On Mon, Jun 10, 2013 at 01:30:19AM -0700, x z wrote: > First of all, I don't feel offended by Jacob's reply to my email at all, > probably because I know and expect his style of wording. So far I think the > discussion is still pretty civil.
I concur. This is what spirited discussion looks like. It's healthy. Let's dig in. > - The PRISM slides do not prove such "direct access" (as we interpret it) > exists. [snip] You're correct. To take your point further, they don't prove *anything*, they...well, for lack of a better word, they "indicate". They point in a general direction, omitting significant details -- which is of course why we're debating just what those details are. But, that said: the NSA (and every other similar agency) has a long history of engineering for their convenience over engineering for due process and safeguards. And certainly "direct access" is far more convenient for them than multistep processes. So I think it's pretty safe to say that the NSA would very much *like* "direct access" if they can get it. Which leaves us with the question of whether or not they have. Yet. > - The firms (Apple, Google, Facebook, etc) do not have any incentive to > participate in such a program to offer "direct access" to NSA. Ahhhh, but I think they do. There's a message I noticed on this list this morning, which was forwarded from Dave Farber's excellent "IP" (Interesting People) mailing list and explains one such incentive: https://mailman.stanford.edu/pipermail/liberationtech/2013-June/008815.html > Then, what kind of power do people think NSA possesses that > can secretly coerce these firms into cooperation?? That kind of power. (see link, just above). To paraphrase an old saying, you can get much more with a kind word and a hide nailed to the wall than you can with just a kind word. > Will these firm's CEO or Chief Legal Officer go to jail, for not providing > "direct access"? Maybe. See above. But jail is not the only possible unhappy outcome. There are other kinds of pressure that can be brought to bear as well. Consider the set S of {all Cxx executives at all the tech companies mentioned so far plus the ones involved but not yet mentioned}. Now consider the number N of members of set S who (a) are in financial difficulty (b) have a monkey on their back (c) have something in their past (d) did something dubious on their tax returns (e) failed to disclose something to the SEC (f) etc. As the size of set S increases, the probability that N=0 decreases. And whatever N is, it provides N opportunities for leverage. I think it's also safe to say that some of those people would do it merely because they're asked: it appeals to their sense of patriotism. We might argue that this is wrong, that it violates the Constitution and thus is about as unpatriotic as it's possible to be; but they would not agree with us. And there's another approach: large companies like this are very sensitive to bad press, or even the possibility of bad press. None of them want any part of this potential future story: "US law enforcement: we could have stopped [name of future attack], but Internet giant Blah, Inc. wouldn't cooperate." Yeah, that's a longshot, but to risk-averse Cxx people, it might be enough of a nonzero probability to convince them. (And there's already a long history of "blame the Internet" narratives, so it would dovetail nicely.) Blah, Inc.'s stock would drop a kazillion points in the minutes after that story broke and thus so would the personal fortunes of many. Then there would follow recriminations and the blame game, board meetings and firings, and in the end, suitably obedient people would be put in place to make sure that it never happened again. > - If all these "participating" firms have built such a system to feed NSA's > request automatically, many people would have got involved. This is not a > trivial task, the executives need to find engineers to make it happen. And > the number of engineers won't be small, given the diversity of data > mentioned here. I think this is the strongest argument in support of your proposition. I've spent some time over the past few days trying to figure out how this could be done and haven't yet figured out a method that would be likely to succeed. On the other hand, the NSA has had years, billions of dollars, and thousands of people to throw at the problem, so if a solution within those constraints exists, they're far more likely to have found it than I'll ever be. But let me requote something you wrote: "[...] the executives need to find engineers to make it happen." Not if the executives weren't involved. The NSA *could* go directly to the NOC engineers, for example, and there are certain advantages to doing so: for one, these are people with a lot less wealth and power, thus perhaps more readily manipulated. For another, these are the people who actually need to do the work -- unlike the Cxx-level people who don't need to be involved. And by leaving the Cxx people out of the loop, their subsequent public denials would be more credible because they'd be sincere. When's the last time Eric Schmidt racked and cabled a router? The NSA could also *be* the NOC engineers: planting their own people would be very useful and I'm certain they have the capability to do so. That alleviates the need to ask anyone: they can simply be ordered. That last is pretty much what I'd do if it were my gig. It would take time, maybe lots of it, but it'd probably be more effective than any of the alternatives. Also cheaper. Annnnd I'd also, by the way, develop custom lookalike hardware. (With the NSA's budget, this could be done with chump change.) Who's going to open up a Cisco router and yank a board and look at it closely enough to figure out that it didn't come from Cisco? Exercise: search the web for "fake cisco hardware" or "counterfeit cisco hardware", i.e., it's already been done. Some of the people doing it have been caught. I doubt they all have. > - I don't know how some people on this list can get the conclusion that the > firms are hiding something from they all having similar "carefully worded > denials". I can't speak for others, but I have a finely-tuned bullshit detector, thanks in part to Mssrs. Haldeman, Erlichman, Libby, Magruder, et.al. who provided much of my early education. ;-) And these denials are setting it off. I wouldn't call it so much a "conclusion" as "a very strong hunch". > They all deny "direct access", that's the most crucial part. Yes, they do. But there is the strong scent of weasel-wording here, of the denial of one precisely-phrased allegation in a particular way. The consistency and specificity of the denials leads me to think that they've been carefully wordsmithed to tell the smaller truth...sort of...mostly...kind of...while scrupulously avoiding telling the larger truth. As in: "A man who tells lies, like me, merely hides the truth. But a man who tells half-lies has forgotten where he put it." --- Mr. Dryden, "Lawrence of Arabia" Maybe I'm wrong. Could be. (This is one of the cases where I'd be happy to be proven wrong -- that is, I hope you're right even though I think you're not.) Maybe we'll find out. I dunno. ---rsk -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech