CNET: Feds Put Heat On Web Firms For Master Encryption Keys
First time accepted submitter fsagx writes "The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users' private Web communications from eavesdropping. These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users."
I know this is an important issue, but didn't we just do this exact same article yesterday?
http://it.slashdot.org/story/13/07/24/1812227/anonymous-source-claims-feds-demand-private-ssl-keys-from-web-services
From TFA.. "Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner Cable, and Comcast declined to respond to queries about whether they would divulge encryption keys to government agencies." Now you know who is coughing up to the NSA..
Have you fscked your local propeller head today?
I wanted the first post saying it was a dupe!
Anonymous Source Claims Feds Demand Private SSL Keys From Web Services
Posted by Unknown Lamer on Wednesday July 24, 2013 @02:41PM
from the world-wide-fool-proof-cage dept.
[shakes fist at rsmith-mac]
Congress agrees: Americans no better than foreigners, spy on everyone!
Fuck the NSA.
"The government's view is that anything we can think of, we can compel you to do."
Seems pretty spot-on. Unless people challenge these illegal activities, they'll just keep on and on.
After all, they have pretty-much unlimited resources compared to most private entities, and no real pressure to justify their usage.
Your tax dollars at work.
I am aware even ingame chats are monitored.
That includes WoW, Steam etc.
If they can get the keys, then they don't need to use PRISM, they can grab the data upstream.
It lets them hide the PRISM surveillance, Google/Yahoo/Facebook/DropBox etc. no longer gets to see the volume of requests, it is hidden. US companies can claim, with some degree of truthiness, that they no longer deliver data to PRISM requests, as if the program has been ended, because they no longer see the requests or get to challenge them. In fact surveillance had been expanded to all https traffic.
They gain 'plausible deniability', and NSA gains 100% surveillance of their https traffic and the ability to man-in-the-middle at will, by simply using their connection upstream. NSA also removes the problem of companies challenging the intercepts.
The fix is to avoid US based services, either their servers are compromised by the NSA, or their keys.
More difficult is if NSA has signing rights from the US certificate authorities. Most of these are built into your browser. I tried deleting them from Firefox but it was not possible. With those compromised NSA can sign *foreign* traffic and man-in-the-middle intercept it even though both ends of the conversation are outside NSA control.
The fix there is to avoid traffic being routed across NSA controlled territories (USA/Canada/UK/NZ/AUS). So if it crosses the UK they record everything and the private keys will let them record all https traffic too. A lot of backbone crosses the US, and a lot of European traffic crosses the UK, so France to Germany might cross the UK, and Germany to Japan might cross the US.
Seems like a PR stunt:
1) NSA gets caught spying on everyone
2) NSA makes a big public show of asking for encryption keys from telecoms, implying they haven't been able to read as much traffic as previously thought.
3) Telecoms of course refuse after rallying together.
4) NSA is foiled! We all believe we have security again because the NSA can't read our encrypted e-mails!
5) NSA goes back under the radar.
Bullshit. If the US government wants to break standard encryption, they have the resources to do so. At best, the telecoms crumbling under this demand would only reduce the required resources to spy on us.
Every telecommunication company that operates within the United States is required by law to provide law enforcement access to communication streams on demand. It's called CALEA and all telecommunications companies are required by law to follow it.
CALEA also requires that encrypted communications be decrypted. This includes services like Skype (specifically). CALEA requires that Microsoft provide law enforcement access to the UNENCRYPTED streams of Skype communications, on demand. This is not new and, in light of the House vote yesterday, is not likely to change.
Seem like the better option now. At least you know what the CA has done with the master key.
Join the Slashcott! Feb 10 thru Feb 17!
https://xkcd.com/538/
god dammit, i pray to heaven that terrorists or anyone will nuke those sorry fuckers.
I imagine this has crossed (or should have) the minds of a few people here, is there any "credible" advice about the theoretical process and the best/least-worst practical actions to take if you're approached by your friendly local domestic intelligence agency and told to pony up your company's private keys (for example) along with the explicit instructions not to inform anyone else, ever? For the record I'd like to declare that I've never been in that or any similar position.
Regards, Phil
Total Information Awareness, championed by Admiral John Poindexter, former United States National Security Advisor to President Ronald Reagan, a one time felon over Iran-Contra (overturned on appeal), wanted to do much of what the NSA is doing today. When the details of TIA became public there was an outrage and the plans for it had to be scrapped. Or were they?
The point is this: the public (voters) say "no" to these things... and they just sneak around our backs and do it anyway. Saying "no" once is not sufficient. If, as a citizen, voter, and patriot you believe that these ideas are bad you need to say "no" repeatedly, early, and often. Once whole bureaucracies are constructed to serve a bad aim it is difficult, and perhaps impossible, to stop them.
As U.S. Supreme Court Justice Louis Brandeis once said, "Sunlight is the best disinfectant." With all due respect to Justice Brandeis, if some of these bad ideas do survive, though, it might be more because of public exhaustion than of public acceptance. Or, more simply, perhaps once a secret bureaucracy gets big enough in the darkness there is no way to kill it once it comes into the light. Even sunlight has its limits.
The good news is that if the web servers use forward secrecy in the SSL encryption ( https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy ), then an attacker who has the private key is not able to decrypt a connection he has passively eavesdropped on. An active man-in-the-middle attack is required in order to listen in on the connection.
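The difference forward secrecy makes to recorded traffic, as an added example that is not part of the original comment or of any real TLS stack: a toy key exchange in which the RSA primes, the Diffie-Hellman group and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; far too small and structured for real use.
P, Q = 2**127 - 1, 2**89 - 1           # server's long-term RSA primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # long-term private exponent (the "master key")
DH_P, DH_G = 2**521 - 1, 3             # toy Diffie-Hellman group


def kdf(secret: int) -> bytes:
    """Derive a session key from a shared secret."""
    return hashlib.sha256(secret.to_bytes(66, "big")).digest()


def share_digest(share: int) -> int:
    """Hash of a DH share, reduced so the toy RSA key can sign it."""
    return int.from_bytes(hashlib.sha256(share.to_bytes(66, "big")).digest(), "big") % N


def rsa_key_transport():
    """No forward secrecy: the client encrypts the premaster secret to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    transcript = {"encrypted_premaster": pow(premaster, E, N)}
    return transcript, kdf(premaster)


def ephemeral_dh():
    """Forward secrecy: one-time DH keys make the secret; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 3) + 2    # client ephemeral, discarded after the session
    b = secrets.randbelow(DH_P - 3) + 2    # server ephemeral, discarded after the session
    client_share, server_share = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"client_share": client_share, "server_share": server_share,
                  "signature": pow(share_digest(server_share), D, N)}
    return transcript, kdf(pow(client_share, b, DH_P))


def signature_valid(transcript: dict) -> bool:
    """The long-term key's only job in the DH exchange: authenticate the server share."""
    return pow(transcript["signature"], E, N) == share_digest(transcript["server_share"])


def recover_with_long_term_key(transcript: dict, d: int) -> list:
    """Session-key candidates a passive recorder can derive once d is disclosed.

    Applies the private-key operation to every recorded value. For the DH
    transcript the real secret is g^(ab), which needs a or b, not d.
    """
    return [kdf(pow(value % N, d, N)) for value in transcript.values()]


if __name__ == "__main__":
    for name, exchange in (("RSA key transport", rsa_key_transport),
                           ("ephemeral DH", ephemeral_dh)):
        transcript, session_key = exchange()
        exposed = session_key in recover_with_long_term_key(transcript, D)
        print(f"{name}: recorded session exposed by key disclosure = {exposed}")
```
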
This is why such services that let users store data in their "cloud" should enable user-specific encryption keys - the user's public key encrypts the data, and ONLY the user's private key can decrypt it. Then if "authorities" want access to the data, they would have to ask each and every user for their key. Sure, as in I'm convinced I would do that!
Sometimes, real fast is almost as good as real-time.
All the movies/shows that use the repeating day theme are PKD ripoffs.
Then why hasn't Dick's estate sued?
Is there any external mathematical difference between "we need to spy on terrorists" and "we are going to spy on political opponents"? How could we tell?
- "Trust us" is used in both situations.
- "We have processes in place" is claimed in both cases.
- Alarms don't go off if an agent listens in on a call without a warrant. See first two points?
I suppose we should rely on historical experience of how governments operate. Oh oh.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
What I wish....
FED, "Give us your encryption keys"
CORP: "EAD, DIAF!"
Reality....
FED: "Give us your encryption keys"
CORP: "Why?"
FED: "To fight terrorism, you are not harboring terrorists are you?"
CORP: "Here's the keys, would you also like the keys to the bathrooms and the filing cabinets?"
Do not look at laser with remaining good eye.
If you are relying on a service with a master key for security, you have no security. This is true regardless of whether the government has access to those keys.
And Obama sided with the extremist in the Republican party to keep the surveillance of US citizens.
This block of data is all American data, who called who, when where they were (cell tower triangulation), their subscriber id needed to link it to their name, bank etc. If it includes the cell tower handshake data (almost certainly true), then it's the location of where you are even when you're not making a phone call. Simply having your phone with you, means it's handshaking with towers as you move around, marking your position and that's metadata too.
No question that this is domestic surveillance, no question that it's unfiltered, and it's only about a terabyte of data a day (300 million * 40 calls a day * 100 bytes estimated) so it's only a tiny tiny portion of the data NSA is capturing.
The claim it is anonymous is false, CDR metadata includes the subscriber ID needed for telephone billing which links to the identity of the person.
I bet Senate was told three lies:
a) It's anonymous, which is untrue because the id is in the CDR.
b) I bet they were not told about the location tracking, even when you are not making calls, courtesy of the tower handshake the phone does as you move around. This is a lie by omission.
c) That there is judicial protection in place on these. There isn't, the FISA warrant was supposed to separate good and bad intercepts, capturing everyone's data necessarily captures both good AND bad.
Since Gen. Alexander & president Obama did "last second 'lobbying'" http://www.huffingtonpost.com/2013/07/24/justin-amash-amendment_n_3647893.html ONLY - & yes, I strongly suspect that of those mere 7 votes, the ones that sent it over the top were coerced. After all, nobody's going to tell me that J. Edgar Hoover style blackmail tactics or bribes/favors (ala lobbyists, since that is all that really is with another term assigned to it) didn't take place. Nobody in their RIGHT MIND likes this stuff going on, period. Nobody. Clapper & Alexander outright LIED to congress (twisting words using DIRECTLY, just like how they CLAIM there is no easy CENTRAL way to query their own mail but they do it to everyone else - I found that hilarious & disgusting, since mail is really DBMail and to select/insert/update/delete into those, you NEED to have abilities for that... What they told us, unless someone can show me otherwise, is total bullshit. Hypocritical bullshit). It's wrong. Just like screwing with protesters was. Just like the IRS used against political opponents of the current regime in office. I started looking at all of this madness & lunacy and just was utterly disgusted. Most folks, are. This is insane. Truly insane. Why does this concern me and it should you all as well? I was told decades ago by a history professor of mine in collegiate academia this: "Totalitarian regimes start with 'little laws' they pass, getting an inch, & reaching for a mile: Before you know it, you are Nazi Germany/Soviet Russia USA: DO NOT THINK IT CANNOT HAPPEN HERE" & even former President Carter feels the same http://now.msn.com/jimmy-carter-says-the-nsa-has-eliminated-a-functioning-democracy I used to think HISTORY was a waste of my time then. That was until I figured out that the "powers that be" use it as a guidebook for scamming the populace. 
Polishing up the mistakes those that set the pattern for what they're doing messed up on, & just trying it again, often a generation or two later. These guys have to be reined in. No questions asked. Why? "Absolute Power Corrupting Absolutely". Sooner or later, that kind of power goes to ANYONE's head and they will abuse it. Heck, they lied to Congress, nothing was done. The head of the IRS didn't lose her job either. I suspect that Clapper, Alexander, & the IRS head told Obama "Pal, you fire me? I will let the dogs out on the FACT you gave ME THE 'GO-AHEAD' to do these things and I will take you down with me. Try it!". That's how "politicians" operate. Thuggery, bribery, etc. and the USA isn't happy either http://firstread.nbcnews.com/_news/2013/07/23/19644154-nbcwsj-poll-faith-in-dc-hits-a-low-83-percent-disapprove-of-congress?lite and I certainly didn't see their machinations stop the Boston Bomber either. The trade off/cost-benefit ratio of effectiveness vs. actual criminals with their bogus programs is far outweighed by the potentials for misuse. As far as misuse of powers? See just SOME of the examples above that make folks have that all-time low faith in government. What they're doing is dangerous to us all, no questions asked, & fits the pattern described to me by my former history Prof. (smart man, he left a real impression on me back in 1985 with that statement quoted above in fact. I never forgot it, but felt then as a young man it was bullshit... funny how his words are coming to pass now, nearly 30 yrs. later).
APK
P.S.=> Quotes from that article: Conyers said the lobbying "was heavy. They were very worried about it." But, he added, "the fact that they won this narrowly means they still are worried -- because this thing isn't over yet. This is just the beginning." ... They ought to be w
GPG is your friend. More people should use it.
But then you'd have to get your key signed. And to extend your web of trust outside your hometown, you'd have to fly to a key signing party elsewhere, get your junk touched, and still worry about what information airlines share with the spooks.
you've managed to make me feel sorry for the poor saps that have to spy all day on us
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I know this is an important issue, but didn't we just do this exact same article yesterday?
http://it.slashdot.org/story/13/07/24/1812227/anonymous-source-claims-feds-demand-private-ssl-keys-from-web-services
The editor is timothy, so what did you expect?
Our two party system only works where the two parties are not the same.
I've said it before, and I'll say it again...the left-leaning half of the Ruling Party is no more, or less, virtuous than the right-leaning half of the Ruling Party.
The only real difference between them is how they want to kill us. The left want to smother us in a stifling nanny-state bureaucracy that'll collapse under its own weight, and the right want to abandon us to fend for ourselves. The latter is more sustainable, but either way we die a miserable death.
"Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
Instead of using HTTP for both authentication and key exchange, I suggest it be used ONLY for authentication. After authenticated, then random PKI keys be generated by the client, and the public key for that be sent to the server.
When the session ends, both public and private keys be dropped by the client.
For the NSA it would make access to the private keys impossible.
Relative to the status quo many years ago, of course, I agree. Relative to the last couple months of news, no, it is not. Think of it as a "Man in the .. uh .. at the Endpoint attack." This isn't any different than NSA's demands of getting the decrypted plaintext from various services. Of course it's bad and there's no reason our government should be doing it, but: at least one of the two parties in the conversation knows about it. This is extremely different than the risks that come about when people speak plaintext on the Internet, where no party in a conversation knows what has been passively intercepted without leaving behind any evidence of their crime.
That said, the above parties which are basically admitting guilt, should be prosecuted for fraud if their sites or proprietary services contain any sort of statement that it's "secure" due to the encryption, since they definitively know that by giving away their keys, the communications were not "secure" by any reasonable definition of that word. They knew for sure (without any doubts; it's not even a question of reasonably small risks) that the plaintext could be recovered by eavesdroppers. It would please me if the above organizations' equity were completely wiped out by punitive fines for their knowledgable participation in premeditated fraud.
""Strongly encrypted data are virtually unreadable," NSA director Keith Alexander told (PDF) the Senate earlier this year." Hmmnnn, should I trust what the Emperor of the NSA, who has directly lied under oath numerous times, is saying? I have no doubt that if the companies don't provide those master keys (seems many if not all of the big ones won't do this), this intelligence empire would just obtain them illegally via direct attacks and/or people on the inside of these organizations.
Forgive my naivete, but how can there be a "master" encryption key that decrypts everything? If such a thing existed, there would be no point in encrypting anything.
I thought the whole point of hashing encryption algorithms was that there could be no such thing as a "master" key.
..no takers on THAT bet....too much like a sure thing.. BT (our biggest ISP and our biggest telecoms company) regularly spreads its legs for the government, so I would bet BT handed the keys over at the first hint.. So now anyone in government who doesn't like your face can make your bank accounts say whatever they want. We're all doomed.
"Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
All the other so-called terrorists are pretenders.
Bradley Manning and Edward Snowden are heroes. I salute their courage.
It would explain a lot.
Can the FBI or a spooktacular TLA simply request a US based CA hand over private keys used to generate an intermediate signing key?
If not why? Is the CA's "private key" not a "tangible thing" and I could imagine it would be quite helpful to a great number of "authorized investigations".
Planet scale trust anchors are an oxymoron anyway I suppose.
All the commentary I'm reading about this just talks about using it to decrypt captured traffic. One aspect I've not seen anyone address yet is this: wouldn't this allow them to spoof the services in question, and just capture any data they want directly? If you have someone's server certificate (which the server will give you freely), and the corresponding private key, you can set up a server which looks exactly like the real, say, gmail.com, legit certificate signed by a trusted CA and all, and capture unencrypted data to your heart's content.
Maybe that's what the government wants those private keys for? It would completely sidestep the issue of forward secrecy. To me that's even more scary than the possibility that they may be capturing encrypted traffic and using these keys to decrypt it...
"Apple, Yahoo, AOL, Verizon, AT&T, Opera Software's Fastmail.fm, Time Warner Cable, and Comcast declined to respond to queries about whether they would divulge encryption keys to government agencies."
I'm sometimes surprised at big companies cozying up with big brother. This might help get them some favorable legislation and tax breaks, but it comes at the expense of international credibility. If I worked at a company in Europe, I would have second thoughts about purchasing software from a US vendor with backdoors for the US government. Same goes for cloud service providers where the US government could issue national security letters and read all my data without notifying me. I don't know how this kind of policy could be good for Silicon Valley in the long run.
Just revoke them as soon as you hand them over, issue a new key and wait for the next request... Rinse. Repeat.
This is eerily reminding me of the fall from power the Roman Senate experienced at the end of the republic.
I now could foresee an actual revolution. Not saying it is going to happen, but of all the possible roads we could travel, the probability of this particular road being taken has dramatically increased, imho.
And not a revolution of blood - that could also happen (there are *a lot* of crazy people in the US all of sudden) - but of the people finally rising up to the challenge of voting for candidate representatives for their district who actually represent them, and following up on what their representative is actually doing!
I am slowly seeing it start to happen in mainstream media, and I mean slowlyy, but I do see it; They are finally, barely starting to realize what the majority of their viewers actually believe and not all this bullshit. Albeit, the recent come back of Palin "the contributor" to Fox and Friends has cast a darker shadow...
I still have hope we will wake up... Eventually
Stealing an idea isn't infringing, only the concrete expression of that idea.
That depends on where the judge chooses to draw the line in each particular case between what is idea and what is expression. For example, judges have drawn that line in different places for APIs (Oracle v. Google) and business software user interfaces (Lotus v. Borland) compared to video games (Tetris v. Xio).
Although companies may refuse to hand over keys, nothing prevents employees with access to the keys from turning them over secretly to the government; perhaps as their perceived patriotic duty.
This is how intelligence collection has traditionally worked.