You think US intelligence doesn't have access to other major airlines' back end databases, or things like major hotels' reward programs, airbnb, uber, lyft?
As someone who has worked on security for said systems, and who is somewhat familiar with the types of requests that are serviced to LEAs and TLAs, I do think that they don’t have access to back end databases.
What, you think we set up a VPN for them so their SQL client in Fort Meade can just query as they please? Or do you think they hack us?
If you work for a useful target yes they probably have hacked you. They've certainly hacked google in the past for example - see below. These agencies are lawless and motivated. I imagine knowing where targets stay/travel in advance could be very useful.
"Reports that NSA taps into Google and Yahoo data hubs infuriate tech giants"
Files obtained from Edward Snowden suggest NSA can collect information sent by fibre optic cable between Google and Yahoo data hubs 'at will'...
Citing documents obtained from former NSA contractor Edward Snowden and interviews with officials, the Washington Post claimed the agency could collect information "at will" from among hundreds of millions of user accounts.
The documents suggest that the NSA, in partnership with its British counterpart GCHQ, is copying large amounts of data as it flows across fiber-optic cables that carry information between the worldwide data centers of the Silicon Valley giants. The intelligence activities of the NSA outside the US are subject to fewer legal constraints than its domestic actions.
What is domestic and what is not? Is a company with assets abroad domestic or fair game abroad? You are aware these agencies share most data across borders aren't you?
Tempora is domestic hacking, Stellar Wind is domestic hacking (sweeping up data from all Americans), and these agencies share data extensively, so domestic vs foreign has very little meaning to them at least.
No, interception and wiretapping (especially with permission of the service provider) are not the same thing as hacking a company to maintain persistent access and surreptitiously using their assets to exfiltrate data. These are very different things and the distinction matters.
I’m familiar with what kinds of things they do, and I don’t agree that they should be doing a lot of what they do. It’s just that rooting american assets isn’t one of those.
A reasonable question. There are many answers. My first one would be for leverage. E.g. To solve a crime, they want information from someone who is not under formal investigation. That someone may not voluntarily cooperate, so they use information for leverage. E.g. threaten to leak information about a pending business deal to others in the transaction. It's not very effective for Joe Sixpack, but it is for organized crime of all kinds.
>They've certainly hacked google in the past for example - see below.
You've referenced proof they couldn't hack Google and instead they had to use alternative measures.
>Google is understood to be working on "forward encryption" for its private network so that communications even over its private leased lines would be unintelligible to anyone without the "keys" to decrypt it.
That's basically the reason it was even possible. Such surveillance is not a hack.
Of course they claimed after being exposed that these programs are legal, but I think lawless is apt as these agencies don't consider the law as a boundary they need to respect.
I was asked for an example of the organization being lawless, I gave a concrete example of the organization failing the most basic of accountability measures: Being asked under oath about their processes. The leader of the organization lied. I think that's a decent indictment of the organization.
What are you trying to say with the second picture? Getting access to a GFE gets you access to what's going through it? What does that have to do with the FBI hacking into the backend of a airline company?
The FBI (and NSA for that matter) are a lot more constrained by the law than HN seems to think, they can't just shell anyone they want especially if the target is a third party that has done nothing wrong.
Pretty much that, and also tapping any traffic that's in their internal networks, since that's not encrypted either.
> What does that have to do with the FBI hacking into the backend of a airline company?
That's one possible attack that the FBI could be carrying out. ie. sabre doesn't encrypt its communications in their internal network, and that's being tapped similar to how the NSA tapped google's internal networks.
> they can't just shell anyone they want especially if the target is a third party that has done nothing wrong.
The reality is not that clear. A lot of what governs what these agencies can and can't do comes from executive branch policies. There is a lot of gray around what is "legal" and congress likes it that way because it keeps responsibility for allowing to much or not enough surveillance far away from them.
What's more, you cannot adjudicate what you don't know about and a lot of the secrecy in programs like this is just as much about keeping away civil libertarian attorneys as it is about confounding "the enemy". There's a reason the FISA court rules nearly 100% of the time with the state. Responding attorneys are rarely involved and when they are they are often hamstrung due to a lack of knowledge that prevents them from filing any kind of useful motion or raising serious opposition.
Sure, NSA can't directly query against whatever database gmail uses to store your email, but they still have all your emails, photos, and login history. As far as your privacy is concerned, there isn't really any meaningful difference.
>Suppose I sent an email yesterday from my Gmail to a friend's Gmail, are you saying the text of this email is stored on an NSA machine?
Maybe not today, but during its heyday must certainly.
>Internal NSA presentation slides included in the various media disclosures show that the NSA could unilaterally access data and perform "extensive, in-depth surveillance on live communications and stored information" with examples including email, video and voice chat, videos, photos, voice-over-IP chats (such as Skype), file transfers, and social networking details.[2] Snowden summarized that "in general, the reality is this: if an NSA, FBI, CIA, DIA, etc. analyst has access to query raw SIGINT [signals intelligence] databases, they can enter and get results for anything they want."
>[Glenn Greenwald] added that the NSA databank, with its years of collected communications, allows analysts to search that database and listen "to the calls or read the emails of everything that the NSA has stored, or look at the browsing histories or Google search terms that you've entered, and it also alerts them to any further activity that people connected to that email address or that IP address do in the future."[44] Greenwald was referring in the context of the foregoing quotes to the NSA program X-Keyscore.[45]
But let's suppose they don't have your emails stored in their datacenters. Instead, it's still stored on google's servers but they can access your emails via automated requests to google, via search terms or by providing your user handle. Is that a meaningful difference, in terms of privacy?
So essentially, no, they do not have "all my emails".
> "Instead, it's still stored on google's servers but they can access your emails via automated requests to google, via search terms or by providing your user handle"
You just said previously the exact opposite! That they can't query Google, but they have the data themselves.
> "Is that a meaningful difference, in terms of privacy?"
Yes, because it means Google are aware of what data they are being requested, and what they are sending in return.
The transparency reports for these companies show that the total number of requests is in the region of 10k/year - a lot in some senses, but nowhere near the level of surveillance many people seem to believe.
No, they in fact cannot query my emails via automated requests to Google. I actually do know how that process works, and there is a human involved, so please stop making things up.
We can discuss the problems with it, but only if we start from a point of truth.
> The second one does not refer to domestic hacking. They don’t do that.
What do you believe is happening in that second image?
One could argue semantics as to whether a fiber tap is "hacking" or not, or whether tapping a domestic company's network from an international transit link counts as "domestic hacking"... but there is ample evidence that US intelligence agencies do target domestic companies and their networks.
There's also ample evidence that various companies choose to cooperate with the intelligence community for a variety of reasons. AT&T has made a healthy living off .gov, but I'm not sure Western Union was ever compensated for giving CIA decades' worth of international telegrams, and it appears their recent cooperation with the Agency regarding international money transfers was spurred by patriotism.
Since the links are likely compromised, ubiquitous encryption is your friend.
I don't imagine they have raw sql access but you probably have an API that takes a name or social or other identifier and returns relevant results. This access may have been granted to an account that is not described as "FBI" it's probably another sub-contractor or analytics provider.
You are incorrect. None of the companies we are talking about would build this backdoor interface and grant access like that to a shell company or contractor. If they wouldn’t do it for the TLAs directly, why on earth would they do it for a third party?
I once had a rep at an airline email me PDF's containing full instructions on how to connect to their developer VPN, connect to their dev and prod databases, a Java code sample, and full credentials for all. It was meant for a new developer but got sent to me (contractor working outside the company).
I haven't ever tried connecting to it, but I'll tell you when I alerted their security team there was no urgency about it, and the password was so simple I bet you could guess it within 10 tries.
Is that data encrypted in transit? If so, what encryption was used? The ones "suggested" that NSA knows how to decrypt? Also, do you know what agreements have been made that are "above your pay grade"? Do you know what every piece of equipment in your data center does? What about what equipment is installed at the ISP level?
Don't be so quick to say "you" are not actively having data taken. "You" just might not be aware of it.
Don’t be so quick to assume you have any idea how these things actually work, and what is or isn’t possible. None of the examples that you are running through would facilitate this type of thing.
In some ways that actually makes it a lot easier for the NSA doing its role as sigint agency against anything "foreign", which doesn't have any US legal protection related to the 4th amendment.
Would that surprise anyone? Governments are known to stockpile and exploit vulnerabilities in targeted computers in order to obtain access. The US government even came up with an euphemism for this malware: network investigative techniques.
This is largely a moot point. All names of departures and international arrivals are sent to the Department of Homeland Security via the Secure Flight/APIS data pipeline. This returns to the airline authorization to board, select for additional screening (SSSS on boarding pass), or inhibit boarding (unless overridden by a TSA call center), as well as, for international flights, authorization for who can even overfly the country.
Intelligence agencies are also highly interested in things that don't involve the DHS or have a flight involving a destination in the USA. Such as obtaining PNRs for people who buy flights from Dubai to Mogadishu.
Of course it's laughable to think you could get away with doing anything on a plane in a post-9/11 USA - they're obviously going to have data on every citizen's and foreigner's flights. Beyond that I wouldn't know.
All I can say is you're very likely not a point in Sabre's private data mining set.
