[szc]

Sorry, but I do not believe that is what the leak revealed.

There was a slide that indicated that data from Apple and other companies was now part of the PRISM program.

I am not trying to deny or refute Snowden's whistleblowing. I think it is highly likely that PRISM exists. What I dispute are the speculations that the companies listed are complicit.

The 2012 date is quite suspicious - it is precisely the same year that a new Apple datacenter in Prineville came online. Facebook also has a datacenter. Literally next door. Facebook also appears on those slides. I am not sure who else is also now in the area.

I wonder where all of the network cables go?

I personally think that PRISM works by externally intercepting data communication lines running to these facilities. Similar to the rumors that international comms links have been tapped. The companies themselves have not participated, but the data path has been compromised.

The NSA has previously tapped lines (AT&T), but they made the mistake of doing it inside the AT&T building. Google "Room 641A at 611 Folsom Street, SF". That is where "beam splitting" was done. This eventually leaked out. The NSA isn't stupid, I doubt they wanted to repeat that sort of discovery. The best way to keep something from being discovered is to not let people know. This is why I think it is believable and likely that the companies listed on the slides have no idea what has been done.

I will also note that PRISM and "beam splitting" are a rather cosy coincidence.

I think it is most likely that PRISM is implemented without the knowledge of anyone except the NSA and in Prineville there is some "diversion" of network cabling to a private facility that is tapping the lines.

[lmm]

> I personally think that PRISM works by externally intercepting data communication lines running to these facilities. Similar to the rumors that international comms links have been tapped. The companies themselves have not participated, but the data path has been compromised.

That wouldn't work without the company being at least passively complicit. Links between datacenters are encrypted. If you want even basic PCI-DSS compliance then links between racks must be encrypted (and a rack that uses unencrypted links must be physically secured). And properly implemented TLS or equivalent (which is table stakes for a company that takes this stuff at all seriously) can't be broken by the NSA directly (and if it could be then everything would be hopeless). Thus the MUSCULAR programme where the NSA put their own equipment in Google's datacenters - that's really the only way you can do it.

Remember how the legal regime in the US works with National Security Letters. Companies can be, and are, required to install these backdoors and required to keep their existence, and the existence of the letter itself, secret. Of course Google, Apple, Facebook, every other company with a significant US presence is in receipt of one of those letters and has installed backdoors - the NSA aren't stupid, what else would those laws and their funding be for?

[dijit]

There’s a lot of incorrect information here.

PCI-DSS does not mandate encryption between racks or datacenters, maybe your own PCI compatible policy does. I’ve worked in PCI-DSS environments (one of which being tier 1 with on-site cardholder data) and we didn’t need to have encryption between racks.

Site to site VPNs are common for smaller companies too, those are encrypted, but the thing with encryption is that there are physical limits to throughput.

For a standard CPU I think it was 3.5Gbp/s or so in 2018, if you want to get much higher (like 9Gbps) then you need special hardware offloading which is expensive.

What is cheap (comparatively), is laying your own fibre cables.

Then it’s “basically” secure and you can have a single cable carrying 100GBPs over a mile.

This is what google used to do, I suspect this is what Apple used to do- this is what many people do.

Google’s solution does not involve site to site VPNs, Google’s solution was to make all internal network traffic encrypted, but the lines do not get implicitly encrypted because they go over that path, like a vpn would.

[szc]

This thinking is based on trusting "encrypted" links. Did you build the hardware that drives these links? Did you audit the Verilog or code that operates this hardware?

I know of at least one way a to implement a "secure" TLS product that you could purchase and deploy in your datacenter that would leak all of the the keying material to compromise every data connection to the NSA. You would be 100% in compliance of all technical requirements, but your data would be utterly transparent. You would not be able to detect this using an internal or external audit.

Did you purchase your rack-to-rack equipment from the equivalently Trojaned "Solar Winds" vendor? The "Solar Winds" event was a "commercially" botched exploit.

Sorry, NSL(s) do not scale. It is an ever expanding "circle of trust".

Containing secrets is only effective if they are only shared within "your shared culture" and your culture is very stable -- nobody leaves because of a difference of opinion.

NSL can only be effective if nobody knows.

[salawat]

Mmmmhmmm. Guess who gets the NSL? Legal and exec team. Guess who are selected occupationally for the ability to keep one's mouth shut?

The velvet glove gets more mileage than you think.

[croutonwagon]

>That wouldn't work without the company being at least passively complicit. Links between datacenters are encrypted.

They aren't always. In fact the Snowden leaks were the actual event that got many of these companies to do just that.

You mentioned MUSCULAR, but it was that revelation that the DC to DC connections were not in fact encrypted. I believe that program was taps on the DC connections, since the SSL connectivity was added and then removed in the front end, leaving the replication in the clear. Google seemed to be relying on the physical security of those links and them not being on some shared infra. [1]

WARNING: the link below has classified info from the Snowden leaks. If you have a security clearance, dont click it.

[1] https://www.washingtonpost.com/world/national-security/nsa-i...

[closeparen]

As I recall, Google reacted to the Snowden leaks by encrypting traffic within and between its datacenters, which it had not previously been doing.

[alfiedotwtf]

> I wonder where all of the network cables go?

Remember the smiley face in the slide deck?

[szc]

I do not. It would be helpful to enumerate the specifics of this rather than to play the role of a cheshire cat and say nothing.

(I am independently looking for this, but cannot currently confirm)

[alfiedotwtf]

Sorry, I thought it was part of the collective. ICYMI:

https://slate.com/technology/2013/10/nsa-smiley-face-muscula...

[szc]

Thanks.

This can be entirely explained if the NSA had already performed a "solar winds" supply chain attack on the vendor that supplied the TLS encrypt / decrypt endpoints. Is the vendor of that hardware known or discoverable?

Google would have no idea the traffic could be intercepted. The NSA could use the Smiley face, perhaps with a nudge, nudge, wink, they are now a "supplier of data" on slides.