NSA Scraping Buddy Lists and Address Books From Live Internet Traffic

Charliemopps writes that the Washington Post reports "The NSA is collecting hundreds of millions of contact lists from all over the world, many of them belonging to Americans. They intercept them from instant messaging services as they move across global data links. The NSA is gathering contact lists in large numbers that amount to a sizable fraction of the world's e-mail and instant messaging accounts." According to the leaked document (original as a PDF), the NSA is intercepting some chat protocols and at least IMAP, and then analyzing the data for buddy list information and inbox contents.
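
The story says the collection works by pulling contact data out of IMAP and chat traffic as it crosses fibre links. An added example, not code from the Washington Post story or the leaked document, of what a passive tap recovers from a plaintext IMAP session, and what it recovers once the client has negotiated STARTTLS before logging in. Both session captures are constructed, the `C:`/`S:` prefixes are a notation for this example rather than IMAP syntax, and the header regex does not handle folded (multi-line) header values.

```python
"""Contacts visible to a passive tap on an IMAP connection.

Added example, not from the Washington Post story or the leaked document.
The captures are constructed; "C: " marks client lines and "S: " server
lines (that prefixing is notation for this example, not IMAP syntax).
"""
import re
from email.utils import getaddresses

# Headers that carry mailbox addresses; a FETCH of HEADER.FIELDS returns them verbatim.
ADDRESS_HEADER = re.compile(r"^(From|To|Cc|Bcc|Reply-To):\s*(.*)$", re.IGNORECASE)

# Constructed: the client authenticates and fetches header fields with no TLS at all.
CAPTURE_PLAINTEXT = """\
S: * OK IMAP4rev1 ready
C: a001 LOGIN alice@example.org hunter2
S: a001 OK LOGIN completed
C: a002 SELECT INBOX
S: * 2 EXISTS
S: a002 OK [READ-WRITE] SELECT completed
C: a003 FETCH 1:2 BODY[HEADER.FIELDS (FROM TO CC)]
S: * 1 FETCH (BODY[HEADER.FIELDS (FROM TO CC)] {108}
S: From: Bob <bob@example.net>
S: To: alice@example.org
S: Cc: "Carol Q." <carol@example.com>, dave@example.org
S:
S: )
S: * 2 FETCH (BODY[HEADER.FIELDS (FROM TO CC)] {57}
S: From: erin@example.edu
S: To: Alice <alice@example.org>
S:
S: )
S: a003 OK FETCH completed
"""

# Constructed: the same client, but it upgrades to TLS before logging in.
CAPTURE_STARTTLS = """\
S: * OK IMAP4rev1 ready
C: a001 STARTTLS
S: a001 OK Begin TLS negotiation now
<TLS handshake and encrypted application data follow; nothing readable>
"""


def _client_cmd(line):
    """('tag', 'COMMAND', [args]) for a client line, else None."""
    parts = line.split()
    if len(parts) >= 3 and parts[0] == "C:":
        return parts[1], parts[2].upper(), parts[3:]
    return None


def starttls_negotiated(capture):
    """True once the server answers a STARTTLS command with a tagged OK."""
    pending_tag = None
    for line in capture.splitlines():
        cmd = _client_cmd(line)
        if cmd and cmd[1] == "STARTTLS":
            pending_tag = cmd[0]
        elif pending_tag is not None:
            parts = line.split()
            if (len(parts) >= 3 and parts[0] == "S:"
                    and parts[1] == pending_tag and parts[2].upper() == "OK"):
                return True
    return False


def extract_login(capture):
    """(username, password) from a plaintext LOGIN, or None if not exposed."""
    if starttls_negotiated(capture):
        return None
    for line in capture.splitlines():
        cmd = _client_cmd(line)
        if cmd and cmd[1] == "LOGIN" and len(cmd[2]) >= 2:
            return cmd[2][0], cmd[2][1]
    return None


def extract_contacts(capture):
    """Set of lower-cased addresses found in address headers the server sent."""
    if starttls_negotiated(capture):
        return set()          # after the handshake the tap sees only ciphertext
    found = set()
    for line in capture.splitlines():
        if not line.startswith("S: "):
            continue
        m = ADDRESS_HEADER.match(line[3:])
        if m:
            # Folded (multi-line) header values are not handled in this example.
            for _display_name, addr in getaddresses([m.group(2)]):
                if addr:
                    found.add(addr.lower())
    return found


if __name__ == "__main__":
    print(sorted(extract_contacts(CAPTURE_PLAINTEXT)))
    print(extract_login(CAPTURE_PLAINTEXT))
    print(extract_contacts(CAPTURE_STARTTLS), extract_login(CAPTURE_STARTTLS))
```

The plaintext session gives up every correspondent in the fetched headers and the mailbox password with it; the STARTTLS session gives up nothing after the tagged OK, which is the whole argument for "encrypt everything" rather than for where the server sits.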


  1. Raspberry Pi to the rescue! by Noryungi · · Score: 4, Insightful

    Host your own email server on a Pi. Encrypt everything. Go back to Fidonet or even to snail mail.

    I am in the process of doing just that.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Raspberry Pi to the rescue! by rasmusbr · · Score: 3, Insightful

      Great idea, now all we need is to found a nation based on Raspberry Pi ownership and/or the ability to host your own servers for email and other communication, outlaw communication with foreigners, and then we should be all set!

      The world could really use someone or some corporation with lots of resources and no ties to government to fund, and fund indefinitely, an effort at remaking the internet from the ground up. I just can't think of who or what that someone is.

      Trying to do it yourself is pointless.

    2. Re:Raspberry Pi to the rescue! by camperdave · · Score: 2

      Go back to Fidonet...

      Riiight! Because the NSA can't decode modem traffic.

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:Raspberry Pi to the rescue! by Wycliffe · · Score: 2

      I agree that doing it yourself is pointless but not hopeless. The internet has lost its goal of routing around failures. We should try to move to a decentralized internet. The simplest and easiest way to do this is with sharing wifi routers. Most people in a city can see multiple wifi routers. If the routers all talked to each other and shared bandwidth then you have dozens of paths to the internet. This could even be expanded to cars. While driving on the highway there is typically a string of cars stretching from your car all the way back to your house. If each of these cars had a router in it you could just hop from car to car all the way back to your house or all the way across the nation on any major highway. We need to work on decentralized grid routers to completely remove the internet from any one entity's control.

    4. Re:Raspberry Pi to the rescue! by sl4shd0rk · · Score: 2

      Encrypt everything.

      Indeed. Self-signed SSL certs are going to take on a whole new purpose now since the NSA doesn't hold your CA cert.

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    5. Re:Raspberry Pi to the rescue! by N0Man74 · · Score: 3, Informative

      As long as you don't transfer your data through sneakernet stored on your phone in the 44 states that allow this without a warrant...

      http://truth-out.org/opinion/item/18983-police-can-search-your-phone-without-a-warrant

    6. Re:Raspberry Pi to the rescue! by SuricouRaven · · Score: 2

      True. But ten thousand bedroom tinkerers and enthusiast coders working together could be a force of some capability.

      I'm not a good enough coder to make much, so I do my part by shamelessly plugging Retroshare to everyone. It's a really nice program. Encrypted IM software, fully decentralised. Crypto that, while the NSA might get through, will certainly make them work for it. Plus a good file-sharing capability, mail, even distributed forums. All based on public-key authentication of your contacts, and never communicating with anyone you haven't swapped keys with.

      There are other hopeful projects. The Piratebox people could really use some more work, and if you can get enough physically-local friends together there is a lot of potential in mesh networking if only there were enough of a population density of enthusiasts to get more started.

    7. Re:Raspberry Pi to the rescue! by Wycliffe · · Score: 3, Interesting

      > In fact, given that routing tables grow exponentially, is it even theoretically possible for a full peer-to-peer Internet scale mesh to work?

      If current routing tables can't scale then maybe a different type of routing table or a different solution entirely is needed. For instance, if every router was location aware and knew its geographic location and the geographic location of the place it was trying to reach, it could send the encrypted packet in the general direction with the knowledge that each node would get it one step physically closer to its destination. Large hops are still a problem, but large hops are really only a problem with stuff that needs to be close to real-time. For email this isn't really much of a problem as even a 5-10 minute delay or longer isn't really a big deal.
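
The forwarding rule sketched in the comment above ("each node gets it one step physically closer") is greedy geographic routing. An added example, not code from the thread: the rule on a constructed six-node topology with a hole in it, which shows the scheme's known failure mode (a node with no neighbour closer to the destination than itself) and one way to recover from it with a local breadth-first detour. The coordinates and the link radius are constructed; the point is that no node holds a table that grows with the size of the network.

```python
"""Greedy geographic forwarding, as the comment sketches it, with its failure mode.

Added example, not from the thread. The node coordinates and link radius are
constructed; each node knows only its own position, its neighbours' positions
and the destination's position, so no routing table grows with the network.
"""
import math
from collections import deque

# Constructed topology: node -> (x, y) in km. Two nodes are linked when within RADIUS.
# There is nothing near (2, 0), so the straight line from S to T has a hole in it.
NODES = {
    "S": (0.0, 0.0),  # source
    "M": (1.0, 0.0),  # local minimum: none of its neighbours is closer to T
    "U": (1.0, 1.2),
    "V": (2.0, 1.4),
    "W": (3.0, 1.0),
    "T": (4.0, 0.0),  # destination
}
RADIUS = 1.5


def dist(a, b):
    (ax, ay), (bx, by) = NODES[a], NODES[b]
    return math.hypot(ax - bx, ay - by)


def neighbours(node):
    return [n for n in NODES if n != node and dist(node, n) <= RADIUS]


def greedy_route(src, dst):
    """Forward to the neighbour closest to dst; stop when no neighbour is closer.
    Returns (path, delivered)."""
    path, cur = [src], src
    while cur != dst:
        candidates = neighbours(cur)
        if not candidates:
            return path, False
        nxt = min(candidates, key=lambda n: dist(n, dst))
        if dist(nxt, dst) >= dist(cur, dst):
            return path, False  # local minimum: every neighbour is farther away
        cur = nxt
        path.append(cur)
    return path, True


def find_detour(stuck, dst):
    """Breadth-first search from the stuck node for the nearest node that is
    strictly closer to dst than the stuck node. Returns the hops to it, or None."""
    limit = dist(stuck, dst)
    seen, queue = {stuck}, deque([[stuck]])
    while queue:
        path = queue.popleft()
        for n in neighbours(path[-1]):
            if n in seen:
                continue
            seen.add(n)
            if dist(n, dst) < limit:
                return path[1:] + [n]
            queue.append(path + [n])
    return None


def route_with_detour(src, dst):
    """Greedy forwarding with a BFS detour whenever greedy gets stuck."""
    path, delivered = greedy_route(src, dst)
    while not delivered:
        detour = find_detour(path[-1], dst)
        if detour is None:
            return path, False  # nothing ahead is closer; dst is partitioned off
        path.extend(detour)
        rest, delivered = greedy_route(path[-1], dst)
        path.extend(rest[1:])
    return path, True


if __name__ == "__main__":
    print("greedy only:", greedy_route("S", "T"))
    print("with detour:", route_with_detour("S", "T"))
```

Greedy alone delivers the packet to M and stops there; the detour walks up through U to V, which is closer to T than M was, and greedy finishes the job. The detour is the part that costs state and time, which is why the comment's point about tolerating delay matters for email but not for anything interactive.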

    8. Re:Raspberry Pi to the rescue! by matthewv789 · · Score: 2

      This is an excellent point.

      The browser vendors are operating on the assumption that when you want https, you want to trust that you know who you're talking to, and so they warn the heck out of you when they deem your connection susceptible to a man-in-the-middle attack. They also assume that a certificate properly signed for the exact domain name by a CA is good, and anything else is bad. And overall this is a good idea. Sort of.

      But there are a few problems with this theory:

      1. Most people really do not notice or understand the difference between http and https, and even if they do, they don't clearly switch from thinking "I'm broadcasting everything I do over the web for anyone to see and hear so I'm very careful about what I say or do" to "cool, I'm secure, I can do whatever I want and nobody will ever know". Giving warnings for https connections with certain certificate problems gives the impression that those connections are akin to the "malware sites" your browser also warns you away from, and far worse than a regular old non-encrypted http connection. Which leads us to...
      2. Gives a false sense of security when using the LEAST secure mode of browsing the web: regular old unencrypted HTTP. No warnings there.
      3. 99+% of the time, a site with a certificate problem is just sloppily run, not a sign of an actual MITM attack. Getting content from images.mydomain.com but certificate signed for www.mydomain.com? This should not be getting such a huge warning, if any. Even a totally different domain is usually a sign of a CDN, hosting provider certificate, parent or affiliated company name, etc. Certificate expired last week? Um, sure, why a big warning about this? Even a self-signed certificate is almost never actually a sign of MITM. In addition, these dire warnings are so apocalyptic that they steer both users and site owners away from https unless it's really necessary, because it can be kind of a pain to get everything right (and renew the certificate on time every year, etc.), so they'd rather just avoid the hassle.
      4. Gives a false sense of security even when the certificate IS properly signed... the NSA/FBI/etc. can make legit signed certificates with US Government intermediate signing certificates, courtesy of VeriSign (as can thousands of other entities around the world who hold intermediate signing certificates, of which there is no public registry saying who they all are...). That is, if they haven't stolen/cajoled the site's actual certificates already...

      I have no problem with them clearly communicating that some certificates are much more prone to MITM attacks than others, but I have a serious problem with making it seem like those certificate problems are worse than regular old plaintext HTTP, or akin to trying to visit a malware-laden site.
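
The two comments above (the self-signed-cert remark and the four points on browser warnings) describe two different trust decisions: a browser asks "did a CA I trust sign this for this name, and is it still valid?", while the self-hosting approach asks "is this the exact certificate I recorded for my own server?". An added example, not code from the thread and not any browser's logic, that implements both side by side: a classifier producing the three warning classes the comment lists (hostname mismatch, expired, self-signed), and a pin check that accepts a self-signed certificate whose SHA-256 fingerprint was recorded out of band and rejects a correctly CA-signed substitute carrying a different key, the case point 4 worries about. The certificate dicts follow the shape of Python's `ssl` `getpeercert()` output and the "DER" byte strings stand in for real certificate bytes; both are constructed for the example.

```python
"""Browser-style certificate warnings beside an out-of-band pin check.

Added example; not the thread's code and not any browser's logic. The
certificate dicts follow the shape returned by Python's ssl getpeercert(),
and the "DER" byte strings stand in for real certificate bytes: both are
constructed for this example.
"""
import hashlib
import hmac
import ssl

# Constructed: a self-signed cert for the mail host and its bytes, plus a cert for
# the same host signed by a trusted CA but carrying a different key (point 4's
# substitution case). Subject/issuer tuples mimic getpeercert() output.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "imap.example.org"),),),
    "issuer": ((("commonName", "imap.example.org"),),),
    "notBefore": "Oct 01 00:00:00 2013 GMT",
    "notAfter": "Oct 01 00:00:00 2014 GMT",
    "subjectAltName": (("DNS", "imap.example.org"),),
}
SELF_SIGNED_DER = b"constructed-der-bytes-self-signed-imap.example.org"

CA_SIGNED_CERT = {
    "subject": ((("commonName", "imap.example.org"),),),
    "issuer": ((("organizationName", "Some Trusted CA"),),
               (("commonName", "Some Trusted CA Intermediate G2"),)),
    "notBefore": "Oct 01 00:00:00 2013 GMT",
    "notAfter": "Oct 01 00:00:00 2014 GMT",
    "subjectAltName": (("DNS", "imap.example.org"),),
}
CA_SIGNED_DER = b"constructed-der-bytes-ca-signed-different-key"

# Constructed: point 3's sloppy case, a www cert served from images.*, expired last week.
WWW_CERT = {
    "subject": ((("commonName", "www.mydomain.com"),),),
    "issuer": ((("commonName", "Some Trusted CA Intermediate G2"),),),
    "notBefore": "Oct 01 00:00:00 2012 GMT",
    "notAfter": "Oct 08 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "www.mydomain.com"),),
}

NOW = ssl.cert_time_to_seconds("Oct 15 00:00:00 2013 GMT")  # the week of the story

# Pins recorded out of band (for example at the server's own console), keyed by host.
PINS = {"imap.example.org": hashlib.sha256(SELF_SIGNED_DER).hexdigest()}


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # refuse "*.com"-style wildcards
    return p == h


def classify(cert, hostname, now=NOW):
    """Problems a browser would flag: the three classes the comment lists."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # fall back to the CN only when there is no SAN at all
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(dns_name_matches(n, hostname) for n in names):
        problems.append("hostname-mismatch")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if cert["subject"] == cert["issuer"]:
        problems.append("self-signed")
    return problems


def fingerprint(der_bytes):
    return hashlib.sha256(der_bytes).hexdigest()


def pinned_verdict(der_bytes, hostname, pins=PINS):
    """Accept only the exact certificate recorded for this host. Who signed it
    is irrelevant, so a correctly CA-signed substitute is still rejected."""
    expected = pins.get(hostname)
    if expected is None:
        return "no-pin"
    if hmac.compare_digest(fingerprint(der_bytes), expected):
        return "ok"
    return "PIN-MISMATCH"


if __name__ == "__main__":
    for label, cert, der in (("self-signed", SELF_SIGNED_CERT, SELF_SIGNED_DER),
                             ("CA-signed substitute", CA_SIGNED_CERT, CA_SIGNED_DER)):
        print(label, "browser:", classify(cert, "imap.example.org") or "ok",
              "pin:", pinned_verdict(der, "imap.example.org"))
    print("www cert on images host:", classify(WWW_CERT, "images.mydomain.com"))
```

The browser classifier warns on the self-signed certificate and passes the CA-signed substitute; the pin check does the opposite. Pinning only works for hosts you control or have visited before, and the pin still has to be recorded over a channel the interceptor does not sit on, which is exactly what the self-hosted server in the first comment gives you.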

  2. Foreigners by Anonymous Coward · · Score: 5, Insightful

    I am so sick of hearing this idea that just because I am not a citizen of the USA then somehow I have less rights to privacy.

    1. Re:Foreigners by Noryungi · · Score: 3, Insightful

      Then do something about it and stop using US-based web services.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    2. Re:Foreigners by MickyTheIdiot · · Score: 3, Insightful

      You have *less* rights to privacy than a USA citizen? In this case of privacy is there a number less than zero?

      The USA citizen that has no special associations is a peon, pal. We're in the same boat.

    3. Re:Foreigners by Noryungi · · Score: 3, Insightful

      I guess your privacy is zero when the Secret Police comes up to your door to arrest you in the middle of the night.

      This has happened before, in Europe and in many other countries around the globe.

      Funny thing is, the Secret Police was often financed, equipped and trained by the CIA.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    4. Re:Foreigners by Aguazul2 · · Score: 5, Insightful

      Then do something about it and stop using US-based web services.

      Also European and Australian ones, in fact any web services that are in a country where there is an NSA-affiliated tap point, or where your traffic crosses one of those countries. In fact, if you are a 'foreigner' best disconnect completely and go live in a cave -- but not one dug by the CIA because then you're a terrorist and we will send drones.

    5. Re:Foreigners by s122604 · · Score: 5, Funny

      You sound angry. I'm glad my NSA is keeping tabs on you, who knows what you are capable of.

    6. Re:Foreigners by IamTheRealMike · · Score: 4, Informative

      The article explicitly says this does not appear to be based on the co-operation of US providers but rather international fibre taps - presumably placed or operated by compliant intelligence agencies that are merely extensions of the NSA. The US might be a ringleader in this activity, but other countries have out of control security services as well. After a long period of political silence in the UK we finally got some discussion this week, after senior cabinet members who served on the national security committees admitted they had no clue anything like that was happening. Cameron's response was priceless, he said the agencies would have told them about it if they'd asked!

    7. Re:Foreigners by gl4ss · · Score: 2

      Doesn't help when the US has taken the liberty of acting like it's legal for them to hack and intercept services that are abroad (even if they themselves declared such actions as comparable to war/terrorism).

      Personally I think the rest of the world should just declare US services as free targets for hacking (and subsequently deny any extradition requests or information requests for such activities). Oh, and don't pretend there's no economic impact from hacking CEOs and politicians - and thanks to piss poor inside security and audits inside the NSA, the NSA operatives are free to play with that information on the stock market or sell it so others can play with it.

      --
      world was created 5 seconds before this post as it is.
    8. Re:Foreigners by Anonymous Coward · · Score: 2, Informative

      Then do something about it and stop using US-based web services.

      Also European and Australian ones, in fact any web services that are in a country where there is an NSA-affiliated tap point, or where your traffic crosses one of those countries. In fact, if you are a 'foreigner' best disconnect completely and go live in a cave -- but not one dug by the CIA because then you're a terrorist and we will send drones.

      "European" is much too broad a stroke here, there are major differences between the countries. If you host online services in Norway, for example, law enforcement has to go through normal official court proceedings and get a specific court order for a provider to have to give them any information on the customer covered by the court order. No blanket access, they have to go through normal due process in each case, there are no special laws that circumvent this. They/NSA could of course still tap at the network level at some point, but use services that use encryption and that is much less likely.

    9. Re:Foreigners by Sockatume · · Score: 3, Interesting

      The US government doesn't have any special obligations with regards to not stabbing every non-American in the world with a pencil, but that doesn't mean that it's acceptable for them to do so.

      --
      No kidding!!! What do you say at this point?
    10. Re:Foreigners by gsslay · · Score: 2

      Then why do practically all US based news sources emphasise that this snooping may also be happening to Americans? As if that's where the line is getting crossed?

      Either they think their readers need it to be happening to them before they'll give a shit. Or they think their readers are entirely OK with snooping on innocent foreigners, but not innocent Americans. Either way, that's worrying.

  3. Fidonet by Taco Cowboy · · Score: 2

    I do not even know if the Fidonet infrastructure is still working or not.

    Yes, I was a sysop back then.

    --
    Muchas Gracias, Señor Edward Snowden !
  4. Cloud Service Security = Oxymoron by mrthoughtful · · Score: 2

    Yes. Posting all your contacts on the Internet is open to breaches of privacy (regardless of zero-day exploits).

    Amazon, Apple, Google, Microsoft - all of them kowtow to the NSA, the CIA, the FBI. Why?
    Because in return their lobbyists get to bend the ears of the legislators.

    Why is anyone surprised by any of this?

    --
    This comment was written with the intention to opt out of advertising.
  5. Re:Isn't it ironic by durin · · Score: 4, Insightful

    "I want the good guys to win."

    And you think the NSA and the US government are the good guys?

    Agh! The stupid! It burns!

    --
    Why, yes! I AM new here.
  6. Re:Isn't it ironic by lightknight · · Score: 4, Insightful

    You seem to assume that the choices are mutually exclusive: Soviet KGB-style interrogations and intelligence, or total Anarchy.

    I ask you, why did we even fight the Cold War, and win it, if we were just going to embrace everything at a later time?

    --
    I am John Hurt.
  7. Most transparent administration ever by GoChickenFat · · Score: 5, Insightful

    I guess "most transparent" actually referred to us and not the government.

  8. Re:Isn't it ironic by jigawatt · · Score: 5, Insightful

    I'm a Canadian, but I support the NSA, and the job it does to protect American (and indirectly) Canadian interests.

    "But it was all right, everything was all right, the struggle was finished. He had won the victory over himself. He loved Big Brother."

  9. Clapper... by surfdaddy · · Score: 3, Interesting

    Clapper was the guy who lied to Congress, saying that the NSA was NOT collecting data or spying on US citizens.

    What the FUCK has happened to this country?

    1. Re:Clapper... by bigtrike · · Score: 4, Informative

      For people who aren't aware:
      "I responded in what I thought was the most truthful, or least untruthful manner by saying no."

      http://www.nbcumv.com/mediavillage/networks/nbcnews/pressreleases?pr=contents/press-releases/2013/06/09/nbcnewsexclusiv1370799482417.xml

    2. Re:Clapper... by Sockatume · · Score: 2

      Under his programming it was the most truthful response available:

      The First Law of Politicians: A politician must obey the will of the agencies under his oversight.
      The Second Law: A politician must obey the will of his lobbyists, except where this conflicts with the first law.
      The Third Law: A politician must obey the will of the people he represents, except where this conflicts with the first and second laws.

      --
      No kidding!!! What do you say at this point?
    3. Re:Clapper... by Impy the Impiuos Imp · · Score: 2

      "least untruthful"

      He should go to jail. When testifying publicly before Congress on something that touches secret issues, you get to say two things only:

      1. The truth
      2. "This involves secret issues that should be discussed behind closed doors."

      That is it. Assuming you aren't a crook pleading the Fifth.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    4. Re:Clapper... by SuricouRaven · · Score: 2

      The Zeroth Law of politicians: A politician must above all act to retain their own position.

  10. But it's only the metadata! by Gothmolly · · Score: 2

    But they're only tracking who is talking to whom, so that's ok right? Right?

    --
    I want to delete my account but Slashdot doesn't allow it.
  11. Re:We caused it. by Bucc5062 · · Score: 2

    No, I don't hire a lunatic to clean up a mess. The Tea Party (as I see them separate from the Republican Party) carries a lot of weight for what has happened in our recent political environment. The RNC would be best served by forcing a split or not recognizing members that associate with the Tea Party. Let them attempt to stand outside the power structure the RNC has built.

    As to the Democratic response, it has always been the case that the Democratic party was more fractious, less prone to lock step voting than the Republican party members. When the Democrats held power, it was Blue Dog Democrats that stopped the ability of the DP to fully implement their programs. Single payer may have made it through, but for southern Dixiecrats that would not support such a bill. Such is democratic politics.

    Still, I'd rather a party who attempts to represent their people, than one who primarily represents their backers and cannot have independent voting on issues. At times I was close to supporting some Republicans (John McCain in 2000 for example). Later I am glad I listened to my gut, for he, like most of his colleagues, was blowing smoke to hide their true nature...opportunists.

    --
    Life is a great ride, the vehicle doesn't matter
  12. Re:Isn't it ironic by ATMAvatar · · Score: 2

    Maybe the goal was to put the KGB out of business so we could hire its agents as consultants on the cheap.

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  13. Re:Isn't it ironic by Ogi_UnixNut · · Score: 4, Interesting

    I ask you, why did we even fight the Cold War, and win it, if we were just going to embrace everything at a later time?

    You are making the mistake of assuming that the cold war was fought between lovers of freedom, democracy and individual rights, vs totalitarian all controlling power hungry nut jobs.

    Truth of the matter is, both sides were all controlling power-hungry nut jobs, and the cold war was a fight over who gets to be the all-controlling big-daddy of the world.

    The problem with the Soviets is that they laid their system bare, they didn't bullshit. This is how life is, these are your rights, if you're a party member, or if you work to benefit the system, you will be rewarded with perks (nicer houses, cushy jobs, nice car, sometimes even nice German/American ones).
    If you don't work for the system, but not actively against it, you are pretty much left to your own devices, live and let live, and all that.
    If you work against the system, directly or indirectly (or you piss off someone in power), then you can be arrested, tried, stuck in prison/work camp, or otherwise disappear.

    Now the western system, that was far more subtle. They told you you were free, they gave you the impression you were, that you could choose who ruled you, but fundamentally I don't think the systems were different, like so:
    If you work for the system, or to its benefit, you are rewarded with more tokens than most (currency) which you can spend on bigger/nicer houses, or a nice foreign car, etc...
    If you ignore the system and go about your daily life, you are pretty much left alone. You earn your keep, pay your dues, and you live your life.
    If you work against the system, directly or indirectly (or just piss off someone high up and well connected), you can be arrested, tried, put in a prison/work camp, or disappeared (via drone or otherwise). For minor misdemeanors they can just destroy you financially, which is another, less radical lever they have against you.

    Turns out, when push comes to shove, people are more willing to serve you if you give them the illusion of freedom, choice and power. One ideology was in your face, the other was in the background. Turns out this worked well for a long time, until the internet came around and made knowledge dissipation so easy, that people began to realise what their world really looks like.

    For some the revelations were not a surprise, for others it was a confirmation of what they suspected, but some are in shock about it all, and more are in denial about it.

  14. It shouldn't matter, but it does. by aclarke · · Score: 3, Insightful

    If this is the case, why is it that most of these articles use phrases like "many of them belonging to Americans"? If it doesn't matter, why is the point made? The answer, of course, is that it does matter. That is, it matters to American law. For reference, see https://www.aclu.org/nsa-surveillance-procedures and highlight the word "Americans".

    Speaking as a non-American, I think it shouldn't matter whether I'm American, Austrian, or Azerbaijani. We're all human and we all have the same rights. I find it offensive when I read these articles and there's always the "including Americans" tagged onto the article headline, like somehow it's OK if it's done to non-Americans. I realize it wouldn't be much different if any other country had been caught with their pants down. It's just that in this case it's the US (again).

  15. Re:Those are pitiful suggestions by SuricouRaven · · Score: 2

    Can't send mail from a domestic connection. Those IP ranges are on every spam blacklist, as most mail sent from them is the work of spam-sending malware. You can receive, but not send.

  16. Re:Isn't it ironic by SuricouRaven · · Score: 2

    Should a distinction be made between 'spying on the American government' and 'spying on the American people?' It makes perfect sense that another country would want to know what US military capabilities and diplomatic ambitions might be, but it's another thing altogether when they are reading the emails of people with no involvement in international affairs just on the off-chance that something interesting might turn up.