The obvious explanation here is that the USPS fucked up. As the tweet says, you'd think the NSA program would be more subtle. Further, there isn't much in the way of intelligence presence in Alexandria. So what's more likely: that the NSA does this program in a secret location that's still right next to all the non-secret stuff, and they can't cover up the tracking data, or that the USPS accidentally sent a package to the wrong place?
Edit: I want to emphasize how incredibly stupid the article is when analyzing the tracking data. Key quote:
"From Dulles, it moved another four times around the military and intelligence belt in suburban Washington DC, finally landing in Alexandria at 11:03 am on January 23."
First of all, there is nothing significant to Dulles. It's the largest airport in the area, and this makes it the arrival point for any packages coming in by air. 90% of my packages have a "Dulles, VA" tracking entry on them by the time they get to me.
Second, it didn't move "four times". It went from Dulles to a carrier facility in Alexandria, then it went out for delivery and got delivered. That's two moves. And how many times do you expect it to move? That's how air-based package delivery works. It goes to an airport. Then it goes to a local sorting facility. Then it goes out for delivery.
Third, the phrase "military and intelligence belt" is ridiculous. Especially so when the only two locations involved are Dulles and Alexandria, neither of which has much in the way of either military nor intelligence.
The article tries way too hard to make its case, and uses a great deal of purple prose to state what comes down to, "the package got delivered to Alexandria, VA which is close to a lot of government agencies". That would actually be more convincing than the insanity they wrote, although still not very convincing. But at least it would be honest.
At this point aren't we all just guessing? Reading this thread I'm surprised how strongly many folks I respect (like you - viva FQ&A!) are insisting this could not be an NSA screw up. The truth is we don't know, so why rush to conclusions (even benign conclusions) instead of waiting to learn more?
And imagine if you were Andrea and you develop software that dissidents around the world depend on with their life, while also knowing the NSA has simultaneously tried to weaken it. If the laptop does get rerouted to her with an apology from USPS and you were her, are you saying you wouldn't hesitate even a little before accepting it and transferring your data onto it?
Ultimately, I think that's the real story here. The biggest problem with having a government that watches its citizens isn't the watching per se, it's the loss of trust.
And I think you misunderstand. I am not arguing that it "could not be" the NSA. And I haven't see anyone say that. I am simply arguing that it is extremely unlikely.
It's a guess, yes, but it's an informed guess. It's a matter of looking at probabilities and seeing what's more likely. Shippers screw up all the time. Packages make crazy detours because somebody tossed a box in the wrong truck. A label falls off and a mixup occurs. Somebody typos a tracking number.
On the other hand, for this to be the NSA, several unlikely things would have to be true:
1. The NSA would need to be intercepting computer equipment destined for certain people and modifying it to spy on them.
2. The NSA would need to be targeting the person in question for this program.
3. The NSA would need to have set up this program in such a boneheaded way that it shows up on a package tracker. (If I were in charge of this program, I'd just set it up in FedEx's sorting facility in Memphis and then ensure all the relevant equipment uses FedEx. Simple, fast, and no chance of the target finding out.)
4. The NSA would need to have set up this program in Alexandria, even though it has little to recommend it for such a thing.
Now, we know that #1 is actually true. So that's one requirement fulfilled, out of several. But what about the rest?
I'm somewhat skeptical on #2. It's possible, but it seems unlikely. Why would the NSA target Tor developers? The security of Tor falls apart in the presence of an adversary that is able to monitor the entire internet, because you can just correlate traffic that enters with traffic that exits. The NSA can presumably monitor enough of the internet to defeat Tor right now. So why bother spying on Tor developers? It's possible as a belt-and-suspenders maneuver, but this person just doesn't strike me as a likely target.
I'm really skeptical on #3. It's about as believable as having the FBI spy on me by parking a van outside my house that says "Flowers By Irene". It's possible, but really unlikely.
And #4 doesn't make a whole lot of sense to me. Again, possible, but unlikely.
So we have one thing that's true, and then several other things that are individually unlikely, and combine to be really unlikely. It looks to me that people are committing the basic fallacy of thinking that the truth of #1, since it's unlikely, somehow makes the rest more likely too.
It comes down to this: is it a screwup by USPS or Amazon or a third-party reseller, or is it the NSA screwing up royally while trying to plant a bug? In the absence of evidence, we are stuck guessing, but we can guess intelligently by realizing that one is vastly more likely than the others.
"When you hear hoofbeats, think of horses not zebras."
That doesn't mean zebras are impossible. But it means you should prefer the more obvious explanation unless there's evidence to the contrary.
Fair enough, and thanks for the thoughtful reply. I didn't mean to misrepresent your position -- I took "The obvious explanation here is that the USPS fucked up" to mean you belived it couldn't be otherwise, rather than when weighing the evidence the more obvious [simpler] explanation is that USPS screwed up.
Like you, I'm also a big proponent of Occam's razor. (Having been a med student, you don't know how many times I heard that "think horses not zebras" analogy from attendings.) I guess it just comes down to the degree of faith each of us has in the NSA and their corporate partners. Some of us are more willing to doubt their actions and/or believe it's possible they could screw up this way. But at this point we can only wait and see if we learn anything more in the coming days -- though probably not. One would hope the NSA is competent enough to cover this up, even if it was their screw up.
Added: BTW, there is another explanation that no one has mentioned. Leaving the Alexandria issue aside, the NSA interception program obviously relies on participation from one or more corporate partners. And just as we've seen at the telcos, it's reasonable to assume that there are staff at those partners who aren't particularly enthusiastic about the program. So it's possible someone decided to "accidentally" bypass/skip an important step that would have obscured this. It's not a huge leap to imagine a motivated techie realizing that this particular delivery would be an ideal opportunity to direct a lot of attention to the interception program -- if they felt compelled to take the risk. I'm definitely not saying this is the (or even a) likely possibility, but it's probably the only way we'll ever know if it was in fact the NSA.
Would you care to refute that instead of just shouting? Like, point out something that contradicts it? Because I can't think of any, and I lived in Alexandria for seven years.
Edit: I want to emphasize how incredibly stupid the article is when analyzing the tracking data. Key quote:
"From Dulles, it moved another four times around the military and intelligence belt in suburban Washington DC, finally landing in Alexandria at 11:03 am on January 23."
First of all, there is nothing significant to Dulles. It's the largest airport in the area, and this makes it the arrival point for any packages coming in by air. 90% of my packages have a "Dulles, VA" tracking entry on them by the time they get to me.
Second, it didn't move "four times". It went from Dulles to a carrier facility in Alexandria, then it went out for delivery and got delivered. That's two moves. And how many times do you expect it to move? That's how air-based package delivery works. It goes to an airport. Then it goes to a local sorting facility. Then it goes out for delivery.
Third, the phrase "military and intelligence belt" is ridiculous. Especially so when the only two locations involved are Dulles and Alexandria, neither of which has much in the way of either military nor intelligence.
The article tries way too hard to make its case, and uses a great deal of purple prose to state what comes down to, "the package got delivered to Alexandria, VA which is close to a lot of government agencies". That would actually be more convincing than the insanity they wrote, although still not very convincing. But at least it would be honest.