<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div align="center"><img alt="<interesting twitter conversation
image goes here>"
src="cid:part1.08030806.07060308@immunityinc.com" height="390"
width="532"><br>
<br>
<div align="left">Ok, so I wanted to add some of that whole
"reality" thing to the latest breathless exposé from The
Intercept. It's not a bad thing that there's a "newspaper"
writing about how force feeding prisoners is maybe wrong, or
maybe how the Govt isn't telling the whole truth and nothing but
the truth. But that's only effective if you haven't krazy glued
your newspaper's stun-beam of Righteous Indignation to 11. So,
without further ado, please get <a
href="http://pre14.deviantart.net/72e9/th/pre/i/2012/084/3/7/scottsman_in_tactical_kilt_with_ak47_by_jackryan224-d4tx899.jpg">your
tactical kilt</a> on, click through, and read the article, and
then let's talk about SIGINT.<br>
<a
href="https://firstlook.org/theintercept/2015/07/09/spying-internet-orders-magnitude-invasive-phone-metadata/">https://firstlook.org/theintercept/2015/07/09/spying-internet-orders-magnitude-invasive-phone-metadata/</a><br>
<br>
Micah's Twitter question (for those of you using HTML compliant
mail readers, you can see it above) is pertinent. I said he got
some facts wrong. Maybe he got the facts right, but his
interpretative dance of outrage was wrong? Regardless, I think
he probably missed out on an important section in the regulation
which he could have been more breathless about, which I will
paste below:<br>
<small><br>
C2.3.3. Foreign Intelligence. Subject to the special
limitation contained in section
C2.5., below, information may be collected about a United
States person if the
information constitutes foreign intelligence, provided the
intentional collection of
foreign intelligence about United States persons shall be
limited to persons who are:<br>
C2.3.3.5. Corporations or other commercial organizations
believed to have
some relationship with foreign powers, organizations, or
persons.
</small><br>
<br>
Hey, that's a pretty big door! Nevertheless, ignoring that for
now, let's talk about "collection". Micah complains that when
the intelligence community uses the word "collection" they do so
in a special way. And that's true, because <i>SIGINT collection</i>
is not the same as <i>seashell collection</i> the exact way
that <i>prime numbers</i> are not the same as <i>prime rib</i>.
Those words are similar, but used in a different context they
can mean different things. This is upsetting, but a fact of our
language and our life. <br>
<br>
Let me tell you how it really works in the head of the IC: "US
data is like toddler poo. It's icky and gross and all over the
place and if I absolutely have to I will touch it with a paper
towel and throw it in the trash, but mostly I just want to avoid
stepping in it or smearing it on reports that I send to people
who wear suits for a living." That's the full direct meaning of
<i>minimization</i>. <br>
<br>
To be more technical: There are good operational security
reasons that I am imagining as a non-Lawyer or IC member for
gathering a whole mailspool, and then, on a computer that you
control, filtering out the data that you are not legally allowed
to store or have your analysts look at to create reports. Let's
take the top few reasons and just chew on them, like the fat
Cuban cigar I imagine every Intercept employee is issued upon
hiring, but never allowed to light until Snowden returns to the
Homeland on the back of a giant bald eagle to save us all.
Here's some scenarios and let's see what issues they're trying
to solve with their definition of <i>collection</i>, from a
hacker's perspective:<br>
<ol>
<li>If you don't grab US Data from a mail server, you are
obviously the Americans. This may have some pretty bad
follow-on effects. For example, if you are the Americans
using a stolen Chinese RAT to pretend to be the Chinese
while hacking a Russian system, now the Chinese AND Russians
know that you have stolen that RAT and toolchain, and can go
find out when and where, and you are losing sources and
methods in a big way all over the place.</li>
<li>Filtering out American data can take some time and CPU
              cycles, and may be impossible on unintelligible data (which
is why that whole clause about the data being intelligible
is in there). So, as an example, you are downloading a 5 gig
<i>personaldata.tar.bz2</i> that has some emails from
Americans on a SparcStation last updated in 2001 when Sun
was a company that sold computers. You are not going to
untar that bad boy on the target system, because BZ2 was
written by trolls who hated spare CPU cycles, and designed
their algorithm to use as many as possible and if that
SparcStation was to do so it would overheat and send an
alert to the bored Russian private trying to watch porn on
it. So you bring the file down, decompress it locally,
filter things out, then move on with life. </li>
<li>The list of "Americans" you know about might be private.
Best to filter things out privately then, rather than trying
to push that list out to random machines, eh?</li>
</ol>
          <p>In addition, let's break it down with some additional
fun facts!<br>
</p>
<ol>
<li>If your mom sends you unencrypted email and it happens to
be going over a fiber cable or sat link unencrypted, it's
going to be stored and read by the Chinese and Russians and
so forth. They don't do minimization at all. Sometimes they
like to edit the data "in transit" to add funny videos to
unencrypted emails and web pages which is why the whole
"RickRoll" thing happens. Americans never do that.<br>
</li>
<li><a
href="http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties">http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties</a>
              &lt;-- read here to see how the US is the only country with
an official minimization policy that applies to foreign
nationals. It ain't much, but let's just say you could in
subjective time watch all the Nicholas Sparks movies and
still be waiting for any policy whatsoever from China,
              Russia, or France when it comes to non-citizens. <br>
</li>
</ol>
<p>Hopefully this email provided some food for thought, because
to be honest, you don't have to dress the USG's position on
stuff up to find things that maybe should be changed. It
actually weakens your position. Anyways,<br>
</p>
<p>-dave<br>
<br>
</p>
<br>
</div>
</div>
<br>
<br>
</body>
</html>