Right, that's IT: We'll encrypt INTERNAL traffic to thwart NSA - Yahoo

Yahoo! is going to start encrypting its intra-data-center traffic and will offer a similar service as an option to webmail users next year, CEO Marissa Mayer has pledged. "I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever," she …

COMMENTS

This topic is closed for new posts.
Silver badge

The point is?

Really, when the US gov can ask in secret for the data and pretty much compel any US-related business to comply, what is the point in them huffing and puffing and putting in SSL links that, most likely, use a certificate that is from a potentially compromised issuer?

The issue behind all of this is judicial oversight, or more precisely the lack of. We, the public, should expect privacy unless there is "probable cause" for investigation, and that should be properly signed off by a judge after considering the supporting evidence and not rubber-stamped en masse and in secret.

Fix that, USA, and maybe some trust will return. Until then everyone should treat all USA-based companies as fundamentally compromised.

11
0

This post has been deleted by its author

Bronze badge

Re: The point is?

Dear heavens, the masses haven't responded to their leaders' panem et circenses.

Guess it's time for more circenses!

Release the lions!

0
0
Anonymous Coward

Re: The point is?

As well as any company that does business in the USA. The import requirements are the same, you need an import license, and you have to show your stuff to get one!

0
0

This post has been deleted by its author

Re: The point is?

The point is?

Marketing, and there is a LOT more coming - I predicted as much quite a while back.

As others in the comments here have already pointed out, such statements can be comfortably made without any risk of retribution even though they are a tad creative with reality - after all, they are a US company. When (not if, IMHO) they are required to cough up user data they are bound to keep it secret, so if it ever leaks they have done so, they can blame the government for forcing them to keep it quiet.

0
0
Silver badge

NSA gets no free access to our data centers

So they are upset that NSA and friends are tapping into their lines without paying...

As long as the secret court gag orders exist nothing you say is worth exciting electrons over.

5
0

This post has been deleted by its author

Bronze badge

Re: NSA gets no free access to our data centers

Bleh. First, I won't use Yahoo. If I can't use my own, advertisement free client, it's not a mail/messaging service for me.

I use gmail. I also routinely encrypt much of my traffic, even if I'm only sending e-mail to my wife.

For "intercom", I have my own jabber server running in house.

My video camera system is all in house and isolated from the internet (I have a father who suffers from dementia, so I installed those cameras and zoneminder to keep an eye on him).

For crying out loud! Is GPG too expensive? Is running your own software too expensive? Is setting a keyserver up suddenly rocket science to IT professionals?

0
1
Anonymous Coward

Yes, we believe you

Even though you _will_ lie as the powers the FISA act grants you are for exactly this purpose.

What planet do these fcukwits live on? Next they'll tell us there's no child porn cos they've removed it from their index!

3
0
Silver badge
Unhappy

Keep fighting to preserve that trust Marissa . . .

"I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever."

The first response is, of course, that that is not really what people are asking. What does "access to our data centers" mean anyway? What people want to know is if you have given the government access to our data - in whatever fashion.

The second response is best delivered as a question: if the NSA (or "other government agency") came to you with an NSL demanding "access to <your> data centers", and preventing you from speaking about it, what would you say if asked the direct question of if you have given the government access to your data centers? Would you tell people the truth or would you lie to them?

I really do feel for these companies as they are in a horrible position but the simple fact remains that so long as they can (legally) be compelled to lie to their customers and the public, nothing they say regarding these matters can be trusted.

With that in mind, statements like: "There is nothing more important to us than protecting our users’ privacy" are really a slap in the face as there quite clearly is something more important than protecting their users' privacy, and that is the continuation and profitability of their business.

I don't blame them for that stance, but I do very much resent them pretending that that is not the case.

I forgive them the lies they are forced to tell to remain inside the law; I do not forgive them the lies they choose to tell in an attempt to make themselves look good.

7
0
Bronze badge

Re: Keep fighting to preserve that trust Marissa . . .

"I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever."

Quite correct. The warrant is served and Yahoo submits the data. Makes sense, as agents would have zero clue where what is stored and how. Meanwhile, Yahoo admins can trivially copy down the data as needed, install network monitors, etc.

All without any agent of any agency doing more than process serving the warrant.

Just more panem et circenses. Bread and circuses.

Or to use the US vernacular, as most have no clue what the above means, throwing the dog a bone.

Regrettably, a bare, worn out and weathered bone.

0
0
Anonymous Coward

Re: Keep fighting to preserve that trust Marissa . . .

All those data centers, Yahoo's, Google's, Microsoft's, etc. each and all have to send the data through internet nodes or switches or routers in the big sense. That is where the NSA taps into the data. A decade ago, there used to be about 12 of the nodes where all internet traffic flowed. We were working on the next generation of router for the next generation of the internet. The dot com bubble went bust and I moved on. But the router sat ready for deployment. We planned on building 25 to maybe 50, before moving onto the next generation.

At the time, one unit could have handled all the internet traffic of the world, but you need backup and alternate routes for when the cables go down. So all internet traffic goes thru this hardware, and can be sorted and filtered as desired. ps. there is some competition, and it is gaining. My guess is that there is less than 100 nodes that need to be connected to for spying on the whole world for internet traffic.

Google, Yahoo, and others are just noise and part of the plan. They can claim there is no spying on their property and that could be very true. A little research and you might be able to deduce where the spy connections are hosted.

0
0

The sad fact is that we simply cannot trust any American company because they can be compelled to lie to us and are probably quite happy to so long as we do not find out. The public declarations do seem to be complete with weasel words subject to careful interpretation.

What does "access to our data centers" actually mean? It implies that data has never been handed over but it may simply really mean that government agents had no need to physically enter the data centers.

3
0
Bronze badge
Trollface

Don't worry...

I won't be surprised if MI6 is tagged next for spying on everyone in the UK; it is just that the US gumshoes got caught in the act - like no one in America didn't already know they were up to no good. We've been fighting the Patriot Act ever since it came out.

0
0
Bronze badge

It means precisely what it says.

First, consider this: How much effort would it take for federal agents to locate the files/messages of a particular user of a system they never saw before?

Meanwhile, the warrant directs the data provider owner to submit the information.

So, no agent has physically entered the data centers. No need to.

Only the management offices to present the warrant.

0
0
Bronze badge

Re: Don't worry...

"I won't be surprised if MI6 is tagged next for spying on everyone in the UK"

It wouldn't be the first time, nor the last time. I recall a rather interesting habituation during WWII...

Want a small hint? *Every* nation is doing it to various degrees. The leadership of said nations know quite well who is doing what to whom.

Any objections are largely weak or procedure filled in order to provide bread and circuses for the populace, who have absolutely no clue about what happens in the real world.

0
0

"Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever,"

Would that be just US government agencies or does that include GCHQ et al?

Does that also include third party companies hired by any particular government that then pass the data on?

"Yahoo has never given access to our data centers" Does this mean access was just taken?

"our data centers" do they pass the data on to other data centres not owned by them?

Just a few thoughts

0
0
Bronze badge

I can only believe that you have never worked in a data center.

Otherwise, you'd know quite well how confounding a data center is to an outsider and the necessity of the staff to do what you require, lest it take months to years to do so by oneself.

0
0

Secret Courts, Secret Laws, and the cooperation of every TELCO in the country thanks to CALEA equal tyranny on a grand scale.

0
0

It's nice to hear the chief exec confirm the statement her company issued the day after the "revelations" became public. Well done for making sure those doors were locked, Mrs Mayer.

However, I'm still left wondering why/how systems/network designers at - apparently - every major 'Net firm, couldn't be bothered (or - I'll be kind - didn't see the need) to encrypt traffic after it had arrived within their system; but would - fairly obviously from their perspective - be leaving it again so soon?

I did/do systems design (not usually networks, though) so I find myself wondering ... Just exactly what is/was the thought process? Was it:

a) "There's no way anyone can ever get at this data - We rent the cables for our own use only - May as well save the world some elastic-trickery and our servers some processor cycles."

or was it:

b) "May as well leave it all in clear-text, anyone who could get at it can come request the same data anyway"

(And I appreciate that any of the people who were paid to "look after the networks", who were also in a desperate battle against the-Orcsez, might have been a bit distracted)

0
0
Bronze badge

Pity you never studied legal requirements, as every information security professional has to.

Regulatory requirements include backup of data, retention of said data for specific amounts of time for certain data items (such as e-mail and other messaging). They also include court orders and mandatory compliance of IT workers retrieving the data ordered by the court.

I personally handled a few such orders, from both sides of the IT and security aisle for criminal cases. One, I personally handled fully, signing into the chain of custody and all, but that one was a service member stealing credit card information from a service member who was on R&R at our base, literally robbing the poor kid to his credit limit.

Then, the kid learned, there is more than one BOFH in this world. :)

Come to think of it, that kid should be getting out of prison soon.

I wish him well in a more law abiding career.

0
0

ROT13

Yes, they will encrypt with the very strong rot13 encryption algorithm which no one has ever cracked!

"If you tell a lie big enough and keep repeating it, people will eventually come to believe it. The lie can be maintained only for such time as the State can shield the people from the political, economic and/or military consequences of the lie. It thus becomes vitally important for the State to use all of its powers to repress dissent, for the truth is the mortal enemy of the lie, and thus by extension, the truth is the greatest enemy of the State.”

--Joseph Goebbels

2
0
Anonymous Coward

Too funny, this public posturing about encryption enabling... but no mention of the Fed regulatory issue from the NSA that requires all encryption schemes being registered with them. This promotion is all a smoke screen by the industry to get us to believe that our data will now be encrypted beyond reach of the NSA. Ain't happening. You have already seen the earlier story about getting in bed with encryption teams.

We encrypt our video data from security cameras to keep the "A-Team" or "Mission Impossible Team" from hacking the videos. But the NSA requires us to provide the keys so that they can. If we do not, then there is no export license and we cannot sell overseas. Also, there is a ban on interstate commerce, so we can only sell in the state it originates in. And that means we cannot transfer the knowledge across state lines unless approved by the NSA - unless we comply by revealing the keys.

All this blustering and posturing by the big guys is pure BS meant to mollify the public into trusting them once again with the 'cloud' business model, which is the government's model to track everyone and everything. A few good search algorithms, and you can catch anyone at anything they are up to...

4
0

Who cares ?

IMHO this is, for the majority of people, a non issue because they don't comprehend the issue, have better things to do or as a US colleague I was talking to last week believes, there are so many bad guys out there that there is the need for the government (the good guys) to do whatever it takes to keep him safe.

As for CEO Marissa Mayer's comments, they are just PR to the semi-literate on the subject; the NSA doesn't need access to her datacentre when as AC indicates, they can just tap into the IXPs. We just need to accept that governments have unlimited resources and expertise so anything we do on the internet can be traced. The same goes for the commercial organizations we give our data via our usage and buying habits; that's before I get started on 'loyalty cards'.

If you really are that paranoid then you should stay as anonymous as possible starting with getting off the internet.

0
0