[lmm]

> I personally think that PRISM works by externally intercepting data communication lines running to these facilities. Similar to the rumors that international comms links have been tapped. The companies themselves have not participated, but the data path has been compromised.

That wouldn't work without the company being at least passively complicit. Links between datacenters are encrypted. If you want even basic PCI-DSS compliance then links between racks must be encrypted (and a rack that uses unencrypted links must be physically secured). And properly implemented TLS or equivalent (which is table stakes for a company that takes this stuff at all seriously) can't be broken by the NSA directly (and if it could be then everything would be hopeless). Thus the MUSCULAR programme where the NSA put their own equipment in Google's datacenters - that's really the only way you can do it.

Remember how the legal regime in the US works with National Security Letters. Companies can be, and are, required to install these backdoors and required to keep their existence, and the existence of the letter itself, secret. Of course Google, Apple, Facebook, every other company with a significant US presence is in receipt of one of those letters and has installed backdoors - the NSA aren't stupid, what else would those laws and their funding be for?

[dijit]

There’s a lot of incorrect information here.

PCI-DSS does not mandate encryption between racks or datacenters, maybe your own PCI compatible policy does. I’ve worked in PCI-DSS environments (one of which being tier 1 with on-site cardholder data) and we didn’t need to have encryption between racks.

Site to site VPNs are common for smaller companies too, those are encrypted, but the thing with encryption is that there are physical limits to throughput.

For a standard CPU I think it was 3.5Gbp/s or so in 2018, if you want to get much higher (like 9Gbps) then you need special hardware offloading which is expensive.

What is cheap (comparatively), is laying your own fibre cables.

Then it’s “basically” secure and you can have a single cable carrying 100GBPs over a mile.

This is what google used to do, I suspect this is what Apple used to do- this is what many people do.

Google’s solution does not involve site to site VPNs, Google’s solution was to make all internal network traffic encrypted, but the lines do not get implicitly encrypted because they go over that path, like a vpn would.

[szc]

This thinking is based on trusting "encrypted" links. Did you build the hardware that drives these links? Did you audit the Verilog or code that operates this hardware?

I know of at least one way a to implement a "secure" TLS product that you could purchase and deploy in your datacenter that would leak all of the the keying material to compromise every data connection to the NSA. You would be 100% in compliance of all technical requirements, but your data would be utterly transparent. You would not be able to detect this using an internal or external audit.

Did you purchase your rack-to-rack equipment from the equivalently Trojaned "Solar Winds" vendor? The "Solar Winds" event was a "commercially" botched exploit.

Sorry, NSL(s) do not scale. It is an ever expanding "circle of trust".

Containing secrets is only effective if they are only shared within "your shared culture" and your culture is very stable -- nobody leaves because of a difference of opinion.

NSL can only be effective if nobody knows.

[salawat]

Mmmmhmmm. Guess who gets the NSL? Legal and exec team. Guess who are selected occupationally for the ability to keep one's mouth shut?

The velvet glove gets more mileage than you think.

[croutonwagon]

>That wouldn't work without the company being at least passively complicit. Links between datacenters are encrypted.

They aren't always. In fact the Snowden leaks were the actual event that got many of these companies to do just that.

You mentioned MUSCULAR, but it was that revelation that the DC to DC connections were not in fact encrypted. I believe that program was taps on the DC connections, since the SSL connectivity was added and then removed in the front end, leaving the replication in the clear. Google seemed to be relying on the physical security of those links and them not being on some shared infra. [1]

WARNING: the link below has classified info from the Snowden leaks. If you have a security clearance, dont click it.

[1] https://www.washingtonpost.com/world/national-security/nsa-i...

[closeparen]

As I recall, Google reacted to the Snowden leaks by encrypting traffic within and between its datacenters, which it had not previously been doing.