Slashdot Mirror
How Big Companies Can Hamper the Surveillance Infrastructure
Trailrunner7 writes "Buried underneath the ever-growing pile of information about the mass surveillance methods of the NSA is a small but significant undercurrent of change that's being driven by the anger and resentment of the large tech companies that the agency has used as tools in its collection programs. The changes have been happening since almost the minute the first documents began leaking out of Fort Meade in June. When the NSA's PRISM program was revealed this summer, it implicated some of the larger companies in the industry as apparently willing partners in a system that gave the agency 'direct access' to their servers. Officials at Google, Yahoo and others quickly denied that this was the case, saying they knew of no such program and didn't provide access to their servers to anyone and only complied with court orders. More recent revelations have shown that the NSA has been tapping the links between the data centers run by Google and Yahoo, links that were unencrypted. That revelation led a pair of Google security engineers to post some rather emphatic thoughts on the NSA's infiltration of their networks. It also spurred Google to accelerate projects to encrypt the data flowing between its data centers. These are some of the clearer signs yet that these companies have reached a point where they're no longer willing to be participants, witting or otherwise, in the NSA's surveillance programs."
If you want large companies to not perform surveillance, move them to a country where the government cant secretly compel them to do what every they want.
Due to US cryptography export restrictions, its likely easier to actually provide some security if you leave the US too.
Outsource freedom: because losing the jobs isn't enough anymore.
They aren't getting *nearly* paranoid enough. They should be encrypting the data on disk, on network connections between machines in the *same* data center, not just between centers. In fact the data should remain encrypted at all times unless absolutely necessary to have in clear-text to process it -- and that should never leave the CPU. It should remain clear-text only for the absolutely minimum time required.
They should assume that hostile agencies (foreign *and* domestic) have tapped every last network link they own. As well as most routers and processing machines. They should also assume that some small percentage of their workforce are working on behalf of one of these adversaries. Given these assumptions they should design a system that can remain as secure as possible given these circumstances.
Merely encrypting the network links between their data centers is not nearly enough to thwart the likes of the NSA, CSEC, GCHQ or other nameless agencies.
Ian Ameline
But there's a long way to go yet.
Just another veil of secrecy, big company internals - The NSA++ sub-state in a state supposedly in cahoots with big companies - or the other way around..
No one on the outside is getting the real story.
The defense against anything is common: First total denial, then admit something and at the same time issue counter-info. What was it? Ah, it defends against terrorism, how many actual cases - 57 as one number came out. The number is not getting into many people's brains, the terrorism-defense does, world OK again...
Anything really changing, with this paid puppet-government?
Too bad secret laws exist to force you, even if you don't want, and to not say that you are doing it. And a lot could want anyway, as could be incentives to make it desirable (like obtained secrets of competitors, "friendly" judges and so on). In any case, American companies can't be trusted, and big enough from other countries on line with this (UK, Australia, Sweden, Israel, maybe whoever signs the TPP, etc) probably should be avoided too.
The genie is out of the bottle. Users, particularly non-USA users, will never again trust American internet service providers. I expect far-reaching ramifications, the extent of which wont be fully known for a couple years.
Mass surveillance and data collection is the business model at companies like Google and Yahoo. If their frustrations are genuine it is only that they are angry that their data is being taken without being properly paid for it.
"If it looks like a duck, ..."
"You probably know that one.
"Please tell me, what is all this drive towards one account, no anonymity, all this cloud ...",
and data storage about?
"You have been convicted of privacy transgressions before, althougn admiitedly minor
compared to the Nefarious Scumbag Assholes".
"Please, Miss Google, get some clue that 'appearances are against you', as they say"
"Why is it that I, a prolific and avid googler, have never seen on your sites, never once
among the many times I pass by on a single day, any statement to the effect that you
despise the NSA, that you will not commit my data to them, that
"well, you know what I mean (actually I suspect you know I'm mean)"
"Dear Google, are you with me or against me".
"Whatever happened to 'Do no evil'. Was that just a hollow PR ploy? An imperative
to the 'other players' and something to pat yourself on the back with now and then?"
"In fact Google --since you started it (the mentioning)-- how do you define evil?"
"it would be nice to get you enlightened insights, preferably with a name under it".
"Nothing personal -- just accountability, you know"
"Thank you".
or maybe their protests and hand-wringing and emphatically blogged thoughts are just business as usual - corporations routinely pay spin doctors to advise them on what to do and how to manipulate opinion whenever they get caught doing stuff they're not supposed to.
to their way of thinking reality is nothing, perception is everything.
Encrypting by the big players is significant, the data streams between their centers effectively mirrors all they have, from the POV of the government sanctioned goons it is about as good as you're going to get without the need to physically enter the server rooms.
A small forum is obviously not using a secure connection to hide their data but instead it's meant to secure the login process.
Yet it shows not only the big enterprises are able to improve security and especially the privacy of their users
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
The big tech companies want to appear to be unwilling to cooperate with spying. But what's to keep them from secretly cooperating all the same?
Distrusted cloud services get abandoned, which costs them money, which costs their stock prices, which costs millions of middle Americans stock price, which drives a stake of fear into the hearts of Congress.
Let the money issue work *for* you.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Microsoft helping NSA to hack your Windows
According to a new report from the corporate press (as corporate as it can get, being Bloomberg), Microsoft tells NSA staff about universal unpatched holes before they are being addressed:
Microsoft Corp. (MSFT), the worldâ(TM)s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesnâ(TM)t ask and canâ(TM)t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to be give government âoean early startâ on risk assessment and mitigation.
Glyn Moody asked, âoewhy would anyone ever trust Microsoft againâ¦?â
Frank Shaw is not a technical man. His job is to lie, e.g. about sales of Vista 8 (quite famously and most recently). He came from Waggener Edstrom, a lying and AstroTurfing company. The above should be read as follows: when new holes exist which permit remote hijacking the unaccountable, cracking-happy NSA is being notified. What can possibly go wrong now that we have proof that the NSA is cracking PCs abroad with impunity?
Some of the back and forth is innocuous, such as Microsoft revealing ahead of time the nature of its exposed bugs (ostensibly providing the government with a back door into any system using a Microsoft OS, but since itâ(TM)s donâ(TM)t ask, dontâ(TM) tell, nobody really knows). However the bulk of the interaction is steeped in secrecy: âoeMost of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.â(TM)s major spy agencies, the people familiar with those programs said.â
Which guys does he speak of? In the recently published article, the subject diagram isn't clear on exactly what is going on. My reading of this is that the "SSL Added and removed here!" note with smiley face is pointing directly at the GFE (Google Front End) server, meaning that this activity is occurring on this server (group). Now, in my limited time as a sysadmin, I have yet to see how any outside party can gain ongoing access for such processes without the complicity of the admin. So, perhaps these Google engineers should be looking inwards for someone worthy of their F-bombs.
Actually, the drawing alone doesn't say much. It could simply be a drawing of Google's SSL architecture as it relates to its internal cloud structure. It doesn't say who is adding/removing SSL. The implication made by the Google staff reaction is that this is something nefarious. Could be. Could also be that they don't know how a public SSL gateway on a private Intranet is configured.
Have gnu, will travel.
Companies that don't comply with court orders tend to face severe consequences.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Disobey WHAT?
Taping into data links between corporate data centers was not done with a warrant or a court order.
There is nothing to Obey. It was simply unreasonable search and seizure.
Sig Battery depleted. Reverting to safe mode.
Sure. But. Forget not though, along with the thankless job of being the World's preeminent economic and military power come a few bennys: My guess is the US budget for whatever the black ops require dwarfs 'theirs' by an OOM. American assets are there too, where %there=everywhere% .
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
They seem to have caught on, but not the lesson needs to be made memorable.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Encrypting is useful, but then comes the very nasty thing that comes with it: Key management.
This hits the nail right on the head. Encrypting is an important thing to do but if they hand over the keys (intentionally or not) then all the encryption in the world means nothing. And frankly key management is the most difficult piece of the puzzle because of the human factor. Only one person has to be compromised and all your encryption is for naught. Furthermore under our current legal framework with national security letters, people can probably be compelled to hand over encryption keys and risk jail time if they speak up about it to anyone.
TFA just says tech giants do not want to cooperate with NSA. No real news here. Save your time, skip that one.
businesses were allowed to do anything they wanted, for example Microsoft when it was convicted of lying, cheating, and stealing.
Must be Tough trying to make a point when you contradict yourself in the first sentence.
Sig Battery depleted. Reverting to safe mode.
Totally agree. A few 3am visits from the NSA, IRS, & friends will get those pesky kids back into the fold quickly.
The NSA has been operating with "the key under the mat" and an "attaboy" to the big CEOs involved, they even throw them some honest business. Cross the NSA and they send somebody to harass the CEOs directly... Company policy changes pretty quickly... The "key under the mat" becomes a more overt "moving in" on your turf.
Unless they are big companies, then they just get the laws, adjusted.
Maybe read on.
Is there a remedy to surveillance that can stand up to that 5 dollar wrench called being detained indefinitely as a terrorist?
Companies that don't comply with court orders tend to face severe consequences.
If I were Google I'd set up my corporate headquarters in a country with no extradition treaty with the USA. I'd employ no personnel in the USA, just use contractors there and not trust them with anything sensitive. The less they know, the less access they have the safer they are.
In the free world the media isn't government run; the government is media run.
If they are facing a court order it is already too late for that.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Feel free. Russia is available. Lots of resources. Top technical talent. There are a few problems: active terrorist attacks, active insurgency in Chechnya, problems with corruption and crime. The FSB, formerly the KGB, is using Snowden's stolen documents as a blueprint to upgrade their internal security. While the FSB is required to get a warrant for some actions, it doesn't have to show it to anybody. Plenty more things along those lines. But they have no extradition treaty.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
That's funny that you think national security letters are delivered in the mail. They are delivered in person by an NSA agent, who holds it for you while you read it. No, you don't get a copy. And telling /anyone/ about the visit is a crime. At least Writs of Assistance were public, so people knew who to blame.
Then you don't meet them or they come and visit you in another country where you have your security guards hold them down and you photocopy the letter and have it distributed on the Internet. Then you kick them out.
In the free world the media isn't government run; the government is media run.
I think a lot of this is consumer attitudes.
Look at how the SSN is used in the US. Its a great identifier as there is a direct 1:1 mapping between a person and their SSN.
In the US almost everyone asks for it and they are normally given the number.
In Canada (and i lived in both countries for a while) I think the privacy laws are tougher to protect the privacy of the citizens. Look at all the fighting the Canada privacy commission did with Facebook, or other examples of US based services encountering problems with them.
Privacy commission vs Facebook: http://www.priv.gc.ca/media/nr-c/2009/nr-c_090827_e.asp
In Canada i dont have to give my SIN to anyone other then banks, employers and the government and i they normally cant deny servicing me because of my refusal to provide my SIN.
When I call any US credit card agency one of the first things they ask for is my SSN.
From WIKI:
Through functionality creep, the SIN has become a national identification number, in much the same way that the Social Security Number has in the United States. However, unlike in the US, in Canada there are specific legislated purposes for which a SIN can be requested. Unless an organization can demonstrate that the reason they are requesting a person's SIN is specifically permitted by law, or that no alternative identifiers would suffice to complete the transaction, they cannot deny or refuse a product or service on the grounds of a refusal to provide a SIN. Examples of organizations that legitimately require a SIN include employers, banks and investment companies, and federal government agencies. Giving a SIN when applying for consumer credit, such as buying a car or electronics, or allowing it to be used as a general purpose identification number, such as by your cable company, is strongly discouraged
I am not going to say Canada doesnt spy (we have CSIS, something like the NSA), but we also have a privacy commission with some bite.
A recent foia request by propublica for emails between NSA employees and employees of the National Geographic Channel over a time period that the TV station had aired a friendly documentary on the NSA resulted in the following response from the NSA (the supercomputing powerhouse) "There's no central method to search an email at this time with the way our records are set up, unfortunately.... [the system is] a little antiquated and archaic." A former employee of the department of labor statistics said that the department's entire data set fits on a single hard drive. Note that in the 90’s the IRS was still using vacuum tube technology. The National Security Agency in the last couple of years just started building modern data centers in Utah. There is abundant evidence provided by the Thomas Drake prosecution and the 9-11 commission report that information management is a problem in the intelligence community. Does google have better information management technology than the NSA? If corporations do have better data on the U.S. economy and population than the U.S. government doesn't it make sense to be governed by these corporations, ie government sachs? Is it not true that he who has the information has the power? And of course doesn't that create a clear “moral hazard”and “regulatory capture” situation as the corporations are regulated by the gov? Regulatory capture is basically when the cops and judges are owned, the book "13 bankers" goes over the issue for wall street. Isn’t corporate control of government part of what occupy wall street activists protested?
I thought it's not a cpu penalty to encrypt EVERYTHING. I'm also looking at the ISP's out there like Cox, Comcast, at&t, et al. From the demux at the customer premise to your switching and peering centers should ALL be encrypted. Every last bit of it. Let the NSA chew on that.
You must be looking at the wrong American girls. Piece of advice: don't cross the Russian mafia, either in or out of government.
Why would Snowden want to return? To avoid Pox Russia. Enjoy yourself.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Look what happened to Quest and their CEO after refusing to give up data to the NSA.
You don't have an on-site manager in the USA.
What is so hard to understand about just not operating in the USA?
In the free world the media isn't government run; the government is media run.
Too Dumb; Didn't Read
Anything the industry does to try to hamper surveillance efforts, they can be told to stop doing by secret courts, and prohibited from even letting us know about it.
The only thing the industry can do to hamper surveillance efforts is to spill all the beans, all the time, about all the national security requests. But that would result in a bunch of rich people going to jail. Let us not forget the lesson of Qwest.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The US telcos got retroactive immunity.
The banks pay small fines over their huge 'accounts' of people of interest to US law enforcement.
Severe consequences tend to be used on people to get them to 'turn' - evidence, entrapment or informant.
In the past the NSA/GCHQ would try and shape encryption as an international standard.
Prevent, break, buy out, or pain text any efforts outside the US/UK. That old trick seems to still be working as the willing US brands show via Snowden.
Domestic spying is now "Benign Information Gathering"