> Assume your adversary is capable of one trillion guesses per second
Jesus, one trillion passphrase checks a second.
Well I know what I'm changing this afternoon.
> My personal desire is that you paint the target directly on my back. No one, not even my most trusted confidant, is aware of my intentions and it would not be fair for them to fall under suspicion for my actions.
Snowden has always had my respect but the more I read the more he has my admiration as a person.
I think it's entirely fascinating how they've been unable to successfully assault Snowden's character. It's like the second go-to move after denying everything, and they still haven't been able to paint him a villain. He's just so damn heroic.
I'm a little skeptical of a survey on Snowden that was commissioned by a cloud storage company.
Pew Research Center & USA Today did a study in January that paints a more nuanced picture: http://www.pewresearch.org/fact-tank/2014/01/22/most-young-a... For example, he's got a lot of support among young people, but a wide majority of Americans believe he should return to the US and face trial.
> For example, a wide majority of Americans believe he should return to the US and face trial.
More than 80% of Americans thought that the invasion of Iraq was the right thing to do, when questioned back in May 2003, and that Saddam had access to WMD. My point is that it doesn't matter what the majority thinks, it matters what's the right thing to do. And speaking about "facing trial" and the US justice system in general, all I can see is that Keith Alexander has not had to answer for his fault of perjury (I've never been to the States, if it matters).
>My point is that it doesn't matter what the majority thinks, it matters what's the right thing to do.
Democracy naturally conflates the two and assumes that what the majority thinks, as expressed through their elected representatives and filtered through some of the Republican checks on raw democratic power, is synonymous with the right thing, or at least the legal thing. It does matter what the majority thinks in the US, because our system is predicated on the belief that majority thought should become law.
Maybe it's worth the risk that the majority will choose something wrong, as long as the majority is allowed to self-govern. After all, it's still government for, by, and of the people if the people codify a law that violates absolute moral expectations, but is widely believed to be the appropriate solution intrinsically.
There is a list of whistleblowers who "went through the right channels" for blowing the whistle. Notice that we don't hear about many (if any) of them in the main-stream media. Sibel Edmond (one of these whistleblowers for the FBI) had some very apropos comments about him.
Legally the case is a slam dunk. Exposing the NSA illegally spying on Americans is noble but only a Presidential pardon will see him back on US soil as a free man.
I'm not convinced that "legally a slam dunk" equates to "fair trial." For example, part of what makes it a slam dunk is that a leaker's reasons for leaking aren't allowed to be introduced as evidence for the jury to consider. It's all perfectly legal, but a lot of people don't consider it fair. The potential distinction between the legal and the fair is one reason we have juries in the first place.
Considering john the ripper has a plugin that can churn out 50k c/s on a gpg key with a mid-tier GPU without specific optimizations, I'd guess a dedicated team of NSA researchers could get the cost for off-the-shelf hardware down to 5000 c/s/$ (based on a $100 GPU running 50k c/s + 10x speedup from engineering effort and specific optimizations), which makes the cost of the raw GPU hardware for a 1 trillion passphrase GPU cluster a smooth $200 million for a civilian assembling in his basement.
Wanna bet the NSA gets volume discounts from nVidia/AMD?
When I saw 1 trillion guesses per second I immediately wondered what algorithm was being referenced. My single GTX 780 hash performance varies wildly by algorithm. A few numbers:
1 trillion hashes/sec on a key stretching algorithm like bcrypt would be pretty horrific and might require quantum computing, while the same performance on MD5 might be achieved with <50k in hardware (very rough estimates).
I've heard rumors of storage technology that can store thousands of petabytes in a home appliance form factor. With that can kind of storage it would make sense to just start making salted rainbow tables. Even without fabled hardware, the Bluffdale NSA facility might have the capacity for it. I haven't even done napkin-based calculations yet to see if this is possible, so if anyone has some idea please speak up :-)
There are several symmetric encryption algorithms to choose from, the default is CAST5 (according to this[1] random mail post). This would only be used to encrypt the private key on disk.
Now I'm curious of the methods of decrypting data in transit. Does the NSA have the tools to break PKI based encryption at 1 trillion guesses/sec? I have some wild guesses, but if anyone knows I'd love to hear it.
>Wanna bet the NSA gets volume discounts from nVidia/AMD?
So you think they're actually using off-the-shelf GPUs for their password breaking? I would assume any operation with a budget like theirs would create their own ASIC chips specifically targeting the algorithms they need to run. We've seen this happen for Bitcoin hashing, so I'm sure the NSA is way ahead of them.
* Sun Microsystems put special instruction into their CPUs to aid in faster decryption efforts.
If I was designing such a system I'd stick a bunch of GOST, AES, SHA256, Blowfish ... brute forcing cores embedded in a small reconfigurable mesh. It would make a very effective multipurpose brute forcing device.
Antminer S2-b4 can do 2 trillion hashes a second and costs 1200 USD[0]. Imagine you are the NSA with tens of billions of dollars to spend on rigs, access to major fabs and you've been attacking crypto for the last 60 years.
Why FPGAs? I though they were much slower, and if you're building out a berjillion nodes you probably don't require the reconfigurability because the problem is known.
NSA has no budget limits with taxpayer dollars - they have a secret budget so the public can never review - what congressional secret hearing is going to turn down a request for more money by them?
1 trillion was TWO years ago. Assume they doubled that by now.
This is incorrect. The entirety of the NSA's budget has to fit "within" the existing government budget. And other departments do use money. So it is not unlimited. Defense and International security assistance is $643B this year [1] not a trillion dollars, and certainly not two trillion.
> If you think you can pinpoint secret project costs in budgets, go find the the X-37B expenditures as an example.
It is in the Air Force budget. It may or may not be a line item. If it is, it uses an unclassified code name. The revenue for the contractors works the same way; the exact revenues for the program are hidden in totals.
With the information they have, what is to stop them from "taxing" the global economy indirectly via the capital markets.
Seems like they could easily set up investment companies anywhere in the world, trading on all sorts of information and funnel those proceeds back to fund more NSA activities.
There's the classic movie plot of the person who devices a virus to skim fractions of a penny off many transactions, which in aggregate is significant. Now take an organization, whose mandate is to collect as much information as they can, has operated for 60 years, and has had the benefit of being attached to the country with the greatest global and political reach ever seen. The possibility to embed themselves in the economic fabric of every country and market in the world is well in the realm of possible.
It's not like funding humint and sigint activities from capitalistic activities is without precedent. Air America was one example [0]. That one mechanism only blew up and became know because it was beyond egregious. Too many average people had knowledge to keep such activities a secret.
Now imagine you have the largest surveillance apparatus in the World and it's the late 1980s. Do you not think that the NSA and CIA took some notice of the incredible amount of money that could be made on money in those days. Pretty much all the activities we have learned the NSA and CIA have been involved with are harder to justify (surveillance, torture, propping up bad governments, etc.) from the perspective of American ideology than making money from capitalistic activities based on information asymmetries.
These are the types of activities that we will only see a whistleblower for if they are finance focused (accountant/auditor/investor) and have broad access to information. Unfortunately, people with intimate awareness of the financial operations of the NSA are far more rare than a security and surveillance analyst like Edward Snowden (since that is the core business of the NSA)
At Enron, a massive multinational organization, the number of people who were truly aware of the shenanigans going only were a tiny fraction of a fraction of the employees. It's safe to assume that when ever any organization gets large enough they invest in financial professionals of great capacity and task them with being creative. Why would would we expect any different from the NSA or CIA?
It would be especially interesting if Laura Poitras and Glenn Greenwald were to connect with and involve freedom-loving financial forensic professionals who have the skills to comb through their trove and uncover questionable financial operations practices (assuming the archives that Snowden had access to were broad enough to include financial details, especially those that concern revenue and not just expenditures.
Even if cost ever became a problem, at some point the value of the information they're able to unveil would pay for itself. Think of the raw value of having advanced knowledge of confidential business and political dealings. What could that be worth?
Makes you wonder how many black ops they could fund through insider trading. Even without specific encryption breaking hardware the scope of NSA's programs would serve equally well to front run essentially any major market move.
How easy do you think it would be to scrape a little cream off the top of the HFT latte when/if you could see everyones source code and/or tap the ingress points on the exchanges?
Even precluding outright "cheats" like above, I can't imagine it'd be hard to beat wall street at it's own games. Prop firms like to buy satellite images of Walmart parking lots and count cars to extrapolate earnings, sounds like a technique the NSA would be in a position to improve upon.
To be fair, that might not be an exact description of the government's capabilities. If I were in Snowden's shoes, I'd provide a benchmark at least an order of magnitude or two greater than I thought was necessary, just out of an abundance of caution.
When ever people talk about password/passphrase checks per seconds, remember that this is heavily depended on what kind of encryption software that you are using and if it is using key stretching algorithms.
For example, luks when creating encrypted partions, checks the cpu in order to stretch the time it takes to decrypt the master key. The faster the CPU, the stronger the key becomes against brute force attacks.
You should still assume it's futile in the end, to be honest; the ultimate surveillance system that may be going on right now is that all encrypted communication and data right now is being stored and catalogued, waiting for technology to be able to do even more calculations. It's said that once quantum computers become usable, a lot of encryption of today is pretty much useless. Even without that, computing power will increase exponentially - what's one trillion passphrases now will be a quadrillion passphrases within the next ten years, maybe in less time given certain advancements or discovered weaknesses in encryption technologies.
I personally don't really care if the NSA gets to look at my private documents, communications and photo's (for example), but if you're privacy-conscious, it's something to keep in mind.
> I personally don't really care if the NSA gets to look at my private documents,
This isn't about you. Do you have a preference of living in a society where the people in power have nearly total thought-level-control over the population? Allowing the state into your privacy may not bother you as an individual, that's fine - but you have to understand that your attitude allows them into all of our thoughts and minds, not just yours if you extrapolate this out into the decades you're talking about.
The total surveillance society is much worse when discussed at a real scale, a societal scale. Not caring about your own privacy means you don't care about others, and that's a dangerous line of thinking.
We form our society and laws around privacy - we're creating new standards and new expectations of rules for the next generations, and I'd rather not create rules that set baseline population control as normal.
Yes. Lots of people seem to miss this point. It's not about your individual privacy, it's about one entity having access to massive amounts of private data. Big Brother has never been more real than it is now. Maybe so far they haven't done anything really malicious with this data, but they could.
> so far they haven't done anything really malicious with this data
... that we know of. Remember J. Edgar Hoover's FBI? He controlled the most powerful politicians in the country, because he knew intimate details about their lives. And that was based mostly on tapping phones. Who knows what kind of control these government agencies are able to exert on representatives with the surveillance apparatus they command today.
Remember, the panopticon works... People grow to fear even considering certain actions when -- right or wrong -- they feel them hopeless. That's thought control right there.
I disagree that it's "a bit much". Maybe in 2014, but we're also talking about the world in 2024... and even today in 2014 I don't think it's a bit much. I think it's normal, day-to-day interactions between populations and those in power.
And that study we know about because they published it. There are many ways for this to happen without us knowing, and clearly the technology and the science is knocking on the door.
There are already things I won't post (or even take!) digital pictures of: my kids in the bathtub. Growing up, all my friends' families had photos of the kids in the bathroom, etc, but now .... I am fearful that such things would be taken out of context as part of a witch-hunt.
The surveillance state, coupled with the Justice Machine (which has no empathy or accountability, it sometimes seems), makes me very fearful to post anything political. We've seen how J. Edgar Hoover persecuted people __because he could__. Imagine if the keepers of secrets were not just patriotic, but actively villainous? There's no way we would know, or be able to hold them accountable for it.
I can't speak to what the poster meant, I just want to emphasize the point that misquoting simply isn't a good practice when people desire a healthy discussion. And yes I do not doubt that you are missing some nuance.
> I personally don't really care if the NSA gets to look at my private documents, communications and photo's (for example), but if you're privacy-conscious, it's something to keep in mind.
Your example, which is absolutely rephrensible in its own right, doesn't really have anything to do with the NSA. I could impersonate you with some pictures and knowledge about your life, and I wouldn't need a FISC court order to do it
this hypothetical me would probably do a lot more research on you beforhand
I just meant to point out that the comment " I personally don't really care if..." is crazy. Of course he would care if anybody started using private, encrypted, documents for purposes he did not approve of.
Whenever Bruce Schneier gets an "I have nothing to hide" from a radio/TV interviewer, he always asks them on-air "What's your salary?". No one ever answers.
"One thing we should all understand is that we are brutally honest with search engines. You show me your search history, and I'll find something incriminating or something embarrassing there in five minutes." -- Mikko Hyppönen
Every time someone says "I have nothing to hide" the downvotes pour in, and it's unnecessary.
"I have nothing to hide" is a perfectly valid and reasonable response to privacy concerns. A lot of people feel that way, because the a lot of people live very boring lives. They legitimately do not believe that they have any secrets that will warrant the attention of the most powerful intelligence apparatus to ever exist. 99% of Americans will never do anything in their lives that holds the attention of any federal agency of any kind. We're all unique, like snowflakes, but very few of us will ever matter at the national level. The numbers just don't work out.
There's very little evidence that the intelligence community has done anything to harm the average citizen with information gained through any kind of surveillance. Some people are going to feel that they have nothing to hide until the government's actions make them feel otherwise. It's a practical and pragmatic point of view for people who aren't interested in the philosophical or the hypothetical.
Commenters who use the phrase aren't saying anything about what level of privacy is right for you, but stating what they feel is right for them. There's nothing wrong or offensive about that, it's a matter of preference not a matter of fact. There are two sides to this issue, and a one sided discussion isn't going to do anyone any good.
"I have nothing to hide" is a perfectly valid and reasonable response to privacy concerns.
No, it really isn't, because we're discussing government policy, something that impacts "we", not "I".
Saying that "you have nothing to hide" is at the very least tremendously selfish, because it carries the implication that policy should be made based on that stance. We're talking about what the NSA is doing to everyone, in contravention of the supreme law of the land. What one person does or does not want is a red herring and not part of the discussion.
So, you assert that you are not and have never committed unpunished felonies and misdemeanors? And you also assert that you not break future laws with current/past data?
Fuck if I know if I committed breaking laws. I don't murder or steal, or any of the common law obvious stuff. But how do I know the age of the girl in that Internet advert that was in a sexual pose: that's a felony under the letter of the law. Or I was given a laptop by a family member. Whoops it was stolen. Misdemeanor.
I'm not a lawyer, and I cannot navigate what is legal or not. And I have to keep track of county, city, state, and federal laws, along with jurisdictional changes ( how dare I go on vacation...).
When something as mundane as breaking a EULA turns into a federal hacking case, you DAMN straight I want my privacy.
Accepting full-scale information collection on every individual also means accepting that any future use of that information may be used to harm you. Things that you do now may not be illegal, problematic or even embarrassing, but if they become any of that in 10 years' time, you now have to face a cache of (originally benign) evidence that can be retroactively applied against you.
You may not care because you feel you have nothing to hide. Fine, most of us don't. You _should_ care because the Government is overreaching their authority.
> I personally don't really care if the NSA gets to look at my private documents, communications and photo's (for example)
When I hear that sort of argument/opinion, I like to reformulate it as follow:
"I personally don't really care if the NSA gets to look at/record my thoughts"
I have a hard time believing anybody would find this acceptable, and yet this is essentially the same as and a logical consequence of the original statement.
Let's not act like Risen is some sort of hero. He publicly railroaded a Chinese-American nuclear scientist (playing up racial fears given tensions with China), publishing false information that led to the scientist's arrest and detainment under 59 counts of crimes against the government, most notably espionage. None of these aside from "improper handling" were found to be true.
What Obama's administration is doing to Risen is horrible, but let's make sure context is clear. Risen is not a good person.
EDIT: I should note there is really no evidence that the improper handling charge was "true." He merely pled guilty to it as part of a plea bargain, probably to appease the prosecutor.
Can you clarify? Both of them took a principled stand and leaked a large amount of sensitive information to journalists they trusted at great personal risk. Both of them had a huge influence on public debate. They are at least comparable.
The argument that I've commonly heard is twofold. One, Manning was in the Army, so lots of his actions fall under military jurisdiction, where the primary concern is not the rights of the accused.
Secondly, Manning dumped a lot of info without knowing what he dumped. Snowden knew what was in the docs he leaked, and he made sure to protect human lives.
That's what I've heard, at least. It seems to make sense to me, but I'm open to having my mind changed if you have a different perspective.
For the life of me, whenever I hear someone call Manning a whistleblower, I cannot ever get the person to articulate exactly what he was blowing the whistle against. It's my understanding that most of what was released was nothing more than embarrassing personal cables that harmed diplomatic relations. Snowden revealed legitimate privacy concerns that the American people had not yet been privy to.
I couldn't off-hand recall anything, either. But a cursory search reveals: "There were hundreds of classified reports of torture, that continued even after the Abu Ghraib scandal."[0]
The diplomatic embarrassment is what made the news, but whose fault is it that -- and who stands to gain from it? People like a good embarrassing story. And I'm sure governments prefer you think of them as having their diary exposed to the public as opposed to the guys paying thugs to torture people.
But that 99.9% (assuming your figure is accurate - I have no idea the proportion of damning vs. embarrassing vs. irrelevant information that was leaked) doesn't make Manning not a whistle-blower.
Unrelated transgender protocol question... When referring to events in the past, do you use the gender the party identifies as now, or the gender they (at least publicly) identified as at the point in time the events occurred? I suspect that might vary from person to person, but in most cases, I expect they would prefer the former...
In this case at least, Manning always felt feminine. It just took a long time to personally work that out. The reason she joined the army in the first place was to make herself more manly, because she already didn't feel like a man at the time.
Snowden was careful and calculating with what he leaked. Manning just grabbed everything she could and released it without regard for the safety of folks involved.
I disagree. Manning gave everything to wikileaks and they (Assange) and the chosen publishers curated it (somewhat badly). Snowden leaked to Poitras and Greenwald and they seem to be curating with much more care.
This is smart because Snowden can't have access to the archive because it isn't safe for him to have a copy whilst in Russia. It is also smart of Greenwald because the USG are looking for any tiny chink in the armour to be able to descredit Greenwald and by association, Snowden. That's why Greenwald has still only released and estimated 1% of the archive. Each release needs to be analysed, reviewed and judged for release before carefully timing the release for maximum impact. Any damage to the safety of US personel on the ground is going to become a propaganda coup for the USG. Greenwald only has his integrity. Once he loses that it is very hard to get it back, which is why I hope he hasn't made a mistake choosing his FirstLook backers.
There was a reason that Snowden chose Poitras and Greenwald over Assange. Firstly he did his research well. He hoped that these two in particular were noble enough for the task. He knew that both were somewhat ostracised from the US and certainly targets for sigint, and both were living outside the US.
Snowden also let slip his opinion of Assange in the NZ-Dotcom presentation. He said:
"I think its wrong of any politician to
take away the public seat at the table
of government and say you'll simply have
to trust us and you know what, its not
in the public interest to know about
these programmes, unless it threatens my
reputation, in which case I'm going to
throw documents in the air like I'm
Julian Assange. No offence there Julian"
Assange and Poitras/Greenwald are substantially different beasts. What is impressive is that Assange would have been Snowden's easy route. Instead he chose two people who had zero knowledge about sigint and no history of dealing with such a leak. What they did have was class and integrity and luckily that won him over.
They don't throw documents in the air like Julian Assange (for personal reasons). The documents should transcend personal issues.
IMO: the snowden documents have shined a spotlight on methodologies, and were released to established journalists. Manning, in contrast, released docs and lists naming names of men and women in the field, a major threat to the wellbeing of an active operative.
I am all for transparent dealings and in principle i agree with both of their actions, but snowden was inarguably more meticulous and conscious of his actions.
In Manning's case those journalists removed the names before publication.
Snowden released a lot of sensitive information to the exact same organisation who decided what to publish. It was essentially just an internal Wiki dump. He didn't personally curate it.
You'll have to cite cases where Manning published the names of people directly which put them at risk. Last I heard everything went through third parties before publication.
Don't need to excuse yourself, obviously the first commenter doesn't know how to hold conversation without being annoying by correcting people with little facts.
The person's gender doesn't matter at all in this case.
You do realize the Obama administration pursued him so hard it pushed the issue all the way to the supreme court which refused to take the case.
Which is why when he refuses to give the name in January after there are no more elections or opinions to matter, he will be put in prison as an example.
After all these years you really think they aren't going to do that to him?
The press will cover it for a week and then something else will come up and he will never be mentioned again.
The press will cover it for a week and then something else will come up and he will never be mentioned again.
A group of news agencies should create a scoreboard of unresolved or forgotten stories of great importance. This scoreboard should be mirrored in different places, and have competing scoreboards hosted by different groups, to prevent ninja editing of its contents. The scoreboard history could be tracked and shared in Git with signatures on every change.
This way, even if the front page forgets and the headlines change, there is an ongoing reminder of everything we should still be concerned about.
I think that kinda ignores the fact that the guy in question is star reporter at the NY Times. There are many media big shots who know this guy personally and aren't going to just let it go.
Somehow these emails were more powerful, personal, and meaningful than all the previous coverage. It's you they are watching and it's you they are watching all the time. Reading these emails I imagine they were addressed to me and there's no way to avoid feeling like you're under a microscope. Even when you snap out of it and remember the emails aren't addressed to you, you then have to remember they apply to you, they could have been addressed to you, and yes, you really are being watched.
I wonder how they "confirm[ed] out of email that the keys we exchanged were not intercepted and replaced by your surveillants." Key exchange is the hardest part.
"The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights that prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause."
Fourth Estate seems very plausible. The idea of the 'Fourth Estate' is that the media (the fourth estate) keeps an eye on the government. Whether this is the intention or the 4th Amendment is the intention, the other of the two is a nice coincidence.
When written as one word, "Citizenfour" as in the movie's title (not sure if he actually used it like that), my first thought was possibly a connection to "carrefour," which is French for a road intersection. The 4th amendment theory seems more plausible, but a crossroads provides some interesting imagery in ralation to Snowden's intentions vs the current course of mass surveillance.
Jesus, one trillion passphrase checks a second.
Well I know what I'm changing this afternoon.
> My personal desire is that you paint the target directly on my back. No one, not even my most trusted confidant, is aware of my intentions and it would not be fair for them to fall under suspicion for my actions.
Snowden has always had my respect but the more I read the more he has my admiration as a person.