by apt-get 191 days ago
How relevant is this (and the NSA's general spying capability) in 2025?

We hear a lot about local agencies perusing the services of private companies to collect citizens' data in the US, whether that's traffic information, IoT recordings, buying information from FAANG, etc. What's the NSA's position in the current administration? (e.g. we've heard a lot of noise in the past about the FBI and CIA getting the cold shoulder internally. I wonder how this applies to the NSA.)

3 comments

NSA's collection capabilities have been greatly degraded. They can no longer read all internet traffic; basically everything is encrypted now.

NSA does not have magic tools to break modern encryption.

1) They don't necessarily need to break all encryption; just knowing who is talking to whom and then delivering a tailored payload is their M.O. The Tailored Access Operations division exists just for this.

2) They didn't build a yottabyte-scale datacenter for no reason.

3) They have the capability to compromise certificate authorities. Pinned certs aren't universal.

4) Speculation, but, Snowden's revelations probably set off an "arms race" of sorts for developing this capability. Lots more people started using Tor, VPNs, and more, so it would almost be dereliction of duty on their part if they didn't dramatically increase their capability, because the threats they are there to stop didn't disappear.

5) ML/LLM/AI has been around for a while, machine learning analysis has been mainstream for over a decade now. All that immense data a human can never wade through can be processed by ML. I would be surprised if they aren't using an LLM to answer questions and query real-time and historical internet data.

6) You know all the concerns regarding Huawei and Tiktok being backdoored by the Chinese government? That's because we're doing it ourselves already.

7) I hope you don't think TAO is less capable than well known notorious spyware companies like the NSO group? Dragnet collection is used to find patterns for follow-up tailored access.

None of your proposed solutions are stealthy enough to enable bulk collection at a pre-Snowden scale.

Yeah, they can still collect lots of useful metadata.

I don't understand, all they have to do is tap submarine cables, why is that infeasible now? What specific thing do you think they were collecting before that they can't now?

Metadata is extremely valuable!! Lots of things can be inferred from it. In other comments I've decried companies like Slack including your password reset or login codes in the email subject, for example. They can take any packet and trace it back to a specific individual, even if you're on Tor, chaining VPNs, etc., without decrypting it. They can see what destinations you're visiting. They can build a pattern-of-life profile of you and mine that. The ad industry does much of this without access to global internet traffic captures already lol.

That's perfectly feasible. It is not feasible to do the same kind of captures as NSA was doing pre-Snowden, when most of that traffic wasn't encrypted.

> In other comments I've decried companies like slack including your password reset or login codes in the email subject for example

That's still just as encrypted as the email body itself.

I think the disconnect is that you think all they do is passive listening and after the fact decryption.
They don't break encryption, they circumvent it. They get into people's computers and access the stored data after it's been decrypted. They stockpile zero day vulnerabilities and use them against their targets in order to install persistent malware. They intercept equipment and literally implant hardware onto the PCBs that let them access the networks. They have access to hordes of government CCTVs. They have real time satellite imaging. They have cellphone tower data.
They don't break encryption, they circumvent it.

To quote a former Chief Scientist of the NSA, Rule #1 of cryptanalysis is "look for plaintext". Implementation flaws are very common.

This is all in line with significantly degraded collection capabilities.

They can easily go after specific targets, but bulk collection is no longer viable in the same way it was pre-Snowden.

Yes but I wouldn't say their capabilities have been "greatly" degraded. It's still very much in the "push a button and have someone's entire life history up on the screen" territory.

Degraded would be "it is impossible for them to know anything about people unless they send dozens of human agents to stalk them".

I think going from "lol we can read and store all the emails sent by everybody" to "lol we can hack any specific person and then read their emails" indicates a massive loss of capability.

The first approach enabled them to find targets that were not on their radar based on message contents, they can no longer do that.

They still read emails. No doubt they're inside Google, Microsoft, Apple. They might not be inside Proton Mail, it uses PGP but keys are stored server side so I wouldn't know.

No doubt they still read texts. I think the US is still among the countries that use SMS a lot.

They no doubt have access to the data big tech's mined out of the entire world's population. That capability alone puts them into "bring everything about this guy up on the screen" territory.

>NSA does not have magic tools to break modern encryption.

They don't. But they have other options.

For example, Cloudflare is an American company that has plaintext access to the traffic of many sites. Cloudflare can be compelled to secretly share anything the NSA want.

Or if they have a deal or double agent working for them, there is a possibility for "full take" just like at AT&T. Seems pretty likely to me. Allegedly there are tens of thousands of undercover employees stationed throughout the economy in the "signature reduction" program. National security programs don't respect laws when there is something considered "important" if they can get away with it.

https://www.newsweek.com/exclusive-inside-militarys-secret-u...

A double agent would not get you "full take", it'd be impossible to hide the traffic. A double agent could maybe feasibly steal keys from Google, but they'd have to do that all the time because the keys are constantly rotated.

And even then, stealing keys does not give you passive decryption and active decryption would be incredibly noisy.

NSA does not have enough money to spend to be able to incentivize Google to give them full take intercepts either.

I think you are not being creative enough with how one might attempt this. For example, splice the cables leading to the datacenter, put an inconspicuous chip in the servers that intercepts the keys and feeds them via wireless signals to a collection point. Perhaps you could even do something clever like put very short range EMF into a metal co-location rack and collect the signals almost totally invisibly using a mesh network of devices built into the metal.

There's lots of fun tricks you can think of when you have national resources at your disposal.

However, you are forgetting that NSA works for Google. It works to support the promotion of American companies worldwide. They're on the same team, and Google knows that. They even have the same mission: To usefully organize the world's information!

Now that Google is openly a military contractor, it's even easier to make this click. Back in the day, you had to read things like this Julian Assange piece to understand this: https://wikileaks.org/google-is-not-what-it-seems/

If we were to accept that the NSA works for Google, there's even less reason to believe that Google would grant NSA full take access to plaintext content.

Google has a lot to lose by doing so, and not all that much to gain. Google has also been a leading force in pushing for broader use of encryption on the internet, making the NSA's work significantly more difficult even in a hypothetical scenario where Google is happy to give them anything they want.

>Cloudflare can be compelled to secretly share anything the NSA want.

This is true given some possible interpretations, false given other possible interpretations. Cloudflare can be secretly compelled to share specific things, there's no legal mechanism to compel Cloudflare to share everything.

Wasn't the whole thing that the secret courts were too liberal in access they were granting?

Not in the sense that they were ordering companies to facilitate full take collection of content by the NSA, no.

Hence the famous "SSL added and removed here ;-)" slide

Wasn't room 641A just the NSA strong-arming AT&T to facilitate full take collection?

Even if they aren't compelled, if that unencrypted traffic ever moves over a wire that the NSA could tap into...

So instead of collecting at AT&T Room 631 you now collect at Google Room Whatever.

The NSA has spent no small amount of time in the last decade obviously interfering with NIST and public encryption standards. The obvious reason is they _want_ to have the magic tools to break some modern encryption.

>So instead of collecting at AT&T Room 631 you now collect at Google Room Whatever.

Even if true, significantly degraded. Probably not true though, NSA has been very leaky and such a story would be kind of devastating for Google. NSA lacks the legal capability to force Google to do so, the money to bribe Google to do so and also almost certainly lacks the political backing to put one of the biggest US companies in such a position.

I don't doubt for a second that NSA could hack Google (or just bribe employees with appropriate access) and break into specific Gmail accounts if they wanted to. Bulk collection would be far more difficult to implement.

>The NSA has spent no small amount of time in the last decade obviously interfering with NIST and public encryption standards. The obvious reason is they _want_ to have the magic tools to break some modern encryption.

They do try, they just haven't been very successful at it.

Google, along with all other major service providers, has a legal portal so law enforcement can process warrant orders. I think all you have to do is hack that portal or process.

Sure, and you could also just submit fake warrants as many criminals have successfully done.

Neither of these approaches would enable bulk collection.

I'm sure the NSA can read essentially any specific emails they're interested in, they just can't do so at anywhere near the scale they used to pre-Snowden.

Not only that, these days almost all chats have moved to E2EE platforms. Reading that traffic in a stealthy manner requires compromising endpoints, bulk collection simply isn't possible.

It's not Google room whatever, it's Cloudflare room whatever. That's why you don't hear much about undermining encryption standards anymore; who needs that when you have SSL termination for 40% of the internet?

Don't need to break encryption if you read data from the source -- O/S vendors will do it for you.

Israel produced Pegasus for hacking smartphones and taking them over. You don't think NSA can do that? They control all the endpoints they want.

So what? They can't do that at scale without making a ton of noise.

That's a very boring capability compared to what they were able to do pre-Snowden. That's also not a new capability, they were able to do that pre-Snowden too.

You should read about Project Cloudflare

They surely don't have any kind of access to letsencrypt root certs whatsoever

You can't decrypt anything with letsencrypt root certs; you can issue your own certificates, but it would be impossible to use those at any significant scale.

It's also worth considering that CT makes it extremely noisy to use such certificates to attack web browsers.

I'd bet they could absolutely proxy large parts of people and make use of these certs. I wonder how much CT logs are scrutinized; would these "rogue" certs be found easily because we can't find traces of them being generated by letsencrypt? Browsers check CRLs, but are they checking CT logs to ensure the cert they're checking was logged?

They couldn't do that at scale without being detected, no. There are various people actively looking for this, and the existing tooling makes it easy to detect.

>Browsers check CRLs, but are they checking CT logs to ensure the cert they're checking was logged?

Yes, all modern browsers require certificates to be in the CT logs in order for them to be accepted.

For example, we can easily pull up logs for gmail.com and see which certificates browsers would accept. https://api.certspotter.com/v1/issuances?domain=gmail.com&ex...
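The monitoring side of the point made above (anyone can pull a domain's logged issuances and spot a certificate the owner never requested), as an added example that is not part of this thread or of any CT tooling it mentions. The records are constructed sample data, and the record shape (id, dns_names, issuer.name, not_before, not_after, revoked) is an assumption modelled loosely on an issuance feed like the one linked; the check itself is generic: every logged certificate covering the domain is classified, and a live certificate from an issuer outside the owner's allowlist is the alert.

```python
"""Audit CT-log issuances for a domain against an allowlist of expected issuers.

Added example, not from the thread. Record shape is an assumption; data is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample records (not real log entries). The field names follow the
# shape this example assumes for a CT issuance feed; treat them as an assumption.
SAMPLE_ISSUANCES = json.loads("""
[
  {"id": "1001", "dns_names": ["example.com", "www.example.com"],
   "issuer": {"name": "C=US, O=Let's Encrypt, CN=R11"},
   "not_before": "2025-01-10T00:00:00Z", "not_after": "2025-04-10T00:00:00Z",
   "revoked": false},
  {"id": "1002", "dns_names": ["*.example.com"],
   "issuer": {"name": "C=US, O=Google Trust Services, CN=WR1"},
   "not_before": "2025-02-01T00:00:00Z", "not_after": "2025-05-01T00:00:00Z",
   "revoked": false},
  {"id": "1003", "dns_names": ["mail.example.com"],
   "issuer": {"name": "C=XX, O=Unknown Regional CA, CN=Issuing CA 2"},
   "not_before": "2025-02-15T00:00:00Z", "not_after": "2026-02-15T00:00:00Z",
   "revoked": false},
  {"id": "1004", "dns_names": ["example.com"],
   "issuer": {"name": "C=US, O=Let's Encrypt, CN=R10"},
   "not_before": "2024-06-01T00:00:00Z", "not_after": "2024-08-30T00:00:00Z",
   "revoked": true}
]
""")

# Issuer organisations the (hypothetical) domain owner actually uses.
EXPECTED_ISSUER_ORGS = {"Let's Encrypt", "Google Trust Services"}

# Fixed "now" so the sample audit is reproducible.
AUDIT_TIME = datetime(2025, 3, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def issuer_org(issuer_name):
    """Extract the O= attribute from an RFC 4514-style issuer distinguished name."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return None


def in_scope(dns_name, domain):
    """True if a logged SAN is the domain, a subdomain of it, or a wildcard for either."""
    bare = dns_name[2:] if dns_name.startswith("*.") else dns_name
    return bare == domain or bare.endswith("." + domain)


def audit_issuances(records, domain, expected_orgs, now):
    """Classify every logged certificate that covers `domain`.

    Statuses: 'revoked', 'expired', 'unexpected_issuer', 'expected'. Revocation
    and expiry are checked first so only live certificates raise issuer alerts.
    """
    findings = []
    for rec in records:
        names = [n for n in rec["dns_names"] if in_scope(n, domain)]
        if not names:
            continue  # logged for some other domain, not our concern
        org = issuer_org(rec["issuer"]["name"])
        if rec.get("revoked"):
            status = "revoked"
        elif parse_ts(rec["not_after"]) < now:
            status = "expired"
        elif org not in expected_orgs:
            status = "unexpected_issuer"
        else:
            status = "expected"
        findings.append({"id": rec["id"], "names": names,
                         "issuer_org": org, "status": status})
    return findings


def alerts(findings):
    """Only live certificates from an issuer outside the allowlist are actionable."""
    return [f for f in findings if f["status"] == "unexpected_issuer"]


def run_sample_audit():
    """Run the audit over the constructed sample for example.com."""
    return audit_issuances(SAMPLE_ISSUANCES, "example.com",
                           EXPECTED_ISSUER_ORGS, AUDIT_TIME)


if __name__ == "__main__":
    found = run_sample_audit()
    for f in found:
        print(f"{f['status']:18} id={f['id']} issuer={f['issuer_org']} names={f['names']}")
    print("alerts:", [f["id"] for f in alerts(found)])
```

Against the sample, the three Let's Encrypt and Google Trust Services certificates classify as expected or revoked, and the one from "Unknown Regional CA" is the alert. In a real deployment the records would come from a CT monitor's feed for the domain and the allowlist would be the CAs the owner actually uses; since browsers require an SCT from a public log before accepting a certificate, an issuance that never appears in this feed is not one a browser would trust, which is why this passive check suffices to detect mis-issuance at scale.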

This is naive to the point where it is indistinguishable from disinformation.

Aside from a tiny minority of people applying their own encryption (with offline confirmed public keys) at end points with securely stored air gapped private keys, this information is available to the US government, it’s the god damn job of the NSA.

The NSA can hack pretty much anybody, yes. The NSA can no longer collect everything as they were doing pre-Snowden.

The crucial difference is that it is no longer nearly as easy for the NSA to identify new targets as it used to be, because they don't have full take access to the vast amounts of content they used to.

store now... decrypt later...

Sure, why not. If quantum computers capable of factoring sufficiently large numbers ever arrive, we'll be living in a very different world anyway.

You only need to look at a few headline "true crime" cases to see the obvious parallel construction that is being done.

Could you be more specific? It's really hard to have a useful conversation based on a comment like this, but really easy to have one based on a comment which links to specific cases and perhaps even explains how the obvious parallel construction appears.

It's a common "conspiracy theory" that this happened in the Luigi Mangione case, even though I don't agree he's "probably innocent":

https://www.reddit.com/r/LateStageCapitalism/comments/1hlmq3...

The FBI apparently attempted to use this in the Bryan Kohberger case:

https://www.nytimes.com/2025/02/25/us/idaho-murders-bryan-ko...

It's hard to find solid coverage of this because obviously the methods are often hidden and rarely leak out to the press at large. The press also gets confused and thinks that defending our constitutional rights will lead to criminals being acquitted.

If you spend a lot of time watching and studying these cases and how they evolve throughout the courts it becomes obvious that this is likely occurring more than most people realize.

I don't think the Mangione case is a particularly good example, you wouldn't use a 911 call by a random McDonald's manager to disguise parallel construction.

The caller is easy to identify, how could the government ever trust this person to not reveal their parallel construction? If they were planted by the government, that'd be extremely difficult to hide. The government also likely wouldn't be able to compensate them in any meaningful way for telling such a lie.

The Kohberger case also does not suggest parallel construction; the DOJ policy isn't binding and the DOJ can in fact legally violate that whenever they want.

NSA is under Pete Hegseth's Department of War [sic] if that is any indication of their position and priorities.