Robertson’s Bizarre Screed on Anti-Semitism »« Secret Service Scandal Blamed on Obama and Clinton

NSA Whistleblower: They Have Your Emails

William Binney, who worked at the highest levels of the NSA for thirty years, has blown the whistle on that agency and revealed that the federal government has copies of virtually every email you and I and everyone else has sent for the last few years. Here’s video of him talking about it on Democracy Now:

This shouldn’t be surprising. AT&T whistleblower Mark Klein revealed to the world that the technology to do this was installed in the building where he worked and there is certainly no reason to believe that it hasn’t been installed at other key choke points as well, to split off part of the signal and allow the government to collect every electronic communication of any kind. You can find links to the rest of the discussion with Binney here.

Comments

  1. anandine says

    I thought we had known this for several years. He’s not so much a whistle blower as a reminder.

  2. says

    I think I can have a very small bit of comfort that having a copy of everything doesn’t mean anyone’s read it. Of course that doesn’t diminish the outrageous nature of the whole thing.

  3. says

    I think I can have a very small bit of comfort that having a copy of everything doesn’t mean anyone’s read it.

    You should also google a term “semantic forests” – no, nobody’s reading it with human eyeballs but there are very very sophisticated correlation engines that not only can detect the usual suspicious stuff, but can detect the usual attempts to hide suspicious stuff. (e.g.: using “po-po” as code for “police” is more likely to get you flagged than just using “police”)

    It’s also going to be retroactive – the keywords and combinations are stored. If some day in the future they discover that a certain person of interest used the term “toothpaste” as code for “cocaine” they can run back through and see what falls out and when. You can get a rough feeling for how this sort of system works by looking at google’s word use tracking engine. Imagine a “concept tracking engine” and you’re in the right ballpark.

    And, of course, anything you post on a blog goes in there, too.

  4. RW Ahrens says

    I am much more concerned with the allegation by one of the participants that she is afraid that computers, cell phones, etc., can be used for surveillance without the user’s knowledge.

    How much evidence is there for this? Does anybody have anything besides unfounded allegations? (Besides the use of installed GPS for location data, I’m talking about voice and/or video.)

  5. Kaito says

    Unbound and Richard have the same idea I do. I wonder if I can get those pictures an ex sent me a while back somehow ;P

  6. Reginald Selkirk says

    I guess there’s no point in paying for cloud-based backup service if the NSA is doing it for me for free.

  7. says

    Reginald Selkirk “I guess there’s no point in paying for cloud-based backup service if the NSA is doing it for me for free.”
    And
    they even analyse it for you. That’s added value right there!* They should put an “NSA service fee” on your internet bill.

    * NSA: So much value, not even the Constitution can stand in the way of its bargains!

  8. Janstince says

    MO –

    I was just thinking along those lines. We need more sophisticated spambots that can write euphemisms for drug deals and crimes. They want a taste of power? Let the misinformation begin!

  9. says

    she is afraid that computers, cell phones, etc., can be used for surveillance without the user’s knowledge.

    It depends on the computer, the phone, etc. There have been hacks where “smart phones” are taken over with malware and caused to answer a call then go into conference call mode – effectively making them a remote audio bug into the room where they sit. The same can be done with a desktop or laptop computer if it has a microphone or video camera and a broadband connection.

    The trick with all these attacks is exfiltrating the data without it being obvious. Since I don’t have a lot of bandwidth on my home connection, for example, I’d notice a slowdown if someone was also streaming video out from my iPad (my desktop doesn’t have a camera)

    If you’re worried about NSA or law enforcement, what they’re using is just better spyware than the average hacker can get their hands on. There’s no magical way around the bandwidth problem or being unable to monitor a computer’s audio if it doesn’t have a microphone. For that, there are dedicated audio and video bugs. Those cost more. But there are plenty of incidents where people have found GPS trackers and audio bugs (you can hold a hell of a lot of audio on 32gb usb dongles..) in people’s cars. The fun question is how often the cops/FBI/CIA are smart enough to just use commercial off the shelf bugs, so that if someone finds one they just assume it’s their psycho ex-boyfriend and not the spies…

  10. says

    Hah! So their servers are full of spam! Take that, Police State!

    Nope. When you have a codex that big, spam is really really really easy to filter out. That’s what spamhaus and many of the big services do: let’s say you get the same message 12,000,000 times, and a bayesian classifier says that it’s highly similar to a bunch of other spam in your codex – then it’s spam. But here’s where it gets interesting: you only need to store a given message once – you do compression at the message-level – store the message and “saw this 12,000,000 times sent to (list of targets)”

  11. Scott Simmons says

    Marcus gives me an interesting thought … Let’s add ‘find and prosecute spammers’ to the NSA charter. They can put this data to good use, and maybe stay out of trouble for a while!

  12. says

    I guess the NSA is still depending on the terrorists being unsophisticated in the ways of the Internet. Anyone with half-a-brain can find plenty of ways to communicate via the Internet that are more secure than using code words inside email messages.

    PGP, use of secure message boards, messages embedded inside JPEG images, using some kind of DarkNet, even something as simple as using short links would probably stymie the data mining programs.

    You don’t even need a scheme that is uncrackable. The NSA can’t look everywhere for every possible communication scheme. You just need to come up with one that they aren’t looking for.

  13. Scott Simmons says

    unbound asks: “So who do I contact to get a copy of that one e-mail I lost about 1 1/2 years ago?”
    That’s the beauty of it! You don’t need to contact anyone in particular. Just send an e-mail to any random person asking for your lost e-mail message, and the person you really needed to ask will see it!

  14. says

    Marcus Ranum, so all Al Qaeda has to do is make their emails look like spam?

    That would work but it’d be overkill.

    The technique you’d want to use is “steganography” (the method of hiding communications) typically done atop cryptography. So here’s how you’d do it:
    1) compress your message (removes redundancy)
    2) encrypt your message
    3) encode your message within something else, using things like whitespace, punctuation, line breaks, etc.

    Consider:
    “‘Twas brillig and the slithy toves, did gyre and gimble…”
    versus
    “‘Twas brillig’ and the slight toves did gyre and gimble …”
    A straightforward lexical analysis would miss the whitespace games after “‘Twas” etc. But the downside of that kind of encoding is it’s pretty inefficient. What you’d probably do if you had decent trade-craft would be to encode your compressed, encrypted message in the least significant bits of a JPEG image. That’s what most LOLcats are: spies communicating. You don’t think people really pass those LOLcat images around because they are funny, do you?

  15. John Hinkle says

    Drug companies will be after my emails. They’re very powerful sedatives.

    Now if only they’d pay me royalties…

  16. says

    I guess the NSA is still depending on the terrorists being unsophisticated in the ways of the Internet

    The terrorists could learn a whole lot from the guys who trade kid-porn. I did an investigation a few years ago in which we were looking at some state-of-the art tricks the KP guys are doing. Imagine a server in a rack in some country, that gets broken into by a hacker who uploads a bit of software that sets up a new virtual machine running under the hypervisor, with all its ‘hard drives’ being mapped into the free memory of the server (so it will vanish if the server is powered down) the virtual machine is also running an SSL virtual private network with what appeared to be an additional layer of encryption built in, as well. Then the guy who’s selling the pictures uploads them to the server and sells the password to the mark, who can access the server for as long as it lasts – and, if anyone’s busted, nobody has any incriminating data on their machine unless they’re stupid enough to actually copy it.

    (Oh, I should mention: I have been working as an internet security specialist for 25 years now… Sometimes I run across interesting stuff. Don’t let me get started…)

  17. says

    You don’t need to contact anyone in particular. Just send an e-mail to any random person asking for your lost e-mail message, and the person you really needed to ask will see it!

    Reminds me of the wonderful crack from “Illuminatus”:
    “Put your message in a bottle and bury it under a park bench. One of our underground agents will contact you.”

  18. d cwilson says

    Along with text messaging, email is just about the least secure mode of communication. Just by hitting “send”, you’re running the risk that the recipiants will forward it onto the entire world. Just ask anyone who has ever sent out a racist joke email about Obama. Discussing criminal activity by email is about as stupid as doing it over a phone line that you know is tapped.

    If the NSA thinks they can catch terrorists and drug dealers by wading through all my emails about comics and science fiction movies, good luck to them. I’m sure all the “Fuck George W. Bush” emails I sent out over the past decade has already got me on a list somewhere.

  19. timberwoof says

    Long ago I came up with a long-winded insult: The government keeps a list of people it finds … interesting. Your name is not on that list. The first person I tried it on gave me a look that indicated either boredom or that I was from Mars.

  20. ohioobserver says

    If they’re reading my emails, they’re awfully bloody bored — these jokers need to get a life.

  21. ohioobserver says

    And I’m sure I’ve been on a list since about 1969. Contrary opinions, y’know.

  22. geocatherder says

    Long before I started emailing anyone other than my ISP (to get my account balance), I took a class on networks. (Not the people kind, the technical internet kind.) The first lecture, the instructor wrote on the white board, “An email is a postcard.” He emphasized that all through class. He got through to me. This was years ago, and I’ve never since written an email that could incriminate me were it published on a public forum.

    There are some that might require me to explain something to my spouse: I occasionally write to a friend that “husband did X; AAAAGGGGHHHH!” Friend knows me well enough to know why this frustrates me; it needs explaining to husband. Usually it’s too trivial to bring it up with him. I just need to vent. I vent politely. “AAAAGGGGHHHH!” takes you farther than you’d think.

    An email is a postcard.

  23. gopiballava says

    Is this sort of into useful as a retrospective to analyze who you were talking to before you got smart enough to encrypt and obfuscate?

    I think most serious LOLcat opponents start out by politely requesting that their friends not forward them any more. Then, maybe they exchange a few emails with a friend or two who shares their dislike. Eventually, they realize that direct action is the only solution. And they realize they need steganography.

    If one of them is caught, the NSA can trawl through their email archives and find their friends, and find who 5 years ago shared their mild annoyance at LOLcats. They can investigate those people and determine if they actually became militant as well.

  24. Ichthyic says

    And, of course, anything you post on a blog goes in there, too.

    Well then, these “security” authorities can bit my shiny met…

    *internet connection dropped*

  25. Trebuchet says

    I wonder if they’re still watching me after I sent a letter to Mao Tse-Tung (that’s how it was spelled then) in 1967. Hope they don’t have someone actually reading all my e-mails; we may find out if it’s actually possible to die of boredom.

  26. sithrazer says

    Marcus @21
    I think I actually understood that. It should be possible to write the contents of RAM to hard drives, assuming the server owner or authorities find out which hardware it’s happening on, and from there give investigators something to work with.

  27. says

    @sithrazer:
    It should be possible to write the contents of RAM to hard drives, assuming the server owner or authorities find out which hardware it’s happening on, and from there give investigators something to work with.

    Yes, there are tools for doing that (most notably Encase) The thing is that most of the time, the first thing an administrator does if their server’s acting weird is… reboot it. If an expensive investigation was launched (expensive because they’d have to pull someone like myself into it; the FBI can’t do this kind of stuff, they lack the skills) they’d have to be on the inside of the process and be able to get in front of the bad guy before they came in. When they did, all they’d get was the guy’s IP address and generally they’d find it’s some residence with an unsecured wireless access point. That, by the way, is a biggie: if you have a home wireless access point, turn on WEP. I know a guy who had his door kicked in by a bunch of federal agents who stormed in with guns drawn because they were sure he was the guy distributing kid-porn. Actually, it was just that he had his wireless open, and the kid-porn guy was periodically driving by and using his wifi as a jumpoff.

    When I think of the downsides of getting caught, I think kid-porn and terrorism are about par. Not surprisingly, the kid-porn guys go to some extreme lengths to conceal and obfuscate their actions. Yet the terrorists appear to not be very clever about the Internet. When Khalid Sheik Mohammed was captured, his Dell laptop didn’t even have encryption on the hard drive (since they couldn’t waterboard him for the password, I guess they waterboarded him anyway…) Terrorists’ use of the internet has been relatively unsophisticated except for the Israeli and US efforts aimed at Iran.

  28. llewelly says

    RW Ahrens says:

    I am much more concerned with the allegation by one of the participants that she is afraid that computers, cell phones, etc., can be used for surveillance without the user’s knowledge.

    Of course they can be – it was only a few months ago that Ed blogged about a school which used student’s computers to take pictures of them without their knowledge.

    If you run proprietary software on you computer – Windows, Mac OS X, Office, Photoshop, Adobe Acrobat, Adobe’s flash player (which you use every time you view a youtube video – or most ads), it is doing some things which are unknown to you. This is an unavoidable requirement of its end-user license; you cannot legally reverse engineer it, or try to discover its inner workings.

    Most – perhaps all – of the things said proprietary software does are legitimate, more or less, but from time to time there are incidents like the CarrierIQ incident, in which it is revealed the software does indeed collect information about its users and pass it on.

    But perhaps most importantly – many bills have come before congress, including CISPA, which went on the floor today, which specifically require proprietary software vendors to comply with government requests to monitor people, gather information about it, and provide a means for law enforcement to search it effectively.

    It is notable that the Business Software Alliance has supported every one of these bills. Microsoft has supported most of them as well, and last I checked they were still supporting CISPA. Same for facebook, and many other large software businesses.

    If they are not interested in gathering information about their users, without the users’ knowledge, and passing it on to the government, why are they so interested in supporting laws which require them to do so?

  29. sithrazer says

    Speaking of WEP, I actually had to hack my own wireless router to turn it on. Bug in the javascript form it used for the user interface.

    Anyway, you’re right about the reboot thing, and that goes for pretty much any piece of electronics not just servers. Still, I’d think anything as large as an image server would take up…well, I take that back. I imagine it would hardly register as a blip on the load in a major datacenter.

  30. says

    I wonder if they’re still watching me after I sent a letter to Mao Tse-Tung

    Count on it.

    And now they’re watching me for saying so.

  31. says

    And now they’re watching me for saying so.

    You guys are thinking about this all wrong. They are watching everyone.

    That’s the point. The question is whether you’re selected for attention and that can mean everything from a “random” airport search or IRS audit to being thrown in a hole and tortured without access to a lawyer, like Jose Padilla. And it’s all retroactive: what you say can be used against you, and now what you said can also be recovered.

  32. Uncle Glenny says

    Hah! So their servers are full of spam! Take that, Police State!

    Yeah. I get much more spam than usable email (even though I’m on loads of junk lists) and nearly all of it is filtered out.

    I use a forwarding service which does this, and sends me a summary daily of the stuff it held up. My ISP then fails to send me the summary because it looks like spam.

    Good times!

Leave a Reply