I once took a call with an ex-NSA guy who was a CEO selling email security software: your MX would point to them, they'd scan your incoming email for exploits, then deliver it on to you. When I spoke to the guy, I expressed my concern, having worked for a large multinational corporate whose fiber optic lines were tapped by UK intelligence to avoid NSA laws against spying on Americans, that if I couldn't inspect his software, I couldn't feel confident of the security and integrity of the scanning system.
I said, in good faith, that I would consider his product if I could inspect the running system and the code.
He said several things:
1) the NSA never did anything illegal
2) the software was too large to audit
3) it was an insult to his employment in the NSA that I was even asking these questions.
The NSA would never do anything illegal; if you have a problem with highly misleading and unethical actions being undertaken with flimsy pretenses established by classified memos citing dubious legal justification, then that's obviously your problem, not theirs.
Also, didn’t the director of the NSA perjure himself when he lied under oath during his sworn testimony before SSCI? No, sorry, he actually gave the “least untruthful answer” and then changed his answer when contradictory facts became public. I would have called that illegal but obviously the NSA has a legal theory and justification as to when they need to provide “untruthful” “facts” to the institutions exercising oversight.
The difference is that I knew he wasn't on the level when he said it, because the NSA has been sued and it's come out they've done things that were illegal, as found by a court of law, in public. That's just one example that we know of.
Neither is objective. There's no pretense of objectivity in the legal system. This is why you see people say things like "we'll find out if this was legal when they rule on the case".
Found to be illegal at the judicial level:
https://www.nytimes.com/2010/04/01/us/01nsa.html
then overturned by the 9th court. Then Congress stepped in and changed laws to make the situation "clearer".
"In partnership with the British agency known as Government Communications Headquarters, or GCHQ, the N.S.A. has apparently taken advantage of the vast amounts of data stored in and traveling among global data centers, which run all modern online computing, according to a report Wednesday by The Washington Post. N.S.A. collection activities abroad face fewer legal restrictions and less oversight than its actions in the United States."
Note there's a fair amount of speculation on the specific details of how and what data is collected and shared.
There have been public claims about it, and honestly, thinking that they wouldn't do it once they have the power to seems naive?
https://www.zdnet.com/article/thatcher-ordered-echelon-surve...
> Ex-spy Mike Frost told the CBS 60 Minutes programme that Thatcher had ordered surveillance on two cabinet colleagues according to excerpts released on Thursday. The allegation comes in the same week that a European Parliament report said Echelon, a surveillance system run by the United States, Canada, Britain, Australia and New Zealand, was used for industrial espionage.
"pushed back"? Like how the director of the NSA "pushed back" on congressional questions of whether the NSA was broadly collecting any data from American citizens?
"Please don't post insinuations about astroturfing, shilling, brigading, foreign agents and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email us and we'll look at the data."
No it doesn't (at least not to me or the dictionary). Conspiracy denotes two or more people planning with each other to commit illegal, wrongful, or subversive acts. Whether or not it's hidden doesn't enter into it.
A lot of people are talking about a state of apartheid in Israel; let's not throw every theory in the corner of anti-Semitism. And to be crystal clear, I'm saying this from a POV coming from Jewish heritage.
Not "more data than any of the others" - just a specific kind of access that usually comes with much closer intelligence relationships (e.g. Five Eyes), rather than the more wary relationship the Israeli and US intelligence communities generally have with each other.
Since when do spy agencies avoid doing things just because they're "not allowed" to do them? An activity being disallowed only means that they'll avoid telling people that they're doing it.
Auditing is a negotiation between the auditor and the auditee. The auditor rarely gets to dictate absolute terms (and in my experience, will often listen to well-reasoned and prepared arguments and plans from auditees).
Since I was effectively the CTO for a startup that cared about the security of its messaging, I think I made a reasoned judgement about the nature of the security of their product, and offered a way that he could help increase my confidence that he wasn't just sending a copy of my unencrypted email (the email has to be unencrypted for their scanner to work) off wherever.
I don't really find that rude. A cloud customer certainly can go to a cloud provider, say "you know, it's possible you have rogue internal actors, I've read articles that said you've fired SREs before who snooped on user data, can I see your audits that show you deal with insider risk properly?"
Yes, he sells himself on that experience (I had already done due diligence on a previous company he founded, sqrrl, which was organized around open source software, but touted the NSA creds):
Oren Falkowitz
CEO and Co-founder
Oren Falkowitz co-founded Area 1 Security to discover and eliminate targeted phishing attacks before they cause damage to organizations. Previously, he held senior positions at the National Security Agency (NSA) and United States Cyber Command (USCYBERCOM), where he focused on Computer Network Operations & Big Data. That’s where he realized the immense need for preemptive cybersecurity.
This post could turn into +5 informative if names and contact details were added for this unidentified "ex-NSA guy" and the "security software."
As-is, this post is becoming popular because people are replying with random experiences and hate they have for the NSA and insecure systems. But instead it could be helpful by damaging the reputation of a specific person that is peddling insecure systems.
I said, in good faith, that I would consider his product if I could inspect the running system and the code.
He said several things: 1) the NSA never did anything illegal 2) the software was too large to audit 3) it was an insult to his employment in the NSA that I was even asking these questions.
Then he hung up.