Friday, June 07, 2013

Reconciling PRISM claims

I thought I'd write up a brief piece of journalists on reconciling the admissions by the NSA and the denials by the companies involved with the PRISM program.

The thing you need to look at is my Altivore program, a bit of code I wrote back in 2000 to explain the Carnivore controversy. Like the current issue, there were irreconcilable claims about Carnivore. One set of claims is that it eavesdropped on everyone's traffic, including "Echelon" style keyword searching of emails. The second set of claims is that it was just a law enforcement tool, that it only captured the traffic of a single person that was the subject of lawful warrant.

As my Altivore code shows, both competing claims are true. It both captures "everything" but is limited to only "one thing". You can download my code, compile it, and run it on your own computer to see for yourself (it works on Mac OS X, Windows, and Linux, and the little Raspberry Pi).

The confusion is where to draw the line between "everything" and "one-thing". If you give Yahoo a court order for the emails of "" (a notorious hacker), they must first access a server that holds the emails of millions of people. There is a boundary between the starting point that sees everyone's emails, and the end product, which is just the emails of this hacker.

You see that boundary line in the Verizon court order for all data. As the NSA's clarification points out, that doesn't give the NSA immediate access to all that data. Instead, while it exists on NSA servers, agents still need separate court orders to get at data, limited to only the person specified in the order. Thus, we see that while they have "everything", they are still only allowed "one-thing" at a time. (By the way, I'm discussing this at face value -- the NSA is being highly deceptive here, their omnipresent surveillance is Orwellian and wrong, but that'll be the topic of a future post).

Carnivore (and my Altivore) are a network tap. In theory, they see everything going across the network wire, which means law enforcement is theoretically seeing everything. But, Canrivore is designed to only copy the data that is the target of the warrant. It uses "deep packet inspection" to find when "" (the target of a warrant) logs on, then copies all the packets with her IP address until she logs out. Thus, as you see in the Altivore code, it sees "everything", but copies only the "one-thing" for law enforcement. Law enforcement personel only sees the end result, within the bounds of the court order, and not the starting data.

I'm betting that PRISM works the same way. On one hand, whatever it is, it could be described as "potential" access to everything, but that in practice, the only thing the NSA gets is "one-thing" at at a time for each court order.

Consider Facebook for the moment. When people access their Facebook accounts, the servers record the source IP address. However, in order to protect their privacy, some people use a proxy, so the servers won't know the real IP address of the user, just the IP address of the proxy. Proxies add a header like "X-Forwarded-For" that identify that original user. The problem is that Facebooks servers don't log that, so when the law enforcement asks Facebook for the IP address of a user identified in a warrant, Facebook can't tell them. What the government might do is go to Facebook and ask them to start logging that header, so that future warrants will get that information. Thus, we have a story where where government partners with Facebook to get direct access to more information, but yet, it's not what you thought those words meant, and both sides are telling the truth.

Here is what I'm betting: the PRISM program isn't all that we fear, but more than we find tolerable. For example, I find it interolerable that such companies would increase their logging in order to aid law enforcement.

To figure this out, you journalists are going to have to find the correct questions to ask these companies. Since we don't know the right answers, it is of course, hard finding the right questions. One question I would suggest is "Have you changed what you log at the request of law enforcement?" or "Do you log more things than you would otherwise had law enforcement not asked you?" Another question is "At any time has the government intimidated you, such as threatening investigations into business or whithholding regulatory approval, in order to get cooperation with law enforcement?".

By the way, among the things I'll bet you find is that Microsoft and Facebook are the ones helping law enforcement the most, and that Google and Apple are doing the least to help law enforcement. That would also be a good thread to investigate if I were you.


Anonymous said...

Good to read a post that isn't all about scare mongering and actually provides a little context. Thanks for the interesting read

RonnieinTexas said...

Regardless of the technological aspects of data mining, I sincerely believe that this Snowdon guy is fabricating his "revelations" for monetary gain or fame. I doubt that a 29 y.o. with only a GED could have ever gotten to such a position (supposedly making $120k or $200k , whatever - rotflmao on that amount!!!) with a NSA contractor where he could have been able to access such highly classified info, either as part of his job OR accidentally. Point in fact, if he says the "govt." is tracking us all by every electronic means 24-7, how come they can't track down undocumented immigrants or ,worse, folks really trying to do harm to this country. Rush L. said Booz & Allen just fired Snowdon and that he was ONLY making $120k...what?? Why would a guy with only a GED throw away a $120k job in Hawaii to "blow a whistle". I'm thinking the Chicom intelligence operatives co-opted this poor schlub to embellish his activities/abilities to embarrass the U.S. administration, promising him security, money, etc., in return for this fairytale.

He is no hero, but rather a zero if he is a fraud. If he is telling the truth, he's no better than the wikileaks guy and his sources, all of which are justifiably under criminal investigation, by both international and u.s. military/federal authorities.

Anonymous said...

RonnieinTexas, I'm retired military. After I retired, I began contracting as an NA/SA and later as IA for the DoD.
Only with a high school diploma and vendor certifications.
I was bringing in between $106k-$160k, depending on where I was working and what I was working on.
To put it mildly, he had access to the information. If I wanted to, I could have accessed that information. The government removed many, many barriers on information sharing after the 9-11 debacle.

As for him throwing away his career, perhaps you cannot comprehend that being possible for someone to do, but I've seen people do the craziest things over matters of honor.
As I said when the story first broke, he did the right thing in the wrong way. The right way would have been to approach a trusted member of Congress and have said member of Congress review the data in one of the Congressional SCIFs.

As for "the wikileaks guy", I assume you mean Private Manning.
His story is also one of a debacle. He was pending separation from the Army. Per DoD and in particular, Army regulations, when one is flagged for deleterious personnel actions, access to classified information is revoked immediately.
His S2 and commander both are equally responsible, as they were derelict in their duties to protect classified government information by adherence to regulation.
But, that part was quietly brushed under the rug, the officers who failed to adhere to regulations moving forward with their careers.

BTW, I "threw away" that DoD contracting position to return home and care for my elderly and ill father. Something you would also probably consider unconscionable. Are you going to blame "Chicom intelligence" on that as well?
I'll add that the reports on US-PRC hacking are reasonable close to the truth, it's been highly mutual.