NSA infiltrates links to Yahoo, Google data centers worldwide

12 years ago (washingtonpost.com)

It's hard not to come to the conclusion that these activities were essentially criminal. I don't see how the administration can fail to disavow them, investigate them fully, and hold their instigators accountable. It feels like Special Prosecutor time.

That aside, let me re-make a point I keep making:

Google had no knowledge of NSA's physical compromise of their data centers. But still, they pushed harder than anyone on the whole Internet for the adoption of modern TLS with forward-secrecy; they are the world's foremost deployers of ephemeral-keyed elliptic curve cryptography and of certificate pinning, both of which ensure not only the security of the traffic running over the network cables into their data centers, but also minimize the impact of a compromised long-term encryption key or the compromise of the CA system by a state actor.

Not only that, but Google launched a high-profile effort to encrypt the communications inside and between their data centers.

I hope a couple years hindsight will put the importance of Adam Langley's work (and that of the rest of his team; he's just the best-known member of that team) at Google into sharper relief.
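As an added illustration of the forward-secrecy point made in the comment above (this is not code from the post or from Google; it uses a constructed toy Diffie-Hellman group and a hash-based stand-in for the server's signature), the script below records two sessions on a simulated tap and then checks which one a later compromise of the server's long-term key unlocks:

```python
import hashlib
import secrets

# Constructed toy Diffie-Hellman group: a Mersenne prime and a small generator.
# Sizes and parameters are NOT safe for real use; they only make the control flow visible.
P = 2**127 - 1
G = 5


def keypair():
    """Return (private, public) for one DH party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared):
    """Hash a shared group element into a hex session key."""
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def session_key_transport(server_pub):
    """Static-key session (stands in for RSA key transport in older TLS).

    The client's fresh share is combined with the server's LONG-TERM key, so the
    session key is a function of that key. Returns (tapped_transcript, session_key).
    """
    client_priv, client_pub = keypair()
    key = derive_key(pow(server_pub, client_priv, P))
    # A passive tap on the cable sees only what crosses the wire.
    transcript = {"client_pub": client_pub}
    return transcript, key


def session_ephemeral(server_priv):
    """Ephemeral DH session (stands in for ECDHE in modern TLS).

    Both sides make fresh shares; the long-term key only authenticates the
    server's share (modelled as a keyed tag, not a real signature) and never
    enters key derivation. The ephemeral private values are discarded afterwards.
    """
    client_priv, client_pub = keypair()
    server_eph_priv, server_eph_pub = keypair()
    auth_tag = hashlib.sha256(f"{server_eph_pub}:{server_priv}".encode()).hexdigest()
    key = derive_key(pow(server_eph_pub, client_priv, P))
    assert key == derive_key(pow(client_pub, server_eph_priv, P))  # both sides agree
    del client_priv, server_eph_priv  # forward secrecy: nothing left to seize later
    transcript = {
        "client_pub": client_pub,
        "server_eph_pub": server_eph_pub,
        "auth_tag": auth_tag,
    }
    return transcript, key


def attacker_after_key_compromise(transcript, leaked_server_priv):
    """Adversary who taped the session and later obtained the long-term key.

    The only new group element the leaked key lets it compute from the tape is
    client_pub ** s. That IS the static session key, but for an ephemeral session
    it is unrelated to g ** (x * y), so the guess fails.
    """
    return derive_key(pow(transcript["client_pub"], leaked_server_priv, P))


def demo():
    """Run one session of each kind and report which one the compromise recovers."""
    server_priv, server_pub = keypair()
    tape_static, key_static = session_key_transport(server_pub)
    tape_eph, key_eph = session_ephemeral(server_priv)
    return {
        "key_transport_recovered": attacker_after_key_compromise(tape_static, server_priv) == key_static,
        "ephemeral_recovered": attacker_after_key_compromise(tape_eph, server_priv) == key_eph,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the tap in the ephemeral case still captured everything that crossed the wire; it is the absence of the long-term key from key derivation, not secrecy of the transcript, that protects recorded traffic.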

  • > It's hard not to come to the conclusion that these activities were essentially criminal. I don't see how the administration can fail to disavow them, investigate them fully, and hold their instigators accountable. It feels like Special Prosecutor time.

    The government takes the position that their agents are almost completely unconstrained by law when it comes to actions taken abroad aimed at non-US persons.

    Even were a court somewhere to find that this interpretation is incorrect, there are numerous "good faith reliance" doctrines that prevent any prosecution or even civil consequences.

    The government outright tortured people for years, and nothing has come of it. No prosecutions. No damages for victims. No cases dismissed for outrageous government conduct. Not even very many harsh words from judges. The only people for whom there were any consequences were the low level regular army people who got in on the torture train without first getting official blessing.

    It'll be the same thing here. If some low level employee went out on his own to hack into Google servers, something might come of it. But by all appearances these programs were deliberate, planned, and vetted. In those circumstances the bad actors have long since learned to cover their own asses. There will be no consequences for them.

• I am at a loss for words. Arrogant, self-righteous, disrespectful, ignorant, mendacious...nothing cuts it. It is illegal in the US but who cares about the rest of the world? I cannot remember when something similar made me as angry as the current conduct of the US does. If I did not know better that this would negatively affect the whole world and innocent US citizens and that emotional reactions are usually not good - I would just cut all cables to the US, stop all trades of oil, raw material and goods, deny US citizens entry to any foreign country and then just do your shit over there and get happy with it.

EDIT: Just to clarify it a bit more, I am not primarily angry because of the spying - read my mails if it makes you happy. What really pisses me off is this sentiment of thinking of non-US citizens as second class humans. We are not spying on US citizens, only on those other guys across the ocean. And sadly this sentiment is also present in part of the media coverage. Especially when the story broke there was a lot of outrage about (accidentally) spying on US citizens, but spying on non-US citizens and breaking foreign law in peacetime is deemed acceptable.

      149 replies →

    • > The government takes the position that their agents are almost completely unconstrained by law when it comes to actions taken abroad aimed at non-US persons.

More to the point of the article here, the government takes the position that their agents are completely unconstrained by law when it comes to using information shared by foreign intelligence services that their agents had no part in collecting, and the collection here is done by the GCHQ -- a British intelligence agency -- who simply provides NSA the privilege of submitting search terms and getting matching data from the collection GCHQ does from their taps.

      1 reply →

    • "The government takes the position that their agents are almost completely unconstrained by law when it comes to actions taken abroad aimed at non-US persons. "

      It's worse than this. You also generally can't sue the US government civilly unless they allow you to. US has abrogated sovereign immunity in certain situations for certain types of torts, but ..

      2 replies →

    • I'm sure the other branches of US government would be delighted if NSA would share with them - not the secret data, but their data processing tools.

      I mean, it appears that NSA has the ability to separate the retrieved gmail data into citizens and non-citizens, so they can legally use the non-citizen part of data and throw the 'forbidden' US-citizen data away. Think of the wonders that we could do with such technology! We wouldn't need passports anymore, when arriving from another country, you just provide your gmail account, TSA systems check that you're a citizen and lets you right in with a smile...

    • > The government outright tortured people for years, and nothing has come of it.

      I am not saying it's OK, but in that case, most US citizens aren't even affected. In the case of surveillance, data from US citizens is being directly compromised. Their attempt to do what they want to foreign individuals with surveillance actually causes some collateral damage to US citizens.

      5 replies →

  • Google was letting information flow between its data centers completely unencrypted until last month. http://www.washingtonpost.com/business/technology/google-enc... Last month!

    Think about that for a second. Most people on HN wouldn't send a single file to their own backup provider in the clear. Google was sending gushing torrents of data, presumably including email, IMs, etc, over long distances that way.

    That's very nice that the company that encouraged all of us to put all our email and documents in its data centers "pushed harder than anyone on the whole internet" for some basic security well after the NSA compromised their shit, but it doesn't excuse their irresponsible practices.

  • In the first week that I was managing IT/Ops at our company, our security architect, msj, approached me and said that our approach towards security would be to encrypt everything at rest, and everything in flight. Even the 18" of ethernet cord hanging outside of the servers would be considered an attack vector.

    I thought he was loopy at the time. Amazing how wrong I was.

  • It's far beyond special investigator time.

    Obama should be impeached. Both Obama and Bush should be tried for criminal conduct. Both should be put in prison for decades for treason. Of course on top of that are the war crimes and general crimes against humanity both committed (torture, war, murder of thousands of civilians, and so on).

  • Even with everything you say, Google was still defeated by the NSA. Will Google ever catch up in this arms race? "95% encrypted" == "100% compromised"

    • > Even with everything you say, Google was still defeated by the NSA.

      Well, actually, per the article, by GCHQ. Who, as well as using the data themselves, also allows the NSA access to it.

  • > Google had no knowledge of NSA's physical compromise of their data centers.

    How do you know this is the case? In the diagram submitted within the article, the box highlighted with the smiley face is labeled "GFE" for Google Front-End [1], which means it's a Google controlled server. It seems more plausible to me that the NSA compromised this target with a FISA court order rather than hacking it. And if that is true, then someone at Google did know about it, they just weren't willing to discuss it because of a legal threat.

    [1] Google server names: http://googlesystem.blogspot.com/2007/09/googles-server-name...

    • > How do you know this is the case? In the diagram submitted within the article, the box highlighted with the smiley face is labeled "GFE" for Google Front-End [1], which means it's a Google controlled server.

Yeah, it's the external-facing server that is the boundary between Google's (encrypted) communication with outside systems and its internal network, which doesn't use encryption.

      > It seems more plausible to me that the NSA compromised this target with a FISA court order rather than hacking it.

      If you read the article, the leak of documents that included the diagram indicates that:

      1. The GFE server itself wasn't compromised, whether by a court order or hacking -- the unsecured communications which occur "behind" the GFE server were compromised, and

      2. The entity which compromised the unsecured communications wasn't the NSA, but Britain's GCHQ. The NSA gets information from the compromised system because GCHQ allows NSA to submit search terms ("selectors") which are matched against the data GCHQ collects from tapping Google (and Yahoo!) unsecured internal comms, and then feeds the data matching the selectors back to the NSA.

      1 reply →

• I'm hoping Google ends up buying the ECC patents from Blackberry and then makes them public domain or at least says they will allow everyone to use them for free and with no consequences. I know they want to buy some stuff from Blackberry right now, but not sure if they are considering buying the ECC patents, too, or not.

    I'd feel a lot better if Google bought them than say Microsoft or some other company, who'd just try to collect royalties from anyone using them, and I feel that will make things a lot worse for security on the web in the future, especially with Microsoft's long-standing relationship with the NSA.

    http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-c...

    That being said, I'm very disappointed in Larry Page's statement about encryption and quantum computers:

    > Lloyd made his pitch, proposing a quantum version of Google’s search engine whereby users could make queries and receive results without Google knowing which questions were asked. The men were intrigued. But after conferring with their business manager the next day, Brin and Page informed Lloyd that his scheme went against their business plan. “They want to know everything about everybody who uses their products and services,” he joked.

    It bothers me a lot that the leaders of Google would think like that, even though I knew they would because of the incentives in their business. But I just wish they found way for their business to work, so they do not have to think like that, and be more on the side of users on this issue, than they are right now.

Unless their thinking about user-privacy and security changes, we should never fully trust Google (even if they are better than the rest right now). That sort of thinking means they will never go all the way to protect their users, which is probably why you will never see OTR or ZRTP in Google's chat services. All the data collection they do will also become increasingly more irresistible to governments, especially if they keep it forever.

    http://www.wired.com/wiredscience/2013/10/computers-big-data...

• I don't trust Google more than anyone else out there. They are in the business of making money and don't give much of a damn about their users. The only reason the NSA spying is a problem for them (imo) is that it may affect their bottom line due to user concerns and therefore affect their products. NSA has a direct line to Google Cloud, guess I'm better hosting my own servers rather than pay for business Google Mail and Drive. I'm not sure Google would give it away for free, they now own Motorola remember, in the fight against all the phone giants, patents are king!

      The 2nd part makes no sense at all. Why would Google not want to know everything about you. That just goes completely against their business model. There is no such thing as a free lunch.

  • "Google had no knowledge of NSA's physical compromise of their data centers. But still, they pushed harder than anyone on the whole Internet for the adoption of modern TLS with forward-secrecy..."

    You're talking about security only. What about privacy? Security and privacy are not the same thing (although they overlap).

    No other company has such a rapacious appetite to track and record online behaviour in one form or another - whether it's signing into your Chromebook to print to your desktop printer or using Google Analytics, Google wants to capture it all. Their vaguely-worded privacy statements tell you nothing about how they use this data, who sees it, or just how personally identifiable it is.

Take ChromeOS, the fact that you have to sign in with your Gmail account means potentially every activity you perform while in the OS is tracked by Google. I'm amazed at how little discussion is made of this. (I would never run ChromeOS for this reason alone.)

    I've no doubt that Google takes security matters seriously. I'm not at all convinced they take privacy seriously.

• I don't think they pushed hard enough for the adoption of TLS. It's only finally THIS YEAR that they made available their ubiquitous AdSense code for SSL/TLS. Because many websites derive their full livelihood from AdSense, Google has effectively been stalling the widespread adoption of SSL on the web. If you were a news website and you used AdSense, then forget about ever implementing SSL; it would kill your site.

Although I'm glad they have finally started serving AdSense in SSL, Google needs to take ownership of their big role in keeping the internet unencrypted. If they have had a change of heart, that's great. But I don't trust them any more.

  • > Google had no knowledge of NSA's physical compromise of their data centers.

    You speak of Google as if it were a single person and not 46,000 people, or as if the threat of a long-term federal prison sentence isn't enough to make most members of society keep absolutely quiet.

• Which, going by their (this administration's) record at disavowing, initiating investigations into, and demanding accountability from our various security agencies for their widely known, and far more egregious abuses they've been indulging in since late 2001 -- torture, extrajudicial killings, and the cavalier attitude of our armed forces toward civilian populations, generally -- we can be virtually certain that not only will they "fail" to do so, they won't even make a credibly sincere effort at it.

    I don't see how the administration can fail to disavow them, investigate them fully, and hold their instigators accountable.

  • The stage is being set for a giant conflict between the intelligence community and the political class in DC.

    • The political class is still more scared of being on the wrong side of security in the event of another terrorist attack. On a long enough timeline there certainly is bound to be another attack, and no one wants to be the one who weakened the intelligence community's toolset. No one seems to understand the tradeoffs they are making.

  • > It's hard not to come to the conclusion that these activities were essentially criminal. I don't see how the administration can fail to disavow them, investigate them fully, and hold their instigators accountable. It feels like Special Prosecutor time.

    Well, the article makes the point exceptionally well; it's unclear why MUSCULAR is needed when PRISM already exists.

    However as long as the interception was exclusively between overseas Google and Yahoo data centers I'm not actually sure it's even clearly criminal.

    Instead I think it shows a rather stunning 'loophole' in current U.S. law and case law when you intersect a globalized Internet with laws meant to deal with national-level communications.

    Frankly, this is the same feeling I experienced when it became clear how global companies are able to "nation shop" for maximum tax advantage. I didn't like seeing it then, and I don't like it here.

But although the behavior might be technically legal (thanks to the platoon of lawyers) it's certainly not in keeping with the spirit. It seems to me that oversight must become much, much more intrusive than it used to be.

    Instead of writing the law and then letting NSA squirm for years until it finds loopholes that work for it, it's time to force effective oversight deep into every level.

    Because what's most striking to me is that I'm not sure that even the law as it stood before 2001 would have made this behavior technically illegal. MUSCULAR couldn't have happened then, of course, but now that American data is being farmed automatically to data centers around the world....

  • > Google had no knowledge

    Citation required.

    > Not only that, but Google launched a high-profile effort to encrypt the communications inside and between their data centers.

    When exactly was that announced? Before or after Snowden went rogue? If after, the agency had to tell the PRISM partners that they were going to be exposed if they were willing participants in hosting a back-door.

    Otherwise, they only got paranoid after that fact?

    I'm wondering if there is a state with a particularly restrictive privacy law that can drag Larry or Sergei to the witness stand and find out if participation is willing or unwilling.

    • Technically, it's impossible to prove a negative. That said, what more evidence do you want than everything Google has done to combat this, including preemptively working to encrypt cross-dc traffic?

      1 reply →

• What Google knew when, and how Google cooperated with the NSA and other agencies is something we will probably never know. Or at least not for a long time.

    The first files that came out seemed to speak of direct access for the NSA into the datacenters done with the support of Google.

    These speak of even more intrusive surveillance.

Personally I don't believe for a second that Google has not been fully cooperative with the needs of the American Intelligence community all the time. However Google needs a bit of good PR to ensure that they are not hit too hard with a backlash. As long as Google can maintain plausible deniability they are fine.

I don't see anything criminal that the NSA does as far as US law goes, unless they are spying on American citizens (which they are doing).

Spying in any way possible on other countries is not only legal but a big reason for the existence of NSA, CIA etc. There is an understanding in the international community that spying may occur.

    However there is also a long tradition that if someone is caught with their hand in the cookie jar, a harsh response is expected. The expulsion of diplomats, dropping trade deals, dropping mutual agreements (think US/USSR) and so on. Also the criminal persecution and interrogation of enemy agents discovered.

A couple of points to make:

    1) Europe has so far not really reacted much to the news. Some blabbing in the press, a bit of travel, but aside from that little has changed.

2) The biggest threat over this for Europe is not so much the disposition of troops, where and how bombs are kept etc, it's industrial espionage and leverage for getting EU countries to sign deals to buy American. A good recent example is the sale of JSF. The embassies were very heavily involved in ensuring that nations in Europe bought JSF. I find it impossible to think that intelligence gathering was not offered to ensure that this took place.

• In light of the criticisms leveled against these strategies from 2002 to 2004, it's difficult for intelligence policy makers to argue the risks were unknown. The indifference to risk, public opinion and constitutional issues is jaw dropping.

  • I wonder if many of these 'Chinese infiltration' events that did lead to Gmail HTTPS/TLS were actually spy agencies of various nationalities, even looking like Chinese hackers when in actuality it is something else.

  • Yet, with such emphasis on security, how did they manage to "back up" Wi-Fi passwords on Android as clear text on their servers?

  • That all sounds very impressive, but in the end it didn't work and all our emails are belong to them.

  • Oh nice, tptacek defending Google again, no matter what.

    • Defend them against what? How could one seriously blame them for this, how are they not a victim, just as their users are? Yeah, they could have encrypted their internal network sooner. Just like someone who got robbed could have learned martial arts or taken a different route.

  • You make it sound as if Google is being altruistic here. Security is essential to the direction they are heavily pushing.

    Chromebooks vs. Macs/Windows/Linux

    Gmail vs. Exchange(not Exchange Online)

    Google Apps/Drive vs. Office/LibreOffice

    "Why the NSA loves Google’s Chromebook"

    http://arstechnica.com/information-technology/2013/09/why-th...

Of course, all this applies to all cloud-hosted services including Skydrive, Exchange Online, etc. but out of all companies, Google is the one that has most at stake if people become fearful of their data leaking on the way to the cloud and decide to keep their data in-house instead of going to the cloud.

To me, the big surprise was that Google wasn't encrypting the links between its own datacenters before these revelations.

    As usual, Stallman is proven right again. If your data is under someone else's control, it's not yours.

    "Cloud computing is a trap, warns GNU founder Richard Stallman" http://www.theguardian.com/technology/2008/sep/29/cloud.comp...

• Which, going by their (this administration's) record at disavowing, initiating investigations into, and demanding accountability from our various security agencies for their widely known, and far more egregious abuses they've been indulging in since late 2001 -- torture, extrajudicial killings, and the cavalier attitude of our armed forces toward civilian populations, generally -- we can be virtually certain that not only will they "fail" at it, they won't even make a credibly serious effort at it.

    I don't see how the administration can fail to disavow them, investigate them fully, and hold their instigators accountable.

Why didn't they release these documents a long time ago when everyone was racing to judgement that Google, Yahoo, et al were secretly in cahoots with the NSA helping to build drag-net surveillance extranet stuff for them? These are very important revelations!

I mean, when Greenwald/Snowden/Guardian released the original PRISM accusations, these slides would have provided a much much more important set of evidence, instead of months of speculation and parsing of meanings of "backdoor", "frontdoor", "side door", in the corporate communications of the tech companies who were struggling to say "we've never heard of PRISM, da fuq is this shit?"

Is the slow dripping out of these slides because they are trying to be responsible in not releasing stuff that is too damaging (e.g. not trying to be a Bradley Manning dump), or is it to preserve traffic by keeping the click-gravy-train going?

  • By releasing the documents in this order, they give government officials just enough rope to hang themselves by prompting them to defend themselves by making statements about what they do and do not do, and then releasing new documents directly contradicting those statements.

    In a weird way, it actually motivates them to tell the "whole truth" because they don't know what documents will be released later so they don't know what lies to tell.

  • People are probably missing the idea. In the past, like with the WikiLeaks cables, they released all at once and it didn't have that much effect, after one week most countries were already on some other matter. The slow dripping allows this case to continue being discussed after six months. Can't remember this ever happening before with any other subject like the fake article on Saddam's WMD, the CIA flights and torture cases, etc.

    Given what we currently know about the human mind and how people react to news I expect this to be the future way of releasing highly critical information.

  • Who knows how many thousands of pages they need to read and understand? Also, don't underestimate the difficulty of a reporter understanding these thousands of documents sufficiently to recognize when one is really important.

    • If they don't understand what's going on, wouldn't that argue in favor of doing more detailed research and analysis before writing claims? The original assumptions/claims in the Guardian story on PRISM are now shown to be false. This caused a lot of negative blowback on the companies involved.

      Don't we expect our investigative journalists, to well, actually investigate things, instead of rushing to print?

      5 replies →

  • I have no internal knowledge about this, but influenced by this Twitter thread[0] I would speculate that Greenwald and friends gave Google (and whoever else) advance notice and the opportunity to react to it before publishing. Responsible disclosure, and all that (not that it really applies in this case, but still).

    [0] https://twitter.com/ioerror/status/395636984313413632

  • It sure looks like it could be strategic.

The "taps foreign heads of state" et al. really drew blood, e.g. DiFi shocked the intelligence community by doing a public about-face.

    Presumably because monitoring us proles is just fine with her, but other members of the international elite? That's beyond the pale, and I don't assume her call for a "top-to-bottom review of U.S. spy programs" is to do anything more than find out other such elite embarrassments.

    BUT, to the extent the above is not true, or is making this Total Surveillance State toxic, now's a good time to drop this tidbit.

  • We're still talking about Snowden. This is the reason.

    • At this point I suspect Snowden has become a bit of an Emmanuel Goldstein. Any leakers who want to get their stuff out with some modicum of safety just need to get it to one of the usual suspects in the media, if the latter are willing to play the game (this does violate normal journalist ethics, then again this is not a normal situation). The leak can then be ascribed to "Snowden".

      3 replies →

  • Imagine you come into possession of tens of thousands of documents covering material and terminology that you barely understand. That is going to take months to work through, even before you consider that you would want to keep access to the documents/information limited to a small group of people that could help you work through it.

  • Here's an argument: assuming the worst suspicions, Google and the others are complicit in PRISM, so they deserve our scrutiny here. If this one were dumped at the same time, since Google was blindsided by this, people might forget to scrutinize Google for a while.

  • Probably because there was just too much information to make sense of all at once. So they just let out little at a time of what they understood to be verifiably and properly true.

    Of course the cynical view that they held on to it to make some ad-money is not altogether wrong either, just unlikely to be accurate.

  • > is it to preserve traffic by keeping the click-gravy-train going?

    If that were their intent, I would expect them to release slightly faster, at least one significant document per week.

Wow.

Years ago, I remember reading Richard Stallman's "How I do my computing"[1], an essay in which he explains why he usually does not connect to any websites from his own machine, downloads web pages from a headless browser running in some server, does not have any user accounts for any web applications, does not buy anything over the Internet ever, does not use any social networking sites, and otherwise abstains from using the Internet like most normal human beings.

"Jeez, that's way too paranoid," I remember thinking.

It turns out Stallman was just (far) ahead of his time -- as usual.

--

[1] http://stallman.org/stallman-computing.html

  • > It turns out Stallman was just (far) ahead of his time -- as usual.

    Indeed, and it was always obvious if you took security seriously instead of regarding it as a game of probabilities and trade-offs where convenience wins.

    As we are being pulled very strongly towards a future where everything and everyone is connected all the time, we should really consider such radical approaches again and how to make them more convenient for "normal" people.

  • Any amount of paranoid ridiculousness can be justified after the fact by some sort of big incident. It's how we justify the PATRIOT act after 9/11 and how one might justify Stallman's actions after the NSA leaks. That doesn't make it any less ridiculous to go to such radical measures.

    We could just shut off the Internet entirely and force everyone to walk around naked lest they strap a bomb to themselves.

  • > Jeez, that's way too paranoid

    Of course it is, it's ridiculous. What the NSA is doing is despicable but why would that keep you from creating a user account or viewing a webpage from your computer?

    • Because some users do not have the privilege of doing even such rudimentary tasks, without the danger of being persecuted, prosecuted or worse by the tyrant regime they happen to be living under.

      2 replies →

  • > It turns out Stallman was just (far) ahead of his time -- as usual.

Indeed, maybe more so than we think. I remember hearing he didn't have a cell phone either.

If that graphic - that taunting smiley face, drawn when it was assumed that no one was watching - isn't enough to outrage the general public, I don't know what it will take. This is not super technical - it's easily explained and should be easily understood by the masses. And it should cause outrage.

  • You know what would outrage the public? ESPN being shut down. Most people do not actually care about their privacy. Even if everyone had the technical chops needed to understand what has been happening, most people never spend much time contemplating the importance of privacy rights.

    • > people do not actually care about their privacy

      This is 100% accurate, I've attempted to aggressively promote privacy tools well before the NSA/Snowden stuff among the people I know. They still don't care to use simple things like OTR with IM. They might use it for one week, and switch back.

      Journalists/tech sites love making this seem like the biggest deal in society right now, but hardly the case in reality.

I'm not sure if it's an intellectual/knowledge gap (lack of technical knowledge), laziness, lack of good design in crypto tools, or just generally not caring about their privacy (until it comes to hit them in the face).

      9 replies →

    • > You know what would outrage the public? ESPN being shut down.

      No better way to state it. Our government is fucking us with our pants on but we're too distracted (by people getting paid hundreds of millions of dollars to throw a fucking ball around) to care.

      8 replies →

    • You know what would outrage the public? Having any of this affect them directly in any tangible way. It doesn't. So they don't care.

    • People deal with risk every single day in various forms. How can you expect a person to care about the risks a lack of privacy theoretically provides, when they're already not caring about the risks texting and driving pose? It takes laws to get people to stop texting while driving, and even then they don't really stop.

  • It should, but it probably won't.

    But the smiley is particularly infuriating, because it embodies the mindset behind this domestic spying: "we're better than you, we're smarter than you, and you can't do a damn thing about it, peons."

    • > "we're better than you, we're smarter than you, and you can't do a damn thing about it, peons."

      What if that is actually true? I know it's a repulsive angle to think about, but is it possible? Maybe we've hit on a fundamental flaw in democracy and democratic-like political systems here. Maybe Plato was more correct than we'd like to think.

      1 reply →

  • If people were going to get outraged about that, they would have burned the country to the ground when they learned that several NSA operations were given Civil War battles for codenames. You know, the only war where Americans have ever been our own enemy.

  • Where you see a taunting smiley, I see a developer who's just happy to have made a breakthrough on his project.

    • His abhorrent project. This is not something to be proud of. Being a professional means answering to a set of ethics before acting like a kindergartner who's proud of his macaroni picture.

      1 reply →

    • Makes me think about the guys who built the atomic bomb -- people doing [potentially] amoral things because they find the problems they're solving more fascinating than the practical implications.

  • I actually assumed and tried to verify really hard that that was the original slide and not "artists concept". I just can't believe someone would present that. Beyond the hubris (which is literally unbelievable ref first sentence for my disbelief), it's just unprofessional and childish.

Periodically, especially when a new report like this one comes out, I like to go back and watch the original Snowden interview (http://www.youtube.com/watch?v=5yB3n9fu-rM) and reflect on the differences between what we knew vs what we now know. When I first watched the video, it brought tears to my eyes and I try to remember that so I don't get desensitized to the magnitude of these revelations. I respect the man more and more everyday.

Meta remark, somewhat snarky: I would like to know at what point do all the HN'ers making fun of those libertarians among us concerned with security -- I believe over a period of months we were called "tinfoil hat types" and worse -- come back and offer us an apology.

I am not holding my breath.

(Although it's a snarky comment, I didn't make the comment just to snark. The point was to point out that over and over again, the folks who are concerned about government encroachment are made fun of, put down, and lampooned to a great degree. More often than not, these concerns turn out to be true. In most cases this happens long after the debate has died down. This is an important lesson from history that we all would do well to learn. This story has a lot more facets to it than just the NSA/USA angle)

  • As someone who routinely makes fun of libertarians, let me assure you this is not what we (or I) make fun of libertarians for. Lots of progressive-oriented folks I know are at the forefront protesting these things. Hell, Richard Stallman -- the man who's been all about resisting the cloud even before a lot of us were born -- is a self-alleged Green Party affiliate.

  • It matters not that you were right, but why you were right. If someone says they knew about the NSA taps because they were in cahoots with aliens, obviously they don't get credit.

    I don't know what your politics are in general, so I can't criticize them.

    But, in my experience, American capitalist libertarians are - in general - united not by a love of liberty, but a hatred of government. And that narrative, I think, does not have much predictive power. It vaguely fits the NSA case, but is harder to sustain when it comes to things like socialized medicine.

    P.S. That said, I've learned a lot from libertarians, especially in their skepticism; sometimes doing nothing is the best strategy and sometimes the existence of a government agency is the problem. And it's inspired me to read authors like Hayek, who I respect a lot. But the modern movements seem to be more inspired by Rand than Hayek. Rand's narrative is that government is a conspiracy by the weak to oppress the strong, which I find ludicrous.

Gen. Keith Alexander, asked about it at a Bloomberg event, denied the accusations.

"I don't know what the report is," Alexander cautioned, adding the NSA does not "have access to Google servers, Yahoo servers." He said the NSA is "not authorized" to do this, and instead, must "go through a court process."

http://www.politico.com/story/2013/10/keith-alexander-nsa-re...

  • That's a potentially perfectly accurate statement that doesn't in any way refute the story. The leak indicates they have access to the fiber lines between datacenters, not the servers themselves.

  • Since he seems to be a pathological liar, how about some waterboarding to help his memory? I'm sure we could clear up any misconceptions about the NSA's activities quickly with this officially-sanctioned (at least by former officials) method of "interrogation", which the US has applied many times in the past (allegedly with great success and little regret).

    • Don't waterboard him, and he'll tell you whatever he wants you to hear. Waterboard him, and he'll tell you whatever you want to hear.

      Questioning him, under any circumstances, is useless. We need to get rid of him instead, and perform an independent investigation. However the circumstances under which such an independent investigation would be useful are limited. When East Germany started to fall, the Stasi started shredding everything they could get their hands on; organizations like this don't allow evidence to survive.

  • Nothing he said actually responds to the allegations.

    • Specifically, he denies direct NSA access to the systems, and says that NSA would need to use a court process to gain such access, but the report is that the UK's GCHQ is actually tapping the systems and the GCHQ is sharing the captured data with NSA.

      1 reply →

  • While they might not have access to the "Google servers", it now is almost certain they have access to the "Google network" (i.e. fiber cable access). As seen in previous reports, intercepting sea fiber optic traffic between continents seems something the NSA has mastered...

    • > while they might not have access to the "Google servers", it now is almost certain they have access to the "Google network" (i.e. fiber cable access).

      If the article is correct, the NSA does not have that. What they have is an agreement that they can submit search terms and get matching data from a system operated by their British counterpart, GCHQ.

      It is GCHQ who, per the article, has a direct tap somewhere inside Google's unencrypted datacenter-to-datacenter communications network.

      1 reply →

  • A lot hinges on the definition of "servers" being used. And how the question was put to Alexander. If there's even one alternate interpretation he can say No. Another non-denial denial. He is talking at lawyer-level now. This level of detail is not present in the Politico story.

    Not that he would say Yes if we asked in the right way!

I hope that this finally convinces everyone that it doesn't matter whether Google is "Evil" or Yahoo is more evil or whatever. What matters is that large cloud systems are fundamentally incapable of protecting data.

Even the most goodhearted and the most talented teams can't reliably defend against a massively funded adversary.

Secrets are for keeping, not sharing.

  • > What matters is that large cloud systems are fundamentally incapable of protecting data.

    I don't believe that's true.

    1. Google (and others?) is already aggressively increasing the amount of encryption it does on traffic between its datacenters. So they have been addressing this problem before it was even brought to light.

    2. We easily have the encryption abilities to do many more things than we do with secure cloud data; we'd just have to pay more for it. For instance, I can encrypt everything the minute it leaves my laptop, store it in the cloud, and not decrypt until it hits my laptop again. Nobody but me ever gets the secret key (heck, it could be a one-time-pad and thus unbreakable). If I trust the cloud computers themselves, then I can store different secret keys on each and use strong public-key encryption to protect all traffic between different machines in the cloud, and between my machine. Breaking the system requires compromising a machine, and even then you only get the key for that machine.

    3. In theory, fully homomorphic encryption could allow the best of both worlds above. I completely encrypt my data on my machine --- nobody else has the key --- then send it into the cloud where cloud companies can do operations for me like searching, sorting, filtering, etc, all without ever decrypting the data or learning what it is. They send me back the results (securely), then I decrypt. Of course, right now this would be massively slow and expensive, but progress is being made.

    Naturally all of the above are subject to the "5-dollar wrench" rule or the "secret court/FISA/warrants" rule. You cannot protect your data from the people making a law that says "give up your data". But it is technologically possible and even feasible to secure data from the NSA's snooping. The tradeoff is cost and time.

    • If you used a one-time pad before storing to the cloud, you'd either need to store the very same pad on the cloud, effectively not needing encryption, or you wouldn't need the cloud, as the amount of encrypted data would match the amount of pad data one to one.

      And homomorphic encryption is still far from being practical.

      5 replies →

    • > In theory, fully homomorphic encryption could allow the best of both worlds above. I completely encrypt my data on my machine --- nobody else has the key --- then send it into the cloud where cloud companies can do operations for me like searching, sorting, filtering, etc, all without ever decrypting the data or learning what it is.

      Can you explain this to me? I don't understand how you can search encrypted data.

      5 replies →
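
The question just above (how can the cloud search data it cannot read?) and the earlier point in this thread about encrypting everything the moment it leaves the laptop both have a simpler, deployable answer than fully homomorphic encryption: a blind index. The client keeps two keys, seals each record with AES-GCM, and attaches an HMAC of each keyword; the cloud stores ciphertext plus those opaque tokens and answers a query by comparing tokens, never by decrypting. This is an added example in Go, not code from any commenter or from Google; the Client and CloudStore types and the three sample records are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Client holds the only copies of the keys. They are random here for the
// example; a real client would derive them from a passphrase or hardware token.
type Client struct {
	gcm      cipher.AEAD // AES-256-GCM for record contents
	indexKey []byte      // HMAC-SHA256 key for keyword tokens
}

// StoredRecord is all the cloud ever sees: ciphertext plus opaque keyword tokens.
// The token set leaks how many distinct words a record has, not which ones.
type StoredRecord struct {
	Nonce, Ciphertext []byte
	Tokens            map[string]bool
}

// CloudStore stands in for the hypothetical untrusted cloud: it holds no key.
type CloudStore []StoredRecord

// Search is the cloud-side operation: compare tokens, never decrypt.
func (s CloudStore) Search(token string) []StoredRecord {
	var hits []StoredRecord
	for _, r := range s {
		if r.Tokens[token] { hits = append(hits, r) }
	}
	return hits
}

// NewClient generates both keys and prepares the AEAD once.
func NewClient() (*Client, error) {
	key, indexKey := make([]byte, 32), make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	if _, err := rand.Read(indexKey); err != nil { return nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Client{gcm: gcm, indexKey: indexKey}, nil
}

// token maps a keyword to a pseudorandom tag. Without indexKey the cloud can
// neither invert a tag nor test guesses by hashing a dictionary of words.
func (c *Client) token(word string) string {
	m := hmac.New(sha256.New, c.indexKey)
	m.Write([]byte(strings.ToLower(word)))
	return string(m.Sum(nil))
}

// Encrypt seals a record on the client and tags it with one token per word.
func (c *Client) Encrypt(plaintext string) (StoredRecord, error) {
	nonce := make([]byte, c.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return StoredRecord{}, err }
	tokens := map[string]bool{}
	for _, w := range strings.Fields(plaintext) {
		tokens[c.token(w)] = true
	}
	ct := c.gcm.Seal(nil, nonce, []byte(plaintext), nil)
	return StoredRecord{Nonce: nonce, Ciphertext: ct, Tokens: tokens}, nil
}

// Decrypt runs on the client only; GCM also rejects tampered ciphertext.
func (c *Client) Decrypt(r StoredRecord) (string, error) {
	pt, err := c.gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
	return string(pt), err
}

// SearchPlain is the end-to-end flow: the client tokenises the query, the
// cloud matches tokens, the client decrypts the hits.
func (c *Client) SearchPlain(s CloudStore, word string) ([]string, error) {
	var out []string
	for _, r := range s.Search(c.token(word)) {
		pt, err := c.Decrypt(r)
		if err != nil { return nil, err }
		out = append(out, pt)
	}
	return out, nil
}

func main() {
	c, _ := NewClient()
	var store CloudStore
	for _, doc := range []string{"notes about the budget", "travel plans to Utah", "Budget v2"} {
		r, _ := c.Encrypt(doc)
		store = append(store, r)
	}
	fmt.Println(c.SearchPlain(store, "budget"))
}
```

What the cloud still learns is the known cost of this approach: which stored records matched which (opaque) query, how often each token is queried, and how many distinct words each record carries. That access-pattern leakage is exactly what fully homomorphic encryption avoids, at the much higher cost the thread mentions; the blind index trades it away for something that runs today at ordinary database speed.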

  • Well, I don't think it's that easy.

    If the NSA wanted your data, they could get into your network probably easier than they could get into Google's networks. Companies like Google have way smarter people (and working full time) securing data than most businesses.

    For us to secure our networks as much as someone like Google would, we'd have to have a team of the best hackers around.

    And by definition, the best hackers around are scarce. They're already working for Google, etc, and X Y Z security company.

    • Google may have better security, but they're also a much, much larger target. Wiretapping Google gives you access to the private data of Google's millions and millions of users, whereas gaining access to my network gets you access to… me. As long as there's a non-trivial fixed cost to attacking a host or a network, there's an advantage to hosting your own data.

      While it's possible that the NSA has a system to automatically detect and wiretap hosts and private networks connected to the internet, it seems unlikely to not have been detected so far. I've taken to assuming that every packet sent and received from my servers is being monitored, but that, barring specific interest in me by the NSA, the servers themselves are reasonably private.

    • Not exactly. Think of this analogy: the NSA built an enormously expensive sieve net to fish the entire Pacific Ocean (Google). While the Pacific may be deeper and wider than your innocuous little lagoon, that lagoon probably hasn't attracted the attention of the NSA. If you think the attention of the NSA is going to be a problem for your dealings, hiring very expensive security talent is necessary to your business plan.

      1 reply →

    • You'd think that but that's not actually true. Google's infrastructure is way too big to be completely secure. There are several ways to penetrate Google's network.

      I know some of the people in the security team and they are pretty good, but arrogance will be their undoing.

      Google has an internal team called the Orange Team that performs security audits and, so far, they have always been successful in penetrating Google's network. If they can, what makes you think the NSA hasn't done that already?

    • .. and then Google gets a letter with a request from the government, opens its data-centers and lies to its customers. It's not that easy your way, either..

    • "They're already working for Google, etc, and X Y Z security company."

      And the NSA, apparently.

I think this is the endgame for network security; I don't see a way out -- the Sony Rootkit[1] should have been the point where I realized it, but it is just sinking in for me now since the Snowden NSA leak.

Any network connected computer will be running an OS+Applications which are typically a gigabyte or more. This is produced by companies which are beholden to a nation state, and the companies can be coerced[2] or compelled[3] to use the software against the user. The software is also constantly being probed for vulnerabilities, which can also be exploited by law-enforcement / military [4][5].

So, if you turn on auto-update you have to trust the software maker is not being coerced by someone, or being compelled by a secret court to trojan you. If you don't turn on auto-update you can still get trojaned by any vulnerability. Lose-Lose.

[1] Sony Rootkit: http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...

[2] Qwest CEO Nacchio's claims: http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/30...

[3] FISA court

[4] German Govt. Trojan from 2011: http://www.spiegel.de/international/germany/the-world-from-b...

[5] FBI's TOR trojan injection: http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi...

  • Agreed. What's funny is we're wondering why people who still buy stuff from Sony don't seem to get outraged about the NSA.

    Nobody ever cares about this stuff until it is way too late.

> The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process.

1. Spy on whatever the hell you want without benefit of warrant.

2. Discover something interesting.

3. "Parallel construct" a way that the information could have been legally obtained.

4. Get a warrant based on the parallel construction.

5. Profit.

  • It's parallel construction all the way down. Discover via extralegal, point mass-capture in that direction, sniff out and send to 'legal' 702 or 215 databases, hint to FBI/DEA buddies, get normal warrant, and now you've got your criminals!

    In that way, killing the 702 or 215 powers really wouldn't do that much, because they can just derive their parallel construction from elsewhere.

I don't see how the pretense that the NSA actively avoids snooping on U.S. citizens can be seriously maintained after this revelation. It's becoming increasingly clear that intelligence agencies want the ability to access all data created directly or indirectly by an arbitrary cyberspace target on demand and will shop around for the "best" (e.g. weakest link in technology and/or legislature) nook of the net to snoop at.

This seems like a good time to remember that Google has been storing wifi access passwords in plain text on its servers, and (presumably) passing them between its data centers.

It can be assumed that as a consequence of Google's decision to store passwords in plaintext, the NSA now has access to every wifi access point that has been used by an Android device.

This is a massive security breach. I sincerely hope Google notifies Android users of the problem.

  • The more I see stories like this, the more I wonder why there aren't tools out there that complement something like 1Password, LastPass or KeePass by rotating passwords for all your devices programmatically. More devices should support SSHing into them for password rotation or some API for frequent password rotation.

    e.g.

    Here's the password for this router, rotate this key every X days, upon rotation, connect to the computers of friends X, Y and Z to notify them of the password update.

    I imagine such a system would require two passwords, one to change the password so only one device is responsible for rotation and a second to share with others so they can access the computing resource in question.

    Alternatively, every device should function with individual passwords for every user. I still get frustrated that wifi only offers one password and doesn't give you the option to give out one password per user. Future wifi protocols should permit a user to try to connect to a wifi and wait until someone approves their access. Approval could be done by visiting the router's IP address and granting access through some form that shows which clients are requesting access at that point in time. Furthermore, the way in which a computer requests access to wifi could be accomplished by having that computer submit its SSH public key to the router.

People will no doubt come on this thread and remind everyone that of course the government always had access - you must have been a fool not to think so. But I just cannot get over how angry it makes me. Honestly I thought that using Google products with some exploitation of the contents for advertising was an acceptable exchange. This is just a total betrayal and I cannot believe that the Google board is not aware of this! And if it is not, it is because they choose to be!

  • This might be a good time to go back and look at what you said to all those cypherpunks who kept talking about the need to build security into Internet protocols from day 1. Whitfield Diffie had pointed out this problem -- that online services could violate user privacy without any technical barriers -- in the 1970s and pointed to it to motivate public key cryptography. Throughout the 90s and 00s people were saying that we should be deploying cryptography more widely, yet these arguments were largely ignored or dismissed.

    So really, this is not about the government. Rather it is about the inherently insecure design of today's email, IM, payment, and social networking systems. While the cryptography research community and the hacker community have proposed numerous solutions, few have worked to deploy such solutions. Worse, many hackers and computer scientists have actively worked against such deployment by building businesses that are monetized by violating user privacy.

    Before talking about your anger, take a moment to think about what you were saying to people 5, 10, or 20 years ago when this topic came up (I am speaking to everyone now, not just jimparkins).

    • "You cannot acquire experience by making experiments. You cannot create experience. You must undergo it." - Albert Camus

      The cypherpunk "2.0" generation is here. The adversaries are definitely way more resourceful and ten steps ahead now. So there may be some value in looking back with regret. But it's never too late.

      1 reply →

Is that an official document with an actual smiley face?

What ever happened to the admins / programmers standing up for what is right, or do they just gobble down a paycheck and turn the other way?

  • This question implies they know what they're doing is wrong.

    If they think they're protecting their country---including their families and friends---then it's easy to imagine how they wouldn't have a problem with this.

  • It's not just that either. They seem to enjoy it and think that this is a game. If you're going to violate our basic rights, at least take it seriously, guys.

    • This presumes that those developers are building these systems to go after "our basic rights", instead of believing that they are helping to target terrorists and enemy states.

      What gets lost in a lot of the (justifiable) NSA outrage is the fact that they want all of this technology to enable surveillance of terrorists who use the Internet just like ordinary Americans do. There is really no evidence so far that this massive surveillance apparatus is being used in a widespread way to abusively target Americans.

      Being able to intercept online communication between terrorists and foreign governments in a way that collects zero communications of Americans seems like a really, really hard task.

      5 replies →

  • Because people compartmentalise and so for engineers this is most probably not a political thing but just an interesting difficult problem that is fun to work hard on.

  • Privacy issues aside, getting paid to hack into big important systems sounds like it could be a job many people would enjoy.

  • > Is that an official document with an actual smiley face?

    It's only HN that pretends there is no feeling in professional work.

    • It's the "professional" designation that's the problem. Once you say someone is a "professional," that means that they are part of a "profession," and that they answer to the ethical standards of that profession.

      Sadly, we have doctors force-feeding people at Gitmo, so it's not terribly surprising that there are counter-professionals at the NSA.

It's kind of shocking that they haven't been encrypting all internal inter-datacentre connections to begin with. Even if they didn't suspect NSA snooping, there are enough companies and criminals out there that'd conceivably have a lot of reasons to want to try to find ways to tap Google's links.

You know, one thing I'm sure (hope) will come out of this is that enough people in the public should be sufficiently outraged at this that we start making some private sector headway in the data security race and perhaps we'll end up with some actual secure products by companies that aren't under the "jurisdiction" of U.S. policy, instead of those that just say they're secure but fall flat on their face when it comes to something as trivial as an NSL or an order for a pen register. If they were really secure, then these things wouldn't make the slightest difference.

Offtopic, but there's a problem on this site with this kind of story now. I'm not sure if it's the flamewar detection, or flagging, or some other automated system, but stories like this which are very popular and not remotely a flamewar, but an interesting discussion, are disappearing off the home page too fast in my opinion. This is a topic that will define a generation's attitude to technology and the internet, and is particularly pertinent to Silicon Valley.

Yet this morning this story went from top of the page:

14. NSA infiltrates links to Yahoo, Google data centers worldwide (washingtonpost.com) 1395 points by nqureshi 15 hours ago | flag | 533 comments

To behind stories like this:

12. Java Virtual Machine in pure Node.js (github.com) 232 points by binarymax 16 hours ago | flag | 129 comments

I'd be interested to know the reason, and perhaps whatever algorithm is voting this down could be adjusted, because it's clearly not working?

  • Going out on a limb here because this does not make sense to me either. But maybe this has something to do with the fact that the valley built all of the software used to support this, quietly invested in it all in 2010 for undisclosed amounts at least in the tens of billions and approaching or exceeding 100 billion, and the money doesn't want it on the front page of one of the most popular news sites?

    By money I mean this money that keeps its actions shadier than the NSA: https://angel.co/emc https://angel.co/emc-ventures

  • I came here and read some comments because I was wondering the same. Previously when something got >1k points, it would stay on the homepage at least a full day. Now it's almost off the front page with ~1.5k points in 22 hours.

So does this suggest that Google's SSL encryption can be removed just as easily as that smiley face implies?

If this is true my next question would be does NSA have access to the keys or are they removing encryption in some other more technically involved way?

  • > So does this suggest that Google's SSL encryption can be removed just as easily as that smiley face implies?

    Well, yes, if you are Google. The removal of SSL is done by Google's own front end servers at the boundary between the public internet and Google's own network, and Google's own network (including its private datacenter-to-datacenter fiber connections) is apparently not encrypted (which saves compute overhead.)

    The revelation in the article (assuming it is correct) is that the GCHQ is taking advantage of this fact to evade Google's move to encrypt user-to-Google connections by simply tapping Google's datacenter-to-datacenter connections and (as well as whatever use GCHQ itself makes of the captured data) providing the NSA the ability to provide search terms that are matched against the captured data, with matching data fed from GCHQ to the NSA.

    (This neatly also avoids any US legal limits on domestic electronic surveillance by the NSA, since, first, the surveillance isn't conducted by the NSA or any other US agency, and, second, it's presumably not physically conducted in the US at all.)

    • Tell me if I understand this right: Google thought it was okay to not encrypt that 'internal' traffic, because even when trans-continental, that traffic was on 'private' Google fiber carrying only Google traffic, not the public internet. It was theoretically on a network that only Google had access to.

      That's why it seemed okay not to encrypt it, right? (Otherwise, I don't know why Google would have thought it didn't have to encrypt it).

      But the NSA managed to tap into this 'private' fiber anyway, perhaps with the cooperation of the actual telecoms that run it?

      Do I have that right?

      1 reply →

  • The spies tap the side where there's no encryption. SSL encryption is by Google's design removed by Google at the point marked with the smiley face.

    The trick is that Google has to move a lot of data between their own servers on the different locations (even different continents) and that traffic is not encrypted. That's why "Two engineers with close ties to Google exploded in profanity when they saw the drawing." It was that easy.
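
The point made in the comments above (TLS ends at the front end, and the hop between data centres then runs in the clear) has a direct engineering answer, and it is the one the thread elsewhere notes Google was moving toward: run the internal hop over TLS too, with certificates issued by a private CA that both ends pin to, so a passive tap on the fibre sees only ciphertext and an active one cannot impersonate the far end. This is an added example in Go, not code from the thread or from Google's infrastructure. The service name, the throwaway in-memory CA and the local echo "backend" are constructed for the illustration; a real deployment would keep the CA key offline or in an HSM and issue short-lived leaf certificates from it.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical service name for the example; nothing here is Google's setup.
const backendName = "storage.dc2.example.internal"

// newCA makes a throwaway private CA in memory (constructed for the example).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the private CA sign a server certificate for the backend.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: backendName},
		DNSNames:     []string{backendName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil { return tls.Certificate{}, err }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Exchange sends msg over TLS to a local echo "backend" and returns its reply.
// The client trusts only trustedCA, so a server presenting a certificate from
// any other issuer (a public CA, a forged cert) is rejected before a single
// application byte crosses the link.
func Exchange(serverCert tls.Certificate, trustedCA *x509.Certificate, msg string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // the backend: read one line, echo it back
		conn, err := ln.Accept()
		if err != nil { return }
		defer conn.Close()
		if line, err := bufio.NewReader(conn).ReadString('\n'); err == nil {
			fmt.Fprint(conn, "echo: "+line)
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    pool,        // pinned to the private CA, not the public CA system
		ServerName: backendName, // checked against the leaf's DNS SAN
		MinVersion: tls.VersionTLS12,
	})
	if err != nil { return "", err }
	defer conn.Close()
	fmt.Fprintln(conn, msg)
	reply, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil { return "", err }
	return strings.TrimSuffix(reply, "\n"), nil
}

func main() {
	ca, caKey, err := newCA()
	if err != nil { panic(err) }
	leaf, err := issueLeaf(ca, caKey)
	if err != nil { panic(err) }
	reply, err := Exchange(leaf, ca, "user record 42")
	fmt.Println(reply, err)
}
```

Two design choices carry the security argument. The client's RootCAs pool contains only the private CA, which is the certificate-pinning idea from the top of the thread applied internally: a compromise of the public CA system buys an attacker nothing on this link. And ServerName is checked against the leaf's SAN, so a valid certificate for some other internal service cannot be replayed to impersonate this one. Adding a client certificate and ClientAuth on the server side would turn this into mutual TLS, which is the usual shape for service-to-service links.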

Few people said you can't fight Google with an NSL or force them to do anything because it has $50B in cash.

Easy: Just start an anti-trust investigation - a fed lawyer can drag Larry Page and Google's top level managers into federal court every week for the next 5-10 years. Go through every email about iPhone, Android, Bing in the past, and force-monitor every single biz decision Google will try to make for the next 10 years.

Apple, Samsung, Microsoft, Facebook would love to help out the government(s) in this.

Larry will get so sick of it that he would think giving out billions to kill mosquitoes in Africa/India is a lot more fun. - Remember Bill Gates?

Google will never do it, but they should drown the NSA in bullshit data. So much so it literally chokes the NSA's ability to spy on Google's services.

Google is one of the few companies that could pull it off. They have $56 billion in cash and nothing to do with it apparently. They generate $12 billion in profit annually and growing.

They have more financial resources, computing power, and brain power than the NSA does, and they're one of the few companies on earth that can say that (the only?).

A billion a year thrown at choking the NSA with a flood of data, I'd argue, would work extraordinarily well.

The NSA has a substantial budget (but how much spare budget?), but I don't believe they could afford the processing and storage costs that can be generated from a billion dollar per year effort of bogus data spewing (particularly if Google matches it with a dramatic effort put toward encryption R&D to multiply the cost the NSA suffers significantly more than just basic processing & storage costs).

The NSA's grand new data center in Utah cost billions and will have taken years to build. Google could probably force them to attempt to build a new one every single year forever, particularly given how bloated every effort by the government is and how easily Google could generate 'infinite' volumes of data. Google should pro-actively help Yahoo, Facebook and others out in teaming up to drown the NSA.

The biggest threat to Google is the NSA. Google should act accordingly. Just as they would react with financial investments to any other competitive threat.

  • A better use of all that money would be to play the lobbying game the enemies of freedom so effectively play.

    This is the thing I completely fail to understand. If all these huge tech firms with all this cash really care about privacy, people, US reputation, etc, then why are they not pouring their money into politics like, say, the weapons manufacturers do? Why aren't they "buying" politicians?

    • I think a more sensible use of the money would be to 'fix' the ability to buy whatever legislation you want. It's really not a democracy any more when those wealthy enough can buy whatever legislation they want.

      1 reply →

  • The NSA could, however, get a law passed for like $1M that makes this practice illegal, if it isn't already.

  • The portion of Google's operation that NSA is tapping is already tiny. This article claims they got 181 million "records" of all kinds in a month. That's nothing! Google claims that Gmail has half a billion active accounts. You think each of those active accounts only sends and receives one mail every other month? Of course not.

    The NSA is clearly already drowning, or being selective about what they are getting.

Larry Page should step down as CEO.

It would never happen, as Google shares would drop like a bomb and give credence to the argument that the cloud isn't secure enough, but at least it would show that someone at Google cares.

It would create a landmark moment though; something that would spark more debate in both the media and with American politicians.

  • Do you have evidence that Larry Page or Google knew about this? How is the CEO of Google stepping down an adequate reaction to a something that Google doesn't seem to be behind?

    • I'm not putting any responsibility on Google's CEO that he didn't ask for when he became CEO - he is ultimately responsible for the company's actions. Leaving that amount of user data open to attack is unforgivable, regardless of who is "behind this" or how much he knew.

      Secondly, the alleged attack, however it happened, is not the reason he should step down. Larry Page stepping down is going to be really bad for Google, he is one of the finest entrepreneurs of our time, and a great technologist.

      He should do it to send a message.

      Will there ever be more evidence about what actually happened? Probably not, but a resignation by one of the most powerful CEOs in the world will get some serious attention in the wider debate on privacy.

      But like I said, the share price probably comes first...

  • Better yet: appoint a goat to be CEO and then ritually sacrifice it. Maybe write "Google Cares" on the side of the goat before killing it.

    I guarantee that would spark some interesting debate!

    • "Google: Don't be evil, to goats"

      Except that one we just killed. I think you're on to something.

Everyone in Silicon Valley is talking about this and the media has painted a picture of criminal undertaking by the NSA. A lot of this is just speculation that has been blown out of proportion. The only way the NSA could compromise private data centers without placing moles in their respective ops teams, is to sniff the traffic on the private DC to DC lines leased by the companies. Assuming they did this by overpowering the ISPs, they are still left with a ton of TCP/UDP packets which they need to reconstruct, decipher and schematize. Although DC to DC traffic is typically not encrypted, it is often compressed or transmitted as binary streams. There is absolutely no way the NSA would be able to make sense of the data without reverse engineering the innumerable communication protocols used and then using that protocol to decipher the packets. It is a lot more feasible to force a company to hand over data on specific users than it is to piece together user data using this packet sniffing technique. If the NSA really is wiretapping DC-DC communication, it's not because they are trying to build profiles on individuals. It's likely that they are using this raw data for keyword lookups. And, although I question its effectiveness, that is a level of surveillance I'm comfortable with.

  • I think you over-estimate the complexity of the data being exchanged between data centres and underestimate the capabilities of these well-funded agencies that can afford top-notch PhDs, developers, engineers, mathematicians.

    The article seems clear on the fact that they are able to reconstruct the data streams. It's not difficult to assume that most of the data-exchange protocols used are pretty standard or at least pretty stable, for instance Google use protobuf[1] for efficient binary exchanges, it's open source and well documented.

    Data is meant to be moved efficiently between data-centres and these companies had no reason to add any obfuscation (if that was the case, they would have already used encryption). There is no reason to assume that adversaries with deep pockets would not have the technology or know-how to reverse engineer these unprotected data communication flows.

    [1]: https://code.google.com/p/protobuf/

What makes me downright angry is the vehemence with which Google's Chief Legal Officer David Drummond denounces siphoning Google's own data. Secretly take our users' personal data, that's okay, but secretly take our data, which we make our billions off of, now that is un-American. Class, man. Real class.

Can anybody trust Google services anymore? It seems like it's pretty much a no-go at this point. Even if Google hands over select data from within their systems, it appears we cannot even trust that it makes it that far without being compromised.

Every business that can should be ditching their Google services right now.

  • For what, the magical service that can't be compromised by the NSA if it wants? At least Google has more resources to throw at the problem than a lot of other companies -- but really you can't trust anyone.

    • > you can't trust anyone

      That's become quite apparent. I just wonder if there's any solution, or if it's a mathematical certainty that communications are insecure.


“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,”

Interesting how agencies, corporations and alike have the collective maturity of children. A grown up will say to a kid "you can't play with fire with your friend" and the kid immediately will think "he didn't say I can't play with fire with my other friend".

As a software engineer just about to graduate from college, when I see drawings like that I just can't believe that people who know enough to draw something like that can actually do it without feeling like they are the definition of evil.

  • Why is it so hard to understand that there are intelligent people that honestly believe they're doing something that will ultimately benefit their country? People have done far worse in the name of a country or ideal.

    For people outraged over the apparent happiness of the people that tapped Google, I imagine they've never broken a system. A breakthrough on a project is extremely enjoyable. Finding that Google removed SSL is like testing an app and finding it doesn't sanitize inputs it passes to a shell script as root.

  • It sounds like the problem there is you are conflating the mostly unrelated ideas of how much technical knowledge someone has with how much their values will align with yours.

If I scroll the Reddit frontpage (without being logged in), I am not seeing any NSA stories, despite being on the top of /r/WorldNews, /r/news, etc. Anyone know the story behind that?

Funny thing is how many articles have been written about Chinese crackers, possibly funded by the Chinese government, trying to hack into big companies.

  • It's also funny how all these "anonymous government sources" suddenly became available when the subject was about someone else.

Can anyone explain what exactly is meant by "SSL added and removed here! :-)"?

  • It means that the Google Front End (GFE) server is where encryption/decryption of SSL happens, and that communication outside the GFE (e.g., Google->Client) is encrypted, while communication behind the GFE (internal to the Google Cloud) is clear text.

  • The implication is that there is no SSL from the front end web server to the back end data center, thus it is susceptible to snooping at that point.

    • Yes. It would be considered a private datacenter environment. Someone with DC access or in this case the ability to tap a closed fiber network can still attack it. This mostly applies to state actors.

  • [Edit: apparently, the decryption does not happen real time. Instead, the encrypted traffic is stored and decrypted later. Either NSA/GCHQ think the latency introduced by doing a full mitm with the private key would blow their cover, or they're using some algorithm that isn't fast enough for full mitm. The below is a bad interpretation.]

    My interpretation is that they've acquired - either via bag job or by unpublished algorithm - Google private keys, and are decrypting and copying traffic immediately before the Google Front End, then impersonating the client to the Google Front End. Presumably, the Google Front End is on Google premises, and Google would be aware of the warrant that let NSA install such a device behind the Google Front End, whereas the peering point in front of the Google Front End (or on the fiber to the Google Front End) would be on Telco premises, and we've seen the Telcos be all too eager to cooperate. Oh, except Qwest, where the CEO found himself in jail.

"Two engineers with close ties to Google exploded in profanity when they saw the drawing." seems hyperbolic. What does it even add to the article? Is it used to try and establish some credibility?

I don't understand why this is shocking (the photo- not the alleged spying)?

How are all of our elected officials "just finding out" about this stuff? Bullshit!

Our congressmen, senators, and POTUS are all "as surprised as you are!"(TM) about these allegations that keep coming out.

Obama doesn't know anything. Feinstein (who heads the Senate intelligence committee, and is briefed on the NSA's activity) knows nothing.

What's the difference between extreme incompetence and maliciously lying? I can't tell the difference.

  • I would even let them get away with that argument, but if they do use that argument, that means they should also be pissed off about these revelations, and realize that NSA has gone fully rogue, and they need to drastically rein it in. At least that's the logical conclusion from their argument.

    The problem is they want to have their cake and eat it, too. They want to get away with it themselves, but also protect NSA and their powers. We should call them out on their hypocrisy, and ask them to restrain NSA's powers if it's really a surprise for them, too.

Here, Google - show us how much you care about user privacy and security, and join Lavabit and Silent Circle's alliance for the "Dark Mail" protocol:

http://www.forbes.com/sites/kashmirhill/2013/10/30/lavabit-a...

Meanwhile I'll be waiting impatiently.

  • Actually, the real test will be whether Google and Yahoo file amicus briefs in Lavabit's appeal.

  • More promises to keep your information private, from people who already showed they are not competent to keep your information private. There is no reason Lavabit should have ever been able to disclose enough information to the government to get customers' messages.

Google is so good. Such a great concept. So much fun to use. A romper room. Such a bastion of talent and good people. Which is why this whole business is such a crappy disappointment. A guy sitting in a renovated girl's bathroom in London told us some time back that this was the case, that Google had dropped its original stance against "evil," but nobody took him seriously.

Reaction of Google’s chief legal officer, David Drummond, on the news. Sounds a lot more sincere than their previous denials (which proved to be lies forced by the law anyway).

"We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide. We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform." [0]

[0] http://www.washingtonpost.com/world/national-security/google...

SMTP (mail protocol) between providers is unencrypted anyway. So, if I send email from gmail to ycombinator, it goes to ycombinator SMTP server unencrypted and can be tapped by anyone with access to the wire. Still, clear traffic between Google's own data centers is inexcusable. They are exposing my data to more risk.

  • I thought you were wrong about that, but when I went looking for a source, I found out you're right. As of June, major email providers other than Google did not support encryption for inbound emails[1]. That's disappointing.

    Note there's no technical reason they couldn't. Also, Fastmail.fm, while arguably not really a major player, is an exception, supporting encryption on inbound emails since 2009[2].

    I just verified this via http://www.checktls.com. A later blog post in 2010 says Fastmail enabled it for outbound email as well. So mail sent from Gmail to Fastmail or vice versa is encrypted between the two providers.

    It's a start. I really thought I had read something about Microsoft enabling this on their email service, too, but I must be misremembering. All we can do is hope more big providers turn it on.

    1. http://news.cnet.com/8301-13578_3-57590389-38/how-web-mail-p...

    2. http://blog.fastmail.fm/2009/04/16/opportunistic-ssltls-encr...
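The check this commenter ran through checktls.com can be done directly, as an added example (not the commenter's code, and not part of the original thread) using only Go's standard library. It does two things: an offline parser for a raw EHLO reply, so you can judge a capture without network access, and a live check that looks up a domain's MX, sends EHLO and actually performs the STARTTLS upgrade rather than trusting the advertisement. The EHLO reply, the host `mx.example.test` and the address `192.0.2.10` are constructed sample values, not captured from any real provider.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"net"
	"net/smtp"
	"os"
	"strings"
	"time"
)

// Capabilities maps each extension keyword from an EHLO reply to its parameters.
type Capabilities map[string]string

// ParseEHLO parses a raw multi-line EHLO reply as seen on the wire (RFC 5321).
// Continuation lines read "250-KEYWORD ..."; the last line reads "250 KEYWORD".
// The first line carries the server greeting rather than an extension and is skipped.
func ParseEHLO(reply string) (Capabilities, error) {
	caps := Capabilities{}
	sc := bufio.NewScanner(strings.NewReader(reply))
	first := true
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		if len(line) < 4 || line[:3] != "250" || (line[3] != '-' && line[3] != ' ') {
			return nil, fmt.Errorf("unexpected EHLO reply line: %q", line)
		}
		if first {
			first = false
			continue
		}
		fields := strings.Fields(line[4:])
		if len(fields) == 0 {
			continue
		}
		caps[strings.ToUpper(fields[0])] = strings.Join(fields[1:], " ")
	}
	return caps, nil
}

// AdvertisesSTARTTLS reports whether the server offered to upgrade the session to TLS.
func (c Capabilities) AdvertisesSTARTTLS() bool {
	_, ok := c["STARTTLS"]
	return ok
}

// CheckInboundTLS is the live check: look up the domain's primary MX, connect on port 25,
// send EHLO, and if STARTTLS is advertised perform the upgrade, so a server that
// advertises it with a broken TLS stack is caught as well. Needs network access.
func CheckInboundTLS(domain string) (string, error) {
	mxs, err := net.LookupMX(domain)
	if err != nil || len(mxs) == 0 {
		return "", fmt.Errorf("no MX record for %s: %v", domain, err)
	}
	host := strings.TrimSuffix(mxs[0].Host, ".") // LookupMX returns names with a trailing dot
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, "25"), 10*time.Second)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	c, err := smtp.NewClient(conn, host)
	if err != nil {
		return "", err
	}
	defer c.Quit()
	if err := c.Hello("starttls-check.invalid"); err != nil {
		return "", err
	}
	if ok, _ := c.Extension("STARTTLS"); !ok {
		return "", fmt.Errorf("%s does not advertise STARTTLS: inbound mail arrives in plaintext", host)
	}
	if err := c.StartTLS(&tls.Config{ServerName: host}); err != nil {
		return "", fmt.Errorf("%s advertises STARTTLS but the upgrade failed: %v", host, err)
	}
	st, _ := c.TLSConnectionState()
	return fmt.Sprintf("%s: STARTTLS ok, cipher %s", host, tls.CipherSuiteName(st.CipherSuite)), nil
}

// sampleEHLO is a constructed reply for offline use, not captured from any real provider.
const sampleEHLO = "250-mx.example.test Hello [192.0.2.10]\r\n" +
	"250-SIZE 35882577\r\n" +
	"250-8BITMIME\r\n" +
	"250-STARTTLS\r\n" +
	"250 SMTPUTF8\r\n"

func main() {
	caps, err := ParseEHLO(sampleEHLO)
	if err != nil {
		panic(err)
	}
	fmt.Println("constructed sample advertises STARTTLS:", caps.AdvertisesSTARTTLS())
	if len(os.Args) > 1 { // go run . yourdomain.example  -> live check of that domain's MX
		msg, err := CheckInboundTLS(os.Args[1])
		if err != nil {
			fmt.Println("FAIL:", err)
			return
		}
		fmt.Println("OK:", msg)
	}
}
```

Note that STARTTLS as deployed is opportunistic: a sending server that sees no STARTTLS in the reply simply delivers in the clear, and an attacker on the path who strips the keyword from the reply gets the same result, which is why performing the upgrade and recording the outcome matters more than the advertisement itself.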

Aside from the indignation, I'd like to see proof that Google wasn't aware of this stuff. My guess is that it was approved as long as there was plausible deniability.

  • What proof would satisfy you? It seems like you're asking for something impossible to provide.

    • I'd need to see proof that the exploit (and operation to support it) was so sophisticated that Google reasonably could not have known.

      Since Google has been complicit in a good portion of Snowden's revelations, the burden of proof is on Google to satisfy its customers that it in fact drew the line at the earlier revealed level of complicity rather than the most recent one.

What strikes me most reading NSA related articles is that for Americans the problem here is not the global surveillance itself, but the domestic spying. Wtf? Is my anonymity and freedom less valuable just because I don't have a USA signed piece of paper? It's a serious problem that touches everyone who uses digital communications (pretty much every human being on the world nowadays) and such data collection should be illegal on anyone unless he's under a warrant or belongs to opposite forces during war times. I'm very sad and disappointed that EU leaders don't have balls to stand up for this.

  • I agree that non-US-citizens are endowed with the same fundamental human rights, including the right to privacy, as US citizens.

    However: 1) US citizens alone control the US government's actions, at least indirectly and in theory. NSA's domestic spying presents a threat to our democratic processes. NSA spying on US citizens is more dangerous than if they spied only on non-citizens, because it provides the NSA the means to control their ostensible masters--making any reforms to NSA's foreign surveillance operations impossible.

    2) In realpolitik terms, most Americans simply do not think or care about foreigners. Any bill that ends NSA's authority to conduct warrantless surveillance on foreigners is a non-starter in our current Congress. By first ending NSA's domestic surveillance programs, we actually have a shot at eventually ending NSA's unethical foreign dragnet surveillance programs. In other words: baby steps.

It seems the rest of the world is coming to the realization that they are merely conquered provinces in the US empire.

This degrades into comic book villain territory. Every admin's and developer's professional wet dream is to be able to capture, log and analyze every byte. To have unlimited processing power and storage.

And these people lived it ...

It's interesting that there's been little attention paid to what this genre of backbone/infrastructure tapping means for companies using content accelerators (or whatever they're called).

Considering what we now know about tailored access operations, I find it hard to imagine they've not used these abilities to subvert the auto-update functionality of virtually every product there is out there.

I.e. client requests auto-update from front-end server, update is switched and replaced before hitting the front-end server & being delivered.

  • That would seem to be a harder problem for the NSA. First, it has to be an active attack, modifying data in transit rather than merely siphoning it off — probably tougher to cover their tracks in that case. Second, automatic updates are presumably cryptographically signed by the publisher, so the NSA also has to steal or crack the private signing key. Third, how do you target the backdoored version of the software so certain groups/people get it and others don't? CDNs don't work that way.

    In the end, it seems much more practical to sneak a backdoor into the software at the source.

    • Whilst I agree with your point, I think an important question to ask is "harder compared to what exactly?"

      Cracking SSL? Weakening crypto standards? Tapping undersea fiber? MITM attacks?

      Given all those are used, I find it hard to believe the update vector isn't exploited. Sure you'd need to compromise the signing key first, but that's a single target allowing you the ability to subvert many more without the need for any breaking & entering or social engineering alerting intended targets/victims.

      I'll take my tinfoil hat off now.
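The exchange above turns on why an in-transit swap of an update fails unless the publisher's signing key is also taken. As an added example (not code from any commenter or from any real updater), here is the client-side check in Go's standard library that makes that true: the publisher signs a manifest binding a version number to the SHA-256 of the payload with Ed25519, the client verifies it against a key pinned in the binary before trusting anything in it, refuses versions that are not newer than what is installed, and only then compares the downloaded bytes against the signed hash. The key pair, version numbers and payloads are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the publisher signs. It binds a version number to the exact
// bytes of the update, so neither can be changed in transit without the
// signature failing.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedManifest travels alongside the update payload, e.g. through a CDN.
type SignedManifest struct {
	Manifest  Manifest
	Signature []byte
}

// canonical is the byte string that is signed and verified. json.Marshal of a
// fixed struct is deterministic, so publisher and client produce identical bytes.
func canonical(m Manifest) []byte {
	b, _ := json.Marshal(m)
	return b
}

// Publish runs on the publisher's build machine, the only place the private key lives.
func Publish(priv ed25519.PrivateKey, version int, payload []byte) SignedManifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return SignedManifest{Manifest: m, Signature: ed25519.Sign(priv, canonical(m))}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrHashMismatch = errors.New("payload hash does not match the signed manifest")
)

// VerifyUpdate runs on the client. pub is compiled into the client (pinned) and
// installed is the running version. Order matters: the signature is checked
// before any field of the manifest is trusted.
func VerifyUpdate(pub ed25519.PublicKey, installed int, sm SignedManifest, payload []byte) error {
	if !ed25519.Verify(pub, canonical(sm.Manifest), sm.Signature) {
		return ErrBadSignature
	}
	if sm.Manifest.Version <= installed {
		return ErrRollback // genuinely signed but old: a replayed release
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != sm.Manifest.SHA256 {
		return ErrHashMismatch // payload swapped between publisher and client
	}
	return nil
}

// RunScenarios plays four constructed deliveries against a client at version 2 and
// returns each verdict: a genuine v3 update, the v3 manifest with its payload swapped
// in transit, a replay of the old signed v2 release, and a v2 manifest whose version
// field was edited to 4 without access to the signing key.
func RunScenarios() (genuine, swapped, replayed, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := 2
	v2 := []byte("constructed payload for version 2")
	v3 := []byte("constructed payload for version 3")
	smV2, smV3 := Publish(priv, 2, v2), Publish(priv, 3, v3)

	genuine = VerifyUpdate(pub, installed, smV3, v3)
	swapped = VerifyUpdate(pub, installed, smV3, []byte("payload replaced on the path"))
	replayed = VerifyUpdate(pub, installed, smV2, v2)
	forgedSM := smV2
	forgedSM.Manifest.Version = 4 // edited after signing; the signature no longer matches
	forged = VerifyUpdate(pub, installed, forgedSM, v2)
	return
}

func main() {
	genuine, swapped, replayed, forged := RunScenarios()
	fmt.Println("genuine v3:      ", genuine)
	fmt.Println("swapped payload: ", swapped)
	fmt.Println("replayed v2:     ", replayed)
	fmt.Println("forged version:  ", forged)
}
```

The rollback check is the part most updaters forget: a signed but stale release is every bit as valid cryptographically, so "newer than installed" has to be enforced by the client, not by whoever serves the files.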

USSID18 is what should be talked about regarding these violations. The sooner people become more familiar with the laws in place to prevent this the better the outcome for all involved.

The denials over Prism never squared with the size and capability of the system that were outlined in the documents, unless I'm missing something here. Is it not possible that the court-ordered data releases were just one small part of the Prism program, with MUSCULAR and others filling the data that could not be obtained through the legal system? Prism is just the query interface, which is not necessarily tied to one dataset.

This makes the recent warning atop my personal gmail that "State sponsored actors may be trying to access your account" particularly ironic.

Would anyone else be interested in inserting a private version of a tracking pixel into each of their e-mails, so that you'd get a list of IP addresses where the mail was viewed back?

It would be interesting to see where mail was read versus where it is simply passed in plain text. Crowd-sourcing anonymous data might also allow us to determine which IP addresses belong to the NSA's systems.

"vice president for security engineering Eric Grosse announced that the company is racing to encrypt the links between its data centers. "

Isn't this useless?

They can serve Google NSL and the court can force the company to release the SSL keys for the encryptions - just like Lavabit. Google CEO/Board cannot shut down the company like Lavabit.

What can they do, get out of USA like how they got out of China?

  • > Isn't this useless?

    No.

    > They can serve Google NSL and the court can force the company to release the SSL keys for the encryptions - just like Lavabit.

    They can't do that without Google knowing about it, knowing what data is covered by the NSL and having the opportunity to challenge the request, or to factor the fact of the requests and the extent of information covered by it in evaluating Google's lobbying priorities.

    > Google CEO/Board can not shutdown the company like Lavabit.

    Well, it could (or, at least, it could recommend that course of action to the shareholders), but it's true that Google is differently situated than Lavabit -- specifically, Lavabit doesn't have ~$50 billion in cash it doesn't know what to do with that it could pull from for political action to address government policy that it felt severely threatened the way it prefers to do business, whereas Google does, which gives it options to address known actions by a government agency that it doesn't like.

    > What can they do, get out of USA like how they got out of China?

    Well, it's too big of a market for that to be a good first choice, but it's not impossible. Moving the headquarters, etc., would be easy, the hard part would be moving all their existing data centers and similar operations out of the US.

    If they wanted to do that with minimal disruption, they'd either need to build duplicate datacenters somewhere else and switch operations to those -- or, for less duplication, build a fleet of transport vehicles that could hold data centers, and piece by piece transfer their existing US datacenters into those transports.

    • I find it funny how many people say "x is going to move out of the US!". Upon doing so, x isn't protected from spying by the NSA at _all_, not even the flimsy toothless protections we have as US citizens under US law. Ostensibly, the entire _job_ of the NSA is to spy on foreigners, which you become when you leave.

    • BTW, a much simpler way to get the SSL keys is to send someone (or teams) to be employed by Google. (Like another big country probably did a while back.)

      Once inside, put in a few webcams, physical/virtual key loggers, a few lines of code (check in code with an extra ",", or "=" instead of "==" in the right place - just like a post about a Linux kernel security hack a while back) and the job is done.


    • > or, for less duplication, build a fleet of transport vehicles that could hold data centers, and piece by piece transfer their existing US datacenters into those transports.

      That must be what they're building in SF bay right now! It all makes sense now. Get Apple involved with their cash hoard and you could put the datacenters in space.

    • >or, for less duplication, build a fleet of transport vehicles that could hold data centers, and piece by piece transfer their existing US datacenters into those transports.

      Or, they could build data centers on barges and float them out of difficult jurisdictions. ;)

  • No it's not. The court system, even if it is rubber-stamp-y, provides way more visibility and accountability than secret and total access to Google's data via tapping data links.

    • The FISC is not visible or accountable to the public. NSLs must be kept secret by law. In other words, all courts do is provide the NSA with a minor speed bump when it wants to wiretap everyone.


  • Lavabit is small. Who did their shutdown directly affect? Imagine Google going down for a full day, even homeless people will raise pitchforks and march down to DC to protest.

    • I see it as just a simple power struggle between companies and government - China won the round against Google a few years back by kicking Google out completely.

      The power in US government would love the same leverage.

      They will get it eventually - start with NSA in secret, but slowly congress can pass the law and bit by bit....

      That's why FB and google are implanting the notions of "no privacy" in everyone's mind. Good for their business and also makes it easier to hand over the data to whoever governments/agencies in the future.

    • If you want to fight for freedom, but are too busy, take some of your startup lottery money and hire some underemployed folks to raise pitchforks and march on DC.

  • Note that the article makes the point that while the NSA can't compel companies to cooperate if they're not in the US, if they (or their data or data centres) are not in the US, NSA has much freer rein to use covert means to just take what they want.

    So getting out of the US would be insufficient (not that it would be a viable option anyway) - if moving out of the US, they'd also need to actually know their countermeasures are sufficient to prevent the NSA from just taking what they want.

I love how every quote from the NSA stresses that "we don't have access to their servers." Fine. Let's say they don't. But that means nothing in this context. If they can see every piece of data that is sent between servers at various Google data centers, they don't need access to the servers to gather a ton of information.

As of 1:41pm PST, there is no mention of this news anywhere on the front page of the NY Times website. There have been similar ...time lags... in the past when covering Snowden related news at the NYT. It's a shame one of the most important news sources in the US is so slow in their coverage, either intentionally or not.

  • The NY Times is not Reddit. They will check the story through their own sources before publishing. They're not just going to repost the Washington Post story.

    They're slow on Snowden stories because they do not have direct access to the Snowden documents, like the Guardian and WashPo do.

    • Of course the NY Times are not Reddit. Why are you even bringing that up?

      The AP, Fox News, NPR, PBS, CNN, LA Times, ... all have reported on the story in the Washington Post. The NY Times has not, and that's unfortunate. It's a major news event.

I get the feeling that people are outraged by this not necessarily for the fact that spy agencies spy on everyone they can, but that they do it in such a blatant, efficient, and all encompassing way.

I know I feel a bad gut reaction to the mass collection of data, but when you think about it that is exactly what a country wants from its spy agency, to know others' secrets. Hence they're doing the most optimal thing from the country's point of view. Therefore it is just the brazen scale, the automation of the whole operation, and the fact that it is now officially public that gives me (and us in general) the sick feeling.

Like the breakdown of forgetting (anything on the Internet is there forever), and the rapid dissemination of information through the social network (Facebook status etc), an adjustment needs to be made either in us or the system.

Why is this on the second page of news right now? Older stories with way fewer points are currently ranked higher. This story is 22 hours old with 1495 points. There are stories with 264 and 305 points that are older but are currently ranked just higher than this story, moving it to the second page of news.

“We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform,” he [Google's CLO] said.

reform... ha!

There's worse leaks to come. There are hardware-based backdoors in 90+% of the Tier1 routers. The whole Internet is basically bugged.

Now wait... It isn't surprising that inside the datacenters most traffic flows unencrypted, but not encrypting links between datacenters?

Well...

  • You can always encrypt on the client, so the Google data centers are just pushing encrypted blobs around.

    It makes life a bit more complex, but PGP can be used for mail and here's how to protect GDrive files: https://news.ycombinator.com/item?id=6644888

    Remember these revelations date from a year or two ago, who knows what they're up to now?

    • You can always encrypt on the client, yes. But it is surprising that an entity such as Google doesn't understand that links between datacenters have multiple points out of Google's control where traffic can be intercepted.
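What "pushing encrypted blobs around" looks like in practice, as an added example that is not from either commenter and not the linked GDrive method: the client seals each file with AES-256-GCM under a key it alone holds before uploading, binds the object name in as associated data so the provider cannot quietly serve one file's blob under another's name, and on download refuses anything that fails authentication instead of returning garbage. The key-storage question (keychain, passphrase, token) is deliberately left out; the document text, object names and the in-memory "provider" are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. It never leaves the client.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a file before upload. The object name is bound in as associated
// data, so a blob handed back under a different name fails to decrypt.
// Blob layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func Seal(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

var ErrCorrupt = errors.New("blob rejected: truncated, modified, or stored under another name")

// Open reverses Seal after download; any flipped bit or name mismatch yields ErrCorrupt.
func Open(key []byte, objectName string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, ErrCorrupt // too short to even carry a nonce
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(objectName))
	if err != nil {
		return nil, ErrCorrupt
	}
	return pt, nil
}

// Demo pushes a constructed document through a map that stands in for the provider
// (name -> bytes is all the provider, or a tap on the link to it, ever sees) and
// reports: does the stored blob leak the plaintext, does the honest download decrypt,
// is a bit-flipped blob rejected, is the same blob served under another name rejected.
func Demo() (leaks, roundTrip, tamperRejected, renameRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	doc := []byte("constructed sample document: quarterly numbers, do not share")
	store := map[string][]byte{}
	blob, err := Seal(key, "reports/q3.txt", doc)
	if err != nil {
		return
	}
	store["reports/q3.txt"] = blob

	leaks = bytes.Contains(store["reports/q3.txt"], []byte("quarterly"))
	got, e := Open(key, "reports/q3.txt", store["reports/q3.txt"])
	roundTrip = e == nil && bytes.Equal(got, doc)
	flipped := append([]byte(nil), blob...)
	flipped[len(flipped)-1] ^= 0x01 // corrupt one bit of the tag
	_, e = Open(key, "reports/q3.txt", flipped)
	tamperRejected = errors.Is(e, ErrCorrupt)
	_, e = Open(key, "reports/q3-old.txt", blob)
	renameRejected = errors.Is(e, ErrCorrupt)
	return
}

func main() {
	leaks, roundTrip, tamperRejected, renameRejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext visible to provider: %v\nhonest download decrypts: %v\n"+
		"tampered blob rejected: %v\nrenamed blob rejected: %v\n",
		leaks, roundTrip, tamperRejected, renameRejected)
}
```

The trade-off the reply is pointing at still holds: once the provider holds only opaque blobs it can no longer index, search or deduplicate them for you, which is exactly the functionality people use these services for.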

Is there anything in the world that the US Government cannot rationalize?

Are there literally no limits worldwide to their power at this point?

It is my current assumption that everything now is being logged.

Any institution responsible for maintaining a nation's safety should be something to be proud about, but apparently with each news story NSA sounds more like a virus.

That sounds like a rather interesting and large integration project that most engineers would salivate over.

I get the feeling I'm going to take a karma hit for this, but here goes...

By tapping those links, the agency has positioned itself to collect at will from hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

There's a problem with this. The Post goes into a good amount of detail regarding how the NSA/GCHQ is collecting, but leaves nothing but speculation as to who they're targeting or why. It even goes so far as to suggest that NSA/GCHQ is targeting millions upon millions of ordinary citizens without giving evidence to back up that assertion. I would argue that these media outlets are doing us a disservice by not providing this information. All they're doing is generating hype and fear. I'm scrolling through the comments here and seeing calls for the imprisonment (or worse) of Obama administration officials and NSA personnel based not on solid evidence that the public at large is being spied upon, but based on our fear that the public is being spied upon. Some hypothetical headlines as an analogy:

A: "SWAT team guns down local residents"

B: "SWAT team guns down unarmed retirement home residents"

C: "SWAT team guns down pair of local gunmen; ends killing spree"

Headline A is vague and misleading. If that was the entirety of the information put out, the public would be outraged. If the actual story was closer to headline B, they'd be rightfully outraged, and all trust in the police force would be rightfully gone. The outrage wouldn't be justified if the actual story was closer to headline C. With regards to today's story, I don't want to see something like "NSA spies on Google traffic" - there's not enough context. I want to see evidence showing who they're targeting and why. If it turns out that they're spying on US Congressmen, major business executives or just ordinary Americans with the intent to blackmail/bribe/manipulate/etc. - that's the reason to call for these people to stand trial. If it turns out that they're spying on the unencrypted internet traffic of valid intelligence targets like foreign government officials/foreign spies/terrorists/etc., what has the public gained by telling us all how they're doing it?

The media needs to show us that there's a good reason to be afraid/outraged of a vast, covert Orwellian apparatus, then show us how to protect ourselves against it. Show us that the NSA is determined to undermine the public good for its own benefit. Unless there is no vast, hidden Orwellian state. Every Snowden document that gets released without showing evidence that the NSA is pursuing anyone besides those it has been tasked to pursue leads me to believe more and more that there is no such evidence, and the media is riding high on all of this fear and outrage to gather advertising dollars.

Are people seriously surprised? After all of the other stuff we've heard the NSA has done, I am surprised that people are surprised by something we all but already knew.

Curious to see who will continue to still use their products...

  • How would not using their products resolve the issue with the NSA? If people switched to other providers then other providers will get accessed like Google.

    • I'm sure the NSA likes having a one-stop shop. More nodes means more leaks, and if we've learned one thing through this, it's that the NSA would really rather do their work without oversight, which, as we've also learned, only happens as a result of leaks.

    • > How would not using their products resolve the issue with the NSA?

      One point would be: Google might feel a change in their bottom line and might actually start thinking about banding together with the other tech giants to be able to actively fight the NSA, instead of staying complicit.

The writing has been on the wall about the true nature of "the cloud" for at least 15 years. I tried to tell people, they preferred to put their faith and trust in the major magazines, which were all propagandizing about it constantly. Most people (including the developers who write this software) allow themselves to be herded, and if you try to tell them what's really going on they write you off as a crackpot.

What most people don't realize is that all the value offered by "the cloud" can be created with much higher quality on a different architecture, one that gives all the benefits of the cloud, but without sacrificing privacy.