One thing I see people saying on here is that people should care....and I do...but I don't know _what_ to do with it!
Can someone show/tell me what I, an average person, can do? It feels a bit overwhelming and things like this point out how powerless we really are. I hope I'm wrong and there are things we can do...I just don't know what they are.
EDIT -
Asking two more specific questions:
1. What can we do technically to be safe?
2. What can we do to fight this? Petition Government? Support EFF? Other? Very much at a loss on #2
The problem with making yourself 'technically safe' is that it realistically leaves most non-technical people exposed.
Then let's make everybody safe technically. It's hard, but doable. If everyone ran Tor and 10% of users ran a Tor relay, that should be hell to track, no?
I think you missed the point of my comment. Though running Tor or other technical solutions is possible, getting penetration into the non-techie world is very difficult.
You're proposing a technical solution to a legislative problem. Working with the law (constitutional or otherwise) creates the environment where you aren't trying to work around the issue or 'hide' from anybody.
Privacy laws are there for your protection. As another commenter mentioned, you wouldn't accept the gov't or private corporations reading your mail, e-mail shouldn't be any different.
Whenever I mention libertarian principles on HN I get a mixed response, but this is one situation where we must demand individual rights. We need to elect politicians like Ron Paul who oppose big government intrusions into our privacy. This country is supposed to be a bastion of liberty and we go to war to "protect freedom" and "democracy" and yet we are less and less free every day. When we see articles about Chinese "human rights abuses" many are quick to condemn them and other countries perceived as less free than ourselves. Yet I have observed that the US has been headed in a very totalitarian direction for at least the past decade while China has been headed the opposite way, towards more and more freedom. Yes, the Chinese have filtered Internet today, but in the last century they've moved from Feudalism to Communism to a mixed economy. We have gone from having the most freedom in the world to having a Department of Homeland Security, TSA, NSA, Patriot Act, full-body X-Rays, and country-tapping.
The flip side of course being that libertarians generally oppose the kind of government regulation that could stop this heinous merger from further destroying an already non-classical market.
Ron Paul has a pretty safe seat in the House. It is not practical to expect Americans to elect him president. I believe the OP asked for practical advice.
It is clear from the context what Paul is saying and I don't think anyone who hears him speak for more than 2 minutes will believe he's a racist:
PAUL: Well, I think what you've done is you bring up something that really is not an issue, nothing I've ever spoken about or have any indication that I'm interested in any legislation concerning. So, what you bring up is sort of a red herring or something that you want to pit. It's a political ploy. I mean, it's brought up as an attack weapon from the other side, and that's the way it will be used.
But, you know, I think a lot of times these attacks fall back on themselves, and I don't think it will have any effect because the thing is, is that every fiber of my being doesn't believe in discrimination, doesn't believe that we should have that in our society. And to imply otherwise is just dishonest.
Now you have an excellent opportunity, AT&T wants to merge with T-Mobile. Start a campaign saying that the merger will expose T-Mobile customers to NSA wiretapping. Buy some Facebook ads and start something.
Do you think T-Mobile's spokesperson is going to make a factual correction to that claim, something along the lines of 'don't worry all our customers are already wiretapped?'. Since this will never happen the argument is valid.
Besides using SSH and VPN more, the only thing I can do is avoid ATT.
I was on T-Mobile for years (out of ATT spite) until Verizon got the iPhone and I jumped within the week. I also spent a lot more money on internet using alternatives to ATT DSL (although I doubt my information was more secure from that choice).
I feel the same. What we would need is a telecommunication company that puts the respect of privacy as one of its core goals (think Zappos), and not just in the boilerplate license agreements. Although entering that arena has high entry costs, it seems like a huge demand for such a service exists.
A lot of time has passed, and they have a new CEO. I wonder if they have continued to hold out, or have quietly installed the black-room...
EDIT: I see they were just acquired last year by CenturyLink. I have to doubt that they have now not rolled over (call me a pessimist).
Very sad that corporations are so willing to forsake the privacy of the entire country's citizens (on the level of a constitutional breach) in order to make a dime or curry favor. Beyond sad, it is terrifying that the government then used warrantless wiretapping to specifically target our journalists:
Try doing a traceroute to several different sites on the internet; you'll find that -- so long as your traffic is hitting the US at some point -- your information is crossing AT&T's networks.
This applies to a large majority of traffic in and to, and even through, the United States. Because of the way traffic 'finds the quickest (or best) route possible' you're almost guaranteed to pass through one of their points of presence.
Since this article was published it's likely that other providers were pushed into doing the same thing. If I'm not mistaken, there was even an exec. shake-up at Verizon as a result of them not wanting to concede to the NSA's demands.
If any of the major webmail providers, with millions of active users, offered "brain dead" PGP (i.e., PGP signatures by default, and automatic PGP encryption and decryption whenever possible), many of the others would follow suit and a lot could be done to counter this kind of program ...
... and, furthermore, it would take a huge bite out of spammers and phishers while allowing you to, e.g., talk to your doctor and banker over email without needing to sign in to some other closed service.
For a while, I've liked the idea of a client-side PGP plugin for Gmail. Essentially, you have a greasemonkey (or bookmarklet, whatever) script which performs the encode on send and save draft, and the decode on receive.
Of course, it kills Gmail's big feature, which is search. But for that, I figure you could take the wordlist from the email, hash each one individually, and then paste that at the bottom of the message. So your searches would still find matching messages, they'd just be a garbled mess to Google or any interceptor.
This doesn't seem like it'd be terribly complicated, but I don't think anyone's done it.
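The hashed-wordlist search idea above, as an added example (not code from the commenter or from any existing plugin): it builds the per-word tokens as described, builds a keyed HMAC variant alongside them, and checks which tokens an observer holding only a wordlist could confirm. The message, wordlist, key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample data, not taken from the thread.
MESSAGE = "Meet me at the clinic on Tuesday about the biopsy results."
WORDLIST = ["biopsy", "clinic", "invoice", "passport", "tuesday"]
KEY = b"constructed-demo-key-not-a-real-secret"

WORD = re.compile(r"[a-z0-9']+")
TOKEN_HEX = 16  # truncate each token to 64 bits to keep the footer short


def words(text):
    """Unique lower-cased words of the plaintext, in sorted order."""
    return sorted(set(WORD.findall(text.lower())))


def plain_token(word):
    """Unkeyed hash of one word: the scheme as described in the comment."""
    return hashlib.sha256(word.encode()).hexdigest()[:TOKEN_HEX]


def keyed_token(word, key):
    """HMAC of one word under a secret only the mailbox owner holds."""
    return hmac.new(key, word.encode(), hashlib.sha256).hexdigest()[:TOKEN_HEX]


def footer(text, key=None):
    """Token line to paste under the encrypted body (keyed if a key is given)."""
    make = plain_token if key is None else (lambda w: keyed_token(w, key))
    # Sorting hides word order; it does not hide how many distinct words exist.
    return " ".join(sorted(make(w) for w in words(text)))


def search_hits(query, footer_line, key=None):
    """What the mail search does: look for the query's token in the footer."""
    q = query.lower()
    token = plain_token(q) if key is None else keyed_token(q, key)
    return token in footer_line.split()


def confirmable_without_key(footer_line, wordlist):
    """Words a party without the key can confirm by hashing a wordlist."""
    tokens = set(footer_line.split())
    return sorted(w for w in wordlist if plain_token(w) in tokens)


def demo():
    plain = footer(MESSAGE)
    keyed = footer(MESSAGE, KEY)
    return {
        "search_plain": search_hits("Biopsy", plain),
        "search_keyed": search_hits("biopsy", keyed, KEY),
        "confirmable_plain": confirmable_without_key(plain, WORDLIST),
        "confirmable_keyed": confirmable_without_key(keyed, WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Even with a key, equal words produce equal tokens, so the footer still shows which messages share vocabulary.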
We could use GPG for normal e-mail correspondence. But I really don't know if this would do anything more than delay any problems.
In a similar vein, I've deleted all the trusted root CA certs from my computer, and am now marking individual certs trusted as I hit them. Not fail-safe, but safer, I think.
I don't understand what you're doing. When you get an individual cert, are you adding another trusted authority to verify that cert? If you're just trusting the individual cert, you're exposed to MITM.
Yes, you're exposed to MITM. But if you permanently mark the cert as trusted, and the MITM goes away, you'll know something has changed. You'll be blind as to which way things changed, but at least you'll know to investigate.
Great question! Unfortunately, I don't think you can.
If you use CA certs to trust site certs, the site certs can change on the fly (i.e. be replaced with an NSA interloper) without you knowing.
If you kill your CA certs, and mark individual sites trusted, then at least your browser will notify you if the site's cert has changed since you last trusted it. Theoretically. I haven't actually tested this yet. :(
>In a similar vein, I've deleted all the trusted root CA certs from my computer, and am now marking individual certs trusted as I hit them. Not fail-safe, but safer, I think.
Excuse my ignorance, could you tell me why it's useful to remove the certs from a PC? I've heard about root certs a couple of times already but don't understand what they really are.
Basically if you see a certificate on the interwebs, it goes through and says:
"This particular website is X". And it can back this up with all sorts of fancy math.
The problem then, is how do you know that the particular certificate is correct? I can go through and make a certificate saying that I'm Santa Claus. How you get around that is by using another certificate that you already have, and using that to certify the website's certificate. I.e. if you trust GoDaddy (or the Hong Kong Post Office), and I have a certificate saying that I'm me, signed by GoDaddy, then you can trust that I'm me.
The collection of certificates that you trust are then called the "root ca", and having random certificates there is a problem because if one of them was to produce a forged certificate, you'd never know about it. I.e. by adding in untrusted certificates to your root ca, you lose trust in the whole certificate chain of trust process.
Thanks for the explanation. After taking a look at the certificates that come with Windows, I can see that there are dozens of trusted root certificates, issued by some organizations that I've never heard of. Can I really trust those "root ca"? especially that I noticed some differences between the two PCs that I've checked!
Usually the OS or browser vendor chose them, so it is normal that they differ between computers. But the CA trust chain really sucks, as one compromised CA compromises everything (the security of the system relies on the security of the weakest root CA).
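The per-site trust approach discussed in this sub-thread, as an added example rather than anything a commenter posted: a trust-on-first-use store that pins each site's certificate by SHA-256 fingerprint and reports when a later certificate differs. `PinStore` and its method names are hypothetical, and the two certificate byte strings are constructed placeholders, not real certificates.

```python
import hashlib
import hmac
import json
import os
import ssl
import tempfile
from pathlib import Path

# Constructed placeholder bytes standing in for two DER-encoded certificates.
CERT_A = b"constructed-der-bytes-for-certificate-A"
CERT_B = b"constructed-der-bytes-for-certificate-B"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch a live server certificate with no CA validation (needs network).

    Not called by demo(); shown so the store can be fed real certificates.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Trust-on-first-use store mapping "host:port" to a pinned fingerprint."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = {}
        if self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def save(self):
        # Write to a temp file and rename, so a crash cannot leave a
        # half-written store that silently forgets pins.
        tmp = self.path.with_suffix(".tmp")
        tmp.write_text(json.dumps(self.pins, indent=2, sort_keys=True))
        os.replace(tmp, self.path)

    def check(self, site: str, der: bytes) -> str:
        seen = fingerprint(der)
        pinned = self.pins.get(site)
        if pinned is None:
            # First contact is unauthenticated: if an interceptor is already
            # in the path, its certificate is what gets pinned.
            self.pins[site] = seen
            self.save()
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # The pin is NOT overwritten. The store cannot tell a routine renewal
        # from an interception; it only reports that something changed.
        return "changed"

    def repin(self, site: str, der: bytes) -> None:
        """Accept a new certificate after checking it out of band."""
        self.pins[site] = fingerprint(der)
        self.save()


def demo():
    """Run the store over the constructed certificates; returns the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        site = "example.test:443"  # constructed site name
        store = PinStore(path)
        results = [
            store.check(site, CERT_A),  # nothing pinned yet
            store.check(site, CERT_A),  # same certificate again
            store.check(site, CERT_B),  # certificate swapped
        ]
        # A fresh process reading the file still flags the swap.
        results.append(PinStore(path).check(site, CERT_B))
        # After a deliberate re-pin the new certificate is accepted.
        store.repin(site, CERT_B)
        results.append(PinStore(path).check(site, CERT_B))
        return results


if __name__ == "__main__":
    print(demo())
```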
>Can someone show/tell me what I, an average person, can do?
Get personally involved with your representatives and senators. Write paper letters, call, and show up in person.
Be friendly and talk with other voters at the events you show up to. Educate them on this issue. Abandon party affiliation, work with both Democrats and Republicans.
Is there anything private on HN? The packet headers will still say that you went to HN, and when. The only thing it's blocking directly is knowing your username. That's pretty straightforward to figure out from correlating POSTs to the comment timestamps.
That could be construed as a denial of service attack and would be illegal (or at least in a very murky legal grey area).
Also you seem to have forgotten that most AT&T customers have bandwidth caps in place that would make it difficult for them to run this attack in the first place.
The idea isn't to spew data at AT&T like a DoS, just taint all your boring communication to make them have to sift through more junk. For example, add extra "scary" keywords in your outgoing HTTP headers.
X-Spook: Hamas subversive War on Terrorism Kosovo Delta Force
I am pretty sure it doesn't bother them. They don't actually go through the data, otherwise encryption would defeat the surveillance.
There are many other more useful signals (and the fact that you use encryption is probably one). The goal is to find outliers, not people using scary words
Furthermore it would be probably quite easy for them to filter that kind of "DoS", it is just too simplistic. If you come up with something more clever they probably are interested about knowing more about you anyway.
2. Encrypt everything. Or at least something randomly. Even the NSA will have a hard time cracking AES 256 when large amounts of traffic are encrypted.
So after applying to YC today (worried that I borked my app) I had the following idea - which is an evolutionary idea from the one I applied to YC with, I don't know if this is possible - but I want to throw it out to HN:
I would like to see mobile end-to-end secure communications apps that allow for users to have completely encrypted message passing.
I had the following idea - please tell me if this would work:
You have a distributed truecrypt file system with a client that the users run on their device, and intermediate cloud storage.
Each user device is a "folder" on the file system - messages are effectively truecrypt encrypted files that gave saved out to the remote folder that == the recipient.
The system would notify you that you have a new file that has been pushed to your folder - you can then decrypt and read it.
However - I feel that the weakness would be in the required key/passwd to open the files -- this might not be securable.
It may require that folders between two users have a known password on each end - and that for every contact/recipient you would have to have a separate key (they could be the same value, but still separate) thus a communication looks like this
I think you're trying too hard. There are existing protocols (S/MIME, PGP, Jabber, etc.) for transferring messages in a secure manner. I'd pick the one that fits your scenario and wrap it up in a shiny app.
AFAIK, there are several IM apps that could support encryption, but I don't think they are actually doing so (and if they are, they aren't advertising it). As it is, end-end secure communications is not (I think) on anyone's feature bullet-list.
eh, there exist plenty of things that are nice and shiny.
I can take Pidgin and OTR and with about three minutes worth of "You should click here", have it set up easily enough that even a complete non techy can use it.
The problem is 1) It requires installation and 2) People don't know it exists. (Strangely enough, once it's installed I've never had anybody move back, mostly as Pidgin is a fair amount nicer to use than MSN)
You may be right, however one advantage of this method is that any messages and files are seen as exactly the same: a secure truecrypt encrypted file transfer.
Truecrypt is a container for storing a collection of files. Unless you're interested in the deniability aspects of Truecrypt where an alternate passphrase yields decoy data, off-the-shelf SSL with sufficiently large keys is more than adequate to secure the transport layer. I suspect your biggest challenge there would revolve around key authentication to prevent MITM attacks.
In the context of this discussion, you are talking about creating a crypto solution that prevents the NSA from sniffing your customers. Not a casual packet sniffer, the NSA. This is not the time to be running off and implementing your own crypto!
How do you know that the NSA isn't listening to those? It would seem more appropriate to make public-key encryption easier to use. There are already well-defined ways to use it with email, and there's OTR for IM that could be applied to multiple protocols. Granted, only the contents of the communications are hidden in these cases, but that's a big step forwards.
I know of Freenet and Tor, but haven't heard of Phantom. Because the word 'phantom' returns a huge number of irrelevant Google results, I haven't been able to find the project. Care to throw us a pointer?
This phone doesn't exist because there's not a market for it. I definitely wouldn't buy that. I, like a lot of others, don't have anything to hide from the government so even though I oppose the wire-tapping I'm not going to inconvenience myself to keep arbitrary data and idle chat secure.
> do you ever wonder why there is no consumer hardware PGP telephone?
Not on the analogue phone. But you can easily get a TLS-enabled or ZRTP-enabled hardware or software VoIP phone. Many vpbx providers will also provide you with a vpn tunnel endpoint if you ask about it often enough.
Also, since the analogue phone PSTN interface is pretty trivial to handle, there are a multitude of analogue encryption boxes which work as an adapter to the line. Plug & play. You could even use a pc to compress the voice on one side, encrypt, send over an established modem connection and decrypt on the other side.
You don't need the analogue phone itself to do that at all.
> But you can easily get a TLS-enabled or ZRTP-enabled hardware or software VoIP phone.
In theory, arbitrarily strong/usable encryption products can be marketed within the USA.
In practice, from this list:
A) Usable by non-experts (requires no software fiddling, hardware mix-and-match, or other wastes of time)
B) Based on uncrackable/de-facto uncrackable cryptosystem (One-time pad, Public Key - respectively)
C) Affordable by / marketed to ordinary people
We are permitted to choose only TWO.
>...the analogue phone PSTN interface is pretty trivial to handle, there are a multitude of analogue encryption boxes which work as an adapter to the line.
Analog "scramblers" are a joke. Any seriously-interested party can crack any and all of them without breaking a sweat.
>...use a pc to compress the voice on one side, encrypt, send over an established modem connection...
Sure, you can use a PC. But if you package this up as a pure-hardware solution usable by anyone who already knows how to use a telephone, certain people will take steps to ensure that your product does not stay on the market.
I do not know what the penalty is for violating the "gentleman's agreement" between the NSA and the electronics industry. But I would not care to find out.
Example of a system doing A+B+C -> Skype. You can claim that they have some way to clone the traffic for NSA use - maybe they do, but from the technical point of view - they satisfy the requirements. It also relies on Skype doing proper authentication / identity presentation.
Hardware-only plug & play box will never work here. You actually have to know something about the connection - information provided out of band. And I don't think most people would accept pressing ~150 digits on the pad as an easy solution.
Analog encryption does not end on scramblers and they don't have to be a joke. As mentioned before, put 2 modems together, apply gsm encoding and any digital encryption you want.
There's a lot of FUD here. If you come up with a proper system, black vans will take you away; NSA has gentleman's agreement; your product will disappear from the market; etc. etc. I don't think you can prove any of it and I can't disprove it either, so I'd rather stay with things we can be sure about.
If it doesn't have backdoors now, it will soon. The remote-intercept capability mandate for land line phones is in the process of being extended to all commercial VOIP.
> Hardware-only plug & play box will never work here.
> But the absence of any easy-to-use/uncrackable/provably non-backdoored secure voice phone on the market is proof enough for me.
If you have to worry about being monitored by government, a super secret phone will not help you anyways. If it's worth doing, your room / furniture / clothes / windows are already bugged and all you say will be recorded before it hits the phone. I really think a provably secure phone is a non-issue.
If it's worth doing, you will be caught and tortured. "Extraordinary Rendition."
The worth of the phone is to prevent you from turning into someone who ought to worry in the first place.
Bugging room / furniture / clothes / windows is expensive.
The NSA is known to use voice recognition and keyword search. It is no longer necessary to already be a target in order to be extensively and intelligently eavesdropped on.
How would a phone use an OTP? Would you send the key by carrier pigeon to the guy every time you wanted to make a phone call?
There's absolutely no way to get security without some sort of verification by the user. At the very least, you need someone to verify that the keys are correct "can you read me your phone's security serial?". It shouldn't be too hard to create affordable, usable phones based on PKC. The problem is that nobody cares who listens to their conversations, because it's all "where are we meeting tonight/that movie was shit/i can't believe X did Y".
Public key cryptography seems like the wrong choice for phones, because it's relatively computationally intensive, and you'd want a phone to use the cheapest hardware imaginable. However, there is an alternative that would work.
You can use a symmetric cipher (AES is the current standard), and exchange keys via Diffie-Hellman key exchange, which is a method of securely generating a shared private cipher key over a public channel.
As I understand it, the primary advantage of public key cryptography is that it makes encryption and decryption asymmetric processes - i.e. everyone can encrypt something using your public key, but only you can decrypt it, because only you know your private key. In the phone case, the asymmetry would actually be annoying, because both parties want to send encrypted messages to each other, so you'd have to deal with two key pairs for each phone conversation.
That's how most encryption protocols work now, by exchanging symmetric encryption keys at the start. There are protocols to do this, PGPfone was written in the 90s.
Not sure what your point is, here. I listened to it, and it was very interesting, but the speaker has actually implemented encrypted communications on Android, so he clearly isn't too worried about it being poisoned.
I confess I wasn't living in the US during the last elections, so I only followed the elections from international news sources.
And I have no idea what those names mean (Paul I may have heard about while reading Slashdot).
That also reminds me of that Simpsons episode where the aliens take the place of the Democrat and Republican candidates, and when they discover they are aliens trying to take over Earth, someone shouts that he will vote for somebody else. The alien just says "go ahead, waste your vote" and the guy agrees and feels defeated.
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and Warrants shall not be issued, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Am I missing something? Of course the problem is that it's near impossible get something like this to the SCOTUS. The only real possibility is more whistle blowing.
That is written for you to learn in 5th grade civics class and feel good about your country and your government. But is not for those printing & spending hundreds of billions of dollars.
Oh? I thought it was written by a bunch of guys (these days we'd probably call them "insurgents" or somesuch) who had recently been fed up with a government that was unreasonably searching them, etc., and didn't want it to happen again.
I'm not sure why people are upvoting your comment.
Actually, I do know why. It's a depressing disenchantment with government.
They don't understand that government is not going anywhere, and that government can be as good as it can be bad.
The quote zmblum posted is brilliant, and it is an example of what Good Government is capable of. It is not just for your 5th grade civics class. It's for RIGHT NOW. Read the quote, understand and respect it and its authors, and take action. The government is not just them, it's also you, and sitting on the sidelines being cynical is supporting them.
>The government is not just them, it's also you, and sitting on the sidelines being cynical is supporting them.
One can be cynical without being resigned. Cynicism is recognition of the depth and breadth of corruption and not necessarily equivalent to apathy.
But you're right that the corruption we see in the government is a reflection of our own corruption. The mess we now find ourselves in wouldn't be possible without generations of self-deception, apathy, and twisted values. We let ourselves be conned into building the world that the founding fathers warned us against. We'll likely only wake up when survival itself is at stake.
I think the point is government that is not necessarily led by a single person. Though the president of the US is the 'leader,' he does share power with the Supreme Court and Congress. Just because everyone likes to point to the president when things go wrong doesn't mean there aren't others that share in the blame...
The current problem with the system is that: 1) the Federal government has grown too large, and 2) the US is ruled by only two political parties that are both (at their core) about the status quo and not all that different from each other.
Big government has more chance for corruption because the system ends up growing ever-more complex. Parts of the system that are useless never get culled, they just keep finding ways to retain minimal amounts of relevance, while attempting to maintain or increase their funding levels.
It's harder to have 'good government' when there are more ways for it to fail.
Which is great and fine in a theoretical world. You guys just had your economy blow up. It doesn't matter if it's big or small. It matters if it works. Ignore size.
Ok, so you determine that it isn't working. Then you try to figure out how and why so that you can fix the problem and you find out that it's death by a thousand cuts.
I'm not so delusional to think that there will be some magical shrinking of the government, but you seem to be telling me that it isn't a worthy goal, which I disagree with. You can have the goal of making the government work now while at the same time trying to trim away the useless pieces.
I have no issue with a smaller government. I just don't see how smaller or bigger government are worthy goals IN and OF themselves. It just needs to be working government.
The debate about big vs small govt. is one of many pointless, hand-wavy ideas used to harm your debate.
Is it wrong to point out that something is being used to obfuscate discussion, polarize opinion, and detract from getting a solution?
Joe's Good Governance is Bob's Bad Governance. People fundamentally differ on what the government should do; there's no "right answer" that everyone could agree on if only they'd sit down and discuss it reasonably.
True for debates on Governance, but it can't be completely true for specifics and tactical matters. Matter of fact, it's pretty much the only way you can bring intelligence, experience, vision and ability to bear. True, some things are not clear cut, at which point you can debate.
Besides, even what you said is a sensible start, yet most of America seems far from having a sensible debate about Governance. From outside, everything that happens is twisted into some sort of attack vector for ... I don't know what.
Yes, you're missing something (actually I'm sure you're not). The government has evolved to a state where they've decided they can do anything, anything they want, in the name of whatever they want to use for justification, in the rare case where they deign to justify.
They're not afraid of terror or drugs, they aren't afraid of anything.
The authors of the Federalist Papers were against a specific enumeration of rights because they feared that those would become the only rights that citizens had. They now seem prescient in retrospect.
The Bill of Rights was horrible for America. It turned the Constitution from something where the people tells the government what it can and can't do, into something where the government tells people what bones they get thrown.
I don't think that's fair. Sure, the Constitution is in tatters but without the Bill of Rights I think we'd have lost even more freedom. At least folks have rallied around and protected some elements (guns, religious freedom, free speech to some degree).
In some sense, the Bill of Rights could be considered a premature optimization. Rather than waste time having the people and the government come to an agreement in an agile way, through multiple iterations, on the things the first 10 amendments cover, they just decided to preempt all that debate and bill-making and bill-overturning and list the things that were off-limits. Didn't turn out that way though.
And like all premature optimizations, maybe it wasn't such a good idea.
The problem with the Bill of Rights is that it refocuses grievances from "where do you, the government derive the power to do such things?" to "what fundamental citizen right is being violated in this case?" Which sounds OK but it's just wrong.
The latter question is relevant in terms of inter-citizen disputes like theft, but in terms of government intervention the former is the appropriate one. Unfortunately it's usually the latter that gets asked.
Let's look into the precedents. Modern interpretation used by courts is that automated weapons didn't exist when 2nd Amendment was written.
The same way it will be with email: it didn't exist back then.
It doesn't matter that rifles of the time were the assault weapons of the time and the meaning of "papers" of the time can be extended to email.
It doesn't say a thing about "electronic communications". Which gives prosecutors, the FBI, and the national security state a large opportunity to blow smoke.
The key here is that the data is obtained via a 3rd party. Once you as an individual share any information with a 3rd party you lose any expectation of privacy. In the digital world there are specific carve outs for email, but not much else.
No big surprise here really. So when are we all going to get serious and start using public key cryptography on a mass scale, even if we "don't have anything to hide"?
Well, we have that to the degree most people need it with SSL. Private correspondence doesn't work that way yet because webmail clients don't support it.
What you can do:
1. Support the EFF, CDT and other orgs that work on technology and civil liberties.
2. For truly private data and activity get religion with PGP, TrueCrypt, Tor and other tools. For the non-private stuff, take some sensible measures (see below)
3. Consider sandboxing/compartmentalizing your online activity across disparate ids, browsers, machines, phones and locations. Definitely run Ad Blockers/Filters.
4. Stay current with EFF/CDT and related twitter feeds. There will be another privacy debate at a policy level. Get educated, push for the good guys.
Get with the programme ;) The new hotness in European wiretapping is called the INDECT project. Here's a presentation from CCC where a representative of one of the firms contracted to build it gets into an argument with the assembled hackers during the Q&A. It's pretty entertaining.
The argument that there is some steady march toward tyranny and erosion in our freedoms would make sense if it weren't for the fact that these programs have existed in one form or another since WWII (e.g. http://en.wikipedia.org/wiki/Echelon_(signals_intelligence)).
Furthermore, when, exactly, were the good ol' days, those days from which we are presumably descending into tyranny, when we (all, not just white folk) were truly "free"?
Question: which major carrier(s) are not known (or known not) to do this? T-Mobile supposedly had little evidence against them, but they're being assimilated.
I was walking past the building wondering why they had .mil style no windows for such a large building. Other exchanges I had visited had windows. If we had collectively given the NSA rights to check our data, this would be ok. We didn't give them the rights. Think of the insider trading that could be occurring by corrupt NSA officials.
So? This isn't the equivalent to papers secured in your household, it's data sent over someone else's network. I'm not a huge fan, but saying it's the same as the government walking into your house and examining all your documents is ridiculous.
Either way, call me when someone finds out they can decrypt and examine all the SSL traffic in real-time.
You're somewhat correct in principle (I agree with the major thesis) but largely off-base in the details. Maybe 20/80. Here's why:
Since this is a mirrored copy of their entire backbone, they're also catching traffic to and from peering points. In Mark Klein's deposition[1], he testifies:
> Starting in February 2003, the "splitter cabinet" split (and diverted to the SG3 Secure Room) the light signals that contained the communications in transit to and from AT&T's Peering Links with the following Internet networks and Internet exchange points: ConXion, Verio, XO, Genuity, Qwest, PAIX, Allegiance, Abovenet, Global Crossing, C&W, UUNET, Level 3, Sprint, Telia, PSINet, and MAE-West.
Even if you're completely awesome and use SSL everything (like, say, Gmail), eventually that e-mail you sent is going to find its way from Google's servers to its final destination. That, with almost no exception, is plaintext. If the final destination's MX lives on AT&T's backbone and transits those peers (there might even be more possible scenarios I haven't thought of, such as AT&T selling transit), they are able to copy that e-mail in flight. All of the public information about this case is dated; I can't imagine that the NSA hasn't improved the facilities since.
This is a very specific example, but you get the idea. There are a lot more examples of why this sucks. It's not just your browsing they're catching; there's a shitload of traffic going into that room.
Aside: I'm really surprised this is coming up again. FISAAA mostly and grudgingly killed this story for me in what, 2008? 2009?
>Even if you're completely awesome and use SSL everything (like, say, Gmail), eventually that e-mail you sent is going to find its way from Google's servers to its final destination. That, with almost no exception, is plaintext.
Gmail sends mail out using TLS where available (though I agree with your point).
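Which server-to-server hops of a delivered message actually used TLS can be read back from its Received headers. The following is an added example, not part of the thread; the sample message, hostnames and queue IDs are constructed.

```python
import email
import re

# Constructed sample: hostnames, addresses and queue IDs are made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384)
    by inbox.example.net (Postfix) with ESMTPS id 4F1A2
    for <bob@example.net>; Mon, 02 Jan 2012 10:00:03 +0000
Received: from mail-out.example.com (mail-out.example.com [198.51.100.9])
    by mx.example.net (Postfix) with ESMTP id 9C3D1
    for <bob@example.net>; Mon, 02 Jan 2012 10:00:02 +0000
Received: from laptop.local ([192.0.2.44])
    by mail-out.example.com with ESMTPSA id x12sm345
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Mon, 02 Jan 2012 10:00:01 +0000
From: alice@example.com

body
"""

# "with" protocol types that imply TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
BY_WITH = re.compile(r"\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)")
TLS_NOTE = re.compile(r"(?:using\s+|version=)TLS", re.IGNORECASE)

def hops(raw):
    """Return (receiving_host, protocol, used_tls) per hop, in transit order."""
    msg = email.message_from_string(raw)
    result = []
    # Each server prepends its header, so the oldest hop is last.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m = BY_WITH.search(flat)
        by, proto = (m.group(1), m.group(2).upper()) if m else ("?", "?")
        tls = proto in TLS_PROTOCOLS or bool(TLS_NOTE.search(flat))
        result.append((by, proto, tls))
    return result

def plaintext_hops(raw):
    """Hosts that accepted the message over an unencrypted session."""
    return [by for by, _proto, tls in hops(raw) if not tls]

if __name__ == "__main__":
    for by, proto, tls in hops(SAMPLE):
        print(f"{by:24} {proto:8} {'TLS' if tls else 'PLAINTEXT'}")
```

Received headers are written by each receiving server, so only those added by servers you trust are reliable; anything below them could have been forged by an earlier hop.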
That's only even a problem if they target you. Danger comes when they can target everyone simultaneously and use automated means to find those who match their profile as enemies of an agenda.
Yes, but that's largely useless unless they target you. If they target you, it's likely they have the means to decrypt your traffic. They also have many other means if you are targeted.
The real danger would come if they didn't have to target you and could just mass mine every single encrypted packet.
There was a series of disruptions to fiber coming out of the Middle East and North Africa a few years ago that is probably connected to the same program. (http://goo.gl/apasy)
I'm willing to bet that any anti-trust issues that are brought up will be quietly squashed in the name of (A) campaign contributions and (B) increasing the size of the AT&T dragnet.
The NSA are drowning in data. They have a constantly changing target list from the other intelligence agencies, and whatever crisis is, or will soon be in the news is keeping them quite busy.
They really have more important things to do than monitor the geeks. Unless you come up with some nifty new crypto.
This is literally years-old information. I was aware of and hollering about this at people as a high schooler at debate and speech tournaments. Same thing then as now, no one cares, or those that do care don't care enough.
Besides, who cares if you have nothing to hide. Right?
My father-in-law said exactly that to me. I wanted to reach out and smack him. Unfortunately, it isn't just a "mental copout", either. He is a very intelligent person who has arrived at a conclusion that the government oversight is OK because he has nothing to hide and (I have inferred) he is very afraid of those who do have something to hide.
Ask him if he or someone ever had an issue with someone with power in a company or government. Then ask what the person has in their arsenal when the people with power have a ton of information combined with power.
Although none of us are enamored with North Korea, there was a fair share of atrocities that were committed by UN forces on the NK population and the South Korean government against communist sympathizers in their own country. The Wiki article goes into it in some detail. (No, it doesn't make it OK because "they were doing it".)
(As an aside, I sometimes bitterly contemplate how many great Korean minds were lost in that war because of their personal politics)
War is still war, there were deaths, veterans who weren't the same, etc etc. I'm a child of the 80s, so I can't say I remember the details, but war isn't always a pretty thing. Going by what Wikipedia says (yes, I know it's a single source), the US wasn't exactly smart about how it was handled leading up to the Korean war.
I bet your father-in-law wouldn't take too kindly to Government workers taking a look at his wife naked when they felt like it or recording (if you'll forgive me) their ahem marital moments.
Privacy is a human requirement, as evidenced by the deprivation of privacy as a punishment in prisons, and is much more than protection of those with something to hide.
Privacy seems more like a cultural thing... that doesn't mean that being deprived of it can't be effective as a punishment. In any case, we'd better hope it's a cultural need and not a human need, since it's essentially going away, and I can't think of anything short of the collapse of civilization that could prevent that.
I knew about it too and I am always baffled at the general population's indifference to it.
I guess when you are in debt, about to lose your house, your job, your health insurance, you don't really give a crap if Uncle Sam looks through your emails ... ?
Actually I think it might be when you start to care. When everything's going great you generally don't rock the boat. If everything's going down the tubes though, people get uppity. I.e. We start to examine what it is we love so much about our country and maybe even demand change (ok, maybe I'm getting a little carried away with the whole demand change thing).
Understand that a lack of privacy isn't a problem until it's a problem, e.g. someone has something against you and needs something to wield against you. The government & large corps. will happily use propaganda against you, and it's easier for them to find dirt on you with little to no privacy.
Think of it this way, the average person has something in their past they're probably not happy about that could be misused against them in a political way, if say, they ever wanted to be involved in politics. Enemies will use this, and enemies now have all of the data they want.
Honest question: do you really think they store every piece of communication that flows through the internet, just waiting for some random teenager they spied on to run for president? The way I imagine it the data runs through a lot of filters that look for evil words/phrases/whatever. Those few emails/sms/etc will be stored and sent to NSA analysts. I doubt they care about the usual type of "dirt" you use against people.
I am against the illegal spying, but what you're saying seems like a conspiracy theory.
You say that as if because AT&T was the only bunch of idiots dumb enough to get caught that it's safe or reasonable to assume the VZW and others aren't doing the same.
I used T-Mobile for years because they were the only ones that there wasn't much evidence against, plus I thought the parent company was a bit more credible, but it's all a black box from the user's perspective.
In principle it's quite wrong and scary, but in reality I have to believe the government is too incompetent to actually do anything with their mountains of AT&T collected data.
According to paperwork leaked by Mark Klein, they have/had a "Narus STA 6400" in the room. It's described as a supercomputer that sounds, to my ears, similar to Carnivore. I doubt that they even try to collect (too much data), and instead specifically look for things to grab from the firehose.
Or, according to TIA, compile giant banks of information on every user based on their traffic & purchasing habits. Combine this with your other online data & there's quite a bit on every person.
Yet.
But WE will create the tools that help the government go through reams of data, collate different pieces of information. I think it's actually inevitable that the government reaches that stage.
An even scarier thought is that what if they get access to data 30 years down the line, with vastly more computing power?
(Heck, what happens if someone gets a hold of old tossed out ISP hard drives with logs on them?)
Go rent the movie Brazil. It's a movie about what would happen in a society with strongly defined elites and suffocating bureaucracy, dominated by a fear of terrorism, practicing torture in secret. The information professional class is relatively privileged, although oppressed at the workplace like everyone else. For fun some can snoop on citizens at will. Yeah I know, it's science fiction, but it could happen some day.
The entire plot is set in motion when a fly falls into a mechanical typewriter and causes the government agents to break into the house of Archibald Buttle (instead of Tuttle).
As the problem often lies not in the data leaking out but in the conclusions someone else draws from it, I'm convinced that incompetence and stupidity can only make matters worse.
As for the mountains of data: how many HN'ers for instance would love to climb them for no other reason than to use some BigData tools on them without questioning that cause?
I remember reading that a long time ago.
It actually made me quit AT&T, and every time someone called me, I tend to ask or check their number and tell them, "You're calling me from AT&T; do you know about 'the room'?" A couple of times my friends quit it for the same reason; others don't care. I guess the answer is switch to a different career.
I had a good laugh when I read (think it was Wikipedia) about that room. AT&T was sued over it... they defended themselves by 1) the room does not exist AND 2) this lawsuit should not proceed due to Act of National Security setting aside lawsuit frames. LOOL! I don't know about you -- but to me the first contradicts the second one :)) The judge only decided on count 2) -- that it is indeed NSA involved - so it was dismissed, but if there is NSA then the room exists, hahahaha!!
I think it's reasonable to assume that every North American (and European, etc) carrier does this, so quitting AT&T won't help much. I'm sure there are many other good reasons to leave them, though.
Not the first time US gov has violated US Constitution to spy on citizens..
People forget that the US President that first set a policy for this type of illegal behavior was Roosevelt leading up to WWII. Cable/Wireless companies were pressured by US Gov to record and copy cables sent by US citizens and to send those copies to the US government.
Did not stop terrorism then, will not stop it now..and yet 70 years later and no one has learned.
It doesn't even matter that a company is involved. AT&T could go out of business tomorrow, and the government would lean on someone else to give them what they want.
It's actually the opposite: 1) massive corporate abuse, 2) "Look, over there, the GOVERNMENT!" (which received its direction from behemoth corporations).
AT&T will not go out of business tomorrow. "The government", as you know it, will go. At least it's made of elected officials. Peons don't elect or have any control over large corporations.
AT&T isn't the only one to do this. So long as it isn't used against citizens in criminal trials/etc I don't really care all that much if it helps make intelligence people more efficient.
How would you know that it isn't being used that way? Even if the evidence isn't being used directly at trial, it could sure be used to help 'guess' when a good time to stake out someone's house might be.
Yeah, but if most of the world is doing this wouldn't we be losing a vital ability to "protect and insure interests" of country? In the real honest way and not patriot act bs.
Maybe you guys are just clueless about us having real enemies out there or something. No fucking way is FBI or local law enforcement going to be granted anything from NSA for shit. Because it's unlawful.
Your liberties and freedoms, especially as they relate to the digital medium and AT&T in particular, are very relevant for everyone, including hackers, designers and entrepreneurs.