
This article discusses how high-level executives and many top engineers might have no idea what is happening:

https://financialcryptography.com/mt/archives/001431.html

Excerpt: "How is this apparent contradiction possible? It is generally done via secret arrangements not with the company, but with the employees. The company does not provide back-door access, but the people do. The trick is to place people with excellent tech skills and dual loyalties into strategic locations in the company. These 'assets' will then execute the work required in secret, and spare the company and most all of their workmates the embarrassment. ..."

In a discussion of this article (on a cryptography list) I observed this incredulous response: "Hmm. So what does that mean a team of ex-military/intelligence security people work their way up or get assistance with contacts and references, replace all the key people in a company's inner security department and start coding up backdoors, APIs and allowing VPN access to it? All without telling anyone or getting noticed by ops people etc."

To which the other party retorted: "Been there. They are noticed, but you get orders from on high to shut up and not notice."

If that's all true, then it sounds like only a very few engineers and managers acting as moles will have specific knowledge of the program. A few non-mole engineers will sense that something's afoot, but they'll stay mum. Maybe that's as far as it goes.




Well that's great, but it's also stupid. Companies like Google and Facebook have hundreds of high-level engineers staring at all levels of their system all day long, trying to find out where their microseconds have gone. And these people are responsible for umpteen billions of dollars in capital expenditures every year, and responsible for capacity planning and so forth. The theory espoused at the link you posted requires that all of these people are either not smart enough to notice that an external entity is using their resources, or that these people, who I would point out are largely not Americans, are in on the conspiracy, or, finally, that the NSA is capable of pulling off their surveillance without having any detectable impact on production CPU, memory, storage, and networking.

These are highly implausible scenarios.


It is also, as far as I know, illegal to hack or disrupt computer networks in that way (even for the NSA). If they had warrants giving them access to information they wanted it would have been overkill to do something like that, risk getting caught, and now have to go to the company for intelligence cooperation in the information.


And if the NSA should break the law that makes it illegal to hack networks in this way, what would be its punishment? Do we send the NSA to jail? Do we fine the NSA? Who do you think pays for the lawsuit (punishment, legal team, etc.) when the NSA breaks the law?

As for the agent: two words - qualified immunity


I had the same thought as you, which is why I posted the skeptical response "... All without telling anyone or getting noticed by ops people etc."

To anyone who notices, there's always "shut up and not notice." But there's also "oh that rsync you see there is for our geographically redundant backup facility" or whatever -- in other words, dissembling.


As an engineer for a tier 1, I can affirm that such requests seem to enter the company laterally at the VP level.



