It's interesting to think about where the NSA will be going with this technologically too. If they're moving towards processing of not only internet data passing through US shores but data from drones, video cameras, microphones, and other sensors world wide, they would need a hell of a lot of processing power to deal with that data. The data center in Utah would be the tip of the iceberg.
As a nod to fiction like Eureka and the revelations like Los Alamos testing quantum communication for years [1], it's interesting to think what else the NSA is working on for (inter)national surveillance.
Rather than parsing the meaning of the term "direct access", this is what makes the most sense to me: that the NSA did this to Silicon Valley companies without their knowledge or consent by wiretapping the backbone in bulk via abuse of private keys for SSL certificates.
I think the backlash is going to be greater than the USG anticipates. One thing that engineers can do is to simply refuse to work for the US government, or leave if they already work there. Deprive them of talent. Stop them from recruiting on college campuses.
There's a precedent: the campus campaigns against Don't Ask, Don't Tell. The NSA of course has its own very unique interpretation of "Don't Ask (for permission), Don't Tell (what you're recording)". But it's probably just as worthy of censure.
The presentation made it seem as if each company was not participating passively. Specifically the stored intelligence "varies by provider" and there are "special requests available." Interestingly, there is no mechanism described which captures all content of a certain type i.e. email; it seems to be apparent that only content from the providers is available. Surely, if you can intercept email from google without their help you can grab ALL email traffic as well.
The slides also show that providers join over time. If they were just intercepting you would expect all email providers to join at once; that doesn't appear to be the case.
There are also stuff like "online social networking detail" and "login notifications" which make it seem like facebook has given access to their systems.
Honestly it could be as simple as a "Law Enforcement API", that's configured with a company-run interface to NSA.
The NSA analyst gets intel on such-and-such an account ID/phone number/email/etc., uses PRISM to send a request (probably something stupid like SOAP, it's the govt after all).
The company computer verifies a valid warrant ID, valid request type, "hoovers up" the data requested and spits it back to NSA.
Technically not direct access. Certainly not a direct wiretap into the entire company database. But NSA is able to get the "special source data" they need for correlation on their end (possibly using tools as provided by Palantir).
They figure out whatever network of conspirators they're researching, develop "actionable intel", good guys win (note: depends on your interpretation of good guys, obviously :P).
Zuck and Page are still right in this scenario. I just wish someone would speak up about what the hell is actually going on!
I think that you are broadly right. The government can already get access to Google, facebook etc so PRISM could be just a friendlier user interface around the whole process.
So instead of:
1)investigate
2) get warrant
3) send warrant to companies with data request
4)companies send data back
5) repeat 3-4 until investigation complete
PRISM allows an analyst to load up a warrant and start exploring data immediately without having to wait for the company to verify it and then do a ETL operation back to the NSA.
What if "provider" is a euphemism? If they're intercepting and decrypting all traffic to and from the "providers", they have to write code to actually extract the data from those streams. Such code would "vary by provider", and an analyst could make "special requests" for code to parse a certain kind of data from the stream. The timeline of providers entering the program could be a timeline of when the NSA wrote the code to extract that company's data.
Also, the published slides are just three out of forty-something. The bottom of the slide that lists the capabilities says "complete list and details on PRISM web page." I agree that if they're doing this, they probably are already intercepting all unencrypted SMTP traffic.
Remember that there are plenty of people that think this is a good thing. Lots of people work in the government doing all sorts of terribly unethical things that they think is right. Elite hackers don't have a stranglehold on intelligence and technical prowess.
Even then, how much more do you have to pay someone? After all, it'll get done one way or another. There are plenty of intelligent people that will decide they might as well make a lot of money at it, and perhaps protest on the inside.
And it's not like private sector jobs are necessarily much less repugnant... There are plenty of stories about Silicon Valley excesses, creepy big data projects, etc.
I understand that. The previously linked quora answer (from the co-author of Firesheep) says that even in that case one can't launch a passive man in the middle attack against SSL if perfect forward secrecy is used.
Google uses Diffie–Hellman key exchange which provides perfect forward secrecy.
So... If I understand everything correctly, it should be impossible to decrypt passively captured SSL-encrypted communication to/from google.com.
Lots of fun things can happen if you control peering points. Putting on my tin foil hat for a minute: trivially place yourself in the middle. The client connects to you, you impersonate Google by spoofing their IP (which you can do becase you control the peering point and routing tables), and using their certificate. Connect to Google simultaneously, spoofing the client's IP. Use EDH to establish independent sessions to both the client and Google, with your (now essentially useless) perfect forward secrecy, MITM away.
Edit: replying to the poster below, it doesn't have to be a passive attack, and I'm not sure what you mean about checksums. The scenario above would look exactly like normal Internet traffic. You're not mutating packets, you're sending entirely new ones.
In that case it's not a passive attack. If the NSA was routinely actively mutating nearly all SSL traffic to Google, I'd expect someone might have eventually noticed that the TCP segments are received with a different checksum than with they were sent.
An attack like that would also mess up the flow of the data.
Me in Europe ------200 ms------- MITM magic --1 ms-- Google
For the attacker not to introduce huge extra latency, it would need to complete the handshake with Google almost instantly. Someone would eventually notice instantaneous TLS handshakes.
Also 2 separate TLS connections would contribute to bufferbloat pretty badly, and someone would also eventually investigate that.
Perfect forward secrecy only works if identities can be verified. If impostor certs for Google.com exist, you can't be sure you're talking with Google.com
"I realized that the U.S. government loves the "PRISM" acronym. There are literally dozens of projects and applications named PRISM at the state and federal level, many with delightfully goofy logos."
What if it's the trusted Root CAs who are giving state agencies copies of their signing keys thus allowing them to sign valid certificates to impersonate anyone?
That would likely work for targeted attacks against browsers other than Chrome (and maybe recent FF, I'm not sure) but not for large scale dragnet attacks.
"In addition in Chromium 13, only a very small subset of CAs have the authority to vouch for Gmail (and the Google Accounts login page). This can protect against recent incidents where a CA has its authority abused, and generally protects against the proliferation of signing authority."
(disclaimer: I work for Chrome but not on these features.)
That hinges on browser support for DHE for key exchange (or some other method that provides PFS, like the elliptic curve optimized ones), which is not supported on all browsers. Notably IE and older Chrome/FF, though this could've improved since last time I checked.
But yes, if PFS key exchange is used in TLS then having the private key alone would not help with decrypting previously gathered packet data. In that case the only thing I can think of for NSA to read the data is if they successfully created (in secret of course) a practical quantum computer which then renders RSA and DHE (anything that relies on integer factorization or discrete logs for that matter) completely broken.
a) "We did hold back quite a bit from this story." "There are some things that we looked at on our own, and said we're not going to publish that, and there are other things we talked to the government about." What does that mean? We saw three slides of a very limited nature.
b) "This source believes that exposure was inevitable and is prepared to face that consequence." "He thinks what the NSA is doing exceeds all reasonable boundaries of privacy or necessity." This wasn't over mundane FISA court ordered data releases.
c) In response to the question, "Why do these companies authorize this?" Response: "There is a pretty complicated set of incentives and compulsions. The law does provide that they can give access and a secret surveillance court can make them give access, but in a situation that you have a clandestine program and a very rich and powerful component ... They don't want to litigate this with Facebook, they don't want a chance of it leaking ... Facebook also being a highly regulated industry, having all kinds of issues with privacy and whatever else doesn't want to antagonize the government, so they negotiate it. Now Apple took .. 5 years .. I don't know what happened, but Microsoft joined in 2007 and Apple didn't do it until the end of 2012."
So, the author, who saw all of the slides and talked to the source says that they they left great amounts out of the story, but absolutely confirms & goes in to detail that the companies were complicit with the NSA and that it went beyond what the legally mandated options.
If the denials issued by Facebook, Google, and their respective executives are not an outright lies, and this story is not a hoax (I am assuming it is real since Obama had an opportunity to deny its existence) then there is a compromise in the traffic streams entering and exiting these services provider's platforms, very possibly like the infamous AT&T Room 641A.
This may be more disturbing than we initially believed.
Imagine if the NSA has a copy of these companies' (Google and Facebook's) traffic, and has perhaps subpoena'd the TLS keys. Having the TLS keys is still not having "direct access" to their network, since the NSA at no point accesses internals of their network. But the NSA gets all the data and decrypts it.
Next, NSA engineers spend time reverse-engineering the company's protocols. Or maybe the companies hand over the specs. Anyway, the NSA can now recognize a request to Facebook representing posting a message; or it can recognize in Google's traffic someone reading or sending an email. It can tell when a file is stored into iDrive.
It saves copies of all of this - the date and time of the request to Facebook, the message, etc.; for Google, the entire copy of the email, or search query.
NSA stores all of this data into a searchable, queryable database, that is capable of looking up a person's activity in those systems. And retrieve the same Facebook message, Google meail, or iDrive file that the user had sent.
This is a version of events that seems to fit the data I've seen.
In another thread, someone suggested that PRISM records information without "tapping" the companies lines. Perhaps that is true, and the tapping happens at the Internet backbone level, without awareness by these companies (beyond giving up their TLS keys).
I think the question we need to ask Google, et al., is: did you divulge your SSL/TLS keys to any government, agent of the government, or any other entity?
This sounds about right in the context of William Binney interviews given last year. I would really like to hear opinions on this from people who know a whole lot more about SSL and certificate issuance than I do. I think given a little more time the blanket denials will sink in and people will start to figure out what the very ugly alternatives are.
The leaked slide with inter-continental bandwidths has to be off by many orders of magnitude, if it's intended to be total bandwidth (this is the first infographic I found[1]; interestingly it's graphically the same as the one on the leaked slide).
Instead could it be describing intercepted bandwidth, leeching off of those pipes?
Various well informed parties (https://twitter.com/ioerror/status/66237140035579904) have been advocating DHE ciphersuites for some time... but they aren't widely used. (Though Google is— now— a major counterexample)
35 comments
[ 4.0 ms ] story [ 74.2 ms ] threadAs a nod to fiction like Eureka and the revelations like Los Alamos testing quantum communication for years [1], it's interesting to think what else the NSA is working on for (inter)national surveillance.
[1] http://arxiv.org/abs/1305.0305
I think the backlash is going to be greater than the USG anticipates. One thing that engineers can do is to simply refuse to work for the US government, or leave if they already work there. Deprive them of talent. Stop them from recruiting on college campuses.
There's a precedent: the campus campaigns against Don't Ask, Don't Tell. The NSA of course has its own very unique interpretation of "Don't Ask (for permission), Don't Tell (what you're recording)". But it's probably just as worthy of censure.
The slides also show that providers join over time. If they were just intercepting you would expect all email providers to join at once; that doesn't appear to be the case.
There are also stuff like "online social networking detail" and "login notifications" which make it seem like facebook has given access to their systems.
The NSA analyst gets intel on such-and-such an account ID/phone number/email/etc., uses PRISM to send a request (probably something stupid like SOAP, it's the govt after all).
The company computer verifies a valid warrant ID, valid request type, "hoovers up" the data requested and spits it back to NSA.
Technically not direct access. Certainly not a direct wiretap into the entire company database. But NSA is able to get the "special source data" they need for correlation on their end (possibly using tools as provided by Palantir).
They figure out whatever network of conspirators they're researching, develop "actionable intel", good guys win (note: depends on your interpretation of good guys, obviously :P).
Zuck and Page are still right in this scenario. I just wish someone would speak up about what the hell is actually going on!
PRISM allows an analyst to load up a warrant and start exploring data immediately without having to wait for the company to verify it and then do a ETL operation back to the NSA.
Also, the published slides are just three out of forty-something. The bottom of the slide that lists the capabilities says "complete list and details on PRISM web page." I agree that if they're doing this, they probably are already intercepting all unencrypted SMTP traffic.
Even then, how much more do you have to pay someone? After all, it'll get done one way or another. There are plenty of intelligent people that will decide they might as well make a lot of money at it, and perhaps protest on the inside.
False, one can't passively mitm SSL when perfect-forward-secrecy is used. I just checked, and google seems to be using it.
http://www.quora.com/SSL-Secure-Sockets-Layer/Is-it-ever-pos...
Google uses Diffie–Hellman key exchange which provides perfect forward secrecy.
So... If I understand everything correctly, it should be impossible to decrypt passively captured SSL-encrypted communication to/from google.com.
Edit: replying to the poster below, it doesn't have to be a passive attack, and I'm not sure what you mean about checksums. The scenario above would look exactly like normal Internet traffic. You're not mutating packets, you're sending entirely new ones.
Me in Europe ------200 ms------- MITM magic --1 ms-- Google
For the attacker not to introduce huge extra latency, it would need to complete the handshake with Google almost instantly. Someone would eventually notice instantaneous TLS handshakes.
Also 2 separate TLS connections would contribute to bufferbloat pretty badly, and someone would also eventually investigate that.
then there are 2 endpoints that are decrypted separately
"I realized that the U.S. government loves the "PRISM" acronym. There are literally dozens of projects and applications named PRISM at the state and federal level, many with delightfully goofy logos."
http://waxy.org/2013/06/these_arent_the_prisms_youre_looking...;
"In addition in Chromium 13, only a very small subset of CAs have the authority to vouch for Gmail (and the Google Accounts login page). This can protect against recent incidents where a CA has its authority abused, and generally protects against the proliferation of signing authority."
(disclaimer: I work for Chrome but not on these features.)
But yes, if PFS key exchange is used in TLS then having the private key alone would not help with decrypting previously gathered packet data. In that case the only thing I can think of for NSA to read the data is if they successfully created (in secret of course) a practical quantum computer which then renders RSA and DHE (anything that relies on integer factorization or discrete logs for that matter) completely broken.
http://igraph.wikidot.com/community-detection-in-python
a) "We did hold back quite a bit from this story." "There are some things that we looked at on our own, and said we're not going to publish that, and there are other things we talked to the government about." What does that mean? We saw three slides of a very limited nature.
b) "This source believes that exposure was inevitable and is prepared to face that consequence." "He thinks what the NSA is doing exceeds all reasonable boundaries of privacy or necessity." This wasn't over mundane FISA court ordered data releases.
c) In response to the question, "Why do these companies authorize this?" Response: "There is a pretty complicated set of incentives and compulsions. The law does provide that they can give access and a secret surveillance court can make them give access, but in a situation that you have a clandestine program and a very rich and powerful component ... They don't want to litigate this with Facebook, they don't want a chance of it leaking ... Facebook also being a highly regulated industry, having all kinds of issues with privacy and whatever else doesn't want to antagonize the government, so they negotiate it. Now Apple took .. 5 years .. I don't know what happened, but Microsoft joined in 2007 and Apple didn't do it until the end of 2012."
So, the author, who saw all of the slides and talked to the source says that they they left great amounts out of the story, but absolutely confirms & goes in to detail that the companies were complicit with the NSA and that it went beyond what the legally mandated options.
If the denials issued by Facebook, Google, and their respective executives are not an outright lies, and this story is not a hoax (I am assuming it is real since Obama had an opportunity to deny its existence) then there is a compromise in the traffic streams entering and exiting these services provider's platforms, very possibly like the infamous AT&T Room 641A.
This may be more disturbing than we initially believed.
Imagine if the NSA has a copy of these companies' (Google and Facebook's) traffic, and has perhaps subpoena'd the TLS keys. Having the TLS keys is still not having "direct access" to their network, since the NSA at no point accesses internals of their network. But the NSA gets all the data and decrypts it.
Next, NSA engineers spend time reverse-engineering the company's protocols. Or maybe the companies hand over the specs. Anyway, the NSA can now recognize a request to Facebook representing posting a message; or it can recognize in Google's traffic someone reading or sending an email. It can tell when a file is stored into iDrive.
It saves copies of all of this - the date and time of the request to Facebook, the message, etc.; for Google, the entire copy of the email, or search query.
NSA stores all of this data into a searchable, queryable database, that is capable of looking up a person's activity in those systems. And retrieve the same Facebook message, Google meail, or iDrive file that the user had sent.
This is a version of events that seems to fit the data I've seen.
In another thread, someone suggested that PRISM records information without "tapping" the companies lines. Perhaps that is true, and the tapping happens at the Internet backbone level, without awareness by these companies (beyond giving up their TLS keys).
I think the question we need to ask Google, et al., is: did you divulge your SSL/TLS keys to any government, agent of the government, or any other entity?
Instead could it be describing intercepted bandwidth, leeching off of those pipes?
http://2.bp.blogspot.com/_F8MQ-8DbBQc/R7gSdBOntyI/AAAAAAAAAS...