On the podcast Security Now, episode 408, “The State of Surveillance“ from TWiT.tv, Steve Gibson detailed how the NSA is obtaining data and how companies themselves are not participating or cooperating with them outside of court orders and requests.
Basically, they’re tapping into the fiber optic feeds at the ISP level and splitting the light waves off (hence the term Prism) to their own routers and equipment. This is all done upstream of companies like Apple and Google. The NSA is getting that data before it ever makes it’s way to Apple, Google et al…
Skip ahead to about 57:31 to get the technical details of this.
In the podcast he cited the sources for the information he used and linked to the papers on his Twitter account last week. Here are the URL’s:
About SSL and Data Gathering
SSL encrypts, for example, my Gmail session between my web browser and Google’s server. Once I send an email to someone and it passes through Gmail’s servers and back out on it’s way to whom I’ve sent it, it’s carried over the SMTP protocol which is not encrypted. The email travels unencrypted over the Internet to another ISP and routed to say AOL and then the person whom I sent the email to. The NSA is capturing that email, unencrypted as it’s carried via SMTP over the open Internet -after it left Google’s servers and before it reached AOL.
The only way to combat this is to encrypt the contents of your message with PGP before clicking send. You must encrypt it locally and ensure the person receiving the email (the intended recipient) has the proper public key to decrypt it. If done this way, the email is still sent unencrypted over the Internet and SMTP, but the contents of the email is still encrypted (because you did it locally with PGP) and thus the NSA cannot read it. They can capture it, but cannot read it.
The fancy light splitting is just a simple method of splitting one signal into two identical signals. One signal goes it’s intended route to Google and the second signal goes to an unintended destination, the NSA. Since these communications are done over fiber-optics, it’s data sent via light-waves and thus the terms light splitting and Prism, because as we know from high school science, a prism splits light.
Here is a diagram from the EFF (Electronic Frontier Foundation) showing how it’s working.
PGP (Pretty Good Privacy)
For those interested in how PGP and cryptograpghy works, here is a series on it from the podcast Security Now done in 2006. These are the MP3 audio files linked.
Page URL: https://www.grc.com/sn/past/2006.htm
- Episode 30: Cryptographic Issues
- Episode 31: Symmetric Stream Ciphers
- Episode 32: Listener Feedback Q&A #5
- Episode 33: Symmetric Block Ciphers
- Episode 34: Public Key Cryptography
- Episode 35: Cryptographic Hashes
- Episode 36: Listener Feedback Q&A #6
- Episode 37: Crypto Series Wrap-up
It’s been a while since I’ve listened to these and I may do so again for a refresher. It’s very interesting and detailed information on this subject.
PGP when used properly is virtually un-crackable; that doesn’t stop the NSA from gathering the data and storing it though.
Since most of us don’t use PGP, for various reasons, there is plenty of un-encrypted data flowing through ISP’s that is being gathered and easily analyzed.
However, If PGP is being used, one can be about as certain as gravity that the data is protected. PGP has been pounded on for years by all the “experts,” and it’s never been broken. However, anything is possible and I’d say there is a 99.999999% certainty that it’s safe.