Edward Snowden: ‘They’re setting fire to the future of the Internet’ (washingtonpost.com)
193 points by Libertatea on March 10, 2014 | hide | past | favorite | 68 comments



While the video and audio feed – routed from Russia through seven proxy servers – was choppy, Snowden’s message was clear.

Edward Snowden is the gift that keeps on giving. I feel like "seven proxies" is the proof of concept for a practice that should be more common. From now on, every statement about technology, especially the intersection of technology with important issues like civil rights, should be watermarked with at least one meme or obviously absurd statement. If a reporter regurgitates the meme as fact, readers are warned about the reporter's lack of general knowledge about the subject and will be primed to read the rest of the article with a more critical eye.


I thought the 7 proxies thing was just an homage to the well known meme[1]

[1] http://knowyourmeme.com/memes/good-luck-im-behind-7-proxies


No doubt. I'm sure it was. I just think it was also a genuinely useful indicator of exactly which reporters aren't / don't have access to people with general knowledge of the subject, and that more people should make jokes like it for that reason.


"Truth and heroic goodness through meme knowledge," seems as morally and intellectually bankrupt to me as Ivy leaguers on Mad Men using preppy/main-line subculture as a proxy for ability. Knowing about memes only says something about where you hang out online. It's the same sort of proxy for actual ability or trustworthiness as being a member of the right country club. Such proxies can work, but they depend highly on particular circumstances. The company town residents in Matewan using Bible verse knowledge as an impromptu code uses the same principle. This is not evaluating character from first principles! It's trusting a label! It's knowing that one group has a bit of information that another does not. However, we of the Internet era should know how rapidly and irrevocably this can change.

(Actually, a good test for whether someone has A-lister perception is to see if they can see past their own prejudices.)


I've never seen Mad Men, but your comparison seems at least a little unfair. In this case, knowledge of the particular meme or participation in the culture that created it is not necessary. A complete stranger to internet jokes, who happened to be at least generally acquainted with the technologies being discussed, could very easily identify Snowden's claim as a joke (or at least something very odd and worth investigating) whether or not they had been exposed to the original meme. "Seven proxies" should make your eyebrow raise whether or not you're aware of the original joke.


I've never seen Mad Men, but your comparison seems at least a little unfair..."Seven proxies" should make your eyebrow raise whether or not you're aware of the original joke.

Because, in your words, someone should know on the face of it, that "seven proxies" is implausible? Please explain how I should know that. Would it be worse or better if it were 6 or 8? Please answer from first principles concerning network technology. (The fact that you are not accounting for the fact that there are multiple interpretations to the term "proxy" makes my eyebrows raise.)


In fairness, the line was delivered deadpan, and I couldn't make out any laughter from the audience in the recording. I chuckled to myself.


Now I'm curious as to how it actually worked.


Agree completely. As soon as I read that sentence I knew to take this article with a pinch of salt. These very subtle drops of ancient memes are a great way to help raise a warning flag.


The idea is that the location of Snowden's FSB safehouse isn't known publicly, so they probably took some measures to keep it a secret from anyone who could have eavesdropped on the network traffic. They obviously aren't going to tell you explicitly what they've done, so someone just throws out "seven proxies" and that's that.


FSB safehouse, yikes.


We don't have to speculate about what life is like for Western intelligence agents who make their way to Moscow. We have examples from history.

http://en.wikipedia.org/wiki/Kim_Philby#Moscow


Is that more yikes than 'FBI safehouse'?


I was in this session and the biggest takeaway I had was that the ACLU and Snowden believe a technical solution is possible to end mass surveillance, but they aren't concerned with individual targeted surveillance. I think this was a good way of framing the discussion with actionable steps like PFS, end to end encryption (Snowden name checked Whisper Systems), FDE, SSL everywhere, not storing data forever, etc. The ACLU seemed to think that pressure can be brought on big companies to at the bare minimum require SSL, which immediately makes mass surveillance more difficult.


SSL only makes mass surveillance difficult for the people who can't lean on a CA. I somehow suspect that if the NSA decided it wanted to, it could get itself an intermediate cert that it could use to MITM SSL sessions.


I don't think they need to get one; take a look at the CAs that are in your browser. Do you implicitly trust all of those organizations and governments? It doesn't matter if you do, as your browser already does.


This hasn't been the case since Chrome implemented certificate pinning in 2011.


Chrome pinning doesn't break corporate MITM proxies.

https://www.imperialviolet.org/2011/05/04/pinning.html


Obviously, if they can install additional Root CAs, they have enough access to do absolutely anything as your user on your machine, including installing trojaned versions of all your apps. That isn't the issue gp was discussing.


Is it possible to "double up" on certificates somehow so that a service can offer certificates from 2 or more Certificate Authorities simultaneously? The goal here would be to get a certificate from CA A that might be compromised by global persistent threat X, but not global persistent threat Y, and another certificate from CA B that might be compromised by global persistent threat Y, but not global persistent threat X. e.g. using a certificate from an American CA and a Russian CA simultaneously would likely only expose you if both the Americans and Russians cooperate to eavesdrop on you.


I kinda see what you're getting at, but that wouldn't fix anything. If I interpret what you want correctly, you basically want a cert that is dual-signed by multiple CAs which would be under different political jurisdictions. It's a clever idea, but it's not really usable. Clients validate that they trust a member in the signing chain, not all members in the signing chain, so as soon as the browser encounters a signing authority that it trusts, it will trust the cert.

Furthermore, this wouldn't really stop a bad actor from getting a cert signed by a third CA which your browser trusts and MITMing it to you, unless you're cert pinning, which practically nobody is because it comes with a tremendous list of user experience issues.


Probably not on a massive scale, given scans, pinning, and pin violation reports.

Real-world MITM attacks involving certificate misissuance have already been caught by these means (mostly by Google, which is putting the most effort into it).
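The two points made in this sub-thread (any single trusted CA in the browser's store is enough for a chain to validate, so dual-signing from two jurisdictions buys nothing against a third compromised CA, whereas pinning restricts the accepted key) can be made concrete with a toy model. The following is an added example, not code from the article or from any commenter; it is not real X.509 processing. Signatures are stood in for by HMACs over a constructed (subject, public-key) blob, the CA names, keys and host name are invented, and the "trust store" is a dictionary of CA names to keys.

```python
import hashlib
import hmac

# Toy model of CA trust, constructed for illustration (not X.509).
# A "certificate" binds a subject name to a public-key blob (SPKI) and
# carries the issuer's signature over (subject, SPKI). Signatures are
# simulated with HMAC-SHA256 keyed by the CA's secret.


def spki_pin(spki: bytes) -> str:
    """SHA-256 of the SubjectPublicKeyInfo; this is what a pin set stores."""
    return hashlib.sha256(spki).hexdigest()


def _to_be_signed(subject: str, spki: bytes) -> bytes:
    return subject.encode() + b"|" + spki


def issue(ca_name: str, ca_key: bytes, subject: str, spki: bytes) -> dict:
    """A CA issues a certificate for subject/spki (toy signature = HMAC)."""
    sig = hmac.new(ca_key, _to_be_signed(subject, spki), hashlib.sha256).hexdigest()
    return {"subject": subject, "spki": spki, "issuer": ca_name, "sig": sig}


def signature_valid(cert: dict, trust_store: dict) -> bool:
    """True if the cert was issued by a CA present in the trust store."""
    ca_key = trust_store.get(cert["issuer"])
    if ca_key is None:
        return False  # issuer unknown to this client
    expected = hmac.new(ca_key, _to_be_signed(cert["subject"], cert["spki"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def chain_accepted(certs: list, trust_store: dict) -> bool:
    """Plain PKI rule: ONE trusted issuer is sufficient, whatever else is offered."""
    return any(signature_valid(c, trust_store) for c in certs)


def pinned_accepted(certs: list, trust_store: dict, pins: set) -> bool:
    """Pinning: must validate AND present a public key whose pin is expected."""
    return any(signature_valid(c, trust_store) and spki_pin(c["spki"]) in pins
               for c in certs)


def demo() -> dict:
    """Walk through the thread's scenario with constructed CAs and keys."""
    ca_keys = {"CA-A": b"toy-key-A", "CA-B": b"toy-key-B", "CA-C": b"toy-key-C"}
    site_spki = b"SITE-PUBLIC-KEY-BYTES"        # constructed stand-in for the real key
    evil_spki = b"ATTACKER-PUBLIC-KEY-BYTES"    # constructed stand-in for a MITM key

    # The "dual-signed" idea: the site presents certs from CA-A and CA-B.
    legit = [issue("CA-A", ca_keys["CA-A"], "example.test", site_spki),
             issue("CA-B", ca_keys["CA-B"], "example.test", site_spki)]
    # A cert for the same name from a third, trusted-but-compromised CA.
    forged = [issue("CA-C", ca_keys["CA-C"], "example.test", evil_spki)]

    browser_store = dict(ca_keys)               # browser ships with all three roots
    store_without_c = {k: v for k, v in ca_keys.items() if k != "CA-C"}
    pins = {spki_pin(site_spki)}                # pin set: only the site's real key

    return {
        "legit_plain": chain_accepted(legit, browser_store),            # True
        "forged_plain": chain_accepted(forged, browser_store),          # True
        "legit_pinned": pinned_accepted(legit, browser_store, pins),    # True
        "forged_pinned": pinned_accepted(forged, browser_store, pins),  # False
        "forged_no_ca_c": chain_accepted(forged, store_without_c),      # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

`forged_plain` is the point the reply above makes: two signatures from different jurisdictions do not help when a client accepts any one trusted issuer. `forged_pinned` shows what pinning changes: the forged certificate still chains to a trusted root, but its key is not in the pin set, so it is rejected, and that rejection is exactly the event a pin violation report would carry. `forged_no_ca_c` shows the only other fix in this model: removing the issuer from the trust store.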


It's been obvious since the 90s that if the internet fulfills half of its promises, nations would seek to control it.

Anyone who thought that the internet wasn't going to have state actors and control, also must think that the internet would never be important.


If anything Snowden himself has and will accelerate the erosion he fears.

Even if the UK, France, Germany, etc. can somehow assume that NSA will stop (which is laughable, but let's assume it), they still will have to deal with a resurgent Russia, Iran, and China.

Whatever methods can protect them from China can protect them from NSA, and vice versa. If anything they've been trying for a long time to put up "cyber borders" but policymakers have blown it off as unnecessary when it's just a matter of cyber crime.

Now that Snowden has opened up people's eyes to the possibilities (quite forcefully, I might add), there is now political cover to build those cyber walls, only under the guise of "blocking the NSA" instead of blocking Chinese hackers.

You're right that this has been obvious too. There are no commons that are not regulated by the nations, and militarized when and if they become a threat. Antarctica is only left alone because it's unimportant. The Arctic is a growing strategic concern, and space itself is only a step away from being militarized.

If the U.S. cannot gain strategic value from cyberspace they will certainly not leave it open as a strategic weakness dragging along a "PLEASE HACK ME" sign, and a similar calculus applies to all of the democracies. Whether it's borders, or a national Internet kill switch, or both or more I don't know, but it won't be the same as it was before.


I wouldn't really agree that Antarctica is "left alone".

Antarctica is protected by international treaty but nations are populating it with "research" missions so they have a presence when that treaty is renegotiated. The continent has massive untapped natural resources.

All of which really supports your larger point.


Internet borders and national kill switches are like killing a mosquito with an H-bomb. There are far more surgical options for defending against cyberattacks, and instead of trying to sound sage by predicting doom and gloom (and claiming we knew it all along), we should be implementing and advocating these more appropriate approaches.


> There are far more surgical options for defending against cyberattacks

We still can't even get our coders to stop using C for security-critical code, and you could effectively throw C++ in that complaint bin too. We can't get people to implement crypto appropriately. The list goes on and on. And with cybersecurity you only have to get one thing wrong, especially on an open Internet, while the attacker gets effectively unlimited time and numbers of attempts (although they don't even need that so far, as long as 0-days can be bought off the shelf).

And all the stuff we can't do in the civilian sector, it's even harder to do right in government and military (and apparently critical industry). There's a whole host of things we can do to be better, but half the reason walls will go up is because they are so much better at dealing with novel threats than the idea of "just design and implement everything perfectly, geez".

But either way, Germany's complaint wasn't just cyberattacks. There was also data privacy, and that complaint is centered entirely around the fact that they can't control whether a German's data gets routed to France, UK, etc. even in the course of entirely .de <-> .de Internet traffic.

But the roots are already here, it's not simply a prediction. After the 2007 Russian cyberattack on Estonia, Estonia was able to adapt and recover very effectively... but they still now have a national cyberborder in place, and are just waiting to hit the button (a useful button to have right now, given the crises in the Crimea).

Ironically things like open source will only make this trend easier I think. It's not hard to imagine governments setting up things like ownCloud with a federated model, with replication channels open to friendly nations' instances of ownCloud and closed otherwise.


or that first world democracies would have actually stood up for the combined good of people everywhere rather than just asserting their own narrow organisational goals.


> first world democracies

The people don't rule in the first world. The businesses do. So, "Democracy" is the wrong word. "Plutocracy" and "Oligarchy" are more accurate.


Who rules in the other worlds?


I'd say the First World businesses, although more indirectly. See the "structural adjustment packages" we impose to enslave those countries (devaluing money, favouring exportation…).


20 points, no comments.

Hacker News has nothing to dispute here?

That means something is very, very wrong.


Many people here wish this would all just go away.

Many people here work at companies that are on the PRISM list, or work for core infrastructure gear makers, or telecom network operators.

Some people here work in the "security" industry, which relies on an appearance of security that can be cracked "to catch the bad guys." These people know their tools and services are also used to put dissidents in prison.

The only way forward is to make everyone secure to the highest standards, routinely, for all communications and data storage.


Many people here work at companies that are on the PRISM list

And many, many more work at companies that would very much like to be acquired by a company on the PRISM list.


Perhaps the something wrong is that there is another related link higher up the page.


I think this is one area where most of us agree on. Mind you - that doesn't mean we will do anything proactively to curb the NSA but we agree in principle what Snowden is saying and respect him for his actions.


Silence is consent.


  While the video and audio feed – routed from Russia *through seven
  proxy servers* – was choppy, Snowden’s message was clear.
Seems legit. (Anyone else got that reference?)


I'm imagining the scene from Goldeneye when they're tracing his signal.


I'll create a GUI interface using Visual Basic; see if I can track an IP address.


I told Google all about it!


Guys like Snowden, Assange, Stallman, etc are the best fire fighters humanity will ever have. Bitcoin, Bitmessage, Meshnet, Tor, etc are the tools of the rebels.

We can go to sleep safe. With an eye always open.


“If we allow the NSA to continue unrestrained, every other government will accept that has green light to do the same.”

Drink ejecting through nose.


If we allow the NSA to continue unrestrained, every other government will accept that has green light to do the same.

I think his point, and it's an important and valid one in my opinion, is that those Americans who feel unconcerned about the violation of the rest of the world's rights can expect to see this apparatus turned against them, both by other enemy governments, and by allies in the 5-eyes spying for the NSA on demand and for their own purposes (like GCHQ attacking Google communications).

I don't think he's implying that other countries don't spy and might start (presumably this is what you think is risible), he's pointing out that thinking this mass surveillance is acceptable for others while it is unacceptable for Americans is simply naive and untenable in the world we live in. Either we are all subject to mass surveillance by various unknown state actors, or we can all push back against it for everyone, and restore the original purpose of our intel agencies - to protect the people in the countries they work for from attacks (both on life and information), a purpose which they have subverted and betrayed by becoming the agents of attack themselves, undermining crypto standards etc.

Privacy rights, like human rights, should not depend on the country you come from or where you happen to be, and I agree with his position that targeted surveillance is acceptable in some circumstances, but mass surveillance is not, whoever is doing it; it's just too dangerous.


China might look to what the U.S. is doing once in a while to make sure they are doing it too, but it's weird to expect that they are going to respond to the tone we set. And that's pretty much exactly what the talk of green lights sounds like.

But apparently rhetoric and posture are of great importance in geopolitics and I'm an idiot (because I'm pretty sure most of the rhetoric and posturing that happens in a geopolitical context is aimed domestically).


You can't blame that on the people who wrote the US Constitution, which constitutes the basic law of government in the US. Reading it reveals no distinction between citizens and non-citizens. It relies heavily on the idea of natural rights. It is addressed to the government, not the people. That is, it assumes the people have all the rights, and it carves out a space in which the government is allowed to operate. It is remarkably future-proof. If you hear someone say "They didn't have computers" or similar horseshit you can bet heavily that they are an enemy of freedom.

If only we actually obeyed it.


Do you disagree?


International "norms" are only that; norms.

It is the absolute height of arrogance to assume that other nations will follow the West's lead because we're "right" or "morally superior" or any other bullshit people want to make up.

The implication is that if NSA can engage in mass surveillance, that other nations might think that's acceptable. But the implication is already proven false; NSA wasn't even the first, and the list of countries that do engage in technical surveillance is not just Russia and China.

In the end a nation will or will not use network surveillance because it does or does not help them meet their policy and strategic goals.

After all look at the Russian response to very strongly-held "norms" about the sovereignty of borders in Ukraine. Whatever rhetoric you wish to use to defend their actions, the fact is that they're stepping on one of the few clearly-drawn lines in international law. What's more, the reason that they're doing so isn't because there isn't a "norm" against this behavior, it's because they judged there will be no appreciable penalty for their action. Putin isn't "going rogue" and he's definitely not stupid.

In case you're wondering, that is where the world will be led; power politics instead of wishy-washy Western values, because power politics is what works.


Not to speak for anyone else, but it is plain that some governments will assume a green light to spy on all of their own citizens and residents, and as many citizens and residents of other countries as they can reach, regardless of what the United States does. We have seen this happen more than once.


YES.


Care to share more? This happened when we started fingerprinting all new visitors to the US at airports. Now it's done all over the world.


Speculations about tptacek's amusement:

Maybe he thinks other governments aren't anywhere near having the capability "to do the same", depending on what "the same" is. (Most states could tap cell phone calls off the air or make domestic carriers turn over lots of data, but not tap undersea cables, and probably not extensively compromise commercial telecommunications infrastructure in other countries.)

Maybe he thinks pretty much all governments have been trying to spy on everyone they can for some time now and none of them have so far perceived significant legal, political, economic, or moral deterrents in doing so.

Personally, I think your fingerprinting example is instructive because the practices of one state do have an influence on the practices of another -- though fingerprinting is something that the general public can see directly, unlike most electronic surveillance. After all, the fingerprinting is quite overt. I take Snowden's (and Eben Moglen's) point that states and spooks have talked together for a long time about their deeply shared understanding of spying, and never thought it was necessary to tell or ask the public.


"Maybe he thinks pretty much all governments have been trying to spy on everyone they can for some time now and none of them have so far perceived significant legal, political, economic, or moral deterrents in doing so."

I think that's it. Clearly enough to eject drink from nose to suggest that something that is essentially a secret activity will be stopped merely because the US doesn't do it anymore.

Will point out though that in reverse maybe not as true.

In other words it's quite possible that something that you perceive someone as doing that you hadn't thought of then becomes something that you contemplate.

Let's take an example.

Red light cameras. You see it done in one city and so you say "hey we can do red light cameras".

A bit later another city (say NYC) decides to remove red light cameras (assuming they have them I'm using NYC as "well known and large" for the purposes of this example). Doesn't mean other cities will stop (once the cat is out of the bag or the genie out of the bottle etc.)


Presumably all governments already consider themselves to have a green light for mass surveillance.

All the same, I do think it's possible for someone to take a lead in allowing their citizens privacy. And even if that isn't possible, surely there's virtue in a democratic discussion about the reasons we all have to be surveilled.

http://www.theatlantic.com/magazine/archive/2007/11/just-ask...

There's also the issue that the US government and other members of the five eyes appear to be egging each other on to ever more elaborate ways round local restrictions.


I'd like to add that "everyone else is doing it too" is commonly used by governments like the US to "excuse" their spying.


And the drug war. And copyright law.


I agree that the U.S. pioneered terrible rules in both of these areas and then helped spread those rules around the world. The drug war and copyright law, though, have both been spread by treaties:

https://en.wikipedia.org/wiki/Single_Convention_on_Narcotic_... https://en.wikipedia.org/wiki/Berne_Convention https://en.wikipedia.org/wiki/WIPO_Copyright_Treaty https://en.wikipedia.org/wiki/WIPO_Performances_and_Phonogra...

(Some people have coined the term "policy laundering" to describe creating domestic policy by agreeing to a treaty demanding it, and then pointing to the treaty obligation as a reason that the domestic policy can't be changed -- maybe even within the country whose negotiators first proposed adding it to the treaty!)

I don't think there are many treaties that require states to engage in surveillance. There are civil rights treaties that can be interpreted to restrict it. The closest I can think of is that the Chicago Convention

https://en.wikipedia.org/wiki/Convention_on_International_Ci...

says that civil air carriers must comply with immigration rules, which might be one legal basis for collecting ever more information in identity documents, and for requiring carriers to verify them and share information about travelers with states. (I guess there are similar rules in treaties about ships, too?)


Treaties don't negotiate themselves into existence.

As far as copyright law, the last two examples, TPP and ACTA, were both essentially negotiated in secret, by large corporate interests. After negotiating a treaty (TRIPS, say) the bureaucrats get to propagate the skullduggery.

Wasn't the DMCA an example of policy laundering - raising domestic policies "up to the level required by treaty"?

I think one of the big worries with "Intellectual Property" treaties is that they end up (practically) mandating deep packet inspection, which is surveillance by another name.


And the irony is the UN is calling us out on breaking the treaty by legalizing pot in a few states.

http://www.theguardian.com/society/2014/mar/04/un-warning-ca...


"The International Narcotics Control Board"[1] is 'calling us out' as you say, but I don't think it's quite fair to call them "the UN"[2].

[1] https://www.incb.org/incb/en/about.html [2] http://www.ihra.net/files/2012/04/05/INCB_Briefing.pdf


Why not? See that logo in the upper-right of the page? That's the UN logo. Know who elects its members? ECOSOC, another UN body. Know who nominates at least five of them? The WHO, yet another UN body.

A commission of ECOSOC is also responsible for the scheduling of drugs under the same treaty that set up the INCB.

"Independent" agencies are not unusual in governmental contexts. The FCC, FDA, and FTC are all prominent US examples. "Independent" doesn't mean they're not part of the government, they're just outside the direct control of other parts of the government.

Every time, for example, the FDA bans an import of <whatever>, headlines spring up both inside and outside the US about "the US" banning <whatever>, generally followed within the article by explicit explanation that it's the result of an FDA action. It is not unfair nor even misleading, the FDA is part of the US government, and on the world stage, the US is answerable for its actions.


That is exactly the wording The Guardian used, although maybe we shouldn't take everything they write at face value.


In theory it's the NSA's job to defend us from foreign intelligence agencies. Instead, their behavior has the effect of equipping those agencies with both motivation and moral authority.

That may have been what tptacek was guffawing at. If so, it's hard to argue with him.


He must have some interest on the NSA continuing their mass surveillance efforts, or something. Juicy federal contracts aren't something you turn your back on when you're a 20 year old kid with a public voice.


Yes, anyone who isn't an unquestioning fan of Edward Snowden has a vested interest in NSA mass surveillance.

Jesus, this whole story has made the geek world go retarded.


I disagree with Tptacek in this particular instance; but to allege a conflict of interest like this is petty. AFAIK his security firm specifically does not do defense contracting.


He is not a 20 year old kid, by a long shot. http://www.matasano.com/#overview


It's not something to turn your back on even if you're 40. Thank you for making me see reason.



