Spy agencies target mobile phones, app stores to implant spyware (cbc.ca)
126 points by etimberg on May 21, 2015 | hide | past | favorite | 46 comments



"The case raises questions about whether government agencies, even covert ones, should carry some responsibility for informing citizens of weaknesses they've unearthed in devices, operating systems and online infrastructure"

It should be legislated that when any government agency discovers a security issue, it must be disclosed promptly to software vendors, and then, after it is patched, it must also be disclosed to the public. Accountability is the keyword here. A major security agency must be accountable for the security issues it finds, crazy right? After all, these agencies are supposed to be protecting their own citizens, or one would hope so...


Duh. They do. Not doing that is the same as not revealing, say, a microbe that would be useful for wiping out some disfavored population, or, worse still, genetically engineering such a microbe. The people who make and sell exploits to governments are no better than freelance biologists weaponizing microbes.

It is hypocritical of them to rattle on about "cyber terror" and conduct their own cyber war with the same weapons.


Sometimes I feel we miss the wood for the trees. Spy agencies implant SPYware, not that surprising.

Surely the real story, the original Snowden story, was about PRISM, the way large corporations do the bidding of spy agencies, letting them tap information at the source. This was quickly drowned in a sea of other stories, and is hardly ever mentioned any more.


The real story is that our spy agencies are indiscriminately spying on us with no oversight, despite the fact that they are not supposed to, and that they tell the people who should provide oversight (e.g., Congress) that they aren't.

All of the variations and permutations of that are part of the same story.

PRISM was a particularly egregious example. And US companies are now losing billions/year because people in other countries won't trust data to them. Furthermore it was shocking to me that it was carried out in such a way that the people in charge of the companies were not allowed to know about what was happening inside of their own companies.

That said, nobody has been shouting from the rooftops what I consider the most disturbing part of what I understand about it. And that is that any NSA analyst who wishes to get involved in politics can simply start digging up information on what is happening inside campaigns they don't like, and then can feed it to campaigns they do like. Nobody has to know about it. The campaigns already hire people to follow other campaigns, and those people already get tips. So you've just got a really good anonymous tipster. Think of it as a version of Watergate on steroids with plausible deniability and no physical burglary to leave traces.

But it gets better. According to the interpretation of the Constitution that the NSA operates under, deliberately attempting to find out which NSA agents were looking at Americans is a search of said Americans, which is prevented by the 4th. This is why they could not, by their own rules, tell Congress how many Americans had been accidentally searched.

If my understanding of this policy is correct, then the NSA is operating under rules that mean that they cannot even try to monitor for rogue agents who are doing what I just suggested.

Now let's suppose that we trust 99.9% of NSA agents to be good people, following the internal rules and operating in good faith.

It just takes ONE acting in bad faith to distort our political system. And enough thousands of people have access that I consider it guaranteed that this nightmare scenario is actually happening.

Scared yet?


The story is that agencies that are tasked with foreign spying are spying dragnet-fashion on their own citizens and citizens of allies.


I'd say mass surveillance (dragnet, as you say) is always a bad thing; making distinctions based on the location of people isn't much protection since they already have a way around it: we do it to your people, you do it to ours, and we can "share" intel.

My personal take from the whole Snowden saga was the degree of collusion with "do no evil" tech corporations, something which their PR teams have obviously effectively suppressed.


Yes this is the real story. We expect our spy agencies to spy on enemies, or violent and malicious individuals or organizations out to do us harm.

It turns out they're spying on us. That's a big difference. And it's a problem.


I beg to differ. The real story here is the naiveté of the people at large.


? Quoting the article:

> Respecting agreements not to spy on each others' citizens, the spying partners focused their attention on servers in non-Five Eyes countries,


That's bullshit imho, Snowden's documents showed that GCHQ spied on American citizens & NSA spied on British citizens so that they could bypass the whole "don't spy on nationals" rule.


I clipped the next three words since they didn't seem relevant, but maybe they are: "the document suggests." So some Snowden documents are bullshit and some aren't?


Every Snowden document is authentically what someone in a large and complex organization said. That someone may or may not have had accurate information.

If you've ever talked to 2 co-workers who have a different understanding of a particular decision, then you know the phenomenon.

That said, it would be perfectly plausible that spy agencies could have maintained a policy of, "We will passively collect and analyze all transmissions, including our own citizens" along with one of, "We will actively infect devices, but make an attempt not to be attacking our own citizens in the process."

So it is possible that both documents were completely correct.


All true. Mostly I'm just entertained by how HN resolves apparent conflicts between documents, and which bullet points trump which other bullet points.


Is it acceptable behavior that spy agencies spread malware? I do find that attitude a bit surprising, as sabotage and other active attacks in peacetime were considered outside the operational scope of spy agencies in the past. I do want spies that spy, police that police, and tax collectors that collect taxes. I do not want them, however, to overstep their bounds in the chase of those goals, and I object when they target innocents with military weapons.

Spy agencies should SPY, but spreading malware in the name of spying goes a step beyond spying. A line needs to be drawn somewhere, and what better place than where sabotage begins?


The rhetorical dodge is to say of Facebook (or whoever, doesn't matter), A) pretend that the data they collect is necessary to provide their user facing features and B) a private company that blah blah blah you know where this goes and all sides of the arguments for / against.

I largely agree with where you're coming from. Any cultural shift to bring back data privacy will have to apply to government and to individuals/companies. You can't really have "but it's different when I do it" in a moral standard.


> it appears they didn't alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments' agencies, hackers or criminals.

I don't care if the bug finder is a white hat researcher or a spy working for NSA: It's the writer of the bug who puts the user in danger, not the finder of it.


It's not an either/or. The behavior of the bug finder directly impacts the amount of danger end users are put in.

Selling 0-day exploits also puts the user in more danger.

Posting exploits publicly without attempting to notify the maintainer also puts the user in more danger.

Keeping exploits secret also puts the user in more danger (though less than selling them).


Are journalists drip-feeding us Snowden revelations? Why are these revelations news now, long after the initial disclosure? The same question could apply to any new disclosure.


Yes, http://cryptome.org/2013/11/snowden-tally.htm

Because this leak wasn't a "publish everything at once" leak. Snowden wanted the journalists to decide what to release, and that requires work, which takes time.


Two entire years, though?

It's like they're trying to release them just slowly enough so that public outrage never quite reaches critical mass. They can still trickle all they want, but I would appreciate it if they released these stories a bit more regularly and closer together.


You say that like there is a flow rate that would make public outrage reach critical mass.

I'll contend that if the initial revelations weren't enough to reach critical mass, no rate will. The collective mass of self-serious commentators and politicians triangulate towards citizen apathy.

FFS, we now know without a doubt we tortured people and it didn't reach critical mass. What happened? No war crimes trials, just some blowhards on TV defending the practice to this day.


I suspect it's the other way around - as long as people are not hungry or suffering, critical mass in (most of) the west is impossible; so they drip it slowly to keep it from dying.

When Greenwald started publishing, he said something to the effect of "there's enough publishable material here for the next 10 years or so". Still a long way to go, I guess.


Or helping ensure that each story gets some play in the media vs. one period of outrage and then back to business as usual.


Or different journalists looking to make a name for themselves after the other stories died down


It's almost as if journalism was a business, and Snowden stories were a valuable commodity.


>It's like they're trying to release them just slowly enough so that public outrage never quite reaches critical mass.

That's a good way to generate a 'new normal'. I imagine there's pros/cons of that, but one of the biggest is probably not to be forgotten.


I'm not sure I know anyone using the UC Browser; are most users in China?

According to Wikipedia, it routes all data through a proxy which modifies the data in order to improve performance on mobile platforms (e.g., by using compression). I think that proxy is a much more likely target for attacks than 500 million individual phones.


By now, absolutely everyone knows that using a mobile phone is not secure if you really are trying to keep something safe.


Is anyone else struck by the "banality of evil" aspect to all these internal powerpoint style presentations? These documents are interchangeable with some plumbing and heating supply chain company marketing presentation, except they are spying on the planet.


This sort of thing was lampshaded to hell and back in the Portal games.

On the surface it's a hilarious first-person shooter with a gun that harmlessly puts holes in things in almost exactly the way normal guns don't. Yet it's actually a place where human life and safety is meaningless, where unconscionable acts of terror and horror happen every day (or at least did). And their PowerPoint slides are just awful. It's clear there's a systemic problem in the facility with sustainable testing. Aperture Science may be the most evil corporation ever, and it ends up being funny simply because they're so incompetently banal about it.

It's helpful to remember that giant machines chewing through our world and wreaking havoc on our lives are just side effects of lots of like-minded people working together for a common cause. Teamwork can bring you Star Trek or it can bring you Aperture Science.

There's a moral to be had there, but I'll be damned if I know what it is...


For anyone else wondering about the use of "lampshaded", I believe HCIdivision17 is referring to http://tvtropes.org/pmwiki/pmwiki.php/Main/LampshadeHanging


Absolutely. TVTropes has a real danger of adding its crazy vocabulary to your everyday life, especially on things unrelated to entertainment. (See also Idiot Ball, Fridge Logic, and Forensic Phlebotinum, which may be on topic.)

Really, someone should write up some of these political stories in terms of TVTropes so I can know how I feel about how the plot's progressing. So far it seems like we're in a poorly written mockumentary.


TVTropes tends to drain the specialness from an entertainment product and reveal the generic components. Applying the same lens to politics results in something like "Yes Minister", where we realize government actions aren't caused by "good" or "bad" actors, but by the inherent structure.

Most current crises have a referent in "Yes Minister", including this one - when the PM denied the bugging of an MP's phone. ("He should not have denied something of which he had no knowledge.")

This indicates how few fundamental situations or tensions exist in modern government, and how often they reoccur.


I think you're right on each count. But I also think that there's a lot of benefit from having a vocabulary - even a goofy one - that allows these things to be broken down and understood. On some level it certainly does remove that je ne sais quoi from the topic, but on the other hand it illuminates it somewhat (so long as the terminology isn't too slanted). Even a mild bias isn't bad, since we naturally adjust for rhetorical tone, and it can add a bit of levity to an otherwise tedious discussion (see Phabricator for a nice case study in that).

At any rate, I really like the idea that there really isn't bad people conspiring but just a badly formed/tuned system. (I'm a process engineer, so I suppose that gives me hope where others wouldn't see any.)


Banality of Evil? Come on. Equating SIGINT programs to protect America's interest with the Nazi party is really shrill. I'm no NSA defender, but I believe nations have the right to SIGINT programs to protect their interests. The real question is what implementations and limitations are acceptable.

>These documents are interchangeable with some plumbing and heating supply chain company

Efficiency is universal. PowerPoint-like presentations work in the corporate structure. Memos, emails, etc. are used for a reason. Look at Al Qaeda's job application form; it's bizarrely corporate. Or how Osama Bin Laden's bookshelf is straight out of a HN reading list. Or how drug dealers hire Ivy League finance guys to run operations that, if you didn't know the product, you would assume were selling some boring commodity widget.

There's no James Bond-ish school of super technology or unique processes. Whatever management fads are popular in the business world work their way into government, and that includes intelligence, military, space programs, etc. I'm always a little surprised at how cheap-looking every NASA press conference is and how many technical issues they always seem to have (mic issues, streaming issues, etc.). If there's really a banality of evil, I'd say that's just a subset of the banality of all bureaucracies.

If anything, unique organizations that are successful tend to be extremely rare. Startup culture and other 'progressive organizations' just end up being 'office lite' until they go mainstream/IPO/whatever then they fully embrace becoming a regular office. The only non-trivial organization I can think that is successful and has a unique structure is probably Valve, with its fascinating flat management style.

edit: downvotes for suggesting that maybe the NSA shouldn't be compared to the party that gassed 6 million people solely for their ethnicity? Grow up, HN.


> Banality of Evil? Come on. Equating SIGINT programs to protect America's interest with the Nazi party is really shrill.

Comparisons based on common themes are not the same as holding that the things being compared are equal. The source material for the quote is a general comment upon evil, drawn from a reflection upon Eichmann. It is not a specific comment upon the Nazis, but that normal people doing things that seem perfectly normal (indeed right) to them can perpetuate terrible crimes. The observation goes something like this:

"The trouble with Eichmann was precisely that so many were like him, and that many were neither perverted nor sadistic, that they were, and still are, terribly and terrifyingly normal. From the viewpoint of our legal institutions and our moral standards of judgement, this normality was much more terrifying than all the atrocities put together, for it implied… This new type of criminal… Commits his crimes under circumstances that make it well-nigh impossible for him to know or feel that he is doing wrong" (s.276)

"It was as though in those last minutes [of Eichmann's life] he was summing up the lesson that this long course in human wickedness taught us – the lesson of the fearsome, word-and-thought-defying banality of evil." (s.252)

- Eichmann in Jerusalem: A report on the Banality of Evil. Hannah Arendt.


Yes, in fact that is precisely what I meant.


Remember when the idea of having your communications sifted through by the government you elected was restricted to the actions of the Stasi or KGB in the minds of Americans?


> Equating SIGINT programs to protect America's interest with the Nazi party is really shrill.

Totally agree. Please stop me if I ever do that. Those other kind of SIGINT programs, the ones that attempt to collect every single email and phone call and GPS location and internet search in my life and store it indefinitely, are a little more of a direct comparison though, don't you think?

> Efficiency is universal.

Efficiency is actually fairly hard to come by I think. It's terribly designed presentations with bad clip art, illegible diagrams, and meaningless and redundant process slides that seem to be universal as far as I can tell.


I don't think PowerPoint is bad as much as meetings and presentations in general are bad. PowerPoint is just a tool for that social convention. The real question is why do we continue to have low-information events like meetings and presentations? I think the answer is something the typical INTJ male wouldn't like: because it's how organizations work on a social and political level. The guy running the meeting, if he does a good job, can impress brass, raise his prestige, etc. It's not a productive event in itself, though it may lead to productivity and efficiency if the ideas are sound. Usually, though, they are social events to benefit the careers of certain stakeholders.

The PowerPoint bashing seems silly to me. You guys should be bashing meetings. There's a real forest-for-the-trees aspect here. Amazon bans it, and instead they have everyone read a 6-page memo. Both are terrible if you ask me. 90% of meetings and presentations shouldn't exist. Stop-gap measures to "fix" useless meetings will just re-invent the next PowerPoint.

tldr; the culture of meetings is broken, not the tools


I have been to plenty of productive meetings and plenty of meetings with PowerPoint; however, none of the productive meetings used PowerPoint. So, saying it's directly unproductive seems reasonable.

PS: I would suggest flat out banning it from your meetings. If you want to get your point across, send a document with your presentation in it, and then open up the meeting for questions and answers about that document. Another huge win is to ban 1-hour meetings: 30 minutes or the whole day is fine, but 1-hour blocks tend to become a wasteful default.


>Banality of Evil? Come on. Equating SIGINT programs to protect America's interest with the Nazi party is really shrill.

"America's interests" (an insignificant 4% of the global population) are not the same as the world's interests, and in many cases are directly opposed to them. They also historically involve tons of bloodshed and lots of support for dictatorships and friendly lackeys in power worldwide.

>downvotes for suggesting that maybe the NSA shouldn't be compared to the party that gassed 6 million people solely for their ethnicity?

No, but the US did spray poisonous gas on several million people for other reasons, like "strategic interests" -- and that's 10,000 miles away from their soil. As to what they did on their own soil, this includes the Native American genocide and concentration camps (which Hitler admired), and black slavery.

http://en.wikipedia.org/wiki/Agent_Orange

For the millions of victims of such interventions, including the 200,000 men, women and children vaporized in Nagasaki and Hiroshima, it makes little difference if "Nazis" did it or not. It is, however, a nice scheme to hold up a picture of "pure evil" to make everything else OK by comparison.


> downvotes for suggesting that maybe the NSA shouldn't be compared to the party that gassed 6 million people solely for their ethnicity?

The parent never mentioned Nazis. "Banality of Evil" does not equal Nazis, even if that was the context where you first heard the term.


It is the context for which the term was invented by Hannah Arendt.


Agreed. But the term is often used more generally. It is not equivalent to the Nazis. And I don't believe the parent intended it as such.


>edit: downvotes for suggesting that maybe the NSA shouldn't be compared to the party that gassed 6 million people solely for their ethnicity? Grow up, HN.

I really liked your comment, but I downvoted you; let me explain why. I did so because your first sentence is likely to derail the conversation rather than further it. Yes, the phrase "Banality of Evil" comes from a book on the Holocaust, but CPLX was using it in a more general sense. You seem to agree with this usage when you say:

>If there's really a banality of evil, I'd say that's just a subset of the banality of all bureaucracies.

This is what I understand the banality of evil to mean.



