by grownseed 3527 days ago
> "[...] he has demonstrated absolutely no interest in protecting it"

> "The filing described Mr. Martin as computer genius who easily outsmarted government efforts to protect secrets and said he possessed an advanced understanding of how to encrypt messages and hide information in cyberspace."

This doesn't really make sense and the wording also hints at sensationalism. It reads like a classic case of deflection, making the accused appear considerably more powerful than he actually is.

This, to me, shows a few things:

- the NSA clearly has no clue who accesses "their" data, when, or how

- the NSA will throw anybody under the bus to save face

- the NSA, to this date, still refuse to put their own inadequacy in the balance and traded their integrity for the power to sustain the organization itself at the cost of everything else (including their original purpose)

Why on earth is this organization still allowed to operate at all?


It's hard to give a concise response to a comment going in so many different directions at once, but I'll take a whack at it:

* Should NSA be broken up? I think so. It's a mainstream policy idea. NSA has two conflicting missions --- IAD and SIGINT --- three, if you want to count pure research separately. Splitting up NSA would solve some conflict of interest problems, but would also add the practical benefit of minimizing the number of people who might end up with access to documents like this guy collected.

* Does that mean NSA is lying about the Martin case? No. They could be, but I would not put money on that. Prosecutors definitely shade facts to make their cases sound stronger. But it's less likely that in an extremely high profile federal prosecution like this one, they're going to entirely make things up. With Martin, we're talking about a case where someone hoarded extremely classified documents about ongoing operations against "known enemies of the US" (that's a term that probably has pretty specific meaning). He left them lying in his car. On the back of the printouts were handwritten explanations of tradecraft and terms of art.

If I had to guess, the most likely outcome here is going to be that we are talking about someone with very serious mental health issues who NSA had no business putting within 1000 miles of the information he managed to hoard in his house.

One of the biggest beefs I have with how Americans deal with the NSA is that they're cool with them spying on EU citizens. As long as it's not domestic, you guys are cool with it. It's as if when you are not an American, you have no right to basic human rights like privacy according to Americans. Add to that they even did stuff like tap Merkel's phone.. spying on your allies is a serious faux-pas and wtf all rolled into one.

One of the biggest beefs I have with Europeans who take issue at NSA spying on the EU is the misconception they have that their own spy agencies aren't doing the same thing to everyone else: us, Russia, China, and other states in the EU.

More annoying about this argument though is the fact that the leaders of the most powerful EU states, regardless of what they may say to their own citizens, demonstrably benefit from and invite NSA spying. The German BND, for instance, spied on Austria in collaboration with the NSA --- got caught doing so just last year. It's easy for EU SIGINT agencies to get away with this stuff, because they can launder the unpopular spying they want to do through NSA in private while "blaming" them in public.

If we want to have a world without spying, we should be honest about it. More honest than the conversation is today.

But we should also be careful what we wish for. The prevailing sentiment on HN is that NSA is more or less spying on behalf of Disney's copyright enforcement corps and the Moral Majority. But a lot of the reason we conduct foreign surveillance is to avoid large scale armed conflict. To allow us to head conflict off surgically, and to prevent intractable problems (for instance: unchecked proliferation of nuclear arms to countries that we'd have to invade to keep them from deploying).

I have real, bigly problems with NSA and think it needs drastic reform and completely restructured oversight. But I'm not in the (very large) faction that believes surveillance to be intrinsically evil. I personally feel fortunate to have made it out of the 1970s without disintegrating in a nuclear barrage. That threat is not gone; it is far more realistic than evil AI.

> But I'm not in the (very large) faction that believes surveillance to be intrinsically evil.

I don't think anybody on HN had that impression.

> I personally feel fortunate to have made it out of the 1970s without disintegrating in a nuclear barrage. That threat is not gone; it is far more realistic than evil AI.

So, essentially you're scared and that's why you are ok with surveillance. What I don't get is why you feel that all this surveillance is helping to keep you safe from nuclear barrage?

Personally I'm against mass surveillance of any kind, it is against our collective human rights (which does not stop at the border of the US or any other country), also I'm by extension against any kind of surveillance of the private individuals of any other country by intelligence operatives of my country.

Finally, 'Europeans' and 'Americans' are not entities that you can compare directly, Europeans are typically the citizens of some country and those countries have very different capabilities when it comes to surveillance and usually a very different role on the world stage. You can't compare the intelligence services of say Greece, Germany, Finland, the UK and Slovenia with respect to their capability and you really can't compare their role in Europe as an entity and in the world at large. States are not countries, the USA is a continent sized country with an extremely large federal budget when it comes to things like mass surveillance, military (aka 'defense', but it hasn't been used for that purpose in ages) and so on.

Finally, the reason that you'll find a lot of Europeans taking issue with any kind of spying on allies (also by their own intelligence services, which are most likely just as unhinged as the US ones) is that it isn't all that long ago that there was a large chunk of what is now the EU under the boot of an army of occupation, and that this was kept that way to a large extent by mass surveillance of the citizenry.

I sincerely hope you'll never be given a reason to regret your stance on being 'ok' with mass surveillance, but if you do end up regretting it don't be surprised by any lack of sympathy from my end, of all the people that I know that support this stance you are probably the only one where I will never understand why your position is the way it is.

You've moved the goalposts, perhaps without realizing it. I'm OK with signals intelligence. I'm not OK with "mass surveillance" in the sense that you probably mean it --- a giant data warehouse in Utah storing and indexing everybody's email.

The comment to which I replied talked about tapping Angela Merkel's phones. If monitoring Werner Faymann's phone calls prevents a war, I'm fine with that --- as, apparently, is Angela Merkel.

Meanwhile, for those of us concerned about dragnet surveillance, the answer is to replace the janky 80s protocols we use to send and receive electronic communications with modern encrypted alternatives.

> I'm OK with signals intelligence. I'm not OK with "mass surveillance" in the sense that you probably mean it --- a giant data warehouse in Utah storing and indexing everybody's email.

They are to all intents and purposes equivalent; it is pointless to be 'for' signals intelligence but 'against' a giant data warehouse in Utah storing and indexing everybody's email, the one results in the other.

Besides email being only a very small part of the picture, 'metadata' in the form of who-calls-who, when and how frequently is gold and there is no amount of encryption that will protect you from that data being captured and stored.

In many cases the difference between dragnet surveillance and signals intelligence is as small as whether or not someone (not something) has looked at the data stored.

And that giant data warehouse with all that email exists, it's just that there are three of them right now, one run by Google, one run by Microsoft and another by Yahoo regardless of what intelligence agencies are trying to accomplish in less direct ways. Other email servers are probably so lightly protected in comparison to those you may as well consider them compromised.

Finally, I can think of several simple ways in which even encryption isn't going to make much difference in collecting that data regardless of what is happening on the wire, and I'm sure you can too.

On the whole, the trend seems to be to store more data for longer times on an increasingly larger slice of the world population, some call that 'signals intelligence' when it suits them, others call it dragnet surveillance because that is what it is.

We're talking about: email, web surfing behavior, mobile text messages, location information and so on.

Whether Merkel is ok with having someone else's phone tapped while probably disagreeing with whether or not her own phone is tapped I'm against phone taps without warrants by the country where people reside, foreign entities should simply respect the law of the land and go through the proper channels. That way we don't have to deal with another 'Belgacom' (oh, sorry, Proximus).

It doesn't matter whether you call it signals intelligence or mass surveillance, the key is that it is warrantless surveillance, and that it is usually not your own country doing it.

> Meanwhile, for those of us concerned about dragnet surveillance, the answer is to replace the janky 80s protocols we use to send and receive electronic communications with modern encrypted alternatives.

That's going to make a relatively small impact, it will simply raise the bar for the various agencies to attack the network infrastructure and servers of the more interesting choke points as well as the originating endpoints (consumer computers) a little harder. The only thing that will really stop that is to make it illegal in some treaty. (Not that that will ever happen, but it would be a nice change.)

I'm not sure why you believe monitoring Werner Faymann's phone would prevent a war or why it prevented one. Wikipedia has him currently working at the United Nations, what are you getting at here?

Do you think if any European ally of the US was caught out spying on Barack O.'s phone that the head of that agency would keep their job?

What about if they were caught out because they can't control contractors?

Who has been fired at the NSA after a series of total WTFs? Regardless if you think they do god's work or are in league with the devil, incompetence giving America a black eye ought to be something that has consequences. Apparently it doesn't.

Ptacek... sounds Czech more than any other Slavic language (means small bird). If you went through 40 years of communist oppression like Czech people went through, you would have a VERY different stance on these topics.

I'm Slovak and Irish. Which is another way of saying I'm from Chicago.

> The prevailing sentiment on HN is that NSA is more or less spying on behalf of Disney's copyright enforcement corps and the Moral Majority.

I'd leave out the moral part. It's too easy to spy on foreign execs, act on insider knowledge and fund political agendas. That's what I would do which is why I'm sure it happens. Accountability determines how rational people act. When we give total secrecy and no accountability to a portion of the population they tend to act.. a certain way.

> But I'm not in the (very large) faction that believes surveillance to be intrinsically evil

No one here would ever accuse you of such. But the phrasing lacks specificity. This isn't surveillance by the 7-11 Inc. where daily slurpies are purchased but rather surveillance by a multi trillion-dollar agency with a mandate outside of the public's knowledge or approval. There isn't anything a bit.. spooky about that?

> One of the biggest beefs I have with Europeans who take issue at NSA spying on the EU is the misconception they have that their own spy agencies aren't doing the same thing to everyone else: us, Russia, China, and other states in the EU.

I've never heard of a fellow European claiming this, but I also think that discussions of such issues should be based on evidence rather than speculation and general paranoia.

NSA and GCHQ were unlucky, because such evidence emerged. So they can rightly be criticized on the basis of published evidence about their spy programs.

Speculating about what intelligence agencies do without any evidence and knowledge at all, on the other hand, is quite pointless.

"One of the biggest beefs I have with Europeans who take issue at NSA spying on the EU is the misconception they have that their own spy agencies aren't doing the same thing to everyone else: us, Russia, China, and other states in the EU."

Same thing I kept telling them on Schneier's blog, etc. They sure aren't building those spy buildings as art projects. The worst part is that info on who's involved in spying agreements, even who's in "no-spy" agreements, is so public we have much of it in one Wikipedia article.

https://en.wikipedia.org/wiki/Five_Eyes

Then there's the espionage documents talking about all the cases where foreign countries were spying on us. Then there's the Snowden files showing that basically every European country was partnered with NSA spying on who knows who (probably Europeans) with exceptions being Iceland, Switzerland, and maybe one other country (don't recall).

A teacher of mine used to say that people often point a finger at others but are pointing at least three back at themselves as they do so. Europeans are doing it with both hands.

> misconception they have that their own spy agencies aren't doing the same thing to everyone else

Never heard anybody claiming that.

> demonstrably benefit from and invite NSA spying

Citation needed.

> we conduct foreign surveillance is to avoid large scale armed conflict

Building the most powerful surveillance system is no different than creating the largest army. It escalates conflict worldwide.

Why is spying on your own citizens bad, then? What magical qualities does a person obtain through US citizenship that make him/her harmless to the USA?

If you justify spying by scary things you need to show why people you agree not to spy on are not scary.

Because there is no probability that we are going to end up in large scale armed conflict with our own citizens. Ask a simple question, get a simple answer.

Why? What if some of them are spying for a foreign power or prepare sabotage or are paid up by foreign powers to incite political unrest or, God forbid, political change that might end up in unilateral nuclear disarmament that might end up with destruction of the USA with nuclear weapons?

The fact is you can imagine a scary enough scenario to justify one thing but can't imagine another scenario to justify another. Thing is, ultimately you need to act on some principle, and the current principle in the USA is: US citizens have a right to privacy, other people have no right to privacy.

This is a silly rule because it creates places like the current NSA. If it wasn't ok to spy on foreign citizens there'd be no NSA, and if it was ok to spy on everybody then NSA would have way more oversight.

When you believe that you're exceptional, that you're God's most special creation, the privacy and rights of others is not something you lose sleep over.

In Air France first class there are microphones in the seats, to record the conversations of any businessmen travelling to France.

> If I had to guess, the most likely outcome here is going to be that we are talking about someone with very serious mental health issues who NSA had no business putting within 1000 miles of the information he managed to hoard in his house.

I agree with you.

That said, this statement is at odds with your statement in regards to lying.

> The filing described Mr. Martin as computer genius who easily outsmarted government efforts to protect secrets and said he possessed an advanced understanding of how to encrypt messages and hide information in cyberspace.

They are certainly lying in terms of how capable he was with the "genius" implications.

The simple truth is NSA internal security is fucking terrible as we are shown time and again that lone wolves are easily able to do this if they so choose. Snowden isn't some magical computer genius of exceptional ability either. He honestly comes across as more of an above-average (but not 1 in 100) IT guy.

I'm willing to bet Martin is "above average" but, once again, not a computer genius mastermind capable of outsmarting competent security practices. It is simply the NSA is not competent at implementing such practices when it comes to internal actors.

I agree with you that NSA security appears to be a total clusterfuck and that this is an instance where Walter Peck is fully justified in coming in and shutting down the Ghost Containment Unit.

A lot of people that know more about this stuff than I do disagree pretty forcefully. Dan Guido on Twitter just reminded me that Martin was specifically read into extremely sensitive programs at NSA; he was one of just a few hundred people with this access.

The court filing is pretty damning. For instance, there's the email he had prepared to send his team in 2007, noting that "they" are "inside the perimeter" and threatening to bring his coworkers "into the light". The emails, the hoarding, the guns, the weird handwritten notes... this looks extremely bad. Keep in mind that he could have been trying to do some terribly stupid things.

> > The filing described Mr. Martin as computer genius who easily outsmarted government efforts to protect secrets and said he possessed an advanced understanding of how to encrypt messages and hide information in cyberspace.

> They are certainly lying in terms of how capable he was with the "genius" implications.

Yes. It's hard to wrap my head around the characterization of him being a genius at cybersecurity, but he's leaving materials obviously marked "top secret" sitting around in his car. It seems a little convenient, almost like a movie plot.

If this guy had decent opsec at all, he would not have been caught with any detectable materials in his house or car; a raid of his house would have uncovered nothing without his cooperation.

Perhaps they had been tracking him for a while and this was a sting that launched at a particular time. Otherwise, I don't understand why he'd have any printed materials in his car, much less with tradecraft instructions on them! Sheesh.

Why would you ever have printed materials with you with secrets on them? Transmit the information digitally protected by encryption. If a skilled operator needed to recover information on printed documents, then I would expect them to expeditiously scan them and destroy them, not keep them sitting around in a car unattended.

The story does make a bit more sense interpreted through the lens of him being a hoarder with not particularly good opsec. Either that or he's a sloppy spy that they've been tracking for some time, and chose to execute a sting at the right time when he was undertaking vulnerable activities like transporting material or preparing for a drop.

But, the idea that this was a sting does not resonate with the fact that they did not arrest him while serving the search warrant on his house. ... unless they deliberately left him free while observing him, in the hopes of discovering how he contacts his handlers. </speculation>

This is another example of attribution error. People who work in TAO aren't super-spies. They're people with access to a lot of weird random exploits and with very peculiar collections of very deep knowledge into things like the operating systems of Chinese Internet gateway routers and the DLL offsets of whatever versions of Windows Russia is still using.

> "Snowden isn't some magical computer genius of exceptional ability either"

Yeah, his main "hack" was social engineering - convincing others to give him their credentials for various made up IT work.

It's a little late now, but I'm truly curious why people downvoted this, because it is literally how he gathered large swaths of the data he stole.

That's still "hacking". NSA apologists have to be careful when scoffing at the exploits of their various rogue employees: if it was so easy, one really must assume that agents of China, Russia, etc. have done it too.

While I agree with your overall summary, I find it odd that you skip the issue of whether he had special access/ability or is just one contractor among a group of essentially all NSA employees and contractors given access to a library of all of this information (as stated in a previous article.)

Given the NSA's general behavior and the nature of the Snowden leak in comparison to Manning's, I believe it is more credible that they have virtually everything at a single (and lowest) clearance and compartment, so this:

> If I had to guess, the most likely outcome here is going to be that we are talking about someone with very serious mental health issues who NSA had no business putting within 1000 miles of the information he managed to hoard in his house.

Is simultaneously true and a deflection from how incredibly inevitable this was and how incredibly incompetent they are as an institution. I am all for splitting their capabilities across existing agencies where it makes sense and cancelling programs altogether where it doesn't.

I simultaneously agree with the premise that NSA is secured incompetently and also disagree with the idea that everything is at a single lowest clearance level, which is the opposite of how things have been described to me by people who worked there.

My impression is that they have the NIH and refuse to use standard LSPP in favor of FLASK. They take this so far that they accept no feedback from the SELinux community. While they may have analyzed all the great reasons not to use every competitor, they probably lack oversight and critical evaluation of the EOU problems that causes, leading to less practical security than those using off the shelf software with proper oversight.

Three missions even, if you count offensive operations, as our laws do.

They just have two:

1. SIGINT. Collect intelligence anywhere from anyone overseas using electronic communications. This includes offensive hacking and black bag jobs they do via other groups.

2. Information Assurance. The only real requirement I've seen is that they protect COMSEC of DOD and defense contractors. There's less requirements saying they protect computer security. I'm not sure they're even required to protect government as a whole. They have no mandate that I've seen to protect Americans. They even make it illegal for Americans to obtain Type 1, TEMPEST-certified, etc products that they recommend to Defense organizations.

So, those are the jobs. I'm with Schneier and others on splitting them into two. I'd also expand IAD's mission to cover recommendations for mass market and overall government. For now, NSA has no requirement to protect our computer systems. Hard to say if they even have to protect Defense systems vs COMSEC since other laws paid for by lobbyists say DOD must try to buy COTS stuff that's almost all insecure. Can't mandate buying insecure stuff from nefarious companies plus expect strong security simultaneously. I think it's a legal, grey area they're exploiting for maximal SIGINT.

Not sure why this is a reply to me, since it also forgets Cyber command, which I was pointing out.

That's a military command with lots of military units that reports to Strategic Command. NSA sort of administers it even though it's not really theirs. Even if we count them as NSA, that would fall under SIGINT in my division of their activities. It would still be SIGINT rather than IAD doing that stuff. So, splitting off IAD wouldn't affect the analysis whether it's NSA's teams doing SIGINT or NSA + STRATCOM's sub-commands doing it with NSA SIGINT personnel.

The premise of this sub thread is that cybercom and NSA proper have fundamentally different missions, in part because they are governed by fundamentally different legal frameworks, and it should therefore also be split from NSA proper. It was not an argument that IAD should not also be split off.

You mean Cyber Command, right?

Yes.

> "Should NSA be broken up?"

From the reading I have done it sounds as though IAD and SIGINT aren't very close. So much so that there's push by some within the agency to connect them. This recent'ish article talks about it:

https://blog.immixgroup.com/2016/04/21/nsa-reorg-vendor-oppo...

I agree that they have very different and conflicting objectives but it sounds as though this might already create somewhat of a walled garden between at least two of the three.

But when you hear stories about critical US infrastructure being broken into you have to wonder why aren't these agencies working more closely. You have one agency that specializes in offense and the other defense. Some amount of the offensive should be to help some of the US defenses no?

Unable to read the full article, but...

>> easily outsmarted government efforts to protect secrets

But we've all seen government websites that stored and enforced passwords in plaintext JavaScript.

>> possessed an advanced understanding of how to encrypt messages

So adding this, we now might just be talking about a guy who can 'View Source' in his browser, and use GPG.

Presented like a cybernetic superspy, but might just be a dude with an IT degree.

> Why on earth is this organization still allowed to operate at all?

If you look weak on "National Security" you lose your next election campaign the vast majority of the time.

That is really the entirety of the reason and it's frightening how disconnected our election process is from the reality of the results they produce.

The more important question to me is how the other government agencies compare to the NSA. I have no reason to suspect that the NSA is below average; everything I have seen suggests that they are probably better than HHS, HUD, etc. and this is very troubling to me.

They are much better than the civilian agencies.

The leaders have determined that the value they bring outweighs the liability they are.