Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PyCon Ireland Keynote: PRISM as a Service

Lynn Root
October 13, 2013

PyCon Ireland Keynote: PRISM as a Service

Blog write-up: www.roguelynn.com/prism

Originally presented @ PyCon Canada 2013, but updated with more revelations & current events.

Lynn Root

October 13, 2013

More Decks by Lynn Root

Other Decks in Programming


  1. @roguelynn Who am I? • Engineer at Spotify • PSF

    Board Member • PyLadies of San Francisco
  2. @roguelynn Why am I here? • What is PRISM? •

    Unanswered Questions • How does it affect cloud services? • What can we do now?
  3. @roguelynn Disclaimer • I am not a lawyer! • I

    have no three-letter-agency or PRISM-cooperative-company insight • Thoughts & opinions are my own
  4. @roguelynn What is it? • electronic data mining tool •

    purpose is for mass surveillance • collect intelligence that passes through US servers • supposedly only metadata
  5. @roguelynn Who does it affect? • Targets foreigners’ communication •

    Can not specifically or intentionally target US Citizens
  6. @roguelynn Who’s involved? • 98% of PRISM data comes from

    Google, Microsoft, and Yahoo • Other companies: Apple, AOL, Facebook, PalTalk, Skype, & YouTube
  7. @roguelynn What is it? • Digital Network Intelligence Exploitation System

    • 500-700 servers as of 2008) • Federated query system • Completely unfiltered data
  8. @roguelynn Wait, what?!!? • Searches collected email addresses, user activity,

    phone numbers • Extracts files e.g. attachments • Client-side HTTP traffic parser • Real-time interception
  9. @roguelynn All your email are belong to US • Query

    for an email address • Searches bodies of emails, web pages, documents, including To, From, CC, and BCC lines
  10. @roguelynn Show me... • Encrypted word documents from $X country

    • PGP usage in $X country • VPN connections in $X country, and give me all data to I can decrypt and discover users
  11. @roguelynn Show me... • All Excel spreadsheets containing MAC addresses

    coming out of $X country • All exploitable machines in $X country • Email addresses tied to Google Map searches • All documents that reference $Y
  12. @roguelynn 1952 1973 1978 2000 2001 1946 Five Eyes Group

    • USA, UK, Australia, Canada & New Zealand • Purpose to share intelligence, concentrating on signal intelligence
  13. @roguelynn 1952 1973 1978 2000 2001 1946 NSA Established Purpose

    for collecting, processing, and disseminating intelligence information from foreign electronic signals for national foreign intelligence and counterintelligence purposes and to support military operations.
  14. @roguelynn 1952 1973 1978 2000 2001 1946 Warrants needed Supreme

    Court rules that warrants are now required for domestic intelligence surveillance.
  15. @roguelynn 1952 1973 1978 2000 2001 1946 FISA signed to

    law Foreign Intelligence Surveillance Act to protect widespread abuse of wiretaps.
  16. @roguelynn 1952 1973 1978 2000 2001 1946 “live on the

    network” NSA transitions into 21st-century by expressing desire to “live on the network” to perform its offensive and defensive missions.
  17. @roguelynn 1952 1973 1978 2000 2001 1946 9/11 WTC Attacks

    Culture against spying begins to shift at the NSA.
  18. @roguelynn Winter ’01/02 Summer ’02 Fall ’01 Winter ’02 NSA

    resurfaces spying plan from 1999 Originally illegal in 1999 as deemed by FISA, NSA resurfaces its plan to perform contact chaining on metadata it collected.
  19. @roguelynn Winter ’01/02 Summer ’02 Fall ’01 Winter ’02 Telecoms

    + Domestic spying US Admin gains access to large telecom switches carrying the bulk of US’s phone calls. Seems to be no obstacle to prevent NSA from eavesdropping.
  20. @roguelynn Winter ’01/02 Summer ’02 Fall ’01 Winter ’02 Total

    Information Awareness Program to record and analyze all digital information generated by all US citizens. Defunded, but continued to run under different names.
  21. @roguelynn Winter ’01/02 Summer ’02 Fall ’01 Room 641a AT&T

    employees discover NSA officials on an undisclosed mission; also discovered secret rooms being built within AT&T offices. Winter ’02
  22. @roguelynn Winter ’01/02 Summer ’02 Fall ’01 Telecoms enter formal

    agreement to give data Major telecommunication companies enter into voluntary formal agreement to give metadata of calling information to the NSA. Winter ’02
  23. @roguelynn 2007 2008 2011 2012 2005 NYT reveals companies gave

    backdoor access NSA gained cooperation with US telecoms to obtain backdoor access to streams of domestic and international communication.
  24. @roguelynn 2007 2008 2011 2012 2005 Protect America Act President

    Bush signs bill to give NSA the right to collect communications without warrant and without court oversight.
  25. @roguelynn 2007 2008 2011 2012 2005 PRISM data collection September

    2007, PRISM data collection began with Microsoft, the first of the PRISM-cooperative companies.
  26. @roguelynn 2007 2008 2011 2012 2005 FISA Amendments July 9th,

    Congress passes amendments to FISA that gives telecoms legal immunity for those that cooperated with NSA’s wiretapping.
  27. @roguelynn 2007 2008 2011 2012 2005 UK’s turn Estimated launch

    of GCHQ’s Tempora program, clandestine security electronic surveillance program after first trialled in 2008.
  28. @roguelynn 2007 2008 2011 2012 2005 NSA Datacenter The NSA

    starts building its biggest spy center in Utah for the purpose of intercepting, deciphering, analyzing, and storing vast swaths of the world’s communications.
  29. @roguelynn ? ? ? ? 2013 PRISM revealed June 6th,

    Washington Post reveals PRISM program, 6 years after data collection started.
  30. @roguelynn ? ? ? ? 2013 XKeyscore revealed July 31st,

    the Guardian reveals the XKeyscore program that has been in use since at least 2008.
  31. @roguelynn • How is “foreignness” determined? • What if foreigners

    and US citizens communicate? • What do words like “backdoor”, “direct”, “intentional” mean? • How is the PRISM-collected data handled? • What analysis is being done on collected data?
  32. @roguelynn • US citizens abroad? • US citizens using services

    abroad? • Are US permanent residents considered foreigners? • Foreign persons/companies using services from US-based companies incorporated abroad? What about...
  33. @roguelynn Recognized effects • 56% less likely to use US-based

    services • 10% cancelled US contracts • Germany forbids future data transfers to non-EU clouds • US economy stands to lose $22-35 billion
  34. @roguelynn Recognized effects • Silent Circle’s voluntary shutdown • Lavabit

    now in court over SSL certs • Wikipedia switches to HTTPS • Silk Road shutdown
  35. @roguelynn Which is it? Does it matter? • Is security

    compromised? • Or lack of government oversight?
  36. @roguelynn As professionals • Use services that are within your

    company’s jurisdiction • DIY-clouds • Know your neighbors
  37. @roguelynn As professionals • Use services that are within your

    company’s jurisdiction • DIY-clouds • Know your neighbors • Encryption
  38. @roguelynn Outlook • How much can we still trust SSL?

    • Do we need to reevaluate CA system? • Reboot our encryption protocols and habits entirely?
  39. – Ralph J. Gleason “No matter how paranoid you are,

    what they’re actually doing is much worse than you can imagine.”