[BuckeyeTexan]

Yes, as a unix sysadmin and DBA, I have root. I’ve been managing the servers and data myself for 20+ years. That was my entire point. The Guardian’s allegation that the NSA has direct access to Google’s (etc.) servers is bunk.

There is no way the NSA has direct access to the servers of private companies. The sysadmins and DBAs wouldn’t allow it. Sysadmins & DBAs are pulling data relative to FISA warrants and putting in on isolated servers where the NSA retrieves it and puts it on their own servers to analyze it.

[PieterCasparzen]

Only difference is room 641A.

It's straightforward, but non-technical folks simply need it layed out in laymen's terms (so I'll lay it out for readers, I'm sure you understand).

If I have a website, it's running on a webserver that has a public IP address, ie., 1.1.1.1, 255.255.255.255, etc. (but not those !).

People could access the website from their web browsers world wide. The browsers send and receive packets of data to and from the webserver; the "route" starts at the browser, goes to the ISP, goes through various ISPs to the ISP of the webserver, then to the webserver.

On the back end, the webserver then could talk to a private network, i.e., behind a firewall, if it's doing secure transactions. If it's just a flat text/graphics website with no interaction, all the HTML may all be sitting on the webserver.

The company that runs the webserver will have their own network(s) behind their firewall, with all their computers on their network. If an unauthorized person accesses their webservers or networks, that's "hacking". Email server(s) will be in their network as well. The company's administrators want to keep it all secure.

But between their webserver and the public's web browsers - that's all under the control of ISPs (internet service providers).

Room 641A (readers, read up on this) is just the idea of going to ISPs and saying hey, we've got a computer room here. Can you take ALL your packet traffic basically splice in Room 641A - so our equipment will get a look at every packet as it goes by.

This will give Room 641A email traffic and every web page that's viewed.

And every system administrator will still have their own networks secure.

Except there's an implicit part of their network - the connection to their users over the internet - which they have no control over.

This is why using encryption (https) is a good thing.

If it's set up well enough, it means that the 641A sniffer has to decrypt on the fly, which requires at least some effort, offering at least some degree of security.

Of course, encrypted data will stand out like a sore thumb, and the "from" and "to" IP address of the packet (i.e., who the user is and the IP the website is hosted on) can be logged for further "looking into".

If the website is public (but uses the encryption of the https protocol), then Mr. Government can simply surf over to the website and see what it is. Ergo, there is no way to have big brother not be able to be using machines to scan everything everyone is looking at and algorithmically categorizing out targeted situations for gubmint people to review. Of course, how efficient the gubmint is at this is mostly limited by the features of the SOFTWARE and CONSULTING the gubmint's contractors propose to the gubmint.

Of course, there is the man-in-the-middle hack attack, typically done in PC malware or on company networks, that also can make the web browswer to web server connection corruptable by hackers. This is why business transaction websites should always use encrypted connections and of course do a good job of it.

[unixfox]

Even if they did not have direct access to the servers they would have access to traffic flowing to and from the servers.

If the data from those servers leaves the LAN then all bets are off.