

Google’s Real Secret Spy Program? Secure FTP - smaili
http://www.wired.com/threatlevel/2013/06/google-uses-secure-ftp-to-feds/

======
WestCoastJustin
ZDNet.com reported in 2010 [1] (and others [2]), that when Google was hacked
via suspected Chinese hackers, that their "_internal spy system was the
target_".

_...they [hackers] apparently were able to access a system used to help
Google comply with search warrants by providing data on Google users, said a
source familiar with the situation, who spoke on condition of anonymity
because he was not authorized to speak with the press. "Right before
Christmas, it was, 'Holy s!@#, this malware is accessing the internal
intercept [systems],'" he said._

I guess this could be the system that Google uses to compile the data before
transmission, or something else, but nonetheless, it does raise questions.

[1] [http://www.zdnet.com/blog/foremski/googles-internal-spy-syst...](http://www.zdnet.com/blog/foremski/googles-internal-spy-system-was-chinese-hacker-target/1047)

[2] [http://www.informationweek.com/security/attacks/google-auror...](http://www.informationweek.com/security/attacks/google-aurora-hack-was-chinese-counteres/240155268)

~~~
rasterizer
I assume they need to know what data to send; the "system" might refer to the
database with FISA orders.

~~~
gwgarry
Or it could mean Google is lying or just trying to create rhetoric to confuse
the public to keep them from looking for alternatives to their search engine
and other services.

------
nikcub
Google continue to deny, rather than explicitly explain why their name is
mentioned as a partner in an internal NSA document.

A remaining explanation that matches all the known facts right now is that
PRISM is a data format or data standard. It makes the process more efficient
since it doesn't require the NSA to adapt disparate data sources from
different web companies.

One of the other slides mentions that this is a big problem for SIGINT at NSA.
PRISM being a data standard would also explain why the program only cost the
NSA $20M.

The difference between the tech companies participating in the program would
be how they implemented it - perhaps Google push the data to the NSA but it
sounds like other participants let the NSA pull the data (or they store it on
a third server which the NSA retrieves from - the lockbox).

Also, saying that the requests are 'legal' isn't reassuring, since a large
part of the recent NSA revelations is the world finding out just what the
Obama administration considers to be 'legal'.

Legal means nothing more than finding a government lawyer who will write an
opinion that blanket metadata requests or pulling or pushing data from
Facebook and Google is legal. The opinion is classified, the court arguments
are classified, there is only the government at the court and it is presented
to a judge who is appointed by the government.

Exact same thing happened with John Yoo and his legal opinion that the torture
the government was carrying out was legal[1]. When the rest of the world found
out just what the government considered legal, it very quickly became
_illegal_.

[1] [http://en.wikipedia.org/wiki/Torture_Memos](http://en.wikipedia.org/wiki/Torture_Memos)

~~~
McGlockenshire
> Google continue to deny, rather than explicitly explain why their name is
> mentioned as a partner in an internal NSA document.

Assuming that PRISM is the mechanism by which FISA requests are fulfilled,
they can't discuss FISA requests in the open without breaking the law.

------
betterunix
Ah, well, glad that is cleared up. "We _never_ give the government direct
access to our systems, nor do we have a server set up for them to obtain
copies. Instead, we just use _scp_ to send the data directly to the
government's systems! Trust us, we respect your privacy while we do this --
it's even encrypted!"

~~~
cromwellian
Google never said it doesn't send data on user accounts when proper legal
warrants are served, it publishes these facts in the yearly Transparency
Report.

What people were worried about, a "dragnet" that allows arbitrary access and
intercept of any user data by the NSA, turns out to be false.

Unless you think you can use SFTP to upload, in real time, all traffic on
Google services.

~~~
cracell
Google continuing to deny that there is a dragnet is not evidence that there
is no dragnet. If there was a dragnet it is very likely that they legally are
not allowed to admit it as per terms of the court order.

There's nothing Google could say or do to clear their name on this. The NSA,
Congress or the Executive branch need to detail the level of access and the
form of access that the NSA has to Google's information in order to clear
Google's name. Even that unfortunately has to be taken with a large grain of
salt.

There's simply too much information pointing towards mass surveillance with
assistance from US companies to believe what the companies themselves say.
This is a shitty position for Google to be in but consumers didn't put them in
it, the US government did by admitting to the PRISM slides being correct
without detailing how the companies mentioned on them are involved.

~~~
jmillikin

> If there was a dragnet it is very likely that they
> legally are not allowed to admit it as per terms of
> the court order.

In the US, gag orders may compel silence but to my knowledge may not compel
private citizens to claim they are not under a gag.

> The NSA, Congress or the Executive branch need to
> detail the level of access and the form of access
> that the NSA has to Google's information in order
> to clear Google's name.

Just to be clear: you believe that Google's press release is untrustworthy,
but you would trust an NSA press release about the extent of NSA surveillance?

~~~
cracell
An NSA release that is confirmed by another party such as Senator Wyden, Rand
Paul, ACLU or EFF.

Realistically I'm not sure what the NSA would share with anyone that could be
conclusive. But a logical explanation of how the NSA gets into data without
corporate cooperation and that explanation matching up with the timeline
presented on the one slide would be a great start.

For instance, you could argue that the PRISM timeline is simply showing once
the NSA had filters in place to identify and capture general internet traffic
headed to and from those specific companies. But this has a large hole in that
why would Google, a company whose search queries would be highly valued, come
so far after Microsoft on the timeline. So an explanation that addresses the
large questions like that.

As opposed to the current situation which is a credible leak that makes Google
look very bad, an executive branch that is defending the information in the
leak as being legal and Google flat out denying any involvement.

~~~
aniket_ray
I think you're conflating two different issues. The government was defending
intercepting emails and getting phone records. The government too never
claimed that they can access data from web companies.

------
tlrobinson
Providing descriptions of how they comply with these requests is a good start.

However, they should be even more specific. A skeptical person could say this
still leaves the door open to, say, a custom SFTP server that gives the NSA
access to any user data. I don't believe that's the case, but I think they
should provide more detailed procedures for exactly how they comply with these
requests.

e.g.

"The following procedure is the _only_ method by which we provide data to law
enforcement:

1. When we receive a request for user data from law enforcement, our legal
department thoroughly examines the request to ensure it's legitimate, not
overly broad, blah, blah, blah.

2. X person performs Y steps to extract the specifically requested data from
our data stores, with Z safeguards to assure no additional data is included.

3. The legal department reviews the extracted data to ensure it matches the
requested data, and only the requested data.

4. X person sends data to law enforcement agency using Y methods (i.e.
uploading data to a SFTP server account) and notifies the agency that the
request has been fulfilled."

~~~
drsim
This is what they're dancing around, instead releasing tidbits of info that
make it look as if it's not as bad.

Just because the transfer mechanism is SFTP doesn't matter. My supposition is
that PRISM is an auto-importer of these files: able to parse the data formats
from these companies and present it to agents in their database UI.

Prism: import.io for anyone's data?

------
bitwize
Look, you either install the special bugging equipment -- and deny that it was
ever installed -- or you find that you are suddenly guilty of wire fraud,
insider trading, tax evasion, or similar.

~~~
astrange
Your post is not obviously connected to anything that's happened in reality.
That is, you're just replying to Google's claim with "they're lying" but
giving no way to move the argument forward. How do you plan to test this?

~~~
crgt
Your parent post may be referring to what happened to the CEO of Qwest after
declining to support the surveillance state.

[https://en.wikipedia.org/wiki/Joseph_Nacchio](https://en.wikipedia.org/wiki/Joseph_Nacchio)

~~~
mpyne
So your theory is that the NSA somehow drugged 12 jurors and a judge into
seeing evidence of insider trading that wasn't actually there?

~~~
davorak
I do not see that argument being made. Maybe he is guilty, but it was only
brought to light because he did not do what the NSA wanted.

~~~
mpyne
Then I don't feel sorry for him. Two wrongs don't make a right, if you don't
want to go to jail for insider trading then don't put yourself, your company,
_and your customers_ in a position to be compromised by blackmail. That right
there is beyond despicable.

~~~
davorak
> Then I don't feel sorry for him.

I guess I never thought of it being about feeling sorry for him. It was about
the NSA using blackmail to get CEOs to do what they want. Allowing CEOs to
get away with crimes such as insider trading as long as they did what the NSA
wanted.

If I try to imagine the consequences of this it includes promoting corruption
at the CEO level down in the industries that the NSA deals with. The long term
effects of this are certainly negative and hard to quantify.

Now are the negative consequences outweighed by the benefit that the NSA
receives and passes on to the USA then to the world? I do not know, I am not
familiar enough with that arena, it is far from an obvious win from where I am
sitting however.

------
brown9-2
What is confusing to me about this idea is that it would seem as if Google
would then only be passing over _past_ data for the requested account.

Since FISA is all about active surveillance and wiretaps (of phones when it
was written in 1978), wouldn't the government also want a way to watch
activities in online accounts in realtime?

~~~
mpyne
With a frequent enough update cycle there's no reason it can't be close to
real time. The government's systems could then use inotify or some other
filesystem watcher to automatically reload the page when new data comes in
over SFTP.

~~~
brown9-2
If this is the case, then Google's assertion that it's just SFTP seems a bit
meaningless.

~~~
mpyne
I don't see why technical accuracy would ever be _meaningless_. I thought we
were better than that. If we're smart enough to understand the technical
details then we should be smart enough to understand the further
_implications_ of those details without having to be lied to by journalists.

------
ErikAugust
"Photoillustration: Kevin Poulsen/Wired"

Anyone else find humor in this?

------
grandalf
Recall Wired's role in the Bradley Manning case. Regarding Wikileaks, Wired
has consistently acted as a propaganda voice for the US Government.

As a result I'm reluctant to take this article with more than a grain of salt.

------
wahnfrieden
Hate to leave irrelevant comments, but gawd Wired is annoying on mobile. That
header just continuously jumps in and out senselessly as I consume the
article, very distracting.

------
JeanSebTr
So no Plug&Play device installed at Google by the NSA? Even so it would be so
easy to install a generic program on Google's servers to make live queries on
any dataset. Google probably use SQL everywhere, right?

Seriously, these conspiracy theories are simply impossible most times.

------
drivebyacct2
Thank god it's "secure". FTPS or SFTP, dare anyone ask?

~~~
switch33
Hey man. NSA stands for No Such Agency.

And SFTP stands for secure for NSA file transfer protocol, cause they are cool
katz apparently.

~~~
drivebyacct2
Congratulations, that's the first time I've managed to laugh about PRISM in
the last week.

