Thursday, June 13, 2013

Direct Access -- UPDATE

"I'll have my girl send those punched cards right over in the afternoon mail, Mr. Security Guy."
Funny story.  True story.

Once upon a time many, many years ago, the IT shop I worked for did a brisk, unwitting business in stolen goods for a couple of weeks.

It was not an atypical IT setup for the time -- a talented, understaffed team embedded in a large and otherwise profoundly low-tech culture, where almost everything from the network to the homemade security camera system was hand-built by my little crew of blackguards and pirates.  We were always spinning out of one crisis and into another -- real or imagined, god-wrought or self-inflicted -- and rarely had the time or the budget to do what we wanted as we wanted it done (or the budget to pay people putting in 10-12 hour days to get the place out of the shambles we found it in more than peanuts, which is one big reason why I left) but it was a fun place to work.

A large part of my job was being the intermediary between my crew -- smart people, somewhat lunatic, with spotty social skills and political views ranging from anarchic to Limbaugh-loving -- and the genteel tenured academic Eloi who ruled the place.

So back in these olden days when Newtons were still a (rapidly fading) thing and the ability to hack a talking Christmas Tree and make it swear like a sailor was such an act of wizardry that it might actually get you laid, our networks, servers and administrative software were functional but crude affairs, which is why it took us a while to notice that one of our servers had been hacked and that some clever dog had buried cracked install copies of some pricey software (Photoshop, Premiere, Softimage, etc., as I recall) way down deep in a sub-sub-sub folder.

Which was a bad thing, and could have been easily resolved by wiping and securing the server, securing every other server, and (because we were socially responsible pirates and blackguards) contacting the various software outfits and letting them know what had happened and what we were doing about it.  But that is not what happened.

Instead, security got involved.

Oh boy!


And so rather than just fixing the problem, security went on a weeks-long bug-hunt for a nonexistent scoundrel who had (according to their mad deductive skills) obviously come through two locked and alarmed doors, pulled a chair up to our humble, little server farm and had -- over the course of many, uninterrupted hours -- copied all of that ill-gotten booty onto the machine in question.

Security arrived at these conclusions because it was impossible to explain to them that "Direct Access" to a server doesn't mean sitting in front of it, and adding or taking things off of a server was not like installing Tetris on your PC.  In fact, our second-grade explanations of how a server works (See, it's like Santy Claus except this Santy Claus doesn't need to leave his Biiiig house at the North Pole in order to...oh just fuck it) only deepened their belief that we were all in on the terrible conspiracy and were spinning fairy tales to cover for a confederate.  So the server was carefully wheeled away on a little cart along with the keyboard and the chairs so that, presumably, they could be dusted for prints.  Everyone with a key to any door or who had the code to any of the alarms was "interviewed".  Some more than once.


Many weeks later we got our server back, the incident was quietly downgraded from "Great Brinks Robbery" to "Let us not speak of this again" and we got back to playing Quake and Unreal until midnight and talking smack about the Luddites who ran the place working tirelessly and cheerfully to bring the benefits of the information age to our users.


There is no larger point here other than, when you are operating somewhat out of your depth, small misunderstandings about how things work on a starship...

The Guardian quietly walks back their PRISM overreach without correcting previous reporting

In their most recent article on the fallout from their Edward Snowden reporting, the Guardian dials back their initial claims.

Here's what they alleged in their first PRISM article, nearly a week ago:

The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.

The NSA access is part of a previously undisclosed program called Prism, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.

The Guardian has verified the authenticity of the document, a 41-slide PowerPoint presentation - classified as top secret with no distribution to foreign allies - which was apparently used to train intelligence operatives on the capabilities of the program. The document claims "collection directly from the servers" of major US service providers.

...

Now here's how they described the program in their most recent write-up:

The Guardian revealed last week that seven technology companies - Google, Facebook, Skype, PalTalk, Microsoft, Apple and Yahoo - were involved in the Prism surveillance scheme run by the NSA.

The Guardian understands that the NSA approached those companies and asked them to enable a "dropbox" system whereby legally requested data could be copied from their own server out to an NSA-owned system.

...

...can sometimes create larger problems later on.


UPDATE: Now with 100% more Rick Perlstein --
...
Fogel points out that a widely read post to this effect called “Cowards” from the blog Uncrunched—“What has these people, among the wealthiest on the planet, so scared that they find themselves engaging in these verbal gymnastics to avoid telling a simple truth?”—is “mostly wrong.” He says, “It looks like Greenwald and company simply misunderstood an NSA slide [see image at the top of this post for the slide] because they don’t have the technical background to know that ‘servers’ is a generic word and doesn’t necessarily mean the same thing as ‘the main servers on which a company’s customer-facing services run.’ The ‘servers’ mentioned in the slide are just lockboxes used for secure data transfer. They have nothing to do with the process of deciding which requests to comply with—they’re just means of securely and efficiently delivering information once a company has decided to do so.”

In other words, this slide describes how to move data from one place to another without it getting intercepted in transit: "What the hell are the companies supposed to do?" Fogel jokes. "Put the data on a CD-ROM and mail it to Fort Meade?"
...

Greenwald has not yet made a public evaluation of whether or not he agrees that he made that mistake. He owes it to us to do so, with as much speed as practicably possible. It’s not too much to say that the fate of his broader NSA project might hinge on doing so effectively—because the powers that be will find it very easy to seize on this one error to discredit his every NSA revelation, even the ones he nailed dead to rights...

11 comments:

Swede said...

But the problem has been that "legally requested data" has been rubberstamped by the courts. So one could argue the NSA has had direct access and the "dropbox" is just a nice framing.

Nick said...

Let me just say that your take on the NSA data collection and the media's discussion of it has been very thorough and most excellent. As you've said, there are two important differences between what is happening here and what happened in the Bush years: this data collection is court approved and this data is only metadata, which has been collected from unsuspecting non-suspects since long before 9/11 (ie the Baltimore wiretapping cases). Your criticism and praise of Greenwald's handling is also spot on.

However I think you are largely missing the central issues: secrecy and constitutionality. Somehow the discussion of what data the government will collect on every citizen has become the purview of a secret court. This court was designed to permit the spying of people within the US with a legal warrant without tipping them off with open court papers. This same court is now being used to decide the legality of spying on EVERYONE without tipping them off. This threatens our democracy by preventing open debate on the issue. It also threatens our constitutional system by preventing a lawsuit over the constitutionality of the program from reaching the Supreme Court (as the ACLU has just filed in light of the disclosure).

In short, it is the secrecy of the program that threatens us, not the data collected or whether it was court authorized. I do hope that you'll take up some of these issues in future posts/podcasts since little people like me can only influence the discussion by catching the ear of great and powerful bloggers like you.

driftglass said...

Nick,

Thank you.

I very much agree with your assessment that "it is the secrecy of the program that threatens us, not the data collected or whether it was court authorized."

If you have not seen it, this is a great push-back against that very real threat: Charles Pierce's, “Tell Me What Is Being Done In My Name” -- http://www.esquire.com/blogs/politics/Twitter_on_Whats_Being_Done_InMyName

Anonymous said...

Shh...don't tell anyone. If you are reading these words on this website... you are dealing with an FTP server.
Fight the Power!

Anonymous said...

Another thing about how this story has been handled bothers me. Why does this 41 slide PowerPoint presentation need to be exclusively mediated through the press? If I want to understand Freud's thinking, the last place I would begin my research would be an introductory psychology textbook, especially when Freud left so many excellent primary sources behind for me to study. Likewise, shouldn't I be able to read/ look over the actual PowerPoint presentation to understand for myself what the program is about and what its implications are?

Releasing the PowerPoint presentation in full would allow me to form my own judgements about the implications of this spectacular program.

Blotz said...

Awww, but we were having so much fun jumping to conclusions and self righteously beating our chests about how Obummer was so much worse than Bush and if we punch enough hippies the pretty girls/boys will finally talk to us.

Seriously, Fred Clark at Slacktivist likes to talk about the "Anti-kitten burning brigade", conservative christians who participate in a form of complicated live action roleplaying game wherein they fight bravely and alone against the forces of evil that constantly threaten all that is good and holy. These forces usually come in the form of wicked feminists, wily abortionists and all other sorts of Liberal Demons. It's all a farce, but it's great for reinforcing in-group cohesion. We have our own form of this disease in the anarcho-libertarian fetishists who leap at every perceived failing of liberal government to throw the whole operation out the window. They salivate at the opportunity to prove how righteous and pure they are in the face of the capitalist/military/security/infotainment state.

Reality is too boring it seems.

OBS said...

Releasing the PowerPoint presentation in full would allow me to form my own judgements about the implications of this spectacular program.

And help us figure out if the NSA is truly as bad at powerpoint as it seems. I mean from what I've seen they rival the bad slides I've seen come out of the EPA, and that's no easy feat.

Anonymous said...

I laughed at the story, I too work in IT. I started in the Navy, then at the Pentagon as a civilian, and now in international development.

I can say, people who do not work in IT constantly fuck shit up and confuse things. The worst are the ones who think they know what they're talking about. You'll give them an explanation of something and by the time upper management hears it and comes back to you about it everything is so confused you wonder "how the fuck do you people remember to breathe".

If Greenwald truly fucked this up that badly he needs to be taken to court by MS, google, apple, and should never be taken seriously again on technical matters.

This reminds me of the time they installed an MBA as our CIO, we'd tell him shit and by the time the CFO came back and told me what he said I was always "no, that's how it fucking works, that jackass doesn't know his ass from his elbow".

Though... I play a lot of Battlefield 3 at work.

Anonymous said...

@OBS

That's standard for them. I've dealt with a lot of classified powerpoints in my time and they're all that bad. Death By Power Point!!!! is a long standing complaint of people in the military and intelligence circles.

If you want to hear any enlisted armed services member curse up a storm mention to them they are going to a high level power point and sit back.

Anonymous said...

This reminds me (once more) of the time I watched Greenwald misinterpret a short quote about Swedish law and run far, far away with it, without checking with people who were experts on the subject and could have set him straight in two minutes. He is his own worst enemy when he gets his blood up. And he doesn't like to admit that he is wrong.

Anonymous said...

Greenwald? Make a mistake (much less admit one)? UNPOSSIBLE!