Snowden Documents Show How Well NSA Codebreakers Can Pry

Der Spiegel has published today an excellent summary of what some of Edward Snowden's revelations show about the difficulty (or, generally, ease) with which the NSA and collaborating intelligence services can track, decrypt, and correlate different means of online communication. An interesting slice: The NSA and its allies routinely intercept [HTTPS] connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month. For its part, Britain's GCHQ collects information about encryption using the TLS and SSL protocols -- the protocols https connections are encrypted with -- in a database called "FLYING PIG." The British spies produce weekly "trends reports" to catalog which services use the most SSL connections and save details about those connections. Sites like Facebook, Twitter, Hotmail, Yahoo and Apple's iCloud service top the charts, and the number of catalogued SSL connections for one week is in the many billions -- for the top 40 sites alone. ... The NSA also has a program with which it claims it can sometimes decrypt the Secure Shell protocol (SSH). This is typically used by systems administrators to log into employees' computers remotely, largely for use in the infrastructure of businesses, core Internet routers and other similarly important systems. The NSA combines the data collected in this manner with other information to leverage access to important systems of interest.

this is disgusting

this is truly disgusting

Re:this is disgusting

And disgustinger it gets. Entropy added to Kunfuse the National Service Administration. Hust didding myself.

Re:this is disgusting

[bigfoottoo]

I give the NSA a lot of credit though. They're tough competitors. A real class act.

Re:this is disgusting

Yes. Thank you America. You fucked up the worlds shit again. Assholes.

Re:this is disgusting

[gatkinso]

Why the hate? They are just trying to make your comms more secure, after all.

Re:this is disgusting

[micahraleigh]

Without America the internet would be a small network used by a handful of university kids.

The govies are responsible for this. And people like me are being required to pay for it !!

Do users really care?

I am playing the devil's advocate here.

Do users really care who reads their data? I mean they are anyway happily giving away all their data and communications to Facebook anyway.

Or do we say we trust Facebook more than the government?

Re:Do users really care?

Some people care, and you should care, since the information can and will be used to your detriment any time there is profit in it.

Snowden did us a favor. We owe him one in return.

Bring Snowden Home

Sign it.

Re:Do users really care?

If I don't want Facebook looking at my shit I can stop using them. When it comes to the NSA I have no say.

Re:Do users really care?

I am the parent AC. I do care myself. I am just wondering about the majority of the people.

Re:Do users really care?

I wish it was so simple my fellow AC. Unfortunately these days not having a FB account means you are missing out in your social life. It has become the de facto for keeping in touch with friends and family.

Re:Do users really care?

Unfortunately these days not having a FB account means you are missing out in your social life.

No, it doesn't. For instance, you could always hang out with people not dumb enough to use Facebook, or reject 'social' nonsense. Or, you know, actually hang out with people if for some reason you actually want to be a social tool.

Re:Do users really care?

I would love to agree with you, but life is not black and white. Maybe live thousands miles away from your friends and family. Maybe your friends and family do not share the same principles like you do. There are so many reasons. Like it or not social networking is an amazing way to keep in touch and follow peoples life. Too bad that the only option is Facebook.

Re:Do users really care?

[Free+Censorship]

Maybe live thousands miles away from your friends and family. Maybe your friends and family do not share the same principles like you do.

Who gives a shit what they do? You think being "social" is about reading petty nonsense that they post online, and perhaps responding? I don't think that's socialization at all. If I was a "social" person, I would just do it the old fashioned way: Find some decent people to hang out with in real life. If my family lived too far away, too fucking bad; I don't need to know about them. Maybe you could even occasionally use something called a phone or send a letter. No, that's simply impossible; you need to know every thought that pops into their heads.

Like it or not social networking is an amazing way to keep in touch and follow peoples life.

That's worthless, especially for actual nerds. And all you'll get is useless information.

It seems that too many people readily sacrifice everything for convenience.

Re:Do users really care?

... means you are missing out in your social life

You say that like it's a bad thing.

...It has become the de facto for keeping in touch with friends and family.

What, telephone calls and e-mail aren't hip enough for you?

Re: Do users really care?

You sound like a real joy to spend time with. Have you actually found anyone to socialize with?

Re:Do users really care?

I am the AC that posted child to the post referred to as "parent" in the post that is parent to this post.

I am glad to know you care. The "you" in my post was intended to be ambiguous as to whether it referred to you specifically or whoever was reading the post. But text as a form of communication always leaves a bit to the imagination.

I just hope that my post gets modded up enough that people actually read it, as the petition is close to completion, and I can only sign it once myself. I am sad that the American public has drug its feet so badly on protecting the interests of someone that made such sacrifice on their behalf.

Re: Do users really care?

[loftarasa]

Oh, shut up already. Not everyone is a 45-year-old neckbeard troll living in their mom's basement with greasy Doritos hands and Mountain Dew stains on their shirts. I know and like my friends since before they joined Facebook. It's outrageously unreasonable to suggest that I ditch them now because they have an account on a website. Surely they don't expect them to judge me on having an account on /. Facebook allows us to communicate on some aspects of our lives, perhaps today most commonly through sharing pictures, much as people used to do with postcards and snail mail. It isn't meant to replace face-to-face conversations. There may be something to be said about people who exclusively rely on Facebook, or who share TMI. But instead of ranting aimlessly like an old fart, I just unsubscribe to their feed. Not everyone can afford or is willing to end friendships based on social network memberships. Facebook's success in particular and the emergence of so many networks in general are evidences to that. Your dogmatic view on social relationships is neither correct nor necessary nor relevant nor required.

Re:Do users really care?

Unfortunately these days not having a FB account means you are missing out in your social life. It has become the de facto for keeping in touch with friends and family.

The above is utter bullshit.

I have friends in five different countries and none of us use Facebook.

I maintain contact with my family using communications which have nothing
to do with Facebook.

Not everyone is as stupid as you so obviously are ( making blanket statements
which claim that Facebook is somehow necessary for having a social life is proof
of your stupidity ).

Re: Do users really care?

Facebook is NOT the only option. It happens to be one that a lot of uninformed people choose. You can choose to inform them better or decide how much you really need to communicate with whoever.

I've essentially lost a bunch of friends because of not using Facebook, but so be it.

Re: Do users really care?

[Free+Censorship]

You sound like a real joy to spend time with.

Facebook is intolerable to anyone with actual principles. That's just a fact. Maybe having principles isn't popular, but then again, I don't really want to hang out with people who use Facebook anyway.

If you love to be an extremely social fool (and I don't, personally), then there are plenty of options besides Facebook, which I've already mentioned.

Re: Do users really care?

[Free+Censorship]

Oh, shut up already.

No. Facebook is an awful company and no one should deal with them. Giving your information to such a company only ensures it will be abused.

It's outrageously unreasonable to suggest that I ditch them now because they have an account on a website.

You don't need to ditch them, but at least don't follow them in getting a Facebook account unless you want to join them in being unprincipled ignoramuses who sacrifice massive amounts of privacy for convenience.

Surely they don't expect them to judge me on having an account on /.

Is Slashdot evil like Facebook? No. Facebook is designed to violate people's privacy and sell information to advertisers.

Re: Do users really care?

[7-Vodka]

... but then again, I don't really want to hang out with people who use Facebook anyway.

If you love to be an extremely social fool (and I don't, personally), then there are plenty of options besides Facebook, which I've already mentioned.

LOL what?

If you reject people with facebook and similar stuff and people don't share your principles, you've just rejected 99.9% of the human population. You must be a very lonely boy.

For those of us 'extremely social' people who you know actually have a few friends and get along with acquaintances, we can't go scorched earth on everyone.

It's not that we're not tempted, it's that the cost benefit analysis of a scorched earth policy sucks donkey balls. No matter how you slice it, being a shut-in is very sad.

Re: Do users really care?

Actually stupidity is lack of intellectual. Like someone saying "missing out on your social life", and you understanding "not having asocial life".

Re: Do users really care?

[Cloudaki]

If you don't like FB there are alternatives out there. Just saying...

Re: Do users really care?

Lol. Facebook "evil". I'm sure you would think that of anything as long as it grows so big it becomes mainstream.

Things are the way they are because of a long string of events, handled by people oblivious to 90% of what's relevant because it's just too much for a single individual.

Just think about it for a minute and you'll realize that individually, even though I'm generalizing and there will be obvious exceptions, every action taken by Big Corp is justifiable and reasonable. It's not one evil individual just saying "let's make a super popular product and then sell people's information to make loads of monies". That's not how the big picture works.

Re:Do users really care?

[jemmyw]

I couldn't agree more. FB is joyless. I've moved around the world a fair bit, and I've friends and family "thousands of miles away" who I don't need to communicate with on a day to day basis and read the minute of their lives. What do you talk about when you do get together?

Also, everyone does the same stuff anyway. Get together with someone, have kids, get married, buy a house, hop jobs. It could be anyones partner/kids/house, how would I even know? Until you're actually seeing them, it does not impact you, so you may as well keep the surprise.

Re:Do users really care?

Those of us who choose to live off that grid might have fewer friends. But the friends we do have are real friends.

We might have to use text, email, skype, ventrillo, teamspeak, in-game chat, phone calls, paper mail, or face-to-face communication to stay in touch. But we will see these as worth the effort, because we actually care about each other, rather than see each other as followers that make us feel important.

Maybe only paranoid geeks will abstain from Facebook, but we paranoid geeks are willing to accept the costs, and consider the benefits to be worth it.

Re:Do users really care?

It is not in the best interest of Mr. Snowden to re-enter the United States. He can be at his most effective and most free outside of U.S. possessions and territories, and any country with an extradition treaty with the U.S. Even with a presidential pardon his life Stateside would not be easy.
On the other hand, if Bill Clinton can pardon Mark Rich, then Barack Obama can pardon Edward Snowden. It would be a great litmus test for the 2016 presidential candidates.

Re: Do users really care?

[Free+Censorship]

"Lonely" implies that you feel sad due to a lack of interaction with others. That's not accurate for a lot of people.

For those of us 'extremely social' people who you know actually have a few friends and get along with acquaintances, we can't go scorched earth on everyone.

Then just don't use a Facebook account if you don't want to go that far.

No matter how you slice it, being a shut-in is very sad.

What is and is not sad is completely subjective, so no. And I reject the notion that you can't find people who don't use Facebook; others participating in this discussion have said as much.

Re:Do users really care?

Bwahahahahaaaa! What an utter crock of shit! My fellow AC, you should try and spout that sort of horseshit in my local pub, where my friends and family meet and drink. You'd be laughed out of the establishment. We all *loathe* fecesbook with a passion, and we all have a very healthy and happy social life. We prefer actual reality to virtual reality any day of the week. And for those friends and family who are far away, well, I don't want to worry your shareholders, my fellow AC and obvious fecesbook shill, but we have email and other forms of communication for that.

"It has become the de facto for keeping in touch"
It has become the de facto WHAT for keeping in touch? De facto malware? De facto spyware?

Facebook will wither into insignificance just as myspace did. Hopefully it will not take too long to do so.

Re:Do users really care?

Signed.

Re: Do users really care?

[Free+Censorship]

I'm sure you would think that of anything as long as it grows so big it becomes mainstream.

Popular or unpopular, evil is evil to me, so your confidence is misplaced.

every action taken by Big Corp is justifiable and reasonable.

I think about the larger picture, not necessarily about individuals, so again, no.

Re:Do users really care?

Also, everyone does the same stuff anyway. Get together with someone, have kids, get married, buy a house, hop jobs.

Well, not everyone, but I agree with the general point. How many times do you need to hear that completely mundane thing X happened, really?

Re: Do users really care?

[Cloudaki]

"Facebook will wither into insignificance" only to be replaced by something else. It's up to us to make sure it will be replace by something "better".

Re:Do users really care?

He needs a presidential pardon; very, very badly!

Get signing people if you care about your rights..

Re: Do users really care?

If you reject people with facebook and similar stuff and people don't share your principles, you've just rejected 99.9% of the human population

99.9?? Seriously? You, sir or madam, are someone who knows nothing about the actual statistics, or a shill, or a fuckwit. 99.9 percent. Hah!

In my busy local pub, the group with whom I am closest all strongly dislike facebook. I have other friends in the pub who do use facebook, and good luck to them, but I find I get along better with the people who simply ignore 'social' online bollocks. We have more in common. And we are not a small group within that pub.

Re: Do users really care?

Well said.

I sniff a bit of facebook shilling going on in this thread, and I'm glad people like you put them in their place.

Re:Do users really care?

"Bring Snowden Home" ... folks at the NSA would like nothing more than that. "Pardon Snowden" would be a better title.

Re: Do users really care?

And you sound like a whiny pain in the arse.

I'd socialize with Free Censorship (3961451) any day of the week, because they demonstrate an insightful, thinking mind. Whereas, you, you judgmental fool, I shudder at the thought of socializing with you for even a nanosecond.

Re: Do users really care?

Oh, shut up already. Not everyone is a 45-year-old neckbeard troll living in their mom's basement with greasy Doritos hands and Mountain Dew stains on their shirts

Nice personal attack there. Classy. You twat. (Sorry that's not up to your florid standards, but I didn't want to waste my time on you.)

Re:Do users really care?

Too bad that the only option is Facebook.

Bwahahahahaaa! Do you really think that? Are you really that stupid?

Re: Do users really care?

[umghhh]

assuming human population being at 7b, rejecting 99.9% means you still (can) socialize with .1% which is 7m. Pretty social or?
Why so aggressive. There are social people. Then there are owners of super male brain. Then there are sociopaths, or just simple assholes etc. There is very small chance that the social people will ever understand what super male brain actually means. I know because I tried to explain it to my mom, my concerned friends etc. Some people like me because I am good at discussing things (I suppose). All my relationships ended badly which made me research(!) and the result was exactly this. I am maybe not very intelligent but then I am not very social either. I still can hold to few friends that accept that I need some distance and ask nicely from time to time how is it going and then accept complex answer that they get (I guess some of them have the same problem as I do). Keeping a distance is a key not be become a major asshole which works well but not with women.
Ease up a bit - let it go. Some people do not need cuddling and talking about weather. For them discussion about some technical matter instead of weather is very social even if done over IM. It is also better if you talk to them in a way that they can understand i.e. certain procedures of social interaction make chances of professional and date success higher, some not. Please quote relevant statistics and reports.

Re: Do users really care?

A very good point. Please mod parent up. Insightful would be my mod.

An open source version of facebook, run by the people, for the people, and one that would not abuse the privacy of its members, would be a very good thing indeed. I just cannot see it happening, I'm sad to say.

Re:Do users really care?

It seems that too many people readily sacrifice everything for convenience.

hyperbole much?

Re: Do users really care?

Facebook is intolerable to anyone with actual principles. That's just a fact. Maybe having principles isn't popular, but then again, I don't really want to hang out with people who use Facebook anyway.

"This is just a fact". hmm. classic weasel words. would you care to share which principles everyone must share that are violated by having a fb account? i don't happen to have one, but your posts are just extreme opinion. you have posted nothing so far that i can see could argue for your opinion.

how about an actual argument, or stfu.

Re:Do users really care?

I live literally on the opposite side of the world from my friends and family. We literally couldn't get any further apart, physically, short of me becoming an astronaut.

I don't have a Facebook account. Never have.

We keep in touch just fine with email and SMS. We each have our own blogs, and occasionally comment on each other there - outside the walled garden of any "social network". And we use Skype.

Honest, it works fine.

Re: Do users really care?

[Feral+Nerd]

... but then again, I don't really want to hang out with people who use Facebook anyway.

If you love to be an extremely social fool (and I don't, personally), then there are plenty of options besides Facebook, which I've already mentioned.

LOL what?

If you reject people with facebook and similar stuff and people don't share your principles, you've just rejected 99.9% of the human population. You must be a very lonely boy.

For those of us 'extremely social' people who you know actually have a few friends and get along with acquaintances, we can't go scorched earth on everyone.

It's not that we're not tempted, it's that the cost benefit analysis of a scorched earth policy sucks donkey balls. No matter how you slice it, being a shut-in is very sad.

Eh?? 99.9% of the human population?? In which parallel universe do you live where all but 0.01% of the population is a hopeless Facebook junky? I can't possibly be the only person outside of stone age communities in places like the deep Amazon jungle or the great Namib desert who manages to make friends without involving Facebook?!? You don't have to be a bitter bomb making, manifesto writing recluse to be irritated by the sort people who can't seem to interact with the rest of humanity unless they do it though E-mail, chat programs, SMS, Facebook, a Bluetooth headset, Twitter, Google+ or something similar...

Re: Do users really care?

[khellendros1984]

That's just a fact.

You keep using that word. I don't think it means what you think it means. That's an opinion.

Facebook is intolerable to anyone with actual principles.

"Actual" principles being the principles that you hold, and no one else's principles being "actual", No True Scotsman style.

Social networking is an option for socialization. Almost no one uses it to the exclusion of more traditional social activities, although I agree that Internet socialization is a mere shadow of in-person socialization.

You've either got an oversimplified black-and-white view of the world, or you're just getting a kick out of trolling everyone. Either way, I hope it works out for you. The way I'm living my life is working out wonderfully for me, in spite of our differences of opinion.

You can continue being all "stop liking what I don't like!" I'm gonna get back to talking to my friends and spending time with my wife.

Re:Do users really care?

[Bengie]

Being "social" is all about interacting. If you don't interact, you're not social and may as well not be a human. Until humans figure out a way to reproduce asexually, we'll need to interact. Even asexual organisms are still social because there is safety in numbers. I guess what I'm saying is that what others are doing is logical, you're the illogical one. Don't be so eager to pass judgement.

Re: Do users really care?

[ColdWetDog]

LOL what indeed. Even in my little town of 8000 people, .1% of the population gives me plenty of people to regularly interact with. People that I might want to interact with. Of course, YMMV and if you think happiness revolves around Facebook (or Slashdot or whatever) then good for you.

I personally don't like all that many folks on my lawn.

Re: Do users really care?

[duke_cheetah2003]

If you reject people with facebook and similar stuff and people don't share your principles, you've just rejected 99.9% of the human population.

You say this like it's a bad thing?

Re:Do users really care?

[Free+Censorship]

No, not really. Especially considering the article.

Re: Do users really care?

[Free+Censorship]

"This is just a fact". hmm. classic weasel words.

"classic weasel words". Hmm. Classic weasel words.

would you care to share which principles everyone must share that are violated by having a fb account?

It almost always comes at the cost of trading privacy for convenience, and enabling Facebook's privacy-invading behavior.

you have posted nothing so far that i can see could argue for your opinion.

Facebook's policies are well-known. If you don't know about them, then get out of your cave.

Re: Do users really care?

[Free+Censorship]

You keep using that word. I don't think it means what you think it means.

It means exactly what I think it means.

"Actual" principles being the principles that you hold, and no one else's principles being "actual", No True Scotsman style.

I don't consider sacrificing privacy for convenience to such a degree and enabling Facebook's behavior by using it to be a very principles move.

or you're just getting a kick out of trolling everyone.

Erm... I would hope that my opinion wouldn't anger anyone on a website for nerds like Slashdot. My opinion should be nearly universal given all the unethical things that Facebook does, and considering the nature of social networking trash.

Re:Do users really care?

[Free+Censorship]

Being "social" is all about interacting. If you don't interact, you're not social and may as well not be a human.

Not much real interaction from Facebook, and certainly not of the sexual variety. Also, individuals are social to varying degrees.

Until humans figure out a way to reproduce asexually, we'll need to interact.

I guarantee you that the human race could survive without Facebook. You used the more general term "interacting," but the topic is about Facebook, so nice try.

I guess what I'm saying is that what others are doing is logical, you're the illogical one.

Incorrect. I'm only illogical if I'm violating my own principles, which I am not. There is nothing inherently logical about desiring to live, and nothing inherently illogical about desiring the opposite. Not that I do, since you rather missed the point of all these comments, but your statement itself was so illogical that I couldn't overlook it.

No, using Facebook isn't inherently logical or necessary. It certainly isn't principled, and giving an unethical company like Facebook attention is just enabling its behavior.

Re: Do users really care?

It's the online equivalent of reality TV, except it stars your friends and neighbors. Pathetic that our culture has become one of voyers. Also, hi NSA!

Re: Do users really care?

[zennyboy]

I'm British but I live in Spain. Should I not know what is going on in the lives of people in the UK? Or get them to e-mail me everything? Or convince them all to sign up for a service I consider to be 'better'?

Re:Do users really care?

Snowden. The gift that keeps on giving.

Every time you think the bottom of the manure pile has been reached...

Re: Do users really care?

[khellendros1984]

Judging from the responses to your posts, your opinion isn't as popular as you might have expected. It's certainly a more extreme position than I'd take.

I don't consider sacrificing privacy for convenience to such a degree and enabling Facebook's behavior by using it to be a very principles move.

To which degree? Providing a fake name, birthdate, and other information, blocking image tags, and posting untagged text information? I suppose that they can extract a fair amount of info about me from information that my friends post, but if I didn't have an account, Facebook has algorithms that would infer most of those connections anyhow.

Facebook is a tool that encourages incorrect use. Kind of like a bank, or a credit card. Still, I enjoy the conveniences of direct-deposited paychecks, not carrying around the amounts of cash that would encourage the police to seize it, and paying for things that are difficult to get by cash. Facebook has less utility than a credit card, of course. Therefore, they have less information about me. Although they've done things that I consider annoying, I haven't actually been harmed in a way that I can measure. Part of that is because I haven't given them sufficient leverage to do so.

Re: Do users really care?

[Free+Censorship]

To which degree? Providing a fake name, birthdate, and other information, blocking image tags, and posting untagged text information?

By even using Facebook, you grant their service legitimacy, and enable (albeit only slightly, but change has to start somewhere) their unethical behavior. You mention algorithms that Facebook uses to infer connections, which is yet another evil.

Re:Do users really care?

[AK+Marc]

IT's not about missing out on the social life. If you don't have FB, then FB isn't bound by their TOS for how they handle your information, and they are collecting information on you. Your friends can tag you and you'll be in pictures, but have no ownership or say in how your information is treated or used, unless there are law changes, or you sign up for your own account.

Re:Do users really care?

Being "social" is all about interacting. If you don't interact, you're not social and may as well not be a human.

Only if the semantics of "social" are stretched beyond any usefulness. For the vast majority of FB users, their interactions are best described as "mutual voyeurism" rather than "socializing". I eschew FB; my wife uses it, but in a way that could easily be replaced by a variety of decentralized approaches to keeping in touch with friends/family. We have no trouble interacting with friends/family, both near and far, therefore the necessity is only in the minds of too many FB users who confuse necessity with a dangerous convenience.

- T

Re:Do users really care?

[AK+Marc]

Yeah, except nearly all of my high school classmates have an account, and have posted prom and group pictures with people in them that don't have accounts. And what about family? Not a single family member has an account? I don't believe you. There are plenty of grandmas with accounts these days.

Re: Do users really care?

[AK+Marc]

Facebook is intolerable to anyone with actual principles.

And let me guess, "actual" principles means "exactly my" principles, right?

Re: Do users really care?

[Free+Censorship]

It means that I don't believe sacrificing privacy to a greedy company that has shown itself to be wildly unethical for convenience and/or enabling it by using the service is a very principled move.

Re: Do users really care?

[AK+Marc]

So does that list include Wal-Mart, Sony, Ford, GM, Chrysler, MS, and countless others, or are you just anti-facebook and not principled?

Re: Do users really care?

[Hussman32]

While there will be a certain amount of collateral damage, Facebook users ultimately control what they post, and that is where they can manage what they reveal in on-line surveillance. Admittedly recent tracking methods linking Amazon purchases to Facebook feeds are getting really creepy, but it would be hard for the NSA to have anything suspicious about me considering I post pictures of my kids and a few inoffensive jokes (not that there is anything suspicious).

One observation on this thread, the percentage of ACs are much higher than normal.

Re: Do users really care?

[Free+Censorship]

It includes many, where it is actually viable. It's trivial to avoid Facebook (and I would say the ones you listed, too) despite excuses of peer pressure or not knowing how else to communicate.

Re: Do users really care?

[Free+Censorship]

While there will be a certain amount of collateral damage, Facebook users ultimately control what they post, and that is where they can manage what they reveal in on-line surveillance.

But they don't ultimately control what Facebook does with the data they have, which is to use it in privacy-violating ways. You shouldn't legitimize an unethical service by using it.

Admittedly recent tracking methods linking Amazon purchases to Facebook feeds are getting really creepy, but it would be hard for the NSA to have anything suspicious about me considering I post pictures of my kids and a few inoffensive jokes (not that there is anything suspicious).

Are you under the delusion that they need anything "suspicious" to flag you? You can get in trouble just by making a joke or using sarcasm that the authorities don't understand. It's not only malice that you must watch out for, but incompetence too. In addition, if you happen to post anything disagreeable, they could flag you and conduct surveillance on you more closely. Better hope you don't make any 'mistakes' (including posting something considered taboo or possibly illegal).

Re: Do users really care?

[AK+Marc]

How do you avoid facebook when any picture posted of you makes a stealth profile? You have more rights and "power" as a user, than a non-user-datapoint. So avoiding it is worse than accepting it.

Re:Do users really care?

[Bite+The+Pillow]

You sound autistic.

I don't know a better way to describe it. I get why people use social networks to keep in touch, and "too fucking bad" is not something that normal, social people would say.

Keep in mind that, since at least the agrarian revolution, it has been a beneficial trait to give at least one, admittedly estimated, tenth of a damn, about what other people think and why they think it.

As a privacy advocate I agree with your sentiment. But your reasoning is flawed, and your understanding destructively so.

Re:Do users really care?

[Free+Censorship]

You sound autistic.

You sound like an Internet psychologist.

Keep in mind that, since at least the agrarian revolution, it has been a beneficial trait to give at least one, admittedly estimated, tenth of a damn, about what other people think and why they think it.

Giving a damn about important events != needing to read their every worthless thought on Facebook. There are many, many alternatives to Facebook (email, blogs, phone, letters, etc.). People were fine before Facebook and such existed, and they'll be fine now.

More importantly, privacy is what matters. "too fucking bad" is an appropriate response.

But your reasoning is flawed, and your understanding destructively so.

My reasoning (Facebook is unethical and therefore you shouldn't use it) is not flawed, and I understand why people use Facebook, but privacy is more important.

Re: Do users really care?

[Free+Censorship]

How do you avoid facebook when any picture posted of you makes a stealth profile?

Assuming that happens to you, it's still no reason to get an account and likely give them even more information. And with how these unethical companies act, the TOS means very little.

So avoiding it is worse than accepting it.

Accepting it gives the appearance that the service is legitimate and that using it is inevitable, and that's something I am not willing to do.

Re: Do users really care?

[7-Vodka]

I see a lot of similar comments, but I liked yours so I'll address the themes here.

First, facebook is not the only problem. You're kidding yourself if you think it is. The list of technology companies that sucker their users are as long as the list of technology companies that sell 'the cloud'. Google, Yahoo, Microsoft etc.

Worse than this, the evil is not marketing. The real evil is the secret pact between the tech companies and the government's monopoly on the initiation of force, for the benefit of a minority of oligarch families. The elite's technology branch

The real evil is the patriot act, the capture of government, the capture of industry and the subversion of the constitution. All tech companies are a part of this, most willingly, some unwillingly or unwittingly and the only honest ones are forced to shut down.

The capture of the government and industry is nothing new, but it reached tremendous success in the 20th century. First they captured the congress and the judicial, then the executive, then the monetary system and then they really captured the executive with the JFK assassination. Don't forget where some of the recent oligarchs originated.

• Are you against marketing?
• are you for privacy?
• are you for honesty as a virtue?
• are you for Free Software?
• are you for the constitution?
• do you believe in free will? (or that you should act as if it exists)
• do you believe in the traditional family?
• are you religious?
• are you for sound money?
• are you an Austrian or a keynesian?
• do you believe that there really is a 2 party system in the USA?

Do you see it yet? if you rule out the vast majority of the population based on internet usage, you're out of whack. Firstly because that's not the real problem.

Also, you might have MUCH MORE in common with someone who uises fb daily than on someone who doesn't, based on your OTHER principles and virtues.

It's like saying, "I'll only hang out with people who are atheists.". That's not enough. In 10 years time that could still be all you have in common. Or they could change their minds.

Finally I would just like to remind people that not only is the USA responsible for millions of deaths around the world, it now tortures people.

If you refuse to interact with people who support these acts, how will you ever change their minds?

Oh and just for good measure. A fucking surveillance blimp. The internet of things is coming to spy on you from the sky 24/7. Is it not enough that you've captured the mass media? If you were to only hang out with people who share all your principles or most important beliefs, you would not hang out with anyone.

Furthermore, having intelligent debate with people who disagree with you (and are virtuous enough to have an intelligent debate) is the only way that you can make any sort of real progress in self discovery and discovery of the universe. If your ideas an principles are not challenged, if you don't go back to first principles to figure what what's really important, if you don't re-assess your beliefs in the face of new evidence, you'll never improve.

Re:Do users really care?

[NotSanguine]

Too bad that the only option is Facebook.

Actually, that's not true. It's because of people like you that distributed/non-commercial social networks don't make much headway.

Re:Do users really care?

[sirlark]

You should be allowed to care

Re:Do users really care?

We might have to use text, email, skype, ventrillo, teamspeak, in-game chat, phone calls, paper mail, or face-to-face communication to stay in touch.

ventriloquism. don't forget ventriloquism.

Re: Do users really care?

[mSparks43]

my gf doesn't have a Facebook account and she's a hullava lot more social than me.

I only use Facebook for sharing holiday snaps and agreeing to meet up once in a while. nothing really social about that.

Re:Do users really care?

[Angeret]

What does he need a pardon for? He's done nothing to require one. What he needs is a big shiny medal - the sort that says "you done a good thing there, thank you" and a great big "anybody touches him is in a whole truckload of trouble" award.

Re:Do users really care?

[mod+prime]

Hurray, let's dehumanize the likes of the schizotypal!

Re: Do users really care?

[Lt.Hawkins]

Rejecting people who disagree with you is a bad thing. Taken to an extreme, you have Kim Jong *. But even in normal western society, just because someone doesn't match 100% with what you believe doesn't make them a bad person, or not worth your time. Maybe there are intelligent people who have come to *their* set of opinions and principles because they grew up in a different environment, or have different priorities. Maybe some of these people can challenge your set of principles; maybe you can change their mind on a few things, maybe they can change yours.

Without the possibility of that back and forth, you end up with Congress.

Re: Do users really care?

[Lt.Hawkins]

So "what is and is not sad" is subjective, yet what is "intolerable to anyone with principles" is just a fact.

I see.

Re:Do users really care?

[GuB-42]

Sign it.

And what will signing it do ? I've yet to see a petition actually change anything. Even officially sanctioned "we the people" petitions only trigger nicely written reports and possibly reminders of the changes they already planned or done before the petition.
What if might do is help the government refine their algorithms monitoring public opinion. And there is a very small chance that by signing the petition, they may consider clemency as a move that will get them more votes. It may also have the opposite effect : they may notice that very few of a class of people they thought were pro-Snowden signed the petition.
What Snowden revealed is that, as suspected, the government already knows a lot of things about you, and it includes your opinion about all this affair. And to be clear, the "you" I am talking about is not you personally, it is "you" as part of the voting population : they don't need 100% accuracy about a person as long as the errors balance out when the numbers are added up.

Re: Do users really care?

[Free+Censorship]

I would think that intelligent people would care more about privacy and ethics, is all, especially on a site supposedly for nerds.

Re: Do users really care?

[Free+Censorship]

First, facebook is not the only problem. You're kidding yourself if you think it is. The list of technology companies that sucker their users are as long as the list of technology companies that sell 'the cloud'. Google, Yahoo, Microsoft etc.

Of course it's not the only evil. Don't deal with any of those companies, either.

Worse than this, the evil is not marketing. The real evil is the secret pact between the tech companies and the government's monopoly on the initiation of force, for the benefit of a minority of oligarch families.

Facebook's evil does not stop at mere marketing, though those practices are something I'm definitely against.

Do you see it yet? if you rule out the vast majority of the population based on internet usage, you're out of whack.

"rule them out"? What you can do is try to cure their ignorance.

Re:Do users really care?

[cyberchondriac]

I would venture to say most users here care very much.
But you're right, the average household tumblr/facebook/instagram/imgur/twitter teen or soccer mom won't really care, as long as they still get attention. I suspect the Internet, to a lot of people, is the easy road to their 15 minutes of fame.

Re: Do users really care?

[CimmerianX]

Can I drink with you?

Re: Do users really care?

[cyberchondriac]

None I've really found viable or as popular, unfortunately. Which is a shame, because I hate Facebook's godawful interface. They change it around often enough to probably dissuade people from setting better privacy controls, and getting to the right menu or setting you want is anything but clear or intuitive. It could be so much better. It'd also be nice if you had more control over who saw your comments to another's post, but nope. I even hate the fact that whenever I change my profile pic, it has to announce it on my wall. OMG who cares? Supposedly you can change who sees that, but again, it's murky waters.

Re:Do users really care?

If you don't have FB, then FB isn't bound by their TOS for how they handle your information, and they are collecting information on you.

In the EU, this is almost certainly illegal under data protection laws; when enough lawsuits establish this in precise ways, they will be forced to stop.

Re: Do users really care?

[currently_awake]

In Business you have an ethical race to the bottom. Those who ignore morality do better than those who don't. Therefore the most popular/used/successful businesses will always be the most immoral ones.

Re:Do users really care?

What does he need a pardon for? He's done nothing to require one. What he needs is a big shiny medal - the sort that says "you done a good thing there, thank you" and a great big "anybody touches him is in a whole truckload of trouble" award.

He needs a pardon to stop what happened to Bradley Manning from happening to him. Please only comment when you're sober, I know it's Christmas but that isn't an excuse.

Re:Do users really care?

[hughbar]

Oh exactly. I don't use Facebook, mind you I'm a geek, an only child, quite old and I can do without a lot of superficial non-communication. I talk to my friends and have dinner with them, once or twice a week in meatspace. There's probably a camera in my curry, isn't there? Just a joke.

Re: Do users really care?

[Hussman32]

But they don't ultimately control what Facebook does with the data they have, which is to use it in privacy-violating ways. You shouldn't legitimize an unethical service by using it.

Are you under the delusion that they need anything "suspicious" to flag you? You can get in trouble just by making a joke or using sarcasm that the authorities don't understand. It's not only malice that you must watch out for, but incompetence too. In addition, if you happen to post anything disagreeable, they could flag you and conduct surveillance on you more closely. Better hope you don't make any 'mistakes' (including posting something considered taboo or possibly illegal).

I've seen Brazil.

I don't see Facebook as a binary 'good/evil' service. Much of it is useful, and a lot of their monetization strategies are unethical, but they are the conduit, not the source of the problem. Frankly, I worry more about my usenet history than I do Facebook. The source of the problem is the permanent archive of every keystroke, and this belief that every thought is indicative of intent.

Re:Do users really care?

I have to agree.
I use facebook strictly because it's the only way I can keep communication with people. If I didn't use things because of something they did, I'd be locked in a cardboard box behind a goodwill.

Re:Do users really care?

You're quite the snarky little fella. I sure am glad I'm not friends with you, please stay off of facebook.

Re:Do users really care?

[doccus]

Well, not exactly.. WHat he did was noble, a breath of fresh air, and I think, considering the lifelong threat on his life from now on, pretty brave. It was, however, also treason, Just like the treason the nation's founders committed during the war for independance. I'm not sure BO *can* even pardon him, although, frankly, he's guilty of far worse treason against the nation than Snowden, for his , totally selfish, actions weren't intended to uphold the constitution, but bypass it. Or dismantle it altogether, in some instances. Perhaps he ought to pardon himself, except he really doesn't deserve it. In any case, as I implied earlier, I do not know if it is possible to pardon someone for treason at all.

Re: Do users really care?

[Free+Censorship]

I don't see Facebook as a binary 'good/evil' service.

They have too many unethical practices to be worth using.

Much of it is useful

Only if you consider lots and lots of useless, mundane information to be useful, and don't know of any alternatives (phones, email, voice chat, and pretty much any method of communication).

but they are the conduit, not the source of the problem

They are the source of many problems.

Frankly, I worry more about my usenet history than I do Facebook.

I worry about the NSA more than I do Facebook, but that doesn't mean Facebook and their ilk aren't a problem. I just don't use it.

Re:Do users really care?

[Free+Censorship]

I use facebook strictly because it's the only way I can keep communication with people.

How can anyone be so ignorant as to suggest that Facebook is the only method of communication? It's not even the only method of long-distance communication. Not that it's even important to hear all of someone's mundane thoughts anyway.

I would expect Slashdotters to be smarter than this; come on.

If I didn't use things because of something they did, I'd be locked in a cardboard box behind a goodwill.

That makes no sense whatsoever.

Re: Do users really care?

[khellendros1984]

"Evil" is a very loaded word, and I wouldn't include data-mining under that label. As far as censorship goes, I think you've got to look at their motivation. Is it their intent to suppress speech? No, it's their intent to play a sophisticated game of "Cover Your Ass".

Want to make a real change? Build up a social network where all income comes through subscription fees rather than advertising and selling information. Don't be a citizen of a country that will require you to put backdoors into the network, and don't host any part of it in such a country. Build it so that it provides every functional benefit that Facebook has, without any of the drawbacks. Until you've got a workable alternative, people will continue using what works for them. You don't find the price acceptable, and neither does Stallman (no surprise there), but the herd won't follow until it's made clear to every one of them exactly what they're paying, and to whom...*and* you get a critical mass of users to move to something else.

You can rail against something that you don't like as much as you want, but it's not going to do any practical good.

Re:Do users really care?

I totally agree that he should be allowed to return home, for that matter he should be hailed as one of the heroes of the 21st century... Snowden has opened all our eyes to the real scope and severity of the problem. People make comparisons to "1984" all the time, the NSA, its programs and the affiliate countries referred to as the "Five Eyes" are FAR more invasive, far more dominant than anything Orwell could have come up with in his worst nightmares.

That being said, he should not return to the US under any circumstances.

Why? Take a look at the 6000+ CIA torture report, that's why. Based on MILLIONS of documents and witness testimonials...these people were so confident they'd never be caught they actually recorded their crimes. They're so confident they'll never be prosecuted you have people like Bush and Cheney proudly beating their chests saying they'd do it all over again if they had the chance. If Snowden returns to the US, he'll either "disappear" or be outright assassinated MLK-style. That's the sad reality; that America is starting to resemble the tin-pot dictatorships that they're trying to convince the rest of the world are so much worse than themselves.

Fuck America. Snowden got out of there while he had the chance, if he values his life he'll never return because the people he's exposed WILL kill him for it.

Re: Do users really care?

[Free+Censorship]

You can rail against something that you don't like as much as you want, but it's not going to do any practical good.

I'm not only railing against it, I'm *not using it*. Facebook to me is useless and harmful, and the company is unethical.

Building an alternative would be a noble goal, but I don't care about 'social networking.' But there is a deeper problem: The willingness to sacrifice your privacy and ignore unethical decisions by companies for the sake of convenience. As long as the willingness to make these tradeoffs exists, we will continue to end up with things like Facebook, and also things like the NSA's mass surveillance, the TSA, and the numerous other things that violate our privacy and constitution. The problem is that people are not principled when it comes to liberty or privacy.

Re: Do users really care?

[khellendros1984]

You don't care about social networking, but you care about what you consider to be others' unprincipled actions. A tool is a tool...you don't care about the tool itself, you care about the results that it gets you. If starting a social network that you'd consider "principled" would fix everyone else's behavior, then that's the tool that you'd use. It doesn't matter that you "don't care" about social networking, because a great mass of other people do.

Re:Do users really care?

I'm not sure BO *can* even pardon him

I wonder why you think that...

From another poster here:

if Bill Clinton can pardon Mark Rich, then Barack Obama can pardon Edward Snowden. It would be a great litmus test for the 2016 presidential candidates.

Re:Do users really care?

[Angeret]

I've noticed a disturbing trend over the last few months from commenters on various forums to first make a point opposing the previous comment then top it off with a personal dig. I foresee an interesting 2015 as people spend more time throwing insults, epithets and derision than actually making a point.

My point about not needing a pardon is that Snowden didn't give information to the enemy - he told the world. According to the way the intelligence & military communities are portrayed in the released documents that means *us*. All of us, be it communist, capitalist or just plain don't give a fuck. I don't consider myself an enemy and I'm pretty sure you aren't as you've done me no harm. The real enemy is the intelligence & military community. Remove them - and their paranoia and lust for secrecy & big shiny toys that go boom - from the scene (and the religious zealots, etc, etc) and the world might be a slightly better place.

And I'm teetotal. What's your excuse?

Re: Do users really care?

[riondluz]

Hopefully, that it will happen when ISP's are prodded into letting non-business accts run servers of their own and the new thing will be a turnkey, out of the box, 'face-book-like' app curated by the end-user and by invite only.

Re: Do users really care?

[Free+Censorship]

If starting a social network that you'd consider "principled" would fix everyone else's behavior, then that's the tool that you'd use. It doesn't matter that you "don't care" about social networking, because a great mass of other people do.

Well, yes, *if* it would fix everyone's unprincipled behavior. But in practice, they'd use it for all the wrong reasons. Only education can fix this problem.

And certain tools can be objectionable, like proprietary software, so results aren't always the only thing on my mind.

Re: Do users really care?

Not everyone is a 45-year-old neckbeard troll living in their mom's basement with greasy Doritos hands and Mountain Dew stains on their shirts.

At least he has Mountain Dew stains on his shirts, and not cum stains.

Now, go wash up you filthy little peon.

Re:Do users really care?

You haven't addressed my point which was about Bradley Manning and what has happened to him which would suggest that Snowden would need pardoning otherwise he risks the very same treatment.

And I'm teetotal. What's your excuse?

Same here.

Re:Do users really care?

Typical Slashdot mentality, downvote people rather than create a meaningful reply.

Re: Do users really care?

[Cloudaki]

Check out https://www.kickstarter.com/pr.... That's exactly what we are trying to do. We are still long way to go, but we will get there.

Re: Do users really care?

Thanks for the reply and sad to see the effort cancelled as any effort is better than none.
I would think a customized linux distro that has the applications and easy gui frontends (zenity-like) would mostly suffice; provided the ISP is
held to 'true' net-neutrality in allowing end-users to run servers. Sometimes i day-dream about proxy-port servers and removing the need for services
to run on commonly assigned ports.

I've never like the cathedral over the bazar, the monolithic over the distributed.... and feel the next gen of 'social' will be when everyone has their
very own personal server-box running a 'facebook' like social app; w/all the GPG/TLS goodness that smtps, https, ejabberd, tor/i2p, etc... can provide.
Removing the dependency of a user from their upstream connection.

For starters, automatic creation of signing keys and uploading them to a key-server then defaulting to encrypted and signed emails.
I wonder if there is not even a place for NNTP where each home user could setup a few of their own newsgroups, locally served, that people in their
'circles' would be able to access in their fav news-reader (incorporated into their FB-like app). I remember DNews was a pretty easy setup.
That NNTP got so overlooked as a solution is beyond me. The protocol is unmatched for its resilience in distributed computing.

Good luck w/your projects!

Re:Do users really care?

My point about not needing a pardon is that Snowden didn't give information to the enemy - he told the world. According to the way the intelligence & military communities are portrayed in the released documents that means *us*. All of us, be it communist, capitalist or just plain don't give a fuck. I don't consider myself an enemy and I'm pretty sure you aren't as you've done me no harm. The real enemy is the intelligence & military community. Remove them - and their paranoia and lust for secrecy & big shiny toys that go boom - from the scene (and the religious zealots, etc, etc) and the world might be a slightly better place.

Revisiting this old thread...

You doesn't seem to understand the gravity of the situation, he would still need a pardon because the US still consider him an enemy for the very reasons you just said, yet you don't claim he needs one! That's a non-sequitur.

Oh, and don't bother modding me down just because you don't like people who you think disagree with you, that's very childish.

all this info for what?

how come so much stuff still happens even with all this collection going on? if it's anything like my local town's CCTV no one is even watching. unless there's some tits. or a spouse to spy on.

Re:all this info for what?

So that if anyone becomes a threat, it's easy to find a law they've broken, something embarrassing about them, or whatever. For most people, it is of no consequence. But for the very few who try to rock the status quo, this'll ensure they can't.

Richelieu said, "Give me six lines written by an honest man, and I will find something in it with which to hang him." Well, this just makes sure that the six lines have been collected in advance.

Re:all this info for what?

[koan]

#1 financial information
#2 any idea they want to steal
#3 retroactive imprisonment, yeah it's not a crime today but tomorrow it is and they have all the evidence.

Remember who they share this info with.

Re:all this info for what?

#1 financial information
#2 any idea they want to steal
#3 retroactive imprisonment, yeah it's not a crime today but tomorrow it is and they have all the evidence.

Remember who they share this info with.

That is actually just the start. I'll be happy to give some more examples:

1: A DA going on a fishing expedition. That data, plus parallel construction, plus civil asset forfeiture ensures that they will have a packed jail and prison system, ensuring the campaign donations from private prison corporations keep on coming. Remember: 48 states have signed an agreement with Corrections Corporations of America to keep their jails at 90% bed space or else face fines hourly.

2: Lawsuits. People may have forgotten the MPAA and RIAA lawsuits, suing people for millions. It wouldn't take much for copyright law to be amended, forcing people to have to "prove" ownership of IP, just as businesses have to cough up proof when the BSA guy comes around, or else the BSA guy will be back with the constable and lawyers with a motion of discovery. Even the mention of "hey, dude, listen to this band!" that is logged, may be enough to get a IP infringement lawsuit going. Don't forget libel and slander lawsuits. It wouldn't take much for a lawyer to go through, say Slashdot's postings, and file hundreds of thousands of lawsuits on anyone bashing Sony.

3: Other country's laws. People don't realize it in the US that Thailand's lese majeste laws apply here? Well, they do, and an American can get shipped over there for breaking them, due to extradition treaties. Same with Turkey and the Kingdom of Saudi Arabia. In theory, someone handing out events for their pagan festival or church bulletins can be shipped over there to be executed, due to violating Islamic sharia laws. Privacy is important, since it isn't just domestic LEOs, but LEOs of foreign countries who can press charges and have US citizens answer for them. Right now, it tends not to be enforced, but the laws are on the books, and the pastor who was televised burning a Koran might find himself in Riyadh facing an imam and a crowd with rocks and a can of gasoline.

4: Laws created by treaties. The gun nuts fear the UN gun ban treaty that went into in effect last Christmas Eve. It wasn't ratified in the US... but that can change, and even though it didn't affect gun sales inside the US... it had a clause saying that UN could act as an enforcement agency within the US, operating independently from other LEOs. Now, think about this a minute. A law enforcement group with the power to use deadly force and enforce laws that were never put on the books by domestic lawmakers, with no way to contest their decisions. It might be something 3 percenters talk about now on talk radio... but do people remember how close ACTA came to being passed? It wouldn't be surprising to see another law like this come on the books under "anti-hacking statues" that would allow the UN to detain "hackers" under their own law, and under their own opinion.

5: Ex wifes/husbands. An acquaintance of mine lives in California, had a bad marriage, with the wife divorcing him for someone richer. Well, she had a good attorney (courtesy her new BF), and got a pretty insane alimony settlement. Well, the husband was out of work at the time, couldn't pay the payments... so the judge tossed him in for nonpayment for six months. He got out after that, two years later, was back in (as in California, unemployment isn't a good enough reason to not pay alimony costs.) Well, this shit went on for about two years, until this guy, once he got released, booked it to Mexico. Now, the ex wife is offering a bounty for anyone to find him and bring him to "justice". Not that she needs the money, but just out of pure malice. Without privacy, people who just had a bad relationship with a sadistic other can be killed.

6: Insurance companies. I've read cases on Slashdot where people have walked into a humidor at a Spec's, someone takes a

Re:all this info for what?

[ShaunC]

Thanks for the list. This is a good counter to the people who say "if you aren't doing something wrong, what do you have to hide?"

Re:all this info for what?

[Bengie]

Other country's laws. People don't realize it in the US that Thailand's lese majeste laws apply here? Well, they do, and an American can get shipped over there for breaking them, due to extradition treaties.

Extradition almost exclusively applies to to laws in other countries that would be also be considered criminal in the USA. Kill someone in Thailand, well murder is criminal in the USA, so they'll extradite you. Slander someone, well, that's not criminal in the USA, so you're safe. The USA also will not extradite if they think the punishment may be considered "extreme".

Re:all this info for what?

[koan]

You could tie 1 and 2 together, keep the prisons and work camps full with "pirates".

Hell.. they are probably reading this and gleefully rubbing their hands together at the idea.

Re:all this info for what?

[maccodemonkey]

3: Other country's laws. People don't realize it in the US that Thailand's lese majeste laws apply here? Well, they do, and an American can get shipped over there for breaking them, due to extradition treaties. Same with Turkey and the Kingdom of Saudi Arabia. In theory, someone handing out events for their pagan festival or church bulletins can be shipped over there to be executed, due to violating Islamic sharia laws. Privacy is important, since it isn't just domestic LEOs, but LEOs of foreign countries who can press charges and have US citizens answer for them. Right now, it tends not to be enforced, but the laws are on the books, and the pastor who was televised burning a Koran might find himself in Riyadh facing an imam and a crowd with rocks and a can of gasoline.

Errrr, no, that's totally wrong. Where did you learn this stuff?

If you commit an illegal activity in Thailand, and then enter the United States, there is a chance that the US could return you to Thailand. If you do something that is illegal in Thailand but not illegal in the United States in the United Staes, then it does not matter at all. Only US law applies to acts committed in the US.

I don't know where you learned your understanding of extradition laws, but this is so far out in right field. Maybe you should lay off the internet conspiracy crack for a while.

Seriously, learn a few things about extradition. It only applies to crimes committed in the country trying to get their hands on the person.

Re:all this info for what?

[Bite+The+Pillow]

Remember: 48 states have signed an agreement with Corrections Corporations of America to keep their jails at 90% bed space or else face fines hourly.

Is this the same as paying wait staff $2.13 an hour plus tips or face fines hourly in the form of minimum wage? If not, specify.

It wouldn't take much for copyright law to be amended,

Holy shit, just go ahead and try. I wish you the best of luck, because it needs to happen. But man, that smells like ignorance and idealism stirred into a nice horseshit.

Well, they do, and an American can get shipped over there for breaking them, due to extradition treaties

In theory, maybe. In reality, you have to already be there and there's no shipping off. You are clearly brainwashed, or ignorant.

: Laws created by treaties

Like Kyoto? The opposition generally falls along the lines of states being on the hook for following a treaty, and the feds not being able to agree on behalf of the states. So while you have a valid point, you have an unlikely point. Hardly worth giving you any benefit of any doubt.

#5.. While bad, I don't see how privacy matters here. Spousal privilege is not an issue in a divorce. Surely you can do better than that.

#6 I don't remember that one, but I do remember people claiming to be incapable of the things they are photographed doing. My lenience is growing thin.

#7.. Who the fuck keeps a racist list? And who.. you know what, you hang out with idiots.

#8.. It isn't happening right now. That's what you said, and I no longer care.

#9, "nearly"

Look, privacy is VERY important. But you're actually not helping with this list. You sound like a paranoid lunatic, especially when far better arguments exist. You, and the 5 people who spared mod points for you, need to get your heads out of your asses and make actually helpful arguments based on facts, and not anecdotes or what might happen.

I'm not going to spend the time to rewrite your argument, because that's on you. But you are making me look like an idiot by association.

Re:all this info for what?

> Thanks for the list. This is a good counter to the people who say "if you aren't doing something wrong, what do you have to hide?"

Here's an example everybody can understand: That time when the FBI tried to blackmail MLK Jr with sex tapes they secretly recorded of him. Just because most of us are unimportant in the grand scheme of things doesn't mean the occasional person who can change society won't be victimized in order to hurt us all.

Re:all this info for what?

... and an American can get shipped over there for breaking them, due to extradition treaties ...

When has the USA honoured a demand for extradition of a US citizen? At worst, a citizen is fined by the US DOJ for breaking the law of another country.

Many treaties are designed, like so many international treaties, so that the USA can do as it pleases, while other partners do as they're told.

... It wasn't ratified in the US ...

See previous paragraph.

... but just out of pure malice.

Plus a very accommodating court system. A year ago, someone posted an article about an ex-husband who has been in a US jail for 14 years for refusing to pay $2 million, claimed as compensation by his ex-wife. He claims he didn't have the money. Maybe, if the US cared about rehabilitation and actual damages, the "tough on crime" mandate would be useful.

Re:all this info for what?

since the usa has the dead penalty and also tortures people, I guess that last part of the sentence only applies to other countries.

Re:all this info for what?

Extradition doesn't always work the way you say it does in the US. e.g. Australian man Hew Griffiths was extradited to the US for a crime he committed while in Australia, his country of residence.

Re:all this info for what?

[rainer_d]

Isn't there a law that makes threatening the POTUS a crime/felony?
One could argue that slandering the King of Thailand is like threatening the POTUS. Boom, you're on a plane to Bangkok for an unforgettable holiday...

Re:all this info for what?

[currently_awake]

If you insult the King of Whateverstan on the internet, then your post happens in that country. It's just like going there for a visit and publicly insulting their king. The USA used exactly that argument to arrest some guy from England for hacking, and the former president of Panama was extradited to the USA for breaking American drug laws (done remotely).

Re:all this info for what?

[firewrought]

Great list! People can be really clueless about how information can be used against them.

As one more example, consider something as mundane as buying a new car. Your browsing habits could reveal (1) how badly you want a particular car, (2) how much you've looked at competing cars/dealerships, (3) how much pricing research you've done (KBB, NADA, etc.), (4) your intentions w.r.t. a trade-in, and (5) hints as to your disposable income. That's tactical knowledge that could cost you thousands of dollars in the hands of a savvy salesman.

As others have pointed out, you aren't going to be extradited for Thailand's lese majeste laws. However, it could be a problem if you ever want to travel there. Or if your plane is forced to make an emergency landing there.

Re: all this info for what?

this is simply not true.

your saying if I call the queen of England a cunt on Facebook, it automagically means I called her a cunt to her face and can be arrested regardless of where I posted it from. that's a stretch.

Re:all this info for what?

[hairyfeet]

I think the more relevant quote would be this..."There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted - and you create a nation of law-breakers - and then you cash in on guilt. Now, that's the system, Mr. Rearden, that's the game, and once you understand it, you'll be much easier to deal with." Atlas Shrugged.

Re:all this info for what?

[arglebargle_xiv]

Remember: 48 states have signed an agreement with Corrections Corporations of America to keep their jails at 90% bed space or else face fines hourly.

Actually that was merely a proposal by CCA, zero states signed up. There are occupancy clauses in contracts with some private prison operators, but it's on a case-by-case basis, and given the number of hideously expensive empty prisons in the US you can see why they'd want some sort of guarantee that they'll get a return on their investment.

(The problem isn't so much CCA or similar operators, it's the concept of running prisons as private for-profit operations).

Scary

And there's basically nothing we can do for a long-term solution.

Re:Scary

[currently_awake]

I think the government of the USA does not have the legal authority to violate the Constitution, therefore foreign treaties should be limited by the Constitution. If that is true then a Constitutional amendment could block anything you don't like.

Yes, we already know

The US has different sets of laws and standards it applies whenever it wishes. And we all hope it is bad as hell for business. Move on already. The damage is done and will not be undone for at least fifty years.

Re:Yes, we already know

[NatasRevol]

Move on to what? Being complicit in spying? Being ok with it? Kissing goodbye to any shred of democracy left?

Re:Yes, we already know

Maybe move on to doing something about it, protests, lobbying your local and state government representatives, disseminating as much knowledge of the surveillance program to as many people as you can...then fighting back.

In other words doing just about anything other than WHINING LIKE A FUCKING BITCH ON SLASHDOT. Since that's accomplished so very fucking much, hasn't it? Did whining about Jon Katz get any of his articles retracted? No. Does whining about timothy being one of the most incompetent editors actually improve the site content any? Nope. Pointing out the blatant product placement, the little cunts who spend half their time whinging about some nutsack named Hasselton that nobody gives a flying fuck about, has ANY of the complaints about ANY of those problems accomplished anything? AT ALL? No, it fucking hasn't.

Move on means get off your stupid fucking ass and do something about it, if you think it's such a bad thing. You sit back and let it happen, you deserve to be fucking spied on. Maybe the NSA might come up with some reason for why the American public is made up of overweight, apathetic fucktards who are more concerned with their shiny toys than the values they supposedly stand for.

fuck the nsa

fuck the nsa and ya know what we all should do is unite against them and hammer the fuck out of the us govt until it stops this bullshit

they have declared war on all of us

Again...

[koan]

I'll point out that SSL is meaningless when the MITM can record it all and decrypt later, or possibly decrypt on the fly.
And HSTS is meaningless as well, so don't bother bring up that nugget.

I doubt there is any readily available encryption that can protect you at this point.

Re:Again...

[MightyMartian]

Properly configured systems with a well-implemented certificate infrastructure are very hard, if not outright impossible, to inject a MITM attack into.

Re:Again...

What MITM? Good friggin' luck faking my private CA and having me not notice.

Re:Again...

[fustakrakich]

I doubt there is any readily available encryption that can protect you at this point.

No, there isn't. I've been saying that for years (to no effect of course), and the entire subject has become tiresome, aside from the object of cracking theirs :-)

Privacy is a fantasy. Everything going through their wire is being recorded.

Re:Again...

They don't inject. Just act as a repeater, and record everything. Then they crack the encryption later to read all the information.

Re:Again...

[koan]

What makes you think they haven't broken the encryption, what makes you think they don't have full access to all certificates, what makes you think you can trust anything.

Re:Again...

[MightyMartian]

If the encryption is properly implemented, I'd say it is highly unlikely that they will crack it any time soon.

Re:Again...

[MightyMartian]

Largely because if the article, despite /.'s hysterical headline, states that well configured encryption systems remain secure. And how exactly is the NSA going to crack into my self-signed certs, with the CA sitting on a box with no connection to the Internet? Short of breaking into the location where the computer is, I'd say with reasonable certainty that the NSA cannot crack the certs that are used for my interoffice VPN. Now maybe the VPN software has a vulnerability, and that is always a a worry, but the actual implementation itself is as sound as I can imagine it being.

Re: Again...

I'm not a schitzophrenic.

Re:Again...

[phantomfive]

If the encryption is properly implemented,

I think that's the point, SSL is broken, which is why (part of) the world has moved on.

Re:Again...

The whole "broken the encryption" argument is irrelevant when you understand bureaucrats. They don't care if they can decrypt it or not, they just want an excuse to capture and store communications. It's at matter of more money and more staff for their programs and themselves. Having term limits for politicians and bureaucrats both is the only way to limit the "necessary tumor" that is government.

Re:Again...

[koan]

You're deluded IMO, you're the guy that would have said "you're paranoid" if I pointed out 5 years ago that the NSA might be recording all communications, you were the guy that said Echelon didn't exist, you were the guy that said you couldn't get exploited just by previewing an email.

I've seen your type for close to 2 decades, and they are always wrong.

If they want your stuff they will come and get it, and I would imagine cracking it is within their abilities as well.

Re: Again...

[kramulous]

Article talks about VPN being no problem ... surveil 20,000 vpn connections per hour in 2011.

Re:Again...

[koan]

It's always struck me as odd that some many people here on /. want to argue against that point.

Re:Again...

Properly configured systems with a well-implemented certificate infrastructure are very hard, if not outright impossible, to inject a MITM attack into.

It is actually very simple. Amazing that people have so much faith in their inherently insecure certificate systems. If you want security then shared secrets are the only way.

Re: Again...

[MightyMartian]

If the VPN traffic is encrypted properly, and they don't have access to either end point, how is it you propose they crack it? Magic?

If there is a vulnerability in the software, which that delightful OpenSSL bug provided (thank goodness I stuck with Debian 6 so long) then you have a point. But not even the NSA, as the article makes clear, has some means to break into a properly encrypted stream.

Re:Again...

[MightyMartian]

I think you need a new tinfoil hat.

Re: Again...

[kramulous]

Exploited routers, pry the handshake where you know keys are being exchanged, collection and brute force. An organisation with the budget, people, knowledge and will can make magic happen.

Article even talks about placing stooges in security and standards groups to subterfuge weaker methods (by weaker, i mean in the first three of the NSA's five level rating).

Re: Again...

[whoever57]

Article talks about VPN being no problem ... surveil 20,000 vpn connections per hour in 2011.

The article contradicts itself. It states that

The most widely used ones are called Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol Security (Ipsec). Both seem to pose few problems for the NSA spies if they really want to crack a connection.

But, later, explains that for IPSEC:

Ipsec (sic) as a protocol seems to create slightly more trouble for the spies. But the NSA has the resources to actively attack routers involved in the communication process to get to the keys to unlock the encryption rather than trying to break it, courtesy of the unit called Tailored Access Operations

So, for IPSEC, they break into the router, rather than the tunnel itself. Can they break into a properly secured Linux (or *BSD) box that acts as the endpoint for the tunnel? Or is this really only a danger of using closed-source technologies for the VPNs?

PPTP seems to present no problems for the NSA.

Re:Again...

[Marillion]

Let's not forget that the Snowden documents are now a year and a half old. A year and a half ago, everyone thought the ciphers and protocols were good enough. Fast forward to the eve of 2015 and we know better. We have a new sense of what is state of the art. We know not to use ciphers with static keys that could be subject to subpoena requests and so on a so forth. I'm not so naïeve to believe that new ciphers will stop them in their tracks. The still have incredible resources to draw upon. We just have new speed bumps.

Re: Again...

I think it's more likely you're just a paranoid idiot. No one is recording petabytes per second; the sheer size of the Internet makes it impossible to sniff everything, and even if you could it's more efficient to attack the big data stores like Gmail and Facebook. Also there's still no evidence that proper encryption is crackable. It's always bizarre how the same people who criticize the government for wasteful inefficiency are willing to ascribe it nefarious powers that verge on breaking the laws of physics. There is also one thing that you should really keep in mind, and that is that even for the NSA, the American people are not the enemy. Their job is to go after the enemies of the country, and that does not mean going after everyone indiscriminately. That would be a spectacular waste of money, for no purpose. The NSA is not both the smartest and dumbest agency on the planet. They are definitely collecting information on Joe and Jane Average, but not explicitly or on purpose. Only when it's convenient. For the most part, aside from loveint, the NSA is trying to concentrate on the foreign part of "foreign and domestic". So yeah, there's a dragnet, but it's not snooping on your https connection to Amazon even if they have that ability. No one gives a shit. Please seek therapy.

Re:Again...

The SSL protocol is broken. Manipulating servers into lowering their cryptographic standard is possible through this. However: with properly encrypted data it's downright impossible for anyone including the NSA to decrypt it. This is not the 70's anymore. Academia is very much on par with the intelligence community when it comes to crypto. Too many big interests involved now. And they can't make a dent in AES-128. Fortunately mathematics is a-political.

Re:Again...

[WaffleMonster]

I'll point out that SSL is meaningless when the MITM can record it all and decrypt later, or possibly decrypt on the fly.

Decrypting later after you've obtained keys can be defeated by enabling forward secrecy. With most SSL toolkits your looking at a few extra lines of code tops. No rocket science required.

And HSTS is meaningless as well, so don't bother bring up that nugget

The HSTS latch is one small but important piece of the puzzle. It isn't meaningless it just offers limited intrinsic value.

Obviously it remains possible to trick people or launch attacks using convincingly or homographically similar names gleaned from insecure information sources. Not HSTS's fault.

HSTS works if you enter site manually and forget to add 'https' or set a bookmark to reference non-secure version of the site. The way it fails is when you use a search engine over insecure channel and provided the wrong address to the wrong "secure" site by an attacker. GIGO.

I doubt there is any readily available encryption that can protect you at this point.

Protect who from what?

Re:Again...

[WaffleMonster]

What makes you think they haven't broken the encryption, what makes you think they don't have full access to all certificates, what makes you think you can trust anything.

What makes you think doubting everything in the absence of specific affirmative evidence is at all a useful exercise?

Re: Again...

[F.Ultra]

According to what we know about TAO they use zero day exploits so it doesn't look like hidden hack doors in closed source software/hardware. That PPTP is insecure has been known since at least 1998: https://www.schneier.com/pptp.... That Microsoft still promotes it is beyond me.

Re: Again...

[WaffleMonster]

Article talks about VPN being no problem ... surveil 20,000 vpn connections per hour in 2011.

Not surprising given the number of clueless operators still using VPN technology WELL KNOWN to be insecure for going on two decades now.

Re: Again...

[thejynxed]

They don't even need to do that. All they need to do, is get together with their counterparts in the CIA, FBI, etc, decide exactly what they need and want to happen, then take it to the Congressional Intelligence and related committees to make it happen.

We've already seen at least the FBI chirping in on this with commentary about Apple/Google and their upcoming mandatory default encryption on phones.

Re:Again...

[WaffleMonster]

It is actually very simple. Amazing that people have so much faith in their inherently insecure certificate systems. If you want security then shared secrets are the only way.

Like most things it is in the implementation rather than underlying technology where things fail and people run into trouble. Punting to PSKs has its own set of operational problems which can ultimately be less convenient and more difficult to manage vs proper deployment of PKI.

Or to take it a step further if you want security then OTP pools are the only way... except few actually want it that bad.

Re: Again...

[Bengie]

With current understanding of handshakes, having access to controlling the hand shake gains you nothing. Both ends can still detect something is wrong. The only real way to MITM is to have access to the certs, magical computers, or knowledge of a flaw/bug in the protocol or implementation.

Re: Again...

[Bengie]

So, for IPSEC, they break into the router, rather than the tunnel itself. Can they break into a properly secured Linux (or *BSD) box

So they can "break" IPSEC by compromising the end nodes? Isn't that like saying "We can break into your house if we can get inside of it"?

Re:Again...

[koan]

Argumentum ad hominem – the evasion of the actual topic by directing an attack at your opponent.

Re:Again...

[koan]

You are poorly informed.
Encryption:
http://www.nytimes.com/2013/09...

Certificate Authority:
http://en.wikipedia.org/wiki/D...

Loss of Trust:
Information provided by Edward Snowden

Those are singular examples to the issues I spoke of, there are many, many more.
In addition, only a small percentage of data has been released to the public from the "Snowden Cache", if it was all released maybe people like you would finally STFU.

Re:Again...

[rtb61]

Digital privacy is of a different order all together. Now they know when you 'do not' have an alibi and the ability to fabricate all the digital evidence. They can destroy you life in an instant for what ever political, commercial or private reason they want. You are accepting the idea that out of control psychopaths in the various intelligence agencies around the globe will become the richest and most powerful people on the planet as they remove all competitors one after another.

Re:Again...

[Bengie]

if I pointed out 5 years ago that the NSA might be recording all communications

Since world wide harddrive storage being created is about 40 exabytes per year and the Internet has about 50 exabytes of traffic per month, I would still say you're crazy to think that all traffic is recorded. They have to be filtering out a decent amount of it. According to the NSA, how ever much you can trust this, they only inspect about 1.5% of all traffic, of which storage is only a subset. So they're not recording anywhere near "all" traffic.

Maybe we need to start padding stuff like SSH sessions to increase bandwidth usage to consume "idle" bandwidth. I'm not sure how one would implement this, but it would dramatically increase how much data needs to be stored.

Re:Again...

[WaffleMonster]

You are poorly informed.

About?

http://www.nytimes.com/2013/09...

Certificate Authority:
http://en.wikipedia.org/wiki/D...

Old news virtually everyone here knows well.

Loss of Trust:
Information provided by Edward Snowden

Trust? What the fuck are you smoking???... The prior US administration LIED and started a goddamn war under completely false pretenses leading to the deaths of hundreds of thousands displacing millions over the course of a decade...not a little privacy invasion or reading love letters...but grand fucking high crimes against humanity. A *DECADE* ago we found out about NSA collection of *ALL* domestic phone records.... As much as I love Ed Snowden there was no trust remaining to lose when he spoke out.

I trust the Internet was insecure and all kinds of TLA's and assorted bad actors were exploiting to the hilt from the very start. Security is our responsibility...nobody else's.

Those are singular examples to the issues I spoke of, there are many, many more.
In addition, only a small percentage of data has been released to the public from the "Snowden Cache", if it was all released maybe people like you would finally STFU

The only thing you have enumerated was bullshit about SSL and HSTS which were factually incorrect and demonstrate your lack of knowledge of underlying technology. It shows you can read technical articles without having a firm grasp of fundamentals. The rest is just bloviating about enumeration of unspecified this and that's ...you have nothing specific to say.

If anything what Snowden told us is that the systems we *know* are secure really are a PITA even for the NSA to crack...Snowden himself said as much during a hearing he remotely participated in from Russia and in several televised interviews with reporters earlier in the year.

The underlying point remains running around yelling "How can you trust anything" ... is not helpful in any way... It spreads FUD and makes no positive contribution.

Re:Again...

[koan]

What makes you think doubting everything in the absence of specific affirmative evidence is at all a useful exercise?

So I give you examples of "specific affirmative evidence" and how do you respond?

Old news virtually everyone here knows well.

Well if it's old news that "everyone here knows well" why did you make the first statement?

You try to change the focus of the conversation, you use fallacious arguments and contradict your own statements, you can't carry a coherent thread, you have no point.

I won't respond to anymore of your post, you're an idiot.

Re:Again...

[koan]

You're correct in one sense, they aren't recording (storing) literally everything, of course you knew that and chose to nitpick a conversational error.

The data center is alleged to be able to process "all forms of communication, including the complete contents of private emails, cell phone calls, and Internet searches, as well as all types of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital 'pocket litter'."[7]

http://en.wikipedia.org/wiki/U...

I don't know what it is with people like you, you seem to want to argue over scraps of nothing, ignoring the real point.
I've discussed this sort of behavior with numerous people and they see it too, people like you and your type of thinking seem to be growing in number, this inability to do anything long term, to focus on the actual discussion, or read anything more than 145 characters.

You know as well as I do they aren't recording literally everything, they aren't recording that YouTube video you just watched, but they probably do know which one, and when, and from what IP, those sorts of details.
They have exabyte capacity at one data center, God knows how much more...

But you, you want to focus on the word "everything" to take it literally and they say "you're crazy" as though that invalidates the entire point I was trying to make.

Morons...

Re:Again...

[ardor]

Instead of writing some vague stuff about an almighty NSA, do tell how they are supposed to break properly configured encryption algorithms? Do you think they have magical quantum computers in their basement which can crack AES-128 during coffee break?

The actual NSA attacks are most likely focused on exploiting improper configurations (which are unfortunately far more common than one would think), side channel attacks, or outdated and broken encryption algorithms. Or they simply wrestle US CAs into forging certificates and then do a MITM attack.

Always remember http://xkcd.com/538/ .

Re:Again...

[ultranova]

And how exactly is the NSA going to crack into my self-signed certs, with the CA sitting on a box with no connection to the Internet? Short of breaking into the location where the computer is, I'd say with reasonable certainty that the NSA cannot crack the certs that are used for my interoffice VPN.

Malware. If your machines don't get updated, they're vulnerable due to unpatched holes, and if they do get updated, they're vulnerable to malicious code insertion through those updates.

Re:Again...

[boa]

"Since world wide harddrive storage being created is about 40 exabytes per year and the Internet has about 50 exabytes of traffic per month, I would still say you're crazy to think that all traffic is recorded."

I'm not claiming that they record everything, but want to point out that half of the 50 exabytes are generated by Netflix and youtube. IOW, no need to store it, or at least not store it more than once.

Also, it should be safe to assume that lots of internet traffic is redundant (web sites serving the same page over and over again), so
a neat combination of compression and a hash file system should reduce storage requirements quite a lot.

Re:Again...

[currently_awake]

If the people who make updates for your OS want to access your encrypted communications I think they could.

Re:Again...

[currently_awake]

A great deal of the internet traffic is streaming video. Once you de-dupe that it should drop down to manageable levels.

Re: Again...

There is also one thing that you should really keep in mind, and that is that even for the NSA, the American people are not the enemy.

No, it's true they don't see the entire American people as enemies - just that subset of the American people who understand roughly what they are doing and what its implications are for their future subjugation to the budding police state. They are most definitely the enemy of the NSA. The NSA and their counterparts may consider many people enemies but their number one priority has been and always will be anyone who could reduce their powers or cut their budget due to their unconstitutional (and immoral) behaviour. And the only people who can do that are patriotic Americans who see them for what the are, as a worse threat to freedom than 'the terrorists'.

Re:Again...

[micahraleigh]

"The prior administration LIED"

All caps has the distinct connotation of trying to ram something down people's throats.

I'm not ready to swallow that Bush told us something he didn't himself believe ("It's not a lie if you believe it" cf. G. Costanza), but if I could do that how is our current WH exempt from:

(1) having the IRS agitate against people for one side of political beliefs and not the other

(2) broad, open warrants

(3) ordering the Syrian embassy security to an artificially low level (Paris had more security on deck)

And then call all of these things "phony scandals"?

I think you are using all capital letters because you realize you are in a little over your head here with your claims.

Re:Again...

[WaffleMonster]

All caps has the distinct connotation of trying to ram something down people's throats.
I'm not ready to swallow that Bush told us something he didn't himself believe ("It's not a lie if you believe it" cf. G. Costanza), but if I could do that how is our current WH exempt from:

Caps was only intended as emphasis if you took it to mean something else I apologize.

In my mind the matter is settled. We have interviews with low level intelligence folk, we have downing street memo, we have Rumsfeld memo...that so many separate threads of dubious evidence... evidence known at the time to be strenuous at best paraded before the country and world as solid fact when no serious subject matter expert believed such at the time is no accident. It is impossible to know everything that went on or what people believed or knew what. I've seen enough BS to make up my own mind quite comfortably.

(1) having the IRS agitate against people for one side of political beliefs and not the other

  (2) broad, open warrants

  (3) ordering the Syrian embassy security to an artificially low level (Paris had more security on deck)

  And then call all of these things "phony scandals"?

  I think you are using all capital letters because you realize you are in a little over your head here with your claims.

I have never in my life said anything about any of the above topics. Please add signature drone strikes to Obama's list.

Re:Again...

[micahraleigh]

What's your take on the recent claim that WMD's were found, but W hid the discovery because they were manufactured in the US? It was on \.

I'm not sure what to make of that. I'm wondering if you either don't buy it or haven't heard that one.

Hysteria

[MightyMartian]

Before we all get too hysterical, from the article itself:

The digitization of society in the past several decades has been accompanied by the broad deployment of cryptography, which is no longer the exclusive realm of secret agents. Whether a person is conducting online banking, Internet shopping or making a phone call, almost every Internet connection today is encrypted in some way. The entire realm of cloud computing -- that is of outsourcing computing tasks to data centers somewhere else, possibly even on the other side of the globe -- relies heavily on cryptographic security systems. Internet activists even hold crypto parties where they teach people who are interested in communicating securely and privately how to encrypt their data.

In other words, the NSA, GCHQ and other intelligence services are probably only able to crack badly configured or unpatched and badly out of date systems. That doesn't stop them from using out of band vulnerabilities like hacking into someone's PC or forcing some online service to open up the decrypted data, but it seems likely that if you have a well-managed cert chain and your systems are kept up to date and patched, the odds of anyone, government or otherwise, busting into your encrypted data seems pretty low.

My big fear out of all this isn't the unlikely hacking of mainstream encryption schemes, but rather that those that do use encryption may end up being targets of other methods; like malware, to get at their critical data.

Re:Hysteria

[phantomfive]

The article is merely listing tools. I expect that if we have a spy agency, they will use the tools available to spy. That is what a spy agency does. If you're outraged that a spy agency actually does spy, then you're probably addicted to outrage or something.

The problem with the NSA isn't that they are spying, it isn't that they know how to decrypt SSL or mount a MITM attack; the problem with the NSA is they are spying on everybody. Limit the spying to only enemies of the US, and only the paranoid will be outraged.

Re:Hysteria

Before we all get too hysterical ... the NSA, GCHQ and other intelligence services are probably only able to crack badly configured or unpatched and badly out of date systems. That doesn't stop them from using out of band vulnerabilities like hacking into someone's PC or forcing some online service to open up the decrypted data, but it seems likely that if you have a well-managed cert chain and your systems are kept up to date and patched, the odds of anyone, government or otherwise, busting into your encrypted data seems pretty low.

So, in other words, the NSA, GCHQ, and other intelligence services are probably on the same footing as most other cyber criminal hackers? Yep, nothing to be "hysterical" about grouping all those together.

Re:Hysteria

[fnj]

Limit the spying to only enemies of the US

Well, anyone with a functioning brain stem who has not been brainwashed is opposed to the shithole that the US rulers have turned the US into. And it's only an easy step for tyrants and their dogs to turn "opposed to the entrenched shadow regime and its sickening views and practices" into "enemy of the state". So I don't get quite such a rosy feeling from "spying on the enemies of the US" as you seem to.

Re:Hysteria

Before we all get too hysterical, from the article itself:

The digitization of society in the past several decades has been accompanied by the broad deployment of cryptography, which is no longer the exclusive realm of secret agents. Whether a person is conducting online banking, Internet shopping or making a phone call, almost every Internet connection today is encrypted in some way. The entire realm of cloud computing -- that is of outsourcing computing tasks to data centers somewhere else, possibly even on the other side of the globe -- relies heavily on cryptographic security systems. Internet activists even hold crypto parties where they teach people who are interested in communicating securely and privately how to encrypt their data.

In other words, the NSA, GCHQ and other intelligence services are probably only able to crack badly configured or unpatched and badly out of date systems. That doesn't stop them from using out of band vulnerabilities like hacking into someone's PC or forcing some online service to open up the decrypted data, but it seems likely that if you have a well-managed cert chain and your systems are kept up to date and patched, the odds of anyone, government or otherwise, busting into your encrypted data seems pretty low.

My big fear out of all this isn't the unlikely hacking of mainstream encryption schemes, but rather that those that do use encryption may end up being targets of other methods; like malware, to get at their critical data.

Since they mentioned cracking the SSH protocol, this should encourage everyone who cares about their systems, to use a bigger key just as a precautionary measure, because, well; fuck the NSA.

Re:Hysteria

[phantomfive]

Well, anyone with a functioning brain stem who has not been brainwashed is opposed to the shithole that the US rulers have turned the US into

What a purely coherent basis and sound philosophical foundation from which to make decisions. I'll bet you're a whole bundle of good ideas.

Re:Hysteria

> The problem with the NSA isn't that they are spying, it isn't that they know how to decrypt SSL or mount a MITM attack

It absolutely is a problem that they can do those things because the NSA has two roles -- to spy but also to secure. The fact that they are aware of exploitable vulnerabilities but do not take action to correct them means that they are failing to do their job. They leave these bugs unreported and unfixed so as to maintain their ability to spy while simultaneously leaving everyone they are supposed to be protecting vulnerable to anyone else who has discovered (or purchased) the ability to exploit those same vulnerabilities.

It is a vicious circle where their belief that our nation is vulnerable and thus requires proactive spying to protect actually creates that vulnerability in the first place. It is classic reflexive thinking in action - because they think their kind of spying is necessary they set up a feedback loop that amplifies the need for them to spy. For example, nobody would give a damn about the NSA figuring out who hacked Sony if Sony had been sufficiently secured to begin with.

Re:Hysteria

[Bite+The+Pillow]

Define badly configured?

Are you familiar with the POODLE attack on SSL? Were you familiar before Google researchers publicised it? Was the collective of Five Eyes aware? Would you have called that malware regardless of who used it?

I've defended the benefit of the doubt before, but I would hardly call this unlikely.

According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012

That's my big fear out of all of this. That they did, and that they will continue. Your fear is a given - my fear is not even suspected by the majority of the 5 eyes citizens. Yet here it is, standard operating procedure.

I suppose I could be afraid of death by old age, but in my case that's not what will kill me. I'd rather spend my life concerned with what will, in my lifetime, affect me personally. And I don't even have critical data to be concerned with. If I lived in Colorado, that would be enough to suspect me of subverting federal law - and that's enough for me to want to conceal where I live at all times. Even if it's not Colorado.

Re:Hysteria

[Glarimore]

His point, which I think is a fair one, is that the definition of what constitutes an "enemy of the US" is going to vary a lot depending on who you ask. The US government, with the help of the media, has painted many groups/bodies, both foreign and domestic, as dangerous enemies of the state. And I, like GP, don't trust the US government and/or the NSA to define who is an "enemy of the US" in a reasonable way or with the proper checks/balances in place.

Re:Hysteria

[phantomfive]

His point, which I think is a fair one, is that the definition of what constitutes an "enemy of the US" is going to vary a lot depending on who you ask.

That is a fair point, however I'm not convinced that was his point lol.

If you don't like how the US government chooses enemies, vote them out. If you can't vote them out because other people vote in favor of those politicians, then well, democracy sucks, but so does living with people in many other ways.

Re:Hysteria

[FMtRIS]

But according to standards of listing "enemies of the state" or those that are worthy of being intercepted, and this is according to the FBI, are those interested in “libertarian philosophies,” “Second Amendment-oriented views,” interest in “self-sufficiency,” “fears of Big Brother or big government,” and “Declarations of Constitutional rights and civil liberties.” The document (Authorization For Use of Military Force) that details those who are associated with terror organizations is also open ended and has been used by the NSA in use of electronic surveillance without prior court authorization as required by the constitution. So, if you are interested in the founding of what the United States was based upon and don't follow the rest of the flock of good little tax bases who shut up and don't make waves and waive their rights, then you are deemed suspicious and possible enemies of the state.

Re:Hysteria

[phantomfive]

Well then, that's a problem, but if you are outraged that a spy organization actually does spy, then I will mock you openly.

Re:Hysteria

You're certainly a bundle of submission and obedience. You're a lapdog, someone who pretends to live in the land of the free as one of the brave.

Re:Hysteria

[chihowa]

What if agitating against those who choose the enemies makes you and your supporters enemies, a la COINTELPRO?

Re:Hysteria

[phantomfive]

Then you better make sure you're strictly staying within the law, so that they can't get you.

Frankly though, this is the most important reasons for allowing free speech, and why free speech is more important in a democracy than voting.

Most unfortunately, if the population supports COINTELPRO, there is nothing you can do, except sit quietly until the population is a little more sane.

No more soft touch.

[DMJC]

It's time to stop sending keys using dumb methods. Time to start generating keys and physically swapping/installing them.

Re:No more soft touch.

Well, that's practical on billions of devices.

Re:No more soft touch.

Why don't we just have two physical systems, key exchange happens over the satellite system, encrypted contents over the fiber. I don't see why this would be so hard to set up. Is there some problem with it?

Re:No more soft touch.

My friends and I don't have billions of devices.

Re:No more soft touch.

There are tools out there to swap keys securely. Alas - I dont see much evidence of people taking their security seriously in the first place.

Re:No more soft touch.

[thedonofdons]

Yeah! and ask the government to pay conveyance bills for the travel. :P
http://popularbloggingtopics.c...

Anyone can intercept SSH some of the time

[phantomfive]

If you ever get the warning:

The authenticity of host '...' can't be established. RSA key fingerprint is .... Are you sure you want to continue connecting (yes/no)?

That's ssh letting you know that a man-in-the-middle attack could be successfully launched at you, and decrypt all your communication.

Re:Anyone can intercept SSH some of the time

Or it could mean you did a fresh install and the daemon's key changed.

Or for whatever the reason the physcial host on that IP address changed.

I see it all the time when I move servers around or rebuild them.

Re:Anyone can intercept SSH some of the time

[phantomfive]

Those are reasons the message shows up. And all of those reasons you list are an opportunity for the NSA to sneak in and start reading your traffic.

Re:Anyone can intercept SSH some of the time

[AmiMoJo]

This attack looks like something else though, judging by the numbers they are attacking. I speculate:

- They have fake certificates from trusted authorities for some major sites, and use MITM attacks to serve up fake pages with them. We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them. We can also potentially defend against this by using more certificate pinning and warnings which certificates change unexpectedly, as well as distributed certificate checks (to make sure the one you get is the same one everyone else gets).

- They capture a lot of encrypted data but don't decrypt all of it. They store the data and crack it later if it seems interesting. Much of the cracking probably relies on flaws in the implementation of the encryption - small RSA keys, bad PRNGs (we know that the NSA compromised at least a few of them) and the like. They seem to have massive amounts of computing power available too, which is hardly surprising given what we know of their budget and data centres (really supercomputing centres dedicated to violated your privacy and various laws).

Re:Anyone can intercept SSH some of the time

[phantomfive]

They have fake certificates from trusted authorities for some major sites, and use MITM attacks to serve up fake pages with them. We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them. We can also potentially defend against this by using more certificate pinning and warnings which certificates change unexpectedly, as well as distributed certificate checks (to make sure the one you get is the same one everyone else gets).

I don't think so because not many people use trusted authorities with SSH. (In fact I've never heard of anyone doing that, but surely there are people who do). Most likely the NSA just sits there sniffing traffic that goes by, waiting until there's an SSH to a new box (which actually happens a lot, every time you reinstall or something), then begin sniffing. After that they have the password and everything, so the attack can expand.

Re:Anyone can intercept SSH some of the time

[fnj]

Most likely the NSA just sits there sniffing traffic that goes by, waiting until there's an SSH to a new box (which actually happens a lot, every time you reinstall or something), then begin sniffing. After that they have the password and everything, so the attack can expand.

Do you have slightest idea how ssh logon works?

Re:Anyone can intercept SSH some of the time

[Uecker]

I doubt this. There are people who verify the fingerprints. And even if you do this only sometimes this is useful. So a large scale MITM attack on ssh would be very obvious. Also if you do a MITM on ssh you would not be able to obtain the password, because it is not transmitted. So to expand the attack they would need to MITM the ssh connections and then use this to install a backdoor. I would say this is far to intrusive to do on a large scale.

Re:Anyone can intercept SSH some of the time

[phantomfive]

Do you have slightest idea how ssh logon works?

Why yes, yes I do.

Re:Anyone can intercept SSH some of the time

[phantomfive]

It doesn't say they are doing SSH attacks on a large scale. It says sometimes they can do it.

Re:Anyone can intercept SSH some of the time

The ultimate way of ensuring that you're connecting to the server in question is to take the PC (or laptop) that you'll be remote connecting with, to the datacenter where the server is and connect locally for the first time to get the fingerprint because the NSA could be trying a MITM at your ISP and if you store that, you're fucked.

Re:Anyone can intercept SSH some of the time

[F.Ultra]

Doesn't sound like it though. There is no window of opportunity with SSH even with a new install.

Re:Anyone can intercept SSH some of the time

While SSH supports many different authenication methods, the final fallback does indeed send the password to the server. While this is fine if you trust the server, if you are connected to the wrong computer (either due to not properly verifying the fingerprint of a MITM or simply due to typing in a different hostname than you meant) then that method will in fact send your password to that computer. One of the many reasons why you should always disable password login on your SSH servers (unless you have a good reason why you need it).

Re:Anyone can intercept SSH some of the time

[Uecker]

It seems you are right about the password authentication. Somehow I thought SSH would do something more clever where the password is not sent over the network, but this does not seem to be the case. In this case public key would still be safer (two factors), but SSH would not leak your password during a MITM attack.

Re:Anyone can intercept SSH some of the time

[lawaetf1]

With a new install you've got a perfect opportunity for a MITM attack.

Re:Anyone can intercept SSH some of the time

[StormReaver]

That's ssh letting you know that a man-in-the-middle attack could be successfully launched at you, and decrypt all your communication.

ssh issues that message for other reasons, too, such as when you install a new network adapter. In that case, there is nothing wrong.

Re:Anyone can intercept SSH some of the time

[phantomfive]

The message is there when you install a new network adapter. SSH is telling you that when you install a new network adapter like that, it has no way of detecting if the NSA is doing a MITM attack. You're on your own in that case.

Re:Anyone can intercept SSH some of the time

[phantomfive]

There is no window of opportunity with SSH even with a new install.

Oh really? Please tell me what magic you use with SSH. Are you copying your keys over manually or something?

Re:Anyone can intercept SSH some of the time

And SSH is clearly a legitimate target as system administrators are terrorists, so stop whining, your government is just protecting you.

Re:Anyone can intercept SSH some of the time

I wonder how possible it is to detect if a connection is likely to throw that error "honestly". I've clicked through it many times without actually checking if the fingerprint matched...

Re:Anyone can intercept SSH some of the time

[dweller_below]

Protecting SSH communications for your organization is fairly straightforward if you do some work. You need to use multiple layers. Here is our guide to protecting SSH:

https://it.wiki.usu.edu/ssh_de...

We try to use multiple overlapping security layers to protect SSH:

• * If possible, use firewalls to limit the vulnerable scope of SSH to a few trusted hosts.
• * Configure firewalls to limit credential guessing by rate-limiting connections to the SSH port.
• * If possible, treat the SSH Port as a shared secret. Then, only interesting, targeted attacks find the SSH server. In many situations, this gives you very real protection. This protection is based on the very real increase in cost for an attack to find and attack an SSH server on an alternate, properly obscured port.
• * The SSH server should not allow known usernames including root. The attacker must find a username.
• * Motivated admins should use 2-factor authentication to access their critical SSH servers.
• * Admins are trained to create good passwords for their usernames.
• * SSH users should verify the identity of their systems when they first connect.
• * System admins must regularly review the activity of their SSH servers.
• * Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
• * We have SSH Honeypots that help us track, understand and respond to SSH attack. These Honeypots allow us to track which credentials are being attacked. They give us advance warning when a institutional credential is attacked. And, analyzing the use of unique credential lists gives us insight into our attackers.

Much of this work can be automated. The rest is excellent training material for new security recruits and interns.

Looking back, the main change I should have made to improve our SSH protections would be to default block incoming TCP/22 at the border years ago. Then, only allow it for groups that can show they use it to provide services to a large community. Anybody using SSH for administration can change the SSH port.

Re:Anyone can intercept SSH some of the time

[Uecker]

Something like this: http://srp.stanford.edu/links....
I wonder why this has never been implemented in openssh. (There are patches and it is supported by lsh).

Re:Anyone can intercept SSH some of the time

[elgaard]

Anyway, they would get your password the first time you did a sudo command.

And when you ssh to the next computer, they get that password too.

Re:Anyone can intercept SSH some of the time

[elgaard]

* SSH users should verify the identity of their systems when they first connect. ...
* We have SSH Honeypots that help us track, understand and respond to SSH attack.

You should have user honeypots. Once in a while present a fake certificate. If the user ignore the wrong fingerprint and type in the correct password, reset the account password.

Re:Anyone can intercept SSH some of the time

[drolli]

I find the AWS setup quite secure. No password for login, and you can read the fingerprint from the console in the web.

Re:Anyone can intercept SSH some of the time

[phantomfive]

This guide doesn't recommend disabling passwords. That's a huge omission.

Re:Anyone can intercept SSH some of the time

[dweller_below]

You should have user honeypots. Once in a while present a fake certificate. If the user ignore the wrong fingerprint and type in the correct password, reset the account password.

That is an interesting idea. It is easy to MITM our SSH client connections. But, this control comes with a large expense. Because it is easy for our clients to see Security's actions, and it is hard for them to see the actions of attackers, they will conclude that Security is being evil for no good reason. This will greatly reduce our effectiveness by isolating Security from our community. Other controls may mitigate this problem with less expense.

For example, we are currently pushing our people to adopt widespread 2-factor authentication. Our people are ready to accept 2-factor. They understand it's value. They are familiar with it's use. We have multiple cheap 2-factor solutions. 2-factor somewhat mitigates MITM and also helps other issues.

That said, I think we really need a simpler form of SSH for trusted point-to-point communications. It should exclusively use pre-distributed one-time pads for it's authentication and encryption. We can now generate and distribute 100+ Gigabyte files of true-random data. This data can be used to authenticate. It can be used to generate secure symmetric encryption keys. We can handle millions of secure connections before we need to redistribute pads again.

Since I am not a cryptographer, this idea has many problems. But I believe that securely using these huge one-time pads could be as easy as:

• Ask Schneier for a good, symmetric encryption algorithm :)
• Select a key-size that is twice as long as Schneier thinks we need :) So, if Schneier thinks 512bits are fine, we use 1024 bit keys. This is only 128 bytes.
• Generate about 128 Gigabytes of random data from a truly random noise source. Use 64Gigs of it for connection keys. That will allow about 512 million connections. This may be excessive and need to be adjusted.
• Use the rest of the Random data 2 Gigs at a time. This gives you 32 records. The server always gets the first copy/install of the file. The server always uses the first record. Each subsequent client copy/install uses the data in it's record for install identification and session identification. This may not be enough records. It may need to be adjusted. But, it probably should not increase to hundreds. If there are too many copies, it is impossible to protect confidentiality.
• Throw away the first key record. You can spare some. Use that space to write down the GMT time-stamp when this file was created and the number of times the file has been copied.
• Use the next key record as the FileID for this file.
• The server only tries to use uses 1 pad file at a time.
• When the server starts up, it skips down the number of keys indicated by it's current key index or the number of minutes since pad creation, whichever is greater. If the server detects that GMT time is running backwards, it should terminate with a descriptive error message.
• Every minute, it switches to the next key in the list. Don't worry, this will only use up 10 million of your possible keys in 20 years. The server should not attempt to respond to more than one connection attempt per second.
• Whenever the server has authenticated a successful connection, it switches to the next key in the list.
• When something pokes it's port, the server assembles a message that says something like: Number of non-padding bytes in message. Message Type 0. Server Message#1. I have received 0 of your messages. I am copy 1 of the file with the ID of #FileID. My Copy ID is (the first field in my Copy ID Record). The local time is (current time). The number of times I have incremented keys is: (CurrentKeyIndex). The number of successful connections is (ConnectionNumber). The authentication number for this connection is (use ConnectionNumbe

Re:Anyone can intercept SSH some of the time

[dweller_below]

This guide doesn't recommend disabling passwords. That's a huge omission.

Thanks. I figured that was obvious enough to not need explanation. So I decided it was out of scope. But, I am wrong all the time.

I am assuming you feel that we should teach our admins to test all their SSH passwords against standard attack dictionaries and disable/notify any that fail. This is a good idea. I will try to add it tomorrow.

Are there other conditions that are detectable by SSH admins that require disabling passwords?

Re:Anyone can intercept SSH some of the time

[AmiMoJo]

Sure, I was referring to HTTPS there, should have made that clear. Almost everyone trusts certificate authorities for HTTPS, and proceeds to send their password over it every time they log in to their bank or webmail etc.

Re:Anyone can intercept SSH some of the time

That shouldn't be the problem.. unless of couse you are generating the keys on a different machine and copying both over the internet. Otherwise you should only be copying over the public key.
If I were doing it I would install a virus ( or require MS - search / Apple - spotlight /RedHat/Debian - systemd to do so ) that would look for keys on a users machine and then encrypt and camoflage them as something else before sending them somewhere I could sniff them as they fly by on the internet. Maybe even in something as commonplace as the DNS traffic.

Re:Anyone can intercept SSH some of the time

[F.Ultra]

Not with SSH unless you set the machines password to something that is suspectible to online brute forcing instead of using public keys. And even then it's highliy unlikely that some one manages to brute force your stupid password and have time to add an entry in .ssh/authorized_keys before you had time to scp over the new keys and changed the ssh config to only allow public keys. AND if you for some strange reason do this over the Internet.

Re:Anyone can intercept SSH some of the time

[F.Ultra]

A fresh install of SSH will not just let anyone in, by default you would need a password which with SSH is never sent on the wire. Curious though who sets up something like SSH remotely, how do you connect to that machine before ssh is set up?

Re:Anyone can intercept SSH some of the time

Or you have migrated servers / re-created the hosts SSH key

Re:Anyone can intercept SSH some of the time

A great list of items and indeed my impression is that all of this will protect you from nearly all dedicated and skilled individuals trying to get onto your server. You obviously know your stuff, however, when defending against a Nation State the game changes *so much*!!

Here are some of my own comments, with extra info included for the bystanders...

>* If possible, use firewalls to limit the vulnerable scope of SSH to a few trusted hosts.

Traffic analysis at the router and backbone level will instantly reveal what hosts are trusted to access your machine. Spoofing them is still challenging, but the hard part (working them out) is over.

>* Configure firewalls to limit credential guessing by rate-limiting connections to the SSH port.

The Nation State is not going to bother brute-forcing your credentials, they have other means...

>* If possible, treat the SSH Port as a shared secret. Then, only interesting, targeted attacks find the SSH server. In many situations, this gives you very real protection. This protection is based on the very real increase in cost for an attack to find and attack an SSH server on an alternate, properly obscured port.

Again, traffic analysis will instantly reveal the ports to a Nation State with sufficient resources.

>* The SSH server should not allow known usernames including root. The attacker must find a username.

This is good, but the Nation State attack will revolve around MITM (or similar) to target the SSH traffic directly. So they'll be able to pull the username from the SSH traffic.

>* Motivated admins should use 2-factor authentication to access their critical SSH servers.

Agreed!!! Question is, what 2-factor authentication is the most reliable and realistic for remote administration of servers? What advice is there for key generation and key distribution?

>* Admins are trained to create good passwords for their usernames.

This is good advice, but does not protect against the hypothetical Nation State attack I am outlining here...

>* SSH users should verify the identity of their systems when they first connect.

Absolutely. But, the Nation State can record all network traffic to your system. The premise of SSH key exchange and host fingerprinting is that by default the fingerprint is blindly trusted just *once*. From that point forward the fingerprinting should reveal a MITM attack. *However* if the Nation State has recorded all of your network traffic then they can go back and replay that initial exchange and get the fingerprint themselves. Now they can use that to MITM and you won't know. Some other posts here mentioned that SSH does fall back to sending the password on the first connection. If that is true then the Nation State already has that recorded and can simply extract it from the logged packet data.

>* System admins must regularly review the activity of their SSH servers.

Absolutely.

>* Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.

>* We have SSH Honeypots that help us track, understand and respond to SSH attack. These Honeypots allow us to track which credentials are being attacked. They give us advance warning when a institutional credential is attacked. And, analyzing the use of unique credential lists gives us insight into our attackers. Much of this work can be automated. The rest is excellent training material for new security recruits and interns.

I don't have any more comments to make except this: I believe that in the security of my effects and possessions I have a right to keep them away from the prying eyes of any government. I will submit to a search of my physical effects if a suitable warrant is produced. And if that ever occurs I will be reviewing the legality of that warrant with all of my legal resources, however meager they may ultimately be.

I believe that my digital effects, which includes servers that I pay money to lease and in

Re:Anyone can intercept SSH some of the time

[phantomfive]

...a password which with SSH is never sent on the wire.

You're wrong, it is sent over the wire unless you've disabled password login. But then you can't type your password.

Curious though who sets up something like SSH remotely, how do you connect to that machine before ssh is set up?

Mostly people don't do it, but you can transfer the key over with a USB stick or something. If it's not a completely new server, you can send the key over an already trusted channel (which is what github does).

Re:Anyone can intercept SSH some of the time

[phantomfive]

Yeah, https is easier to break through.

Re:Anyone can intercept SSH some of the time

[phantomfive]

I am assuming you feel that we should teach our admins to test all their SSH passwords against standard attack dictionaries and disable/notify any that fail. This is a good idea. I will try to add it tomorrow. Are there other conditions that are detectable by SSH admins that require disabling passwords?

Nah, that's not what I meant, but it's a good idea too. You can disable password login in your sshd_config by adding the line PasswordAuthentication no. From there, anyone who logs in will need to use a public/private key, which is much more secure, because it essentially blocks all brute-force password guessing attacks.

Re:Anyone can intercept SSH some of the time

If that happens you'd get a prompt from SSH the next time if they don't keep MITMing you.

I don't know about you, but I'd notice that.

Re:Anyone can intercept SSH some of the time

[phantomfive]

That's only true if they modify the traffic en route.

Re:Anyone can intercept SSH some of the time

[IamTheRealMike]

They have fake certificates from trusted authorities for some major sites

I believe at this point I have read all Snowden documents, especially all that are relevant to SSL. Only one of them has even mentioned fake certificates, and that was a GCHQ presentation saying that they spotted the Iran attack using the hacked DigiNotar certs in their metadata databases.

So far there is zero evidence that western IC's are compromising certificate authorities. I know that this was the favourite conspiracy theory of the last ten years, but Snowden happened, and it turned out to be false.

What there is LOTS of, is talk about stealing the private keys through hacking and decrypting TLS intercepts that way.

We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them.

You are referring to QUANTUM INSERT. There is no requirement to break SSL for this system to work, because it relies on browser exploit kits. It just waits until you visit a non-SSLd protected website (any will do) and redirects you to an exploitation server.

That said, I anticipate that NSA/GCHQ might be tempted to start using forged certificates in future as strong TLS becomes more widespread and they keep losing visibility into consumer web traffic. There wasn't much incentive until now because most encrypted traffic they cared about is VPN traffic where there are no CAs anyway, it's all pre-shared keys. But this is what certificate transparency is for. It forces CAs to make public logs of all certificates that can then be data mined by anyone.

Re:Anyone can intercept SSH some of the time

[F.Ultra]

The password is sent over the encrypted channel that ssh sets up so it's never sent in clear text as in say telnet. Then of course no one is using passwords since everyone should be using public keys instead anyways.

Re:Anyone can intercept SSH some of the time

[phantomfive]

The password is sent over the encrypted channel that ssh sets up so it's never sent in clear text as in say telnet.

Yes, that's exactly right. It's much better than sending it in cleartext. But if the NSA has a MITM attack, they can decrypt it, which is why SSH gives you that warning. If they don't catch it the first time though (when SSH gives you the warning), they can't decrypt it later. They have to MITM the first time you connect.

Then of course no one is using passwords since everyone should be using public keys instead anyways.

Yeah, you are right, that would stop this attack, but only if you transfer your public key before connecting.

Re:Anyone can intercept SSH some of the time

[chihowa]

And do you follow up on the message or just blindly type 'yes'?

Anyway, RFC 4255 and 6594, along with DNSSEC mitigates this threat. You can even sign your keys with your CA using 'ssh-keygen -s cakey' if you like.

Layers, people.

Re:Anyone can intercept SSH some of the time

[F.Ultra]

Yes failing to properly validate that first warning is one really nasty way to open up for a MITM. Which is why when I built a competitor to Amazon EC2 I made the newly started instance to upload the ssh public key to the meta-server so customers could verify that the warning message matched what they could pull from the web service (always curious why Amazon never thought about that) since one doesn't have physical access to the server when running in "the cloud".

Re:Anyone can intercept SSH some of the time

When you have your browser open and are sending your rsa_id.pub over to the remove server to setup ssh authorized keys, it could and probably is intercepted over the transmission. They now have a copy of the public key. However, they do not have a copy of the private key which the public key is validated against as the private key never transmits over the internet. Having only the public key does not give them access. Since the keys are one way generated they cannot reverse a private key from the public key, but can be done if enough computing power was put towards it, (Quantum Computing if it truly exists would be viable) could spit out private keys until it validates with the public key in a Brute Forcing manner. Without "TRUE" Quantum computing though, it would take 1 million years to accomplish this. (By True Quantum Computing I'm talking about running a PC inside of a quantum bubble outside of space-time which inside the bubble would run for 1 million years, generate a priv key that would validate the public key, but would only appear as seconds to us, and spit out the valid priv key outside the quantum bubble.) Hard to wrap your brain around I know, but the theory is possible. This is why "TRUE" Quantum computing is not a reality yet as we have not conquered space-time scientifically, though read up about John Titor, Time traveler who now has a US Patent for creating such a bubble. So maybe someone has cracked it already and are keeping it top secret.

Case in Point: Unless the NSA can make their own quantum bubble in which to brute force a private key to validate against the public key, SSH is unbreakable.

Re:Anyone can intercept SSH some of the time

[johncandale]

We can also potentially defend against this by using more certificate pinning and .....

The only way to defend against this is to nuder the NSA or shut it down. Once you have ISP line access, everything else is trivial and the NSA (read the government) will always have that.

The time after the end of world war 2 was the beginning of the end for the united states "as the best hope for the world". That is when all these national police state departments were formed. The FBI, the CIA, and the NSA. Things like Hoovers lists, CIA repeatedly over throwing south American governments, etc. None of these things were really necessary. Intelligence should have stayed a department of the military. FBI was also unnecessary. Police departments were already learning how to work together across state lines. The FBI was just a power grab at the federal level. The checks and balance system doesn't really work on departments like the FBI or NSA. It is too slow. and they are too big.

SSH and "employee's" computers

This is typically used by systems administrators to log into employees' computers remotely ...

SSH is normally used to log into company servers, not employee's computers.

very well said

very well said.

I am safe

[houghi]

The company I work for asks me to change my password every month, so I am safe. Right?

Re:I am safe

[Bengie]

Nope, you're at more risk because of the common password changes. I think it's 3-6 months. Should be using 2 factor.

Re:I am safe

[thedonofdons]

You are as long as you don't keep repeating passwords at the allowed repeat frequency! Never repeat any old passwords.
http://popularbloggingtopics.c...

Re:I am safe

[philmck]

A password is only safe for about 8 seconds (http://news.bbc.co.uk/1/hi/programmes/click_online/4423733.stm). A responsible company really should be asking you to change passwords more often than that. Forcing you, really.

Re:I am safe

Correction, you should use 2 factor + 8 digit pin. 2 factor alone has been cracked by NSA. Plus RSA who makes the 2 factor technology had the private keys stolen recently, so all Current key fobs are vulnerable. If you add a server that also requires 8 digit pin plus the numbers on the 2 factor, this is a safe practice.

My father-in-law invented 2 factor authorization, so I know what I'm talking about.

List of safe protocol

those protocols or programs have a major rating (major according to the article means impossible unless someone made a mistake or malware was used)
OTR
TrueCrypt

those protocols have a catastrophic rating (catastrophic for the NSA is a win for US)
ZRTP
PGP

about the SSH thing, it all depend on the cipher used, if you use ssh with a MD2-DES cypher expect it to be decrypted
if you use something like twofish or salsa20 your probably quite secure

I wonder

[MakersDirector]

Does this Snowden character have a BLOG? I bet hearing his voice directly might be interesting....

Flying Pigs. Cute!

Open source for the win

[mrflash818]

The article mentions:

Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed.

Re:Open source for the win

[ssufficool]

Except for those doors inserted by your hacked compiler

Re:Open source for the win

[Areyoukiddingme]

Except for those doors inserted by your hacked compiler

As long as there is more than one independent open source compiler, this can be eliminated as a threat vector by chains of compilers compiling compilers. Overt backdoor insertion routines can be easily detected and removed from a compromised open source compiler. That leaves only extremely subtle backdoors. Those can be defeated by having compilers compile themselves and each other, to break the subtlety.

If you can afford to perform detailed audits of gcc and clang, then follow the correct procedure, this isn't a concern, at least for the foreseeable future. If you trust the open source community to have found and removed or otherwise prevented all overt compiler comprises, you can pick a random selection of different versions of the various open source compilers and compile them from source yourself, with gratuitous extra or oddly variant flags. Cross compiling somewhere in that chain is also a helpful method of breaking some of the theorized mechanisms.

You can reduce the odds of being caught by a compromised compiler far enough that your odds of being struck by a meteor are higher. That should be good enough.

Security by obscurity good after all?

[iamacat]

Say, I further "encrypt" my https sessions using ROT13. If NSA is on to me specifically, they will have no problem figuring it out. But if they opportunistically monitor main internet pipes for vulnerable traffic, I should be safe. What if web browsers encrypted data with one of hundreds of algorithms independently developed by smart people worldwide *before* standard https? At least some of them will prove resistent to cryptanalysis and even vulnerable ones will consume some of NSA's computing power and employee time to crack.

Short term vs long term

And there's basically nothing we can do for a long-term solution

The only thing that is scary is that if everyone says what you say, then the future for the Western countries, including the United States of America, England, and the rest of Europe, will be very bleak

In short term of course, what the people can do is very limited, as the spooks have had decades of investments (in hardware as well as in hiring/training of their talents) and the infrastructure in place is indeed very hard to go against

In the long term, however, it is up to the people to decide whether or not they hand over their rights to the spooks, or the people demand that the spooks (and TPTB who supports the spooks) retreat from what they have been doing, and return the people their full rights

Nice if it was true, but it takes a court for that

[sethstorm]

Until Snowden and his co-conspirators are brought to a US court of law, this means nothing. It's (at best) a Schrodinger's Unauthorized Disclosure.

re: Facebook and your info for sale ....

[King_TJ]

Actually, I've had a Facebook account for years and I use it regularly.

Of course I'm well aware that they sift through all of my information and try to resell it. But IMO, it's a pretty well understood trade, and one that I don't have a big problem with. The fact remains, Facebook will only have the information that I willingly provide by way of posting it up there or filling out fields on the site. And meanwhile, they're enabling ME to obtain information on all of my friends and other online connections too.

I don't share or say anything on FB that I'm not already comfortable sharing with other people, so it's not like huge secrets are being revealed. Things I do get out of Facebook include using local buy/sell/trade type groups that people have set up (no fees to post listings or fees owed to the site operator upon successful sales) and special interest groups, such as one for one of the cars I own.

I've also been able to keep in touch with a number of old friends who I probably wouldn't keep up with otherwise, after moving. (And let's face it... that's primarily because there's nothing critical or earth-shattering to be gained by keeping up with these people's daily lives when you don't even live in the same city as them anymore. But when it's free and as easy as checking in on FB, it makes for a mildly enjoyable way to kill some time while better preserving those old friendships. You never know when you're going to visit a place you used to live, and it's nice not to do so without having to wonder if those people you "used to know" still live at the same address, etc.)

If Facebook does nothing for you, great. Don't use it! But I see so much bashing of the site that I think is unwarranted. Did FB ever so much as beg for donations from you to keep it operational, or limit how much time you could spend using it each month or day? Nope! And yet, you're even free to create new groups (even closed, private ones) without owing a dime. IMO, there's a lot of value to be wrung out of using the site -- despite knowing they're trying to cull value out of the content you put out there.

Wont help him, will hurt him more

[sethstorm]

It won't change the need for justice exacted on him, just the method.

"But I have diplomatic immunity^w^w a pardon!" comes to mind when Snowden and his helpers find out the unfortunate error of their ways.

Re:Wont help him, will hurt him more

Pardons are from the president, that White house thing that stands in Washington D.C, are you seriously suggesting that the NSA or its minions somehow operate higher than the president? That would need some serious proof if so, and no, paranoid conspiracy theories don't count.

Re:Wont help him, will hurt him more

Evidently, the NSA thinks it's above the constitution.

Edward Snowden

I hope that Edward isn't found dead and that when an autopsy is performed they don't find the lining of his trachea torn and bloodied from all of the screaming before he died. The kind of damage that only involuntary, reflexive staccato shrieking could cause. That would be VERY sad and just terrible. :(

Digital Fortress!!!

[thedonofdons]

Yet another digital fortress!!!
http://popularbloggingtopics.c...

Re: Facebook and your info for sale ....

[Free+Censorship]

But IMO, it's a pretty well understood trade, and one that I don't have a big problem with.

Okay, then, we're done. Good job enabling their unethical behavior.

It's the damn NSA!

[zero_nzyme]

And people think hackers are that stupid to carry out these recent attacks. It's the NSA stupid! It's a way to manufacture consent through the populace so they can pass internet controls in the form of regurgitated bills formerly know as PIPA and SOPA!

LIAR

[SwabianEngineer]

You are WHITEWASHING them. NSA+GCHQ are interested in the latest "emissions" of humans. The TEXT of your emails, you SMSs, the transcription of your phone, skype conversations. The TEXT you type into FarceBook. And SURE AS HELL, they have the storage capacity to record every single soul on this planet. Do the maths and you will figure. Most people do not generate more than 10kBytes of text per day. All that TEXT is then stored in a Google-esque Data Mart and ready to be queried and minded - just like you query the google index. That TEXT can be fed into AI systems in order to do all sorts of stuff. Like predicting who will be the next president or whether the plebs like your Next New War. And they can store this TEXT FOREVER. DO the math. What they can do, they will. It can be used as KOMPROMAT AS LONG AS YOU LIVE. And as long as you allow yourself to be intimdated by that, of course. They are running an ELECTRIC CHECKA, just without widespread torture and killing of their compatriots. Wait for that to happen, because they have already accustomed themselves to that during the 9/11 craze FOR THE WAR INDUSTRY.

More Likely

[SwabianEngineer]

...they have some built-in stuff, which (just as one example) works like this: You browse with your FreeBSD user "mike" to slashdot.org. They intercept traffic and insert a nice little exploit for FF. The exploit will run with FF privileges and exfiltrate the ssh key to NSA. This works on 99% of users. The 1% of the rest will be had by other means, some of which might reside in the kernel and/or the CPU itself. How difficult is it to insert a crack developer into a FOSS project in order to lay some easter eggs ? How difficult is it to insert a crack EE into Intel ? With the SSL crappile they have done it to the standard and major implementations themselves. Simply too complex to do properly.

Re:More Likely

[SwabianEngineer]

And dont tell me "open source can be inspected". They have folks like Larry Wall on their payroll and many of these bastards dont have moral qualms to devise very sophisticated bugs which are non-trivial to spot. Some CS folks need motivgational talk ("terrorist", "threat to your nation", "superbad russkies who threaten NY interests") in order to do the dirty work. Military people know how do this BSing and most CS folks wont even realize they are being had.

Re:More Likely

[ardor]

And none of this counters anything I said. "They intercept traffic and insert a nice little exploit for FF" is exactly what I mentioned. They do not crack the encryption itself, they use loopholes, side channel attacks, improper configurations, and exploits to get to you. Also, intercepting won't work with HTTPS, unless they take control over the CAs. This may work with CAs from the US, but not with overseas CAs.

Self Driving Crash Test Dummies

[outofluck70]

Didn't see this posted but what the hell. Would this be a good opportunity to push self driving cars forward? These DUIs need to get to work, we need real world testing of these steering wheel-free Google cars. Might save a few folks who made a mistake from falling into a hole they can't crawl out of. Morally superior types have their Scarlet Letter in the form of the Google Dorkmobiles. Cameras everywhere inside/out to make sure the system isn't gamed. I'm sure I've ludicrously simplified the issues, but think there is an opportunity here.