
Nokia Admits Decrypting User Data Claiming It Isn't Looking

Unknown Lamer posted about a year ago | from the we-won't-peek dept.

Privacy 264

judgecorp writes "Nokia has admitted that it routinely decrypts user's HTTPS traffic, but says it is only doing it so it can compress it to improve speed. That doesn't convince security researcher Gaurang Pandya, who accuses the company of spying on customers." From the article, Nokia says: "'Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner. ... Nokia has implemented appropriate organisational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.'"


264 comments

How do they even do that? (0)

Anonymous Coward | about a year ago | (#42545321)

There must be serious flaws in HTTPS if they can decrypt the traffic for hosts that they don't control the certs for.

Re:How do they even do that? (5, Informative)

kasperd (592156) | about a year ago | (#42545437)

There must be serious flaws in HTTPS if they can decrypt the traffic for hosts that they don't control the certs for.

They control the browser. According to the article, the necessary certificate is installed on phones as Nokia ships them.

Re:How do they even do that? (5, Insightful)

jeffmeden (135043) | about a year ago | (#42545481)

There must be serious flaws in HTTPS if they can decrypt the traffic for hosts that they don't control the certs for.

They control the browser. According to the article, the necessary certificate is installed on phones as Nokia ships them.

This is exactly what I was thinking/fearing. This is some scary shit, basically you ought to treat HTTPS on your Nokia device like HTTP, unless you really really trust that Nokia knows what they are doing and how to keep a secret. The striking thing is that users obviously have no idea they are handshaking with Nokia instead of their bank, doctor, etc. Are there at least alternate browsers available?

Any browser publisher is the same way (3, Informative)

tepples (727027) | about a year ago | (#42545839)

This is some scary shit, basically you ought to treat HTTPS on your Nokia device like HTTP, unless you really really trust that Nokia knows what they are doing and how to keep a secret.

Any web page retrieved through HTTPS is parsed into an unencrypted DOM within the web browser. You have to trust that the browser publisher knows what it is doing and how to keep a secret.

Re:Any browser publisher is the same way (4, Insightful)

0123456 (636235) | about a year ago | (#42545953)

Yeah, because having the browser display the page locally is just exactly the same as having a remote server decrypt your connection as a man in the middle.

Re:Any browser publisher is the same way (5, Insightful)

Anonymous Coward | about a year ago | (#42546033)

Nothing stops the browser from transmitting information to a third-party server.

=>

You have to trust that the browser publisher knows what it is doing and how to keep a secret.

Re:Any browser publisher is the same way (1)

tnk1 (899206) | about a year ago | (#42546163)

The point is... you can find a browser that doesn't fuck you over and use that. Yes, they can be bad, but for things like, say, open source browsers, you can read the code and see what it is doing. Or you can find some security researcher who will find all of those vulnerabilities and tell you about them.

You have zero control and little transparency even, when Nokia decides that it would be just great to decrypt your traffic. I understand that faster traffic is good, but a third party decrypting for any reason completely defeats the purpose of encrypting it to begin with. You might as well not.

Re:Any browser publisher is the same way (4, Interesting)

tepples (727027) | about a year ago | (#42546377)

The point is... you can find a browser that doesn't fuck you over and use that.

And you can find a phone that doesn't take advantage of you and use that. The trouble is, this sort of "doesn't take advantage of you" isn't exactly a selling point among the mass market, which means a product like this won't be produced for a mass-market price.

for things like, say, open source browsers, you can read the code and see what it is doing.

But do most people verify that the binary they download matches the source code? And do they diverse-double-compile [dwheeler.com] their compiler toolchain to make sure it isn't infected with a "Reflections on Trusting Trust"-style virus [bell-labs.com] ? I'm under the impression most end users take this on faith.

Re:Any browser publisher is the same way (0)

mlw4428 (1029576) | about a year ago | (#42546445)

Not true. If it's open source YOU have the power to stop it from doing anything like that, by reviewing the source code and making changes wherever needed. A third-party server run by a multi-national corporation is unlikely to allow the same level of access.

Re:Any browser publisher is the same way (0)

Anonymous Coward | about a year ago | (#42546323)

From what I understand, the browser is not doing HTTPS at all to the bank/doctor etc, it's doing HTTP or HTTPS to the Nokia proxy and proxy is doing the HTTPS to bank/doctor. In this scenario HTTPS is not broken, the phone is. Total fail Nokia

Re:How do they even do that? (0)

Anonymous Coward | about a year ago | (#42545955)

There must be serious flaws in HTTPS if they can decrypt the traffic for hosts that they don't control the certs for.

They control the browser. According to the article, the necessary certificate is installed on phones as Nokia ships them.

This is exactly what I was thinking/fearing. This is some scary shit, basically you ought to treat HTTPS on your Nokia device like HTTP, unless you really really trust that Nokia knows what they are doing and how to keep a secret. The striking thing is that users obviously have no idea they are handshaking with Nokia instead of their bank, doctor, etc. Are there at least alternate browsers available?

"Unless you trust Nokia..."
Why would you use any of their stuff otherwise?
From a trust standpoint, you already got past that by using it in the first place.
Maybe you disagree with them or think it's risky, that's fine, but you have to trust THEM to use the thing anyway.

Re:How do they even do that? (4, Insightful)

erroneus (253617) | about a year ago | (#42546117)

Your trust is extended because of the expectations involved. The user/owner of the device is not informed that, unlike his PC or other smart phone devices, Nokia is handling encryption differently. As https is used primarily for the purpose of securing data traffic between the user and their banks or their other services which need security, the expectation has always been that it would not involve the maker of the device which is being used.

I "trust" my car maker to build a good car. I do not "trust" them not to install cameras in it without my knowledge and then tell me later "there are cameras, but we are not looking at the video feed."

Re:How do they even do that? (2)

tnk1 (899206) | about a year ago | (#42546343)

I don't trust Microsoft in the slightest, but I can use their stuff on my PC because I have the ability to audit and control what comes in and out of my computer. If they try something, either I can discover it myself, or one of a hundred security researchers will be able to find it. Also, the application software encrypting my data is installed by me and under my control and ability to inspect.

The idea with HTTPS is that you know that you *cannot* trust the intervening internet/cellular carrier infrastructure to not be monitored, so you set up an encrypted discussion that can pass through that untrusted domain without being read. Nokia subverting this process for any reason, any reason, renders it pointless because Nokia is now a third party that can read your data, even if they double pinky swear that they won't be evil. I don't want their assurances, I don't want them to even be able to do it, period.

I imagine that most people did not realize that Nokia had subverted the certificates and they think that they are having a more or less safe conversation with their destination... as they would be if Nokia didn't replace the certs.

Re:How do they even do that? (4, Informative)

ledow (319597) | about a year ago | (#42545455)

On their own phones, they just install a browser and their own trusted wildcard cert.

Then anything you browse to, the browser trusts and encrypts but just to the "wrong" destination.

On any decent machine, or decent browser under your own control, you wouldn't let it happen. And if you did, SSL would be similarly "broken".

SSL is a trust mechanism only. If your phone trusts Nokia, the padlock icon means nothing beyond that you're talking to Nokia. If your phone DIDN'T trust Nokia, it wouldn't be an issue and they would have to pass your traffic through unchanged (and still encrypted!) to the destination servers or risk SSL warnings on your browser.

This is why you don't ignore browser certificate warnings, and why you NEVER install a certificate on your computer (or allow software to). I've seen software that installs a trust certificate for the vendor when installed (as administrator), that would show up and be allowed in the IE certificate store too (so browsing to any site with a cert signed by that cert would let you think you were talking to Google, etc.)

See also Google's TURKTRUST issue lately - if you trusted TURKTRUST, you thought you were talking to Google and weren't. If you didn't, you would just have got an error and still been secure.

Re:How do they even do that? (1)

h4rr4r (612664) | about a year ago | (#42545473)

On their own phones?
Nokia is not selling these devices?

This sort of language that makes it sound as though the OEM is the owner not the purchaser needs to stop.

Re:How do they even do that? (1)

ledow (319597) | about a year ago | (#42545591)

Show me where you can edit the list of trusted SSL certificates and I'll concede and call it a user's phone.

Your idealisms are unfortunately blocked by fact, and that knowledge was reflected in my post.

Re:How do they even do that? (1)

h4rr4r (612664) | about a year ago | (#42545639)

All you are proving is that no one should be buying these.

It is not idealism to expect a sold product to have been sold. That is how things have worked for my whole life. Even my current smartphone, but I made sure to buy one I could own.

Re:How do they even do that? (1)

samkass (174571) | about a year ago | (#42545753)

Show me where you can edit the list of trusted SSL certificates and I'll concede and call it a user's phone.

Your idealisms are unfortunately blocked by fact, and that knowledge was reflected in my post.

Show me a way to allow this without creating a huge potential security hole and I'll concede this should be something that's easy to do.

Re:How do they even do that? (2)

telchine (719345) | about a year ago | (#42545459)

There must be serious flaws in HTTPS if they can decrypt the traffic for hosts that they don't control the certs for.

I guess if Nokia controls both the proxy server and the mobile device then their implementation of HTTPS can be designed so that the mobile device trusts the fake cert on the proxy server.

Re:How do they even do that? (4, Informative)

dririan (1131339) | about a year ago | (#42545715)

The same thing can be (and is) accomplished in normal desktop OSs by adding a CA certificate to the certificate store. It's commonly used in businesses that have an HTTPS proxy as well as an HTTP proxy so they can filter/monitor HTTPS access as well. IIRC there was an Ask Slashdot question about it as well. In any case, no modification of the implementation is needed.

Re:How do they even do that? (3, Interesting)

houstonbofh (602064) | about a year ago | (#42545825)

How is easy, as others have said. How legally? That is another matter. As I read it, they are committing a DMCA violation by breaking a security measure. Should be able to go after them for anticircumvention tools, and force them to remove the cert.

Re:How do they even do that? (2)

beelsebob (529313) | about a year ago | (#42545863)

HTTPS is only as secure as the implementation. The implementation in their browser deliberately implements it poorly, and accepts Nokia's server saying "yes, I verified the certificate on the remote server" as being valid verification of the cert.

If it was so good then why didn't you tell us? (1, Troll)

kthreadd (1558445) | about a year ago | (#42545323)

Then you would have looked somewhat better. Now you're worse than Dropbox.

Re:If it was so good then why didn't you tell us? (1)

Baloroth (2370816) | about a year ago | (#42545641)

Then you would have looked somewhat better. Now you're worse than Dropbox.

Well, see, they did tell you. It says, on Wikipedia and Nokia's developer page, that the browser in question uses a proxy. Their developer page [nokia.com] and the Wikipedia [wikipedia.org] page.

What? (4, Insightful)

recoiledsnake (879048) | about a year ago | (#42545329)

security researcher Gaurang Pandya

What are this guy's credentials apart from being a guy with a blog?

Amazon Silk browser does the same, Opera mini does the same, what's with this jumping on the Nokia hate bandwagon? Perhaps they should stop proxying HTTPS traffic, but remember in third world countries data comes at a HUGE premium, so these services are a godsend, especially with a lot of sites moving to HTTPS by default. I would hope that Opera/Amazon/Nokia are at least as credible as your ISP though it's an additional point of failure.

Re:What? (1)

kvnslash (2292742) | about a year ago | (#42545483)

Remember, the United States and Britain are not third world countries. I don't see how this behavior is acceptable, even if some other companies are doing it.

Re:What? (3, Insightful)

h4rr4r (612664) | about a year ago | (#42545511)

Your ISP cannot decrypt SSL traffic.
Not everyone lives in a third world nation and surely they should be able to opt out of this.

Re:What? (4, Insightful)

godrik (1287354) | about a year ago | (#42545555)

Amazon Silk and Opera mini clearly state that every single connexion goes through them in clear. I do not think Nokia does.

My ISP does not do that. When I negotiate an HTTPS session, my ISP does not intercept it and perform a MITM attack. Apparently Nokia does.

That's so much not ok.

Re:What? (1, Flamebait)

Rockoon (1252108) | about a year ago | (#42545733)

Amazon Silk and Opera mini clearly state that every single connexion goes through them in clear. I do not think Nokia does.

ok, you "do not think"

My ISP does not do that. When I negotiate an HTTPS session, my ISP does not intercept it and perform a MITM attack. Apparently Nokia does.

Wow.. in two lines you went from "I do not think" to "apparently nokia performs a MITM attack"

Re:What? (3, Insightful)

godrik (1287354) | about a year ago | (#42545963)

I know this is slashdot and we do not read much what people so that we can rant and seem smart. But come on, it is written in TFS and TFT (the F-ing title). "Nokia admits decrypting user data." From their own admission, they are performing a MITM attack, that is to say, they are putting themself in the middle of an encrypted connexion making each party believe they are directly and securely talking to each other.

Whether they clearly explained it to the user, I do not know, but I am sure they are performing MITM.

Re:What? (5, Insightful)

Rockoon (1252108) | about a year ago | (#42546149)

I know this is slashdot and we do not read much what people so that we can rant and seem smart. But come on, it is written in TFS and TFT (the F-ing title). "Nokia admits decrypting user data."

..because they encrypt the user's data on the device, and send it to their servers where it must be decrypted in order to know what it is and even where to send it.

Would you rather they didn't encrypt the data and sent it over the air like that instead?

You claim to know that this is slashdot, but don't seem to know to at least make an attempt to understand the technologies that you are talking about? Worthless blabber.

Hint: the phone is not the endpoint of the browsing session - the phone is a remote terminal for a server that is the endpoint of the browsing session

Re:What? (0)

Anonymous Coward | about a year ago | (#42545557)

No matter who is doing this, Nokia, Amazon, or whoever, it is still evil, even if it serves a so called "good cause". The road to hell is paved with good intentions... Don't forget, it is defying the whole purpose of SSL and TLS in the first place. SSL is SUPPOSED to guarantee a private connection between the user and the party he's communicating with. Nokia or whoever has NO business in this and they should stay out of the loop.

Honestly, I don't understand why more people aren't jumping on this. Banks, governments, they should cry foul about those kinds of tactics.

Re:What? (1)

Anonymous Coward | about a year ago | (#42545597)

It doesn't matter what his credentials are, if he's right, which he appears to be based on Nokia's response.

A secure HTTPS connection from your browser to a destination web site doesn't rely on the credibility of your ISP. In fact, your ISP is one of the possible adversaries such a secure connection protects from.

Although, since Nokia built the phone and the software on it, you have already placed a great deal of trust with Nokia for all of your data that flows through it. Therefore, that they are temporarily decrypting your traffic for a period of time, on their network, isn't such a great leap of faith at that point.

At the same time, they have a duty to inform customers that secure connections from the Nokia browser to destination web sites are not completely encrypted end-to-end. It would also be good to allow customers to turn this capability on or off. At the end of the day, this is Nokia's service, and as long as they are upfront with what they are offering, they can provide the service as they please.

Re:What? (2)

girlintraining (1395911) | about a year ago | (#42545599)

What are this guy's credentials apart from being a guy with a blog?

He's a software developer, mostly focusing on database integration. He has no professional security experience beyond what you'd get in that role. source [linkedin.com]

what's with this jumping on the Nokia hate bandwagon?

You can't opt out of it; The platform is locked. Also, it's a cell phone, so there's a strong link between all internet traffic and a realworld identity. This isn't like Opera or Amazon, for which there are anonymizing options available to the enterprising individuals who wish to use said services (or don't, it's their choice).

I would hope that Opera/Amazon/Nokia are at least as credible as your ISP though it's an additional point of failure.

these services are a godsend, especially with a lot of sites moving to HTTPS by default.

HTTP/SSL was originally meant to ensure only the two parties involved in the transaction (your client and the remote website) would be aware of its contents, preventing man in the middle attacks. By adding proxies, redirects, etc., the entire point of the protocol is destroyed. It's like password protecting your wifi connection with "letmein" -- bad security is in some cases worse than no security because people think the connection is secure when it most certainly is not.

I'm not sure what you mean by "credible" in this context, as you mention no specific claims any of these three are making, nor offer any reason why we should (or should not) trust whatever reputations these companies may have with regards to said claim. Can you elaborate?

CORRECTION (3, Insightful)

girlintraining (1395911) | about a year ago | (#42545699)

Wrong profile linked. Correct [linkedin.com] profile. Stupid misclick. Ugh. In other news, his background is not a software developer, but a network admin with some Cisco experience. Like many in that area of IT, there is some exposure to security. I wouldn't call him an expert in MIM attacks, but he's not a layperson either.

Re:What? (0)

Rockoon (1252108) | about a year ago | (#42545901)

HTTP/SSL was originally meant to ensure only the two parties involved in the transaction

..and originally no mobile phone had the necessary processing power to render web pages, and originally mobile bandwidth wasn't enough to even receive web page data at acceptable rates.

As a point of fact, originally web browsing on mobile devices didn't work at all without such services as Nokia is still providing. It's why Opera was still the world's number one mobile browser maker by a very significant margin right up until this year when Android's browser finally overtook them. You sit there in the lap of luxury completely ignorant of your own past, and don't even realize that you are complaining about others being able to browse the web at all because they still do not sit in the lap of luxury like you do.

Re:What? (2)

girlintraining (1395911) | about a year ago | (#42546105)

You sit there in the lap of luxury completely ignorant of your own past, and don't even realize that you are complaining about others being able to browse the web at all because they still do not sit in the lap of luxury like you do.

Listen kiddo, I was on the internet before it was the internet, and I had a computer before the original Nintendo you grew up with was even a gleam in an electrical engineer's eye, so don't tell me I'm ignorant of my own past. I've forgotten more about IT than you're likely to ever know. Don't make me get my old IBM XT keyboard out of storage and beat you with it.

That said, it's in storage for a reason. The world moved on. So did cell phones, which were originally the size of bricks and had an LED readout and the signal washed out whenever you revved your engine. What Nokia has here may have been relevant back when dinosaurs still roamed the Earth, but today I can buy an SOC chip at retail price for under $30 that'll render 1080p video at 30 FPS and has several gigs of ram on it and a helluva lot more storage. There's no reason for this technology to still be in use on a modern cell phone network. And frankly, if your cell phone is really so old that it needs it, go to the effing Walmart down the road and pickup a "go phone". They give them away there and can run a proper web browser.

Re:What? (0)

Rockoon (1252108) | about a year ago | (#42546337)

Listen kiddo, I was on the internet before it was the internet

So you might be older than me, but still probably not.

Blah blah blah. The girl that waved her dick when challenged.

The world moved on. So did cell phones, which were originally the size of bricks and had an LED readout and the signal washed out whenever you revved your engine. What Nokia has here may have been relevant back when dinosaurs still roamed the Earth, but today I can buy an SOC chip at retail price for under $30 that'll render 1080p video at 30 FPS and has several gigs of ram on it and a helluva lot more storage.

See how fucking myopic you are? Nokia makes phones for the entire world, where GSM is still the predominant standard (80%) and $30 is half a years wage for hundreds of millions of people.

The world didn't move on. You did. Don't attribute to the entire world all the luxury that you have.

Re:What? (1)

SecurityGuy (217807) | about a year ago | (#42545653)

What are this guy's credentials apart from being a guy with a blog?

Who cares what his credentials are? He's making a claim that a lot of people can verify. Is his claim false?

I would hope that Opera/Amazon/Nokia are at least as credible as your ISP though it's an additional point of failure.

They are, which is not at all. My ISP doesn't have certificates installed in my browser, and aren't secretly decrypting my SSL traffic (unless SSL is fundamentally broken in a way which isn't publicly known yet).

Re:What? (-1)

Anonymous Coward | about a year ago | (#42545737)

so in other words, they are all deceivers, not just nokia. and that's your pass for nokia.

and then comes the justification. it's for a good cause. right?

and finally the promise that they won't do bad things.

go fuck yourself.

Re:What? (2)

DarkOx (621550) | about a year ago | (#42545805)

For the most part my 'ISP' can't break into my SSL connections. They don't have a certificate authority my machine will trust, so any kind of MITM they might do without a herculean effort on their part anyway is going to be impossible. These phone users had essentially no idea.

So the moral of the story is DO NOT DO NOT trust that SSL is secure on any device you don't directly control the CA certificates present, and probably you can't trust any SSL code you can't audit to make sure it trusts only the CAs it claims to and actually does validation correctly.
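Several comments above make the same point: a root certificate shipped on the device makes a proxy-issued certificate validate with no warning, so the interception only shows up when compared against something recorded elsewhere. The Python below is an added example, not part of any commenter's post; it diffs a trust store against a baseline and compares the leaf certificate a device is shown with one captured out of band. The host name, CA names and certificate bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl


def sha256_hex(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def name_attr(name, field):
    """Read one attribute from the nested-tuple names in ssl.getpeercert()."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None


def fetch_leaf(host, port=443, timeout=5.0):
    """Live helper (needs network): the leaf certificate this device is shown.

    Validation uses the device's own trust store, so a certificate minted by
    a proxy whose root is pre-installed passes here with no warning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def unexpected_roots(root_ders, baseline_fingerprints):
    """Fingerprints of trusted roots that are absent from a known baseline.

    root_ders can come from SSLContext.get_ca_certs(binary_form=True) or an
    export of the device's certificate store.
    """
    return sorted(fp for fp in map(sha256_hex, root_ders)
                  if fp not in baseline_fingerprints)


def assess_leaf(host, der, cert, reference):
    """Compare the leaf seen on this device with one recorded out of band.

    reference maps host -> {"sha256": ..., "issuer_org": ...}, captured from
    a different device or network. A changed fingerprint alone can be normal
    certificate rotation; a changed issuer is the stronger signal.
    """
    ref = reference.get(host)
    if ref is None:
        return ["no-reference"]
    findings = []
    if sha256_hex(der) != ref["sha256"]:
        findings.append("leaf-fingerprint-differs")
    issuer = name_attr(cert.get("issuer", ()), "organizationName")
    if issuer != ref["issuer_org"]:
        findings.append("issuer-differs:%s" % issuer)
    return findings


# --- Constructed sample data: stand-in bytes and names, not real certificates
ORIGIN_DER = b"constructed leaf: bank.example issued by a public CA"
PROXY_DER = b"constructed leaf: bank.example minted by a vendor proxy"
PUBLIC_ROOT_DER = b"constructed root: Example Public CA"
VENDOR_ROOT_DER = b"constructed root: Example Vendor Proxy CA"


def sample_cert(issuer_org):
    """Dict shaped like ssl.getpeercert() output for bank.example."""
    return {
        "subject": ((("commonName", "bank.example"),),),
        "issuer": ((("organizationName", issuer_org),),),
        "subjectAltName": (("DNS", "bank.example"),),
    }


REFERENCE = {"bank.example": {"sha256": sha256_hex(ORIGIN_DER),
                              "issuer_org": "Example Public CA"}}
BASELINE_ROOTS = {sha256_hex(PUBLIC_ROOT_DER)}


def demo():
    """Run both checks on the constructed direct and proxied cases."""
    direct = assess_leaf("bank.example", ORIGIN_DER,
                         sample_cert("Example Public CA"), REFERENCE)
    proxied = assess_leaf("bank.example", PROXY_DER,
                          sample_cert("Example Vendor Proxy CA"), REFERENCE)
    extra = unexpected_roots([PUBLIC_ROOT_DER, VENDOR_ROOT_DER], BASELINE_ROOTS)
    return direct, proxied, extra


if __name__ == "__main__":
    for label, result in zip(("direct", "proxied", "extra roots"), demo()):
        print(label, result)
```

For a live check, pass the output of `fetch_leaf()` to `assess_leaf()` with a reference recorded from a different device or network.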

Re:What? (0)

Anonymous Coward | about a year ago | (#42545809)

Yeah no. I live in a 3rd world country, Data is not a huge premium here, or in country with public internet access, Actually I bet it's better here than most of the advanced countries out there because our internet infrastructure is way newer.

Re:What? (0)

Anonymous Coward | about a year ago | (#42545885)

What are this guy's credentials apart from being a guy with a blog?

The provenance of the information doesn't matter.

Amazon Silk browser does the same, [...]

Even if it did, that wouldn't make it OK. HTTPS was created to make secure end-to-end connections possible, if $entity breaks that without telling anyone, then they are to be mistrusted however good they claim their intentions to have been. See, they're not only implicitly claiming that they would never peek; they are also implicitly claiming that they would never allow themselves to be strong-armed into letting someone else peek, and that they are completely 100% secure and unhackable themselves, as well. At some point they are making implicit guarantees that they can't keep, simply because no-one could keep them.

Re:What? (3, Informative)

Anonymous Coward | about a year ago | (#42546265)

According to Amazon's statement to the EFF Silk does _not_ intercept HTTPS traffic:

SSL Traffic

Amazon does not intercept encrypted traffic, so your communications over HTTPS would not be accelerated or tracked. According to Jon Jenkins, director of Silk development, “secure web page requests (SSL) are routed directly from the Kindle Fire to the origin server and do not pass through Amazon’s EC2 servers.” In other words, no HTTPS requests will ever use cloud acceleration mode. Given the prevalence of web pages served over HTTPS, this gives Amazon good incentive to make Silk fast and usable even when cloud acceleration is off. Turning it off completely should be a viable option for users.

(from https://www.eff.org/2011/october/amazon-fire%E2%80%99s-new-browser-puts-spotlight-privacy-trade-offs [eff.org] )

Re:What? (1)

andy1307 (656570) | about a year ago | (#42546423)

Privacy is more of a concern for users in third world countries...you know..the thing where the government doesn't like what you're reading online and throws you in jail.

No harm = no fowl? (1)

Noctis-Kaban (2758815) | about a year ago | (#42545337)

Big data is caught doing something it shouldn’t. Big data claims “no harm no fowl”. The point is not that it isn’t hurting anyone, nor why they are doing it but the fact that they are creating a security breach in doing so.

Re:No harm = no fowl? (0)

Anonymous Coward | about a year ago | (#42545513)

Big data claims “no harm no fowl”.

gobble gobble, is that the pun you were shooting for?

Listen... (5, Funny)

rickatnight11 (818463) | about a year ago | (#42545341)

Yes, we're opening your mail, but we're not LOOKING at it. We're just making sure you aren't wasting paper and ink.

Re:Listen... (0)

Anonymous Coward | about a year ago | (#42545429)

That's pretty much how it sounds to me.

Fedware (4, Insightful)

Anonymous Coward | about a year ago | (#42545343)

We don't access your personal information with our closed source NSA backdoors, we just plug this strange Narus device into our routers.

Mind Control: Targeted Individuals (TIs) (-1)

Anonymous Coward | about a year ago | (#42545353)

Mind Games

New on the Internet: a community of people who believe the government is beaming voices into their minds. They may be crazy, but the Pentagon has pursued a weapon that can do just that.

By Sharon Weinberger
Sunday, January 14, 2007

IF HARLAN GIRARD IS CRAZY, HE DOESN'T ACT THE PART. He is standing just where he said he would be, below the Philadelphia train station's World War II memorial -- a soaring statue of a winged angel embracing a fallen combatant, as if lifting him to heaven. Girard is wearing pressed khaki pants, expensive-looking leather loafers and a crisp blue button-down. He looks like a local businessman dressed for a casual Friday -- a local businessman with a wickedly dark sense of humor, which had become apparent when he said to look for him beneath "the angel sodomizing a dead soldier." At 70, he appears robust and healthy -- not the slightest bit disheveled or unusual-looking. He is also carrying a bag.

Girard's description of himself is matter-of-fact, until he explains what's in the bag: documents he believes prove that the government is attempting to control his mind. He carries that black, weathered bag everywhere he goes. "Every time I go out, I'm prepared to come home and find everything is stolen," he says.

The bag aside, Girard appears intelligent and coherent. At a table in front of Dunkin' Donuts inside the train station, Girard opens the bag and pulls out a thick stack of documents, carefully labeled and sorted with yellow sticky notes bearing neat block print. The documents are an authentic-looking mix of news stories, articles culled from military journals and even some declassified national security documents that do seem to show that the U.S. government has attempted to develop weapons that send voices into people's heads.

"It's undeniable that the technology exists," Girard says, "but if you go to the police and say, 'I'm hearing voices,' they're going to lock you up for psychiatric evaluation."

The thing that's missing from his bag -- the lack of which makes it hard to prove he isn't crazy -- is even a single document that would buttress the implausible notion that the government is currently targeting a large group of American citizens with mind-control technology. The only direct evidence for that, Girard admits, lies with alleged victims such as himself.

And of those, there are many.

IT'S 9:01 P.M. WHEN THE FIRST PERSON SPEAKS during the Saturday conference call.

Unsure whether anyone else is on the line yet, the female caller throws out the first question: "You got gang stalking or V2K?" she asks no one in particular.

There's a short, uncomfortable pause.

"V2K, really bad. 24-7," a man replies.

"Gang stalking," another woman says.

"Oh, yeah, join the club," yet another man replies.

The members of this confessional "club" are not your usual victims. This isn't a group for alcoholics, drug addicts or survivors of childhood abuse; the people connecting on the call are self-described victims of mind control -- people who believe they have been targeted by a secret government program that tracks them around the clock, using technology to probe and control their minds.

The callers frequently refer to themselves as TIs, which is short for Targeted Individuals, and talk about V2K -- the official military abbreviation stands for "voice to skull" and denotes weapons that beam voices or sounds into the head. In their esoteric lexicon, "gang stalking" refers to the belief that they are being followed and harassed: by neighbors, strangers or colleagues who are agents for the government.

A few more "hellos" are exchanged, interrupted by beeps signaling late arrivals: Bill from Columbus, Barbara from Philadelphia, Jim from California and a dozen or so others.

Derrick Robinson, the conference call moderator, calls order.

"It's five after 9," says Robinson, with the sweetly reasonable intonation of a late-night radio host. "Maybe we should go ahead and start."

THE IDEA OF A GROUP OF PEOPLE CONVINCED THEY ARE TARGETED BY WEAPONS that can invade their minds has become a cultural joke, shorthanded by the image of solitary lunatics wearing tinfoil hats to deflect invisible mind beams. "Tinfoil hat," says Wikipedia, has become "a popular stereotype and term of derision; the phrase serves as a byword for paranoia and is associated with conspiracy theorists."

In 2005, a group of MIT students conducted a formal study using aluminum foil and radio signals. Their surprising finding: Tinfoil hats may actually amplify radio frequency signals. Of course, the tech students meant the study as a joke.

But during the Saturday conference call, the subject of aluminum foil is deadly serious. The MIT study had prompted renewed debate; while a few TIs realized it was a joke at their expense, some saw the findings as an explanation for why tinfoil didn't seem to stop the voices. Others vouched for the material.

"Tinfoil helps tremendously," reports one conference call participant, who describes wrapping it around her body underneath her clothing.

"Where do you put the tinfoil?" a man asks.

"Anywhere, everywhere," she replies. "I even put it in a hat."

A TI in an online mind-control forum recommends a Web site called "Block EMF" (as in electromagnetic frequencies), which advertises a full line of clothing, including aluminum-lined boxer shorts described as a "sheer, comfortable undergarment you can wear over your regular one to shield yourself from power lines and computer electric fields, and microwave, radar, and TV radiation." Similarly, a tinfoil hat disguised as a regular baseball cap is "smart and subtle."

For all the scorn, the ranks of victims -- or people who believe they are victims -- are speaking up. In the course of the evening, there are as many as 40 clicks from people joining the call, and much larger numbers participate in the online forum, which has 143 members. A note there mentioning interest from a journalist prompted more than 200 e-mail responses.

Until recently, people who believe the government is beaming voices into their heads would have added social isolation to their catalogue of woes. But now, many have discovered hundreds, possibly thousands, of others just like them all over the world. Web sites dedicated to electronic harassment and gang stalking have popped up in India, China, Japan, South Korea, the United Kingdom, Russia and elsewhere. Victims have begun to host support meetings in major cities, including Washington. Favorite topics at the meetings include lessons on how to build shields (the proverbial tinfoil hats), media and PR training, and possible legal strategies for outlawing mind control.

The biggest hurdle for TIs is getting people to take their concerns seriously. A proposal made in 2001 by Rep. Dennis Kucinich (D-Ohio) to ban "psychotronic weapons" (another common term for mind-control technology) was hailed by TIs as a great step forward. But the bill was widely derided by bloggers and columnists and quickly dropped.

Doug Gordon, Kucinich's spokesman, would not discuss mind control other than to say the proposal was part of broader legislation outlawing weapons in space. The bill was later reintroduced, minus the mind control. "It was not the concentration of the legislation, which is why it was tightened up and redrafted," was all Gordon would say.

Unable to garner much support from their elected representatives, TIs have started their own PR campaign. And so, last spring, the Saturday conference calls centered on plans to hold a rally in Washington. A 2005 attempt at a rally drew a few dozen people and was ultimately rained out; the TIs were determined to make another go of it. Conversations focused around designing T-shirts, setting up congressional appointments, fundraising, creating a new Web site and formalizing a slogan. After some debate over whether to focus on gang stalking or mind control, the group came up with a compromise slogan that covered both: "Freedom From Covert Surveillance and Electronic Harassment."

Conference call moderator Robinson, who says his gang stalking began when he worked at the National Security Agency in the 1980s, offers his assessment of the group's prospects: Maybe this rally wouldn't produce much press, but it's a first step. "I see this as a movement," he says. "We're picking up people all the time."

HARLAN GIRARD SAYS HIS PROBLEMS BEGAN IN 1983, while he was a real estate developer in Los Angeles. The harassment was subtle at first: One day a woman pulled up in a car, wagged her finger at him, then sped away; he saw people running underneath his window at night; he noticed some of his neighbors seemed to be watching him; he heard someone moving in the crawl space under his apartment at night.

Girard sought advice from his then-girlfriend, a practicing psychologist, whom he declines to identify. He says she told him, "Nobody can become psychotic in their late 40s." She said he didn't seem to manifest other symptoms of psychotic behavior -- he dressed well, paid his bills -- and, besides his claims of surveillance, which sounded paranoid, he behaved normally. "People who are psychotic are socially isolated," he recalls her saying.

After a few months, Girard says, the harassment abruptly stopped. But the respite didn't last. In 1984, appropriately enough, things got seriously weird. He'd left his real estate career to return to school at the University of Pennsylvania, where he was studying for a master's degree in landscape architecture. He harbored dreams of designing parks and public spaces. Then, he says, he began to hear voices. Girard could distinguish several different male voices, which came complete with a mental image of how the voices were being generated: from a recording studio, with "four slops sitting around a card table drinking beer," he says.

The voices were crass but also strangely courteous, addressing him as "Mr. Girard."

They taunted him. They asked him if he thought he was normal; they suggested he was going crazy. They insulted his classmates: When an overweight student showed up for a field trip in a white raincoat, they said, "Hey, Mr. Girard, doesn't she look like a refrigerator?"

Six months after the voices began, they had another question for him: "Mr. Girard, Mr. Girard. Why aren't you dead yet?" At first, he recalls, the voices would speak just two or three times a day, but it escalated into a near-constant cacophony, often accompanied by severe pain all over his body -- which Girard now attributes to directed-energy weapons that can shoot invisible beams.

The voices even suggested how he could figure out what was happening to him. He says they told him to go to the electrical engineering department to "tell them you're writing science fiction and you don't want to write anything inconsistent with physical reality. Then tell them exactly what has happened."

Girard went and got some rudimentary explanations of how technology could explain some of the things he was describing.

"Finally, I said: 'Look, I must come to the point, because I need answers. This is happening to me; it's not science fiction.'" They laughed.

He got the same response from friends, he says. "They regarded me as crazy, which is a humiliating experience."

When asked why he didn't consult a doctor about the voices and the pain, he says, "I don't dare start talking to people because of the potential stigma of it all. I don't want to be treated differently. Here I was in Philadelphia. Something was going on, I don't know any doctors . . . I know somebody's doing something to me."

It was a struggle to graduate, he says, but he was determined, and he persevered. In 1988, the same year he finished his degree, his father died, leaving Girard an inheritance large enough that he did not have to work.

So, instead of becoming a landscape architect, Girard began a full-time investigation of what was happening to him, often traveling to Washington in pursuit of government documents relating to mind control. He put an ad in a magazine seeking other victims. Only a few people responded. But over the years, as he met more and more people like himself, he grew convinced that he was part of what he calls an "electronic concentration camp."

What he was finding on his research trips also buttressed his belief: Girard learned that in the 1950s, the CIA had drugged unwitting victims with LSD as part of a rogue mind-control experiment called MK-ULTRA. He came across references to the CIA seeking to influence the mind with electromagnetic fields. Then he found references in an academic research book to work that military researchers at Walter Reed Army Institute of Research had done in the 1970s with pulsed microwaves to transmit words that a subject would hear in his head. Elsewhere, he came across references to attempts to use electromagnetic energy, sound waves or microwave beams to cause non-lethal pain to the body. For every symptom he experienced, he believed he found references to a weapon that could cause it.

How much of the research Girard cites checks out?

Concerns about microwaves and mind control date to the 1960s, when the U.S. government discovered that its embassy in Moscow was being bombarded by low-level electromagnetic radiation. In 1965, according to declassified Defense Department documents, the Pentagon, at the behest of the White House, launched Project Pandora, top-secret research to explore the behavioral and biological effects of low-level microwaves. For approximately four years, the Pentagon conducted secret research: zapping monkeys; exposing unwitting sailors to microwave radiation; and conducting a host of other unusual experiments (a sub-project of Project Pandora was titled Project Bizarre). The results were mixed, and the program was plagued by disagreements and scientific squabbles. The "Moscow signal," as it was called, was eventually attributed to eavesdropping, not mind control, and Pandora ended in 1970. And with it, the military's research into so-called non-thermal microwave effects seemed to die out, at least in the unclassified realm.

But there are hints of ongoing research: An academic paper written for the Air Force in the mid-1990s mentions the idea of a weapon that would use sound waves to send words into a person's head. "The signal can be a 'message from God' that can warn the enemy of impending doom, or encourage the enemy to surrender," the author concluded.

In 2002, the Air Force Research Laboratory patented precisely such a technology: using microwaves to send words into someone's head. That work is frequently cited on mind-control Web sites. Rich Garcia, a spokesman for the research laboratory's directed energy directorate, declined to discuss that patent or current or related research in the field, citing the lab's policy not to comment on its microwave work.

In response to a Freedom of Information Act request filed for this article, the Air Force released unclassified documents surrounding that 2002 patent -- records that note that the patent was based on human experimentation in October 1994 at the Air Force lab, where scientists were able to transmit phrases into the heads of human subjects, albeit with marginal intelligibility. Research appeared to continue at least through 2002. Where this work has gone since is unclear -- the research laboratory, citing classification, refused to discuss it or release other materials.

The official U.S. Air Force position is that there are no non-thermal effects of microwaves. Yet Dennis Bushnell, chief scientist at NASA's Langley Research Center, tagged microwave attacks against the human brain as part of future warfare in a 2001 presentation to the National Defense Industrial Association about "Future Strategic Issues."

"That work is exceedingly sensitive" and unlikely to be reported in any unclassified documents, he says.

Meanwhile, the military's use of weapons that employ electromagnetic radiation to create pain is well-known, as are some of the limitations of such weapons. In 2001, the Pentagon declassified one element of this research: the Active Denial System, a weapon that uses electromagnetic radiation to heat skin and create an intense burning sensation. So, yes, there is technology designed to beam painful invisible rays at humans, but the weapon seems to fall far short of what could account for many of the TIs' symptoms. While its exact range is classified, Doug Beason, an expert in directed-energy weapons, puts it at about 700 meters, and the beam cannot penetrate a number of materials, such as aluminum. Considering the size of the full-scale weapon, which resembles a satellite dish, and its operational limitations, the ability of the government or anyone else to shoot beams at hundreds of people -- on city streets, into their homes and while they travel in cars and planes -- is beyond improbable.

But, given the history of America's clandestine research, it's reasonable to assume that if the defense establishment could develop mind-control or long-distance ray weapons, it almost certainly would. And, once developed, the possibility that they might be tested on innocent civilians could not be categorically dismissed.

Girard, for his part, believes these weapons were not only developed but were also tested on him more than 20 years ago.

What would the government gain by torturing him? Again, Girard found what he believed to be an explanation, or at least a precedent: During the Cold War, the government conducted radiation experiments on scores of unwitting victims, essentially using them as human guinea pigs. Girard came to believe that he, too, was a walking experiment.

Not that Girard thinks his selection was totally random: He believes he was targeted because of a disparaging remark he made to a Republican fundraiser about George H.W. Bush in the early 1980s. Later, Girard says, the voices confirmed his suspicion.

"One night I was going to bed; the usual drivel was going on," he says. "The constant stream of drivel. I was just about to go to bed, and a voice says: 'Mr. Girard, do you know who was in our studio with us? That was George Bush, vice president of the United States.'"

GIRARD'S STORY, HOWEVER STRANGE, reflects what TIs around the world report: a chance encounter with a government agency or official, followed by surveillance and gang stalking, and then, in many cases, voices, and pain similar to electric shocks. Some in the community have taken it upon themselves to document as many cases as possible. One TI from California conducted about 50 interviews, narrowing the symptoms down to several major areas: "ringing in the ears," "manipulation of body parts," "hearing voices," "piercing sensation on skin," "sinus problems" and "sexual attacks." In fact, the TI continued, "many report the sensation of having their genitalia manipulated."

Both male and female TIs report a variety of "attacks" to their sexual organs. "My testicles became so sore I could barely walk," Girard says of his early experiences. Others, however, report the attacks in the form of sexual stimulation, including one TI who claims he dropped out of the seminary after constant sexual stimulation by directed-energy weapons. Susan Sayler, a TI in San Diego, says many women among the TIs suffer from attacks to their sexual organs but are often embarrassed to talk about it with outsiders.

"It's sporadic, you just never know when it will happen," she says. "A lot of the women say it's as soon as you lay down in bed -- that's when you would get hit the worst. It happened to me as I was driving, at odd times."

What made her think it was an electronic attack and not just in her head? "There was no sexual attraction to a man when it would happen. That's what was wrong. It did not feel like a muscle spasm or whatever," she says. "It's so . . . electronic."

Gloria Naylor, a renowned African American writer, seems to defy many of the stereotypes of someone who believes in mind control. A winner of the National Book Award, Naylor is best known for her acclaimed novel, The Women of Brewster Place, which described a group of women living in a poor urban neighborhood and was later made into a miniseries by Oprah Winfrey.

But in 2005, she published a lesser-known work, 1996, a semi-autobiographical book describing her experience as a TI. "I didn't want to tell this story. It's going to take courage. Perhaps more courage than I possess, but they've left me no alternatives," Naylor writes at the beginning of her book. "I am in a battle for my mind. If I stop now, they'll have won, and I will lose myself." The book is coherent, if hard to believe. It's also marked by disturbing passages describing how Jewish American agents were responsible for Naylor's surveillance. "Of the many cars that kept coming and going down my road, most were driven by Jews," she writes in the book. When asked about that passage in a recent interview, she defended her logic: Being from New York, she claimed, she can recognize Jews.

Naylor lives on a quiet street in Brooklyn in a majestic brownstone with an interior featuring intricate woodwork and tasteful decorations that attest to a successful literary career. She speaks about her situation calmly, occasionally laughing at her own predicament and her struggle with what she originally thought was mental illness. "I would observe myself," she explains. "I would lie in bed while the conversations were going on, and I'd ask: Maybe it is schizophrenia?"

Like Girard, Naylor describes what she calls "street theater" -- incidents that might be dismissed by others as coincidental, but which Naylor believes were set up. She noticed suspicious cars driving by her isolated vacation home. On an airplane, fellow passengers mimicked her every movement -- like mimes on a street.

Voices similar to those in Girard's case followed -- taunting voices cursing her, telling her she was stupid, that she couldn't write. Expletive-laced language filled her head. Naylor sought help from a psychiatrist and received a prescription for an antipsychotic drug. But the medication failed to stop the voices, she says, which only added to her conviction that the harassment was real.

For almost four years, Naylor says, the voices prevented her from writing. In 2000, she says, around the time she discovered the mind-control forums, the voices stopped and the surveillance tapered off. It was then that she began writing 1996 as a "catharsis."

Colleagues urged Naylor not to publish the book, saying she would destroy her reputation. But she did publish, albeit with a small publishing house. The book was generally ignored by critics but embraced by TIs.

Naylor is not the first writer to describe such a personal descent. Evelyn Waugh, one of the great novelists of the 20th century, details similar experiences in The Ordeal of Gilbert Pinfold. Waugh's book, published in 1957, has eerie similarities to Naylor's.

Embarking on a recuperative cruise, Pinfold begins to hear voices on the ship that he believes are part of a wireless system capable of broadcasting into his head; he believes the instigator recruited fellow passengers to act as operatives; and he describes "performances" put on by passengers directed at him yet meant to look innocuous to others.

Waugh wrote his book several years after recovering from a similar episode and realizing that the voices and paranoia were the result of drug-induced hallucinations.

Naylor, who hasn't written a book since 1996, is now back at work on an historical novel she hopes will return her to the literary mainstream. She remains convinced that she was targeted by mind control. The many echoes of her ordeal she sees on the mind-control forums reassure her she's not crazy, she says.

Of course, some of the things she sees on the forum do strike her as crazy. "But who am I to say?" she says. "Maybe I sound crazy to somebody else."

SOME TIS, SUCH AS ED MOORE, A YOUNG MEDICAL DOCTOR, take a slightly more skeptical approach. He criticizes what he calls the "wacky claims" of TIs who blame various government agencies or groups of people without any proof. "I have yet to see a claim of who is behind this that has any data to support it," he writes.

Nonetheless, Moore still believes the voices in his head are the result of mind control and that the U.S. government is the most likely culprit. Moore started hearing voices in 2003, just as he completed his medical residency in anesthesiology; he was pulling an all-nighter studying for board exams when he heard voices coming from a nearby house commenting on him, on his abilities as a doctor, on his sanity. At first, he thought he was simply overhearing conversations through walls (much as Waugh's fictional alter ego first thought), but when no one else could hear the voices, he realized they were in his head. Moore went through a traumatic two years, including hospitalization for depression with auditory hallucinations.

"One tries to convince friends and family that you are being electronically harassed with voices that only you can hear," he writes in an e-mail. "You learn to stop doing that. They don't believe you, and they become sad and concerned, and it amplifies your own depression when you have voices screaming at you and your friends and family looking at you as a helpless, sick, mentally unbalanced wreck."

He says he grew frustrated with anti-psychotic medications meant to stop the voices, both because the treatments didn't work and because psychiatrists showed no interest in what the voices were telling him. He began to look for some other way to cope.

"In March of 2005, I started looking up support groups on the Internet," he wrote. "My wife would cry when she would see these sites, knowing I still heard voices, but I did not know what else to do." In 2006, he says, his wife, who had stood by him for three years, filed for divorce.

Moore, like other TIs, is cautious about sharing details of his life. He worries about looking foolish to friends and colleagues -- but he says that risk is ultimately worthwhile if he can bring attention to the issue.

With his father's financial help, Moore is now studying for an electrical engineering degree at the University of Texas at San Antonio, hoping to prove that V2K, the technology to send voices into people's heads, is real. Being in school, around other people, helps him cope, he writes, but the voices continue to taunt him.

Recently, he says, they told him: "We'll never stop [messing] with you."

A WEEK BEFORE THE TIS RALLY ON THE NATIONAL MALL, John Alexander, one of the people whom Harlan Girard holds personally responsible for the voices in his head, is at a Chili's restaurant in Crystal City explaining over a Philly cheese steak and fries why the United States needs mind-control weapons.

A former Green Beret who served in Vietnam, Alexander went on to a number of national security jobs, and rubbed shoulders with prominent military and political leaders. Long known for taking an interest in exotic weapons, his 1980 article, "The New Mental Battlefield," published in the Army journal Military Review, is cited by self-described victims as proof of his complicity in mind control. Now retired from the government and living in Las Vegas, Alexander continues to advise the military. He is in the Washington area that day for an official meeting.

Beneath a shock of white hair is the mind of a self-styled military thinker. Alexander belongs to a particular set of Pentagon advisers who consider themselves defense intellectuals, focusing on big-picture issues, future threats and new capabilities. Alexander's career led him from work on sticky foam that would stop an enemy in his or her tracks to dalliances in paranormal studies and psychics, which he still defends as operationally useful.

In an earlier phone conversation, Alexander said that in the 1990s, when he took part in briefings at the CIA, there was never any talk of "mind control, or mind-altering drugs or technologies, or anything like that."

According to Alexander, the military and intelligence agencies were still scared by the excesses of MK-ULTRA, the infamous CIA program that involved, in part, slipping LSD to unsuspecting victims. "Until recently, anything that smacked of [mind control] was extremely dangerous" because Congress would simply take the money away, he said.

Alexander acknowledged that "there were some abuses that took place," but added that, on the whole, "I would argue we threw the baby out with the bath water."

But September 11, 2001, changed the mood in Washington, and some in the national security community are again expressing interest in mind control, particularly a younger generation of officials who weren't around for MK-ULTRA. "It's interesting, that it's coming back," Alexander observed.

While Alexander scoffs at the notion that he is somehow part of an elaborate plot to control people's minds, he acknowledges support for learning how to tap into a potential enemy's brain. He gives as an example the possible use of functional magnetic resonance imaging, or fMRI, for lie detection. "Brain mapping" with fMRI theoretically could allow interrogators to know when someone is lying by watching for activity in particular parts of the brain. For interrogating terrorists, fMRI could come in handy, Alexander suggests. But any conceivable use of the technique would fall far short of the kind of mind-reading TIs complain about.

Alexander also is intrigued by the possibility of using electronic means to modify behavior. The dilemma of the war on terrorism, he notes, is that it never ends. So what do you do with enemies, such as those at Guantanamo: keep them there forever? That's impractical. Behavior modification could be an alternative, he says.

"Maybe I can fix you, or electronically neuter you, so it's safe to release you into society, so you won't come back and kill me," Alexander says. It's only a matter of time before technology allows that scenario to come true, he continues. "We're now getting to where we can do that." He pauses for a moment to take a bite of his sandwich. "Where does that fall in the ethics spectrum? That's a really tough question."

When Alexander encounters a query he doesn't want to answer, such as one about the ethics of mind control, he smiles and raises his hands level to his chest, as if balancing two imaginary weights. In one hand is mind control and the sanctity of free thought -- and in the other hand, a tad higher -- is the war on terrorism.

But none of this has anything to do with the TIs, he says. "Just because things are secret, people tend to extrapolate. Common sense does not prevail, and even when you point out huge leaps in logic that just cannot be true, they are not dissuaded."

WHAT IS IT THAT BRINGS SOMEONE, EVEN AN INTELLIGENT PERSON, to ascribe the experience of hearing disembodied voices to government weapons?

In her book, Abducted, Harvard psychologist Susan Clancy examines a group that has striking parallels to the TIs: people who believe they've been kidnapped by aliens. The similarities are often uncanny: Would-be abductees describe strange pains, and feelings of being watched or targeted. And although the alleged abductees don't generally have auditory hallucinations, they do sometimes believe that their thoughts are controlled by aliens, or that they've been implanted with advanced technology.

(On the online forum, some TIs posted vociferous objections to the parallel, concerned that the public finds UFOs even weirder than mind control. "It will keep us all marginalized and discredited," one griped.)

Clancy argues that the main reason people believe they've been abducted by aliens is that it provides them with a compelling narrative to explain their perception that strange things have happened to them, such as marks on their bodies (marks others would simply dismiss as bruises), stimulation to their sexual organs (as the TIs describe) or feelings of paranoia. "It's not just an explanation for your problems; it's a source of meaning for your life," Clancy says.

In the case of TIs, mind-control weapons are an explanation for the voices they hear in their head. Socrates heard a voice and thought it was a demon; Joan of Arc heard voices from God. As one TI noted in an e-mail: "Each person undergoing this harassment is looking for the solution to the problem. Each person analyzes it through his or her own particular spectrum of beliefs. If you are a scientific-minded person, then you will probably analyze the situation from that perspective and conclude it must be done with some kind of electronic devices. If you are a religious person, you will see it as a struggle between the elements of whatever religion you believe in. If you are maybe, perhaps more eccentric, you may think that it is alien in nature."

Or, if you happen to live in the United States in the early 21st century, you may fear the growing power of the NSA, CIA and FBI.

Being a victim of government surveillance is also, arguably, better than being insane. In Waugh's novella based on his own painful experience, when Pinfold concludes that hidden technology is being used to infiltrate his brain, he "felt nothing but gratitude in his discovery." Why? "He might be unpopular; he might be ridiculous; but he was not mad."

Ralph Hoffman, a professor of psychiatry at Yale who has studied auditory hallucinations, regularly sees people who believe the voices are a part of government harassment (others believe they are God, dead relatives or even ex-girlfriends). Not all people who hear voices are schizophrenic, he says, noting that people can hear voices episodically in highly emotional states. What exactly causes these voices is still unknown, but one thing is certain: People who think the voices are caused by some external force are rarely dissuaded from their delusional belief, he says. "These are highly emotional and gripping experiences that are so compelling for them that ordinary reality seems bland."

Perhaps because the experience is so vivid, he says, even some of those who improve through treatment merely decide the medical regimen somehow helped protect their brain from government weapons.

Scott Temple, a professor of psychiatry at Penn State University who has been involved in two recent studies of auditory hallucinations, notes that those who suffer such hallucinations frequently lack insight into their illness. Even among those who do understand they are sick, "that awareness comes and goes," he says. "People feel overwhelmed, and the delusional interpretations return."

BACK AT THE PHILADELPHIA TRAIN STATION, Girard seems more agitated. In a meeting the week before, his "handlers" had spoken to him only briefly -- they weren't in the right position to attack him, Girard surmises, based on the lack of voices. Today, his conversation jumps more rapidly from one subject to the next: victims of radiation experiments, his hatred of George H.W. Bush, MK-ULTRA, his personal experiences.

Asked about his studies at Penn, he replies by talking about his problems with reading: "I told you, everything I write they dictate to me," he says, referring again to the voices. "When I read, they're reading to me. My eyes go across; they're moving my eyes down the line. They're reading it to me. When I close the book, I can't remember a thing I read. That's why they do it."

The week before, Girard had pointed to only one person who appeared suspicious to him -- a young African American man reading a book; this time, however, he hears more voices, which leads him to believe the station is crawling with agents.

"Let's change our location," Girard says after a while. "I'm sure they have 40 or 50 people in here today. I escaped their surveillance last time -- they won't let that happen again."

Asked to explain the connection between mind control and the University of Pennsylvania, which Girard alleges is involved in the conspiracy, he begins to talk about defense contractors located near the Philadelphia campus: "General Electric was right next to the parking garage; General Electric Space Systems occupies a huge building right over there. From that building, you could see into the studio where I was doing my work most of the time. I asked somebody what they were doing there. You know, it had to do with computers. GE Space Systems. They were supposed to be tracking missile debris from this location . . . pardon me. What was your question again?"

Yet many parts of Girard's life seem to reflect that of any affluent 70-year-old bachelor. He travels frequently to France for extended vacations and takes part in French cultural activities in Philadelphia. He has set up a travel scholarship at the Cleveland Institute of Art in the name of his late mother, who attended school there (he changed his last name 27 years ago for "personal reasons"), and he travels to meet the students who benefit from the fund. And while the bulk of his time is spent on his research and writing about mind control, he has other interests. He follows politics and describes outings with friends and family members with whom he doesn't talk about mind control, knowing they would view it skeptically.

Girard acknowledges that some of his experiences mirror symptoms of schizophrenia, but asked if he ever worried that the voices might in fact be caused by mental illness, he answers sharply with one word: "No."

How, then, does he know the voices are real?

"How do you know you know anything?" Girard replies. "How do you know I exist? How do you know this isn't a dream you're having, from which you'll wake up in a few minutes? I suppose that analogy is the closest thing: You know when you have a dream. Sometimes it could be perfectly lucid, but you know it's a dream."

The very "realness" of the voices is the issue -- how do you disbelieve something you perceive as real? That's precisely what Hoffman, the Yale psychiatrist, points out: So lucid are the voices that the sufferers -- regardless of their educational level or self-awareness -- are unable to see them as anything but real. "One thing I can assure you," Hoffman says, "is that for them, it feels real."

IT LOOKS ALMOST LIKE ANY OTHER SMALL POLITICAL RALLY IN WASHINGTON. Posters adorn the gate on the southwest side of the Capitol Reflecting Pool, as attendees set up a table with press materials, while volunteers test a loudspeaker and set out coolers filled with bottled water. The sun is out, the weather is perfect, and an eclectic collection of people from across the country has gathered to protest mind control.

There is not a tinfoil hat to be seen. Only the posters and paraphernalia hint at the unusual. "Stop USA electronic harassment," urges one poster. "Directed Energy Assaults," reads another. Smaller signs in the shape of tombstones say, "RIP MKULTRA." The main display, set in front of the speaker's lectern has a more extended message: "HELP STOP HI-TECH ASSAULT PSYCHOTRONIC TORTURE."

About 35 TIs show up for the June rally, in addition to a few friends and family members. Speakers alternate between giving personal testimonials and descriptions of research into mind-control technology. Most of the gawkers at the rally are foreign tourists. A few hecklers snicker at the signs, but mostly people are either confused or indifferent. The articles on mind control at the table -- from mainstream news magazines -- go untouched.

"How can you expect people to get worked up over this if they don't care about eavesdropping or eminent domain?" one man challenges after stopping to flip through the literature. Mary Ann Stratton, who is manning the table, merely shrugs and smiles sadly. There is no answer: Everyone at the rally acknowledges it is an uphill battle.

In general, the outlook for TIs is not good; many lose their jobs, houses and family. Depression is common. But for many at the rally, experiencing the community of mind-control victims seems to help. One TI, a man who had been a rescue swimmer in the Coast Guard before voices in his head sent him on a downward spiral, expressed the solace he found among fellow TIs in a long e-mail to another TI: "I think that the only people that can help are people going through the same thing. Everyone else will not believe you, or they are possibly involved."

In the end, though, nothing could help him enough. In August 2006, he would commit suicide.

But at least for the day, the rally is boosting TI spirits. Girard, in what for him is an ebullient mood, takes the microphone. A small crowd of tourists gathers at the sidelines, listening with casual interest. With the Capitol looming behind him, he reaches the crescendo of his speech, rallying the attendees to remember an important thing: They are part of a single community.

"I've heard it said, 'We can't get anywhere because everyone's story is different.' We are all the same," Girard booms. "You knew someone with the power to commit you to the electronic concentration camp system."

Several weeks after the rally, Girard shows up for a meeting with a reporter at the stately Mayflower Hotel in Washington, where he has stayed frequently over the two decades he has traveled to the capital to battle mind control. He walks in with a lit cigarette, which he apologetically puts out after a hotel employee tells him smoking isn't allowed anymore. He is half an hour late -- delayed, he says, by a meeting on Capitol Hill. Wearing a monogrammed dress shirt and tie, he looks, as always, serious and professional.

Girard declines to mention whom on Capitol Hill he'd met with, other than to say it was a congressional staffer. Embarrassment is likely a factor: Girard readily acknowledges that most people he meets with, ranging from scholars to politicians, ignore his entreaties or dismiss him as a lunatic.

Lately, his focus is on his Web site, which he sees as the culmination of nearly a quarter-century of research. When completed, it will contain more than 300 pages of documents. What next? Maybe he'll move to France (there are victims there, too), or maybe the U.S. government will finally just kill him, he says.

Meanwhile, he is always searching for absolute proof that the government has decoded the brain. His latest interest is LifeLog, a project once funded by the Pentagon that he read about in Wired News. The article described it this way: "The embryonic LifeLog program would dump everything an individual does into a giant database: every e-mail sent or received, every picture taken, every Web page surfed, every phone call made, every TV show watched, every magazine read. All of this -- and more -- would combine with information gleaned from a variety of sources: a GPS transmitter to keep tabs on where that person went, audiovisual sensors to capture what he or she sees or says, and biomedical monitors to keep track of the individual's health."

Girard suggests that the government, using similar technology, has "catalogued" his life over the past two years -- every sight and sound (Evelyn Waugh, in his mind-control book, writes about his character's similar fear that his harassers were creating a file of his entire life).

Girard thinks the government can control his movements, inject thoughts into his head, cause him pain day and night. He believes that he will die a victim of mind control.

Is there any reason for optimism?

Girard hesitates, then asks a rhetorical question.

"Why, despite all this, why am I the same person? Why am I Harlan Girard?"

For all his anguish, be it the result of mental illness or, as Girard contends, government mind control, the voices haven't managed to conquer the thing that makes him who he is: Call it his consciousness, his intellect or, perhaps, his soul.

"That's what they don't yet have," he says. After 22 years, "I'm still me."

Sharon Weinberger is a Washington writer and author of Imaginary Weapons: A Journey Through the Pentagon's Scientific Underworld. She will be fielding questions and comments about this article Tuesday at washingtonpost.com/liveonline.

© 2007 The Washington Post Company

Source:

http://www.washingtonpost.com/wp-dyn/content/article/2007/01/10/AR2007011001399_pf.html [washingtonpost.com]

The New Zealand Copyright Act 1994 specifies certain circumstances where all or a substantial part of a copyright work may be used without the copyright owner's permission. A "fair dealing" with copyright material does not infringe copyright if it is for the following purposes: research or private study; criticism or review; or reporting current events.

The reason Nokia is able to do this (4, Informative)

kasperd (592156) | about a year ago | (#42545389)

The reason Nokia is able to do this is that they control the browser. According to the article browsers on Nokia phones are delivered with a certificate, that allows Nokia to perform this MITM attack. They call it a feature and provide a plausible explanation of what benefit it has for the users. However enabling such a risky feature without user consent is a really bad move and means users should no longer trust Nokia products as much as they have done in the past.

Re:The reason Nokia is able to do this (0)

Anonymous Coward | about a year ago | (#42545563)

If it's anything like Opera mini then your explanation is missing the trade off.
The issue is that the phone is not good enough to run a real browser. So instead the mini browser gets simplified instructions from the servers where the actual HTML parser is.
So basically you are running a remote browser on Nokia's or Opera's servers.
It's not as if there was really another option. I guess they could try to parse full HTML on the mini browser when it's HTTPS but that would probably not work so well...

Re:The reason Nokia is able to do this (2)

kasperd (592156) | about a year ago | (#42545645)

The issue is that the phone is not good enough to run a real browser. So instead the mini browser gets simplified instructions from the servers where the actual HTML parser is. So basically you are running a remote browser on Nokia's or Opera's servers.

If that's what Nokia is doing, then the article is totally inaccurate. In the article there is no suggestion the phone isn't capable of running a full browser. The proxies are just used to compress the data better before being sent to the client.

One Court Order (0)

Anonymous Coward | about a year ago | (#42545391)

or subpoena is all it will take and they will be recording all that information without telling anyone.

What countries does Nokia do business in? Do you trust the courts in all of them?

Re:One Court Order (0)

gtirloni (1531285) | about a year ago | (#42545727)

As opposed to a subpoena to your first-world ISP which is always ignored or at least fought hard before being accepted, right? Yeah, didn't think so...

Re:One Court Order (2)

0123456 (636235) | about a year ago | (#42545995)

Uh, my ISP can record all the SSL connections they want, because they can't decrypt what I'm sending.

So are Nokia spending their Microsoft billion on astroturfing Slashdot, or does it just look like they are?

Re:One Court Order (0)

gtirloni (1531285) | about a year ago | (#42546249)

1) If that makes you sleep better at night, so be it. It looks like your paranoia is very contained to a few areas.

2) Discrediting the other part in a discussion... not really the best way to win any argument.

3) Feel free to propose technical solutions that don't involve what Nokia, Opera, etc are doing. You might even have a startup idea that will make you rich.

How? (1)

Richard_J_N (631241) | about a year ago | (#42545425)

Isn't that the whole point of HTTPS, to ensure that a man-in-the-middle attack (in this case, a probably benign proxy) is impossible?
Also, why? Doesn't every website now compress html/css/js with mod_gzip?

Re:How? (5, Informative)

Rich0 (548339) | about a year ago | (#42545501)

Isn't that the whole point of HTTPS, to ensure that a man-in-the-middle attack (in this case, a probably benign proxy) is impossible?

It is only impossible without the collusion of a trusted certificate authority. When was the last time you reviewed the list on your browser? Oh, and did YOU do anything to determine if any of those organizations were trustworthy.

If you get a mobile device from your mobile provider, there is a pretty good chance that they stuck their own root CA in there somewhere. Maybe they just use it for SSL connections to their own websites/email/etc. But, trusted is trusted in the world of SSL which means they could just MITM every connection you make.

Ditto for any PC you use at work. Chances are your employer has a trusted CA somewhere in there, which means they can MITM any SSL connection you make to any service on the web.

If they didn't actually modify your browser you can probably spot this by pulling up the certificate info for your connection and noting who issued it.

This is why I believe SSL offers a false sense of security. Moving to certificates distributed over DNSSEC would cut out the middlemen, and it would improve security. Only the domain registrar for google.com could tamper with their certificates, for example. That still isn't perfect, but it is better than any CA anywhere on the globe.
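The check Rich0 describes above (pull up the certificate for the connection and note who issued it), written out as an added example that is not part of any comment in this thread. It compares what a client receives against a reference recorded out-of-band; the host name, CA names and the placeholder certificate bytes are constructed for illustration.

```python
import hashlib
import socket
import ssl


def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples returned by getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def sha256_fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the value browsers show as the fingerprint."""
    return hashlib.sha256(der_bytes).hexdigest()


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live fetch: the leaf certificate as seen from this device and network path.

    Validation uses the local trust store, so a certificate minted by a
    locally trusted interception CA still validates; that is why the issuer
    has to be inspected separately in assess().
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def assess(cert, der_bytes, reference):
    """Classify an observed certificate against an out-of-band reference.

    match             -> same issuer organization, same leaf fingerprint
    reissued          -> expected issuer, new leaf (normal after renewal)
    unexpected-issuer -> someone else signed it; investigate for interception
    """
    org = issuer_fields(cert).get("organizationName", "")
    issuer_ok = org in reference["issuer_orgs"]
    pin_ok = sha256_fingerprint(der_bytes) in reference["sha256"]
    if issuer_ok and pin_ok:
        return "match"
    if issuer_ok:
        return "reissued"
    return "unexpected-issuer"


# --- Constructed sample data (not real certificates or real CA names) ---
REFERENCE_DER = b"constructed placeholder for the reference leaf certificate"
REFERENCE = {
    "issuer_orgs": {"Example Trust Services"},
    "sha256": {sha256_fingerprint(REFERENCE_DER)},
}


def cert_issued_by(org, common_name):
    """Build a dict in the shape ssl.SSLSocket.getpeercert() returns."""
    return {
        "subject": ((("commonName", "bank.example"),),),
        "issuer": (
            (("countryName", "US"),),
            (("organizationName", org),),
            (("commonName", common_name),),
        ),
    }


def run_samples():
    """Three observations: untouched, renewed by the same CA, re-signed by a proxy CA."""
    same = cert_issued_by("Example Trust Services", "Example TLS CA 1")
    proxy = cert_issued_by("Handset Vendor Proxy", "Vendor Proxy Root")
    return [
        assess(same, REFERENCE_DER, REFERENCE),
        assess(same, b"constructed placeholder for a renewed leaf", REFERENCE),
        assess(proxy, b"constructed placeholder minted by the proxy", REFERENCE),
    ]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

As the comment notes, this only helps when the client shows the certificate it actually received.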

Re:How? (1)

h4rr4r (612664) | about a year ago | (#42545551)

Chances are your employer does not do that. It is such a huge legal minefield most avoid it. The last thing I need is someone claiming that my proxy server was used to steal their bank details.

Re:How? (1)

Greyfox (87712) | about a year ago | (#42546093)

I actually know for a fact that my employer DOES do this, and very explicitly distrust their certificate to ensure that any https connection results in a warning. Any https connection going out of the company must trust their certificate to complete. If I claim that their proxy was used to steal my bank details, they'd ask me why I was using company property for personal business. They would probably be doing so while in the process of terminating my employment for violating the "Misuse of company resources" portion of the corporate ethics guidelines that I agreed to follow as a condition of my employment there.

Re:How? (0)

Anonymous Coward | about a year ago | (#42546187)

If you work at International Paper in the U.S. (or one of their subsidiaries), they do, and they probably do many places in the U.S. now. Websense appears to make this easy. They claimed this was put in place to prevent people from visiting transparent proxies over SSL.

Re:How? (1)

Richard_J_N (631241) | about a year ago | (#42545787)

How is that different from an ordinary server cert? I just got a cert for my own domain; that doesn't let me masquerade as a bank. If I get my browser from Mozilla, how do I know that my ISP isn't snooping? If I'm reading you correctly, you're saying that the entire HTTPS spec is a total wreck, and we'd be better off without it than a false illusion of security?

Re:How? (1)

jimicus (737525) | about a year ago | (#42546135)

If I get my browser from Mozilla, how do I know that my ISP isn't snooping?

You trust two things:

1. That Mozilla didn't put the root certificate for an untrustworthy firm into their browser. (Ha! Have you seen the list of root certificates with most browsers these days? Seems everyone and his dog can send their CA certificate in to the browser vendors).
2. That the trustworthy root certificates that are in there will not subsequently be used for nefarious purposes - eg. to sign a wildcard certificate and then hand that over to your ISP.

Re:How? (1)

Anonymous Coward | about a year ago | (#42545517)

Also, why? Doesn't every website now compress html/css/js with mod_gzip?

Talk to an IT related person next time you see one. They'll break it down for you. Gzip compression isn't magic, you need someone to configure it, and most server admins don't bother.

Re:How? (0)

Anonymous Coward | about a year ago | (#42545847)

They all start caring once their servers get overloaded.

Re:How? (1)

robmv (855035) | about a year ago | (#42545831)

True, the point is that if you modify the source of Firefox or Chrome to not show a SSL error when the certificate is yours, then you have the situation of the Nokia browser, but that doesn't mean SSL is broken because of that

Re:How? (0)

Anonymous Coward | about a year ago | (#42546287)

True, the point is that if you modify the source of Firefox or Chrome to not show a SSL error when the certificate is yours, then you have the situation of the Nokia browser, but that doesn't mean SSL is broken because of that

You don't need to modify any sources. All you need to do is install a certificate and set its trust settings, exactly what Nokia has done to their own browser.

Personally I think the furore is a bit funny. Opera's been doing this for many years, didn't hear anybody complain. If you thought SSL could guarantee security, well, I welcome all your shock and surprise with a patient smile. All SSL can be subverted like this on a whim of a presumably reputable certificate issuer (e.g. Verisign) and a transparent proxy legally or illegally installed anywhere along the way. It's also the mechanism for many corporate gateways, transformation services etc.

No it's not a good idea. It is a spectacularly bad idea, and somebody at Nokia should have known better. But in the grand scheme of things, this is just a gentle reminder that most people don't understand SSL.

Cyanogenmod Tizen or Ubuntu (0)

Anonymous Coward | about a year ago | (#42545465)

All the more reason to use open source software and not buy phones that have opaque software on them. Cyanogenmod is the way to go. Or maybe in a few months Tizen or Ubuntu.

If you don't like it (1, Interesting)

ArhcAngel (247594) | about a year ago | (#42545467)

Get a BlackBerry. [blackberry.com]
Blast them all you want for getting left behind in the app ecosystem but iOS, Android, and WP can't hold a candle to RIM's security. [blackberry.com]

RIM isn't any better (1)

feld (980784) | about a year ago | (#42545611)

except your email goes through RIM's mail servers. You don't download your email from your mail server to your phone directly. RIM could be reading all your email.

Re:RIM isn't any better (5, Informative)

thePowerOfGrayskull (905905) | about a year ago | (#42545791)

If you're using BES, it's all encrypted - it goes through RIM's servers, but RIM can't read it.

Hence the big kerfuffle about governments insisting on access to BES data, and RIM's refusal to give it -- they literally can't.

Consumer email/BIS access is a different story. RIM does have access to that, and presumably government as well (similar to what any other provider gives).

Potential for Exploiting (1)

Striikerr (798526) | about a year ago | (#42545495)

I think a bigger concern with this type of stuff is the potential for someone to gain access to the decrypted streams. They would have access to a treasure trove of personal information. While this type of activity can come from an external source, the biggest vector is from internal staff. I would not be comfortable having something being operated by Nokia etc. having full access to my sessions. How often do we see headlines describing xx number of people's personal information being compromised... by BIG companies who most would have assumed would be experts at security.. Another big problem with this is that people using these devices ASSUME that their sessions are secured between their end and the end point (a bank, online retailer, etc) because this is what they have been told time and again by experts in trying to educate the masses. If a device is going to intercept these historically secured point to point sessions, a warning / disclaimer should pop up for each session explaining (in clear, short terms) what is happening..
I understand and accept the good intentions and reasoning behind this approach but good intentions have so often been the cause for bad results..

This is a disturbing trend (1)

devforhire (2658537) | about a year ago | (#42545507)

I find it disturbing the increasing audacity of large organizations who get caught with their hands in the cookie jar and put it off as "I know my hand is in there, but I'm really not going to take a cookie." It reminds me of the Instagram "Sign over the rights for us to sell your pictures, but we're not going to sell your work."

illegal here (0)

Anonymous Coward | about a year ago | (#42545603)

If this were in the UK then this would be illegal under RIPA. Nokia is a third party (i.e. they aren't a network provider) so their interception of this traffic would be illegal without a court order or informed consent.

Re:illegal here (1)

houstonbofh (602064) | about a year ago | (#42545879)

It may be illegal in the US as well, since they are breaking encryption... DMCA

Re:illegal here (1)

ssam (2723487) | about a year ago | (#42546349)

It depends if you count this as breaking encryption.

It's more like them running a browser on their server and giving you remote access to this browser. So it's not 'breaking' encryption any more than you are when you visit an HTTPS site.

Pay no attention to the man behind the curtain!! (0)

Anonymous Coward | about a year ago | (#42545605)

If a "browser" does its work inside their remote server then what you have is a remote viewer and they are the ones with the real browser. The problem is that all the security is in the actual browser part, and none in the remote viewer.

Root cause is elsewhere (2)

pysiak (2599565) | about a year ago | (#42545667)

Dear god. Is this what corporations do instead of serious engineering work to debloat the network stacks, drivers and hardware or start implementing things like TCP Fast Open? :-| Another example where fixing bufferbloat needs a strong front because people will start doing the wrong things when trying to fix something. Just as BitTorrent-induced latency was made the culprit of slow networks and caused people to think it's good to go away from Net Neutrality and charge premium for a premium experience. Nonsense!

So, all of you paid astroturfers... (1)

Anonymous Coward | about a year ago | (#42545671)

...who were claiming that this was perfectly innocent and harmless in the last post on the subject. Care to weigh in this time? Seeing as how many of you claimed that Nokia couldn't, or wouldn't, do anything of the sort with SSL traffic out of fear of "jail" and other non-existent threats? Is it still perfectly good and innocent now that they're actively _decrypting_ your SSL traffic?

"In a secure fashion..." (4, Insightful)

eth1 (94901) | about a year ago | (#42545721)

...my ass

Right up until the government shows up and demands that they send all the traffic to them first, and forbids them from notifying their customers.

Big Bro? Iszzat You? (0)

Anonymous Coward | about a year ago | (#42545775)

Looks like Big Brother got caught with his hand in the cookie jar yet again.
This all sounds a lot like Homeland Security snooping to me. I am quite confident that I am not the only one to see it that way, either.
Why else would you have to Actively Decrypt the data, if not for spying purposes?
Compression for speed? Really? You expect us to buy that?

Pointless post (1)

Anonymous Coward | about a year ago | (#42545799)

There is no point to this post. If you don't trust Nokia, then why are you using their phone? The same story could be run for *every* manufacturer of a phone or web browser. You have to trust the manufacturer, otherwise it's game over. Do you think that proxying traffic is the only way that the phone maker can spy on you? Naive.

Dear Nokia... (0)

Anonymous Coward | about a year ago | (#42545829)

Nokia executives:
Please send me all your super sensitive and secret documents. I promise I won't look at them.

Interesting (0)

Anonymous Coward | about a year ago | (#42546091)

Nokia says none of their staff is looking at unencrypted data.

They don't say "no one", my guess is they are handing off that data to other "entities".

Benjamin Franklin (4, Funny)

Frankie70 (803801) | about a year ago | (#42546111)

Wasn't it Benjamin Franklin who said "They who can give up essential security to obtain a little speed increase, deserve neither security nor speed"?

Apple also admits its software has access to data (0)

Anonymous Coward | about a year ago | (#42546131)

... if you have private data on Apple software.

At the risk of rehashing the drowned-out explanations from yesterday, Nokia admits this *on the box*. This isn't like adding a wild card cert into a Web browser: this is exactly the behaviour that Nokia advertises for these devices on their Web site, on the box, in the manual, and in their marketing material. This is the same thing Opera Mini has been doing for about a decade.

This isn't a full-blown on-device browser. This is a viewer for data that is pulled and rendered "in the cloud" as the kids say today, compressed and sent to end user devices in an optimized manner (just like Opera Mini, or Opera in "Turbo" mode iirc). This is a browser included on lower-end (lower spec, lower-developed markets generally) phones by Nokia and designed to reduce costs where bandwidth is poor and expensive. This used to be normal in the first world as well (if you consider Europe/US first-world in mobile telephony).
