Always strive to learn something useful. --Sophocles

It was called the Terrorist Surveillance Program, and apparently was superseded by PRISM.

Here's my question. I remember a few years ago a person proposed a program, I believe it was a retired Navy Admiral (are there any other kind? the Navy Admiral bit), and it was called the Total Surveillance Program. Both are TSP. It was rumored after the first TSP (Total, not Terrorist) was shut down that there were efforts to break it in to smaller pieces. I wonder if one of them is the Terrorist TSP in whole or in part.

http://www.npr.org/blogs/thetwo-way/2013/12/21/256101601/new-nsa-documents-make-case-for-keeping-programs-secret

This is pretty funny, actually. Lavabit is a secure email provider: the only people with your crypto keys is you with your public and private keys and the recipient with their public and private keys. The way that this encryption works is that everyone gives their public key to anyone who wants it, but keeps their private key a closely-guarded secret. If I want to send you an email, I get your public key and encrypt the message with YOUR PUBLIC key and MY PRIVATE key. When you receive the email, you decrypt it with MY PUBLIC key and YOUR PRIVATE key. This is an automatic process controlled by the software, and it's almost impossible to crack. And don't ask me how it works, it has to do with generating huge prime numbers, but this is how it works in a nutshell. In fact, it is considered utterly secure and unbreakable: basically with sufficiently large keys, which are easy to generate, it would take computer power running until pretty much our sun goes nova to crack it. I never know your private key, the private key is never transmitted across the internet, so unless you machine is compromised with malware, you're pretty darn secure.

That's how Lavabit worked. Apparently the FBI was on to Snowden before he fled the country and they served Lavabit with a subpoena for all of their crypto keys so they could read this email. Lavabit had no choice but to comply, so they did. They provided the FBI with five SSL keys, each of which are 2,560 characters.

They printed them. In four-point type. Eleven pages of extremely small gibberish. And if you get one character wrong, the key is invalid and can't be used to decrypt messages.

The court was not amused and two months later demanded that he hand over the crypto keys in digital form. That was the day that Lavabit announced that it was shutting down, because once the keys were surrendered, the communications of their customers would no longer be secure.


I think what they did was absolutely brilliant. I'm also sure that the FBI will amend their information demands to state "...in DIGITAL form." The article has a sample page of what they keys look like that were given to the FBI.


http://www.npr.org/blogs/thetwo-way/2013/10/03/228878659/how-snowdens-email-provider-tried-to-foil-the-fbi-using-tiny-font?sc=17&f=1001

Basically, the NSA doesn't want to watch communications on a computer-by-computer basis. They tap backbones, the connections where huge amounts of information flows between internet servers. They tap major ISPs. Your computer? Chump change. If they know what you're saying to other people, they don't really need to tap your computer. And the thing that makes this possible?

Weak routers.

A router takes the packets generated from all of the computers on your network, wired or wireless, aggregates them, and sends them upstream across your connection to another router at your ISP that has a faster connection, which sends them upstream to another router with a faster connection, etc. Eventually your traffic gets to your destination and information comes back, and the routers (also known as hops) between your PC and the server/site that you wanted to access, can deconstruct the information and get it back to its origin. The problem is that routers are not easy to configure, it takes some specialized information, and that if you need to patch it, you risk breaking the configuration. And a broken configuration means down-time, a bad thing.

So most of the time, once a router is working well and the configuration is backed up, it's pretty rare that they're upgraded. The upgrades are risky because a vast majority of businesses don't have a duplicate network set up so that router patches can be tested.

And a router that is not upgraded, just like your computer, is vulnerable to being compromised and exploited.

So the NSA's money is best spent compromising and monitoring the routers upstream of your connection, because there is a lot more information present at that point, so it's more efficient.

Which is not to say that they can't compromise your computer and get in and look at things directly.

There is an old maxim about what defines a secure computer: it's not connected to any communication device, it's turned off, buried in 10' of concrete, and in a locked room with an armed guard. It's highly unlikely that a computer thus secure can be compromised.

http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/

I don't find that the least surprising. It's going to take lawsuits and new elections to shut it down, and even then, can we be sure? This started over a decade ago with things like the Total Information Awareness program, and when those were screamed down, quietly got broken in to little unnoticeable pieces and became things like PRISM.

The interesting thing about this particular article is that Wired hired a research agency to break down votes by how much money each representative receives from defense and intelligence contractors. Not terribly surprising, those who received the most money voted against the amendment. Only one person in the top 10 money recipients voted for the amendment.

http://www.wired.com/threatlevel/2013/07/money-nsa-vote/

And I would suggest that you not bother wasting your time with the comments, they rapidly devolved in to 'a new civil war is coming' and it's all white against black. Where race entered in to this problem I do not know, it's more of a poor vs uber-rich.

In 2006, Mark Klein was working for AT&T in San Francisco and learned about a room that only a very small group of techs had access to that all internet lines passed through. He suspected that it was being used to siphon all data on the internet and pass it to the government. He later learned that similar/identical rooms were installed in other major switching centers across the country.

Turns out he was correct, his suspicions were vindicated by Snowden's release of information on PRISM.

Mark Klein, a retired AT&T communications technician, revealed in 2006 that his job duties included connecting internet circuits to a splitting cabinet that led to a secret room in AT&T’s San Francisco office. During the course of that work, he learned from a co-worker that similar cabins were being installed in other cities, including Seattle, San Jose, Los Angeles and San Diego, he said.

The split circuits included traffic from peering links connecting to other internet backbone providers, meaning that AT&T was also diverting traffic routed from its network to or from other domestic and international providers, Klein said.

That’s how the data was being vacuumed to the government, Klein said today.

“This is a complete vindication,” Klein, a San Francisco Bay area retired man, said in a telephone interview.

http://www.wired.com/threatlevel/2013/06/nsa-whistleblower-klein/

A very cogent take from conservatives in another country as to the PRISM et al surveillance state that was slid in to our country with little knowledge of the citizenry.

I especially liked the first comment: "...ONLY credible suspicion should drive surveillance."

http://www.economist.com/news/leaders/21579455-governments-first-job-protect-its-citizens-should-be-based-informed-consent

Excellent article from the former director of application security at Twitter.

It focuses on several points. First, Federal criminal statute is spread over 27,000 pages. Even the Feds don't know how many laws there are, but it's estimated to be in excess of 10,000. For example, it is illegal to poses a lobster under a certain size. Doesn't matter how you got it, and ignorance of the law is no excuse. It also talks about the sometimes necessity of violating the law to encourage change. In Minnesota, sodomy was illegal until 2001, they recently approved same-sex marriage. If we had 100% effective law enforcement, it would be extremely difficult to get such laws changed because everyone who would benefit from that change would be a branded criminal.

Another: manpower. It used to require law enforcement to commit one or more persons to follow someone. Now we all carry our very own tracking devices, and last year cell carrier Sprint, by itself, responded to 8 million tracking requests from law enforcement. That's pretty much the entire city of New York. It's much easier for law enforcement to relax their standards and be profligate in their information requests since they don't have to invest the manpower resources to follow someone. Myself, I've become tempted to put my phone in to airplane mode just to screw up my tracking data. I have no reason to believe that law enforcement would be interested in me, but I also see no reason to make their jobs easier if they do take an interest. Of course, the question then becomes would me turning off their ability to track me pique their interest in me?

She also mentions license plate scanners. I actually saw those in use in El Paso, 100 miles south of me and a place that we visit every couple of months. If I ever see Phoenix or any of the places that I regularly spend time in getting them, I'm buying one of those LED license plate frames.


I especially like two paragraphs in her conclusion: Some will say that it’s necessary to balance privacy against security, and that it’s important to find the right compromise between the two. Even if you believe that, a good negotiator doesn’t begin a conversation with someone whose position is at the exact opposite extreme by leading with concessions.

And that’s exactly what we’re dealing with. Not a balance of forces which are looking for the perfect compromise between security and privacy, but an enormous steam roller built out of careers and billions in revenue from surveillance contracts and technology. To negotiate with that, we can’t lead with concessions, but rather with all the opposition we can muster..


I was recently discussing this topic with a friend, who is part of the "I have nothing to hide" attitude. He surfs porn on the internet. He's also a teacher. I have no idea what flavors of porn he's interested in, and I'm sure they're perfectly kid-safe. But what would happen to his career if that information were released? It could certainly be a career-ending revelation.

I don't have anything in my computers that I'm particularly ashamed of, including browser history, but I don't want it to become public knowledge. The fact that I have nothing in particular to hide doesn't give law enforcement or anyone else the right to stick their nose in it without probable cause and a search warrant. My laptop is encrypted, so is my desktop and all of my backups, also my iPhone backups which do not back up to the cloud. I will not allow my equipment to be casually examined. I will not go gently in to that good night if they take an interest in me, they're going to have to produce a valid search warrant before I unlock anything.


http://www.wired.com/opinion/2013/06/why-i-have-nothing-to-hide-is-the-wrong-way-to-think-about-surveillance/

http://bruce-schneier.livejournal.com/1211785.html

Edward Snowden broke the law by releasing classified information. This isn't under debate; it's something everyone with a security clearance knows. It's written in plain English on the documents you have to sign when you get a security clearance, and it's part of the culture. The law is there for a good reason, and secrecy has an important role in military defense.

But before the Justice Department prosecutes Snowden, there are some other investigations that ought to happen.

We need to determine whether these National Security Agency programs are themselves legal. The administration has successfully barred anyone from bringing a lawsuit challenging these laws, on the grounds of national secrecy. Now that we know those arguments are without merit, it's time for those court challenges. ...

Do I think Schneier's investigations will happen? Sadly, no. I think Snowden will be pilloried and then we'll end up in an extradition tussle, not unlike Julian Asange. It'll take years, and perhaps there will be enough change in politics that such an investigation can happen.