Once again, I suggest everyone interested read James Bamford's book Shadow Factory.
All these revelations regarding call metadata, PRISM collection (albeit under a different codename at the time), modern fiber taps, and even more are covered.
You'll learn about how they shave fiber optic cables in order to intercept traffic and not be detected. You'll find out about the various facilities already reported, along with others like the NSA Georgia facility. You'll find out exactly where on what beach these fiber lines run in and out of. It's a very well-researched book.
You'll learn a lot more than what's been verified with these leaks.
Was expecting to find comment by tptacek explaining how WP's Craig Timberg has no journalistic integrity because "direct access" clearly doesn't mean the NSA gets whatever data it wants by whatever means necessary. Rather, "direct access" can only imply the NSA administers the credentials of each and every server and database existent, which clearly couldn't be true.
My thoughts exactly. I had assumed that tpateck would have magnified a figure of speech (e.g. full control -> judge can only appoint not remove), ranted about some obtuse point (e.g. which foreign government does not spy), and enjoyed the thread on violation of first/fourth amendment right derail from the issue. And all of his posts are moved to the top by HNers who recognize the name.
It wasn't. I agree there's a little bit of wrongness to that, but I hope his parent post won't mind too much, because there's a lot of truth to his point. Often we get more information like this, a fuller understanding of how Americans have been paying billions of dollars to fund this surveillance weapon that threatens the human race, and find an extremely well-written post by an obviously highly intelligent tptacek at the top, explaining why, strictly speaking, this is all legal -- or something. I'm glad I'm not the only one who finds it annoying.
Oh, I figured I was missing some context. I still hope that's the case. I'm not sure what value there is to replying to imagined posts by people who aren't posting, and hijacking the top rated comment to boot.
Those posts usually have a lot of responses that rise to the challenge though, and without any opposition or advocacy for the devil, much less (or even nothing) is learned. I don't think it's fair to call him out like that, HN is better than this and posts can be dealt with on a one by one basis.
Take off all the nicks, for maximum message resolution.
I think this is a bit of a cheap shot at tptacek so will defend him in his absence.
First, when it comes to programs by US intelligence agencies (both previously known, currently revealed, and yet to be revealed) there are multiple categories of evaluation: namely, ethical, legal, constitutional.
Generally speaking, everything the Feds are doing is legal in the sense that it follows a specific legal process that was setup in the scare over terrorism, which both expanded the powers of the executive branch and created "shadow courts" which presumably provide some checks and balances in the system. Of course, we can't really know how reliably these work since the process for National Security Letters and other aspects itself is secret. Nonetheless, there are specific process in places that seem generally speaking to be followed. How often there are "exceptions" to this process is difficult to ascertain, and has not really been a focus in the present debate.
When it comes to constitutionality, it is a hotly debated topic among Americans partially because it was the bedrock of the American state, but an increasing number of Americans (including justices) either aren't knowledgable or don't care about the specifics of the constitution. This is a huge topic, but it is sufficient to say that something can be unconstitutional (even blatantly so) and nonetheless be legal. In this specific case, it is difficult to know how or whether the protection against "unreasonable" searches includes storage of metadata associated with phonecalls that can be searched by an analyst.
Then, more broadly, there are a wide representation of ethical issues. For example, it is completely legal and constitutional to spy on non US citizens, but are there any boundaries that should be set on what is and is not acceptable behavior? My strongly held view is that, at least when it comes to US hq'ed companies with a large foreign user base that they provisions in places for non US citizens should at the very least be the same as those for US citizens. However, saying that something should exist and implementing it are two different things, and one is considerably more difficult than the other.
So this is all basically to defend tptacek and say that it is important to differentiate when accusing the US government of "crimes." In other words, there are lots of unethical things that you can do that are perfectly legal.
I'm mocking the "direct action" fabricated controversy. I apologize that wasn't more clear.
I fully expected Craig Timberg to be attacked, just like Glenn Greenwald was.
It is unfair that I'm using a nym, whereas tptacek's a real identity.
It may be unfair to single out tptacek out of the mob of people banging the "direct action" drum. He stands out here on HN. Since I'm using a nym, I won't belabor the point.
As I assume tptacek would also say, the specifics of the "direct access" are rather a big deal. If the access is constrained to NSLs approved by judges in regulated quantity, you have a legal process. Perhaps there is no independent oversight or accountability to the public at large, yet you still have legality.
However, if any analyst can at whim look at the info associated with any gmail account / Facebook user / etc. then you have a clearly extra-legal approach with absolutely no accountability.
Also, there is a significant difference between capacity and use. If a analyst or a sys admin for the NSA has capacity to view things but does not actually have permission from the NSA to use that capability absent an NSL, then
To be honest, to date nothing has emerged that makes it seem that the NSA has this sort of capacity, except when it comes to Verizon phone calls, although I don't think we know much if anything about the NSA's downstream capabilities when it comes to major Silicon Valley firms.
In short, I assume that Google, Facebook, etc. are telling an important truth when they say that access is limited to legal processes. Whether or not the NSA also has and uses downstream access to similar data is another question altogether.
In addition to The Shadow Factory he also wrote The Puzzle Palace and Body of Secrets. I'm not sure how much material is shared between the three books, or if they're meant to be read in any certain order, but I'm plowing through The Puzzle Palace now.
OK, good, glad to hear that. I had sort of assumed that that was the case, but wasn't sure. It's a lot of material to slog through, but I find this stuff fascinating for some reason.
Specifically relating to the recent revelations, this book was where I learned of the NSA's "vacuum cleaner" approach, in which all available messages are collected -- in this case, it was trans-Atlantic radio transmissions being monitored by ECHELON. So, an American citizen in the UK calling an American citizen in the US would have their call collected.
The approach (collect everything you can at the trunk line or server farm) is very similar to the e-mail collection strategy that's being documented now.
I don't see why that would be true. This is classical signal transmitted optically, not quantum cryptography. There is no reason you couldn't splice the cable through a machine that recorded the signal and then recreated it. Or a beam splitter that removed just a small fraction of the signal; the effect would be a slight increase in transmission loss.
I had a professor who did optics research sponsored by the NSA. They didn't tell him the intended application, but he suspected it was to tap optical fibers by evanescent wave coupling (see http://en.wikipedia.org/wiki/Evanescent_wave#Evanescent-wave... ). It's as if photons are quantum tunneling out of the fiber, so there is no need to physically cut into it. That would have made the tapping nearly undetectable.
The prevailing theory is that they do the latter; the former would be both easy to detect (at the time of splice) and locate (via TDR).
Getting the signal out of the fiber pales in comparison, though, with the task of getting all of that data back to Maryland/Utah.
Unless they have specific cooperation of the cable owners and can tap/split the fibers at the landings, they must be spending a significant percentage of the cost of the original fiber runs (in parallel cables to return the tapped data). The mind reels.
I don't know much about undersea cables (although it is a fascinating subject), but I imagine there's no need to tap a cable in the middle of the ocean. If instead you tap it a couple miles offshore (even tens of miles), suddenly have a lot less undersea fiber to run. And if multiple cables come ashore at the same place, you can probably disguise it as just another fiber.
Of course, this requires a friendly country at one end of the cable, but that's probably not too big a problem.
I don't believe fibre cables are single length. Between your point of signal origin and the destination are already a number of boxes that act as repeaters. To split the cable, you'd effectively add in another one (or subvert the provider, of course). Or I believe you can tap the cable anyway:
What's to stop a direct packet copy? The line goes in, a digital device sees the packets, copies them bit for bit and sends the original to their destination and a copy to the NSA. Similar to headphone splitting.
I think most of the taps they're referring to involve tapping light directly off the fiber, which reduces the light intensity at the receiving end and can therefore be detected in theory at least
Interfering with existing amplifiers/signal boosters would be fairly hard to hide unless the NSA was solely responsible for that units maintenance, and I suspect that as a general rule they aren't. It's much easier to hide a tap at some random point along the line where nobody has any reason to visit
There are different non-disruptive techniques, two known methods being "shaving" the cable and the other involves bending the fiber optic cable at certain angles.
I wouldn't be surprised if there are other esoteric techniques that somehow allow NSA to monitor emanations through an intact fiber optic cable and its shielding.
No, you have not made it up in your head. It has been widely accepted as a fact but I guess if it was originally true there must have been a few "givens'.
Who said this? It seems obviously false. All you would have to do is insert a detector and another emitter that simply replays everything the detector reads.
While I agree it's certainly false, your implementation idea would almost certainly introduce detectable delay. All you'd need is a beam splitter. You can manufacture them to only take 1% of the beam.
Sure. But "Hey guys, just to let you know, we moved our relay back a couple meters for reorganization" would also introduce detectable delay -- I doubt anyone actually cares about the delay.
In the late 90's, I attended a presentation that described doing just such a fractional-light fiber split at major exchanges (e.g. MAE-West) to collect data for research purposes. [1] While the researchers were probably trustworthy, I remember thinking that such sniffing seemed like it could be pretty scary in the wrong hands.
(The presentation was given by Evi Nemeth, who was sadly in the news recently due to being lost at sea.)
[1] http://www.caida.org/workshops/isma/9808/report.html
"The coral/ocXmon family of monitors use optical splitters to tap fiber, filtering 5-10% of the light signal to interface cards in the coral monitoring host."
These splitter work in the domain of light-pulses transmitted over a fiber. So you get 100% of the messages, but the flashes of light representing the bits will be much weaker. Probably this will mean that you have to put in much more effort to decode the signal than a usual network-device will need, and also probably means that you will have a higher number of errors in your data.
On the other hand, if you'd tap only a short distance downstream of the transmitter (or an inline amplifier), that 1% might be plenty, undisturbed by the distortions introduced further on the line, so probably that's the preferable tapping location anyway.
[I know that I'm oversimplifying a lot here and modern optical communication systems work much different.]
It depends on the power budget of the fiber link. A 3db splitter would tap 50% of the power, but if this was planned for in advance it would be easily integrated in the long haul network.
After seeing this article today, I made a post on Facebook to explain to some of my friends that aren't closely following the PRISM story that this is not compatible with the statements released by Mark Zuckerberg, Marissa Mayer, and Larry Page. I'll reproduce some of my post here--I'd link directly, but my Facebook is set to 'private.'
Remember when Mark Zuckerberg (Facebook), Marissa Mayer (Yahoo!) and Larry Page (Google) all denied "directly" giving the NSA everyone's data?
They claimed that all access was done through national security letters and warrants, because the slides that had leaked at the time supported that. Turns out new slides leaked, and everyone lied!
*snip* (I linked to the WaPo article, and the slide directly)
And for sources on the original denial (each claiming "no direct access"):
They didn't lie - they just made the truth dance with help from legal advisers. I think we already knew that, but the slide just confirms that they knew exactly what they were doing.
EDIT: to clarify, GIVING someone access directly to a server and allowing/knowing about access to the data going in and out of a server are not technically the same thing.
When I saw the Google/Facebook responses, it was obvious that the posts had a lot in common. Both used the phrase "direct access to our servers".
When you see a phrase repeated like that, one of two things has happened. Either one copied the other's phrasing, or someone told them what to say. In either case, the legal department would definitely weigh in on a huge issue like this.
A smart lawyer would never let the company lie outright. They would advise everyone to speak the truth, but "the truth they speak may not be the truth you think you hear." No direct access to servers. Sure. They just had access to the data going in and out of the server. To someone used to reading political and legal documents, "no direct access to servers" almost screams "some form of access to something." Otherwise the denial would have been more
Zuck and Page didn't lie, but they were less than forthcoming. Myers didn't even bother addressing the claim directly.
I suspect a government lawyer fed them phrases they could use that sound like denials without actually lying.
> When I saw the Google/Facebook responses, it was obvious that the posts had a lot in common. Both used the phrase "direct access to our servers".
When you see a phrase repeated like that, one of two things has happened. Either one copied the other's phrasing, or someone told them what to say. In either case, the legal department would definitely weigh in on a huge issue like this.
I totally agree that these organizations used the phrase "direct access" intentionally, surely with legal advice. My point, however, was that at the time that these companies released their responses, the slide that actually said direct access verbatim had not yet leaked. Although it's impossible to tell what actually happened, it looks to me like they decided to deny "direct access" in the hopes that there were no slides indicating that direct access did exist. After all, it's unlikely that these companies had the full slide deck (or anything other than what the media had published).
So, either:
(A) Larry Page and Mark Zuckerberg actually didn't know that they provided "direct" access to data.
(B) NSA actually doesn't have "direct" access as indicated by this slide, meaning that the slide is incorrect or falsified.
(C) Page and Zuckerberg lied in their statements.
I don't see a fourth option regarding direct NSA access to these companies' data.
And you're right regarding Mayer not addressing the claim directly; I was a little bit off there. Still, by saying "well, we received between 12,000 and 13,000 FISA requests," Yahoo! is implying that there isn't any sort of "backdoor" access, which no longer seems to be the case.
> (D) the slide doesn't actually say 'direct access', but says 'collection directly from the servers of', which is different. My browser pulled the comment I'm replying to right now 'directly from the servers of' HN, but I don't have 'direct access' to HN.
Since there's currently no way to "browse" private data on, say, my Google search history or my GMail inbox, the conclusion seems to be that they either have broad backdoor access, or a specific way of directly downloading from these companies.
In a traditional warrant situation, the data would be collected by the companies and sent to the requesting agency that provided a warrant. Police officers that request, say, HTTP access logs do not download those logs directly.
I kind of rambled around the point, but I was trying to say much the same thing.
It's also very possible that the slide traded some simplicity for accuracy because it was being presented to a group of people who didn't really care or understand the details and technicalities.
Also, (E), The companies didn't "give" the government direct access, but were quietly complicit in allowing them to collect data.
However unlikely, it's still possible the NSA had moles or secret legal proceedings against certain employees that directed them to provide the NSA with a direct connection to the servers.
The reason why I say 'unlikely' is that such a setup would also involve data connectivity out of those data centers and additionally would probably trip all sorts of intrusion monitoring systems (if the big companies are doing their jobs right).
There's still a little wiggle room here, just not much very realistically.
I'm fairly sure the differences can largely be put down to the Guardian using OpenOffice[1]. The differences look more like conversion errors, rather than any deliberate change (other than redaction).
* Red PRISM background should probably be rendered as transparent (as in the WaPo version)
* Typesetting on the Guardian version looks incorrect
* Guardian map looks to be misaligned/scaled, rather than changed (notice that the company logos are in America on the WaPo version, and the blue circles overlap fibre connections, but are not on the Guardian version.
This is where my mind jumped to as well. Especially with regards to the images being comprised of vector graphics, which has always been a pain in the ass to get standard among difference office suites.
Also, if you look between the two versions, you'll see that the Guardian's failed to render the transparency behind the PRISM logo. This definitely points towards rendering mishaps, rather than some sort of editing on their part.
Exactly, one or both of these slides has been edited. I doubt that someone went back to the NSA to get "the latest version" that makes me wonder who did the editing and what was their motivation? Did the guardian change the map to make it more relevant to the "global nature" of their coverage? Did someone change it for WaPo to make it seem more credible? And the redacting part, who redacted it and why? Neither slide would have been released as part of a FOIA request it seems, so why the redactions? To make it look more "confidential" ? (there have been suggestions that redactions add 'authenticity' to purported documents from governments). Frankly it raises a lot more questions than it answers.
I would guess WaPo edited the map. For the Guardian's version of slide it seems easy to guess that those are the names of secret programs use to tap fiber-optic cables in certain regions. NSA wanted 2 names of those programs to remain secret. (i have some theory why..). WaPo published the names but edited the map not to give precise locations of those programs. Just my theory ofc.
I think the OO.o/MS Office explanation is perfectly reasonable and applicable in this case. Even I suggested that was what the difference was when PRISM was first leaked, and I've not exactly been on Greenwald's side throughout all of this.
I could be wrong, but I think we are looking at screencaps of documents which have been captured on different screen sizes, where there was word wrapping occuring. I dont see evidence of editing.
Ah, so that's what it is. This morning, we got an e-mail : "If you open this link on any computer, including your home computer, you are required to report this through Security channels as a classified spillage. " I was wondering why the Post was being singled out. (I had not yet had a chance to look at it.)
Hey tomgirl1, welcome to Hacker News. Good to have you here.
It might be a good idea to read up on the guidelines [1] a bit though, since it seems your comments, while generally with good intent, often don't contribute much to the discussion at hand, like the comment I'm replying to here.
Another good way to get a feel for what is appreciated and what not is to check a bit of pg's comments [2]. You'll quickly get a feel of what's considered proper discourse and what isn't.
It's the same picture, but the Guardian one is compressed horizontally to fit, the Post one is not. It's obvious that whoever made that slide used a larger image but positioned it so that only part of it was shown. Post opened it with PowerPoint and it rendered correctly while Guardian opened it with OpenOffice which mangled it (look at the arrows and circles too). Most likely it's the Guardian that redacted the name of the two programs for whatever reason (they said they are curating the leaks to not cause unnecessary damage and not just dumping everything).
It isn't, in some way. PowerPoint let's you "mask" images. That is, bundle the entire image in the PPT but crop and zoom it. Of course, whoever did that slide zoomed into the US. It isn't a purpose-made image, but rather, one illustrating how traffic flows to and from the U.S.
Fits perfectly with the "different software" idea. Pages, Google Docs, OpenOffice and even different versions of Office produce different results with the same PowerPoint.
That would be congruent with the dropshadow displaying on the "You Should Use Both" text in the (presumably) PowerPoint-rendered one that is masked correctly. It doesn't seem to appear in the other.
EDIT: Also, on the US-zoomed/masked one, it makes the ellipses line up correctly with all the cable landings at the coastlines. I'm now sold that these differences are just PowerPoint-specific renderings.
These come from the NSA originally - so it's probably SOP to make slight changes to every page of every document each time it is released to someone, so that they can track the exact source and path of any leaks.
I don't doubt they version things like this, but I do doubt the watermark is easily found. A bit here, a bit there and you can bury a lot of info in a graphic with no one the wiser.
On the US-map one, the ellipses line up correctly with the cable landings, and the PRISM-partner logos are over the US, not floating in the ocean. Also, the arrowheads on the cable-bundle ellipses aren't all distorted, and the drop shadow on the "You Should Use Both" text displays correctly.
I'm marking this one down to PowerPoint-specific rendering (vs, say, OpenOffice).
So either Snowden has incorrect slides, the slides are falsified, or everyone has been lying. Actual evidence of direct access would be better than these slides. I would like someone from Google, Facebook, et al to testify under oath that there is no direct access. Or maybe even the NSA, but we know they share inaccuracies under oath, so maybe that isn't worth so much.
They're getting the info directly from Google et al., but they don't have root on Google's servers. Google is required by law (CALEA, the Communications Assistance for Law Enforcement Act) to provide the ability for law enforcement to get information from them. This includes - required by law - the ability both to get stored data and to make real-time intercepts of new communications. Google is paid a fee to provide these services as well.
Google et al. have fully complied with this law. The FBI manages the government-end of the CALEA tapping capabilities. The NSA makes requests to the FBI, which passes them on to Google, which flips a switch and enables the tapping of user "xyzzy123". From then on, xyzzy123's stored data and new communications get sent to the FBI through the CALEA connection, which forwards them to the NSA. CALEA also requires the service provider to provide all sorts of metadata about the user.
This IS "direct access" to Google's servers. The denials about this have been carefully worded things that all access is supported by some sort of legal process, etc. The denials are non-denial denials. Yes, GOOGLE (et al.), not the NSA, flips the final switch which sends the data. But Google is required by law to do so, so....... And once the switch is flipped, all of the data is flowing automatically to the NSA.
This is close but wrong in some very important ways.
CALEA does not apply to Google (except Google fiber and perhaps Google Voice). Google does have to comply with FBI requests for emails and stored data, but they do not have to comply with CALEA (which mandates technical standards for the wiretapping of the phone network and most internet networks). Google does NOT have to build real-time domestic spying tools for the government, though it is arguable whether the 702 program (which PRISM is part of) does.
The FBI would LOVE to extend CALEA to Facebook and Google, etc, but this has not happened yet.
That said, it is likely that the FBI's backbone spying network (DCSNET), which was built for CALEA, is being used for PRISM.
Even without CALEA, if I'm reading the press coverage right, the FISA orders to which Google comply once they check that they were issued by FISC can be very broad, including "give me ALL the metadata you have" in a single order. Because "taking all metadata an storing it indefinitely is nothing to be worried about" in NSA interpretations.
Well all metadata wouldn't work as that could be used to intercept U.S. persons' data. The warrant/NSL would have to list by name/UID at the very least, but once it's established that the UID in question is foreign and a part of an investigation then you are right that the warrant/NSL can be very broad.
Actually, yes, the feds are using Section 215 of the Patriot Act to get FISC orders on all metadata of Americans' domestic phone and internet communications from ISPs and phone companies. The feds are leveraging a theory that you have no privacy interest in your metadata, thus no 4th Amendment violation.
It's not clear at all that this is legal, especially given the Supreme Court's recent ruling in Jones, requiring warrants for GPS tracking of automobiles.
CALEA does not apply to Google, so this isn't correct. The reason they are required "by law" is that they get FISAs, which can be served on anyone and is unrelated to those specific laws.
Correct me if I'm wrong, but you left out the step where a judge reviews the request to make sure it's not overly broad or based on flimsy reasoning.
Aside from that I'd say it's a very clear, and it's sad that there seems to be a pervasive inference that these companies are something something beyond what our elected law makers have forced them to do. Why isn't more angst directed at the politicians responsible for this?
A judge does review the request. Whether that judge "makes sure it's not overly broad or based on flimsy reasoning" is far from clear. The judge has been hand-picked by John Roberts and only hears the government's side of the case. The FISA court has rejected 0.03 percent of the government's requests. Now, maybe that's just an indication that 99.97% of the government's requests are reasonable, but here's the problem: we have no way of knowing, because it's all secret. THAT is the problem IMHO, more than the surveillance itself.
No, a judge does not see an individual request in a 702 order. This is the entire point of the 702 and PRISM -- NSA analysts no longer have to fill out paperwork to get data from Google/Facebook/Etc, so long as they are 51% sure the target is a foreigner. There is one court order per company per year. After that, it's "direct access" - e.g. analyst sends request directly to the company.
I see where it says in the caption "The supervisor must endorse the analyst's "reasonable belief," defined as 51 percent confidence, that the specified target is a foreign national who is overseas at the time of collection." But that's a caption written by the Post. What I don't see is any support for that statement in the actual slide itself, nor any of the other slides on that page.
But these companies do more than what is required by law. They do not by law have to provide API access, only to provide the data in some form. None of the smaller webmail hosts cooperate in PRISM.
And as for warrants, no they do not always need a warrant. They only need that if both parties in the communication are US citizens. If none of them are no warrant is needed at all and if just one party is US then they (according to the Wikipedia article on PRISM) can wiretap for up to a week without getting a warrant.
The real problem is that "direct access to servers" is not a specific term. Given the various definitions it could have, everyone could be being truthful.
Some would interpret "direct access" to mean root level access to their entire infrastructure, which sounds absurd to me, yet some people seem to believe that's what's happening. And it's my understanding that this is what Google, facebook, etc. have been denying. They could instead be giving "direct access" to an FTP server or some other portal set up to provide the requested data, meaning that Snowden and these slides are being truthful in that context.
I also think it could be argued that we all gain "direct access" to Google's servers every time we type "www.google.com" into a browser's address bar. It is just not a useful term, and should be replaced with something more specific in all these instances.
> It is just not a useful term, and should be replaced with something more specific in all these instances
How about "collection directly from the server of..." just like it appeared in the actual slide, instead of 'direct access' as everyone else misquotes it?
But it seems like that still has all the ambiguity I mentioned. It could still be construed as root level access, or an FTP server, or anything in between.
Also realize that Glenn Greenwald shares a good amount of blame for this misquote. The first line in the first article about PRISM is "The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants." (http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-n...)
The problem is with Greenwald / Snowden - they needed to provide indisputable evidence regarding their most garish claims; or `direct access` to a representation of the evidence
> Also realize that Glenn Greenwald shares a good amount of blame for this misquote
I agree, and have said as much multiple times.
But that's no reason to continue to perpetuate the usage of a semantically-different variant of the original quote, especially with all the other data we have on PRISM now that can help disambiguate what the original quote could reasonably be construed as.
Compared to data intercepted from "upstream", any data sent in response to a FISA request would be "directly from company X's servers". That doesn't necessarily imply that the NSA has direct access to the servers.
I think it's also worth noting that the intended audience of these slides wasn't the general public/press. It's possible the purpose of using wording like "directly from the servers" was simply to delineate the origin of the data from the data pulled off the wire, not the mechanism of retrieval (e.g. some backdoor outside of the existing legal procedure for acquiring such data). I just picture the person who wrote these slides and chose those words either laughing their ass off, or face-palming right now. The companies involved have been pretty explicit (at great risk I might add by putting their founders' names on the denials) that there isn't "direct access" or anything like it.
The real story here is the "Upstream" collection. Just horribly irresponsible behavior for a steward of much of the Internet's infrastructure. Shameful.
Yes, either the slides are wrong, and they don't mean "direct access" the way we're thinking about it, and they may be referring to those "lock boxes" or those "secure FTP" connections that the companies use to send them the requested data - or they've managed to hack these companies somehow, and they just aren't aware of it. This is assuming the companies didn't allow them to put backdoors on their servers.
So, if you're under oath, you're not allowed to lie.
And if you're read into an SCI program that controls the disclosure of the existence of such access, you're most definitely not allowed to say anything about it (or, in many cases, even acknowledge that such a thing exists).
There is no way someone would risk perjuring themselves OR disclosing classified information under oath.
I wonder if it could be construed as disclosing classified info by taking the 5th when asked. You didn't say anything, but did you say anything without saying anything?
I wonder if anyone would be brave enough to test this, i.e. use TLS 1.2/forward security to one of sites mentioned, send a message to a "friend" (dumby account) that says you are planning an attack, and see what happens (i.e. it's only viewable by facebook/google whatever, not in transit)
I suggested that on a forum 10 years ago (though about unencrypted emails) to see if the spooks were really monitoring email, and no one seems to want to take up that offer.
If clapper was outright lying to congress about the data collection... what makes you think getting Zuck under "oath" is going to do any better. After all, he thinks we're all a bunch of "dumb fucks" and it would appear he happily sold all global user data to the USG without even a second thought.
In have to tell you, it warms my skeptic heart to see HN so damn discerning over all this info regarding the true state of the world; HN has really surprised me at how many people here are really paying attention!!
From my limited understanding, the slides are unlikely to be 'incorrect' as Snowden worked there so he would know what was actually going on.
It's possible Snowden is making the whole thing up but the government haven't denied anything is going on. It should also be possible for at least some of Snowdens claims to be verified. For example he has claimed that the government was hacking Universities it might be possible to see evidence of that. Or he claimed people have been wiretapped, maybe he knows some of the conversations.
It's possible the government won't deny due to a policy of denial and are sticking to it despite the huge PR issues. Or maybe they want people to think they are watching. Or maybe the people in positions to deny stuff want the current government to look bad.
Maybe the government will deny later and it's taken a while due to bureaucracy. But by that time it will be to late since if there was anything they will have had time to clean house.
Only Google have so for made a post saying the whole thing is fake.
Or the slides use shortened terminology, because it's sorta equivalent in that the processes seem very streamlined.
It's not direct from the servers, but to the analysts it might as well could be the same. These slides might have been meant for tech-illiterate people, saying that might be clearer.
Last time this came up I realized that Google is denies overspecificly everything that is not wiretapping. So my take is, that Google is saying "no direct access to the Google servers," as in no access to the actual boxes, while NSA and Guardian use servers in a somewhat looser sense. So my speculation is, that the NSA sits between the TLS reverse proxy and the actual servers.
Are we agreed that the Washington Post has had access to the full set of slides all along and are choosing to dribble them out, one by one?
If so I feel that there's a certain lack of ethics involved in this. We now have a slide recommending "direct access", after weeks of denials and pointless discussion about it that would have been much clarified and bolstered if this slide had been released. On the other hand, we still don't know the full context of the slides. Perhaps the next one says "But we don't have direct access yet, we are still working on that". Or perhaps it says "for direct access, get a warrant". We just don't know.
I understand the motives of the WP in releasing these slides one by one. It will undoubtably be maximizing the publicity and traffic they get from it. But I am not at all sure it is serving the public interest.
On the contrary, we've caught a lot of people in a lot of lies. It's worth noting that the Guardian published this slide weeks ago, except they redacted some information. We most likely wouldn't still be talking about this if the Washington Post and Guardian played all their cards at once.
Is it possible that the CEOs are in fact telling the truth, but are unaware/ignorant that at the carrier level (before reaching the ingress points), data headed to their respective networks/server farms is being "copied"?
Does Google, Apple, Skype, etc. physically own Internet infrastructure, or are they all leased lines from carriers?
If they owned any physical "lines", and the gov was tapping into these lines, then they would be lying about the direct access claim.
But if they don't own these lines, it seems the companies can't do anything about it, and that the telcos are the villains.
Before the safeguards were installed, the kiss was performed with real risk to life and limb, as participants were grasped by the ankles and dangled bodily from the height.
I can reliably inform you that this is indeed as scary as it sounds.
Been there, done that. I've only kissed the Blarney Stone with the safeguards, but it was still pretty freaky leaning down for the kiss. Everyone should do it at least once. :)
I don't mean to brag, but as I was writing a story about surveillance on my home computer today, the NSA director called and said, "I really love where you're going with this."
If we are going to rely and trust the slide, it mentions "You Should Use Both". That might mean, they are still not using the two of them, or one of them.
For those with security clearances, clicking on a random HN link is risking your job and livelihood. It's easy to see a link to WikiLeaks and avoid that but when it's the WP posting it, not so much.
These articles really need to be flagged/tagged by HN and by the newspapers that publish them. I don't want to see a TS/SCI-classified document and I don't want to be seen as seeking them out.
I love the technical stories on HN (95% of what we read here) but it bothers me that I'm risking my clearance when I read this site.
Listening to Democracy Now this morning, one of the defense witnesses in the Manning trial explained that many, many of classified documented Manning is accused of leaking are also publicly available via government websites or in the media. For instance, personal details of detainees at gitmo.
I'm struggling to understand how information which is in the public domain can be classified.
AFAIK this is primarily for the purposes of avoiding the court system. Things that are classified seem to be dealt with by the rubber-stamp FISA courts instead of the actual judicial system so they can avoid being challenged in the light of day.
Using separate accounts for reading unsafe links and commenting safe ones can avoid detection based on writing style analysis.
Since Tor exit nodes can be compromised easily and HTTPS is vulnerable to attackers powerful enough to have the private keys of major certificate authorities, the passwords used should not be reused for other services.
Okay, thanks for the teenage-level politics. What do you suggest as an actual alternative? How do you personally know those alternatives are safer or more secure? How would you construct a recommendation for a small or medium company that relies on Skype/MS Office/Google to use alternatives and how would you train non-tech savvy employees? With what time and money?
That's why people are downvoting you. Not because they disagree but because your comment provides no actual information.
I'll say it again, because I was immediately downvoted into invisibility:
You CAN NOT continue to use products and services by NSA companies like Microsoft - Yahoo - Google - Facebook - PalTalk - AOL - Skype - YouTube - or Apple and THEN turn around and BITCH AND CRY ABOUT LOSING YOUR RIGHTS AND PRIVACY.
This is completely INSANE, you NEED TO WAKE UP!
EDIT: Yeah, let the censuring begin again. You know what? When I look at the people here on HackerNews, I'm beginning to see a SOCIETY THAT ACTUALLY WANTS TO BE FUCKED - DEEPLY EVEN.
You were downvoted into invisibility because this type of discourse is not appropriate for Hacker News. Please, no shouting. No vague pronouncements to "wake up".
We try to have a reasoned, intelligent discourse here. There are many services provided by companies which may collaborate with the NSA or law enforcement which are pretty much unavoidable in modern society; the telephone network, the internet, and so on. Telling people that they need to completely disconnect from modern society or they shouldn't complain is unproductive.
Rather, we should be discussing realistic solutions. Pervasive end-to-end cryptography for everyday tasks would help. Better laws and legal oversight of both the government and of corporations would help. Protocols that encourage federated or decentralized use, rather than central storage that everything passes through unencrypted would help.
You're being down voted because your comment is entirely non-constructive.
1) Calling people insane won't win you any favors.
2) "WAKE UP" is an entirely useless platitude.
3) Simply not using "NSA companies" is completely impractical. Not everyone can afford to be a recluse eccentric by ignoring the largest software providers on the planet. Never mind the fact that switching to an alternative in mass would simply produce a new "NSA company". These companies aren't at fault, our government is.
Do you have any concrete proposals? Do you have anything new to share? It doesn't seem that you do.
These companies aren't at fault, our government is
I think the companies are also at fault. If instead of illegal surveillance the companies were being asked to illicitly expose employees to potentially harmful radiation, the moral culpability would be more obvious, regardless of the letter of the FISC laws their corporate counsel was shown.
There was clearly a decision on the part of the employees of the companies involved not to risk their own livelihoods by simply going along with what the government wanted.
I'd argue that major atrocities are possible via the combined impact of institutionally diffused acts of moral depravity such as those committed by our beloved tech companies.
Not to mention they're completely tapping the cables too…
Guess it's time to find the resources to buy thousands of miles of fiber optics and hope the NSA, GCHQ, and the rest of the global surveillance state doesn't tap those! :D
I do NOT give a fuck about any favors. I don't care about any fucking karma points - we're turning into a turn-key totalitarian system, and people act like nothing has changed.
You CAN NOT continue to use products and services by NSA companies like Microsoft - Yahoo - Google - Facebook - PalTalk - AOL - Skype - YouTube - or Apple and THEN turn around and BITCH AND CRY ABOUT LOSING YOUR RIGHTS AND PRIVACY.
So is it by coincidence the products that have the most users are the ones watched by the NSA? Any product/service that will reach such a huge audience will be a target.
Not using the product is not a solution. Getting the NSA to respect the law is what we need.
Please stop. This adds nothing to the conversation. Don't worry, it's not your personal mission from saving the world from NSA spying, and if you want to do something relevant, talk to people individually in a open minded conversation, where you'll be able to calmly expose your facts.
So instead of repeating what was made invisible, make it a constructive comment. Instead of carrying a Windows Phone, Android or iPhone, which smartphone should I carry? How can I start getting my friends off Facebook so I can close my account without losing those connections?
I'm not trying to make the argument to stay, but without viable alternatives, people won't leave.
blackberry for phones, not sure about facebook alternatives.
edit: also bbm is going cross platform soon, so that may give an encrypted social network alternative, haven't used it though. also I think they gave india/dubai a backdoor a couple years ago? so who's to say, whether they would be compelled to cough up to the nsa as well.
With "Upstream" mentioned in the slide, it doesn't matter what company you use. As long as your data goes trough a cable that's monitored, everything is owned.
All these revelations regarding call metadata, PRISM collection (albeit under a different codename at the time), modern fiber taps, and even more are covered.
You'll learn about how they shave fiber optic cables in order to intercept traffic and not be detected. You'll find out about the various facilities already reported, along with others like the NSA Georgia facility. You'll find out exactly where on what beach these fiber lines run in and out of. It's a very well-researched book.
You'll learn a lot more than what's been verified with these leaks.
http://www.amazon.com/The-Shadow-Factory-Eavesdropping-Ameri...