WA Post Publishes 4 More Slides On Data Collection From Google, Et Al

Posted by timothy
from the so-much-wool-so-many-eyes dept.
anagama writes "Lots of new program names, flowcharts, and detail in four previously unreleased PRISM slides published by the Washington Post today. These slides provide some additional detail about PRISM and outline how the NSA gets information from those nine well known internet companies. Apparently, the collection is done by the FBI using its own equipment on the various companies' premises and then passed to the NSA where it is filtered and sorted."

  • by Anonymous Coward on Sunday June 30, 2013 @11:33AM (#44147809)

    I've already quit Google. Now how about you?

  • by Anonymous Coward on Sunday June 30, 2013 @11:38AM (#44147845)

    Google et al. said something, IIRC, like 'we do not collect and pass on any info to the NSA'. Technically true, but also completely irrelevant to whether or not the NSA was actually collecting data.

    Asking corps or government about what they do and don't collect is like asking a genie for a wish: one must phrase the question perfectly, or they'll twist it any way they can in order to answer what you asked, but not what you really wanted to know.

    • Quoted company may have or may not have used weasel words. We await confirmation of this rolling news headline.
    • by Nerdfest (867930)

      ... and to the person that said the devices were in ISPs, it's unlikely because of the prevalence of SSL. The equipment would need to be behind the company firewalls.

      • Because the NSA couldn't possibly have their private keys...

        • Having a copy of the private key doesn't help you when using Perfect Forward Secrecy [wikipedia.org] through ephemeral Diffie-Hellman session keys.

          Though I suppose that if you disable everything but the EDH and DHE ciphers in your browser, many sites will not work.
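
The forward-secrecy point in the comment above, as an added example that is not part of the original thread: a Python `ssl` client context restricted to ephemeral (EC)DHE key exchange, plus an audit of which suites it will offer. The function names and the cipher string are choices made for this example; the name-prefix classification assumes OpenSSL's suite naming.

```python
import socket
import ssl

# OpenSSL cipher string: ephemeral (EC)DH key exchange with AEAD ciphers only.
# Static-RSA key exchange is excluded simply by not being listed.
PFS_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL"


def is_forward_secret(suite_name: str) -> bool:
    """Classify an OpenSSL cipher suite name by its key exchange.

    TLS 1.3 suites (TLS_*) always use ephemeral (EC)DHE. For TLS 1.2, the
    key exchange is the first component of the OpenSSL name; a name with
    neither prefix, such as "AES256-GCM-SHA384", uses static RSA, where the
    server's long-term private key decrypts recorded sessions.
    """
    return suite_name.startswith(("TLS_", "ECDHE-", "DHE-"))


def pfs_only_client_context() -> ssl.SSLContext:
    """Client context that still verifies certificates but only offers
    forward-secret suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_ONLY)
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Split the suites a context will offer by forward secrecy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "forward_secret": [n for n in names if is_forward_secret(n)],
        "not_forward_secret": [n for n in names if not is_forward_secret(n)],
    }


def negotiated_suite(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the restricted context and return the suite name.

    Raises ssl.SSLError when the server supports no ephemeral suite, which
    is the "many sites will not work" case from the comment.
    """
    ctx = pfs_only_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0]


if __name__ == "__main__":
    report = audit(pfs_only_client_context())
    print(len(report["forward_secret"]), "forward-secret suites offered")
    print("non-forward-secret suites offered:", report["not_forward_secret"])
```
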

    • by achbed (97139)

      They are technically correct. The best kind of correct. The FBI is the one doing the collection and passing on.

      So, by statute the NSA is not allowed to spy on American citizens on American soil (since that's the FBI's job). But because of all the Intelligence-sharing laws that passed in the early and mid 2000s, that's been totally neutered. It's an offshoot of the outsourcing mindset - we're not allowed to do it, but we can ask someone else who IS allowed to and share the results.

      • by memnock (466995)

        I honestly don't know, but I thought it was illegal for the FBI to spy on U.S. citizens as well?

    • Google is correct. They do not pass data to the NSA, the FBI does it for them. Everybody in the spy industry is just playing silly buggers and thinks that all citizens are morons.
    • Oh, be fair. These infamous 9 have a lot of data centers, and you can't expect the CEO to know which equipment from whom is in every corner there? I mean, just walk up to one of their data centers with a router in your hand, and tell them that you need an Internet connection. I'm sure that they'll let you waltz in and connect whatever equipment you want . . .

      . . . when monkeys fly out of my ass.

      The FBI probably has technical offices and agents in each data center, to maintain all this stuff. Ask them

    • Re: (Score:3, Interesting)

      by messagelost (1989296)

      Google et al. said something, IIRC, like 'we do not collect and pass on any info to the NSA'. Technically true, but also completely irrelevant to whether or not the NSA was actually collecting data.

      They didn't mention the NSA: http://googleblog.blogspot.com/2013/06/what.html [blogspot.com] That post is unequivocal, and is in direct contradiction to statements by the Post like:

      The Foreign Intelligence Surveillance Court does not review any individual collection request.

      and

      The FBI uses government equipment on private company property to retrieve matching information from a participating company

      Which directly contradicts a statement here: http://www.wired.com/threatlevel/2013/06/google-uses-secure-ftp-to-feds/ [wired.com] Unfortunately, all such statements in the Post's article aren't on the slides; they are the Post's annotations on the slides, and the author doesn't provide any evidence to support them. Take from that what you will.

    • by bl968 (190792)

      They don't pass it along to the NSA; they pass it to the FBI who passes it to the NSA.... So while technically correct, it was a part of the big lie that the NSA is not spying on Americans...

  • by roman_mir (125474) on Sunday June 30, 2013 @11:45AM (#44147881) Homepage Journal

    This is an unconstitutional power that the USA federal government usurped from the people, it doesn't actually matter how they grab most of it, however what does matter is that they do and it looks like it's not going to stop until the system crashes and there is no more money to run it.

    Encrypt your communications, encrypt everything you can. Use self signed certificates, by the way, avoid Certificate Authorities, AFAIC they only make it easier to create a MITM attack, not harder. They can confirm to your device that a certificate is valid even if it is not the certificate that you want to use. Of course if you use CAs do not let them generate your keys for you.

    At this point the behaviour of browsers to treat self-signed certificates as worse than plain text should be suspect to everybody, there is no rational explanation to that sort of attitude except: we don't want you to use certificates that authorities can't revoke and replace.

    • by mcgrew (92797) *

      Encrypt your communications

      Djl;lk;mckj88 d d ddddja;pdooble!

      How's that? The NSA will never know what I said there!

    • by pilot1 (610480) *

      At this point the behaviour of browsers to treat self-signed certificates as worse than plain text should be suspect to everybody, there is no rational explanation to that sort of attitude except: we don't want you to use certificates that authorities can't revoke and replace.

      I agree that everyone would be better off if everyone encrypted everything. I also agree that CAs shouldn't be trusted.

      But seriously? You can't see any reason to distrust self-signed certificates? They aren't trusted because the browser has no way to verify their authenticity, which makes them dangerous. Trusting them would make man-in-the-middle attacks against SSL too easy; many studies have shown that users ignore the warnings. This _IS WORSE_ than plaintext because the user believes they have a secur

      • by roman_mir (125474)

        You can't see any reason to distrust self-signed certificates?

        - I trust them much more than I trust governments and certificate authorities. I trust that using an encrypted connection with self signed certificate is NOT WORSE than using plain text and I don't trust that the browser behaviour regarding self signed certificates is without suspect, without a bias.

        IF your argument had any merit, THEN browsers could at least use the self signed certificate and NOT show the 'secure' icon, show whatever you like, don't break browsing experience for users. Don't say that t

        • by pilot1 (610480) *

          - I trust them much more than I trust governments and certificate authorities. I trust that using an encrypted connection with self signed certificate is NOT WORSE than using plain text and I don't trust that the browser behaviour regarding self signed certificates is without suspect, without a bias.

          It is worse. Using an encrypted connection with a self signed certificate is worse than plain text in terms of security. With HTTP a man-in-the-middle can see everything you send. With HTTPS using a self-signed certificate a mitm can substitute their certificate for yours and see everything you send. You'll have no idea this happened because you'll see the self-signed warning either way. The difference is that with HTTP the user knows the connection is insecure and can choose what data to transmit accordingly;

          • Re: (Score:3, Interesting)

            by roman_mir (125474)

            It is worse. Using an encrypted connection with a self signed certificate is worse than plain text in terms of security. With HTTP a man-in-the-middle can see everything you send. With HTTPS using a self-signed certificate a mitm can substitute their certificate for yours and see everything you send.

            - nonsense and it is dangerous nonsense given the facts that we now are aware of about the governments recording all communications to look at a LATER DATE.

            If somebody, especially government is specifically targeting you for MITM attack, no CA will stop them, worse, AFAIC CAs are highly suspect, CAs are a perfect target for government 3LAs to create an easy way to penetrate security.

            In fact there cannot be 'secure' icon on a browser if a CA is used! The only way to have highest order of security that

            • by pilot1 (610480) *
              I'm sorry, but either you didn't read my post or you don't understand how SSL/TLS and public key cryptography work.

              If somebody, especially government is specifically targeting you for MITM attack, no CA will stop them, worse, AFAIC CAs are highly suspect, CAs are a perfect target for government 3LAs to create an easy way to penetrate security.

              Correct, and a self-signed certificate won't stop them either. Here's a simple algorithm to break self-signed HTTPS:
              1. If HTTPS using a CA-signed certificate is detected, record the traffic.
              2. Else if HTTPS using a self-signed certificate is detected, perform a mitm attack and record the decrypted traffic.

              It's only secure to use trusted self-signed certificates, which is what I've been arg

              • by roman_mir (125474)

                I saw your post, I understand what encryption is, what certificates are, what self signing is, I develop with it and use it all the time. Again, unless you are working for CAs and have a dog in this fight or you are NSA, you wouldn't want people to use self signed certificates, that's true. Otherwise it is a nonsensical irrational position to state that self signed certificates EVEN when they are not deployed manually, when the fingerprint is not checked by the end client are worse in any way than plain text g

                • by pilot1 (610480) *

                  ... given the fact that governments are recording everything for assessment and for looking at it when time comes later. When time comes later, the information may still be recovered if the government is really really interested in finding out what it was that you wrote there, however it's going to be much more difficult than if it was plain text, there is nothing to recover with plain text, it's out in the open.

                  There are two scenarios here: either the government performs mitm attacks or they don't.

                  If they do perform mitm attacks, using an untrusted self-signed certificate is equivalent to using a CA-signed certificate in terms of what the govt can see. The govt can perform a mitm on the self-signed connection by using their own self-signed cert, and the govt can perform a mitm on the CA-signed connection by forcing the CA to give up the CA cert and signing a new cert with the CA cert.

                  If they don't perform m
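
The difference between an untrusted and a trusted self-signed certificate argued over in this subthread, as an added example that is not part of the original comments: the client records the SHA-256 fingerprint of the server's certificate and flags any later change, much as SSH does with known_hosts. `PinStore`, `fetch_leaf_der`, the JSON file layout and the byte strings used in place of DER certificates are constructed for this example.

```python
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the value a user would compare
    out of band with the server operator."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server certificate without chain validation.

    A self-signed certificate has no CA path, so validation is off on
    purpose here; trust comes only from the pin comparison in PinStore.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Host -> fingerprint map persisted as JSON."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, der: bytes, trust_on_first_use: bool = False) -> str:
        seen = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            # No prior knowledge: the certificate authenticates nobody yet.
            if not trust_on_first_use:
                return "unpinned"
            self.pins[host] = seen
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "pinned-now"
        # A changed certificate is either a key rotation or a substituted
        # certificate; the caller must stop and verify out of band.
        return "match" if hmac.compare_digest(pinned, seen) else "MISMATCH"


if __name__ == "__main__":
    import tempfile
    store = PinStore(Path(tempfile.mkdtemp()) / "pins.json")
    genuine = b"constructed bytes standing in for the server's DER certificate"
    swapped = b"constructed bytes standing in for a substituted certificate"
    print(store.check("example.internal", genuine))                 # unpinned
    print(store.check("example.internal", genuine, True))           # pinned-now
    print(store.check("example.internal", swapped))                 # MISMATCH
```
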

    • by Anonymous Coward

      How long before we find out that CAs are part of the whole spying industry also?

      • How long before we find out that CAs are part of the whole spying industry also?

        There is a very high likelihood that they are. Verisign was founded by a group of ex CIA/FBI directors back in the 90's, who resigned to start Verisign. This happened after the Clipper chip program got canned. (The US government wanted to build a legal backdoor into every computer running the Clipper cryptographic system.)

        It's the same reason that they bought Thawte from Mark Shuttleworth for about $1 billion. He controlled a significant amount of encrypted HTTPS traffic via his start-up.

        I suspect that most HTTPS traffic can be decrypted on the fly by the US spy organisations.

  • by Anonymous Coward on Sunday June 30, 2013 @12:05PM (#44147993)

    Lies, Facebook in particular lied about this, even as Obama was confirming it and claiming a [non-existent] warrant is needed to access this data:
    "The search request, known as a “tasking,” can be sent to multiple sources — for example, to a private company and to an NSA access point that taps into the Internet’s main gateway switches. A tasking for Google, Yahoo, Microsoft, Apple and other providers is routed to equipment installed at each company. This equipment, maintained by the FBI, passes the NSA request to a private company’s system. Depending on the company, a tasking may return e-mails, attachments, address books, calendars, files stored in the cloud, text or audio or video chats and “metadata” that identify the locations, devices used and other information about a target."

    I don't care about the pathetic protections put in place for Americans, I'm not American. I care that these services hand my data to a military structure that works against me. Worse they inevitably turn America into a dictatorship.

    "Before an analyst may conduct live surveillance using PRISM, a second analyst in his subject area must concur. "
    So any boss that oversees 2 analysts can spy on Americans, simply because he can order 2 of them to concur. And the big boss, General Alexander can even waive this, because it's HIS policy not law, i.e. no protections at all.

    You want to fix this? Well try running for President and sacking the NSA chief. He'll have record of every mistake you've made, detailed knowledge of who backs you, the campaign team, private communications, strategies, everything. They've made a dictator and people like Dianne Feinstein are so stupid and incompetent they can't see why they've done so much damage.

    Completely flipping the system in secret, the system that's kept the US a democracy for the longest time any democracy has survived so far. Those little shits just threw it away.

    • by gl4ss (559668)

      Obama was only speaking about Americans when he said that you need a warrant. That's where the 51% probability comes from, so some dude has to think that there's 51% probability that someone is a foreign national on foreign soil and therefore they can SPY ON HIM INSIDE USA from american servers ;)DDSSAFSD.

  • by seyyah (986027) on Sunday June 30, 2013 @12:09PM (#44148015)

    I'm just a dumb Canadian... Is WA ever used for Washington DC?

    • by mcgrew (92797) *

      No. WA is always Washington state, DC is the District of Columbia; Washington, DC is not in any state. WA is a postal code, like IL is Illinois and FL is Florida.

      • by vux984 (928602)

        While "WA Post" is rather ... odd, it's frequently abbreviated to WAPO.

        In fact, google for wapo and the first result is the Washington Post site. Wikipedia redirects wapo to the article about the Washington Post.

        Etc.

        • I've only seen it a few times -- on Poynter.org, who report on journalism, and they seem to have standards on how they form abbreviations. I don't know that I've seen it in other places -- most people reporting try to cater to a wide audience and don't tend to slip in jargon.

          And when I've seen it on Poynter, I've always seen it as mixed case 'WaPo' not 'WAPO'. I've also seen it abbreviated 'WashPost', but this is the first that I've ever seen it as 'WA Post'. (and I don't think I might've overlooked it

    • by hydrofix (1253498)
      I was also baffled by the headline. Though speaking as a non-American, I have still never seen "WA Post" being used for "Washington Post", and deciphering the meaning took a while. This usage seems very original, and is probably erroneous, as "Washington" in "Washington Post" does not refer to Washington state.
    • by Guppy06 (410832)

      I love it when people try to show themselves as clever and end up showing the complete opposite.

    • I'm just a dumb Canadian... Is WA ever used for Washington DC?

      No it isn't - WA is the official US Post Office abbreviation for the State of Washington, which incidentally is where I live (so I've written or typed it thousands of times in my life).

      • by xenoc_1 (140817)

        Correct, and the GP, Happy Canada Day.

        The OP should either have used the commonly understood abbreviation, "WaPo", for the Washington Post, or used perhaps, "Wash. Post" which is a correct-US-English, though not US Postal Service, abbreviation for Washington, D.C.

        "WA Post" makes it seem it might be out in Tacoma or Spokane or thereabouts.

        • by anagama (611277)

          "Wash." used to be the postal code for WA before we went to two letter abbreviations. I'm surprised though that people are having such a hard time reading this (well, I can understand non US based people not getting it, but anyone in America who doesn't must lead an incredibly hard life, being so literal and all).

          Or maybe it is just that I live in Washington State, and it rankles me whenever I hear people say "Washington" when they mean "Washington DC".

          I live in the real Washington, the one with trees and mou

          • by anagama (611277)

            Usually I hate Slashdot tangents, especially pedantic ones, but this one got me looking at some Utah Phillips stuff on Youtube.

            http://www.youtube.com/watch?v=U0f-mlwaGcE [youtube.com]

            That is from Amy Goodman's interview with him before he died. Interestingly, he talks about the prosecutions under the espionage act of labor organizers (Phillips was a Wobbly) around WWI toward the end of that segment. http://en.wikipedia.org/wiki/Palmer_Raids [wikipedia.org]

            J. Edgar Hoover was involved in those.

            Anyway, this tangent on "WA Wash Washingto

          • by Guppy06 (410832)

            "Wash." used to be the postal code for WA before we went to two letter abbreviations.

            There were no standardized abbreviations before the US Postal Service created them. At best you had something like the Associated Press style manual for datelines. Canada Post collaborated (note that "MB" is the only possible abbreviation for Manitoba that doesn't overlap with a US state).

            I'm surprised though that people are having such a hard time reading this (well, I can understand non US based people not getting it, but anyone in America who doesn't must lead an incredibly hard life, being so literal and all).

            It's up there with there/their/they're and to/too/two: "WA" has a clear and unambiguous meaning and its incorrect use is jarring, interrupting the smooth flow of reading while we have to consciously decipher the writer'

            • by anagama (611277)

              Anagama wanted to use jargon to sound "in the know"

              No, I wanted to make sure I fit the headline in the space allotted so I abbreviated without even thinking about it. I abbreviate WA DC like that all the time when commenting on stuff here and elsewhere and nobody has ever expressed confusion. Seemed totally natural to me. Next time I'll be sure to write "Mordor Post" or something to avoid confusion.

  • WA is the abbreviation typically associated with Washington State, not the city of Washington, D.C.

    Wash. Post is the more commonly accepted abbreviation of the newspaper based in Washington, D.C.

  • by Anonymous Coward on Sunday June 30, 2013 @03:18PM (#44148875)

    With each new iteration it is clear that the NSA is bullshitting congress (partly under oath), and congress is bullshitting the public by well-chosen weasel-wording.

    What those criminals don't understand is that stating technical truths with the explicit intent of causing false beliefs in the recipient is lying. The intent to deceive and mislead is not ameliorated by some technical truth to a statement.

    What is intended to convey wrong information is a lie. The bitter truth is that the NSA is trying to test with how little truthful information they can get away with congress and public, and congress and government are trying to test with how little truthful information they can get away with the citizens.

    As long as there is no intention to actually and truthfully communicate, the respective entities need to get dissolved. They are out of control, and they like being out of control.

  • I think it's pretty clear that the US government simply does not have the manpower to read every single online communication in the world and if they can't read it it is useless. So is there some way we can fuck up their automated filters? It would be great if Snowden had information on the actual keywords that PRISM searches for to bump the communication over to a human.

    How about an application that intentionally comes up with suspicious sounding emails that spam all of the NSA keywords. If each of us ran s
