Friday, June 7, 2013

Brainstorming a Few Hypotheses About Prism

So executives at major tech companies are doubling down on the denials that they know anything about PRISM, including Larry Page and Mark Zuckerberg.  My first assumption was that the denials were legally compelled by the very orders under which they provided the data.  However, after the Obama administration had confirmed the program's existence, there would be little incentive for CEOs to personally continue to dispute the facts.  So what's going on here?  I don't know, but here's all the hypotheses I can come up with:
  • The tech executives do know about PRISM (in fact if not by name) but are continuing to deny it in the hopes of muddying the waters and limiting the damage to their company's brands internationally (this doesn't seem like it would be very smart given that more revelations seem likely, but it's at least a logical possibility).
  • The tech companies have employees with clearances who have implemented PRISM at the behest of the government, and non-cleared executives, including CEOs, genuinely don't know what's occurring.  If so, they are going to be outraged, and with every right.
  • The NSA has gained access to company's internal data via some third party (eg a telco provider to the tech companies, or a hardware or operating system vendor who has provided equipment with a backdoor).
  • The NSA has used technical means to break into the tech companies and install monitoring systems without their knowledge or permission (much as China has been trying to do).
  • The reporting by the Washington Post and the Guardian mischaracterized PRISM, and for some hard-to-imagine reason, the administration has decided to confirm it rather than correct it or deny it.
I have to say that any of these would be fairly breath-taking.  I await further revelations with great interest.  I have a feeling there are a lot more shoes still to drop here.

Oh, in an aside, the Guardian is reporting from a supposedly knowledgeable US intelligence source that "We hack everyone everywhere. We like to make a distinction between us and the others. But we are in almost every country in the world"  If that's true, not very much of it's been brought to light by the commercial security industry, suggesting that there are some interesting techniques in need of discovery.

16 comments:

sunbeam said...

I think a better question is why was this article allowed to be published.

I'm one of your tin foil hat readers. I think if the NSA or CIA wants to float a story in a major newspaper, they call up one of their assets there and do it ("Assets," not spied). If some sensitive info might be disclosed someone makes a call to Langley or wherever to make sure everything is ok.

The fact that it was published, serves someone's purpose.

Whose though I have no guess.

But I kind of think that this isn't exactly news to any intelligence service. Or it shouldn't be.

In my opinion anyway.

Sounds like it would make a good Saturday Night Live skit. Something about John LeCarre spy fiction and geeks.

I'm not outraged. I mean I have thought they were doing stuff like this a long time.

dr2chase said...

The "how" is somewhat interesting, and I partly wonder if they're happy to filter the easy 90%, knowing that sooner or later the bad guys in the 10% will make a mistake, and that people with both the knowledge to evade surveillance and the willingness to put up with that hassle are rare.

I imagine the 90% consists of closed source user platforms and big-company network services, and it could just be backdoors, so it could be hard for the security companies to spot. That's all closed and untrustworthy, but very convenient, very common, and the path of least resistance for most people

Open source the situation is reversed -- someone might spot a backdoor reading code (I'm assuming no compiler-hosted backdoors), but I don't think as much money is devoted to the task of finding security holes, so the spooks could use them sparingly and hope to avoid notice.

There's also sort of an interesting question, for some of this, of how-exactly-would-you-pull-it-off? Where do you put the guy who injects the hole, such that nobody else notices it?

Adam Schuetzler said...

Just a note - this doesn't surprise me even slightly, and this is just one part of a pattern of abuses of to the 4th amendment over the years. Look up the "drug exception" to the 4th amendment to see what the drug war did to it - the most egregious evil probably being so-called "civil forfeiture".

It would be pretty hilarious if the NSA has moles in Facebook and Google. That's a pretty straightforward attack on civilian activity. But hey, if you've got motive, opportunity, and you will NEVER be called to task for what you do, why not?

It's the same reason we had torture and still HAVE illegal detention, why the banks got away with massive mortgage and title fraud, why police officers often get away with murder, etc. Corruption does that. When there is no accountability, why stop? Why take an inch when you can take a mile?

Michael R said...

Stuart,

You've overlooked the most likely (in my mind) hypothesis: polio vaccination.

In much the same way that the CIA used a ruse (a polio vaccination campaign) to get into Osama bin Laden's hideout, I expect that the FBI "persuaded" the organizations in question to install remote access under a somewhat more palatable cover story.

Because that's just the way that crew rolls.

Michael R said...

To place a insert door in the infrastructure, first insert a back door in the organization:

"Tech companies might have also denied knowledge of the full scope of cooperation with national security officials because employees whose job it is to comply with FISA requests are not allowed to discuss the details even with others at the company, and in some cases have national security clearance, according to both a former senior government official and a lawyer representing a technology company."

New York Times

William M. Connolley said...

> However, after the Obama administration had confirmed the program's existence

This seems a rather careless statement by you. You're treating "confirmed the programme's existence" as the same thing as "confirmed all the Graun and Wapo speculation". From reading your link, its not at all clear to me what the US govt has confirmed: what *exactly* do you think they've confirmed?

> The company's denials clearly mean nothing (since the government has now confirmed PRISM, thereby making liars of them all)

Strong language. Are you still comfortable with that?

Michael R said...

Circumstantial evidence points to a coordinated response. The Facebook and Google denials appear to have been typed up from the same set of talking points, in order:


Zuckerberg: "Facebook is not hand has never been part of any program to give the US or any other government direct access to our servers."

Page: "we have not joined any program that would give the U.S. government--or any other government--direct access to our servers."


Zuckerberg: "We hadn't even heard of PRISM before yesterday."

Page: "We had not heard of a program called PRISM until yesterday."


Zuckerberg: "When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if it is required by law."

Page: "we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don't follow the correct process."


Zuckerberg: "We strongly encourage all governments to be much more transparent about all programs aimed at keeping the public safe."

Page: "there needs to be a more transparent approach....of course, we understand that the U.S. and other governments need to take action to protect their citizens' safety"


So, just to recap:

1. They provide any information requested by security agencies as long as the Foreign Intelligence Surveillance Court approves.

2. The Foreign Intelligence Surveillance Court always approves.

3. They can't say what they provide, because it's illegal to talk about it.

4. If it were legal to talk about it, the likely outcome is that what they provide would change.

Anonymous said...

Interesting comments, especially coming from a computer security guy.

I'm a little puzzled though, as I thought the NSA was well-known to be monitoring internet comms pretty much everywhere.

From wikipedia: "NSA is or was provided total, unsupervised access to all fiber-optic communications going between some of the nation's major telecommunication companies' major interconnect locations, including phone conversations, email, web browsing, and corporate private network traffic"

Is this not what Bluffdale is for?
http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1

Mr. Sunshine said...

Why not be comfortable with the language? Of course the corporations will deny and lie. People lie.

I'm not sure 'direct access' is actually needed, though, if one has 100% backbone mirroring, which seems to have been the case since 2006. When you have the world's "order flow" in the cache, you have everything to and from the sites you want and can reassemble it as desired.

Unknown said...

Does backbone mirroring help if you're mirroring SSL encrypted traffic?

Does the mirroring extend to things like the private connectivity Google etc use to replicate data between sites?

Unknown said...

The difference is that direct access circumvents end-to-end encryption. That makes all the difference.

Kobayashi said...

I am from CE Europe and I find it inconcieavble that the managements of Google and Facebook did not know about Prism or did not suspect that whatever information/data were handled by Google/Facebook do not go straight to US data bases.

I mean you have to be be most naive guy on Earth, to believe otherwise.

Hacking, caber-war, warrantless email searches etc. have been major news topics for years. legal scholars/legal departments as well as IT departments deal with these issues on a constant basis.

Google/facebook/MS have, I suspect, daily contacts with national security apparatus, and they probably have people from the intelligence apparatus actually seconded to (sitting at the offices of) these companies on a permanent basis (although the identities of these individuals are unknown to all but a few corporate officials). That's how they do it here, I would be surprised if US would be different.

Companies also spend a lot on monitoring potential hacking.

From all the cooperation, tidbits, tendencies both in legal terms, as well as tech-wise, Facebook and Google did not know?

C'mon. They must have suspected it, although the management may have have grounds to give a pluasuble denial (i.e. they did not have 100% certainty, so they did not in fact know it).

Chris Reynolds said...

This has been going on for decades. Here in the UK MI5 had a secret interception site to tap phone calls to Northern Ireland.
http://www.lamont.me.uk/capenhurst/original.html

There has always been the high capacity 'tap' between Menwith Hill and Hunter's Stones (UK). Last thing I heard the capacity into Hunter's Stones exceeded outgoing capacity by the equivalent of some 200,000 phone calls equivalent. Easily enough data for the optic fibre connection between Hunter's and Menwith. In other words a pipeline for NSA to intercept the UK ISDN at will.

When I used to work in telecoms it was pretty common knowledge amongst those of us who worked with cellular telecoms that the original GSM standard (A5/1) had the encryption fixed to 54 bits instead of 64bits. This was done at the request of various security services to allow in-the-field interception using a laptop with special software to decode calls in an operationally tolerable timescale. The full 64 bits would have increased the time substantially. This was wanted by the security services despite the fact that the could request warrants even on mobile numbers. In other words they wanted to intercept without recourse to warrant.

Even the UK Police's highly secure TETRA system reportedly has a backdoor for the security services.

Basically those in power are control freaks who have an almost innate desire to monitor everything.

It was said on a politics programme earlier today that we shouldn't worry and that worrying about one's communications being intercepted was indicative of individuals thinking they're more important than they really are. This is tripe. Data mining through analysis and use of maths (pattern recognition and correlation) is being used on us all.

We've sleep walked into a police state. Note the past-tense.

Mr. Sunshine said...

I had the good luck and pleasure to talk for a while with Phil Zimmerman back in the 80's and frankly, have not placed a lot of stock in most end to end encryption since that conversation. :)

Brandon Thomson said...

I am ambivalent about this news: glad that more widespread attention is being called to this important issue, and also a little nervous that sunbeam may be right. That is, the story may be more complex than is generally being presented, with some group(s) planning to benefit from this reveal (probably at the expense of the public).

Stuki said...

Interesting. In general, an "organization" is not allowed to disclose that they are providing data, but of course, organizations do nothing; individuals within each organization do. So, in organizations as large as these, are those providing access allowed to inform those they report to what they are doing? And what about those they would need to rely on to carry out the actual work?

The "deny everything" stance is probably fairly easy to implement in the naive case; where what is provided is "documents." Then, only a few, select people in the legal, and perhaps executive and financial departments would need to be involved/informed. And these are already people who are familiar and comfortable with nondisclosures, government edicts and such. But for the government to grab all data from gigantic companies whose entire business revolves around amassing as much data as possible, they would have to rely on almost all employees doing "their" legally bound duty, ideally without telling the guy they work next to, despite him doing exactly the same.......