How Big Companies Can Hamper the Surveillance Infrastructure

Posted by timothy
from the little-friction-here-little-friction-there dept.
Trailrunner7 writes "Buried underneath the ever-growing pile of information about the mass surveillance methods of the NSA is a small but significant undercurrent of change that's being driven by the anger and resentment of the large tech companies that the agency has used as tools in its collection programs. The changes have been happening since almost the minute the first documents began leaking out of Fort Meade in June. When the NSA's PRISM program was revealed this summer, it implicated some of the larger companies in the industry as apparently willing partners in a system that gave the agency 'direct access' to their servers. Officials at Google, Yahoo and others quickly denied that this was the case, saying they knew of no such program and didn't provide access to their servers to anyone and only complied with court orders. More recent revelations have shown that the NSA has been tapping the links between the data centers run by Google and Yahoo, links that were unencrypted. That revelation led a pair of Google security engineers to post some rather emphatic thoughts on the NSA's infiltration of their networks. It also spurred Google to accelerate projects to encrypt the data flowing between its data centers. These are some of the clearer signs yet that these companies have reached a point where they're no longer willing to be participants, witting or otherwise, in the NSA's surveillance programs."
  • Outsource freedom (Score:4, Insightful)

    by Anonymous Coward on Saturday November 16, 2013 @05:52PM (#45445235)

    If you want large companies to not perform surveillance, move them to a country where the government can't secretly compel them to do whatever they want.

    Due to US cryptography export restrictions, it's likely easier to actually provide some security if you leave the US too.

    Outsource freedom: because losing the jobs isn't enough anymore.

    • If you want large companies to not perform surveillance, move them to a country where the government can't secretly compel them to do whatever they want.

      There was a story recently on /. about Switzerland wanting to become such an alternative. They've had some of the strictest privacy policies for a long, long time. For the wrong reasons of course (it is basically what allowed their secret banking sector to attract untold billions from tax dodgers and worse) but who knows, maybe that is actually a decent idea.

      My hope is that, I've said it before, when this whole Stasi fetish starts to really hit the bottom line of some big campaign contributors, perhaps the

      • by Joce640k (829181)

        The famous Swiss banking privacy isn't what it used to be.

        The US Gov. (and others) has had teams of people working on special "Switzerland policies" for decades.

        • Re:Outsource freedom (Score:4, Interesting)

          by erikkemperman (252014) on Sunday November 17, 2013 @07:56AM (#45447797)

          The famous Swiss banking privacy isn't what it used to be.

          The US Gov. (and others) has had teams of people working on special "Switzerland policies" for decades.

          Which, as I understood it, might be part of the reason they apparently want to branch out from banking. Still backed by some of the same strict privacy laws which allowed anonymous banking to flourish, even if that is now drying up slightly, they might well succeed in setting up what amounts to a data haven.

          Of course it won't be very long until the various spooks will try and eventually no doubt succeed at infiltrating and subverting that in the same way they have been doing to Swiss banks.

          It was one of these operations (CIA, I believe, getting a banker drunk behind the wheel with the aim of blackmail) that appalled Snowden in particular while he was stationed thereabouts.

          In a weird way we'll have come full circle if one result of all this would be a data haven in Switzerland.

      • by lennier (44736)

        There was a story recently on /. about Switzerland wanting to become such an alternative. They've had some of the strictest privacy policies for a long, long time.

        That would be the Switzerland which was home to Crypto AG [wikipedia.org]? Possibly not as strict about privacy as one might like to imagine.

    • by contrapunctus (907549) on Sunday November 17, 2013 @09:17AM (#45448087)

      Can't remember quote exactly or who said it: "I want to leave the US but I'm afraid to be a victim of its foreign policy"

  • by ameline (771895) <(ian.ameline) (at) (gmail.com)> on Saturday November 16, 2013 @06:00PM (#45445271) Homepage Journal

    They aren't getting *nearly* paranoid enough. They should be encrypting the data on disk, on network connections between machines in the *same* data center, not just between centers. In fact the data should remain encrypted at all times unless absolutely necessary to have in clear-text to process it -- and that should never leave the CPU. It should remain clear-text only for the absolutely minimum time required.

    They should assume that hostile agencies (foreign *and* domestic) have tapped every last network link they own. As well as most routers and processing machines. They should also assume that some small percentage of their workforce are working on behalf of one of these adversaries. Given these assumptions they should design a system that can remain as secure as possible given these circumstances.

    Merely encrypting the network links between their data centers is not nearly enough to thwart the likes of the NSA, CSEC, GCHQ or other nameless agencies.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Oh come on, you expect them to drastically increase costs to encrypt everything everywhere and thus make every machine that works with the data have decryption keys? Sure, adding layers of encryption does not hurt, but it does not help much, and it's expensive.

      If you want your data protected that badly, perhaps you should not trust/expect someone else to do expensive things that you have no way to verify are done properly. And regardless, none of that helps if the NSA asks for the data.

      If you want your data

      • by 0123456 (636235) on Saturday November 16, 2013 @07:47PM (#45445681)

        Oh come on, you expect them to drastically increase costs to encrypt everything everywhere and thus make every machine that works with the data have decryption keys?

        Setting up IPSEC tunnels between the machines is easy[*], and pretty close to free. Encrypting the drives should also be pretty much trivial, though not necessarily much help if the attacker already has access to the machine.

        [*] - as in, once you've spent days working out how to configure that monstrosity the first time, you can set it up easily on any other machines.

      • Homomorphic encryption [wikipedia.org] might work for some applications. Still I'm always going to expect NSA et al, depriving academia as they do of some of the best and brightest in the relevant fields of math and CS, to subvert that approach as well.

      • The answer is IPSec.

        Forget the whole "Using it for VPNs crap", it was designed from the start, originally with IPv6 in mind, for opportunistic encryption-by-default (including "Talking to this host? IPSec or nothing".)

        Increase in costs? Maybe, but you're talking marginally more CPU power needed and only a one-off administration overhead. It's not a "drastic increase (in) costs" by any measure, and quite honestly, it should be best practices, and at an Internet company like Google or Yahoo, it probably

    • But then how would they handle key management?

      • by ameline (771895)

        An excellent question -- and not one I have an answer to.

        I think that perhaps they should get Bruce Schneier to help design their systems for them.

    • Re: (Score:3, Insightful)

      by Mitreya (579078)

      They should assume that hostile agencies (foreign *and* domestic) have tapped every last network link they own.

      I am sure they knew all along. They were fine with it.

      Everyone is making noise now, because it became public and there is some concern over backlash from the users.

      • by Silentknyght (1042778) on Saturday November 16, 2013 @08:34PM (#45445883)

        They should assume that hostile agencies (foreign *and* domestic) have tapped every last network link they own.

        I am sure they knew all along. They were fine with it.

        Everyone is making noise now, because it became public and there is some concern over backlash from the users.

        Let's be honest here. "They" in these cases are companies staffed by 1,000's of people. It seems highly implausible that all of those people, or even just all of the 100's that matter with respect to IT & infrastructure security, would have "known it all along," even less so been "fine with it." I find it more likely that the outrage is 99+% genuine, with 1% reserved for the dozen or fewer people who would have actually (or theoretically, if it's just a conspiracy theory) been in the know on something this big.

      • Sure based on what? Your anti-corporate bias? Internal knowledge? Things you decided not to cite?
        You are the epitome of disillusioned do-gooders everywhere. Where a single failure lies, all others are equally damned.
        Business makes bad decisions, this is true. Business rarely makes the same bad decision.
        As with any rule, follow the money. If big business hands over your data, and Snowden reveals it, you have big money coming at you.
        Your homework: who would risk that, and what is the minimum payoff to make it

        • by Anonymous Coward

          "If big business hands over your data, and Snowden reveals it, you have big money coming at you."

          Where do you get this nonsense? Quite clearly it is Snowden that has troubles from our leadership. Why would our leadership self destruct?
          Very wealthy business leadership and government are now combined. Elections consume ridiculous amounts of cash contributions and government employees leave an administration to immediately occupy positions in businesses they previously regulated. Heavy accumulations of wealth

    • by Aighearach (97333)

      Those new open switches are going to really help companies set that stuff up! The future of network security is getting clearer. It probably isn't needed to encrypt all the disks if you have good enough network security. Obviously that depends on the data, and that calculation has changed. It is probably worth having cameras on your racks for physical security, though.

      • by kermidge (2221646)

        "...having cameras on your racks..."

        I thought that was what the porn sites were for.

        So, ok, who watches the cameras? How do you vet them? Oh - have an algorithm do the watching? Ok, fine. How do you write a routine that can tell a good guy from a bad guy? How do you vet his identity? Use a badge that can be switched? Well, that can be avoided by using a password pill, I guess. But still, who's good and bad? Ah, catch the keystrokes and distinguish between proper maintenance and improper access. Th

    • They should assume that hostile agencies (foreign *and* domestic) have tapped every last network link they own.

      They should also assume that some of their own employees are moles.

      • by ameline (771895)

        | They should also assume that some of their own employees are moles.

        I mention that they should assume that.

        • You have either shown incredible restraint or implied megahours of devotion to /. with your reluctance to meme RTFS. Not above a subtle "Told you so" though... no one's perfect.

    • by sk999 (846068)

      "They should be encrypting the data on disk, on network connections ..."

      Let's see how that paranoia thing works in practice.

      "Microsoft's Azure service hit by expired SSL certificate"
      http://www.computerworld.com/s/article/9237076/Microsoft_39_s_Azure_service_hit_by_expired_SSL_certificate [computerworld.com]

      Hmm, needs more work.

      • by Pav (4298)
        Yes... every increase in complexity causes problems, and security is a feature that at best is imperceptible to the end user, and often changes the user experience for the worse. Also you're never sure if it's good enough - at best you discover a compromise when your bank account gets drained, and at worst... well... today whole societies can be subtly subverted for the worse while remaining completely ignorant. Still, suddenly everyone is aware it's important.
    • by akozakie (633875)

      Assuming they want to thwart them, not just show that they are trying.

    • by mlts (1038732) *

      Encrypting is useful, but then comes the very nasty thing that comes with it: Key management.

      Key management is something people fail to think about after the "Encrypt it, encrypt it now!" statement is implemented. How are keys stored, and who has access to them? You have to sail your way between the Scylla of having keys obtainable by the bad guys, versus the Charybdis of a disaster causing all data to be forever inaccessible.

      Of course, there are plenty of guys who will sell you an encryption appliance that

      • Encrypting is useful, but then comes the very nasty thing that comes with it: Key management.

        This hits the nail right on the head. Encrypting is an important thing to do but if they hand over the keys (intentionally or not) then all the encryption in the world means nothing. And frankly key management is the most difficult piece of the puzzle because of the human factor. Only one person has to be compromised and all your encryption is for naught. Furthermore under our current legal framework with national security letters, people can probably be compelled to hand over encryption keys and risk j

      • by swillden (191260) <shawn-ds@willden.org> on Sunday November 17, 2013 @12:30AM (#45446763) Homepage Journal

        Encrypting is useful, but then comes the very nasty thing that comes with it: Key management.

        Google has an outstanding key management infrastructure. That problem was actually already thoroughly solved a while ago. Actually, it's pretty well-solved outside of Google as well, for point-to-point links within an enterprise. Kerberos (though Google's solution is more robust than Kerberos).

        Oh, the CA keys. Are they stashed in an armored HSM?

        Google has a great answer there, too. I wish I could share it.

        • by mlts (1038732) *

          Google is to be respected there. In the past, I've encountered many businesses that, at best, provide lip service, at worst, have nothing whatsoever.

          Almost every business should have some form of key management solution in place, even if it is a printed out piece of paper with all the BitLocker recovery codes stashed in a couple safe deposit boxes. Of course, if some antagonist is big enough, a safe deposit box can be frozen or seized, so for some organizations, that isn't a wise idea.

          I just wish USB cryp

        • You can't have 'outstanding' key management structure for HTTPS sites in a distributed environment with failover and load balancing. The private keys are in possibly thousands of different places. Only one of them needs to be compromised for those private keys to get out there and then someone uses them to man in the middle all your customers' HTTPS traffic.

    • by swillden (191260) <shawn-ds@willden.org> on Sunday November 17, 2013 @12:14AM (#45446721) Homepage Journal

      Dude, I really wish I could give you a point by point response. Actually, I typed one out, and then realized that I went too far. I personally think Google is making a big mistake by not being more open about its security policies, procedures and technologies -- because they're awesome -- but the fact is that a lot of it is confidential, and I like my job.

      What I will tell you is this: Google's general solution to cross-DC traffic wasn't to add link-level encryption to the cross-DC links, and there is so much cross-DC traffic that it would be a nightmare to try to identify the cross-DC connections and encrypt just them. Further, stuff gets shifted around between DCs a lot, so any such solution would be beyond brittle. I'll let you extrapolate from there.

      The other thing I'll say is just to give you a testimonial of sorts. You take it with however much salt you want... and I guarantee I'm going to get a bunch of foul-mouthed ACs (and maybe even non-anonymous cowards) calling me all sorts of variations of "liar". Whatever.

      I was an IBM security consultant for many years. I spent a lot of time working in the bowels of the security infrastructure of a lot of big companies, and even some governmental organizations -- including some military organizations. I was also a security policeman in the US Air Force in a previous life (long story), so I have a pretty solid grounding in physical security, not just infosec. One of my degrees is in mathematics, and I was fascinated with cryptography from an early age, so much of my independent study during my degree was around crypto, and I continued my self-education and practical education afterward (which is how I ended up as a security consultant).

      My point? I know more than a little about security, and I've seen a lot of what passes for security in both government and industry, including in organizations that handle a lot of sensitive data and really should know how to secure it.

      Google is better at it than any of them. Head and shoulders.

      Perfect? No. Nothing is perfect. But Google has world-class security talent, a lot of it, and Google's engineers have always cared a lot about security... and are now angry as well.

      Anyway, take that for whatever you want, but it's my absolutely honest opinion. Google can do a hell of a lot to obstruct the NSA's illicit snooping, and intends to do everything feasible.

      (Disclaimer: I work for Google, but I don't speak for them and they don't speak for me.)

      • by ameline (771895)
        I'm very happy to hear that they aren't just encrypting cross DC links. I always suspected Google had world-class talent in this area -- I'm glad to have it confirmed. It's good that Google's security people are aware and upset about the tapping.
      • by hlavac (914630)
        The problem is not technical, it's legal. As long as there are the national security letters and secret courts ordering people to hand over keys and shut up about it there can be no security. All they have to do is extort one individual with access to the keys...
        • The problem is not technical, it's legal. As long as there are the national security letters and secret courts ordering people to hand over keys and shut up about it there can be no security. All they have to do is extort one individual with access to the keys...

          Have an offshore third party read all your mail before handing it to you and leak all the 'national security letters' before you even receive them.

      • by Anonymous Coward

        You may not be a liar but you are not in the loop. It's quite funny because even with your training and position you believe you were. I was a security specialist in my past life too. I can tell you that my closest co-workers, my managers, my manager's managers, the board of directors, people that had official clearance above me, knew nothing of what was being done behind the scenes. I worked directly with the CEO and that's all I will say about that. So while I believe there are people at Google that

      • by jdogalt (961241)

        My point? I know more than a little about security, and I've seen a lot of what passes for security in both government and industry, including in organizations that handle a lot of sensitive data and really should know how to secure it.

        Google is better at it than any of them. Head and shoulders.

        Perfect? No. Nothing is perfect. But Google has world-class security talent, a lot of it, and Google's engineers have always cared a lot about security... and are now angry as well.

        Anyway, take that for whatever you want, but it's my absolutely honest opinion. Google can do a hell of a lot to obstruct the NSA's illicit snooping, and intends to do everything feasible.

        (Disclaimer: I work for Google, but I don't speak for them and they don't speak for me.)

        The problem you aren't paying enough attention to is the relationship between "feasible" and "profitable". Real security could come about through Google leading the industry away from server-prohibition terms of service for residential ISPs. Or the recently modified "commercial-server-prohibited" terms. Once people en-masse are allowed to host their own data (and encryptedly replicate their friends), that will remove the real crux of the issue- An internet services architecture that is fundamentally fla

  • But there's a long way to go yet.

    • "I am not a perfect man and I will not be a perfect president." "I will wake up every day and work as hard as I can." "Refudiate, misunderestimate, wee-wee'd up..." "There's a long way to go yet." See what you did there?
  • Just another veil of secrecy, big company internals - The NSA++ sub-state in a state supposedly in cahoots with big companies - or the other way around.

    No one on the outside is getting the real story.
    The defense against anything is common: First total denial, then admit something and at the same time issue counter-info. What was it? Ah, it defends against terrorism, how many actual cases - 57 as one number came out. The number is not getting into many people's brains, the terrorism-defense does, world OK
  • No longer willing (Score:4, Insightful)

    by gmuslera (3436) on Saturday November 16, 2013 @06:32PM (#45445373) Homepage Journal
    Too bad secret laws exist to force you, even if you don't want, and to not say that you are doing it. And a lot could want anyway, as could be incentives to make it desirable (like obtained secrets of competitors, "friendly" judges and so on). In any case, American companies can't be trusted, and big enough ones from other countries in line with this (UK, Australia, Sweden, Israel, maybe whoever signs the TPP, etc) probably should be avoided too.
    • by swillden (191260)

      Too bad secret laws exist to force you, even if you don't want, and to not say that you are doing it.

      I don't think there's any evidence that companies can be forced to lie. They can be forced to keep quiet.

  • by JoeyRox (2711699) on Saturday November 16, 2013 @06:42PM (#45445407)
    The genie is out of the bottle. Users, particularly non-USA users, will never again trust American internet service providers. I expect far-reaching ramifications, the extent of which won't be fully known for a couple years.
    • by 0123456 (636235)

      I expect far-reaching ramifications, the extent of which won't be fully known for a couple years.

      More like a decade, I'd say. A lot of companies will be moving off US 'cloud' servers, but they won't be able to dump Windows and US computer hardware that fast.

      • ...and others will simply add yet another layer of encryption on top of whatever the cloud provider is already supposed to have. Any home/SB user can install Truecrypt and use that to encrypt all his Google and Dropbox storage. Yes, things will then be a little less convenient, but he will also sleep better, knowing that it will be more difficult for a three letter agency to frame him with something. As things are now, any three letter agency can upload child porn to anyone's online accounts and then ale
  • by Anonymous Coward on Saturday November 16, 2013 @06:44PM (#45445413)

    Mass surveillance and data collection is the business model at companies like Google and Yahoo. If their frustrations are genuine it is only that they are angry that their data is being taken without being properly paid for it.

    • by cffrost (885375)

      Mass surveillance and data collection is the business model at companies like Google and Yahoo. If their frustrations are genuine it is only that they are angry that their data is being taken without being properly paid for it.

      That's right; this discussion's headline probably should have read, "How Corporations Can Retain, Increase Profits Following Surveillance Revelations." Likewise, the summary's author spoke of "anger and resentment of the large tech companies" — perhaps within those companies (due to inadequate payment, as you mentioned) — the only emotional attribute of a corporation is insatiable greed, and like any other sociopathic entity, it will feign and project the illusion of whatever human attribute is

  • Dear Google, (Score:3, Insightful)

    by Mister Liberty (769145) on Saturday November 16, 2013 @06:45PM (#45445415)

    "If it looks like a duck, ..."
    "You probably know that one.

    "Please tell me, what is all this drive towards one account, no anonymity, all this cloud
    and data storage about?
    "You have been convicted of privacy transgressions before, although admittedly minor
    compared to the Nefarious Scumbag Assholes".
    "Please, Miss Google, get some clue that 'appearances are against you', as they say"
    "Why is it that I, a prolific and avid googler, have never seen on your sites, never once
    among the many times I pass by on a single day, any statement to the effect that you
    despise the NSA, that you will not commit my data to them, that ...",
    "well, you know what I mean (actually I suspect you know I'm mean)"

    "Dear Google, are you with me or against me".
    "Whatever happened to 'Do no evil'. Was that just a hollow PR ploy? An imperative
    to the 'other players' and something to pat yourself on the back with now and then?"

    "In fact Google --since you started it (the mentioning)-- how do you define evil?"
    "it would be nice to get your enlightened insights, preferably with a name under it".
    "Nothing personal -- just accountability, you know"
    "Thank you".

  • by cas2000 (148703) on Saturday November 16, 2013 @06:47PM (#45445429)

    or maybe their protests and hand-wringing and emphatically blogged thoughts are just business as usual - corporations routinely pay spin doctors to advise them on what to do and how to manipulate opinion whenever they get caught doing stuff they're not supposed to.

    to their way of thinking reality is nothing, perception is everything.

  • by Teun (17872) on Saturday November 16, 2013 @06:59PM (#45445485) Homepage
    Not only the big boys beef up their security, even Kubuntuforums.org has today enabled https access.

    Encrypting by the big players is significant, the data streams between their centers effectively mirrors all they have, from the POV of the government sanctioned goons it is about as good as you're going to get without the need to physically enter the server rooms.

    A small forum is obviously not using a secure connection to hide their data but instead it's meant to secure the login process.
    Yet it shows not only the big enterprises are able to improve security and especially the privacy of their users

    • I like your sig.
      Furthermore I suspect we're not too far apart.

      • by Teun (17872)
        The signature is mainly about commercial entities gathering data on us and then marketing it.

        I don't like what the NSA's of this world are doing, specifically on the scale it seems to happen, the apparent brassiness of it and the lack of political oversight.

        Because of the near total lack of US legislation on the subject I'm more mad and worried about the hidden marketing of my privacy by the commercial aggregators.
        What is not mentioned is often at least as dangerous as what is in the open, possibly m

        • Because of the near total lack of US legislation on the subject I'm more mad and worried about the hidden marketing of my privacy by the commercial aggregators.

          Regarding these Interwebs: think of how stupid the average Congressman is, and realize half of them are stupider than that. The average Congresscritter is about 59 years of age and favors belief in religious dogma over science. Don't confuse the proficiency with which the NSA et al peruse your privacy online with the legislative branch's collective ignorance of it. In another decade or two of turnover, our lawmakers will be better suited to legislate this 'newfangled' innovation.

    • by Slayer (6656)
      HTTPS is completely pointless when it comes to stopping spies. Even the Iranian government was able to snoop on gmail communications thanks to compromised root certificates [pastebin.com]. While the Iranians had to actually compromise a CA, the US could just coerce a US based CA into cooperating without anyone else ever hearing about it.
  • Appearances (Score:5, Insightful)

    by Tony Isaac (1301187) on Saturday November 16, 2013 @07:13PM (#45445547) Homepage

    The big tech companies want to appear to be unwilling to cooperate with spying. But what's to keep them from secretly cooperating all the same?

    • The big tech companies want to appear to be unwilling to cooperate with spying. But what's to keep them from secretly cooperating all the same?

      You. With fervent outrage, you vote with your wallet when you decide not to do business with a corporate lackey of the governmental spy agencies. Unlike the sovereign governments of the World, Google and Amazon cannot have your money without your permission.

      • by Entropius (188861)

        It's only because of a one-off event that people know who's been helping out the NSA. Can you count on future such events to tell you who should be trusted?

      • by Anonymous Coward

        OK, I'm fervently outraged. What force in the universe now causes Google to cry out that I have destroyed their beautiful wickedness as they melt? I don't pay google. Others pay google to spy on me. The NSA and Google are not buddies next door that I can introduce to the world of respectful and respectable social discourse. What now? A strongly worded letter perhaps? Maybe I should gnaw the carpet?

    • by swillden (191260)

      The big tech companies want to appear to be unwilling to cooperate with spying. But what's to keep them from secretly cooperating all the same?

      For one, the employees.

      • You mean, the employees that have been working there already, who have been cooperating with the spy agencies? I feel better already!

        • by swillden (191260)

          You mean, the employees that have been working there already, who have been cooperating with the spy agencies? I feel better already!

          They haven't been cooperating. Google has denied all cooperation, and none of Snowden's revelations have provided any evidence of cooperation.

  • Distrusted cloud services get abandoned, which costs them money, which costs their stock prices, which costs millions of middle Americans' stock value, which drives a stake of fear into the hearts of Congress.

    Let the money issue work *for* you.

    • I'd mod you up.
      But in my case, it would have been invalid, since out of /agreement/ to your view,
      as discernible from your post.
      (However, since that view is an ironic comment to the current state of affairs, I
      personally would want to claim a small dissent with the expression of the fact that
      'it doesn't have to be that way' (i.e. it's not a law of nature), with my mind going to
      what Noam Chomsky [now there's a personification of hope!] always says).

  • by Anonymous Coward on Saturday November 16, 2013 @07:55PM (#45445713)

    Microsoft helping NSA to hack your Windows [techrights.org]

    According to a new report from the corporate press (as corporate as it can get, being Bloomberg), Microsoft tells NSA staff about universal unpatched holes before they are addressed:

            Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

            Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

            Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government "an early start" on risk assessment and mitigation.

    Glyn Moody asked, "why would anyone ever trust Microsoft again...?"

    Frank Shaw is not a technical man. His job is to lie, e.g. about sales of Vista 8 (quite famously and most recently). He came from Waggener Edstrom, a lying and AstroTurfing company. The above should be read as follows: when new holes exist which permit remote hijacking the unaccountable, cracking-happy NSA is being notified. What can possibly go wrong now that we have proof that the NSA is cracking PCs abroad with impunity?

    Some of the back and forth is innocuous, such as Microsoft revealing ahead of time the nature of its exposed bugs (ostensibly providing the government with a back door into any system using a Microsoft OS, but since it's don't ask, don't tell, nobody really knows). However the bulk of the interaction is steeped in secrecy: "Most of the arrangements are so sensitive that only a handful of people in a company know of them, and they are sometimes brokered directly between chief executive officers and the heads of the U.S.'s major spy agencies, the people familiar with those programs said."

  • Which guys does he speak of? In the recently published article [washingtonpost.com], the subject diagram isn't clear on exactly what is going on. My reading of this is that the "SSL Added and removed here!" note with smiley face is pointing directly at the GFE (Google Front End) server, meaning that this activity is occurring on this server (group). Now, in my limited time as a sysadmin, I have yet to see how any outside party can gain ongoing access for such processes without the complicity of the admin. So, perhaps these Go

  • They seem to have caught on, but now the lesson needs to be made memorable.

  • by manu0601 (2221348) on Saturday November 16, 2013 @09:18PM (#45446085)
    TFA just says tech giants do not want to cooperate with NSA. No real news here. Save your time, skip that one.
  • Is there a remedy to surveillance that can stand up to that 5 dollar wrench called being detained indefinitely as a terrorist?

  • I think a lot of this is consumer attitudes.

    Look at how the SSN is used in the US. It's a great identifier as there is a direct 1:1 mapping between a person and their SSN.
    In the US almost everyone asks for it and they are normally given the number.


    In Canada (and I lived in both countries for a while) I think the privacy laws are tougher to protect the privacy of the citizens. Look at all the fighting the Canada privacy commission did with Facebook, or other examples of US based services encountering
  • A recent FOIA request by ProPublica for emails between NSA employees and employees of the National Geographic Channel over a time period that the TV station had aired a friendly documentary on the NSA resulted in the following response from the NSA (the supercomputing powerhouse): "There's no central method to search an email at this time with the way our records are set up, unfortunately.... [the system is] a little antiquated and archaic." A former employee of the department of labor statistics said that
  • I thought it's not a CPU penalty to encrypt EVERYTHING. I'm also looking at the ISPs out there like Cox, Comcast, AT&T, et al. From the demux at the customer premise to your switching and peering centers should ALL be encrypted. Every last bit of it. Let the NSA chew on that.
  • Too Dumb; Didn't Read

    Anything the industry does to try to hamper surveillance efforts, they can be told to stop doing by secret courts, and prohibited from even letting us know about it.

    The only thing the industry can do to hamper surveillance efforts is to spill all the beans, all the time, about all the national security requests. But that would result in a bunch of rich people going to jail. Let us not forget the lesson of Qwest [wikipedia.org].
