
The NSA slide you haven’t seen - spikels
http://www.washingtonpost.com/business/economy/the-nsa-slide-you-havent-seen/2013/07/10/32801426-e8e6-11e2-aa9f-c03a72e2d342_story.html
======
runjake
Once again, I suggest everyone interested read James Bamford's book Shadow
Factory.

All these revelations regarding call metadata, PRISM collection (albeit under
a different codename at the time), modern fiber taps, and even more are
covered.

You'll learn about how they shave fiber optic cables in order to intercept
traffic and not be detected. You'll find out about the various facilities
already reported, along with others like the NSA Georgia facility. You'll find
out exactly where on what beach these fiber lines run in and out of. It's a
very well-researched book.

You'll learn a lot more than what's been verified with these leaks.

[http://www.amazon.com/The-Shadow-Factory-Eavesdropping-
Ameri...](http://www.amazon.com/The-Shadow-Factory-Eavesdropping-
America/dp/0307279391/ref=sr_1_1?ie=UTF8&qid=1373476980&sr=8-1&keywords=shadow+factory)

~~~
samsnelling
Thanks for this! I've been looking for more to read (I just went back and re-
read 1984).

... I thought one of the points of Fiber was that you couldn't tap in without
disturbing the optical signal? Did I just make that up in my head?

~~~
leephillips
I don't see why that would be true. This is classical signal transmitted
optically, not quantum cryptography. There is no reason you couldn't splice
the cable through a machine that recorded the signal and then recreated it. Or
a beam splitter that removed just a small fraction of the signal; the effect
would be a slight increase in transmission loss.

~~~
sneak
The prevailing theory is that they do the latter; the former would be both
easy to detect (at the time of splice) and locate (via TDR).

Getting the signal out of the fiber pales in comparison, though, with the task
of getting all of that data back to Maryland/Utah.

Unless they have specific cooperation of the cable owners and can tap/split
the fibers at the landings, they must be spending a significant percentage of
the cost of the original fiber runs (in parallel cables to return the tapped
data). The mind reels.

[https://en.wikipedia.org/wiki/USS_Jimmy_Carter_(SSN-23)](https://en.wikipedia.org/wiki/USS_Jimmy_Carter_\(SSN-23\))

~~~
cdjk
I don't know much about undersea cables (although it is a fascinating
subject), but I imagine there's no need to tap a cable in the middle of the
ocean. If instead you tap it a couple miles offshore (even tens of miles),
suddenly have a lot less undersea fiber to run. And if multiple cables come
ashore at the same place, you can probably disguise it as just another fiber.

Of course, this requires a friendly country at one end of the cable, but
that's probably not too big a problem.

~~~
wyck
Yes but there is a problem, other countries also have submarines/boats that
protect their assets.

------
david_shaw
After seeing this article today, I made a post on Facebook to explain to some
of my friends that aren't closely following the PRISM story that this is not
compatible with the statements released by Mark Zuckerberg, Marissa Mayer, and
Larry Page. I'll reproduce some of my post here--I'd link directly, but my
Facebook is set to 'private.'

Remember when Mark Zuckerberg (Facebook), Marissa Mayer (Yahoo!) and Larry
Page (Google) all denied "directly" giving the NSA everyone's data?

They claimed that all access was done through national security letters and
warrants, because the slides that had leaked at the time supported that. Turns
out new slides leaked, and everyone lied!

    
    
      *snip* (I linked to the WaPo article, and the slide directly)
    

And for sources on the original denial (each claiming "no direct access"):

[https://www.facebook.com/zuck/posts/10100828955847631](https://www.facebook.com/zuck/posts/10100828955847631)
(Zuckerberg/FB)

[http://yahoo.tumblr.com/post/53243441454/our-commitment-
to-o...](http://yahoo.tumblr.com/post/53243441454/our-commitment-to-our-users-
privacy) (Mayer/Yahoo!)

[http://googleblog.blogspot.com/2013/06/what.html](http://googleblog.blogspot.com/2013/06/what.html)
(Page/Google)

~~~
ignostic
They didn't lie - they just made the truth dance with help from legal
advisers. I think we already knew that, but the slide just confirms that they
knew exactly what they were doing.

 _EDIT: to clarify, GIVING someone access directly to a server and allowing
/knowing about access to the data going in and out of a server are not
technically the same thing._

When I saw the Google/Facebook responses, it was obvious that the posts had a
lot in common. Both used the phrase "direct access to our servers".

When you see a phrase repeated like that, one of two things has happened.
Either one copied the other's phrasing, or someone told them what to say. In
either case, the legal department would definitely weigh in on a huge issue
like this.

A smart lawyer would never let the company lie outright. They would advise
everyone to speak the truth, but "the truth they speak may not be the truth
you think you hear." No direct access to servers. Sure. They just had access
to the data going in and out of the server. To someone used to reading
political and legal documents, "no direct access to servers" almost screams
"some form of access to something." Otherwise the denial would have been more

Zuck and Page didn't lie, but they were less than forthcoming. Myers didn't
even bother addressing the claim directly.

I suspect a government lawyer fed them phrases they could use that sound like
denials without actually lying.

~~~
david_shaw
_> When I saw the Google/Facebook responses, it was obvious that the posts had
a lot in common. Both used the phrase "direct access to our servers". When you
see a phrase repeated like that, one of two things has happened. Either one
copied the other's phrasing, or someone told them what to say. In either case,
the legal department would definitely weigh in on a huge issue like this._

I totally agree that these organizations used the phrase "direct access"
intentionally, surely with legal advice. My point, however, was that at the
time that these companies released their responses, the slide that actually
said _direct access_ verbatim had not yet leaked. Although it's impossible to
tell what actually happened, it looks to me like they decided to deny "direct
access" in the hopes that there were no slides indicating that direct access
did exist. After all, it's unlikely that these companies had the full slide
deck (or anything other than what the media had published).

So, either:

(A) Larry Page and Mark Zuckerberg actually didn't know that they provided
"direct" access to data.

(B) NSA actually doesn't have "direct" access as indicated by this slide,
meaning that the slide is incorrect or falsified.

(C) Page and Zuckerberg lied in their statements.

I don't see a fourth option regarding direct NSA access to these companies'
data.

And you're right regarding Mayer not addressing the claim directly; I was a
little bit off there. Still, by saying "well, we received between 12,000 and
13,000 FISA requests," Yahoo! is implying that there isn't any sort of
"backdoor" access, which no longer seems to be the case.

~~~
mpyne
(D) the slide doesn't actually say 'direct access', but says 'collection
directly from the servers of', which is different.

My browser pulled the comment I'm replying to right now 'directly from the
servers of' HN, but I don't have 'direct access' to HN.

~~~
david_shaw
_> (D) the slide doesn't actually say 'direct access', but says 'collection
directly from the servers of', which is different. My browser pulled the
comment I'm replying to right now 'directly from the servers of' HN, but I
don't have 'direct access' to HN._

The slide I'm talking about ( [http://www.washingtonpost.com/wp-
srv/special/politics/prism-...](http://www.washingtonpost.com/wp-
srv/special/politics/prism-collection-documents/images/upstream-
promo-606.jpg?v2) ) states: "collection directly from the servers of these
U.S. Service Providers."

Since there's currently no way to "browse" private data on, say, my Google
search history or my GMail inbox, the conclusion seems to be that they either
have broad backdoor access, or a specific way of directly downloading from
these companies.

In a traditional warrant situation, the data would be collected by the
companies and sent to the requesting agency that provided a warrant. Police
officers that request, say, HTTP access logs do not download those logs
directly.

~~~
bincat
Here is this link again:
[http://slashdot.org/comments.pl?sid=204063&cid=16678583](http://slashdot.org/comments.pl?sid=204063&cid=16678583)

However one wants to define 'directly from the servers of' or 'direct access'
I think for all intents and purposes it means the same thing.

------
oscilloscope
It may have been published at the Post for the first time, but Guardian
released this over a month ago.

[http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-
server...](http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server-
collection-facebook-google)

~~~
sneak
The codenames of some of the collection codenames were redacted: FAIRVIEW and
BLARNEY were visible, STORMBREW and OAKSTAR were not.

What's really quite interesting is that they're typeset differently on the
redacted/unredacted slides.

[http://www.washingtonpost.com/wp-
srv/special/politics/prism-...](http://www.washingtonpost.com/wp-
srv/special/politics/prism-collection-documents/images/upstream-promo-606.jpg)

[http://static.guim.co.uk/sys-
images/Guardian/Pix/pictures/20...](http://static.guim.co.uk/sys-
images/Guardian/Pix/pictures/2013/6/8/1370710424658/new-prism-slide-001.jpg)

EDIT: Also, as the WaPo article points out, the map is different too...

~~~
ChuckMcM
Exactly, one or both of these slides has been edited. I doubt that someone
went back to the NSA to get "the latest version" that makes me wonder who did
the editing and what was their motivation? Did the guardian change the map to
make it more relevant to the "global nature" of their coverage? Did someone
change it for WaPo to make it seem more credible? And the redacting part, who
redacted it and why? Neither slide would have been released as part of a FOIA
request it seems, so why the redactions? To make it look more "confidential" ?
(there have been suggestions that redactions add 'authenticity' to purported
documents from governments). Frankly it raises a lot more questions than it
answers.

~~~
randomnick852
I would guess WaPo edited the map. For the Guardian's version of slide it
seems easy to guess that those are the names of secret programs use to tap
fiber-optic cables in certain regions. NSA wanted 2 names of those programs to
remain secret. (i have some theory why..). WaPo published the names but edited
the map not to give precise locations of those programs. Just my theory ofc.

~~~
mpyne
I think the OO.o/MS Office explanation is perfectly reasonable and applicable
in this case. Even I suggested that was what the difference was when PRISM was
first leaked, and I've not exactly been on Greenwald's side throughout all of
this.

------
btipling
> "collection directly from the servers"

So either Snowden has incorrect slides, the slides are falsified, or everyone
has been lying. Actual evidence of direct access would be better than these
slides. I would like someone from Google, Facebook, et al to testify under
oath that there is no direct access. Or maybe even the NSA, but we know they
share inaccuracies under oath, so maybe that isn't worth so much.

~~~
jellicle
They're getting the info directly from Google et al., but they don't have root
on Google's servers. Google is required by law (CALEA, the Communications
Assistance for Law Enforcement Act) to provide the ability for law enforcement
to get information from them. This includes - required by law - the ability
both to get stored data and to make real-time intercepts of new
communications. Google is paid a fee to provide these services as well.

Google et al. have fully complied with this law. The FBI manages the
government-end of the CALEA tapping capabilities. The NSA makes requests to
the FBI, which passes them on to Google, which flips a switch and enables the
tapping of user "xyzzy123". From then on, xyzzy123's stored data and new
communications get sent to the FBI through the CALEA connection, which
forwards them to the NSA. CALEA also requires the service provider to provide
all sorts of metadata about the user.

This IS "direct access" to Google's servers. The denials about this have been
carefully worded things that all access is supported by some sort of legal
process, etc. The denials are non-denial denials. Yes, GOOGLE (et al.), not
the NSA, flips the final switch which sends the data. But Google is required
by law to do so, so....... And once the switch is flipped, all of the data is
flowing automatically to the NSA.

I hope this is clear.

~~~
indiefan
Correct me if I'm wrong, but you left out the step where a judge reviews the
request to make sure it's not overly broad or based on flimsy reasoning.

Aside from that I'd say it's a very clear, and it's sad that there seems to be
a pervasive inference that these companies are something something beyond what
our elected law makers have forced them to do. Why isn't more angst directed
at the politicians responsible for this?

~~~
lisper
A judge does review the request. Whether that judge "makes sure it's not
overly broad or based on flimsy reasoning" is far from clear. The judge has
been hand-picked by John Roberts and only hears the government's side of the
case. The FISA court has rejected 0.03 percent of the government's requests.
Now, maybe that's just an indication that 99.97% of the government's requests
are reasonable, but here's the problem: we have no way of knowing, because
it's all secret. THAT is the problem IMHO, more than the surveillance itself.

~~~
rsingel
No, a judge does not see an individual request in a 702 order. This is the
entire point of the 702 and PRISM -- NSA analysts no longer have to fill out
paperwork to get data from Google/Facebook/Etc, so long as they are 51% sure
the target is a foreigner. There is one court order per company per year.
After that, it's "direct access" \- e.g. analyst sends request directly to the
company.

~~~
lisper
First I've heard of this 51% thing. If it's true (and I don't doubt it) then
the situation is even worse than I thought. Do you have a reference?

~~~
rsingel
Sure, it's from the Washington Post's reporting:
[http://www.washingtonpost.com/wp-
srv/special/politics/prism-...](http://www.washingtonpost.com/wp-
srv/special/politics/prism-collection-documents/)

Search for 51.

~~~
lisper
I see where it says in the caption "The supervisor must endorse the analyst's
"reasonable belief," defined as 51 percent confidence, that the specified
target is a foreign national who is overseas at the time of collection." But
that's a caption written by the Post. What I don't see is any support for that
statement in the actual slide itself, nor any of the other slides on that
page.

------
zmmmmm
Are we agreed that the Washington Post has had access to the full set of
slides all along and are choosing to dribble them out, one by one?

If so I feel that there's a certain lack of ethics involved in this. We now
have a slide recommending "direct access", after weeks of denials and
pointless discussion about it that would have been much clarified and
bolstered if this slide had been released. On the other hand, we still don't
know the _full_ context of the slides. Perhaps the next one says "But we don't
have direct access yet, we are still working on that". Or perhaps it says "for
direct access, get a warrant". We just don't know.

I understand the motives of the WP in releasing these slides one by one. It
will undoubtably be maximizing the publicity and traffic they get from it. But
I am not at all sure it is serving the public interest.

~~~
falk
On the contrary, we've caught a lot of people in a lot of lies. It's worth
noting that the Guardian published this slide weeks ago, except they redacted
some information. We most likely wouldn't still be talking about this if the
Washington Post and Guardian played all their cards at once.

~~~
zmmmmm
> It's worth noting that the Guardian published this slide weeks ago, except
> they redacted some information

Heh, well, I guess I fell for the incorrect headline then. Thanks.

------
milhous
Is it possible that the CEOs are in fact telling the truth, but are
unaware/ignorant that at the carrier level (before reaching the ingress
points), data headed to their respective networks/server farms is being
"copied"?

Does Google, Apple, Skype, etc. physically own Internet infrastructure, or are
they all leased lines from carriers?

If they owned any physical "lines", and the gov was tapping into these lines,
then they would be lying about the direct access claim.

But if they don't own these lines, it seems the companies can't do anything
about it, and that the telcos are the villains.

Apologies in advance if I'm oversimplifying.

------
United857
Any speculation as to what the redaction next to "Processing" in the "PRISM
Collection Data Flow" slide is?

~~~
yk
It is next to "Protocol Exploitation," so it could be anything from "Data" to
"Public Key."

What I am wondering at the moment is the "DNI" on the same slide, is this
_direct neural interface_? /tinfoil

~~~
mpyne
Though I can't look at the slide, DNI should stand for Director of National
Intelligence.

------
anigbrowl
I'm amused by BLARNEY. I presume this represents cable that runs from the US
to Ireland.

[http://en.wikipedia.org/wiki/Blarney_Stone](http://en.wikipedia.org/wiki/Blarney_Stone)

 _Before the safeguards were installed, the kiss was performed with real risk
to life and limb, as participants were grasped by the ankles and dangled
bodily from the height._

I can reliably inform you that this is indeed as scary as it sounds.

~~~
ajtaylor
Been there, done that. I've only kissed the Blarney Stone with the safeguards,
but it was still pretty freaky leaning down for the kiss. Everyone should do
it at least once. :)

------
rschmitty
Not to sound like a conspiracy theorist, but does anyone else think this prism
thing was all something made up by PalTalk as a PR stunt?

~~~
unreal37
It's never been published "there" before, so it's technically true.

And this is the first time I'm making this comment here.

------
josephlord
I wonder if the Guardian redactions are due to D-Notices.

------
hawkharris
I don't mean to brag, but as I was writing a story about surveillance on my
home computer today, the NSA director called and said, "I really love where
you're going with this."

------
dmourati
Here's a much better map of the underwater cables:
[http://www.submarinecablemap.com/](http://www.submarinecablemap.com/)

------
leephillips
This is truly shocking. Who in the NSA thought that this was an acceptable
color combination?

------
mmuro
I feel like it will be a while before we truly know exactly what is going on.

~~~
fragsworth
It is likely that we will never know. I suppose "forever" counts as a while.

------
csomar
If we are going to rely and trust the slide, it mentions "You Should Use
Both". That might mean, they are still not using the two of them, or one of
them.

------
samstave
Not sure how that's "published here for the first time" as I had seen that
slide a few weeks back... though I do not recall from where..

------
chrissnell
For those with security clearances, clicking on a random HN link is risking
your job and livelihood. It's easy to see a link to WikiLeaks and avoid that
but when it's the WP posting it, not so much.

These articles really need to be flagged/tagged by HN and by the newspapers
that publish them. I don't want to see a TS/SCI-classified document and I
don't want to be seen as seeking them out.

I love the technical stories on HN (95% of what we read here) but it bothers
me that I'm risking my clearance when I read this site.

~~~
specialist
Do we need a new tag? [OPENSECRET]?

Listening to Democracy Now this morning, one of the defense witnesses in the
Manning trial explained that many, many of classified documented Manning is
accused of leaking are also publicly available via government websites or in
the media. For instance, personal details of detainees at gitmo.

I'm struggling to understand how information which is in the public domain can
be classified.

~~~
rdixit
AFAIK this is primarily for the purposes of avoiding the court system. Things
that are classified seem to be dealt with by the rubber-stamp FISA courts
instead of the actual judicial system so they can avoid being challenged in
the light of day.

------
pointernil
My quite simple opinions on Prism etc.
[https://bitly.com/14SrSXI](https://bitly.com/14SrSXI)

------
kimlelly
Anyone still using \- Microsoft \- Yahoo \- Google \- Facebook \- PalTalk \-
AOL \- Skype \- YouTube \- or Apple?

Yeah, I thought so.

EDIT: Seriously, downvoters: you NEED TO WAKE THE FUCK UP !

~~~
ihuman
Yes, because I actually carefully choose what I do online.

~~~
kimlelly
Good, continue to support the surveillance state with

\- either your data

\- and/or your money.

Sincerely, your NSA

~~~
ihuman
But I am not giving them useful information, nor am I paying for those
services.

~~~
PavlovsCat
You're still supporting them. They do get paid, and you figure into the usage
statistics and eyeballs for which they get paid. Like it or not.

------
kimlelly
I'll say it again, because I was immediately downvoted into invisibility:

You CAN NOT continue to use products and services by NSA companies like
Microsoft - Yahoo - Google - Facebook - PalTalk - AOL - Skype - YouTube - or
Apple and THEN turn around and BITCH AND CRY ABOUT LOSING YOUR RIGHTS AND
PRIVACY.

This is completely INSANE, you NEED TO WAKE UP!

EDIT: Yeah, let the censuring begin again. You know what? When I look at the
people here on HackerNews, I'm beginning to see a SOCIETY THAT ACTUALLY WANTS
TO BE FUCKED - DEEPLY EVEN.

~~~
brandonbloom
You're being down voted because your comment is entirely non-constructive.

1) Calling people _insane_ won't win you any favors.

2) "WAKE UP" is an entirely useless platitude.

3) Simply not using "NSA companies" is completely impractical. Not everyone
can afford to be a recluse eccentric by ignoring the largest software
providers on the planet. Never mind the fact that switching to an alternative
in mass would simply produce a new "NSA company". These companies aren't at
fault, our government is.

Do you have any concrete proposals? Do you have anything new to share? It
doesn't seem that you do.

~~~
laxatives
Avoiding Microsoft, Google, and Apple doesn't leave many smart phone options
either.

~~~
jeltz
There is always the Blackberry.

~~~
winthrowe
If they've publicly provided similar capabilities to the Indian government, it
seems naive to think that list isn't longer.

[http://gadgets.ndtv.com/telecom/news/government-to-take-
over...](http://gadgets.ndtv.com/telecom/news/government-to-take-over-
possession-of-blackberry-interception-infrastructure-338040)

~~~
jeltz
Yeah, they might join PRISM any day.

~~~
Apocryphon
I was going to ask if the Canadian government could do anything about that,
but then disillusionment set in.

