Governments Turn to Commercial Spyware to Intimidate Dissidents (nytimes.com)
160 points by hvo on May 30, 2016 | hide | past | favorite | 81 comments


Do other HN readers find themselves on the receiving end of ridicule by their fam & friends for taking this privacy stuff seriously? I'm constantly being told I'm unreasonably worried, borderline tin-hat wearing paranoid, for being concerned by the surveillance capabilities built into our modern consumer electronics which are available to governments and business alike.

But if someone my parents know has their identity stolen by someone stealing credit card bills and applications from their mailbox, and then finds themselves on the hook for $30,000 in fraudulent charges, well then it's all my parents talk about for the next 2 days.

That I understand the technology and they do not seems to keep them from taking the issue seriously.


Yup. I actively work in security consultancy. Everyone outside of tech thinks of and treats me like some sort of tinfoil hat salesperson. I get sent all sorts of crazy conspiracy theory links on a daily basis because "that's the stuff you're really into."

Even when people read about Snowden, they just don't get it. This past weekend, he came up and the response was, yeah, but Snowden was saying the spying is only on terrorists, they don't collect any information on people who are not terrorists because that would be way more information than they want. Trying to explain that this is the opposite of what Snowden was saying was pointless and futile because it just made me sound like the crazy one.

The NSA must be rolling around laughing as they listen in to people's naive conversations about Snowden.

edit: oops, removed link added on the wrong posting. Sorry. And a typo. Sorry again.


I get the same from most, including a couple in tech who really should know better.

I've heard all the variations on "if you have nothing to hide..." through "well we have to catch the terrorists".

Every time a story comes up that some killing or terrorist act happened and one of the perpetrators made a post on twitter, or was already known to security services, the opinion always seems to be along the lines of "well I guess we need to monitor more". Never once have I heard a variation on "if they're known to security already why wasn't something done to arrest or prevent".

Meanwhile there is some belief in chemtrails amongst a few of the younger people I know going on FB group posts I see them share.

I've given up trying to explain either security things or humidity, dew points and the basics of flying.

I don't have the energy to fight a battle that feels like Canute vs the Ocean. I wish I knew something that would make people care.


> Meanwhile there is some belief in chemtrails amongst a few of the younger people I know going on FB group posts I see them share.

Reminds me of a thing I learned here on HN recently. The US was in fact intentionally spraying germs on unsuspecting civilians in San Francisco, among other places, as a part of research related to biological warfare. Turns out there's some grain of truth even in the chemtrails crackpottery.


Could you name some reference for the fact please?


https://en.wikipedia.org/wiki/Operation_Sea-Spray

http://www.wsj.com/articles/SB1003703226697496080

http://blogs.discovermagazine.com/bodyhorrors/2015/06/28/san...

There was a story with some discussion here on HN that I sadly can't track down via Algolia now. It told about a person who tracked down information about those tests, motivated by the death of some relative who was undergoing surgery at the time and got infected with a germ that shouldn't even have been there.


When the Snowden leaks initially came up, my mom thought that he was a spy selling secrets to the Chinese (because he was in Hong Kong at the time). When I tried to explain what it was actually about she rolled her eyes at me.


> but Snowden was saying the spying is only on terrorists

Yet another reason Snowden shouldn't have published anything unrelated to domestic spying.


Can you explain your thinking? That makes absolutely no sense to me.


Thanks for asking. I confess my comment was a vent rather than a reasoned argument. I've been annoyed with Snowden's leaks ever since they came out.

I believe leaks about domestic spying on the American people are thoroughly justified (and utterly necessary), and I believe leaks about spying on foreign governments and foreign nationals are thoroughly unjustified (and frankly, verging on traitorous). pascalmemories seems to be saying that the issue of spying on foreign nationals ("terrorists") has completely overshadowed the issue of domestic spying in the popular consciousness to the extent that his associates don't even realise that domestic spying is happening. This is yet another nail in my personal coffin for Snowden.


I'll reply since you've specifically referenced me.

I don't think people are distinguishing between 'domestic' or 'foreign' spying. For most people, it's way too complex to have an understanding of domestic US laws on agencies' spying powers. Also remember, it's not just the US either. Remember the UK is probably the most prolific gatherer (they have a much more strategic point on internet routing than the US does).

People reduce a complex and difficult to understand story into something they think they understand. In this case, Snowden is 'about spies' and 'spies track[/kill] terrorists' combined with 'I'm not a terrorist, so they won't be interested in tracking me' hence the whole story is irrelevant and only conspiracy nuts think the Government spies on them.

Any attempt to counter this and say, actually it is important because in 5, 10, 20 or more years, an agency can take a dislike to you (or some relative/connection) and then start to revisit things you have long since forgotten, and target you for some throw-away comment, just sounds so far fetched as to be lunacy.

But, as the submitted article shows, it's exactly what is happening in other countries and there is no reason why 'our country' [insert name of wherever you live - not just the US] won't do the same. For domestic US readers, imagine a future President Trump issuing an executive order to track down those who insulted him, even in private personal e-mail conversations - it may be a crazy scenario, but the NSA database allows such a thing to happen.

The mass collection and storage of data is a real risk to any democratic society, because of the threat of misuse. Don't fool yourself that some official will say no when asked to carry out some heinous act made possible by access to the stored communications.

Getting tied up in whether Snowden is a traitor or a hero is missing the point. It's also where the NSA has focused on steering the conversation at every opportunity.


Or imagine a future President Clinton using the collected data against her eternal enemy, the "vast right-wing conspiracy." I know which scenario I think is more likely....


I have to kind of disagree. I think that the whole release was necessary to put it all in context. The capabilities to spy on terrorists are what made it all too easy to spy on our own folks.

Where I completely agree with you is presentation of topics. If he had focused only on domestic spying in the beginning, the conversation could have focused on that first and foremost, and then later the other stuff could be brought in without clouding the issues.

But this is only because I think that indiscriminate spying is wrong, no matter what your nationality. And I say this coming from a military spy background where I know that spying is completely necessary.

But shit, choose your targets, and choose them for a reason.


If you mind answering, why do you think that passive spying from the gov is wrong?

Asking the government to choose their target for a reason sounds like requiring the gov to follow a longer path to do something wrong -- such that it'll be harder to abuse that power.


Alt view:

By engaging in illegal activity, the agency undermined its legitimate spying on targets outside the country. If there were no illegal activity, there would be no need for whistleblowing. I'd chalk up any damage to the legitimate spying as collateral damage and hold the people who authorized the illegal activity responsible for such damage.


Thanks for elaborating a bit. I still have to disagree.

I find the argument that Snowden's actions didn't justify the consequences to our agents or relationships with other nations just short-sighted.

Although it may not feel like it to those of us immersed in tech as a culture and as an industry, we are still in the very early days of the Internet. We're still setting precedents that are going to be in place for lifetimes. That America has to patch some relationships, that a couple events may escape our gov'ts control, are small prices to pay to ensure that future generations are able to freely and safely explore and express themselves on the internet without fear of prosecution or persecution.

Sucks in the short term, but these are important issues to get resolved for the long term.


Snowden (and the world) would have been much better off if the only thing he took with him was about the illegal domestic spying, but of course he didn't have the time to analyze the data, he just took it all and ran and let journalists publish parts of it. Because some of the data was about legitimate US intelligence work overseas, people could accuse him of harming US interests on top of whistleblowing.

Some people got their information about Snowden from a "news source" that told them "this traitor / Russian spy leaked the details of the US intelligence work overseas", and did not tell them about the warrantless domestic wiretapping.


For my family, definitely yes. Though it may just be that non-technical people are going to take longer to understand the gravity of technical problems, and I think that's compounded by most people's latent contempt for software / IT people.

My family initially decided Edward Snowden was a traitor and coward for 'fleeing' to Russia. They threw every stale argument at me, from "I have nothing to hide" to "everyone is spying on everyone, what's the big deal?"

They've started to backtrack from these positions. I'm not sure why or how, but I suspect they just needed people they trust (e.g. some columnist in the NY Times) to tell them they're wrong.


I've come up with a response to this which seems to drive the point home. I simply say something along the lines of:

You think I'm paranoid? You have nothing to hide? How about you give me all your passwords (Gmail, Facebook, your laptop, etc). I'll download everything about you, and I'll post it online for the world to see.

Oh, you wouldn't want that to happen? Well that is the risk I am talking about. Governments can be hacked, too (and have been many times, recently). Hence if they have access to your data, all your data could potentially be leaked on the open internet.

Government surveillance and hacking can affect everybody!


This reminds me of an old piece of advice I heard a long time ago:

Never write down something you don't want to be read aloud in a court of law.

I apply this to what I do online, and so far, it has treated me well.


Never write if you can speak; never speak if you can nod; never nod if you can wink.


It's very easy: if that person says he/she doesn't have anything important on their phone, they have a GPS.



I feel you; I talk about it quite a bit because it is of interest, and well, it affects us all. I even tried to get my sister to read the book "Data and Goliath" by Peter Schneier and she only read about 5 pages, bookmarked it and had it sitting for a month. . .it is futile; Once I got an unusual call about someone being in jail. . .etc etc. I was concerned it may be a friend; anyways the call did not go through and I was running a reverse lookup on the tel-#. Well, two buddies of mine were there with me and one of them remarked "yeah, aren't you like paranoid that the government is spying on you". I looked at him furiously because this person I call my buddy just made a stupid stupid comment. Stupid comment because he obviously misinterpreted my previous conversations about NSA spying into me being personally paranoid about government spying on me; it is not about government spying on me, it is about government spying on the people! and most people are plain ignorant and careless! it is unfortunate! they need an 8th grade level NY-Times paper to tell them their news. . .yes that is an ad hominem. “Government is not reason, it is not eloquence—it is force! Like fire, it is a dangerous servant and a fearful master; never for a moment should it be left to irresponsible action” (Washington 6)


So I've been thinking about this, and I think the main reason why non-technical people get flustered when talking about privacy and anonymity online is because they might feel guilty about doing nothing about it.


Computers are incredibly complicated to use and full of stupid bullshit rules.

The average person is barely staying above water trying to use computers and not get fucked (i.e. losing their work due to a keyboard mispress), so it's very overwhelming to consider security and privacy on top.


I've always thought it's more a matter of ignorance. Most infosec risks are fairly abstract and difficult to grasp for non-technical folks. Many don't understand why what they are doing is bad.

I really think that infosec needs to do a much better job educating the public.


> Peter Schneier

Bruce Schneier


Sometimes yes, but luckily I have taken the time to understand the arguments so that I can rebut them and counter rebut their rebuttals.

Almost everyone around now makes off the cuff jokes about my paranoia, but in serious discussion they mostly understand now.

For me, as former military, I always try to bring it back to the Constitution and the rule of law, which tends to have more weight with most Americans than you might expect.

Things like this have made me think though, that what I would like to see is a site that takes a controversial topic such as this, and just lays out all the evidence, arguments, counter argument, etc, along with citations and logical analysis to lower the barrier to entry in a way.

Come to think of it, I get more pushback on HN than just about anywhere on these topics, which is extremely disappointing.

As a sysadmin, it's part of my job description to be paranoid. Hell, does anyone remember the Snowden file with the title, "we hunt sysadmins"!?


Unfortunately, it's not a website, and you can't presently see it, but I saw an exhibit by the Tactical Tech collective in Berlin called Nervous Systems. It was a really accessible discussion of these issues. It was also especially effective because much of it was more artistic and presented with less commentary, allowing the viewer/reader/listener to draw their own conclusions.

If you know a space which can host them, and you can raise the cash, I'd recommend getting them to come to your locale and invite your friends.

https://tacticaltech.org/projects/nervoussystems


> site that takes a controversial topic such as this, and just lays out all the evidence

I would also like that site.

Recently I've been thinking about another way to educate people about these issues: a video game that simulates practical examples of data security and privacy. Interactive games offer different tools[1] to the storyteller, and I like the idea of letting people discover concepts on their own. Unfortunately, a project like this is way outside my area of expertise. /sigh/

[1] https://www.youtube.com/watch?v=IyhrKPLDCyY&list=PLJA_jUddXv...


Yup. I told some people about Facebook's silent background audio and the CIA's fake phone shutdowns. I felt like I was telling them about government mind control programs.


>CIA's fake phone shutdowns

Can you expand on this?


They can send a signal to your phone telling it to fake any attempted shutdowns so that they can still use it as a bug.


It's critical to understand that 9/10 of people simply don't want to believe. It's easier that way.


To quote the guy who goes turncloak in the first Matrix movie: "... And you know what I've realized? Ignorance is bliss."


I've found that recently, I've gotten people to understand the issues more by paraphrasing (what I think was Snowden's) the main point:

The people doing this are not evil, nor do they have evil intentions. But they are setting up a turn-key system - and who knows who the next person in power will be.

And relating it to the current situation vis a vis Donald Trump:

Now, imagine Trump gets into power. He can quickly turn around and say "Find me all the people who do or say X so I can round them up and get them out of here!"

Fill in X for whatever thing is innocuous now, but may not be under a future administration.


>We've arranged a global civilization in which the most crucial elements — transportation, communications, and all other industries; agriculture, medicine, education, entertainment, protecting the environment; and even the key democratic institution of voting, profoundly depend on science and technology. We have also arranged things so that almost no one understands science and technology. This is a prescription for disaster. We might get away with it for a while, but sooner or later this combustible mixture of ignorance and power is going to blow up in our faces.

-Carl Sagan


Nice quote! Ty


I feel like the problem is that people outside of tech don't have a sense of how much data is collected, and they also don't really see negative consequences of it.

First, there aren't really any negative consequences to government surveillance. People don't regularly disappear in the middle of the night for a comment on a blog post, and there haven't been any major security leaks yet. This could easily change in the future of course, but so far it's easy to ignore.

Second, there's no cool dashboard showing what info the NSA has on you. If individuals could see the scope of info stored on them, they would probably feel differently. For example, many people feel creeped out when they view Google's map of their location history. This is an opt-in choice and the map exists for your benefit, but it still makes people uncomfortable to see their lives so plainly visible on a screen.


You're not alone. Everyone thinks I'm crazy and tells me this, "I have nothing to hide, why should I care?" It makes my blood boil.


In a way, it's for the same reason people don't think EVs or solar power will dominate. They look too much at what is currently happening or has happened in the (recent) past, and think that's how things will always be.

The HN types tend to be more informed about what's currently possible with technology and have a better understanding of where this can lead to in the future. "Normal" people don't have that going for them, so for them it's "strange" that you would say such things.


Not a good example, because the actual barriers to EVs and solar power are that they depend too _much_ on what's happening now, i.e. existing fossil-fuel-powered industrial infrastructure.


Just to play devil's advocate, or perhaps help you understand how these people think, consider illegal immigration. Many people, using the exact same logic as you, consider it to be a serious issue, whereas others would say such beliefs are baseless (to put it nicely) as any facts supporting any concern are "outliers".


Essentially not thinking beyond stage one. (The self destruction of a welfare state and open borders, to use the immigration example)


Correct, but how many people in this thread who are shocked and disappointed at the lack of concern regarding privacy, hypocritically do not support increased control of the southern border of the US? It's not a completely analogous comparison, but there are many similarities.


Is it all you talk about?

That's why I see people getting ridiculed about things that are actually real concerns - it's practically all they talk about.

I take privacy & security measures, but you wouldn't really know it, talking with me over a drink.

Also, a fundamental belief that everyone is out to get you (true or not) will turn most people off.


Actually I can mention the use of TOR in more and more casual conversations now

"Just use TOR"

"don't send an anonymous message to your ex on clearnet"

etc


My friend worked for / with the government on city surveillance for a short stint after his time with the army. He described an example of his work as follows:

An activism group was meeting in a city center and was to walk to another part of the city for a demonstration.

My friend's team had video surveillance feeds all over the city to track the activism group as they walked from their meeting place to the demonstration.

As the group began to walk, my friend's team was able to delay the group with Don't Walk signals. The delay was long enough for a police barricade to permanently get in the activism group's way and stop the demonstration for the day.

I may have some of the details wrong or his recount may not have been fully 100% honest, but it feels as if this situation is very achievable with current technology.

The most worrying piece of this story is that the activists are not being confronted with a human who can talk to them. They're being thwarted by a faceless group without the chance to ever discuss their reasons for demonstrating. The government in this situation was able to get what they wanted in the near term, but at the expense of the frustration of their citizens in the long term.


In that particular story, I'd say the level of centralised power evidenced by the ability to manipulate individual traffic signals is as frightening as the quantity of information fed into it. That's not just surveillance, that's top-down control of the functioning of a city.


From a technological standpoint it's not that big of a deal. But from a civil rights standpoint it's horrible, if it was a reported demonstration and the demonstrators were calm.


Modern traffic systems are managed by a centralized hub these days. For an example of why, suppose there is a major accident on a major road. The system can adjust light patterns to help route traffic around the accident, keeping the roads operating as sanely as possible.


The Middle East gets the headlines on this topic. But it's happening other places, too. https://news.ycombinator.com/item?id=11801325


But _of course_ nothing like that ever happens in the United States or any of our close allies. Because this country is the exception to everything bad that has happened in _other_ countries and nothing that bad could ever be done by our government. We don't have dissidents in the US. We just have freedom and truth all the way through that we sometimes need to carefully spread to other countries.


"In many cases these tools are able to circumvent security measures like encryption."

To me this quote from the article, without any qualification, is just fear mongering. People need to know that strong crypto, when implemented correctly, does work.

I recently tried to get a number of my friends to install Signal on their phones. I was quite surprised that most of them, even the technically minded ones, refused to install it. Their reasons ranged from not trusting the software to worrying that using it would draw government attention. And this in California.

Encrypted SMS, email and phone calls should have been standard tech from the beginning. Everyone should use crypto in their day-to-day lives, not because they have something to hide, but so that free speech and privacy are protected.


What good is strong crypto if your endpoint is compromised? If I can take screenshots and keystroke logs of you in Signal, all the crypto in the world won't help. That's the kind of spyware this article is talking about - full endpoint compromise.


Of course, but just because my car could get stolen in my garage does not mean I'm not going to lock it when I go downtown. Strong crypto can protect your data while it's in transit and people should use it, try to break it and make it better.


"Their reasons ranged from not trusting the software to worrying that using it would draw government attention. And this in California."

Yes, surprising that they are not skeptical enough of secure messaging on a rooted, owned platform that contains at least two full-blown computers (SIM card and baseband) that they have no control over or access to.

Your carrier/manufacturer owns you. Depending on the SoC/platform, they may have DMA access to your application processor.

The only question is, how much do they own you, and using which vector. There is no escaping this until we can manage an open baseband and SIM platform.


Strong crypto doesn't help at all if you have the sort of spyware discussed in the article installed on your computer. It knows everything you do.


>People need to know that strong crypto, when implemented correctly does work.

*Assuming the end points have 0 vulnerabilities, which is the elephant in the room.


I guess this is not a surprise to anyone here. The techniques are well known and cheap. Now the question is - what can we do? We probably cannot get privacy back when there are internet connected sensors everywhere. The data is there and governments will find a way to get it.

On the other hand it seems that for some time the world powers have been becoming more and more fragile and limited: http://moisesnaim.com/books/the-end-of-power/. Has the tide turned now? Or maybe we are heading back to some kind of village life - where everyone knows about everyone so there are no such imbalances as we have today?


What can we do? Get activist types to stop using Windows. That removes about 99% of the attack surface. I'd like to see the UAE successfully remote root a desktop running debian-testing amd64 and an xorg/xfce desktop. Yes, there are myriad security problems with Firefox and other things.... But every single state-paid RAT tool I've seen is targeted at Windows.

Education is important too. If you can successfully trick people into running a binary you gave them with sudo (or the equivalent), all bets are off.


Yes something like that. Because once sensors are connected everywhere, it isn't the government that you have to worry about. Because everybody will be able to get the data. And it will be used ruthlessly by individuals for personal gain. At least with the government, you have some hope that it will be regulated and reined in. Not so with the mafia etc.


But if we outlaw spyware, only outlaws will utilize spyware!


Edit: op explained his intentions in comment below.


Apparently my point was too obtuse. What I am trying to say is that most surveillance is done legally, or just outside the lines enough to be forgiven by the blue line (in whatever country). My presumption is that the populous (us) _should be voting for spying like this to simply be illegal_, which is a topic that hardly ever comes up.

Let me try again: Spying from government to its citizens should be flatly illegal, and until we demand as much, we are failing our own democratic system and sliding per notch into turnkey totalitarianism.*

*not intended as hyperbole -- we are a long way from it, but the notches are undeniable


Hey, I really appreciate the elaboration, and I think I am in agreement with you on this point. I have to admit perhaps it was a bit over the top because I thought you were sarcastically using the pro rights gun statement and somehow trying to apply it to this topic.


Relying simply on voting and politicians to solve the problem of mass surveillance is just passing the buck.

The problem is more technical than political. It is a problem of internet architecture and design which must be addressed from within by technologists.

Currently, only a handful of ISPs and Internet Gatekeepers (i.e. Google, Facebook) have ultimate control over the majority of information flow.

If all you have to do is tap a few wires at key choke points (i.e. Room 641a) or hack into a server at FB or Google to own billions of users then that is like marching rank and file into machine gun fire on a global scale.


A solid point; would that more people thought like you. One minor grammar-nazi nitpick, though: "populous" is an adjective describing the size of a population; "populace" is a noun describing the population itself.


This argument seems the same as the firearms argument, i.e. if we outlaw firearms then only criminals (and police) will have firearms.


Compounding this injustice is the fact that the executors of this surveillance are private contractors, not a wing of the government. What's worse, these cyber mercenaries, such as Hacking Team, are contracted out by the individual ruling families of the Emirates. The abundance of technology is making the blending of sovereign and personal power extraordinarily dangerous. The voice of the demos is totally absent from all of this. Which is why modern autocracies are more dangerous than they ever have been.

Bereft of popular sovereignty, nations stand poised to allow powerful individuals to agglomerate a huge arsenal for the holding and maintaining of power. We in America need to do a better job of exercising whatever power we have in order to forestall the creeping technologically based grip on our freedoms.


Do people developing such spyware ever read HN? Maybe it's time to bring an ethics promise to software development!


> Do people developing such spyware ever read HN? Maybe it's time to bring an ethics promise to software development!

I think the field of software, writ large, is already too morally bankrupt for any system of ethics to take hold.

People have a hard time seeing the evil in their products, and their possible unintended uses. Or they do, and don't think it's bad enough to forgo getting paid for it.

Even if you don't agree with the reasons, it's not hard to imagine what developers at FinFisher or Hacking Team told themselves to sleep well at night. Easy example: they might think they're doing a moral positive by focusing on the use cases of western governments in taking down organized crime.

So forget about the Hacking Teams of the world. Look closer to home. We're wrestling control over computing systems further and further out of the end user's grasp, monitoring them more pervasively, and processing that data like never before. We're building digital toys to fill people's leisure time up with digital junk food in hopes of monetizing them. And if the dollars don't come quick enough, we turn to "gamification" (read: psychological manipulation).

Sure, there is a difference of scale. But it's not a difference in kind. We may think it should be legal to insult the Emirate rulers. But that doesn't matter. The point is, they thought they were justified. Just like we think we're justified. All the way down to highlighting false choices so we can tell ourselves the victims did it to themselves.


Don't most schools have a code of moral conduct to sign before graduation?


That's the beauty of paper - it allows anything to be put on it but does absolutely nothing to actually make you do whatever you promised. Those promises are, quite literally, not worth the paper they are written on.

If a Government (or TLA or whoever in power) wants some Evil Thing, a piece of paper from somewhere promising not to do Evil Things will not be a hindrance to either asking [or, depending on where, compelling] you to take part. If you have the option to decline, they will keep asking people (and increasing the financial reward) until someone agrees.


Wouldn't many programmers object to being coerced into signing a "code of moral conduct" to begin with?


Without a broader background, programmers don't all understand the implications of their actions...

Doctors are generally quite proud to take part in the Hippocratic oath, which connects their actions to something much larger than themselves.


Why would that matter?


Would the Internet exist if software developers had something akin to First, do no harm? It was a Defense project after all.


Since almost any fun project is unethical, I can't see that getting a lot of traction.


Examples?



