Hacker News new | ask | show | jobs
by anologwintermut 4131 days ago
Personally, the biggest take away to this is the invasive targeting of completely innocent and ordinary people simply as a means to get access to things the NSA needed (sim Card keys). We have concrete evidence they nailed peoples personal email accounts and social networks merely as a means to an get crypto keys in mass. Sure, the potential mass surveillance is exceedingly problematic, but thats mainly problematic because of the potential for abuse. Abuse that we either assumed would happen or already had, but as far as I know there was little direct evidence of.

The absolute lowest bar for surveillance seems to be that a government doesn't use it to intentionally target innocent people/ those not in the game (hell, lets lower it even further to be only people the government themselves believe are innocent).[0]

That potentially allows dragnet collection of data if no one looks at it. It might allow hacking just a company's servers to get access to third party data. It probably allows you to spy on foreign heads of state (even if it's a boneheaded move). But it damn well doesn't allow you to go through the personal communications of people who you know have done nothing wrong and aren't even working for someone who has.

[0] This is precisely the woefully low bar Obama has been espousing : “The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security and that we take their privacy concerns into account in our policies and procedures,”
6 comments
bigiain 4131 days ago
I wonder how many years with of jail time Aaron Schwartz's prosecutors would be talking about if this'd been done by a mouthy kid instead of the NSA?

I wonder which non-US country, where the NSA's actions aren't made "legal" by secret FISA courts or acts of (US) Congress, will be the first to start throwing that kind of legal threat at NSA staff responsible for this?</wishful-thinking>

link
socceroos 4130 days ago
When you hold the Poisoned Chalice of Power you get to decide who is legally justified and who isn't. "Morals" doesn't even factor into things....unfortunately.
link
bigiain 4130 days ago
Only in a limited way though, the NSA can decide (or at least exert considerable influence over) what's legal in the US - but criminal actions in, say, The Netherlands or any other (non five eyes) country, cannot be "justified" or "excused" legally by another except those countries.

I guess a _lot_ of what goes in in state sponsored espionage happens outside the civilian legal system - at least in "major" countries - but surely there's scope for a criminal trial and civil damages case against NSA/GHCQ operatives when their espionage involves widespread network exploitation and privacy violation of corporate networks and staff. Crimes which would _clearly_ be aggressively prosecuted if committed by Anonymous Skript Kiddies or criminal credit card fraud gangs. Why shouldn't NSA agents be held just as accountable in this case by non US legal systems? Sure, root the embassy network and expect to be held diplomatically responsible if you get caught. Private companies and citizens though? Go to jail just like anybody else.

link
beagle3 4130 days ago
But if you've been following the Firstlook disclosures, and the response to it from different governments, you'll notice that they don't really want to hold anyone accountable - likely, they are all on it some way or another.

Ireland rushed to retroactively OK british spying. Germany ignored it (with some theatrical "I'm insulted" remarks from Merkel, but no real action).

The assumption that any government out there actually wants to enforce its laws with respect to mass spying against its people is not supported by facts.

link
strictnein 4130 days ago
Germany's investigation found that it likely didn't happen and that the documents saying it did were possibly forgeries.

http://mobile.reuters.com/article/idUSKBN0JP1QG20141211?irpc...

> "the document presented in public as proof of an actual tapping of the mobile phone is not an authentic surveillance order by the NSA. It does not come from the NSA database.

> "There is no proof at the moment which could lead to charges that Chancellor Merkel's phone connection data was collected or her calls tapped."

link
throwaway150219 4130 days ago
Did you RTFA?
link
testguy34 4130 days ago
Plenty of spies on all sides have been killed and jailed over the years. If a country can prove a specific person committed a crime. But that's a lot harder to do with tech crimes.
link
Tepix 4130 days ago
But how do you identify an anonymous NSA hacker?
link
socceroos 4127 days ago
You send them all to Guantanamo Bay and beat a confession out of them?
link
testguy34 4130 days ago
What do you think spying is? By definition it is illegal. Other countries won't do anything but cry a bit because their hands aren't much cleaner.
link
gcb0 4130 days ago
...they will probably cry a bit and up their game. by a lot. Until someone stops just crying and boom.
link
dogma1138 4130 days ago
How do you think the world actually works? Do you think that any other intelligence operation this past century didn't target similar people?

Take a look at the cold war, most of the directly tasked targets of US and Soviet intelligence efforts were "small fish" with the right access, anything from a hotel employee to a secretary or a cook or even your hair dresses.

At least with this NSA thing they don't end up with 2 bullet holes at their back of the head at the bottom of a trash chute.

Spy agencies always have and always will operate in such manner really not sure why people still act in any sort of shock this is the most basic trade craft.

link
istvan__ 4130 days ago
No they didn't. There are intelligence operation that you haven't heard of, and this is not an accident. Just because NSA is using brute force and does not care about the collateral damage it does not mean that all of the secret agencies should do the same or doing the same.
link
dogma1138 4130 days ago
So they just decided to declassify or screw up all the intelligence operations that did just that to give them selves a bad rep?
link
istvan__ 4130 days ago
I am not concerned about that. It is bad practice to damage security for all because of few. This is all I am saying. It seems like a pretty bad idea to me.
link
dogma1138 4130 days ago
Damage security? They didn't damage the security of the products because of this, if anything you should take of is just how easily these products can be compromised in such manner.

All the NSA did is to steal keys which they can then use to interdict cellular communications, it's not like they put in a weakness by design and then exploited it (which they might have done in other operations but that's a completely different story).

This thing is no different than the digital signatures on the driver used by Stuxnet ("oddly enough" both companies which were compromised were in the same industrial park just a across of a shared parking lot from each other ;)).

Sadly this level of operation is plausible to be committed not only by private intelligence agencies (which we had too many off already) but by crime organizations as well. I've seen case of corporate espionage which were more complex than this one.

Instead of huffing and puffing at the NSA the proper lesson to learn from this is that cellphone carriers should stop relying on SIM card manufacturers in China and India for their encryption.

Heck if the NSA can interdict equipment in transit to tamper with it, how hard would you think does the Chinese intelligence service has to work to go down the street and just demand the keys straight from the source?

It's about a good damn time that people start asking questions on who has access to the private keys which are used in so many day to day operations from the keys used to authenticate your cable modem to the keys in the card reader you swiped your card trough at your local coffee shop. The answer to this should force quite a few people to live in a hunting lodge in Montana for sure.

I in fact would be very surprised to find a single mass used commercial cryptosystem which is actually secure. Because which each and everyone of those the keys to the castle end up being in the hands of the lowest paid employees out there and business practices will always force availability and serviceability over security.

link
istvan__ 4125 days ago
Everything can be compromised. It is just a matter of enough resources(money really). Finding a security bug and actively using it and do not expose it publicly is kind of damaging security because the bug can be used by other organizations as well. Writing Stuxnet is an entire different level. Actively deploying backdoors and compromise entire networks just to get to the target is a lot of collateral damage. Isn't it?

Actually there were certain projects got pushed back like the IDEA from ETH Zurich or ECC from University of Washington and other potentially vulnerable alternatives were promoted. ECC btw. is pretty strong for a very long time, even today, if you don't use the backdoored version...

http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A...

link
chinathrow 4131 days ago
"Personally, the biggest take away to this is the invasive targeting of completely innocent and ordinary people"

Nothing new here - as the Belgacom hack has shown already.

link
anologwintermut 4131 days ago
So I may have missed the details. I thought we knew they hacked Belgacom, but no one mentioned going through employee's personal email and social networks (though in light of this, we can assume they did). If they did mention it and I missed it, sure, nothing new. But the same entire thing then just applies to that instance too.
link
llimllib 4131 days ago
> While working to assess the extent of the infection at Belgacom, the team of investigators realized that the damage was far more extensive than they first thought. The [ed: NSA] malware had not only compromised Belgacom’s email servers, it had infected more than 120 computer systems operated by the company, including up to 70 personal computers.

https://firstlook.org/theintercept/2014/12/13/belgacom-hack-...

link
sehugg 4131 days ago
I don't remember the reporting on the Belgacom hack mentioning that they were casually querying X-KEYSCORE as they reportedly did here to identify potential targets.
link
chinathrow 4130 days ago
See the comment below in this subthread. You are right, no mentioning of XKEYSCORE but they pretty much owned their whole mail server(s).
link
joe_the_user 4130 days ago
Indeed,

It is gradually recursing backward to "invasive targeting of completely innocent and ordinary people simply as a means to get access more innocent and ordinary people in order to ...etc"

link
nooneelse 4127 days ago
Look, if your uncle's boss doesn't have anything to hide, you have nothing to fear.

Alternate version: If you aren't three or fewer connections away from anyone with something to hide, you have nothing to fear.

link
Kalium 4131 days ago
Preface: this is not a defense.

It's worth remembering that some tools are only useful with lots of data about innocent people. Some forms of network analysis fall into this category, I believe.

link
anologwintermut 4131 days ago
Sure.

Lets suppose it actually was a valid defense. But what does that have to do with going through the Facebook and personal email of individual employees to know who to target. That was done up close, in personal, by hand. By any definition, those people had their privacy specifically and intentionally violated by actual human analysts.

link
Kalium 4131 days ago
Intelligence is one of the few rare fields based wholly upon the idea that the ends justify the means. There are no easy answers there.
link
delluminatus 4131 days ago
The end in this case being the ability to decrypt cellphone traffic. And what will that capacity be used for? Spying on foreign nations? Halting nonexistent terrorist plots? Further secret surveillance of American citizens?

If we judge the means by the ends, I do not believe that their end provides sufficient justification for their means. They appear to believe otherwise, however they fail to offer any evidence for their perspective; as an American, I am feeling ever more alienated from the organizations which were theoretically founded for our benefit.

link
Kalium 4131 days ago
Decrypting cellphone traffic is also a means. It's a means towards information and human connections and so on. That's the sort of stuff that can make or break an operation.

Did it? Has it? Unknown.

The trouble with intelligence is that it's only effective when done with secrecy and fairly broad latitude to operate. There are few easy answers here.

link
delluminatus 4130 days ago
A fairly broad latitude? If the ends justify the means and yet the ends themselves are kept completely hidden, then the latitude, as you put it, is completely unconstrained. An intelligence agency operating under those principles can literally do anything claiming that it is for the greater good.

In short, it sounds like you are advocating for an agency which can take arbitrary extralegal action at its own discretion, without providing reason or explanation, and without providing any demonstrable benefit to anybody, because it's secret.

Frankly, I find the idea terrifying. I understand that intelligence agencies need some quantity of secrecy and some degree of latitude. Like you have repeatedly stated, there are no easy answers. But that doesn't mean we shouldn't ask the question. What the hell are these people doing, and should we let them continue? What is growing in our intelligence sector -- is it an institution that will be found to have brought the world benefit, like Bletchley Park, or will it be seen to have become a thin facade over a malignant, self-interested organization, potentially culminating in something like a secret police?

link
un1xl0ser 4131 days ago
Can you please provide your definition of intelligence?

I would argue that theoretically, a government (or other entity) could use intelligence but use it within a set of moral and/or ethical guidelines that uses a system of checks and balances.

link
Kalium 4131 days ago
Intelligence is the dirty-but-necessary stuff that makes it possible to accurately guide diplomacy, economic policy, trade, and military action to achieve the desired goals of a nation-state for a minimum of cost. It includes internal security.

Generally, intelligence cannot operate openly, even under a strict set of guidelines. Further, there will always be situations where efficacy runs into guidelines and something has to give. Would you be willing to violate the privacy of one person to prevent an attack that would kill five thousand? How about a dozen people's privacy? A hundred? A thousand? A million?

As I understand it, those aren't purely theoretical questions in the world of intelligence.

link
moe 4130 days ago
Would you be willing to violate the privacy of one person to prevent an attack that would kill five thousand?

Why don't we skip the suggestive "thought experiments" and look at some facts instead.

A grand total of 3467 people in the USA have been killed by terror attacks since 1970[1].

In the same timeframe 2091 americans were killed by lightning strike[2] and roughly 102.000.000 died of old age.

Please explain how these numbers justify the NSA's yearly budget of $75 billion dollars, and their documented, ongoing violation of millions of people's privacy.

[1] http://www.start.umd.edu/gtd/search/Results.aspx?chart=fatal...

[2] http://en.wikipedia.org/wiki/Lightning_strike#Epidemiology

[3] http://money.cnn.com/2013/06/07/news/economy/nsa-surveillanc...

[4] https://firstlook.org/theintercept/2014/08/25/icreach-nsa-ci...

link
nitrogen 4130 days ago
Generally, intelligence cannot operate openly, even under a strict set of guidelines.

Can this claim be substantiated with evidence?

link
throwaway150219 4130 days ago
Would you be willing to violate the privacy of 6 million people to commit genocide?
link
higherpurpose 4131 days ago
It's interesting because last I checked Obama/NSA were saying they don't collect content, only metadata (that harmless, harmless metadata [1]). If that's the case, why were they so interested in the SIM key?!

[1] - http://justsecurity.org/10311/michael-hayden-kill-people-bas...

link
anologwintermut 4131 days ago
Because they were useful for targeted surveillance? Not that I agree with the means or the scope, but there's an above board explanation for the desire to get the keys . Suppose you have a handful of phones in Pakistan or Iran you need access to very covertly (e.g. some rogue guy in the ISI where getting caught snooping has major consequences). The least risky way to access his communications is to get the keys. The least risky way to do that is to get them from the broadest source possible(to obscure who you're really interest in) and the one most removed from your target. So there's a legit reason to want the keys, even if your only targeting a few legit targets.

But the means of doing so is truly questionable, even given all their assertions about trust us and we don't look at everyones stuff.

link
maxerickson 4131 days ago
The metadata qualifier is about U.S. domestic data gathering.

There's no such limitation on their activities outside of the U.S.

(Hence there is no reason to make an inference about what capabilities they would attempt to build out)

link
kushti 4131 days ago
Strange to see anyone still believing to american officials.
link