538 posts • joined 16 Jan 2011
[A]n organisation that takes mugshots plus fingerprints
In the US that would be every Federal, state, or local government agency, every bank, every hospital, and a great many others. Also included would be military dependents and, at their option, military and civilian retirees.
The time for vigilance, arguably, is past.
Re: Look at this and tell me that Samsung don't copy Apple...
OK, did that.
Samsung don't copy Apple.
And for the things Apple whines about it shouldn't matter if they did. It isn't as if they were counterfeiting Apple's products.
Re: The real problem is C
The real problem is an implementation design error, compounded by a coding practice error, combined with apparently inadequate source code review and prerelease testing. It appears that the packet was not expected to be inconsistent, so the protocol did not address the issue. In coding, the possibility of an inconsistent packet was overlooked and suitable action (e. g., discard the packet) was not coded. That could have been caught by a code review, and it could have been caught by rudimentary - and automated - testing of the results of invalid conditions like an internal length specifier implying a length greater than the total packet length.
Mistakes happen, and there is no reason I know of to think that they are either more or less common with open source than closed source software. They are a result of fallible humans doing demanding work, sometimes under time and money constraints and sometimes coming up short.
Re: OpenSSL is open source, most financial institutions don't use open source encryption.
That you know of. Yet.
Smugness by users of closed source products in this context is as inappropriate as similar smugness by open source users when a Microsoft vulnerability turns up. Bug probability in large or complex programs approaches unity.
On the other hand, this one seems of the sort that good programming hygiene and code review should catch before and during implementation.
- If the protocol or other specification leaves unspecified options (especially unstated ones) for the implementor the action to be taken should be documented before or during coding.
- Implementations should include verification that values are within intended limits and are related to other values (also, of course, verified to be within their intended limits). Nothing should be written off as "won't happen" unless it is physically impossible.
In addition, standard minimal testing protocols ought to have caught this early on.
- test program behavior where numeric variables have extremal or out of bounds values as well as a few in the normal/expected range.
- where several variables have a defined or implicit relation, test cases where the relation fails to hold as well as those in which it does.
These are things that I understood all code hackers should be expected to do before they attain journeyman status.
That this appears not to have been done is on the programmer and OpenSSL foundation. That the vulnerability appears not to have been identified and addressed for two years is a bit of a surprise, yet the evidence of use before public notice and release of corrected code seems to be somewhere between weak and nonexistent.
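The two posts above (the reply to "The real problem is C" and this one) describe the same missing check: a length field inside the record was trusted without being compared with the actual record length. What follows is an added example in Python, not code from the posts and not OpenSSL's code. It simulates a heartbeat-style record (type byte, 16-bit declared payload length, payload, padding) followed by constructed "adjacent memory", shows the over-read a trusting handler produces, and then the bounds check a careful implementation makes. The constant 16 is the minimum padding RFC 6520 requires, and the comparison has the same shape as the one added in OpenSSL's fix; the function names (vulnerable_handler, hardened_handler, build_heartbeat) are this example's own.

```python
import struct

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding follow the payload


def build_heartbeat(payload: bytes, declared_len=None,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a heartbeat record. declared_len lets a test construct a lying length field."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + padding


def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Trusts the 16-bit length carried inside the record and copies that many
    bytes starting at the payload, even when that runs past the record itself."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    start = 3
    return memory[start:start + payload_len]  # record_len is never consulted


def hardened_handler(memory: bytes, record_len: int):
    """Checks the declared payload length against the real record length
    (type + length field + payload + minimum padding) before copying.
    Returns None to mean 'discard the record silently'."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None
    return memory[3:3 + payload_len]


def demo():
    """Constructed scenario: a 2-byte payload that claims to be 40 bytes long,
    with unrelated sensitive data sitting right after the record in memory."""
    adjacent = b"SECRET_KEY=hunter2;session=abc123"  # constructed 'heap' contents
    record = build_heartbeat(b"hi", declared_len=40)
    memory = record + adjacent
    leaked = vulnerable_handler(memory, len(record))
    safe = hardened_handler(memory, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler returned:", leaked)
    print("hardened handler returned:", safe)
```

The hardened check rejects the record whenever the declared length, plus the fixed overhead, exceeds what was actually received; an honest record of the same size passes unchanged. The same two tests the post lists, an out-of-range length and a violated relation between two fields, are exactly what demo() exercises.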
Re: NSA credibility?
I did indeed "mean that". It comes down to a matter of trust.
Are anonymous spokespersons for the NSA and DNI worthy of trust? Probably not very much.
Is Michael Riley (whom I do not know) paraphrasing two unnamed sources worthy of trust? Again, probably not very much. And the incorrect and misleading description of the Heartbleed flaw in Riley's article, while irrelevant to the claim about the NSA, still does not engender confidence in the diligence of his research or his (or Bloomberg's) fact checking.
Does any of the sources have a reason to lie or shade the truth? You bet they do, and motives are easily guessed.
Is either claim easy to verify? No.
Is "not very worthy of trust" in the first case roughly comparable and independently indistinguishable from "not very worthy of trust" in the second? I think it is, pending availability of actual evidence.
Re: Did the NSA write this bug?
The hole is not "elegant". It is a programming error.
Unless, of course, you consider the OpenSSL maintainers to be the NSA or in the employ of the NSA.
Seems to me at best a draw. Two unidentified informants say one thing and an NSA spokesperson says something to the contrary. It is far from obvious why one source should be considered more credible than the other.
The most likely reason that most US Government systems were not vulnerable to Heartbleed is that they were using OpenSSL versions earlier than 1.0.1 or, in some cases, were running Windows-based web servers, which do not use OpenSSL. That would include those associated with DoD or other agencies one might think of as involving national security.
OpenSSL versions 0.9.8 and 1.0.0 (not vulnerable) both appear to be actively maintained and so could be used within the government.
The rule of thumb in use (from Brooks's Mythical Man Month, as I remember) is around 5 debugged lines of code per programmer per day, pretty much irrespective of the language. And although the end code might have been a million lines, some of it probably needed to be written several times: another memorable Brooks item about large programming projects is "plan to throw one away, because you will."
Done with some frequency. In the DoD agency where I worked we had mostly Memorex disks as I remember it, along with various non-IBM as well as IBM tape drives, and later got an STK tape library. Occasionally there were reports of problems where the different manufacturers' CEs would try to shift blame before getting down to the fix.
I particularly remember rooting around in a Syncsort core dump that ran to a couple of cubic feet from a problem eventually tracked down to firmware in a Memorex controller. This highlighted the enormous I/O capacity of these systems, something that seems to have been overlooked in the article. The dump showed mainly long sequences of chained channel programs that allowed the mainframe to transfer huge amounts of data by executing a single instruction to the channel processors, and perform other possibly useful work while awaiting completion of the asynchronous I/O.
After reading the Baker/Applebaum/etc. twitter stuff ...
I conclude that Twitter is a really bad way to have a meaningful conversation.
Baker went a bit over the top in the original blog post, but is not alone in that. The "well known fact" that Dual_EC_DRBG has a back door to which NSA has the key might be true, but it also might not be, as far as I have seen reported. Frequent repetition of a statement, by any number of people, does not increase the likelihood that it is true. We know:
- the algorithm was developed with NSA technical help (but the details are publicly known)
- for any instantiation there is an undisclosed number that could be used by one who knows it to find the internal state and therefore be able to predict future values (a patent was issued for that)
- the constants that describe an instance of the DRBG could be produced in a way that discloses the secret number that provides a back door
- it is thought to be computationally infeasible to find out the secret number using the public ones that describe a particular instance of the DRBG
- the source of the constants specified in the NIST description is unknown and might have been the NSA
These facts establish that the NSA might have compromised Dual_EC_DRBG, but they do not alone establish that they did so in fact. They have been known for about 7 years to those interested in cryptography.
Now we also find out that the NSA provided funding to RSA, and that RSA included Dual_EC_DRBG in the bsafe toolkit. I am not aware that the contract has been published, but it is assumed widely to be a government purchase of action to distribute a compromised cryptographic toolkit. That begs the question of whether Dual_EC_DRBG actually is compromised, which depends critically on a fact that we do not seem to know: whether NSA knows the secret numbers that would compromise it.
And that appears to have been Baker's point.
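The post above lists the mechanism in words: anyone holding the undisclosed number relating the two curve points can turn one output into the generator's next internal state. As an added illustration, not part of the post and not the NIST specification, here is a toy Dual_EC_DRBG on a small made-up curve with the state-recovery attack run against it. Everything is constructed for the example: the prime P_MOD, the curve coefficients, the choice of Q, the secret d (P is set to d*Q, which is the relation that makes the back door work), the seed, and the number of truncated bits (2 here instead of the 16 the real generator drops, so the attacker's search is 4 candidates instead of 65,536). The function names are this example's own.

```python
# Toy Dual_EC_DRBG and the Shumow-Ferguson state recovery. Constructed example:
# curve, points, secret and seed are made up and far too small to be secure.
P_MOD = 10007                 # prime with P_MOD % 4 == 3, so sqrt is one exponentiation
A, B = 2, 3                   # curve y^2 = x^3 + A*x + B over GF(P_MOD)
TRUNC_BITS = 2                # top bits dropped from each output (real Dual EC: 16)
OUT_BITS = P_MOD.bit_length() - TRUNC_BITS
MASK = (1 << OUT_BITS) - 1


def is_on_curve(pt):
    if pt is None:            # None is the point at infinity
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def lift_x(x):
    """Recover a point with the given x-coordinate, or None if x is not on the curve.
    Either of the two points (y or -y) works for the attack: d*(-R) = -(d*R), same x."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def make_points(secret_d):
    """Q is the first valid point with x >= 2; P = d*Q is the back-door relation."""
    x = 2
    while lift_x(x) is None:
        x += 1
    Q = lift_x(x)
    return ec_mul(secret_d, Q), Q


def dual_ec_output(state, P, Q):
    """One generator step: s' = x(s*P), r = x(s'*Q); output r with top bits dropped."""
    new_state = ec_mul(state, P)[0]
    r = ec_mul(new_state, Q)[0]
    return new_state, r & MASK


def recover_next_output(out1, out2, secret_d, P, Q):
    """Attacker holding d: enumerate the dropped bits of out1, lift each candidate x to a
    point R = s1*Q, compute d*R = s1*P whose x is the next state s2, and keep the candidate
    that reproduces out2. Returns the predicted third output, or None."""
    for high in range(1 << TRUNC_BITS):
        x = (high << OUT_BITS) | out1
        if x >= P_MOD:
            continue
        R = lift_x(x)
        if R is None:
            continue
        S = ec_mul(secret_d, R)          # = s1*d*Q = s1*P
        if S is None:
            continue
        state2 = S[0]
        if (state2 * 0 + ec_mul(state2, Q)[0] & MASK) != out2:
            continue
        _, predicted3 = dual_ec_output(state2, P, Q)
        return predicted3
    return None


def demo(secret_d=1234, seed=4321):
    """Generate three outputs, then predict the third from the first two using d."""
    P, Q = make_points(secret_d)
    state, outs = seed, []
    for _ in range(3):
        state, out = dual_ec_output(state, P, Q)
        outs.append(out)
    return outs, recover_next_output(outs[0], outs[1], secret_d, P, Q)


if __name__ == "__main__":
    outs, predicted = demo()
    print("outputs:", outs, "predicted third:", predicted)
```

Without d the attacker would have to solve a discrete logarithm on the curve, which is the infeasibility the post refers to; with it, the "unpredictable" third output falls out of two observed ones. Whether anyone actually holds such a d for the NIST constants is exactly the fact the post says is unknown, and nothing here bears on it.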
My $1 says
The NSA (and probably the other Five Eyes agencies) will do nothing at all to suppress or corrupt this. The documents have been made public and probably every one of them is available at least one other place already; there is no undoing that. Moreover, nearly all of those interested in reading them have done that already, saving a copy where possible just in case.
Re: @Trevor Pott
The description here of the Canadian designated judges' actions is quite different from David Frazier's description on the CBC program I heard, of ex parte hearings, decisions as secret as those of the FISC, and CSEC opinion that it does not need court approval for metadata collection.
As I have no direct knowledge, I shall leave it at that except to note that Mr. Frazier is an attorney specializing in matters relating to the Internet, technology, and privacy.
Re: @Trevor Pott
Canada has "designated judges" who meet in secret (in a bunker, according to the CBC program aired in Utah last Saturday) and issue decisions as secret as those of the US FISC. It appears to me that Canada has pretty much the same types of control on CSEC as we have on the NSA.
and http://www.cbc.ca/day6/popupaudio.html?clipIds=2445314567 for the audio.
The first ~half is about FISA, and the remainder about the Canadian analogue.
Governments will be governments.
Re: Will you read the goddam article?!
"... the new/future MS policy of just allowing the police direct access." This is not the policy announced. From Brad Smith's blog:
"Effective immediately, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property from Microsoft, we will not inspect a customer’s private content ourselves. Instead, we will refer the matter to law enforcement if further action is required."
That is, if they think it's a criminal matter they will file a complaint. The police, constrained by the laws, will obtain subpoenas, as necessary to conduct their investigation, for material from Microsoft and other providers.
I never have thought Microsoft a good ethical example to follow. In this case they stumbled badly and deserved to be criticized, but since have modified their stated practice in ways that make it quite unexceptionable. The only nit to pick here is that they don't say what they will do in case a criminal referral is unnecessary.
Re: What morons
"Nobody cares about your e-mail unless you are a terrorist or cyber crim" or offend the owners or managers of your email provider.
Re: Boy I feel so much better now...
As I stated early on in the comment thread, this has nothing at all to do with the NSA. It has to do with Microsoft quite inappropriately assuming police like authority to conduct searches of data stored on their own service that they would have had to seek court approval for if the data were stored by someone else (like, for example, Google).
If the release of the Windows stuff was illegal, they could go to the police, who could get a proper subpoena. If the release was a civil matter, they probably could obtain a subpoena as part of a civil lawsuit. Whichever case applies would work on any email provider, although with a good deal more difficulty if the provider was not in the US. They took a brain dead shortcut because it was Hotmail and they could.
Bad Microsoft. And better Microsoft for confessing error and promising to be better in future.
Well said, indeed. However, while abandoning the US and US companies may give protection from untrustworthy companies and some protection from legal process, it is unlikely to bring much real protection from the signals intelligence activities of various governments, including yours and mine. Most of the attention has been on the NSA and, somewhat less, the UK GCHQ. However, Canada has the CSEC and its own FISC-like secret courts, and I expect that Australia and New Zealand are not much different. Germany, Iceland, and Switzerland seem like they might offer privacy protection against legal process. No matter where data are stored, however, they are potentially vulnerable to extralegal access - by governments, criminals, administrators (e. g., Edward Snowden), and others. Those connected to the internet are potentially vulnerable from anywhere on earth.
My personal conclusion is that information I wish to keep private is best kept on my premises, on either paper or systems that I maintain, protected by a combination of firewalls that I configure, air gaps, and encryption. And I know that if I become a target much of that may be worthless, whether because I have to choose between giving it up and jail or because someone who wants it badly enough (not necessarily my government or any government) can circumvent my technical protections. I think the same is true for companies.
Microsoft seem now, on the third try, to have arrived at a reasonably correct position they really ought to have been able to figure out on the first.
Re: In other words...
@AC: "The guy who was spied upon was not a Microsoft employee, and did not get fired. He was a blogger who got sent secret information from an ex-Microsoft employee, and happened to have an email account on Hotmail."
True enough, but could Microsoft have done to a gmail account what they did with his hotmail account? I do not think so. The earlier comment was incorrect in detail, but the main point certainly was not.
Company owned and operated email for business purposes is one thing, and the company, as the employer, has the right (confirmed, I think, by court decisions) to examine company supplied email accounts that were established for the conduct of company business. The case in point, however, seems to concern a commercial email service that the company provides to non-employees and employees alike as customers. Microsoft's reported actions went well beyond what an employer is entitled to do: they were equivalent to Microsoft searching the gmail account of an employee or contractor.
"We've entered a 'post-Snowden era' in which people rightly focus on the ways others use their personal information ..."
No. Snowden's activity, whether one thinks it good or bad, has nothing to do with this issue. Microsoft's action in this case should, and probably would, have been considered out of bounds 10, 20, or more years ago. If they had a problem with their employee or contractor releasing proprietary information in a way that violated a law they ought to have filed a complaint and let the authorities get whatever warrants or subpoenas might be needed, against services they operate as well as others. They acted like police, but are not, and so earned whatever opprobrium they receive.
However, I expect Mr. Smith expressed his only true concern in the quote at the end of the article: "... companies now recognize this is a market issue for them."
Catching fire after running over highway rubble and crashing at high speed into concrete walls is not exactly "by itself" (Three cases). One of the other two cases, at least sounds more likely to be a problem with the house wiring or outlet rather than the car and its associated equipment. The cause of the mid-February fire in Toronto seems as yet indeterminate, not known to be associated with damage.
So one unexplained fire, one probably an infrastructure problem not Tesla's responsibility, and three associated with severe mechanical damage.
Re: Head to head
The US DoD (at least theoretically) does not allow computers with unsupported operating systems to be attached to any network. I retired from there a couple of years ago and don't know how things are going now, but at the end of 2011 there appeared to be reason for concern.
Re: Head to head @1Rafayal
"Maybe we should have a poll about OSs."
Agreed. It would be especially interesting, too, to see what is happening with private use in the Munich, Germany metropolitan area since the local government has been using LiMux for business.
Re: Head to head - Windoze upgrade
It is an unfortunate truth that in some organizations there are a great many of these applications hiding in dark corners that were developed without IT department assistance (or documentation), were seen as useful by functional managers, some to the extent of becoming "mission critical", and ultimately abandoned by their developers/maintainers due to promotion, reassignment, or retirement. Following a major reorganization and recognition that Windows XP was sundowned, my previous employer identified more than 500 of these "microapps", with a lot of overlapping function and not a few errors.
Re: Head to head
I always thought of ActiveX as a vulnerability to be avoided wherever and whenever possible.
A few random comments
1. From the abstract, Mylar appears to be designed more to thwart industrial espionage than government intelligence operations - except, of course, where the two overlap. It may be useful to those planning cloud based applications, and cloud application providers should wish to provide it or something similar to support their customers.
2. I am a bit suspicious about security of a crypto setup where a value encrypted using one key can be transformed into values encrypted by other keys.
3. More general use of better encryption is not a bad thing, but is not a complete solution to the problem of data security.
4. This will not thwart subpoenas and warrants, although it could change the target for service, which would depend on who controls the key for decryption.
Re: Handy if you have access to all the Twitter accounts..
When did the output of Twitter qualify even marginally as "private" or reading it as "snooping"? No access to "Twitter accounts" would seem necessary.
Schneier to Rometty: "Have you stopped beating your husband?"
No company is immune to court warrants or subpoenas. That said, the numbers of such disclosed by Google, Yahoo, etc., and the numbers of people affected, are not so large as to be very alarming. Although US federal, state, and local governments combined constitute a large fraction of all such requests, they come from a lot of other countries as well.
No company can guarantee its facilities and products are secure against spies, whether they work for a national government or a competitor. The activities of those spies nearly always are illegal.
No company likes to talk much about any of the above. IBM, other US companies, and companies in other countries, even those with no footprint in the US, are not exceptions.
Re: right - 'what's wrong with white middle aged males?'
I call BS. It is not said that Mozilla limits its hiring or software contributions to preferred groups. It is said that one of its employees, exercising a right under the US constitution, contributed money to a political campaign with which Caitlin and his spouse disagreed. The latter decline to provide any assistance to Mozilla, and advocate implicitly that others do the same. And that is their right.
I doubt it will have a measurable effect on the Mozilla Foundation. If it does, well, the trustees were responsible for appointing Eich as CEO and could have considered the possibility; and they deserve part of whatever blame or credit turns out to be due. Notwithstanding the late moaning about NSA oppression, we in the US retain a good deal of freedom to do what we like.
Re: NSA Deputy Director Richard Ledgett: Go To Jail. Go Directly To Jail…
"On the contrary... a great many people, myself included, are saying loudly and plainly: "Disband the spies, police and military, and by all means, bring on the terrorists!"
That is now. In late 2001 the Patriot Act was passed with votes of 357 of the 435 House members (82%) and 98 of 100 Senators (98%) and contemporary polls measured widespread support. Those of us who opposed it either in part or in its entirety were heavily outnumbered and too often silent.
Re: NSA Deputy Director Richard Ledgett: Go To Jail. Go Directly To Jail…
The seemingly endless paraphrase of Benjamin Franklin's observation would carry more weight if, in fact, there were evidence that NSA surveillance activities had resulted in reduction of freedom. Some people might feel inhibited or even fearful, but it is pretty hard to connect the NSA to any government actions like arrest, or worse, that would justify such feelings.
The accusations, here and elsewhere, that NSA failed to prevent the Boston Marathon bombing, or school or theater shootings are spurious. These events appear to have been hatched within the US, and therefore not to have been legal NSA targets. The FBI might have dropped the ball in the Boston case, but it is far from clear that any evidence available ahead of time would have justified an arrest. Unlike NSA employees, FBI agents are armed with weapons and arrest authority. We do not want them arresting people on suspicion that they are planning something bad or based on warnings from foreign police. The events mentioned, tragic as they are, suggest that the US is not a police state.
As for the TEA Party people: they are citizens exercising their constitutional rights under Article I and the first and other amendments to seek office and influence government action as they consider proper. Of course they are trying to take over the government, the same as those now in office, TEA Party, other Republican, Democrat, or Socialist, have done. They have the same right to compete in the political arena as any others. Some might think them crazy, but some others think Democrats are crazy. The notion implicit in this sorry post that they should be suppressed by government action is as anti-American as the worst the NSA stands accused of doing.
Re: Of course it's military... @Titus Technophobe
In all US government agencies every document that is not a public announcement or press release is classified -at least FOUO - For Official Use Only.
And why would seeking privileged credentials be considered anything but normal behavior if you want information about or from a targeted system user (or in many cases, a number of them)?
Re: The truth at last?
I cannot see this as news to anyone except the hopelessly naive and dense. The NSA (like GCHQ, CSEC, ASD, and GCSB, and many others*) is a foreign intelligence agency, doing what such agencies do. It also should come as no surprise that foreign officials are targets - they were, after all the primary targets for such agencies before the moral panic over terrorism added that to their plates.
Contrary to the opinion of US Secretary of State (and War) Henry Stimson and apparently a great many members of the commentariat establishment, gentlemen do, in fact, read each others' mail. Or, maybe likelier, nearly all heads of state are not gentlemen and employ large numbers of non-gentlemen to assist them.
* Others include Subchefia de Inteligência do Estado-Maior de Defesa (Brazil), Bundesnachrichtendienst (Germany), and Directorate-General for External Security (France), to mention a few.
Re: All better now. Rest easy.
-1 for inappropriate language. Microsoft are not the police, let alone the Gestapo, and those who store documents in public places run a risk. They might be able to mitigate that risk with encryption, maybe at the expense of convenience, but it would be better to store the email on private computers to raise the bar against private actors such as (in this case) Microsoft.
Re: re Lionel Baden
I make it out, on the given assumptions as:
2 bytes/sample, and
so 1.32*10^8 * 6*10^2 * 8*10^3 * 2 * 3*10 = 3.8*10^16 bytes, which my calculators assure me is 34,560 TB, rather larger than the 152 TB given, but less than the 152 petabytes that the calculation shown actually gives. Still doable, though, with about 8600x4TB disks.
The unnamed country probably is not the UK. I can think of a number of likely ones, none of them English speaking, European, or American (either North or South).
For those who didn't read the story: misconfiguration, not software vulns. No default unix/linux installation I ever saw had a privileged default user. For years the default windows install gave the default user admin. As far as I know that is true today, although I seem to recall that Vista generated a lot of complaints by deviating from that.
Windows: insecure by default, by popular demand.
Re: @tom dial
"A better way to state the point would be that a random citizen is far more likely to suffer damage from a criminal than from misuse of information gathered by foreign intelligence agencies." - Clearly related, not to your comment, but to the one you were responding to - I overlooked the quotes. It still is a true statement about US/UK/Canada/Australia/New Zealand and quite a few other countries.
As you state, bulk communication surveillance data is of little use in preventing terrorism or any other crime such as child pornography. It is likely to be useful in the investigation of terrorist acts or other crimes after the fact.
Re: Damned if they do, damned if they don't. @Joe
What I never have seen mentioned is that much, if not all, of the general surveillance data really is useful only for targeted investigation of past events, and probably is used only for that. The notion that the security plods sort and process the bulk data or go through the video camera images with facial recognition algorithms to identify plotters and thereby prevent terrorist attacks is pure rubbish. Once they have a clue from targeted surveillance (whether signals or other) the bulk data has obvious uses in identifying the scope of any plot and rolling it up.
The bulk data allows investigators and analysts to look back into the past and see whom a suspect was in contact with and who, therefore, might also be involved in whatever the suspect is believed to be doing or have done. Without it there is much less capability to do that.
The important question concerns what a suspect is believed to be involved in. Bulk data of the type being collected by the NSA and other Five Eyes agencies, and by whoever collects street camera video, is dual use. Use to identify and prosecute terrorists or other criminals may be beneficial; use to identify and persecute political opponents or those with unorthodox political views is unacceptable in a democratic regime.
Controlling use of this information is a difficult problem, more difficult some places than others. In the Five Eyes countries government misuse of bulk surveillance data appears to be quite rare despite the availability of the data. The same is true in the remainder of the EC and a number of other countries, some of them known to collect a good deal of data. These regimes probably merit their citizens' trust, even in respect of bulk surveillance data. In some other countries, governments routinely prosecute or otherwise make life difficult for those with unorthodox political views. We all know pretty much which they are, and although they have not experienced a Snowden event, we can be fairly sure some of them conduct surveillance at least on a par with the worst imaginings about the NSA, and that they use it in ways the US government does not.
Re: Damned if they do, damned if they don't.
@John Smith 19
A better way to state the point would be that a random citizen is far more likely to suffer damage from a criminal than from misuse of information gathered by foreign intelligence agencies. That is especially true in the US due to the antiquated card systems and POS terminals in use, but I know no reason to think the intelligence services in Australia, Canada, New Zealand, or the UK pose a measurable risk to randomly chosen citizens.
It is, of course, completely true that foreign intelligence agencies such as NSA are not purposed to reduce child porn or computer fraud. Indeed, the NSA is not tasked with a large role in identifying or preventing domestic terrorism, mainly a job of the FBI. I do not recall seeing it reported, but it would be unsurprising if the FBI could request queries of the NSA metadata databases.
Re: The "Free" Market, Eh?
The actual need for oil change depends greatly on the way the car is driven. City stop and go short trips pollute the oil rather quickly with harmful combustion byproducts; long distance highway trips at high speed contaminate less but may break down the oil more quickly. The type of oil used also has effects. My car (Honda S-2000) advises me when it needs an oil change. The notification appears to be based on a combination of mileage and type of driving, and possibly other factors. The computing capacity of modern automobiles along with the variety of information available on which to compute would allow for fairly sophisticated algorithms.
Most manufacturers do not require maintenance work to be done by a dealer to maintain in-warranty status, although for some failures they might require you to show that appropriate scheduled maintenance was done. That said, for a new car, the dealer may be more likely to have applicable maintenance bulletins, and I have not noted them to be enormously more expensive than independents (Salt Lake City, UT, USA).
Re: right idea
If New Jersey is like a great many states, Tesla purchasers resident in New Jersey will pay the applicable sales tax in the purchase state unless they buy a transfer tag stipulating that they will remove the car to a different state within a limited period. In NJ they probably will pay a "use tax" when they register the car that, curiously, has the same rate as the sales tax.
Re: Allow me to comment on another country's practices
Tesla has a couple of stores in New Jersey where you can look at, examine, arrange a test drive, and order.
The New Jersey government is bending over (on their citizens' behalf) to good old fashioned rent seeking by the dealers' "guild".
Re: Appropriate Legal Authority
The documentation available publicly, including what Snowden released as well as the Church Committee report and various other items, generally supports a claim that the NSA has been operating in much the same way for at least 40 years and probably 75 or more. Some programs, notably SHAMROCK and MINARET, were terminated on NSA initiative based on an understanding that they probably exceeded what the law permitted. This was done before (by two years in the case of MINARET) the Church Committee hearings that led to the FISA and FISC. The FISA largely set as legal limits the operational practices then in use at the NSA as to data collection, minimization, and dissemination; rather than the court providing a "rubber stamp", this may explain the very high FISC approval rate for NSA actions.
It is unfortunate that FISC deliberations are mostly classified and therefore unavailable for public analysis, but it also is not obvious how it would be feasible in general to declassify FISC arguments and decisions about classified activities and programs.
While the surprise and shock indeed is a bit difficult to understand or justify, Echelon's present analog appears to be XKeyscore rather than Prism, a facility for use in executing data retrieval based on warrants and subpoenas.
Re: "Everyone knows the NSA can legally eavesdrop on foreigners outside US soil"
Much of what foreign intelligence agencies do is legal in their home countries but illegal in the target countries. This is not news.
Re: @tom dial
1. I did not say it was OK (and reread my post to be sure of that); I stated that it was a fact.
2. The NSA (and GCHQ as far as I know) are not the STASI and have no police power, although some possible recipients of their information might have.
3. I was not aware of the incident you describe, but the description indicates no connection to GCHQ, let alone the NSA, although there might be more that could be said about the "intelligence" source. The primary actors appear to have been ordinary police, and I noticed that Ms. Kuntal Patel was arrested and remanded in custody pending court appearance on February 21, at which time her trial date for attempted murder was set. Irrespective of their information source, the police appear to have been doing their jobs to a degree that satisfies UK criminal law standards. A search for the poison, abrin, might be thought in order as it is a rather nasty one.
4. Drug police in the UK probably have had no more success than the US DEA in squashing illegal drug use. That probably is a lost cause, treatable only by legalization and labeling regulation. There is no indication that assistance from the NSA in pinpointing illegal drug trafficking has been noticeably useful, as cocaine and heroin street prices have been declining for years. That is probably much the same for other types of crime, and for GCHQ in the United Kingdom. These agencies (at least the NSA) were not set up to support domestic police forces, and probably do so only at the margins.
"One final note: while the NSA attempts to deny the alleged activity, there's no word on whether it has the capability to perform such tasks in the near future – kept in reserve, just in case."
Of course they do; the leaked docs said so. On the other hand, one might reasonably ask how an agency employing around 50,000 and perhaps a similar number of contract personnel would be able to effectively monitor millions, especially given that many of those personnel are managers, HR staff, security or system administrators, circuit designers/builders, and the like; and why, if they could, the U. S. government would want them to.
Journalists have been remiss, certainly, in not questioning NSA more sharply based on parsing the public statements. But they also erred significantly in failing to evaluate the plausibility of some of the statements they pass on. In other areas, too, they have shown a lack of perspective, or possibly a particular herd-mentality perspective, as exemplified by reporting on the NSA/GCHQ tapping of international fiber. Shocking it may be to some, but it is hardly unprecedented; it is, in fact, the exact equivalent in the early 21st century of what the signals intelligence services were doing with satellite and microwave links in the late 20th century, and with long, medium, and short wave radio transmissions before that, back into the first half of the century. Omitting that fact leads to an appearance that NSA (and associates') activities expanded far more than they actually did, and that their mission grew much more after 2001 than probably was the case. It certainly is true that they are filtering, and thereby examining, a much larger communication stream than 25, 50, or 75 years ago, and that stream unquestionably contains the personal communication data of a far greater fraction of the world's population; but it also may be that they are examining a smaller part of the global communication stream, and that its inclusion of data relating to a billion or two more people is not a goal but a hindrance to attaining their actual objective.
The fact that these activities have been going on for at least three quarters of a century with little in the way of observable oppression suggests that there is not a great emergency. Even the Project MINARET watch list operations, as bad as they were, probably did relatively little damage compared to the actions of the FBI and CIA, and do not seem to have been repeated since. After proper consideration of the facts (and their constituents' wishes) and whatever deliberation they are capable of, the Congress may wish to modify the NSA's mission and authority, or even abolish the agency. Major change seems unlikely, however, given that the 1978 Foreign Intelligence Surveillance Act for the most part enacted into law constraints that the NSA reported as its practice in the 1975 Church Committee hearings, and established the Foreign Intelligence Surveillance Court as an external control.