WA Post Publishes 4 More Slides On Data Collection From Google, Et Al
anagama writes "Lots of new program names, flowcharts, and detail in four previously unreleased PRISM slides published by the Washington Post today. These slides provide some additional detail about PRISM and outline how the NSA gets information from those nine well known internet companies. Apparently, the collection is done by the FBI using its own equipment on the various companies' premises and then passed to the NSA where it is filtered and sorted."
I've already quit Google. Now how about you?
Leaking single slides is causing confusion on what exactly is taking place. They need to stop.
The FBI equipment is for CALEA and is on site in ISPs, not content providers such as Google and Yahoo. Misinformation on this is getting old. Yes it's scary and yes it's illegal and yes it needs to change. But let's fucking understand it properly, then raise our arms and yell bs.
Google et al. said something, IIRC, like 'we do not collect and pass on any info to the NSA'. Technically true, but also completely irrelevant to whether or not the NSA was actually collecting data.
Asking corps or government about what they do and don't collect is like asking a genie for a wish: one must phrase the question perfectly, or they'll twist it any way they can in order to answer what you asked, but not what you really wanted to know.
This is an unconstitutional power that the USA federal government usurped from the people. It doesn't actually matter how they grab most of it; what does matter is that they do, and it looks like it's not going to stop until the system crashes and there is no more money to run it.
Encrypt your communications, encrypt everything you can. Use self-signed certificates, by the way, and avoid Certificate Authorities; AFAIC they only make it easier to create a MITM attack, not harder. They can confirm to your device that a certificate is valid even if it is not the certificate that you want to use. Of course, if you use CAs, do not let them generate your keys for you.
At this point the behaviour of browsers in treating self-signed certificates as worse than plain text should be suspect to everybody. There is no rational explanation for that sort of attitude except: we don't want you to use certificates that authorities can't revoke and replace.
You can't handle the truth.
Quoted company may or may not have used weasel words. We await confirmation of this rolling news headline.
It would be pretty easy to create PowerPoint with the requisite markings, logos, etc, on it and then peddle it to various newspapers.
And sometimes, like when you ask if they "collect any information on millions of Americans," they just lie.
The current hot question in the executive conference room is, what can we do to get on the list of SSOs?
... and to the person that said the devices were in ISPs, it's unlikely because of the prevalence of SSL. The equipment would need to be behind the company firewalls.
Lies, Facebook in particular lied about this, even as Obama was confirming it and claiming a [non-existent] warrant is needed to access this data:
"The search request, known as a “tasking,” can be sent to multiple sources — for example, to a private company and to an NSA access point that taps into the Internet’s main gateway switches. A tasking for Google, Yahoo, Microsoft, Apple and other providers is routed to equipment installed at each company. This equipment, maintained by the FBI, passes the NSA request to a private company’s system. Depending on the company, a tasking may return e-mails, attachments, address books, calendars, files stored in the cloud, text or audio or video chats and “metadata” that identify the locations, devices used and other information about a target."
I don't care about the pathetic protections put in place for Americans, I'm not American. I care that these services hand my data to a military structure that works against me. Worse, they inevitably turn America into a dictatorship.
"Before an analyst may conduct live surveillance using PRISM, a second analyst in his subject area must concur. "
So any boss that oversees 2 analysts can spy on Americans, simply because he can order 2 of them to concur. And the big boss, General Alexander, can even waive this, because it's HIS policy, not law, i.e. no protections at all.
You want to fix this? Well, try running for President and sacking the NSA chief. He'll have a record of every mistake you've made, detailed knowledge of who backs you, the campaign team, private communications, strategies, everything. They've made a dictator, and people like Dianne Feinstein are so stupid and incompetent they can't see why they've done so much damage.
Completely flipping the system in secret, the system that's kept the US a democracy for the longest time any democracy has survived so far. Those little shits just threw it away.
They are technically correct. The best kind of correct. The FBI is the one doing the collection and passing on.
So, by statute the NSA is not allowed to spy on American citizens on American soil (since that's the FBI's job). But because of all the Intelligence-sharing laws that passed in the early and mid 2000s, that's been totally neutered. It's an offshoot of the outsourcing mindset - we're not allowed to do it, but we can ask someone else who IS allowed to and share the results.
And sometimes, like when you ask if they "collect any information on millions of Americans," they just lie.
Oh, that's so harsh. It's just that you need to get them to precisely define the words "collect", "any", "information", "millions", and "Americans". I'm sure that if you did, you'd reach a point where you thought "oh, 'no' doesn't mean what I thought it meant". (The words "on" and "of" are probably safe, though you never know). It's like how the word "sex" can mean different things depending on who's talking.
I'm just a dumb Canadian... Is WA ever used for Washington DC?
Google is correct. They do not pass data to the NSA, the FBI does it for them. Everybody in the spy industry is just playing silly buggers and thinks that all citizens are morons.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Oh, be fair. These infamous 9 have a lot of data centers, and you can't expect the CEO to know which equipment from whom is in every corner there? I mean, just walk up to one of their data centers with a router in your hand, and tell them that you need an Internet connection. I'm sure that they'll let you waltz in and connect whatever equipment you want . . .
. . . when monkeys fly out of my ass.
The FBI probably has technical offices and agents in each data center, to maintain all this stuff. Ask them about that!
To give them the benefit of the doubt, they could claim that the FBI installed the stuff clandestinely. You know, a rack in a corner, with a note taped to it: "Do NOT touch. This rack does something important!" Of course, these companies might perform audits once in a blue moon on their data centers . . . but, naw, why bother . . . ?
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Google et al. said something, IIRC, like 'we do not collect and pass on any info to the NSA'. Technically true, but also completely irrelevant to whether or not the NSA was actually collecting data.
They didn't mention the NSA: http://googleblog.blogspot.com/2013/06/what.html That post is unequivocal, and is in direct contradiction to statements by the Post like:
The Foreign Intelligence Surveillance Court does not review any individual collection request.
and
The FBI uses government equipment on private company property to retrieve matching information from a participating company
Which directly contradicts a statement here: http://www.wired.com/threatlevel/2013/06/google-uses-secure-ftp-to-feds/ Unfortunately, all such statements in the Post's article aren't on the slides; they are the Post's annotations on the slides, and the author doesn't provide any evidence to support them. Take from that what you will.
I can say with absolute certainty, that the NSA workers were never collecting information while sitting ON millions of Americans. Number one, they sit on chairs, not people. Number two, some of them may be chubby but nobody is fat enough to sit ON even 1000 Americans at once, let alone millions.
What changed under Obama? Nothing Good
Because the NSA couldn't possibly have their private keys...
We don't have a state-run media we have a media-run state.
If you think Assange is "untouchable" then the past 100 years of fascist history, and even the vaguest grasp of what your government has done and is doing, have passed you by.
you had me at #!
now I get the crusade against self signed certs !
I'm a little disappointed that the elite hackers at the NSA had not learned the lessons of Y2K and are still using 2 digits to denote years in the case notations.
Google may not even have been aware that the FBI was passing information on to the NSA.
I honestly don't know, but I thought it was illegal for the FBI to spy on U.S. citizens as well?
"To stop the terrorists."
WA is the abbreviation typically associated with Washington State, not the city of Washington, D.C.
Wash. Post is the more commonly accepted abbreviation of the newspaper based in Washington, D.C.
Very few people actually read the test groups. There's so much kiddie porn on today's news that a few slashbots posting encrypted messages to alt.test won't make a substantial difference.
Also, note that there's a big difference between a cipher and a code. A cipher replaces a number with another in such a way that it's difficult to get that first number back, but it does so by a fixed set of rules. The best way to crack the best ciphers is brute force, but if it's not the best cipher, there may be an easier way, such as chosen plaintext.
Consider that the US won the World War II battle of Midway by convincing the Japanese Navy to send some ciphertext whose plaintext was chosen by the US:
"Please use our weakest cipher to encrypt a message to the Pentagon to let them know our desalination plant is broken, so we need a new one."
"But admiral, our desalinization plant is working just fine!"
"That's a direct order son."
"SIR YES SIR!"
You see we had cracked the Japanese Naval cipher but we did not know the Japanese Naval code. All we knew was that they were about to attack an island in the Pacific but we did not know which one, as they used a codeword for that. After they intercepted the above message, they themselves then sent a message back to Tokyo that said something like "CowboyNeal's desalination plant is broken. They asked for another one." Now you know "CowboyNeal" means "Midway Island".
The best thing to do is to combine codes and ciphers, so that if the cipher is cracked, they still won't know the code unless they can get the codebook. That's what CIA "Black Bag Jobs" are for, you know when they sneak into an embassy, find the codebook then photograph it.
I expect that lots of cyber-espionage on the part of everyone is looking for codebooks, secret keys from key pairs, as well as planting keystroke recorders so you can get passphrases.
... binladen@alqaeda.org | /bin/mail binladen@alqaeda.org
Possibly better would be to encrypt real text that doesn't mean anything useful. For example use wget to rip a website, encrypt each page then send it to all your buddies.
They don't pass it along to the NSA; they pass it to the FBI, who passes it to the NSA.... So while technically correct, it was part of the big lie that the NSA is not spying on Americans...
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
I honestly don't know, but I thought it was illegal for the FBI to spy on U.S. citizens as well?
Spy=collect data on/aka Investigate. Who did you think the Federal Bureau of Investigation investigated? Or did you think they really were a Flowers By Ingrid florist?
No, they explicitly can investigate, across state lines (federally). Here's a non-link to IMDB for Public Enemies that explains why (in the back story) with some fun:
http://www.imdb.com/title/tt1152836/
With each new iteration it is clear that the NSA is bullshitting congress (partly under oath), and congress is bullshitting the public by well-chosen weasel-wording.
What those criminals don't understand is that stating technical truths with the explicit intent of causing false beliefs in the recipient is lying. The intent to deceive and mislead is not ameliorated by some technical truth to a statement.
What is intended to convey wrong information is a lie. The bitter truth is that the NSA is trying to test how little truthful information they can get away with giving Congress and the public, and Congress and the government are trying to test how little truthful information they can get away with giving the citizens.
As long as there is no intention to actually and truthfully communicate, the respective entities need to get dissolved. They are out of control, and they like being out of control.
That was the first thing I noticed. All the bullshit that contradicts the public statements of the companies involved is in the annotations.
I've only seen it a few times -- on Poynter.org, who report on journalism, and they seem to have standards on how they form abbreviations. I don't know that I've seen it in other places -- most people reporting try to cater to a wide audience and don't tend to slip in jargon.
And when I've seen it on Poynter, I've always seen it as mixed case 'WaPo', not 'WAPO'. I've also seen it abbreviated 'WashPost', but this is the first that I've ever seen it as 'WA Post'. (And I don't think I might've overlooked it previously ... it was so glaringly bad that my first response was to check the comments to see if anyone else thought it was completely horrible.)
Oh ... and I've lived in the DC metro area for 30+ years. And just because Google knows enough to expand jargon doesn't mean that it's good to use if you want people to actually understand you.
Build it, and they will come^Hplain.
Actually, in this context a self-signed cert would maybe be safer, although not really. If the proxy device has a root signing cert, it can just sign one for the site it is proxying to on the fly and then re-encrypt; chances are you would never notice.
Having a copy of the private key doesn't help you when using Perfect Forward Secrecy through ephemeral Diffie-Hellman session keys.
Though I suppose that if you disable everything but the EDH and DHE ciphers in your browser, many sites will not work.
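To make the forward-secrecy point above concrete, here is an added toy comparison (not code from the thread or from any real TLS stack) of the two handshake shapes: static RSA key transport, where the session secret travels on the wire encrypted under the server's long-term key, versus ephemeral Diffie-Hellman, where the long-term key only signs one-time public values. All parameters (the textbook RSA key p=61, q=53 and the Mersenne prime 2**127-1 with generator 3) are constructed for illustration and far too small or non-standard to be secure.

```python
"""Toy contrast: static RSA key transport vs. ephemeral Diffie-Hellman (DHE)."""
import hashlib
import secrets

# Constructed textbook RSA key (p=61, q=53); stands in for the server's
# long-term certificate key. Toy size only.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753

# Constructed DH group: Mersenne prime 2**127 - 1 with a toy generator.
# Not a standardized group; real deployments use RFC 3526 / RFC 7919 groups.
DH_P = (1 << 127) - 1
DH_G = 3


def kdf(secret: int) -> str:
    """Derive a session-key label from a shared secret integer."""
    return hashlib.sha256(str(secret).encode()).hexdigest()


def _hash_mod_n(value: int) -> int:
    return int(hashlib.sha256(str(value).encode()).hexdigest(), 16) % RSA_N


def sign(value: int) -> int:
    """Toy RSA signature over a hash of value (server's long-term key)."""
    return pow(_hash_mod_n(value), RSA_D, RSA_N)


def verify(value: int, sig: int) -> bool:
    return pow(sig, RSA_E, RSA_N) == _hash_mod_n(value)


def static_rsa_handshake():
    """Client encrypts a fresh pre-master secret under the server's RSA key.
    Returns (client_key, server_key, recorded_transcript)."""
    pms = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"enc_pms": pow(pms, RSA_E, RSA_N)}     # this is on the wire
    server_pms = pow(transcript["enc_pms"], RSA_D, RSA_N)
    return kdf(pms), kdf(server_pms), transcript


def dhe_handshake():
    """Both sides pick one-time exponents; the long-term key only signs A.
    Returns (client_key, server_key, recorded_transcript)."""
    a = secrets.randbelow(DH_P - 2) + 1      # server ephemeral, never sent
    b = secrets.randbelow(DH_P - 2) + 1      # client ephemeral, never sent
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"A": A, "sig_A": sign(A), "B": B}      # all that is on the wire
    if not verify(transcript["A"], transcript["sig_A"]):
        raise ValueError("server ephemeral failed signature check")
    return kdf(pow(A, b, DH_P)), kdf(pow(B, a, DH_P)), transcript


def recover_from_leaked_key(transcript: dict):
    """What a recorded transcript yields to someone who later obtains RSA_D."""
    if "enc_pms" in transcript:
        # Static RSA: the leaked key decrypts the recorded pre-master secret,
        # so every recorded session key falls out.
        return kdf(pow(transcript["enc_pms"], RSA_D, RSA_N))
    # DHE: the leaked key only lets the holder check the signature on A.
    # Neither exponent a nor b was ever transmitted, so the session key
    # cannot be derived from the recording.
    return None
```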
I think it's pretty clear that the US government simply does not have the manpower to read every single online communication in the world and if they can't read it it is useless. So is there some way we can fuck up their automated filters? It would be great if Snowden had information on the actual keywords that PRISM searches for to bump the communication over to a human.
How about an application that intentionally comes up with suspicious-sounding emails that spam all of the NSA keywords. If each of us ran such a program and sent hundreds of such decoys per day, their system would become useless for anything practical. Unfortunately this doesn't really work for voice communication.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
Number two, some of them may be chubby but nobody is fat enough to sit ON even 1000 Americans at once, let alone millions.
Roseanne Barr comes pretty close.
Scruting the inscrutable for over 50 years.
One thing Steve Gibson of TWiT Network's "Security Now" mentioned was that the NSA essentially tapped critical points in the Internet backbone to get all the data--they don't need to be directly accessing the servers of Amazon.com, Apple, Facebook, Google, Microsoft, and so on to get all the data from these companies. And I bet every intelligence agency worldwide has done this a long time ago.
In short, blame the Tier 1 backbone providers for allowing such free access to the Internet by the government intelligence agencies.
WaPo is undermined by being American. On the other hand, ... about time.
we now have the Germans and the French being "really fcuking angry"
which is
John Eadie [JE46] http://www.c-art.com `one of these days the dogs aren't going to eat the dog food' - Bill Joy
Keep in mind, a dumbfuck with a fancy calculator is still a dumbfuck.
A system that's smart enough to infer belief and future actions from one billion phone calls per day
is
also smart enough to turn on its creator.
which is pretty much what's happened.
Not normally but in this case, AC is clear winner
I have never seen the Washington Post referred to as 'WA Post' before. Mainly because there are 2 Washingtons in the USA, both very very far away from each other. WA is Washington State, which is where Seattle & Redmond are. The Washington the Washington Post is based out of is Washington, DC.
So either Washington Post or WaPo or Wa Post - but surely not WA Post.
I can't publicly comment on this issue, but I work for one of the very large corporations listed in the report, I sit in a nice office and tell people what to do in the data centers, specifically anything to do with tapping network connections.
The scope of the collection being reported is *laughable* at best. This whole thing is the biggest steaming pile of nonsense. The U.S. government is one of the most inept and disorganized institutions on the face of the planet. They do *not* have anything close to the widespread "at your finger tips" crap the Post reports. They *do* tap the hell out of the carrier networks and *do* subpoena information under the pretext of existing laws, most of which were established under the Patriot Act. This grandiose idea that they have "direct access" to any corporation's servers in the report is misguided at best and most likely a complete lie from the beginning to make someone's presentation look important, or maybe, could it be, just another smear job to make the president look bad?
But is she an NSA employee or just a contractor?
I often think that Congress, Bankers and Industrialists in the US are a Triad of Evil.
10,000 more suicides per year, "post-recession"
20,000 more deaths from lack of healthcare, "post-recession".
That's 30,000 more people dead.
John Kerry can claim that Snowden endangered lives
but he and his crew are actually murdering almost 3,000 per month.
I thought WA stood for Washington state, not Washington DC. (I'm Australian, so I could be wrong.)
Or did someone get confused by "WaPo", a common abbreviation for The Washington Post?
Credit Card Companies. Imagine the amount of analysis used for fraud protection... very similar.
You can't do anything aside from living in a cave without a credit report and rating.
Mind that the credit card companies scan every purchase made and analyze every transaction in their system (whether it's bank owned: your cold cash; internet owned: PayPal, even bitcoin; or even the black market: laundering). Sure, use cash, which is paper with serial numbers.
Closest you can get is drugs, gold, or weapons, but that's another story and the 1% has the market on these limited resources.
This is not America. It really isn't. At one time we actually stood for something. A principle. An ideal. To live free or die trying. 1984 was never intended as an instruction manual.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
It leaves the viewer thinking everything is perfect and any errors were mistakes... rather than say any real reporting was ever done in the first place.
Freedom is only freedom if it includes the freedom to make the wrong decisions, including all sorts of crimes and anti-social behaviour.
I run I2P. I get encrypted data I do not know what is, and I send encrypted data I do not know what is. I cannot control other people's freedom; I can only control my own freedom and whatever use I myself put I2P to, if I use it for anything at all.
I refuse to be your slave and you should refuse being a slave unto yourself as well, because that is the actual content of what you wrote: you refuse freedom because of the potential actions of others.
I am a human. I deserve and demand freedom simply because I am sentient. If you try to take freedom away I will fight you and if necessary kill you with a clean conscience. Others will too, because they're human.
Move your sites over to I2P, where everything is encrypted, self-host without expenditure, and you do not store other people's content.
If enough move it will make a huge impact.
Create the sites you want in the I2P network. The Slashdot community belongs there, not on the plaintext "telnet internet". Technical communities belong there.
Rebuild. Route. Retake.
Exactly! Every time I read about this story, the worst parts of the surveillance are not supported by the evidence shown on the slides either, and look like sloppy, extraordinary claims. I'd love to see the evidence that supports the claims that FISC doesn't review individual collection requests, which could mean each incident of collection (event) or "I"ndividual collection requests, meaning that a FISA warrant could grab a group of people based on FISC-approved criteria.
I really do want to see this evidence, but the more I read of this story the more I think that most of the claims that the Post and Guardian are making are a misunderstanding of what their sources are actually telling them.
Whether or not there is some sort of god, I'm not supposed to say/god is a word and the argument ends there-Smog
I honestly don't know, but I thought it was illegal for the FBI to spy on U.S. citizens as well?
Depends on the case law - but basically the 4th Amendment was supposed to protect everyone from this sort of thing - every gov't entity is supposed to get a warrant before spying. The fact that every gov't entity isn't disavowing this program, but instead saying "we get a warrant to look at the results" is really disingenuous. They shouldn't be collecting the information in the first place.
It is never called "The WA Post." It's "The Washington Post." WA is a state on the Pacific coast.
Kriston