How Big Companies Can Hamper the Surveillance Infrastructure
Trailrunner7 writes "Buried underneath the ever-growing pile of information about the mass surveillance methods of the NSA is a small but significant undercurrent of change that's being driven by the anger and resentment of the large tech companies that the agency has used as tools in its collection programs. The changes have been happening since almost the minute the first documents began leaking out of Fort Meade in June. When the NSA's PRISM program was revealed this summer, it implicated some of the larger companies in the industry as apparently willing partners in a system that gave the agency 'direct access' to their servers. Officials at Google, Yahoo and others quickly denied that this was the case, saying they knew of no such program and didn't provide access to their servers to anyone and only complied with court orders. More recent revelations have shown that the NSA has been tapping the links between the data centers run by Google and Yahoo, links that were unencrypted. That revelation led a pair of Google security engineers to post some rather emphatic thoughts on the NSA's infiltration of their networks. It also spurred Google to accelerate projects to encrypt the data flowing between its data centers. These are some of the clearer signs yet that these companies have reached a point where they're no longer willing to be participants, witting or otherwise, in the NSA's surveillance programs."
Until Larry and Sergey get sat down and given the "you're a grown-up now, stop acting like a sub" talk. They should have hired some real adult supervision instead of "creepy uncle" Eric.
If you want large companies to not perform surveillance, move them to a country where the government can't secretly compel them to do whatever it wants.
Due to US cryptography export restrictions, it's likely easier to actually provide some security if you leave the US too.
Outsource freedom: because losing the jobs isn't enough anymore.
This is not a technological problem, technology is (as far as we know) robust if implemented properly. The question is are they willing to implement it, and are they allowed to disobey.
They aren't getting *nearly* paranoid enough. They should be encrypting the data on disk, on network connections between machines in the *same* data center, not just between centers. In fact the data should remain encrypted at all times unless absolutely necessary to have in clear-text to process it -- and that should never leave the CPU. It should remain clear-text only for the absolutely minimum time required.
They should assume that hostile agencies (foreign *and* domestic) have tapped every last network link they own. As well as most routers and processing machines. They should also assume that some small percentage of their workforce are working on behalf of one of these adversaries. Given these assumptions they should design a system that can remain as secure as possible given these circumstances.
Merely encrypting the network links between their data centers is not nearly enough to thwart the likes of the NSA, CSEC, GCHQ or other nameless agencies.
Ian Ameline
These are some of the clearer signs yet that these companies have reached a point where they're no longer willing to be participants
Or, before they were willing to hide their complicity, but now they're willing to both hide it and lie loudly about it.
Hypocritical Google engineers probably wouldn't have their job if their company hadn't been so compliant, as Google wouldn't have grown to the behemoth it is today.
But there's a long way to go yet.
Just another veil of secrecy, big company internals. The NSA++ sub-state within a state, supposedly in cahoots with big companies, or the other way around.
No one on the outside is getting the real story.
The defense against anything is common: first total denial, then admit something and at the same time issue counter-info. What was it? Ah, it defends against terrorism. How many actual cases? 57 was one number that came out. The number is not getting into many people's brains, the terrorism defense does, and the world is OK again...
Anything really changing, with this paid puppet-government?
Too bad secret laws exist to force you, even if you don't want, and to not say that you are doing it. And a lot could want anyway, as could be incentives to make it desirable (like obtained secrets of competitors, "friendly" judges and so on). In any case, American companies can't be trusted, and big enough from other countries on line with this (UK, Australia, Sweden, Israel, maybe whoever signs the TPP, etc) probably should be avoided too.
The genie is out of the bottle. Users, particularly non-USA users, will never again trust American internet service providers. I expect far-reaching ramifications, the extent of which won't be fully known for a couple of years.
Mass surveillance and data collection is the business model at companies like Google and Yahoo. If their frustrations are genuine it is only that they are angry that their data is being taken without being properly paid for it.
"If it looks like a duck, ..."
"You probably know that one.
"Please tell me, what is all this drive towards one account, no anonymity, all this cloud ...",
and data storage about?
"You have been convicted of privacy transgressions before, although admittedly minor
compared to the Nefarious Scumbag Assholes".
"Please, Miss Google, get some clue that 'appearances are against you', as they say"
"Why is it that I, a prolific and avid googler, have never seen on your sites, never once
among the many times I pass by on a single day, any statement to the effect that you
despise the NSA, that you will not commit my data to them, that
"well, you know what I mean (actually I suspect you know I'm mean)"
"Dear Google, are you with me or against me".
"Whatever happened to 'Do no evil'. Was that just a hollow PR ploy? An imperative
to the 'other players' and something to pat yourself on the back with now and then?"
"In fact Google --since you started it (the mentioning)-- how do you define evil?"
"It would be nice to get your enlightened insights, preferably with a name under it".
"Nothing personal -- just accountability, you know"
"Thank you".
or maybe their protests and hand-wringing and emphatically blogged thoughts are just business as usual - corporations routinely pay spin doctors to advise them on what to do and how to manipulate opinion whenever they get caught doing stuff they're not supposed to.
to their way of thinking reality is nothing, perception is everything.
Encrypting by the big players is significant. The data streams between their centers effectively mirror all they have; from the POV of the government-sanctioned goons it is about as good as you're going to get without the need to physically enter the server rooms.
A small forum is obviously not using a secure connection to hide their data but instead it's meant to secure the login process.
Yet it shows that not only the big enterprises are able to improve security, and especially the privacy of their users.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
The moment the government threatens their bottom-line profits it will be "well, we didn't want to comply, but they got a court order."
That is the only reason they want to be able to publish the 'meta' data on how many requests they get. It allows them to shift the blame.
The big tech companies want to appear to be unwilling to cooperate with spying. But what's to keep them from secretly cooperating all the same?
Distrusted cloud services get abandoned, which costs them money, which costs their stock prices, which costs millions of middle Americans their stock value, which drives a stake of fear into the hearts of Congress.
Let the money issue work *for* you.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Microsoft helping NSA to hack your Windows
According to a new report from the corporate press (as corporate as it can get, being Bloomberg), Microsoft tells NSA staff about universal unpatched holes before they are addressed:
Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government "an early start" on risk assessment and mitigation.
Glyn Moody asked, "why would anyone ever trust Microsoft again...?"
Frank Shaw is not a technical man. His job is to lie, e.g. about sales of Vista 8 (quite famously and most recently). He came from Waggener Edstrom, a lying and AstroTurfing company. The above should be read as follows: when new holes exist which permit remote hijacking the unaccountable, cracking-happy NSA is being notified. What can possibly go wrong now that we have proof that the NSA is cracking PCs abroad with impunity?
Some of the back and forth is innocuous, such as Microsoft revealing ahead of time the nature of its exposed bugs (ostensibly providing the government with a back door into any system using a Microsoft OS, but since it's don't ask, don't tell, nobody really knows). However the bulk of the interaction is steeped in secrecy: "Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.'s major spy agencies, the people familiar with those programs said."
Which guys does he speak of? In the recently published article, the subject diagram isn't clear on exactly what is going on. My reading of this is that the "SSL Added and removed here!" note with smiley face is pointing directly at the GFE (Google Front End) server, meaning that this activity is occurring on this server (group). Now, in my limited time as a sysadmin, I have yet to see how any outside party can gain ongoing access for such processes without the complicity of the admin. So, perhaps these Google engineers should be looking inwards for someone worthy of their F-bombs.
Actually, the drawing alone doesn't say much. It could simply be a drawing of Google's SSL architecture as it relates to its internal cloud structure. It doesn't say who is adding/removing SSL. The implication made by the Google staff reaction is that this is something nefarious. Could be. Could also be that they don't know how a public SSL gateway on a private Intranet is configured.
Have gnu, will travel.
The NSA compromises our infrastructure, and adversaries get access to exactly the kind of intel we don't want them to have.
And.. If Snowden was there, they are (or were) too.
When the government lets you keep BILLIONS in profit by allowing you to offshore your revenue through several shelter companies, you got to expect they want something in return. Surprise! We hear YOU!
They seem to have caught on, but now the lesson needs to be made memorable.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Encrypting is useful, but then comes the very nasty thing that comes with it: Key management.
This hits the nail right on the head. Encrypting is an important thing to do but if they hand over the keys (intentionally or not) then all the encryption in the world means nothing. And frankly key management is the most difficult piece of the puzzle because of the human factor. Only one person has to be compromised and all your encryption is for naught. Furthermore under our current legal framework with national security letters, people can probably be compelled to hand over encryption keys and risk jail time if they speak up about it to anyone.
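The two technical points in this thread, the poster above who wants data encrypted on disk and on every link so that cleartext exists only briefly inside the process that needs it, and the replies noting that key management is the part that actually hurts, are both covered by the envelope-encryption pattern below. This is an added example in Go using only the standard library, not code from Google, Yahoo or anyone quoted here; the record format, the `Envelope` type, the function names and the `owner=...;table=...` context string are my own illustrative choices. A per-record data key (DEK) seals the payload with AES-GCM; a long-lived key-encryption key (KEK) seals the DEK; only the two sealed blobs ever cross a link or land on disk. Rotating the KEK rewrites the small wrapped key and leaves the bulk ciphertext untouched, which is what makes rotation over large stores feasible, and binding a context string as associated data means a blob lifted from one user's mailbox cannot be replayed under another's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what crosses the wire or lands on disk. Neither the KEK nor the
// unwrapped DEK is stored in it. (Illustrative layout, not any real system's.)
type Envelope struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad)
	Ciphertext []byte // nonce || AES-GCM(DEK, payload, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext+tag with aad bound into the tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// open is the inverse of seal; any bit flip or wrong aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns+g.Overhead() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt seals payload under a fresh random 256-bit DEK and wraps that DEK
// under kek; the plaintext DEK is dropped as soon as this function returns.
func Encrypt(kek, payload, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, payload, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK and opens the payload under the same aad.
func Decrypt(kek []byte, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, env.Ciphertext, aad)
}

// Rewrap rotates the KEK without touching the payload ciphertext.
func Rewrap(oldKEK, newKEK []byte, env *Envelope, aad []byte) error {
	dek, err := open(oldKEK, env.WrappedDEK, aad)
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, aad)
	if err != nil {
		return err
	}
	env.WrappedDEK = wrapped
	return nil
}

// Leaks reports whether plaintext is visible anywhere a passive tap could look.
func Leaks(env *Envelope, plaintext []byte) bool {
	return bytes.Contains(env.WrappedDEK, plaintext) || bytes.Contains(env.Ciphertext, plaintext)
}

func main() {
	kek := make([]byte, 32) // demo only; a real KEK lives in an HSM or KMS
	io.ReadFull(rand.Reader, kek)
	aad := []byte("owner=alice;table=inbox")
	env, _ := Encrypt(kek, []byte("Subject: lunch?"), aad)
	fmt.Println("plaintext visible on the wire:", Leaks(env, []byte("lunch")))
	_, err := Decrypt(kek, env, []byte("owner=mallory;table=inbox"))
	fmt.Println("opened under another user's context:", err == nil)
}
```

The part this does not solve is the one the replies above point at: whoever holds the KEK, or can be compelled to hand it over, can read everything. The pattern only narrows the secret to one key that can be kept in dedicated hardware and rotated, rather than spread across every disk and every link.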
TFA just says tech giants do not want to cooperate with NSA. No real news here. Save your time, skip that one.
I understand why Google or Yahoo would be upset. They obeyed the law, complied with the NSA, and got screwed by them anyway.
My argument is with the phone companies, Verizon and AT&T, who went way beyond what they were legally required to do in terms of providing information to the NSA. I wonder what goodies they received from that relationship: better relationships with the FCC? Special access to spectrum auctions? More allowances from the government on how they could pursue union negotiations?
While Google could easily be cast as a good company forced into a tight spot, it seems Verizon et al are intent on slowing innovation, making the internet slower and more expensive, subjugating their workforce, and illegally spying on their customers.
Is there a remedy to surveillance that can stand up to that 5 dollar wrench called being detained indefinitely as a terrorist?
Of course the relevant people at Google, Yahoo and M$FT (up to and including Brin, Page, Mayer, Schmidt) knew that transmitting customer data in the clear was making customer data extremely vulnerable. Encryption would have cost chump change, relative to the billions of profits they rake in.
But you know what ? That was the confidential "gentlemen's agreement" with the government. Read what Mr Schmidt said and wrote. These guys want to be part of World Government. Their entry token into this circle is information. YOUR INFORMATION.
All these large corporations are in bed with government and NY finance.
What can YOU do? Run your own little server 365/24 in your basement. Use a Raspberry Pi for that. Encrypt everything. Avoid Google, Facebook, Yahoo, Hotmail like the plague. Most of the software is already there. You just need to set it up on the RPi. Then make it accessible via a Dynamic DNS service (there is more than DynDNS).
Freedom is work, Convenience is Slavery !
"Google is to be respected there"
For what exactly ? For transmitting your gmail inbox IN THE CLEAR from (say) San Diego to Dublin ? So that GCHQ, DGSE, Irish Intelligence, Unit 8200 and probably also the North Koreans could read it ?
That's funny that you think national security letters are delivered in the mail. They are delivered in person by an NSA agent, who holds it for you while you read it. No, you don't get a copy. And telling /anyone/ about the visit is a crime. At least Writs of Assistance were public, so people knew who to blame.
Then you don't meet them or they come and visit you in another country where you have your security guards hold them down and you photocopy the letter and have it distributed on the Internet. Then you kick them out.
In the free world the media isn't government run; the government is media run.
Sure as hell Google is cooperating: They first give users a sense of security "all https-encrypted", then they shift data between Singapore and San Francisco data centers IN PLAINTEXT back and forth.
That counts as "cooperation" to me. Of course nothing is documented, all is done by means of some senior people talking to each other. You know, National Security Council man Cohen meeting CEO Schmidt: "you have too much security from that nasty https stuff. We need you to move everything periodically back and forth of our and Australia's collection system. Can't you help us somehow ?" Schmidt: "Wait. I need a cover story. Gimme five minutes". A coffee later: Schmidt: "We will tell the plebs that we 'regularly optimize our data center usage' and to that end we move millions of inboxes around the globe on a regular basis." Cohen: "Schmitty, you are one of the boys ! Let me know if you ever need some help from my friend General Alexander The Great or Unit 8200 !".
Of course this conversation will never be recorded, so that Schmitty can "plausibly deny". But of course Schmitty will ensure that every single fucking gmail inbox is being shifted between data centers every couple of weeks. Over that plaintext link, of course.
Switzerland does indeed have an independent military, not part of NATO. But alas, they are definitely America's bitch wherever it truly matters and have been for decades. Read up on "Crypto AG".
I think a lot of this is consumer attitudes.
Look at how the SSN is used in the US. It's a great identifier as there is a direct 1:1 mapping between a person and their SSN.
In the US almost everyone asks for it and they are normally given the number.
In Canada (and I lived in both countries for a while) I think the privacy laws are tougher to protect the privacy of the citizens. Look at all the fighting the Canada privacy commission did with Facebook, or other examples of US-based services encountering problems with them.
Privacy commission vs Facebook: http://www.priv.gc.ca/media/nr-c/2009/nr-c_090827_e.asp
In Canada I don't have to give my SIN to anyone other than banks, employers and the government, and they normally can't deny servicing me because of my refusal to provide my SIN.
When I call any US credit card agency one of the first things they ask for is my SSN.
From WIKI:
Through functionality creep, the SIN has become a national identification number, in much the same way that the Social Security Number has in the United States. However, unlike in the US, in Canada there are specific legislated purposes for which a SIN can be requested. Unless an organization can demonstrate that the reason they are requesting a person's SIN is specifically permitted by law, or that no alternative identifiers would suffice to complete the transaction, they cannot deny or refuse a product or service on the grounds of a refusal to provide a SIN. Examples of organizations that legitimately require a SIN include employers, banks and investment companies, and federal government agencies. Giving a SIN when applying for consumer credit, such as buying a car or electronics, or allowing it to be used as a general purpose identification number, such as by your cable company, is strongly discouraged.
I am not going to say Canada doesn't spy (we have CSIS, something like the NSA), but we also have a privacy commission with some bite.
Then you don't meet them
That's not how that works. If you refuse then an arrest warrant will be issued, and the federal SWAT will be breaking down the door and dragging you off to jail with a "material assistance to terrorism"[*] charge.
or they come and visit you in another country
The person who is on-site manager will be the one getting the visit. You have very strange ideas about how the legal system works.
[*] I love this name, check out the code. That is so ridiculously over-broad that you could be arrested for giving detailed street directions to someone on a terrorist list even if you had no way of knowing that.
A recent FOIA request by ProPublica for emails between NSA employees and employees of the National Geographic Channel, over a time period when the TV station had aired a friendly documentary on the NSA, resulted in the following response from the NSA (the supercomputing powerhouse): "There's no central method to search an email at this time with the way our records are set up, unfortunately.... [the system is] a little antiquated and archaic." A former employee of the Bureau of Labor Statistics said that the department's entire data set fits on a single hard drive. Note that in the 90s the IRS was still using vacuum tube technology. The National Security Agency in the last couple of years just started building modern data centers in Utah. There is abundant evidence provided by the Thomas Drake prosecution and the 9-11 commission report that information management is a problem in the intelligence community.

Does Google have better information management technology than the NSA? If corporations do have better data on the U.S. economy and population than the U.S. government, doesn't it make sense to be governed by these corporations, i.e. Government Sachs? Is it not true that he who has the information has the power? And of course doesn't that create a clear "moral hazard" and "regulatory capture" situation as the corporations are regulated by the government? Regulatory capture is basically when the cops and judges are owned; the book "13 Bankers" goes over the issue for Wall Street. Isn't corporate control of government part of what Occupy Wall Street activists protested?
Back in 2003 the bank I worked for went through a fairly painful process of setting up encryption across all of its WAN links. At the time I was less than convinced that there was any point to it - I can say now that I was completely wrong.
I thought it's not a CPU penalty to encrypt EVERYTHING. I'm also looking at the ISPs out there like Cox, Comcast, AT&T, et al. From the demux at the customer premises to your switching and peering centers should ALL be encrypted. Every last bit of it. Let the NSA chew on that.
and not involved with the NSA, why have no lawsuits been filed yet?
The person who is on-site manager will be the one getting the visit. You have very strange ideas about how the legal system works.
I think you'll find out that if said country is hostile to USA relations, they would be considered fair game as per what the OP said about having armed guards; you could even kill them right there and deny it ever happened.
You (as a company) won't even have any repercussions as long as you have no offices in the USA.
Now, predator missiles and the like are another matter completely.
You don't have an on-site manager in the USA.
What is so hard to understand about just not operating in the USA?
Too Dumb; Didn't Read
Anything the industry does to try to hamper surveillance efforts, they can be told to stop doing by secret courts, and prohibited from even letting us know about it.
The only thing the industry can do to hamper surveillance efforts is to spill all the beans, all the time, about all the national security requests. But that would result in a bunch of rich people going to jail. Let us not forget the lesson of Qwest.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"