 90s that I came across a while back. What I found interesting about it was “...why most efforts at computer security have been defeated.” ... thus again, then, "tasked with offense."

Warrior in the Age of Intelligent Machines: The Pentagon's resident visionary, Andrew Marshall talks to Peter Schwartz about why everything you know about war is wrong.

Wired, Issue 3.04, April 1995
http://archive.wired.com/wired/archive/3.04/pentagon.html?pg=1&topic=&topic_set=

[front matter....]

Wired:You've been talking for some time about a coming revolution in military affairs. What do you mean by revolution?

Marshall: Information and communications technologies will change how conventional battles are conducted. Instead of bombing factories, the aim may now be to penetrate information networks. As more and more of the economy of any given country is embodied in its information systems, that country will be more vulnerable to disruption.

[....]

Wired: Until now, all the wars we have fought essentially have been nation against nation. But the opponents in this new kind of conflict are probably less likely to be nation states.

Marshall: Probably. There may well be an increase in guerrilla warfare because new technologies may increase our vulnerability to it. We are living in the equivalent of the early 1920s, when tanks, airplanes, and later radar and radio were new, and people weren't sure what they were or how to use them. We have only preliminary ideas about how today's technology is going to change warfare. But it will.

In the old world, if I wanted to attack something physical, there was one way to get there. You could put guards and guns around it, you could protect it. But a database - or a control system - usually has multiple pathways, unpredictable routes to it, and seems intrinsically impossible to protect. That's why most efforts at computer security have been defeated.

[....]

Wired: How would you characterize the way you approach problems, the way you work, as opposed to other military thinkers? They've kept you around for a long time. Obviously, there's something you're doing that's different.
Marshall: Well, we are not in the business of supplying answers. We say, These are the major things you ought to pay attention to. It's important that the people in this office not be offering solutions, because if people get to be supporters of particular solutions, it tends to corrupt the diagnosis. This is very different from the business model, in which it's commonly held that if you come up with a problem, you better come up with the answer at the same time. Advocating a problem and a solution simultaneously inhibits the ability to solve problems.

Clive RobinsonMarch 4, 2015 3:16 AM

@ Nick P, and others,

There are still other problems with information based backdoors.

Whilst information is often considered ephemeral in practice these days it's anything but if a little care is taken, and NSA Bluffdale is a good indicator that the NSA has cracked that problem, along with "collect everything" from "everywhere".

Thus you have the issue of secure key transportation, from your third party repository HSM to the deputized agency, then secure key transport issues to the place and people who are going to use it in a way that the key can not be revealed to any of them in plain text form. Because if it's collected in plaintext form it alows plaintext attacks on the transport keys to be attempted. Similar reasoning applies to all steps of the KeyMan issue.

However there are a number of legal issues that have to be dealt with, the first is legally privileged information, in the UK for instance despite the draconian powers grabbed via RIPA some things are regarded as privileged such as "signing keys" and other pieces of information that could alow impersonation, communications of a legal nature, communications of faith, and still communications with journalists, medical information etc. As many now know these are nolonger considered privileged in the US and other jurisdictions. Which opens up a significant hole, as a UK resident who is not traveling outside the UK how are UK jurisdictional restrictions to be kept in place, if my phone backdoor key was granted to the US based on a warrant issued by the DoJ.

Further there are warrant issues, normally they are not perpetual "fishing licences" for good and proper legal reasons. So not only do they have very short time duration they are specificaly limited to the scope of objects that fall within them. Further there are also rules about the retension of objects, be they tangible or intangible.

How do you ensure correct compliance at all times?

You will on a little thought realise that this can not be done by issuing root keys to leaf agencies. You can only do it by reversing the process, which is the leaf agencies submit ciphertext to a root agency which decrypts it then hands the plaintext to an arbitrating court that checks it for validity with the appropriate jurisdictional rules for the time and place the ciphertext was obtained and the limits of the warrant, prior to releasing to the leaf agency. Trust me when I say that the resulting boondoggle will be the only acceptable compromise solution to all countries for their own "National Security" and "sovereignty" issues.

VimsMarch 4, 2015 5:10 AM

So the problem, dear Schneier, is that you *can't* technically choose security. Even the most sophisticated end-to-end encryption scheme falls prey to weak password, social engineering, employees running amok, and so on.

So what do we do when you can't actually choose security?

We educate people to operate on the assumption that everything you do and say is potentially known to a third party. That's why snail mail worked for centuries. Yes, governments probably checked some of the packages, and yes, your neighbor may have been peeking at or inside your envelopes. You assess the risk, and take some level of chance. There are no guarantees, because it's not possible to guarantee anything.

So we try our best to protect our communications with the bank and to protect our privacy, but never assume there is such a thing as absolute security or privacy. I does not and can not exist.

Dirk PraetMarch 4, 2015 5:29 AM

@ Rolf Weber

I recommend you read the following article:

I just did. It's an opinion of a USAF Cyber Warfare Operations Officer who has formerly served in the IC. The last sentence on the article says: "This piece should also not be thought to validate or confirm any leaked information. It is intended as a critical look at sole sourcing documents for use in debates."

I agree that some inside subject matter expertise would be more than welcome to shed some additional light, but wich the NSA is not really forthcoming with. In absence thereof, it certainly doesn't mean we should dismiss them all together, which is what you've been consistently doing.

AnonPersonMarch 4, 2015 6:38 AM

Shouldn't the creators of these leaky standards that permit exploitation hold some of the responsibility? Sure the USG spends money to develop exploits, but so do other nation states as well as non-state actors. The internet is quick to rage when Microsoft introduces security vulnerabilities and fails to patch updates in a timely manner; we don't get upset at the discloser or even the multitude of exploiters (some of them are even glorified). Blaming Microsoft or Google or Target for their problems makes sense to me because they introduced them. Frustration with a government discovering and using security problems for national defense is completely misplaced.

Minty FrogMarch 4, 2015 7:00 AM

Does not a "moon" refer to a lunar month of 29.53 days?

4141 days would thus be ~140 moons.

"140 moons ago" is, by most definitions, "many", or at least "a goodly amount of".

Some might object to the non-canonical units, however, and prefer

"A hair under 300 million micro-fortnights ago...".

WaelMarch 4, 2015 7:51 AM

@Minty Frog,

It depends on the context and culture. It may very well mean a lunar month if you say "new moon" or "full moon". It could mean a day, since the ancients distinguished the start and end of a day with the sunrise or moonrise. I tend to agree with you, though! your understanding makes more sense at least for the Native Americans.

MADMarch 4, 2015 7:53 AM

This reminds me of the nuclear debate, either everyone should have them or no one. In this case Mutually Assured Exploitation could become a thing.

Clearly the fewer people who have nuclear weapons the better. So this would mean vulnerabilities could be classified as weapons (so the crypto wars become the vuln wars). Of course vulnerabilities aren't required for surveillance currently, but you can see it happening.

Nick PMarch 4, 2015 11:03 AM

@ Rolf Weber

That's all you have? A speculative write-up by a pro-I.C. guy who *guesses* the PowerPoints might have been like the garbage he encountered. Reading the actual PowerPoints and PDF's, it's clear that many describe day-to-day technical capabilities, organizational intents, and practices. They're also quite consistent even when written by different authors or in different programs. That's called corroboration for anyone wondering. On top of that, various malware and 0-days have been found that correspond to points in the leaks. A firm even found one with the same code-name that was hitting targets U.S. would be interested in while using similar tech to the leaks.

Of course, even if I didn't know that, the U.S. government already authenticated the slides and their importance by how they panicked over the release. As Dirk noted, they went to unusual lengths to hit him and anything connected with him. This included getting a diplomatic flight intercepted. I can't recall the last time they did that. They're not saying anything past that because many are alleging the programs are illegal. The last thing they're going to do is give a confession to be used against them.

Clearly, that you find opinion pieces by non-NSA personnel to be more accurate than thousands of TS/SCI documents about TS/SCI programs says more about you than the leaks.

WalksWithCrowsMarch 4, 2015 2:47 PM

@gordo

Very interesting. Very prescient of the fellow.

Wired posted recently on a cyber Manhattan Project which they found mentioned "as early as 1997", which was interesting to me because I found an earlier mention, posted here in 2013 under the pseudonym "Michael J". That story was posted in the Pittsburg Post-Gazette in 1996. July 17, 1996. It states that the government began work after the Oklahoma City bombing in 1995.

https://www.schneier.com/blog/archives/2013/04/narratives_of_s.html#c1256016
http://news.google.com/newspapers?id=hKRSAAAAIBAJ&sjid=m28DAAAAIBAJ&pg=6819,244612&dq=clinton+manhattan-project+computer+cyber&hl=en
http://www.wired.com/2015/02/americas-cyber-espionage-project-isnt-defense-waging-war/

The Wired article links this to the Equation Group Kaspersky recently posted on. I think it probably is a little bigger and more sophisticated then that, though it is possible the "Equation Group" is part of that.

My interest was triggered a few years before when an associate passed me a book on the manhattan project, secrecy, and government projects. (I can not find that book right now on Amazon and no longer keep a copy. I did also read the Rhodes book on the subject. That was probably 2007, 2008.)

One of the earlier projects by the DoD in computers was a cover management system, back in the 70s, 80s. I only know about it because one of the primary developers became a traitor and so became a part of the US Army Counterintelligence project... which in turn, the story ended up in a memoir of an us army spyhunter.

... looking up "Andrew Marshall"...

http://en.wikipedia.org/wiki/Andrew_Marshall_%28foreign_policy_strategist%29

Marshall has been noted for fostering talent in younger associates, who then proceed to influential positions in and out of the federal government: "a slew of Marshall's former staffers have gone on to industry, academia and military think tanks."[8] Dick Cheney, Donald Rumsfeld, and Paul Wolfowitz, among others, have been cited as Marshall "star protégés."[9]
In an interview in 2012 the main author of four of the Chinese defence white papers General Chen Zhou stated that Marshall was one of the most important and influential figures in changing Chinese defence thinking in the 1990s and 2000s.

Quite a figure. April 1995 is the date of the Wired article. April 19, 1995 was the date of the Oklahoma City bombing which the 1996 links to being a pivotal event in the creation of the cyber manhattan project.

I mention the cover management system because if you want to create a manhattan project dealing with computer security, which started around 1995... well, you have a problem. A hallmark of that project was a "cell" based organizational structure, where there was intense compartmentalization. If you create that structure around a major site, that major site becomes a weak point in the entire structure. Besides that everyone involved, or just about, goes there... there is also the possibility of cross talk among employees.

That is a serious problem for nations. If everyone undercover goes for training at the Farm or Quantico, then those two sites become chokepoints for foreign adversaries to identify them. If all your undercover agents work at a singular site, then if foreign adversaries discover that site, the game is over.

Noting here, in this equation, that the hallmarks of such a project may be: many well trained individuals, where each individual is compartmentalized, and each cell is further compartmentalized from the other. Assuming you also want to use undercover agents, you then have the problem of managing their identities, from storage, to authentication, creation and destruction of identities... and this also has the related problem of creation of records and management of records supporting the legend, including the capacity to create documents, badges, and the like.

Undercover agents would be necessary in such a system at the very least for connecting the various cells together. That gives plenty of room for the far safer groups, and likely far more numerous: those who have no idea whatsoever that they are working for the government at all.

Might they have predicted the coming technological advances of social media and other aspects of 2000s+ Information Technology which would deeply impact the problems of maintaining cover organizations and individuals? In both a positive and negative way?

This does tie into the topic, if one considers that backdoors often relied on may already exist in the form of intentional & unintentional security vulnerabilities. You need, for that, hackers recruited. You need hackers controlled. You need hackers trained. You definitely want to be able to create them.

You also need defense. In fact, the entire structure needs very strong defense, but there are many other components of defense. Not a few which would fall under the category of counterintelligence. In fact, the entire system could have been very early on seen as a counterintelligence superweapon.

After all, if it was founded with defense in mind from the very start... with knowledge of existing attacks at the time which had dual 'latent sabotage' & intelligence gathering purposes... you definitely want to learn from those attacks, attack back, and above all control the intelligence and sabotage efforts.

Of course, all a very entertaining fireside story, but it is all merely conspiracy theory. (If anyone knew anything either directly or indirectly, the last thing they would want to do is ever post details of the big picture online or in any manner in public.)


WalksWithCrowsMarch 4, 2015 3:53 PM

@AnonPerson

The internet is quick to rage when Microsoft introduces security vulnerabilities and fails to patch updates in a timely manner; we don't get upset at the discloser or even the multitude of exploiters (some of them are even glorified). Blaming Microsoft or Google or Target for their problems makes sense to me because they introduced them. Frustration with a government discovering and using security problems for national defense is completely misplaced.

I probably brought the subject up as I have worked in that area. The point is not frustration that a government would do such a thing. The point simply is that they do not need established backdoor systems. Every software already has vulnerabilities. Every government with an aggressive and well funded spy program already relies on these. That system works. Why fix what is not broken. (Or are they, really.)

There is a related problem, however. That is that this situation means it has become "not in their best interest" - any such government's best interest - to have these bugs found and fixed. And it even can become in their best interest to get people in as software developers or find means to control software developers to intentional put in vulnerabilities. Protection of innocent users of these software products becomes put to the way side. In fact, if they do even get hacked by such vulnerabilities, that can tell a government many things, and provide many avenues of very valuable work from these incidents.

It is, however, simply gaming 101. It becomes an open market which thrives on competition, and therefore tends to produce excellence. If bugs are found and fixed, no loss, and much gain. If they are not, no loss, and much gain. So while competitors, they actually work together in a very much win-win economical system.

@MAD

I think that the parallel with the cold war and the MAD behavior is a very strong model for attempting to analyze this problem. For whatever reason. Of course, there are many key differences. And we have much more insight into that old problem which has come from the unqualified visionary glasses of Very Good Hindsight.

@Rolf Weber

I think that Nick P & Dirk Praet both already well commented on the fact that the analysis you linked to is invariably biased. Nick P added the fact that the papers were treated and continue to be treated "as if" they very much are the "crown jewels". My only comment on that matter is as what I originally pointed out: what is not said very much can be very powerful in persuasion. Even moreso then by saying something in an intentional lie. Which is why so many and so much resources are put into censorship.

This is natively true in any PR campaign, as well. Information may be massaged and prettied up to make a point. But ultimately there will always be information not said which is key to understanding.

Look across history and see how one person or organization said one thing, and finally, what they were not saying comes out and destroys them. For instance, the fall of Paetreus. He probably said and did many good things, but what destroyed him was what people did not know.

There is, as well, very much an inverse principle to this...

But, hence, the problem of biased authors. If you read that article and take it at face value without considering all other points of view, you most surely are willingly subjecting yourself to willful ignorance & so literally blinding your self. Plucking out one's eyes is something an enemy would do to you. Not something people really want to do to themselves. Isn't it?

@Clive Robinson

Very good analysis & finding of a critical, additional point.


SkepticalMarch 4, 2015 4:17 PM


This is a fascinating discussion, with lots of good points and interesting links. @AlanS, I appreciate the recommendation and will take a look. @Nick P et al, I appreciate the greater elaboration of the factual claims and logic behind the arguments.

There are probably accepted terms of art for what I'm about to say (and I'll be grateful for anyone who supplies them) but since I don't know what they are...

Let's distinguish first between different types of access. There is access to systems, and then there is "access" to the plaintext of a ciphertext, and the two are not necessarily coincident (though each might enable the other under some circumstances).

So, no doubt demonstrating my own ignorance, I'll call these two things "device access" and "decryption access" - and of course they enable one another in certain circumstances.

In addition, we can distinguish between the technical mechanisms of access at a high level. There is "access by design" (i.e. access to a device or to plaintext via a method that is included by design for such access) and there is "access by exploit" (i.e. access to a device or to plaintext via a method not included by design and which leverages an unintended vulnerability).

We can distinguish between types of access by public and/or user awareness of their existence. "Public access methods" are those which are known to the public (e.g. to access the content of a web-based email account, one can enter the appropriate username and password at the appropriate site); "non-public access methods" are simply those which are not known to the public.

And then we can combine these types in various ways. For example, for non-public access methods, some may be by design and some may be by exploit.

The deliberate and clandestine insertion of vulnerabilities into cryptographic implementations, or into an encryption algorithm itself, or into a device or system, would result in non-public decryption (and/or device) access by design methods.

As I understand matters, these access methods are currently of the greatest concern to many. This concern derives from two possibilities: (1) that the non-public access by design method has a greater probability of government abuse by virtue of its clandestine nature, and (2) that it has a greater probability of having vulnerabilities that could allow it to be used by entities other than those for which its use was intended.

And this brings us to what was missed in the casual dismissal of Rogers's repeated emphasis on a legal framework with respect to enabling lawful access.

Rogers seemed to be indicating the possibility of a framework in which an access method would be public (i.e. known to exist, and perhaps even published in detail) and by design.

This would have several virtues. Foremost among them would be that, being both public and by design, the access method would be subject to greater scrutiny and control. Safeguards both institutional and technical could be built to lower the likelihood of abuse to some acceptable level.

Some seem very concerned with key management. While this would - and this is only the impression of someone highly ignorant of these matters - be a key issue in any discussion, one can envision various institutional and technical means of safeguarding against widespread abuse and widespread compromise.

Among those means, for example, one could imagine a key management system whereby a government agency is only able to acquire decryption access to a specific set of ciphertext if that agency receives two additional keys, from a private company and from a court, to use in addition to the internally authorized and audited use of its own key.

And there are many challenges to how something like that could be set up in a manner that is itself secure, convenient, fast, resilient, extendable, and modifiable.

But it's very hard for me to understand (which means little, I'll grant) why the very possibility of a system should be dismissed at the outset as something obviously impossible, like a square circle. Metaphors like holes in a windshield merely underline an individual's conclusion - they don't show us the reasoning that supports the conclusion.

There are additional issues to consider with such a system - what exactly are we enabling access to, how will this function in an international context, how effective would such a system be, what are the possible ways in which it could fail (and what would the consequences of each be), etc.

So it's a big, big discussion. I imagine that there must be some in-depth research and discussion on the matter published in various places - so, if anyone has any recommendations in addition to AlanS's...

WalksWithCrowsMarch 4, 2015 4:28 PM

@Someone else On the internet

Very good quote. I did not even realize my "other countries will demand it" point was covered in that exchange. And what a curious response:

This simplistic characterization of one-side-is-good and one-side-is-bad is a terrible place for us to be as a nation.

How forward looking of him.

This means they are very much aware and willing to share the key with other nations. Technically, that presents some problems. Morally, it does as well. And political, as previously mentioned. Maybe instead of sharing the private key they plan, instead, to provide an USG - onshore system - which other countries could rent from them. Probably with a nice interface and user name and password system so they can log in, log out, and only get what they are qualified for to get. Or maybe another way. But, this would also have these other countries creating the exact same systems for their software vendors who are in their nation, and the USG would surely expect a quid pro quo.

Anyway it goes, because it violates principles of least privilege & other aspects of security garnered by compartmentalization... it means the system would be eminently hackable and abusable. Even moreso then if the fairy tale of a story "we will protect the key" if the people with access to it included every US leo & intel agency. Besides the whole "how do you control what data they will have access to and evade the problems of backwards surveillance and warrant systems" which Clive Robinson pointed out?

I have to admit, this does make me feel all kind of warm and fuzzy, however. All those intelligence and leo getting together and working together in comradely spirit against that most villainous of villains: the law abiding citizen.

Reminds me of the plot strain in the "Watchmen": the nations come together over a now common and shared enemy, and international peace results.

Ozymandias & Rorschach... you have nothing on the brilliance of the USG.

SkepticalMarch 4, 2015 5:09 PM


@Dirk: I agree that some inside subject matter expertise would be more than welcome to shed some additional light, but wich the NSA is not really forthcoming with. In absence thereof, it certainly doesn't mean we should dismiss them all together, which is what you've been consistently doing.

Well, this isn't entirely true w/r/t NSA shedding additional light. The extent to which NSA or other intelligence officials will help a journalist understand a leaked document depends to some extent on the trust that the NSA or other intelligence officials has in that journalist.

By trust, I don't mean a sense that the journalist will only publish claims helpful to the Intelligence Community or to the USG. Instead I mean a sense that the journalist is someone with whom an honest conversation can be had, that the journalist is interested in reporting accurately and not merely interested in pushing a particular cause, and that a conversation can be had with confidence that what is said will remain (if agreed upon beforehand) confidential or (if not so agreed) that what is said will at least be reported with reasonable accuracy.

There's no question, for example, that the USG has discussed these documents, and in some cases explained them, to various journalists who have published stories on the Snowden archive.

And there is no question that, as a result of that additional information, in some cases the journalists realized that a particular group of documents forming the basis for a story were completely misleading, and that as a result the story in such cases was not published.

In other cases, of course, the same journalists published on matters even when asked not to by the USG, or when their interpretation of some documents was disputed by the USG.

But there's going to be much less cooperation where the journalists involved have taken an explicitly adversarial stance towards the USG. What comes immediately to mind is Greenwald's threat to release particularly damaging information as reprisal for the detainment of his partner in London for several hours, and other statements he's made about his model of journalism and his approach to these stories.

The result isn't that Greenwald's reporting has been more revealing or more accurate than those of journalists who have not made themselves as much a part of the story. Instead the result has been that Greenwald's reporting has sometimes been less accurate, and more speculative, because it depends on more incomplete information. And let me clarify that I don't think Greenwald lacks dedication to certain norms that would result in at least some advice from the USG. I have no doubt that Greenwald would not release information if shown it would specifically cause harm to particular persons (or particular groups) at high risk of such harm, for example.

QnJ1Y2UMarch 4, 2015 7:41 PM

@Skeptical

What comes immediately to mind is Greenwald's threat to release particularly damaging information as reprisal for the detainment of his partner in London ...
Citation needed. The closest item I can find is this quote:

I intend to publish all the documents I have. The more threats I get from the US and UK, the harder I will work to publish this information.

Dirk PraetMarch 4, 2015 9:23 PM

@ Skeptical

There's no question, for example, that the USG has discussed these documents, and in some cases explained them, to various journalists who have published stories on the Snowden archive.

Several journalists and media outlets have indeed confirmed that they talk to USG officials prior to publishing their articles. That's common practice in journalism anyway. It stands to reason that said officials will have commented on the proposed articles, but it is impossible for them to have explained or "corrected" any interpretations of these documents - even off the record - for the simple reason that they can't. Unless documents in question have been declassified or the journalist/editor in chief has been given a security clearance at the appropriate level, they are not allowed to discuss them. And somehow I doubt that Greenwald, Poitras and others have been cleared for access at the levels specified in these slides.

@ Clive, @ Nick P., @ Buck, @ AlanS

However there are a number of legal issues that have to be dealt with... legally privileged information...warrant issues...rules about the retension of objects...correct compliance...

All spot-on.

You can only do it by reversing the process, which is the leaf agencies submit ciphertext to a root agency which decrypts it then hands the plaintext to an arbitrating court that checks it for validity with the appropriate jurisdictional rules for the time and place the ciphertext was obtained and the limits of the warrant

Which in practice will never fly because of the latency involved in the process. I don't see any TLA or LEA submitting requests to a supranational authority and under an adversarial process. They wouldn't stand for it because of unacceptable delays in acquiring the keys and the info they need. That's after all the exact reason they have the FISC in the US.

Technically, I do think it is possible to build a secure KeyMan system if from design specifications to operation it was left to a group of dedicated, incorruptible engineers with no allegiance to anyone. For logging and auditing purposes, a particularly hard element in both design and implementation would be fine-grained identity and access management, not from a technical but from a functional angle. Another hard nut to crack is coping with partial or full breaches of the system and a mechanism to revoke existing "golden keys" and replacing them with others. So is key transport, as earlier pointed out by @Clive.

In reality however, every stakeholder (read: nation state) in every stage of the project would be trying to subvert it as to maximise his own access and minimise that of others. Project team and facility would from day 1 be infiltrated by countless secret agents. The only way to avoid this would be by a binding international treaty in which all signatories pledge to refrain from any form of tampering or other interference with the system, either directly (political pressure, subversion) or indirectly (espionage). And at the penalty of being temporarily or permanently locked out of the program. Personally, I don't see that happening anywhere soon.

SoWhatDidYouExpectMarch 4, 2015 9:23 PM

I think this counts as a legalistic cyberattack from within...

White House Threatens Veto Over EPA "Secret Science" Bills

http://science.slashdot.org/story/15/03/04/2254242/white-house-threatens-veto-over-epa-secret-science-bills

That is, the proposed regulation to restrict or constrain science in matters of the EPA.

I mean, what is the EPA but science? We have been using science for years for the good of mankind but now the buffoons in Congress want to control science so that it only does what they "think" is ... I don't know what they can possibly be thinking.

Rolf WeberMarch 5, 2015 1:40 AM

@Dirk Praet, Nick, WalksWithCrows

I don't say we should dismiss all documents. I say we should read them carefully and try to imagine the context the were written. We should stop to blindly trust the interpretations of highly biased "journalists". I repeat myself, the most "shocking" "revalations" were all bogus: The "direct access" was completely untrue, BOUNDLESSINFORMANT was heavily misrepresented, and the "great SIM heist" is still without any evidence. "We think we have their entire network" from a PowerPoint slide of which nobody knows the context is no evidence at all.
And Appelbaum derives from a PowerPoint slide that IPSec and SSH are broken. What a bullshit.

There were some interesting and revealing documents, even PowerPoint slides, yes. But almost everything that came from Greenwald, Poitras or Appelbaum was biased crap.

gordoMarch 5, 2015 3:08 AM

@ WalksWithCrows

Of course, all a very entertaining fireside story, but it is all merely conspiracy theory. (If anyone knew anything either directly or indirectly, the last thing they would want to do is ever post details of the big picture online or in any manner in public.)

In the meantime, and, slightly tongue-in-cheek, as another story has it...

...burgeoning technologies require outlaw zones...Night City wasn’t there for its inhabitants, but as a deliberately unsupervised playground for technology itself. (Gibson 11)

---

Gibson, W. (1984). Neuromancer

Mike (just plain Mike)March 5, 2015 5:11 AM

@WalksWithCrows (and @gordo)

Of course, all a very entertaining fireside story, but it is all merely conspiracy theory...

That got me thinking (and reaching for the bold tags). You say, regarding the idea that the thrillingly named Cyber Manhattan Project may have started around 1995:

Might they have predicted the coming technological advances of social media and other aspects of 2000s+ Information Technology [...]?

What if those “technological advances of social media and other aspects of 2000s+ Information Technology” were/are actually the products of the Manhattan Project? What if FaceBook, Google, Twitter et al all actually originated with and are guided by The Project? Fiendishly clever combinations of technology and social engineering right from inception – involuntary self-contributing population-wide surveillance systems in which every prole continuously and happily spills forth data on their ongoing interests, opinions and social relationships – and those who refuse to participate stand out like sore thumbs. Keeps us all safe from the enemies-within – fun to use – and, of course, it’s all free! What’s not to like.

You also say:

If anyone knew anything either directly or indirectly, the last thing they would want to do is ever post details of the big picture online or in any manner in public.

Doooooh.

name.withheld.for.obvious.reasonsMarch 5, 2015 7:36 AM

@ SoWhatDidYouExpect

That is, the proposed regulation to restrict or constrain science in matters of the EPA.

Legislation, public law, finds science as an enemy...

Research in microbial and genetic agents, elements of nuclear science, specific material science, and other scientific research that is or considered a component of a weaponized material. The research is restricted to registered federal laboratories, if your working on your garage on a Delorean, installing a "flux capacitor" will find you in violation of public law.

I can see these restrictions moving up the chain until the only independent research one might entertain on their own is probably sized (not big enough to carry an of the above that have been weaponized) basket weaving.

name.withheld.for.obvious.reasonsMarch 5, 2015 7:39 AM

Follow-up:

Their are several reports from the Congressional Research Service that enumerate the legal constraints related to science and federalization of research. Look for it on duckduckgo using "CRS science legal federal laboratory weaponized agent" string.

Dirk PraetMarch 5, 2015 9:48 AM

@ Rolf Weber

We should stop to blindly trust the interpretations of highly biased "journalists".

Nobody does, Rolf. These documents have been studied by countless other analysts, infosec people, civil liberties organisations, you name it. And indeed, you are reiterating yourself, especially on the direct access topic which you have been going on about ever since the first PRISM stories broke. And without revisiting that issue yet again, what does it matter anyway whether it's direct or indirect access if the access is there quite alright ? The NSA has been tapping into traffic between data centers, at least two PRISM partners but probably all of them have been served NSL's. I could go on. That's a purely semantic discussion to distract attention away from the real matter at hand.

Whether or not the current interpretations of Snowden's slides are 100% factually correct, the fact of the matter is that the NSA and its partners have unleashed a secret, global surveillance dragnet unparalleled in the history of mankind, and which you are still completely in denial about. In essence, you're missing the bigger picture by blindly focusing on what in your expert opinion are incorrect interpretations of certain documents and programs that neither you or the rest of us can either prove or refute.

Feel free to interpret these document any way you like: overstated internal PR to boost morale, outright lies ("We think we have their entire network") or harmless PoC's for targeted surveillance and subversion techniques in search of terrorists only. Fair enough, but I'm not buying it because, frankly, your entire case is based on FUD and distraction only.

Clive RobinsonMarch 5, 2015 11:27 AM

@ Dirk Praet,

I don't know where Rolf is located, but his posting times have suggested the EU in the past. Which may well mean he does not have the protected right of free speech that one or two places enjoy.

I gave up trying to point out his attitude was at variance with verifiable information the first time around, as did several others which might account for why he stopped posting for a while. That said as much as I disagree with his position for valid and verifiable reasons, he is I guess entitled to try to justify his.

He is not the only one with opinions counter to what can be verified, and whilst it is an initial act of kindness to point out the differences between their beliefs and verifiable information, it quickly gets to the point where you know they are so entreched in their outlook they are not taking things on board any longer.

With regards the "back door" issue, whilst I agree that what I suggested appears unlikely, I can not see nations ceeding their sovereignty to other nations without a whole load of safe guards and specialised treaties and importantly "national security" protections.

The alternatives will work even less well, imagine a phone which has 270 odd backdoors "just in case" you visit one of those countries. We already have seen India and other countries demanding access to phones being used in their countries for what we would regard as human rights abuses and industrial espionage.

It will get to the point where people will stop using mobile phones and computers with any kind of international connectivity. The economic damage this would cause whilst not quite "incalculable" is certainly going to be extrodinary.

Nation states are therefore going to have to ask themselves serious questions about what is important, their perceived right to eavesdrop or the ability of their economy to function in a modern world. If you look at some nations such as India, their economy is increasingly based on global information exchange via electronic communications, whilst politicos can be extreamly selfish, self opinionated and myopic to the point they cannot see where they are going with their policies, large corporates and other revenue paying organisations can...

Whilst common sense is notable for it's distinct lack of commonness I would hope that even the politicos are not suicidaly stupid (even though there is plenty of evidence to suggest they might be with their "selfies" etc).

What I don't want and only an idiot would welcome is every nation "hacking" anybodies and everybody's devices, they are fragile enough as it is, which is why some malware authors have in the past "patched up" the devices they have hacked into, to avoid others making the device so bad the user is forced to get it cleaned up etc.

CallMeLateForSupperMarch 5, 2015 11:44 AM

Hmmmm.... Slashdot presents a "Accptor les Cookies" button and stops cold.
Bad Slashdot! Bad!

Clive RobinsonMarch 5, 2015 11:47 AM

Silly Suggestion of the Week Nomination

Just heard on BBC Radio 4...

A report to Government Ministers has suggested that "Mums Net" should be used to recruit "spys" for the Intelligence Services".

Apparently, whilst women represent 50% or more of UK government departments, when it comes to Intelligence Officers it's over 2/3rds male.

So all you ladies with your 2.4kids and 0.7 Golden Labradors, tired of reading Fifty Shades of Grey and disproportionately populating cafes and other places with your baby buggies, step forward your country needs you to be a new Marta Harrie / Bond Girl ;-)

WalksWithCrowsMarch 5, 2015 12:45 PM

@Mike (just plain Mike)

You also say:
“If anyone knew anything either directly or indirectly, the last thing they would want to do is ever post details of the big picture online or in any manner in public.”
Doooooh.

To some readers, but not to others. Also, it can waste time for someone if they thought I believed this. I do believe there is something "like this" going on, if one changes around some details and considers some major component is left out which makes it irrelevant to say. Such a thing as one might guess, but would immediately dismiss, and continue to dismiss even if it came up again. People very rarely are an "L" who can put together very disparate parts of a jigsaw puzzle, finding one which they can't believe could possibly fit, and dare to actually even so much as to try it and see how it works when they do.

Reality is very consistent, and human minds like to complete the picture. If a purple gorilla walks across the stage, it does not matter, we would not see it.


What if those “technological advances of social media and other aspects of 2000s+ Information Technology” were/are actually the products of the Manhattan Project? What if FaceBook, Google, Twitter et al all actually originated with and are guided by The Project? Fiendishly clever combinations of technology and social engineering right from inception – involuntary self-contributing population-wide surveillance systems in which every prole continuously and happily spills forth data on their ongoing interests, opinions and social relationships – and those who refuse to participate stand out like sore thumbs. Keeps us all safe from the enemies-within – fun to use – and, of course, it’s all free! What’s not to like.

Angel investors with covert backgrounds and agendas. All of this technology was predictable and had very early precedent. If you control the money, you can probably get a few people in there at a higher up level. And do so claiming entirely different reasons. Once you have one or more in there, then you have an open backdoor for future hiring & contracting purposes.

You can also ensure success of a company, besides just from funding, but also from a variety of ways of quietly dealing with competitors. But the key ingredient here is very necessary: to be very good at getting behind already very promising products and people.

This can be done by being able to weather failures, and by having the backing of research in emerging technologies which is top notch. Think tanks. Research departments. Very forward think defense contractors with proven histories of success.

Example of a very worthwhile trick: a singular individual can perform intensely powerful work if they are but "the face" where their job is primarily to get that work from teams of other people and present it as if they were working alone.

So not hard to create stellar people who quickly rise into key positions.

I would only add here, more interesting even then the possibilities of relevancy guided social media are security systems, including anonymizing ones, such as Tor which now is effectively the backbone of the "darknet". And, I would add, that most of the players in this game - including think tanks - would probably have no idea of what their work is being used for. Therefore, keeping the numbers involved in any singular product very small, which reduces the risk for disclosure.

So, disclosures "like PRISM" are irrelevant. Treading ground already treaded. Valuable irrelevancy, as it deepens the cover and strengthens the conspiracy. But, irrelevant, nevertheless.

WalksWithCrowsMarch 5, 2015 1:49 PM

@Rolf Weber

We should stop to blindly trust the interpretations of highly biased "journalists". I repeat myself, the most "shocking" "revalations" were all bogus: The "direct access" was completely untrue, BOUNDLESSINFORMANT was heavily misrepresented, and the "great SIM heist" is still without any evidence.


I wonder how far across the painting you would bring this particular stroke? Would you also include in here, for instance, Mannings disclosures? Would you include in here the HBGary and Stratfor disclosures?

(And with them, all the mini disclosures which were related?)

(Which, if one tallies them all up, are quite numerous.)

If so, or if not, what you are thinking here is, I am very sure, being considered by every foreign analyst and spy thinking on these cases. Probably, torturously so. Allied foreign or enemy foreign or frenemy foreign, combined.

They would find themselves unable to dismiss the thought that maybe - all of this - has simply been a very complicated and sophisticated ruse of the government's counterintelligence department.

Some sources might feed into that possibility, some sources might poker the flame of the already existing doubt. But, they would never really know... for sure.

Of course, if so, then the sheer enormity of such a distraction would boggle the mind. How many systems have they found from resulting internal audits are actually effected? And why would they want to distract the American people and other allies? Why now? And, moreso, what is missing from the picture which all of this does not say?

In fact, they think in such a paranoid, 'mind bending' manner on possibilities... they probably even saw the Patraeus situation as a triple purpose type operation. Intended to be indirect, but with just enough holes in it that they might conclude the government was intentionally trying to have those holes be found. Highly implausible to most readers here, very plausible to anyone swallowing the line which all of this is just for distraction purposes.

Maybe they get closer to the truth when they consider that recent botched CIA job in Moscow, and the ludicrously low tech tools that individual was caught with.

I do not mind saying what is not said: human intelligence. Long term, very deep cover agents operating in their respective foreign governments as "stellar individuals". Because they receive help. A vast improvement on the whole Kim Philby sort of thing.

You wouldn't need many. Just enough to be able to leave that backdoor open when you need it.

Which serves these aims more? To argue that the information is worthless, or to argue that it is devastating in impact?

Really kind of nasty, to be on the watch for disaffected employees, and then put them in a place where they might do what they have a tendency to do anyway. Who is a better "face" then someone who really believes in what they are saying? Can't lie detector them.

You and that ex-USAF fellow seem to be, however, the sort who are simply trying to downplay the value of the information, because you believe the information is just so devastating. Probably even without any manner of intention of dishonesty. Or maybe you both just really see the information as being overly hyped and really 'much ado about nothing'. Kind of hard to say.

I suppose we will all find out sooner or later. Like, you know, when those target regimes have their silent, shadow coup.

If that has not already taken place.

WalksWithCrowsMarch 5, 2015 2:22 PM

@Skeptical

Greenwald's reporting has sometimes been less accurate, and more speculative, because it depends on more incomplete information. And let me clarify that I don't think Greenwald lacks dedication to certain norms that would result in at least some advice from the USG. I have no doubt that Greenwald would not release information if shown it would specifically cause harm to particular persons (or particular groups) at high risk of such harm, for example.

The "Kill the Messenger" scenario can show just how incorrect this sort of thesis can be. Summary: reporter discovers that the CIA was working with major drug barons in Nicaragua. He followed back the story, obtained more information to it, and presented it. Teams of reporters were created in major American newspapers to attack the story. He was eventually effectively forced out and the story shut down. Later disclosures added more substantiation to it. No matter, he never worked for a newspaper again, and ended up killing himself with two bullets to the head some seven years after, on the very anniversary of the day he left.

On the surface, it all seems absurd. Surely, his reporting was just as atrocious as these "Get Gary Webb teams" made it out to be. Nothing to see here, move on. And who would ever suggest that this reaction was anything but internal, motivated by professional envy.

Only, he was right. Duh. Of course the CIA works with whomever is in power, and wants to keep trustworthy allies in power. This happens all over the world, and there is a very lengthy record of this. As critical as the "war on drugs" was, fact is, someone is going to provide the supply.

Point being: major, respected American media outlets are deeply biased. Does not mean they may be devoid of any manner of journalistic ethics & professionalism. Because, after all, there are plenty of stories they do not and will not report on, often because they are too dangerous, too important to do so. Their audience, after all, wants to hear what their itching ears long to hear. That, is where the bias comes in and stays at.

Bias is not just right wing or left wing, and the extremities of either two. No, there is another insidious bias far more powerful and dangerous even then that. It is the bias of the moderates.

That is the particularly blinding bias. That is the sort of bias which makes major social change truly difficult to gather steam. It is invisible. The majority - of both and many other arms - believe it. It must, therefore, be true.

Yet, how often in history has it been, through a very wide variety of social change mechanisms (including scientific) where what was once believed by all, or surely most, in later years is shown to have been patently barbaric and absolutely absurd?

Then, they could not see, for instance, the "flat earth" theory as being what it was. What, today, are the modern equivalents? No one would know today, anymore then their ancestors knew yesterday.


Nick PMarch 5, 2015 2:56 PM

@ amazombie

Zack's post is one-sided, misses huge parts of the discussion (esp Indian police corruption), is likely disinformation on Chinese part (unintentional), and way off on Blackberry being secure. I give full details here in my reply to him. I emailed it as a Pastebin due to comments being closed and a web app for contacting him.

WalksWithCrowsMarch 5, 2015 3:49 PM

@gordo

In the meantime, and, slightly tongue-in-cheek, as another story has it...

...burgeoning technologies require outlaw zones...Night City wasn’t there for its inhabitants, but as a deliberately unsupervised playground for technology itself. (Gibson 11)

:-) Well, it is *fun* for the inhabitants, I am sure.

If your work is not fun, then what, really is the meaning of it all? Life. And all that?

WalksWithCrowsMarch 5, 2015 4:01 PM

@Clive Robinson

Apparently, whilst women represent 50% or more of UK government departments, when it comes to Intelligence Officers it's over 2/3rds male....step forward your country needs you to be a new Marta Harrie / Bond Girl ;-)

That is positively shameful. Also means the shows like the game, spooks, worricker, tinker tailor were all presented entirely realistically & faithfully. But, noooo, it is still an old boys network. And the 70s especially so, if still today. Shame on you brits.

Sancho_PMarch 5, 2015 5:17 PM

@ Skeptical (04, 04:17 PM)

I fall in awe as you seem to find sense in Mr. Rogers evasive rhetoric, you must be experienced in dealing with such airheads.
I really don’t know if he wanted to say anything, obviously he couldn’t.

So it would be only fair to call you “Admiral” Skeptical (from admire, not the Rogers-butterfly).

“But it's very hard for me to understand … why the very possibility of a system should be dismissed at the outset as something obviously impossible, like a square circle.”

The reason simply is no one has defined “a system” to be approved or dismissed [1].
We even don’t know what “they” really mean because asking for a framework and expressing hope to solve problems is just the boss talk we hear every day - so we understand a square circle, and that’s not possible.

Why-oh-why, Mr. Rogers, didn’t you send one of your experts to the stage?
It’s not a shame to be blank, but to be blank + talk is.

As I wrote above , whatever “framework” is thought of, some will bypass it.
As a result we would waste billions to stalk innocents and all the real terrorists, banksters, drugsters, gangsters and Sanchos would slip through.

Nope, it’s not a big discussion, it’s nonsense, don’t crack your head about.

[1]
Well, Nick P made an impressive attempt to explain “something” I think he knows himself to be impractical, but be it more the square or the circle, the basic question isn’t a technical one.
—> The haystack isn’t the target, it’s the needle.

Sancho_PMarch 5, 2015 5:31 PM

@ Rolf Weber (5, 01:40 AM)

Look, this is exactly why most of us ordinary people are furious when thinking about secret, global surveillance:

The stolen (“collected”) data is (was) taken out of context.

But in contrast to the work of criminals these Power Points were brought to the public light by Ed Snowden and “highly biased journalists” [1].

What you call “crap” was from the NSA, interpreted by their own silence.

A honest and innocent USG reaction would have been:
- to accept the breach (sigh)
- come forward to discuss and explain, document by document, in public.
This could have completely restored trust, confirmed American ideals (+ corrected some misbehavior) and sent Snowden, Greenwald, Poitras, … publicly to the desert.

- Could, if the USG were mostly innocent (and wise).

But from their reaction the whole world knew immediately they were mostly guilty.
An undiplomatic plutocracy, gracefully dancing like a rhino.
Bloody cowards, too.

The horror wasn’t the breach, it was the USG (and America’s public) reaction.


@ WalksWithCrows (5, 01:49 PM)

“They would find themselves unable to dismiss the thought that maybe - all of this - has simply been a very complicated and sophisticated ruse of the government's counterintelligence department.”

Of course I can’t tell for all foreign - foreigners (= not Five Eyes), but although we have quite some conspiracists here I feel the average simply found the USG with their pants down.
Believing in a super_bright_global_brain behind is impossible when watching the POTUS and his goats on a nearly daily basis, sorry.
We have similar “corrupticos” at the top, as we always had, that’s not new to us.

However, you are right about the real danger, biased mainstream media - and their manipulating the mainstream people.


[1]
“highly biased journalists” only because mainstream media wasn’t an option, sadly.

SkepticalMarch 5, 2015 6:17 PM


@Dirk: It stands to reason that said officials will have commented on the proposed articles, but it is impossible for them to have explained or "corrected" any interpretations of these documents - even off the record - for the simple reason that they can't. Unless documents in question have been declassified or the journalist/editor in chief has been given a security clearance at the appropriate level, they are not allowed to discuss them.

In fact at least one journalist (a well-respected, very careful journalist at that) has noted that he was readying a story for publication when he was shown that he had misinterpreted the documents used by such a magnitude that he simply killed the story. I'd be happy to provide a citation if you'd like.

As to your reason for thinking this impossible, the USG can determine whether, and what, information - classified or not - to disclose to a journalist in the course of a discussion about stories like these. It'll certainly be limited, and there's plenty that they absolutely won't discuss. The extent to which they do will depend on the circumstances of the individual story - who the journalist is, who the publisher is, what the story is about, what the consequences are if the story is published without additional input from the government, etc.

Sometimes the disclosure is to persuade the journalist not to publish a story. An example might be a story about a kidnapped person's affiliations with the USG. Sometimes the disclosure is to defuse a false story before it is published, especially if refuting it after publication might be difficult for the USG to do without causing additional damage. Sometimes... etc.

There are going to be a lot of variables that affect that type of decision - but those decisions do happen, clearly.

@Walks: The "Kill the Messenger" scenario ...

Hold on. That's certainly not what I'm doing.

... Point being: major, respected American media outlets are deeply biased. Does not mean they may be devoid of any manner of journalistic ethics & professionalism. Because, after all, there are plenty of stories they do not and will not report on, often because they are too dangerous, too important to do so. Their audience, after all, wants to hear what their itching ears long to hear. That, is where the bias comes in and stays at.

To different degrees, every person carries certain biases. That's unavoidable. But the difference in degree matters. There is a great difference between a capable journalist that strives to deliver to me relevant facts and background about a subject in a way that minimizes the biases of the journalist, and a capable activist that strives to deliver to me a brief persuading me of his case.

The journalist might care most about getting his facts correct. The activist might care most that I derive the "right" message from his brief.

There's an important place for both of them in a democratic society. But it's wrongheaded to think of good journalists as simply persons with different biases than those who are openly activists.

... the bias of the moderates. That is the particularly blinding bias. That is the sort of bias which makes major social change truly difficult to gather steam.

I'd rather a journalist inform me of facts and allow me to make up my own mind concerning their implications for social reform.

There are plenty of folks with political opinions and policies to push. It's much harder to find truly good reporting by someone adequately supported by an institution that cares most about getting the facts right, regardless of what cause or what side those facts happen to support.

Good opinions and good arguments are important. But so is good journalism and good information.

@QnJ1: Citation needed.

Here's the video: http://www.telegraph.co.uk/news/worldnews/northamerica/usa/10253544/Glenn-Greenwald-threatens-UK-after-partners-Heathrow-detention.html

It's very hard not to interpret that as a threat.

And then there's the even less ambiguous, ill-advised threat he made regarding the consequences for the US should it assassinate Snowden. While the notion of the US killing Snowden is absurd - truly, seriously, bad Hollywood movie levels of absurd - it's also clear that Greenwald meant what he said to be taken seriously.

So the level of confidence that the USG has that it can go to Greenwald and have a straightforward discussion may be, understandably, on the low side. Greenwald would argue, no doubt, that this makes him less corrupted and less biased towards the government. But in fact it simply makes him less informed when he writes his stories. That should lead him to be more careful in his writing, but he's clearly a passionate guy who writes as he thinks. Unfortunately he has some deeply held assumptions about the USG as a whole that drive his analysis, and those assumptions frequently fail to capture the reality.

All that said, I actually respect the authenticity of the passion behind his work. I think it comes from a good place, that the intentions are good, that the ultimate ends intended are good. It's in part what distinguishes him from a lesser hack who is simply reading talking points for his cause, or faction, or party.

Nick PMarch 5, 2015 6:53 PM

@ Skeptical

"It's very hard not to interpret that as a threat."

I interpret it as self-defense against a police state acting on vendetta. They grabbed a guy unrelated to the crime, interrogated/held him for 9 hours, and his husband threatened a damaging response. The problem I'm seeing is how U.K. government behaved. I'm surprised stunts like that haven't had more negative consequences. That applies to U.S. (esp FBI) too.

Short version: going after people's families can result in retribution or even make them act crazy. Best not to do that.

WalksWithCrowsMarch 5, 2015 10:21 PM

Correction: " Also means the shows like the game, spooks, worricker, tinker tailor were all presented not entirely realistically & faithfully."

@Sancho_P

Of course I can’t tell for all foreign - foreigners (= not Five Eyes), but although we have quite some conspiracists here I feel the average simply found the USG with their pants down.
Believing in a super_bright_global_brain behind is impossible when watching the POTUS and his goats on a nearly daily basis, sorry.
We have similar “corrupticos” at the top, as we always had, that’s not new to us.

(-: ... heheheh....

Yes, will, I just add I really hesitated before putting "allies" in there. Not because the consideration would not come to their mind. Because of the way experience would have wired their brain, it would. But they would be unlikely to pursue the matter or discuss it because of the fact that it would be meaningless to them to do so. Partly, that is because critical or not, there is trust there. And that trust is founded on strong reasoning.

To frenemies... chess playing Russians & go playing Chinese... they might be pursuing that very angle. Not sure how alienating it might be for them to do so. I would not be surprised if they did not have very small teams dedicated just to that.

While many more and much larger teams would be busy chasing down the leads which all that thrown out intelligence gave them. Probably, they have found very many key, compromised routers, computer systems, and handsets... as well as who knows what other many types of compromises.

Well substantiating all of that information as being destructive to the five eyes cause and so substantiating the value and plausibility of it.



However, you are right about the real danger, biased mainstream media - and their manipulating the mainstream people.

Thank you.


@Skeptical

@Walks: The "Kill the Messenger" scenario ...
Hold on. That's certainly not what I'm doing.


LOL!

I'd rather a journalist inform me of facts and allow me to make up my own mind concerning their implications for social reform.

I am not aware of any inaccuracies in his work. Bruce Schneier actually acted as a technical consultant for him on this.

I do think, when dealing with people who are passionate according to one political way or another, it is important to counter that information - regardless of how persuasive - with contrary opinions of weightiness.

I do believe the disclosures were real and substantial. There is considerable evidence to that effect. Stating otherwise might be implying all or some of the disclosures of the past few years was intentional disinformation efforts with a primary focus of operating as a distraction.

That is not ethical to suggest, unless you are very confident of the irrelevancy or preposterousness of the possibility. If your argument is... it is: unintentional disinformation and unintentional distraction... then that puts into question, still, everything. And one might begin to consider that many of the projects disclosed were downright preposterous to begin with.

In fact, it would all be effectively quite a big joke for some, who would be laughing considerably at so deeply outsmarting their adversaries.

Nothing could be further from the truth. Clearly.

Rolf WeberMarch 6, 2015 9:06 AM

@Dirk Praet

You really ask "what does it matter"? The "direct access" und PRISM was one of the biggest stories, it turned out to be completely wrong, and you say just with a shrug "what does it matter"? Is this really your serios?
It matters a lot, and be it alone that the story was completely wrong. PRISM is nothing unique to the US. The access is neither direct or indirect, the companies just receive lawful requests and they are compelled to respond (the companies are no "partners" at all). Something like PRISM exists in virtually any country, and in Germany it is eg the reason why the domestic intel Verfassungsschutz can compel T-Online to hand over emails to the Russian Embassy.
And it matters a lot that MUSCULAR is a completely different story. And be it alone that Google could fix it in the meantime with encrypting its internal links.

And what does NSL's have to do with PRISM? NSL's are used only by FBI and can only used to demand non-content data.

And unlike what you said, the Snowden documents provide no evidence for mass surveillance, at least not in western countries. They rather show that the agencies are law-abiding and do not spy on own people. Not a single clear wrongdoing was revealed so far. This even surprised me.


@Clive Robinson

I'm a German living in Germany.


@WalksWithCrows

Manning at least revealed wrongdoing. This is different to Snowden. So unlike Snowden, it's ok to call her a whistleblower.
But that's another topic. I'm focused on the Snowden hoax. :-)

WalksWithCrowsMarch 6, 2015 2:13 PM

@Rolf Weber

Manning at least revealed wrongdoing. This is different to Snowden. So unlike Snowden, it's ok to call her a whistleblower. But that's another topic. I'm focused on the Snowden hoax. :-)

Seems like a dead end road to me. Whistleblower or not, seems like a matter of opinion. Spy or not, also seems very irrelevant. It is what it is. The damage seems very apparent and very real. But, also a matter of perspective [eg, "opinion"]. If there is other information not seen, nothing could vet that. He was obviously very disaffected, and besides, anything could be a lie and no way to prove anything. As for gaining any information while doing his work, either now or then, that too, is meaningless.

GoodmorningMarch 6, 2015 2:59 PM

@rolf weber
Hi first i was thinking oh no an other skeptic, but all due, i have to agree
first of all and it has been said here previously more than once, not much new
has come out that wasnt allready known, so what is the purpose of this whole thing.

Anyhow yes, what we do need is give us all the documents as raw data as it was given
in HK or whereever it happened, for now they have had i meen the IC have had alot of time to make all the steps necessary that if some information that exist in those documents would physically harm someone,to take necessary steps to make those people safe they would nolonger be there.

So this biased "crap" is unnecssary we can read our selfe very well just give out all the data and thats it, done deal. I dont really buy into this Snowden thing just because of that
its cool and all and it might turn some heads but...

It somehow has turned to some very profitable circus that seem to not end nowhere soon, and the eventual important data that still exists in that data is for every day becoming irrelevant and can only be seen as historical IC.

Nough said i think you have a point
I guess we never will know anyhow but thats life

SkepticalMarch 6, 2015 5:15 PM


@Nick P: I interpret it as self-defense against a police state acting on vendetta. They grabbed a guy unrelated to the crime, interrogated/held him for 9 hours, and his husband threatened a damaging response.

The "police state acting on a vendetta" detained a man carrying a large volume of highly classified material, along with the key for its decryption, passing through Britain in international transit. They offered him a lawyer, food and beverages, and released him after the time for which they were permitted to detain him. A court that examined the detention found it lawful.

A good journalist doesn't use the possession of classified information as a means by which to exact revenge. The man who does so is no longer acting as a journalist, regardless of whether his actions are understandable or justified.

Nick PMarch 6, 2015 6:25 PM

@ Skeptical

A journalistic source and whistleblower bringing evidence of massive criminal activity to a news organization. Those are the kinds of people that get special attention in police states. :)

WalksWithCrowsMarch 6, 2015 6:34 PM

@Nick P, @Skeptical,@Greenwald's threat of informational release


Just a note: the threat or action of shunning of Greenwald by certain governments, really is a non-issue. Just as the judgment, or opinion, or perspective, of Greenwald being a "good" or "bad" journalist. Fact remains Greenwald has the goods and so remains in a position of power. He is already not of the group that would shun him, and those who are, frankly, will also be biased anyway towards the needs and wants of their respective groups.

Put another way: there is hierarchy and distribution of "power" & "authority" in groups. US Journalists who consider [*any*] FBI & CIA representatives as part of their group will invariably react to their power and authority. This pretty well means that these US journalists are more mainstream then Greenwald. They are much more conducive to susceptibility of influence, including moralizing - justifying - direct or indirect requests to accept verbatim what is clearly disinformation & other forms of deception.

Greenwald is outside all of that, and so is less susceptible to such indirect or direct pressures of bias.

All of that is group dynamics and entirely apart from any objective classification, regardless of how forced the attempt may be.

As a "for instance", the CIA & FBI are highly cellular organizations. It is therefore routine for them to step on each others toes, even within their own agency. It is also routine for them to be entirely in the dark when it comes to even different, more powerful and more authoritative structures within their own meta-organizations.

Independently or even collectively, they can often be as Saul on the road to Damascus, but without the epiphany.

eg, not having the slightest clue of what is right or best or even what is very good, but very zealous about their ignorant world view, regardless.

Inconsequential, though not without some minor capacity for damage.


Clive RobinsonMarch 6, 2015 7:38 PM

@ Skeptical,

You might want to go back and review what you have written about the holding of the transit passenger concerned.

For instance in the court case the evidence presented by the Police and others was at best hearsay. Further an examination of those statments indicated that they were unable to get at the documents the passenger was supposedly carrying, which strongly suggests the passenger did not have the cipher key on them when detained in the transit --international waters-- area of the airport by the Met Police or the witnesses were presenting false evidence to the court.

If those from Hanslop Park or Cheltenham had been able to get at the documents at the time of the detention, it's highly unlikely they would have let the passenger get on an onwards flight. It's fairly clear the UK authorities had more than sufficient time to make preperations for the detention. Thus it begs the question of why the passenger flew from Germany to Brazil via the route taken when others were available without a UK based transit. As some have suggested at the time, it might well have been as an attempt to raise media interest in the story, in which case the supposed documents could well have been random junk.

Any way have a look at,

http://www.judiciary.gov.uk/wp-content/uploads/JCO/Documents/Judgments/queen-on-application-of-miranda-sshd.pdf

The first thing to note is that the case is not about what many think.
Secondly, it appears at that point in time the documents were still very much a supposition on behalf of the defendents (ie Home Office and Met Police) which implies either "no/junk documents" or "no key"...

Nick PMarch 6, 2015 11:36 PM

@ WalksWithCrows

"Greenwald is outside all of that, and so is less susceptible to such indirect or direct pressures of bias."

What you said of groups close to CIA and FBI is true. What you said about Greenwald is way off: the guy is plenty biased. Remember that a number of people had access to the documents and put work in as Snowden expected. Then, Greenwald ran off with the stuff out of nowhere and surprised everyone. He's a sensationalist and gets plenty of ego value out of it. So, his bias will be to make the negatives bigger than they are while his opponents will do the opposite. I've seen this dynamic in action.

That's why I try to focus on what the documents say and look at them collectively to find (or reject) corroboration.

"Inconsequential, though not without some minor capacity for damage."

That's hilarious. The State has taken down all kinds of great people and organizations with its power. It subverted or hampered many others. Ask Snowden, one of few with asylum, if FBI/CIA pursuing him worldwide is "inconsequential." Ask Lavabit... well, they don't exist anymore thanks to FBI. Ask Gary Webb about... well, he's dead.

Anyway, I find these organizations to be a major part of the situation, well worth considering. For people in the U.S., its many partner countries, and definitely its opposing countries. You must assume they'll come after you in any way they can if your actions significantly effect them. Greenwald is one of the rare few whose extremely high profile in a U.S. debate while simultaneously being an important whistleblower in Brazil has earned him more protection than most. If anything happened to him, the CIA would be in a lot worse of a situation far as international relationships are concerned. Not just for what they did but for any auto-releases of raw doc's that happen after.

Most people, even in media, aren't Greenwald and do need to think about these organizations. The consequences of not doing it are potentially severe.

WalksWithCrowsMarch 7, 2015 1:18 AM

@Nick P

Look, for conversational purposes, your definitions are fine. I was not intending to say that "the state" has not shown capacity for causing real damage, nor that Greenwald is absent of bias.

On the later, everyone has bias, from my perspective. They have bias towards their own self and they have bias for whatever group they belong to.

On the former, that is just too far from what I was meaning, so I will only go there in part.

In both cases, however, I can see your perspective, and see how I was misunderstood. It was my fault, sometimes I do not make the pains to explain things, forgetting that I have an unusual perspective.


Anyway, I find these organizations to be a major part of the situation, well worth considering. [..] You must assume they'll come after you in any way they can if your actions significantly effect them. [..] The consequences of not doing it are potentially severe.


Sure.

For conversational purposes and to clarify on this: I am looking at the FBI & CIA from a cellular level. Both are cellular systems. Agent Jane does not know what Agent Jack is doing. They do not need to know. They do not want to know.

[Here, obviously using FBI lingo, not CIA.]

Agent Jane might come to a deadend in what she is after. A locked door. She wants a warrant to get into that locked door. But, Agent Jack's work is behind that locked door, and someone above both Agent Jack and Jane privy to both cells (or made privy because of the situation) has to come and close down Agent Jane's requests.

In some cases, she may be led to believe the case was closed down because of some entirely unrelated reason to the real reason.

Agent Jane typically will note this and move on. She has experience with this. Maybe she was working undercover early in her career and a local cop arrested her. She knows what it is like. Maybe not.

I am obviously not saying Greenwald is Agent Jack. I am saying that Agent Jane may want to, say, get Greenwald's insurance. She may really fight against the cattle prod. But it does not matter. He has the insurance. That situation will not change.

Why Agent Jane might get so worked up, well, people do this all the time. Probably a reason it is one of the 12 Steps. Let go, let... your higher power. And move on.

People can rattle their sabers all day and all night, but if something will not happen, it just will not happen.

It is entirely inconsequential to get worked up about. I think, however, in situations where people have inertia, they can find that this is much more difficult then if they do not.


Dirk PraetMarch 7, 2015 7:26 AM

@ Rolf Weber

... what does NSL's have to do with PRISM? NSL's are used only by FBI and can only used to demand non-content data.

NSL's are just one of the tools the USG has at its disposal to coerce companies into cooperation. At least two PRISM partners have received them. But you are right in that PRISM was done under FISAA Section 702, not under NSL. I should have been more specific about that.

They rather show that the agencies are law-abiding and do not spy on own people.

Err, no, the NSA is conducting widespread, untargeted, domestic surveillance on millions of Americans quite allright. That's what the entire Jewel v. NSA case is about. Somehow, you must have missed the FISC order that directs Verizon to provide “on an ongoing daily basis” all call records for any call “wholly within the United States, including local telephone calls” and any call made “between the United States and abroad.” And it's very likely that business records orders like this exist for every major American telecommunication company.

Without Snowden (and Greenwald), we would never have known about it. And without Snowden, we would probably also never have heard about the entire system of secret orders issued by secret courts under secret interpretations of the law.

Both the legality and constitutionality of the programs revealed by Snowden's meaningless documents are currently being questioned in several lawsuits. Even the PCLOB has said that the program to collect the telephone records of domestic calls is ineffective, illegal, unconstitutional, and should stop. According to this body, PA Section 215 upon which the NSA claims legality for the surveillance program, provides little to no legal support for the NSA’s activities.

This has been pointed out on more than one occasion on this blog and in other places, but you are just not listening to anything that does not correspond with your views on the matter, whether it is merely an opinion or substantiated facts.

... the Snowden documents provide no evidence for mass surveillance, at least not in western countries.

I wonder if there is even one person on this planet sharing that opinion when even former colleagues of Gen. Alexander are telling that his strategy was simply one of "collect it all". And which is clearly reflected in everything we have come to know so far.

Not a single clear wrongdoing was revealed so far.

Which makes me wonder why Snowden has been charged with two fellonies under the 1917 Espionage Act. Or why UK PM David Cameron warned The Guardian not to publish any more leaks or it would receive a DA-Notice? What on earth can pôssibly be wrong with bringing out in the open stuff that is perfectly legal and everybody already knows about ?

Rolf WeberMarch 7, 2015 4:07 PM

@Dirk Praet

I don't agree, that without Snowden/Greenwald, we would never have heard about the 215 dragnet. Actually, it already leaked 2006:
http://usatoday30.usatoday.com/news/washington/2006-05-10-nsa_x.htm
It was only that nobody cared about it back then.

You can forget about the Jewel v. NSA case. It will lead to nowhere. The AT&T leak clearly refers to the NSA Upstream program (also under 702), and here we already know from the PCLOB report that Upstream is not a "catch it all", but targeted collection based on specific selectors. This means Americans cannot be targeted this way.

You correctly wrote that the PCLOB 215 report describes the program as ineffective and unconstitutionally. However the PCLOB also said the program is under strict oversight, it is used only for counter-terrorism and there are no signs of abuse or wrongdoings.

I think you are a bit cherry-picking about the PCLOB 215 and 702 reports.

Regarding "collect it all", you should first realize what "collect" means here. "Collection" in NSA speech is something which likely contains foreign intel.
Further you should realize that even if the NSA wants to have it all, they are still fenced by several technical and legal restraints.
So "collect it all" is no more than a saying. You need more to actually prove mass surveillance.

And regarding your last point, Snowden is charged with felonies because he revealed secrecies. This doesn't mean he revealed wrongdoings.

WalksWithCrowsMarch 7, 2015 4:14 PM

On the verifiability and plausibility of Snowden's releases... I have comment on that but will do so in this week's friday open thread, as all this gets quite off ground from this thread's topic.

SkepticalMarch 7, 2015 4:43 PM


@Clive: For instance in the court case the evidence presented by the Police and others was at best hearsay. Further an examination of those statments indicated that they were unable to get at the documents the passenger was supposedly carrying ...

We do only have the testimony of the then Deputy National Security Advisor that they discovered a key on Miranda's person and that it was used to decrypt some of the files. Perhaps the Advisor perjured himself, but it seems unlikely. In any case, my assessment would be that Miranda was carrying a key to at least one of the files, but that others would require other keys.

If those from Hanslop Park or Cheltenham had been able to get at the documents at the time of the detention, it's highly unlikely they would have let the passenger get on an onwards flight.

Sure they would. The point was to interdict the material, probably with three objectives in mind: (A) acquire additional intelligence about what documents have been taken, (B) prevent the transportation of at least that shipment, and (C) encourage good security practices by journalists in possession (not kidding). It's possible that there was a (D) harassment purpose, but I doubt it. That said, were (D) an effect of the detention, it's possible that it would have been viewed as gratifying if insignificant by some officials.

Arresting Miranda would have been pointless, more legally dubious, and would have had the entire press in an uproar. The USG would have been extremely unlikely to have supported an arrest, moreover, and would likely have criticized it. The payoff from this move is quite negative for the UK.

@Nick: Snowden himself said that much of the material is legitimately classified, and obviously journalists involved think so as well. Hard to contest that the UK had a legitimate interest in making the stop.

BuckMarch 7, 2015 6:16 PM

Of course the PCLOB can reccomend revoking the section 215 meta-data collection program (even if it still hasn't happened yet)... There does exist an (as of now, publically unknown) authority for a full take of domestic phone records - including content!
Former counterterrorism agent for the FBI, Tom Clemente, let that cat out of the bag a month prior to the PRISM slides:
What did suspected bomber's widow know? (May 2, 2013)

More recently, two sources familiar with the investigation told CNN that Russell had spoken with Tamerlan after his picture appeared on national television April 18.
What exactly the two said remains under investigation, the sources said.
Investigators may be able to recover the conversation, said Tom Clemente, a former counterterrorism agent for the FBI.
"We certainly have ways in national security investigations to find out exactly what was said in that conversation," he told CNN's Erin Burnett on Monday, adding that "all of that stuff is being captured as we speak whether we know it or like it or not."
"It's not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her," he said.
(Also discussed here on Bruce's Blog)
At the time, I certainly underestimated cooperation between the NSA and domestic LEO agencies, which is even closer knit now... I was also under the impression that this capability would be reserved for 'targets' whomever they may be. Not so sure about that any more either... Since then, I stumbled upon another source from the previous year:
When a Hazing Goes Very Wrong (April 12, 2012)
The records of a fourth pledge, who was 18 at the time and considered a juvenile, have been sealed. In addition to hazing he has been charged with tampering with evidence. After the police arrived at the fraternity house that morning, it was that fourth pledge who called his roommate and asked him to get rid of evidence of the kidnapping, according to court papers.
The authorities subpoenaed his cellphone records and made a transcript:
... [transcript of a phone call about hiding evidence] ...
Unfortunately, the court records are sealed due to the minor status of the 18 year-old involved... Though, I'm sure the details of this secret program will come out in due time.

Nick PMarch 8, 2015 7:29 AM

@ Skeptical

Fair point. This recurring counter-argument is why I'd like to see more leakers acting selectively where it can't be used. Then, we have a better test case. Of course, how Binney was treated despite leaking only corruption and lies supports my points. That a person cares about national security and minimizes the information doesn't lead to any protection: just less pressure on the boot U.S. government pushes into your face while trying to prosecute you.

Dirk PraetMarch 8, 2015 3:12 PM

@ Rolf Weber

It was only that nobody cared about it back then.

At the time, the information disclosed by retired AT&T technician Mark Klein and later confirmed by Bill Binney, Thomas Drake and J. Kirk Wiebe was essentially "hearsay". It was not until Snowden and Greenwald produced the Verizon FISC order that the general public got formal proof thereof and the secret legal framework surrounding it was revealed. That is what I was referring to.

You can forget about the Jewel v. NSA case. It will lead to nowhere.

We'll have to see about that. I find the evidence presented way more compelling than your simplistic dismissals. Do take some time to read it, especially the parts on wholesale acquisition of international and domestic telephone and internet communications. Maybe read up on @Bruce's book too, as suggested by @WalksWithCrows.

Last month's ruling by judge White that state secrets apparently trump the judicial process and that EFF’s clients could not prove they have standing is not the end of it. The judge did not find that it is legal/constitutional for the NSA to tap into the internet backbone (UPSTREAM). Nor does the ruling apply to the portion of case that covers the NSA’s massive capture of telephone records. For what it's worth, it's a pretty lame defense on behalf of the administration to hide behind "disclosure of classified information that would harm national security" if what you're doing is all perfectly legal. It's especially troubling because if upheld can easily become a black hole swallowing the entire US Fourth Amendment’s rule against general searches.

And there is of course also First Unitarian Church of Los Angeles v. NSA, Smith v. Obama, ACLU v. Clapper, Klayman v. Obama. All these lawsuits shed at least what one could call reasonable doubt on the legality of NSA's spying programs, having been brought forward by organisations with an undoubtedly much stronger legal background than I suspect you have. Without Snowden, none of these cases would (still) be alive today.

I think you are a bit cherry-picking about the PCLOB 215 and 702 reports.

I kinda focused on the kicker, i.e. that the program under PA 215 is definitely not targeted but ineffective, illegal and unconstitutional, which is what you have been contending all along. Although the PCLOB in its report says there were no signs of abuse or wrongdoings, there are documents showing that between 2006 and 2009 the NSA violated the court restrictions by spying on telephone calls and lying to judges about how the data was deployed. DNI Clapper, to no one's surprise, called them "compliance incidents". And let's also not forget about the (heavily redacted) NSA reports released on Christmas Eve last year, detailing 12 years of unauthorised SIGINT gathering that included data about US citizens, unauthorised personnel using the intelligence gathering systems and abuses of the NSA’s spying tools for personal use (LOVEINT).

The counter-terrorism only claim IMO sounds rather remarkable in light of what we have found out about parallel reconstruction by DEA and IRS. As to the efficiency of FISC oversight, I refer to previous discussions on this blog and judge Reggie Walton's own admission that the FISC really can't check on what the NSA is doing.

"Collection" in NSA speech is something which likely contains foreign intel.

According to NSA foundational documents, collection "occurs not when the government acquires information but when the government “selects” or “tasks” that information for “subsequent processing.” Thus it becomes possible for the government to acquire great reams of information while denying that it is “collecting” anything at all. This has also sufficiently been discussed before on this blog. The foreign/domestic distinction is interpretation on your behalf.

Snowden is charged with felonies because he revealed secrecies

What secrets if according to you he stole nothing but harmless and misleading Powerpoint slides about stuff that was already known while not having access to anything sensitive whatsoever? Charging him for theft of government property would have sufficed to get him extradited by Hong Kong. You don't go frivolously charging folks under the 1917 Espionage Act unless you know or suspect the perpetrator to have stolen some seriously classified stuff that you don't want the public to hear about in an open court.

In a nutshell: your continued denials and dismissals of what Snowden has revealed are pretty much on par with the opinion that the earth is flat. All topics I have touched above have repeatedly been discussed and clarified before on this blog, but it is obvious that - in @Clive's words - you are so entrenched in your outlook that you are not taking things on board any longer. And which basically turns any form of discussion into an exercise of futility. You can lead a horse to water, but you can't make it drink.

Dirk PraetMarch 8, 2015 6:15 PM

@ Skeptical, @ Nick P. , @ Clive

A good journalist doesn't use the possession of classified information as a means by which to exact revenge. The man who does so is no longer acting as a journalist, regardless of whether his actions are understandable or justified.

I'd like to draw your attention to a short scene from "Taken", starring Liam Neeson as a retired CIA agent who has his daughter kidnapped by a gang of slave traders. When he finally gets his hands on the ring leader, the man tries to explain to him that it was "only business". Neeson goes on to reply that to him it was all very personal, then shoots him several times at point blank range.

Most people, including Greenwald, understand that by sticking it to the man one can put himself and one's entire environment in harms way. Snowden at some point told Barton Gellman that until the articles were published, the journalists working with him would be at "mortal risk" from the US IC "if they thought they were the single point of failure that could stop the disclosure". In Israel, authorities tend to demolish houses of family and known accomplices of suicide bombers.

Conversely, authorities should understand that threatening relatives or spouses can blow up in their faces, and equally regardless of whether their actions are understandable or justified. Failing to do so is ignoring basic human psychology. The moment either party in a conflict makes things personal, or is perceived to be doing so, all bets are off. And I'm quite sure this consideration has contributed to Mr. Miranda's overall treatment by British authorities. I can only speak for myself in saying that whoever threatened or hurt any of my loved ones would find on his path a particularly unfriendly version of myself, striking back with great vengeance and furious anger using any leverage at his disposition, and regardless of collateral damage and consequences.

SkepticalMarch 8, 2015 10:17 PM


@Nick P: This recurring counter-argument is why I'd like to see more leakers acting selectively where it can't be used. Then, we have a better test case. Of course, how Binney was treated despite leaking only corruption and lies supports my points. That a person cares about national security and minimizes the information doesn't lead to any protection: just less pressure on the boot U.S. government pushes into your face while trying to prosecute you.

I'm an extremely strong supporter of government institutions providing well-supported mechanisms whereby a concerned employee or a concerned contractor can come forward, have a full discussion of his or her concerns, and not have any fear of reprisal. I don't think that those institutions are there yet, but I think they're making good progress.

I view these mechanisms as not only in the best interests of the country, but also in the best interests of the institutions. If someone has a serious ethical concern with a program, it's important that the concern be heard. Otherwise, due to the nature of bureaucratic decision-making and the pressures of immediate demands, something counterproductive and unethical might be put in motion.

@Dirk: You're providing examples of shoddy reporting by Greenwald.

Miranda wasn't detained because he was Greenwald's partner. He was flying on a ticket paid for by The Guardian, as part of a trip to ferry information between Poitras et al and Greenwald. He was detained because he was carrying a large volume of highly classified information, which everyone involved agrees contains large amounts of legitimately and highly classified information, i.e. information the disclosure of which would cause exceptionally grave harm to national security (and in the case of some of the documents that may have been in Miranda's possession, placed individuals in imminent danger). Greenwald's attempt to spin the detention otherwise is unvarnished propaganda.

It's classic Greenwald. The emotion is genuine, but he channels that emotion into making arguments like a lawyer, or some kind of political strategist. When he lets this get the better of him, the result is inaccurate reporting.

And Snowden's comment that journalists would be at mortal risk from the US until the documents were published is indicative of the extremely uneven nature of his knowledge regarding US intelligence (deep in some areas, shallow and sometimes flat wrong in others). Journalists have received documents relating to major impending covert operations, prior but still highly sensitive covert operations, the names of covert operatives, highly classified information regarding sources and methods - and the US has never come close to, never even considered, killing a journalist, even in the days when the CIA was the most unfettered and the least subject to oversight.

Clive RobinsonMarch 9, 2015 2:55 AM

@ skeptical,

Stop "putting the cart before the horse" it makes you look amateurish.

Mr Miranda was not "detained because he was carrying a large volume of highly classified information".

He was detained without proof in an international transit area questioned for the maximum time prescribed by UK law and released[1], because of his associations with two other journalists on the off chance he might be acting as a go between and have information of interest.

Because if your version is true they UK or USG must have used illegal surveillance in Germany[2] to know what he might or might not be carrying with him.

As for if he was carrying the documents you claim he was or not we don't know. Officially the only evidence given by the UK Home Office and Met Police is meaningless hearsay (read their witness statments).

However, there is an alternative possability, in that the whole episode was a plan to embarrass the UK / US by the Guardian and the journalists and get another "human interest" story line going.

Of the two alternatives which you chose to believe is dependent on two things. Firstly why was the flight payed for directly by the Guardian, and why that route, when other safer routes were available. Secondly how good you think the OpSec practiced by the journalists and Mr Miranda was.

We know one journalist in Brazil claimed to have little or no experience in OpSec initially, whilst the Journalist in Berlin where Mr Miranda started his journy was apparently well practiced in OpSec. Of Mr Miranda's OpSec ability we know little other than he survived nine hours of UK IC/LE agency questioning.

I suspect that the truth will not come out in any of our life times unless the journalists or Mr Miranda give further details by which we can piece it together.

[1] This is what can be found from reading the official comments, documents and witness statments.

[2] That is somebody working in Germany directly or indirectly for the UK/US contrary to the laws in that jurisdiction intercepted communications or placed surveillance equipment in private areas without warrant. Such a person would have to be, a person with diplomatic protection as a "legal resident", be a NOC "illegal resident" or a person breaking German laws. Even with diplomatic protection the act would still be illegal under German law.

Dirk PraetMarch 9, 2015 8:51 AM

@ Skeptical

You're providing examples of shoddy reporting by Greenwald.

What do you mean? I merely pointed out the obvious that Greenwald took his partner's detention quite serious and very personal. As would anyone else in his shoes have done. For my then opinion on the matter, see here, and in which I outlined about five different scenarios.

For what it's worth, @Clive does have a point that you're getting a bit carried away on the subject with your claim that "he was carrying a large volume of highly classified information". That should indeed read "suspected of carrying". Whether or not Miranda was we will probably never know, but it is certainly not reflected in the official reports and, to the best of my knowledge, he was never charged with anything.

the US has never come close to, never even considered, killing a journalist, even in the days when the CIA was the most unfettered and the least subject to oversight.

*tinfoilhat*The Michael Hastings affair comes to mind.*/tinfoilhat*

Assassination would probably have been a bit extreme, but let's not kid ourselves here. Snowden knew very well what had happened to Manning and Assange, and the Obama administration isn't exactly known for its leniency towards whistleblowers and investigative journalists. Ask John Kiriakou, Thomas Drake, James Risen, Barrett Brown or Aaron Swartz's relatives any time.

SkepticalMarch 9, 2015 12:43 PM


@Clive: He was detained without proof in an international transit area questioned for the maximum time prescribed by UK law and released[1], because of his associations with two other journalists on the off chance he might be acting as a go between and have information of interest.

Hardly the "off chance" that he might be carrying classified information from Poitras et al to Greenwald. Strong chance would be a conservative estimate, and they don't even need that much to detain someone.

But the point here is that it was the belief that he was carrying classified information that motivated the detention, not some desire to harass Greenwald by targeting his partner.

As for if he was carrying the documents you claim he was or not we don't know. Officially the only evidence given by the UK Home Office and Met Police is meaningless hearsay (read their witness statments).

Hearsay isn't meaningless, Clive. It's possible that the UK officials who testified perjured themselves on the matter, but I rather doubt it.

@Dirk: What do you mean? I merely pointed out the obvious that Greenwald took his partner's detention quite serious and very personal. As would anyone else in his shoes have done.

Greenwald claimed that Miranda was "targeted" simply because he was Greenwald's partner. That's an obvious falsehood.

Assassination would probably have been a bit extreme, but let's not kid ourselves here. Snowden knew very well what had happened to Manning and Assange, and the Obama administration isn't exactly known for its leniency towards whistleblowers and investigative journalists. Ask John Kiriakou, Thomas Drake, James Risen, Barrett Brown or Aaron Swartz's relatives any time.

You've named one journalist in that list, Risen, whose treatment does not approach assassination, and who was not punished in any way for publishing or for reporting or for possessing information.

There is a reason why The Guardian sent its archive to The New York Times when they wanted to keep it safe, and it's not because they think that the USG assassinates journalists. Let's get real.

Clive RobinsonMarch 9, 2015 5:03 PM

@ Skeptical,

I do actually mean "meaningless hearsay" in the literal sense.

A femail witness for the met police gave in her statment what she considered information about the contents of one of Mr Miranda's electronic devices.

She said that she had been told that there were about fifty thousand encrypted documents in files.

Now the fact she said she had been told ment it was "hearsay" that is she had no actually first hand knowledge. As the person who supposadly told her was not identified and their proffesional status verified then it could not be clasified as "opinion"

As you and I both know for some one to say that there were about fifty thousand documents in encrypted files is meaningless. Either they new the exact number of documents or they were just pulling numbers from the air. If the documents were in a few encrypted archives then unless the archives were decrypted then there is no way to tell how many documents were in them. Likewise if there were fifty thousand encrypted files unless they were decrypted there is no way to say if there was more or less than one document per file.

As other testimony from a later date indicats that the files had still not be decrypted then the Female Met Officers written statment was without meaning, thus meaningless.

Thus I very much doubt she had in any way committed purjury, because she gave no information that was first hand, she was just sumerising unatributed hearsay.

In times passed the judge would have thrown such a statment out as being inadmissable hearsay, and probably would have if it was a criminal trial. Sadly these days in civil cases any old rubbish appears acceptable irrespective of if it is hearsay, opinion or first hand knowledge.

But if you want a real eye opener lookup what is admissable under the "bad charecter evidence" rules in criminal cases since Tony Blair's "flat mate" changed it back in 2003... it's unreal and destroys a thousand years of carefully considered and tested court proceadure on what constitutes allowable evidence.

Dirk PraetMarch 9, 2015 7:22 PM

@ Skeptical

Greenwald claimed that Miranda was "targeted" simply because he was Greenwald's partner. That's an obvious falsehood.

Again: I pointed out that Greenwald took his partner's detention very personal. I did not (on this occasion) speak out on the reason Miranda was detained and whether or not I agreed with Greenwald's opinion on the matter.

You've named one journalist in that list, Risen, whose treatment does not approach assassination, and who was not punished in any way for publishing or for reporting or for possessing information.

Technically, Aaron Swartz was not assassinated or punished either. He was prosecuted into suicide. As to Risen, he fought an uphill legal battle from 2008 onwards until SCOTUS rejected his final appeal in June 2014. If federal prosecutors in the Sterling case had chosen to pursue his testimony, he would have gone to jail. The only reason that didn't happen was because of a direct intervention by AG Holder who - in a rare moment of sanity - realised that sending a two-time Pulitzer Prize winner to prison for refusing to reveal his sources from a PR-point of view was probably a really bad idea.

Sterling was eventually convicted of espionage charges on January 26, 2015, and without a testimony by Risen, who in essence at the time had then been legally bullied for about seven years, to the detriment of both his health and his wallet.

Even with direct assassination out of the picture, destroying people's lives in more creative and entirely legal ways definitely is not.

SkepticalMarch 9, 2015 10:18 PM


@Clive: That was not the testimony I referenced, however.

@Dirk: The point is that Greenwald knew better, and his threats in this case were not the first. Miranda wasn't keelhauled for God's sake. He was carrying a large amount of classified information, which he knew, which Greenwald knew, which everyone knew (and that was part of the problem). He was lawfully detained for several hours, given food, drink, an offer for a lawyer, and released.

Listen, I really do respect Greenwald's passion. But his model of journalism is piss poor. He's courageous, he pursues good stories hard, and he writes well if verbosely. But he cannot seem to recognize the value to thinking citizens of a journalist who attempts to report facts and not make arguments, and who permits a reader to be informed of a story without being confronted with a long-winded, at times nearly shrill, sandstorm of loaded descriptions, questionable conclusions, and swirling pockets of outrage. There is a vital place for such pamphleteers, no doubt, and I myself enjoy those pamphleteers, from those who made such use of the device during the period leading up to, and surrounding, the American Revolutionary War to some of the well fortified arguments I see today.

As to Risen, journalists can be compelled to give testimony just like anyone else. When they don't, they can be held in contempt, and jailed until they do - or until it becomes apparent that jailing them will not get them to testify.

The DOJ sought to have Risen testify as to the identity of his source for a story revealing a covert program to undermine the Iranian nuclear program. It brought pressure to bear in pursuit of prosecuting a clear felony that had absolutely nothing to do with whistle-blowing.

Nor is that the first time. Judith Miller, for example, was sentenced to 18 months in jail for refusing to testify before a grand jury investigating the leak of Valerie Plame's identity. Eventually the source himself urged her to testify, and the sentence was lifted.

Since in this case Snowden himself was quite willing to reveal his identity, none of the journalists was at much risk of a subpoena to which they could not answer, much less the incredibly far-fetched idea that they were in mortal danger.

WalksWithCrowsMarch 11, 2015 4:15 PM

regarding Greenwald and the 'dead man's trigger file'...


I think, for one, it is naive to believe Greenwald might not actually be offed. As at least one poster, I think Dirk Praet mentioned, there are very many things that they do do which they have been consistently caught at doing. This is especially true in London, where the Met Police have been consistently found engaged in harassment. There are many forms of harassment secret police have, historically, done, many which are extremely bad. Not even to mention legal nightmares they have put upon people.

There is little reason to believe any service of the US or UK is lily white.

The dead man's trigger file, however, is more interesting to me for another reason: does Snowden not have access to it? If not, does he not show a remarkable memory for everything he has looked at? So, that is a massive value right there to put into the Snowden equation. Both in terms of "what is Russia thinking in regards to Snowden", and in regards to many other issues.

While, for us everyday people on the street, it may hardly even come to mind... and, apparently, if it does, it simply does so on questioning Greenwald's veracity as a reporter... it might very well be an important part in many different scenarios being worked out, currently.


Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.