The article is dated "May 6, 2014 5:00AM ET", hardly news...
To me it seems more like the NSA wanted to make the Web giants aware of new or unmitigated threats. Here's a quote from Gen. Alexander:
“About six months ago, we began focusing on the security of mobility devices,” Alexander wrote. “A group (primarily Google, Apple and Microsoft) recently came to agreement on a set of core security principles. When we reach this point in our projects we schedule a classified briefing for the CEOs of key companies to provide them a brief on the specific threats we believe can be mitigated and to seek their commitment for their organization to move ahead … Google’s participation in refinement, engineering and deployment of the solutions will be essential.”
> Edit: Not entirely sure why I'm being downvoted for this
You are implying something negative about Google. There are a lot of Google employees and Google fanboys active on HN that will happily downvote anything negative on Google whether it has merit or not.
That is not to say that everyone who works at Google or who likes Google products cannot accept criticism but a number will downvote you regardless. The same applies to Apple, Microsoft and other cliques. If you make a negative post about them, be prepared for downvotes.
In addition you are not presenting any proof and even though your point may be perfectly valid and correct it does smack of a conspiracy theory which tends to attract downvotes as well. Who knows what the real truth is, just don't use Google products if you are concerned, there are alternatives out there.
> Yes it does. A year ago "it seemed" that the internet wasn't 100% insecure, however.
Who that knows anything about the internet ever thought it wasn't 100% insecure? It's a distributed network built on routing packets through untrusted intermediaries, and many of the core protocols send plain-text data in those packets. It's 100% insecure by design.
I'm very concerned about the mass surveillance revealed by Snowden, but based on those links I can't really see that any cooperation was needed.
The last link makes it quite clear that this is about the NSA reflashing machine BIOS with a compromised version ("Through remote access or interdiction"). If the NSA decides to reroute your shipment of a new computer to their facility to mess with it, no amount of BIOS security is going to stop that. The same applies if they already have remote access (I'm guessing in that case it's about implanting a persistent backdoor in case the targeted user wipes his machine).
I would expect that they have ready-to-go compromised BIOS replacements with persistent backdoors for most popular machines.
The tomsitpro article suggests that this has been "solved" by UEFI signed BIOS firmware, which is just ridiculous. Does anyone really believe that the NSA does not have access to means to get stuff signed by CAs? Just looking at what they're trying to do they would be seriously incompetent if they did not (the CA system is a joke!). And even if they were so incompetent, what's to stop them from using a hardware flasher to flash the BIOS chip directly if they already have physical access to the machine through interdiction?
And this is where reasoned debate turns into conspiracy theories.
> we already know from Snowden that the bios bit is a lie
Do we? So because they discovered a vulnerability in a particular Dell server in 2007 (discovered != introduced) this means that they could not have possibly disclosed details of a different bios vulnerability to tech giants years later?
> Not entirely sure why I'm being downvoted for this
Because you are claiming opinion and speculation as fact.
The NSA's biggest public facing role is to provide security to the government and private sectors. It's not at all unusual or suspicious that Alexander would meet with top CEOs to discuss security and mitigation strategies, without any of the CEOs knowing the extent of the wiretapping going on.
I highly doubt anyone at Google was aware of traffic being intercepted between their data centers during these meetings as well. I'm sure Alexander knew, but he only told Google what they needed to know.
This just exemplifies the NSA's role of being the crack dealer of information security. There's always a free sample, and it's always addictive enough to get you coming back for more, at their costs. Google et al got info on actual threats, so when the NSA came back later to ask for "favors", a lot of critical analysis of what the actions really entailed that should have been done was left by the wayside.
Then again, the NSA has a pretty long history of doing this. Look at the work the NSA did on DES, for example. They strengthened the S-boxes against differential cryptanalysis at the cost of ensuring that they'd be able to brute force things secured with the algorithm years before anyone else could.
Not to be an apologist but I've only ever heard the first part - that they strengthened the S-boxes against differential cryptanalysis at a time when everyone else was still 10 years away from discovering it.
If you mean with the second part that the key was shortened from 64 to 56 bits then that made it easier for everyone to brute force it, provided you had the resources.
Yes, it made it easier for everyone, however, because the NSA had a lot more money to throw at the problem, they could do such years ahead of anyone else. Also, the NSA originally was trying to get IBM to use a 48-bit key; 56 bits was a compromise.
The Technical Director of the NSA Information Assurance Directorate gave a less sinister explanation for this in a keynote talk[1]. It was dropped from 64 bits to 56 bits for two reasons: 1) they wanted to add 8 parity bits to make it more robust for tactical military use, and 2) they decided that 56 bits would be an acceptable key length to only last for a couple decades before it would have to be replaced. They had no way of knowing in 1976 what advances in cryptanalysis would be made over the next several decades, and wanted to make sure that the public wouldn't be tempted to rely on any one particular algorithm longer than was necessary.
This might seem counter-intuitive at first, but remember that the biggest threat to NSA cryptography was from Soviet cryptanalytic work, not from the public sector. Public researchers would publish any advances they made. If the Soviets cracked DES there wouldn't be any public notification - they'd just siphon off sensitive data for years until they were caught.
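Worked example of the key layout the comment above describes (added here; it is not code from any commenter or from the article). The functions are mine, in Python, and assume the standard DES convention that each of the 8 key bytes carries 7 key bits in its high positions and one odd-parity bit in bit 0, so that a 64-bit key holds 56 bits of key material. The sample key value is constructed for illustration.

```python
"""DES key parity helpers (added example, not from the thread).

Assumption: the standard DES convention that each of the 8 key bytes holds
7 key bits in its high positions and an odd-parity bit in bit 0.
"""


def popcount(b: int) -> int:
    return bin(b).count("1")


def add_parity(key56: int) -> bytes:
    """Expand a 56-bit key into the 64-bit DES key with odd parity per byte."""
    if not 0 <= key56 < (1 << 56):
        raise ValueError("key must fit in 56 bits")
    out = bytearray()
    for i in range(8):
        seven = (key56 >> (49 - 7 * i)) & 0x7F  # next 7 key bits, MSB first
        byte = seven << 1
        if popcount(seven) % 2 == 0:  # make the byte's 1-bit count odd
            byte |= 1
        out.append(byte)
    return bytes(out)


def strip_parity(key64: bytes) -> int:
    """Recover the 56 key bits; the parity bits carry no key material."""
    if len(key64) != 8:
        raise ValueError("DES key is 8 bytes")
    k = 0
    for b in key64:
        k = (k << 7) | (b >> 1)
    return k


def bad_parity_bytes(key64: bytes) -> list[int]:
    """Indices of bytes whose parity is not odd (corrupted in storage or transit)."""
    return [i for i, b in enumerate(key64) if popcount(b) % 2 == 0]


def detects_every_single_bit_flip(key64: bytes) -> bool:
    """Per-byte parity catches any one-bit error in the key, wherever it lands,
    and points at the byte that was hit."""
    for pos in range(64):
        corrupted = bytearray(key64)
        corrupted[pos // 8] ^= 0x80 >> (pos % 8)
        if bad_parity_bytes(bytes(corrupted)) != [pos // 8]:
            return False
    return True


if __name__ == "__main__":
    sample = 0x0123456789ABCD  # constructed 56-bit value, not a real key
    k = add_parity(sample)
    print(k.hex(), bad_parity_bytes(k), strip_parity(k) == sample)
    print("all single-bit flips detected:", detects_every_single_bit_flip(k))
```

The point the comment makes falls out of the code: the parity bits buy error detection for a key handled by hand or over a noisy link, but they contribute nothing to the search space, which is why the effective strength is 2^56 rather than 2^64 regardless of how the 64 bits are stored.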
As far as I can decipher - because like most news posts, it contains a lot of words without a matching volume of content - the core of the content can be boiled down to:
* Silicon Valley CEOs and the government had meetings on protecting infrastructure.
* A BIOS infiltration plot was derailed, but the details on it were technobabble, according to an expert: https://news.yahoo.com/60-minutes-bios-plot-may-214330769.html
* Alleged backdoor in BIOS. The linked article on Spiegel is about routers: http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
* Government continues to enlist company help in thwarting attacks, specifically targeting mobile devices. Again, details are sparse.
There's no direct evidence, and it's unlikely you'll ever find any, that Google or indeed most other companies are directly giving the government access to private data. The biggest issue is the obvious conflict of interest as noted by observers where the NSA is trying to protect infrastructure while having a means to weaken it benefits them as well.
So does Google but the article specifically says, "and other industry executives". Microsoft has long been known to freely divulge information to the NSA while Google has long complained about government intrusion and publishes such information requests when it can.
Please don't be under the false impression that Google, and only Google, is complicit in these things as headlines like this imply.
In fact, the headline implies there is wrongdoing going on which, on its face, is blatantly false. There is no fact.