[Discussion] Surveillance and the Police State

General observations on surveillance and accrual of police powers.

Jonman wrote:
DanB wrote:
Atras wrote:

but the big ones are to prevent rebellion, prevent crimes, seek out dissidents, and to find political enemies.

Looking back through history dissent and rebellion have frequently been social goods. If you can get rid of them a lot of social progress will stall.

I don't think that Atras' point was that the end-goal that justifies mass surveillance is social progress.

Yeah, thanks Jonman, I thought it was pretty obvious. The idea behind running mass surveillance for security falls pretty firmly on the "those who would give up their liberty for freedom deserve neither" spectrum. I can understand the political peril of saying anything against the mass surveillance system, not everyone can be Winston Churchill or FDR and tell people to be brave, but there really should be a way to talk up the American psyche into buying the link between the land of the brave and the home of the free. It would take a monumental politician, in an ideal situation to take any steps towards dismantling the mechanisms we've got in place now, and while I actually think Trump could get away with it, he clearly has no desire to do so.

Look at how willing people are to subject themselves to bullsh*t security just for the sake of feeling like they are safe: no liquids in the airport, removing shoes, getting body scans. There is no public will to make any strides on this, so it drives me nuts when people point to the two political parties having no measurable difference in their stance on this as a justification of saying they are the same. The modern conservative narrative is that people need to be monitored so that the bad guys can be caught and dealt with before they hurt anyone, and the modern liberal narrative is that only the bad guys have anything to fear with the surveillance in place, so why not have it? The end result is still contrary to what we say we believe, but it's not far from what people expect. If the population actually cared enough to fight back against these problems, I'm pretty sure I know which ideology would be more willing to listen.

Right you are, misread that.

Vault 7: CIA Hacking Tools Revealed

CIA malware targets iPhone, Android, smart TVs

[....]

The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS. After infestation, Weeping Angel places the target TV in a 'Fake-Off' mode, so that the owner falsely believes the TV is off when it is on. In 'Fake-Off' mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.

[.... lots of discussion about iPhone and Android hacks, but I imagine those probably aren't news to most of us ....]

The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized "zero days", air gap jumping viruses such as "Hammer Drill" which infects software distributed on CD/DVDs, infectors for removable media such as USBs, systems to hide data in images or in covert disk areas ("Brutal Kangaroo") and to keep its malware infestations going.

[....]

The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB's "HIVE" and the related "Cutthroat" and "Swindle" tools, which are described in the examples section below.

CIA 'hoarded' vulnerabilities ("zero days")

In the wake of Edward Snowden's leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis — rather than hoard — serious vulnerabilities, exploits, bugs or "zero days" to Apple, Google, Microsoft, and other US-based manufacturers.

Serious vulnerabilities not disclosed to the manufacturers places huge swathes of the population and critical infrastructure at risk to foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities so can others.

The U.S. government's commitment to the Vulnerabilities Equities Process came after significant lobbying by US technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities. The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis.

"Year Zero" documents show that the CIA breached the Obama administration's commitments. Many of the vulnerabilities used in the CIA's cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.

[....]

Cyber 'weapons' are in fact just computer programs which can be pirated like any other. Since they are entirely comprised of information they can be copied quickly with no marginal cost.

Securing such 'weapons' is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces — sometimes by using the very same 'weapons' against the organizations that contain them.

Who? Who exactly could have imagined that the Internet Of Things would be a total sh*tshow for people's personal privacy?

Snowden's got some great observations:

https://twitter.com/Snowden/status/8...

If you're writing about the CIA/@Wikileaks story, here's the big deal: first public evidence USG secretly paying to keep US software unsafe.
 
The CIA reports show the USG developing vulnerabilities in US products, then intentionally keeping the holes open. Reckless beyond words.

Another interesting observation, from a reddit user:

The CIA can make its malware look like that of a foreign intelligence agency by using known fingerprints of their adversaries. This makes you think twice when you hear cyber security 'experts' claiming to know who the threat actor was based on source IPs and code analysis. http://i.imgur.com/X22l2Y7.png

In other words: when people claim that the Russians hacked things, now that we're being told that the CIA is both grabbing things written by other governments and repurposing them, as well as deliberately disguising their own malware to look like it comes from others, how do we know for sure that it was actually the Russians?

They make a damn fine catch-all villain.

Not that I think they're good guys, but the CIA is full of literal monsters as well. Secrecy is power, and power destroys morality. And they've been full of neocon-types for decades.

In other words, to put it even more bluntly, Trump might be president because of the CIA, not Putin.

Malor wrote:

In other words: when people claim that the Russians hacked things, now that we're being told that the CIA is both grabbing things written by other governments and repurposing them, as well as deliberately disguising their own malware to look like it comes from others, how do we know for sure that it was actually the Russians?

They make a damn fine catch-all villain.

Not that I think they're good guys, but the CIA is full of literal monsters as well. Secrecy is power, and power destroys morality.

But now they know that we know that they know that we know that they can fake foreign fingerprints so they may fake not faking fake fingerprints just to throw us off.

All that requires is that Obama wanted Trump in place, or that the CIA - an agency Trump abhors and distrusts - worked deliberately to put him in power and advantage Putin using Russian cut-outs, Russian banks, Russian techniques, and in the end created a situation to the great advantage of Putin. So... The CIA is all powerful and incompetent and working for the Russians? That's a far, far worse scenario than just hiding exploits.

Or, things could be as they seem, with the Russians following what is almost a century of influencing elections, practicing dirty tricks and information warfare, things they have been expert at for, again, nearly a century. Which is more likely?

Robear wrote:

All that requires is that Obama wanted Trump in place, or that the CIA - an agency Trump abhors and distrusts - worked deliberately to put him in power and advantage Putin using Russian cut-outs, Russian banks, Russian techniques, and in the end created a situation to the great advantage of Putin. So... The CIA is all powerful and incompetent and working for the Russians? That's a far, far worse scenario than just hiding exploits.

Or, things could be as they seem, with the Russians following what is almost a century of influencing elections, practicing dirty tricks and information warfare, things they have been expert at for, again, nearly a century. Which is more likely?

Zebras, clearly.

an agency Trump abhors and distrusts

But did they know that before the election?

All I'm really saying is this: we have no way to know. The government shouldn't be run that way. The people hiding behind the secrecy, and demonstrably willing to lie to their overseers, are in real charge of the government.

Are they exercising that power yet? They absolutely have it. They're willing to lie about using it already, even to the people that they're supposed to answer to. So we literally cannot know. Not even Congress can really know.

That's why Congress isn't in charge anymore. Neither is the Executive Branch. And they've demonstrated their willingness to lie even to the FISA court, so the Judicial branch has no useful oversight of them either.

Nobody is in charge of the CIA except the CIA. The only actual limit on what they do is what they're willing to authorize themselves to do.

One thing that's universally true about the surveillance state: every time there's a leak, things are always so much worse than "reasonable people" were willing to imagine.

It might be time to consider that maybe things are a lot worse than even the leaks are showing us.

So when we can't be 100% sure of something then anything is possible? I can't prove beyond the shadow of a doubt that the CIA fixed the US election to elect Trump therefore it's equally as likely that Trump is a time traveler from another dimension who came here to destroy our reality. I can't say that both of those options are on the table just because I can't disprove or prove the first scenario.

We should be able to know that can't be true.

Malor wrote:
an agency Trump abhors and distrusts

But did they know that before the election?

So the CIA is an all-seeing, all-powerful cabal who didn't bother to use any of their black-ops magic (or basic common sense) to figure out what the guy they were supposedly trying to illegally install as president thought about them and their dastardly plans (which are what, exactly?)?

And that's overlooking the teeny, tiny issue with your scenario where the CIA was actively working to get someone who was rumored to be compromised by the same foreign government it battled for decades (and that was very likely the cause for a lot of the stars in monument in the CIA's lobby) because...reasons.

Malor, we are not limited to looking *just* at the CIA. In fact, looking at it in isolation is part of what is leading people to conspiracy theories.

We actually have a century of data on how Russia operates its intel, the types of operations it prefers, and the ones that it is best at. They fit the scenario that's been made public. We know that Putin is ex-KGB/FSB, and that he's operated strongly enough in political maneuvering to destroy the effectiveness of opposing parties, in large part by discrediting, blackmailing, browbeating and killing opponents. We know that he uses proxies in other countries, covertly funding opposition parties in Europe, for example. We know that his proxies have supported Wikileaks (cf RT and its close support of anti-Clinton Wikileaks releases). We know that Putin's interests lie in reducing US influence in the Middle East and Eastern Europe, and Trump has both supported that (in discrediting NATO, for example) and openly admired Putin. We know when and how Putin's Russia has affected previous elections and foreign political environments, and we see the same here.

Up against that, we have your correct assertions that intelligence agencies are designed to be secretive and break the law in defense of the country. We know that they need to be reined in occasionally. This is not news. And considering that the CIA has been around since the '50's, neither does it indicate that they want to take over or break the country, else if they had the inclination, they'd have done it already.

Which is more likely, that Russia is acting as they always have and Trump and company fell for it? Or that the CIA acted against its own and the national interest in setting Trump up to frame him, somehow, in a situation in which he had already willingly placed himself?

My general take on this is that the number one thing we can be sure of is that CIA analysis that certain states carried out specific cyber attacks can no longer be trusted/verified. Going beyond all this to Trump/Russia theories is speculative at best and tinfoil-hat conspiracy at worst.

To my mind the more interesting wrinkle in all this is examining the motivation and timing for these leaks. It seems like it is designed to discredit the CIA at a time when Trump is speaking out against the CIA. Who provided these files? Why are wikileaks releasing them right now? What are the criteria through which they choose what and when to release and what to hold back?

Judging by the DNC leak, this leak and their respective timings it seems like one or more actors are working with wikileaks on behalf of Trump. Or at least we should ask serious questions about whether or not this is the case. Also, is wikileaks complicit in this or has it completely abrogated any journalistic standards and simply doesn't seriously verify and examine the motivations of its whistleblowers? Either of those scenarios is terrible.

If you're actually conspiracy minded, you also have a whole debacle in Oct '16 where Julian Assange loses internet for some time and then a batch of their insurance files are published where the hashes don't match. Which has raised some, still unresolved, questions about whether or not wikileaks is compromised.

Wikileaks has long been compromised by its own actions in support of state actors looking for a deniable outlet for disinformation. Not to mention the ethical weakness of Assange (for instance, in not redacting the names of people in earlier intel dumps, leading most likely to deaths). Not to mention his own history in fleeing charges in his home country.

Malor wrote:
an agency Trump abhors and distrusts

But did they know that before the election?

They did:

http://www.usatoday.com/story/news/p...

http://www.politico.com/story/2016/0...

http://www.businessinsider.com/donal...

Robear wrote:

Wikileaks has long been compromised by its own actions in support of state actors looking for a deniable outlet for disinformation. Not to mention the ethical weakness of Assange (for instance, in not redacting the names of people in earlier intel dumps, leading most likely to deaths). Not to mention his own history in fleeing charges in his home country.

WikiLeaks spread fake stories about Clinton and the Democrats, including the blood libel against Podesta ("spirit cooking"), lying that Bob Beckel was a Clinton strategist so they could use a years-old video against her, even directly linking to a /r/The_Donald thread on reddit. Roger Stone admitted that Trump's team communicated with WikiLeaks through back channels.

Assange lives in his own world. Chaotic Neutral. But yes, he does hate Clinton, and I remember the reaction here when several of us pointed that out during the campaign.

DanB wrote:

My general take on this is that the number one thing we can be sure of is that CIA analysis that certain states carried out specific cyber attacks can no longer be trusted/verified. Going beyond all this to Trump/Russia theories is speculative at best and tinfoil-hat conspiracy at worst.

Does it? I guess that comes down to where you believe the loyalties of the CIA lie. The CIA's analysis of "state X did thing Y" has never been dependent on their ability to fake the digital fingerprints of various states, unless they're showing the evidence they used to come to that conclusion, which is likely classified in most cases. Since you can't see the evidence, and they know you won't see it, they've always been able to lie about who's responsible for something.

What it does let us know is that, if true, the analyses of other countries' intelligence services as to the perpetrators of digital attacks are now in question, as the possibility may exist that the CIA may have been responsible.

Really, it comes down to what your level of trust in the CIA is, and where you think their loyalties and motivations truly lie. Frankly, if we're actually in a situation where the CIA has gone rogue, and is no longer acting with the best interest of national security in mind, within the bounds of Constitutional law, we're in a real dark place already.

US spies still won’t tell Congress the number of Americans caught in dragnet

Oversight. There is none.

The reason they won't tell Congress how many Americans are being spied on? Because the answer is "all of them, including you."

I mean, literally, these guys refuse to tell their overseers what they are doing.

Their argument is that telling Congress this information, which they are legally required to provide, would violate the privacy of American citizens.

Yes. That is their actual argument. "We won't tell you how many people are having their privacy violated because that would violate their privacy." They are submitting this argument with a straight face, and refusing to comply with the law.

Oh, and they also use this justification:

Further, searching for U.S. person information would require intelligence agencies to divert scarce analyst time and computing resources away from intelligence activities in order to hunt for the communications of U.S. persons whose information is not related to an authorized intelligence need (and whose information would never be looked at by the government but for this requirement).

Ie, "we're too busy to comply with your pesky oversight. Go away, unimportant people."

Chaz, the Five Eyes agreement means that any such obfuscation by the US intelligence agencies would have to be approved by the other members, or it would very quickly become obvious that we were doing one thing and saying another. That would put the agreement at risk. Countries do react to problems in this; the Canadians stopped sharing at the end of January because an organization at the NSA forgot to remove PII metadata from the files they shared about Canadian citizens.

So in a way, Five Eyes does actually make it harder for intel agencies in those countries to lie to their citizens, because if in doing so they create distrust on the part of the other countries, then the agreement will break down.

Note that I said harder, not impossible. Remember that all the major players have unrelated (and related) avenues of information into each other, so an attribution that does not match the facts could be brought out by both allies and rivals at a later time. Because of the comprehensive nature of modern technical assets, fake digital attributions have to mimic the real ones not just in online tools and "pocket litter", but in all the other myriad minutiae that surround an operation. That's really hard and not something to be done routinely. Consider, too, that the country that it is attributed to will know that it is not true; such actions have diplomatic as well as covert implications and responses, and these can be quite damaging in the future.

I know it *seems* like it's all just technical 'sploits that can be thrown around with abandon, but if you pull back to the big picture, false attributions like this can't be done in isolation without the possibility of severe consequences that surface well beyond the limits of the covert world. That's worth remembering when contemplating conspiracy theories. Intelligence agencies can't just build gigantic, tottering structures of lies and expect other countries not to catch on. We are no longer in the 50's. Just the act of doing that would create new vulnerabilities that would bite us in the ass when we least need that.

Malor wrote:

Their argument is that telling Congress this information, which they are legally required to provide, would violate the privacy of American citizens.

Yes. That is their actual argument. "We won't tell you how many people are having their privacy violated because that would violate their privacy." They are submitting this argument with a straight face, and refusing to comply with the law.

Their argument is that they analyze communication data that has been anonymized.

In order to answer Congress's question they would have to de-anonymize all that communications data, build another massive database with it, and then analyze all that information to figure out if they were looking at the communication data of Americans who lived outside of America in the first place.

So, yeah, answering Congress's question would require the NSA to violate the privacy of American citizens. I don't think many people would be comfortable knowing that their every call, email, and internet activity was being analyzed by the government just so it could give Congress a number. On top of that, building that database would likely violate the law.

And if Congress *really* doesn't like what's happening then they have the ultimate power. They can simply choose not to fund the program anymore.

And if Congress *really* doesn't like what's happening then they have the ultimate power. They can simply choose not to fund the program anymore.

And their re-election campaigns would mysteriously fail to thrive. Funny how that works, when you can sandbag your putative bosses because you know absolutely everything about them.

Uhh. Yeah.

The BGOV Barometer shows that 90 percent of House members and 91 percent of senators who sought re-election in 2012 were successful, exceeding the incumbent re-election rates of 2010, when 85 percent of House members and 84 percent of senators seeking re-election were successful. (Dec 13, 2012)

Malor wrote:

And their re-election campaigns would mysteriously fail to thrive. Funny how that works, when you can sandbag your putative bosses because you know absolutely everything about them.

Don't attribute things to the machinations of a mysterious cabal when there are much simpler answers.

Their reelection campaigns would take a hit because their challenger could paint them as someone who endangered the lives of Americans by refusing to give the NSA what it needed to find and take down terrorists.

Malor wrote:

Another interesting observation, from a reddit user:

The CIA can make its malware look like that of a foreign intelligence agency by using known fingerprints of their adversaries. This makes you think twice when you hear cyber security 'experts' claiming to know who the threat actor was based on source IPs and code analysis. http://i.imgur.com/X22l2Y7.png

I'm going to need a better source for this, that analysis seems dubious.

A lot of what people have been saying about this latest Wikileaks dump appears to be overblown, and that security professionals already knew about the potential of spoofing sources.

I'm not fond of the state of US surveillance against Americans, but let's not exaggerate this into something that it isn't.

Spoofing and more generally misattribution has been used probably since Roman times, or even before. Remember the Polish commandos who attacked the German border posts and occupied nearby towns, killing soldiers and civilians in the process? Yeah... That kicked off the invasion of Poland, "in retaliation".

It's not new, and it's a very dangerous tool to use in a situation like the one we have today. The larger the conspiracy, the harder it is to arrange and the more likely it is to screw up or be betrayed.