
Why didn't they release these documents a long time ago when everyone was racing to judgement that Google, Yahoo, et al were secretly in cahoots with the NSA helping to build drag-net surveillance extranet stuff for them? These are very important revelations!

I mean, when Greenwald/Snowden/Guardian released the original PRISM accusations, these slides would have provided a much much more important set of evidence, instead of months of speculation and parsing of meanings of "backdoor", "frontdoor", "side door", in the corporate communications of the tech companies who were struggling to say "we've never heard of PRISM, da fuq is this shit?"

Is the slow dripping out of these slides because they are trying to be responsible in not releasing stuff that is too damaging (e.g. not trying to be a Bradley Manning dump), or is it to preserve traffic by keeping the click-gravy-train going?

By releasing the documents in this order, they give government officials just enough rope to hang themselves by prompting them to defend themselves by making statements about what they do and do not do, and then releasing new documents directly contradicting those statements.

In a weird way, it actually motivates them to tell the "whole truth" because they don't know what documents will be released later so they don't know what lies to tell.

Yea, but as collateral damage, the rope hung the tech companies and damaged their brands by who knows how much.

They deserve to have their brands damaged.

They didn't do their due diligence in encrypting data going through leased fibers -- they should have had the foresight to realize what a phenomenally bad thing this was. They didn't, hence why I'll never trust them again.

Do you also blame your car company when a thief breaks into it? Do you never trust banks again if a bank robbery happens? They were working on it, but full-on encryption everywhere within your internal network is expensive, and one tends to not imagine that buried dark fiber is dug up and tapped by one's own government.

Let's say that they encrypted everything, and then you learn the NSA had kidnapped the children of one of their network engineers and forced him to turn over some keys. Again, whose brand deserves to be damaged here, the company, or the immoral nation state with vast military industrial resources at its disposal?

Why do I sometimes get the feeling that people specifically want to hate on these companies when the real outrage should be for the government spooks.

What an unbelievably stupid line of thinking.

Kidnapped their children? Get a hold of yourself here. Google is a tech company, it is a perfectly reasonable expectation that they get the big parts of their security model right. Not encrypting data going through leased (or even their own) fibers? Big, big mistake. NSA and US government aside, Google dropped the ball big-time here.

> Why do I sometimes get the feeling that people specifically want to hate on these companies when the real outrage should be for the government spooks.

Funny you say that. Because I was pretty much a Google fanboy before all of this happened (oh, and their recent changes wrt privacy policies). I am very angry at the government, but that is a separate issue.

Security is based on threat model. The spooks have capabilities that far exceed the threat models most companies assume from private blackhats. You think it is obvious to assume in hindsight that the government would dig up and tap your dark fiber, but you don't think it obvious the government would plant spies to do inside-the-data-center taps. Now what? Encrypt all data between switches? The Soviets didn't think their undersea cables could be tapped either, and no one can claim they were insufficiently paranoid.

My point is, I don't want Silicon Valley in an arms race with the US government. The government is supposed to protect its citizens and companies, not work to undermine them. Google is working on rolling out better security, just like they eventually rolled out SSL everywhere before most other companies. They are at the forefront on this, but it still takes time and costs money. But even though they are spending time and resources on this, I would still like the US government to cut it out.

I'm not getting through to you.

At the end of the day, Google lost. To a considerable extent, cloud lost. People who were trusting Google with their data lost. What is ostensibly true at this point is that Google could have done something to have prevented this. All else is immaterial. Just like I would expect to lose business if I made a mistake and had data compromised (because doing X and Y was too difficult or too costly for me to do, because it was 'outside' my control, because I was too inept, or whatever else), Google should expect to lose some business the same way. If security is based on a threat model -- and it eventually loses, it was bad security.

Well, it would help if you would write in a way that is not insulting and condescending.

There's no "if" about it. All security is based on threat model, the lock on your front door is based on the threat of the average criminal, and not Watergate burglars. Are you guilty of bad security? Is it your fault if your front door lock gets picked because you made assumptions about the sophistication of your attacker?

You originally said "I'll never trust them again", but that begs the question, just who will you trust? Unless you are using end-to-end encryption with everyone, there is no way to secure against NSA interception, and pretty much all of Google's cloud competitors are actually worse in terms of deployed security. And assuming end-to-end is secure is basically just assuming a threat model where the NSA or Chinese government can't plant infected firmware or hardware in your devices.

How about not musing out loud that people who are criticizing companies just "want to hate on these companies", if you're entertaining the idea of not being insulting and condescending.

Google is a company that's been leading the way to get everyone on the cloud. It turns out what it's also been doing is making mass surveillance massively easy due to poor security practices. One individual having bad locks is not analogous to what is at play here. You keep suggesting that Google should get a free pass because the adversary in this case was too sophisticated of a player: no, that does not matter, that is an excuse. Don't give me excuses. Google makes billions, it should simply have done a better job. Your earlier post took issue with Google's brand being tarnished unfairly, this is what I'm talking about to you right now, so the question of just 'who' I will trust is not very relevant.

To answer your question anyway: basically I'm going to pull away from the cloud as much as I can. No more google apps for me, no more gmail, no more anything where I end up putting my personal data or my clients' data anywhere but on my dedicated servers -- and using end-to-end encryption when any data needs to travel out. That does not remove the possibility of getting compromised, it just mitigates it.

I don't think there are many people who disagree with me that there's been a huge amount of unwarranted snark recently. The uProxy release for example. Don't compare that with using words like "stupid".

>no more anything where I end up putting my personal data or my clients' data anywhere but on my dedicated servers

The probability that your servers would be compromised by actual damaging threats (hackers, malware, viruses, botnets) is far higher than that of Google, so I hope if your servers get hacked, you will similarly berate yourself and not make excuses that you should have done better and spent 10x more on security than you are now. How many actual penetrations have occurred of Google infrastructure where thieves (not government) made off with actual information that they'd put to damaging use, vs that of other smaller hosts? Everything you do has tradeoffs.

You keep making hand wave arguments about what Google could have or should have done, again, totally points about the threat models and historical context. When this program started, by some accounts in 2007, the vast majority of Web traffic wasn't even secured by HTTPS, no one was using channel-ID or forward security, and the majority of SMTP traffic was not protected by TLS. In fact, even today, only 50% of email traffic is TLS protected. In 2007, fewer Google services were probably multi-datacenter replicated as well. Encrypting the dark fiber would have been useless back then when the front door was left unlocked.

So, let's try to imagine a hypothetical conversation of some security engineers when new data centers got set up for replication:

Engineer #1: Dude, we should encrypt traffic on our inter-DC traffic.

Engineer #2: It's a buried dark fiber.

Engineer #1: Yeah, but the NSA could dig it up and tap it.

Engineer #2: That's illegal, and besides, it's a theoretical threat. We have a bigger practical threat, right now, anyone could just tap all front-end traffic, because most incoming user traffic is not HTTPS.

Engineer #1: You're right, let's get everyone on HTTPS first. Let's upgrade browsers, and Chrome, with better cipher suites. Let's add Channel-ID. Let's try to get SMTP users to use TLS.

The point isn't about excuses, it's about understanding at each point in time, what the weakest link in the chain is. The NSA taps of your email traffic might be worrisome, but the reality is, the Russians slurping up your credit cards, passwords, and doing MITMs to install botnets have far greater, actual practical damaging effects on you and your customers.

In an ideal world, everything would be secured against all possible attacks from day one, but internet infrastructure is rarely ideal. I started on the internet in the 80s in an era with zero encryption and where many services didn't even have passwords. We have gradually made things more and more secure, but getting there is going to take time. It's unfortunate that Google's efforts to secure its fiber didn't happen a few years earlier, but if they did happen a few years earlier, it wouldn't have made a difference, because upstream attacks were far more effective back then.

You mean like the things that Google has done, as soon as the threat vector seemed credible?


What if that government who could tap into fiber was not US government? I think any communication outside the confines of corporate buildings should be encrypted.

> What an unbelievably stupid line of thinking.

Sentences like that have no place on HN.

> Kidnapped their children? Get a hold of yourself here.

It's supposed to be an extreme example. He's trying to probe your boundaries -- if you'd forgive them in the kidnapping example, he could then name a somewhat less extreme example, like if the CIA had broken into a Googler's home to plant a recording device.

But, since you totally dodged the question, the opportunity was missed.

Why would they have treated their own fibers as untrustworthy?

As has been pointed out, Google owns a lot of fiber. When you have stuff that spans thousands of miles, there's a very real possibility that a bad actor can try to tap into it.

Apparently even tapping undersea cables is not as challenging as some think, according to Kapela: http://motherboard.vice.com/blog/undersea-cable-surveillance...

> Why do I sometimes get the feeling that people specifically want to hate on these companies

Because they promote themselves as tech-based companies, yet abdicated their professional duty to design secure systems because insecurity makes for easier monetization.

You would very much blame a car manufacturer when it turned out that all of its cars were keyed the same.

There is no such thing as a secure system, there is only conditional security. And what does unencrypted internal network traffic within a company have to do with monetization?

Pretty much all regular door locks on the majority of homes in the US are pickable. Have you installed an unpickable lock on your home?

Supposedly the US government is tapping fiber they own. Would you fault someone for not having security between rooms in their home?

They also gave the NSA and co. front-door access, and probably knew about the back-door access, but couldn't do anything about it.

It may be the case that the tech companies need to have their brands damaged for the greater good, at this point. If it turns out that G and Y are operating in an environment (USA) where a rogue government endangers consumers and prevents legit business from being done, G and Y need to either remove themselves from that environment or fall.

People are probably missing the idea. In the past, like with the WikiLeaks cables, they released all at once and it didn't have that much effect, after one week most countries were already on some other matter. The slow dripping allows this case to continue being discussed after six months. Can't remember this ever happening before with any other subject like the fake article on Saddam's WMD, the CIA flights and torture cases, etc.

Given what we currently know about the human mind and how people react to news I expect this to be the future way of releasing highly critical information.

Who knows how many thousands of pages they need to read and understand? Also, don't underestimate the difficulty of a reporter understanding these thousands of documents sufficiently to recognize when one is really important.

If they don't understand what's going on, wouldn't that argue in favor of doing more detailed research and analysis before writing claims? The original assumptions/claims in the Guardian story on PRISM are now shown to be false. This caused a lot of negative blowback on the companies involved.

Don't we expect our investigative journalists to, well, actually investigate things, instead of rushing to print?

How were they false? The PRISM program is real. There is a way for the NSA to automatically access Google's databases, with Google's knowledge under secret blanket (not case-by-case) court orders. They were clearly lying when they denied any "direct access".

No they weren't lying, as there is no evidence that Google had knowledge that the NSA had been tapping their dark fiber. What everyone assumed after the Guardian story was that Google had built some kind of firehose feed or portal for the NSA to just login and get whatever they wanted, never in any of those stories did they say the NSA was taking data against Google's knowledge or will.

For example, there was a famous slide showing when each company "joined the PRISM program", but the actual slide merely says "Dates when PRISM collection started for each provider". The reporter inserted the terminology "joined" which implies a partnership that didn't exist.

What these revelations reveal is that the NSA supplemented the data they got on a case-by-case basis through NSLs by outside-the-datacenter fiber taps of traffic, as well as upstream unencrypted HTTP and SMTP/IMAP traffic.

> What these revelations reveal is that the NSA supplemented the data they got on a case-by-case basis through NSLs by outside-the-datacenter fiber taps of traffic, as well as upstream unencrypted HTTP and SMTP/IMAP traffic.

Which still does not contradict the original speculation that Google provided bulk data for PRISM. We do not yet know enough of all the stories to judge who spied or helped to spy on us to what extent. There are too many lies, too many secrets and far too little liability out there to let the big companies off the hook yet.

As I understand it, there is nothing in this latest release which contradicts the previous PRISM stories. They are two separate programs.

In other words, NSA used court orders to access data with the knowledge (but gagging) of the companies (PRISM), while at the same time also hacking into the companies to access data without their knowledge (MUSCULAR). These things were both true.

What claims in the Guardian PRISM story have been shown to be false?

I have no internal knowledge about this, but influenced by this Twitter thread[0] I would speculate that Greenwald and friends gave Google (and whoever else) advance notice and the opportunity to react to it before publishing. Responsible disclosure, and all that (not that it really applies in this case, but still).

[0] https://twitter.com/ioerror/status/395636984313413632

It sure looks like it could be strategic.

The "taps foreign heads of state" et al. really drew blood, e.g. DiFi shocked the intelligence community by doing a public about-face.

Presumably because monitoring us proles is just fine with her, but other members of the international elite? That's beyond the pale, and I don't assume her call for a "top-to-bottom review of U.S. spy programs" is to do anything more than find out other such elite embarrassments.

BUT, to the extent the above is not true, or is making this Total Surveillance State toxic, now's a good time to drop this tidbit.

We're still talking about Snowden. This is the reason.

At this point I suspect Snowden has become a bit of an Emmanuel Goldstein. Any leakers who want to get their stuff out with some modicum of safety just need to get it to one of the usual suspects in the media, if the latter are willing to play the game (this does violate normal journalist ethics, then again this is not a normal situation). The leak can then be ascribed to "Snowden".

For those wondering who "Emmanuel Goldstein" is, he's a character in the novel 1984.

And in this novel, Emmanuel Goldstein represents an absolute enemy of the state that doesn't actually live, but only exists to be blamed for all that is bad.

this is brilliant.

Imagine you come into possession of tens of thousands of documents covering material and terminology that you barely understand. That is going to take months to work through, even before you consider that you would want to keep access to the documents/information limited to a small group of people that could help you work through it.

Here's an argument: assuming the worst suspicions, Google and the others are complicit in PRISM, so they deserve our scrutiny here. If this one were dumped at the same time, since Google was blindsided by this, people might forget to scrutinize Google for a while.

There's a difference between assuming the worst, and having evidence on your desk that refutes your own assumptions.

Don't forget the difference between possessing mountains of documents and having the right documents on your desk.

In what way were previous disclosures refuted? PRISM and MUSCULAR aren't mutually exclusive.

Probably because there was just too much information to make sense of all at once. So they just let out little at a time of what they understood to be verifiably and properly true.

Of course the cynical view that they held on to it to make some ad-money is not altogether wrong either, just unlikely to be accurate.

> is it to preserve traffic by keeping the click-gravy-train going?

If that were their intent, I would expect them to release slightly faster, at least one significant document per week.

click-gravy-train; almost certainly.
