NSA has direct access to tech giants' systems for user data, secret files reveal

Discussion in 'privacy general' started by Dermot7, Jun 6, 2013.

  1. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Well, I really hope you're right, I really do. The problem I have though is that I cannot have confidence that they will not do this form of attack on the basis of algorithmic association of guilt and lack of process - visiting some website might be sufficient, or taking an interest in online privacy, or encrypting anything. Regrettably, what the revelations have shown is that if something is technically possible, then they will be doing it, regardless of whether it's sensible, advantageous or lawful. I never thought they'd be so stupid and short-term as to do mass surveillance without democratic approval and decent assessment of real-world costs and iatrogenics, even though I knew very well it was technically possible - but they have.

    I understand the point that they will not want to reveal their methods by using some kinds of attack on a large scale, but I think that applies to the nature of the payload, not necessarily how the communications were intercepted. Clearly, they have a range of attacks into VPNs, but it would be extremely hard to prove that that was broken because the initial attack there would be passive. It is known that the Quantum inserts can be programmed in, and there's nothing stopping that being algorithmic end-to-end.

    Until there is a new deal, where they stop treating the internet as their fiefdom, and foreigners as dirt, in other words, act in a civilized manner, so that the deal that people agreed to - targeted, lawful and warranted surveillance for a tightly defined and legitimate and reasonable aim is true, then civilized people have to mistrust them and take steps to protect themselves - which should not be necessary. But here we are.
     
  2. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
  3. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    @deBoetie

    I believe that there is a huge distinction between passively logging and archiving all of your web traffic because you visit the wrong site (like this one or torproject.org) or Google the wrong thing, and actively infecting you with spyware. The former is totally undetectable to you and in all likelihood your data is just being put in a massive pool that no human ever lays eyes on; the latter measurably damages your system. Is it possible that the NSA intercepts all OpenVPN traffic and uses the vulnerability to decrypt it? Maybe, but there's probably too much torrent and Netflix traffic for them to sift through to actually find anything of interest, and actually manipulating said traffic to serve malware is a completely different matter. And besides, anything that they collect/decrypt illegally can't be used against you in court, short of some clever parallel construction (admittedly precedented), in case that's a concern.

    All that being said, I understand your point that if they went so far as to break so many laws, there's little reason to suggest they wouldn't take it a step further, maybe I'm too optimistic. It does seem that the US is going in the right direction with the recent Congress ruling, and the approaching expiration of the Patriot Act. If somebody that cares about liberty and the Fourth Amendment is elected in 2016, then *maybe* this will be history.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I think I trust algorithms even less than people frankly, and that's particularly the case if you have "nothing to hide". My view is that you cannot keep these data "repositories" - read toxic radioactive dumps - safe at all, whether you mine them or not. And I think it's eminently likely that you could end up on a no-fly list or something without any human involvement. Or being refused some classes of job. Basically anyone who knows about databases knows that a) you cannot keep them completely secure, and b) rubbish data harms real people.

    The second problem is that your Constitution - if they bothered paying it much attention - only applies to US citizens, the rest of the world are ferriners, dross. Doesn't make you very popular, no? Used to be that the US had some moral authority because they did keep closer to the Constitution. But you've blown that now, which is a terrible shame and cost; and makes the world more dangerous for everyone, including for US citizens.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @krustytheclown2
    @deBoetie

    Thanks for your comments. More to read, I guess :eek:

    Playing safe and avoiding too much attention has always been my approach. Not defense/attack or vice versa.
    Well, they are the new incarnation of CryptoCloud ;) There's quite a story about that, some of which they share :)
    Maybe they are shady enough to attract NSA attention. Or maybe they're just paranoid. I have no clue.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, but recall their standard approach of pwning sysadmins in order to pwn stuff that they manage.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Right. And a major thrust seems to be automating attacks and scaling up, using massively parallel attack systems. At some point, we're basically looking at AIs with human overseers. And from Snowden, we know that many of the overseers are totally cynical. They're no more than black-hat hackers with cushy jobs ;)
     
  8. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
  9. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Russia will be Edward's new home country from now on, I would think. :gack:
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  11. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    @mirimir
    Well I was referring to that old story about their founder being a federal drug informant and animal "lover," not exactly the type of people I would care to entrust my information to, but the NSA doesn't care about cocaine or horse love afaik ;) If they're working for anybody, it's probably just federal law enforcement.

    Beyond just the history, I find that their philosophy is a bit eccentric and suspect. I looked at their site a few months ago and I remember seeing them hammer the point "We're not a honeypot" and calling every other VPN a "honeypot." This makes me inclined to believe the exact opposite. It's also rather unprofessional, other activist outfits like Riseup and AirVPN are much more civil and refined. Anyhow, I really don't trust anything those guys say or do so I would take any article from their site with a grain of salt.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Exactly, this is the risk of having these industrial-scale (and scalable) automated tailored attacks, as revealed by Snowden. I saw references to hundreds of thousands of attacks happening. The main costs are borne by the victims, innocent or not, and the cost of attack is peanuts, especially in relation to their budget. I expect them to be used thoughtlessly, careless of the cost to the innocent and foreigners. All it takes is an overbroad selector or even a typo, and WHAM - you're attacked without any further human judgement, let alone real targeted human investigation (which is what people naively imagine).

    Plus

    • apparently total legal immunity
    • embarrassingly pathetic internal audit and oversight, by the same organisation, in secret.
    • being given carte blanche instructions from their leaders to go ahead and do whatever they want, the ends justify the means
    • huge open-ended public-funded budgets and no effective internal operational and legal critical voices
    • the ability to go home at night, secure in the knowledge of doing a patriotic duty to keep the world safe for democracy.

    What could possibly go wrong?
     
    Last edited: May 23, 2015
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    In the article they say:
    So they might put it on fold before June 1st as they probably don't have an ON/OFF switch to make this happen instantly.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    More likely it will continue under some other "authority" in a more underground fashion. There is no way that the NSA and their cohorts are going to relinquish this power without physically being forced to.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Right, informants do tend to make up extremely radical personas. For example, consider all of those Islamist frame-ups over the past few years. Informants lead on the clueless, radicalize them, and then set them up to get busted :eek:
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, here's my plausible story about CryptoCloud, its founder, and CryptoStorm, in bullet form.

    • The founder had money, odd practices, and like-minded friends worldwide.
    • He set up CryptoCloud for secure communications.
    • He hired skilled hackers/engineers to do the technical stuff.
    • They sold it as a VPN service in order to get cover traffic.
    • They hired more skilled hackers/engineers as it grew.
    • The founder was running out of money, from living large or whatever.
    • And so he started smuggling drugs: cocaine from the US to Canada for export, and marijuana from Canada for domestic sales.
    • We don't know whether his CryptoCloud people were involved in his hobbies, or in his drug smuggling. Do we?
    • Anyway, he got busted. We've read news articles about that. Sad :(
    • His CryptoCloud people were freaked, I'm sure.
    • He wimped out, and became an FBI informer.
    • Someone figured that out, and leaked. Maybe it was some of his CryptoCloud people. Let's say that it was.
    • The FBI was unhappy about the leak.
    • The CryptoCloud people melted away into the shadows.
    • Recently, some of them regrouped, and set up CryptoStorm.

    Bottom line: It's arguably unfair to tar CryptoStorm with CryptoCloud's founder becoming an FBI informer.

    Yes?
     
  19. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    @mirimir

    Most of that is probably true, although I don't think many normal people just start smuggling drugs out of the blue unless they were in that crowd before, but it doesn't matter. The fact that the guy got three years for getting caught with hundreds of kilos is enough to tell you what's up, no need for a leak, that's normally decades in the States. If I used to work for CryptoCloud and wanted to start a new VPN service, I would want to distance myself from the history as much as possible - brand new name, style, based in a new city, etc. So I am inclined to believe that the oddball has something to do with the new service.

    Whatever the reality is today, you need to admit that there is at the very least a slight air of criminality associated with their service, which is enough to make me keep my distance. I don't want my privacy to be confused for being a pedophile or whatever, and it seems like that's sort of their target audience (I'll stick with torrenters), although I might be a bit judgmental. And the attitude they show in their forums and general setup seems much more extreme than other services, which makes me wary and skeptical of their claims. Do you believe that the person who wrote that article is individually that super-duper important to the NSA and is writing the article purely to help people :rolleyes: ?
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @krustytheclown2

    Those are all good points :) But still, maybe they all weren't in on the drug running. Also, what's considered "criminal" depends on who's making the laws, and who has the power to enforce them. As I've said many times before, if everything that's illegal somewhere were illegal on the Internet, then just about everything would be illegal on the Internet.

    Anyway, I was wondering whether their technical points make any sense to people who know this stuff. If they do, then maybe I ought to understand it better.
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  24. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I've lost count of the number of times people have asserted some measurement is unique to an individual. But they'll be very coy about giving you scientific, independently verifiable false positive and false negatives. Look at what the FBI asserted with the hair samples. But none of them go to jail for those assertions, it's some innocent that does that. I'd like courts to throw out any evidence which can't scientifically and reputably provide false positive/negative rates, and what factors might influence those.

    Doesn't take much of a false positive rate to finger you and a lot of other innocent people (literally?!) out of 500M or 1bn people with smartphones.

    On a related topic, I've also seen similar notions applied to typing patterns at regular keyboards.
     
  25. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Good point but I don't think that identification measures by the NSA ever see light in a court of law, they're meant to be secret. You can expect an "extra-legal" punishment, i.e. being quietly kidnapped and taken to a black site or hit with a drone strike :eek:

    Going further, eyewitness testimony is actually quite unreliable, people forget, being in court is stressful, and recollections become distorted by emotions. Yet few people think to question that...
     