NSA Foils Much Internet Encryption
An anonymous reader writes "The New York Times is reporting that the NSA 'has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show. ... The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.'" You may prefer Pro Publica's non-paywalled version, instead, or The Guardian's.
For awesome powa
A feeling of having made the same mistake before: Deja Foobar
I wonder if their list includes SSH
I believe the "working with industries to install backdoors" part, but the cracking internet standards encryption? Nope. The report doesn't even say what they are supposed to have cracked, only some nebulous "widely used internet encryption". Do they have a ton of computation power? Yes. Do they have some magical break on AES that no one in academia knows about or can even fathom? No. Just some FUD.
From Bruce Schneier Here and here.
Also a nice call to arms here.
"I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better."
grammar-lesson free since 1999. (rescinded - 2005)
1. The NSA actively worked to gain control of standards processes and subvert them.
2. The NSA covertly employs people in telcos without the knowledge of the telcos.
The sound you hear is the sound of the last 20 years of work in academia and industry, on standards and code, on processes and procedures, quietly disintegrating.
The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions [...] .
Yet, the article does claim this:
"Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.
But they also quote Snowden that:
"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on," he said before warning that NSA can frequently find ways around it as a result of weak security on the computers at either end of the communication.
Maybe we still have some hope?
all the leaked evidence suggests otherwise.
The Kruger Dunning explains most post on
"Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”
So much for having your source open. It takes time to find bugs even in standards that guide the way software is written. How many people are out there who are qualified to find such issues in the code?
When writing finite bits to the disk sector, there is a finite probability that the resultant string of randomised bits MAY in fact generate something incriminating.
For example: (regardless of how unlikely this may seem), any string of random characters may well create a brand new wordfile on the computer by pure chance .. which contains legible words, which string together to form sentences which may in turn connect the previous owner of the hard disk with Al-Qaida, the Mafia, insider trading, un-patriotic activities, Linux 'development', or any manner of unsavory activities.
The larger the hard disk being randomly 'wiped' in this fashion, the greater the probability that some new and undesirable content would be created by chance.
I for one would NOT place my trust in such a tool, risking a lifetime of torment in Guantanamo Bay in exchange for the 'security' of having my hard disk cleaned prior to resale.
The solution? One should purchase a new copy of the Windows 8 for the said hard disk, and install this on the disk. This would effectively wipe clean the disk of any previous content. The disk could then be disposed of cleanly, with a note that the new owner must purchase another legal copy of the Windows 8 before installing the disk.
In this situation - everyone wins.
--
BMO
So I'm left with the impression that the NSA will add features in return for improved access.
SELinux comes to mind as a gift from the NSA to the Linux community. A gift with a hidden payload.
Hmm.... We can call it Trojan Linux. Ribbed for your pleasure. The ultimate in back door penetration.
the NSA has done over a 100,000,000 million legal searches.
From all the leaked records, 22,000 are questionable. Those 22,000 lie everywhere between needing a judicial interpretation, to blatant breach.
The leaks also show NSA's number one whistle blower to the courts is the NSA. They report them and correct them.
Not to excuse their blatantly illegal searches, but to think the whole system is some corrupt entity that's out to get everyone is simply wrong. /. claim.
No evidence supports that at all. We have a lot of hope because none of the evidence shows it to be nearly as bad as the media claims. And certainly nowhere near where the chicken littles on
The Kruger Dunning explains most post on
Code breaking.
That is sort of what their stated mission is.
Not that I believe the premise of the article.
Which encryption, and more importantly how long does it take?
(offtopic)
Shouldn't it be "NSA foils a lot of encryption" or "NSA foils most encryption" instead of "much encryption"?
It don't sound right to me.
/
"from the do-your-taxes-buy-civilization? dept"; are we referencing slashdot users sigs in the by-line now?
"Kill 'em all and let Root sort 'em out"
Does anyone really find this surprising? Wasn't it a few years back that the NSA told the banks that 128-bit encryption was perfectly safe, but mandated that the military switch to 256?
So now they've created a high value job because of the level of information access and made breaking the law classified on top of it!!! Next they will be hiring directly from minimum security detention facilities.
The picture on the guardian site mentions:
CA Service Requests (certificate authority)
Now the question is...what is hardware accelerated decryption, they would not need this if they had the keys....they must have a weakness in SSL in its current form, one they can quickly get that session's encryption, and if it cannot break in real time, then the encrypted data is saved for later.
surely there should be a ripe market niche for some smart geek to 3D print arduino-controlled quadcopters to facilitate key exchange. hmmmm... hold on, still a few bugs to be worked out...
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
The NSA can crack 4096-bit PGP keys? I doubt it. Seems like FUD to dissuade people from even attempting to use encryption
I never even changed away from that
From ProPublica:
In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.
Who else remembers the debacle about the government no longer purchasing Lenovo computers? I remember some people saying that if the U.S. government is making all this fuss about it, they're probably the ones doing it.
This seems to indicate those people are correct.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
Bah, that's easy.
With MY algorithm, you don't even need to transmit the message to me, I can just generate it locally.
Heck, that's faster than the speed of light, time to fire up the patentbot9000 again!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
They claimed it was "China". Now we know the truth.
My guess is for most of their easy-mode access, they are actually using a rootkit of some sort to simply pass along whatever they want before any encryption is applied.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
Here's what I found in the article.
N.S.A. documents show that the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages. If the necessary key is not in the collection, a request goes to the separate Key Recovery Service, which tries to obtain it.
How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored. To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal means. “Approval to release to non-Sigint agencies,” a GCHQ document says, “will depend on there being a proven non-Sigint method of acquiring keys.”
So various agencies hack companies' servers to obtain their private keys. Those keys get stored in some central NSA database and are used later to decrypt messages. That would indicate they didn't break all the encryption algorithms, but are getting around them via other means. Of course, it does sound like the NSA has backdoors in other protocols which let them get in. That part has been known for years, but hacking companies' servers sounds like something new. And probably illegal.
Over the past few years I have read about mind-boggling exploits in protocols WEP, WPS, and now IPMI. I have always thought it was either "idiot programmer who doesn't understand security 101" or "NSA". I think it's fairly obvious that a number of these things probably are their doing. Wonder if they are legally liable for the cost imposed on others to fix/repair/restore?
Glad I live in Canada, hold on, someone's knocking on my door...
I've got better things to do tonight than die.
The CAs' public keys come with your browser (or SSL client, it could be a web server or other piece of software). If you sign your own the problem becomes to distribute the keys.
Also it is trivial to stop the server with your private keys serving authentication requests. Governments will say terrorism, national security or one of those scary words and no judge will try to defend your rights, as shown in the UK they will even widen a narrow law to suit the needs of the security and/or intelligence bodies.
We are really fucked.
IANAL but write like a drunk one.
By any stretch of the definition it fits the pattern as an organization that has a harmful, if not outright destructive, impact on the stability of the country and its relationships to other countries.
But probably they already have more than enough dirt on any politician to keep them in line. It's kinda scary if you think about it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Between two individuals:
It seems to me that encryption based on a shared private password and then encrypted again with public/private key encryption gains you the best of both worlds.
How To Securely Store Data
Encrypt your whole fucking drive. Don't use Bitlocker or any hard drive manufacturer's built in shit that stores the key anywhere.
For instance: http://www.truecrypt.org/
How To Securely Transmit Data
Encrypt it your fucking self before you send it. Send the key separately, securely.
For instance:
Install 7zip
Right click the file you want to transmit
Click "Add to archive..."
Archive format: 7z
Compression level: Whatever you need / want (I almost always use Ultra)
Compression method: LZMA2
Enter a secure password
Encrypt file names if you want
Click OK
Then distribute the file however you want. Transmit the password to the recipient in person only.
I'm a bit off topic but... Just as information is shared with the DEA, it will probably also be shared with major media companies and the **AAs. They spend a lot of money in D.C. and "piracy" is on an equal footing according to them. The media companies say it is illegal to break their encryption or bypass DRM, explain to me again why it's OK to break mine? Seems like fair game when the authority engages in the same behavior they would punish you for (see Parenting 101).
"Kittens give Morbo gas!"
Back then it probably did. And I sure agree that for an update of WinXP in the year 2000 it is sufficient to use a method that was secure in the year 2000.
There are essentially two kinds of considerations when you wonder whether encryption is "good enough": How long does it take to crack it with current means and how long will it take to crack it by the time it becomes obsolete and replaced with a newer version. There is a good reason why RSA keys have an expiration date. Computers get faster and after a few years we notice that what we considered secure is no longer.
Now, there are rarely big leaps in security obsolescence. One of the few I can think of right now of the more recent past is back when we learned how GPUs are great at calculating primes and how we can use clusters thereof to do it. Usually, it is pretty predictable how it will develop, simply by predicting how hardware and clock speeds progress, which is pretty well predictable. We can fairly well predict how many years we'll still be "secure" (read: it takes too long to crack it to be sensible).
Of course, this applies mainly to information transfer that itself has an expiration date. The data that was transferred during the Windows update in 2000 is no longer secure, but it does not matter. It was never secret in the first place, and the encryption served mainly the purpose of ensuring that the source is genuine (more a signature than an encryption matter). That purpose it served back then, and that it doesn't serve that purpose anymore does not matter, since any transfer today would not be done with this kind of encryption (at least I'd CERTAINLY HOPE SO!).
Other information that had to be secret but still doesn't need encryption that stands the "test of time" is data where its secrecy has an expiration date. Discussions about a merger of companies X and Y have to be tightly secret before the merger, they're by no stretch secret anymore when the merger has happened, usually it's announced big time by the companies themselves. That secret does not matter anymore, despite being important back when it was encrypted.
There is other information, though, that suffers from the problem you mention, but it's not updates or anything like that: It's when data should UNDER NO CIRCUMSTANCES, EVER, be public. The transfer of such data is problematic, since its "expiration date" is quite far in the future. Data that has a negative impact on your person should not get out before you die, which can be a few decades away. Data that has a negative impact on your company probably should never get out, provided your company stands the test of time. How do you want to encrypt something for that purpose?
For transit, I'd suggest against it and instead ensure that the channel you choose is secure itself. Don't encrypt and send it via Internet, store it on a HD and transport that HD in an armored car. Any data you send today can be stored. No, they cannot decrypt it. Now. But they will, in a year, in 10 years, in 50. What channel you choose for transport of data, and what encryption, depends highly on the expiration date of the secret.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's like my 100% encryption, but at 100% loss kinda lossy, too...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's probably too late to do anything about our totalitarian police state through regular political means. Unfortunately, if it's going to be stopped, and rolled back, it's going to mean that some people are going to have some very bad days.
Let's hope that more courageous whistleblowers step forward. I have a feeling that citizens will get motivated to address this issue head-on much sooner than most people think. Yes, we like our creature comforts, but human beings can get pretty obstreperous when they learn they're being watched all the time, notwithstanding any possible good intentions by the snoops-in-charge.
You are welcome on my lawn.
The raw document provides some more details but remains not especially explicit.
"The fact that NSA/CSS has some capabilities against the encryption in TLS/SSL, HTTPS, SSH, VPNs, VoIP, WEBMAIL, and other network communication technologies".
Capabilities are defined here as NSA/CSS ability to exploit a specific technology. This may encompass acquiring and processing plaintext data and/or acquiring, decrypting and processing encrypted data.
I'm already stunned that there is a government agency that actually can get something accomplished besides lining the pockets of a few officials.
Why can we have such people in domestic spying but not in domestic economy?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So do you want the NSA to break Syria's encryption about their chemical weapons attacks?
Or do you prefer we not know that the Syrian government uses chemical weapons to kill civilian populations, affecting public policy?
Which social contract would you prefer government to break? the "Government shouldn't know private activities of foreign governments" or "Government shouldn't allow foreign governments to kill civilians"?
If your privacy is important, then you think that means your government shouldn't monitor foreign communications, correct? And that means you think it's ok for foreign governments to kill civilians as they please? And if you think foreign governments should be allowed to kill civilians, then I guess you don't donate to charity either? Why would you want to help other people, after all?
You can pick either charity or privacy, but you can't have both. Sorry. That's because bad guys have power, and you need more power to overcome those bad guys for the purposes of charity.
So charity or privacy? What's it going to be?
Won't somebody please think of the civilians!
All else aside, if you think the NSA breaks codes in order to prevent civilian casualties, or for "charity", you have another thing coming. They do it to provide intelligence to the US government to facilitate furthering its national interest, in whatever form that may take. And if you think civilian casualties or chemical weapons are the actual reason we are considering whether or not to attack Syria, you have yet another thing coming.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
Whatever. I've got a write only disk. Doesn't need encrypting.
"Government shouldn't allow foreign governments to kill civilians"?
Incidentally, that policy also applies to the Syrian government versus the US. Cos', you know, the US is a foreign government and airstrikes would surely also kill civilians.
Also, your entire post is a false dichotomy.
I don't think the NSA has to break actual keys brute-force, but with information leakage it has been shown that data can be sussed-out of an encrypted stream (particularly an interactive one). Given sufficient leakage of known quantities, keys can be broken in much less time.
As we've seen just recently, even something as innocuous as HTTP compression over a SSL link can result in serious information leakage by anyone monitoring the size of the payloads.
Encryption streams, in general, require additional random data to be inserted into the stream and for the salt to be continuously modified (i.e. feedback) to remain strong. If one does neither of those things then the information leakage increases to the point where the keys can be broken without spending years of cpu cycles.
-Matt
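The payload-size leak mentioned in the comment above can be checked with a short self-test. This is an added example, not part of the original thread; the response template, token value and per-record overhead constant are constructed assumptions, and the model assumes the cipher preserves plaintext length up to a constant.

```python
import zlib

# Constructed sample data (not from the thread): a page that carries a
# per-session secret and also echoes a request parameter back to the client.
SECRET = "csrf_token=9f2c7b41e8a05d36c1b7f4e209ad5c83"
TEMPLATE = (
    "<html><body><form><input type='hidden' value='{secret}'></form>"
    "<p>You searched for: {reflected}</p></body></html>"
)

# Two reflected strings of equal length: one equals the secret, one does not.
MATCHING_GUESS = SECRET
CONTROL_GUESS = "csrf_token=4d81e6a3b09c52f7d3a6e81b5c07f29e"

# Assumed constant framing cost per encrypted record (header, tag).
RECORD_OVERHEAD = 29


def render(reflected):
    """Build the response body for a given reflected request value."""
    return TEMPLATE.format(secret=SECRET, reflected=reflected).encode()


def wire_length(reflected, compress):
    """Size an on-path observer sees for this response.

    Encryption hides content but, in this model, not length: the observed
    size is the (optionally compressed) body plus a constant overhead.
    """
    payload = render(reflected)
    if compress:
        payload = zlib.compress(payload, 6)
    return len(payload) + RECORD_OVERHEAD


def length_gap(matching, control, compress):
    """Bytes by which the control response is longer than the matching one.

    A non-zero gap means response size depends on whether reflected input
    equals the secret, i.e. length acts as an oracle on secret content.
    """
    return wire_length(control, compress) - wire_length(matching, compress)


def has_length_oracle(compress):
    """Regression check: True if this configuration leaks via size."""
    return length_gap(MATCHING_GUESS, CONTROL_GUESS, compress) != 0


if __name__ == "__main__":
    for compress in (True, False):
        gap = length_gap(MATCHING_GUESS, CONTROL_GUESS, compress)
        print(f"compress={compress}: gap={gap} bytes, "
              f"oracle={has_length_oracle(compress)}")
```

With compression on, the matching value collapses into a back-reference and the response shrinks; with compression off for responses that mix secrets and reflected input, both responses have the same size.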
There are a surprisingly large number of public key generators with weak random number generators:
And those are the ones we know about.
For open source systems, the person or persons who inserted the weak code should be identified and kicked off the project. It may just be incompetence, but that's a good reason to keep them out of security-critical areas.
Weak keys don't just let the NSA in. They let the People's Liberation Army of China in, too.
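One observable symptom of key generators with weak random number generators, as raised in the comment above, is that independently generated RSA keys repeat or share a prime. The following audit of a key inventory is an added example, not part of the original thread; the host names are hypothetical and the moduli are toy values built from Mersenne primes.

```python
from math import gcd, prod

# Toy primes (Mersenne primes) standing in for RSA primes. Constructed
# sample data: real moduli are 2048+ bits and come from your own inventory.
M31, M61, M89, M107, M127 = (2**k - 1 for k in (31, 61, 89, 107, 127))

# Hypothetical inventory of public moduli collected from hosts you operate.
INVENTORY = {
    "host-a": M61 * M89,
    "host-b": M61 * M107,   # shares the prime M61 with host-a
    "host-c": M31 * M127,   # independent key
    "host-d": M61 * M89,    # identical key to host-a
}


def audit_moduli(inventory):
    """Classify each modulus by what it has in common with the others.

    For modulus n, g = gcd(n, product of all other moduli):
      g == 1      -> no prime in common with any other key ("ok")
      1 < g < n   -> one prime is reused elsewhere ("shared-prime")
      g == n      -> the whole key is reused, or both primes are reused
                     ("duplicate-or-fully-shared")
    Returns {name: (status, g)}.
    """
    total = prod(inventory.values())
    report = {}
    for name, n in inventory.items():
        others = total // n          # exact: n divides the total product
        g = gcd(n, others)
        if g == 1:
            status = "ok"
        elif g == n:
            status = "duplicate-or-fully-shared"
        else:
            status = "shared-prime"
        report[name] = (status, g)
    return report


def keys_to_rotate(inventory):
    """Names of keys that must be regenerated on a host with a sound RNG."""
    return sorted(
        name for name, (status, _) in audit_moduli(inventory).items()
        if status != "ok"
    )


if __name__ == "__main__":
    for name, (status, g) in audit_moduli(INVENTORY).items():
        print(f"{name}: {status}")
    print("rotate:", keys_to_rotate(INVENTORY))
```

Any key flagged here is compromised regardless of its bit length, because the common factor reveals its private primes to anyone holding both public keys.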
I can see (although I don't necessarily agree with) the argument that we have no expectation of privacy on metadata, but surely there is an expectation of privacy on encrypted data. Surely the fact that the user has encrypted his data (or knows that it will be) provides an expectation of privacy that would invoke a 4th amendment protection.
The real "Libtards" are the Libertarians!
Using that number 22,000 assumes two things:
A) The NSA reports ALL privacy breaches using their internal procedures.
B) The NSA is aware of all privacy breaches using their systems.
We know for a fact the NSA hasn't been reporting information properly to the oversight committees in congress or the court system. Indeed they have gone to some lengths to avoid oversight and intentionally lie under oath. This misinformation has been carried out at the very highest leadership levels for years, which nearly always breeds a pervasive culture of the same across the organization. This certainly calls into question point A.
Apparently Snowden got around their internal security to the point that they don't even know what files he took. Out of tens of thousands of employees that specialize in computer security, is he the only one who knows how to skirt their security systems? That throws B into question.
The phrase is "you have another think coming".
I do. I do give a fuck about people who use nerve gas to kill civilians in large amounts. If you don't, you are a sociopath.
How did the NSA's ability to decrypt most of the encrypted communications of the world prevent Syria's chemical attack on its own people?
Or even help after the fact, for that matter?
How is helping Syria's people even part of the NSA's charter?
You can't underestimate the power of clusters the size of the NSA's, especially the dedicated/custom hardware components.
Most of the encryption standards supported by TrueCrypt would fall to the NSA's clusters in a matter of hours or days at most. Only the "hardest" of encryptions like AES256 or RSA2048 have any hope of keeping them out. And that presumes they don't just install a backdoor on your computer to steal your keys.
I do not fail; I succeed at finding out what does not work.
Now that we know the NSA can intercept and decrypt any message, doesn't it also mean that they can change the message to whatever they want, re-encrypt it, and pull it out in a court of law as evidence?
If they do, or even if they don't, I can now say they did, and they can't prove they didn't.
They censor the names of the algorithms for the NSA but mention one was adopted by NIST in 2006 and later by ISO. That would be AES ladies and gentlemen. The article strongly implies they can decode all SSL and AES in real time as it flies over the fiber... You aren't using AES anywhere are you ladies and gents?
Spy on foreign governments and foreign citizens. They need to stay the fuck away from Citizens of the United States of America. Spying on Americans is what other governments are for.
The NSA is operating far outside of its charter. Put them straight.
Why is it so hard to only have politicians for a few years, then have them go away?
Actually, you will get neither if the NSA is able to read all encrypted communication. Simply put, if the government has the ability to penetrate all encrypted communications, there will be no privacy. If there is no privacy the government will eventually degenerate to a tyranny. Given a choice between a tyranny and dead Syrians, I choose the dead Syrians. I don't like the idea of people being killed by their government but I'd rather have the Syrian government killing Syrians than the American government killing Americans, something which will eventually happen if we lose our civil rights.
Don't doubt for a minute that there are forces in the government that are working toward that. They're mostly not evil people and most don't really understand what the ramifications of what they are doing, but history does repeat itself and there is plenty of history that demonstrates what happens when a government can do whatever it wants. Orwell's "1984" is fiction, not history, but it is based upon history and basic psychology. If we want to retain our civil rights, we need to fight and struggle for them, both in the courts and in civil disobedience if necessary.
It's really quite a simple choice: Life, Death, or Los Angeles.
Richard Stallman warned us about this decades ago. It is incredible how people are still able to dismiss his warnings as more and more of his predictions come into reality.
in the 1980s, under R Reagan, the USofA supported one S Hussein in his war against Iraq, and in his use of chemical weapons.
So what the US govt won't do is pretty extreme
I'd like us to continue treating encryption as weapons and regulate its export accordingly. Unfortunately, it is not really possible — any enemy worth the designation would be able to get it anyway, because moving an algorithm is much easier than a gun. And, unlike guns, you only need to move an algorithm once.
I wish I had sufficient confidence in my own government to be able to sincerely pick charity... Unfortunately, I do not. If the President can already ask the IRS to hurt opposition's finances, what's to prevent him from asking the NSA to look into the opposition's e-mails? The sort of thing, that got Nixon to resign is barely an issue with today's Americans...
However, according to an earlier article about Snowden's interaction with journalist(s), PGP (with sufficiently large keys) is still unbreakable even to the NSA — at least, as far as Snowden was aware:
So that's, what a particularly private person should be using for all of his communications...
In Soviet Washington the swamp drains you.
This has nothing to do with liberal or conservative and everything to do with the power of government.
From Bruce Schneier:
Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
I don't read your sig. Why are you reading mine?
Fucking false dilemma and you know it.
The feds can snoop OTHERS without snooping US.
And honestly, with all the hackers out there I'd rather they spend their time protecting us FROM hacks than making other people easier to crack.
Sure, it's an arms race and things will filter out eventually, but I think we can stay further ahead of the encryption arms race by investing in our own cybersecurity first, rather than trying to leave exploits we can use to snoop on everyone else.
I would rather let ten terrorists go free than invade the privacy of even one innocent citizen.
Unfortunately, Schneier doesn't go far enough. The problem isn't specifically that the US government has betrayed the Internet, the problem is that governments in general have acquired too much power over our lives. In the US, between Obamacare, e-Verify, gun registration, income tax, banking regulation (and the associated data disclosures), TSA, DHS, and other laws, the federal government would get detailed and personal information over every aspect of our lives even if there were no Internet at all.
We need a fundamental shift of government power back from the federal government to state and local governments, and we need to limit government power in general. But that requires sacrifices. Unfortunately, many of the same people who complain about the NSA are unwilling to actually make the necessary sacrifices; they erroneously think that there is some magic solution that keeps the government out of people's hair while still delivering a social welfare state.
We did not care about Iraq when they were 'stopping' Iran. Now we care about mercenaries moving into Syria?
Domestic spying is now "Benign Information Gathering"
Yes, it is. Citation: http://grammarist.com/usage/another-think-coming/
Why exactly is this so? Of course, it would be rather uncomfortable to have no privacy, but would it necessarily lead to tyranny? Why not the opposite, for example — if no one's dealings are private and all information (from banking transactions, to kissing, to bowel movements) about everyone is readily available to whoever cares, wouldn't it be harder to subdue the electoral process, for example?
In Soviet Washington the swamp drains you.
Well we got that sound clip from Syria....... What is strange is the lack of detail from the UK and the GCHQ listening post in Cyprus.
They have the range and skill to pick up everything in the region.
Domestic spying is now "Benign Information Gathering"
How about weakening it enough that it is crackable. Like when Debian accidentally weakened all the keys generated by ssh, but done intentionally. Also I like the 'humint' reference, i.e. they are planting moles in these organizations for their own purposes ... great.
Plenty of people like me cared. Just because you (or even most people you noticed) didn't care doesn't mean "we" didn't.
Now mostly at Usenet:comp.misc & SoylentNews.org (it's made of people!)
Very unlikely. Far more likely is a passive attack against one or several major SSL implementations.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Because that world would never come to be. What we'd have is certain people being completely transparent and other, more privileged, people having privacy. All of the shady stuff that happens today would continue to happen in private, but everyone would also know about every BM you made.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Though I sympathize with the gist of your position, I must question this particular argument:
Why exactly is this so? Of course, it would be rather uncomfortable to have no privacy, but would it necessarily lead to tyranny? Why not the opposite, for example — if no one's dealings are private and all information (from banking transactions, to kissing, to bowel movements) about everyone is readily available to whoever cares, wouldn't it be harder to subdue the electoral process, for example?
You would make it much, much easier to "subdue the electoral process". If you're currently the party in power and facing re-election, you first kill everyone who donates money to the opposition--everybody stops giving them money, hampering their campaign. Then you kill anyone who's given any hint that they might vote for the opposition. You and your cohorts get re-elected. Rinse and repeat, and eventually nobody dares form an opposition party, much less support one. If anybody says or does anything that remotely sounds like rebellion, you kill them too. Your party stays in power indefinitely, the only things that might end your reign are a split in your party, or killing off so many people that there are not enough people left to work and your economy collapses.
I've never seen a bomb that doesn't kill EVERYBODY in an area. As I understand you US have invented a bomb which when exploding sends its parts to search for military people?
I'm not sure this is what the OP meant. His statement was simply "If there is no privacy the government will eventually degenerate to a tyranny."
Maybe he meant something like: "If only government-connected people retain privacy, the government will eventually degenerate to a tyranny," — but that's not what he wrote...
In Soviet Washington the swamp drains you.
...so they don't get decrypted while resting on NSA controlled communication cables?
Yeah, 'accidental' civilian deaths, or deaths from 'necessary collateral damage' are so very noble and just.
In Serbia the US/NATO 'accidentally' bombed a farmers market, two hospitals, the Chinese embassy, civilian radio/TV stations, bridges on the wrong side of the country with civilians on them, etc. Also random factories that weren't military-related industry (eg. tobacco) - Interestingly the tobacco factory got bought by Philip Morris a couple years later...
Chemical weapons are abhorrent, absolutely. But unless use is widespread, picking winners and causing more death and destruction isn't ideal, either.
Sent from my PDP-11
But how would you be able to do all of this, if everybody — including your would-be victims — can access your communications (such as the orders to kill) just as well?
Obama has already ordered the IRS to suppress the opposition, because the opposition's records weren't private, while Obama's and the IRS' still were. I'd argue that opening everybody's records and communications would help prevent tyranny just as much as keeping records properly private.
In Soviet Washington the swamp drains you.
> I'd like us to continue treating encryption as weapons and regulate its export accordingly.
Except that:
- encryption is not a weapon so treating it as such makes no sense.
- the rest of the world is able to invent encryption algorithms too. While creating good encryption requires very specialized knowledge and skill, these things are not exclusive to the US.
- strong encryption is a requirement for electronic commerce, when the rest of the world does not have access to encryption this hurts the US financially.
You can configure your HTTPS server to use forward secrecy. Forward secrecy uses one-time keys, generated between the website and the browser for the single session. Most modern browsers support it. But it generally requires compiling the latest version of OpenSSL and then compiling Apache 2.4.x against that, not using the Apache 2.2.x versions that are standard in most of the Linux distros. More detail also here.
If you set up your webserver this way, and your visitors use the right browsers, the NSA's having good copies of the site's certificates won't gain them much. At least that's what Ivan Ristić's saying. On TLS/SSL stuff, there may be no one better.
"with their freedom lost all virtue lose" - Milton
Where do your numbers come from? Who is making the judgment on whether the acts were legal or not? (i.e. Is following a very questionable interpretation of a law that is itself possibly unconstitutional still counted as legal?) Could the answer to both questions be the very agency whose conduct is being called into question?
And if the NSA's portrayal of themselves as ultimately noble and only breaking the law because of training failures and low-level misconduct here and there is accurate, how long can you say that that will remain true? I'm guessing you'd probably just ask the NSA on that one too.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
The idea would go back to WW1 with a slight need for extra funding in the 1920-30's.
The only other low point would have been in the 1990's as in CIA tensions.
Foreign stations, staffing, meaningful political power vs just been on endless sub-committees.
Domestic spying is now "Benign Information Gathering"
"The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs."
So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace.
If we could just get the NSA out of the exploit market, the whole thing would probably collapse like a real-estate broker's wet dream.
The other chilling revelation is the names of these programs:
"The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill, is named after the first major engagement of the English civil war, more than 200 years earlier."
The NSA has crappy internal discipline. Instead of using meaningless codewords for project names, their codewords frequently describe the project. PRISM described how the NSA collects info. These project names shout that the NSA is fomenting civil war. They are at war with the rest of the country.
If we survive as a nation of liberty, the NSA must serve us, not attack us.
Perhaps we shouldn't have provided the Syrians with the precursor chemicals to make weapons in the first place.
Your position is laughable. You have the precursor chemicals to make weapons under your kitchen sink. It's basically impossible to have any kind of modern industrial base without them.
People like you are why I can't buy fucking cold medicine anymore.
What part of "shall not be infringed" is so hard to understand?
The NSA was built in the 1950s. No conservative politician since then has attempted to have its powers limited.
And I suppose you think we should do something about it? Why are you such a bloodthirsty warmonger? Why do you support the huge military-industrial complex's war machine to violate the sovereignty of other nations and assert imperialism around the globe?
False Dichotomy, I love this game and I'd love to play another round with you!
We do have such people in domestic economy, hence the wall street collapse. The total collapse of the reputation of the USA just takes longer to hit the ground is all.
Except it's nothing even close to that. The voyeurs with badges are absolutely shitting themselves over the fact that someone had the nerve to expose their secrets. They sit in their tower, safe from any public scrutiny at all. They have so much privacy that you can't even tell others that you got a `warrant' served to force you to put in a backdoor apparently.
Nobody knows how it was encrypted, maybe it was a zip file with a password that they broke? If they had decrypted an AES file with a random key, we would know about it.
I just encrypt everything in Perl. It may be breakable, but it drives the analysts insane before they ever finish.
Table-ized A.I.
The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
As an example to compare against, I chose a major bank in my country (Australia's Commonwealth Bank), and looked around their website. There is a page called 'Security', and the first thing I spot on that page is the statement: "100% Security Guarantee: With NetBank, the safety of your money is 100% guaranteed."
Putting aside the fact that the SAFETY of something is not necessarily the same as the SECURITY of something, what does this news mean to a banking customer? Does the bank have the obligation, under the advertised "100% Security Guarantee" to find and implement methods that hinder NSA/GCHQ access?
And this doesn't affect just Commonwealth Bank (I just chose it as an example). One of the main points of putting money in a bank is that it's SECURE. If a government agency (from another country, even) has the ability to reach into my bank account and make my money disappear in a virtual puff of smoke, then how is the account any more secure than, for example, hiding cash under a mattress?
The Guardian article refers to it as a "10 year program" which would put its inception in the Bush Jr. years. As for the EU is better argument, it looks like my own country's government was a prime mover in this. Way to go guys.
Expanding on the above post, if the US is installing and/or exploiting bug related backdoors in commercial software it would take relatively few to reach 99+% coverage. If you can get the OS's you're set as you can hit 99% with less than a half dozen. Likewise with cellular providers, handset makers, virus scanners, printer (driver) manufacturers, cpu manufacturers, router manufacturers, email clients, web browsers, office suites, etc.... Take any category of software or hardware most of which are dominated by only a few major players and if you can get your foot in the door with any of them then you have control of the computer or device. I'm not sure that linux even has that much advantage as there are few if any people who compile everything from scratch and even if they do, how hard would it really be to get an undocumented bug inserted into one of several hundred programs that run on a typical computer. If they're willing to throw enough time, money, and power behind it, there is no way someone can avoid being eavesdropped on.
The more revelations we get about the extent of NSA spying, the less I believe its purpose is fighting terrorism as it has always been claimed, or even ensuring the security of American citizens. This cannot be justified in a democracy, even in a state of war.
Because knowledge is power, and people with power use it.
Because the anointed Ruling Class will keep their privacy, and have an advantage... or they'll just apply the laws unequally (because what are you going to do about it, you little piss-ant plebe?)
There's also an Ayn Rand quote about turning everyone into criminals that applies, but I hesitate to mention it because of all the objectivist baggage that comes with bringing her up...
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
It's hardly a new issue and don't think for a moment that any form of encryption is safe and reasonably easy to use. Usually the spooks have both software and hardware alterations in place before they are released to the public. Also it is the very nature of communications that in a network or organization one or more members will be involved in crime or terror plots and foreigners as well. Interception of communications in foreign nations will capture much of what goes on inside the US as well.
What will really rock your socks off is that technology is getting very close to operation lie detection methods that are very reliable. Imagine court rooms in which all witnesses as well as cops, lawyers and judges are wired and can not lie. What a party time that will be.
You can't do much with the knowledge that a government wants you dead.
But a government can do a lot with the knowledge that you want it replaced.
Rethinking email
The phrase is "you have another think coming".
Judas Priest disagrees.
From TFA:
The secrecy of their capabilities against encryption is closely guarded, with analysts warned: "Do not ask about or speculate on sources or methods."
Speculate away. What are they going to do? Assassinate you? And how long do you think the public would put up with that nonsense? You TLA boys will get defunded and your toys taken away. Then NSA will truly mean "No Such Agency".
3000 deaths every dozen years? We can live with that. al Qaida isn't even as dangerous as Detroit.
Have gnu, will travel.
Your whole post is fucking retarded:
1. Encryption isn't a weapon. Period. Comparing the two is fucking stupid.
2. The president didn't ask the IRS to hurt opposition's finances. You were lied to by Darrell Issa who had no evidence but a heavily modified report which when taken as whole actually painted the IRS as anti-liberal rather than anti-conservative. But please keep spouting your ignorance on the subject, you really deserve those moderation points!
Sorry Daily Caller is an "opposition" propaganda news source and therefore is hardly credible.
User-ID: Ed Snowden
a.k.a.: Ed Snowden
a.k.a.: Edward Snowden
a.k.a.: Edward Snowden
a.k.a.: Edward Snowden
Validity: from 2013-03-24 07:21 until forever
Certificate type: 4,096-bit RSA
Certificate usage:
Key-ID: 21B7141F
Fingerprint: 21B7141F
So now we know what he uses
In the end, the only way to make sure no one is looking at your private conversation and data is to use end-to-end encryption in open source software on open source operating systems. Your data must be encrypted before it even reaches your hard drive or Internet stack, and you must know that there are no foreign programs running on your computer. You no longer have any guarantee of privacy on Windows and Mac OS X.
Signature intentionally left blank.
I don't care what discussions Syria has internally about chemical weapons. I do care when they actually USE them, though I doubt that cruise missiles are an effective or moral response. The fact Syria HAD such weapons seemed to be known already, we're only now getting into a tiff over it since they may have actually been used. But If you think you need to decrypt someone's communications to figure that out if WMD has been used, you've got bigger problems, because Syria or the next Syria could end up using sneakernet for that communications, or a form of encryption you can't decrypt. This whole reliance on knowing everyone's electronic thoughtcrimes about WMD or whatever is simply laziness. There's this idea that you don't need spies on the ground who risk detection anymore and that it can all be done from an office chair in Langley, and frankly, that's dangerous thinking that puts us all at risk. Similar the idea that you don't need boots on the ground and can wage an effective pushbutton war. You can certainly kill a lot of people with a pushbutton, but that's not the same thing. However, it's easy to sell these ideas to get big budgets for cool equipment and the ability to violate privacy just like the Stasi and you don't even have to get out if your office chair to earn your paycheck. I'm sorry but it's a really lousy long-term solution for the rest of us.
Why are you lot the only people in the world entitled to privacy?
Spy on foreign governments and foreign citizens. They need to stay the fuck away from Citizens of the United States of America. Spying on Americans is what other governments are for.
The NSA isn't actually spying on US Citizens, they're just storing the data in easy-to-interpret databases so that other governments can do the spying for the NSA. Oh, and probably also providing those governments with the tools they need to better spy on US Citizens.
Skirting the law is easy with the right thinkers. New Zealand was doing a similar thing with the GCSB by sending their contractors off to work for other government agencies. The contractors, being employed by the other agencies and hidden from the GCSB by a really secure "please don't let us know if you use our computers while working for them" policy, weren't part of the GCSB, so didn't have to play by their rules (which basically said "no spying on NZ citizens", recently changed to "only spy on NZ citizens if the government-selected overseer decides there's good reason for it").
I also give a fuck about the Syrian civilians who've been gassed.
I also realise that bombing Syrian won't bring them back to life.
It also occurs to me that the Assad régime's reaction to strikes against their country might well employ some "Now see what you made me do" logic to justify gassing some more.
Il n'y a pas de Planet B.
The following documents were published in 2006 by NIST that relate to IT security:
SP 800-96 PIV Card to Reader Interoperability Guidelines
SP 800-103 DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation
SP 800-92 Guide to Computer Security Log Management
SP 800-89 Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-88 Guidelines for Media Sanitization
SP 800-69 Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
SP 800-18 Rev.1 Guide for Developing Security Plans for Federal Information Systems
Religion is what happens when nature strikes and groupthink goes wrong.
"So do you want the NSA to break Syria's encryption about their chemical weapons attacks?"
I want the NSA to tell us exactly when you stopped beating your wife.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
Google pushed all of its searches to SSL, thus encrypted, as a way to supposedly protect our searches from others' eyes.
But doesn't doing our searching over encryption also put us into the situation where the NSA will record it "to be decrypted later"?
Was Google one of the companies that shared keys or added a backdoor?
I would be surprised if the NSA did _NOT_ have all (few dozen) the private keys behind the Certs of Google, Yahoo, Hotmail, and their ilk. Trivially easy to get:
1) Find credible evidence of certifiable badguy using service;
2) Make application to FISA court for all keys & gag;
3) Read _all_ traffic on the service, now or later (if cycles short at that time).
The obvious problem is that ISP does not have keys for just target badguy, so have to hand everyone's keys over. The solution is to switch to per-user keys after auth, but that is more trouble.
the NSA has done over a 100,000,000 million legal searches.
That means there is a court order for each of the searches. Assuming that each of the 300 million inhabitants of the U.S. is a certified judge, that still means that each of those judges is responsible for about 330000 court orders. Assuming that it takes about half an hour to evaluate and fill such an order and that an average month has about 165 working hours, it means that the average U.S. citizen has spent about 1000 months or 80 years of signing court orders for legal searches so far.
Of course assuming that all of those searches were legal.
Sounds legit to me.
First off, assume encryption is broken.
Second, if you're relying on a third party to encrypt for you, then assume that they read your stuff before they even encrypted it.
Third, if you're at all concerned about this stuff, then don't do anything on the internet that you don't want the entire world to know about.
None of this news story should be a surprise to anyone. Everyone should already have assumed that the NSA cracked it all, and everyone should already have assumed that the handy third party web sites are busily sending all your data to the NSA or someone else.
This doesn't mean it's hopeless. It means don't be naive and trust third parties if you want security. Security does not coexist with convenience. Encrypt your sensitive data before you hand it off to someone else for transport (even then it may be broken, but it's vastly more secure than handing plain text to third party site and asking them to encrypt it on your behalf).
So because there are scary bad men out there the government should be able to do whatever the fuck it wants to be able to catch them? Even if that includes massively violating the privacy of every citizen (never know who's a scary bad man!!) in the country? Even if it includes building a massive database filled with who the fuck knows what that never, ever, gets erased? You know how they say the internet forgets nothing? This is even worse, since random fruit loops on the internet don't have access to your phone records, your banking records, your phone calls, your location and every niggling little detail of your entire life! If you think it's bad that /b/ can access something stupid you said on your blog and troll you even if you delete it, just wait until some scary bad men, I mean trusted public servants, get ahold of all that juicy personal information that those stalwart do-gooders of the NSA put together for them, they'll have a field day! Accidentally piss off some bureaucrat at the DMV? He'll just call his cousin at the Ministry of Love and they'll whip up some charges doubleplusquick then off to the Re-education centers (actually, that's too expensive, off to the work camps, more than likely).
If you really think it's just "metadata" you're deluded. All this stuff that's coming out used to sound like the fever dreams of the loony fringe, and god damn does it suck having to listen to them smugly say "We told you so."
Celebrity worship is a poor substitute for Deity worship and costs more to boot.
Stenography is what is interesting.
I prefer the "u" in honour as it seems to be missing these days.
and one time pads for me
Clearly all the years of talk of security and encryption has accomplished is to lull many of us into a false sense of security. (Much like meeting with the TSA at the airport.) That false sense has kept many of us from asking the hard questions and really thinking about the weaknesses of the whole setup... which, as we are seeing more and more clearly, is rotten to the stinking core.
Good. Thinking about it all is good, and so is talking about it.
"You must try to forget all you have learned. You must begin to dream." -- Sherwood Anderson
All else aside, if you think the NSA breaks codes in order to prevent civilian casualties, or for "charity", you have another thing coming. They do it to provide intelligence to the US government to facilitate furthering its national interest, in whatever form that may take. And if you think civilian casualties or chemical weapons are the actual reason we are considering whether or not to attack Syria, you have yet another thing coming.
Well, yes. The NSA breaks codes to provide intelligence to the US government. We've known that for a long time. It's not a secret.
And I do think the chemical weapons are the issue -- not civilian casualties. The government hardly raised an eyebrow for two years while the Assad government murdered its citizens by the thousands with bullets, shells, grenades and fuel-air bombs and anything else they could think of. It's not like anything else changed. The chemical weapons are the only difference I see.
So which side are you taking in the Syrian conflict...Hezbollah's or Al Qaeda's?
It's like debating virtue among whores.
"Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
because the opposition's records weren't private, while Obama's and the IRS' still were. I'd argue, that opening everybody's records and communications would help prevent tyranny just as much as keeping records properly private.
And now that you know about it, what have you done exactly? You've lifted a finger to complain on slashdot. I'm sure that will scare Obama into being a good boy again. Thanks Captain Freedom.
I interpreted the GP as meaning that as it is the government eliminating privacy there would be an implicit asymmetry in the access of such information. That is, the government, or more properly its agents, would have unprecedented access into the personal lives of, well, everybody. The statement "If there is no privacy the government will eventually degenerate to a tyranny" does not imply that absolutely all privacy is removed, rather, the privacy of ordinary citizens is removed and those who can pay or otherwise maintain control of their own privacy, i.e. by brute force, have a grossly unbalanced amount of power and tyranny results from the malicious use of that power.
I mean really, if the NSA can break all encryption what exactly leads to the conclusion that everyone can do it? Even in the event that some clever crackers find and exploit whatever backdoors the NSA had placed in some encryption method most people would not have the resources or skills to intercept enough of other people's traffic to make any real use of that ability. We've been hearing about how the NSA basically stores all, or nearly all, internet traffic. Do you have a tap at AT&T as well?
Celebrity worship is a poor substitute for Deity worship and costs more to boot.
That reminds me...I have a rock that wards off tigers. I'll sell it to you. You want proof that it works? Well, I don't see any tigers around, do you?
"Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
lol ok not gonna argue with Judas Priest
how do we know that the session keys are chosen securely and not divulged with steganography somehow? I know that products have existed which did exactly that, revealing part of the encryption key in the encrypted data stream (and I know that because the vendor was fairly open about the practice).
If you're going to make such a massive claim, you need to back it up. Name the vendor/manufacturer and equipment, or I, and every other slashdot reader, will consider this bullshit.
Please help metamoderate.
A bit OT. But the first thing that struck me when I got to the NY Times story is a picture of the NSA headquarters that vaguely reminded me of Mecca, particularly the Kaaba, that black building at the center of the Islamic religion. Both buildings appear to rise up from their surrounds like the real life equivalent of the black monolith in 2001: A Space Odyssey.
See for yourself and compare:
https://en.wikipedia.org/wiki/File:Mosqu%C3%A9e_Masjid_el_Haram_%C3%A0_la_Mecque.jpg
https://en.wikipedia.org/wiki/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg
You don't think we won the first Gulf war? Well, it probably depends both on your definition of "war" and "win". We haven't declared war since 1941.
You guys have a good think going!
Only dumb birds land downwind.
Dilbert may have a point
Need an ISP in South Africa?
Be gentle man. You just broke to him that he has a kitchen sink. You insensitive clot!
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
So it's okay if you're spied on by Australians, and Australians are spied on by the USA, and any intelligence is shared?
I read about this one a while back:
http://en.wikipedia.org/wiki/CBU-97_Sensor_Fuzed_Weapon
It's pretty amazing how it works, I didn't know anything nearly this advanced was around until I accidentally stumbled across its wikipedia page.
Children children, there is no need to get emotional or fight about this. Like all technology, the ability to break codes can be used for both good and bad.
The real worry is - when NSA can do it, then there will be other criminals who can as well. You may not like your government, but they are pretty sweet compared to Mexican drug cartels or the Mafia; and even they are notable for their humane touch compared to some of the major gangs in SE Asia.
The reputation of the US has already reached rock bottom. The reason it still has "friends" is the same why the school bully still has "friends". They don't really like him, but by pretending they do they not only don't get beaten up by him, they might even enjoy some of the spoils when he beats up the geeks for their lunch money.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Self Signed Certs are good, if you control both ends of the pipe, as for a corporate VPN. If you only control one end, as for a public web server, then a self signed cert system doesn't confirm the identity of the other end, so you could be talking directly with Edward Snowden's second cousin twice removed at the FSB and would not know it.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
The famous joke is already at equilibrium and the site knows this!
BTW, thanks for the link
While you guys are cracking jokes on ROT13, a letter to NYT ( http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?_r=0 ) caught my attention
- - - B Missouri Reader
Missouri
On the one hand, "In the future, superpowers will be made or broken based on the strength of their cryptanalytic programs," but on the other hand the liberties of Americans are at risk by such programs.
In other words, we face a situation where the strongest, most secure nation can no longer be a nation that guarantees the rights of its citizens.
Privacy is not simply a convenience, but it is intimately linked to free speech and to the future prospects for democracy in America. Key elements of the Constitution provide a framework where incumbents can be challenged in free elections, ensuring that better ideas and better leaders will become available to guide the nation. But nobody can win an election against an incumbent with unlimited access to the communications of its rivals. We're not there yet, but the trend is in that direction.
It is high time that members of both parties in Congress get off of their high horses and address this growing threat to our democracy. Technical and legal hurdles must be cleared, and it may even be necessary to make significant changes in the way the internet works. But time passes very quickly in the technology world, and the clock has already been ticking for quite a long time."
Muchas Gracias, Señor Edward Snowden !
Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about.
He recommends Silent Circle right after saying "the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about."
Silent circle - a US and UK connected commercial company - proprietary closed source, and in a sneaky "no we are open, really trust us" sort of way. W T F!???
let me reproduce this message posted to the comment section of the second link you posted.
I usually rate Bruce Schneier highly, except for his faux pas a few years ago when he initially endorsed showing passwords on screen, saying that shoulder surfing is not such a big deal.
But I am not sure about some of the security mobs he is advocating here.
GPG: OK, clever people can read the source code (though most average Joe programmers can't)
Silent Circle: It's USA based, and subject to the same backdoor 'requests' as any US-based company. It also employs ex-special forces 'security experts' - just the sort of people who might go and do wiretaps in foreign climes.
Tails: What I have just seen on their website, 'Numerous security holes in Tails 0.19 Posted Mon 05 Aug 2013 12:00:00 AM CEST'. Not exactly the best advert and hardly comforting if one wanted security.
OTR: Same as GPG as the source code is available.
Truecrypt: Well the source code is available, so I would put it in the same basket as GPG. It has a choice of algorithms, including one (partly) designed by Schneier.
Bleachbit: Well that is client-side. Anything in the clear across the net (i.e. non encrypted traffic) can be read anywhere along the route.
But the big glaring thing is, at least in the UK, you can be sent to prison for refusing to hand over your encryption keys. And this has happened. People like to talk big, but the prospect of eating porridge with a lot of nasty looking and foul smelling prisoners, does not appeal to most people.
I would say that doing your own encryption, by this I mean using some of the open source tools and not closed source ones (and definitely not American ones) is a good thing.
See my post here in this thread. I don't understand how Bruce Schneier can recommend Silent Circle right after saying "the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about."
Silent circle - a US and UK connected commercial company - proprietary closed source, and in a sneaky "no we are open, really trust us" sort of way. W T F!???
I do. I do give a fuck about people who nerve gas to kill civilians in large amounts. If you don't, you are a sociopath.
Why does "caring about the civilians" have to equate to "bombing Syria"? Bombing Syria is likely to shatter human lives, civilian, military, and political; leaders and followers. How many more civilians need to be killed to punish Assad for killing civilians? It is the leap of faith from compassion to violence that much of the world is unwilling to make. Right now, the US is running around telling everyone that, if we 'allow' Assad to use chemical weapons, we send the message that such use is ok. Every time the US takes more-or-less unilateral military action against a sovereign power, it sends the message that preemptive or punitive military action is OK, and never mind what the UN says.
The US wants to lead the world? Fine: do it by example. Show us a world of rational, adult politicians capable of building consensus support for carefully considered decisions. Show us a world that respects both sides of a dispute and finds the common ground among all parties. For now, US international policy seems to be stuck in the same uncompromising, do-as-I-say under progressively more violent sanctions, paradigm that characterizes playground bullies. The US is showing the world that bigger, better guns give a nation the right to impose its fickle will on other countries. It's showing the world that possession of a nuclear weapon makes you immune to serious military action.
Your whole post is fucking retarded:
1. Encryption isn't a weapon. Period. Comparing the two is fucking stupid.
You do realize that up until around 1992 cryptography was considered a munition in the US and the export of which was heavily regulated.
Slow Down Cowboy! It's been 1 hour, 47 minutes since you last successfully posted a comment
> better to keep your communications inside your own country.
This is not enough. Just look at Germany.
Transit providers were involved with providing copies of traffic to the NSA or GCHQ (basically a port-mirror) in Germany, there is a compound about 30 kilometers away from the DE-CIX Internet Exchange in Germany.
Here is an introductory article:
http://arstechnica.com/tech-policy/2013/08/seven-telcos-named-as-providing-fiber-optic-cable-access-to-uk-spies/
New things are always on the horizon
Stop writing. Just stop.
Private keys are not sent anywhere, ever. If someone is generating your private key for you, in a browser nonetheless, you are doing PKI wrong. Period.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
George W Bush was not remotely conservative. Dumbass.
You fail at reading comprehension. Nowhere in my comment did I say that.
Um.. huh? You just contradicted yourself. Do you not realize that 'liberal' and 'conservative' - in the political sense, in the U.S. - are words used to describe one's political philosophy on how much power government should have?
They weren't spying on the entire American population's communications the last time conservatives held any significant political power either.
Prat, eh? I presume you're a Brit...
I shall forgive your apparent ignorance of American politics - or perhaps I should have mentioned that I'm a conservative in the context of American politics.
There are differences - some subtle, some significant - between the meaning of liberal and conservative in American vs. British politics.
I define 'big government' by the scope and breadth of its power over its governed. A government so powerful it can record virtually ALL of its citizens' electronic communications - and even decode supposedly private communications - is decidedly 'BIG'. If you disagree with this, fine... but you and I have nothing to discuss. It's not a meaningless phrase, however...
Liberal political ideology leads directly to government having these kinds of unchecked powers - that are sometimes secret and shrouded in mystery... Powers that will eventually be abused - no matter how good the intentions were at the start. Political leaders are not angels - they are humans who, like everybody else, are fallible, imperfect, greedy and power-hungry to one extent or another. Conservatism seeks to limit the scope and power of a centralized government - and guard against too few people gathering too much power unto themselves.
Really, all the things they have been complaining that China was doing, the NSA was also doing, and more. All that encryption cracking stuff, just waiting to be stolen by an enterprising hacker. Start sending your bills for identity theft to the NSA.
Encryption is no less a weapon than, for example, a bulletproof vest. And though you can buy those on eBay, you must vouch to be an American and promise not to export it...
Oh, but he did... Of course, he retained a perfectly plausible deniability, and there is not enough evidence for a "beyond reasonable doubt" conviction. But there is plentiful "preponderance of evidence" none-the-less...
In Soviet Washington the swamp drains you.
What does your naive ass think the NSA is for? It is for gaining intelligence on foreign countries. Other governments have similar operations.
Why is it so hard to only have politicians for a few years, then have them go away?
If you read the article carefully--I know, that's a stupid thing to say on /.--you'll see that the NSA often simply bypassed encryption entirely by grabbing the data either before it was encrypted or after it was decrypted. So the argument about which encryption is "better" is irrelevant. More importantly, anyone who believed that any of their communications COULD NOT through technical means end up in the hands of the government was/is naive.
Interesting! Thanks for the link. But because I am a child of the 80's, and because it rocks, I'm sticking with the Judas Priest interpretation.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
It is, and was even treated as such until 1992 — when the export bans were abolished because of being impractical.
Absolutely. But if the foreigners were unable to use our algorithms, there would've been no justification for the NSA to seek to undermine and break them. They would've been able to perform their mission — spying on foreigners — while unable to spy on Americans.
As you said, the rest of the world can invent their own methods — and the NSA would be allowed (nay, encouraged!) to covertly break into them. And the American firms would've had the advantage of being able to use American algorithms (even if only with American customers).
But all of this is moot, because it is simply impossible to keep an algorithm a secret for very long — all the while various implementations of it are in daily use by millions of people.
In Soviet Washington the swamp drains you.
Dear America, The world does not belong to you. You have a pretty big country, to take care of, please mind your own business. We are sure Syrian will come to a solution by themselves, because you know, they are a sovereign country. Best regards, The rest of the World
Yeah. Thing is, the overwhelming majority of Americans agree. But Obama drew a line in the sand last year, and now we have to kill people in order to save face, you know......
Which is probably what actually scares the government. Civilians are generally outgunned by the military (and particularly the US military), however - while sarin etc are not quite as easy - there's a *lot* of stuff that can be made from common chemicals.
They're afraid that not presenting a show of force now will "encourage" further use of such chemicals in the future, which puts their own military at somewhat of a disadvantage. Big guns don't do much against nerve gas, and it's already been shown that basic (component-wise) roadside bombs etc are pretty hard to defend against too.
Totally agree. I'd expect the NSA to be the best at what they're supposed to do. Trouble is, they have no regulation or scrutiny. The rubber stamp FISA court is a joke. The NSA spends a lot of time lying, spying on, and gaming American citizens, when they should be devoting that time and energy to cracking codes from our enemies. Sheesh.
The NSA is the supreme code-cracker of all code-crackers. They basically invented the word encryption as it relates to modern times. If they can access it, I bet they can crack it, (since they wrote most of the algorithms used for encryption). They now read your emails, listen to your cell calls, and probably read your letters. And, they provide that information to the Administration in power. George Orwell was being a fortune teller, he was demonstrating what you get when you give a government that much power. We weren't there in 1984, so his timing was off, but we most certainly are there now. And it is all covered under the blanket of protecting the National Security, and Mr Snowden has tried to show us and the world just exactly what we are paying our government to do. Absolute Power Corrupts Absolutely! Benders
I hate to get into a political philosophy argument since these tend to go around in circles, generating lots of heat but no light so I will just quote William Buckley from the first National Review in 1955. I believe that he can be considered an authority on American Conservatism.
"It is the job of centralized government (in peacetime) to protect its citizens’ lives, liberty and property. All other activities of government tend to diminish freedom and hamper progress."
Unfortunately, all of this spying is being done in the name of protecting citizens' lives, liberty and property. I see no difference between liberals or conservatives on this issue... they are both corrupt.
I don't read your sig. Why are you reading mine?
Problem is, as everyone likes to ignore, most of the middle east is BEGGING US to do something.
If the wikileaks cables showed the world anything it was that while countries in the middle east 'denounce' America in public, they secretly beg us to fucking help take out their trash.
Funny how people ignore these things, but seem to be too fucking stupid to notice the edits in the whole collateral murder video.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Or maybe I am? Read the piece and let me know what you think. The language does appear to be deliberately vague.
If the NSA has referred to encryption as "Digital Scrambling" I think we are just fine.
I've never seen a bomb that doesn't kill EVERYBODY in an area. As I understand you US have invented a bomb which when exploding sends its parts to search for military people?
Whaat? That would be pointless... They are all guilty of something! They shouldn't have done whatever it was they did.
Your party stays in power indefinitely, the only things that might end your reign are a split in your party, or killing off so many people that there are not enough people left to work and your economy collapses.
In a resource-thin country, that'd be true. In a resource-rich country, the government and people left would raze the country's available natural resources if only in order to survive.
And then, after that, a stronger country, probably a neighboring one, will continue to prop up your government, because that country wants to keep yours stable.
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
there is no way to affirm or refute the assertion, by definition. So we're supposed to believe a statement which can't be proved or disproved and which is made by known liars. duh?
aren't these the same people who claimed they were firing 90% of their sysadmins?
bluff, bluff, bluff.
you've got no clothes on, fellas, and people are talking about you.
As a citizen of a foreign country, allow me to be the first to say: fuck you.
Also: I hope you enjoy having every byte of data and second of phone call monitored by the Chinese intelligence services, because you have rather surrendered the moral high-ground and with it any right to complain about your privacy being violated by malicious superpowers.
Say whatever you want. It is my government's job to secure my freedoms from foreign intervention. It is your government's job to do so for you. Your lack of understanding is really cute. Do you go to your boss every day and list out the things that happened yesterday that "Just were not Fair!"?
Why is it so hard to only have politicians for a few years, then have them go away?
Having a CA public key changed is a real PITA because there is no easy way to update such key in Joe Public's web browser.
Of course in your Intranet you can do whatever you want to Joe Employee's computer, and I am sure proper OSes, where their code can be inspected for added security, can comply with this task.
IANAL but write like a drunk one.