[clug] Offline snooping

Paul Wayper paulway at mabula.net
Sat Feb 1 19:35:04 MST 2014


On 02/02/14 12:23, Scott Ferguson wrote:
> Yes it *is* paranoia [*1.]. It's unlikely 'they' are out to get you. If
> anything what the Snowden revelations have confirmed is that:- ;'they'
> are out to get certain people and organisations (targeted) ;'they' are
> out to get certain hardware (targeted) ;'they' are demonstrably and
> patently *not* doing a very good job of the former

I'd certainly agree that a lot of the NSA's wonderfully named operations and
activities ("EGOTISTICALGIRAFFE", anyone?) are generally targetable -
spyware on computers, intercepts in data centres and on landlines, etc etc
etc that's all capable of being used to get data out of one particular
person under surveillance.

Yet none of that is incapable of being used across wide swathes of
information.  It doesn't matter how many of a suspect's phone calls you
record and how many innocent conversations you listen to, sooner or later
you're going to record the one that describes where the bomb is to be
planted.  So if you just keep those other recordings around, sooner or later
you can go back to them and concoct a bunch of conjecture that makes them
look guilty - I mean, find some more evidence.  Right?

And then there's metadata.  You can find a lot out from metadata.  All sorts
of useful patterns show up:


And, funnily enough, when people start looking for patterns - when people
start looking for suspicious behaviour - surprise surprise they start
finding it:


This leads people with lots of resources and endless suspicion to find moles
and spies where they don't exist, and miss the ones that are not just under
their nose but have gigantic flags attached to them saying "Hey, I'm a spy!".

The NSA, to use the analogy, is building a gigantic haystack.  There's no
way it can search through it using anything but the crudest of tools.  But
there's needles in there somewhere!  They've got to be there.  And all the
NSA needs to do is find enough things that look like needles - thin rocks,
plant stems - to justify its continued acquisition of lots of hay and robots
to sift through looking for anything that's small and thin and harder than a
piece of straw.  If this thing looks enough like a needle, they can probably
make it look enough like one to impress the public, or the senators, or
each other, or whoever they need to impress.

Statistically, the problem here is due to the base rate fallacy:


Ethically, in my opinion, I call it Pulling A Cardinal Richelieu:


I.e. "If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him."  If you look at
enough information about a person, with the right (suspicious) mindset you
will find enough to find them guilty of something.  Then you start
investigating further and find even more, and so on.

If your tools are automated, so that they just look for correlations, then
it's entirely possible for any one of us to look suspicious enough to
warrant further investigating.  If you went to LCA 2012, your social network
intersects with Jacob Appelbaum (and don't the NSA love watching him).  I'm
sure the CLUG list has people who have ... experimented with network
security systems in a somewhat darker than white hat manner.  MakeHackVoid
is probably seething with malcontents and anarchists :-)  There's a good
chance your phone list contains someone under surveillance (250,000 people
watched by Federal police from memory from Simon Oxwell's statistics from
2012 - out of a population of less than 25 million that means one
in a hundred people on average).


To address the original post, and most of what's gone on in this
conversation: yes, most of us have nothing to fear.  We may be looked at in
passing due to our associations with other people, but we aren't involved in
anything fundamentally wrong.  The eye of the security complex passes over
us and moves on.  We need not fear these expensive bugging technologies that
require lots of work to install and maintain - they are not for us.   We
don't need to glue our computers together or encrypt everything or coat our
studies in copper mesh.

We merely add to the vast quantity that the NSA sifts through looking for
something - fundamentally - to justify its existence.  And that's what I fear.

Just play it safe, eh?

Have fun,
