
Rackspace Response to PRISM - BikalpT
https://community.rackspace.com/general/f/34/p/791/1347#1347
======
callmeed
I was thinking about Rackspace and PRISM today (I spend > $10K/month at
Rackspace) ... and that thread about how all this could harm the startup
ecosystem.

If the Govt/NSA wanted access to certain metadata and a company refused (like
some claim Twitter did), what's to stop them from going to Amazon or Rackspace
and throwing their weight around to get access that way? Or, if that didn't
work, they could just keep going up the OSI layers (or tier 1 providers) until
they get the access they want OR can force it by threatening to disrupt
service.

My point is, even awesome companies like Rackspace are dependent on less-than-
awesome companies for some types of infrastructure.

~~~
zero_intp
_DING_ _DING_ _DING_ we have a winner.

Any company that doesn't comply and hand the data by API will have its links
scraped. Sure it's more costly. That's why they go through the arm twisting.

------
purephase
Probably one of the better responses that we've seen.

Regardless of my earlier posts, I'm actually inclined to believe these service
providers.

I'm curious, has anyone seen/heard anything from CAs? I imagine it would be
much easier to just create a split network route at the ISP layer and decrypt
all traffic.

Wouldn't be that crazy if you had all of the root keys.

~~~
jackowayed
Ugh, this keeps coming up. No amount of cooperation from Certificate
Authorities will enable _passive attacks_ on SSL.

All the CA does is cryptographically certify "this is the public key that the
Company (e.g. Google) gave me"; they never see the corresponding private key.

Cooperation from the CA might give the NSA their own certificates for Google,
which would allow for an _active_ man-in-the-middle attack. Certificate
pinning would defeat that, and doing that on the fly in the Internet at large
would be a serious undertaking.

But if they want to decrypt traffic passively and they don't know about
serious SSL vulnerabilities, they would have to have Google's private key. And
with Perfect Forward Secrecy, even that is not sufficient. (PFS requires an
active attack because the session key can only be determined if you're
actually one of the two doing the handshake, or you know how to factor very
large numbers.)
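
Added example (not part of the thread or any commenter's code): a toy Python model of the passive case described above, contrasting RSA key transport with an ephemeral Diffie-Hellman handshake when a recorded handshake is later opened with the server's long-term private key. All parameters and function names are constructed for illustration, and the textbook RSA and small primes are far too weak for real use.

```python
import hashlib
import secrets

# Constructed toy parameters (Mersenne primes); far too small for real use.
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's long-term private key
DH_P, DH_G = 2**127 - 1, 3                          # toy Diffie-Hellman group


def digest(value):
    """Hash an integer to an integer below RSA_N (stand-in for a signature hash)."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % RSA_N


def rsa_key_transport():
    """Client encrypts the session secret to the server's long-term RSA key."""
    secret = secrets.randbelow(RSA_N - 2) + 2
    return secret, {"encrypted_secret": pow(secret, RSA_E, RSA_N)}


def ephemeral_dh():
    """Throwaway DH keys on both sides; the RSA key only signs the server share."""
    a = secrets.randbelow(DH_P - 3) + 2  # client ephemeral, discarded afterwards
    b = secrets.randbelow(DH_P - 3) + 2  # server ephemeral, discarded afterwards
    client_share, server_share = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"client_share": client_share, "server_share": server_share,
            "signature": pow(digest(server_share), RSA_D, RSA_N)}
    session_key = pow(server_share, a, DH_P)
    assert session_key == pow(client_share, b, DH_P)  # both ends agree
    return session_key, wire


def signature_valid(wire):
    """Client-side check that the server share was signed by the certified key."""
    return pow(wire["signature"], RSA_E, RSA_N) == digest(wire["server_share"])


def decrypt_recording(wire, private_exponent):
    """Everything a passive recorder gets by applying a leaked long-term key."""
    return {pow(value, private_exponent, RSA_N) for value in wire.values()}


if __name__ == "__main__":
    secret, wire = rsa_key_transport()
    print("RSA transport, secret recovered:", secret in decrypt_recording(wire, RSA_D))
    key, wire = ephemeral_dh()
    print("Ephemeral DH, key recovered:", key in decrypt_recording(wire, RSA_D))
```

In the ephemeral handshake the long-term key appears only in the signature, so the recording contains nothing that key can decrypt into the session key.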

~~~
mentat
1) Generating certificates on the fly for arbitrary domains has been the usual
operating mode for transparent proxies for at least 8 years. 2) There have
been many public SSL vulnerabilities in the last year. To think that there
might be some non-public ones is not a stretch. 3) If anyone can factor very
large numbers, it is the NSA. The move to ECC for Suite B has been interpreted
to imply this may be becoming more feasible.

~~~
sneak
Large-scale active attacks on SSL are infeasible, as many applications (Chrome
included) support certificate pinning.

Furthermore, this would be easily reproducible evidence that they are actively
intercepting (and proxying) traffic. Never happen.

------
icambron
> A blanket warrant covering thousands of customers cannot possibly comply
> with the Fourth Amendment

How about a blanket FISA order?

~~~
mehmehshoe
I saw the word "blanket" and cringed as well.

------
makeshifthoop
Dmitry's followup at the bottom of the page is both insightful and indicative
of our nitpicking attitude to this. Is metadata covered under this? How about
their routing and network equipment's logs? At the same time, when do we stop
asking clarifying questions and arguing about the semantics of the message, a
process that might turn into legalese and then lawyers talking to each other?

~~~
femto
Strip away the accompanying material and the statement reduces to:

"We have never been served with a blanket warrant, or anything close to it,
that requires us to give data owned by multiple customers."

Those are the words that need to be examined for loopholes.

------
sneak
Note well that Rackspace offers primarily dedicated server services, which
would make it rather difficult for them to participate in PRISM as shown.
You'd tend to notice if someone rebooted your box and installed a service. :D

Nothing stopping NSA from splitting their transit fibers on the (3), Telia,
and Qwest sides though.

What's going to be really interesting is how PRISM integrates with AWS, once
some brave Amazon soul decides to self-immolate for our own intellectual
curiosity.

~~~
lightknight
Maybe you would, maybe you wouldn't.

See, that's part of the problem in terms of economic calculation when dealing
with a surveillance society -> since it's largely impossible to quantify the
amount of lost business due to various surveillance / justice actions, as the
methods and individual events in which such actions took place may never see
the light of day, a society could be going bankrupt due to an overly large
security division, and never know it.

Let's consider a real-life plausible scenario: a DEA agent gets a tip from a
questionable source about a large shipment of Molly coming in tonight on the
docks (cliche, but let's roll with it). The information isn't good enough to
get a warrant, but the DEA hasn't had a bust in a while, and the agents are
being pressured to find something to justify their jobs. This DEA agent
figures that it wouldn't hurt to have a look around (nothing illegal there,
right?), and spotting nothing immediately out on the docks, begins to think
that it's a bust. The agent notices that an upper window is open on one of the
warehouses, and that there are voices being heard within; it would take a
little effort, shimmying up the side, but the agent could peek through the
window (questionable)...and maybe even climb inside if the agent sees
something. The agent climbs up, and hears rising voices from within. Not
seeing anyone, the agent climbs in.

The agent, walking on top of some crates, sees the owners of the voices, and
after listening for several moments, realizes that it's just a typical
worker's spat. The agent goes to leave, not seeing anything of interest...but
as the agent moves, one of the crates topples, pushing the one in front of it,
and so on in a domino fashion. The agent manages to leave undiscovered, but
not before $30 million in Lowe's Italian Chandeliers are dropped three stories
onto a hard concrete floor.

The workers will be blamed for not stacking the crates correctly, and the
owner of the warehouse cited. The insurance company will, of course, cover the
costs of the damaged merchandise. However, the cost to society, for this
overstep, was more than a minor civil rights violation...it was more than
those workers make in a decade, possibly their lives.

And that's kind of at the heart of these infringements...when the intelligence
agencies screw up, when the police screw up, it's not like they're shouldered
with that debt; it's charged to society as the cost of doing business...no
different from what the bankers did recently when they 'privatized the gains,
and socialized the losses.'

~~~
coolj
I can't really tell if I agree with you or not, but that was a hell of a
story. I feel like I just watched an episode of Magnum P.I.

------
SeanDav
They don't address Government back doors into their routers as a result of
CALEA etc.

See:
[http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/conf...](http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/lawful_intercept/76LIch2.html)

and:
[http://en.wikipedia.org/wiki/Communications_Assistance_for_L...](http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act)

------
leoc
From the point of view of any non-resident alien who has US cloud data, this
is a _very_ ponderable answer. We know what the Fourth Amendment says. The
problem is that apparently (IANAL!) the US courts are upholding the idea that
_the Fourth Amendment does not apply to the US-based cloud data of non-US-
resident non-US-citizens_. I've heard a couple of people suggesting that this
interpretation is based on the idea of border search, but that's neither here
nor there: the upshot is that, unlike for example the US property of non-US-
resident non-US-citizens, which is protected by the Takings Clause, the US
cloud data of non-resident aliens seems to have no Constitutional protection.
This seems to be the Constitutional foundation of FISA
[http://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg178...](http://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg1783.pdf)
702
[http://www.govtrack.us/congress/bills/110/hr6304/text](http://www.govtrack.us/congress/bills/110/hr6304/text)
, the law which allows the NSA to get Foreign Intelligence Surveillance Orders
against non-resident aliens. _Absolutely the only thing_ the government has to
prove to the FISC court to get one of these orders is that the targets are
(more likely than not!) non-resident aliens. No probable cause, no standard of
suspicion for anything: the government doesn't even have to state its
motivation. And the "Notwithstanding any other provision of law" language in
702 seems to sweep away any other statute law you (or Rackspace etc.) might
want to use against the order. (Again IANAL.)

So how are we to interpret

"Based on our interpretation of the Fourth Amendment and ECPA, we are of the
view that Rackspace is prohibited from accessing and turning over customer
data stored on a customer’s server or other storage device in a U.S. data
center without a properly issued, lawful request ( e.g. search warrants, court
orders, Foreign Intelligence Surveillance Orders) from a U.S. court with
appropriate jurisdiction over Rackspace and the data sought."

? Coming right after the recitation of the Fourth Amendment, this gives the
impression that Rackspace will only hand out your data in response to a
warrant (or warrant-like-thing) that demonstrates probable cause. But in fact,
when the customer is a non-resident alien, the order is a FISA 702 order, and
the court is the FISC, probable cause never comes into it: the US can
(completely properly and lawfully!) get such an order for no stated reason at
all. Imagine the following conversation in 1860:

Q: I hear that you have slaves on your Virginia cotton plantation. Is this
really true?

A: The Fifth Amendment to the US Constitution states that 'No person shall
[...] be deprived of life, liberty, or property, without due process of law'.
No-one is forcibly detained on this plantation except fully in accordance with
the law and the Fifth Amendment.

This answer seeks to suggest that the only prisoners on the plantation are
convicted criminals, which is false - the plantation is worked by slaves. But
in fact the answer is precisely true though devious: slaves have no rights
under the law, while the Fifth Amendment does not apply to slaves. I really
hope this isn't the correct way to interpret Rackspace's statement as well.

~~~
znowi
Maybe it's time to compile a list of alternative non-US cloud services? I
would be particularly interested in a non-US hosting company comparable to
Linode.

~~~
MattJ100
I use Bytemark, based in the UK. They have a cloud service in beta:
[http://bigv.io/](http://bigv.io/)

~~~
bgilroy26
Is the privacy outlook for the UK very good?

~~~
jwmc
Not especially.

[http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Pow...](http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000)

------
Zarathust
Their main defense is that they operate within the boundaries of the law,
which the Obama administration also claims. If they ever face a court order
telling them to hand over everything, as long as it follows law at face value
then their statement is true.

------
dmourati
SCOTUS says Fourth Amendment does not apply to third parties. Smith v.
Maryland - 442 U.S. 735 (1979). Third party doctrine.

~~~
gergles
Someone trots this horse out of the barn every time privacy issues come up.

I don't give a fuck what SCOTUS said in 1979. They could have gotten it wrong.
Their interpretation could disagree with a plain reading of the Constitution,
or they could have based their decision on inaccurate or incomplete data. Even
if neither of those things are true, times have changed; issues at hand are
wildly different than would ever have been conceivable in 1979.

Going "SHUT UP, SCOTUS DECIDED THIS ALREADY" does nothing for the discussion,
and it comes out every single time there's an ECPA or 4th Amendment thread.

~~~
dmourati
Whoa!

I responded to one point in the Rackspace response I thought was a bit off-
base, specifically that their general counsel thinks the fourth amendment
applies to them ... "Based on our interpretation of the Fourth Amendment ". It
does not.

You may not give a * about what the SCOTUS decided in 1979 but the SCOTUS
does, it is called legal precedent.

Times may have changed, but Smith v Maryland is still controlling law.

Please try to be more civil.

~~~
einhverfr
But it is still controlling law in the area of pen registers applied to single
individuals, right? Knotts raises some uncertainty as to whether dragnet
surveillance should be under the same rules, and at least 5 justices in Jones
v. United States clearly articulated that it was different for long-term,
widespread surveillance of this sort.

So I am questioning as to whether Smith controls _the Verizon order as it is._
I am not sure a simple "yes" is possible.

------
rachelbythebay
Rackspace? Look up the history regarding Indymedia in 2004.

~~~
Domenic_S
That was a weird situation. Italian government asks US government for "help"
with servers (well, logs) in a UK datacenter run by US-based Rackspace.

They'd still do it today, IMO:

> _we are of the view that Rackspace is prohibited from accessing and turning
> over customer data stored on a customer’s server or other storage device in
> a U.S. data center without a properly issued, lawful request ( e.g. search
> warrants, court orders, Foreign Intelligence Surveillance Orders)_

> _without a properly issued, lawful request_

> _lawful request_

When you write the laws, anything is lawful.

------
adinb
Are the intel services (DIA, CIA, NSA, NRO, etc...) considered actual LEAs?
Part of the issue here afaik is the collection of data for _intel_, not
actual LEA. Or else the FBI would be getting all this juicy NSA data to go
after actual criminals.

~~~
ihsw
Many USG agencies (Pentagon, NSA, Department of
Energy/Justice/Labour/Education, et al) have their own police services[1].

Their training and expertise ranges from glorified security guards to para-
military.

[1]
[http://en.wikipedia.org/wiki/Federal_law_enforcement_in_the_...](http://en.wikipedia.org/wiki/Federal_law_enforcement_in_the_United_States)

------
_pmf_
"We did not have an unconstitutional relationship with that authority."

------
vertis
I would very much like to have the same question answered by Amazon in regards
to AWS (maybe it has been already).

~~~
vertis
So I've opened support cases with both Amazon and Linode, the former will
probably get back to me in several days, but as usual Linode has already
replied.

---

vertis 29 minutes ago

I am an Australian (i.e. Non-US-Resident Non-US-Citizen). While I have
nothing of particular interest on my servers, the revelations of the last
week have concerned me for multiple reasons.

The Guardian story about the PRISM program suggests there is extensive
surveillance and interception of foreign citizens' data without a court order.
Do I need to move my servers to a provider that is based in a country that
respects my rights to not be surveilled?

lmatos 18 minutes ago

Hello,

As an American citizen, I completely understand. With that said, we have to
comply with all US law as we are a US based company.

If there is anything else that we can do to help, please do not hesitate to
ask.

Regards, Lee M

------
zero_intp
95/5 splitters.

Rackspace buys service from somewhere. Those fibers are suspect.

------
vertr
The thing most bothering me right now is the lack of meaningful response from
the companies that really matter: Google, Microsoft, Apple, and others. The
responses we do have seem to be downright lies.

~~~
sneak
These sorts of things are gag-ordered. It may be that the top brass doesn't
even know, for plausible deniability's sake, or that they've been told and now
immediately face federal felony charges if they tell anyone (spouses and PR
flacks included).

There was a fight (which was won) to get the gag-order provisions of PATRIOT
NSLs lifted, at least for speaking to one's own lawyer, which is a protected
right (spouses and coworkers are still out, tho). Who knows if those rights
extend to FISA orders, though we've seen how they interpret other
constitutionally protected rights.

It's not their fault that they don't want jail time. Blame your government.
Support courageous people like Snowden. Tell your friends.

------
madaxe
So, they don't do it like google etc. don't do it? Encrypt your disks. Only
allow https. Don't let their support anywhere near your kit.

Although then again they could stick a physical intercept in a box.

