
U.S. National Security Agencies Said to Swap Data With Thousands of Firms - cinquemb
http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html
======
x0x0
Holy shit.

    
    
       Microsoft Corp. (MSFT), the world’s largest software company, provides 
       intelligence agencies with information about bugs in its popular software 
       before it publicly releases a fix, according to two people familiar with the 
       process. That information can be used to protect government computers and to 
       access the computers of terrorists or military foes.
    

Microsoft gives US military hackers and the NSA zero days to go hack people
with.

I think this helps explain Google's 7-day disclosure. Also, _fuck microsoft_.
Running your mouth and trying to blackball people who don't give you 60 days
while (presumably selling) those exploits to governments? Just amazing.

Edit: here [1] is discussion of Tavis Ormandy / Google's new 7 day policy. I
really wonder if this was partially driven by eg Microsoft's abhorrent
behavior.

[1] http://www.theverge.com/2013/5/30/4379004/google-to-make-critical-zero-day-exploits-public-after-7-days

~~~
ankitml
Governments of every other country should shit in their pants after reading
this. Stop using MSFT OS at this very moment.

~~~
waterlesscloud
I can't believe there's a government anywhere in the world surprised by this
news.

~~~
ihsw
There's a difference between baseless speculation and justified paranoia.

------
gasull
I tried to submit this hours ago but nobody upvoted:

[https://en.wikipedia.org/wiki/Main_Core](https://en.wikipedia.org/wiki/Main_Core)

 _" As of 2008 there were reportedly eight million Americans listed in the
database as possible threats, often for trivial reasons, whom the government
may choose to track, question, or detain in a time of crisis."_

We are more than halfway in the road to serfdom and tyranny.

EDIT: Resubmitted now as "http" -
[https://news.ycombinator.com/item?id=5878571](https://news.ycombinator.com/item?id=5878571)

~~~
jlgreco
2.5% of the entire US population. Jesus christ...

~~~
stackedmidgets
I'll be sorely disappointed in myself if I'm not on the list.

------
lawnchair_larry
Well, there's the smoking gun for the reason behind CISPA. I'm sure tptacek
still won't admit he was wrong though.

~~~
yen223
What was tptacek wrong about?

~~~
eightyone
I'm not sure exactly what the parent comment is referring to, but here's one
instance.

tptacek: "Someone on Twitter (sorry) said that Google and Facebook "looked
like angels" compared to Verizon. That sounds about right to me, too."

[https://news.ycombinator.com/item?id=5876734](https://news.ycombinator.com/item?id=5876734)

------
dmschulman
"AT&T, Verizon

Before they agreed to install the system on their networks, some of the five
major Internet companies -- AT&T Inc. (T), Verizon Communications Inc. (VZ),
Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink
Inc. (CTL) -- asked for guarantees that they wouldn’t be held liable under
U.S. wiretap laws. Those companies that asked received a letter signed by the
U.S. attorney general indicating such exposure didn’t meet the legal
definition of a wiretap and granting them immunity from civil lawsuits, the
person said."

This will make the ACLU's lawsuit 1000% more interesting as a legal battle.

Verizon doesn't just sit around and think to themselves "hey, if we're going
to work with the NSA we should do some CYA". They have entire legions of smart
lawyers who mulled this whole NSA business over (substantially I hope) and
came to the conclusion that "this is most certainly a violation of the law and
we need complete documented assurance from the government that our actions can
never be prosecuted in court".

And they got it. But will it hold up?

~~~
a3n
I don't understand how the executive branch can guaranty immunity from civil
action in the judicial branch.

~~~
dragonwriter
> I don't understand how the executive branch can guaranty immunity from civil
> action in the judicial branch.

The letters from the AG are protection from criminal action, and probably
_government_ civil action, that extend beyond the term of the administration
issuing them (wiretap laws have criminal as well as civil provisions, and
there are cases where the government can bring civil prosecutions.) For
criminal laws, ignorance of the law is not a defense, but reasonable reliance
on an interpretation provided by the public authority responsible for
enforcing the law usually _is_ a defense. For civil actions, reliance on the
representation of the party _bringing_ the action likewise can be a defense.

For civil action by a third party, unless there is a specific provision that
makes this a defense for the particular offense at issue (which there may be,
but I'm not aware of one), I don't think this would be particularly useful
under any generally applicable principle.

~~~
a3n
Thanks for the breakdown.

------
23david
`Committing officer`? wtf is this? Subpoena these guys. They have immunity, so
why not make them talk?

    
    
      If necessary, a company executive, known as a “committing officer,” is given 
      documents that guarantee immunity from civil actions resulting from the 
      transfer of data. The companies are provided with regular updates, which may 
      include the broad parameters of how that information is used.

------
femto
How much of a role did the requirement for complete secrecy play in this
scenario? Secrecy means the recipients of such orders were isolated, thinking
they were by themselves in this. Such a person will be much less likely to
disobey orders.

Now that the dam has sprung a leak, and the full extent is becoming evident,
people will begin to realise that they are not alone, and it is safe to talk.
There is safety in numbers. One gets the feeling that the whole scheme is
unravelling, and this is the trickle before the dam bursts.

I'm looking forward to it.

------
jeremyflores
> While companies are offered powerful inducements to cooperate with U.S.
> intelligence, many executives are motivated by patriotism or a sense they
> are defending national security, the people familiar with the trusted
> partner programs said.

Their fervent patriotism certainly didn't stop them from demanding immunity as
a prerequisite.

~~~
narag
Patriotism. Yeah, sure.

This article runs terribly short on the other half of the question: what did
companies _really_ get in exchange?

Call me a cynic, but I can't believe it was just the fuzzy warm feeling of
being a patriot.

~~~
xradionut
Considering all the tax sheltering that the corporations engage in and the
government doesn't aggressively pursue, I think they already get great
financial breaks.

(My contacts at IRS said they are warned to avoid "poking" into certain
institutions' actions without highest authorization. So they go after the small
fry and leave the big fish alone. Fucking game of life is rigged.)

------
mindcrime
Wow, this scandal just keeps getting bigger and bigger. Good to see some light
finally being shined into what had been darkness. A free and open society,
based on classical liberal / Enlightenment ideals of individual freedom, is
NOT compatible with secret governments, secret laws, secret courts, mass
surveillance of the public and all of the things the US government is doing.
Now we know, and now - if the people have any spine or backbone left - we can
force some change.

------
Fuxy
Am I supposed to believe all the companies participated in the program just
out of the goodness of their hearts?

Yeah right... Anybody want to dig deeper see what they got for participating?

~~~
rjd
Should be self explanatory. What would companies in say the manufacturing
industry want? ... access to sensitive foreign competitors data stored on the
cloud.

Industrial espionage plain and simple. It's in the interest of both the US
government (to increase domestic economic activity) and said business to share
this information.

------
gasull
This keeps getting worse.

~~~
samstave
Baffle them with bullshit or dazzle them with details.

I think we are against an effort to tranquilize us with tyranny!

Where we are just overwhelmed with outrageous actions such as to desensitize
us to the fact that _"well, holy shit, this is so pervasive and so
entrenched, what is there to be done? I mean, my life was great for the last
three years and this has been going on, at such great lengths, for so many
years -- how bad can it be??"_

This is a test as to how much we will take. They want action - they want an
excuse to really show us what debt slaves we are.

------
riskable
To me, this is the scariest part though not that surprising:

    
    
        "That metadata includes which version of the operating system, browser and
        Java software are being used on millions of devices around the world,
        information that U.S. spy agencies could use to infiltrate those computers
        or phones and spy on their users."
    

A database that contains the specific versions of installed software for
millions of computers world-wide is a very powerful tool. For any given target
--if their machine is in the database--compromising their system is a trivial
matter! It's a "what exploit would you like to use today?" situation.

Assuming they gather this information from Internet backbones--I'm OK with
that. Good for them for skimming data off the _public_ Internet and shame on
the software that makes it too easy.

On the other hand, if they're obtaining this data from the likes of Microsoft
(or McAfee or any other incredibly popular vendor with an item in everyone's
systray) that is an _incredibly scary_ proposition. No target stands a
snowball's chance in hell at not being (trivially) compromised. It's one of
those situations where, "you'd better not use _that_ company's products!"

I can't even imagine the sheer destruction that could occur if such
information fell into the wrong hands. Imagine if some "fuck the world"
anarchist hacker got his hands on a database that contained precisely the
information he needed to, say, compromise (and just plain erase; 'rm -rf *')
just about every banking computer that happened to be listed. It would be
like, ARMAGEDDON.

------
enoch-root
> If necessary, a company executive, known as a “committing officer,” is given
> documents that guarantee immunity from civil actions resulting from the
> transfer of data.

Letters of marque
([https://en.wikipedia.org/wiki/Letter_of_marque](https://en.wikipedia.org/wiki/Letter_of_marque))
of our day

------
makomk
Well I guess that explains stuff like this:
http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/

------
ig1
While it makes sense for US carriers to want immunity from civil lawsuit, I'm
not sure that would make sense for Google, Microsoft, et al - as obviously any
US guarantee wouldn't protect them from civil lawsuits in other countries such
as EU ones which have much stronger laws around data protection.

------
Mordor
Well, they could give data 'personhood' such that it's an individual in the
eyes of the law and covered by the US constitution. No more changes required,
except that the NSA would grind to a halt on all of these programs.

------
ivabz
This is holy shit of everything on this planet!

------
diminoten
Wait, can someone explain to me what's so bad about this? I'm a security
company and I go from company to company, trying to patch up holes in their
systems. I'm basically a network plumber/exterminator. Sounds like the NSA is
just telling me what the bugs and leaky pipes look like so I can fix them in
companies around the world.

What's so bad about that?

------
gesman
"Show me yours and I'll show you mine".

(For big boys)

------
bokchoi
What ever happened to Einstein 1 and 2?

------
o0-0o
-= YOU =- Hi, my name is __________ . I would like a [loan, voter registration, health care check up, et al]

-= THEM =- Ok, ________ . Did you live @ ___________ in _ _ _ _ ? Did you ever have an account at ________ ?

Where do you think they get the info. Connect the dots.

~~~
rgbrenner
That info comes from credit reporting agencies (TransUnion, Experian,
Equifax)

~~~
xradionut
And other systems. Amazing how much demographic data is available to third
parties alone. Spend some time with a skip tracer or good bail bonds person
and you realize how easy it is to get almost any data of significance on an
individual.

