I’ve been writing about surveillance, the NSA, cyber warfare, and U.S. intelligence for many years. I’m the author of two books, most recently @War: The Rise of the Military-Internet Complex, and in 2010, ]The Watchers: The Rise of America’s Surveillance State](http://www.amazon.com/The-Watchers-Americas-Surveillance-State/dp/0143118900). I’m a senior correspondent at the Daily Beast in Washington, DC. Lately, I’ve been writing about the crisis in Yemen, ISIS, Chinese cyber spying, and North Korea's hack of Sony. I also host a podcast called Rational Security.

I'm looking forward to answering as many of your questions as possible. AMA!


Ok, everyone. I think that brings us to the end of the AMA. I really enjoyed the discussion, and I'm grateful for your questions! If you'd like to keep up with what I'm writing, you can follow me on Twitter @shaneharris, and read my work at The Daily Beast. Thank you again, and I hope you enjoyed the session and that it was helpful. --Shane

Comments: 224 • Responses: 79  • Date: 

courtiebabe42023 karma

What do you think is the number one thing American citizens should be concerned about in regards to their privacy and security here at home? What can we do to alleviate those concerns?

sharrisgov36 karma

As formidable as the government's capabilities are to gather information about billions of people, I think Americans should be most concerned about private companies collecting their information without permission, as well as criminals who steal personal information. I think people need to take their cyber security as seriously as they do the physical security of their home or their person when walking on the street. That means using smart password security, being careful about the Web sites you visit, and just generally getting better informed on some of the basic rules of the road in cyberspace.

Frajer14 karma

How much of our information does Google have?

sharrisgov23 karma

A lot. And the more you use Google, the more they have. It's not a surprise that the company is so important to the NSA's surveillance operations. I write in my book @War that Google and the NSA a few years back formed an arrangement, which is still classified, that allows Google to share information with the NSA about cyber threats. And yes, that does sound very vague. We also know from the Snowden leaks that Google is one of the companies that the FBI/NSA serve with court orders to gather information on the company's users. Again, not surprising, given Google's reach and the data it has. If the NSA couldn't obtain company's data, it'd be a much less powerful intelligence agency.

mahaanus11 karma

Do you think the NSA does more good than harm?

sharrisgov20 karma


Thereminz10 karma

Something that bothers me is how advertising seemingly uses data i know i did not enter into my phone to come up with ads.

On my computer I use adblock but not on my phone...

A recent example is that i was working with clorox bleach in the past few days...I or people around me probably said either clorox or bleach loud enough to be picked up by my phone's mic...I'm fairly certain I did not enter either of those words in my phone until just now

Yesterday or the day before I saw an ad on my phone for clorox bleach ... It just seems like way too much of a coincidence

They must have used some data I didn't enter

However it's not just this one instance and I feel like it's a bit intrusive

I also feel like if companies are able to do this then there's just a blatant disregard for privacy and any data you can possibly create is being sold

In some instances the data mining is ok...like how google determines traffic

But in most other cases it feels like the phone companies are selling your personal data

Could this also be a potential threat? Could a company or organization buy data that would endanger people? Ex: listen in on important people's conversations. ..track the position of troops etc.

sharrisgov7 karma

This is a great question that gets to my point above about how our definitions and expectations of privacy are changing. Perfect example you give here (though I can't speak to why you're seeing bleach ads). But you're talking about companies using data in ways that you might never have imagined and that, if you had, you might not have condoned. My mother actually founded a direct mail marketing company. Her entire business was gathering huge amounts of data on cluster of people--by zip code--to understand what products they're likely to buy, and then helping companies figure out how to sell to them. But you know what? She refuses to use Facebook. It's going too far for her.

ioscoding10 karma

If you could meet Edward Snowden, what would be one thing you would ask him?

sharrisgov20 karma

Where do you get the best caviar?

No, actually, I would ask him: How many times a day do you think about going home?

beernerd8 karma

Any theories as to who is The Jester?

sharrisgov7 karma

Hmmm. I think he's probably an American. Ex-military. But as to who he really is and where, I just don't know. Could be ex-NSA.

beernerd2 karma

All totally plausible and equally fascinating. I hope someday we'll get the whole story. Is there any organization within the US government that engages in similar activity? Like taking down ISIS websites?

sharrisgov7 karma

Yes. The NSA. There's also a group in the agency called Tailored Access Operations that does a lot of the very high-end offensive cyber work. I write in @War about how the NSA took down Al Qaeda Web sites during the Iraq war in 2007.

thenotlowone5 karma

When do you expect to be killed in a completely coincidental freak car explosion accident?

sharrisgov9 karma

Well one never expects such things, does one? But I'll say Tuesday.

designdude11205 karma

What's your take on fund-sharing software like Venmo and Paypal? Are the users at risk in any capacity, and if so does that risk stem from what Venmo or Paypal could do with the information you sign away to them or would the software being hacked be the concern?

sharrisgov7 karma

PayPal actually is a good subject for this question. It didn't become successful by become a payments processor, but rather a SECURE payments processor. The founders invested very heavily in anti-fraud protection. That said, there's always a risk when you conduct financial transactions online. If you're using a credit card, your'e going to be covered by your card issuer for any fraud. As for what companies are doing with your data, I think you have far less protection.

threatresearch4 karma

What's your default response to people who shrug off the concerns of privacy advocates with trite reponses like "if you've got nothing to hide, you've got nothing to fear?"

sharrisgov9 karma

I say, That's not the way our constitutional system works.

ioscoding3 karma

What's the best piece of advice you've ever been given?

sharrisgov11 karma

It came from my professor Maya Angelou when I was her student at Wake Forest: "When people show you who they are, believe them."

patanwilson3 karma

Do you think Public Key Cryptography can currently be cracked by the NSA?

I read in "The Code Book" that public key cryptography was developed decades before the 70's by British spy agencies. I can only imagine what the NSA has developed, maybe even quantum computing?

Any thoughts?

EDIT: deleted irrelevant info

sharrisgov11 karma

I think anytime someone claims a code is unbreakable, the NSA sees that as a challenge. :) I'm not sure about Public Key. But you raise a great point here. The NSA has gotten a lot of press and public attention for how it collects communications (signals intelligence) and breaks into computer systems. But at its core, it's a code making and code breaking agency. It invests extraordinary amounts of money into developing new codes, breaking codes, and building super computers to aid in that mission. NSA is beyond the cutting edge in computer science, and in the development of quantum computing. It employs more mathematicians than any single organization in the United States. Cryptography is the NSA's DNA. If there's a code, they're going to try and break it.

patanwilson5 karma

Thanks for your answer

sharrisgov5 karma

You're welcome. Thanks for your question.

ioscoding3 karma

What has been the greatest mistake of U.S. intelligence in regards to intelligence gathering, cyber warfare, or cyber security?

sharrisgov5 karma

Underestimating the capacity of the American people to have a public debate about what our intelligence agencies should and shouldn't do.

ikidd1 karma

Would that debate have come about in current force without Snowden?

sharrisgov4 karma

I think probably not. I've been writing about these issues for years, as have other journalists, but Snowden's disclosures ignited the most significant and broad debate about these issues since 9/11.

ExtraAndroid3 karma

What do you think about data security and where we're headed?

sharrisgov7 karma

It's generally pretty weak. I think companies are starting to wake up to the fact that if they don't have a strong cyber security program in place, they're going to pay financial and reputation consequences. We're going to see a lot more high-profile breaches (think Home Depot, Target, Anthem, JP Morgan). The director of the NSA, Mike Rogers, said he thinks that within his tenure at the agency, there will be a major attack on some kind of critical infrastructure in the United States--by which we usually mean the power grid or a utility or a banking system.

no-relation3 karma

Successful major attack, or "just" an attack that will make front-page news?

sharrisgov1 karma

I think he meant both. A successful attack that would be significant and visible.

dc333343 karma

How much of our privacy is being infringed upon?

sharrisgov10 karma

That's a great question, and a hard one to answer. If you mean to what extent are government agencies and companies collecting information about us, the answer is, a lot. As to wether that violates your privacy, and to what degree, I think there are two ways to look at that. One is through the legal lens. In terms of government surveillance, which I cover, there are a number of important legal challenges to thinks like NSA collection of metadata that have been brought in recent years, arguing that the government is violating our fundamental privacy rights in its collection of all this information. And I think there's a very good chance that the Supreme Court will consider whether 4th Amendment protections need to be extended to things like phone records. These would arguably tighten privacy laws in the United States. But I think there's a second, and maybe even more important lens through which we should view this question. And that is, what do people today really mean when they say "privacy?" Because different people have different definitions and understandings of what is private, and about the expectations we should have in a digital age. Very broadly speaking, if you're over 60 years of age, the word "privacy" connotes many more expectations than if you're under 25. Many intelligence officials I've talked to have argued that privacy isn't a "one size fits all solution" (their words). And they've been pushing to change laws and operate within existing laws in a way that isn't always transparent, and makes a lot of people nervous. But they've still hit upon the fact that what we mean by "privacy" today isn't at all what we meant 30 years ago. Not across the board, anyway.

MLA13963 karma

1) What is your opinion regarding the proposed CISA and PNCA and do you think either one will pass?

2) If either does pass - do you think they will be challenged in the judicial system?

sharrisgov3 karma

I don't have an opinion per se on either law. I think they both face an uphill climb in terms of opposition from privacy and civil liberties groups. That said, in the past few weeks we've heard members of Congress talking in pretty positive language about the chances of reconciling House and Senate bills and passing a law. Congress has been trying for years to get this done. Will they be challenged in the courts? I think that's highly likely. Will the be successfully challenged? Much harder to say. But generally, the courts show a lot of deference to the executive branch on matters of national security.

ForeignPolicyCarol3 karma

Please comment on what you know about the CIA high up who was portrayed as "The Wolf" in "Zero Dark Thirty." Also, how do you rate that film?

sharrisgov4 karma

He's achieved something rare in the intelligence business--a public profile. You usually don't hear about the people working at Langley, and you certainly don't hear about their ominous nicknames, or their personal habits, or their reputation within the agency. A lore has built up around this individual. And of course, he's now leaving his job as the head of the counterterrorism center--which, as an aside, doesn't seem all the surprising, since he's been doing it for so long and because his boss, John Brennan, wants to reorganize the agency. I hope that the Wolf comes out from the shadows when he leaves the CIA and talks to more people like me.

I liked ZDT. I thought it was very well shot, very compelling. My only gripe with it was that I thought amid all the controversy, the filmmakers tried to backpedal from their argument about whether torture produced valuable intelligence. To my view, they clearly argued in the film that it did. I don't think they were taking a moral position on torture, but it seemed to me that they were saying it not only worked, but it helped find Osama bin Laden. But publicly they backed away from this position.

ioscoding3 karma

What's one piece of information regarding the NSA, cyber warfare, or U.S. intelligence that much of the American people don't know, but should?

sharrisgov5 karma

That many of the NSA's actions taken in the name of protecting cyberspace--and by extension, the nation--could be making it more vulnerable. I write a lot in @War about the agency's collection of zero day exploits. These are, more or less, "cyber weapons," worms and viruses that take advantage of flaws in software or computer operating systems that haven't been discovered by their manufacturers. The NSA is the single largest procurer of ZDs. If the agency wants to promote cyber security, however, there is a powerful argument that they should DISCLOSE these vulnerabilities rather than hoard them. And don't take my word for it: The panel of bi-partisan experts that President Obama convened after the Snowden leaks to recommend changes in NSA policy said the agency should disclose more than it hides.

gnomeshell3 karma

Have you been threatened, either directly or indirectly, by authorities because of the topic you are reporting on?

sharrisgov2 karma


cmro73 karma

Has any of your colleagues been pushed in front of a moving train because they were being too snoopy?

sharrisgov2 karma

I couldn't possibly comment.

StudioAero3 karma

What will it take to finally motivate the US public to put a stop to spying on innocent Americans? It feels like we are close to a tipping point, but what kind of event will need to occur before it finally happens?

sharrisgov4 karma

I think if the NSA or another gov't agency were proven to be spying on people for purely political purposes, like with the COINTELPRO scandals of the 60s-70s, then there'd be radical change in the system.

3oclockinthemorning2 karma

Think someone with a Computer Science degree and a background in penetration testing/software security, would find it difficult to get a job for a news outfit in these cypher/cyber times?

sharrisgov1 karma

No, I think you'd find lots of people who want to hire you. Lots of news organizations want people who can help protect their information and also help report stories on these topics.

3oclockinthemorning2 karma

Thanks, I love your work. If you don't already, you should look at OWASP and follow members of the OpSec community on Twitter, crazy stuff like possible zero-day exploits for Tor show up.

sharrisgov1 karma

Thanks! Will do.

ShaneSaw342 karma

Well I don't know much about you but we have the same first and last name, so I have that going for me...... What are some things we can do in our every day life that will help protect our privacy? Should I run Tor all the time, avoid the major search engines, avoid the Internet all together. It just seems kind of impossible to stay off the radar.

sharrisgov3 karma

Hi, Shane! Nice name.

No, you shouldn't stay off the Internet. You don't even have to do drastic things to give yourself a good deal more personal security. Try using a password locker, which will generate random passwords for you and make it a lot harder for someone to break into your accounts. You could also encrypt your hard drive if you want to be very careful about controlling data on your machine. Don't open attachments in email from people you don't know. These are some pretty straighrforward things you can do and, while maybe a bit of a hassle sometimes, you'll get used to it.

wagger3012 karma

Hi Shane. Do you think biometric identification (perhaps just a fingerprint) would be an adequate way to secure financial transactions/sign into accounts over the internet?

sharrisgov2 karma

I think most experts agree that biometrics would be a lot better than using passwords. But I"m not sure fingerprints are foolproof. There may be better biometrics, though the tech to read them isn't as advanced. Face scanning, for instance.

tumberry2 karma

If we are just normal people with nothing to hide, living like an open book and don't use social media very frequent ,? In our case should we still be protective on Internet ? I mean I'm not rich , not famous ? Why should I be worried about people stealing my privacy and private information ?

sharrisgov2 karma

You may not be rich or famous, but you probably have a credit card and a bank account that you'd like to protect. You want to keep this information safe. It's your money!

andys1231 karma

Do you think the NSA has managed to "crack" TOR in the sense that they are able to track users through it (relay nodes)? Also, do you think TOR is as anonymous as it is made out to be?

sharrisgov3 karma

Good question. From what we've seen in the files disclosed by Edward Snowden, it looks like the NSA hasn't been able to crack Tor--unless they've made more recent advances. I wrote about this a while back. http://foreignpolicy.com/2013/10/04/not-even-the-nsa-can-crack-the-state-depts-favorite-anonymous-network/

no-relation1 karma

Do you use Google, for searching, or Gmail? Do you have a personal Facebook page? Do you use Tor?

sharrisgov2 karma

I do use Google, and Gmail. And I'm on Facebook. And I have used Tor. I'm just very judicious about how I use them.

no-relation1 karma

What do you mean by judicious? Like, nothing work-related? No banking info? What's the cutoff, in your mind?

sharrisgov1 karma

I don't reveal too much personal information via social media. I adjust my privacy settings on Facebook. I don't send financial information in emails. I also don't let people tag me in photos w/out permission.

eganist1 karma

Ever make it out to any of the DC security meetups, e.g. OWASP NOVA/DC, ISSA, etc?

sharrisgov1 karma

I've been to some. Happy to come again! My contact info is on my Web site. shaneharris.com

speedytech71 karma

What in your opinion is the easiest way one can protect their online freedom?

sharrisgov2 karma

Do you mean your personal security? I want to make sure I know what you mean when you say freedom. Do you mean freedom from gov't surveillance? something else?

speedytech71 karma

Sorry about the vagueness, I meant from gov't surveillance.

sharrisgov1 karma

Well, again, I think you have to be smart about how you behave online. Use multiple passwords, use encryption where appropriate, be careful about opening attachments. But as far as protecting yourself from, say, the NSA collecting phone metadata, there's not much you can do. These are legal programs, and no one is really immune from them.

asir07421 karma

Do you think adblock is a tool to help prevent people from visiting the wrong websites? Also do you use adblock yourself?

sharrisgov1 karma

To your first question, I'm not sure. But I've used it.

Viking_Civics1 karma


sharrisgov1 karma

Sure. I used a password locker. I also use encryption for email and other forms of communication. I have an encrypted phone service, for example. I'm also just generally careful about not giving away too much information about myself. I also don't answer phone surveys.

daphan1 karma

With the impending arrival of the "internet of things", everything becoming wireless, what are cyber security experts doing to prepare for the eventual possibility someone is going to try hacking our wireless microwaves, cars, and even our refridgerators?

sharrisgov1 karma

They're cowering in fear. Ok, only a little bit. The advent of the IOT is probably one of the most discussed and fretted over topics in cyber security right now, and understandably so. If you haven't seen it, check out the 60 Minutes episode featuring DARPA's Dan Kauffman, aka DARPA Dan, who is working on this very problem.

publicWIFI-1 karma

Do you think the FCC classifying broadband provides as telco carriers is a bad thing? I found this article about legislation that was put in to effect in the Clinton administration that pretty much said that companies have to build back doors in to their network for government surveillance. The article, if I'm reading correctly, says that for that kind of thing to be legal under the constituion, the companies need to be regulated as "telecommunications carriers"

Sorry if this isn't organized well, I tried to get what I was thiniking down on here and I'm not sure I did the best job.

sharrisgov2 karma

No, I think I understand the question and what your'e getting at. So, there is a law, called CALEA, that requires telecommunications companies to build their devices in such a way that the government can tap into them, when it has a lawful order--like a warrant issued by a court. Now, whether that's a "backdoor" per se is a kind of semantic question, because people use backdoors also in other contexts. But...suffice to say that this law does apply to telecoms, but it hasn't been applied to ALL tech companies. The law was passed back in the mid-90s, and it essentially left the Internet and Internet companies untouched.

Now as to the FCC and the Obama administration's position on treating the Internet more like a utility, what I find really interesting is that if we are going to treat the Internet that way, then it opens the door to the government imposing security standards on companies. That's not something the gov't has said it's going to do, but I think the door is opening there.

no-relation1 karma

If they do impose security standards, what would that entail, you think? What would be the fallout for, for example, advertising on the web?

sharrisgov1 karma

I should clarify that when I say security standards, I mean minimum cyber security standards that companies would have to have on their networks. I'm not talking here about restrictions on what companies can do with people's data. That's a different subject, and certainly one that a lot of lawmakers are focusing on.

casamundo1 karma

Have you read Marc Goodman's book Future Crimes? Where in near future (next 3-5 years) do you see the NSA and cyber warfare going/doing? And what about the more distant future (15+ years)? Any advice for things we can do immediately to arm ourselves against cyber warfare and the nosy NSA? Haha. Thanks :)

sharrisgov1 karma

I haven't read the book. Is it "future crime" as in that Tom Cruise movie? The one where we have skyscrapers in Washignton? Because THAT is fantasy. :) In the next 3-5 years, I think the U.S. military is going to integrate cyber offense and defense more into the ways it fights. And so are other countries. The Defense Department says that 60 countries are setting up military cyber units. 15 years from now? Really hard to say. As for what you can personally do, use different, ideally random passwords, use encryption where appropriate. Make it harder for people to get your information, including by not giving away too much of it voluntarily.

sharrisgov1 karma


trai_dep1 karma

What do you think of newer muckraking ventures, such as The Intercept, to break stories critical of government abuses, versus traditional media? Broadcast journalism?

If there is a difference, is it due to their being more "wired", their sometimes non-traditional funding structure, their not being part of the Beltway circuit, their being part of vast conglomerates, other factors or a combination?

Is there any hope for the traditional media to comfort the afflicted and afflict the comfortable, or has that ship sailed?

sharrisgov2 karma

Well, to your last point, I think there's not only hope, but that the traditional media--lets take that to mean newspapers and broadcasters--are achieving that journalistic mission. I'm really not so doom and gloom on the state of American journalism. I think we're actually in a very bright period. We've (mostly) gotten over this idea that the Internet meant we had to fundamentally change our tradecraft. I see very interesting, innovative, exciting online publications doing great work and adhering to the same core standards as newspapers and broadcasters have. I think that we at the Daily Beast are doing quality journalism every day. In our news room, the standards are just as rigorous as they've been in some much older places I've worked.

Ultimately, journalism is a craft. The means by which we distribute journalism are less important than the work itself.

M4ST3R_BL4ST3R1 karma

Which of the following do you think is the greatest threat to our nation today and why:

(1) The continuing growth in scope of the surveillance state at home and abroad

(2) The terrorist threat the surveillance state is supposed to be protecting us from

Other Questions:

Are our sacrifices in privacy and freedom justified based on the results they're driving in stopping/impeding terrorists and/or cyber attacks/spying from foreign nations?

Based on what I've read, it seems like much of our cyber "warfare" efforts are actually means of maintaining our global economic dominance. The US seems to have made a point of calling out China over cyber-snooping our private sector and government to steal economic secrets, yet many sources say we're doing the exact same thing on a much larger scale. Would you say this is accurate? if so, how effective have these efforts been?

sharrisgov2 karma


As to the sacrifices and stopping attacks, this is a hard one. I know many intelligence officials, whom I trust and find credible, who say they know of specific attacks that were stopped thanks to surveillance tools and programs the government uses. That's hard to verify, of course, but take that how you will.

We definitely spy on foreign corporations. I think the difference is that our intelligence agencies don't give that information over to private companies to benefit their bottom line. But there's a lot of wiggle room here. I would refer you to this post by Jack Goldsmith on the subject. http://www.lawfareblog.com/2015/03/the-precise-and-narrow-limits-on-u-s-economic-espionage/

M4ST3R_BL4ST3R1 karma

Thanks for your answers and linking me to further reading material!

sharrisgov1 karma

You're welcome.

lordfaramir131 karma

I try to explain to my family about how everyone from the government to Google and the sites it finds are collecting data to build a profile of us; each for their own reasons. They look at me as if I had 2 heads with tinfoil.

Is this a natural reaction to not want to know truth? How do you go about informing others what they need?

sharrisgov2 karma

I think a lot of people find it hard to believe, and I understand the reaction. I just write in as straightforward a way as possible, not trying to scare people.

Scatter_Stash1 karma

What can the average American do to stop the Orwellian ways of the NSA and big business?

sharrisgov1 karma

I've written above about things you can do to keep your personal information safe. As for stopping the NSA--not much.

mattyd141 karma

Any advice for an aspiring journalist graduating from college next year?

sharrisgov2 karma

Get an internship or a fellowship at a publication, and get some clips under your belt. Once you're in the profession, it's easier to get another gig and move up. And be patient! It's a craft, and you have to learn it. As a good friend of mine who's an actor in Los Angeles said, "You're not in a race to get famous."

[deleted]1 karma


sharrisgov1 karma

Lee Beckmann.

WinstonWonders1 karma

What are some quick tips to help people in our daily life understand this subject?

sharrisgov3 karma

Follow me on twitter. @shaneharris :)

There are a lot of great journalists covering this topic and explaining it in ways that are not only clear, but clear in how they apply to your every day life. Read Brian Krebs, Kim Zetter, Andy Greenberg, Kashmir Hill. And pay attention to really smart policy folks like Julian Sanchez and Chris Soghoian. Jack Goldsmith on Lawfare writes very thoughtfully on the legal aspects of cyber security.

WinstonWonders1 karma

Will do. Thank you for your advice. Have a great weekend!

sharrisgov2 karma

You're welcome. You too.

XXXEndGameXXX1 karma

Are we living in a cyber Cold War with Russia and China?

sharrisgov1 karma

In many respects, though there are "hot" aspects of the conflict, too. But if by Cold War we're talking aggressive actions towards each other, mostly spying, that don't result in full-fledged war? Yes.

Jamie3beers1 karma

At this point, if you type something on an internet connected device, you have given that information away to potentially be used against you. This is something that I have assumed has been happening well before there was any real media attention about it.

My question is this, since we can assume that we are being electronically tracked/watched/listened to, what do you feel we can do as citizens of the free world to bring real change to our governments to prevent this?


sharrisgov1 karma

Well, let's be more specific here. Anything you write online, such as in a forum like this, can be read by lots of people, not just the government, and there are plenty of reasons you might want that to happen. When we're talking about what the gov't can do with our communications, we're talking about matters of law--what they're allowed to collect, what they're allowed to do with that information. And there's where any of us as citizens can get involved. Be vocal about what you want to see changed. Support groups and lawmakers that support your positions.

madrupe1 karma

Mr Harris, What are your thoughts on governments cataloging zero day vulnerabilities for later exploitation? Doesn't this create unnecessary risk in the cyber domain? How are cost/benefit decisions made with respect to maintaining vulnerabilities as opposed to giving them to companies to patch?

sharrisgov2 karma

Thanks for your question. Someone asked about this earlier, so I'll repost my response. This is an issue that I think hasn't gotten a lot of attention.

I write a lot in @War about the agency's collection of zero day exploits. These are, more or less, "cyber weapons," worms and viruses that take advantage of flaws in software or computer operating systems that haven't been discovered by their manufacturers. The NSA is the single largest procurer of ZDs. If the agency wants to promote cyber security, however, there is a powerful argument that they should DISCLOSE these vulnerabilities rather than hoard them. And don't take my word for it: The panel of bi-partisan experts that President Obama convened after the Snowden leaks to recommend changes in NSA policy said the agency should disclose more than it hides.

xr1chardx1 karma

Which country would you say is ranked highest as far as a cyber threat? Is there any country/group of people that are being overlooked as far as a cyber threat?

sharrisgov2 karma

In terms of the threat they pose to the Internet? I make an argument in the book that the United States government is doing things in the name of security that make the Internet a lot less safe for everyone. China is certainly a source of large-scale espionage and theft. And Russia is a nexus of organized crime. (We have a lot of cyber crime in the US too.)

bmaz1 karma

Do you miss the submarine show? Have you started watching Last Ship yet?

Also, did you consider Ben Wittes drone smack down strategy to be cheating??

sharrisgov2 karma

Dude. You KNOW how much I miss that show. That was a simple injustice that it was canceled, pure and simple. I started Last Ship, but didn't finish it. I will. But Eric Dane is no Scott Speedman.

Sorry, I just saw that I didn't answer your second question. I was the judge in the Drone Smackdown, so I closely studied the rules. And I determined that Ben was not cheating. But his competitors will not be fooled again.

Dnl267321 karma

If you had your way, what are some services that everyone should use to secure themselves online? Such as VPN, TOR, some sort of private messenger or email service?

sharrisgov2 karma

Password lockers and encryption. They're not that hard to use, and if I had my way, everyone would know how.

NSD23271 karma

Why aren't we doing more to support the Kurds/Peshmerga?

For a group so openly pro-western, one would think we'd be throwing our entire weight behind them in the form of equipment, intelligence sharing, etc.

sharrisgov2 karma

It's a good question. I may have some answers in the near future...

stoopidemu1 karma

I'm in the middle of reading Legacy of Ashes, which is a comprehensive and very critical history of the CIA. I'm sure it is written with a bias against the CIA but it really paints them as an incompetent agency that backs into their few wins and has no accountability for their loses (I was particularly struck by an incident in I think Indonesia where the CIA was backing one side of a conflict and the Pentagon was backing the other). Now I'm only up to Kennedy so I'm no where near the modern age, however: Have you read this book? Do you think it is a fair assessment of the CIA and its capabilities/limitations? Is the CIA still like this today? How does the NSA compare with the CIA in these terms?

sharrisgov2 karma

I've read the book. I don't have quite the same view of the CIA as the author. There have been failures, of course, but I don't think the entire history of the CIA is one of failure.

stoopidemu1 karma

Thanks for the honest answer. This AMA has been very informative!

sharrisgov2 karma

Great! I'm glad you enjoyed it. Thanks.

stoopidemu1 karma

Sorry, a follow up: could you recommend any books that paint a more realistic view of the CIA? Or even a positive view as a counterpoint?

@War will probably be my next read so this would be for after that.

sharrisgov2 karma

There are so many good books about the CIA. And LoA is very good, too. I don't want to denigrate it in any way. Check out The Very Best Men by Evan Thomas and the biography of Wild Bill Donovan by Douglas Waller. I hope you like @War!

ForeignPolicyCarol1 karma

I hope all commenters buy your book. What is your next project?

sharrisgov1 karma

Thanks! I'm not sure yet. But I think I want to write a novel. Maybe on these topics.

rmagritte1 karma


sharrisgov1 karma

Go, Deacs!

I don't know if public opinion is decisively on one side or the other on this. But I think that if he came back, he would certainly face a prosecution and almost certainly a very significant prison sentence. The government will not let him off lightly. I'm not offering an opinion on what they should do, but I think this is just a fact.

EgonIsGod1 karma

Can you suggest a book or two that would appraise a layman of the mechanics of modern-day cyberwarfare (both large and small-scale) and explain some of the broader politics motivating it?

sharrisgov1 karma

Well, that's what I did in @War, so I'll recommend you check it out. http://www.amazon.com/War-The-Rise-Military-Internet-Complex/dp/0544251792

Freelance_JIDF_Shill1 karma

What are some good podcasts/audiobooks on the topic?

sharrisgov2 karma

Check out my podcast Rational Security. http://spaghettionthewallproductions.com/rational-security/ The Diane Rehm show also does good work on cyber security. And Steptoe and Johnson has an entire podcast devoted to the topic. http://www.steptoe.com/resources-area-107-145.html

STEVEtheSTOVE1 karma

So I heard that the NSA has access to everything your phone's microphone picks up, even when it's off (unless the battery is taken out). Is this entirely accurate? Also is all of this data just stored and can it be accessed whenever or will it ever get deleted?

sharrisgov1 karma

The NSA has the capability to track a phone when it's turned off. I write about this in my book. And hackers have actually shown how they can turn on your phone's microphone. But it's not accurate to say the NSA has access to everything your phone picks up. Having the capability to gather something doesn't give them the legal right. If you're a U.S. person--defined as a U.S. citizen or legal resident--then the government (any agency) needs a warrant to access the contents of your communications. And what you say that's picked up by a microphone is certainly content.

nojihad1 karma

Are these really a thing?

sharrisgov1 karma


unarmedgoatwithsword1 karma

How much information does the NSA have on you?

sharrisgov1 karma

Personally? No idea. Other than any phone records from my landline. But they have that on all of us.

Salty_Scrimshander1 karma

What do you think about H.R.1466 - Surveillance State Repeal Act? I wrote my congressman an email last night telling him that he should support it.

sharrisgov3 karma

I think the chances of it passing are near zero. Congress has historically been very reluctant to pull back even portions of the Patriot Act, much less the whole bill. That said, members of Congress standing up and making bold proposals as a way of focusing, or starting, a debate is, I think, a good thing. And if this bill gets you to learn more about these issues and write your lawmaker to share your view, then some piece of our system is clearly working.

Salty_Scrimshander1 karma

Thanks for the response! I think you're sadly right, but at least it's a step in the right direction.

sharrisgov2 karma

Keep pushing!

HydrolyzedSoy1 karma

What is your opinion of the "Third Party Doctrine?" As well as ways to cut down on unwanted internet surveillance by advertisement companies?

sharrisgov2 karma

I never go to more than two parties in a night. (I forgot to mention I used to do sketch comedy.)

I think that third-party doctrine is being tested in a big, big way, mainly through the government's collection of telephone metadata. The Supreme Court has signaled an interest in considering whether or not the Fourth Amendment should apply to this kind of information. Smith v. Maryland is the operative case here. I thought it was fascinating that, last year, the former AG of Maryland (I think it was the AG) came out and said he NEVER thought third-party doctrine would be applied as broadly as it is today. As for cutting down on ads and the like, I wish I had a better solution. I get flooded every day.

drewpasttenseofdraw1 karma

can you list the names of companies that collect our personal information? what techniques do these companies use to collect our information? how many data points do these companies keep track? in the future when we are all dead and these data sets are public domained what unobvious knowledge we be extracted?

sharrisgov1 karma

Axiom, ChoicePoint, Nexis, Google, Facebook, almost any magazine you subscribe to... The list is very long. If you're talking about big data aggregators, like ChoicePoint, say, they're collecting public records. A lot of this is stuff collected by gov't agencies--like your address, or what you paid for your home--that are publicly available. If we're talking about companies like Google and Facebook, you're voluntarily giving them a lot of information about yourself just in the course of using their services. As for what information could be extracted after your demise, these companies will have a great deal of historic information that they will be able to use to, perhaps, predict future trends, assess risk, go back and figure out what kinds of sales strategies worked in the past. Just use your imagination, really.

basegodop1 karma

Do you take precautions for the government spying on you and if so what are they?

sharrisgov1 karma

Most of the precautions I take are aimed at protecting my sources. I don't want to say too much about how I do that. But in general, just for my personal protection, I use a password locker and aliases to better secure my accounts and my information.

MLA13961 karma

If The Kingdom of Saudi Arabia decides to deploy ground forces in Yemen with or without the other members of Peninsula Shield or other regional military forces:

1) What is your opinion whether or not the U.S. will participate in a ground war in Yemen openly & directly?

2) What do think Iran's reaction will be - not just in terms of publicly but considering that Al Quds are on the ground in Iraq?

sharrisgov1 karma

If for the sake of argument we're taking a ground invasion by KSA as a given--and I think there are a lot of reasons why they won't invade, namely that they sent in troops before and got clocked--then I do not think the U.S. would also send troops into Yemen. Indeed, this week we pulled out the last 100 special ops forces we had in the country. (I actually think we're more likely to put boots on the ground in Syria than in Yemen, because the buildup of terrorist forces in Syria presents a more direct threat to U.S. homeland security.) As to your second question, I think Iran would escalate--send weapons to the Houthis, more money, and ramp up either the use of irregular forces or maybe even send ground troops. But that's down the road a piece.