by notepad0x90 193 days ago
1) They don't necessarily need to break all encryption; just knowing who is talking to whom and then delivering a tailored payload is their M.O. The Tailored Access Operations division exists just for this.

2) They didn't build a yottabyte-scale data center for no reason.

3) They have the capability to compromise certificate authorities. Pinned certs aren't universal.

4) Speculation, but Snowden's revelations probably set off an "arms race" of sorts for developing this capability. Lots more people started using Tor, VPNs, and more, so it would almost be dereliction of duty on their part if they didn't dramatically increase their capability, because the threats they are there to stop didn't disappear.

5) ML/LLM/AI has been around for a while; machine learning analysis has been mainstream for over a decade now. All that immense data a human can never wade through can be processed by ML. I would be surprised if they aren't using an LLM to answer questions and query real-time and historical internet data.

6) You know all the concerns regarding Huawei and TikTok being backdoored by the Chinese government? That's because we're doing it ourselves already.

7) I hope you don't think TAO is less capable than well-known, notorious spyware companies like the NSO Group? Dragnet collection is used to find patterns for follow-up tailored access.


None of your proposed solutions are stealthy enough to enable bulk collection at a pre-Snowden scale.

Yeah, they can still collect lots of useful metadata.

I don't understand, all they have to do is tap submarine cables, why is that infeasible now? What specific thing do you think they were collecting before that they can't now?

Metadata is extremely valuable! Lots of things can be inferred from it. In other comments I've decried companies like Slack including your password reset or login codes in the email subject, for example. They can take any packet and trace it back to a specific individual, even if you're on Tor, chaining VPNs, etc., without decrypting it. They can see what destinations you're visiting. They can build a pattern-of-life profile of you and mine that. The ad industry does much of this without access to global internet traffic captures already, lol.
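As an added illustration (not part of the comment above) of how much a pattern-of-life profile can be built from metadata alone, the following Python runs over constructed flow records (the timestamps, client and server names, ports and byte counts are all made up) and never touches a payload. The defender's takeaway is that encrypting the body leaves every one of these signals intact.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed flow-metadata records: (timestamp, client, server, dst port, bytes).
# Made-up values for illustration only, not captured traffic.
FLOWS = [
    ("2024-03-04T07:58:10Z", "10.0.0.7", "chat.example", 443, 2100),
    ("2024-03-04T07:58:40Z", "10.0.0.9", "chat.example", 443, 1900),
    ("2024-03-04T08:03:44Z", "10.0.0.7", "chat.example", 443, 1800),
    ("2024-03-04T08:30:01Z", "10.0.0.7", "git.example", 443, 95000),
    ("2024-03-04T12:00:00Z", "10.0.0.9", "news.example", 443, 50000),
    ("2024-03-04T22:15:09Z", "10.0.0.7", "chat.example", 443, 2400),
    ("2024-03-05T07:55:32Z", "10.0.0.7", "chat.example", 443, 2000),
    ("2024-03-05T23:02:17Z", "10.0.0.7", "relay.example", 9001, 640000),
]

def parse_flows(rows):
    """Turn the ISO timestamps into datetime objects; everything else is kept as-is."""
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), c, s, p, b)
            for ts, c, s, p, b in rows]

def pattern_of_life(flows, client):
    """Summarise one client from metadata alone: hours of activity, which
    (server, port) pairs it talks to, and how many bytes it moves per day."""
    hours, dests, daily_bytes = Counter(), Counter(), defaultdict(int)
    for ts, c, s, p, b in flows:
        if c != client:
            continue
        hours[ts.hour] += 1
        dests[(s, p)] += 1
        daily_bytes[ts.date().isoformat()] += b
    return {
        "active_hours": sorted(hours),          # wake/sleep rhythm
        "destinations": dict(dests),            # services used, by name and port
        "bytes_per_day": dict(daily_bytes),     # bulk transfers stand out
    }

def correlated_clients(flows, server, window_s=60):
    """Unordered client pairs that reached the same server within window_s
    seconds of each other: a crude 'who talks to whom' inference from timing."""
    hits = sorted((ts, c) for ts, c, s, _, _ in flows if s == server)
    pairs = set()
    for i, (t1, c1) in enumerate(hits):
        for t2, c2 in hits[i + 1:]:
            if (t2 - t1).total_seconds() > window_s:
                break
            if c1 != c2:
                pairs.add(tuple(sorted((c1, c2))))
    return pairs
```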

That's perfectly feasible. It is not feasible to do the same kind of captures as the NSA was doing pre-Snowden, when most of that traffic wasn't encrypted.

> In other comments I've decried companies like slack including your password reset or login codes in the email subject for example

That's still just as encrypted as the email body itself.

I think the disconnect is that you think all they do is passive listening and after-the-fact decryption.

Active listening is very noisy; we can be very confident they're not doing that at scale.

My whole point is that they're no longer able to do passive listening of unencrypted content at massive scale, but instead are forced to rely on much smaller-scale active attacks.

You're making assumptions that are not taking into account all the other capabilities revealed in the Snowden leak and several other prior leaks. The name "Tailored Access Operations" alone should tell you something. They still have a presence in all the large tech companies' networks (with cooperation from them, of course), and they are able to access critical servers like MTAs. The Shadow Brokers leaks are another glimpse into their historical capabilities.

You're assuming that, despite their budget not having changed meaningfully, no repercussions against anyone from the historical leaks, the continued renewal of the Patriot Act, and the unchanged mission of the intelligence community orgs, they've somehow wound down. That they've stopped R&D and tailored access ops.

You're also assuming that tailored access is not used to facilitate, correlate and enrich traffic decryption.

You look at things from your perspective, where decrypting traffic alone is all too important. If you can see all the metadata, why would you do that? If you hoard 0-days and sophisticated implants, what's the advantage? I mean, half the time comms alone aren't enough; you want access to internal networks, documents that will never get transmitted over the network, etc., smartphone telemetry data from a large group of targets. They're not interested in decrypting traffic to grandma visiting Facebook; they want to know who's downloading Tails, who's using Signal, who's committing to interesting git repos, who the source of some journalist is, what people a politician has been messaging on WhatsApp. Once targets are identified, they can be implanted or have their traffic selected for decryption.

But I think I get what you're saying: that most of the traffic they capture is encrypted. That much I agree with; that has changed. But whether they can decrypt it on demand is tough to speculate about; whether they need to? That's what I'm disagreeing with. If their goal was that one-time traffic decryption, perhaps that has been curtailed with the prevalence of TLS and CT logging. But metadata alone is sufficient to select a target, and all the evidence suggests that even if they can't readily implant targets, they can successfully perform targeted MITM attacks, even with typical non-mTLS/non-pinned TLS setups.