Prism

News & Cars

Moderators: Ice Cream Jonsey, AArdvark

Post Reply
Lysander
Posts: 1694
Joined: Tue Jul 08, 2003 12:39 pm
Location: East Bay, California.

Prism

Post by Lysander » Sat Jun 08, 2013 6:04 pm

http://www.washingtonpost.com/investiga ... story.html
The Washington Post wrote:The National Security Agency and the FBI are [...] extracting audio and video chats, photographs, e-mails, documents, and connection logs[. ...A]ccording to the document: “Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.”
First, I'm intrigued by the fact that WaPo is doing this. It's been fairly well established that WP prints whatever the administration wants, and even were that not the case I never trust redacted "leaks." Obviously these slides were prepared beforehand for media decemination; otherwise, there would not be blacked out portions. That combined with the Administration's heavy-handed nature in punishing whistleblowers in the past (as bad as Nixon, if not worse) and their previous habbit of "official leaks" (see: drone program memo) and I am convinced that this was a pre-planned move orchestrated by the white house. Everyone certainly had their scripts rolled out and ready to go:
In a statement issue late Thursday, Director of National Intelligence James R. Clapper said “information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”
Clearly, Citizen Ashcroft needs to make a reappearance.
“We do not provide any government organization with direct access to Facebook servers,” said Joe Sullivan, chief security officer for Facebook. “When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.”
“We have never heard of PRISM,” said Steve Dowling, a spokesman for Apple. “We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”
This one's my favorite. "We've never heard of Prism." As if that's how the NSA works, you get a call from some midlevel aid to someone "Hey, you remember that thing I was telling you about, last Thursday, at golf? Yeah, Prism! That thing. We all set and ready to go on that HIGHLY SECRET PLAN to spy on everybody? ACES!" "we do not provide any government agency with direct access to our servers; instead, we put everything up on mediafire." But here's what, in my mind, counts as a straight adminition of guilt rather than teh denial it's meant to look like: any government agency requesting customer data must get a court order.”
In four new orders, which remain classified, the court defined massive data sets as “facilities” and agreed to certify periodically that the government had reasonable procedures in place to minimize collection of “U.S. persons” data without a warrant.
You mean that order, Apple? That's right, I think you do! Speaking of Apple:
Apple demonstrated that resistance is possible when it held out for more than five years, for reasons unknown
Anyone who can't figure that one out is a complete fool, but I will give you a hint: it starts with the letter S, and ends with the letters teeve Jobbs. It doesn't say it in the article anymore but Apple joined in October 2012, clearly coinciding with their CEO getting cancered. Skype, meanwhile, joined in 2011, which would be about the time Microsoft acquired them. I would assume that until then, either it lacked the infrastructure to make it work or eBay didn't want to go along with the program. As for why they're classifying Google and Youtube as separate companies, and why youtube only got added in 2010, I have no idea.
the arrangement is described as allowing “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers.
This brings to mind two possibilities. The most obvious one is that the FBI/NSA have a device that they install, with or without the knowledge of service providers, in or near the physical company HQ. The NSA could also have gone to companies like Qualcom and Intel and convinced them to program access directly into the hardware. My guess is that it's the second option but you're supposed to think it's the first so that privacy advocates will tire themselves out trying to find bugs that aren't there and look ridiculous. It's kind of a moot point though because:
Government officials and the document itself made clear that the NSA regarded the identities of its private partners as PRISM’s most sensitive secret, fearing that the companies would withdraw from the program if exposed.
That implies that it is in fact possible to withdraw from the program.
“98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources,”
This flatly contradicts the Microsoft statement, below:
"[W]e only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”

So are they just lying? If so, they're headed straight for an ugly court fight with civil rights advocates and putting the NSA right in the middle. Unwise, to say the least.

Anyway, the real question is whether or not this database is used to used as a blackmail tool, or in connection with crimes not specifically related to foreign spying or acts of terrorism. This is not exactly reassuring:
Wyden repeatedly asked the NSA to estimate the number of Americans whose communications had been incidentally collected, and the agency’s director, Lt. Gen. Keith B. Alexander, insisted there was no way to find out. Eventually Inspector General I. Charles McCullough III wrote Wyden a letter stating that it would violate the privacy of Americans in NSA data banks to try to estimate their number.
Interesting how when you have secrets, you shouldn't have them unless you're hiding something, but when the government keeps secrets, you shouldn't know them because it might reveal others' secrets, which they shouldn't have anyway if they're not hiding anything but LA LA LA LA LALAAAAA! Hurray for circular logic.
Analysts who use the system from a Web portal at Fort Meade, Md., key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by The Post instruct new analysts to make quarterly reports of any accidental collection of U.S. content, but add that “it’s nothing to worry about.”
Call me paranoid, but I interpret that to mean, "Be sure to give us your quarterly reports on any time you 'accidentally' dob an American into the database. That way we can review it , determine there was no malicious intent for the courts, then file it to dev/nul because we are INCAPABLE of retaining that information, remember?" In other words, it trivializes the sweeping in of American contacts as long as it's reported, in order to encourage doing it in a deliberate, targetted way without telling anyone. Because if you don't do it at all, *that* would be strange and suspicious and have you filed your TPS report on time?
paidforbythegivedrewbetterblowjobsfundandthelibertyconventionforastupidfreeamerica

User avatar
Flack
Posts: 6088
Joined: Tue Nov 18, 2008 3:02 pm
Location: Oklahoma
Contact:

Post by Flack » Sat Jun 08, 2013 7:37 pm

The most logical interpretation of PRISM that I have read is that the NSA has tapped into a "Tier 1" internet pipe, which may be related to the Verizon filing that leaked earlier this week. The prevailing theory is, by tapping an internet pipe at that level they wouldn't need their fingers into individual clients or servers. All they would need is "filters" to sort out the traffic and reassemble it into their gigantic database. The one part I don't understand is how they would be able to sniff HTTPS traffic without ties into the backend somehow.

At this point... I mean, doesn't this mean game over? Assuming that the NSA is sniffing everything Google, Microsoft, Apple, Facebook... I mean, isn't that pretty much all of it?

No one has even mentioned yet the fact that if they are sniffing Microsoft and Apple data centers, what is embedded in their operating systems?
"Jack Flack always escapes." -Davey Osborne

Lysander
Posts: 1694
Joined: Tue Jul 08, 2003 12:39 pm
Location: East Bay, California.

Post by Lysander » Sat Jun 08, 2013 9:06 pm

Indeed, that's the most likely explanation; but then, why even tell the companies about it? They obviously need to compell the specific companies they are reading data from to consent, but to what? I had the same thought regarding the OSes, particularly givven recent scandals like Carrier IQ, and not-so-recent http://www.cnn.com/TECH/computing/9909/ ... .02/]this. What they're doing now is way easier though as it means fewer people have to know about it and even fewer are in a position to do anything to stop it.

BTW, I missed the official FACCCCT! sheet regarding the program (caution: PDF):
http://www.dni.gov/files/documents/Fact ... %20702.pdf

This is some highly dense legaleese that really brings up more questions than it answers, as it is designed to, but I draw your attention to this:
 The Government cannot target anyone under the court-approved procedures for Section 702 collection unless there is an appropriate, and documented, foreign intelligence purpose for the acquisition (such as for the prevention of terrorism, hostile cyber activities, or nuclear proliferation) and the foreign target is reasonably believed to be outside the United States.
Is that a legally defined term, 'hostile cyber activity?' Because if not then this shuts down, like, all of 4Chan. But here is the really alarming bit:
the dissemination of information about U.S. persons is expressly prohibited unless it is necessary to understand foreign intelligence or assess its importance, is evidence of a crime, or indicates a threat of death or serious bodily harm.
Understand, this is how legislation is written these days: not "this contravercial statute will go into effect when:", but "this contravercial statute shall never be used, unless" because the latter gives the illusion of tight controls when the actually binding language is after the unless. The important bit is the second one, "is evidence of a crime." I don't see any way to interpret this accept that it explicitly allows the NSA to share data from the Prism program to other agencies if it is evidence of criminal activity. Consider the following scenario: the IRA executes an attack on America for reasons of <fill> The NSA starts reviewing the inboxes of all foreign IRA members, and then through the chaining process we already know takes place, they come to NY representative and DHS committee chairman Peter King, who was once a member of the IRA. (seriously. Look it up) He is not guilty of any terrorism, however in reviewing his information they do find evidence of other crimes. Let's say file sharing, because everyone does it and the evidence of it is literally right there in Google's archives. Google, after all, stores a majority of the government's nonclassified data and also tends to retain emails even after they have been deleted. Under the rules of the program, this information is retained. They can now use it as blackmail to make sure he tows the "national security" line forever, because if he doesn't, ICE gets a memo. Which, by the way, he pretty much does. That's an extreme example, but not an implausible one; the main point is that as long as you happen to be associated in some vague way with a violent extremist group (how many celebrities and government officials met with the dictators of Libya, Syria, and even Osama Bin Laden before being put on the bad list?) and ever run afowel of the authorities, said authorities can just search for whatever evidence they need to build a case against you for whatever they want, and all without you even knowing you're being investigated. At least, that's how I read the document. And if I can read it that way, lawyers certainly can.
paidforbythegivedrewbetterblowjobsfundandthelibertyconventionforastupidfreeamerica

Lysander
Posts: 1694
Joined: Tue Jul 08, 2003 12:39 pm
Location: East Bay, California.

Post by Lysander » Sun Jun 09, 2013 6:06 am

Flack wrote:At this point... I mean, doesn't this mean game over? Assuming that the NSA is sniffing everything Google, Microsoft, Apple, Facebook... I mean, isn't that pretty much all of it?
Depends on what you're doing, really. If you believe that Prism is the extent of the internet spying done, which you shouldn't but we have to for this discussion, there are plenty of ways to slip the net. According to the reports it only applies to net services; all of facebook and skype, but "only" search and IM for Yahoo and Microsoft; lots of google stuff but not any part of their phone market. If you trust the report. There are secure alternatives to all of these services; you just might lose contact with those who won't or can't switch. At that point it becomes a value judgement of how much you care about them reading your stuff VS. the amount of effort it will take to get out from under the lens. The internet is waaaaayy bigger than just the web or any particular dime-a-dozen service that anyone can provide.
paidforbythegivedrewbetterblowjobsfundandthelibertyconventionforastupidfreeamerica

User avatar
Flack
Posts: 6088
Joined: Tue Nov 18, 2008 3:02 pm
Location: Oklahoma
Contact:

Post by Flack » Sun Jun 09, 2013 7:46 am

I agree and that was essentially my point -- I was just too lazy to spell it out. Assuming that those are the only companies that are being captured by PRISM, one would only have to avoid using the services of those seven companies to avoid being, uh, PRISMed? So tomorrow I could smash my iPhone and iPads up, delete my Gmail account, stop using Google for searches and Google Docs to store things, never use AT&T or Verizon for my cell phone service, avoid anything that says Microsoft on it, forget about Skype, and so on. It would take some work and some getting used to, but you could do it. The argument becomes though, are those really the only companies involved in PRISM, or are those just the ones that happened to be listed on that slide? If the NSA is really slurping data from a tier 1 pipe, who's to say that pretty much everything isn't being sifted through at this point? If everybody drops Apple's free e-mail and Microsoft's free e-mail and Google's free e-mail and moves to whatever new free e-mail pops up next, don't you think PRISM would stick their stinky pinky into whatever the next big thing becomes?

And, as you alluded to, it's not just your end. If you want to fly under the radar, not only do YOU have to stop using Gmail, but you can't send e-mail to other people who use Gmail as well! Or Hotmail, or Apple mail, yadda yadda.

At some point I think by simply being off the radar you will attract attention to yourself. Let's say those Boston bombing suspects weren't morons and actually pulled off that bombing and disappeared into the crowd undetected. The first thing you do is go pull up internet traffic from everybody in Boston. Then you go find college age students who are using the internet to talk overseas, or better yet, are sending encrypted e-mails and/or using Tor. Or maybe you target people 18-25 with no internet presence at all. Seems suspicious to me!

I honestly don't believe anything that gets said in the public forum by these companies simply because we have been lied to so many times. All day, every day, we hear from politicians sayings "I did NOT do that!" only to find out that they DID in fact do that. It happens all the time. On TMZ every day we hear people denying they did drugs or had an affair or made a porn tape or whatever only to discover a week later that the did (and they have the video to prove it!) Clinton stood up and said "I did NOT have sexual relations with that woman!" but then we all found out he did and he was like, "Oooooooh, THOSE kind of sexual relations!" So sure, Apple can stand up and say, "we've never HEARD of PRISM!" because maybe the name changed, and they can say "we would NEVER give up your data without a court order!" because maybe the NSA handed them a court order to install PRISM. Maybe I read between the lines too much but I don't believe any of these people denying the existence of this program. And just because the figurehead didn't know about it doesn't mean that the guys in the basement didn't. All this stuff revolves around creating plausible deniability, trust me.
"Jack Flack always escapes." -Davey Osborne

User avatar
Flack
Posts: 6088
Joined: Tue Nov 18, 2008 3:02 pm
Location: Oklahoma
Contact:

Post by Flack » Sun Jun 09, 2013 7:56 am

So next up is, "how do we stay out of PRISM's grasp?"

You mentioned IRC. IRC is plain, unencrypted text. Just by the nature of IRC, anyone between points A and B can sniff the text. It works by "security through obscurity," which means if they don't know what server you're on and can't compromise it and nobody hacks a bot that's been sitting in the channel capturing text, then yeah, maybe you're good. That's a lot of if's though.

I'm guessing for real secret stuff people are using FTP and dropping encrypted files off at random FTP sites and picking them up. That, or on random websites and downloading them. A little but of obfuscation goes a long way; name a file "NVIDIA Driver x.x.xxx", zip it up and encrypt it and drop it off at some random place and no one would think twice about it.

I have been reading up on wifi drop spots lately. The first one I read about was a hacked router firmware, but the newest one I saw was just running on a Raspberry Pi and an SD card. Essentially it's a little hot spot with a web server and ftp site built in. Drop it off somewhere and someone would have to know where it is to connect to it and exchange files with it. I'm thinking about running on at the next video game convention I attend -- maybe put some music to disseminate (or hey, Robb's games!) and turning it loose and see what people do. In the old spy days people had drop offs and meeting points and such -- I don't see this as any different, except the exchange is electronic once you get to the right physical location.
"Jack Flack always escapes." -Davey Osborne

lethargic
Posts: 548
Joined: Wed May 08, 2013 11:35 am
Contact:

Post by lethargic » Sun Jun 09, 2013 8:01 pm

It's simple. We just gotta rip off a little piece of our tin foil hats and wrap our fingers in tin foil while we type. Problem solved.

Lysander
Posts: 1694
Joined: Tue Jul 08, 2003 12:39 pm
Location: East Bay, California.

Post by Lysander » Sun Jun 09, 2013 11:06 pm

Like you said, a lot of this relies on stuff going through in plaintext, and when it doesn't, there's a problem. Facebook's a great example: if they do in fact intercept data at the ISP level (feeding into room 601A at AT&T which feeds back into my "why is anyone surprised by this?" mantra) then all you'd have to do to bypass the snooping is use https://facebook.com to connect... UNLESS. You contract with facebook and get their trusted certificate. That would allow you to decrypt everything facebook that passes through that choke point, but would mean that anything else encrypted that isn't on their list of "compromised" companies would remain unreadable. This also explains all the statements made by the various companies; "We dont' give any agency direct access to our servers, nor do we share customer data. We do, on the other hand, share our SSL certificate, which could be used to read traffic they're getting from another location... But sshhh!" If that holds true, there are a number of ways to ensure that your protocol or service can never be sniffed. One is to base it outside the US. Another is to open-source it. IRC, for example, is plaintaext by default but you can run an SSL-ized connection that should be free from interfeerance. Or, you can use an encrypted Jabber server that anyone can set up and use. Similarly, for voicechatting, you don't HAVE to use skype, you can use Mumble, which is open source, or TeamTalk, which is ludicrously obscure. The only issue is other people; facebook, google, etc. only has influence because they have such a high marketshare for whatever reason. That can go away at any time, myspace has prooven this. It's just a question of when.

I agree that doing so draws greater scrutany, which at the moment is a problem. However, all it will take is one example of the technology being used impropperly--AKA a jealous boyfriend who happens to work at the NSA using his trusted access to ruin someone's life--to serve as plausible deniability for anyone who asks what you have to hide.
paidforbythegivedrewbetterblowjobsfundandthelibertyconventionforastupidfreeamerica

User avatar
AArdvark
Posts: 8000
Joined: Tue May 14, 2002 6:12 pm
Location: Rochester, NY

Post by AArdvark » Mon Jun 10, 2013 3:05 am

Wouldn't it be really easy to circumvent all this intrusion by simply talking in code? Like, 'birthday party' or 'lima bean' could mean any sort of planned public terror event. Seems like the bad guys that plan these things would be smart enough not to actually use the words the Gov't is listening for.


THE
VERY OBSCURE
AARDVARK

User avatar
Flack
Posts: 6088
Joined: Tue Nov 18, 2008 3:02 pm
Location: Oklahoma
Contact:

Post by Flack » Mon Jun 10, 2013 7:45 pm

Yes, and that's exactly what the Boston bombers did. Only afterwards when looking back did people find out they were talking about setting off "fireworks" at the finish line of the marathon. Of course the key is to agree as to what those keywords are going to be offline, else it won't work too well.
"Jack Flack always escapes." -Davey Osborne

Lysander
Posts: 1694
Joined: Tue Jul 08, 2003 12:39 pm
Location: East Bay, California.

Post by Lysander » Mon Jun 10, 2013 10:36 pm

Here's some real tin foil hat stuff, thanks to the best podcast in the universe. If you want to hide something, do it in plane sight. Adobe's CEO basically bankrolls Salon, because his daughter is its President, despite their average $of 0.11 per share and bleeding millions yearly. (this is relevent because Glenn Greenwald, who broke the Prism story, was until recently one of their more outspoken contributors.) Their black-box document solution makes it easy to not only redact stuff but is also loaded with DRM, content tracking, e-signature verification and other 'management' tools that justifies the program to phone home at odd times and allows interested parties to track a specific PDF's journy through an organization, if desired. More importantly, they also own Flash. Flash is somewhat notorious for being everpresent, invasive, difficult to remove, and liked by no one--especially not by Steve Jobbs, who was dead set against Flash ever making its way into IOS. Until, well, cancer. (and since we're going full tinfoil hat mode, when's the last time a rich person died of cancer?) Now we have the Adobe CTO, a Flash guy since before the Macromedia acquisition, going to work at Apple: http://www.theregister.co.uk/2013/03/21 ... ins_apple/

Flash, as we know, can access pretty much any part of your PC if it wants including the webcam and microphone, without specifically telling you it's doing so. Of course, it isn't supposed to phone home, and anyone could notice it doing so at any time and blow the whistle on it. Unless, of course, you give it a reason to do so. And cue link: http://readwrite.com/2009/09/16/adobe-a ... ure-its-al
Adobe is instead coughing up $1.8 billion for analytics leader Omniture. This is the largest acquisition by Adobe since the purchase of Macromedia for $3 billion in 2005.
The acquisition has puzzled many, since Adobe and Omniture products really have no natural cooperation.
Go look in your cookies folder right now and I guaranty you'll find an Omniture one in there. Omniture, by the way, was started by a Mormon, who possess the largest known database of people. If anyone can tie the "unique identifier" to real people, it would be them. But it's okay; Flash is a dying technology, thanks in no small part to APple's intractability and the rise of HTML5. So it'll be a non-issue in a couple of years! Right? Well...

http://eon.businesswire.com/news/eon/20 ... Sports/NAB
Ecosystem partners include Akamai, Amazon Web Services, Cisco Systems, Elemental Technologies, Envivio, Harmonic, iStreamPlanet, RGB Networks, thePlatform and others. Comcast Cable and NBC Sports Group have signed on as first Adobe Primetime launch partners. [...] The Adobe Primetime Player is available for Windows, Mac OS, Android, iOS, and will support connected TVs as well as gaming platforms such as Roku and Xbox in 2013.
That's right, even the xBox1. You know, that device that sits in your living room with a microphone and camera that can't be turned off, and will brick itself if you leave it unplugged from the internet for longer than a day? Think about that for a while.
paidforbythegivedrewbetterblowjobsfundandthelibertyconventionforastupidfreeamerica

User avatar
pinback
Posts: 13343
Joined: Sat Apr 27, 2002 3:00 pm
Contact:

Post by pinback » Mon Jun 10, 2013 11:24 pm

If someone had told me that all along everything I did would be monitored at all times, my life would have turned out way better.

/religion'd
Above all else... We shall go on... And continue!

RetroRomper
Posts: 1321
Joined: Mon Jun 21, 2010 7:35 am
Location: No where loved.

Post by RetroRomper » Tue Jan 07, 2014 7:21 am

I'm somewhat shocked about how fast PRISM made it off the news of every outlet, as the program is still up and running with no successful legislation to curb it. Seriously, no direct oversight from either chamber of Government and a clandestine court with a layer of National Security over its body of law.

Post Reply