Slashdot Mirror
Snowden Documents Show How Well NSA Codebreakers Can Pry
Der Spiegel has published today an excellent summary of what some of Edward Snowden's revelations show about the difficulty (or, generally, ease) with which the NSA and collaborating intelligence services can track, decrypt, and correlate different means of online communication. An interesting slice: The NSA and its allies routinely intercept [HTTPS] connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month.
For its part, Britain's GCHQ collects information about encryption using the TLS and SSL protocols -- the protocols https connections are encrypted with -- in a database called "FLYING PIG." The British spies produce weekly "trends reports" to catalog which services use the most SSL connections and save details about those connections. Sites like Facebook, Twitter, Hotmail, Yahoo and Apple's iCloud service top the charts, and the number of catalogued SSL connections for one week is in the many billions -- for the top 40 sites alone. ...
The NSA also has a program with which it claims it can sometimes decrypt the Secure Shell protocol (SSH). This is typically used by systems administrators to log into employees' computers remotely, largely for use in the infrastructure of businesses, core Internet routers and other similarly important systems. The NSA combines the data collected in this manner with other information to leverage access to important systems of interest.
this is truly disgusting
Before we all get too hysterical, from the article itself:
In other words, the NSA, GCHQ and other intelligence services are probably only able to crack badly configured or unpatched and badly out of date systems. That doesn't stop them from using out of band vulnerabilities like hacking into someone's PC or forcing some online service to open up the decrypted data, but it seems likely that if you have a well-managed cert chain and your systems are kept up to date and patched, the odds of anyone, government or otherwise, busting into your encrypted data seems pretty low.
My big fear out of all this isn't the unlikely hacking of mainstream encryption schemes, but rather that those that do use encryption may end up being targets of other methods; like malware, to get at their critical data.
The world's burning. Moped Jesus spotted on I50. Details at 11.
So that if anyone becomes a threat, it's easy to find a law they've broken, something embarrassing about them, or whatever. For most people, it is of no consequence. But for the very few who try to rock the status quo, this'll ensure they can't.
Richelieu said, "Give me six lines written by an honest man, and I will find something in it with which to hang him." Well, this just makes sure that the six lines have been collected in advance.
#1 financial information
#2 any idea they want to steal
#3 retroactive imprisonment, yeah it's not a crime today but tomorrow it is and they have all the evidence.
Remember who they share this info with.
"If any question why we died, Tell them because our fathers lied."
It's time to stop sending keys using dumb methods. Time to start generating keys and physically swapping/installing them.
Maybe live thousands miles away from your friends and family. Maybe your friends and family do not share the same principles like you do.
Who gives a shit what they do? You think being "social" is about reading petty nonsense that they post online, and perhaps responding? I don't think that's socialization at all. If I was a "social" person, I would just do it the old fashioned way: Find some decent people to hang out with in real life. If my family lived too far away, too fucking bad; I don't need to know about them. Maybe you could even occasionally use something called a phone or send a letter. No, that's simply impossible; you need to know every thought that pops into their heads.
Like it or not social networking is an amazing way to keep in touch and follow peoples life.
That's worthless, especially for actual nerds. And all you'll get is useless information.
It seems that too many people readily sacrifice everything for convenience.
You sound like a real joy to spend time with.
Facebook is intolerable to anyone with actual principles. That's just a fact. Maybe having principles isn't popular, but then again, I don't really want to hang out with people who use Facebook anyway.
If you love to be an extremely social fool (and I don't, personally), then there are plenty of options besides Facebook, which I've already mentioned.
#1 financial information
#2 any idea they want to steal
#3 retroactive imprisonment, yeah it's not a crime today but tomorrow it is and they have all the evidence.
Remember who they share this info with.
That is actually just the start. I'll be happy to give some more examples:
1: A DA going on a fishing expedition. That data, plus parallel construction, plus civil asset forfeiture ensures that they will have a packed jail and prison system, ensuring the campaign donations from private prison corporations keep on coming. Remember: 48 states have signed an agreement with Corrections Corporations of America to keep their jails at 90% bed space or else face fines hourly.
2: Lawsuits. People may have forgotten the MPAA and RIAA lawsuits, suing people for millions. It wouldn't take much for copyright law to be amended, forcing people to have to "prove" ownership of IP, just as businesses have to cough up proof when the BSA guy comes around, or else the BSA guy will be back with the constable and lawyers with a motion of discovery. Even the mention of "hey, dude, listen to this band!" that is logged, may be enough to get a IP infringement lawsuit going. Don't forget libel and slander lawsuits. It wouldn't take much for a lawyer to go through, say Slashdot's postings, and file hundreds of thousands of lawsuits on anyone bashing Sony.
3: Other country's laws. People don't realize it in the US that Thailand's lese majeste laws apply here? Well, they do, and an American can get shipped over there for breaking them, due to extradition treaties. Same with Turkey and the Kingdom of Saudi Arabia. In theory, someone handing out events for their pagan festival or church bulletins can be shipped over there to be executed, due to violating Islamic sharia laws. Privacy is important, since it isn't just domestic LEOs, but LEOs of foreign countries who can press charges and have US citizens answer for them. Right now, it tends not to be enforced, but the laws are on the books, and the pastor who was televised burning a Koran might find himself in Riyadh facing an imam and a crowd with rocks and a can of gasoline.
4: Laws created by treaties. The gun nuts fear the UN gun ban treaty that went into in effect last Christmas Eve. It wasn't ratified in the US... but that can change, and even though it didn't affect gun sales inside the US... it had a clause saying that UN could act as an enforcement agency within the US, operating independently from other LEOs. Now, think about this a minute. A law enforcement group with the power to use deadly force and enforce laws that were never put on the books by domestic lawmakers, with no way to contest their decisions. It might be something 3 percenters talk about now on talk radio... but do people remember how close ACTA came to being passed? It wouldn't be surprising to see another law like this come on the books under "anti-hacking statues" that would allow the UN to detain "hackers" under their own law, and under their own opinion.
5: Ex wifes/husbands. An acquaintance of mine lives in California, had a bad marriage, with the wife divorcing him for someone richer. Well, she had a good attorney (courtesy her new BF), and got a pretty insane alimony settlement. Well, the husband was out of work at the time, couldn't pay the payments... so the judge tossed him in for nonpayment for six months. He got out after that, two years later, was back in (as in California, unemployment isn't a good enough reason to not pay alimony costs.) Well, this shit went on for about two years, until this guy, once he got released, booked it to Mexico. Now, the ex wife is offering a bounty for anyone to find him and bring him to "justice". Not that she needs the money, but just out of pure malice. Without privacy, people who just had a bad relationship with a sadistic other can be killed.
6: Insurance companies. I've read cases on Slashdot where people have walked into a humidor at a Spec's, someone takes a
Oh, shut up already.
No. Facebook is an awful company and no one should deal with them. Giving your information to such a company only ensures it will be abused.
It's outrageously unreasonable to suggest that I ditch them now because they have an account on a website.
You don't need to ditch them, but at least don't follow them in getting a Facebook account unless you want to join them in being unprincipled ignoramuses who sacrifice massive amounts of privacy for convenience.
Surely they don't expect them to judge me on having an account on /.
Is Slashdot evil like Facebook? No. Facebook is designed to violate people's privacy and sell information to advertisers.
... but then again, I don't really want to hang out with people who use Facebook anyway.
If you love to be an extremely social fool (and I don't, personally), then there are plenty of options besides Facebook, which I've already mentioned.
LOL what?
If you reject people with facebook and similar stuff and people don't share your principles, you've just rejected 99.9% of the human population. You must be a very lonely boy.
For those of us 'extremely social' people who you know actually have a few friends and get along with acquaintances, we can't go scorched earth on everyone.
It's not that we're not tempted, it's that the cost benefit analysis of a scorched earth policy sucks donkey balls. No matter how you slice it, being a shut-in is very sad.
Liberty.
The SSL protocol is broken. Manipulating servers into lowering their cryptographic standard is possible through this. However: with properly encrypted data it's downright impossible for anyone including the NSA to decrypt it. This is not the 70's anymore. Academia is very much on par with the intelligence community when it comes to crypto. Too many big interests involved now. And they can't make a dent in AES-128. Fortunately mathematics is a-political.
That's just a fact.
You keep using that word. I don't think it means what you think it means. That's an opinion.
Facebook is intolerable to anyone with actual principles.
"Actual" principles being the principles that you hold, and no one else's principles being "actual", No True Scotsman style.
Social networking is an option for socialization. Almost no one uses it to the exclusion of more traditional social activities, although I agree that Internet socialization is a mere shadow of in-person socialization.
You've either got an oversimplified black-and-white view of the world, or you're just getting a kick out of trolling everyone. Either way, I hope it works out for you. The way I'm living my life is working out wonderfully for me, in spite of our differences of opinion.
You can continue being all "stop liking what I don't like!" I'm gonna get back to talking to my friends and spending time with my wife.
It is pitch black. You are likely to be eaten by a grue.
The article mentions:
Uh, Linux geek since 1999.