I wonder if anyone has ever sent a fake National Security Letter. The inability to speak about or verify these letters is concerning to me.
Seems like you could cause a lot of damage by sending a fake NSL ordering a company to send you private data. At minimum it would cost the company several thousand dollars in legal fees to determine it's fake.
I doubt that these are simply sent through the mail - they may be called 'letters' but they're the kind of thing that would likely be delivered by Men In Suits with ID cards, or at the very least accompanied by a phone call if they're frequent enough that the parties would be familiar with the forms and process.
True, but who knows what a real MIB ID looks like? And do they have a phone line that you're allowed to call to verify these? Big companies might deal with the real guys regularly but not the smaller ones.
Trying to set up a situation where one could gain something (even just laughs) from attempting to send a fake NSL seems like a great way to end up in prison for the rest of your life. Not sure what laws that would violate (aside from impersonating), but I'd bet they'd find them.
One of John le Carré's spy novels was built around this idea [0]. His novel happens to revolve around an anti-Israeli activist tricked into spying for Israeli intelligence, but at the core it's a study in the difficulties an individual faces trying to reliably validate the identity behind a well-funded "social engineering" attack.
NSLs aren't signed by "The FBI", but rather some Agent of the FBI, which includes their case number and contact information. Even if one had to cold call the FBI operator, they could probably ask for the investigator in charge of case "X1234" and get whomever they needed that had clearance to discuss the issue.
If someone forged an NSL, it would be arguably trivial to verify its authenticity by doing a number of things, including walking into a local FBI office and asking to speak to someone about the case number, which is public enough information within the confines of the agency to get you someone who can talk about the case without having to describe the specifics of the letter over a phone to someone who might leak that information resulting in your arrest.
> speak to someone about the case number, which is public enough information within the confines of the agency
I have absolutely NO idea how you reach that conclusion. I know that legal arguments have been made for suppressing every single word of an NSL, and that even admitting the existence of the NSL is specifically prohibited by the law.
What makes you think that this query would not be a violation of the law?
Well, the WP article on NSLs has an EFF-sourced minimally blacked-out example of an NSL, which explicitly states "[blacked out communication details] or through use of a delivery service or secure fax...", and while there is an entreaty to not disclose it through routine mail or phone, it would seem there are mechanisms (including, presumably, asking your attorney to file paperwork about it and seeing if it gets sealed so fast your head spins) to communicate about it.
Imagine delivering a fake NSL that's forged using a random case-number that happens to correspond to a real, active, and classified investigation, though. (Not even necessarily one that ever issued an NSL.) You'd ask them to talk to you about the case number, and then they'd completely clam up, because it is a case but it's one that doesn't involve you at all, so they don't want to admit of its existence to you. Kafka-esque results.
Since we don't know the actual method for verification this is speculation, but people put too much faith in phone calls, and telecom CPE security is often lax. You might be able to spoof verification of an NSL by hacking the DOSA capability of the FBI's PBX and setting up an extension to forward to your phone. The recipient feels confident they called the real FBI. The attendant thinks they forwarded the call to an extension, but your phone gets the call.
Much easier to put the POTS equivalent of a proxy on the person's line (e.g. an LTE picocell hidden near their home, configured in a Stingray-like mode, running its own internal call-switching logic) than to hack the FBI's PBX, I'd think.
That requires equipment! Seriously though, the only picocells I know of that are "open" enough to turn into a poor man's stingray are 2g-only, and that will show up in the phone's connectivity status icon, and it assumes cell phone use. How very 21st c.
Now that most people have forgotten their desk phone, weak security in passwords and feature access is probably worse than it has ever been in enterprise CPE. DISA/DOSA is an end-user feature, so it's not as if you are hacking the PBX configuration. It's more like hacking an individual user's voicemail. Plus it has that retro cachet of "what we were hacking before we had computers to hack."
Might work for a small shop, but the bigger companies have legal departments who've already been served with warrants and met with feds. And who knows, maybe NSLs start with a conventional subpoena to appear at your local court room or FBI office for a meeting you can't refuse. In fact, I'd wager that they would be served in a federal courthouse before a judge informing the recipient of their (lack of any) rights.
I wish that were true... But there are actually no judges involved in this process, and trying to get them involved may end up with you on the wrong side of the court room.
"FBI office" at an address where no (real) FBI office exists (with a slightly obfuscated address that doesn't mention FBI by name, but something that sounds like a department in FBI but isn't, so that the postal service doesn't get suspicious).
The insane thing about this is that it is wholly unnecessary. Why can't the feds go to court and get a search warrant if they really have anything more than a "hunch"? And if that's all they have, do we really want them issuing secret orders with no public oversight at all? That's exactly where you need scrutiny.
The current and previous administrations are going to find out in a hurry why checks and balances are important if Trump gets into office. He's exactly the kind of chief executive who will be terrible to behold with that kind of power.
When a Three Letter Agency wants information, they get it. The current United States government is the most powerful single entity to exist in human history (insofar as it can be called a single entity). Especially those who frequent HN should be well aware of that at this point.
Dear God I am depressed about our chances at this point. Reining in who I would call traitors seems impossible.
The former, because it won't get you extradited, the latter, well, that would be telling.
Let's just say there are a lot more organisations than a few analysts in Maryland monitoring the internet and our communications, and they are interested in much more than unhappy Muslims. Then leave it at that.
This is sadly true, but I think we also need to reject that this is the new normal. We need to continue to push back firmly on secret government requests without oversight.
You can't put the genie back into the bottle. It has already escaped. In our days, surveillance is being performed by all governments and many private companies. For US to be the only country that doesn't do it, it would be uncompetitive. We have to accept the new reality - ever since digital cameras became popular (year 2000) and ever since cell phones became packed with sensors and always on connectivity (and continuous auto-updates), hard drives cheap and large, face recognition software efficient - there has been no way to stop surveillance. It is an emergent situation based on a confluence of technologies.
We need AI to protect privacy, capable of detecting information leaks and unintended exposures right in the browser and OS, similar to an antivirus that is always scanning the data flowing in the system. We need to have software educating people about consequences and making it really easy to remain private. It won't solve the problem fully, it's impossible to do that today.
> In our days, surveillance is being performed by all governments and many private companies. For US to be the only country that doesn't do it, it would be uncompetitive.
Governments spy on other nations' businesses, then pass the information back to their companies who proceed to undercut the competition (because they have all the information).
'According to the indictment, five hackers “stole trade secrets” which allowed Chinese companies to undercut their American competitors, or gave them “insight into [their] strategy and vulnerabilities”. '
It's a false equivalence to say that "everyone does it".
1. It's unclear how surveillance does anything for a country's competitiveness. If we're talking security, the US's competitive edge in technology should have enabled them to completely reshape world affairs to their liking long ago. If they can be duped by some sadistic middle-eastern ophthalmologist in the way they have, it shows how useless those skills are.
Economically, the benefits of surveillance are especially limiting. You may be able to support a few "national heroes" like Boeing here and there, or win a few tenders with your knowledge of some interior minister's passion for really strange pornography, but the economic effects are negligible.
2. "Everyone does it" is a really really bad excuse for something morally repugnant. When did we start measuring morality on a scale relative to others?
3. Not everyone does. In fact, barely anyone does it, and even fewer use it for economic competitiveness. Even discounting places like Luxembourg or Qatar because they use non-replicable features for their success, I'd point at the Netherlands, Austria, Canada or Denmark as countries that are successful even though they almost certainly lack the ability to play that game on any level comparable to the US.
4. Even if you think it's naive to expect moral leadership in a world of race-to-the-bottom competition, there are long-established processes to avoid playing the prisoner's dilemma with the rights of everyone on earth: cooperation, embodied in the WTO, the ICC, the Oxford Manual of Style, START 1-3, RFC 2616, or actually anything else that is collectively called "international law". I know Americans hate the concept because they really don't get that a foreigner, of all people, could disagree with them but just underneath the surface these systems have worked extremely well for everyone.
5. It may be right to try to solve these issues technologically. Such solutions may even be preferable because they don't require trust, or the expectation of moral behavior from everyone. But I'd still prefer a political solution because there is a universe of problems that cannot be solved technologically and I fear a world where we've given up on expecting people's behavior to be limited by anything but feasibility.
So yes, if you can create a protocol or an AI that gives people power over their data do publish it, if you can teach people to use technology, do so. But don't join the cynical masses that don't expect anything from their leaders, or declare ruthless competition as the only "rational" choice, or deny humanity's ability to give shape to their fate in the face of the downward pressure of game theory.
Well, new in the sense that, post Snowden, there was an immense increase in the number of mostly-facsimile files documenting the mass surveillance. I don't remember earlier programs like Carnivore getting the same level of public documentation and confirmation.
I think at this point you have to assume that Chinese, American and Russian intelligence if not organized crime have their fingers in all the major email providers.
I'm starting to think that these giant email providers are too much of a juicy target and we need to start moving towards a more decentralized model, or even move away from email entirely.
Email is great, and there is no reason to give it up.
If you want full control, just publish an MX record in DNS, and run your own email server. The TCP session will be established directly between you and the sender. Encryption options are available and evolving, thanks to IETF and other bodies. All you have to pay is just a couple of hours of your time for setting it all up, and $15/yr for the DNS.
No, the TCP session will be established between your mail server and the sender's. And since the other party's mail server often happens to belong to Google, Yahoo or <insert big mail provider>, this doesn't increase security at all. (As long as you don't use end-to-end encryption but even then they still see your social network.)
I totally agree. That's why I'm running my own mail server, as well. That doesn't change the fact, though, that email is fundamentally broken these days.
I started running my own mail server recently and spam hasn't been much of a problem with postscreen + spamassassin (with pyzor and razor).
Also, if you are worried about deliverability of your own e-mail: worry less. I am running my mail server on a VPS and the only place I've had any trouble delivering mail to so far is Hotmail. They were blocking my IP, so I requested that they investigate the block and it was removed within hours.
Dear x
Please note that your ticket number is in the subject line of this mail.
x.x.x.x
Note: Errors are unlikely, however, if an error is indicated, please resubmit the specific IP or IP range.
Thank you,
Outlook.com Deliverability Support
Please do not reply to this message as it is from an unattended mailbox.
Any replies to this email will not be responded to or forwarded.
This service is used for outgoing emails only and cannot respond to inquiries.
About an hour later I got another e-mail from them informing me that my IP address had been "conditionally mitigated", and I was then able to send e-mails to Hotmail.
The basic idea of the gag order and not being able to reveal the details has pretty sound roots in not tipping off the people being investigated. The issue is they're incredibly broad so companies receiving them can't usually even reveal the exact number received.
The only reason this continues to go on is that no one is brave enough to risk arrest and just publicly read the full contents of these NSLs when they get them. Gag orders have only been declared constitutional when they are used to protect someone's right to a fair trial. No one has ever challenged a gag order that protects a police investigation. It is much easier to challenge these gag laws when you have been personally charged with violating them, then you have a criminal trial you can appeal and escalate through to federal appeals and the supreme court. Otherwise it is just civil suits that can be thrown out easily as you can't justify why you need to take this to trial because you are not suffering any monetary damages.
One of the solutions is to move to a model where all data that companies like Google have in their servers is encrypted by a key that only the user has in his device.
The side effects are:
- No server side analysis/logging/sharing/selling to advertisers of the user's data
- All decryption takes place at the client side
- Targeting ads/content becomes impossible
- Gag orders are rendered useless to seek user data from service providers
Not only for chat apps and email services, literally all user data on servers should be encrypted with the decryption key only on the user's devices. It should basically be impossible to identify a user based on the data that a service provider has.
The idea is similar to that of ZeroDB, but it extends beyond databases to everything related to a user such as files related to a user.
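The model proposed in the comment above, as an added example that is not part of the original thread: the client encrypts with a key derived on the device, and a provider compelled to produce a user's data can hand over only ciphertext plus whatever metadata it stores. The `Provider` class, its `produce` method, the field names and the sample data are assumptions constructed for illustration; AES-256-GCM and scrypt are choices made here, not named in the comment.

```javascript
const nodeCrypto = require('crypto');

// Client: the key is derived on the device and never sent to the provider.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}
// Client: AES-256-GCM; the user id is bound as associated data.
function clientEncrypt(key, userId, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { userId, iv, ct, tag: cipher.getAuthTag(), storedAt: Date.now() };
}
function clientDecrypt(key, record) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.iv);
  d.setAAD(Buffer.from(record.userId));
  d.setAuthTag(record.tag);
  return Buffer.concat([d.update(record.ct), d.final()]).toString('utf8');
}

// Provider (hypothetical): stores records, holds no key.
class Provider {
  constructor() { this.rows = []; }
  put(record) { this.rows.push(record); }
  // Everything the provider is able to hand over for one user.
  produce(userId) {
    return this.rows.filter(r => r.userId === userId).map(r => ({
      userId: r.userId, storedAt: r.storedAt, bytes: r.ct.length,
      ciphertextHex: r.ct.toString('hex'),
    }));
  }
}

// Constructed sample data; returns the properties worth checking.
function demo() {
  const salt = nodeCrypto.randomBytes(16);
  const key = deriveKey('correct horse battery staple', salt);
  const provider = new Provider();
  const note = 'meet at 10:00, bring the contract';
  provider.put(clientEncrypt(key, 'alice', note));
  const produced = provider.produce('alice');
  const leaksPlaintext = produced.some(p =>
    Buffer.from(p.ciphertextHex, 'hex').includes(Buffer.from('contract')));
  let wrongKeyFails = false;
  try { clientDecrypt(deriveKey('guess', salt), provider.rows[0]); }
  catch { wrongKeyFails = true; }
  return { roundTrip: clientDecrypt(key, provider.rows[0]) === note,
           leaksPlaintext, wrongKeyFails, metadata: Object.keys(produced[0]) };
}
```

The produced record still carries the user id, timestamp and size, which is the metadata exposure raised earlier in the thread about mail servers.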
I started using Protonmail 2 weeks ago and I am quite satisfied (planning to migrate all my communication from Gmail to Protonmail). It does feel slower than Gmail (because of the decryption, but that's not that much of a problem). Also, you have to use their own app, it cannot be connected to a mail client, that's a bit of a downside, but I suppose I will be willing to make that compromise.