How Big Companies Can Hamper the Surveillance Infrastructure
Trailrunner7 writes "Buried underneath the ever-growing pile of information about the mass surveillance methods of the NSA is a small but significant undercurrent of change that's being driven by the anger and resentment of the large tech companies that the agency has used as tools in its collection programs. The changes have been happening since almost the minute the first documents began leaking out of Fort Meade in June. When the NSA's PRISM program was revealed this summer, it implicated some of the larger companies in the industry as apparently willing partners in a system that gave the agency 'direct access' to their servers. Officials at Google, Yahoo and others quickly denied that this was the case, saying they knew of no such program and didn't provide access to their servers to anyone and only complied with court orders. More recent revelations have shown that the NSA has been tapping the links between the data centers run by Google and Yahoo, links that were unencrypted. That revelation led a pair of Google security engineers to post some rather emphatic thoughts on the NSA's infiltration of their networks. It also spurred Google to accelerate projects to encrypt the data flowing between its data centers. These are some of the clearer signs yet that these companies have reached a point where they're no longer willing to be participants, witting or otherwise, in the NSA's surveillance programs."
If you want large companies to not perform surveillance, move them to a country where the government can't secretly compel them to do whatever they want.
Due to US cryptography export restrictions, it's likely easier to actually provide some security if you leave the US too.
Outsource freedom: because losing the jobs isn't enough anymore.
They aren't getting *nearly* paranoid enough. They should be encrypting the data on disk, on network connections between machines in the *same* data center, not just between centers. In fact the data should remain encrypted at all times unless absolutely necessary to have in clear-text to process it -- and that should never leave the CPU. It should remain clear-text only for the absolute minimum time required.
They should assume that hostile agencies (foreign *and* domestic) have tapped every last network link they own. As well as most routers and processing machines. They should also assume that some small percentage of their workforce are working on behalf of one of these adversaries. Given these assumptions they should design a system that can remain as secure as possible given these circumstances.
Merely encrypting the network links between their data centers is not nearly enough to thwart the likes of the NSA, CSEC, GCHQ or other nameless agencies.
Ian Ameline
Too bad secret laws exist to force you, even if you don't want to, and to not say that you are doing it. And a lot could want to anyway, as there could be incentives to make it desirable (like obtained secrets of competitors, "friendly" judges and so on). In any case, American companies can't be trusted, and big enough ones from other countries in line with this (UK, Australia, Sweden, Israel, maybe whoever signs the TPP, etc.) probably should be avoided too.
The genie is out of the bottle. Users, particularly non-USA users, will never again trust American internet service providers. I expect far-reaching ramifications, the extent of which won't be fully known for a couple years.
Mass surveillance and data collection is the business model at companies like Google and Yahoo. If their frustrations are genuine it is only that they are angry that their data is being taken without being properly paid for it.
Encrypting by the big players is significant; the data streams between their centers effectively mirror all they have; from the POV of the government-sanctioned goons it is about as good as you're going to get without the need to physically enter the server rooms.
A small forum is obviously not using a secure connection to hide their data but instead it's meant to secure the login process.
Yet it shows not only the big enterprises are able to improve security and especially the privacy of their users.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
The big tech companies want to appear to be unwilling to cooperate with spying. But what's to keep them from secretly cooperating all the same?
Microsoft helping NSA to hack your Windows
According to a new report from the corporate press (as corporate as it can get, being Bloomberg), Microsoft tells NSA staff about universal unpatched holes before they are being addressed:
Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.
Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government "an early start" on risk assessment and mitigation.
Glyn Moody asked, "why would anyone ever trust Microsoft again…?"
Frank Shaw is not a technical man. His job is to lie, e.g. about sales of Vista 8 (quite famously and most recently). He came from Waggener Edstrom, a lying and AstroTurfing company. The above should be read as follows: when new holes exist which permit remote hijacking the unaccountable, cracking-happy NSA is being notified. What can possibly go wrong now that we have proof that the NSA is cracking PCs abroad with impunity?
Some of the back and forth is innocuous, such as Microsoft revealing ahead of time the nature of its exposed bugs (ostensibly providing the government with a back door into any system using a Microsoft OS, but since it's don't ask, don't tell, nobody really knows). However the bulk of the interaction is steeped in secrecy: "Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.'s major spy agencies, the people familiar with those programs said."
Disobey WHAT?
Tapping into data links between corporate data centers was not done with a warrant or a court order.
There is nothing to Obey. It was simply unreasonable search and seizure.
Sig Battery depleted. Reverting to safe mode.