
Yahoo wins motion to declassify court documents in PRISM case - falk
http://news.cnet.com/8301-1023_3-57593871-93/yahoo-wins-motion-to-declassify-court-documents-in-prism-case/
======
pvnick
I'm switching back to Firefox and exploring Yahoo equivalents to google
products? Hell must be getting pretty cold right about now.

~~~
csoghoian
Yahoo still doesn't use HTTPS by default, for email or search.

Not using HTTPS is a huge, gift-wrapped present to the NSA. It also means that
the NSA can get Yahoo users' communications without even having to bother
Yahoo, as they can get it with the assistance of backbone networks. Lower
legal compliance costs for Yahoo, and the NSA gets what they need.

Seriously, Yahoo is awful on privacy and security. Don't reward them with your
business.

~~~
enko
Hm, I think the HTTPS thing is overblown for sites that are hosted in the US.
Almost no large sites do HTTPS termination on the actual app servers; it would
be the simplest thing in the world to put the collection device behind the
HTTPS endpoint.

Why bother trying to piece together data flows over a bunch of disparate
backbone networks when you can just hook up a collector at the wellspring? I'm
sure they'd be delighted to be able to tick off that whole company as "done",
and set the Verizon taps etc. to ignore anything to them, secure in the
knowledge they were getting it all elsewhere.

~~~
mjolk
You're thinking about it incorrectly. While termination at a load balancer is
common, at least then you're in the company's network by the time your data is
being transmitted in the clear.

It's far different for traffic to be plaintext from a load balancer backend,
switch, to server interface than over X number of hops.

~~~
enko
> you're in the company's network

Yes, of course. What's incorrect?

I'm just saying that if you have unlimited ability to make secret tapping
demands from whoever you want, you might as well make it easy for yourself and
just go straight to the source.

~~~
mjolk
>you might as well make it easy for yourself and just go straight to the
source.

I feel as if I'm not fully understanding you. Are you saying that because you
expect your traffic to be read by a government agency, you might as well let
any/everyone see your data?

~~~
enko
Sorry. I am evidently not explaining myself well.

I am saying that people seem to be putting a lot of trust into HTTPS to shield
them from NSA monitoring. If I was the NSA, and could just tap whatever I
wanted, I'd obviously set up my tap on the _other side_ of the encrypted
tunnel.

And let's not exaggerate. Only a very few organisations would have any ability
to read your data even if sent unencrypted, barring of course wifi. It's
simply not true that "any/everyone" can see your data if you're on a private
LAN at home.

That being said, of course I prefer HTTPS. I just have no illusions that it's
going to stop someone who can just waltz into the DC holding an NSL. There's
no security from someone with physical access to the network.

~~~
s_q_b
I think NSA is cognizant of the fact that they could lose the FISA
authorization to collect from endpoints at the internet services sometime
soon, while they're more likely to retain access to the backbones.

It's bass ackward, since access to the trunk lines lets you read everything.
However, most people don't understand what internet backbones are. They do
know what PRISM, Facebook, Yahoo, and Google are.

As such, I can see HTTPS providing some limited security from dragnet
surveillance, but it certainly wouldn't help if you caught their attention.
Remember, NSA can straight up break weak encryption, and SSL/TLS is probably
in that category.

~~~
voltagex_
I think the ability to break SSL would be a major trump card that wouldn't be
shown that easily - can you cite any sources?

~~~
s_q_b
First, FBI cracked 512-bit disk encryption in a recent case, seemingly with
NSA help, so it seems they've got some pretty powerful brute forcing
capabilities. SSL is generally only 256-bit.
[http://www.fiercecio.com/techwatch/story/fbi-cracks-encrypted-hard-disk-mere-weeks/2013-05-31](http://www.fiercecio.com/techwatch/story/fbi-cracks-encrypted-hard-disk-mere-weeks/2013-05-31)

Second, since some sites don't use Diffie Hellman key exchange (which provides
for perfect forward secrecy), they don't even need to work that hard. They can
just grab the keys in transit.

Third, with a MITM attack, you can just drop in a box that makes SSL
connections on both ends transparently. Therefore neither endpoint knows the
encryption is being routed through a third malicious point. See e.g.
[http://www.zdnet.com/how-the-nsa-and-your-boss-can-intercept-and-break-ssl-7000016573/](http://www.zdnet.com/how-the-nsa-and-your-boss-can-intercept-and-break-ssl-7000016573/)

None of this proves definitively that the NSA can do this, but it does mean
that if you have something to hide you'd be foolish to rely purely upon SSL.

~~~
enko
Some very doubtful assertions here.

> FBI cracked 512-bit disk encryption in a recent case

Very hard to believe that they brute-forced 512-bit AES. More likely they
guessed, or otherwise located, the key, or found some implementation flaw in
the software/device.

> don't even need to work that hard. They can just grab the keys in transit.

If and only if they have the private key. Which, I concede, they may well be
able to get.

> Third, with a MITM attack, you can just drop in a box that makes SSL
> connections on both ends transparently

No you can not, not without installing a cert on every single user's machine.
This would have been noticed if it was going on.

I admit that now I think about it, putting taps on DC data connections and
simply requiring sites or the DC to provide any and all private keys would be
substantially less invasive/visible than actually putting taps into the
building, and with basically the same effectiveness (except for the PFS
thing).
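
The distinction enko and s_q_b are circling (a recorded session can be decrypted later only if the key exchange transported the secret under the server's long-term key; with ephemeral Diffie-Hellman the long-term key never protects the session secret) is easier to see in code. The following is an added, constructed Python model and is not code from this thread or from any company named in it; the RSA and DH parameters are toy sizes chosen so it runs instantly, and `derive_key` stands in for the real TLS key schedule.

```python
"""Toy model of forward secrecy: RSA key transport versus ephemeral DH.
Constructed example; the parameters are deliberately tiny and unsafe."""
import hashlib
import secrets

# --- Toy RSA long-term server key (constructed; real keys are >= 2048 bits) ---
P, Q = 104729, 1299709            # two small primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

# --- Toy Diffie-Hellman group (constructed; real TLS uses large groups
#     or elliptic curves) ---
DH_P = 2**61 - 1                  # a Mersenne prime
DH_G = 2


def derive_key(secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_key_exchange() -> dict:
    """RSA key transport: the client picks the premaster secret and sends it
    encrypted under the server's long-term public key. Returns what a passive
    recorder sees on the wire plus the keys each side derived (for checking)."""
    premaster = secrets.randbelow(N - 2) + 2
    ciphertext = pow(premaster, E, N)            # crosses the wire
    server_premaster = pow(ciphertext, D, N)     # server decrypts with D
    return {
        "kind": "rsa",
        "wire": {"ciphertext": ciphertext},
        "client_key": derive_key(premaster),
        "server_key": derive_key(server_premaster),
    }


def dh_key_exchange() -> dict:
    """Ephemeral DH: each side picks a fresh exponent; only g^a and g^b cross
    the wire. In real TLS the long-term key merely signs these values (signing
    omitted here); it never encrypts the session secret."""
    a = secrets.randbelow(DH_P - 2) + 2
    b = secrets.randbelow(DH_P - 2) + 2
    g_a = pow(DH_G, a, DH_P)
    g_b = pow(DH_G, b, DH_P)
    return {
        "kind": "dhe",
        "wire": {"g_a": g_a, "g_b": g_b},
        "client_key": derive_key(pow(g_b, a, DH_P)),
        "server_key": derive_key(pow(g_a, b, DH_P)),
    }


def recover_with_stored_key(exchange: dict, private_exponent: int):
    """What someone who recorded the traffic and later obtained the server's
    long-term private key can derive. For RSA transport the recorded
    ciphertext decrypts directly to the session key. For DHE the private key
    says nothing about the ephemeral exponents, so nothing is recoverable
    from the capture alone; the model returns None to make that explicit."""
    if exchange["kind"] == "rsa":
        premaster = pow(exchange["wire"]["ciphertext"], private_exponent, N)
        return derive_key(premaster)
    return None


if __name__ == "__main__":
    for ex in (rsa_key_exchange(), dh_key_exchange()):
        recovered = recover_with_stored_key(ex, D)
        print(ex["kind"], "session key recoverable from capture + private key:",
              recovered == ex["client_key"])
```

Running the block prints `rsa ... True` and `dhe ... False`: the same retained private key turns an RSA-transport capture into plaintext but leaves a DHE capture opaque, which is the property the "(except for the PFS thing)" aside refers to.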

------
tomelders
It's good, but it's not US Constitution good. None of the companies involved
should obey the law in this matter, and they should adhere to their moral
responsibilities and reveal everything they know.

Plus, I doubt locking up the CEOs of the world's largest tech companies would
work out well for any government.

~~~
mratzloff
If they were arrested, they wouldn't be arrested for "failure to comply with
national security requirements" or whatever. They would more likely be
arrested for insider trading or something equally plausible.

~~~
adrr
Don't think the current administration would risk that; the Republican-controlled
House is looking for any shred of a scandal to have hearings, they are itching
to impeach Obama. More than likely you'll see the executive branch wouldn't do
any business (advertising etc.) with Yahoo and the military would do some knee-jerk
reaction like ban armed services personnel from viewing Yahoo properties,
similarly to what they did with the Guardian. It's easier and safer to cut the
money streams. Luckily for Yahoo it isn't much, unlike Microsoft or AT&T who
have more to lose in terms of government contracts.

------
rfctr
> "The Government shall conduct a declassification review of this Court's
> Memorandum Opinion of [Yahoo's case] and the legal briefs submitted by the
> parties to this Court," the ruling read.

What I don't get here: it was said many times that the FISA court only hears one
side, namely the government. Here though Yahoo seems to be named a party in the
Court. Have the rules changed? o_O

~~~
DannyBee
You have to understand that contrary to the single story the news presents,
the FISA court is actually responsible for hearing a bunch of types of things.

There are three categories, and I haven't read hard enough (and don't have time
to right now) to distinguish all the use cases.

You have 50 USC 1803, which is a one-sided deal currently (and what you hear
most about)

You also have 50 USC 1861f, which a party can challenge.

You also have 50 USC 1881a, which a party can challenge.

------
locusm
At least they stopped getting Chinese dissidents locked up
[http://en.wikipedia.org/wiki/Criticism_of_Yahoo](http://en.wikipedia.org/wiki/Criticism_of_Yahoo)!

~~~
rfctr
In USA Yahoo complies with US laws.

In China Yahoo complies with Chinese laws.

Dura lex sed lex.

~~~
Zigurd
All of these services could provide convenient key exchange, web-of-trust,
secure email and storage, and secure communications services with ephemeral
keys. They might have to charge money to do so, but they could all raise the
cost of surveillance by orders of magnitude, if not make it impractical, and
remain within US law. If they wanted to.

------
eastdakota
Working link: [http://news.cnet.com/8301-1023_3-57593871-93/yahoo-wins-motion-to-declassify-court-documents-in-prism-case/](http://news.cnet.com/8301-1023_3-57593871-93/yahoo-wins-motion-to-declassify-court-documents-in-prism-case/)

------
count
Hmm, it doesn't say they get to declassify, only that the classification must
be reviewed, and then the document published with any properly classified
information redacted.

Expect a letter of all black lines.

------
Groxx
Question:

> _Yahoo has previously denied the allegations regarding participation in the
> program, calling them "categorically false."_

That's what they say, but doesn't this just show that while they fought it,
they _did_ participate because they lost the fight?[1]

I'm not aiming to say "liar, liar, pants on fire" since they were probably
required to say that (if my reading is accurate). I'm just wondering if they
_were_ required to say that, as this is _nearly_ evidence of it, which would
cast even more doubt on the other companies' denials.

[1] [https://www.eff.org/deeplinks/2013/07/yahoo-fight-for-users-earns-company-special-recognition](https://www.eff.org/deeplinks/2013/07/yahoo-fight-for-users-earns-company-special-recognition) (thanks, cmwelsh!) in particular this quote:

> _Ultimately, the Court of Review ruled against Yahoo, upholding the
> constitutionality of the Protect America Act and ordering Yahoo to turn over
> the user data the government requested._

Though they can't say what was turned over.

~~~
haakon
> I'm not aiming to say "liar, liar, pants on fire" since they were probably
> required to say that

Can a court really order a person to lie, though?

~~~
mcguire
This particular court? Yes. It's required by the law.

~~~
declan
Except it isn't: [http://news.cnet.com/8301-13578_3-57589012-38/nsa-surveillance-retrospective-at-t-verizon-never-denied-it/](http://news.cnet.com/8301-13578_3-57589012-38/nsa-surveillance-retrospective-at-t-verizon-never-denied-it/)

------
motters
The leaked slide says that Yahoo was assimilated into PRISM on 3/12/2008. I
assume that must be some time after the secret court decision.

~~~
VladRussian2
>...Yahoo was assimilated into PRISM...

Resistance is futile.

Big box data center in the emptiness of the Utah desert where the online "you" -
your private photos and intimate chirps ...err ... tweets - will be stored for
posterity and peered over again and again by a lifeless Big Data program ... Not
of course that it hasn't been happening for the last 10 years in Mountain View
or in Palo Alto/Menlo Park :)

------
brymaster
Wow. First they lie and deny, now this.

What does this mean for Google and the others participating in the program?
I'd love to read some explanations from Page, Yonatan Zunger, Matt Cutts and
friends. These guys were swearing up and down that Google had no involvement.

~~~
myko
> I'd love to read some explanations from Page, Yonatan Zunger, Matt Cutts and
> friends. These guys were swearing up and down that Google had no
> involvement.

They swore they didn't allow the NSA to access their servers. All we know that
they do is comply with lawful requests for users data. There was no lying
involved.

~~~
brymaster
No, not quite.

> Google had no involvement in the PRISM program and the first we heard of it
> was when Greenwald's article hit the press. -Yonatan Zunger

I'd say that's a pretty big lie right there.

~~~
declan
Where's the lie? PRISM is the name of an NSA _software package_ used to
collate data the agency receives under a well-known section of the Foreign
Intelligence Surveillance Act.

But because of poor reporting and unintentional errors, the name of a software
program used to analyze data has become transmogrified into (1) a "government
program" that companies (2) "participate in" that gives the NSA (3) "direct
access" to their servers. Not one of those three assertions is true.

~~~
brymaster
You seem to be spinning it the same way the participating companies were.

~~~
declan
I reached these conclusions as a result of my own reporting:
[http://news.cnet.com/8301-13578_3-57593538-38/](http://news.cnet.com/8301-13578_3-57593538-38/)
[http://news.cnet.com/8301-13578_3-57588337-38/](http://news.cnet.com/8301-13578_3-57588337-38/)

I note you didn't actually allege I'm wrong. If you have evidence my
representations are incorrect -- and this is HN, after all -- kindly say so
directly.

~~~
brymaster
All three points you made seem to be irrelevant.

1) NSA is a government agency and PRISM is a blanket-term for the surveillance
state in effect by the US Government. There are many other programs and names.

2) These companies certainly do participate in them under order by the US
Government (FISA court).

3) The term "direct access" is quite silly to argue on since the NSA is
slurping up any data possible through as many means necessary.

So when Google, Yahoo, Apple, Facebook, etc said they didn't participate in
the program and NSA didn't have direct access, they were lying.

~~~
declan
An alternative explanation is, of course, that you haven't researched the
topic.

1) You are incorrect to say "PRISM is a blanket-term for the surveillance
state in effect by the US Government." You may wish to think it is, but
wishful thinking does not mean it's true. Accuracy matters.

2) The Internet companies do not "participate" in PRISM, which is a software
utility. That's like saying I "participate" in Excel or Chrome. They do turn
over data when compelled to through the Foreign Intelligence Surveillance Act
and other laws. If an ambulance following you turns on its lights to tell you
to pull over, you're compelled to do so -- it doesn't mean you're
"participating" in a medical emergency.

3) You're right that the NSA would like to slurp up data through as many means
as it can. That doesn't mean it is. Put another way, the fact that I would
like to have Bill Gates' bank account does not mean I actually do.

If you possess actual evidence that Internet companies "participate" in PRISM,
as opposed to being compelled by law and legal threats, and if you have
evidence that the NSA has "direct access" to the Internet companies' servers,
kindly share it. Otherwise I'm not sure what your point is, except to argue
for the sake of arguing.

~~~
brymaster
Ah, I get it. You're still riding this wave:
[https://plus.google.com/+EricSchmidt/posts/XfgQ1PXzM5g](https://plus.google.com/+EricSchmidt/posts/XfgQ1PXzM5g)

It's a non-denial denial and Eric Schmidt is the last person I'd trust to be
truthful on the matter. Deny doing something you weren't actually accused of
doing, but that sounds enough like it, so that you don't have to deny doing
the thing you actually did.

"Nope! Not Direct!"

SFTP, virtualized access, automated access - it's all the same but as long as
they can find something to deny, they'll run with it. Accuracy matters when
you need to spin the lie.

You're talking about arguing for the sake of arguing but that's exactly what
you're doing. You can play cheerleader and spin the lies the PR masters put
out and I'll continue to read the leaked documents for the truth.

~~~
declan
If you somehow claim that doing independent reporting (and reaching
independent conclusions) is "spinning," then my attempts at having a
reasonable conversation are futile. I will note, once again, that you haven't
refuted a single claim I made about the three main errors in reporting on this
topic.

~~~
brymaster
I will note, once again, I already did but you're choosing to ignore them
since you can't seem to shake away from the "direct access" fallacy because
Schmidt told you otherwise.

------
mindslight
So wait, if PRISM is merely the process by which NSA et al request data on
individual suspects which are then reviewed and fulfilled with human
involvement (as the denials by Google etc purport)... why did Yahoo see fit to
challenge their involvement?

~~~
kllrnohj
Yahoo didn't challenge their involvement in PRISM according to these court
documents. They instead challenged FISA orders. PRISM is not mentioned
anywhere. The shitty CNET article is conflating the two, but they are not the
same.

So no, Yahoo has not contradicted themselves.

------
perlpimp
.. "redacts any properly classified information" ..

Who gets to decide what is properly classified information? They can redact
the document in such a way that it carries only vacuous material and thus
passive-aggressively refuse even if they are compelled.

------
Mordor
This proves nothing, since PRISM likely isn't the only program run by the NSA.

------
yaix
I'd love to switch to ymail, if it didn't suck so bad. I just read that Y!
will be /reassigning/ email addresses that have not been used (no login) for a
year.

------
michaelxia
yay!

yahoo, the internet giant whose products gather data from evuhreybaddy, is on
our side!

now all our problems are solved and we can sleep at night

oh wait...

~~~
cmwelsh
They must have been doing something right. They won commendation from the EFF
today for their longstanding secret fight against the United States
government.

[https://www.eff.org/deeplinks/2013/07/yahoo-fight-for-users-earns-company-special-recognition](https://www.eff.org/deeplinks/2013/07/yahoo-fight-for-users-earns-company-special-recognition)

------
_pmf_
So brave.

