The NSA’s Prism Program

On the podcast Security Now, episode 408, “The State of Surveillance,” from TWiT.tv, Steve Gibson detailed how the NSA is obtaining data and how companies themselves are not participating or cooperating with them outside of court orders and requests.

Basically, they’re tapping into the fiber optic feeds at the ISP level and splitting the light waves off (hence the term Prism) to their own routers and equipment. This is all done upstream of companies like Apple and Google. The NSA is getting that data before it ever makes its way to Apple, Google et al…

Skip ahead to about 57:31 to get the technical details of this.

 

[youtube http://youtu.be/fX8CSMPiTs4?t=57m31s]

In the podcast he cited the sources for the information he used and linked to the papers on his Twitter account last week. Here are the URLs:

http://www.narus.com/images/pdf/Narus_nSYSTEM_brochure.pdf
https://www.eff.org/files/filenode/att/SER_marcus_decl.pdf
https://www.eff.org/files/filenode/att/SER_klein_decl.pdf
http://cryptome.org/scott-marcus.pdf
http://cryptome.org/klein-decl.htm
https://www.eff.org/files/filenode/att/presskit/ATT_onepager.pdf

About SSL and Data Gathering

SSL encrypts, for example, my Gmail session between my web browser and Google’s server. Once I send an email to someone and it passes through Gmail’s servers and back out on its way to the recipient, it’s carried over the SMTP protocol, which is not encrypted. The email travels unencrypted over the Internet to another ISP, is routed to, say, AOL, and then reaches the person I sent it to. The NSA is capturing that email, unencrypted, as it’s carried via SMTP over the open Internet, after it left Google’s servers and before it reached AOL.

The only way to combat this is to encrypt the contents of your message with PGP before clicking send. You must encrypt it locally and ensure the person receiving the email (the intended recipient) has the proper public key to decrypt it. If done this way, the email is still sent unencrypted over the Internet and SMTP, but the contents of the email are still encrypted (because you did it locally with PGP) and thus the NSA cannot read them. They can capture the message, but cannot read it.
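To make "they can capture it, but cannot read it" concrete, here is an added example (not from the original post or the podcast) that reports what stays readable on an unencrypted SMTP hop for a plaintext message, an inline-PGP message, and a PGP/MIME (RFC 3156) message. The addresses, subject line, and ciphertext placeholder are constructed sample data, and the function name `exposure` is hypothetical.

```python
from email import message_from_string

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"

def exposure(raw):
    """Report what is readable in transit for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    report = {
        # PGP protects the body only; routing and subject headers stay visible.
        "headers": {h: msg[h] for h in ("From", "To", "Subject") if msg[h]},
        "readable_parts": [],
        "encrypted": False,
    }
    # PGP/MIME (RFC 3156): the whole body is one multipart/encrypted container.
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        report["encrypted"] = True
        return report
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        if ARMOR_BEGIN in text and ARMOR_END in text:
            report["encrypted"] = True            # inline ASCII-armored PGP
        elif text.strip():
            report["readable_parts"].append(text.strip())
    return report

# Constructed sample messages (not real captures). BLOB is a placeholder
# standing in for ciphertext, not actual PGP output.
HDRS = "From: alice@example.com\nTo: bob@example.net\nSubject: Lunch on Friday\n"
BLOB = ARMOR_BEGIN + "\n\nPLACEHOLDER-NOT-REAL-CIPHERTEXT\n" + ARMOR_END + "\n"
PLAIN = HDRS + "Content-Type: text/plain\n\nMeet me at noon.\n"
INLINE = HDRS + "Content-Type: text/plain\n\n" + BLOB
PGPMIME = (
    HDRS + 'Content-Type: multipart/encrypted; '
    'protocol="application/pgp-encrypted"; boundary="b"\n\n'
    "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
    "--b\nContent-Type: application/octet-stream\n\n" + BLOB + "--b--\n"
)

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("inline", INLINE), ("pgp/mime", PGPMIME)):
        print(name, exposure(raw))
```

In all three cases the sender, recipient, and subject remain readable in transit; only the body becomes opaque when PGP is used.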

The fancy light splitting is just a simple method of splitting one signal into two identical signals. One signal goes on its intended route to Google and the second signal goes to an unintended destination, the NSA. Since these communications are done over fiber optics, the data is sent via light waves, and thus the terms light splitting and Prism, because as we know from high school science, a prism splits light.

Here is a diagram from the EFF (Electronic Frontier Foundation) showing how it’s working.

 

Fiber tapping.

 

PGP (Pretty Good Privacy)

For those interested in how PGP and cryptography work, here is a series on it from the podcast Security Now, done in 2006. These are the MP3 audio files linked.

Page URL: https://www.grc.com/sn/past/2006.htm

It’s been a while since I’ve listened to these and I may do so again for a refresher. It’s very interesting and detailed information on this subject.

PGP when used properly is virtually un-crackable; that doesn’t stop the NSA from gathering the data and storing it though.

Since most of us don’t use PGP, for various reasons, there is plenty of unencrypted data flowing through ISPs that is being gathered and easily analyzed.

However, if PGP is being used, one can be about as certain as gravity that the data is protected. PGP has been pounded on for years by all the “experts,” and it’s never been broken. However, anything is possible and I’d say there is a 99.999999% certainty that it’s safe.

2 comments

  1. Hey, I am sure you heard of the hacker group Anonymous. They actually helped out with a case in my area of a rape of a 16 year old girl. They were able to get a 12 minute video of high school football players telling in graphic detail of what they did to this poor girl and the names of others involved. They also dug up info on adults and law enforcement that were hiding information about this crime. I do not want the government snooping on me in any way, but if Anonymous wouldn’t have hacked websites and got information from cell phones, these boys would have gotten away with rape. What are your thoughts about this group?
