Comments

AdrianSeptember 20, 2016 6:51 PM

"... [T]he NSA may exclude certain types of irrelevant traffic — like Netflix videos...."

This makes me wonder whether it's possible to bypass the search by disguising your international communication such that it looks like a streaming video or other uninteresting bulk data.

FBI wears the daddy pantsSeptember 20, 2016 7:07 PM

"From the second paper, "These misconceptions need to be addressed before they completely derail the unique opportunity at hand to have a well-informed discussion about much-needed reforms"

Only children have concerns about civil liberties and human rights. The adults in the room will decide what reforms, if any, are needed and they will structure the debate accordingly.

GIGOSeptember 20, 2016 10:04 PM

Next year, we’ll explore how broad the collection of Americans’ communications under Section 702 (and other authorities we have not yet been read into) were not only illegal at the time, but have already been ex post facto legalized

Peter ShenkinSeptember 21, 2016 12:32 AM

Why doesn't this bother me so much? What bothers me is not what is collected and who is subjected to collection (even if it's everybody who can be), but rather the warrantless, unsupervised use of the specific information about individuals, as divulged by Snowden.

To me, it's a little bit like having surveillance cameras out on the street. It doesn't bother me that they're looking at me when I walk by. It does bother me if some schmuck with access who happens not to like me (like an ex-wife, if I had one) is able to ask her boyfriend in the police department where I was the night before I showed up late to pick up the kids, smelling of booze and stale cigarette smoke. But when a bomb goes off, or someone is mugged, I'm glad the footage is there to be examined.

I realize that there's an intrinsic constitutional difference between the surveillance cameras and what is now being collected, under current interpretation. Observing what goes on in the public streets, even if everything is captured, isn't deemed unreasonable search and seizure (violation of the 4th amendment). To the extent that what is being collected goes beyond "envelope information" (metadata) to content, it may. I say only "may" because it's not completely clear to me that collecting the data and then never looking at it except in situations when a warrant is issued would be a violation of the 4th amendment. What if it were collected and nobody ever looked at it? Would that be a violation? To say so seems overly formalistic and pedantic.

It may be hard, to draft restrictions that allow universal collection but only warrantful examination of the content (beyond the metadata) and to put safeguards in place to enforce the restrictions. But making the effort seems to me the right course of action.

fivehunluvSeptember 21, 2016 4:02 AM

> What if it were collected and nobody ever looked at it? Would that be a violation?

If I stole $500 from your bank account and you never noticed, is that theft?

Ben LangmeadSeptember 21, 2016 7:33 AM

@ Peter Schenkin

It's the old argument that crops up whenever a Government tries to introduce national identity cards. If you have done nothing wrong you have nothing to fear. I don't think that argument holds water any longer.
For starters the quantity and quality of the information that can be gathered electronically goes far beyond what could have been collected before. And as the articles mention it is all warantless.
It strikes me that, in the case of the New Zealander, all a government need do is ask the NSA, GCHQ, or other snooping agency to look at someone and then sit back and wait for the report. They need answer to no-one and the courts seem powerless to stop them.
I'm new to this way of thinking and I find it absolutely fascinating.

Clive RobinsonSeptember 21, 2016 7:59 AM

@ Ben Langmead,

I'm new to this way of thinking and I find it absolutely fascinating.

Well a good few of us have been thinking this way since well before 9/11 and we find it horrifying.

As for the "if you've done nothing wrong" is a compleat load of... This is not an academic debate and there are lots of people who have done nothing wrong who have ended up being accused of all sorts of things if not shot or electrocuted. So save it for some one who is to credulous to think further than the end of their nose.

Clive RobinsonSeptember 21, 2016 8:23 AM

@ Adrian,

This makes me wonder whether it's possible to bypass the search by disguising your international communication such that it looks like a streaming video or other uninteresting bulk data.

You are not quite thinking right... Just assume that the NSA has relatively simple ways to know if the video you've requested is the real thing or not. Thus they only need note which file ay what time and if and when it was not streaming correctly or not.

There are a number of ways they could do this without having to see the plain text...

Jim NSeptember 21, 2016 9:10 AM

@ Peter Shenkin,

"To me, it's a little bit like having surveillance cameras out on the street. It does bother me if some schmuck with access who happens not to like me (like an ex-wife, if I had one) is able to ask her boyfriend in the police department where I was the night before I showed up late to pick up the kids"

She won't need videocams for that, and they most probably won't have a clear shot of your face under nightfall, if you put on a pair of sunglasses. There are other more orthodox methods, however.

DanielSeptember 21, 2016 10:06 AM

It may be hard, to draft restrictions that allow universal collection but only warrantful examination of the content (beyond the metadata) and to put safeguards in place to enforce the restrictions. But making the effort seems to me the right course of action.

This angered me because it is either a deliberate troll or a person engaging in willful blindness. Making an effort? What the hell do you think people have been doing for the last twenty years!! You think this way, and I used to think this way, because you are assuming that there are reasonable ways to deal with reasonable people. But what if the people in power are not reasonable? We have people in power that when reasonable objections are raised resort to petty insults by implying such objectors are children. The only thing the FBI and the NSA seem to understand is "more power to me and my friends" and anyone who objects is an unreasonable trouble-maker.

Peter sounds exactly like Rodney King, "Can't we all just get along?" We all could just get along if what people wanted to do was to get along. There is overwhelming evidence that the Intelligence and Justice communities don't want to get along, they won't accept reasonable restrictions on their behavior, and that their way is the only way.

As someone who has been involved in privacy issue for more than two decades let me say that I no longer consider it worth the effort, I no longer consider it the "right course of action." Your course of action is for wimpy people who simply don't want to deal with the fact that many people in the intelligence and justice communities are fascist thugs who wear the "USA" label out of mere convenience. The tragedy for Peter is that by the time he realizes just how unreasonable his plea for reasonableness is he'll be in jail or dead.

CallMeLateForSupperSeptember 21, 2016 10:31 AM

@Clive Robinson
(Re: @Ben Langmead)
"As for the "if you've done nothing wrong" is a compleat load of..."
"So save it for some one who is to credulous to think further than the end of their nose."

In Ben's defense, I think he intended merely to *cite* the "old argument" not *posit* it, because he followed with "I don't think that argument holds water any longer." A colon (instead of full-stop) after "identity cards", and quotes around the offending argument, would have better conveyed such intent.

Or maybe I'm all wet. Wouldn't be the furst time.

Jim NSeptember 21, 2016 10:50 AM

@ Daniel,

" We have people in power that when reasonable objections are raised resort to petty insults by implying such objectors are children. "

Even if our government officials were to have said that these programs are to be stopped, would you trust it? I think it is to assume safely that they are here to stay. Thus, the best version is one with proper safeguards. Not my own words. This is an issue that has been repeatedly discussed on this blog.

rSeptember 21, 2016 5:25 PM

Responsible disclosure: I've been reading your posts. (not all of them, just the funny ones)

You really can't make this stuff up, well not to discredit the single grain of inspiration truth behind the sockpuppet prattle.

It's way better than SNL.

The more either side opines the more information leaks, can one hide meta behind a steely cask? The magick 8 ball says: 'No'.

Clive is right about laying traps, there's no other way to tell what is on the other side of the collection plate other than to test their knowledge. Restricting the flow of information to the public is not indicative of restricting the flow of information into the system. You absolutely have to feed them actionable misinformation and even then, do we know if they failed to collect or if they failed to act?

Jesse ThompsonSeptember 21, 2016 6:51 PM

@Clive Robinson

You are not quite thinking right... Just assume that the NSA has relatively simple ways to know if the video you've requested is the real thing or not. Thus they only need note which file ay what time and if and when it was not streaming correctly or not.

Oh....kay? Then a sender can just subtly interfere with the connectivity between the recipient and the netflix server, and the latter can scan the wireshark log of tcp resets and retry attempts to pull out several text messages worth of stenographic entropy that the five eyes are going to overlook.

Alternately, both proxy party and end-user party alter their TLS ramp-up headers on each TCP-reset just enough to add even more bi-directional entropy.

But at the end of the day you and I both know that the breads and circuses don't get patrolled that tightly. Netflix and it's competitors change video delivery formats and strategies and protocols so quickly that five eyes would view it as a waste of resources to try to keep up, so as long as Sandvine/etc marks the traffic flow as "known safe/boring" — which *they* in turn will only do as a result of some simple DPI confirming SSL content and one or more registered Netflix server IPs as endpoints — then the powers that be will happily pluck that 60ish% of all packets to consider out of the equation entirely.

At least until any credible stories of stenographic methods *in use* pop up, at which point they'll start trying to add detection methods over the previously un-checked data that cost them as little as possible. And even then, only on their own schedule per how reasonable of a threat the channel appears to be.

Keep in mind that terrorist and military communication are far, far from the frontlines of these organizations' interests. First and foremost are commercial profit centers like copyright infringement (which requires huge data storage and transfer payloads) and next behind that are political control over the dissemination of news (which requires consumption by large populations of highly tech-illiterate users).

Jim NSeptember 21, 2016 6:54 PM

@ The Hanssen Medal for Personal Integrity

Glaring double standards that makes you go Hmmmm.....

Mr. Combetta's alleged reddit episodes is rather interesting. Makes you wonder why couldn't they have hired a real guru with all that money. It's probably a loyalty-first regime though.

GrauhutSeptember 21, 2016 8:11 PM

@Clive,Jesse

N00b sayz: Just share some bad video quality stegano vintage pr0ne over kademlia, things that are difficult to explain for a snoop to his commanding officer.

"What is this on your screen? This is disgusting! Delete! Now!"


Simply use stuff that could lead to a sexual harassment case in the snoopers office... :)

hips.hearstapps.com/cos.h-cdn.co/assets/15/07/980x7760/gallery_nrm_1423775776-sexual-harassment.jpg

SpookySeptember 21, 2016 9:50 PM

@ Grauhut,

On that note, if you had connections to a well-funded theatrical FX department, you could probably hire actors made up to look exactly like Clapper and Hayden and film them committing various atrocities and perversions, preferably together. Embed your stego in a grainy, simulated VHS dub of THAT.


General: "So analyst, watcha got there... ?"

Analyst: "Uh, well sir, I uh..."

General: "YGBSM! I never, ah, nev.. er... (faints)"

Analyst: "So that's where the General stores his encrypted DAT backups..."


Cheers,
Spooky

GrauhutSeptember 21, 2016 10:56 PM

@Spooky: Then they would come for me for the wrong cause!

No, thanks, FaceRig them yourself! ;)

Anon10September 21, 2016 11:37 PM

Part of the problem is applying 1700s legal constructs to 21st technology with no obvious analogues. Take this quote from PCLOB: From a legal standpoint, under the Fourth Amendment the government may not, without a warrant, open and read letters sent through the mail in order to acquire those that contain particular information. That's true standing alone, but it embeds a critical assumption: that e-mail is more like a letter in an envelope than a postcard, which wouldn't require a warrant for collection.

hamishSeptember 22, 2016 5:25 AM

@Anon10

> it embeds a critical assumption: that e-mail is more like a letter in an envelope than a postcard, which wouldn't require a warrant for collection

Under that metaphor ... encryption is like sealing the envelope containing your letter, and deep packet inspection is an attempt to open these envelopes, and "we need lawful access through encryption because terrorism" is just "we need to be able to open everyone's mail just in case".

So saying "an email is more like a postcard" might help in the plaintext email case (which most are) but still admits that there are massive constitutional issues with the wider plan.


This is still assuming that we grant you your hidden assumption that email is more like a postcard, which you haven't said anything to support. There's nothing in your post that actually discusses what the best analogy for an email is, and nothing to encourage us to regard it a postcard. Would you communicate with business clients via postcards? Would you receive a copy of an invoice from Amazon attached to a postcard?

Frank WilhoitSeptember 22, 2016 8:58 AM

The problem with the NSA is not what they are curious about, whom they spy on, why, or even the fact that they are willing to break any rule or law.

The problem with the NSA is that no matter what they do, they can never be held accountable.

The details of their techniques, motivations, and abuses are all deliberate distractions from the real problem, which is their unaccountability.

Ben LangmeadSeptember 22, 2016 9:14 AM

@Clive Robinson

I think you got the wrong end of my argument there, the next line I wrote was does not hold water any longer.

And believe it or not, this was going on long before 9/11, that is not the watershed moment for intelligence gathering and snooping.

One day I'll be as paranoid but for now I'm enjoying my babe in the woods naivety!

Clive RobinsonSeptember 22, 2016 2:03 PM

@ CallMeLate..., Ben Langmead

In Ben's defense, I think he intended merely to *cite* the "old argument" not *posit* it, because he followed with "I don't think that argument holds water any longer." A colon (instead of full-stop) after "identity cards", and quotes around the offending argument, would have better conveyed such intent.

Which does not absolve me of jumping in with both hobnailed boots. So, yes Ben is due an appology from me.

@Ben sorry, I jumped on you, your comment does not deserve what I said. So my apologies.

Clive RobinsonSeptember 22, 2016 3:54 PM

@ Jesse, Adrian,

Oh....kay? Then a sender can just subtly interfere with the connectivity between the recipient and the netflix server, and the latter can scan the wireshark log of tcp resets and retry attempts to pull out several text messages worth of stenographic entropy that the five eyes are going to overlook.

And a hundred and one otherthings, that those with sufficient technical sophistication could try.

There are however a couple of probs,

The first is that it's unlikely you are going to want to speak covertly with NetFlix, so you somehow have to route through a node your recipient can monitor.

Secondly the likes of the NSA have probably rooted the first router upstream of you and almost definitely the first router upstream of NetFlix. Which means that they are likely to realise the "odd" network behaviour orriginates from your PC/LAN. As other PC/LANs connected on the downside of the router you are connected to don't.

If they watch for that sort of traffic or not I have no idea. But the first time they catch somebody doing it for real, you can be fairly sure, they will be sticking their filthy maw up to the spigot of tax dollars with a demand for more of the pie.

The problem is that we don't know the answer to "Where are the NSA taps?". Whilst there is sufficient evidence to suggest that they could have backdoored any US made router within the Internet, that is very far from saying they have backdoored all routers, or even more than a few strategic ones. We don't know, and would have difficulty finding out.

However common sense also says it is not all routers that have 100% traffic monitoring and storage. Simply because of the level of duplicated data involved and the hidden infrastructure to support it.

Thus we are playing a game of poker against an opponent that has marked the deck, but also choses not to exploit it for every hand. Provided they play carefully then we will never know if they are looking at our data or not.

Thus we are in a probabilistic game that revolves around why the NSA --or other High Level Actor(HLA)-- might or might not be monitoring what we do.

Which means that we are "playing the odds in a high stakes risk game", where the opponent does not have to show their hand to win. That is the HLA can pass on info to other agencies who can via "parallel construction" seemingly catch you by accident.

Thus to stay ahead of the game we need to be able to mitigate the "other agency" problem. In effect we have to mitigate,

1, The message.
2, The transport mechanism.
3, The connection of the parties.

Arguably the use of encryption will hide the message (1). Some form of steganography "might" hide the transport (2). Which leaves the problem of decoupling the communicating parties from each other (3).

Whilst we can assume we can solve (1) hiding the message by say the use of the One Time Pad (OTP), we can not say the same for the transport (2). Thus we are looking for a way to transport messages that will not reveal both parties.

I've looked into ways to decouple communicating parties from each other for the likes of controling zombie botnets without having a findable or blockable control "head".

One way is to find and use an unwitting agent that can be watched but not stopped. One such is a search engine such as Google and One Time Identifiers (OTI). The OTI has a similar proof of security as the OTP. That is you have a list of totally random strings you can use as an Identifier. I find an open blog or other system such as a newsgroup etc, and I post the OTI to it at pre-arranged time. At some point after this pre-arranged time a search engine will slurp the OTI and put it in it's search index. Having alowed enough time for the OTI to get into the search index you query the search engine for it. Having found the OTI you can get the OTP encrypted message and act upon it. You don't actually need to go directly to the site I posted to you can use a copy held in a cache either on the search engine or at a University etc (think squid etc).

Alternativly I can use a "Tee". If I send a message to a host I have hacked, my final destination point could be /dev/nul on the host. Somebody only monitoring network nodes will see the message go to the hacked host. However if you own an intermediate router or other node and you know when and what to look for then you can "tee off" the message as it passes. Depending on how you do this it would not be visable to an agency monitoring only some of the routers on the Internet.

This "tee off" is in essence what the NSA or other HLA does, the clasic example would be "the gift from the gods" that was the CarrierIQ debacle with smart phones.

If you think about the two aproaches I've mentioned you will realise there are several other options open to you that are broadly similar but different in actual implementation.

But at the end of the day these methods can not be universaly used, which kind of puts them in the "security by obscurity" camp. But also requiring the communicating parties to be technicaly sophisticated.

It's one of the reasons I'm looking at using Mix Nets based on a Ring protocol to sit on top of packet switched networks. Such solutions can be made universal with a little care.

Celeste Guap, hubba hubba!September 22, 2016 4:58 PM

Anon10 11:37 is back with today's propaganda bulletin from Big Brother. Today he tries manipulatively deriding that 1700s legal construct formerly known as rights. Since this is the latest statist Big Lie, Anon10 is naturally not going to cite the 20th-century supreme law that supplanted his '1700s legal construct.' Because that says surveillance of correspondence should be prohibited. No, Anon10's here to mansplain how you gave up your privacy by trusting the state to respect it.

Anon10, this is not like where you work, there are smart people here. Your Wonderlic-15 slogan will go over better with the retards at theerant.yuku.com.

GrauhutSeptember 22, 2016 5:30 PM

@Clive: "Provided they play carefully then we will never know if they are looking at our data or not."

Is this "Schroedingers router and the quantum theory of spookery"? ;)

You should file a patent! :)

Clive RobinsonSeptember 22, 2016 6:21 PM

@ Grauhut,

You should file a patent! :)

But where....

Every country appears to have an IC first clause in their patent system. You come up with such a patent and they will say "Sorry but we already have secret patent and you are now bound in secrecy...".

Anon10September 22, 2016 8:53 PM

@Hamish

I wouldn't communicate with a business client via a postcard, but, with few exceptions, I view physical mail, whether from an envelope or a postcard, as obsolete technology. With an envelope, the sender wraps the message in a way that the carrier shouldn't be able to read the message. The analogy probably makes the most sense if you view e-mail with end user encryptions like envelope mail and e-mail without end user encryption like postcards.

Rolf WeberSeptember 23, 2016 1:02 AM

If you send emails to friends abroad, message family members overseas, or browse websites hosted outside of the United States, the NSA has almost certainly searched through the contents of your communications — and it has done so without a warrant."

That’s simply not true.

First, because Upstream surveillance only covers a fraction of America's international backbone links.

Second, because the NSA doesn’t tap the lines directly. It just sends specific selectors to carriers, and they only return matching traffic. So only those emails are collected and searched that include communications with specific NSA targets.

Third, at least today, with the widespread use of STARTTLS, virtually all emails are transmitted encrypted, making them unreadable for the NSA (they can't even collect useful metadata).

Contrary to what the article claims, the chance that emails of average Americans are collected and searched is close to zero.

Clive RobinsonSeptember 23, 2016 2:00 AM

@ Rolf Weber,

You do not know what you are talking about as has been pointed out less and less politely. People are obviously getting very tired of pointing out your repeated assumptions and errors.

So do everyone yourself included and give it a rest.

Ben LangmeadSeptember 23, 2016 3:27 AM

@ Clive Robinson

You're too kind, I really must learn to write English correctly when writing publicly.

Have a great weekend and remember; just because you're paranoid, doesn't mean they're not after you!!

Rolf WeberSeptember 23, 2016 4:50 AM

@Clive Robinson

I know that you have more trust in absurd misrepresentations of stolen documents than in reliable sources like the PCLOB 702 report. Doesn’t change the facts.

Clive RobinsonSeptember 23, 2016 6:05 AM

@ Rolf Weber,

I know that you have more trust in absurd misrepresentations of stolen documents

There you go with another --deluded-- assumption, to make a faux / strawman argument.

To use your method why do you say,

than in reliable sources like the PCLOB 702 report.

Why do you in your judgment say one is "reliable" yet imply by "stolen" that the Snowden Trove documents ar any less reliable?

You don't pass the credibility test, after all if an official published report said "the moon is made of cheese" would you just take it as correct or would you think "is this actually credible?"

So as long as you carry on with these delusions your credability will be at best minimal.

Just take your head out of the sand and use that lump of fat between your ears as something other than a self reinforcing echo chamber.

WaelSeptember 23, 2016 7:11 AM

@Rolf Weber,

Doesn’t change the facts.

You must have a pretty accurate IFF: Identificaton Facts from Falsehood!

GrauhutSeptember 23, 2016 7:51 AM

@Clive: Every AS Admin-C has sooner or later contact with law enforcement or ic people.

Maybe they made him feel important, so RW4371 enjoyed it a little too much, Stockholm syndrome victim. ;)

GrauhutSeptember 23, 2016 11:58 AM

@Clive: Yes, if you look behind the theater decoration the world becomes a strange place.

Apropos strange, strange thought on Quantum-Surveillance:

Maybe the Trumps of this world are the product of a wave function collapse induced by NSA surveillance... :)

It possibly pushes people to decide where they stand in the political process.

ab praeceptisSeptember 23, 2016 1:28 PM

Rolf Weber

What a pile of BS.

Upstream surveillance only covers a fraction of America's international backbone links

This one is particularly questionable, if not evil minded. What is "upstream"? Hint: "upstream" is more than your local providers link to his regional provider. In fact, the international backbone is part of the upstream.

Second, because the NSA doesn’t tap the lines directly. It just sends specific selectors to carriers, and they only return matching traffic.

It seems you do not even know what you're talking about. Strange for a man who on his google+ page bluntly states that he wants to clear bnd and nsa from injust accusations.

So, let's look at how it actually works in your own country, germany.

The bnd, basically just a colonial cia outpost, does *not* hand out selectors to providers. Actually, they themselves get most selectors from nsa (which they fail to examine, such happily acting against the law) and those selectors end up in *their* equipment.

You are german and you should know about DeNic's (the worlds biggest IX) "confession", that bnd (mostly for others, read, the nsa) extracts vast amounts of (meta)data through bnd's equipment that DeNic has been forced to connect.

with the widespread use of STARTTLS, virtually all emails are transmitted encrypted

Pardon me, but what's your job at that german IT company? Janitor? Cook?

Starttls is largely a last leg protection. Most of the inter provider traffic is still unencrypted. And even if that were just the exception that would still be a lottery.

The only way to have end to end encryption is still burdened on the users, most of which find PGP (somewhat understandably) too cumbersome and complicated.

And *if* you send encrypted mail, guess what -> that puts you smack in a selector.

You might also want to actually try using PGP, because then you would find out that it expressly tells you that meta-data are *not* encrypted.

Oh and btw: You forgot to mention that (not only) the german government now officially plans to create an agency for the explicit purpose of decrypting inet traffic.

Try a fishing blog. There you might count on a sufficient level of BS tolerance.

rSeptember 23, 2016 1:47 PM

@by the rules,

RE: Janette or Cook?

Ms. Information Nick.

Corrective microsurgery on your eyes and ears.

rSeptember 23, 2016 1:50 PM

@by the rules,

What is important, isn't what us radicals with our radical beliefs believe... but the Morale of those without morals.

The moral of this morale? Be very sure you inspect you know what you are eating - it could be poisonous.

rSeptember 23, 2016 2:42 PM

@by the rules,

I'm likely inviting the P=NP problem into my lyf, I understand I'm vague and hard enough to follow even for native English speakers so I'll Eclair-ify.

Janet, is a female name in english. It's insulting The Wolf in Sheeps clothing.

Cook is left as a job or last name, the demeaning meaning you implied was enough to satisfy my tastebuds there.

Ms. Information is another needle-point of mine to the (a)Moral Pillar, I mean misinformation 'nick(nickname)' as in a member of a "sewing circle".

Related to my over-arcliving theme for the day: a pilaf vs a pillar, but it seems to be more of a wheat/rice stew than a bread. A morale (edit: I spelled it wrong - Morel/False Morel) is a type of mushroom that can be to the casual observer confused with a poisonous variety.

My appologies, but I have a fuzzy (think mold) way of looking at things/expressing myself. Most of you should consider me compromised. :) (I do believe the Spooky called me Spooky)

Rolf WeberSeptember 23, 2016 3:44 PM

@ab praeceptis

What is "upstream"?

This question clearly shows your first misconception. "Upstream" is a domestic NSA surveillance program, authorized ander section 702. This is what we are talking about here. Please do a quick research. Google is your friend.

So, let's look at how it actually works in your own country, germany.

Why should we look to Germany, when we are talking about a U.S. surveillance program, called -- you know -- "Upstream"?

The bnd [..] does *not* hand out selectors to providers.

This is correct. But this is a difference between domestic German and U.S. internet backbone tapping. The BND taps directly, NSA not. And I tell you something: We are discussing here about a surveillance program called "Upstream". Do you know it in the meantime?

Starttls is largely a last leg protection. Most of the inter provider traffic is still unencrypted.

OMG. STARTTLS has nothing to do with providers. It is the encryption between 2 email servers, or email server and client. Please, please before you reply, get familiar with some technical basics.

You might also want to actually try using PGP, because then you would find out that it expressly tells you that meta-data are *not* encrypted.

Yes, but I spoke about STARTTLS, which encrypts email metadata, dumbass.

My InfoSeptember 23, 2016 4:17 PM

@r

Too many magic 'shrooms.

P != NP ?

That is known as Cook's hypothesis, after Stephen Cook.

No one has been able to prove or disprove it, despite a $1,000,000 prize offered.

Baker, Gill, and Solovay demonstrated that no method of proof that relativizes to oracles can settle Cook's hypothesis. Their demonstration is elementary and not difficult to verify.

R azborov and R udich showed later that no method of proof that they call "natural" can settle this question. I find their paper quite puzzling, and I have not seen or heard of any significant progress since.

ab praeceptisSeptember 23, 2016 4:38 PM

Rolf Weber

And how comes that project is called "upstream"? Is that maybe to do with, I quote, "Upstream surveillance consists of the mass copying and content-searching of Americans’ international Internet communications while those communications are in transit" - in other words what I talked about and what is typically referred to as "upstream"?

But this is a difference between domestic German and U.S. internet backbone tapping

Proof #2 that you don't know. The fact that nsa i.a. also demands logs, meta-data, and other data from providers does *not* contradict my understanding. In fact, it is well known that nsa and probably other agencies do have *their own* equipment at central points. And it makes sense from their perspective. As you like google I suggest you look up "OpSec", "plausible deniability" and nsa's anger about Snowden.

What actually happens is that nsa et al. *do tap* directly and themselves but *additionally* they ask providers for data.
You are, of course, free to focus on the "upstream" project only, as that seems useable for your agenda, you have, however, to accept that others prefer a wider perspective, namely one that does not try to whitewash diverse nsa, bnd, ghcq et al. operations.

STARTTLS has nothing to do with providers.

... followed by ...

[STARTTLS] ... between 2 email servers

dumbass

Thanks for your confession to be out of arguments (and out of your depth).

Starttls not only encrypts meta-data; it also opens wide gaping open holes to MITM and other attacks. And - as I wrote - it is very often not used at all.

Let's play the game. A sends an email to B. Both A and B use Starttls. To transmit the email their providers email servers A' and B' communicate. So, all in all there are 4 systems involved - if only 1 out of those 4 doesn't use tls nsa can grab the complete transmission.

Btw, as you chose to provide a rather direct link back to the company you work for, you might want to reassure yourself that your boss, Dr. Leinenbach, does welcome your insulting of colleagues.
Is that indeed they way Infoserve GmbH wishes to be seen?

rSeptember 23, 2016 5:00 PM

In heretospect, I think now is a good time to bring up the following four points bulletin. Please, take it (to your head) with a couple grains of saltrock.

Let us not forget that not only do we have our own hardware, but that we also have our own rooms dedicated explicitly for things such as tee time.

I'm sorry if any of you failed to get that memo, you were all so cordially invited.

See: https://en.wikipedia.org/wiki/Room_641A

(I believe someone alluded to room 404 in reference to this above, or in the squid pro quo thread)

ab praeceptisSeptember 23, 2016 5:01 PM

Rolf Weber

You are evidently way out of your depth.

explain ... that "Most of the inter provider traffic is still unencrypted" is nonsense

As EvilKiru so friendly and patiently explained to you, Starttls is just another variant of TLS, namely one where no dedicated SSL/TLS ports are needed (which makes software more complicated and hence enhances the risk of errors ~ attack surface, just as a sidenote).

As you hit on it I'll go in somewhat deeper. In the vast majority of cases (email and web) SSL/TLS is one-sided in that only one side, the server, provides a certificate. Second, pretty every major state has one or even more widely accepted CAs at its disposal. Hence, nsa et al. have multiple opportunities to MITM and quite feasible ones as the number of servers (and their certificates) is by far smaller than the number of clients; this leads to a situation where offline precomputation make sense.

Moreover SSL/TLS is *expensive*; while it's neglegible for the clients, it quickly becomes very expensive for servers serving thousands of connections. This fact can be observed in most commercial service which save even on the (comparatively very cheap) symmetric encryption by e.g. accepting aes-256 but strongly preferring aes-128.

It also seems that you haven't understood the different tasks of the different schemes. SSL/TLS is about *transmission* security and not concerned about content security (like e.g. PGP). This is relevant as, as I explained above, it depends on *all* legs being transmission secure.
A single leg being insecure (or cracked, e.g. by MITM) doesn't lead to less security but to *no* security. This is even more true when looking at agencies who operate internationally.

rSeptember 23, 2016 5:05 PM

I'm on a qwest to find out what happens to a company when they politely refuse such a request?

@Wael, how do you do that lavabit font of yours?

I shutter to think what might happen.

Rolf WeberSeptember 23, 2016 5:19 PM

@ab praeceptis

it is well known that nsa and probably other agencies do have *their own* equipment at central points.

This is not "well known". It would be completely illegal on American soil. So what you pretend is no more than a conspiracy theory.

So again, the NSA does *not* tap directly under the Upstream program.

Starttls not only encrypts meta-data; it also opens wide gaping open holes to MITM and other attacks.

That's correct, but again, you should understand some technical basics. MITM is not exploitable with passive tapping.

Let's play the game. A sends an email to B. Both A and B use Starttls. To transmit the email their providers email servers A' and B' communicate. So, all in all there are 4 systems involved - if only 1 out of those 4 doesn't use tls nsa can grab the complete transmission.

Great. You seem to make progress. Nowadays, it is highly likely all 4 support STARTTLS. And when we speak about *backbone* tapping, after all only the email *servers* are relevant.

Btw, as you chose to provide a rather direct link back to the company you work for, you might want to reassure yourself that your boss, Dr. Leinenbach, does welcome your insulting of colleagues.

You really complain about insulting? You remember "What a pile of BS" or "Pardon me, but what's your job at that german IT company? Janitor? Cook?"?
But other than you, I stand by my comments with my real name, with my real identity. Dumbass.

rSeptember 23, 2016 5:26 PM

@Rolf,

So again, the NSA does *not* tap directly under the Upstream program.

Mincemeat again?

So they do tap just not with their own hardware?
They forward it down subverted channels into the dark crevises they hide in?

ab praeceptisSeptember 23, 2016 5:36 PM

Rolf Weber

This is not "well known". It would be completely illegal on American soil. So what you pretend is no more than a conspiracy theory.

Read i.a. what Snowden has shown to us.

As for illegal: Funny, there is evidence after evidence that nsa, bnd, and ghcq don't care the slightest about legality and yet you use that as argument.

MITM is not exploitable with passive tapping.

And again you try to weasel by artificially narrowing. Who said that we are talking only about *passive* tapping? And btw: It's a rather arbitrary issue. In my books "forcing a provider to connect a tapping device" is a quite active thing. So, too, is "forcing a provider to hand over meta-data".

Nowadays, it is highly likely all 4 support STARTTLS

a) Evidence?
b) Nice try. "supporting" isn't good enough. The question is whether it's actually *used*
c) How many of the servers are using only, say, at least TLS 1.0+ (rather than SSL2 and 3)?
d) How many of those servers have a reasonable setup rather than whatever happens to come shipped?
e) Even if it's widely used there is still the *major* problem with SSL/TLS around.

I stand by my comments with my real name, with my real identity. Dumbass.

Let's see what your boss will say. I'm quite confident he doesn't like at all to see Infoserve GmbH (and the group) to be closely linked to dirty nsa and bnd games.
Similarly, he probably doesn't like for his company to have an image of being run by technically clueless people with a political agenda.

But no need to discuss that. We will find out quite soon.

rSeptember 23, 2016 5:39 PM

@Rolf, All,

Here, let's put this in full perspective:

This is not "well known". It would be completely illegal on American soil. So what you pretend is no more than a conspiracy theory.

So again, the NSA does *not* tap directly under the Upstream program.

I'm really getting sick of mincemeat, what's the deal with the quotes and emphasis?

Why is it not "well known"? Because it's technically hush-hush and classified hactivity?

Is it because most people don't care?

Illegal on American soil? Only if
a) we did it here and not there (overseas, you),
b) what if it's being done over-the-air?
c) you're doing it here, for us.
d) the isp's are doing it for "us" (they doo have immunity yanno)

It's only a theory because you wads can't/wont admit it. Your meta leaks more than enough to build a full picture through pointilism.

They don't tap, somebody else does for us right?
Or
Maybe it's under a different program :)

My browser froze otherwise it would've been a little more succinct.

I repeat: just say no thank you to mincemeat.

rSeptember 23, 2016 5:43 PM

@ab,

A large part of what snowden has published cannot be legally viewed by those who have a clearance. It's fighting a losing battle trying to force the two-shoes to look at you squarely.

He hasn't denied anything, just shifted the implementation details - nothing we weren't already honestly aware of.

Qwest refused, Lavabit refused, google in-house encrypted. AT&T && Verizon complied. The BND & 5 Eyes do our dirty work for us we likely have BCC access etc.

Aside from their ant-toolkit why would they use custom hardware when they can just pop holes in juniper and cisco?

He really hasn't said anything, hasn't refuted anything imb.

rSeptember 23, 2016 5:44 PM

@Rolf,

Another thing, aren't army bases or classified locations not considered american soil?

I'm going to need more info on that but I'm pretty sure I can say that with some amount of certainty.

GrauhutSeptember 23, 2016 6:57 PM

@rw4371: "The BND taps directly, NSA not."

Stop dreaming and read:

Sontag, Sherry; Drew, Christopher (2000)
Blind Man's Bluff: The Untold Story of American Submarine Espionage
William Morrow Paperbacks
ISBN 0-06097-771-X


An agency that uses nuclear subs for undersea wire tapping doesnt tap directly because the navy does it for them, right? :)

Peter ShenkinSeptember 23, 2016 7:17 PM

@Langmead Though the time for this response has probably passed, let me just state that I never said or implied that "If you have done nothing wrong you have nothing to fear". Of course you had better be scared. It's just that I believe that safeguards built around the use of the data, if they could be enforced, would serve the public as well as the non-collection of the data. The idea that such safeguards would be enforced may be naive; but, I submit, less naive than much bigger proposition that the collection of the data in the first place would actually be ended. It would require the secret courts to take a more active role, for sure; and yes, I have a problem with the secret courts; but they have a long history in this country and are not going away.

I wrote, "What if [the data] were collected and nobody ever looked at it?" @fivehunlove responded, "If I stole $500 from your bank account and you never noticed, is that theft?" My response, of course, is yes, because then I can't spend the $500 myself. But if information about me sits on a server and is never examined, I have lost nothing.

GrauhutSeptember 23, 2016 8:24 PM

@Peter Shenkin: "But if information about me sits on a server and is never examined, I have lost nothing."

So its not a copyright infringement if i download a movie screener torrent but leave it unused on my disk and never play it? Because the copyright owner lost nothing? :)

Jim NSeptember 23, 2016 8:44 PM

@ r,

"I'm really getting sick of mincemeat, what's the deal with the quotes and emphasis?"

Snowden's "revelations" is technically a "conspiracy" theory (albeit a very realistic one) because these "files" are not authentic thus they have no effect under the court of law as "proof" of fact. It's like our recent Hillary "tech guy" bruhaha, the "contents" of which were categorized as 'circumstantial evidence' even though you can be damn sure he was the dude.

This is part of the legal system which leaves room for "selective punishment" and please pardon the quotes. :)

rSeptember 23, 2016 9:52 PM

@Jim N,

I don't think it's a theory at this point, we have technically had responses from both congress and the NSA at this point - confirming whatever details have been omitted or alluded to.

As to the conspiracy? That's where I think the myst lays, is the conspiracy it's happening? or the conspiracy that's happening?

Is it a conspiracy? No - not in the sense that it's some crackpot make believe delusion. It's a partial view of a national security endevour. Is there a conspiracy? No, there's a national security aparatus involved - there's a need to know and according to whatever behind the scenes juriprudence they believe they have we are most certainly not privy. Is the NSA directly tapping the fibres of free speech? No, AT&T does it for them (As does the Navy and GCHQ) seemingly pro-bono like when a cat brings it's owner a mouse. Why else would AT&T charge the 'Sick LE carrying harvesters' cash money if they were not self-administering the ever so linear feet of diversion?

It's a Tee Party, and we're all invited.

Upstream as per the choking point Mr. Rolf Webber is poking at is a matter of your position in or on a network or stream. Have there been instances of anal leakage? Yes, so he refutes proprietary hardware - he doesn't refute room 404 - he doesn't refute AT&T hardware - he doesn't refute custom software or coersion. When Qwest's founder was jailed he was crying about how his intent wasn't to sell his very own share holders short - he was counting on the .gov contracts. But we'll never know the truth, like the Wolf says - it's not "well, known.".

Should we accept his assertions as true? That's your decision, is it safe for you to do so? I can't tell you left or right honestly, but like I said - there's at least one example of a CIA blacksite or military installation not being "American Soil" - Guantanamo #1. When that hack came to fruition was it the only one? Are there other "Blacksites" that don't count towards the official SQueeMIsh total? What he can tell you paints a picture of what he can't, it outlines it. It provides a narrative, a narrower, a narrowing view of what is and what isn't. If him, they, them, anyone of them have a clearance - they can't read the disclosures safetly - they'd #1 have to be sanitized first - #2 they'd have to be so hard headed or hell-bent that reading even the summations and human interest sides of the articles wouldn't have an impact on their hearts.

So I posit, that a small portion of the american disinformation trolls are to provide morale building services for the 'in the field' workers. Maybe even co-ordination between disinformnick cells. I don't know. Information on the internet these days is ageless, it will be here forever - it could easily be signaling and damage control.

Target selection.

It's just much easier for your superiors to send someone down from heaven to tell all the grunts on the front line that "we're going to win this" than to tell them they'll all be dead or jobless and traitors tomorrow.

What would you tell them in their heart of hearts?

"Good job soldier, now go find me another wife beating muslim or some poor deluded kid that can be prepped just in time for your next raise."

"The less would-be terrorists the better, uniformly uniformity is a unifying thing. (Or is it uninformed?) This is the United States of America, we'll scare them all and let the dog's sort them out."

Are you outraged at your people being shot? We can shoot you too brother, this is where the line forms... around you - around YOU.

They, we, you, me, Rolf, we all have a job to do. I'm not patting you on the back telling you it's all going to be okay though.

rSeptember 23, 2016 9:59 PM

@Jiminy Cricket,

This is where you and I, and the rest of those watching throw the US Constition into Boston Harbor.

Anon10September 23, 2016 10:52 PM

Surveillance of conversations of foreigners that may be of foreign intelligence interest is thus neither necessary nor proportionate, as international human rights law requires.

Granick undermines her credibility with the above statement. Neither US law nor the 4th amendment requires the "necessary and proportionate" standard, and certainly not as applied to foreigners. To the extent a US failure to meet this standard is a violation of international law, that is an indication that international law is flawed and needs to be changed.

WaelSeptember 24, 2016 12:12 AM

@r,

how do you do that lavabit font of yours?

This:

0<sub>1</sub><sub><sub>2</sub></sub><sub><sub><sub>3</sub></sub></sub><sub><sub>2</sub></sub><sub>1</sub>0

Will produce this:

0123210

I shutter to think what might happen.

Is that worse than shudder?

rSeptember 24, 2016 12:49 AM

@Wael,

I thought it might've been a sub, thank you I didn't want to invite any more &spectors that I may have already.

On shutter vs shudder, I think it's the difference between quivering your arrows and quivering in your pants.

One is packing up and leaving, the other is more of an "oh crap!".

WaelSeptember 24, 2016 1:01 AM

@r,

One is packing up and leaving, the other is more of an "oh crap!".

In that case, the correct word has an 'i' instead of a 'u'!

rSeptember 24, 2016 1:11 AM

@Wael,

While I agree that Lavabit's business technically took a dump in the "loo" as @Cliver would say, I don't believe in the least that their image followed.

Lavabit is dead, long live the Lavabit font.

Rolf WeberSeptember 24, 2016 1:51 AM

@r

So they do tap just not with their own hardware?

Again: Under Upstream, they send specific selectors to American carriers, and the carriers return the matching packets. The NSA has no access to cables, routers, switches or whatsoever. Read the PCLOB 702 report.

Where does this fit-in-to-your architectural genius?

This was most certainly done somewhere abroad under EO12333.

Again, until you guys eventually get it: We are talking here about Upstream, which is authorized under setion 702. This is what the article Schneier referred to are about. It's only about Upstream and 702, which is to be re-authorized by Congress. We are not discussing what the NSA is doing abroad under EO12333, we are discussing what they are doing on American soil under section 702. If you don't understand the difference, you are simply not qualified to join this discussion.


@ab praeceptis

Who said that we are talking only about *passive* tapping?

Yawn. Upstream is only about passive tapping. Will you understand some day?

a) Evidence?

Look for example here:
http://www.adweek.com/socialtimes/facebook-95-notification-emails-encrypted-thanks-providers-starttls-deployment/437247?red=af
Facebook observed that after enabling STARTTLS, 95% of sent emails were transmitted encrypted. And this was November 2014, almost 2 years ago. The number will be even significantly higher today.

And hey, you shouldn't grumble, this is a good development, and it was thanks to your Savior Snowden. One of the very few good things he caused, and I always acknowledged this.

c) How many of the servers are using only, say, at least TLS 1.0+ (rather than SSL2 and 3)?

Check it out. There are a lot of tools to test the TLS settings of email servers. You seem to have a lot of spare time. Seems like a good pastime for you.

e) Even if it's widely used there is still the *major* problem with SSL/TLS around.

You guys are so funny. After the Snowden "revelations", you cried out: "Encrypt! Encrypt! Encrypt the world! This is how we defeat the mean NSA!".
And when encryption is actually used, then you scream: "Encryption? Haha? Encryption is pointless against the NSA!".

Whom do you want to impress with such a childish "argumentation"?

Jim NSeptember 24, 2016 3:06 AM

@ r

"So I posit, that a small portion of the american disinformation trolls are to provide morale building services for the 'in the field' workers. Maybe even co-ordination between disinformnick cells. "

What we know about history is clearly no exception to the rule. It gives rise to conspiracies, conspiracies disguised as conspiracies, etc. Words often can't describe what really goes on, as the perceived truth could only fit a narrow definition, so nobody knows wtf Rolf is talking about until he narrowly defines it, and then a narrower definition appears out of his back pocket.

"What he can tell you paints a picture of what he can't, it outlines it."

That's interesting. Should we read papers for what it doesn't write? like... in our own augmented reality, or applying information to misinformation? sounds like a typical intel job?

Rolf WeberSeptember 24, 2016 4:12 AM

You guys are so funny, you speculate about me, and in the same time you worship to a guy who worked for U.S. intelligence (ok, just as a low-level Microsoft Windows admin, but anyway) and then most likely detected to Russian intelligence.

Clive RobinsonSeptember 24, 2016 7:28 AM

@ Jim N,

Snowden's "revelations" is technically a "conspiracy" theory (albeit a very realistic one) because these "files" are not authentic thus they have no effect under the court of law as "proof" of fact.

Wrong in all counts.

If the files are not authentic, then Snowden has not committed any crime by which the US could have used against him.

Further the doccuments have already been used in court and treated as sworn proof.

So it's not on that basis a conspiracy.

Inconvenient but true...

IanashA_TitocIhSeptember 24, 2016 10:44 AM

@ Sos fans, shills, and disinformation specialists (paid or volunteer)

Draft Definition of 'The 4D of the Weberr' ("'4D Weberr'")

The 4D of the Weberr ("'4D Weberr'") is defined as: Deniable Deliberately Deceptive Drivel of the Weberr.

please note: 4D Weberr is meant to neither resemble Weber Barbecue Grills, nor the 'www', nor the disputed Boiling frog)

From Wikipedia:
https://en.wikipedia.org/wiki/Boiling_frog:

"The boiling frog is an anecdote describing a frog slowly being boiled alive. The premise is that if a frog is put suddenly into boiling water, it will jump out, but if it is put in cold water which is then brought to a boil slowly, it will not perceive the danger and will be cooked to death. The story is often used as a metaphor for the inability or unwillingness of people to react to or be aware of threats that rise gradually."

Here is an example of 4D Weberr in action. Using the power of nation states 4D Weberr could be used to prevent citizens from around the world from fighting back against rule 41 changes and things like putting malware in Unix, Google, Microsoft, Linux, Cisco, Apple, etc., OSs, or updates, as part of implementing Network Investigative Techniques (NITs):
https://threatpost.com/judge-rules-use-of-fbi-malware-is-a-search/120527/
https://threatpost.com/privacy-watchdogs-vow-to-fight-dystopian-rule-41/117763/
https://www.eff.org/deeplinks/2016/09/playpen-story-some-fourth-amendment-basics-and-law-enforcement-hacking
https://www.newamerica.org/oti/events/how-should-we-govern-government-hacking/ (video starts around minute 12; lasts around four hours)

Besides IoT problems, I wonder how bad things (like hacking and ddos attacks) might get when citizenry around the world stop applying updates, if possible)

Since this is somewhat off topic, I am also posting it in the current squid:
https://www.schneier.com/blog/archives/2016/09/friday_squid_bl_545.html#comments

Input is welcome.

ab praeceptisSeptember 24, 2016 3:34 PM

Rolf Weber

Again, you are free to focus on "upstream" only, as that happens to fit your agenda. Many, however, in the field of security look at much more; to them "upstream" is but one facet within a much larger scenario.

"adweek article & facebook"

So you offer an article from adweek als evidence? Seriously?
Moreover, facebook is not the internet, neither is it a major part of email traffic.

And again: Usually there are 4 systems involved of which 1 not using SSL/TLS breaks the whole chain.

"saviour Snowden"

He isn't my saviour nor do I consider him a hero. But your insinuation of him almost certainly being a russian intellence asset shows that a) you have a political agenda and b) you know very, very little about the things you talk about. Rest assured that any intelligence agency, no matter whether russian or other, would hesitate to publish any valuable asset with lots of noise.

"lots of TLS settings of email servers"

For a start that's plain wrong. Actually there are quite few SSL/TLS settings.

Those, however, are quite confusing for most admins and require considerable know-how to be properly tuned. Quite few admins, for instance, know which key exchange algorithms they should chose. Accordingly all data known to me show that the vast majority of SSL/TLS related configurations are hardly ever touched; admins tend to simply leave them the way they come preconfigured.

"you guys are funny..."

And again you bend reality as it fits your agenda. We always said "Encrypt!" and we also and at the same time said "we need even better crypto to defend against i.a. against nsa". Learning (e.g. through Snowden) how evil nsa acts (e.g. tainting nist algos) and how rotten quite some of crypto is, we enhanced our efforts.
When we say that crypto doesn't protect against nsa we talk about crypto as it is widely configured and used out there.
To offer an example: We talk about people like you in inet related companies who did not even understand the difference between transmission and content security and who didn't understand that SSL/TLS related to email is like a chain whose strength is defined by it weakest element.

Funny that you address me as I'm among those of us who always pointed at the human factor, too, namely at the fact that crypto must be simple to use and reasonably default.configured.

Summary: you are not capable of giving satisfaction and you have disqualified yourself by *obviously* pushing an agenda and by gross lack of relevant knowledge.

Rolf WeberSeptember 24, 2016 5:10 PM

@ab praeceptis

Again, you are free to focus on "upstream" only, as that happens to fit your agenda.

This has nothing to do with my "agenda". We are discussing here a blogpost from Bruce Schneier, and if you only care to have a look at the title, it's called:

'Two Good Essays on the NSA's "Upstream" Data Collection under Section 702'

So the topic is Upstream and 702. That's what I commented so far. No more, no less. Don't blame me when you actually derailled the discussion.

Rest assured that any intelligence agency, no matter whether russian or other, would hesitate to publish any valuable asset with lots of noise.

OMG. Are you really *that* naive? Snowden stole more than 1.5 million documents, published were just a few hundred. Do your own math.

[A lot of boring smattering deleted]

ab praeceptisSeptember 24, 2016 7:03 PM

Rolf Weber

Snowden stole more than 1.5 million documents, published were just a few hundred. Do your own math.

Do you have any proof or evidence showing or at least solidly indicating that the unpublished documents have been given to Russia (btw: or to China because after all that was the last destination he was at liberty to freely choose himself)?

I you don't - which is next to certain - then you are empty handed and nothing but wildly accusing without any base.

Once more you show yourself disqualified.

Jim NSeptember 24, 2016 7:46 PM

@ Clive Robinson,

"Further the doccuments have already been used in court and treated as sworn proof."

Which documents would that be? Would you kindly provide a link to it?

Jim NSeptember 24, 2016 7:55 PM

@ Rolf Weber,

"So the topic is Upstream and 702. That's what I commented so far. No more, no less. Don't blame me when you actually derailled the discussion."

Funnier is that, in your "example", you wrote Email and wiretaps in one sentence, while it was widely reported email contents are obtained in bulk directly from hosts.

Clive RobinsonSeptember 25, 2016 12:55 AM

@ Jim N,

Which documents would that be? Would you kindly provide a link to it?

It was in a criminal case against nine US companies including Apple, the US Government and the Irish Data Commisioner held in front of Judge Prof. Gerard Hogan brought by Austrian student Max Schrems back in 2014. Max took the entire published parts of the Ed Snowden revelations and squeezed them in fourteen large lever arch folders and swore them in as testimony. Thus at that point the Ed Snowden ceased to be hearsay and became sworn evidence in a court of law dealing with criminal charges. It did not take the judge very long to hand down guilty verdicts for "indiscriminate mass surveillance".

Whilst not widely reported out side of Ireland it caused a considerable howl from the USG and US companies who are dragging it upto and through the European Court of Justice (the ECJ not the ECHR).

The Taoiseach (ie prime minister) on realising the damage to his "get rich quick tax fiddle scheme" quickly booted the judge up to the appeals court to get him out of the way. Max got what he wanted the US indicted in court for the mass surveillance and an order against the Irish regulator to "perform" her statutory duties.

However the regulator lurking in her grubby little abode above a "little shop of horrors" in Portarlington conveniently close to the largest bog in Ireland has decided, prrsumably on orders from above her pay grade to play dirty rather than comply with the court order. She has hit Max with no less than eleven spurious cases in the obscure but nether the less very expensive commercial court.

However the attempts of the Irish Taoiseach and regulator to keep it all bolted down and quiet to keep the commercial gravy train of US corporate tax avoiders going has just hit a massive rock with the EU Commission that has found against Apple and it's tax avoidance. We now have the interesting case of the Commisson saying Apple has to hand the goverment in Ireland 13billion Euros... Which the grubby little Taoiseach is desperatly trying to find fault with the EU Commission so that the 13billion can be rejected...

Which has unfortunatly started shining a light back on Max's little win that is heading for the ECJ as slowly as the defendants can force it. What they originaly thought would be an "easy win" suddenly became an endless nightmare. Because shock horror the ECJ last year made a very damaging (for the US and it's companies) decision. Rather than stop PII transfers it halted all "legal transfers" by making such transfers illegal... Ouch...

Appart from making the US Government a willing partner in illegal activity and giving the Snowden revelations the force of legal evidence, there is another little problem for the US IRS/Treasury, which is that mammoth ball of cash thay has avoided US taxation. Whilst the US is unlikely to get at it the EU look likely to take a huge slice out of it. Which will almost certainly cause serious political headaches for those schmoozing corporates of US politico's, unless they can buy off the US MSM... Expect to see a lot more tax deductable advertising on a TV near you any time soon as the very least of it.

Rolf WeberSeptember 25, 2016 2:46 AM

@ab

There is, of course, no hard proof, but many, many indications. This is why I mostly express it like "Snowden most certainly shared documents with Russia". Of course you are free to believe in his fairy tale narrative, as well as I am free to call you naive.


@Jim N

Where did I write email and wiretaps in one sentence?
And you seem to confuse PRISM with Upstream.


@Clive Robinson

You were asked for a link. What you say is nonsense in big parts. E. g. it was no criminal case, and while the documents were filed, neither the Irish courts nor the European Court of Justice really dealed with them.

Duck Duck GustavSeptember 25, 2016 3:33 AM

Mr. Weberr,

I've been monitoring things here, and I would like to point out that in sharing documents with the international media those documents have been thus shared with Russia via proxy.

You may be right, concentrating on the "upstream" issue seems to be what's at play both at the start of this topic and within the confines of it.

However, we can make up whatever names you want for whatever operation you want today: tomorrow it can all be reclassified removed and repurposed. Concentrating on today's treat, and treatise in the long term no matter what the disclosure will be found to be ineffective as long as the ball is in play.

Unfortunately for both of us, Schrodingers cat is out of the box.

You cannot reuse said box for it's coffin and we can't execute something we can't see with the public light.

Duck Duck GustavSeptember 25, 2016 3:47 AM

Do you recall the name of Schrodinger's cat per chance?

The box itself belonged to Pandora.

You should've never opened it, you have lost all trust and integrity in doing so.

Go ahead, blame it on some lowly windows administrator. Some runt of the mill criminal.

We could infer from his inabilities that your inabilities run deeper, my recommendation is that you paint him as a Messiah, as some Uber Hacker to make yourself not some fool.

If he could accomplish to much and yet so little, imagine what the FSB could do with their non-MAC spoofing mayhen's.

Don't try to evade that logic, it does you no good.

We the public can blame you and yours for not securing the box, and for misappropriating public funds in it's operative functions.

No amount of damage control will recover your pitch and your yaw from this one, so quit wasting our time and our public money and get back to work. It's business as usual behind closed doors and minds.

Jim NSeptember 25, 2016 6:51 PM

@ Rolf Weber,

"Where did I write email and wiretaps in one sentence?"

Right up there. (hint: 'backbone')

"And you seem to confuse PRISM with Upstream."

I'm not well-versed in these names. Care to elaborate?

@ Clive Robinson,

"Austrian student Max Schrems back in 2014. Max took the entire published parts of the Ed Snowden revelations and squeezed them in fourteen large lever arch folders and swore them in as testimony."

While I'm not well-versed in legal matters, I seriously doubt you can download a bunch of files from the internet and "swore them in" as testimony without an AOK from the source of these documents, and I highly doubt the three letter agencies would put a stamp on such docs brought forth by the Austrian in Ireland. The whole thing is too theatrical. Thus, on U.S. soil atleast, a conspiracy theory is what it remains.

Rolf WeberSeptember 26, 2016 5:54 AM

@Jim N

Right up there. (hint: 'backbone')

I still don't know what exactly you mean. I said that Upstream is wiretapping of internet backbone links which one end on American soil and the other abroad. With this tapping, it is possible to collect the content of emails -- before Snowden, when STARTTLS was very rarely used, this means it was possible to collect almost all emails transmitted through the tapped links in cleartext. Nowadays this changed, because today only a fraction of emails is still transmitted in cleartext.

I'm not well-versed in these names. Care to elaborate?

Upstream is the explained tapping of internet backbone links, while under PRISM American internet companies (like Google or Facebook) are compelled to hand over userdata and content of specific accounts.

If you are interested, I wrote a technical explanation about the differencies between PRISM and Upstream, about the possibilities and limitations of each:

https://plus.google.com/+RolfWeber/posts/bkvXuB9DfXJ

Clive RobinsonSeptember 26, 2016 5:59 AM

@ Jim N,

I seriously doubt you can download a bunch of files from the internet and "swore them in" as testimony without an AOK from the source of these documents

They were sworn in as evidence, not as testimony. You need to understand the difference.

Whilst compelling testomy from a witness requires certain legal niceties, published evidence requires no such niceties, it's in the public domain.

Such evidence can be contested but it was not --possibly because it would have failed-- thus "it's taken as read"...

Now it has the status as having been recognised as evidence, not just in the court in Ireland but also the premia court of Justice in the EU, recognised by some 27 states, which means arguably it trumps the US Supream Court which is limited to recognition in only one sovereign states jurisdiction.

Interestingly though due to Europe being the birth place of most types of judicial process it is likely to be considered valid in most jurisdictions in the world unless there is superceading legislation to disbar it (which in many places there will not be).

You might not like the idea, but there are plenty of American, Russian and more recently Chinese using foreign justice systems to get judgments that are then transferable either into another court in another juresdiction or likewise for Enforcment.

Clive RobinsonSeptember 26, 2016 6:25 AM

@ Jim N,

Sometimes "multitasking" goes astray, especially when busy.

In my above to you,

"not as testimony"

Should have been,

"not as testimony given verbaly or written by a witness".

Rolf WeberSeptember 26, 2016 6:31 AM

@Clive Robinson

It is simply not true that the European Court of Justice referred to Snowden or any of his documents or "revelations" in its ruling. SafeHarbor was just invalidated for other reasons (shortcomings of the EU Commission).

And in the meantime, SafeHarbor was replaced by PrivacyShield. That's all what happened. A lot of people were busy, lawyer earned some money, but the reality didn't change a bit. The Schrems case is dead.

Clive RobinsonSeptember 26, 2016 6:47 AM

@ Rolf Webber

It is simply not true that the European Court of Justice referred to Snowden or any of his documents or "revelations"

They would have had no choice but to referre to the documents in making their descision as they were part of what was refered to them from the court in Ireland.

As a matter of course, specific evidence is not refrenced in most court rulings, and often summings up.

So there is nothing to be read into it's absence.

So stop trying to "make hay out of sand" it's becoming very embarrassing for even the most pro readers of your comments.

Clive RobinsonSeptember 26, 2016 8:16 AM

@ Rolf Weber,

Why don't you go and equate yourself with what went on and why?

I Like many others here are tired of your ways of going about trying to show you are some kind of super genius who can make definitive statments on that you have not performed research on or understand the processes behind.

Personaly I'm very sick and tired of it thus untill you actually show you have done the requisit work to actually make a statment with some grounds to it, I propose to leave you to that echo chamber lump of fat between your ears and ignore your sniping and carping.

Clive RobinsonSeptember 26, 2016 11:19 AM

@ Rolf Weber,

You claimed the ECJ used the Snowden files as evidence. So you carry the burden of proof.

I do not have any "burden of proof" as you should well know if you knew anything of relevance. So do not inappropriately use some expression you have heard being used in respect of the law, but have no knowledge of what it means or why.

Further I did not "claim" anything, I told you why they would have had to use them. Plain and simple. You can if you know how look it up for yourself.

Which leaves the question of are you a moron, a troll or both?

ab praeceptisSeptember 26, 2016 3:34 PM

Rolf Weber

Continuing to ignore the diverse professional facts and stubbornly repeating your nonsensical assertions will not lend you any credibility or standing here. Try to somehow get that into your head-

For a start, your "Starttls made emails secure" assertion is wrong on multiple levels.

Starttls is but one way to use SSL/TLS, namely one that does not need dedicated SSL/TLS ports. Which btw. strongly hints at it not being worth too much. Why? Because it doesn't make any difference for users whether they enter 25 or 495 or whatever 16 bit number into their setup. Moreover it makes the software more complicated which usually translates to more attack surface. Also note that quite many servers use diverse constructions like a SSL/TLS "proxy" for diverse reasons (like their email server doesn't support SSL/TLS or "that's how it was set up x years ago and I won't touch that" or "I want all SSL/TLS stuff in one software/place" ...). Those will be excluded from Starttls.

There have been options to run a SSL/TLS enabled email server since many many years. Starttls was *not* any major evolution, it war merely a supposedly easier way to use SSL/TLS with email servers. If it *looks* major in any way than that is based on marketing effects like the one you love to mention (fb is using it).

Moreover the decicion of many of the major services you like to mention, was *not* driven by user experience but by purely internal reasons as they are in large part (or even exlusively) based on a closed stack, i.e. on offering webmail preferredly or even only (and hence control all software included).

Leaving aside what makes SSL/TLS poor securitywise and concentrating only on the human factor and the interface, the situation hasn't changed much in many many years. The problem isn't this or that port or 2 ports instead of 4 but rather proper SSL/TLS related choice and configuration which must be done right on both sides, server and client - which, that's the next problem, is often not even feasible because old systems must be supported or weak ciphers, etc. The problem with that is that an attacker goes against the weakest one.
SSL3, for instance, may be quite insecure and will yet not be excluded by *many* providers simply for the fact that they are not willing to exclude 20*% of their potential, let alone existing customers.

Another very major issue is cost; that one can even be a show breaker. aes (and generally symmetric crypto is cheap but PK isn't. Just have a look at the limits of even high end, say cavium based boards. Running thousands of connections wth PK is something that vastly changes things and that even many companies don't like to or can't afford. Setting up a jail or a VM on a standard machine and putting an email setup on it is one thing. Buying a dedicated server with *very expensive* crypto acceleration, however, is a very different thing and out of reach for many companies.

Finally I'm amazed over and again how many people who feel to understand security talk about checking the SSL/TLS setup or quality thereof of servers e.g. through diverse services or some super-duper special software. The reason for my amazement is that SSL/TLS *by design* is very talkative (which some, probably not unreasonably consider a weakness in itself). It's very *easy* to find the weakest algo, the version, etc; SSL/TLS servers will happily blurt pretty everything about themselves out to anyone who cares to ask.

While I can't word it as elegantly as Clive Robinson (who had to bear you, it seems, a lot longer than myself) i'm fully behind him: Do yourself a favour and shut up. You may feel like a hero but actually you are the village idiot.
Well noted, I say that politely without any intention to hurt or to insult you. It's merely stating the obvious and actually invited by yourself as you seem to sincerely believe that stubborness and chuzpa can serve as a replacement for professional knowledge.

Finally, politics touches (and taints) pretty everything, so it'll come up here, too. The focus of this blog, however, is *security* (preferably technical and human factor aspects, I feel). Posters who bloodily obviously have no interest whatsoever in security but only a heavily biased political agenda will have a hard time here.

You see, it's not a secret that agencies like the bnd have a hard time to get good personel. But at least they shouldn't advertise that fact aggressively.

Rolf WeberSeptember 27, 2016 1:51 AM

@ab

For a start, your "Starttls made emails secure" assertion is wrong on multiple levels.

I never made such an absolutistic claim. To declare systems either 0% or 100% "secure", but never ever something in between, that's the job of "experts" like you.

I said "before Snowden, when STARTTLS was very rarely used, this means it was possible to collect almost all emails transmitted through the tapped links in cleartext. Nowadays this changed, because today only a fraction of emails is still transmitted in cleartext". No more, no less.

You may feel like a hero but actually you are the village idiot.

Your problem is that all the discussions here are archieved and everybody can re-read them with the knowledge of today. And then every neutral observer will clearly realize that not I'm the exposed idiot, but the "experts" I discussed with. And that's not because I'm so good, but because so many of the self-declared "experts" are so bad.

My pet example: One of Snowden's bombshell "revelations" from the very beginning, the alleged "direct access" with PRISM. I said from the very beginning that this is evidence-free bullshit. And I discussed it with many "experts" like you, who "argued" exactly the same way like you. And today we clearly know that I was right and the self-declared "experts" are the exposed idiots.

And sorry, I have zero respect for self-declared "experts" who celebrate Snowden as a security guru. I always considered him to be a quack. And today we know he worked at NSA as a Microsoft Windows admin and helpdesker.


And what you say about "political": The question whether Congress should re-authorize section 702 is a political question. And that's the topic here. Bruce Schnneier frequently blogs about political topics. I had expected you know this.

ab praeceptisSeptember 27, 2016 3:04 AM

Rolf Weber

I found Clive Robertson somehwhat harsh and wanted to give you another chance to demonstrate at least some basic qualification for a professional discussion. Now I Have to see that Clive Robertson was right.

You are but a stubborn troll bar of any relevant knowledge and not worth our time.

Rolf WeberSeptember 27, 2016 4:39 AM

@ab

You anonymous prole can call me however you want. I don't care about opinions of people who worship to a low-level helpdesker who defected to Russia.

The reality is, that what I said in my first comment here (and everything I added), is factually correct, even when you dislike uncozy facts:

First, because Upstream surveillance only covers a fraction of America's international backbone links.

Second, because the NSA doesn’t tap the lines directly. It just sends specific selectors to carriers, and they only return matching traffic. So only those emails are collected and searched that include communications with specific NSA targets.

Third, at least today, with the widespread use of STARTTLS, virtually all emails are transmitted encrypted, making them unreadable for the NSA (they can't even collect useful metadata).

Contrary to what the article claims, the chance that emails of average Americans are collected and searched is close to zero.

rSeptember 27, 2016 11:45 AM

To say, that "Upstream" only "covers a fraction of America's international backbone links" does nothing more than say it covers 1-99% of them and 100% of foreign backbone links.

To say, the "NSA doesn’t tap the lines directly" and "It just sends specific selectors to carriers, and they only return matching traffic" is to illustrate what one could assume to be an extreme weakness in the design.

You can lead a horse to water but you cannot force it to drink, who and what are the selectors it sends? Checks? Bonuses? Insider Information? Maybe employees?

Do you deny that your professional role here is to downplay the underpinnings of this echosystem?

I find you alarming.

rSeptember 27, 2016 12:22 PM

@Rolf Webber,

By simply excluding Netflix and the actual streaming component of YouTube we cover "a fraction".

What's the deal? Do they have your daughter or something bro?

Rolf WeberSeptember 28, 2016 12:46 AM

@r

I can't help you, I just state the technical and legal facts. Contrary to what Snowden and his fanboys claim, Upstream surveillance is not mass or indiscriminate, it is rather targeted, and it affects only a very small fraction of the worldwide internet traffic.

And, at least equally important, from the very beginning the internet was considered an untrusted network, from which nobody should expect any privacy. This is why most sensitive data is transmitted encrypted (today even much more than pre-Snowden), making it very hard and in likely most cases even impossible to read tapped data.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.