[Shaddim]

Originally Posted by ghporter 

Orwell's Thought Police were watching individuals for their actions, not looking at what is essentially aggregated data for trends and patterns. Big Brother was there to control everything about everyone. Watching for indications that a random phone number is connecting to some other number that isn't so random in some perceptible pattern is hardly Big Brotherish.

I don't trust that the gov't is limiting themselves. I'm expecting the worst, given what history has taught us.

[subego]

Fittingly, a guy named Hoover comes to mind.

[subego]

Originally Posted by subego 

Steve Gibson of Security Now seems to think PRISM works by sitting right at the I/O of Google, Facebook, etc. and sucking everything up.

So, they can't tunnel directly in, but they know everything which is happening at that moment, and are saving it. If they see something which bothers them, then they "tunnel in" by subpoena, which they can do because there's a direct chain to the organization from their sniffer.

That's why it's "PRISM". It's splitting off an an exact copy at the source.

I'm quoting myself because this got orphaned on the last page and I think is pertinent info.

[ebuddy]

This is all well and good, but I'm more interested in what Jon Stewart thinks.

[subego]

I just wanted to add, Gibson thinks it's a literal prism. The NSA simply installs a beam splitter on the fibre optic cable sitting between a targeted company and their ISP's mega-pipe router.

[ghporter]

Originally Posted by subego 

I just wanted to add, Gibson thinks it's a literal prism. The NSA simply installs a beam splitter on the fibre optic cable sitting between a targeted company and their ISP's mega-pipe router.

Somebody with more fiber experience will probably correct me, but I don't think that exact approach is feasible. Now a two-way fiber repeater, while complex and expensive, is a possibility. In any case, this would be a physical intrusion on all of these networks, which would be physically difficult to do, easy to spot if someone looked in the right place, and would have a substantial lead time problem if a new observation target were selected. Not saying that all of what has been said is wrong, but that it would be clunky and slow to implement, while some other, "out of the Internet ether" method would have none of those problems.

[subego]

Here's my ultra-laymans notion of what's going on. I'll use Google, but it could apply to any important company which functions as a social information "node". Apple, Facebook, whoever.

Giant Google server complexes need to hook into the Internet, so Google buys a giant-size pipe to a Tier-1 provider. My understanding is Google is buddy-buddy with Level 3 Communications.

In the most basic terms, there's a room at the Google server complex which has either some insane Lovecraftian router which can handle all that bandwidth, or a bunch of routers, I'm not exactly sure how that works. This room of router(s) has a fiber optic link to an analogous room at Level 3, which Level 3 then connects to the backbone.

The NSA drops a National Security Letter on Level 3. Now Level 3 is gagged, so they can't tell Google what's about to happen.

The NSA puts a splitter on every cable coming into that room at Level 3 from Google. The only physical result of this is you cut the signal strength in half.

Now even as a layman, I can fix that problem outbound from Level 3. Double the output from the router. Inbound I'm assuming is more tricky, but remember they have different needs there. It's okay for Level 3 to know they're getting a weak signal since they're gagged, as long as they can rig it so they aren't dropping packets from their client (Google) there is absolutely no way for Google to know any of this is happening.

Now, the NSA has a copy of everything going in and out of that complex.

I agree that needs physical intrusion, and this would just happen to be something we have explicit knowledge of the NSA doing to Tier-1 providers.

I'm not sure what you mean about the lead time problem. Giant server complexes have giant lead times.

[subego]

I'll fully admit my fiber experience are those 80's sea anemone looking things and that someone here once claimed you can weld it.

[Shaddim]

Why 'I Have Nothing to Hide' Is the Wrong Way to Think About Surveillance | Wired Opinion | Wired.com

1. There are so many laws on the books that it's impossible for the average person to know whether they are in compliance with all of them.
2. "If everyone’s every action were being monitored, and everyone technically violates some obscure law at some time, then punishment becomes purely selective".

[ebuddy]

Originally Posted by subego 

Here's my ultra-laymans notion of what's going on. I'll use Google, but it could apply to any important company which functions as a social information "node". Apple, Facebook, whoever.

Giant Google server complexes need to hook into the Internet, so Google buys a giant-size pipe to a Tier-1 provider. My understanding is Google is buddy-buddy with Level 3 Communications.

In the most basic terms, there's a room at the Google server complex which has either some insane Lovecraftian router which can handle all that bandwidth, or a bunch of routers, I'm not exactly sure how that works. This room of router(s) has a fiber optic link to an analogous room at Level 3, which Level 3 then connects to the backbone.

The NSA drops a National Security Letter on Level 3. Now Level 3 is gagged, so they can't tell Google what's about to happen.

The NSA puts a splitter on every cable coming into that room at Level 3 from Google. The only physical result of this is you cut the signal strength in half.

Now even as a layman, I can fix that problem outbound from Level 3. Double the output from the router. Inbound I'm assuming is more tricky, but remember they have different needs there. It's okay for Level 3 to know they're getting a weak signal since they're gagged, as long as they can rig it so they aren't dropping packets from their client (Google) there is absolutely no way for Google to know any of this is happening.

Now, the NSA has a copy of everything going in and out of that complex.

I agree that needs physical intrusion, and this would just happen to be something we have explicit knowledge of the NSA doing to Tier-1 providers.

I'm not sure what you mean about the lead time problem. Giant server complexes have giant lead times.

As I understand it, the government does not have direct access to the call records databases of various providers as the call records databases are already maintained by the provider and are merely handed over to the NSA. IP traffic can be picked up through WDMs or splitters / mux and demux on either ends of the "points of presence". With the provider's consent, this equipment is installed in a short amount of time, equates to a mere 50ms switch-hit to redundant networks at the time of installation, and rolls with very little maintenance from then onward. i.e. Large providers like AT&T are performing major backbone maintenances every day; throwing a split in the optics at their POPs, in Carrier Hotels, or even on either end of a metro ring are nothing odd, extraordinary, or intrusive as they occur nationwide on some span of the backbone dozens of times a day. It could be for a new customer or business park turn-up or under the guise of a turn-up and few would be the wiser. In fact, much of this activity could be administered at the State level quietly under Federal mandate for all I know.

[subego]

Just to make sure I'm getting you, you're basically saying these splitters are a common piece of equipment, the routers are designed to handle techno-voodoo of having a split inserted in the chain, one can be put in with the only indication to the target being a 1/20th of a second pause on a line they have failover on, and this kind of bump happens all the time for legit reasons?

[Chongo]

Originally Posted by Shaddim 

Why 'I Have Nothing to Hide' Is the Wrong Way to Think About Surveillance | Wired Opinion | Wired.com

1. There are so many laws on the books that it's impossible for the average person to know whether they are in compliance with all of them.
2. "If everyone’s every action were being monitored, and everyone technically violates some obscure law at some time, then punishment becomes purely selective".

The traffic laws are written the same way. That way the cops can pull you over for a "mechanical violation" Once they do, anything is possible.

[Shaddim]

Originally Posted by Chongo 

The traffic laws are written the same way. That way the cops can pull you over for a "mechanical violation" Once they do, anything is possible.

Yep, if an officer digs long enough he'll find something. That's on purpose.

<--- cop

[ebuddy]

Originally Posted by subego 

Just to make sure I'm getting you, you're basically saying these splitters are a common piece of equipment, the routers are designed to handle techno-voodoo of having a split inserted in the chain, one can be put in with the only indication to the target being a 1/20th of a second pause on a line they have failover on, and this kind of bump happens all the time for legit reasons?

In a nutshell, yup. Any time you're installing a new node or customer box, you're cutting into a smaller metro ring to do it which causes switch-hits to those around that span. Some may witness a slightly slower than normal connection upon a single click on a web page, that's about it. VPN connections may drop and you'd have to reconnect. Core router maintenance, port moves, grooming, new turn-ups, fiber relocates around road projects, and the like are extremely common occurrences on a backbone and cause minimal interruption to traffic by design. As everyone is expanding the capacity of their networks, this sort of thing goes on multiple times a day over many carriers.

[mattyb]

Originally Posted by ebuddy 

As I understand it, the government does not have direct access to the call records databases of various providers as the call records databases are already maintained by the provider and are merely handed over to the NSA. IP traffic can be picked up through WDMs or splitters / mux and demux on either ends of the "points of presence". With the provider's consent, this equipment is installed in a short amount of time, equates to a mere 50ms switch-hit to redundant networks at the time of installation, and rolls with very little maintenance from then onward. i.e. Large providers like AT&T are performing major backbone maintenances every day; throwing a split in the optics at their POPs, in Carrier Hotels, or even on either end of a metro ring are nothing odd, extraordinary, or intrusive as they occur nationwide on some span of the backbone dozens of times a day. It could be for a new customer or business park turn-up or under the guise of a turn-up and few would be the wiser. In fact, much of this activity could be administered at the State level quietly under Federal mandate for all I know.

Originally Posted by ebuddy 

In a nutshell, yup. Any time you're installing a new node or customer box, you're cutting into a smaller metro ring to do it which causes switch-hits to those around that span. Some may witness a slightly slower than normal connection upon a single click on a web page, that's about it. VPN connections may drop and you'd have to reconnect. Core router maintenance, port moves, grooming, new turn-ups, fiber relocates around road projects, and the like are extremely common occurrences on a backbone and cause minimal interruption to traffic by design. As everyone is expanding the capacity of their networks, this sort of thing goes on multiple times a day over many carriers.

Educate me why mobile phone calls would be going over any of this infrastructure.

[subego]

In the example I gave with Google? There aren't calls going over that network, unless Google is using VoIP.

The NSA is running two separate operations which were leaked back-to-back, hence the confusion.

The first program involves the telephone companies handing over all their telephone metadata. There's no networking voodoo going on with that. As ebuddy said, the NSA/CIA/FBI/WHATEVS asks the FISA court for a warrant, the court rubber stamps it, and some intern drives over and gets the information from them.

The second program (PRISM) is the bulk of what ebuddy is talking about. This program puts a tap on all Internet traffic going into or out of a target. Targets in this instance being the big IT players. Google/Apple/Facebook/Whatevs.

[subego]

And, thanks for the info ebuddy.

[subego]

Originally Posted by Shaddim 

Yep, if an officer digs long enough he'll find something. That's on purpose.

<--- cop

Wait... you're a cop?

[ebuddy]

Originally Posted by subego 

And, thanks for the info ebuddy.

NP

[Snow-i]

Originally Posted by mattyb 

Educate me why mobile phone calls would be going over any of this infrastructure.

Pretty sure ebuddy is talking about PRISM. Not the phone record dragnet. Then again, VOIP calls via skype or similar would be fair game.

[Shaddim]

Originally Posted by subego 

Wait... you're a cop?

I've been a reserve county deputy for years. It's how I can walk into a school or gov't building armed and not get killed.

[subego]

Well, shit...

Since you haven't used your cop powers to find the mole, that pretty much means you're the mole.

[Shaddim]

Originally Posted by subego 

Well, shit...

Since you haven't used your cop powers to find the mole, that pretty much means you're the mole.

Not following you. There's an NSA mole?

[subego]

Ha!

That's exactly what I'd expect the mole to say.

[Snow-i]

[Shaddim]

Wise man, we'll all sit in rapt anticipation for his resignation.

[OAW]

Originally Posted by Snow-i 

The point again is that this is NOT "warrant-less surveillance". If you wish to be critical that's fine. But don't misrepresent what's happening.

OAW

[ebuddy]

Originally Posted by OAW 

The point again is that this is NOT "warrant-less surveillance". If you wish to be critical that's fine. But don't misrepresent what's happening.

OAW

It's the same program Obama was criticizing in that quote of his from 2008. Either it's warrantless or it's not, right? Otherwise, the cronies of this administration have shown a remarkable ability to judge-shop.

[mattyb]

Originally Posted by ebuddy 

Otherwise, the cronies of ANY administration have shown a remarkable ability to judge-shop.

Fixed that for you.

[ebuddy]

Originally Posted by mattyb 

Otherwise, the cronies of ANY administration have shown a remarkable ability to judge-shop.

Is this the Hope and Change you voted for? Again?

You're right though, the real problem here is how inept and sloppy this administration is at the abuses game.

[Shaddim]

"Hope and Change" means, "Bush did it too!"

Not a lot of change there, and only the most gullible have any hope left.

[OAW]

ebuddy,

During the Bush Administration they didn't even bother with the FISA court. It was all done by Executive Order. Congressional Oversight was essentially non-existent. Under the Obama Administration (or technically since Jan. 2008) the NSA has to go through the FISA court again and Congress has explicitly authorized these activities and oversees them via the intelligence committees. So again, if one wants to criticize the underlying activities that's fine. But under the Obama Administration all of these activities have been sanctioned by all three branches of the federal government. Whereas under the Bush Administration that was simply not the case.

OAW

[mattyb]

Originally Posted by ebuddy 

Is this the Hope and Change you voted for? Again?

You're right though, the real problem here is how inept and sloppy this administration is at the abuses game.

Originally Posted by Shaddim 

"Hope and Change" means, "Bush did it too!"

Not a lot of change there, and only the most gullible have any hope left.

The only change was the political party. Politicians are still politicians, right, left, middle. They care about one thing only : getting re-elected.

[subego]

Originally Posted by OAW 

ebuddy,

During the Bush Administration they didn't even bother with the FISA court. It was all done by Executive Order. Congressional Oversight was essentially non-existent. Under the Obama Administration (or technically since Jan. 2008) the NSA has to go through the FISA court again and Congress has explicitly authorized these activities and oversees them via the intelligence committees. So again, if one wants to criticize the underlying activities that's fine. But under the Obama Administration all of these activities have been sanctioned by all three branches of the federal government. Whereas under the Bush Administration that was simply not the case.

OAW

It's not that simple. The laws changed in the interim, in part because Senator Obama voted for a bill he promised he would filibuster on the campaign trail.

[ghporter]

I think it's important to note that the president has access to "a little bit more" information about various bits of national security aparatus than the junior senator from Illinois did. It sort of changes one's perspective when they find out that what they thought they knew about something turns out to be quite wrong.

This is particularly true in this context, since Snowden apparently has drawn conclusions about the whys and wherefores of the programs he publicized without knowing more about them than what data they were supposed to be collecting. Smart guy or not, without "the big picture," he was unable to evaluate the programs accurately, and he was certainly not in a position to see that big picture.

[subego]

The "if you knew what I knew, you'd agree" argument doesn't fly, nor should it.

[subego]

Let's get down to brass tacks.

How many lives need to be saved per year for it to be worthwhile to allow the government to hoover-up all electronic communications?

By what mechanism would "knowing seekrits the President does" make you change that number.

[subego]

I also want to add letting the government spy on you isn't fighting terrorism.

Fighting terrorism is not letting the fact you may take one for the team make you go crying to the government to install a baby monitor on you.

[ebuddy]

Originally Posted by OAW 

ebuddy,

During the Bush Administration they didn't even bother with the FISA court. It was all done by Executive Order. Congressional Oversight was essentially non-existent.

At the time the executive order was implemented, the surveillance required that one end of the conversation be outside the US and the practice was ceased in 2007 at which time it was handed over to FISA. (although it should be noted that Congressional approval was sought and granted in 2004. The issue at odds was the fact that the program had been implemented quietly to that point through executive order.) The FISA requirements were eased up by Congressional Act in 2008 and in January 2009 Obama took office...

Under the Obama Administration (or technically since Jan. 2008) the NSA has to go through the FISA court again and Congress has explicitly authorized these activities and oversees them via the intelligence committees. So again, if one wants to criticize the underlying activities that's fine. But under the Obama Administration all of these activities have been sanctioned by all three branches of the federal government. Whereas under the Bush Administration that was simply not the case.
OAW

In April of 2009, a report surfaced through several whistleblowers and reported by the New York Times that the NSA intercepted private e-mail messages and phone calls of Americans in recent months on a scale that went beyond the broad legal limits established by Congress last year (which would have been the Act in 2008 that loosened the FISA guidelines), government officials said in recent interviews. Several intelligence officials as well as lawyers briefed about the matter described the practice as significant and systemic. Which of course includes the fact that one end of the conversation no longer needs to be outside the US. i.e. there had been no sanctioning by all three branches of government. The program was being abused by the NSA under the Obama Administration.

Many of you are correct that this is not a recent phenomena, but it certainly ratcheted up in scope upon Obama taking office and it's only now that its breadth is better understood. While it had been reported early on, too many were still caught up in Obama's first-term honeymoon... and are attempting to equivocate now with BUT BUSH™ -- which as it turns out is really; BUT BUSH ain't seen nothin' yet!

[subego]

Questioning the legality of PRISM, I've heard three big things the administration has to show for this to be legal under FISA.

1) "Acquire" as used in FISA means "look at" as opposed to "obtain".
2) "Target" as used in FISA does not mean the person the data is collected from, but the target of an investigation.
3) "Incidental" to the gathering of foreign intelligence as used in FISA includes communications between Americans in America about recipes for fudge.

[ghporter]

Originally Posted by subego 

The "if you knew what I knew, you'd agree" argument doesn't fly, nor should it.

I agree completely. People in his position should be much more eloquent and able to express the subtleties of being briefed into stuff that Congress members shouldn't see. However, the president is supposed to be in the know on things almost nobody else knows, at least to the extent that he's aware of how we're doing with various ways of defending and protecting Americans. Something like "after significant further study, I find that my previous position on this subject was lacking in several specifics, and today my opinion of this subject is significantly altered" is a lot better than "now that I know more about it, I have changed my mind," and leagues better than just not acknowledging the disparity between past and present situations.

There is an awful lot of history of congresscritters blabbing something or other without thinking and winding up essentially blowing a highly classified program wide open. I think it was Nixon that told a press conference that our electronic warfare folks could identify specific radar sets, not just the locations of the sites but the specific hardware there, by their electronic signatures, allowing us to tailor the countermeasures used in various missions to those sites...the North Vietnamese made immediate hardware changes and U.S. pilots lost their lives because of that.

There is a time and place for transparency with some of the national defense systems we're talking about here. As has been pointed out previously (here and by individuals involved in NSA), being close about how we monitor specific things keeps the people who are being tracked and monitored from knowing how to evade that stuff. Rep Ruppersberge of Maryland said “If you want to find a needle in a haystack, which is a lot of what our intelligence community does, you need the haystack.” If you've ever even thought about how one searches a haystack, you realize that it involves disposing of almost everything, almost out of hand and definitely without examining it more than to see whether or not it is hay or a needle. The same is true about this sort of data; a lot of stuff is just blitzed through because it has nothing to do with what is being looked for, and that means almost no attention is paid to it at all.

[subego]

Whether Snowden has endangered lives is only relevant if the programs he leaked are legal. Whether you agree or not with the conclusion they are illegal, you must certainly agree there's a reasonable argument to be made they're illegal.

The issue I take with you focusing in on the danger, is there's an implicit assumption the program has been determined to be legal, which it most emphatically has not.

If it is found to be legal, then your point is 100% valid.


WRT your point about the needle in the haystack, while you are correct there is a limit to the amount of data you can coherently analyze at a single moment, that limitation is strictly technological. While we could trust the limits of technology to keep us safe, I believe (and would hazard to say you do as well) that would be a horrible method for maintaining boundaries when compared to a law.

As I mentioned before, I've read pre-2008 FISA thoroughly. Like most legislation authorizing surveillance, it calls for a set of "minimization procedures", the purpose of which are quite specifically to limit the government acquiring, or if it does, retaining the information of unconsenting citizens.

Unfortunately, the law gives Eric Holder some wide berth on how to design these procedures. Judging by the information we have now, he's designed them to stretch so far beyond the intent of the law it would be laughable if we weren't talking about the utter, global destruction of privacy.

[subego]

Listening to some enterprise people talk NSA fiber tapping.

I guess the idea is you can just peel away the cladding on a piece of fiber, bend it a little, and poof, you've got enough light coming out to copy it.

It was noted this kind of tap is detectable if you have a reflectometer on one end. There are ones so sensitive they can detect the attenuation caused by someone walking over buried cable.

It was also mentioned that newly-laid, hyper-secure, government fiber has a marine standing over it while the concrete dries.

[subego]

Originally Posted by Shaddim 

I'm going to just assume that publically available encryption is a joke...

I know this was from awhile ago, but I was wondering if you could elaborate.

Do you think open-source crypto has holes, or the NSA has the iron to crack it?

[Shaddim]

Originally Posted by subego 

I know this was from awhile ago, but I was wondering if you could elaborate.

Do you think open-source crypto has holes, or the NSA has the iron to crack it?

I'd say more the latter than the former, the NSA likely has more powerful tools at their disposal than mere mortals.

[subego]

That's absolutely to be assumed, but I imagine what they have can be predicted to some extent. The world's most insane supercomputers are clusters of off-the-shelf equipment. That's probably what the NSA is using.

Mere mortals aren't even close to practically cracking a 1024-bit RSA key. My understanding is it's not merely a question of iron, you're playing with some high-level number theory as well.

Unless the NSA has a stash of quantum computers, I imagine they're a long way away from cracking a 4096-bit key.

[subego]

All that said, seeing as how the NSA protocol appears to be "keep encrypted communication in perpetuity", you have to think of your encryption in terms of how long a particular method will protect you.

When storage wasn't as cheap, you could afford to think in terms of "this data will no longer exist by the time it's crackable".

[Shaddim]

Most folks are running 128-bit encryption online, however.

[subego]

Which is toast. All that will do is slightly discourage amateurs.

[subego]

Originally Posted by subego 

That's absolutely to be assumed, but I imagine what they have can be predicted to some extent. The world's most insane supercomputers are clusters of off-the-shelf equipment. That's probably what the NSA is using.

Mere mortals aren't even close to practically cracking a 1024-bit RSA key. My understanding is it's not merely a question of iron, you're playing with some high-level number theory as well.

Unless the NSA has a stash of quantum computers, I imagine they're a long way away from cracking a 4096-bit key.

Facebook is taking flack for not using 2048-bit keys, and as background some of the (theoretical) data on how cracking a 1024-bit has floated to the top.

Circa 2005, the (custom) hardware for cracking a single 1024-bit key in one year cost $1.1MM. IIUC, it's exponential, so if you put in about $9MM, you can crack a key in under three days.

This was with 90 nm, now we're at 22 nm. What's that now, half to quarter the price for the same performance?

So, if the NSA wants your 1028-bit key, they're taking it.