Slashdot Mirror


Snowden Documents Show How Well NSA Codebreakers Can Pry

Der Spiegel has published today an excellent summary of what some of Edward Snowden's revelations show about the difficulty (or, generally, ease) with which the NSA and collaborating intelligence services can track, decrypt, and correlate different means of online communication. An interesting slice:

> The NSA and its allies routinely intercept [HTTPS] connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month.
>
> For its part, Britain's GCHQ collects information about encryption using the TLS and SSL protocols -- the protocols https connections are encrypted with -- in a database called "FLYING PIG." The British spies produce weekly "trends reports" to catalog which services use the most SSL connections and save details about those connections. Sites like Facebook, Twitter, Hotmail, Yahoo and Apple's iCloud service top the charts, and the number of catalogued SSL connections for one week is in the many billions -- for the top 40 sites alone. ...
>
> The NSA also has a program with which it claims it can sometimes decrypt the Secure Shell protocol (SSH). This is typically used by systems administrators to log into employees' computers remotely, largely for use in the infrastructure of businesses, core Internet routers and other similarly important systems. The NSA combines the data collected in this manner with other information to leverage access to important systems of interest.

7 of 278 comments

  1. Re:Do users really care? by Anonymous Coward · · Score: 5, Informative

    Some people care, and you should care, since the information can and will be used to your detriment any time there is profit in it.

    Snowden did us a favor. We owe him one in return.

    Bring Snowden Home

    Sign it.

  2. Anyone can intercept SSH some of the time by phantomfive · · Score: 4, Informative
    If you ever get the warning:

    The authenticity of host '...' can't be established. RSA key fingerprint is .... Are you sure you want to continue connecting (yes/no)?

    That's ssh letting you know that a man-in-the-middle attack could be successfully launched at you, and decrypt all your communication.

    --
    "First they came for the slanderers and i said nothing."
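
Added example, not part of the thread or any poster's code: the prompt quoted in comment 2 appears when ssh has no stored key for the host, so the check that matters is comparing the offered key's fingerprint with one obtained out of band. The sketch below computes both fingerprint formats ssh prints (legacy MD5 colon-hex and SHA256) from an OpenSSH public-key line; the function names are hypothetical and the sample keys are constructed filler, not real host keys.

```python
import base64
import hashlib
import struct

def parse_pubkey(line):
    """Return (key_type, blob) from an OpenSSH public-key line: 'type base64 [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; the two must agree.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    return key_type, blob

def fingerprints(blob):
    """Fingerprints of the raw key blob in the two formats ssh displays."""
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": md5, "sha256": "SHA256:" + sha}

def host_key_matches(offered_line, trusted_fp):
    """True only if the offered key hashes to the fingerprint obtained out of band."""
    _, blob = parse_pubkey(offered_line)
    fp = fingerprints(blob)
    if trusted_fp.startswith("SHA256:"):
        return fp["sha256"] == trusted_fp
    # Legacy form, with or without the "MD5:" label newer clients print.
    return fp["md5"] == trusted_fp.split("MD5:")[-1].lower()

def constructed_key(seed):
    """Constructed sample: an ssh-ed25519 blob holding 32 filler bytes."""
    name, raw = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"

GENUINE = constructed_key(b"server")          # key the administrator generated
SUBSTITUTED = constructed_key(b"middlebox")   # different key offered on the wire
TRUSTED_FP = fingerprints(parse_pubkey(GENUINE)[1])["sha256"]  # obtained out of band

if __name__ == "__main__":
    print("genuine key accepted:", host_key_matches(GENUINE, TRUSTED_FP))
    print("substituted key accepted:", host_key_matches(SUBSTITUTED, TRUSTED_FP))
```
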
  3. Re:Do users really care? by Anonymous Coward · · Score: 4, Informative

    > Unfortunately these days not having a FB account means you are missing out in your social life. It has become the de facto for keeping in touch with friends and family.

    The above is utter bullshit.

    I have friends in five different countries and none of us use Facebook.

    I maintain contact with my family using communications which have nothing
    to do with Facebook.

    Not everyone is as stupid as you so obviously are ( making blanket statements
    which claim that Facebook is somehow necessary for having a social life is proof
    of your stupidity ).

  4. List of safe protocol by Anonymous Coward · · Score: 3, Informative

    those protocols or programs have a major rating (major according to the article means impossible unless someone made a mistake or malware was used)
    OTR
    TrueCrypt

    those protocols have a catastrophic rating (catastrophic for the NSA is a win for US)
    ZRTP
    PGP

    about the SSH thing, it all depends on the cipher used, if you use ssh with a MD2-DES cipher expect it to be decrypted
    if you use something like twofish or salsa20 you're probably quite secure

  5. Re:all this info for what? by Bengie · · Score: 4, Informative

    > Other country's laws. People don't realize it in the US that Thailand's lese majeste laws apply here? Well, they do, and an American can get shipped over there for breaking them, due to extradition treaties.

    Extradition almost exclusively applies to laws in other countries that would also be considered criminal in the USA. Kill someone in Thailand, well murder is criminal in the USA, so they'll extradite you. Slander someone, well, that's not criminal in the USA, so you're safe. The USA also will not extradite if they think the punishment may be considered "extreme".

  6. Re:Again... by WaffleMonster · · Score: 4, Informative

    > You are poorly informed.

    About?

    > http://www.nytimes.com/2013/09...
    >
    > Certificate Authority:
    > http://en.wikipedia.org/wiki/D...

    Old news virtually everyone here knows well.

    > Loss of Trust:
    > Information provided by Edward Snowden

    Trust? What the fuck are you smoking???... The prior US administration LIED and started a goddamn war under completely false pretenses leading to the deaths of hundreds of thousands displacing millions over the course of a decade...not a little privacy invasion or reading love letters...but grand fucking high crimes against humanity. A *DECADE* ago we found out about NSA collection of *ALL* domestic phone records.... As much as I love Ed Snowden there was no trust remaining to lose when he spoke out.

    I trust the Internet was insecure and all kinds of TLA's and assorted bad actors were exploiting to the hilt from the very start. Security is our responsibility...nobody else's.

    > Those are singular examples to the issues I spoke of, there are many, many more.
    > In addition, only a small percentage of data has been released to the public from the "Snowden Cache", if it was all released maybe people like you would finally STFU

    The only thing you have enumerated was bullshit about SSL and HSTS which were factually incorrect and demonstrate your lack of knowledge of underlying technology. It shows you can read technical articles without having a firm grasp of fundamentals. The rest is just bloviating about enumeration of unspecified this and that's ...you have nothing specific to say.

    If anything what Snowden told us is that the systems we *know* are secure really are a PITA even for the NSA to crack...Snowden himself said as much during a hearing he remotely participated in from Russia and in several televised interviews with reporters earlier in the year.

    The underlying point remains running around yelling "How can you trust anything" ... is not helpful in any way... It spreads FUD and makes no positive contribution.

  7. Re:all this info for what? by Anonymous Coward · · Score: 2, Informative

    > Thanks for the list. This is a good counter to the people who say "if you aren't doing something wrong, what do you have to hide?"

    Here's an example everybody can understand: That time when the FBI tried to blackmail MLK Jr with sex tapes they secretly recorded of him. Just because most of us are unimportant in the grand scheme of things doesn't mean the occasional person who can change society won't be victimized in order to hurt us all.