Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Boundless Informant: the NSA's secret tool to track global surveillance data

Rich Kulawiec rsk at gsp.org
Mon Jun 10 06:46:26 PDT 2013


On Mon, Jun 10, 2013 at 01:30:19AM -0700, x z wrote:
> First of all, I don't feel offended by Jacob's reply to my email at all,
> probably because I know and expect his style of wording. So far I think the
> discussion is still pretty civil.

I concur.  This is what spirited discussion looks like.  It's healthy.

Let's dig in.

> - The PRISM slides do not prove such "direct access" (as we interpret it)
> exists.  [snip]

You're correct.   To take your point further, they don't prove *anything*,
they...well, for lack of a better word, they "indicate".  They point in
a general direction, omitting significant details -- which is of course
why we're debating just what those details are.

But, that said: the NSA (and every other similar agency) has a long
history of engineering for their convenience over engineering for due
process and safeguards.  And certainly "direct access" is far more convenient
for them than multistep processes.  So I think it's pretty safe to say
that the NSA would very much *like* "direct access" if they can get it.
Which leaves us with the question of whether or not they have.  Yet.

> - The firms (Apple, Google, Facebook, etc) do not have any incentive to
> participate in such a program to offer "direct access" to NSA.

Ahhhh, but I think they do.  There's a message I noticed on this list
this morning, which was forwarded from Dave Farber's excellent "IP"
(Interesting People) mailing list and explains one such incentive:

	https://mailman.stanford.edu/pipermail/liberationtech/2013-June/008815.html

> Then, what kind of power do people think NSA possesses that
> can secretly coerce these firms into cooperation?? 

That kind of power.  (see link, just above).  To paraphrase an old
saying, you can get much more with a kind word and a hide nailed to
the wall than you can with just a kind word.

> Will these firm's CEO or Chief Legal Officer go to jail, for not providing
> "direct access"?

Maybe.  See above.  But jail is not the only possible unhappy outcome.
There are other kinds of pressure that can be brought to bear as well.

Consider the set S of {all Cxx executives at all the tech companies
mentioned so far plus the ones involved but not yet mentioned}.

Now consider the number N of members of set S who (a) are in financial
difficulty (b) have a monkey on their back (c) have something in their
past (d) did something dubious on their tax returns (e) failed to disclose
something to the SEC (f) etc.

As the size of set S increases, the probability that N=0 decreases.
And whatever N is, it provides N opportunities for leverage.

I think it's also safe to say that some of those people would do it
merely because they're asked: it appeals to their sense of patriotism.
We might argue that this is wrong, that it violates the Constitution and
thus is about as unpatriotic as it's possible to be; but they would not
agree with us.

And there's another approach: large companies like this are very
sensitive to bad press, or even the possibility of bad press.
None of them want any part of this potential future story:

	"US law enforcement: we could have stopped [name of future
	attack], but Internet giant Blah, Inc. wouldn't cooperate."

Yeah, that's a longshot, but to risk-averse Cxx people, it might be
enough of a nonzero probability to convince them.  (And there's
already a long history of "blame the Internet" narratives, so it
would dovetail nicely.)  Blah, Inc.'s stock would drop a kazillion
points in the minutes after that story broke and thus so would the
personal fortunes of many.  Then there would follow recriminations
and the blame game, board meetings and firings, and in the end,
suitably obedient people would be put in place to make sure that
it never happened again.

> - If all these "participating" firms have built such a system to feed NSA's
> request automatically, many people would have got involved. This is not a
> trivial task, the executives need to find engineers to make it happen. And
> the number of engineers won't be small, given the diversity of data
> mentioned here. 

I think this is the strongest argument in support of your proposition.
I've spent some time over the past few days trying to figure out how
this could be done and haven't yet figured out a method that would be
likely to succeed.

On the other hand, the NSA has had years, billions of dollars, and
thousands of people to throw at the problem, so if a solution within
those constraints exists, they're far more likely to have found it
than I'll ever be.

But let me requote something you wrote:

	"[...] the executives need to find engineers to make it happen."

Not if the executives weren't involved.

The NSA *could* go directly to the NOC engineers, for example, and
there are certain advantages to doing so: for one, these are people
with a lot less wealth and power, thus perhaps more readily manipulated.
For another, these are the people who actually need to do the work --
unlike the Cxx-level people who don't need to be involved.  And by
leaving the Cxx people out of the loop, their subsequent public
denials would be more credible because they'd be sincere.

When's the last time Eric Schmidt racked and cabled a router?

The NSA could also *be* the NOC engineers: planting their own people
would be very useful and I'm certain they have the capability to do so.
That alleviates the need to ask anyone: they can simply be ordered.

That last is pretty much what I'd do if it were my gig.  It would
take time, maybe lots of it, but it'd probably be more effective
than any of the alternatives.  Also cheaper.

Annnnd I'd also, by the way, develop custom lookalike hardware.  (With
the NSA's budget, this could be done with chump change.)  Who's going to
open up a Cisco router and yank a board and look at it closely enough
to figure out that it didn't come from Cisco?

Exercise: search the web for "fake cisco hardware" or "counterfeit
cisco hardware", i.e., it's already been done.  Some of the people
doing it have been caught.  I doubt they all have.

> - I don't know how some people on this list can get the conclusion that the
> firms are hiding something from they all having similar "carefully worded
> denials".

I can't speak for others, but I have a finely-tuned bullshit detector,
thanks in part to Mssrs. Haldeman, Erlichman, Libby, Magruder, et.al.
who provided much of my early education. ;-)

And these denials are setting it off.  I wouldn't call it so much
a "conclusion" as "a very strong hunch". 

> They all deny "direct access", that's the most crucial part.

Yes, they do.  But there is the strong scent of weasel-wording
here, of the denial of one precisely-phrased allegation in a
particular way.  The consistency and specificity of the denials
leads me to think that they've been carefully wordsmithed to
tell the smaller truth...sort of...mostly...kind of...while
scrupulously avoiding telling the larger truth.  As in:

	"A man who tells lies, like me, merely hides the truth.
	But a man who tells half-lies has forgotten where he put it."
		--- Mr. Dryden, "Lawrence of Arabia" 

Maybe I'm wrong.  Could be.  (This is one of the cases where I'd
be happy to be proven wrong -- that is, I hope you're right even
though I think you're not.)  Maybe we'll find out.  I dunno.

---rsk



More information about the liberationtech mailing list