In related news, DuckDuckGo has seen a huge spike in traffic (https://duckduckgo.com/traffic.html). Even if the NSA has probably circumvented DDG's privacy features, it's still worth using them for trying to preserve user privacy. And in my experience, DDG's search results have improved drastically, to the point that I very rarely have to resort to Google.
I wonder what Gabriel Weinberg would do if the NSA told him to hand over his SSL keys so they could view all his traffic. Would he shut down like Lavabit did? Would be interesting to get a statement out of him about this.
Have to give you more than an upvote here. This is an excellent point, and could be extended to many companies that are concerned with privacy. It would be great if their leaders made preemptive public statements on how they would handle that situation.
What we need is not someone who will shut down the server like Lavabit did, but someone who will refuse to hand over the keys and yet keep the service running. Someone who will fight. I get it, it's better to shutdown than to be evil and hand over the keys, but it's much better to fight.
You've got to draw the line somewhere, unless you're fine with the conclusion that you can't trust any form of computing technology (which leaves you powerless against mechanized systems of control).
It seems like we should be able to progress on this front, but I haven't seen much work towards it. Trustable computers are necessary but clearly not sufficient to push back against tyranny, which is why I (like everyone else) just assume my computing base is solid (or at least not infecting the software I'm writing), while working on software to help get us out of this VC-fueled "web 2.0" trap.
1) You can generally trust network equipment because there are many types of it, produced by many companies all over the world.
2) This means any backdoor in your computer that transmits information over the network would be trivial to detect and therefore useless for NSA et al.
With that in mind, the most dangerous backdoor that could feasibly exist is probably the one that subverts the RNG. Here is a discussion about a hypothetical backdoor in the hardware RNG built into new Intel CPUs: http://crypto.stackexchange.com/questions/9210/technical-fea...
There'd be plenty of ways to use existing network traffic as a side channel when you've tapped the network a few hops away (eg adjusting packet timings or sequence numbers). Also, a backdoor doesn't have to be active all the time (although that would hinder dragnet surveillance)
Much of DDG's privacy stems from not having any user data to store in the first place. While that can be circumvented to some extent, it's hard to do so without outwardly visible consequences.
I have tried DDG a bit for the last week, but unfortunately for me its results have been so much inferior to Google's that I had to give up on it. I hope it gets there.
I use DDG as my default, and when I'm not getting the results I know I could get with Google, I go to Google. It's usually pretty obvious. This way I support DDG, while not sacrificing my productivity (too much).
The judgment revealed that the NSA was collecting up to
56,000 wholly US internet communications per year in the
three years until the court intervened. Bates also
rebuked the agency for misrepresenting the true scope of
a major collection program for the third time in three
years.
This "judgement" showed they were only collecting 56,000 emails per year? Give me a break. Even if their system for collecting foreigners' emails was actually trying to only collect foreigners' emails, I would whole-heartedly expect them to nab more than 56k/year accidentally.
I think if you dig in, you'll find it's a few orders of magnitude higher.
My cynical take: 56,000 out of how many samples? This number is meaningless without context. I'd expect that an audit would be over a small sample of the total data collected.
I also wonder what the units are, because I don't know what they mean by a "communication". 56,000... packets? sessions? accounts? physical connections? edit: emails?
> I think if you dig in, you'll find it's a few orders of magnitude higher.
Based on what? If the goal is just to capture all the wholly domestic communication possible, why engage in this elaborate charade of procedures that are done in secret and not publicly visible anyway?
Occam says that they lied to the judge because even they would have a problem with it. Turns out, they were right. This is why they keep it so secret: they knew or suspected nobody else would allow them to do it they way they were.
"I’m not sure I can say this more clearly: we’re not in cahoots with the NSA and there’s is no government program that Google participates in that allows the kind of access that the media originally reported." - Drummond
One do wonder what NSA paid good money for if not for a government program which Google participated in.
The companies have hinted there is much more they would like to talk about, but aren't allowed to. It must be hugely frustrating for them to see headlines like this, and be saying "yes, but you are missing the really important facts which we know but aren't allowed to tell you!".
I wondered if the comments in those slides about these companies "joining the program" were meant to be an internal joke. In other words, this could be internal NSA jargon for "screwed up their security badly enough that we were then able to wholesale intercept data going between their servers".
These latest revelations would seem to imply that no, it's not an internal joke.
I guess I don't feel too much sympathy for their frustrations. These are billion-dollar companies, the real behemoths of our age. If they leaned on Senators the NSA program would go away but they don't. They play ball and we're all the worse off for it.
Yes. Even better would be statements like Wyden and Udall have made. They should say something like:
"We won't lie to you, but we think this information should be public and if you knew what we know, then you'd be writing and calling your representative urging them to allow us to talk about it."
They could go even farther by passing judgement with the addition "... because what is being done in the name of the average citizen presents an existential threat to democracy and the betterment of a free and open society."
This why I'm not comfortable with the idea of companies getting paid for this, and actually being profitable for them to do it. If it wasn't sustainable for a company to give so much data to the NSA, they would protest a lot louder about it. Remember how hard Google fought against SOPA, because SOPA would've been very unsustainable for them, and it would've even put Youtube in danger of being shut down.
Being paid, combined with them getting immunity for this sort of stuff just makes the companies a whole lot more complacent about it, and much more likely to agree to giving them all the data they need, knowing that almost nothing can happen to them,as long the process is kept secret - and they probably didn't worry too much about that, because secrecy is NSA's job.
Now, when are we going to create backlash against the ISP's and carriers for allowing NSA to scoop up most of the web's traffic? Almost nobody is mentioning them in these stories, even though they play an even bigger role than the companies listed in PRISM.
It costs money to respond to these requests. Should companies not be permitted to seek reimbursement for such things? Most courts have for a long time allowed companies not directly related to a lawsuit to bill for materials and effort to comply.
I think it's a mistake to target and blame private companies for that. Should they not comply with the demands, feds would make their lives very difficult. How about you just stop paying to the NSA? Oh wait, you can't, cos if you don't pay your taxes, you go to jail.
So if they're getting money directly from the NSA, it's hard for them to claim that they were in the dark as far as allowing the NSA direct access to their data.
Remember when Gmail got hacked by the Chinese? It was reported at the time that they were using the interface that Google had set up for the US government to get access to user emails. They don't need a warrant to view email headers or emails that are more than 6 months old.
Since 'direct' means 'without Google interaction'. It's a different scenario if the government just goes into your email and pulls your info, vs. if they request the info and Google has the ability to deny/verify validity of the request.
Is that what direct implies in this context? AFAIK it was never defined; i.e. having access to a bit-for-bit copy of their database wouldn't necessarily be 'direct'.
I bank at a small credit union. I very rarely have direct access to my own account. I regularly have to go through proxies and gateways via the ATM network. :)
i think there is a whole big unexplored story with the "black" ... err ..."Special Source Operations" money what NSA pays to Google/FB/etc... for their services in secret programs like PRISM - for example how the companies "launder" the money so they can be reported [to SEC, etc...] as part of the "white" revenue. Or may be this money not reported? Special secret exception in special secret GAAP/SEC rules? "excluding special one-time non-GAAP items and secret revenue from NSA our earnings is ..." :)
For example, government agencies buying "likes" from FB - seems like a perfect way to pay for PRISM participation using kosher looking transactions.
Interesting how they aren't focusing on the most important revelation in that story, which is that the NSA went to considerable effort and expense to fix the things that a FISA judge said were unconstitutional.
How in the hell is impeachment of POTUS for outright lying to the American people not under consideration? Is this not being considered because none of his statements were made under oath? If that is the case, I get the feeling that we should have a law somewhere that states that everything that POTUS or a White House spokesperson says is always said under oath with penalty of perjury for lying.
Once you've been elected to office, it should be perjury to lie to the citizens that have elected you.
Ixquick.com is another search engine which keeps no record of ip addresses and uses ssl. It also serves as a proxy so that you can view webpages through ixquick by clicking on a "proxy" link under each search result.
I'm torn. If I was running the company I would want to charge the NSA to try and discourage them from overusing the capabilities but I don't want it to become an appealing business for the companies.
I would assume no, especially since these companies are sworn to secrecy when they participate in these programs. Any equipment purchases would have to be offset by reimbursements from the NSA, such that they do not have those assets on the books.
It is probably more along the lines of paying directly the contractors to build out the infra/supporting-infra for these.
NSA requires gear in a rack, NSA pays some defense contractor-integrator to show-up and install the gear. Pays for whatever telco to install a new demarc etc.
The company just needs to point to the locations and provide badge access to spaces etc.
I am kind of keen to see numbers on the negative impact this program has had on the (American) cloud and Internet industry. I know a handful of companies in Europe and Asia who moved away from Google and Rackspace lately and set-up/revived their own machines.
My best guess is that the monetary loss due to this whole forceful invasion of privacy would be in order of billions (I am just guessing here; would be great if someone could point me to a thoroughly researched number though). This cost is apart from the bazillion sunk money that the US/UK Government put in to get hold data from the trunk, set up data center of NSA etc. All to just get hold of less than 50 so-called potential murderers (Avoiding the T-word!).
Looking at the cost of the whole thing and the stupidity of the presented picture, I think purpose of PRISM is already lot more than just curbing terrorism.
I build and deploy openstack private/public clouds and our business is booming.
Personally, I think the important lesson here is to see that the barrier to entry to deploy your own cloud, of any size, is extremely low at this point.
Personally, this has galvanized me to figure out a way to help people deploy their own, secure, micro-cloud stacks with the ability to deploy your own services. I'd love to chat with HNers about this - as I believe there is a whole new market, industry opening up at this point; Fractalization of the web.
> ... the barrier to entry to deploy your own cloud, of any size, is extremely low at this point.
> as I believe there is a whole new market, industry opening up at this point; Fractalization of the web.
Totally agree. And it could be state-of-the-art, methinks! I'd say decentralization is of extreme importance and also a way for people to converse with static/dynamic IPs (lol).
What stack do you recommend to say a bootstrapping startup of say less than 10 people?
The number of people in your organization is irrelevant, but rather what services you're looking for.
Clearly, any organization can leverage AWS and any number of other cloud providers.
But - if you want to build your own cloud, then I do recommend OpenStack. I also recommend that you bring external consulting to get you launched quickly where your dev-ops folks can get familiar.
go to fuel.mirantis.com to see how to get a tool that allows you to very quickly and easily put up a stack.
I think the impact will be bigger in the long term, I myself, as a brasilian, atheist, bit fair skinned, know I'm probably not a 'target'(although the left-leaning probably makes me a potential, cause I'm not sheep), but it still doesn't feel right that my data and privacy is free-to-snoop because it violates rights I have here, I had this right since birth according to my constituition and this is a fact. It is absolutely and completely indecent, it doesn't matter any analogies made like 'intelligence have always done this in every country', this is just distorting and repositioning and obviously The Internet is a whole different thing and should be treated as such, no explanation or justification will make this right ever.
I've not moved out of a lot of services YET, but people around the world are certainly moving their sticks to provide options, it's now also a market, not just idealism, political positioning.. they'll arrive and I'll certainly and happily go, and maybe try taking the opportunity myself, why not? Think of a good leader, he's respected and followed because people trust him, trust him to that position, but it's a fragile thing and after it's broken, it's broken. There's a vacuum.. and naturally it's got to be filled
