419 comments

[ 3.3 ms ] story [ 495 ms ] thread
Note that this is a separate story from today's furor about the NSA obtaining American phone call metadata.
Publication today may have been stimulated by yesterday's news.

  The National Security Agency and the FBI
  are tapping directly into the central servers
and then they're

  extracting audio, video, photographs, e-mails, 
  documents and connection logs
from...

  Microsoft, Yahoo, Google, Facebook, PalTalk,
  AOL, Skype, YouTube, Apple.
and it gets better

  Dropbox, the cloud storage and synchronization
  service, is described as “coming soon.”
How does this stuff work? Would someone at the NSA contact dropbox and ask them to build in a backdoor or are they just able to access whatever the fuck they want and simply do?
I don't believe they need backdoors, they probably just ask for the data and it's provided to them by those companies to comply with the current laws (or at least their interpretation of it.)

I'm pretty sure dropbox can reverse any encryption they use for the files they store. Or do they even encrypt the data?

I think there was an article here that described how dropbox at the very least keeps hashes of every file.
Dropbox has every encryption key used with Dropbox, so they can decrypt any file. Both transport keys and storage keys. Dropbox does at least (allegedly) encrypt stuff for storage, so they can RMA hard drives without having to destroy them first, but that's pretty meaningless.

There are some (flimsy) reasons for Dropbox to have copies of all storage keys (a web UI, which only some users use). Dropbox has done a good job of misrepresenting how their security worked for the past ~4 years to mislead people into trusting it, though.

This is mostly why I don't use Dropbox whenever I have a choice.

What alternative do you suggest?
MEGA?
The file hoster with server side de-dublication?
wouldn't know, don't use it or dropbox. id prefer encrypted externals for sensitive things that have no need for the internet.
Private server with sync software of your choice. Sparkleshare is a quite Dropbox-like git front end. Con: Uses Mono. Pro: Uses Mono.
It's trivial for desktops. I personally like AeroFS the best, but you could use anything and layer crypto on top of it, or use something with a painful UI like tarsnap, or build your own, or really whatever. Wuala/SpiderOak are fine too, but kind of suck for non-security reasons in my limited experience with them, compared to Dropbox or AeroFS. (I personally just use rsync and NFS over VPN, though.)

The problem is mobile. Due to some questionable decisions made by especially Apple but also earlier with Google, you really need every single app to write to your cloud storage provider's API. Dropbox is unquestionably the leader there; iCloud on iOS seems to do ok for newer apps. Neither provides meaningful encryption. Requiring every app developer to figure out encryption and manage keys on his own and then handle that on top of the Dropbox API is also insane.

Arguably Apple has a lot of ways to pwn iOS users already, so I'd consider trusting Apple and iCloud to not be that much worse than just trusting iOS, but it is still bad (and most of the bad things Apple can do to you either involve signing bad things, then requiring an active step by the user or MITM, or doing things like retaining device keys at manufacture time and subsequently seizing the devices, or having some deeply-buried backdoors which probably require physical access or are exceedingly infrequently used.)

There's really no good solution for mobile now. You could probably build something fairly non-shitty in the Android world, although I don't know enough about how applications share files and interoperate to know if it would need to be a per-user-app integration. On non-jailbroken iOS, it's pretty clear you'd need to develop a new API which did client-side crypto, key management, etc., on top of file sharing. It would be a pain, and even more of a pain if you wanted to avoid fully trusting Apple in the process.

The best solution right now is "no data lives on the phone", rather than trying to sync; use some kind of web or app which just uses transport crypto to interact with a server but never stores anything locally. If you trust the OS a lot, you could do something like what Good Technologies does and try to sandbox your data within a specialized app like that.

If only there was a provider that respected your privacy and allowed you to use basic unix primitives to interface with your cloud storage...

If only...

http://www.rsync.net/resources/notices/canary.txt

Do something for mobile please? You're one of the most trustworthy providers, particularly if you build things on mobile so we don't necessarily need to trust you...
We're genuinely interested in what you mean by this ...

Android devices are unix devices, and (I assume) either have ssh/scp/sftp/rsync in their userland or it can easily be placed there...

If I had a modern phone, which I do not[1], I would probably just load duplicity[2] on it ? But now that I think about it, in the same way that I have zero data on my laptop, I assume I would also have zero data on my phone ?

Please do elaborate.

[1] Motorola F3 ("MOTO FONE")

[2] http://duplicity.nongnu.org/

I mostly meant build an API for iOS and get people to use it. I don't know much about android internals.
The day you become popular and stop updating that file, what do you propose we do?
Use Bit Torrent sync
When it's out of beta, maybe.
This is a reply to gknoy:

I would suggest Spider Oak, however, their support is not timely and there's currently a bug in the Windows 8 client that doesn't let it work. But if they get those issues sorted it could be a decent service.

Could someone please tell me why I can't reply to any comments that are below the third level? The reply link simply disappears!

Edit: Now that I've made this statement there's a reply to gknoy, but not the ones below him or to o0-0o. This is really weird.

Edit 2: Upon refreshing, there's now a reply link to o0-0o but not the other ones below gknoy.

Reply links don't appear until a few minutes after a comment is made. It's intended to have a dampening effect on flame wars.
You can just click on the "link" link and then reply from there, instantly.

(I kind of hate the feature, since most of the time "you suck" "no, you do" "no, you do" only goes on a few levels, so the exponential delay isn't an issue, but an actual technical discussion goes deeper. False positives and false negatives. :( )

Dropbox doesn't RMA drives, everything is de-duped then stored on S3. (or at least that is what they told me when I interviewed with them)
They were on S3 at one point in time (and pretty widely known as the biggest S3 customer). I'm not sure if they are on S3 today. This may depend on when you interviewed.
From the caliber of engineers I talked to, I can't imagine them bringing storage in house without some major churn. It is a sea of fresh CS grads with no real world operational experience.
Sad panda that you do not seem to have any contact info in your profile :(
They only encrypt it in a meaningless way. Otherwise, their deduplication wouldn't work.
It's described for a couple of the cooperating corporations in the article.

For example, for Facebook, the analyst goes to a special webpage/site at Facebook, then they simply clicks through a "Yep, this person is a terrorist" EULA and they have full access to Facebook's database (eg. full access to user content). I bet they rejoiced when Facebook Graph opened shop.

Move fast and break the Constitution.
How is Facebook sharing their database with the government breaking the constitution?
It may be their database, but it's our lives.
People can put their lives on Facebook's database, it's still Facebook's database. The problem is not that Facebook is sharing this information, it is that people are sharing it with Facebook.
I'm aware of the distinction, but the average person out there doesn't think of themselves as sharing with Facebook the company, they think they are sharing with their friends.
The law doesn't care what the average person thinks nor does reality. It's the persons responsibility to maintain his own privacy by not posting private information on a public website. If you post something on the Internet, it's going to get out there; people should know this by now and if they don't it's their own damn fault.
According to this comment by a self-proclaimed lawyer (in training?), the law does care what the average person thinks:

https://news.ycombinator.com/item?id=5833747

If people don't know something by now it's equally the fault of the services they use for not educating them about the real implications of what they do online.

> the law does care what the average person thinks

In regards to battery; please do stop now, you've resorted to using nonsense as argument.

Which you voluntarily shared with Facebook and not a violation of the constitution. If you want privacy, don't share it on the Internet.
This argument is weak because everything is "shared on the internet" at this point - including phone calls.

How is this different than saying "if you want privacy don't share over the postal system" or "if you want privacy don't share over the phone"?

(comment deleted)
> How is this different than saying "if you want privacy don't share over the postal system" or "if you want privacy don't share over the phone"?

Posting something on a website is vastly different than direct person to person communication over the phone or mailing something. Phone calls and snail mail are transient things, the post office and phone company don't keep copies of your conversations and mail for later investigation whereas posting something on a website is communicating through a third party who stores everything in a database for later display, it's not transient, you'd be a fool to post something you want to remain private on Facebook, or any internet website. Phones and mail also enjoy legal protection that the Internet doesn't and Facebook isn't a carrier of transient information, it's a database that stores things possibly forever. They are nothing alike.

Not my life. Fuck Facebook I never joined. I did join Google though, and now I regret it. So it is a personal shortcoming.

I am not good/disciplined enough to maintain my own mail server.

The 4th ammendment protects us from unreasonable searches and seizures, so I suppose if they were just searching randomly, which you might draw the conclusion they are doing.
Bullshit.

LE requests to FB simply do not work that way. They can make a request online, which is checked for proper authority, etc. The guidelines FB follows can be viewed at https://www.facebook.com/safety/groups/law/guidelines/ and the idea that FB just randomly hands out full read access to user data is either a paranoid delusion or calculated deception. Maybe you can tell us which one you were aiming for.

He's referring to the linked article, so your personal attack is misdirected.

'With a few clicks and an affirmation that the subject is believed to be engaged in terrorism, espionage or nuclear proliferation, an analyst obtains full access to Facebook’s “extensive search and surveillance capabilities against the variety of online social networking services.”'

But that's not a personal attack. The comment also mentions speculations about "rejoice" when they opened the Facebook graph, after believing what the article says about FB's methods of data sharing without further questioning.

Again: Questioning the motives behind an attempt of persuasion argument isn't a personal attack.

(comment deleted)
(comment deleted)
The spineless, reprehensible CEOs are doing it willingly.
This is unsubstantiated speculation.
I think the CEOs knew.
Three letter agencies approach the executive team directly. A decision to participate has to be made at the exec team/board level. If the CEO doesn't know about it, then the company has some serious communication issues.
"Willingly" is the point of contention. The CEOs complied. Whether they felt like they had a choice in the matter is another question entirely.
Twitter isn't on the list. Obviously someone put up a fight.
Or wasn't asked because nearly all of the content is public already. Or is going to cave after some unknown amount of resistance in the future like Apple, Facebook, and Google did. Or dozens of other possibilities.
Maybe they noticed what happened to Joe Nacchio?
From the 2nd page of the article :

“Google cares deeply about the security of our users’ data,” a company spokesman said. “We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”

They are legally required, personally and individually, to lie about the existence of these programs, or go to prison instantly. These orders are gag-ordered by default.
I doubt that Steve Jobs or Ballmer would "go to prison instantly" if they had disclosed the existence of these programs. Yes, they might have been prosecuted under statute, but they wouldn't vanish. In fact, the high visibility of Brin, Jobs, Ballmer etc would probably have been a deterrent against prosecution. Can you imagine the outrage if Jobs came out with a statement saying that the NSA was requiring that Apple grant access to all user data, and he was then incarcerated?
Jobs was an elitist, knows-better-than-you prick. AFAICT he was fine with this kind of "trust us" nanny state bullshit. Apple does the same "we'll decide for you" stuff by policy as a matter of course.

We can assume that Cook, who appeared behind Obama during The State of the Union, is probably on the same page. Highly powerful people know they can't fight the tide; and truly, why should they? The normal rules could never apply to them.

If you're going to build something like PRISM because the ends justify the means, is prison really going to be the only thing you threaten people with?
Simply not true. They are forbidden from disclosing individual cases. Google files Transparency Reports all the time announcing that the government compels them to release user data unwillingly.
My guess? These companies setup the data-equivalent of the CIA 'black sites' ... Out of the country duplicate databases that the NSA has access to beyond the laws of this nation.

Watch this video and listen how many times 'in the United States' is mentioned.

So if I'm using a US based hosting provider for my customers websites, their data will be extracted ?
US or else, I wouldn't trust other governments either, even if you trust governments, your cloud provider could still get hacked and even if it doesn't get hacked you still have to trust a third party: your cloud provider. If you're storing stuff on the cloud, encrypting it on the client first is probably the only way to get (pretty good) privacy.
Probably slightly safer using a US hosting company. At least some civil rights apply but I don't think there are any rules against the NSA spying on people outside the US.
The story that the CIA sold cocaine is pretty much outside of the realm of conspiracy theories. The idea that spying agencies care about laws is ridiculous. Why should they? If they are doing their job right no one will ever know.
The only way to ensure your data will not be (easily) extracted is to encrypt it.
I would be surprised if it hasn't already been extracted and added to the governments collection.
Would be time for a call on VCs and Incubators that a sustainable future for the web would mean fostering startups that rise the convenience of privacy tools.
Note link at the bottom to the powerpoint slides in question:

http://www.washingtonpost.com/wp-srv/special/politics/prism-...

What sort of threats does the NSA give to these companies so they participated without any leaks? Just curious what the penalty would be if the NSA approached me about sucking down my user data and I refused.
I've been on the receiving end and posted a couple times trying to explain how it happens. In short, the NSA doesn't typically appear directly. Instead they use the courts and subpoenas to induce compliance for what seem like mundane court cases.

See a previous post: https://news.ycombinator.com/item?id=5754641

I suspect just getting a request from a three letter agency is enough to make most CTOs and CEOs wet themselves and roll over. (Standing up against the government is not usually part of the business plan.)
That's the point of CISPA. They didn't want to fight the government, but they pushed back asking for more legal protections, especially after the AT&T warantless spying scandal broke. So, they've been trying hard to pass CISPA in order to give these CEOs more peace of mind.
They hand out these: http://en.wikipedia.org/wiki/National_security_letter

You're not even supposed to reveal that you are complying (gag order). Google has been in the news recently about fighting one in court.

We have been fighting this US policy since 2006:

http://www.rsync.net/resources/notices/canary.txt

Very clever. Nice hackaround.
"Although signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce rsync.net to produce false declarations."

That's kind of the point. They say, "Keep sending those updates. Otherwise you will go to federal prison." You say, "OK."

How does any government action work? It may start clever and/or subtle, but the fundamental threat is that of violence. You will either be compelled to pay fines, have your equipment confiscated, be thrown in jail, or some combination of the three.
Many many years ago I worked at an ISP and I remember getting emails of the form:

  From: manager@corp.com
  To: minimax@corp.com

  Subject: When you get a minute

  We got a subpoena to provide information about 
  <identifying information>. When you get a second 
  can you grep through the logs and provide any 
  connection details if he was online from <start> 
  to <end>. Thanks.
I didn't even think about it. Maybe the people in legal did? Once or twice I heard that the guy we helped track down was a legitimate bad guy (like a murderer or something), but in general I just remember it being just like any other day-to-day task. I'm not saying I actually handled any of these NSA requests. I have no idea if I did. I never actually saw any of the subpoenas.
Sounds like some one (or many) are blowing whistles. A lot of documents leaking.
Some people are going to prison for a long time.
Fortunately, the government that would put them into prison is our government. If we don't want them to go to jail, it's up to us to ensure that their rights are upheld.
Edit: Just saw the portion markings (the stuff on the slides that says their classification level), and I'm going to change my judgement to "this was pretty classified." And whoever released these slides to the public is going to jail for violating the NDA they signed. Jail for quite a few years for knowingly revealing TS information. I'll leave my previous comment below so you won't think I erased anything.

My problem is how they portray this. Direct from the article:

"The highly classified program, code-named PRISM, "

and also:

"The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley."

If you have numerous (non-government contractor type) companies knowingly participating in the program, then it isn't "highly classified." And if you thought that your communications were private then you were fooling yourself. Even Tor, the darling of the EFF, was initially developed by the Navy. It's very tough for people to communicate electronically these days without the government being able to listen in.

>Even Tor, the darling of the EFF, was initially developed by the Navy.

Tor is open source. Are you suggesting there is some secret backdoor inserted by the Navy which is not apparent in the public code?

No, I was suggesting that the government has touched things that many people don't realize. There might not be an explicit backdoor in the code, but it's quite possible there is a vulnerability that the government can exploit. I'm not saying that there is, but if there was it wouldn't be publicized and they'd be milking it for all it was worth before someone else discovers the hole and fixes it.
Perhaps whomever leaked it regarded it as essential to upholding an oath of office. 'preserve, protect, and defend the Constitution of the United States.... '
That could certainly be the case. The only two plausible reasons for leaking classified information are moral convictions or personal gain (selling it to the news or a foreign country). Edit: Maybe three reasons. Blackmail/extortion is a possibility that doesn't quite fall into the personal gain category.

However noble the intention, it doesn't change the fact that everyone who has access to that information has signed an NDA and been through a security indoctrination (indoc used without the negative connotation in this case). They knew exactly what the punishment is for what they did. The jury that would nullify that would be a rare find in the US. It's basically zero probability if it was a military member subject to the UCMJ.

I just emailed Tim Cook that imho iCloud is dead.

He is welcome to add options to use my own cloud storage while using clientside encryption, and I might reconsider.

You're welcome to send him your opinion as well. It's tcook@youknowntherest.

Be serious. This is Apple. How on earth does clientside encryption fit into easy-to-use? Lost your password? Lost your files. That's entirely against the scenario Apple wants to sell.

Clientside crypto will only possibly be mass-adopted when there's some easy system for common folks to store their keys.

I'm not asking for exclusive client-side encryption. I'm asking to have it as an option. Which is a totally legit wish.

If the common forgetful folks like to trade ease-of-use with being spied upon, I'm fine with that.

But me, I'm not willing to do that trade-off.

They build that feature into their desktop OS (FileVault), I don't see why it couldn't be an option for their sync service. It shouldn't be the default, but it should absolutely be an option.
(comment deleted)
Apple demonstrated that resistance is possible, for reasons unknown, when it held out for more than five years

I'm pretty sure that unknown reason was Steve Jobs. Apple became a participant 1 year after Tim Cook took the helm.

Almost makes you want to question the "liver cancer" story.
It's quite strange that list doesn't include iMessages (and BBMs!)
At least we know beyond a shadow of a doubt that Skype has a backdoor now. Not really surprising although they did have some security people analyze the protocol and state that it was e2e secure.

FTA: "According to a separate “User’s Guide for PRISM Skype Collection,” that service can be monitored for audio when one end of the call is a conventional telephone and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms."

I'm not sure when the security people you are talking about did their audit, but when Microsoft bought Skype a few years ago they changed it from P2P communications to routing everything through a central server. After that it would be child's play to put in a backdoor.
Not to be too conspiracy theorist but maybe just maybe this was why Skype was bought by Microsoft in the first place? The thought crossed my mind at the time of purchase but I sent it away skuttling because I deemed it too tinfoil hatty. My main regret at the time as a Linux enthusiast was that Skype's Linux offering was sure to suffer, so I had that angle more on my mind than government aiding and abetting.
Why would Microsoft buy Skype to make government easedropping easier?
Just guessing, but maybe tax breaks or some government contracts.
This is widely misunderstood; it's possible that Skype is end-to-end secure and everything flows through MS servers. It's possible that there were backdoors in the old pre-MS versions. One really has little to do with the other.
It has been claimed by many smart people that skype is still p2p and e2e (for the record I disagree with them). Skype does claim to be p2p sometimes for some values of p2p http://liliputing.com/2012/05/skype-abandons-peer-to-peer-te...

>I'm not sure when the security people you are talking about did their audit

The security audit was done in 2005 by Tom Berson of Anagram Laboratories. This was well before Skype was bought by microsoft but Skype links to it off their home page http://www.skype.com/en/security/#review

Microsoft now runs the supernodes instead of them being random high bandwidth Skype users. Your computer uses a supernode to find the address of the user you want to reach, but you still connect directly to that user to communicate. People misunderstood this change to mean that call traffic traversed Microsoft servers.

That said, it has been shown that at the minimum China has keys to decrypt peer to peer communications, likey the NSA does as well. The NSA doesn't need Microsoft to route call traffic via their servers, because they already have taps at all the major exchange points.

How does Skype's key exchange work? If the supernode hands out an address for a server that intercepts the call, would the Skype client still accept it and connect?
The protocol itself is highly obfuscated, but from my understanding of what has been published it works something like this: (lots of disclaimers here that nobody outside of Microsoft/Skype really knows for sure)

When logging in an RSA public/private key pair is generated and the public key is sent up to the server. The username to public key mapping is seeded to supernodes and inserted into the global address book.

A calling party looks up the username on a supernode and receives the public key of the answerer as well as some magic to help them establish a direct connection even if both are behind NAT.

The caller generates a single use AES256 key for the session, encrypts it N times where N is the number of other parties on the call plus a number of built-in "observer" certificates. These encrypted keys are all sent over the wire to the other parties, whom are each able to decrypt 1 of the N encrypted payloads.

Each party encrypts traffic to the others using the session specific AES key.

If you are a government agency with a private key that matches one of the observer public keys (Russia, China, and India have openly claimed to have these), and you are able to record the setup for the call, you are effectively another party in the group chat and have access to the session key.

Can you provide a source for the statement:

>If you are a government agency with a private key that matches one of the observer public keys (Russia, China, and India have openly claimed to have these

I am not calling bullshit, I just want to know more.

Can you provide a source for the statement:

>If you are a government agency with a private key that matches one of the observer public keys (Russia, China, and India have openly claimed to have these

I am not calling bullshit, I just want to know more.

Can you provide a source for the statement:

>If you are a government agency with a private key that matches one of the observer public keys (Russia, China, and India have openly claimed to have these

Can you provide a source for the statement:

>If you are a government agency with a private key that matches one of the observer public keys (Russia, China, and India have openly claimed to have these

will be exciting to see how soon these servers become compromised and massive amounts of private information leaked. I would give it a year tops!
There's no upside to this happening. Governments will still collect data. Your personal details, however, will be publicly available.
(comment deleted)
Any data shared with hosted services really needs to be seen as postcards ie open for any agency to read.
Yes, this is bad. Yes, you are right to be upset. Yes you (not not really me, I'm not American and i avoid american hosting and hosting companies like amazon for exactly this reason) should change that.

But honestly, are you surprised? Are you really?

Government agencies have be building large datacenters, the EU loves data retention. There was no tin foil head required to see this.

When people wanted to talk about this kind of massive wiretapping program years ago, they were called paranoid nutcases. Now that the truth is coming out, people who want to talk about it are called out for belaboring the obvious.

I see this "are you so naive as to be surprised?" reaction in almost every thread about this. It's some kind of defense mechanism.

I think it depends on who your talking about. If your a decently educated person who follows political developments at least minimally, and to boot you're a developer - I really agree with the OP, should anyone be surprised here? Haven't you been acting all along like all data that major corps are collecting on you was public anyway? On the other hand, if your talking about an everyday citizen with a "normal" job, I think your criticisms are more in place.
>I see this "are you so naive as to be surprised?" reaction in almost every thread about this. It's some kind of defense mechanism.

That's why I'm saying you are right to be upset.

I like the saying "being paranoid does not mean they are not after you". And being paranoid turned out to be realistic.

Well then try this on for size. Getting data through requesting it is only one way to get data. Another way to get data is to hack into the source. Consider that a number of governments, including the US, have active hacking teams. What are they hacking in to, exactly? I leave that up to you for speculation.
No, but now there is proof, which should make a difference. How are all of these not cases for impeachment? If Fox News thought Obama should be impeached over Benghazi, they should love this.
Funny thing though... if Fox goes after Obama over this, it's tacitly admitting that Bush was evil too. I doubt they'll do that.
That's suggesting that they have even the slightest compulsion to not be hypocritical. I'd expect them to hit him hard on this (and good for them, even if their reasons for doing so might be dishonest).
It's entirely possible to have disliked Obama AND GWB.
I hope you're right. FWIW, if they plan to cover this, they are biding their time. I just spent an hour watching Fox News, and saw: A car run into a Taco Bell, a sea-lion get onboard a boat, Holder testifying before congress about leak investigations and prosecuting journalists, and some other random crap... and not one word about PRISM, or even the earlier reveal about the phone call logs.
Oh I dunno. Having watched The Daily Show for years, Fox have no problem with some incredible contradictions and saying the exact opposite of what they one said. If they can label Obama as a Muslim communist traitor, they will forget that Bush ever existed.
This point, more than any other, is what gives me the most concern about all of this. This is an epic level news story. This should be hitting the front page and leading every news cycle on all newspapers and news networks. I mean, the story is concrete and the headlines are a century in the making: "Orwell Arrives: U.S. Government Spys on Every American."

In fact, with all of the "scandals" right now, there's an even greater motivation to run this story.

So what's the motivation that's holding this story back?

Well this story did break 2 or 3 hours ago ...
Im not sure being not American saves us. Do you use any of those US services? If so, I assume they have your data.

If you are British, as I am, I assume our government is shovelling off all our data to the US too.

As far as I am concerned, the internet is now pretty much like having our lives bugged. Might as well go the whole hog and have CCTV in all house holds. Heh, for all I know they access out webcams, etc. So, we might already be there.

I'm afraid the US has essentially infected the internet with a cancer what will only spread. Freedom, privacy, liberty, on the internet is officially gone. Sure we all "knew" about the likes of echelon for years, but it was officially dismissed as loony conspiracy talk. Now we know it basically true.

Sad thing is, this is under the watch of a Democrat, started by a Republican. Who is going to dare to reverse this?

> Im not sure being not American saves us. Do you use any of those US services? If so, I assume they have your data.

No, it does not, that is the sick part. But as a non american it's not (or should not) be my business how the usa organizes itself and what kind of politics they make. And yet I'm sure they are infringing my rights.

Point is, I didn't vote for Obama. Nor is it my job to get rid of him.

Not only that, but Microsoft and Apple? The same companies who make the most popular OS's and phone OS's in the world?

It's not much of a leap to think that the NSA has backdoors into each of these OS's, too.

I assumed this was already happening and surprised it's news.
I was under the same impression. I tried digging up some old news on the subject, to see where I got the impression from, but Google is only returning results from this latest news cycle.

Wasn't there a number of news stories in the past about the NSA collecting data from telecom companies and such. How is this time different?

EDIT: Found this, from May 2006: http://usatoday30.usatoday.com/news/washington/2006-05-10-ns...

Dropbox.... “coming soon.” Time to look at Bittorrent Sync again?

Or other open source alternatives?

My thoughts exactly. I'm certainly going to be looking at other options, including BitTorrent Sync. As useful as Dropbox may be, it's something I'd be willing to do without if this is true.
"Is BitTorrent Sync open-source? BitTorrent Sync isn't open source software, and no announcements have been made to indicate that this will likely change."[1]

[1]http://forum.bittorrent.com/topic/17782-bittorrent-sync-faq-...

I know they are not open source currently, but for now they are not on the list.

It would be awesome if they did open source it, or at least allow for third party (EFF?) review of source.

What really saddens me is that this confirms all the conspiracy rumors.

Wasn't it always just a rumor going around that the U.S. Government "made" Microsoft buy Skype for spying purposes?

Well: "10 May 2011, Microsoft Corporation acquired Skype Communications"

and on 2/6/11 Skype was added to the US spy program [1]

They were so eager to spy on Skype users that they implemented that "feature" even before the deal was officially done. Considering that Skype had been around since 2003 the events don't appear very accidental.

Wouldn't surprise to find out one day that the Skype acquisition was indirectly tax-payer funded.

[1] http://www.washingtonpost.com/wp-srv/special/politics/prism-...

Not to detract from the concerns surrounding this program, or to defend Microsoft, but from the dates for Google, YouTube, and AOL one can see that Skype joined on February 6, not June 2.
It seems reasonable to suspect that for matters of urgency the transition process might have started earlier than the actual acquisition was publicly announced. Plus I am not quite sure if the dates on the slide indicate the starting or finishing date of the implementation process.
(comment deleted)
(comment deleted)
(comment deleted)
I'm saddened to see Dropbox on the list. Did they choose to participate or is it mandatory?

In any case, we've moved several projects to BTSync recently from Dropbox (for no other reason than to free up space on Dropbox for our personal files) and have been enjoying the service.

As a p2p encrypted protocol, I imagine it's much more difficult to eavesdrop on your files and would actually require a warrant to obtain.

I presume that's true for AeroFS as well.

I've read somewhere that it's voluntary edit: read it here http://mobile.theverge.com/2013/6/6/4403868/nsa-fbi-mine-dat...
The Verge is just summarizing the Washingon Post; they don't know any more than you would after having read the Post's scoop.
Is there an open source dropbox-style app that I can install on my own server?
Git and Sparkleshare offer something that is IMO much close to dropbox than owncloud.
Try git-annex and git-annex-assistant; it doesn't even require a central server.
Other people have offered some more "modern" options, but SFTP and WebDAV over SSL still work very well.
Thanks for pointing out BTSync. Will have to set it up on a VM and a few places I have dropbox. May well be replacing Dropbox for a lot of uses.
BTSync cannot handle conflicting changes. It will destroy data if a file is modified in both places, and will proceed to overwrite something when it propagates the update.

And, if you're concerned about spying - well, it is closed source.

The government's theory is that a national security letter is sufficient to get access to your data. No warrant required. And Dropbox is not allowed to tell you that it happened.

And yes, they can give your data to the government. Communications to/from Dropbox are encrypted. But it is unencrypted on the back end. See http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-u... for how we can know that.

(comment deleted)
That proof is very confused.

The ability to detect duplication in no way proves the files are unencrypted (indeed this should be obvious from the fact that there is only negligible network traffic to confirm a duplicate! The bits can't be compared if they're not transmitted.)

It's the ability to serve deduplicated files that brings the service into question. Yet I wouldn't be surprised if there exists an asymmetric encryption method which permits decryption with one of several private keys – if so, secure deduplication is trivial: confirm the duplicate using a hash or comparing public-key encrypted versions; re-encrypt using both original and duplicate keys.

(And let's not even forget the ability to reset a forgotten password…)

This is fucking atrocious. How much money do we allocate to national security in a year and this is the kind of amateurish PowerPoint slide their analysts come up with?

http://www.washingtonpost.com/wp-srv/special/politics/prism-...

I wonder which cub analyst got the job of putting together a collage of logos for that final slide?

(comment deleted)
This is why've were trying to make it legal lately. They were already doing it. The same thing happened with the Patriot Act.

It seems FBI/NSA "test-drive" a new illegal spying program first, and then lobby Congress to pass a law to make it legal (regardless of its constitutionality, as we've seen so far).

I bet they would've wanted retroactive immunity, too, in these new laws. Also, let's see how those supporters of FISA, like Dianne Feinstein, try to spin this one as "they already knew about it" (which makes it that much worse) and that it's nothing new.

Also let me see them say with a straight face that this is constitutional and doesn't violate the 4th Amendment. But seeing how cynical these people have become, I don't think it would be too hard for them to do it.

NSA: "Look, I know that this was illegal, and we were not supposed to be doing this, but you have just got to look at the data. Just look at all the crazy terrorists out there. They've been organizing over FB, keeping their data on Dropbox and Drive and talking over skype. Here's our proof! You MUST make this activity legal... the FREEDOM of the US depends on it!!"

Congress: "ok"

---

But we are not fooling anyone. There is not a single worthy human being in congress. Every single last one of them is a corporate shill and they are all opportunistic criminals.

(comment deleted)
> retroactive immunity,

Fuck everything about that. _That_ was what revealed Obama as a wolf in sheep's clothing. He voted for retroactive immunity of telecom companies spying on Americans. That is all I needed to know about him. Not saying Romney was better. But vis-a-vis the propaganda, the fans, the ass kissing, change, hope, etc etc it was even more so disgusting.

Seeing Obama's track record compared to what people believed he was is a very sad "I told you so" for many of my friends and relatives. Yes I know he didn't promise to be open about this and he can't _create_ legislation but I am talking about the qualities people saw in him.

Jesus Christ. Shit just got real.
I am so happy this is finally getting media coverage. I'm sick and tired of being called 'paranoid' whenever I say it's obvious this is what the NSA is doing with their enormous data centers.

This is STILL just the tip of the iceberg. I really hope the whistle blowers continue to release details of more and more of these secret programs. If people think this is as bad as it gets they're in for quite a shock. Call metadata, all your private files, and the people you stalk on Facebook are nothing.

How about access to your laptop's webcam and microphone? How about the two cameras and the microphone on the smartphone you carry with you everywhere? How about the exact GPS location of your phone every minute of the day? How about aggregating the CCTV and traffic camera footage with facial recognition to give a full video/audio recording of you everywhere you go every day? How about all of your credit card purchases aggregated, plotted on map, used to determine your habits?