A bit more thorough engagement:

> I don’t think anybody says we’re no longer free because we have checkpoints at airports.

I think there are actually quite a lot of people who do expressly argue that point in nearly those exact words. The point of contention is arguing we are demonstrably less free or more inconvenienced not because of the checkpoints per se, but because of the invasive procedures forced upon the public's expectations of privacy and the protection thereof.

This--invasive violation of public expectations of privacy & protection--is becoming a bit too much of a constant theme.

> [W]e don’t have to sacrifice our freedom in order to achieve security. ... That's a false choice. ... To say there’s a tradeoff doesn’t mean somehow that we’ve abandoned freedom.

The President is an intelligent man with a solid grasp of language and its intricacies of usage. To admit there is a tradeoff is to implicitly assent to the sacrificing of freedom for said tradeoff (this, the achievement of security).

The bit about this being a false choice is interesting. The President invokes the fallacy of the false dilemma, which raises the expectation that there are additional options available--but not considered--where the goal of protecting freedoms and achieving greater security intersect ... and then does not offer any alternatives or exposition on what other options may be (or have been) considered. I'm left quite unsure of how he then considers sacrificing freedom to achieve security a false choice.

Moving on, this statement

> ... the NSA cannot listen to your telephone calls, and the NSA cannot target your emails … and have not.

directly contradicts the followup statement:

> ... if you’re a U.S. person, then NSA is not listening to your phone calls and it’s not targeting your emails unless it’s getting an individualized court order.

This strikes as more talking points rearing their head without substantive difference in an effort to shape public opinion and discourse. If it is said that the NSA cannot target emails and listen to phone calls, that is going to etch itself into the public consciousness that the technological apparatus required is not present. But the follow up clarifies in nearly identical language that the NSA is not listening/targeting "unless it's getting an individualized court order." So now we are at the opposite side--the NSA can target your emails and listen to your phone calls, despite the aforementioned clarification they cannot. The talking points are keeping things intentionally muddled where they could easily make it more plain. So, barring other intricately worded explanations, this pretty much makes it sound like the NSA can indeed listen to your phone calls and target your emails, but only--as long as the existing rules are being followed--if they secure an "individualized court order" after good old-fashioned probable-cause seeking.

Of course, this is an even more bizarre clarification for the President to make when he later turns his attention to the phone records program. The 2015 Program:

> Program number one, called the 2015 Program, what that does is it gets data from the service providers like a Verizon in bulk, and basically you have call pairs. You have my telephone number connecting with your telephone number. There are no names. There is no content in that database. All it is, is the number pairs, when those calls took place, how long they took place.

Okay, so admission that bulk call data is there, as Snowden alleged with his leaks. Once again, the talking points that this is all metadata--without explicitly using that particular word, though. And yet, it is trivial to connect a phone number to its owner. So, your call data is there in the database with all the information required to identify you specifically should intelligence agencies deem necessary.

The President further clarifies the nature of the reporting in that he says "[a]t no point is any content revealed", a perhaps unfortunate, unintended admission that the content is there. I know the President likes to be very clarifying when speaking and interviewing and somewhat sidetracks mid-sentence to clarify a specific phrase or term (note all the em-dashes littered throughout the text of the interview), but this one is particularly interesting because it reads as if he caught himself mid-un-truth when he jumps mid-sentence to say that if the FBI wants content, they then have to go to the FISC to ask for a warrant to get the content.

Any rational person should, therefore, conclude the content is indeed there to be interrogated, regardless of what the policy for such interrogation may be.

His comments on the 702 program are nigh-unintelligible for such a careful speaker as the President usually is. He tries to disqualify concerns about it by saying it "does not apply to any U.S. person", then describes it as a program that produces "essentially [but not actually] a warrant" that compels private companies who hold communications to turn over the content. Then again, the clarifier that this does not apply to U.S. persons and is only in "narrow bands" of criminal/terrorist activity by foreign agents. He further attempts to posit constitutionality and authority by saying "the process has all been approved by the courts"--but these are not publicly accountable courts whose decisions are made available to we the People.

> ... if people are making judgments just based on these slides that have been leaked, they’re not getting the complete story.

Nevermind that we are only getting a partially complete story--being hidden behind curious clarifications and dubious assertions of state secrets privileges--because of leaked slides.

The big kicker:

> It is transparent. That’s why we set up the FISA court ... My concern has always been not that we shouldn’t do intelligence gathering to prevent terrorism, but rather are we setting up a system of checks and balances?

So, on this telephone program, you’ve got a federal court with independent federal judges overseeing the entire program. And you’ve got Congress overseeing the program, not just the intelligence committee and not just the judiciary committee — but all of Congress had available to it before the last reauthorization exactly how this program works.

This is more informative than most everything else in the interview. The President clarifies that--despite much of what campaign rhetoric made people believe he thought--his concern is not whether we should be enacting these intelligence gathering programs that target everyone and attempt to hide behind policy rules, not laws. His concern is the erection of checks and balances that appear good enough, but none of which actually are explicitly in the way of public discourse and notification.

He relies on a "federal court with independent federal judges" that operate in secret and whose decisions are de facto classified, as well as statistically shown to be rubber stamp decisions.

The biggest allegation is that all of Congress had this information available to them before the last reauthorization of the programs, information that told Congress "exactly how this program works".

Either the President is lying, or Congress is putting on a sham of shock when they were already aware of all of this, or the President is throwing them under the bus for not bothering to read and understand the information before reauthorizing--thus making a move to avert public outrage toward their representatives, all of whom allegedly had this information and ignored it when reauthorizing. Or something else.

I still feel like this interview offers a depressing amount of talking points winning over actual disclosure, and yet another advance of creatively assigning words like "transparency" to programs that are clearly not.

[edit: spelling/grammar mistakes. sorry]

This guy is amazing. The thing I love about him is he truly embodies the bravery that goes along with the idea that it's better to live in a free society with a modest threat of terror attacks than to live in an oppressive society where we are supposedly kept "safe" from the terrorists hiding behind every corner.

It takes courage to make such an assertion. The NSA spying route is fundamentally based on cowardice.

Sure.

To start with, take a look at that first clause: "The man who admitted leaking classified documents..." The framing of this is right off the bat aggressive, casting him in the light of a criminal. Were CNN to want to cast him in a positive light they could have chosen to write it something like this: "The man who exposed widespread secret surveillance of American's electronic communications..." Instead CNN chose to emphasize the criminal aspect, rather than the civil liberties/anti-democratic aspect.

Next: "... purportedly went online..." The use of the word "purportedly" here is interesting. Why is that questioned? To associate doubt with him. It's subtle, but nevertheless there it is.

Next: "declare the truth would come out even if he is jailed or killed". Out of all the questions which were answered CNN focused on this one because it most easily supports the "egotistical" narrative they are attempting to paint him with. Implication: "He is setting himself up as some kind of martyr! How arrogant!"

Next: "Obama did not fulfill his promises and expanded several 'abusive' national security initiatives." This one is, to me, the most blatant. The scare quotes around "abusive" are of course the most obvious. But look how the frame it: "national security initiatives". Not "domestic spying programs", or "electronic surveillance mechanisms", or something else. After all, no one who calls themselves reasonable can be opposed to national security!

It's subtle, and of course debatable. But it's certainly present. CNN has their own slant, and it is obviously pro-NSA.

Also note that nowhere to they actually link to the Q&A page.

Let's rewrite it, communicate the same information, but make it skeptical towards the NSA:

"Edward Snowden, the former NSA contractor who exposed widespread secret surveillance of American's electronic communications and online activities, did an online question-and-answer session today, making himself available to provide follow-up answers to questions raised by concerned citizens over the reach and power of the notoriously secretive intelligence agency."

Excuse the prolix comment; I'm not feeling well today.

I think people who follow both me and Colin on HN know that I have a lot of respect both for him and for Tarsnap, the service he runs, which is the only encrypted backup service I have ever recommended to anyone and which is to this day my go-to recommendation for people looking to safely store data in the cloud. Colin has built one of the very few modern cryptosystems I actually trust.

First, let me dodge Colin's whole post. My Twitter post was:

If you’re not learning crypto by coding attacks, you might not actually be learning crypto.

(I was cheerleading people doing our crypto challenges [http://www.matasano.com/articles/crypto-challenges/] and didn't think much of my twerp; I didn't exactly try to nail it to the door of the All Saints Church).

Note the word "might". I specifically chose the word "might" thinking "COLIN PERCIVAL MIGHT READ THIS". Colin, "might" means "unless you're Colin".

Anyways: I think the point Colin is making is valid, but is much more subtle than he thinks it is.

Here's what's challenging about understanding Colin's point: in the real world, there are two different kinds of practical cryptography: cryptographic design and software design. Colin happens to work on both levels. But most people work on one or the other.

In the world of cryptographic design, Colin's point about attacks being irrelevant to understanding modern crypto is clearly valid. Modern cryptosystems were designed not just to account for prior attacks but, as much as possible, to moot them entirely. A modern 2010's-era cryptosystem might for instance be designed to minimize dependencies on randomness, to assume the whole system is encrypt-then-MAC integrity checked, to provide forward secrecy, to avoid leaking innocuous-seeming details like lengths, &c.

While I think it's helpful to understand the attacks on 1990's-era crypto so you can grok what motivates the features of a 2010's-era ("Crypto 3.0") system, Colin is right to point out that no well-designed modern system is going to vulnerable to a (say) padding oracle, or an RSA padding attack (modern cryptosystems avoid RSA anyways), or a hash length extension.

In this sense, learning how to implement a padding oracle attack (which depends both on a side channel leak of error information and on the failure to appropriately authenticate ciphertext, which would never happen in a competent modern design) is a little like learning how to fix a stuck carburator with a pencil shaft.

The deceptive subtlety of Colin's point comes when you see how cryptography is implemented in the real world. In reality, very few people have Colin's qualifications. I don't simply mean that they're unlike Colin in not being able to design their own crypto constructions (although they can't, and Colin can). I mean that they don't have access to the modern algorithms and constructions Colin is working with; in fact, they don't even have intellectual access to those things.

Instead, modern cryptographic software developers work from a grab-bag of '80s-'90s-era primitives. A new cryptosystem implemented in 2013 is, sorry to say, more likely to use ECB mode AES than it is to use an authenticated encryption construction. Most new crypto software doesn't even attempt to authenticate ciphertext; cryptographic software developers share a pervasive misapprehension that encryption provides a form of authentication (because tampering with the ciphertext irretrievably garbles the output).

I think it's telling that Colin breaks this out into '90s-crypto and 2010's-crypto. For instance:

http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-...

This is an AES CTR nonce reuse bug in Colin's software from 2011. Colin knew about this class of bug long before he wrote Tarsnap, but, like all bugs, it took time for him to become aware of it. Perhaps he'd have learned about it sooner had more people learned how cryptography actually works, by coding attacks, rather than reading books and coding crypto tools; after all, Colin circulates the code to Tarsnap so people can find exactly these kinds of bugs. Unfortunately, the population of people who can spot bugs like this in 2010's-era crypto code is very limited, because, again, people don't learn how to implement attacks.

But I'll push my argument further, on two fronts.

First: Colin should account for the fact that there's a significant set of practical attacks that his approach to cryptography doesn't address: side channels. All the proofs in the world don't help you if the branch target buffer on the CPU you share with 10 other anonymous EC2 users is effectively recording traces of your key information.

Second: Colin should account for the new frontiers in implementation attacks. It's easy for Colin to rely on the resilience of "modern" 2010's-era crypto when all he has to consider is AES-CTR, a random number generator, and SHA3. But what about signature systems and public key? Is Colin so sure that the proofs he has available to him account for all the mistakes he could make with elliptic curve? Because 10 years from now, that's what everyone's going to be using to key AES.

So, I disagree with Colin. I think it's easy for him to suggest that attacks aren't worth knowing because (a) he happens to know them all already and (b) he happens to be close enough to the literature to know which constructions have the best theoretical safety margin and (c) he has the luxury of building his own systems from scratch that deliberately minimize his exposure to new crypto attacks, which isn't true of (for instance) anyone using ECC.

But more importantly, I think most people who "learn crypto" aren't Colin. To them, "learning crypto" means understanding what the acronyms mean well enough to get a Java application working that produces ciphertext that looks random and decrypts to plaintext that they can read. Those people, the people designing systems based on what they read in _Applied Cryptography_, badly need to understand crypto attacks before they put code based on their own crypto decisions into production.