|Slide 4 presents a timeline.|
Pay attention to the timeline.
The government has admitted to the general outline of all this, though it protests that many details are wrong. That it has come to this should surprise no one familiar with current events and the unconstrained growth of the state.
Importantly, the original Guardian report noted that monitoring agencies could practically view one's typing in real-time.
The eruption of outrage was immediate, with most commentators taking literally the statement "collection directly from the servers" which appeared on the latest slide to be revealed, again by the Guardian, the "FAA702 Operations" slide.
Company spokesmen quickly denied the reports, first with brief, cautious statements remarkable for their similarity, and subsequently with broadened and less equivocal denials. Meanwhile the sheer scale and intrusiveness that would be required to access these complex services "directly from the servers" is mind-boggling; the practicalities of mounting such an effort in so many technically diverse sites without a prior leak is hard to imagine.
|The newly released "FAA702 Operations" slide |
features the "directly from the servers" comment.
A focus on data in-transitThe second of the four slides originally published by the Guardian notes, "Much of the world's communications flow [sic] through the U.S." And the newly released FAA702 Operations slide speaks of collection from cables and equipment. Putting the two together suggests that the eavesdropping infrastructure is in place at the trunk and/or ISP level. This would hardly be news, as such monitoring is familiar from the evergreen ECHELON and Carnivore programs of the '90s, not to mention the fabled Room 641A.
|Slide 2 of the original set.|
Conventionally, data sent via encrypted transport cannot readily be eavesdropped. Two problems, though: they only encrypt from user to server; from there on there may be no encryption. Encryption between servers is rarer. Furthermore, some encryption is better than others. PPTP VPNs, for example, are more readily compromised than some others (though as I've argued elsewhere PPTP is adequate for many uses). Also note that when you send an email, its recipients are always exposed to your email service provider and to any eavesdropper, unless your email service and your recipient's service are among the minority that will encrypt server-to-server connections, and then only for that hop in the chain.
Meanwhile, there is a compelling hint in Slide 4 that encrypted transport is not the roadblock it once was, at least to the NSA. Note the progression of PRISM "participants," from 2007 to the present. Now compare:
- Microsoft. "Collection began" in 2007, per Slide 4. SSL encryption for anything but the login screen didn't begin until 2010.
- Yahoo. "Collection began" in 2008. HTTPS only became available this year.
- Google. "Collection began" in 2009. HTTPS was available as a rarely-used option but became the default in 2010.
- Facebook. "Collection began" in 2009. HTTPS only became available in 2011.
And so on. The compelling thing about this observation is the possibility that Slide 4 represents a progression of low-hanging fruit, as the chronology lines up. In each case there was an extended period between "participation" in PRISM and implementation of encryption. This would give an eavesdropper ample time to optimize parsing schemes for a service's formats, patterns and protocols before having to deal with encryption.
This notion is supported by the fact that as recently as April, Apple's transport encryption scheme was reported as uncrackable by the government. But that report was based on a leaked document from the Drug Enforcement Agency, which resides many steps down from NSA in the surveillance-technology totem-pole. It's entirely possible that the DEA had not gotten the memo in April that the NSA had cracked Apple's encryption just last October as the latest in a rollout of that elite agency's decryption capability going back several years.
Also, note that most commercial transit encryption is based on encryption keys managed and secured by Certificate Authorities (CAs), firms specializing in creating, storing and serving authentication credentials that uniquely identify the participants in a secure transaction. (Some large companies run their own CA, including Apple.) But successful break-ins of Certificate Authorities have occurred with startling regularity in recent years; a Google search for certificate authority hacked yields tens of thousands of hits. A sophisticated state actor possessing a CA's identity, keys or tools for generating them can eavesdrop on communications secured by the hacked authority's services. Hence, one interpretation of the PRISM revelations is that they may indicate the ongoing cavitation of the CA-based trust chain.
[UPDATE: A new article in the Huffington Post describes the communications between whistleblower Snowden and journalist Greenwald: "Snowden only wanted to communicate securely using PGP encryption…" Now, if Snowden is what he says he is and knows what he says he knows, that's a hell of an endorsement of PGP. And more importantly, it indicates that the NSA does not have the ability to decrypt by brute-force. So Snowden's reported preference--together with Slide 4's $20M budget number--even more strongly indicates a CA-spoofing approach as the likeliest explanation of the "as-you-type" claim.]
[UPDATE: A report by CNN, quotes further claims by Snowden, including "targeting fat data pipes that push immense amounts of data around the Internet... We hack network backbones -- like huge Internet routers, basically -- that give us access to the communications of hundreds of thousands of computers without having to hack every single one." If true, breaking the encryption of such massive amounts of data can only be achieved by possession of spoofed or purloined CA credentials. No known technology exists which would allow it otherwise, especially if costs are anywhere near the Slide 4 number.]
[UPDATE: The Electronic Frontier Foundation has published a marvelous and timely article, "How secure is HTTPS today? How often is it attacked?" Money quote:
In short: there are a lot of ways to break HTTPS/TLS/SSL today, even when websites do everything right. As currently implemented, the Web's security protocols may be good enough to protect against attackers with limited time and motivation, but they are inadequate for a world in which geopolitical and business contests are increasingly being played out through attacks against the security of computer systems.#1 on their list of vulnerabilities: "Break into any Certificate Authority (or compromise the web applications that feed into it). As we learned from the SSL Observatory project, there are 600+ Certificate Authorities that your browser will trust; the attacker only needs to find one of those 600 that she is capable of breaking into. This has been happening with catastrophic results."
The rest is essential reading, too. Read the whole thing.]
The "As-You-Type" claim is a special concernWebmail services help prevent loss of your work in the event of a disconnect or crash by frequently storing your draft on their server as you compose it. This blog post, for example, has been saved to Blogger's server automatically many dozens of times as I've worked on it. Had I typed something incendiary and intemperate about some politician or bureaucrat, that would have been stored as well-- and potentially monitored and inspected if my phrasing (or integrated profile) contained certain keywords or triggers.
This means cloud-based services of a wide variety have the capability of capturing and potentially monitoring your evolving thoughts and phrasing, even if you think better of them before committing the "Send" or "Publish" button. So, it's bad enough that what you email and say is monitor-able... what you think is also.
ArgumentsPerhaps PRISM is just an ordinary court-ordered data dump. Verizon showed that those court orders can cast a wide net. Counter-argument: Insufficient to explain "as you type" surveillance of the alleged sweeping extent, assuming that's true. But maybe the as-you-type capability is part of the "Upstream" segment of the FAA702 slide rather than the PRISM segment.
Perhaps PRISM really does represent monitoring operations or back-doors at the servers of Google, Apple, Facebook, Microsoft, etc. Counter-argument: These are highly heterogeneous computing environments. Insertion of monitoring equipment or back-doors would be a massive undertaking and specific to each provider, involving their top engineering talent. Hard to imagine how this could be feasible, especially for the $20 million annual budget in Slide 4. On the other hand, the information flowing into and out of those servers, decrypted, is standards-compliant HTML and so forth-- eminently monitorable.
Perhaps the companies are lying. Their statements were too similar, too scripted. Counter-argument: Lawyers and executives tend to phrase things with precision, and the statements issued by company spokesmen reeked of lawyerly parsing and executive tip-toeing. Spokesmen and CEOs would naturally have little interest in their companies' cooperation with occasional court orders, though they'd know they occur. That's sufficient to explain the initial denials. In fact, corner a Zuckerberg, Page or Cook on any controversial issue, and you'll get cautious phrasing like that. It doesn't necessarily indicate collusion with the Feds nor anything to hide. On the other hand, the creepy collection, correlation and wholesaling of user information is the foundation of the business models of several companies on the list. But that doesn't provide as-you-type surveillance.
Perhaps PRISM represents an unfolding decryption capability based on Carnivore's progeny. This, I think, is the conjecture most in keeping with the published reports to date, the as-you-type claim, the $20 million budget number, and Occam's Razor. It requires only a generous interpretation of Slide 2's "directly from the servers": if one assumes that can mean directly from the pipes supplying the servers then the companies' broadening denials begin to make sense. Even the Slide 4 timeline makes sense.
Law-abiding citizens have nothing to worry about. This all just benefits terrorists and child-porn freaks. Counter-argument: If you feel like bcc'ing Eric Holder on every email you send, be my guest. Go ahead, set up your phone as a permanent party line with the NSA. Think of a politician or bureaucrat you really loathe and share your desktop with them 24/7. ...It is untrue that only creeps, paranoiacs and enemies of the state should be uncomfortable with the cataclysmic loss of privacy that PRISM may represent. And here's a thought: if the US can do it, what if other countries can? Fine, say you trust Barack Obama and the entire Federal edifice; do you also trust Xi Jinping? Vladimir Putin?
Lots of the hoo-hah is about metadata. At least the government isn't listening into your conversations. Counter-argument: If you use any digital communications channel such as a cell phone or VoIP, conversations are among the most readily monitorable types of data on the list in the NSA slides, enjoying weak encryption if any. Besides, the metadata--collected over time and correlated with that of your contacts and your interests--paints a very detailed picture of you. It's the reason why the social networks are so highly valued.
What to doPresident Obama defends the PRISM practices and warns that its disclosure will drive the bad guys underground. That's a clue that it is still possible to hide.
First, although the trust chain for conventional commercial encryption may be irretrievably broken by now, it's still very much worthwhile to use https, ssl, tls and other transport encryption tools. They are still effective against eavesdropping by all but the most sophisticated eavesdroppers, at least between your computer and your service provider. After that first node, however, there are no guarantees.
Beyond that, encrypting your files and message contents using private encryption techniques (non-CA-based) would seem, from Obama's comment, to still be a way of cloaking your communications from inspection by anyone. It seems likely that brute-force decryption remains elusive, especially for real-time monitoring. (Certainly then-Sen. Biden must have had a reason for inserting identical anti-encryption wording in two unrelated bills.)
Among my suggestions --and believe me, the bad guys already know about these:
- TrueCrypt is a free/open-source tool for encrypting files in various ways.
- GPGtools.org makes a fabulous plug-in for the OS X's mail.app that makes it easy to send and receive emails signed and encrypted privately, without reliance on Certificate Authorities. It's free and open-source... I've donated, and recommend you do too.
- GPG4Win offers something similar for Windows users.
- FileVault2 is a whole-disk encryption technology that encrypts your Mac's entire hard disk with virtually no noticeable performance hit. It secures your machine whenever it's locked or turned off, so that a thief, spy or Evil Hotel Maid is unlikely to get anything useful off of it. It's installed on recent versions of OS X and just a Preference Pane check-box away from activation.
- CryptoCat is an easy-to-use secure messaging tool, free and open-source, that supports a wide variety of computers and operating systems and can also be accessed in browsers.
- Tor is an anonymized Internet connection that, used properly, obfuscates your location and cloaks what you're doing on it from your ISP on to whatever service you're accessing. (Just, don't in the fullness of your fervor allow your machine to be a Tor exit node... the service is popular with assorted creeps and bad-guys, and you will be their traceable identity if you do that.) [UPDATE: In reply to my question on their "Tor vs. PRISM" blog post, Tor developers noted, "Tor does not rely on any CAs. Every node generates its own keys and directory authorities are hard coded into the application. If you are looking for an introduction to the way Tor works there are several videos on YouTube."]
- Wickr is a secure communications app for iOS and, soon, Android that features self-destructing messages and other privacy tools for communicating with other Wickr users. (My username: sjwickr)
- Silent Circle is a secure communications platform that includes encrypted VoIP for talking, emailing and messaging other Silent Circle users. From Phil Zimmermann, inventor of the PGP encryption algorithm (and the target of Biden's legislative trickery).
- Liberté Linux is a specialized version of Linux which deeply integrates encryption and Tor networking (for example replacing the conventional browser with one that only uses Tor) and which replaces conventional email with secure "cables" to other Liberté users (I'm email@example.com ...for now). Liberté can be run in a virtual machine or booted from a CD or USB stick and must be left running in order to receive cables.