Posts by tom dial 2187 publicly visible posts • joined 16 Jan 2011
Indeed we do, since there also is precious little difference between either of the things mention and scanning for porn, links to copyrighted material, or indications of terrorist activity. My inclination is to think that my privacy is something I had best look after myself. Trusting the ISP or other email provider might work out, but it also might not.
Or, to state it more succinctly, there are plenty of other official political parties, but mostly they have nothing to say that anyone much cares to hear, most people don't know they exist, and fewer yet vote for their candidates. That's not to say that the deck isn't stacked against them - in most states it is, and badly so. But if they had a reasonable amount of support they would have supporters to campaign door to door, host meetings, and the like, could gain ballot status, raise a bit of money, and occasionally win a few elections. The fatal problem, of course, is that when a splinter party raises a point that gets a bit of traction, one of the main stream parties will adopt the idea and divert the new party's support to their candidate.
When I worked for them, individual employees issued US Government credit cards were personally responsible to repay the full amount when due. This was a definite incentive to file timely travel and per diem claims. Failure to pay on time was made known to the employer, however and could result in disciplinary action, as could use for any purpose not related to official travel. I do not think there would have been any chance of the government covering employee charges for anything.
There also were credit cards issued to certain managers for use in small acquisitions, with credit limits dependent on the manager's rank. The government would have been on the hook for these, but allowable expenditures required extensive documentation ahead of time. I can imagine unauthorized use of such an account winding up in court, probably after the responsible manager's demotion or dismissal.
Reporting on NSA activities increasingly seems to be based on what amounts to hearsay. This article is an example, in that it reports that The Hindu claims to have obtained a top secret document showing certain spying activities targeted on India and Indian citizens. Neither the linked article nor the Register report appears to provide access to even a redacted version of the document that is claimed to exist, so there is no obvious way to judge the accuracy of the description given or even whether the document exists. The Guardian, Washington Post, New York Times, and Spiegel (to name some) have many times provided such access, allowing interested readers to examine the document (although usually a redacted version) and form their own judgments.
This isn't a criticism of The Register, who have done their duty by citing The Hindu (in this case) and other publications as appropriate. However, when the citation trail leads to a dead end, the claim has roughly the same verifiable truth value as NSA statements that they are acting properly - not a very high standard. Judging comes down to a matter of who is more trustworthy, and I have no reason to trust Shobhan Saxena or The Hindu more or less than various US government officials when it comes to describing what the NSA does.
It may be time to mention that the USNSA and its Five Eyes associates and others are agencies within their respective countries' defense establishment and are concerned with a much wider range of activities than terrorism. Terrorism gets a lot of headlines, but probably represents a rather small part of overall signals intelligence activity, although it likely has been used to support enlargement of data collection and analysis capabilities, especially over the last 12 years.
Governments seek and use various kinds of intelligence products for purposes ranging from estimating and anticipating other countries' treaty negotiating objectives to identifying conditions likely to result in wars that may or may not involve them to formulation of military contingency plans for action under a variety of circumstances -- and identifying external or internal threats such as terrorist attacks.
And yes, allies spy on each other; only the clueless think otherwise.
I seem to recall that the rotation of the Earth is not quite uniform, perhaps due to sloshing of oceans and the Moon's orbit not being quite a perfect circle. If so, and if that is not fully predictable, it would seem the uniform clock also might need occasional resetting. I'm OK with NTP and a leap second now and then, along with occasional resetting of my pendulum clocks.
NSA advice about cryptography surely is potentially problematic, and the results of accepting it or not are uncertain. I seem to recall that they critiqued and made specific suggestions to NIST about DES that had no known basis at the time but later were found to have strengthened the algorithm. The Dual_EC_DRBG initialization values the NSA recommended are obscure as to their origin. It is possible that NSA knows something about them that we do not, something that makes it easy for them to predict the PRG output and therefore to decrypt messages that used it. However, the pseudorandom generator appears to be flawed based on its biased output and should not be used for that reason alone.
http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html
But one assumes the Apple Marketing Department overlooked this inconvenient, yet fairly obvious, little detail. Fingerprint, among possible biometrics, has the advantage of being quite easy to obtain and the disadvantage of being also quite easy to forge. I suspect that some others, like iris or retina scans, are a bit better but also possible to forge. For all its defects, a reasonably constrained password probably is about as good in practice.
I cannot imagine why anyone would think an agency such as GCHQ that is tasked specifically with information collection and intelligence production would refrain from carrying out its mission. Nothing in the story or slides except possibly the detailed target names should be a surprise. Those who carried out the exploits did what they were supposed to, apparently with fair success, and are not, at least in the UK (and US, Canada, Australia, and New Zealand) guilty of any crime for that, although they might be advised not to visit Belgium. As for whether allies spy on each other, it may be worthwhile to consider the case of the Israeli spy Jonathan Pollard, who will be eligible for parole from a US Federal prison in 2015.
If I am going to the bother of compiling the binaries, why would I not simply use them, as in Gentoo? If I did either, could I be confident that nothing was missed in my code examination? What about the compiler, the linker, and so on? If I compared results to the distributor's, how would I decide whether a difference indicated a fault in the distributed binary, the source, or simply noise introduced by differences in the two Make environments?
The question ultimately resolves to one of trust: how far shall I trust the kernel and other developers, knowing that they are fallible and conceivably corruptible humans not all that different from me? Should I reckon them more or less trustworthy than those of Microsoft, Apple, or Google? Why?
For that matter, why should I consider as The Guardian, Spiegel, The New York Times, the Washington Post, or even The Register more trustworthy than the US and UK governments and their accomplices in Canada, Australia and New Zealand? I have little personal knowledge of any of them, and all of them, whether government or press, may have motives for shading or spinning the truth. The documents I have seen are worrisome for sure, but are open to a range of interpretations not all of which support a claim that the governments are much interested in imposing a totalitarian regime. But are these documents to be considered trustworthy as given, inasmuch as they have an unverified history that depends on the questionable trustworthiness of a single individual?
So why does Google "hold" a monopoly? They certainly do not force people to type "google" into their web browser or select it as their default home page. My experience, tested every 1 - 2 months, is that search results on Google are never inferior to those on Bing and generally just a bit more precise, and are noticably better than those of Yahoo.
And however much the price comparison sites may whine, I have not found them to be useful and generally avoid or ignore them.
The complaints in both Europe and the US about Google's alleged monopoly abuse amount to classical rent seeking by their less successful competitors.
The referenced article describe things that improve NSA' s and GCHQ's ability to perform their officially stated missions. The fact that they could be used wrongly is not evidence that they are being misused in fact. While I do not doubt that there have been instances of abuse, there seems to be a lack of evidence that it is either common or a matter of government policy.
So yes, it may be time to tune down the hysteria and address the question of how controls are to be put in place to ensure against improper use, since it is most unlikely that either NSA or GCHQ (or any of their counterparts in most or all other countries) will be shut down or have their basic activities constrained in any major way.
For now, I plan to generally follow Bruce Schneier's advice at
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Do not tell the British who lived through the bombings of London, Coventry, and other places that they were not fighting about freedom and defending a way of life. Or those who fought in the French Resistance, or even the Russians who fought on the outskirts of Moscow.
The WW II victors understandably tried to resume their prior colonial roles, but it didn't work out too well on the whole.
Describing systematic killing as a form of democracy is simply incorrect. Assassination and terror may be used, and sometimes have been, by those seeking a democratic regime, but more often have been used by minorities` aiming to impose other types of regime. Regime changes are rarely peaceful and often follow internal or external war, but they do not often reflect anything that can reasonably be described as the "will of the people".
As terrible as they are, I do not think white phosphorus, napalm, or depleted uranium are properly considered chemical weapons. But again, the exact manner of death may not matter much to the victims, and there is great reason to doubt that anyone's intervention in Syria will matter much in the long run - say over a ten year period. Iraq and Afghanistan, Egypt and Libya all suggest that in large parts of the area there are issues that cannot yet be settled politically, and there is not a lot of evidence that US or other foreign intervention is likely to change that.
Didn't mean to suggest totalitarianism as a long term solution. It isn't, and not only because people get numb. And you are correct: in the end, a People is likely to wind up with the type of regime they earn.
However, systematic killing of government officials and supporters, as practiced by various Southeast and South Asian, and Latin American guerrilla insurgencies over the last half century or more is terrorism just as surely as blowing up a car full of explosives in a crowded market. The fact that it may be somewhat differently targeted does not change that.
Those who were caught will be prosecuted for their acts, and if they have a good enough lawyer may be able to argue their way out based on inadmissibility of some evidence. That does seem a stretch, though, since the intercepted data is likely to have been to a non-US person and therefore much less a Fourth Amendment issue. The obvious reason for NSA to insist on parallel construction is to attempt to keep the data collection secret. Now that's no longer an issue, it conceivably could change.
"Why hasn't every paedophile who uses the internet for their twisted pleasure been arrested?"
Maybe because they really are not spying on their own citizens. They say they aren't, and Snowden and his promoters say they are. Is there any reason to believe either group over the other?
Wherever the truth lies, pretty much everyone agrees that NSA should not be "spying" on US residents and GCHQ should not be "spying" on those in the UK. Yet you seem to take the position that since they are presumed to have the capability, they should use it for what you consider good purposes. Paedos now, a huge majority would agree on that, and in the US, there is evidence that there may have been hints given to DEA based on NSA data collection, although the legality of that is somewhat arguable and conceivably could abort some prosecutions.
Despite the clamor about spying on citizens there is not really much evidence of it. The real problem lies in the temptation to use the technical capabilities that NSA (and GCHQ) have developed for an ever expanding "public good". Because the technology is not going to go away, there is a need to ensure that there are appropriate controls on its use.
I am not too sure it matters who, if anyone, used poison gas in Syria. While poison gas is reprehensible and long contrary to the rules of war, it is not entirely obvious, once a victim is dead, that there are b etter or worse ways to arrive at that point. The US has now about a dozen years of hands on military experience in the Middle East and Southwest Asia, and it can be said reasonably that the results are on the best interpretation equivocal. Further stirring the pot in that area seems a bad idea. We didn't when Saddam gassed the Iranians, and we didn't when the previous Assad gassed the Syrians, and I see no reason to go after the new Assad now. Eventually the Syrians will settle their differences, and they (and their neighbors) can pick up the pieces as necessary. It won't be pretty, but war never is, and it isn't clear that US (or NATO, or even UN) action can do much to prettify it.
Terrorism is not either stupid or negative sum. On balance it seems to be working moderately well at the moment to undermine governments in Pakistan, Afghanistan, and Iraq, not to mention various parts of Northern Africa. But there is no requirement that a terrorist commit suicide - that is only a particular tactic. Guerrilla warfare as in Southeast Asia and South and Central America also had significant terrorist components. Governments often will overreact at terrorist acts and further degrade whatever legitimacy they have.
When practiced by an oppressive regime (e. g., the USSR and its East European allies through most of the last half of the 20th century) terrorism also can be a very effective way to keep control.
That said, governments' effectiveness in preventing terrorist acts is doubtful in the extreme, whether with street cameras or communication collection and analysis. In practice, there will be too much noise and too few analysts/too little time to prevent all successful terrorist attacks. Americans would be safer if the War on Drugs were ramped down, a reasonable immigration policy were adopted, and the freed resources were used for ordinary police work, infrastructure maintenance, or other things. It also would help if the US backed off the notion that it can contribute to resolution of every conflict in the world.
It does not violate the First Amendment. Nothing in what has been revealed establishes or affects free exercise of religion, or abridges the freedom of the press, or prevents peaceable assembly to petition the Government. The fact that some people might self censor out of fear that an NSA analyst will see their activities in no way prevents those activities.
It does not violate the Fifth Amendment. What the NSA is doing does not result in holding a person for a capital or infamous crime; it could influence a grand jury toward issue of an indictment, but that's at least one remove from the collection and analysis of data. It does not subject an accused to double jeopardy (although other Federal actions arguably do so), and it surely does not compel any degree of self incrimination. Taking private property for public use also seems a nonstarter.
The weak point seems to be the Fourth Amendment. Things may be a bit less clear, but established law, for about 40 years, has it that telephone metadata such as has been compelled by subpoena from Verizon does not constitute unreasonable search under the Fourth Amendment. The government could be expected to argue that (a) internet metadata collection is not meaningfully different from telephone billing data. There may be issues with collecting all metadata rather than that of a particular group of named individuals, and there may be issues with probable cause; these issues seem not to have been determined yet by courts. As things stand, the best that can be said is that some people feel strongly that this collection exceeds Fourth Amendment limits.
As for the collected content (e. g., email bodies), the government doubtless will argue that collecting and storing the content does not constitute searching or seizure, but that search is done only when the stored data is retrieved for examination by an analyst. They might be able to persuade the courts of that, or in the event they cannot, that the efforts described to ensure exclusion of data that does not have at least one endpoint outside the US are adequate (possibly with further tightening).
Without knowledge of the sites to which posts were attempted, no comment about the claimed censorship is in order. As to the potential damage of potential smear tactics I will offer a couple of observations.
First, allegations of the type suggested are fairly commonplace in U. S. election campaigns going back at least a century. They probably have affected some elections, and occasionally have resulted in resignations of elected officials (e. g., Eliot Spitzer in New York).
Second, it is not completely unreasonable to argue that someone who will cheat on a spouse might also cheat on those who elected him or her, so such claims, if true, address a candidate's character and the question of whether we wish to elect him to a position of public trust and responsibility. It's worth noting that the results of campaign smears have been mixed. Eliot Spitzer is running again for public office, and Anthony Wiener, until faulting again, and again, was a leading candidate for Mayor of New York City.
The NSA and GCHQ (and corresponding Russian, Chinese, and others, of course) probably will lose very little. If they have secret certificate keys that they should not, the additional decryption will not be overly costly; if they have to try to brute force the encryption keys for the data they will, as they doubtless are, direct their efforts based on the metadata. To pull a number out of the air, I suggest it will cost them an additional 10%.
Those who use Tor and email encryption concurrently could draw attention to themselves, however.
Nonetheless, without improvements in decryption technology - algorithms - by many orders of magnitude, they still will be able to decrypt only a tiny sample of encrypted data. Unless, of course, they are able to obtain the private keys that can be used to find out the data encryption key.
In practice, archiving data "forever" will be of no great use, since any actionable intelligence it contains will grow stale. The encrypted data probably will be discarded when "enough" time has passed to guarantee it is "unlikely" to be useful or interesting. I would expect any data that can be tied to Osama bin Laden or participants in major events like 9/11, the Spanish train bombing, or the London underground bombing would be kept forever, and possibly declassified when and if decrypted. Other data likely would be discarded, at least from online query databases, within a few years unless they became "interesting".
As storage costs decline, though, the definitions of "enough", "unlikely", and "interesting" might change in obvious ways.
Exactly why is it "ridiculously high"? The value to a spy of employment at CIA, DIA, NSA, FBI, DHS or others, whether alQaida or other, would be extremely high, and numerous attempts should not be a surprise. Other matters such as poor financial habits and undisclosed sexual activities and preferences that could lead to blackmail possibilities presumably would account for many questionable cases, but a great many of them would self-select out. The attempted moles would not, and therefore would be greatly overrepresented.
Methods a and b (degaussing) render many or most server disks unusable as it also erases the nonrwritable timing; method m (physical destruction) also destroys reusability. As for method d, I believe the DoD instruction (d/l version dated 1997) has been superseded. I seem to recall one that involved 7 overwrites, beginning with all zeroes and followed by all ones, then two pairs of a pattern and its complement, ending with a final overwrite of all zeroes. I think verification of each overwrite also was required. Each bit was changed at least four times, and it took a while on a disk of reasonable size.
Of course, since the disks contained top secret information, the real requirement would be to destroy the disks.
None of the items listed contributes materially to world peace.
* The typical U. S. officeholder or candidate is practically incapable of experiencing embarrassment - e. g., Anthony Weiner. The great revelations doubtless will bring some change, but the degree of such change is not likely to be large, nor is the defense budget likely to be measurably smaller based on shortening NSA's leash. Any shrinkage will result from continuing withdrawal from Afghanistan and general budget negotiations.
* It is well known that one way some governments under stress handle internal problems is by foreign adventurism, as described humorously in the movie "Wag the Dog". The principle is pertinent also the final two items offered as evidence. Not that the US ever would do that, of course.
* It is not obvious whether, or to what degree, non-US clients actually can do better unless they and their data are contained entirely within an area that does not include the US, Canada, Great Britain, Australia, and New Zealand, all of whom participate to a greater or lesser degree in XKeystore data capture; and unless their solution does not involve in any significant way a US company subject to US laws. What are the remaining alternatives? Is China an alternative, or Russia? Switzerland might be a reasonable choice, or Iceland, but can anyone say for sure that NSA or GCHQ don't have taps on the lines there? I don't have a lot of respect for management that thinks placing data outside the US assures them of its integrity.
When I worked a U. S Government agency we had many contractors intermixed with civil service personnel. The contractor staff were, on the whole, as capable and reliable as the civil service employees. Indeed, some felt that because contractor staff could be removed pretty much at will they were likely to be more diligent and careful on average. Civil service personnel are quite difficult to remove for reasons short of criminal activity or insubordination.
There is no valid argument for insisting that only employees can be system administrators. There is, though, a valid argument for insisting that background checks be done by employees, and be done carefully and thoroughly before allowing anyone elevated privileges, especially in a sensitive system. If Booz-Allen performed Snowden's background check, as I have seen reported, it is a management error of the first magnitude, first that the function should be contracted out at all, and second that it should be done by his employer, whose interest in the matter is, to say the least, impure.
Whether Snowden is or is not "brilliant" (my assessment based on what has been shown inclines to the latter), the NSA have been shown to have lapsed seriously in the matter of basic information assurance. Whether that constitutes overall incompetence is uncertain, but it certainly indicates that not enough people were sufficiently attentive, and there doubtless are quite a few who should suffer reassignment or retirement (civilian and military employees), or dismissal (contractor staff).
.
Expose U. S. war awfulness, and diplomatic and NSA activities ... "slows down American Big Brother invasion"
There seem to be quite a few missing steps here; it would be nice if you provided a bit more detail as to just how that follows, or indeed if it does. Bashar al-Assad might be inclined to doubt it.
Most people who paid attention to such matters were completely unsurprised by either set of revelations. And just which invasion would that be?
No dispute about giving it to Barack Obama, though; it ought to be awarded for accomplisments, not speculation based on campaign messages.
So which country's companies to trust? UK (or Canada, New Zealand, Australia, all of them cognizant of XKeystore)? China? Russia? Or do you follow Lars's hint an maintain your own data on site with encrypted offsite storage for DR (and you control the encryption yourself). A possible use of the commercial cloud might be storage of those encrypted files; anything else is more risk than I care for.
Of course they also were Catholic (Maryland) and various flavors of Protestant (Rhode Island, Massachusetts), merchants, artisans, and tradesmen as well as plantation owners. Some were quite opposed to chattel slavery (leading to several anomalous provisions). Who could vote was left to the states, and at the time I think the pressure to extend voting to women was quite limited. And while the upper middle class white males and their issue did fairly well going forward, they had placed no legal restrictions on others and not a few of the well-off in later decades and centuries had humble origins, and not a few of those who immigrated without much in the way of resources have done well also.
The framers (and many others) fought a war between 1776 and 1783 to rid themselves of the colonial tax collectors and oversight, and established the U. S. Constitution as a second attempt at setting up a flexible and extensible framework for governing a large and varied nation. Imperfect, as all things are, it has served most of us well for more than two centuries and I expect it will continue to do so for some time ahead. We'll get by the present problem with government intrusiveness, and probably Larry Ellison too.
That, and also the fact that perfectly good high grade encryption became widely available outside the U. S. The paranoid among us might conclude that export regulations were relaxed to allow weak or backdoor trapped algorithms to swamp the good ones, but that's doubtful.
I think a more accurate description would be that the government is capturing the data, and holding it for a period of uncertain length, that would enable spying on everyone. The entire federal security establishment does not employ enough civil servants and contractors to effectively spy on the entire remainder of the world, or even the U. S. only.
While I am not aware of any significant misuse, the very fact that potentially abusable data is being collected requires that we examine the real controls and possible (but yet publicly unproved) utility of the various programs and modify them accordingly. The potential for misuse is enormous, and police agencies have long been known to exceed proper bounds on occasion.
Email is not secure: Check.
Legal field, on the internet, and don't know that: Check.
Looking at emails, via the NSA, if they feel like: not proved, and the leaked evidence does not support that it is done on anything like a routine basis. The rules say to not do that, and bureaucrats tend to follow the rules. However, it is afer to assume someone will overstep.
Any administrator in an ISP who feels like it: Check.
Encryption is indicated for messages that wouldn't be good on a postcard.
But: mykolab.com does not provide encryption any more than gmail or yahoo do. Encrypt and put the real subject at the top of the body. I use my ISP's email service, encrypt when I think it useful, and hope that a 512 byte key will provide security for as long as I need it. I've had issues sending email while travelling due to ISP restrictions, but never in downloading.
It will be a loss if PJ refuses to allow someone else to pick up Groklaw, although it's hard to imagine anyone doing a better job.
That would be 2776 errors out of how many queries? For an overall error rate of what? The Post inconveniently does not mention that, so the number is effectively meaningless. That number is undesirable, to be sure, but it certainly be more meaningful if put in a suitable context.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
