NSA Foils Much Internet Encryption
An anonymous reader writes "The New York Times is reporting that the NSA 'has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show. ... The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.'" You may prefer Pro Publica's non-paywalled version, instead, or The Guardian's.
For awesome powa
A feeling of having made the same mistake before: Deja Foobar
I love my country.
I wonder if their list includes SSH
I believe the "working with industries to install backdoors" part, but the cracking internet standards encryption? Nope. The report doesn't even say what they are supposed to have cracked, only some nebulous "widely used internet encryption". Do they have a ton of computation power? Yes. Do they have some magical break on AES that no one in academia knows about or can even fathom? No. Just some FUD.
back to 1234.
From Bruce Schneier: here and here.
Also a nice call to arms here.
"I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better."
grammar-lesson free since 1999. (rescinded - 2005)
1. The NSA actively worked to gain control of standards processes and subvert them.
2. The NSA covertly employs people in telcos without the knowledge of the telcos.
The sound you hear is the sound of the last 20 years of work in academia and industry, on standards and code, on processes and procedures, quietly disintegrating.
The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions [...] .
Yet, the article does claim this:
"Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.
But they also quote Snowden that:
"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on," he said before warning that NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.
Maybe we still have some hope?
All the leaked evidence suggests otherwise.
"Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”
So much for having your source open. It takes time to find bugs even in standards that guide the way software is written. How many people are out there who are qualified to find such issues in the code?
Schneier's related call for engineers involved in creating backdoors to develop a conscience: http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
The NSA invented using computers with faster processing power to crack encryption?! I'm absolutely stunned that such a fine federal level agency has discovered such a feat with only the use of a giant budget.
When writing finite bits to the disk sector, there is a finite probability that the resultant string of randomised bits MAY in fact generate something incriminating.
For example: (regardless of how unlikely this may seem), any string of random characters may well create a brand new wordfile on the computer by pure chance .. which contains legible words, which string together to form sentences which may in turn connect the previous owner of the hard disk with Al-Qaida, the Mafia, insider trading, un-patriotic activities, Linux 'development', or any manner of unsavory activities.
The larger the hard disk being randomly 'wiped' in this fashion, the greater the probability that some new and undesirable content would be created by chance.
I for one would NOT place my trust in such a tool, risking a lifetime of torment in Guantanamo Bay in exchange for the 'security' of having my hard disk cleaned prior to resale.
The solution ? One should purchase a new copy of the Windows 8 for the said hard disk, and install this on the disk. This would effectively wipe clean the disk of any previous content. The disk could then be disposed of cleanly, with a note that the new owner must purchase another legal copy of the Windows 8 before installing the disk.
In this situation - everyone wins.
--
BMO
So I'm left with the impression that the NSA will add features in return for improved access.
SELinux comes to mind as a gift from the NSA to the Linux community. A gift with a hidden payload.
Hmm.... We can call it Trojan Linux. Ribbed for your pleasure. The ultimate in back door penetration.
No need to worry, actually telling companies of these vulnerabilities and helping to secure all of global commerce isn't a goal worth pursuing as long as the US can spy on people. The billions of dollars lost every year to theft, botnets, and other such attacks are of no consequence. Nor are revelations of spying and the loss of billions of dollars in US-dominated cloud infrastructure and operations of any consequence, so long as a handful of terrorists can be claimed to be caught. You might have a low-paying temp job, if any job at all; because of global economic effects, more people will starve to death and die of disease because they can't afford food and medicine otherwise bought with jobs created by a better-performing economy. But you'll be a tidbit safer from potential terrorist attacks! Have a nice day, citizen, and remember, you'll only be directly affected by all this if you're Muslim or know anyone personally at the NSA, because they're probably spying on you.
The NSA has done over 100,000,000 million legal searches.
From all the leaked records, 22,000 are questionable. Those 22,000 lie everywhere between needing a judicial interpretation and blatant breach.
The leaks also show NSA's number one whistleblower to the courts is the NSA. They report them and correct them.
Not to excuse their blatantly illegal searches, but to think the whole system is some corrupt entity that's out to get everyone is simply wrong.
No evidence supports that at all. We have a lot of hope because none of the evidence shows it to be nearly as bad as the media claims, and certainly nowhere near what the chicken littles on /. claim.
The Dunning-Kruger effect explains most posts on /.
Code breaking.
That is sort of what their stated mission is.
Not that i believe the premise of the article.
Which encryption, and more importantly how long does it take?
(offtopic)
Shouldn't it be "NSA foils a lot of encryption" or "NSA foils most encryption" instead of "much encryption"?
It don't sound right to me.
/
"from the do-your-taxes-buy-civilization? dept"; are we referencing slashdot users sigs in the by-line now?
"Kill 'em all and let Root sort 'em out"
Does anyone really find this surprising? Wasn't it a few years back that the NSA told the banks that 128-bit encryption was perfectly safe, but mandated that the military switch to 256?
So now they've created a high value job because of the level of information access and made breaking the law classified on top of it!!! Next they will be hiring directly from minimum security detention facilities.
The picture on the guardian site mentions:
CA Service Requests (certificate authority)
Now the question is: what is hardware-accelerated decryption? They would not need this if they had the keys. They must have a weakness in SSL in its current form, one that lets them quickly get at that session's encryption, and if it cannot be broken in real time, then the encrypted data is saved for later.
Back around the year 2000, Microsoft had a long quote on everyone's Windows XP updater emphasizing that encryption was so strong that it would take the age of the universe and all the energy in the universe to decrypt 128 bits.
surely there should be a ripe market niche for some smart geek to 3D print arduino-controlled quadcopters to facilitate key exchange. hmmmm... hold on, still a few bugs to be worked out...
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
The NSA can crack 4096-bit PGP keys? I doubt it. Seems like FUD to dissuade people from even attempting to use encryption
I never even changed away from that
From ProPublica:
In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.
Who else remembers the debacle about the government no longer purchasing Lenovo computers? I remember some people saying that if the U.S. government is making all this fuss about it, they're probably the ones doing it.
This seems to indicate those people are correct.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
Bah, that's easy.
With MY algorithm, you don't even need to transmit the message to me, I can just generate it locally.
Heck, that's faster than the speed of light, time to fire up the patentbot9000 again!
They claimed it was "China". Now we know the truth.
My guess is for most of their easy-mode access, they are actually using a rootkit of some sort to simply pass along whatever they want before any encryption is applied.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
"A 10-year NSA program against encryption technologies made a breakthrough in 2010 which made "vast amounts" of data collected through internet cable taps newly 'exploitable'."
The Slashdot article last month about RSA encryption failing in 5 years may in fact be behind the times. The only things that come to mind when reading the above blurb are a successful attack on 3DES, AES, RSA, or Diffie-Hellman.
Here's what I found in the article.
N.S.A. documents show that the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages. If the necessary key is not in the collection, a request goes to the separate Key Recovery Service, which tries to obtain it.
How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored. To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal means. “Approval to release to non-Sigint agencies,” a GCHQ document says, “will depend on there being a proven non-Sigint method of acquiring keys.”
So various agencies hack companies' servers to obtain their private keys. Those keys get stored in some central NSA database and are used later to decrypt messages. That would indicate they didn't break all the encryption algorithms, but are getting around them via other means. Of course, it does sound like the NSA has backdoors in other protocols which let them get in. That part has been known for years, but hacking companies' servers sounds like something new. And probably illegal.
Over the past few years I have read about mind-boggling exploits in protocols WEP, WPS, and now IPMI. I have always thought it was either "idiot programmer who doesn't understand security 101" or "NSA". I think it's fairly obvious that a number of these things probably are their doing. Wonder if they are legally liable for the cost imposed on others to fix/repair/restore?
There is ZERO 'magic' cracking of encryption algorithms by the NSA. There are ZERO magic supercomputer facilities breaking into encrypted data that the informed community considers mathematically secure.
The NSA gets into people's data the same as everyone else- weak encryption- weak passwords- NSA backdoors in ALL significant commercial software- NSA backdoors in ALL major significant 'open-source' projects. You know, the usual age old methods of SPYCRAFT.
The NSA also spends tens of millions of dollars every year in propaganda stories like this one promoted by the owners of Slashdot. They are designed to weaken the resolve of users to use BEST PRACTICE. Make a thing seem 'pointless' and plenty of people won't take it seriously in the first place.
NSA full surveillance is NOT about slurping every piece of electronic data; it is about slurping almost every piece of data, and improving the dirty methods used to slurp data naive users think is secure in some way, including commercial encryption from Microsoft or Google. Compare with the NSA spy platform, Bill Gates' Xbox One. Will every idiot that buys this console set it up for optimal NSA spying? Of course not. The NSA is happy with the 95% of owners who will leave Kinect attached and the router connection permanently on. After all, the NSA can't get into the living rooms of those that DO NOT buy the Xbone, can they?
Strong encryption defeats everyone. Deleting your HDD data properly (over-writing with 'trash' files full of random data) defeats everyone. The monsters that rule over you do NOT have access to 'magic' (even when you define 'magic' as significant secret technology). The NSA fear P2P end-point encryption above EVERYTHING else. P2P end-point encryption no more protects serious criminals than any other method (you become a target, and they'll watch you enter your password if necessary). But if ordinary users moved to such protected methods, the default slurping of ALL our available data would end.
PS we are seeing how Snowden, just like Assange, is a carefully managed FUD operation. Both men were purposely given access to large amounts of 'data' that is both laughably false and serves the interests of those that rule the West. The three-ring circus legitimises the 'leaks' from the manipulated dummies in the minds of the sheeple. And for those of you too thick to know anything of your History, the British were the masters of exactly this ploy during the time of WW2. The degree to which false information created by the British manipulated the Nazis is one of the most astonishing events in Human History. The pen is infinitely mightier than the sword, and 99.9% of you here have no critical faculties whatsoever. To fool you (given a fraction of the black ops budget of tens of BILLIONS that the intelligence operations of the West spend every year) is actually easier than taking candy from a baby.
Glad I live in Canada, hold on, someone's knocking on my door...
I've got better things to do tonight than die.
The CAs' public keys come with your browser (or SSL client; it could be a web server or another piece of software). If you sign your own, the problem becomes distributing the keys.
Also it is trivial to stop the server with your private keys from serving authentication requests. Governments will say terrorism, national security or one of those scary words and no judge will try to defend your rights; as shown in the UK, they will even widen a narrow law to suit the needs of the security and/or intelligence bodies.
We are really fucked.
IANAL but write like a drunk one.
By any stretch of the definition it fits the pattern as an organization that has a harmful, if not outright destructive, impact on the stability of the country and its relationships to other countries.
But probably they already have more than enough dirt on any politician to keep them in line. It's kinda scary if you think about it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Between two individuals:
It seems to me that encryption based on a shared private password and then encrypted again with public/private key encryption gains you the best of both worlds.
Won't somebody think of the children!
that the NSA can do this, doesn't this constitute the breaking of a digital lock? Didn't America force a DMCA upon the entire world to prevent this from being legal, and isn't it a double standard to allow the NSA to undertake the very activity the rest of the world has been forbidden to attempt?
How To Securely Store Data
Encrypt your whole fucking drive. Don't use Bitlocker or any hard drive manufacturer's built in shit that stores the key anywhere.
For instance: http://www.truecrypt.org/
How To Securely Transmit Data
Encrypt it your fucking self before you send it. Send the key separately, securely.
For instance:
Install 7zip
Right click the file you want to transmit
Click "Add to archive..."
Archive format: 7z
Compression level: Whatever you need / want (I almost always use Ultra)
Compression method: LZMA2
Enter a secure password
Encrypt file names if you want
Click OK
Then distribute the file however you want. Transmit the password to the recipient in person only.
...is why I'm a conservative.
This is the harvest we reap by sowing the seeds of big government my liberal friends.
I'm a bit off topic but... Just as information is shared with the DEA, it will probably also be shared with major media companies and the **AAs. They spend a lot of money in D.C. and "piracy" is on an equal footing according to them. The media companies say it is illegal to break their encryption or bypass DRM; explain to me again why it's OK to break mine? Seems like fair game when the authority engages in the same behavior they would punish you for (see Parenting 101).
"Kittens give Morbo gas!"
It's like my 100% encryption, but at 100% loss kinda lossy, too...
Cracking today isn't required. They'll save the data for a future time when the suspect (we're all suspects in today's world of universal snooping) will be investigated for anything at all. By then the computers will crack today's encryption much faster. Yes, you can be afraid now.
It's probably too late to do anything about our totalitarian police state through regular political means. Unfortunately, if it's going to be stopped, and rolled back, it's going to mean that some people are going to have some very bad days.
Let's hope that more courageous whistleblowers step forward. I have a feeling that citizens will get motivated to address this issue head-on much sooner than most people think. Yes, we like our creature comforts, but human beings can get pretty obstreperous when they learn they're being watched all the time, notwithstanding any possible good intentions by the snoops-in-charge.
You are welcome on my lawn.
The raw document provides some more details but remains not especially explicit.
"The fact that NSA/CSS has some capabilities against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL, and other network communication technologies".
Capabilities are defined here as NSA/CSS ability to exploit a specific technology. This may encompass acquiring and processing plaintext data and/or acquiring, decrypting and processing encrypted data.
So do you want the NSA to break Syria's encryption about their chemical weapons attacks?
Or do you prefer we not know that the Syrian government uses chemical weapons to kill civilian populations, affecting public policy?
Which social contract would you prefer government to break? the "Government shouldn't know private activities of foreign governments" or "Government shouldn't allow foreign governments to kill civilians"?
If your privacy is important, then you think that means your government shouldn't monitor foreign communications, correct? And that means you think it's ok for foreign governments to kill civilians as they please? And if you think foreign governments should be allowed to kill civilians, then I guess you don't donate to charity either? Why would you want to help other people, after all?
You can pick either charity or privacy, but you can't have both. Sorry. That's because bad guys have power, and you need more power to overcome those bad guys for the purposes of charity.
So charity or privacy? What's it going to be?
Won't somebody please think of the civilians!
All else aside, if you think the NSA breaks codes in order to prevent civilian casualties, or for "charity", you have another thing coming. They do it to provide intelligence to the US government to facilitate furthering its national interest, in whatever form that may take. And if you think civilian casualties or chemical weapons are the actual reason we are considering whether or not to attack Syria, you have yet another thing coming.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
Whatever. I've got a write only disk. Doesn't need encrypting.
...to stop them reading my thoughts.
"Government shouldn't allow foreign governments to kill civilians"?
Incidentally, that policy also applies to the Syrian government versus the US. Cos', you know, the US is a foreign government and airstrikes would surely also kill civilians.
Also, your entire post is a false dichotomy.
I don't think the NSA has to break actual keys brute-force, but with information leakage it has been shown that data can be sussed-out of an encrypted stream (particularly an interactive one). Given sufficient leakage of known quantities, keys can be broken in much less time.
As we've seen just recently, even something as innocuous as HTTP compression over a SSL link can result in serious information leakage by anyone monitoring the size of the payloads.
Encryption streams, in general, require additional random data to be inserted into the stream and for the salt to be continuously modified (i.e. feedback) to remain strong. If one does neither of those things then the information leakage increases to the point where the keys can be broken without spending years of cpu cycles.
-Matt
There are a surprisingly large number of public key generators with weak random number generators:
And those are the ones we know about.
For open source systems, the person or persons who inserted the weak code should be identified and kicked off the project. It may just be incompetence, but that's a good reason to keep them out of security-critical areas.
Weak keys don't just let the NSA in. They let the People's Liberation Army of China in, too.
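The example below is added here (not the poster's code) to show why weak randomness is fatal for RSA in particular and how cheaply it is exploited. It models the failure that the 2012 large-scale scans found in the wild ("Ron was wrong, Whit is right" by Lenstra et al., and "Mining Your Ps and Qs" by Heninger et al.): on headless devices the first prime was drawn before the RNG had any real entropy and the second after, so many devices shared one prime while the other differed. Two such keys fall to a single gcd, and Bernstein's batch gcd (a product tree and a remainder tree) does it for a whole population at once, which is how those scans checked millions of keys. The 64-bit toy primes, the boot-seed model and the Miller-Rabin routine are assumptions of the example.

```python
# Added example: why weak randomness in RSA key generation is fatal even when
# the math is sound, and how cheaply it is exploited. Models the 2012 finding:
# the first prime comes from a barely-seeded RNG, the second after fresh
# entropy arrives, so devices share p but not q. The 64-bit primes and the
# seed model are assumptions of the example.
import math
import random


def is_probable_prime(n, rounds=16, _rng=random.Random(1)):
    """Miller-Rabin, good enough for a demo (not a substitute for a library)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(rng, bits=64):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def good_keygen(rng, bits=64):
    """Both primes from one well-seeded RNG."""
    p = random_prime(rng, bits)
    q = random_prime(rng, bits)
    while q == p:
        q = random_prime(rng, bits)
    return p * q


def weak_keygen(boot_seed, later_seed, bits=64):
    """boot_seed stands for the few bits of entropy a headless device has right
    after boot (so many devices share it); later_seed for entropy that arrives
    only after the first prime has already been chosen."""
    rng = random.Random(boot_seed)
    p = random_prime(rng, bits)
    rng.seed(later_seed)
    q = random_prime(rng, bits)
    while q == p:
        q = random_prime(rng, bits)
    return p * q


def batch_gcd(moduli):
    """gcd(n_i, product of all other n_j) for every i, via Bernstein's product
    tree and remainder tree. A result strictly between 1 and n_i is a factor;
    a result equal to n_i means both primes are shared (a duplicate key)."""
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([lvl[k] * lvl[k + 1] if k + 1 < len(lvl) else lvl[k]
                       for k in range(0, len(lvl), 2)])
    rems = levels[-1]                          # root: product of everything
    for lvl in reversed(levels[:-1]):
        rems = [rems[k // 2] % (x * x) for k, x in enumerate(lvl)]
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def factor_with_hint(n, g):
    """Split n given a non-trivial gcd result g."""
    assert 1 < g < n and n % g == 0
    return g, n // g


if __name__ == "__main__":
    # six devices; boot seeds collide (only 2 bits of boot entropy modelled)
    boot = [0, 1, 0, 2, 1, 3]
    keys = [weak_keygen(b, 1000 + i) for i, b in enumerate(boot)]
    for i, g in enumerate(batch_gcd(keys)):
        if 1 < g < keys[i]:
            print("device %d: n = %d * %d" % ((i,) + factor_with_hint(keys[i], g)))
    print("well-seeded keys:",
          batch_gcd([good_keygen(random.Random(s)) for s in range(4)]))
```

The point for the post above: no break of RSA is involved, and a key that shares a prime with any other key on the internet is factored by anyone who collects enough public keys, which is exactly the category of attacker the last line of the post has in mind.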
I'd wager that the fundamental flaw in HTTPS is that the government has the private keys direct from the CAs. The protocol is flawed in the key management (as most are).
This would be a MITM forgery, as most (clueful) people don't send private keys to the CA, but rather it's the CSR that is signed.
At least I've never done it in the ten years I've been in IT. I've always done an "openssl genrsa" when it's renewal time, and then "openssl req -key foo.key -out foo.csr". Then upload the CSR.
If you're a more protective organization then it's more likely you have an internal CA, which is the trust chain you'd verify against.
You missed the "if you accept that X is OK, then logically you must approve of killing kittens."
It's safe to assume that any commercial product has been compromised.
I can see (although I don't necessarily agree with) the argument that we have no expectation of privacy on metadata, but surely there is an expectation of privacy on encrypted data. Surely the fact that the user has encrypted his data (or knows that it will be) provides an expectation of privacy that would invoke a 4th amendment protection.
The real "Libtards" are the Libertarians!
I think it's telling that these organizations used code names for these programs that reference civil war battles. Really shows their motivation for doing these things.
Anyone that still has SELinux compiled into their kernels are idiots. I believe that the names of the industry collaborators will eventually come out, and the FOSS community will be shocked at the amount of cooperation given to NSA, et al.
Hey, CNET and you other tech rags, aren't you tired of the non-tech media encroaching on what was traditionally tech story territory? How 'bout putting some CTOs and other open source leaders on the spot with some hard questions about their possible involvement with government spooks? Do something other than just being a PR machine for new product announcements.
Using that number 22,000 assumes two things:
A) The NSA reports ALL privacy breaches using their internal procedures.
B) The NSA is aware of all privacy breaches using their systems.
We know for a fact the NSA hasn't been reporting information properly to the oversight committees in congress or the court system. Indeed they have gone to some lengths to avoid oversight and intentionally lie under oath. This misinformation has been carried out at the very highest leadership levels for years, which nearly always breeds a pervasive culture of the same across the organization. This certainly calls into question point A.
Apparently Snowden got around their internal security to the point that they don't even know what files he took. Out of tens of thousands of employees that specialize in computer security, is he the only one who knows how to skirt their security systems? That throws B into question.
The phrase is "you have another think coming".
I do. I do give a fuck about people who use nerve gas to kill civilians in large amounts. If you don't, you are a sociopath.
How did the NSAs ability to decrypt most of the encrypted communications of the world prevent Syria's chemical attack on its own people?
Or even help after the fact, for that matter?
How is helping Syria's people even part of the NSAs charter?
It looks like the NSA (aka the government) can see or hear or read any thing I send or receive on a network ( internet or voice). When I want to find out anything about the government all I ever get back is that "that information is classified". I wonder if there is a way I can classify my own transmissions?
No, it's not a false dichotomy. And I'm continually impressed by the inability of people to distinguish between bombing targets that happen to have civilians in them in order to primarily kill military people, and bombing targets that have civilians in them in order to primarily kill civilians. That's exactly why they used Sarin; it kills (or injures ) EVERYBODY in an area. It makes no distinction between civilians and combatants. Perhaps you should.
You can't underestimate the power of clusters the size of the NSAs, especially the dedicated/custom hardware components.
Most of the encryption standards supported by TrueCrypt would fall to the NSAs clusters in a matter of hours or days at most. Only the "hardest" of encryptions like AES256 or RSA2048 have any hope of keeping them out. And that presumes they don't just install a backdoor on your computer to steal your keys.
I do not fail; I succeed at finding out what does not work.
Now that we know the NSA can intercept and decrypt any message, doesn't it also mean that they can change the message to whatever they want, re-encrypt it, and pull it out in a court of law as evidence?
If they do, or even if they don't, I can now say they did, and they can't prove they didn't.
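Decrypting and altering are different capabilities, and the question above conflates them. With the key in hand, yes, anything can be changed and re-encrypted. But a message that is only encrypted, with no MAC or signature, can be altered without the key at all on any stream or counter-mode cipher, and the only thing that turns an altered ciphertext into something the recipient rejects is an authentication tag under a second key (or a signature under a key the forger does not hold). The example below is added here and is not the poster's; it uses a counter-mode keystream built from HMAC-SHA256 as a stand-in for AES-CTR (an assumption so it runs on the Python standard library; the bit-flipping behaviour is identical), with constructed keys, nonce and message.

```python
# Added example: altering an encrypted message without the key (bit flipping
# on a stream/CTR cipher) and the integrity check that stops it. The cipher is
# a counter-mode keystream from HMAC-SHA256, a stand-in for AES-CTR so only the
# standard library is needed; keys, nonce and message are constructed.
import hashlib
import hmac


def keystream(key, nonce, length):
    """CTR-style keystream: HMAC(key, nonce || counter) blocks, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ctr_crypt(key, nonce, data):
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def flip(ciphertext, offset, old, new):
    """No key needed: XOR the ciphertext with old^new where `old` is known to
    sit in the plaintext. Whoever decrypts then reads `new` at that position."""
    assert len(old) == len(new)
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext under a second key."""
    ct = ctr_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag (constant-time compare) before decrypting; reject changes."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: message was altered")
    return ctr_crypt(enc_key, nonce, ct)


if __name__ == "__main__":
    enc_key, mac_key, nonce = bytes(range(32)), bytes(range(32, 64)), bytes(16)
    msg = b"TRANSFER 0100 USD TO ACCOUNT 42"
    at = msg.index(b"0100")

    ct = ctr_crypt(enc_key, nonce, msg)                 # encryption only
    forged = flip(ct, at, b"0100", b"9100")            # attacker, no key
    print(ctr_crypt(enc_key, nonce, forged))           # reads 9100, not 0100

    blob = seal(enc_key, mac_key, nonce, msg)          # encrypt-then-MAC
    tampered = blob[:16] + flip(blob[16:-32], at, b"0100", b"9100") + blob[-32:]
    try:
        open_sealed(enc_key, mac_key, tampered)
    except ValueError as e:
        print(e)
```

For the court scenario in the post, the relevant protection is a signature made with the sender's own private key: a MAC key shared with the reader does not prove who wrote the message, only that it was not altered in transit by someone without that key.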
They censor the names of the algorithms for the NSA but mention one was adopted by NIST in 2006 and later by ISO. That would be AES ladies and gentlemen. The article strongly implies they can decode all SSL and AES in real time as it flies over the fiber... You aren't using AES anywhere are you ladies and gents?
Spy on foreign governments and foreign citizens. They need to stay the fuck away from Citizens of the United States of America. Spying on Americans is what other governments are for.
The NSA is operating far outside of its charter. Put them straight.
Why is it so hard to only have politicians for a few years, then have them go away?
Can we all please accept now that Obama - like his predecessor - is a traitor?
Actually, you will get neither if the NSA is able to read all encrypted communication. Simply put, if the government has the ability to penetrate all encrypted communications, there will be no privacy. If there is no privacy the government will eventually degenerate to a tyranny. Given a choice between a tyranny and dead Syrians, I choose the dead Syrians. I don't like the idea of people being killed by their government but I'd rather have the Syrian government killing Syrians than the American government killing Americans, something which will eventually happen if we lose our civil rights.
Don't doubt for a minute that there are forces in the government that are working toward that. They're mostly not evil people and most don't really understand the ramifications of what they are doing, but history does repeat itself and there is plenty of history that demonstrates what happens when a government can do whatever it wants. Orwell's "1984" is fiction, not history, but it is based upon history and basic psychology. If we want to retain our civil rights, we need to fight and struggle for them, both in the courts and in civil disobedience if necessary.
It's really quite a simple choice: Life, Death, or Los Angeles.
Richard Stallman warned us about this decades ago. It is incredible how people are still able to dismiss his warnings as more and more of his predictions come into reality.
in the 1980s, under R Reagan, the USofA supported one S Hussein in his war against Iraq, and in his use of chemical weapons.
So what the US govt won't do is pretty extreme
I'd like us to continue treating encryption as weapons and regulate its export accordingly. Unfortunately, it is not really possible: any enemy worth the designation would be able to get it anyway, because moving an algorithm is much easier than a gun. And, unlike guns, you only need to move an algorithm once.
I wish I had sufficient confidence in my own government to be able to sincerely pick charity... Unfortunately, I do not. If the President can already ask the IRS to hurt opposition's finances, what's to prevent him from asking the NSA to look into the opposition's e-mails? The sort of thing, that got Nixon to resign is barely an issue with today's Americans...
However, according to an earlier article about Snowden's interaction with journalist(s), PGP (with sufficiently large keys) is still unbreakable even to the NSA — at least, as far Snowden was aware:
So that's, what a particularly private person should be using for all of his communications...
In Soviet Washington the swamp drains you.
"...So do you want the NSA to break Syria's encryption about their chemical weapons attacks?"
Perhaps we shouldn't have provided the Syrians with the precursor chemicals to make weapons in the first place. It wouldn't surprise me in the slightest if we provided the Syrians with those precursor chemicals just to provide a seemingly legitimate reason to invade Syria later down the line.
CAPTCHA: misuses
I do. I do give a fuck about people who use nerve gas to kill civilians in large amounts. If you don't, you are a sociopath.
So true! It is like if you support Obamacare then you are a socialist or maybe a capitalist pig--it depends on the crowd. The important thing to realize here is that there can't be a nuance in the discussion. Either you side with Abe Lincoln and justice or you side with Hitler and tyranny. Pick a side.
Fucking false dilemma and you know it.
The feds can snoop OTHERS without snooping US.
And honestly, with all the hackers out there I'd rather they spend their time protecting us FROM hacks than making other people easier to crack.
Sure, it's an arms race and things will filter out eventually, but I think we can stay further ahead of the encryption arms race by investing in our own cybersecurity first, rather than trying to leave exploits we can use to snoop on everyone else.
I would rather let ten terrorists go free than invade the privacy of even one innocent citizen.
Unfortunately, Schneier doesn't go far enough. The problem isn't specifically that the US government has betrayed the Internet, the problem is that governments in general have acquired too much power over our lives. In the US, between Obamacare, e-Verify, gun registration, income tax, banking regulation (and the associated data disclosures), TSA, DHS, and other laws, the federal government would get detailed and personal information over every aspect of our lives even if there were no Internet at all.
We need a fundamental shift of government power back from the federal government to state and local governments, and we need to limit government power in general. But that requires sacrifices. Unfortunately, many of the same people who complain about the NSA are unwilling to actually make the necessary sacrifices; they erroneously think that there is some magic solution that keeps the government out of people's hair while still delivering a social welfare state.
We did not care about Iraq when they were 'stopping' Iran. Now we care about mercenaries moving into Syria?
Domestic spying is now "Benign Information Gathering"
Yes, it is. Citation: http://grammarist.com/usage/another-think-coming/
Why exactly is this so? Of course, it would be rather uncomfortable to have no privacy, but would it necessarily lead to tyranny? Why not the opposite, for example — if no one's dealings are private and all information (from banking transactions, to kissing, to bowel movements) about everyone is readily available to whoever cares, wouldn't it be harder to subdue the electoral process, for example?
Well we got that sound clip from Syria....... What is strange is the lack of detail from the UK and the GCHQ listening post in Cyprus.
They have the range and skill to pick up everything in the region.
How about weakening it enough that it is crackable. Like when Debian accidentally weakened all the keys generated by ssh, but done intentionally. Also I like the 'humint' reference, i.e. they are planting moles in these organizations for their own purposes ... great.
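The Debian incident mentioned above is worth seeing in code, because "weakened enough to be crackable" has a very concrete shape. The following is an added example, not from the thread and not Debian's or OpenSSL's code: a toy key generator whose only entropy is the process ID, which is the structure of the 2008 Debian OpenSSL defect (CVE-2008-0166). The "keys" are SHA-256 stand-ins rather than RSA or DSA, and the PID bound is an assumption matching the Linux default of the time; the enumeration and the blacklist are the point.

```python
"""
Added example, not from the thread: a toy model of a key generator whose
only entropy is the process ID, the shape of the 2008 Debian OpenSSL
defect (CVE-2008-0166). There the PRNG was seeded with little more than
the PID, so every key a given build could emit lay in a space of about
32768 candidates per key type, size and architecture.

Keys here are stand-ins (a SHA-256 derived secret and a one-way "public"
hash of it), not RSA or DSA; the brute-force and blacklist structure is
the point. PID_MAX is an assumption matching the Linux default of the era.
"""
import hashlib
import secrets
from typing import Optional, Set

PID_MAX = 32768  # assumed upper bound on the PID, the only entropy source


def weak_private_key(pid: int) -> bytes:
    """Broken generator: fully determined by the PID."""
    return hashlib.sha256(b"keygen|" + pid.to_bytes(4, "big")).digest()


def strong_private_key() -> bytes:
    """Correct generator: 256 bits from the OS CSPRNG."""
    return secrets.token_bytes(32)


def public_part(priv: bytes) -> bytes:
    """Stand-in for the public key: a one-way function of the private key."""
    return hashlib.sha256(b"pub|" + priv).digest()


def recover_pid(pub: bytes) -> Optional[int]:
    """Attacker: walk the whole PID space and match the observed public part.
    Returns the PID that reproduces pub, or None if pub came from a strong key."""
    for pid in range(1, PID_MAX):
        if public_part(weak_private_key(pid)) == pub:
            return pid
    return None


def build_blacklist() -> Set[bytes]:
    """Defender: precompute every public part the weak generator can emit.
    Debian shipped this idea as the openssh-blacklist package, keyed on real
    key fingerprints, so sshd could refuse known-weak keys."""
    return {public_part(weak_private_key(pid)) for pid in range(1, PID_MAX)}


def is_blacklisted(pub: bytes, blacklist: Set[bytes]) -> bool:
    """Check a presented public key against the precomputed weak set."""
    return pub in blacklist
```

Recovering a weak key costs a few tens of thousands of hashes, which is why the real incident was fixed by regenerating keys and rejecting the old ones rather than by anything clever.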
"Which social contract would you prefer government to break? the "Government shouldn't know private activities of foreign governments" or "Government shouldn't allow foreign governments to kill civilians"?"
Maybe before referencing the "social contract" you figure out what it actually describes. Preventing foreign governments from killing their own people is not in the US government's charter, regardless of their seeming flair for trying. I would additionally suggest that if the Syrian army is relaying troop movements through Gmail, they should probably fire them and get a new army.
As long as the NSA, or anyone else, can get into our and our correspondents' emails, they can get our keys and use them, themselves, the same way our friends do. They can find whose email to raid for our keys from the "macro-information", headers and such, that they claim is all they collect and so does not compromise our privacies.
Plenty of people like me cared. Just because you (or even most people you noticed) didn't care doesn't mean " we " didn't.
Now mostly at Usenet:comp.misc & SoylentNews.org (it's made of people!)
Because that world would never come to be. What we'd have is certain people being completely transparent and other, more privileged, people having privacy. All of the shady stuff that happens today would continue to happen in private, but everyone would also know about every BM you made.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Though I sympathize with the gist of your position, I must question this particular argument:
Why exactly is this so? Of course, it would be rather uncomfortable to have no privacy, but would it necessarily lead to tyranny? Why not the opposite, for example — if no one's dealings are private and all information (from banking transactions, to kissing, to bowel movements) about everyone is readily available to whoever cares, wouldn't it be harder to subdue the electoral process, for example?
You would make it much, much easier to "subdue the electoral process". If you're currently the party in power and facing re-election, you first kill everyone who donates money to the opposition--everybody stops giving them money, hampering their campaign. Then you kill anyone who's given any hint that they might vote for the opposition. You and your cohorts get re-elected. Rinse and repeat, and eventually nobody dares form an opposition party, much less support one. If anybody says or does anything that remotely sounds like rebellion, you kill them too. Your party stays in power indefinitely; the only things that might end your reign are a split in your party, or killing off so many people that there are not enough people left to work and your economy collapses.
I've never seen a bomb that doesn't kill EVERYBODY in an area. As I understand it, you in the US have invented a bomb which when exploding sends its parts to search for military people?
I'm not sure this is what the OP meant. His statement was simply "If there is no privacy the government will eventually degenerate to a tyranny."
Maybe he meant something like: "If only government-connected people retain privacy, the government will eventually degenerate to a tyranny," — but that's not what he wrote...
...so they don't get decrypted while resting on NSA controlled communication cables?
Yeah, 'accidental' civilian deaths, or deaths from 'necessary collateral damage' are so very noble and just.
In Serbia the US/NATO 'accidentally' bombed a farmers market, two hospitals, the Chinese embassy, civilian radio/TV stations, bridges on the wrong side of the country with civilians on them, etc. Also random factories that weren't military-related industry (eg. tobacco) - Interestingly the tobacco factory got bought by Philip Morris a couple years later...
Chemical weapons are abhorrent, absolutely. But unless use is widespread, picking winners and causing more death and destruction isn't ideal either.
Sent from my PDP-11
But how would you be able to do all of this, if everybody — including your would-be victims — can access your communications (such as the orders to kill) just as well?
Obama has already ordered the IRS to suppress the opposition, because the opposition's records weren't private, while Obama's and the IRS' still were. I'd argue that opening everybody's records and communications would help prevent tyranny just as much as keeping records properly private.
Those governments are spying on US citizens. What's easier: Spying on foreigners and learning what they've learned about US citizens or cutting out the middle men and spying on US citizens thus directly learning what the foreigners are trying to learn?
The executives in charge of any company with NSA backdoors should be executed. There is no legal requirement to install these backdoors. If the NSA guy shows up at your door shoot him in the head like you would any other fascist.
Problem solved.
> I'd like us to continue treating encryption as weapons and regulate its export accordingly.
Except that:
- encryption is not a weapon so treating it as such makes no sense.
- the rest of the world is able to invent encryption algorithms too. While creating good encryption requires very specialized knowledge and skill, these things are not exclusive to the US.
- strong encryption is a requirement for electronic commerce, when the rest of the world does not have access to encryption this hurts the US financially.
It doesn't matter which three letter agency is doing the spying does it. I'm pretty sure the DHS would be more than happy to directly commandeer NSA resources, for the same effect.
You can configure your HTTPS server to use forward secrecy. Forward secrecy uses one-time keys, generated between the website and the browser for the single session. Most modern browsers support it. But it generally requires compiling the latest version of OpenSSL and then compiling Apache 2.4.x against that, not using the Apache 2.2.x versions that are standard in most of the Linux distros. More detail also here.
If you set up your webserver this way, and your visitors use the right browsers, the NSA's having good copies of the site's certificates won't gain them much. At least that's what Ivan Ristić's saying. On TLS/SSL stuff, there may be no one better.
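What the setup in the comment above looks like in mod_ssl terms, as an added illustration rather than anything from the thread or from Ristić's own write-up: the first fragment is the kind of configuration that leaves plain RSA key exchange in play and lets the client pick, the second forces ephemeral (ECDHE/DHE) key exchange with the server choosing. The cipher list is one reasonable ordering, not the only one; ECDHE needs mod_ssl from Apache 2.4 built against OpenSSL 1.0.1 or later, which is why the comment talks about building from source.

```apache
# Weak: client-ordered negotiation, and nothing stops a plain RSA
# (key-transport) suite from being picked. A recording of such a session
# can be decrypted later by whoever obtains the server's private key.
SSLProtocol all -SSLv2
SSLHonorCipherOrder off
SSLCipherSuite HIGH:!aNULL:!MD5

# Forward secrecy: server-ordered negotiation, ephemeral key exchange
# first, no anonymous/null/MD5/RC4 suites.
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!MD5:!RC4
```

To check what a server actually negotiates, `openssl s_client -connect host:443 -cipher 'ECDHE:DHE'` should complete the handshake and report an ECDHE or DHE suite; if it fails, the server is still handing out RSA-only sessions.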
"with their freedom lost all virtue lose" - Milton
Where do your numbers come from? Who is making the judgment on whether the acts were legal or not? (i.e. Is following a very questionable interpretation of a law that is itself possibly unconstitutional still counted as legal?) Could the answer to both questions be the very agency whose conduct is being called into question?
And if the NSA's portrayal of themselves as ultimately noble and only breaking the law because of training failures and low-level misconduct here and there is accurate, how long can you say that that will remain true? I'm guessing you'd probably just ask the NSA on that one too.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
"Early in 2010, the internet leak site WikiLeaks made a public request for assistance in decrypting a video it described as "US bomb strikes on civilians", specifically requesting access to supercomputer time."
The video footage captured on the helicopter was encrypted almost certainly with AES. I do not know how many bits the key was but clearly this well known counter example shows you AES as was implemented by the US government was able to be brute forced.
"The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs."
So, the NSA creates exploits in everything they can influence. And they can influence almost everything. The NSA purchases exploits. Many times, they must be purchasing info on the exploits that they created. They preserve exploits. They mask everything in secrecy. And it all enhances the exploit marketplace.
If we could just get the NSA out of the exploit market, the whole thing would probably collapse like a real-estate broker's wet dream.
The other chilling revelation is the names of these programs:
"The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier."
The NSA has crappy internal discipline. Instead of using meaningless codewords for project names, their codewords frequently describe the project. PRISM described how the NSA collects info. These project names shout that the NSA is fomenting civil war. They are at war with the rest of the country.
If we survive as a nation of liberty, the NSA must serve us, not attack us.
Perhaps we shouldn't have provided the Syrians with the precursor chemicals to make weapons in the first place.
Your position is laughable. You have the precursor chemicals to make weapons under your kitchen sink. It's basically impossible to have any kind of modern industrial base without them.
People like you are why I can't buy fucking cold medicine anymore.
What part of "shall not be infringed" is so hard to understand?
And I suppose you think we should do something about it? Why are you such a bloodthirsty warmonger? Why do you support the huge military-industrial complex's war machine to violate the sovereignty of other nations and assert imperialism around the globe?
False Dichotomy, I love this game and I'd love to play another round with you!
We already have access to more information than we could possibly process. There's no way we could reliably learn about plots against us (with the keyword being reliably).
from wiki (ha, yeah the other wiki);
"Early in 2010, the internet leak site WikiLeaks made a public request for assistance in decrypting a video it described as "US bomb strikes on civilians", specifically requesting access to supercomputer time."
The video footage captured on the helicopter was encrypted almost certainly with AES. I do not know how many bits the key was but clearly this well known counter example shows that AES as was implemented by the US government was able to be brute forced.
this may have taken a significant amount of "supercomputer" time but it shows that "brute forcing" is possible. the level of custom hardware that the NSA has is unknown. sure, bumping up the key size and changing the algorithm can easily make this impossible, say pushing the requirements beyond the age of the universe for a idealised computer using every visible atom.
there is always the difference between theory and implementation too.
Except it's nothing even close to that. The voyeurs with badges are absolutely shitting themselves over the fact that someone had the nerve to expose their secrets. They sit in their tower, safe from any public scrutiny at all. They have so much privacy that you can't even tell others that you got a `warrant' served to force you to put in a backdoor apparently.
I just encrypt everything in Perl. It may be breakable, but it drives the analysts insane before they ever finish.
Table-ized A.I.
I'd like hard proof that it was the Syrian military, on direct orders from the Syrian government, that delivered the payload. No testimony from people that have something to gain, or any other circumstantial bullshit.
The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
As an example to compare against, I chose a major bank in my country (Australia's Commonwealth Bank), and looked around their website. There is a page called 'Security', and the first thing I spot on that page is the statement: "100% Security Guarantee: With NetBank, the safety of your money is 100% guaranteed."
Putting aside the fact that the SAFETY of something is not necessarily the same as the SECURITY of something, what does this news mean to a banking customer? Does the bank have the obligation, under the advertised "100% Security Guarantee" to find and implement methods that hinder NSA/GCHQ access?
And this doesn't affect just Commonwealth Bank (I just chose it as an example). One of the main points of putting money in a bank is that it's SECURE. If a government agency (from another country, even) has the ability to reach into my bank account and make my money disappear in a virtual puff of smoke, then how is the account any more secure than, for example, hiding cash under a mattress?
I, for one, welcome our new fourth reich overlords. But I'm sure they're the good ones this time. Right guys, right?
You do realize evil people use the internet too, right?
You do know evil people nest within the US and are very very hard to distinguish from "US citizens" when you aren't even allowed to look at metadata to figure out what you have.
Expanding on the above post, if the US is installing and/or exploiting bug related backdoors in commercial software it would take relatively few to reach 99+% coverage. If you can get the OS's you're set as you can hit 99% with less than a half dozen. Likewise with cellular providers, handset makers, virus scanners, printer (driver) manufacturers, cpu manufacturers, router manufacturers, email clients, web browsers, office suites, etc....
Take any category of software or hardware most of which are dominated by only a few major players and if you can get your foot in the door with any of them then you have control of the computer or device. I'm not sure that linux even has that much advantage as there are few if any people who compile everything from scratch and even if they do, how hard would it really be to get an undocumented bug inserted into one of several hundred programs that run on a typical computer. If they're willing to throw enough time, money, and power behind it, there is no way someone can avoid being eavesdropped on.
The more revelations we get about the extent of NSA spying, the less I believe its purpose is fighting terrorism as has always been claimed, or even ensuring the security of American citizens. This cannot be justified in a democracy, even in a state of war.
Because knowledge is power, and people with power use it.
Because the anointed Ruling Class will keep their privacy, and have an advantage... or they'll just apply the laws unequally (because what are you going to do about it, you little piss-ant plebe?)
There's also an Ayn Rand quote about turning everyone into criminals that applies, but I hesitate to mention it because of all the objectivist baggage that comes with bringing her up...
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
It's hardly a new issue and don't think for a moment that any form of encryption is safe and reasonably easy to use. Usually the spooks have both software and hardware alterations in place before they are released to the public. Also it is the very nature of communications that in a network or organization one or more members will be involved in crime or terror plots and foreigners as well. Interception of communications in foreign nations will capture much of what goes on inside the US as well.
What will really rock your socks off is that technology is getting very close to operational lie detection methods that are very reliable. Imagine court rooms in which all witnesses as well as cops, lawyers and judges are wired and can not lie. What a party time that will be.
You can't do much with the knowledge that a government wants you dead.
But a government can do a lot with the knowledge that you want it replaced.
Rethinking email
The phrase is "you have another think coming".
Judas Priest disagrees.
From TFA:
The secrecy of their capabilities against encryption is closely guarded, with analysts warned: "Do not ask about or speculate on sources or methods."
Speculate away. What are they going to do? Assassinate you? And how long do you think the public would put up with that nonsense? You TLA boys will get defunded and your toys taken away. Then NSA will truly mean "No Such Agency".
3000 deaths every dozen years? We can live with that. al Qaida isn't even as dangerous as Detroit.
Have gnu, will travel.
Be nice to America, or America will bring Democracy to your country!
Your whole post is fucking retarded:
1. Encryption isn't a weapon. Period. Comparing the two is fucking stupid.
2. The president didn't ask the IRS to hurt opposition's finances. You were lied to by Darrell Issa who had no evidence but a heavily modified report which when taken as whole actually painted the IRS as anti-liberal rather than anti-conservative. But please keep spouting your ignorance on the subject, you really deserve those moderation points!
So do you want the NSA to break Syria's encryption about their chemical weapons attacks?
Or do you prefer we not know that the Syrian government uses chemical weapons to kill civilian populations, affecting public policy?
NSA/CIA will be perfectly happy to tell you about Syria's chemical weapons attacks without having to rely on any actually decrypted communication. That's how we got to know about weapons of mass destruction in Iraq as well.
Sorry, Daily Caller is an "opposition" propaganda news source and therefore is hardly credible.
User-ID:
Ed Snowden
a.k.a.:
Ed Snowden
a.k.a.:
Edward Snowden
a.k.a.:
Edward Snowden
a.k.a.:
Edward Snowden
Validity:
from 2013-03-24 07:21 until forever
Certificate type:
4,096-bit RSA
Certificate usage:
Key-ID: 21B7141F
Fingerprint: 21B7141F"
So now we know what he uses
In the end, the only way to make sure no one is looking at your private conversation and data is to use end-to-end encryption in open source software on open source operating systems. Your data must be encrypted before it even reaches your hard drive or Internet stack, and you must know that there are no foreign programs running on your computer. You no longer have any guarantee of privacy on Windows and Mac OS X.
Signature intentionally left blank.
"Having the CA signing certificates doesn't give you the magic ability to decode a site's traffic;"
Yes it does. You man in the middle it. You send YOUR OWN PRIVATE KEY to the end user, with your fake authority telling his browser this is authentic. You then see everything.
"They never see the private server key(s). "
Partially true, Comodo for example, they 'generate' the private key in the browser during signup and a simple backdoor would be to send that to their servers. Another would be to only generate the private key on a limited number of parameters which can be brute forced.
If you own the cert, you own the encryption, you own the democracy. UK will never elect a leader who opposes NSA surveillance now, they leak against him. GCHQ's job is to protect us from that, and they're turncoats.
I don't care what discussions Syria has internally about chemical weapons. I do care when they actually USE them, though I doubt that cruise missiles are an effective or moral response. The fact Syria HAD such weapons seemed to be known already, we're only now getting into a tiff over it since they may have actually been used. But if you think you need to decrypt someone's communications to figure out if WMD has been used, you've got bigger problems, because Syria or the next Syria could end up using sneakernet for those communications, or a form of encryption you can't decrypt. This whole reliance on knowing everyone's electronic thoughtcrimes about WMD or whatever is simply laziness. There's this idea that you don't need spies on the ground who risk detection anymore and that it can all be done from an office chair in Langley, and frankly, that's dangerous thinking that puts us all at risk. Similarly, the idea that you don't need boots on the ground and can wage an effective pushbutton war. You can certainly kill a lot of people with a pushbutton, but that's not the same thing. However, it's easy to sell these ideas to get big budgets for cool equipment and the ability to violate privacy just like the Stasi and you don't even have to get out of your office chair to earn your paycheck. I'm sorry but it's a really lousy long-term solution for the rest of us.
"generated by between the website and the browser for the single session"
That won't fix the MITM problem. The browser in the MITM case is the NSA's browser software.
The fix is to avoid NSA controlled infrastructure, avoid transits across UK, US, NZ, AUS, CAN, better to keep your communications inside your own country.
Avoid US/UK based security software in particular. Norton 360 lockbox just screams "honeypot" to me.
Why are you lot the only people in the world entitled to privacy?
Spy on foreign governments and foreign citizens. They need to stay the fuck away from Citizens of the United States of America. Spying on Americans is what other governments are for.
The NSA isn't actually spying on US Citizens, they're just storing the data in easy-to-interpret databases so that other governments can do the spying for the NSA. Oh, and probably also providing those governments with the tools they need to better spy on US Citizens.
Skirting the law is easy with the right thinkers. New Zealand was doing a similar thing with the GCSB by sending their contractors off to work for other government agencies. The contractors, being employed by the other agencies and hidden from the GCSB by a really secure "please don't let us know if you use our computers while working for them" policy, weren't part of the GCSB, so didn't have to play by their rules (which basically said "no spying on NZ citizens", recently changed to "only spy on NZ citizens if the government-selected overseer decides there's good reason for it").
I also give a fuck about the Syrian civilians who've been gassed.
I also realise that bombing Syria won't bring them back to life.
It also occurs to me that the Assad régime's reaction to strikes against their country might well employ some "Now see what you made me do" logic to justify gassing some more.
Il n'y a pas de Planet B.
The following documents were published in 2006 by NIST that relate to IT security:
SP 800-96 PIV Card to Reader Interoperability Guidelines
SP 800-103 DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation
SP 800-92 Guide to Computer Security Log Management
SP 800-89 Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-88 Guidelines for Media Sanitization
SP 800-69 Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
SP 800-18 Rev.1 Guide for Developing Security Plans for Federal Information Systems
Religion is what happens when nature strikes and groupthink goes wrong.
No it's not. Citation http://www.youtube.com/watch?v=XWhInhE6emE ;)
The United States has never lost a war before the NSA was founded.
The United States has never won a war since the NSA was founded.
The same is true for the CIA. Close them down.
Right now, the "democratic" government is expressing heavy totalitarian tendencies.
You can allow it to happen, or you can support the project that is working to eventually free us and create real democracy using principles from FOSS.
Which sounds like the better course of action?
"So do you want the NSA to break Syria's encryption about their chemical weapons attacks?"
I want the NSA to tell us exactly when you stopped beating your wife.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
Google pushed all of its searches to SSL, thus encrypted, as a way to supposedly protect our searches from others' eyes.
But doesn't doing our searching over encryption also put us into the situation where the NSA will record it "to be decrypted later"?
Was Google one of the companies that shared keys or added a backdoor?
I would be surprised if the NSA did _NOT_ have all the (few dozen) private keys behind the Certs of Google, Yahoo, Hotmail, and their ilk. Trivially easy to get:
1) Find credible evidence of certifiable badguy using service;
2) Make application to FISA court for all keys & gag;
3) Read _all_ traffic on the service, now or later (if cycles short at that time).
The obvious problem is that ISP does not have keys for just target badguy, so have to hand everyone's keys over. The solution is to switch to per-user keys after auth, but that is more trouble.
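The "read all traffic, now or later" step above only works when the recorded sessions carried their session keys under the server's long-term key, which is also what the forward-secrecy comments earlier in the thread are getting at. The following is an added example, not from the thread and not any real TLS implementation: it models a server with a long-term RSA key, runs one RSA key-transport session and one ephemeral DH session, then plays the adversary who later obtains the private key and tries to rebuild each session key from the recording. All the cryptography is toy (textbook RSA over two small fixed primes, a hash-then-RSA signature, DH over the RFC 3526 2048-bit group as transcribed here); the contrast between the two `decrypt_recording` branches is the point.

```python
"""
Added example, not from the thread: why a server's long-term private key,
handed over later, decrypts a recording of past traffic only when the
session key was transported under that key, and why an ephemeral
Diffie-Hellman exchange (what "forward secrecy" means) does not have
that property.

Everything here is toy cryptography for illustration: textbook RSA over
two small fixed primes (no padding), a hash-then-RSA "signature", and DH
over the 2048-bit MODP group from RFC 3526 (transcribed below; check it
against the RFC before any other use). Do not reuse as a protocol.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Long-term server RSA key (toy). Only D is secret.
P, Q = 1_000_000_007, 998_244_353      # both prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # Python 3.8+ modular inverse

# RFC 3526 group 14 (2048-bit MODP), generator 2.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
DH_G = 2

Transcript = Dict[str, int]


def kdf(shared: int) -> bytes:
    """Session key = SHA-256 of the shared secret's big-endian bytes."""
    return hashlib.sha256(shared.to_bytes((shared.bit_length() + 7) // 8, "big")).digest()


def _h(x: int) -> int:
    """Hash an integer into Z_N for the toy signature."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(256, "big")).digest(), "big") % N


def sign(x: int) -> int:
    """Toy RSA signature with the long-term private exponent."""
    return pow(_h(x), D, N)


def verify(x: int, sig: int) -> bool:
    """Client-side check against the long-term public key."""
    return pow(sig, E, N) == _h(x)


def rsa_transport_session() -> Tuple[Transcript, bytes]:
    """RSA key exchange: client picks the premaster secret and sends it
    encrypted to the server's long-term public key. Returns what an
    eavesdropper records, and the session key both sides derive."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = {"kx": 0, "enc_premaster": pow(premaster, E, N)}   # kx 0 = RSA
    return wire, kdf(premaster)


def dhe_session() -> Tuple[Transcript, bytes]:
    """Ephemeral DH: each side picks a fresh exponent; the long-term RSA key
    only signs the server's g^b so the client knows who it is talking to.
    The exponents never go on the wire and are dropped after use."""
    a, b = secrets.randbits(256), secrets.randbits(256)
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"kx": 1, "A": A, "B": B, "sig": sign(B)}          # kx 1 = DHE
    assert verify(B, wire["sig"])                              # client checks identity
    key_client, key_server = kdf(pow(B, a, DH_P)), kdf(pow(A, b, DH_P))
    assert key_client == key_server
    del a, b
    return wire, key_client


def decrypt_recording(wire: Transcript, long_term_d: int) -> Optional[bytes]:
    """Adversary holding a full recording plus the server's private exponent,
    obtained after the fact. Returns the session key if it can be rebuilt."""
    if wire["kx"] == 0:
        return kdf(pow(wire["enc_premaster"], long_term_d, N))
    # DHE: the recording holds g^a, g^b and a signature. The private key only
    # lets you forge future signatures; turning g^a and g^b into g^ab without
    # a or b is the discrete logarithm problem. There is nothing to decrypt with.
    return None
```

The per-user-keys idea in the comment is a weaker version of the same fix: it shrinks what one seized key exposes, whereas ephemeral exchange leaves a seized key unable to open any recorded session at all, which is why a compelled key handover is the scenario forward secrecy was designed around.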
the NSA has done over a 100,000,000 million legal searches.
That means there is a court order for each of the searches. Assuming that every one of the 300 million inhabitants of the U.S. is a certified judge, that still means that every one of those judges is responsible for about 330000 court orders. Assuming that it takes about half an hour to evaluate and fill out such an order and that an average month has about 165 working hours, it means that the average U.S. citizen has spent about 1000 months or 80 years signing court orders for legal searches so far.
Of course assuming that all of those searches were legal.
Sounds legit to me.
First off, assume encryption is broken.
Second, if you're relying on a third party to encrypt for you, then assume that they read your stuff before they even encrypted it.
Third, if you're at all concerned about this stuff, then don't do anything on the internet that you don't want the entire world to know about.
None of this news story should be a surprise to anyone. Everyone should already have assumed that the NSA cracked it all, and everyone should already have assume that the handy third party web sites are busily sending all your data to the NSA or someone else.
This doesn't mean it's hopeless. It means don't be naive and trust third parties if you want security. Security does not coexist with convenience. Encrypt your sensitive data before you hand it off to someone else for transport (even then it may be broken, but it's vastly more secure than handing plain text to third party site and asking them to encrypt it on your behalf).
So because there are scary bad men out there the government should be able to do whatever the fuck it wants to be able to catch them? Even if that includes massively violating the privacy of every citizen (never know who's a scary bad man!!) in the country? Even if it includes building a massive database filled with who the fuck knows what that never, ever, gets erased? You know how they say the internet forgets nothing? This is even worse, since random fruit loops on the internet don't have access to your phone records, your banking records, your phone calls, your location and every niggling little detail of your entire life! If you think it's bad that /b/ can access something stupid you said on your blog and troll you even if you delete it, just wait until some scary bad men, I mean trusted public servants, get ahold of all that juicy personal information that those stalwart do-gooders of the NSA put together for them, they'll have a field day! Accidentally piss off some bureaucrat at the DMV? He'll just call his cousin at the Ministry of Love and they'll whip up some charges doubleplusquick then off to the Re-education centers (actually, that's too expensive, off to the work camps, more than likely).
If you really think it's just "metadata" you're deluded. All this stuff that's coming out used to sound like the fever dreams of the loony fringe, and god damn does it suck having to listen to them smugly say "We told you so."
Celebrity worship is a poor substitute for Deity worship and costs more to boot.
Steganography is what is interesting.
I prefer the "u" in honour as it seems to be missing these days.
and one time pads for me
Clearly all the years of talk of security and encryption has accomplished is to lull many of us into a false sense of security. (Much like meeting with the TSA at the airport.) That false sense has kept many of us from asking the hard questions and really thinking about the weaknesses of the whole setup... which, as we are seeing more and more clearly, is rotten to the stinking core.
Good. Thinking about it all is good, and so is talking about it.
"You must try to forget all you have learned. You must begin to dream." -- Sherwood Anderson
We have laws that protect us from being spied on by our own government. You are welcome to pass such laws in your own country or not.
All else aside, if you think the NSA breaks codes in order to prevent civilian casualties, or for "charity", you have another thing coming. They do it to provide intelligence to the US government to facilitate furthering its national interest, in whatever form that may take. And if you think civilian casualties or chemical weapons are the actual reason we are considering whether or not to attack Syria, you have yet another thing coming.
Well, yes. The NSA breaks codes to provide intelligence to the US government. We've known that for a long time. It's not a secret.
And I do think the chemical weapons are the issue -- not civilian casualties. The government hardly raised an eyebrow for two years while the Assad government murdered its citizens by the thousands with bullets, shells, grenades and fuel-air bombs and anything else they could think of. It's not like anything else changed. The chemical weapons are the only difference I see.
So which side are you taking in the Syrian conflict...Hezbollah's or Al Qaeda's?
It's like debating virtue among whores.
"Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
because the opposition's records weren't private, while Obama's and the IRS' still were. I'd argue that opening everybody's records and communications would help prevent tyranny just as much as keeping records properly private.
And now that you know about it, what have you done exactly? You've lifted a finger to complain on slashdot. I'm sure that will scare Obama into being a good boy again. Thanks Captain Freedom.
I interpreted the GP as meaning that, as it is the government eliminating privacy, there would be an implicit asymmetry in the access to such information. That is, the government, or more properly its agents, would have unprecedented access into the personal lives of, well, everybody. The statement "If there is no privacy the government will eventually degenerate to a tyranny" does not imply that absolutely all privacy is removed; rather, the privacy of ordinary citizens is removed and those who can pay or otherwise maintain control of their own privacy, i.e. by brute force, have a grossly unbalanced amount of power, and tyranny results from the malicious use of that power.
I mean really, if the NSA can break all encryption, what exactly leads to the conclusion that everyone can do it? Even in the event that some clever crackers find and exploit whatever backdoors the NSA had placed in some encryption method, most people would not have the resources or skills to intercept enough of other people's traffic to make any real use of that ability. We've been hearing about how the NSA basically stores all, or nearly all, internet traffic. Do you have a tap at AT&T as well?
That reminds me...I have a rock that wards off tigers. I'll sell it to you. You want proof that it works? Well, I don't see any tigers around, do you?
If you're currently the party in power and facing re-election, you first kill everyone who donates money to the opposition--everybody stops giving them money, hampering their campaign. Then you kill anyone who's given any hint that they might vote for the opposition.
You think too much, with all your blather about votes and elections.
All that is necessary is martial law, curfews, and public executions.
But really not even that is necessary. A new season of American Idol combined with gas lines and bread lines will get the job done.
lol ok not gonna argue with Judas Priest
How do we know that the session keys are chosen securely and not divulged with steganography somehow? I know that products have existed which did exactly that, revealing part of the encryption key in the encrypted data stream (and I know that because the vendor was fairly open about the practice).
If you're going to make such a massive claim, you need to back it up. Name the vendor/manufacturer and equipment, or I, and every other slashdot reader, will consider this bullshit.
A bit OT. But the first thing that struck me when I got to the NY Times story is a picture of the NSA headquarters that vaguely reminded me of Mecca, particularly the Kaaba, that black building at the center of the Islamic religion. Both buildings appear to rise up from their surroundings like the real-life equivalent of the black monolith in 2001: A Space Odyssey.
See for yourself and compare:
https://en.wikipedia.org/wiki/File:Mosqu%C3%A9e_Masjid_el_Haram_%C3%A0_la_Mecque.jpg
https://en.wikipedia.org/wiki/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg
You don't think we won the first Gulf war? Well, it probably depends both on your definition of "war" and "win". We haven't declared war since 1941.
If you think the original form of the phrase will make a come back, you have another thing coming.
You guys have a good think going!
Only dumb birds land downwind.
Dilbert may have a point
Need an ISP in South Africa?
Be gentle, man. You just broke it to him that he has a kitchen sink. You insensitive clot!
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
So it's okay if you're spied on by Australians, and Australians are spied on by the USA, and any intelligence is shared?
In Serbia the US/NATO 'accidentally' bombed a farmers market, two hospitals, the Chinese embassy, civilian radio/TV stations, [...]
Nitpick: TV stations were targeted deliberately, with the justification that, by disseminating (Serbian) gov't propaganda, they were aiding the military, ergo were a legitimate target. The problem with that line of reasoning is that it's possible to stretch it to absurd lengths and use it to bomb everything you can think of.
I read about this one a while back:
http://en.wikipedia.org/wiki/CBU-97_Sensor_Fuzed_Weapon
It's pretty amazing how it works. I didn't know anything nearly this advanced was around until I accidentally stumbled across its Wikipedia page.
Children, children, there is no need to get emotional or fight about this. Like all technology, the ability to break codes can be used for both good and bad.
The real worry is - when NSA can do it, then there will be other criminals who can as well. You may not like your government, but they are pretty sweet compared to Mexican drug cartels or the Mafia; and even they are notable for their humane touch compared to some of the major gangs in SE Asia.
Self-signed certs are good if you control both ends of the pipe, as for a corporate VPN. If you only control one end, as for a public web server, then a self-signed cert system doesn't confirm the identity of the other end, so you could be talking directly with Edward Snowden's second cousin twice removed at the FSB and would not know it.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
The famous joke is already at equilibrium and the site knows this!
BTW, thanks for the link
While you guys are cracking jokes on ROT13, a letter to NYT ( http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?_r=0 ) caught my attention
- - - B Missouri Reader
Missouri
On the one hand, "In the future, superpowers will be made or broken based on the strength of their cryptanalytic programs," but on the other hand the liberties of Americans are at risk by such programs.
In other words, we face a situation where the strongest, most secure nation can no longer be a nation that guarantees the rights of its citizens.
Privacy is not simply a convenience, but it is intimately linked to free speech and to the future prospects for democracy in America. Key elements of the Constitution provide a framework where incumbents can be challenged in free elections, ensuring that better ideas and better leaders will become available to guide the nation. But nobody can win an election against an incumbent with unlimited access to the communications of its rivals. We're not there yet, but the trend is in that direction.
It is high time that members of both parties in Congress get off of their high horses and address this growing threat to our democracy. Technical and legal hurdles must be cleared, and it may even be necessary to make significant changes in the way the internet works. But time passes very quickly in the technology world, and the clock has already been ticking for quite a long time."
Muchas Gracias, Señor Edward Snowden !
Thinking about the online services that I use for banking, credit card, utilities, insurance, etc. All commercial enterprises.
I have little choice in what I choose for a password. There is usually a set length of 8-15 chars and a requirement for a capital letter and some numbers.
Given what we know about entropy, this is insecure. But they won't let me choose my own password policy. Thanks to idiots using Password1234.
They may have additional pass phrases which by design are insecure: asking which my first school was, first car, etc.
Potentially found on Facebook etc. for many people, or easy to find out for a government entity that controls the databases for such things.
So, it's not just that the encryption is insecure, most commonly used systems can be compromised easily, without having the service reveal the passwords. The NSA etc just need access to a version of the site which doesn't give the user only 3 attempts to "guess" the password before locking them out.
I'm sure the service provider could be offered the opportunity to pony up such access.
But I wonder who has advised on the password policy, which seems awfully simple to compromise with minimal computing time and a backdoor, with no need to reveal what's in the hashes.
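To put numbers on the comment's entropy claim, here is an added example (not from the thread or any site it mentions) that counts the search space of an "8-15 characters, at least one capital and one digit" policy, compares it with what people actually choose and with a random passphrase, and contrasts the 3-attempts-then-lockout online rate with an offline guess rate against stolen hashes. The guess rates and the "word plus digits" habit model are assumptions chosen for illustration.

```python
import math

LOWER, UPPER, DIGIT = 26, 26, 10
SECONDS_PER_YEAR = 365.25 * 86400


def policy_keyspace(min_len=8, max_len=15):
    """Number of strings of length min_len..max_len over letters and digits
    that contain at least one uppercase letter and at least one digit,
    i.e. everything the described policy accepts (inclusion-exclusion)."""
    all_chars = LOWER + UPPER + DIGIT
    total = 0
    for n in range(min_len, max_len + 1):
        no_upper = (LOWER + DIGIT) ** n
        no_digit = (LOWER + UPPER) ** n
        neither = LOWER ** n
        total += all_chars ** n - no_upper - no_digit + neither
    return total


def bits(keyspace):
    """Search space expressed as bits of entropy (log2 of the count)."""
    return math.log2(keyspace)


def habit_bits(dictionary_words=50_000, max_digits=4):
    """Assumed model of what the policy actually produces: a capitalised
    dictionary word followed by 1..max_digits digits ("Password1234")."""
    suffixes = sum(10 ** k for k in range(1, max_digits + 1))
    return bits(dictionary_words * suffixes)


def passphrase_bits(words=6, dictionary=7776):
    """Random passphrase: each word is an independent uniform pick."""
    return words * bits(dictionary)


def expected_years_online(space_bits, attempts_per_window=3, window_seconds=900):
    """Expected time to hit the right guess when the service allows only
    attempts_per_window tries before a lockout of window_seconds."""
    rate = attempts_per_window / window_seconds
    return (2 ** space_bits / 2) / rate / SECONDS_PER_YEAR


def expected_years_offline(space_bits, guesses_per_second=1e10):
    """Same search against a copy of the hashes, with no lockout at all
    (guesses_per_second is an assumed figure for a fast hash)."""
    return (2 ** space_bits / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rows = [
        ("policy maximum (uniform random)", bits(policy_keyspace())),
        ("word+digits habit (assumed model)", habit_bits()),
        ("6-word random passphrase", passphrase_bits()),
    ]
    for label, b in rows:
        print(f"{label:36s} {b:6.1f} bits  "
              f"online: {expected_years_online(b):12.3g} y  "
              f"offline: {expected_years_offline(b):12.3g} y")
```

The point the numbers make is the one in the comment: the policy only helps while the lockout is in the way; once the hashes (or an unthrottled login path) are available, the typical word-plus-digits choice falls in minutes, while a random passphrase stays out of reach either way.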
Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about.
He recommends Silent Circle right after saying "the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about."
Silent Circle - a US and UK connected commercial company - proprietary closed source, and in a sneaky "no we are open, really trust us" sort of way. W T F!???
Let me reproduce this message posted to the comment section of the second link you posted.
I usually rate Bruce Schneier highly, except for his faux pas a few years ago when he initially endorsed showing passwords on screen, saying that shoulder surfing is not such a big deal.
But I am not sure about some of the security mobs he is advocating here.
GPG: OK, clever people can read the source code (though most average Joe programmers can't)
Silent Circle: It's USA based, and subject to the same backdoor 'requests' as any US-based company. It also employs ex-special forces 'security experts' - just the sort of people who might go and do wiretaps in foreign climes.
Tails: What I have just seen on their website, 'Numerous security holes in Tails 0.19 Posted Mon 05 Aug 2013 12:00:00 AM CEST'. Not exactly the best advert and hardly comforting if one wanted security.
OTR: Same as GPG as the source code is available.
Truecrypt: Well, the source code is available, so I would put it in the same basket as GPG. It has a choice of algorithms, including one (partly) designed by Schneier.
Bleachbit: Well that is client-side. Anything in the clear across the net (i.e. non encrypted traffic) can be read anywhere along the route.
But the big glaring thing is, at least in the UK, you can be sent to prison for refusing to hand over your encryption keys. And this has happened. People like to talk big, but the prospect of eating porridge with a lot of nasty looking and foul smelling prisoners, does not appeal to most people.
I would say that doing your own encryption, by this I mean using some of the open source tools and not closed source ones (and definitely not American ones) is a good thing.
Dear America, The world does not belong to you. You have a pretty big country to take care of, please mind your own business. We are sure Syrians will come to a solution by themselves, because you know, they are a sovereign country. Best regards, The rest of the World
I do. I do give a fuck about people who use nerve gas to kill civilians in large amounts. If you don't, you are a sociopath.
Why does "caring about the civilians" have to equate to "bombing Syria"? Bombing Syria is likely to shatter human lives, civilian, military, and political; leaders and followers. How many more civilians need to be killed to punish Assad for killing civilians? It is the leap of faith from compassion to violence that much of the world is unwilling to make. Right now, the US is running around telling everyone that, if we 'allow' Assad to use chemical weapons, we send the message that such use is ok. Every time the US takes more-or-less unilateral military action against a sovereign power, it sends the message that preemptive or punitive military action is OK, and never mind what the UN says.
The US wants to lead the world? Fine: do it by example. Show us a world of rational, adult politicians capable of building consensus support for carefully considered decisions. Show us a world that respects both sides of a dispute and finds the common ground among all parties. For now, US international policy seems to be stuck in the same uncompromising, do-as-I-say under progressively more violent sanctions, paradigm that characterizes playground bullies. The US is showing the world that bigger, better guns give a nation the right to impose its fickle will on other countries. It's showing the world that possession of a nuclear weapon makes you immune to serious military action.
I'd like us to continue treating encryption as weapons and regulate its export accordingly.
A man walks into a bank and hands the teller a note saying, "Hand over the money, I know ROT-13." Teller calmly says, "We have 3DES," and the would-be robber runs off in terror.
Your whole post is fucking retarded:
1. Encryption isn't a weapon. Period. Comparing the two is fucking stupid.
You do realize that up until around 1992 cryptography was considered a munition in the US, the export of which was heavily regulated.
se, there's a great illustration of the problem. Killing people in a foreign sovereign nation for behaving in a way that we don't like but which does not directly threaten us and does not violate any treaties (don't forget that Syria never signed a chem treaty) was never part of the social contract. Protecting the homeland is part of the contract; waging an unprovoked war is not. Enforcing treaties with other signatory nations is part of the contract; protecting an executive from embarrassment because he foolishly drew a line in the sand and doesn't know how to backpedal is not.
Stinky Barrack Obama
Speaking as a foreigner from a country that has been allied with the US for longer than any of us have been alive: Fuck you, and the NSA.
Really, all the things they have been complaining that China was doing, the NSA was also doing, and more. All that encryption cracking stuff, just waiting to be stolen by an enterprising hacker. Start sending your bills for identity theft to the NSA.
Encryption is no less a weapon than, for example, a bulletproof vest. And though you can buy those on eBay, you must vouch to be an American and promise not to export it...
Oh, but he did... Of course, he retained a perfectly plausible deniability, and there is not enough evidence for a "beyond reasonable doubt" conviction. But there is plentiful "preponderance of evidence" none-the-less...
In Soviet Washington the swamp drains you.
What does your naive ass think the NSA is for? It is for gaining intelligence on foreign countries. Other governments have similar operations.
Why is it so hard to only have politicians for a few years, then have them go away?
If you read the article carefully--I know, that's a stupid thing to say on /.--you'll see that the NSA often simply bypassed encryption entirely by grabbing the data either before it was encrypted or after it was decrypted. So the argument about which encryption is "better" is irrelevant. More importantly, anyone who believed that any of their communications COULD NOT through technical means end up in the hands of the government was/is naive.
Interesting! Thanks for the link. But because I am a child of the 80's, and because it rocks, I'm sticking with the Judas Priest interpretation.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
It is, and was even treated as such until 1992 — when the export bans were abolished because of being impractical.
Absolutely. But if the foreigners were unable to use our algorithms, there would've been no justification for the NSA to seek to undermine and break them. They would've been able to perform their mission — spying on foreigners — while unable to spy on Americans.
As you said, the rest of the world can invent their own methods — and the NSA would be allowed (nay, encouraged!) to covertly break into them. And the American firms would've had the advantage of being able to use American algorithms (even if only with American customers).
But all of this is moot, because it is simply impossible to keep an algorithm a secret for very long — all the while various implementations of it are in daily use by millions of people.
Yeah. Thing is, the overwhelming majority of Americans agree. But Obama drew a line in the sand last year, and now we have to kill people in order to save face, you know......
Why would anyone want fucking cold medicine?
Which is probably what actually scares the government. Civilians are generally outgunned by the military (and particularly the US military), however - while sarin etc are not quite as easy - there's a *lot* of stuff that can be made from common chemicals.
They're afraid that not presenting a show of force now will "encourage" further use of such chemicals in the future, which puts their own military at somewhat of a disadvantage. Big guns don't do much against nerve gas, and it's already been shown that basic (component-wise) roadside bombs etc are pretty hard to defend against too.
It's not ok, and anyone of even moderate intelligence would see that it is difficult to pass laws for other sovereign nations.
I, have to, wonder what's, with, all the inappropriate, commas, in your, posts? Did you get, a bunch cheap?
Totally agree. I'd expect the NSA to be the best at what they're supposed to do. Trouble is, they have no regulation or scrutiny. The rubber stamp FISA court is a joke. The NSA spends a lot of time lying, spying on, and gaming American citizens, when they should be devoting that time and energy to cracking codes from our enemies. Sheesh.
The NSA is the supreme code-cracker of all code-crackers. They basically invented the word encryption as it relates to modern times. If they can access it, I bet they can crack it, (since they wrote most of the algorithms used for encryption). They now read your emails, listen to your cell calls, and probably read your letters. And, they provide that information to the Administration in power. George Orwell was being a fortune teller, he was demonstrating what you get when you give a government that much power. We weren't there in 1984, so his timing was off, but we most certainly are there now. And it is all covered under the blanket of protecting the National Security, and Mr Snowden has tried to show us and the world just exactly what we are paying our government to do. Absolute Power Corrupts Absolutely! Benders
Organized crime, prisoners, and others have used the concept of "hide in plain sight" or "code speak" for communicating. It's similar to the idea of public key cryptography where you first share a "key" with someone, and only that someone, directly and in person. Then you change it up every now and then to keep interlopers guessing all the time.
If the NSA is looking for encrypted communications thinking they are highly suspicious, they might see open unencrypted communications as innocuous and overlook it.
For example, "golf club" might actually mean money and each golf club iron represents a number to make a total. "Apartment" might refer to a local pub somewhere. So you email/text your friend:
You: I need to borrow some golf clubs. Mine are broke.
Friend: Which clubs do you need?
You: I need a 9 iron and an 8 iron.
Friend: No problem. Stop by the apartment and I'll have them ready.
Now you just asked to borrow $98 dollars from your friend who is going to meet you at a predetermined place to give you the cash. This is a silly and simplified example, but it works. After a few uses, the next time you meet your friend in person you change it from golf clubs to shirt sizes or something, and you pick a different meeting location for the apartment.
Yup... why do we want to overthrow Assad and why are we backing Al Qaeda rebels (wait, aren't they our enemy?)?
I have two words for you: gas pipeline.
If you think we give a rats a** about the people of Syria, you need to have your head examined. There is nothing at all "humanitarian" about what we want there, if we could get away with slaughtering 3/4 of the country *including* all those "innocent women and children" to get that gas pipeline through the country, we'd do it in a second and to hell with who we killed. But that would tarnish our "image". The word "psychopath" pretty much sums up our government.
All weapons are chemical weapons; is not a caveman's club made out of lignin, cellulose, and varied other chemicals?
Problem is, as everyone likes to ignore, most of the middle east is BEGGING US to do something.
If the Wikileaks cables showed the world anything, it was that while countries in the Middle East 'denounce' America in public, they secretly beg us to fucking help take out their trash.
Funny how people ignore these things, but seem to be too fucking stupid to notice the edits in the whole collateral murder video.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Which means the US government is sociopathic. Face it, they don't give a damn about some Syrian women and children getting gassed, it makes zero difference to them. What they care about is:
Gas Pipeline.
For years they've wanted a gas pipeline through Syria, and the Syrians have refused (backed by the Russians because a gas pipeline to the coast would mean an alternate source of gas to Europe, which Gazprom has a virtual stranglehold on).
If they could get that pipeline and "all it meant" was gassing a few million Syrians, they'd do it in a second... but it would make them look bad, so it's easier to back the rebels (1/2 of them Al Qaeda, wait, aren't they our enemy?) so that we don't have to 'dirty our hands'. But that's taking too long, so now they might just help them out with a little bombing... and we'll "try" not to take out many civilians, for our 'image', but honestly we don't really care.
Or maybe I am? Read the piece and let me know what you think. The language does appear to be deliberately vague.
If the NSA has referred to encryption as "Digital Scrambling" I think we are just fine.
I've never seen a bomb that doesn't kill EVERYBODY in an area. As I understand you US have invented a bomb which when exploding sends its parts to search for military people?
Whaat? That would be pointless... They are all guilty of something! They shouldn't have done whatever it was they did.
Your party stays in power indefinitely; the only things that might end your reign are a split in your party, or killing off so many people that there aren't enough people left to work and your economy collapses.
In a resource-thin country, that'd be true. In a resource-rich country, the government and people left would raze the country's available natural resources if only in order to survive.
And then, after that, a stronger country, probably a neighboring one, will continue to prop up your government, because that country wants to keep yours stable.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
> It is, and was even treated as such until 1992 — when the export bans were abolished because of being impractical.
It isn't, and saying it is doesn't make it so. That someone at some point in the past decided to classify encryption as a munition doesn't prove anything, it just tells us that crazy people existed back then too.
> Absolutely. But if the foreigners were unable to use our algorithms, there would've been no justification for the NSA to seek to undermine and break them. They would've been able to perform their mission — spying on foreigners — while unable to spy on Americans.
They could simply ignore all packets that originate in the US and have a destination in the US, which would avoid most spying on your precious Americans. They don't give a fuck about your privacy or they would use such simple techniques to protect it.
Here is a rather lengthy article in the Russian magazine 'Hacker', published in 2011 (Google translation). The author describes his findings while working with Intel's MB manufactured in China:
The totality of the facts suggests an alarming rate and paranoid thoughts in the style spy detectives. These facts clearly talking about the following:
> Encryption is no less a weapon than, for example, a bulletproof vest.
Indeed, it is no less a weapon than any other object that isn't a weapon. It is also no more a weapon than any other object that isn't a weapon.
I suppose one could argue for export restrictions (even though that is never going to work) but arguing for encryption to be classified as a weapon doesn't make any sense.
there is no way to affirm or refute the assertion, by definition. So we're supposed to believe a statement which can't be proved or disproved and which is made by known liars. duh?
aren't these the same people who claimed they were firing 90% of their sysadmins?
bluff, bluff, bluff.
you've got no clothes on, fellas, and people are talking about you.
As a citizen of a foreign country, allow me to be the first to say: fuck you.
Also: I hope you enjoy having every byte of data and second of phone call monitored by the Chinese intelligence services, because you have rather surrendered the moral high-ground and with it any right to complain about your privacy being violated by malicious superpowers.
Say whatever you want. It is my government's job to secure my freedoms from foreign intervention. It is your government's job to do so for you. Your lack of understanding is really cute. Do you go to your boss every day and list out the things that happened yesterday that "Just were not Fair!"?
Having a CA public key changed is a real PITA because there is no easy way to update such key in Joe Public's web browser.
Of course in your Intranet you can do whatever you want to Joe Employee's computer, and I am sure proper OSes, where their code can be inspected for added security, can comply with this task.
IANAL but write like a drunk one.
If you don't want the NSA or a hacker to see your stuff, don't use a computer that is hooked up to the net. Don't post your stuff online, F, T, etc. Protect your med records by paying your own med bills and take your records with you. DON'T ask the government for anything! Most of all, get off your dead ass and elect good people to public office instead of who we got.