And I think you misunderstand. I am not arguing that it "could not be" the NSA. And I haven't see anyone say that. I am simply arguing that it is extremely unlikely.
It's a guess, yes, but it's an informed guess. It's a matter of looking at probabilities and seeing what's more likely. Shippers screw up all the time. Packages make crazy detours because somebody tossed a box in the wrong truck. A label falls off and a mixup occurs. Somebody typos a tracking number.
On the other hand, for this to be the NSA, several unlikely things would have to be true:
1. The NSA would need to be intercepting computer equipment destined for certain people and modifying it to spy on them.
2. The NSA would need to be targeting the person in question for this program.
3. The NSA would need to have set up this program in such a boneheaded way that it shows up on a package tracker. (If I were in charge of this program, I'd just set it up in FedEx's sorting facility in Memphis and then ensure all the relevant equipment uses FedEx. Simple, fast, and no chance of the target finding out.)
4. The NSA would need to have set up this program in Alexandria, even though it has little to recommend it for such a thing.
Now, we know that #1 is actually true. So that's one requirement fulfilled, out of several. But what about the rest?
I'm somewhat skeptical on #2. It's possible, but it seems unlikely. Why would the NSA target Tor developers? The security of Tor falls apart in the presence of an adversary that is able to monitor the entire internet, because you can just correlate traffic that enters with traffic that exits. The NSA can presumably monitor enough of the internet to defeat Tor right now. So why bother spying on Tor developers? It's possible as a belt-and-suspenders maneuver, but this person just doesn't strike me as a likely target.
I'm really skeptical on #3. It's about as believable as having the FBI spy on me by parking a van outside my house that says "Flowers By Irene". It's possible, but really unlikely.
And #4 doesn't make a whole lot of sense to me. Again, possible, but unlikely.
So we have one thing that's true, and then several other things that are individually unlikely, and combine to be really unlikely. It looks to me that people are committing the basic fallacy of thinking that the truth of #1, since it's unlikely, somehow makes the rest more likely too.
It comes down to this: is it a screwup by USPS or Amazon or a third-party reseller, or is it the NSA screwing up royally while trying to plant a bug? In the absence of evidence, we are stuck guessing, but we can guess intelligently by realizing that one is vastly more likely than the others.
"When you hear hoofbeats, think of horses not zebras."
That doesn't mean zebras are impossible. But it means you should prefer the more obvious explanation unless there's evidence to the contrary.
Fair enough, and thanks for the thoughtful reply. I didn't mean to misrepresent your position -- I took "The obvious explanation here is that the USPS fucked up" to mean you belived it couldn't be otherwise, rather than when weighing the evidence the more obvious [simpler] explanation is that USPS screwed up.
Like you, I'm also a big proponent of Occam's razor. (Having been a med student, you don't know how many times I heard that "think horses not zebras" analogy from attendings.) I guess it just comes down to the degree of faith each of us has in the NSA and their corporate partners. Some of us are more willing to doubt their actions and/or believe it's possible they could screw up this way. But at this point we can only wait and see if we learn anything more in the coming days -- though probably not. One would hope the NSA is competent enough to cover this up, even if it was their screw up.
Added: BTW, there is another explanation that no one has mentioned. Leaving the Alexandria issue aside, the NSA interception program obviously relies on participation from one or more corporate partners. And just as we've seen at the telcos, it's reasonable to assume that there are staff at those partners who aren't particularly enthusiastic about the program. So it's possible someone decided to "accidentally" bypass/skip an important step that would have obscured this. It's not a huge leap to imagine a motivated techie realizing that this particular delivery would be an ideal opportunity to direct a lot of attention to the interception program -- if they felt compelled to take the risk. I'm definitely not saying this is the (or even a) likely possibility, but it's probably the only way we'll ever know if it was in fact the NSA.
And I think you misunderstand. I am not arguing that it "could not be" the NSA. And I haven't see anyone say that. I am simply arguing that it is extremely unlikely.
It's a guess, yes, but it's an informed guess. It's a matter of looking at probabilities and seeing what's more likely. Shippers screw up all the time. Packages make crazy detours because somebody tossed a box in the wrong truck. A label falls off and a mixup occurs. Somebody typos a tracking number.
On the other hand, for this to be the NSA, several unlikely things would have to be true:
1. The NSA would need to be intercepting computer equipment destined for certain people and modifying it to spy on them.
2. The NSA would need to be targeting the person in question for this program.
3. The NSA would need to have set up this program in such a boneheaded way that it shows up on a package tracker. (If I were in charge of this program, I'd just set it up in FedEx's sorting facility in Memphis and then ensure all the relevant equipment uses FedEx. Simple, fast, and no chance of the target finding out.)
4. The NSA would need to have set up this program in Alexandria, even though it has little to recommend it for such a thing.
Now, we know that #1 is actually true. So that's one requirement fulfilled, out of several. But what about the rest?
I'm somewhat skeptical on #2. It's possible, but it seems unlikely. Why would the NSA target Tor developers? The security of Tor falls apart in the presence of an adversary that is able to monitor the entire internet, because you can just correlate traffic that enters with traffic that exits. The NSA can presumably monitor enough of the internet to defeat Tor right now. So why bother spying on Tor developers? It's possible as a belt-and-suspenders maneuver, but this person just doesn't strike me as a likely target.
I'm really skeptical on #3. It's about as believable as having the FBI spy on me by parking a van outside my house that says "Flowers By Irene". It's possible, but really unlikely.
And #4 doesn't make a whole lot of sense to me. Again, possible, but unlikely.
So we have one thing that's true, and then several other things that are individually unlikely, and combine to be really unlikely. It looks to me that people are committing the basic fallacy of thinking that the truth of #1, since it's unlikely, somehow makes the rest more likely too.
It comes down to this: is it a screwup by USPS or Amazon or a third-party reseller, or is it the NSA screwing up royally while trying to plant a bug? In the absence of evidence, we are stuck guessing, but we can guess intelligently by realizing that one is vastly more likely than the others.
"When you hear hoofbeats, think of horses not zebras."
That doesn't mean zebras are impossible. But it means you should prefer the more obvious explanation unless there's evidence to the contrary.