US plan calls for more scanning of private Web traffic, email

US plan calls for more scanning of private Web traffic, email
http://www.nbcnews.com/technology/t...-scanning-private-web-traffic-email-1C9001922

"The U.S. government is expanding a cybersecurity program that scans Internet traffic headed into and out of defense contractors to include far more of the country's private, civilian-run infrastructure.

As a result, more private sector employees than ever before, including those at big banks, utilities and key transportation companies, will have their emails and Web surfing scanned as a precaution against cyber attacks..."

 

This seems curious.

I would expect much banking email -- not to mention email among defense contractors -- to be end-to-end encrypted. For that, scanning would be useless.

Or am I just totally out of touch?

 

I find this paragraph most interesting:

Firstly, it touches upon what I suspect is a major force behind all these cybersecurity efforts. Namely, commercial players trying to set themselves up as key players that will receive lucrative contracts from government, contracts from other commercial players, and government backed secrecy and legal protection against a wide range of offenses. Secondly, it draws some attention to plans to process things on behalf of others rather than simply (tap) monitor things (at the TCP/IP level). It sounds like the data collection efforts may (also) involve SaaS solutions, cloud computing platforms, cloud AV platforms, etc. Things that would give them a deeper look at everything flowing into and out of financial institutions, defense contractors, transportation companies, utilities, various large tech companies and ISPs, etc.

However, a later paragraph:

implies that things won't be so closely inspected. You never count on public comments about classified programs being accurate though, and what those key commercial companies actually do may very well be more than what they need to do in order to look for rev 1.0 NSA/DHS signatures.

One question that seeps into my mind while thinking about this is... will this weaken our cybersecurity? If you truly want cybersecurity you would do things like 1) promote a larger number of dissimilar solutions because they are less likely to have the same vulnerabilities, 2) minimize centralization in every respect and promote geographic/other dispersion, 3) promote independent computing solutions so that even if many high profile targets were hit there would be many smaller nodes/areas still up and running. The last thing you would want is a small group of companies/solutions handling a large percentage of the nations computing and communications infrastructure. Unless of course you were trying to set the stage for a "digital pearl harbor" that is.

 

Specifying they won't use Deep Packet is code for "We don't need it, but you're too stupid to realize that". They don't need it, hell, deep packet inspection is as old as the hills and mostly used to catch pirates on BT. It's just a statement to get the privacy crowd off their backs and to comfort the mouth breathers who get their information on all things security from the mainstream tech sites and nightly news.

They're claiming to pass a bill now that requires warrants to read your email, but then they turn around and come up with this crap. Citizens are being played, that's all there really is to the matter. The population as a whole is stupid, gullible and too lazy to do anything but listen to whatever they're told, and they're going to pay for it in spades.

 

""The population as a whole is stupid, gullible and too lazy to do anything but listen to whatever they're told, and they're going to pay for it in spades""

Wholeheartedly agree with that statement

 

This quote from the article:

has been bothering me. The more I think about this together with other things I've read, the greater my suspicion that this will be a centrally controlled network of automated supernodes that will be hooked into the infrastructure at various levels so as to give the NSA/DHS an unfettered ability to remotely command data analysis, collection, and/or blocking. As in there will be little or no human participation, awareness, let alone approval from those infrastructure companies that allow the supernodes to sniff and MITM their unencrypted traffic. Thoughts?

 

You guys need to start learning to do what I do. Does not effect me, Don't care. If people out there are stupid and get their emails and internet traffic recorded then fine, that's them. I came to the conclusion that as long as "Our/Your" stuff is secure, then why worry about others that will never understand. None of this stuff effects me, so why should it bother me kind of mentality.

 

I think this is exactly what they are aiming for. A lot of folks seem to think that the NSA, Secret Service and other agencies have a bunch of geeks or black-attired people sitting around watching traffic line by line or with a headset on listening to a whackjob in Colorado or a terrorist in Yemen. We left that behind years ago, and it's nowhere near efficient. The various "Black Box" technologies set up by countries like Russia, Room 641A, the brand spanking new NSA facility in Utah...these are all set up to remove humans from the equation as much as possible.

Humans suck at this kind of work, and these technologies don't require the head guy walking into the room every 20 minutes to approve something. The agency sets out guidelines, makes exemptions, then programs the hardware and software to abide by them. If the systems catch suspicious activity, the data is saved, sent to whomever might be in charge of overseeing individual cases, and then is inspected by humans and decisions made as to how to further act if needed. You'll always have humans involved in some manner, since tech has a bad habit of being fallible and have the occasional brain fart. But these systems are designed to remove "babysitting" as much as can be done. It saves money, time, and risk of humans falling asleep, sabotaging things and just generally lessens the risk of humans being humans.

 

Then you either don't use email and the internet or are under some false belief that only criminals get watched.

 

My email is encrypted only uses HARD SSL to transfer data to and from my encrypted machine, I use a VPN and always pay without giving away my identity to either my email provider and or VPN provider. I also live in a country that is neither where my email or VPN service is located. I may not be a criminal, but I'm not getting watched.

 

Smart setup Not foolproof, depending on the countries involved, but not easy to follow you either.

 

Taliscicero, I wish you were right. Explore this forum and see what it would take to be really private.

No amount of software gives absolute security against a professional effort. At some point, perhaps already, such an attempt will attract automatic attention, and a higher level of scrutiny. The system will iterate until you are totally observed, or deemed worthy of a real live personal visit.

As an intermediate step the observers will simply make it a felony to withhold a password, or any other information deemed necessary to protect the innocent. I believe this is already true in Britain, and other less enlightened societies.

There is also the exit node problem. You may be ready for the rack and clamps, but there is somebody on the other end who just may not care about your ass as much as you do.

Besides, how can they keep us safe if they don't know everything we do?

 

Re: PS MODERATOR, POSTERS

PS MODERATOR: Occasionally posts are deemed too 'political' for this board and deleted. Your field, your rules, no problem.

However, putting things in perspective of the Big Changes that are happening so fast could be extremely valuable. Is there, or can there be a place on Wilders that Forbidden Threads could be shifted, as occasionally happens with other topics?

PS POSTERS: Their field, their rules, no problem. Anybody like this idea or know of an alternative site?

 

Re: PS MODERATOR, POSTERS

There's pretty much no way of knowing from day to day when a thread will get killed for being "political". It seems incredibly random.

You're right though that if somebody really wants to know who you are enough and conduct surveillance, there's really nothing you can do. I think also that not many think about the fact that going to extra lengths to avoid surveillance simply makes you stand out more.

 

@Mman79: Having humans (other than NSA/DHS/government personnel) in the loop is required for checks/balances. Otherwise, this may/will be not just an expanded warrantless surveillance system but *also* a warrantless control system. Which won't just be operating at the country's borders! That the NSA/DHS will be using signatures to identify traffic of interest seems clear. What are the verbs though? I can think of various ones which could be used to collect, analyze, and optionally forward information to the NSA/DHS. We see evidence of BLOCK support. I'd bet on REDIRECT support as well, and probably one or more related to injecting/modifying/forging traffic.

@Taliscicero: Humans often become interested in things, and do things, for less than very personally practical reasons. Ever help a stranger just to help them? Ever volunteer or make a donation where the beneficiaries were others and the cause was something that you simply thought important? I'm sure you have. I'm aware of no one here being a threat to the USA or its infrastructure, so I can sort of understand the "doesn't affect us therefore we need not concern ourselves with it" POV. However, we're basically just guessing about the system's characteristics and we have no way to be sure of what it will become and how it will be used.

Americans, particularly adults, have accounts and share information with utility companies, tech companies, communications companies, transportation companies, financial companies, etc that may end up under the umbrella of critical infrastructure. We don't know to what degree these "infrastructure companies" will be opening all that information up to the "small group of telecommunication companies and cyber security providers" (supernodes for short in my earlier comment) and by extension the NSA/DHS. Needless to say, many non-Americans also interact with American companies that might fall into the "critical infrastructure" category.

 

Wind, we're already operating under a warrant-less control system because we operate under a warrant-less surveillance system. Checks and balances doesn't have to mean a group of people sitting there thinking "Gee, this isn't really right, we shouldn't spy on everybody unless they are a real threat". Again, the humans are mostly there to keep the computers from fouling up and to look at the flagged data.

The fact that they are keeping this blanket, warrant-less surveillance and the techniques used as secret as Oak Ridge activity was in the 40s should be worrisome enough, whether humans are involved or not. The surveillance techniques and internet surveillance itself isn't the bad part, that's just adapting to the world as it is. The bad part is that it's conducted on the population "just in case", and checks and balances are pretty much removed or severely weakened simply because no warrants are needed. The people that argue back and forth all day about hiding from it all, and what tools can do what are missing the entire point. Which is why threads like this are nearly impossible to have because the moment you start talking about the real issue, the Wilders police swoop in and shut it down.