And in Denmark, hackers gained full access to many security services databases, among others the European 'most wanted' database, the driver's license database, passwords of 10'000 password officers etc.:
According to the Washington Post, "An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances."
It's worth noting that having a Top Secret clearance does not automatically mean you have access to all information classified as Top Secret.
The scenario that a bigger adversary gaining access to the data is definitely troublesome. We also need to consider other scenarios.
How about the ramifications of the pipes created for NSA, getting leveraged by other actors?
What happens when a rogue employee hacks the infrastructure created for providing the pipe to NSA?
What if a group of such rogue employees across multiple companies act in concert, may be creating a cartel?
Such things have the potential to remain unnoticed for a pretty long time, ruining lives of innocent people.
Now, let's replace the word rogue with innocent and intelligent but cleverly manipulated by sophisticated player and the scenario reads bleaker.
To believe that such things haven't happened before or aren't happening now, in some part of the world, will be pointless.
Consider a scenario in developing countries: let's say you wrote some piece of code (unrelated to telecom) for a businessman. Let's also say that the businessman runs many companies, one of which provides BPO services to telecom companies. Let's say that the businessman wants to exploit you. He can very well track your location using the network of the telecom company without that company knowing it, let alone the law enforcement officials. He can remain under the radar because the request can be clubbed with other legitimate ones.
This is not just a US problem, it's a global problem.
It is precisely for such reasons, that we need a manifesto about data collection policies, like "Do No Evil" or "The Patent Pledge."
"He can remain under the radar because the request can be clubbed with other legitimate ones."
I still don´t see the legitimacy of the US government accessing citizen´s data. Perhaps it´s because I´m from an european country, and governments in europe have laws to proctect citizen´s private data.
The fact you are paranoid doesn't mean that there is not someone out there to get you.
This is useful information. Having access to someones social graph and contact list could go a long way to subverting dissidents.
If by chance NSA is aiding Russia and China by helping them secure internal stability and giving them more energy to play on the international scene is rather ironic.
Also it is not about downloading. Thing about the things you could do by just altering the data.
Do not mistake the NSA's security to that of your average government office.
Since we are probably talking about petabytes of data, this would not be a one-time download, but would require continuous access to query the dataset interactively, which wouldn't be hard to detect if you are on the look out for it.
It's easy to say that "it probably won't happen" today. But so much can happen to change the game in the future. Budget cuts to security, internal employees being "in" on the hack, etc.
And what happens when it actually gets hacked? Nothing. Nobody will come out and say "our bad we shouldn't have collected and stored all this sensitive data". Heck, you would be lucky if it's not used as evidence for why further pushes for massive surveillance is needed.
Then there is also the issue that even though the data might be stored with good intentions today, we don't know who is going to be in charge tomorrow, or after that. Whatever Obama promises only lasts until somebody else becomes president, who thinks that all this data that is already stored and ready, should be used in new interesting ways. The data doesn't even need to leak and be hacked for it to be misused, when the owners of the data are in constant flux.
I'm not sure why we should take for granted that the NSA has a better security story than other branches of government. I have not been impressed with any of the US government offices I've worked with at any level.
I would find it somewhat relieving to find out that the NSA is run better than the rest of the government, but I don't see any reason to believe that's the case. If anything, they are likely as over-confident and technically out-of-touch at the higher administrative levels as their peers.
So the question is what they could download before getting caught... each time....
Also another possible threat scenario would be a spearphishing attack that would plant a virus on the network which would slowly (in botnet fashion) access pieces and send it to China a little bit at a time, uncoordinated, many little connections inside the network.
Ask yourself, if you had unlimited funds, spies in the US, and so forth, how would you attack the NSA? Those resources make a sophisticated and successful largescale attack a lot more possible and feasible.
What's more likely is, convinced they're legally obliged to turn over data to anyone with a plausible government letterhead, private companies start being subjected to an enormous amount of false flag / social engineering attacks.
Do you think they'll ever admit they are responsible for something like that?
They'll just make the "cyberwarfare" campaign even louder, and say how new laws and bigger budgets are needed to keep you safe (and of course continue their spying and their hacking on others).
The "cyberwarfare" will be the new war on terror, 5-10 years from now.
> The "cyberwarfare" will be the new war on terror, 5-10 years from now.
Yes, just like the war on terror is the new war on communism.
By 1990, all the defence contractors figured out that without a boogey man to scare people with, the US government has a lot of things it would rather spend money on than billable hours.
What would happen? Well then they'd have an almost unlimited supply of individuals within our institutions whom they could easily blackmail and use to subvert those institutions.
But I don't find it much more terrifying than people in our own government having that power.
That's part of the reason for the Utah datacenter. Consolidating several NSA datacenters around the country into one super-secure fortress.
First, separate offline networks and the most advanced network security ever conceived will be put in place at this new datacenter.
If you're thinking that a reverse engineered Stuxnet might be able to hop over to the secure network, I doubt it, and even if it does then what will it do to transmit the data out?
It is slightly insulting to the engineers and security experts whose full-time job is to keep the NSA secure, but I suppose this scenario is worth discussing just in-case someone thinks of a clever way which the NSA has not.
The most vulnerable aspect is any remote access either to company servers or to the NSA search tools. I would hope that a data dump or unrestricted access to the NSAs "database" would be completely impossible. Even with extensive insider knowledge of the Utah datacenters systems, an ex-employee would have zero chance of gaining unauthorized access.
It's a truism in computing that the only really secure computer is one that has been disconnected from the network, turned off, encased in solid concrete, and sunk to the bottom of the ocean.
Even then, better hope James Cameron doesn't want what's inside.
I'm sure NSA's security people are aware of this. If they are not, then they're not very good at their job.
Why doesn't simply being disconnected from the internet and located in the middle of nowhere Utah locked in a super-secure fortress with the best network engineers, computer experts, and cryptologists suffice?
And yes, it is insulting. The NSA has been at the forefront of encryption and network security for the past 60 years.
>Why doesn't simply being disconnected from the internet and located in the middle of nowhere Utah locked in a super-secure fortress with the best network engineers, computer experts, and cryptologists suffice?
Because nobody can use it there. You might as well put it at the bottom of the ocean -- or not collect it in the first place. At some point you have to give agents in the outside world a way to use the data or it's totally worthless, and then you have an exploitation vector.
>Am I giving the NSA too much undeserved credit?
There is always a difference between best-in-class and infallible. And the problem is that you only have to be wrong once.
Cryptographers have a saying. Encryption is like a single fence post which is a thousand miles high. You're not likely to break the encryption, but it doesn't do you any good if the attacker can just go around it. Find a weaker link in the chain: Poor passwords, social engineering, bribery, good ol' fashion espionage, etc.
Yes you are giving them too much undeserved credit. You're asking us to have faith in a government agency being able to keep an enormous amount of digital data (and growing fast) when we've already seen that fail plenty of times.
So the NSA is special? What happens when the political winds change and they experience budget cutbacks, and some of the really talented employees move to the private sector? Or when they bring in outside private sector contractors.
The slip up doesn't even have to be monumental in itself, but the consequences are. The real terrorism (the one that will actually affect a large number of people) is and will be cyber based. You're basically stockpiling weapons.
If it's disconnected from the internet, how is it going to get any new data? If there's a way for it to get new data, then, well... isn't that exactly how Stuxnet happened?
An intermediary system. Sure, there will be internet access at the Utah facility, but the networks will be separated. Stuxnet was physically delivered on a USB drive. Stuxnet didn't have the requirement of sending back massive amounts of data (or any really).
Having said that, I guess it just comes back to the fact that the intermediary is the real target then. So we hope the NSA has had it's crack team in there. Which means that we hope that it's disconnected etc. as well... I mean, at some point there needs to a source that is connected to the internet and I guess that source is the real target.
If it's not connected to the internet, how are you going to get terabytes of data per day in there? If it's not connected to the internet, how are you going to get the "interesting™" stills that it has extracted from millions of hours of CCTV to the Pentagon? There is almost no point in not having it connected to the internet.
Separate networks at the Utah data center. One would be connected to the internet and very highly monitored for intrusion or unauthorized access.
Maybe even turn off the power for data over X years old. Then it would be impossible to steal that data without physical access to one of the most secure buildings on the planet.
This isn't a blockbuster action film, it's a data center. I think this sort of thing is interesting but I write software. I wouldn't bet any amount of money that everyone along the PRISM chain of decision making is as impressed with the idea of a super-fortress data center. Corners get cut, work is pushed towards those with connections instead of the ones who can best do the job. Compromises are made, money goes here instead of there.
I find the idea of a super-fortress of data a bit far-fetched to begin with, that such a place would be goverment run seems even more ridiculous.
The Utah data center is more of a consolidating effort than some new spy program. It's suppose to save money and increase security (and storage ability).
The NSA has computer security technology that the public and other government do not. They also have an unfathomable amount of processing power without the Utah data center (Tordella).
What congress in their right mind would slash the NSAs budget and put the entire nation at risk?
Also, it isn't a set fact of life that all government agencies / programs are inefficient and incompetent.
It wouldn't be the first time an unintended party gained access to unsuspecting parties' personal information via government surveillance systems. The Prime Minister of Greece, among others, had their cellphones tapped by a hacker using a law enforcement agency's backdoor.
Imagine if the US hacked into the Chinese data repository on their citizens?
Imagine if the US hacked into the Russian data repository on their citizens?
I'm sure it's already happened, and I'm sure it is not a huge coincidence that Google and Facebook are not the biggest search / social networking companies in those countries.
No idea about the others mentioned.
Oh and what about if those countries respective agencies have an agreement to share certain data amongst each other to make things a little easier?
> Imagine if the US hacked into the Chinese data repository on their citizens?
> Imagine if the US hacked into the Russian data repository on their citizens?
"Your copying all of my private data from several sources to the nsa, what is another country hacks that and copy it ?"
"No worry, we can hack them and copy their citizens data too"
I fail to see how to answer the concern for the question, or how that should be reassuring in anyway. That we can, or cannot, or already do similar data repository in other countries is irrelevant to the question "should all of my data be aggregated in a single juicy store".
I'm not even sure I agree with OP's premises (especially since I'm an European, for me the NSA thing is a foreign governement spying on me and I expect the EU new data privacy laws to be much more strict than the safe harbor joke we've had so far), but your answer doesn't address it at all.
We don't even know if this thing has a public interface and even if it did access would probably be limited to a couple dozen IPs.
Furthermore, the article assumes that an adversary gets somehow the data. We're probably talking about petabytes of storage, how on earth could you get hold of all that data? Download it? That would raise a gazillion alarms.
These are immaterial obstacles. It will have a public interface otherwise data would not get in (and there does not exist anything like a one way street in computer networking).
Extracting interesting parts of the data can be done with the tools that are available to the agents. If someone breaks in successfully, they will have someone inside feeding them. Wetware is still the weakest link in security most of the times.
Sounds like the Cold War line of thinking. It was Russia then, now China takes over the place. What if Country_X does Y? Oh we must keep up the pace! What history tells me is when a government starts to draw people's attention to some public enemy abroad, usually it has some ax to grind and some shit to hide.
I kind of think the China idea is far fetched too. Sounds a little too boogey-man. Why not a private interest like a cartel / mafia? Or maybe anonymous, etc.?
I'd also imagine that it's far easier to just go after the sources (whoever is allegedly forking over the data). Not to mention that it's probably much better organized at the source than in some sort of data dump format. Just a guess, though.
Tell me when the NSA, or the US in general pre-NSA, has ever endangered or compromised their encryptions? There surely is enough stories of how the CIA screwed up and stories like the FBI helping Whitey Bulger to continue murdering while he was an FBI informant.
http://www.washingtonpost.com/world/national-security/chines...
And in Denmark, hackers gained full access to many security services databases, among others the European 'most wanted' database, the driver's license database, passwords of 10'000 password officers etc.:
http://www.berliner-zeitung.de/politik/hacker-angriff-datenl...
(Newspaper article in German, sorry …)