> worrying is that the SSA has said that such surveillance and data collection is "common practice" globally
I think if you believe that any major country is not intercepting all undersea fibre cable traffic within their reach or even beyond it then you’re being very naive. I can’t understand how this news would surprise anyone.
Same as climate change, no info is real... I'm not sure it is because we humans grow stupid or we grow so tired and sceptical that accept nothing what our own eyes see...
While still billions of people believe in Allah, God or whatever without any evidence. I dont know how this can happen...
>While still billions of people believe in Allah, God or whatever without any evidence. I dont know how this can happen...
Isn't it obvious? In both cases people do the smart thing (which is not necessarily the "objectively correct" thing).
Faith in Allah, God etc, is a good social glue, and is personally comforting, helping regulate emotions, etc.
Similarly, not believing the Snowden story helps them fit with their social group (e.g. republicans), relaxes their mind from a whole lot of worries and concerns, helps re-enforce their personal beliefs (e.g. in good government), etc -- and most importantly, has no real disadvantage in their day to day life and work...
Pascal's wager suffer from the fact that it can be any of the myrriads of religions that are correct. The chance of picking the correct one is infinitely small (assuming there are aliens that also have religions). Only a subset of the religions have anything like hell/heaven, further diminishing the risk.
I think the main issue with Pascal's wager is that it puts all its eggs in the basket of some afterlife being a certainty.
You can very well waste all your life in pointless prayer, like the monk who basically imprinted his feet on the wooden floor by praying several hours a day for decades.
Even getting out of that room to help someone in a trivial task would have been much more useful than the praying.
Not to mention the huge amount of censorship over your own thoughts that some religions impose on your life.
So, IMO, if you get the wrong end of Pascal's wager, you can waste your only life, every infinitely valuable second of it (because there's no afterlife), over a non-existent afterlife.
You should show them the reactions of elected representatives to hearing about it. (I know of only a few clear verifications, if anyone more knowledgeable wants to chime in with a list that would be welcome.)
What did you think was in the leaks? In my experience, when people say their parents or friends didn't believe what they said was in the leaks, the parents and friends were usually right.
It means that people think the leaks say what Greenwald claimed they said instead of what they actually said, and when those people tell their parents what Greenwald said, they sound like lunatics. https://news.ycombinator.com/item?id=20456352
The added hop means that the NSA can't request anything they want from the Internet messaging companies. They can only see foreigner data from the specific users the FBI has already wiretapped via court order. There are no leaked documents that say otherwise and plenty of documents that corroborate my assertions.
This is why it hasn't been ruled illegal. Do people actually believe that phone metadata collection is illegal but the crazy thing Greenwald misread PRISM to be is not? That's going to trip grecy's university-educated family's bullshit detector.
Someone makes this exact same comment every time there is a privacy story - not realising there is a very big gap between speculating on what a governments capability is and having it confirmed
Sure - people in privacy circles may suspect this and sneer at the general public for thinking it is news, but it is a big deal to have it confirmed, to raise awareness of it and actually do something about it
I think the Trump tweet from the other day confirms that this speculation is not at all unfounded. I think 20cm resolution from satellite images is even better than most people speculated.
From what I can tell that image was pretty much in line with what everyone watching the US spy satellite program expected and wasn't hugely far off what's commercially available now. For instance, this was the first article I found when looking for information about the resolution of commercial satellite images (up to 30cm apparently), and it puts Keyhole spy satellites in the 7-10cm resolution ballpark: https://www.washingtonpost.com/news/politics/wp/2017/04/21/h...
The significance of that release was overblown because it helped support a narrative about Trump damaging national security that the media and people on social media liked. In reality it doesn't seem to have revealed anything about the US satellite imaging capabilities that wasn't already known.
It surprises me as a South African because I didn't know our government had the technical capability or capacity to store and process so much data, let alone splice undersea cables without detection.
Fellow South African here, you'd be very surprised then with the capabilities of our spy agency. Very secretive by hugely funded. The former apartheid spies went on to consult for the current government, and they were all very highly trained. In fact one of the precursors to the mass surveillance tech made famous by Snowden, was actually developed at a firm in Stellenbosch in the late 90's to early 00's. That was then sold on to various other state intel agencies, of which SA got a cut of the profit.
We've been developing very high level intelligence tools for years in private/public partnerships. It's all just highly secretive, and one of the areas that really does work, so it doesn't get any attention. Most of us, like yourself, just assume that because other areas here are awful, that our intel community must be to, but nothing could be further from the truth.
Lastly don't forget JZ himself was Head of Intelligence, so he always held it in high regard, and gave it the funding it required.
Not so secretive, in recent history VASTech (based in Stellenbosch's Technopark) were known to be supplying Gadaffi's Libya with telephone surveillance tech. [0]
Didn't know about the precursor tech being developed in Stellenbosch as well, do you have any sources on that? I'd be interested to see who was involved.
Agreed on the intel community generally being in a grey area as far as the law is concerned, it's a struggle enough keeping them impartial and not meddling in domestic affairs - talking about JZ being head of the ANC's intelligence in exile brings back memories of his ultimate succession of Thabo Mbeki and former spy chief Billy Masetlha's role in that.
Often at exorbitant cost in our case. The SSA is an unaccountable financial black hole. Our former president send to have also used them for his political gain, this Fraser chap is responsible for many misdeeds.
Now parts of our country are literally burning, yet there's no crime intelligence about the very threats to the state that SSA should be monitoring for. There was an act of terror that was nearly committed 2 days ago, but we're seeing poor leadership from those involved.
1. Its not uniformlly distributed.
2. China has GDP/person of ~$9,600
3. South Africa merrilly mines 4km below ground
4. Previous efforts included a nuclear weapons programme
5. Whole parts of Amazon's infa a built in CT
Apologies, you seem to have taken this a bit more personally intended. All I was intending to suggest was that the SA gov budget would be somewhat constraining its ambitions, not that its people are technologically behind, or whatever else you seem to be implying here.
I strongly doubt they spliced the cables. From the article it sounds like they got a court order (probably unconstitutional), allowing them to intercept the data. So they probably just needed to install a couple of big servers at the landing sites.
I can imagine a sustainable business could be made operating a fleet of ships in international waters that pick up undersea cables, taps them, and uplinks the data in real time to whichever .gov subscribes to it.
The company taking the risk gets a big fat government check every month, and the governments get to deny they're tapping anyone's data.
The return of Privateers (independent naval vessels commissioned to engage in hostile acts against enemy states, often in murky legal territory, and often blamed for the rise of piracy (successful privateering companies, when war was over, would be primed to simply become pirates))
That's great until another country declares you a hostile non-state actor and starts sinking your ships.
It's not easy to tap submarine fibre optic cables. The US Navy has a Nuclear Sub dedicated to the task. You can't just pick them up and stick a tap in them.
> it also covers information about organised crime
Let's just pause a bit here. In South Africa, if your phone gets stolen and you go to the police, they may well respond with: "Yes we know the guy, but we're not going to do anything." [1]
I think that surveillance doesn't have the same twang in South Africa that it has in the US and EU. Organised crime and unorganised violent crime for that matter in one thing that a lot of South Africans would like to see better monitored or "surveilled" if you will.
South Africa has this sort of dichotomy between illiteracy and high level tech that I think many people outside of Africa are not aware of. There is 60% youth unemployment [2] and at the same time it's the most developed African country. I heard a story that some of the surveillance tech that Muammar Gaddafi used was built by a company in Stellenbosch.
Most middle class people will have some form of armed response and cities especially are pro-surveillance for crime prevention, many of it by 3rd party security companies. I think that there is some kind of common sense notion of how to differentiate between security and privacy that the CIA or NSA could only dream of. Security means not being robbed; privacy means leave my life out of yours.
As mentioned in some of the comments, surveillance is not new at all in South Africa and in fact is much less than under the previous, non-democratic government.
But to summarise, South Africa is from a "freedom" point of view a really great country. You can pretty much do things and live the way you want. The level of crime and incompetency of the police is, however, too much to live with for some people.
"surveillance is not new at all in South Africa and in fact is much less than under the previous, non-democratic government."
This is a sort of sad irony of our day. It turns out that technology/accessibility are more important than ideology in determining how much surveillance happens. Non democratic surveillance states like apartheid SA or stazi East Germany might have been ideologically in favour of using surveillance to depress democracy but even ostensibly liberal-democratic regimes today do more of it.. because it's cheap, easy and "standard practice around the world."
To think of surveillance as a solution against violent crime is fantasy anyway. It wasn't a requirement at least for all other countries getting it to manageable levels.
Sure, you might catch some guys but as you yourself reported, it may not even matter if there is evidence.
But the incentive to abuse surveillance is certainly something western nations have readily helped with their active approval that couldn't even net results besides more civil resistance.
So I am not pointing the finger on South Africa here.
I think you are right, but I think it's more about people's sentiment. It's like saying in Washington's time people respected politicians. The question is then did people's perception change or did policians change?
In terms of surveillance, I don't think people are "pro" surveillance, I think it's just not a priority.
Wasn't it 6 years ago when Snowden made public his revelations and Google said 'nope' and encrypted the lot? Who now sends traffic over these links and doesn't encrypt them?
So, what value do the SA government have in intercepting these links now?
There were plenty of small samples in the various Snowden powerpoint slides of stuff NSA incepted from the pipes.
It seems a ton of mobile apps are sending information with identifiers over HTTP (the ID is a key part for them legally to pick it up and store it in a DB, forever). I notified one developer that was sending real-time GPS data + an email address highlighted in one of the PPT slide's (just a screenshot of a spreadsheet-like table) and never got a response from the developer. It was a small Canadian company with an app with a few million downloads, so I told Citizenlab about it (don't remember the name, had something to do with sports IIRC).
This is a chart of TLS traffic sent via Chrome and across Google:
2019 = 94% of traffic encrypted for Chrome users which is great.
Linux users currently have the lowest when using Chrome with 86%. I'm curious why this is.
Again mobile apps seem to be the biggest problem right now and there was no red HTTPS sign when they sent your sensitive information over cleartext:
> Mobile devices account for the vast majority of unencrypted end user traffic that originates from a given set of surveyed Google services. Some older devices cannot support modern encryption, standards, or protocols.
Maybe Google PlayStore should start punishing apps for not using HTTPS? Just like how Google is trying to make the internet faster by ranking performant/mobile friendly sites higher.
The app testers should put fake identifying information in the various app forms + automatically measure the outbound HTTP traffic for cleartext versions of the IDs.
>> Linux users currently have the lowest when using Chrome with 86%. I'm curious why the is.
They probably browse quite a few old sites for documentation and tooling that are just not updated for HTTPS. A forum I post on to this day is still served over plain ole HTTP and they have no interest in changing.
Not always true, if you message them directly and ask them nicely they'll switch to https. I've even messaged a few to switch from TLS 1.0 to 1.2 as it will be soon obsolete.
About 80% of those I asked switched so I am calling it a success, especially compared to companies, I barely get a positive/any response there.
Android is separate from Linux in the report. Developers and tech people make up a significant (if not majority) share of Linux users.
A lot of popular Linux and developer related pages are HTTP only. I did a quick Google search for some Linux related tasks, and found plenty of sites that don't use HTTPS. e.g. man7.org, linuxhowtos.org, linuxcommand.org
The report does break down HTTPS traffic by country, and you're right that lower income countries do have a lower share of HTTPS traffic.
> Linux users currently have the lowest when using Chrome with 86%. I'm curious why this is.
This doesn't surprise me when you consider that package management over HTTP is considered ok since it's separately authenticated and verified is a very common view
That this view would also spread to not requiring HTTPS on documentation and other sites would also not be surprising
The Linux world really needs to get it's act together with providing confidentiality via SSL/TLS
I'm curious about stats for iOS, with its app transport security being enforced for store submissions. There are exceptions, but I certainly hope that Apple is verifying that those are actually necessary before allowing them. I'd love it if Apple took a step forward and warned periodically for http use (similar to how it periodically reminds you that apps have location permissions).
Aside: I know at least for some orgs, ATS was helpful in convincing the older 'why isn't http good enough?' folks to finally get their act together. It may be shocking, but some people are quite resistant to typing in that extra 's'.
If I develop web endpoints, I usually use http until I know the target domain and have acquired the needed certs. In a lot of cases this is one of the last steps in deployment.
>Modern IRC servers tend to support TLS on port 6697 and SASL for authentication.
The OC's point was by default, meaning/inferring clear-text is still the modus operandi for generally getting onto IRC services.
>Many applications still aren't encrypted by default, like IRC.
SSL and SASL aren't, precisely, user-friendly implementations with some clients (e.g.: IRSSI[0] - but if you're using IRSSI, you don't want a user-friendly GUI to begin with, so...).
SASL has less to do with the actual encryption mechanism and more to do with the authentication mechanism (think NTLM)[1].
If IRC services dropped clear-text, today, that would go a lot further to standardising (e.g.: making default) encryption but, back to the OC's original point, it is not the default today.
This is mostly irrelevant; users using Web IRC gateways, services like IRCCloud or clients like HexChat[1] do not have to configure the server unless it isn’t already present in the list. If they do, they already will have to manually configure either TLS or plaintext. There is no “default.”
I mention SASL because it is relevant to security posture, especially if the user wasn’t connecting via TLS. Although of course the server could allow PLAINTEXT in practice there’s no point in supporting that because IRC already had native plaintext server authentication.
Majority of email traffic is by now for sure use s2s encrypted. Also considering how big major players are most of mail never leave Google / Microsoft / etc servers anyway and connections between them always only ever go over TLS.
Almost all of the SMTP over TLS will be opportunistically encrypted only and usually with pretty bad protocol / cipher choices.
It probably means your email to your aunt isn't intercepted and shoved onto an enormous pile of decrypted email to be parsed for keywords. Probably. But that's about all.
Against an adversary determined to intercept:
- They can probably just strip STARTTLS, so that everything happens in plaintext
- Even if they can't do that because of MTA-STS or similar, they can probably just present self-signed certs and it'll pass the mandatory checks
- If they can't do /that/ either (no idea what proportion of email but it may well be in the minority) they can downgrade because unlike in HTTPS nobody is just saying "Old garbage bad, never do that or we'll scream" and so people keep doing it. SSLv3 may even work with a lot of mail servers.
Still, what we have now with opportunistic SMTP encryption is equivalent to what you get with snail mail. The spooks CAN read anybody's mail, but it's a hassle so they mostly don't read yours.
They're a lot better than I thought! (over 90% in each direction, although no data here about certificate verification and the presence or absence of backbone downgrade attacks)
If you run your own mail service, check out my colleague's project at
I was just about to post the same link. Outside the US the numbers are a lot lower. Outbound to some countries is 0%. South Africa wasn’t in the report though.
Who now sends traffic over these links and doesn't encrypt them?
Remember that the intelligence agencies don't only want today's data, they want yesterday's data. You get yesterday's data by storing it today. Then you can decrypt it at your leisure, or when computers become powerful enough to break through.
I know a lot of people on HN earn a living making sure internet traffic is encrypted. But honestly, I really believe there are multiple TLA's that can decrypt whatever they want in real time. Maybe not en masse, but certainly targeted streams.
How do you think they're decrypting in real time? Do you think there are backdoors in the crypto/protocols? Severe accidental flaws? How many times a speedup are you imagining?
State of the non-TLA art is that modern https is completely impractical to break, even with enormous server farms working for years, let alone in real time.
I have no idea how they're doing it. But I believe it can be done simply because the intelligence agencies have the best, largest, fastest, most advanced machines that money can buy. Machines that none of us have even heard of, that are years ahead of anything any of us will ever touch in our lifetimes.
Back of the envelope, to see scale: to brute force SHA-256 you need to try about 2^255 combinations, so you'd need to have 2^194x (1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000x) the hashpower of the Bitcoin network (80 EH/s).
If you told me you thought they had cracked a common algorithm so they could do it in only 2^60 time that would at least be plausible. But the idea that they have hardware to straight up brute force it, though, is just impossibly wrong.
You literally can't brute force SHA-256, there's a very tiny physical limit on the amount of energy it costs to flip a bit of information. Turns out that, summed over all the possibilities, that adds up to way more energy than is in the entire solar system.
That image is a shows an NSA diagram of Google's network, with the links on the "public internet" side labeled "SSL" and on the "Google cloud" side labeled "clear text". You don't have to steal keys to exploit that, you just need physical attacks against the fiber links between Google's datacenters. Google had been working on encrypting that traffic, which was then massively accelerated when they learned it was being actively exploited: https://arstechnica.com/information-technology/2013/11/googl...
My pet conspiracy theory is that at least some large governments have quantum computers of useful strength.
It's probably more likely that they're just trudging along with side-channel attacks, CA fuckery, breaking into servers, and doing targeted attacks though. Cheaper and likely works well enough.
Yeah, zero days, phishing and coopting servers to send exploits to specific targets are what I meant by targeted attacks (and some of those overlap).
You're probably right on the quantum computers of course, but I like comparing it against what was publicly know about say cryptanalysis vs what the NSA knew in the DES days, and also similar situations in the ww2 days.
> Machines that none of us have even heard of, that are years ahead of anything any of us will ever touch in our lifetimes.
That's a pretty bizarre thing to believe. Who is building these machines? Intel? No other organization within the US has the lithography capabilities to manufacture cutting-edge computing hardware, much less "years ahead of anything any of us will ever touch in our lifetimes". Perhaps it's aliens?
In addition to what the other replies are saying, there's a lot to be gathered from metadata alone, even when the bulk of the data is encrypted. Knowing who is talking to who and at what time is difficult to mask and quite valuable information.
It took well over a decade for this acceptance to go from "conspiracy theory" to common sense in the tech community, and patches of cognitive dissonance still remain. What makes you think that opsec has adjusted so quickly, especially with nowhere straightforward to go? Consider that metadata-spewing HTTPS still passes for security.
2008 was when there were numerous undersea cable disruptions[1]. I wrote about them when it happened from the best sources I could find at the time[2].
It isn’t surprising to see that surveillance may have occurred as a result.
If there’s any comfort to be had, South Africa’s intelligence agencies are a shambles, and unable to deal with real-life threats right under their noses. The idea that they’d be able to do anything actionable with bulk—collected electronic intel is laughable.
The way things are going, wouldn’t be surprising if whole thing is a corrupt scheme linked to procurement of storage media.
> If there’s any comfort to be had, South Africa’s intelligence agencies are a shambles, and unable to deal with real-life threats right under their noses. The idea that they’d be able to do anything actionable with bulk—collected electronic intel is laughable.
> The way things are going, wouldn’t be surprising if whole thing is a corrupt scheme linked to procurement of storage media.
If anything, this is _more_ alarming because they are probably not securing the data they intercept all too well.
wouldn’t be surprising if whole thing is a corrupt scheme linked to procurement of storage media.
Reminds me a little bit of a guy I knew in the late 90's who repeatedly set off fire alarms at his company in order to convince management to allocate money for off-site backups.
Surveillance is nothing new in South Africa. It is not even a secret. We have a regulation with a name that fully disclose that your communications can be intercepted. It is called RICA, which is short for Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 [1].
When you buy a new SIM card, you have to register it using your identification document and proof of residence. Every legally obtained SIM card is accountable. That way they wil know they are intercepting communication of the right person.
To forward a lot of it to the NSA [0], the same NSA that also messed with Germanys G10 laws to "legalize" these kinds of practices in the very first place [1] for exactly that reason.
edit: UK is pretty much also NSA, because unlike the German BND they are at least part of FiveEyes [2] because real global surveillance is a rather exclusive club.
The possibility of wiretapping will always exist, even if not carried out wholesale by the government itself. And so will commercial services touting convenience in exchange for being MITMed.
If it's not state-run intelligence agencies, it's private actors (whether legally or not). Everyone's snooping, and we have to act accordingly in how we communicate.
Full end-to-end encryption, with occasional onion routing, is maybe the best path ahead.
The benefit is that it does not require any argumentation with other people, noone needs to be convinced or won over, and that it makes sense. It costs nearly nothing to deploy cryptographic solutions.
It's worrying that developing countries can buy off-the-shelf solutions to surveil its citizens without going through the decades of cultural and social change other countries have. We asked questions like "Is this ethical?" before the technology became possible. For them, the tech is here and the social discussions were never started.
Maybe this is the same thing. We haven't upheld our ideals on privacy anyway.
Nobody said the downsides were over HTTP. When talking about state sponsored espionage, the glaring downside of HTTPS is PKI and buying into the CA model.
Other than what the sibling posted, which is true, there's an extra round trip for the TLS handshake, which makes a real difference when you're on a horrible 3G connection in a poor country (thankfully HTTP 2.0 fixes a lot of this, but again - complexity). Infra will catch up hopefully but it is a pain point for those who are less well off.
Given South Africa is a member of BRICS, it's not likely.
> In addition to commercial motivations, the new fiber optic Silk Road could also have geopolitical and strategic implications. Russia and China evidently share a desire to shield themselves from U.S. and other Western intelligence agencies and probably believe that their own communications – both with one another and to and from Europe – will be better protected if cables run across their own territory rather than through the Indian Ocean or the U.S. The same motivation explains the announced Telebras cable, which will connect Brazil to Portugal without any U.S. technology, and the BRICS cable project, which will link Vladivostok to Brazil, via China, India and South Africa.
While interception is common and probably ubiquitous, I think we overestimate the governments' ability and wherewithal to use all this data. At the end of the day, only the worst hackers work for government.
I think if you believe that any major country is not intercepting all undersea fibre cable traffic within their reach or even beyond it then you’re being very naive. I can’t understand how this news would surprise anyone.