Moon of Alabama
March 09, 2017

Snake-Oil Alert - Encryption Does Not Prevent Mass-Snooping

The WikiLeaks stash of CIA hacking documents shows tools used by the CIA to hack individual cell-phones and devices. There are no documents yet that suggest mass snooping efforts on a very large scale. Unlike the NSA, which has a "collect it all" attitude towards internet traffic and content, the CIA seems to be more interested in individual hacking.

This suggests that the CIA can not decipher the modern encrypted communication its adversaries use. It therefore has to attack their individual devices.

But it does not mean that the CIA can not engage in mass snooping.

The New York Times description is wrong:

Some technical experts pointed out that while the documents suggest that the C.I.A. might be able to compromise individual smartphones, there was no evidence that the agency could break the encryption that many phone and messaging apps use.

If the C.I.A. or the National Security Agency could routinely break the encryption used on such apps as Signal, Confide, Telegram and WhatsApp, then the government might be able to intercept such communications on a large scale and search for names or keywords of interest. But nothing in the leaked C.I.A. documents suggests that is possible.

Instead, the documents indicate that because of encryption, the agency must target an individual phone and then can intercept only the calls and messages that pass through that phone. Instead of casting a net for a big catch, in other words, C.I.A. spies essentially cast a single fishing line at a specific target, and do not try to troll an entire population.

“The difference between wholesale surveillance and targeted surveillance is huge,” said Dan Guido, a director at Hack/Secure, a cybersecurity investment firm. “Instead of sifting through a sea of information, they’re forced to look at devices one at a time.”

Snake-oil alert: Right diagnosis, wrong conclusion and therapy.

If the CIA breaks into an individual Samsung Galaxy 7 it can record what is typed on the screen, and whatever gets transferred via the microphone, camera and loudspeaker. No encryption can protect against that. But why should the CIA break into only one Galaxy 7?

It is wrong to conclude that the CIA can therefore not "intercept such communications on a large scale". It can. Easily.

If you can break into one individual Samsung Galaxy 7 you can break into all of them. This can be automated.

The CIA also breaks into internet routers and network infrastructure systems. By watching the network traffic flowing by, the CIA (and NSA) systems can "see" who uses encrypted communication. They can then launch programs to silently take over the communicating devices. Then the communication can be recorded from the devices and read in the clear. There is nothing at all that prevents this from taking place on a massive scale.

The reaction to the Snowden leaks about gigantic NSA snooping on internet lines led to an increased use of encryption. Suddenly everyone used HTTPS for web traffic and the user numbers of Signal, Telegram, WhatsApp and other encrypting communication applications exploded.

But encrypted traffic still sticks out. One can detect an encrypted Skype call by watching the network traffic on this or that telecom network. One can detect what kind of end-devices are taking part in a specific call. With a library of attack tools for each of the usual end-devices (iPhone, Android, Windows, Mac) the involved end-devices can be silently captured and the call can be recorded without encryption.

The Times writes: "Instead of casting a net for a big catch, in other words, C.I.A. spies essentially cast a single fishing line at a specific target, and do not try to troll an entire population."

It is right in one sense. There is not one central point in the river of traffic where one casts the net. But it is wrong to conclude that the CIA or other services would then use "a single fishing line". What hinders them from using hundreds of fishing lines? Thousands? Hundreds of thousands?

Wide use of encryption simply moves the snooping efforts from the networks towards the end-devices. It might be a little more expensive to snoop on hundreds of thousands of end-devices than on a few network backbones, but budget or manpower restrictions are not a problem the NSA and CIA have had in recent decades.

To tell users that encryption really restricts the CIA and NSA is nonsense. Indeed it is irresponsible.

The sellers of encryption are peddling snake-oil. The dude from "a cybersecurity investment firm" the Times quotes is just selling his rancid wares.

Your neighbor snoops on your open WLAN traffic? Yes, chat encryption might prevent him from copying your session with that hot Brazilian boy or girl. But it does not prevent professionals from reading it. For that you would need secure devices on both ends of the communication. Good luck finding such.

Posted by b on March 9, 2017 at 19:28 UTC | Permalink

Comments

Bravo b. Very accessible piece.

Similar scenario/circumstance in previous thread.

Re:

For that you would need secure devices on both ends of the communication. Good luck finding such.

For many documented examples re nation States needing, 'Good luck finding such', see:

Crypto AG

Crypto AG is a long established Swiss manufacturer of encryption machines and cypher devices that are allegedly rigged enabling decryption by the US National Security Agency (NSA) and other Western intelligence agencies.

In July 2015, UN Secretary-General Ban Ki-moon endorsed a newly-published report by a UN Panel of Experts into the 1961 plane crash in which Dag Hammarskjöld was killed, and called for a fresh inquiry. The report said the panel had learned that the cryptographic machine used by UN Secretary-General Hammarskjöld had been “intentionally designed” to allow the NSA and “other select intelligence agencies” to listen in...


Posted by: Outraged | Mar 9 2017 20:03 utc | 1

Nice job on rendering the status of this establishment stenography to 'infomercial'. The NYT has to keep its revenue stream up somehow.

Posted by: MadMax2 | Mar 9 2017 20:29 utc | 2

thanks b... excellent info... i have never bought into the encryption software protecting anything.. this is further proof of it.. 'privacy of info' or the 'freedom of privacy' are a joke to these folks.. never thought the gov't under its agencies would drop to such a low level, absent any ethics or morality..

Posted by: james | Mar 9 2017 20:33 utc | 3

Encryption is VERY hard to implement correctly. Those who are good at it will be protected. The rest of us? F#(

Posted by: Dr. Wellington Yueh | Mar 9 2017 20:47 utc | 4

though the headline bugged me for some reason, once i actually read the piece i agreed 100%. the newest "buzz word" in IT is "devops" and a big part of that is automation. it's also a big part of AI and "machine learning" which would make the mentioned "wide net" attacks more feasible.

also worth noting: the "cellebrite" company has listed most major phone models under its umbrella of "forensically feasible" targets. some of this is simple reverse engineering (think of geohotz and his first-ever jailbreaking of an iphone in his garage) and some could be actual collusion between the private and public sector. siemens was involved in the (limited) success of stuxnet and both the US and china have supposedly installed firmware "tools" in routers before they even hit the market.

anyhoo...good work as usual.

Posted by: the pair | Mar 9 2017 21:50 utc | 5

anyway, nothing really important goes through the internet.

Posted by: alain b | Mar 9 2017 21:56 utc | 6

Remedies?

What did the internet security firms know, and when did they know it? Billions of dollars have been spent by unwitting home and business users on internet security? A few enterprising lawyers should file a few class action lawsuits.

And US software firms have no doubt taken another 'hit'. Can investors sue the government for the loss of business opportunities? How can 'sovereign immunity' apply when the government is acting against the interest of millions of its own citizens?

Posted by: Jackrabbit | Mar 9 2017 21:56 utc | 7

We have a technical solution to this, if we could get backing by a hardware company. Here is the relevant proposal:
http://strathprints.strath.ac.uk/59291/

Posted by: Paul Cockshott | Mar 9 2017 21:59 utc | 8

Jackrabbit @7--

"... when the government is acting against the interest of millions of its own citizens" It's high time to revolt, overthrow said government and establish one that works in the interest of its citizenry--not just the elite fraction.

The proof regarding the need for such an action keeps growing daily. Proven beyond all doubt is the fact that the Executive branch of the US federal government has zero regard for the law of the land--NONE whatsoever. Likewise, no major media outlet is providing any such message or documenting and informing its audience.

Posted by: karlof1 | Mar 9 2017 22:31 utc | 9

Unsurprisingly we got no UK govt funding for this research so we were pursuing it with German colleagues who might be thought to have a better chance of having EU govts take the problem seriously, but Brexit has made such collaboration harder.

Posted by: Paul Cockshott | Mar 9 2017 22:32 utc | 10

link

[link corrected - learn formatting HTML- the URL does NOT belong into the link-text field - b.]

Posted by: Paul Cockshott | Mar 9 2017 22:36 utc | 11

Encryption is still better than no encryption. That's the bottom line.

Sure, if the CIA is targeting you - or large numbers of people of whom you might be one - and they break into your phone's OS, then, yeah, encryption won't save you.

But for all the OTHER situations where encryption can save you, i.e., where your adversary isn't a nation-state hacking group, it's worth it.

But the real secret, of course, is not to keep anything you want secret on a phone. Keep it on a computer which is air-gapped from the Internet (and make sure the various air-gap bypasses can't be done in your environment.) And even more importantly, make sure the CIA has no reason to surveil you in the first place, either as an individual or a member of a group they might be interested in.

Posted by: Richard Steven Hack | Mar 9 2017 22:50 utc | 12

Wikileaks press conference released today:
https://www.youtube.com/watch?v=W8FkAm-1E1w

See also:
Congress Created a Monster
by Andrew P. Napolitano, March 09, 2017
http://original.antiwar.com/andrew-p-napolitano/2017/03/08/congress-created-a-monster/

Posted by: Krollchem | Mar 9 2017 22:55 utc | 13

@9 Damn right. Now if we can just get students to stop texting for 5 minutes.

Posted by: dh | Mar 9 2017 23:05 utc | 14

FBI Director Comey talks strong Crypto, silent on Wikileaks (Mar0817-Threatpost Blog)

CHESTNUT HILL, Ma.—FBI director James B. Comey today revived the Going Dark discussion during a keynote address at the Boston Conference on Cyber Security, saying it’s time for an adult conversation on the prevalence of strong encryption and how it hinders criminal and national security investigations...

An interesting comment on the piece:

Mr. Comey starts out by asking for an adult conversation…and then reverts to the puerile and disingenuous argument that encryption is somehow a magic bullet that makes all other investigative means infeasible and grants “absolute” privacy. No, someone does not have an “absolute” right to privacy…in fact, no rights are “absolute.” But while a person has no absolute right to not being killed by their government…say, if they were holding hostages and were shot by a sniper to save other lives…that does not mean that law enforcement should be able to kill randomly and with impunity either.

Crypto does not grant absolute privacy, and it’s time that law enforcement stopped lying to us with the pretense that it does. In fact, the increasingly digital nature of our society has given them better and faster ways of doing their jobs than ever before; everyone with a smartphone has a tracking device that leaves a trail of their movement, for example. License plate readers track the location of cars in every metropolitan area. Crypto does not obviate any of this; it’s nothing more than a slight limiter on one aspect of investigations.

Comey, like others in his profession, needs to stop stomping his feet and whining that he’s not having his cake and eating it too.

Also, Anonymization, TOR, Encryption, hoarding instead of responsibly divulging 'hacks':

DOJ dismisses Playpen case to keep TOR Hack private (Mar0617)

Intent on keeping details private about how it hacked the Tor browser, prosecutors with the U.S. Department of Justice on Friday asked to dismiss a case involving a suspect who visited the Playpen dark web child pornography site in 2015.

“The government must now choose between disclosure of classified information and dismissal of its indictment,” Annette Hayes, a US attorney, wrote in a court filing (.PDF) on Friday. “Disclosure is not currently an option.”...

The vulnerability, which existed on Windows, MacOS, and Linux, was patched in both browsers through an emergency update.

Developers with Tor are readying a sandboxed version of the browser, something that should help thwart future de-anonymization attempts, be it by attackers or the government, going forward.

Posted by: Outraged | Mar 9 2017 23:18 utc | 15

Damn It! Paul Cockshott #11

You screwed up the formatting for the rest of this thread with your long URL posted as is.

This makes reading through the comments extremely difficult if not next to impossible.

Read and learn to use Allowed HTML Tags: b has conveniently posted on
the right hand side of the Post a comment located at the end of every thread.
You can link using (< A HREF="http://www.aclu.org/">Link to ACLU → Link to ACLU ) Tag.
Just substitute the URL with yours and the "Link to ACLU" with whatever title you prefer.

Try it with a test and then you'll know it for future reference.

Thank you.

Posted by: juannie | Mar 9 2017 23:24 utc | 16

So it's probably unrealistic to think that the mass of internet users could or would use encryption
but if that mass movement got started and kept educating users couldn't it eventually overwhelm
the surveillance organizations?

Posted by: juannie | Mar 9 2017 23:36 utc | 17

@ They would just hire more anti-encryption specialists. Must be plenty of keen young IT guys and gals happy to do the job. It looks like we already have half the population spying on the other half.

Posted by: dh | Mar 9 2017 23:48 utc | 18

Messages are only encrypted while they are being transmitted. They have to be composed in unencrypted form. They have to be read in decrypted form. All that the intel agencies have to do is intercept the message with the sender before it has been encrypted or with the recipient after it has been decrypted.

Posted by: lysias | Mar 9 2017 23:54 utc | 19

True. You could, however, use a second device to do the actual decrypting which is itself not connected to a network. It would only have to know the key, right? Think photographing a QR code from the screen of a networked machine, and then displaying the message.

Posted by: persiflo | Mar 10 2017 0:23 utc | 20

Somehow I doubt the poster claiming to be Paul Cockshott, the co-author of one of the papers the poster linked to is anything more than some half-witted 10 cents a line industry sock-puppet; otherwise he would have had enough tech nous not to have screwed up the link posting.
All that remains to discover is what the real motive for the postings is. Probably placatory, a cheap attempt to assuage the masses with promises of some pie in the sky fix for stick beak intrusion at an unspecified later date. Fuck off spammer.

Posted by: Debsisdead | Mar 10 2017 0:26 utc | 21

@ Posted by: lysias | Mar 9, 2017 6:54:46 PM | 19

Spot-on. Especially in a domestic/consumer scenario, if either endpoint node (device) is itself compromised, then the encryption algorithm, methodology, re a secure channel, etc becomes entirely moot/irrelevant.

@ Posted by: Debsisdead | Mar 9, 2017 7:26:22 PM | 21

Alas, 'FOS' indeed ... has done it numerous times in the past :(

Posted by: Outraged | Mar 10 2017 0:35 utc | 22

Posted by: juannie | Mar 9, 2017 6:24:03 PM | 16
(Allowed HTML Tags blah blah blah)

Ppl who don't PREVIEW don't care...

Posted by: Hoarsewhisperer | Mar 10 2017 0:47 utc | 23

dh @14--

That's the rub isn't it: Getting people to stop their selfishness and act together for the much Greater Good. Somehow, people need to be convinced that the federal government does indeed have a virtual gun pointed at their heads, must be forced to surrender it, and disciplined so it can never again have such power.

Outraged @15--

Comey reminds me of Reagan's warning: I'm the head of the FBI, and I'm here to help. He's utterly worthless from my citizen's viewpoint and ought to redeem himself by picking lettuce the rest of his life.

Posted by: karlof1 | Mar 10 2017 1:01 utc | 24

@dh.. always enjoy your sense of humour, and for the truth in it too..

@19 lysias.. 20 debsisdead... 2 bingos..

Posted by: james | Mar 10 2017 1:18 utc | 25

@24 & 25 I wish I could be more optimistic but I've seen this movie before. Wikileaks releases a bunch of stuff. The MSM tells everybody it's nothing to worry about. Nothing changes.

Posted by: dh | Mar 10 2017 1:34 utc | 26

And from my brainwashed friends I get the BS joke that maybe the CIA are in her computer to help.......the brainwashing runs deep in places.

My CIA story is from 2004 when I got an order through my 800 line from a guy who, as part of his order, gave me a working CIA email address. At the end of our conversation he told me I shouldn't say bad things about our then president on international phone calls.......yes, I had.

I am not dead yet and still spewing my anti private finance evolutionary goal here so maybe they have bigger fish to fry these days.

Back to the first line of my comment. In America, the populace is starting to raise an eyebrow over the public circus in evidence since January 20th. That said, when one mentions that Hillary might be a war criminal and perhaps our country is committing war crimes the pearl clutching begins and the subject gets changed. The evidence of moral bankruptcy needs to keep piling on and the economy bubble needs to be perceived as popped for real instead of the "everything is swell" optics being fed to the public today as more and more suffer.

Posted by: psychohistorian | Mar 10 2017 1:51 utc | 27

@12 rhs, 'make sure the CIA has no reason to surveil you in the first place, either as an individual or a member of a group they might be interested in.'

admit they've won, are in control, roll over and die. you sound like eric schmidt.

the nsa / google will still have everything you've sent over the internet, mined, analysed, ready to go.

@16 juannie, i have no problem with the formatting on this page, but i believe you when you say that you do. it is clear that b has asked, since site inception, that people show the common courtesy of wrapping their machine instructions in human readable text. but that's too much trouble for most .. all in the interests of advertizing his product in this case, too.

he's a techie? if he can't master html tags ... what chance is there of his having mastered encryption?

@18 dh, 'Must be plenty of keen young IT guys and gals happy to do the job. It looks like we already have half the population spying on the other half.'

that seems to be exactly the case to me. the folks who take the dough and those who don't.

i'd put the entire workforce at google in the same category as the booz allen, nsa, dnc clique. they're the ones who think the economy is excellent, are doing better today, and are enthusiastic about the government's direction.

@26 dh, ' I wish I could be more optimistic ... '

no you don't :)

@24 karlof, 'Somehow, people need to be convinced that the federal government does indeed have a virtual gun pointed at their heads ...'
@27 psycho, 'The evidence of moral bankruptcy needs to keep piling on ... '

everyone knows what's up. it's those in collusion with the government (with the tncs) and their plans vs. the rest of us, their victims. worldwide to an even greater degree. but the buck starts / stops here. the 'progressives' are never going to 'understand' ...


It is difficult to get a man to understand something, when his salary depends upon his not understanding it!

... it's up to us deplorables in the us, and our fellows worldwide, to rearrange things.

Posted by: jfl | Mar 10 2017 2:57 utc | 28

Apologies for being so OT, but when I woke this am (about 10 hours ago) a news-story was playing about the pentagon having fessed up to landing several hundred more troops in Northern Syria.

Apparently many of the new 'boots on the ground' are for manning M777 howitzer batteries. The same model of howitzer which implemented the infamous 'shake n bake' of Fallujah responsible for the deaths of many tens of thousands maybe even hundreds of thousands of Iraqi civilian deaths. The same units most likely since these 'boots' are marines too.

In the last couple of days there have been a considerable number of Mosul refugees reporting that USAF bombing raids have been completely out of order resulting in many civilian deaths, given amerika's track record with artillery and bombing raids the future seems pretty dim for the citizens of Raqqa who are likely to be 'saved' by being destroyed.

Since Dr Assad or any other suitably delegated member of Syria's government has not invited the amerikans in, this invasion is illegal - an act of war instigated with trump's approval.

So much for 'draining the swamp' eh donnie.

Question - is Russia a party to this travesty - have they tacitly agreed to let amerika have Raqqa?

Posted by: Debsisdead | Mar 10 2017 3:21 utc | 29

@ jfl who wrote: "... it's up to us deplorables in the us, and our fellows worldwide, to rearrange things."

This deplorable has the ONE demand of ending private finance that, if supported by global deplorables, would eliminate the worst of social incentives.

One voice. One demand. End private finance globally.

Posted by: psychohistorian | Mar 10 2017 3:21 utc | 30

on encryption ...

https is great ... if you believe issuers of certificates don't dutifully hand over their keys to the nsa ... or that the nsa /cia hasn't stolen them from the recalcitrant ones. even (if) when it works your browser checking the 'authenticity' of the certificate is calling home and checking-in at every https website you visit ... and when it gets there, it's in the clear. 'all right, mr demille, i'm ready for my close-up.' analysed, categorized, stored forever. all for our own good : google, cloudflare, ...

end to end ... where are the ends? who's there, seen or unseen, at the ends ... as b and others point out above. the cia / nsa are, in at least hundreds of thousands / millions of cases, and counting.

the 'black arts' of 'custom hacks' of individual devices and the wholesale dragnet are converging. the intent is to 'sweep it all up' and then, like god, to sort 'em out later. the tech companies and the government are a single fabric.

what can be done. right now smash your spiPhone. that's exactly what it is. and soon it will replace your credit card, and cash. if you let it. and your every transaction will become a 'marketing opportunity', for sale from google's database. full commodification. just as the drone operators target spiPhones, so too will the marketeers. you'll just be the meat attached that pays the bill.

in future ... after the revolution ... re-engineer the ip protocol. make it end-to-end encrypted and secure from the get-go. why was ipsec left out at the very beginning? we don't really have to ask that question, do we? who built the internet? the Defense Advanced Research Projects Administration. the 'D' i'm sure of, the 'DAR', actually. the 'PA' i'm winging on. the operation enclosing the nsa as its vile 'little' kernel.

and when the internet is secure, we can give ourselves all a free internet 'dial-tone', as secure and natural as the air we breathe. we'll have to teardown and rebuild the epa at that point, of course.

Posted by: jfl | Mar 10 2017 3:30 utc | 31

@30 psycho, 'One voice. One demand. End private finance globally.'

i appreciate your constant focus psycho. discipline. but ... 'demand' ... you're looking for the bearded man in the sky to hear you, see the justice of your cause, solve your paramount problem. the ptb will never, ever, meet any demand. you cannot petition the lord with prayer.

i think it's democracy that's our only chance. we have just to do it. keep an eye on the ptb, try to avoid any bullets they send your way. but there will never, ever be any help from the rulers ... unless and until they are us.

but you knew that. just as i, and i'm sure all the rest of us, know of your focus on 'private finance'.

Posted by: jfl | Mar 10 2017 3:40 utc | 32

Question - is Russia a party to this travesty - have they tacitly agreed to let amerika have Raqqa?
Debsisdead | Mar 9, 2017 10:21:11 PM | 29

Very little Russia can do to stop it. Waddaya think they should do? nuke the yanks? Pat Lang at SST thinks Putin is fuckin over Syria/Assad in not taking Idlib, to try and take some ground off the Yanks in heading to Raqqa. Looks like the shit will be flying in blog land if not Syria.

Posted by: Peter AU | Mar 10 2017 3:43 utc | 33

@29 Did,

no need to apologize, head over to the open thread where your revelation has been / is being discussed in depth, while you sleep.

Posted by: jfl | Mar 10 2017 3:44 utc | 34

@ jfl who "questions" my focus

Have you read The Foundation Trilogy by Isaac Asimov from where I draw my screen name?

My early reading of that, my eclectic education and experience have brought me to believing that structural change needs to happen to our methods of social organization. That same background also leads me to believe that the only way that structural change occurs is if it is simple in common understanding, key to the badness inherent in the current arrangement of methods and, if implemented, would jerk the social incentives to a pluralistic focus.

I believe that ending private finance globally fits the bill and can only hope that concept is considered by the folks that decide who writes what history at the end of this war.

I am Asimov's Mule........

Posted by: psychohistorian | Mar 10 2017 4:03 utc | 35

Encryption: Beyond my pay grade b. I'd really be happy if the youth of my nation just put down their devices, and drove their damn cars with-out the distraction.

24/7 input, without a proper amount of introspection, is turning people into tech-zombies.

Posted by: ben | Mar 10 2017 4:06 utc | 36

psychohistorian 30

Private finance. Tokens for goods. Trading. Not sure how long tokens have been around for, but trading has been around for a long time. One man's trash, another man's treasure? Glass beads for furs etc... ???

Posted by: Peter AU | Mar 10 2017 4:10 utc | 37

@37 peter au.. to give just one example.. the derivatives and futures markets have totally changed this idealistic idea of 'money for trading', if anyone thought they could entertain that idea anymore... if anyone looks more closely at the financial world - i call it a giant ponzi scheme - they will be very afraid... it is a giant house of cards always waiting to come down, with the bankers being at the front of the line when the shit hits the fan - just like 2008 fiasco over again, but on a bigger scale.. boom and bust cycle is built into the system we have at present..

Posted by: james | Mar 10 2017 4:25 utc | 38

physo 35

Being the uneducated unwashed type, I had to look up the mule at wikipedia

"This gives the Mule the capacity to disrupt Seldon's plan by invalidating Seldon's assumption that no single individual could have a measurable effect on galactic socio-historical trends on their own, due to the plan relying on the predictability of the actions of very large numbers of people."

One question - have you ever mustered sheep? People are very much like sheep. Send out a dog that knows his job and the sheep run as a mob. Seldon wins.
At the moment the US is acting like a mongrel that will split the mob.

If the US dog were acting in a more rational manner the mob would not be splitting. On top of that, Russia/China is starting to provide some greener grass.

Posted by: Peter AU | Mar 10 2017 4:25 utc | 39

For the literate:
http://www.paulcraigroberts.org/2017/03/09/age-folly-paul-craig-roberts/

And for serious readers, here is a synopsis with reviews:
https://www.versobooks.com/books/2233-age-of-folly

For the rest of you ... http://marvel.com/comics/

Posted by: rg the lg | Mar 10 2017 4:28 utc | 40

@ myself and Peter AU who asked about alternatives to private finance

The last line of my last comment is snark for all those that can't figure it out.

Peter AU ---- The issue here is to stay with most of the core functions we have now but make it totally sovereign and not allowing private finance to exist. This changes how big ticket risk assessment items (like nuclear anything) are/aren't developed. And it scales down to communities making local development decisions. The profits, if there are any above operating expenses, go to the public commons instead of a private entity. The solution I posit is a gordian knot cutter and much more needs to be done beyond that. The uber rich have much of their holdings in things and not the debt their private finance tools created and so a rebalancing needs to occur to bail out the engineered public holders of bad debt, IMO.

The Gordian knot needs to be cut in our form of social organization or we are for sure extinct acting out our bad incentives.

Posted by: psychohistorian | Mar 10 2017 4:30 utc | 41

james | Mar 9, 2017 11:25:28 PM | 38

A ponzi scheme it is james. I guess a bit different to trading beads for furs. Indians got to keep the beads, traders kept the furs.

I guess trading gold for goods or labour would be better. Latter day tokens have the tendency to shrivel up to dust - or zeros on a computer screen.
I remember reading something about Jesus driving money lenders from the temple with a whip. I guess they have always been bad news.

Posted by: Peter AU | Mar 10 2017 4:39 utc | 42

If the CIA had device level root access to your device they HAZ your dataz if they want. Whether it's worth decrypting is another issue. But the BIG burning question for me is whether that root access the CIA has allows them to run a keylogger pre-encryption, and glean plaintext.

Besides, a lot of what happens really depends on your communication's 'value' to them, and I still suggest everyone encrypt, clogging the fedz datacenters with terabytes of encrypted lulzcats stored, as promised, for perpetuity (Not kidding... :>).

Bottom line ... If you're a high enough value target that the full s*ithammer of the combined US intel agencies come down on you, you bet your sweet ax they can decrypt your messages. You also have to realize the reading level of the average American is 7th grade and they're technologically illiterate, so ALL of these apps need to warn all those 'appliance users' upfront in BIG LETTERS that no comms are 'bulletproof' if the fedz want your dataz bad enough. Just to indemnify themselves. Right now the warning is 'tiny', so to speak. Same with torbrowser. Torproject needs to inform the 'appliance operators' upfront that unless they set up their own .torrc who knows who pwns the entrance and exit nodes where all their plaintext is exposed.

Posted by: Razer Ray | Mar 10 2017 4:40 utc | 43

rg the lg @ 40: The piece on L. Lapham, a giant in the literary world, is wonderful, and so very true. Thanks!

Should be required reading for every American...

Posted by: ben | Mar 10 2017 4:52 utc | 44

In the interest of those trying to read the thread with the wide-page anomaly triggered by @11;
I suggest that people try to write shorter lines instead of letting them wrap and hit return like
I'm doing here.

@27, 30

I have a question for you. Is the following entity an example of what you consider private
banking/finance?

https://en.wikipedia.org/wiki/Alfa-Bank

If I'm not mistaken, the owners of this bank are either Ukrainian or Russian oligarchs
and two of them also have Israeli citizenship.

BTW, this is also the bank that is in the news contacting a Trump server with 2800 look-ups over 90 days.
Who knows, maybe CIA operatives were trying to leave Russian fingerprints on Trump’s server,
while they infiltrated DNC computers to hack emails with Russian fingerprints that they then
turned over to the friend of Roger Stone who tipped him off before anyone else knew about this that
Wikileaks was going to dump emails in October that would be very bad for Hillary and very good for
Trump and therefore the CIA would be responsible for tipping the election.

Anyway who can keep up with this spy yarn? However, is Alfa's business the type of banking you believe is
responsible for a large part of the world's problems?

What about Goldman Sachs? Don't expect Trump to get rid of private banking.

Posted by: Circe | Mar 10 2017 4:55 utc | 45

Regarding computer security. If you are just commenting on blogs and whatever, windows7 and I guess others, pared down to basics will keep operating. Any Microsoft updates = no amount of problems. If brother wants to know what you are doing, and you zap him, burglars will hit you and you have to buy a new computer. When push comes to shove in the cyber world, nothin beats a burglary. Fuck the encryption and all the rest. Internet is a public place. Treat it as such.

Posted by: Peter AU | Mar 10 2017 5:06 utc | 46

@ Circe who asked about a couple of examples of private banking

Yes, they both are private but being private in Russia is different than being private in the USA......

Yes, the motto of private banking is privatize the profits and socialize the losses.

I have commented here multiple times that Trump is the "Don't throw me in the Briar patch" private finance rabbit and so I don't expect him to get rid of private banking....just a little consolidation amongst his buddies.

Posted by: psychohistorian | Mar 10 2017 5:21 utc | 47

@27 Dead Kennedys came to mind with Vault 7
I AM THE OWL
https://www.youtube.com/watch?v=0Lu0G1xCjEM

Posted by: aaaa | Mar 10 2017 5:46 utc | 48

Forgive a naïve/ignorant question, but outside of developing one's own encryption scheme, is there such thing as a 'safe' way to use any kind of modern electronic device to keep it free from prying (five) eyes or ears?

Posted by: Almand | Mar 10 2017 6:02 utc | 49

@ aaaa with the Vault 7 connection and the link to music that missed me but sure was on the mark for 1982.

It is sad to think about the waste of human effort that goes into making money (HFT, derivatives, R2P 3rd world countries, etc.)

Think about what humanity could do if much of the IC community expended their efforts on more humanistic endeavors.

Another example of what I believe would go away by killing the God of Mammon/private finance.

Posted by: psychohistorian | Mar 10 2017 6:06 utc | 50

psychohistorian | Mar 9, 2017 11:30:27 PM | 41

Often I think of the term constant revolution. I don't see a balancing. Rather one group, say finance getting the upper hand, then as the bulk of people, humanity get pissed off, a turn over of power, violent or otherwise, until those leaders themselves become corrupted, then the balance will shift back to finance. People will never change. We accumulate knowledge, but our character remains the same.

Posted by: Peter AU | Mar 10 2017 6:06 utc | 51

Further to above commenters, if one obtains physical access or remote root/privileged access (or less), 'Game Over'. If a nation State actor identifies you as 'of interest' or intentionally targets you as a potential 'threat' as an individual, 'Game Over'. Where the threat is non-nation State actors, one can reduce/limit the risks, though never entirely, IMHO.

Air-Gaps, Sneaker-nets & full spectrum comms isolated networks & devices, work, as long as cross contamination & physical access is ruthlessly, effectively controlled. Anything connected to the 'Net/Comms, then only the 'degree' of risk can be 'attempted' to be addressed/reduced.

Perhaps we all could please try to stay relatively 'On-Topic', if just at least until we flip the page ?
Pretty please ? There is an 'Open Thread' for 'Off-Topic' discussions, don't ya'know ;) (Dons heat/flame retardant protective PJs ... off to chase zzz's)

Posted by: Outraged | Mar 10 2017 6:14 utc | 52

@ Almand who asked; "is there such thing as a 'safe' way to use any kind of modern electronic device to keep it free from prying (five) eyes or ears?"

No is the short answer. But it is not impossible. One could develop a computer based on something like a 6 bit word, which is what I first learned on in 1969, and create languages and utilities like what there is now for the industry, then develop your own software and never connect to the internet.....grin

@ Peter AU who says that people never change.

I disagree. I believe in evolution, not revolution. It is what got us here and what will propel us forward if we are to survive. We can try and ride the waves of human progress much better than we are doing. We build institutions of architectures that don't include adaptation at the core but we can do better. And I think we will, given a chance.

Posted by: psychohistorian | Mar 10 2017 6:19 utc | 53

@ Outraged who is asking about staying on topic.

I plead guilty in this instance but try, as history shows, to stay on thread topic.....sometimes rapport gets in the way.

Posted by: psychohistorian | Mar 10 2017 6:22 utc | 54

is there such thing as a 'safe' way to use any kind of modern electronic device to keep it free from prying (five) eyes or ears?
Posted by: Almand | Mar 10, 2017 1:02:49 AM | 49

Sure is. Just imagine there are 5+Israel ears listening to it then say what you are game to say.

Posted by: Peter AU | Mar 10 2017 6:26 utc | 55

And the latest Open Thread has 351...oops 354 and becoming quite the tome of comments.

The only information I would add to what b wrote is an update to his ending words: "....For that you would need secure devices on both ends of the communication. Good luck finding such."

I would posit that my solution stated in a previous comment would get you the computers on both ends but if you connect to a communication device/network of any sort you have to use their protocols. Once you are forced to package your "data" into their structures they can access, accumulate and analyze it.....and eventually likely figure it out.

Posted by: psychohistorian | Mar 10 2017 6:36 utc | 56

Almand@49: If you're running Windows or even Mac you should consider moving to Linux.
Any of the hundreds of Linux distros are far more secure.
Most of the user friendly ones behave like WinXP, so they're easy to learn.
A side benefit is that they're free of bloatware, thus rehabilitating older machines.
The processor and RAM requirements are trivial compared to Windows.
You can even install them side by side with the old operating system,
so if you don't like it you can revert, except you won't.
Absolutely a must, unless you're running a dedicated app that has no Linux analogue.
Check it out.

Posted by: Mr Toad | Mar 10 2017 7:07 utc | 57

Ps, there are many reasons why the vast majority
of the world's servers, supercomputers and military
systems run on Linux, but one of them most definitely
is its inherent security.

Posted by: Mr Toad | Mar 10 2017 7:28 utc | 58

I guess terrorists are more busy with buying anonymous simcards than with the latest developments and updates of all these softwares. The bomb maker of the Paris Nov 13th attacks managed to return to Syria 3 days after his job was finished. The Berlin Christmas market guy took buses and trains over Germany, Netherlands, France and Italy before being caught in a simple ID control. Imo, all the surveillance programme is mainly industrial spying and geopolitically related, for the tired murricans to keep a bit of leverage in negotiations.

http://www.rfi.fr/moyen-orient/20170308-terrorisme-artificier-identifie-attentats-paris-bruxelles-13-novembre

Posted by: Mina | Mar 10 2017 8:38 utc | 59

@12

The problem comes when your non-nation state adversary has the capacity to subvert the functions of a nation state to its own ends through bribery, blackmail etc.

Posted by: TJ | Mar 10 2017 8:42 utc | 60

There's a massive amount of information (SIGINT) that can be extracted by monitoring a single device whether or not it is transmitted in encrypted form. End-points of encrypted calls can be determined and from that a network of related entities. In fact encryption of certain types of traffic makes the determination of a network of related entities very easy.

Posted by: Jolly Jumbuk | Mar 10 2017 9:51 utc | 61

@Mina 59
"... The bomb maker of the Paris Nov 13th attacks managed to return to Syria 3 days after his job was finished. The Berlin Christmas market guy took buses and trains over Germany, Netherlands, France and Italy before being caught in a simple ID control. Imo, all the surveillance programme is mainly industrial spying and geopolitically related, ..."

And when the shit hits the fan and civilians die, the fishwrap narrative is "We need more money to improve security" and not "what the f__k is our billions of taxpayer funds doing for us lately...?" Pretty big scam. Oh yeah, my phone is pretty smart, it listens to me, thinks about me and later targets me with adverts based upon my conversations. The commercial aspect of fascism can never be discounted either.

A little OT, but on the economic trend in this thread... The elephant in the room was stated by Jack Ma of Alibaba after his meeting with Trump mid January:

"It's not that other countries steal jobs from you guys," Ma said. "It's your strategy. Distribute the money and things in a proper way."

According to Ma, the US wasted over $14 trillion in fighting wars over the past 30 years rather than investing in infrastructure at home. Ma named this as the main reason that the US economy is weakening.

"You're supposed to spend money on your own people," Ma said.

Judging by the incredible pushback against Trump, it is much too late for the U.S. to transform itself from governing a global military capitalism to a more mercantile based form of leadership. There is no U.S. generation alive that hasn't been conditioned to accept war as normal...and so, the U.S. needs another good head kicking, preferably not from a minnow nation Vietnam...a nation of a more kind calibre perhaps.

Posted by: MadMax2 | Mar 10 2017 10:08 utc | 62

Posted by: Mr Toad | Mar 10, 2017 2:07:31 AM | 57


Still have my W7 but the majority of my computer time is Linux....

Posted by: notlurking | Mar 10 2017 11:33 utc | 63

Mm62
There is no British generation alive that doesn't see war as profitable.

Posted by: Mina | Mar 10 2017 13:14 utc | 64

@mm2, ' "You're supposed to spend money on your own people," Ma said. '

ain't that the simple truth ...


We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.

- That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed,
- That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness.


tom jefferson didn't walk what he talked, but he wrote well. 'whenever' is right now. has been so for some time. democracy precedes government.

in an effort to get back on topic i'll cite the madison / hamilton constitution ...

Article. I. Section. 8. Clause 7:


The Congress shall have Power ... To establish Post Offices and post Roads;

... these days the post is email and the post roads are the internet, and our government needs to provide us with secure, end-to-end encrypted communications. take it away from darpa and the nsa and give it to the post office. all open source. no secrets.

we democrats who precede government are going to need to exercise ourselves to effect that ... to effect anything of any benefit to ourselves, and to put an end to all the monstrous and dysfunctional waste expended in support of a fictitious open-ended system on a finite planet.

Posted by: jfl | Mar 10 2017 13:57 utc | 65

It is only common sense, and has been for many years long before a Snowden, to think that everything one does over the internet is potentially being viewed by the authorities. Any new privacy tools will be simultaneously circumvented by the spook agencies as a matter of fact. The question I have is how many technological development levels the authorities are ahead of what the public has access to? It is my belief without any doubt that the spook agencies have the entire western population, everyone, categorized as to the level of their individual 'awareness' and threat level taken largely from their on line and purchasing 'finger prints.' We already live within an Orwellian brave new world so act accordingly and don't forget to wreck the State.

Posted by: BRF | Mar 10 2017 15:55 utc | 66

Secret Documents Reveal N.S.A. Campaign Against Encryption (TS/SI/TK/NF) (2013)

Documents show that the N.S.A. has been waging a war against encryption using a battery of methods that include working with industry to weaken encryption standards, making design changes to cryptographic software, and pushing international encryption standards it knows it can break.

This excerpt from the N.S.A.’s 2013 budget request outlines the ways in which the agency circumvents the encryption protection of everyday Internet communications. The Sigint Enabling Project involves industry relationships, clandestine changes to commercial software to weaken encryption, and lobbying for encryption standards it can crack...

The N.S.A.'s Sigint Enabling Project is a $250 million-a-year program that works with Internet companies to weaken privacy by inserting back doors into encryption products. This excerpt from a 2013 budget proposal outlines some methods the agency uses to undermine encryption used by the public.

The agency works with companies to insert back doors into the commercial products. These back doors allow the agency, and in theory only the agency, to gain access to scrambled information that it would not be able to view otherwise.

Because the N.S.A. has long been considered the world's top authority on encryption, it has dual, sometimes competing, roles. One responsibility of the agency is to safeguard United States communications by promoting encryption standards, and the other is to break codes protecting foreign communications. Part of the Sigint Enabling Project's goal is to influence these standards — which are often used by American companies — and weaken them...

Includes actual scanned images of the classified docu and further links/articles (NYT)

Posted by: Outraged | Mar 10 2017 17:46 utc | 67

Slightly off-topic, but watch Fox News contributor (and supposedly thoughtful and deliberative columnist) Charles Krauthammer urge "let's hope we are interfering in the Ecuadorian election". His rationale is as follows: the Ecuadorian opposition has pledged that, should they win, Assange will be ejected from their London embassy. Krauthammer suggests that Assange may then be "snatched" in order to stand trial in the USA. He urges interference in a sovereign country's election with not even the slightest hint of irony. The same Krauthammer who deplores alleged Russian interference in his own country's election.

Here is the link; the conversation on "Vault7" starts at 06:51 and the Krauthammer "money" comment starts at 09:46

https://www.youtube.com/watch?v=NbWKj8EuiXs

Posted by: etienne marais | Mar 10 2017 18:51 utc | 68

jackrabbit 7
I've wondered this for years. Instead of EU and others going after microsoft for monopolistic and anti-competitive practices, go after them for selling high priced systems that are so vulnerable. The governments who bought these systems should also sue or be sued or both.

thnx etienne 67
Krauthammer and some of the other Fox propagandists like Kristol are disgusting. The audience/fans eat the stuff up even if it is empty corrupted calories.

Snake Oil.
In an online video about our healthcare system, Corbett reported that papa (Avery) Rockefeller sold "patent medicine."

Posted by: Curtis | Mar 10 2017 19:25 utc | 69

@68 etienne
For they are 'Exceptional'...

Posted by: MadMax2 | Mar 10 2017 20:33 utc | 70

Sorry if the raw url had adverse effect on format. Having to revert to raw html these days is a bit dated, but if that is all the system supports so be it. The technical argument we are making is that monocultures are susceptible to infection. This is true both in biology and in computer networks. There are two instruction sets that completely dominate, effectively two species, making the spread of malware very easy.

Posted by: Paul Cockshott | Mar 12 2017 0:33 utc | 71

Years ago I realized the folks who sell antivirus software were the same who created the viruses to begin with, then they started demanding I pay annual subscription fees for the privilege of being spied upon. LOL. Haven't paid a dime for Norton or McAfee b.s. for more than a decade. Of course they install their spyware crap anyway. One way or another they always stay on top of the interwebs because the purpose of it has and always will be spying. The Chinese and Russians are perfectly aware.

Speaking of McAfee, remember the psyops promo they were doing for him several years back? James was whoring and drug running for the CIA in Latin America, or some such thing. Everything you see, hear or read is a tell. These folks can't contain themselves cuz they think they're so brilliant.

Posted by: C I eh? | Mar 12 2017 1:04 utc | 72

Interesting Samsung announces 2 days later it's moving some manufacturing to the US. Does that mean cheaper Big Brother units?

People pay for this?!! It goes on and on...

Yeah, The Guardian did a piece, they always begin like this "Spying, Here's What You Should Know" when you see that you know you're about to be re-programmed to accept the snooping EU style. How far The Guardian has fallen with Katherine Viner, the twat, and the days of the Snowden revelations.

Posted by: Gravatomic | Mar 12 2017 12:06 utc | 73

The ability to crack one phone does not translate into mass attacks.
For one thing, the exploits used simply permit the installation of keyloggers and screen monitors - they're not themselves magical.
And the mass installation of such software *will* get detected sooner rather than later.
That's why even telecom operator level snoopware like SS8 gets detected pretty quickly when used en masse.
The impact of such keyloggers and screen monitors - particularly the exfiltration part and impact on battery life - is also very high and easily detectable.
So to answer your assertion that zero days allowing attacks on one phone are easily morphed into mass attacks: no.

Posted by: c1ue | Mar 17 2017 15:25 utc | 74

Your outlook is too fatalistic. The first trick of spookery is convincing you 'we are invincible' and 'resistance is futile.' It's straight Art of War to defeat your enemy psychologically. Look, the CIA is just yet another bloated lumbering bureaucracy that the nimble can defeat.

Spooks are actually hanging by a thread after Wikileaks and those leaks came from inside. Why do you think the good guys leaked? To tip us off what to do.

To source secure devices stop buying corporateware from Microsoft, Dell, Google, Apple. Apple is really bad. Companies so big get bribed and threatened into submission. Use free software. Buy off the shelf or used, not Amazon/NewEgg to avoid interdiction. Or at least have a friend order in his/her name to his/her house.

All you need to really protect is firmware. Buy blank hardware, no OS preinstalled. If your first OS install is Linux or OpenBSD, then the CIA has no hooks to hijack firmware. Firmware means BIOS, harddrives, ethernet cards; but that's nearly it. Usually you can download OEM firmware and flash it yourself.

Your printer is a likely target. Disallow it network connections or WiFi. Use a firewall with its MAC address stopped, too.

Ditch the smartphone, buy a dumb flip phone or landline. And stop using PRISM apps like Skype. Try retroshare, tox, OTP, etc. There are dozens of secure communication apps. You can even create your own SecureDrop!

There are efforts underway to make 'libre' laptops if a bit too pricey right now. You can however get a dirt cheap Raspberry Pi and put linux on it. Assuming you reflash the firmware yourself with a known-trusted blob, it's secure.

Defeating evil is easy, you just need a warrior-victory mentality.

Posted by: Pete Shimura | Mar 29 2017 1:57 utc | 75

that's good advice pete ... the procedure and attitude are the essentials. i'm looking for a source for banana pi, any tips? i'm in thailand. haven't found one here. australia ... have to find and lean on a friend there, i suppose, to buy one and ship it ...

Posted by: jfl | Mar 29 2017 8:35 utc | 76

any idea why i get a 403 when i go to distrowatch ?

Posted by: jfl | Mar 29 2017 8:40 utc | 77

jfl 75

Experience tells me that keeping the system out of your computer is worthless unless you can physically keep the system out.
Have you installed the protection required to prevent state sponsored burglaries that target computer equipment?

Posted by: Peter AU | Mar 29 2017 8:52 utc | 78

@78 p au

you're such a fatalist. resistance is not futile. there is an alternative. snowden lives.

it's true that it's very hard to keep them at bay if they want us, but they don't want most of us badly enough to actually come and get us if we don't let them.

Posted by: jfl | Mar 29 2017 10:15 utc | 79

@78 p au 'Experience tells me ...'

care to share ... ?

Posted by: jfl | Mar 29 2017 10:18 utc | 80

The comments to this entry are closed.