Slashdot Mirror


Snowden Documents Show How Well NSA Codebreakers Can Pry

Der Spiegel has published today an excellent summary of what some of Edward Snowden's revelations show about the difficulty (or, generally, ease) with which the NSA and collaborating intelligence services can track, decrypt, and correlate different means of online communication. An interesting slice:

The NSA and its allies routinely intercept [HTTPS] connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month. For its part, Britain's GCHQ collects information about encryption using the TLS and SSL protocols -- the protocols https connections are encrypted with -- in a database called "FLYING PIG." The British spies produce weekly "trends reports" to catalog which services use the most SSL connections and save details about those connections. Sites like Facebook, Twitter, Hotmail, Yahoo and Apple's iCloud service top the charts, and the number of catalogued SSL connections for one week is in the many billions -- for the top 40 sites alone. ...

The NSA also has a program with which it claims it can sometimes decrypt the Secure Shell protocol (SSH). This is typically used by systems administrators to log into employees' computers remotely, largely for use in the infrastructure of businesses, core Internet routers and other similarly important systems. The NSA combines the data collected in this manner with other information to leverage access to important systems of interest.

5 of 278 comments

  1. Re:Do users really care? by Anonymous Coward · · Score: 5, Interesting

    Unfortunately these days not having a FB account means you are missing out in your social life.

    No, it doesn't. For instance, you could always hang out with people not dumb enough to use Facebook, or reject 'social' nonsense. Or, you know, actually hang out with people if for some reason you actually want to be a social tool.

  2. Re:Hysteria by phantomfive · · Score: 4, Interesting

    The article is merely listing tools. I expect that if we have a spy agency, they will use the tools available to spy. That is what a spy agency does. If you're outraged that a spy agency actually does spy, then you're probably addicted to outrage or something.

    The problem with the NSA isn't that they are spying, it isn't that they know how to decrypt SSL or mount a MITM attack; the problem with the NSA is they are spying on everybody. Limit the spying to only enemies of the US, and only the paranoid will be outraged.

    --
    "First they came for the slanderers and i said nothing."
  3. Re:Anyone can intercept SSH some of the time by phantomfive · · Score: 3, Interesting

    They have fake certificates from trusted authorities for some major sites, and use MITM attacks to serve up fake pages with them. We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them. We can also potentially defend against this by using more certificate pinning and warnings when certificates change unexpectedly, as well as distributed certificate checks (to make sure the one you get is the same one everyone else gets).

    I don't think so because not many people use trusted authorities with SSH. (In fact I've never heard of anyone doing that, but surely there are people who do). Most likely the NSA just sits there sniffing traffic that goes by, waiting until there's an SSH to a new box (which actually happens a lot, every time you reinstall or something), then begin sniffing. After that they have the password and everything, so the attack can expand.

    --
    "First they came for the slanderers and i said nothing."
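
The defences named in the thread above (pinning, warning when a key changes, and comparing what you see with what others see) applied to the SSH first-connection case, as an added example that is not part of any comment or of any tool mentioned on this page. The function names, result labels, hostnames and keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host(host, key_b64, pins, peers=()):
    """Classify the key a server presents.

    pins  -- {host: fingerprint} recorded earlier or obtained out of band
    peers -- fingerprints other vantage points report for the same host
    """
    fp = fingerprint(key_b64)
    if host in pins:
        return "match" if pins[host] == fp else "changed"
    # First connection: nothing local to compare against, so the only
    # evidence is whether independent observers see the same key.
    if not peers:
        return "first-seen-unverified"
    if all(p == fp for p in peers):
        return "first-seen-peers-agree"
    return "first-seen-peers-disagree"

def constructed_key(seed):
    """Build a syntactically valid ssh-ed25519 blob from a seed (sample data)."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for a real key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return base64.b64encode(blob).decode()

# Constructed sample keys and hostnames, not real ones.
GENUINE = constructed_key(b"genuine server")
OTHER = constructed_key(b"unexpected key")

if __name__ == "__main__":
    pins = {"db1.example": fingerprint(GENUINE)}
    print(check_host("db1.example", GENUINE, pins))
    print(check_host("db1.example", OTHER, pins))
    print(check_host("new.example", OTHER, pins, [fingerprint(GENUINE)] * 2))
    print(check_host("new.example", GENUINE, pins))
```
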
  4. Re:Do users really care? by Anonymous Coward · · Score: 2, Interesting

    It is not in the best interest of Mr. Snowden to re-enter the United States. He can be at his most effective and most free outside of U.S. possessions and territories, and any country with an extradition treaty with the U.S. Even with a presidential pardon his life Stateside would not be easy.
    On the other hand, if Bill Clinton can pardon Marc Rich, then Barack Obama can pardon Edward Snowden. It would be a great litmus test for the 2016 presidential candidates.

  5. Re: Do users really care? by 7-Vodka · · Score: 4, Interesting

    I see a lot of similar comments, but I liked yours so I'll address the themes here.

    First, Facebook is not the only problem. You're kidding yourself if you think it is. The list of technology companies that sucker their users is as long as the list of technology companies that sell 'the cloud'. Google, Yahoo, Microsoft etc.

    Worse than this, the evil is not marketing. The real evil is the secret pact between the tech companies and the government's monopoly on the initiation of force, for the benefit of a minority of oligarch families. The elite's technology branch

    The real evil is the Patriot Act, the capture of government, the capture of industry and the subversion of the constitution. All tech companies are a part of this, most willingly, some unwillingly or unwittingly and the only honest ones are forced to shut down.

    The capture of the government and industry is nothing new, but it reached tremendous success in the 20th century. First they captured the congress and the judicial, then the executive, then the monetary system and then they really captured the executive with the JFK assassination. Don't forget where some of the recent oligarchs originated.

    • Are you against marketing?
    • Are you for privacy?
    • Are you for honesty as a virtue?
    • Are you for Free Software?
    • Are you for the constitution?
    • Do you believe in free will? (or that you should act as if it exists)
    • Do you believe in the traditional family?
    • Are you religious?
    • Are you for sound money?
    • Are you an Austrian or a Keynesian?
    • Do you believe that there really is a 2 party system in the USA?

    Do you see it yet? If you rule out the vast majority of the population based on internet usage, you're out of whack. Firstly because that's not the real problem.

    Also, you might have MUCH MORE in common with someone who uses FB daily than with someone who doesn't, based on your OTHER principles and virtues.

    It's like saying, "I'll only hang out with people who are atheists." That's not enough. In 10 years time that could still be all you have in common. Or they could change their minds.

    Finally I would just like to remind people that not only is the USA responsible for millions of deaths around the world, it now tortures people.

    If you refuse to interact with people who support these acts, how will you ever change their minds?

    Oh and just for good measure. A fucking surveillance blimp. The internet of things is coming to spy on you from the sky 24/7. Is it not enough that you've captured the mass media? If you were to only hang out with people who share all your principles or most important beliefs, you would not hang out with anyone.

    Furthermore, having intelligent debate with people who disagree with you (and are virtuous enough to have an intelligent debate) is the only way that you can make any sort of real progress in self discovery and discovery of the universe. If your ideas and principles are not challenged, if you don't go back to first principles to figure out what's really important, if you don't re-assess your beliefs in the face of new evidence, you'll never improve.

    --

    Liberty.