Forgot your password?
typodupeerror
Communications Your Rights Online

NSA Scraping Buddy Lists and Address Books From Live Internet Traffic 188

Posted by Unknown Lamer
from the deep-packet-inspection-for-fun-and-profit dept.
Charliemopps writes that the Washington Post reports "The NSA is collecting hundreds of millions of contact lists from all over the world, many of them belonging to Americans. The intercept them from instant messaging services as they move across global data links. The NSA is gathering contact lists in large numbers that amount to a sizable fraction of the world's e-mail and instant messaging accounts." According to the leaked document (original as a PDF), the NSA is intercepting some chat protocols and at least IMAP, and then analyzing the data for buddy list information and inbox contents.
This discussion has been archived. No new comments can be posted.

NSA Scraping Buddy Lists and Address Books From Live Internet Traffic

Comments Filter:
  • by Noryungi (70322) on Tuesday October 15, 2013 @08:09AM (#45130735) Homepage Journal

    Host your own email server on a Pi. Encrypt everything. Go back to Fidonet or even to snail mail.

    I am in the process of doing just that.

    • I do not even know if the Fidonet infrastructure is still working or not.

      Yes, I was a sysop back then.

    • by oobayly (1056050)

      It's not a bad idea - I'm pondering doing the same (albeit with a more powerful machine) for a range of domains I have. The reason being it's a bitch to migrate the email when changing providers rather than NSA monitoring.

      However, it's a problem when you ISP implements carrier-grade NAT or doesn't allow incoming connections on TCP 25.You could use their MX server and then use something like fetchmail to pull down new mail (we used to do that before hosting our own MX server), but that of course leaves you r

      • by Fjandr (66656)

        Then use submission ports if your ISP blocks 25. Most ISPs I've found don't block them, even if they block port 25.

        • by oobayly (1056050)

          I was under the impression that to receive inbound public mail, TCP 25 had to be used.

          • In theory you could use name@server.com:port, but I don't imagine most mail software would be happy to parse that.

    • by Sockatume (732728)

      Why would that help when they're intercepting the email traffic itself?

    • by rasmusbr (2186518) on Tuesday October 15, 2013 @08:49AM (#45131057)

      Great idea, now all we need is to found a nation based on Raspberry Pi ownership and/or the ability to host your own servers for email and other communication, outlaw communication with foreigners, and then we should be all set!

      The world could really use someone or some corporation with lots of resources and no ties to government to fund, and fund indefinitely, an effort at remaking the internet from the ground up. I just can't think of who or what that someone is.

      Trying to do it yourself is pointless.

      • Won't help. The data still traverses the NSA monitored infrastructure. Unless you are laying your own cable, your data's being intercepted.
      • by Wycliffe (116160)

        I agree that doing it yourself is pointless but not hopeless. The internet has lost it's goal
        of routing around failures. We should try to move to a decentralized internet. The simplest
        and easiest way to do this is with sharing wifi routers. Most people in a city can see
        multiple wifi routers. If the routers all talked to each other and shared bandwidth then you
        have dozens of paths to the internet. This could even be expanded to cars. While
        driving on the highway there is typically a string of cars stre

        • Mesh networking. It's good, but doesn't scale infinitely. If you're looking at re-decentralising the internet, it's going to have to be part of the solution, but not everything.

          I hold some hope for content-addressible networks and distributed caches. They could handle the bulk distribution of data very effectively, greatly reducing the demand on any mesh network and rendering it more practical.

        • It's a great idea, but can it be done? Even if connections over the large number of hops inherent in such a system were acceptable, is existing consumer-grade hardware capable of running BGP with reasonable performance and storing the (extra large!) routing tables necessary?

          In fact, given that routing tables grow exponentially, is it even theoretically possible for a full peer-to-peer Internet scale mesh to work?

          • by Wycliffe (116160) on Tuesday October 15, 2013 @03:15PM (#45135291) Homepage

            >
            > In fact, given that routing tables grow exponentially, is it even theoretically possible for a full peer-to-peer Internet scale mesh to work?
            >

            If current routing tables can't scale then maybe a different type of routing table or a different solution entirely is needed.
            For instance if every router was location aware and knew it's geographic location and the geographic location of the place it was
            trying to reach it could send the encrypted packet in the general direction with the knowledge that each node would get it
            one step physically closer to it's destination. Large hops is still a problem but large hops is really only a problem with stuff
            that needs to be close to real-time. For email this isn't really much of a problem as even a 5-10 minute delay or longer isn't
            really a big deal.

      • True. But ten thousand bedroom tinkerers and enthusiast coders working together could be a force of some capability.

        I'm not a good enough coder to make much, so I do my part by shamelessly plugging Retroshare to everyone. It's a really nice program. Encrypted IM software, fully decentralised. Crypto that, while the NSA might get through, will certainly make them work for it. Plus a good file-sharing capability, mail, even distributed forums. All based on public-key authentication of your contacts, and never

        • by rasmusbr (2186518)

          Enthusiasm is a great start, but enthusiasm alone has a divisive effect on groups of intelligent and creative people. You get lots of little groups going off and inventing incompatible stuff.

          Cash has a cohesive effect on groups of intelligent and creative people. With cash you can get people to work in the same direction even though they'd prefer to work on their pet projects.

          There are probably some exceptions to the rule where people stick together and focus on a single project, but I bet most of them also

    • Go back to Fidonet...

      Riiight! Because the NSA can't decode modem traffic.

    • by sl4shd0rk (755837)

      Encrypt everything.

      Indeed. Self-signed SSL certs are going to take on a whole new purpose now since the NSA doesn't hold your CA cert.

      • And yet Firefox will still scream blue murder if you so much as attempt to open a https page with a self signed cert.

        More and more, I wonder about the real reasons behinds Mozilla's decision to declare an encrypted web off bounds.

        • Just add your self-signed root CA to the browser. I have a root CA I use to sign all my certs, and I add the root to my laptop, servers, and mobile devices. That way they validate.

    • For one thing, your email domain is unlikely to be taken seriously by existing email providers if you run a server from your home (and consumer ISP plans won't let you do this anyway); running it from a hosting provider would hardly improve privacy even with encryption. The call to "encrypt everything" would, for email, imply using PGP which leaves the 'who' and subject parts of the messages unencrypted.

      If you want to run something really effective against corporate-state mass surveillance, then go for this [geti2p.net]

      • Can't send mail from a domestic connection. Those IP ranges are on every spam blacklist, as most mail sent from them is the work of spam-sending malware. You can recieve, but not send.

    • I'm sure uucp is still around. My earliest "Internet" feed was new and mail and news feeds over UUCap. Bring back bang paths and modems!

    • Guess what everyone who these bozos should be spying on is already doing. Has been for a long time.

      What sucks and blows about the whole deal is that their whole effort not only invades the lives of millions, if not billions, of innocent people, it doesn't even come close to accomplishing its alleged goal.

      If you think terrorists are by definition dumb, think again. Terrorists work like any kind of decentralized, illegal groups. There is not "THE terrorists", rather think of them like you would of, say, drug

    • by tlhIngan (30335)

      Go back to Fidonet

      That's actually a viable option.

      In a lot of places where the internet is firewalled, monitored, etc (basically everywhere), a lot of people used fidonet to send messages out because the censors never investigated that traffic - they monitor your email, but not your modem.

      So for a lot of people (and journalists and all that), fidonet really is the network of freedom because it's the only valid way out.

  • Foreigners (Score:5, Insightful)

    by Anonymous Coward on Tuesday October 15, 2013 @08:09AM (#45130741)

    I am so sick of hearing this idea that just because I am not a citizen of the USA then somehow I have less rights to privacy.

    • Re:Foreigners (Score:4, Insightful)

      by Noryungi (70322) on Tuesday October 15, 2013 @08:11AM (#45130751) Homepage Journal

      Then do something about it and stop using US-based web services.

      • Re:Foreigners (Score:5, Insightful)

        by Aguazul2 (2591049) on Tuesday October 15, 2013 @08:26AM (#45130851)

        Then do something about it and stop using US-based web services.

        Also European and Australian ones, in fact any web services that are in a country where there is an NSA-affiliated tap point, or where your traffic crosses one of those countries. In fact, if you are a 'foreigner' best disconnect completely and go live in a cave -- but not one dug by the CIA because then you're a terrorist and we will send drones.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Then do something about it and stop using US-based web services.

          Also European and Australian ones, in fact any web services that are in a country where there is an NSA-affiliated tap point, or where your traffic crosses one of those countries. In fact, if you are a 'foreigner' best disconnect completely and go live in a cave -- but not one dug by the CIA because then you're a terrorist and we will send drones.

          "European" is much too broad stroke here, there are major differences between the countries. If you host online services in Norway fx law enforcement have to go through normal official court proceedings and get a specific court order for a provider to have to give them any information on the customer covered by the court order. No blanket access, they have to go through normal due process in each case, there are no special laws that circumvent this. They/NSA could of course still tap at the network level at

      • Re: (Score:2, Insightful)

        by Sockatume (732728)

        They're not snooping on one, specific service at a point in the US. They're looking at any appropriate traffic that happens to pass through the US. Any information that passes through the US must be considered compromised by the NSA.

      • Re:Foreigners (Score:5, Informative)

        by IamTheRealMike (537420) <mike@plan99.net> on Tuesday October 15, 2013 @08:36AM (#45130933) Homepage

        The article explicitly says this does not appear to be based on the co-operation of US providers but rather international fibre taps - presumably placed or operated by compliant intelligence agencies that are merely extensions of the NSA. The US might be a ringleader in this activity, but other countries have out of control security services as well. After a long period of political silence in the UK we finally got some discussion this week, after senior cabinet members who served on the national security committees admitted they had no clue anything like that was happening. Cameron's response was priceless, he said the agencies would have told them about it if they'd asked!

      • by gl4ss (559668)

        doesn't help when US has taken the liberty of acting like it's legal for them to hack and intercept services that are abroad(even if they themselves declared such actions as comparable to war/terrorism).

        personally I think the rest of the world should just declare US services as free targets for hacking(and subsequently deny any extradition requests or information requests for such activities). oh and don't pretend there's not economic impact from hacking ceo's and politicians - and thanks to piss poor insid

      • There are already ads for local email and web services based on recently revealed truth about USA.

        Don't want 'friends' to read your communication?
        Use {local brand name}.

        Of course if you use them, things will be still read by your country's services, but at least they are your compatriotes, not foreigners, they fall under your law, not USA twisted law (except where some corporation long hands will reach for you), and you might be arrested by friendlies, not by illegally invading Seals or Rabbits.

    • Re:Foreigners (Score:4, Insightful)

      by MickyTheIdiot (1032226) on Tuesday October 15, 2013 @08:11AM (#45130757) Homepage Journal

      You have *less* rights to privacy than a USA citizen? In this case of privacy is there a number less than zero?

      The USA citizen that has no special associations is a peon, pal. We're in the same boat.

      • Re:Foreigners (Score:4, Insightful)

        by Noryungi (70322) on Tuesday October 15, 2013 @08:16AM (#45130779) Homepage Journal

        I guess your privacy zero when the Secret Police comes up to your door to arrest you in the middle of the night.

        This has happened before, in Europe and in many other countries around the globe.

        Funny thing is, the Secret Police was often financed, equipped and trained by the CIA.

      • by aclarke (307017) <spamNO@SPAMclarke.ca> on Tuesday October 15, 2013 @11:06AM (#45132349) Homepage
        If this is the case, why is it that most of these articles use phrases like "many of them belonging to Americans"? If it doesn't matter, why is the point made? The answer, of course, is that it does matter. That is, it matters to American law. For reference, see https://www.aclu.org/nsa-surveillance-procedures [aclu.org] and highlight the word "Americans".

        Speaking as a non-American, I think it shouldn't matter whether I'm American, Austrian, or Azerbaijani. We're all human and we all have the same rights. I find it offensive when I read these articles and there's always the "including Americans" tagged onto the article headline, like somehow it's OK if it's done to non-Americans. I realize it wouldn't be much different if any other country had been caught with their pants down. It's just that in this case it's the US (again).
      • by gsslay (807818)

        Then why do practically all US based news sources emphasise that this snooping may also be happening to Americans? As if that's where the line is getting crossed?

        Either they think their readers need it to be happening to them before they'll give a shit. Or they think their readers are entirely OK with snooping on innocent foreigners, but not innocent Americans. Either way, that's worrying.

    • Well...from a realpolitik viewpoint...you do. Countries are only interested in protecting their own (f*ck the world...and their allies), and even then, only so much as is necessary to stay in power.

      Allow me to explain this to you in more pragmatic terms: if your country could, with reasonable effort, turn everyone outside its borders into slaves, sell them and their children on the open market, as well as anyone inside its own borders (up to 50% + 1 to keep itself in power 'democratically), it totally would

    • by s122604 (1018036) on Tuesday October 15, 2013 @08:30AM (#45130895)
      You sound angry. I'm glad my NSA is keeping tabs on you, who knows what you are capable of.
    • by AHuxley (892839)
      As a Foreigner, load up your IM with US citizens. 100's of them :) Sit back, be politically active and as you make watch lists, your IM list follows you.
    • It's because your a user of technology. Non-citizens are just the excuse used by the US government when we know full well we're all losing our rights to privacy. In fact, I'd suggests non-citizens have more privacy. You're country may not subject you to constant government forced data collection in the form of "insurance" - medical, home, auto, etc. or law enforcement...whatever no privacy exists anywhere anymore.
    • Agree to delay the individual mandate, in exchange for a repeal of the debt-ceiling laws.

      From US Government Agencies? You certainly do!

      Just like *I* have no reasonable expectation of privacy from the GCHQ, the German spy agency, the Russian one, or any other foreign government's espionage apparat.

      Or do you really believe that foreigners in foreign countries are bound by YOUR laws?

    • by SirGarlon (845873)
      As a citizen of the USA, I am at least as sick of hearing that as you are. It ain't true, and the US Supreme Court has said so several times.
    • by sjames (1099)

      It's not that you have no right to privacy, it's just that where the NSA is concerned, it's actions against U.S. Citizens is the most clear and incontrovertible evidence that it is out of control and acting beyond it's charter and authority.

      In the same way, when protesting your own government's involvement, actively cooperating and allowing the NSA to have an active tap in your country is a more clear violation of trust than simply failing to protest the NSA in the U.N. would be.

  • by mrthoughtful (466814) on Tuesday October 15, 2013 @08:28AM (#45130871) Journal

    Yes. Posting all your contacts on the Internet is open to breaches of privacy (regardless of zero-day exploits).

    Amazon, Apple, Google, Microsoft - all of them kowtow to the NSA, the CIA, the FBI. Why?
    Because in return their lobbyists get to bend the ears of the legislators.

    Why is anyone surprised by any of this?

  • by GoChickenFat (743372) on Tuesday October 15, 2013 @08:38AM (#45130969)
    I guess "most transparent" actually referred to us and not the government.
  • It's been an open secret for years now that the branches of the federal government tend to "bury" their budget inside of other allocations to hide them from outsiders, supposedly explaining the existence of $500 hammers and $1,000 toilets. Is the NSA also doing this, but with bandwidth rather than dollars? It might explain how suddenly the various ISPs are up in arms about bandwidth hogs and how a small percent are using up the majority of the bandwidth available on the network....

    • by AHuxley (892839)
      The NSA grew and shaped digital thinking on US domestic telco networks and world wide interconnects. There are no historical usage "bumps" for the NSA inside its own network - the USA.
      The only unhappy time for the US and UK was a very short period in the 1950's when the Soviet Union strangely used onetime pads and kept its communications chatter down.
      Apart of the odd break down or political issues with NZ or the UK the US has always seemed to keep pace by setting telco standards before bandwidth issues b
  • Clapper... (Score:4, Interesting)

    by surfdaddy (930829) on Tuesday October 15, 2013 @08:59AM (#45131141)
    Clapper was the guy who lied to Congress, saying that the NSA was NOT collecting data or spying on US citizens.

    What the FUCK has happened to this country?

  • by Gothmolly (148874) on Tuesday October 15, 2013 @09:09AM (#45131213)

    But they're only tracking who is talking to whom, so that's ok right? Right?

  • What the hell is the NSA being paid to do? Right now they're spending money, manpower and resources on trolling the internet for people's buddy lists and address books. For what? Because some terrorist might spill the beans on his super plans over AIM?

    This is getting ridiculous. The NSA has clearly become a giant black hole of money which can and will hire an office full of people, a warehouse of computer equipment, and a 20 year maintenance plan just to keep tabs on who is sending instant messages to who -

    • Just another example of the stupidity of dragnetting. Now, think of the size of the graph produced by analyzing all of these buddy lists. Now, think about the resources they've spent maintaining and developing the ability to scrub all of this internet traffic. Now think about all the potential "suspects" they'll end up with when 2 guys get busted with pipe bombs at the airport.

      They didn't have the resources to follow the Boston bomber or keep tabs on what he was up to because they've adopted some predict

  • Don't use unencrypted sevices.

    Use encryption supplied by 3rd parties that uses proveable algorithms.

    Don't store your data on 3rd party sites.

    Use open source software.

"The value of marriage is not that adults produce children, but that children produce adults." -- Peter De Vries

Working...