Yahoo wins motion to declassify court documents in PRISM case (cnet.com)
477 points by falk on July 16, 2013 | 86 comments


I'm switching back to Firefox and exploring Yahoo equivalents to Google products? Hell must be getting pretty cold right about now.


Yahoo still doesn't use HTTPS by default, for email or search.

Not using HTTPS is a huge, gift-wrapped present to the NSA. It also means that the NSA can get Yahoo users' communications without even having to bother Yahoo, as they can get it with the assistance of backbone networks. Lower legal compliance costs for Yahoo, and the NSA gets what they need.

Seriously, Yahoo is awful on privacy and security. Don't reward them with your business.


Hm, I think the HTTPS thing is overblown for sites that are hosted in the US. Almost no large sites do HTTPS termination on the actual app servers; it would be the simplest thing in the world to put the collection device behind the HTTPS endpoint.

Why bother trying to piece together data flows over a bunch of disparate backbone networks when you can just hook up a collector at the wellspring? I'm sure they'd be delighted to be able to tick off that whole company as "done", and set the Verizon taps etc. to ignore anything to them, secure in the knowledge they were getting it all elsewhere.


You're thinking about it incorrectly. While termination at a load balancer is common, at least then you're in the company's network by the time your data is being transmitted in the clear.

It's far different for traffic to be plaintext from a load balancer backend, switch, to server interface than over X number of hops.


> you're in the company's network

Yes, of course. What's incorrect?

I'm just saying that if you have unlimited ability to make secret tapping demands from whoever you want, you might as well make it easy for yourself and just go straight to the source.


>you might as well make it easy for yourself and just go straight to the source.

I feel as if I'm not fully understanding you. Are you saying that because you expect your traffic to be read by a government agency, you might as well let any/everyone see your data?


Sorry. I am evidently not explaining myself well.

I am saying that people seem to be putting a lot of trust into HTTPS to shield them from NSA monitoring. If I was the NSA, and could just tap whatever I wanted, I'd obviously set up my tap on the other side of the encrypted tunnel.

And let's not exaggerate. Only a very few organisations would have any ability to read your data even if sent unencrypted, barring of course wifi. It's simply not true that "any/everyone" can see your data if you're on a private LAN at home.

That being said, of course I prefer HTTPS. I just have no illusions that it's going to stop someone who can just waltz into the DC holding an NSL. There's no security from someone with physical access to the network.


I think NSA is cognizant of the fact that they could lose the FISA authorization to collect from endpoints at the internet services sometime soon, while they're more likely to retain access to the backbones.

It's bass ackward, since access to the trunk lines lets you read everything. However, most people don't understand what internet backbones are. They do know what PRISM, Facebook, Yahoo, and Google are.

As such, I can see HTTPS providing some limited security from dragnet surveillance, but it certainly wouldn't help if you caught their attention. Remember, NSA can straight up break weak encryption, and SSL/TLS is probably in that category.


I think the ability to break SSL would be a major trump card that wouldn't be shown that easily - can you cite any sources?


First, FBI cracked 512-bit disk encryption in a recent case, seemingly with NSA help, so it seems they've got some pretty powerful brute forcing capabilities. SSL is generally only 256-bit. http://www.fiercecio.com/techwatch/story/fbi-cracks-encrypte...

Second, since some sites don't use Diffie-Hellman key exchange (which provides for perfect forward secrecy), they don't even need to work that hard. They can just grab the keys in transit.

Third, with a MITM attack, you can just drop in a box that makes SSL connections on both ends transparently. Therefore neither endpoint knows the encryption is being routed through a third malicious point. See e.g. http://www.zdnet.com/how-the-nsa-and-your-boss-can-intercept...

None of this proves definitively that the NSA can do this, but it does mean that if you have something to hide you'd be foolish to rely purely upon SSL.


Some very doubtful assertions here.

> FBI cracked 512-bit disk encryption in a recent case

Very hard to believe that they brute-forced 512-bit AES. More likely they guessed, or otherwise located, the key, or found some implementation flaw in the software/device.

> don't even need to work that hard. They can just grab the keys in transit.

If and only if they have the private key. Which, I concede, they may well be able to get.

> Third, with a MITM attack, you can just drop in a box that makes SSL connections on both ends transparently

No you cannot, not without installing a cert on every single user's machine. This would have been noticed if it was going on.

I admit that now I think about it, putting taps on DC data connections and simply requiring sites or the DC to provide any and all private keys would be substantially less invasive/visible than actually putting taps into the building, and with basically the same effectiveness (except for the PFS thing).
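An added toy model (not code from any commenter) of the distinction the two posts above are arguing about: with RSA key transport, a recorded handshake plus the server's private key yields the session secret; with ephemeral Diffie-Hellman, the private key only signs, so the recording reveals nothing. All key and group parameters are constructed and far too small for real use.

```python
"""Toy model of RSA key transport vs ephemeral Diffie-Hellman (DHE) in TLS.

RSA key transport: the client encrypts the premaster secret to the server's
long-term RSA key. Anyone who recorded the handshake and later obtains the
server's private key recovers the secret.

DHE: the long-term key only signs. The session secret comes from one-time
exponents that never cross the wire, so recording plus private key yields
nothing (perfect forward secrecy).

All parameters below are constructed toy values for illustration only.
"""
import hashlib
import secrets

# Constructed toy RSA key from two Mersenne primes (not secure).
RSA_P, RSA_Q = 2**89 - 1, 2**107 - 1
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's private exponent

# Constructed toy DH group (not secure).
DH_P, DH_G = 2**127 - 1, 3


def rsa_key_transport():
    """Client picks the premaster secret and encrypts it to the server key."""
    premaster = secrets.randbelow(RSA_N)
    ciphertext = pow(premaster, RSA_E, RSA_N)       # this goes over the wire
    server_secret = pow(ciphertext, RSA_D, RSA_N)   # server decrypts it
    transcript = {"kind": "rsa", "encrypted_premaster": ciphertext}
    return premaster, server_secret, transcript


def _digest(value):
    """SHA-256 of a DH public value, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % RSA_N


def _sign(value):
    """Toy RSA signature (no padding; demo only)."""
    return pow(_digest(value), RSA_D, RSA_N)


def verify(value, signature):
    """Anyone with the public key can check the server's signature."""
    return pow(signature, RSA_E, RSA_N) == _digest(value)


def dhe_key_exchange():
    """Both sides use one-time exponents; the RSA key only signs."""
    a = secrets.randbelow(DH_P - 2) + 1             # client's ephemeral exponent
    b = secrets.randbelow(DH_P - 2) + 1             # server's ephemeral exponent
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    client_secret = pow(server_pub, a, DH_P)
    server_secret = pow(client_pub, b, DH_P)
    transcript = {"kind": "dhe", "client_pub": client_pub,
                  "server_pub": server_pub, "signature": _sign(server_pub)}
    return client_secret, server_secret, transcript


def passive_observer(transcript, server_private_exponent):
    """What a recording plus the server's private key lets an observer compute.

    Returns the session secret if the transcript reveals it, else None.
    """
    if transcript["kind"] == "rsa":
        # The secret itself was encrypted to the key the observer now holds.
        return pow(transcript["encrypted_premaster"], server_private_exponent, RSA_N)
    # DHE: the private key only signs. The secret is g^(ab); getting it from
    # g^a and g^b is a discrete-logarithm problem the key does not help with.
    return None


if __name__ == "__main__":
    pre, _, tr = rsa_key_transport()
    print("RSA transport, observer recovers secret:", passive_observer(tr, RSA_D) == pre)
    c, s, tr = dhe_key_exchange()
    print("DHE, endpoints agree:", c == s, "| observer gets:", passive_observer(tr, RSA_D))
```

The same recording-plus-key scenario is what the "except for the PFS thing" caveat above refers to: only the DHE transcript survives disclosure of the long-term key.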


RC4 is still a very widely used cipher, and its security is pretty questionable. See, for instance, http://www.isg.rhul.ac.uk/tls/


s_q_b, you are hellbanned. I can't reply directly.

I don't really believe the NSA can effortlessly break TLS at will. That just seems too far fetched. What kind of alien supertechnology do people suppose they have?

I prefer Occam's razor. If the NSA are interested in XYZ.com, they'll just go to XYZ.com's DC and put a damn traffic splitter on their network. There wouldn't be too many XYZ.coms before they covered a huge majority of the kind of traffic they're interested in.

Sure, they'll do the backbone listening as well, just because they can, but most of the time I don't see why they'd bother. Sure they could lose the authorisation. An asteroid could hit the earth. In the meantime...

edit: s_q_b's hellban seems even less justified than usual.

edit 2: nice work removing the hellban, mysterious admin person. Was not justified.


If NSA has to ask Google to get into their datacenter, it's already as bad as if Google gives them the data (or is forced to do so).

Also some companies (e.g. Cloudflare, which has it documented somewhere) use TLS 1.2 in their internal network as well.


In fact, Google is the only major company who uses TLS for mail transfers: http://i.i.cbsi.com/cnwk.1d/i/tim2/2013/06/21/Webmailencrypt...


By default, no. But you can easily enable it. At least for mail/calendar/contacts.

https://www.eff.org/deeplinks/2013/01/yahoo-mail-makes-https...


Wait, what? Yahoo is still part of PRISM. We don't really know how Google, Apple, Dropbox, etc. reacted to attempts by the NSA to be put under PRISM.

We only know that Microsoft wilfully made it as easy and accessible as possible, but no other company has been revealed to be more culpable (or victimized?) than the rest.


I think it is pretty clear that the person you are responding to is pleased with the progress Yahoo is making. Criticizing them for still being a part of PRISM is not entirely fair as I imagine these companies are all being coerced. To see good news about Yahoo taking an anti-PRISM stance, see someone say "I'm going to use Yahoo products more" and then say what you said seems a bit disingenuous honestly.


Well, Apple was the last of the bigs to buckle.


Apple was probably the last approached as until fairly recently they didn't have any data as their cloud services were categorical failures.


No data? What about iTunes?


iTunes is not the product that would get the NSA salivating - not much of its data was that useful imo before the phones came out. It's about phones and messaging. When did iMessage get released? How long have Apple been able to track your location with GPS? How long have you been storing your photos on the cloud (whether or not you realised it) etc etc.

Once they had 1-2 of the big tech companies as precedent they really just would have started to go round to anyone they thought might be of interest. Because that is the whole point. Collect everything you can get your grubby mitts on and sort through it later.


If the NSA actually pays any consideration to how the value of their data helps find "terrorists"/criminals, iTunes data is probably not particularly valuable.


I don't know. Apparently Syria's Assad used iTunes:

http://www.guardian.co.uk/world/2012/mar/14/assad-itunes-ema...

I imagine it'd be an easy way of finding the IP addresses of the devices actually being personally used by him (hypothetically speaking).


Yahoo won a right to demonstrate they did resist the government. They did resist, but have lost anyway.

So... no. Yahoo is not a NSA-free land.


Nobody on the internet is NSA-free as they're siphoning photons off the fiber optic cables. I choose to give my support to those fighting tooth and nail against the surveillance, and right now the evidence points towards Yahoo doing that better than most.

Plus they got a glittery gold star from the EFF!


> right now the evidence points towards Yahoo doing that better than most

I see your point. Still, Yahoo may be just the first to win the right to disclose. Similar decisions may follow towards Google and MS, for example, and -- oh horror -- HN.


HN is all public messages anyway. There's no private message feature. The only data they have to give is what you've upvoted and your email. (Though that former set of data might be interesting.)


I hope you're right, I may have to reconsider. But honestly I love a good comeback story and have been rooting for Yahoo since Mayer took over.


E-mail comes with some expectation of privacy due to addressing and targeted communication. Hacker News is public content. Apples and oranges.


Yes, on HN it is public (for example) that a user with the nickname "abcdefg" made some statement about cryptography in general and some government projects in particular.

What is not public is who "abcdefg" is in real life. What is their IP, for instance, at time moment T?

Under some conditions NSA may be interested and request this information from HN.


Sure, but it's a public forum. Only a naive person has any expectation of long-term anonymity.



I agree. Time to take a look at Yahoo and Firefox. Been years.


> right now the evidence points towards Yahoo doing that better than most.

Evidence still points to Google quite solidly leading in this area. Yahoo has 1 gold star from the EFF, Google has considerably more.

Assuming you place any value in glittery gold stars from the EFF, that is.


It's unclear whether Yahoo did fight tooth and nail. They were assimilated into PRISM on 3/12/2008 according to the leaked slide. Other companies (particularly Apple) took longer to undermine and presumably put up more of a fight.


Not necessarily. Remember that Apple is a hardware company first. They may simply have had nothing of interest to the NSA until more recently.


Yes, all major firms are culpable in this, but if their beliefs are in line with mine (we should know what the gov does) then I should support them and use their product.


Lesser of many evils? What about DDG? How accurately can the NSA track DDG queries that get farmed out to the 3rd party search engines (Bing? and others?)?


Yahoo still ranks far, far behind Google (and Twitter, and Dropbox, and etc...) according to the EFF: https://www.eff.org/sites/default/files/who-has-your-back-20...


As far as this NSA stuff goes though, May 13th is painfully out of date.


Yahoo should buy Blekko, and then try to develop its own search engine again.


Chrome > Firefox


It's good, but it's not US Constitution good. None of the companies involved should obey the law in this matter, and they should adhere to their moral responsibilities and reveal everything they know.

Plus, I doubt locking up the CEOs of the world's largest tech companies would work out well for any government.


If they were arrested, they wouldn't be arrested for "failure to comply with national security requirements" or whatever. They would more likely be arrested for insider trading or something equally plausible.


Don't think the current administration would risk that; the Republican-controlled House is looking for any shred of a scandal to have hearings, they are itching to impeach Obama. More than likely you'll see the executive branch wouldn't do any business (advertising etc.) with Yahoo and the military would do some knee-jerk reaction like banning armed service personnel from viewing Yahoo properties, similarly to what they did with the Guardian. It's easier and safer to cut the money streams. Luckily for Yahoo it isn't much, unlike Microsoft or AT&T who have more to lose in terms of government contracts.


"None of the companies involved should obey the law in this matter"

Let's see how you will behave when people with guns tell you they will take your property, and probably you, for not obeying the orders.


If it gets that far, then it's safe to assume I've already lost the fight and I'm probably behind bars or dead.

Let's see what you do.


Moral laws are sooooo vastly different among people that an attempt to adhere to them will equal general anarchy.


excuses excuses


> "The Government shall conduct a declassification review of this Court's Memorandum Opinion of [Yahoo's case] and the legal briefs submitted by the parties to this Court," the ruling read.

What I don't get here: it was told many times that the FISA court only hears one side, namely the government. Here though Yahoo seems to be named a party in the Court. Have the rules changed? o_O


You have to understand that contrary to the single story the news presents, the FISA court is actually responsible for hearing a bunch of types of things.

There are three categories, and I haven't read hard enough (and don't have time to right now) to distinguish all the use cases.

You have 50 USC 1803, which is a one-sided deal currently (and what you hear most about)

You also have 50 USC 1861f, which a party can challenge.

You also have 50 USC 1881a, which a party can challenge.


At least they stopped getting Chinese dissidents locked up http://en.wikipedia.org/wiki/Criticism_of_Yahoo!


In USA Yahoo complies with US laws.

In China Yahoo complies with Chinese laws.

Dura lex sed lex.


All of these services could provide convenient key exchange, web-of-trust, secure email and storage, and secure communications services with ephemeral keys. They might have to charge money to do so, but they could all raise the cost of surveillance by orders of magnitude, if not make it impractical, and remain within US law. If they wanted to.


The company has changed leadership since then. One can hope for things to get better.


As long as laws in a particular jurisdiction remain the same, nothing could change much.

Maybe it gets a little less public, eh.


The Wikipedia article seems to imply that Google and Microsoft keep their users' private data outside of China, which means they don't have to comply, but IANA(Chinese)L.



Hmm, it doesn't say they get to declassify, only that the classification must be reviewed, and then the document published with any properly classified information redacted.

Expect a letter of all black lines.


Question:

>Yahoo has previously denied the allegations regarding participation in the program, calling them "categorically false."

That's what they say, but doesn't this just show that while they fought it, they did participate because they lost the fight?[1]

I'm not aiming to say "liar, liar, pants on fire" since they were probably required to say that (if my reading is accurate). I'm just wondering if they were required to say that, as this is nearly evidence of it, which would cast even more doubt on the other companies' denials.

[1] https://www.eff.org/deeplinks/2013/07/yahoo-fight-for-users-... (thanks, cmwelsh!) in particular this quote:

>Ultimately, the Court of Review ruled against Yahoo, upholding the constitutionality of the Protect America Act and ordering Yahoo to turn over the user data the government requested.

Though they can't say what was turned over.


> I'm not aiming to say "liar, liar, pants on fire" since they were probably required to say that

Can a court really order a person to lie, though?


This particular court? Yes. It's required by the law.



The leaked slide says that Yahoo was assimilated into PRISM on 3/12/2008. I assume that must be some time after the secret court decision.


>...Yahoo was assimilated into PRISM...

Resistance is futile.

Big box data center in the emptiness of the Utah desert where the online "you" - your private photos and intimate chirps ...err ... tweets - will be stored for posterity and peered over again and again by a lifeless Big Data program ... Not of course that it hasn't been happening for the last 10 years in Mountain View or in Palo Alto/Menlo Park :)


Wow. First they lie and deny, now this.

What does this mean for Google and the others participating in the program? I'd love to read some explanations from Page, Yonatan Zunger, Matt Cutts and friends. These guys were swearing up and down that Google had no involvement.


> I'd love to read some explanations from Page, Yonatan Zunger, Matt Cutts and friends. These guys were swearing up and down that Google had no involvement.

They swore they didn't allow the NSA to access their servers. All we know that they do is comply with lawful requests for users data. There was no lying involved.


No, not quite.

> Google had no involvement in the PRISM program and the first we heard of it was when Greenwald's article hit the press. -Yonatan Zunger

I'd say that's a pretty big lie right there.


Where's the lie? PRISM is the name of an NSA software package used to collate data the agency receives under a well-known section of the Foreign Intelligence Surveillance Act.

But because of poor reporting and unintentional errors, the name of a software program used to analyze data has become transmogrified into (1) a "government program" that companies (2) "participate in" that gives the NSA (3) "direct access" to their servers. Not one of those three assertions is true.


You seem to be spinning it the same way the participating companies were.


I reached these conclusions as a result of my own reporting: http://news.cnet.com/8301-13578_3-57593538-38/ http://news.cnet.com/8301-13578_3-57588337-38/

I note you didn't actually allege I'm wrong. If you have evidence my representations are incorrect -- and this is HN, after all -- kindly say so directly.


All three points you made seem to be irrelevant.

1) NSA is a government agency and PRISM is a blanket-term for the surveillance state in effect by the US Government. There are many other programs and names.

2) These companies certainly do participate in them under order by the US Government (FISA court).

3) The term "direct access" is quite silly to argue on since the NSA is slurping up any data possible through as many means necessary.

So when Google, Yahoo, Apple, Facebook, etc said they didn't participate in the program and NSA didn't have direct access, they were lying.


An alternative explanation is, of course, that you haven't researched the topic.

1) You are incorrect to say "PRISM is a blanket-term for the surveillance state in effect by the US Government." You may wish to think it is, but wishful thinking does not mean it's true. Accuracy matters.

2) The Internet companies do not "participate" in PRISM, which is a software utility. That's like saying I "participate" in Excel or Chrome. They do turn over data when compelled to through the Foreign Intelligence Surveillance Act and other laws. If an ambulance following you turns on its lights to tell you to pull over, you're compelled to do so -- it doesn't mean you're "participating" in a medical emergency.

3) You're right that the NSA would like to slurp up data through as many means as it can. That doesn't mean it is. Put another way, the fact that I would like to have Bill Gates' bank account does not mean I actually do.

If you possess actual evidence that Internet companies "participate" in PRISM, as opposed to being compelled by law and legal threats, and if you have evidence that the NSA has "direct access" to the Internet companies' servers, kindly share it. Otherwise I'm not sure what your point is, except to argue for the sake of arguing.


Ah, I get it. You're still riding this wave: https://plus.google.com/+EricSchmidt/posts/XfgQ1PXzM5g

It's a non-denial denial and Eric Schmidt is the last person I'd trust to be truthful on the matter. Deny doing something you weren't actually accused of doing, but that sounds enough like it, so that you don't have to deny doing the thing you actually did.

"Nope! Not Direct!"

SFTP, virtualized access, automated access - it's all the same but as long as they can find something to deny, they'll run with it. Accuracy matters when you need to spin the lie.

You're talking about arguing for the sake of arguing but that's exactly what you're doing. You can play cheerleader and spin the lies the PR masters put out and I'll continue to read the leaked documents for the truth.


If you somehow claim that doing independent reporting (and reaching independent conclusions) is "spinning," then my attempts at having a reasonable conversation are futile. I will note, once again, that you haven't refuted a single claim I made about the three main errors in reporting on this topic.


I will note, once again, I already did but you're choosing to ignore them since you can't seem to shake away from the "direct access" fallacy because Schmidt told you otherwise.


So wait, if PRISM is merely the process by which NSA et al request data on individual suspects which are then reviewed and fulfilled with human involvement (as the denials by Google etc purport)... why did Yahoo see fit to challenge their involvement?


Yahoo didn't challenge their involvement in PRISM according to these court documents. They instead challenged FISA orders. PRISM is not mentioned anywhere. The shitty CNET article is conflating the two, but they are not the same.

So no, Yahoo has not contradicted themselves.


Bingo. We've been misled and lied to by every company implicated. We have no reason to trust them. At least Yahoo! is fighting back. Now if only they would remove that damn exclamation mark from their name.


.. "redacts any properly classified information" ..

Who gets to decide what is properly classified information? They can redact the document in such a way that it carries only vacuous material and thus passive-aggressively refuse even if they are compelled.


This proves nothing, since PRISM likely isn't the only program run by the NSA.


I'd love to switch to ymail, if it didn't suck so bad. I just read that Y! will be /reassigning/ email addresses that have not been used (no login) for a year.


yay!

yahoo, the internet giant whose products gather data from evuhreybaddy, is on our side!

now all our problems are solved and we can sleep at night

oh wait...


They must have been doing something right. They won commendation from the EFF today for their longstanding secret fight against the United States government.

https://www.eff.org/deeplinks/2013/07/yahoo-fight-for-users-...


So brave.



