Slashdot Mirror
How NSA Spies Stole the Keys To the Encryption Castle
Advocatus Diaboli writes with this excerpt from The Intercept's explanation of just how it is the NSA weaseled its way into one important part of our communications: AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.
When you have the money and will technology and people are easy to get
I'm a consultant - I convert gibberish into cash-flow.
Can we all just agree that the NSA is the most nefarious hacking group, the most dangerous and out of control? That they make all the other so called "black hats" look like innocent little babies?
I think we all need to work together to get rid of this terrible, nasty, unpredictable hacker group -- for the sake of national and international security. They represent a clear and present danger to the future of this country.
If telephones are outlawed, then only outlaws will have telephones.
Under what possible interpretation of the law can this be considered the actions of lawful government?
but of course it won't.
Is this a big deal considering we already have the GSM rainbow tables?
Only the State obtains its revenue by coercion. - Murray Rothbard
It's not just about SIM cards.
Gemalto makes smart card readers etc. Think not just communications, nor banking. Think secure access. We use things like that to ascertain authenticity and inviolability in signed documents, emails etc.
We used.
Remarkable feat! Guys from Bletchley Park — who also intercepted and decrypted everything they possibly could — would've been proud...
In Soviet Washington the swamp drains you.
Proof of Power Principle: You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
Should Gemalto be sued by people who use their cards & other products on the grounds that they did not adequately secure their computer systems and thus let in outside crackers to steal the encryption keys ? That the crack was done by GCHQ/NSA does not really alter things -- they were cracked. The point of this is that successful legal, and expensive, action would make all corporates treat security properly; this would have great benefits -- more than just keeping the spooks at bay.
The only problem is that to sue Gemalto the plaintiffs would need to demonstrate that they have suffered. This might be hard, although insisting that they were all given new SIMs might be a start.
We're not even over the NSA hard drive hacks and now this?
Next you're gonna tell me Americans shove food up people's ass for freedom. Oh wait they do.
HUGE SPY PROGRAM EXPOSED: NSA has hidden software in hard drives around the world
Is the NSA Hiding in Your Hard Drive?
NSA Has Ability To Hide Spying Software Deep Within Hard Drives: Cyber Researchers
Is Your Hard Drive Hiding NSA Spyware?
The NSA hides surveillance software in hard drives
'Breakthrough' NSA spyware shows deep grasp of makers' hard drives
NSA planted surveillance software on hard drives, report says
NSA secret spying software discovered by Russian researchers
NSA Hackers Infected Hard Drives With Impossible-To-Remove Spyware
NSA Has Planted Surveillance Software Deep Within Hard Drives Since 2001: Kaspersky
NSA program is embedding secret spying software in hard drives in Russia, China, Middle East, allowing agency to eavesdrop on most of worldâ(TM)s computers: report
Destroying your hard drive is the only way to stop this super-advanced malware
Hard drives beware, the NSA is coming for you
Kaspersky fingers NSA-style Equation Group for hard drive backdoor epidemic
There's no way of knowing if the NSA's spyware is on your hard drive
The NSA's Undetectable Hard Drive Hack Was First Demonstrated a Year Ago
Actually it is surprising. Many if not most large government IT projects are appallingly run. Vast amounts of money wasted on useless consultants that end up producing very little if anything at all.
As the NSA's budget grows and grows, I suspect this will happen to them. Lots of MBAs that can only organize their own careers, while the crypto-nerds are pushed into the background.
At what point do we start putting these criminals away? They have broken every law on the books.
Oh, I'm sure they can find something. You can't do anything about it -- you can't sue -- because you don't have standing. You'd have to show they were listening to *you*, just to start with, and then you'd have to have a few million to push it through to the supreme court.
And *then* of course you'd be facing the same idiots that think "shall not infringe" means "infringe", "intrastate" means "interstate", article 3 means article 5, and that "no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" means "as long as we think it's reasonable, we can search and seize to our heart's content", and " no ex post facto Law shall be passed" means "retroactive punishment is no problem."
The only privacy you have at this point is in your own head. Assuming you haven't spoken, written down, or otherwise "shared" your thoughts.
The system is broken. Badly. And very few care -- we're stuck on this downhill-all-the-way roller coaster ride.
I've fallen off your lawn, and I can't get up.
Veterans Today on February 11, 2015
Why the United States Always Loses Its Wars
We are the global village bully that's hated by much of the world.
America loses all its wars because it seems we've always been on the wrong side of history. Morally nor legally should any nation have the right to invade and occupy another sovereign nation, much less believe it can achieve victory in long, protracted wars.
Yet in violation of all ethical precepts and all international laws, the sole global superpower citing its impunity through exceptionalism hypocritically insists it can maintain its moral high ground in its relentless pursuit of regime changes anywhere it so chooses on earth. We are the global village bully that's hated by much of the world.
And it's pure self-aggrandizing bullshit to perpetrate the myth that America is hated because of our "freedom," another rhetorical brainwashing lie. We now live in a fascist totalitarian police state run by a globalized crime syndicate of the central banking cabal. As of last April per a Princeton-Northwestern study the US has officially been designated an oligarchy.
Last year after a group of ethnic Russians living in Crimea voted to become part of Russia, the Russian military claimed control over its own naval base there that the US-NATO had been lusting to steal after the unlawful overthrow of Ukraine's democratically elected sovereign government.
Ever since it's been nonstop lies and propaganda propagated to demonize Putin as the aggressor when in fact all along it's the American Empire that's been recklessly pushing what could end up World War III against nuclear powered Russia. With US-NATO missiles installed on Russia's doorstep in virtually every former Soviet eastern bloc nation, hemming Russia in, who's really the aggressor here?
The WMD lie that was the repeated mantra used as prewar drum beating propaganda to launch a war against humanity in Iraq a dozen years earlier is now being replayed as deja vu all over again to amnesic, dumbed down Americans. Despite defeats in both Iraq and Afghanistan still being dragged out as America's longest running wars in its history, the US-NATO war machine is once again prepping for yet more war raging now in Eastern Ukraine.
The US government's rush to war hit a minor snag the other day when various European nations like France and Germany announced their opposition and refusal to send arms to the Ukraine government, wanting to give peace talks with Russia a chance. Today's headlines state that Obama has been forced to pause in his arms rush, not unlike the world turning against his rush a year and a half ago for air strikes in Syria after the false flag chemical weapons attack that was actually launched by US backed rebels.
So it may not be full speed ahead for US Empire to ship its heavy weaponry to the eastern warfront after all. It is being reported that mercenaries speaking American English, Polish, French and Flemish are fighting for the Kiev government in Eastern Ukraine against ethnic Russians who are fighting for their independence, their home and their very survival. And with their backs up against the wall, recently the eastern Ukrainians have beaten back the Ukrainian government forces. Again, the US has a knack for being on the wrong side of history.
No true victor can emerge from any war on either side. The incessant US aggressor boasting superior firepower as the most deadly, expensive military force on the planet (spending more than the next ten nations combined), America has little to show for itself as it has not won a single war in seventy years!
Neo-colonialism cloaked in imperialism, balkanization, economic exploitation, debtors' theft, indentured servitude and enslavement can never be justified as the spoils of war. It's a losing proposition in every imaginable way, not only for the aggressive American Empire that keeps starting and losing war aft
It's what they'd do.
That's already sort of the case. The NSA and similar agencies in other countries are LOADED with useless incompetent staff and engineers. It has everything to do with their impossible hiring practices combined with it being a shitty unethical job. They don't even pay super well, and anyone competent can make more in the private sector.
This makes the whole thing even more scary to me, because being utterly corrupt and not very bright are pretty much absolute requirements for the job. The fact that they get anywhere at all is because they have a huge budget and federal backing to force companies to play along.
I'm always extremely skeptical of stories that the NSA actually broke something through math. It's way way more plausible that they simply paid someone off on the inside.
I think the points are though, that first, companies do not do a good job of cybersecurity, or security at all for that matter. This is the issue that allowed another party to gain access to the crypto data for the SIM cards and for other security mechanisms in order to defeat them.
And second, while the NSA and the British equivalent might be unweildy bureaucratic monsters where those in-charge might not even know what the appendages are doing, they're well-enough funded that they can afford to buy people off to socially-engineer their way in to places where they wouldn't otherwise have the right to go. That gives them the ability to get into corporate networks or to get data from individuals working for corporations; they buy their way in and the consequences of the actions of the employee are not the NSA's concern. All they want/need is the data, and if they can buy it for cash or buy their way in for cash then they might just do that.
Security is hard. Ultimately it comes down to the individual employee, who has to have access to what he or she works on, but by having that access, also can be a risk. A multimillion dollar system can be compromised by a single technical employee because that employee needs access through those safeguards to do the job. It's really no different than bribing the guards at the castle to get in.
Do not look into laser with remaining eye.
on every US and UK government employee. Let them become life-time victims of identity theft. Let the Chinese and Russian intelligence agencies have a field day. It's the only hope we have that they'll learn.
Why do you think all the recent cell phones that are rated for classified voice, such as the Sectera Edge and Project Fish Bowl all run VoIP for classified communications?
Because they know better than to trust the commercial telephone networks and their voice "security".
Learning HOW to think is more important than learning WHAT to think.
...can we all return the favor by pressuring the government to Grant Snowden Clemency?
If people don't stand up to protect whistleblowers, then there will be no whistle blowers, and government evil will run unchecked.
Sign it.
Here's how I see this. For the average person, if an actual NSA person was paid to follow them or look at them, the NSA would get tied up and bored to death. There are far too many people using Sim cards than there are government employees.
So second, could this private information be used by a rogue NSA employee, say an old college boyfriend to stalk or "peep" into private correspondence? Snowden has absolutely demonstrated that risk, that any of us could be somewhat randomly spied on. But the odds of any single one of us being examined is still as low as previously stated. Annoying but low actual risk.
Could a dictator use this access to information to cow us into subservience? Seems a stretch. In the USA example, if a Democratic/Republican president let slip they were using this info collected by the NSA for political means, the opposing party would hang them with it.
So the most likely use is, as NSA claims, to catch bad guys. Saw John Doe used porn, saw Jane Doe was in AA, but no time or interest in that, they are looking for Bin Laden.
The second most likely use would be a politically active person trying to change the status quo. Like Martin Luther King. If FBI Director J.Edgar Hoover had his hands on this kind of access, the USA would have been screwed. But then again, they assassinated King, and today it would be much harder to cover that up. The FBI directors now have to worry about a Snowden in their midsts, which should keep them more honest.
Mathematically, I'm extremely unlikely to be affected by Bin Laden... the mathematical of terrorist threats is smaller than getting hit by a car (for now). And the likelihood I'd be targeted by a college stalker or NSA agent is also very small. So is the risk that my social security number will be picked off of dropbox. The risk here is that a true intellectual agent of change will be targeted, or that Al Quaeda or ISIS will screw the international banking system so bad that the entire world economy is screwed up and people panic and break into stores and start killing each other. So I sleep at night hoping NSA is as concerned about the latter as much as I am, and hope to God they also fear and realize the precedent set by J. Edgar Hoover.
In the final analysis, I hope people with liberal arts degrees choose to go work for the NSA. The one former employee of NSA that I know personally had a liberal arts degree, and I hope she's not alone. I hope people who care about and worry about the things I worry about are working there, and sometimes I fear the reaction to the NSA is similar to the reaction of hippies in the 60s to business and capitalism... all the agents of conscience were afraid to get their consciences dirty, refused to go into business management, and we had 2-3 decades of business management dominated by assholes. We want more Snowdens in the NSA, and hyperbolizing the agency's "evil" is perhaps the greatest risk.
Gently reply
While I think some of the points, however plausible, are a bit on the side of paranoia, the Libertarians firmly believe that we should have only a defense force and not project power.
The current rational now for IS - or whatever they are called now - is to fight them over there so they don't come over here. They just want control of the Middle East - they are no threat to us. Also, the Arabs, Persians, Kurds, and other people's of the Middle East have been dealing with their ethnic problems for thousands of years. And of course, being there, we the USA are going to fuck things up even more.
Unfortunately, we have a populous who treats our military conquests like a football game. USA! USA! win! It makes small people feel big.
We in the USA are small people who like big guns. We lost the idea of walk softly and carry a big stick.
We bluster, shoot things up and wonder why other peoples hate us.
But this football mentality is how you get people to volunteer to fight in idiotic and unjust wars - get the stupid people to die and get maimed for the elite.
What exactly is your statement based on? The NSA actively recruits math and CS majors with high GPAs (source: I've been approached and I have friends that were as well) and/or unique talents. I'm sure they do have some flunkies working for them, probably mostly among its military population, but your statement is totally out of line.
International corporations owns the US, the corporations want everyone's data so they can destroy their competition. If the US government is actually in charge, all the banks would have been sued after the 2008 financial crisis, but they didn't, the banks and big corps own the US and they own you. That's who the data is for, they want dirt on everyone just in case they one day become a threat to the corps.
Why The NSA Leaks Will Lead To More Economic Espionage Against American Companies
My source.... well... here goes.
Yes, they actively recruit Math and CS majors with high GPAs. That is true. ... probably more steps which I haven't mentioned.
However....
In order to get in you must:
1) Pass a preliminary security interview
2) Pass a polygraph test
3) Pass a drug test (including for marijuana) - this eliminates a LOT of competent people
4) Pass a more in-depth security interview
By the time this is all done, about a year and a half has gone by. A bunch more of their potential recruits will be established at a job they want to stay at at this point. The ones who are still seeking work are unemployed after so much time for a reason - often because they're incompetent.
On top of that, the pool of people morally corrupt enough to even _consider_ working for the NSA is teeny.
GPA is one predictor of competence at work, but it's not a 100% reliable predictor by any means. There are many people who can breeze through academia but who are utterly useless on any real job. People like this _like_ government jobs where they may get a permanent contract and where no one can judge their level of competence.
It REALLY is this way. Every single government security agency on the planet has this same problem and the NSA is no different. Competant people do not work there for long. They will lose their minds or end up the next Edward Snowden.
Here in Finland it has been possible for us to use SIM card based authentication service http://www.mobiilivarmenne.fi/en/faq/ to access medical, tax and social security related information. The alternative is to use online banks as authenticators for the services. I have always been leery of trusting mobile phone operators to do the right thing with regards to security. It will be interesting to see if this news has any impact on the future of Mobile ID applications.
So second, could this private information be used by a rogue NSA employee, say an old college boyfriend to stalk or "peep" into private correspondence? Snowden has absolutely demonstrated that risk, that any of us could be somewhat randomly spied on. But the odds of any single one of us being examined is still as low as previously stated. Annoying but low actual risk.
Actually, that's the terrifying thing about it. The odds are low, but they're not zero. Someday, out of the blue, for no apparent reason, the US Government can make your life living Hell just because of a more-or-less random fluke. Either because some bored drone happened to pick up on some off-the-wall event in your life or because blind statistical methods bumped you into a suspect group. Say, for example that you like pita-bread sandwiches at The Oasis Sandwich shop and you put your kids in a daycare center run by people who send money to Palestine and you subscribe to Chemistry Quarterly and you donate money to the Libertarian Party.
That's the real danger of indiscriminate trawling. It gives them ammo in advance for a war that should never have been fought.
Actually it is surprising. Many if not most large government IT projects are appallingly run. Vast amounts of money wasted on useless consultants that end up producing very little if anything at all.
As the NSA's budget grows and grows, I suspect this will happen to them. Lots of MBAs that can only organize their own careers, while the crypto-nerds are pushed into the background.
Except that this is not an IT project, but an espionage project. It just happened to have an IT component; one very different than the create a web site / database / payroll system project.
I'm a consultant - I convert gibberish into cash-flow.
And, unlike most of us, Snowden actually did something about it. As a result of his revelations, political pressure is being applied to the government from many different directions to get the situation resolved.
Of course, it cost Snowden his job, and his ability to live in his own country, and might still land him in jail or worse.
You could swallow some of that cynicism and at least try to improve things. Maybe ask the government to grant snowden clemency?
Nah. Why exert the effort to click an online petition when it is so much easier to just bitch about how hopeless things are?
Could someone explain where Edward Snowden is getting these kind of leaks and infos from, so long after he fled the NSA?
Or was this information, and the other stuff he claimed in the last couple of months, all part of the package he took with him back then?
If he was sitting on this information, then why wait so long to release it?
Or does he have a new source 'inside'?
What? NSA is consistent with what happens in most companies. In these big corporations is a top management [government] not much aware of the tecky stuff, and takes more or less irresponsible decisions based on incompetence. How a government is supposed to decide the good and bad of actions of which they're totally incapable of understanding the implications? Something that should be understood by any gov that doesn't require much skill is that the more an entity has power, the more it has to exist a counter entity able to control it. The police has such a controlling entity. Why isn't there anything competently controlling the NSA?
Slashdot, fix the reply notifications... You won't get away with it...
And so covered by state immunity. Actually IF we could be confident that the stolen stuff was only going to be used externally, it's probably totally legitimate. The problem is that they demonstrated that they can't be trusted.
As I understand it, the bulk of data he nicked was so huge and complicated that its taking this long to decipher what it means. That and journalist will be releasing it piecemeal to keep putting food on the table.
Theoretically the NSA does have an office that does that. The OIG. In reality of course its the same as the police oversight ineffective. https://www.nsa.gov/about/oig/
Is there any way to know if the NSA has backdoored our processors, BIOS, operating system, drivers, etc?
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Re "If he was sitting on this information, then why wait so long to release it? "
All the material is now in the hands of the press. The press can release the material in any way it wants or needs to.
Re "Could someone explain where Edward Snowden is getting these kind of leaks and infos from, so long after he fled the NSA?"
The material released by the press is long term generational projects staff get read into as they need to work on the same projects or with staff who do.
Re the how http://www.bbc.com/news/world-... "Edward Snowden: I was a high-tech spy for the CIA and NSA" (28 May 2014)
"...he said he had worked for the CIA and NSA undercover, overseas, and lectured at the Defense Intelligence Agency."
Domestic spying is now "Benign Information Gathering"
I had no idea that the personalization venders send the actual encryption keys to their customers. This is so very very wrong. That's not how you are supposed to do it.
The correct way is to generate the master keys (separate sets of keys for each customer) inside an HSM (hardware security module). The HSM protects the master keys from being stolen. You then split the key into parts, encode those parts on smart cards, and HAND DELIVER those smart cards to the customer (in this case cell phone carriers or banks) with several different people, each with a piece of the key encoded on the smart card, but who do not know the pin to extract that key, and then you restore the master keys into an HSM located at the customer with aid of additional employees who know the pins but don't have the cards until everyone meets in front of the HSM as a group. Once the keys are restored, you erase the smart cards there on the spot. At no time does any one person have access to the master key. At no time is the master key (encrypted or not) ever available on any computer anywhere for any length of time. Never ever ever.
Once both the personalization vender and the customer have a copy of the master keys, you can then derive the keys that you actually write into the SIM cards. Then, the only thing you need to transmit is the meta data used to generate the keys. This information can be sent in the clear over the internet all day long. Without the master key, the information is all but useless. The customer, once they have the meta data and the master key in their HSM, can re-derive the necessary keys whenever they need to, but usually this is not necessary (and not advised) -- all you need to do is perform a handshake with the SIM card by encrypting some data with the key stored in the card, and the information needed to reproduce that encrypted data. The carrier's HSM can then derive the same value inside their HSM to validate the SIM card. The keys, not even the key inside the SIM card is ever transmitted, stored, or is allowed to exist outside the HSM at any time, other than inside the SIM card itself. This would give NSA no opportunity to steal them.
Sending the actual keys written into the SIM cards over the internet? Really? (sigh)
This should either be the biggest news story on the planet, or the biggest lie of the year, but the public response seems to be "meh". The problem is, Snowden stole too much. Or claims to have stolen too much. There have been so *many* earthshattering Snowden revelations that both the outrage and the fact-checking seems to have evaporated.
This is a big problem either way.
Not shocked, we have seen evidence of things like this for some time, I have good news for people though, I have developed a solution that negates their sim card (and baseband) compromise completely, while still being able to roam cellular networks and I will be bringing it to market now.
But on a smart card, asymmetric cryptography can be used. The private key is generated by the chip on user request. It is not supposed to leak outside of the device.
As I understand, this SIM debacle is only possible because the cryptography used here is symmetric, which means the telephone operator must have a copy of the SIM key.
They think TLS is secure, but the NSA has long stripped TLS from Google's secure comms and added its own. That was how they ran fake Google websites to intercept the data.
From the article: "The only effective way for individuals to protect themselves from Ki theft-enabled surveillance is to use secure communications software, rather than relying on SIM card-based security. Secure software includes email and other apps that use Transport Layer Security (TLS), the mechanism underlying the secure HTTPS web protocol. The email clients included with Android phones and iPhones support TLS, as do large email providers like Yahoo and Google."
Here's a link to the slide showing they add and remove SSL (TLS over https):
http://www.itnews.com.au/News/362533,nsa-captures-google-yahoo-traffic-in-real-time-snowden-docs.aspx
The problem with TLS is it hands trust for a site over to a third party certification company, and those companies are NSA collaborators and can certify false certificates.
They need to use PGP or hand courier them. Also its clear that Gemalto has internet connected systems for delivering the keys, it should have air-gapped machines for generating the keys and a physical delivery. Deliver keys by FTP?? That has to stop.
... and the message is that the NSA is omnipotent and stupid at the same time.
They make a good scapegoat, though.
It little behooves the best of us to comment on the rest of us.
No, he's not.
... Time to build "Silent Phone" into all iPhones.
That's a valid question. I'll try to answer it. Yes, neither act is "theft" in the jargon of the law. But you're asking why people (who aren't lawyers) are treating one as theft and not the other.
One answer is that "we" (generally) don't feel that there is any strong societal contract with the TV/movie corps, so there's little or no "trust" for the pirates to steal (from that social contract). On the other hand "we" do very much feel that there is - or at least should be - a strong societal contract with the government that purportedly represents us. So any hypocritical action taken by the government feels like a betrayal, a "theft of trust" from us.
Another answer is "nobody likes a hypocrite, and they like him even less when he punishes others for doing what he does". For an analogy: your coworker loves to quote scripture, but helps themself to the office stationery; your boss loves to quote company policy and fired your coworker, but helps themself to the office pension plan; your senator loves to quote the constitution but voted for free speech zones and civil forfeiture laws before taking a revolving door VP position at your company and fired your boss only to outsource half of your department and walk away even richer when what was left collapsed. Which of these three would you consider assholes, and which would you consider the worst?
Aside from the feckless fist-shaking at the air, what can the average person really do? Public-key encryption? That gets mentioned every time, and the general consensus is that it's too much work for the average person. Is there any other action that can be taken, or are people just too lazy to care anymore? Maybe there should be more purposeful acts to disrupt the lives of average citizens, to shake them out of their stupor. Wake people up. Perhaps those in power have realized that keeping the populace happy & sedated allows them to do whatever they want. Maybe a full belly and a scratch behind the ears is all we need to become pets to the people running the world now.
Only congress can declare war, and it can be argued that at some point there is barely a difference between a declaration of war by an act of agression and what the NSA and GCHQ is doing.
What way NSA and the like got access into Gemalto's systems? What systems were compromised by them? Was it the Desktop machines and/or Workstations.?
What OS was running on them? I'm affraid that is was MS Windows. If you use these in such an environment you are asking for trouble.
But on a smart card, asymmetric cryptography can be used. The private key is generated by the chip on user request. It is not supposed to leak outside of the device.
It is not supposed to leak outside, and generally there is also no reason to have the private key outside the chip. The use cases are different. So in most cases there should be no (intended) way to get the keys from the chip anyway. And at no point should they have been stored anywhere, by Gemalto or anyone. If talking about secure elements such as TPM and not SIM cards that is..
Gemalto generate a master SIM key with batches of cards shipped to each Mobile Operator. I work on a project for mobile payments, mediated with a STK loaded on each card. A HSM is loaded with all the master keys. If you have the master key, you can decrypt all the communications with the STK app on the SIM card. If the Master key leaks, all payment operations/transactions are fucked.
Yeah, that surprised me a bit.
If you replaced the symmetric key with a genuine private-key smartcard and registering on the network involved a proper negotiation and establishment of an ephemeral session key, things would be a lot more secure.
Oh, and more expensive, 'natch, which is why it's not designed like that - stupid legacy tech.
"Russia had and has no right to Crimea or the Ukraine"
A claim made without evidence can be dismissed without evidence.
"Iraq WMDs: I remind you that Saddam believed he had WMDs."
Wow. Wattanidiot. No, this is why he let Hans Blix and the UN team in: he claimed he didn't have WMDs since the ones he HAD BEEN GIVEN BY THE USA had been destroyed either by time or a result of agreement to destroy them.
Given the above atrocities of rationality, your whine about the parent poster "This is such a warped, confused view of history it's hard to know where to start." is vapourised and dead in the water.
Or Chinese hackers of USA systems and the military posturing of the USA against them and the exhortations for the world community to punish them for hacking.
Explain how you managed to justify invading Iraq and removing the sovereign ruler of that country for committing no crime (since Saddam gets to say what's a crime in his country) but something considered criminal if he'd done it to Americans.
You can't, except by a whitewash answer: It's OK when WE do it!
Considering this audience is pretty much the only one that understands the implications behind these revelations. WE should be the ones raising the issues and getting in the government's face about this, but technologists are notoriously passive when it comes to protesting the government. With that in mind, there's not too much _I_ can do as a Canadian to protest the NSA/GCHQ, but there's definitely the CSE who are one of the "5 eyes" members.
However the easiest response to mass surveillance is mass encryption, and that doesn't involve standing outside for hours shouting at people who couldn't care less or trying to educate the average person about why this isn't just part of the fight on 'terrorism' but it's a direct assault on all of us. Obviously the entire cell phone network design will need an overhaul after these keys have been leaked, and hopefully the overhaul uses better techniques.
Snowden hasn't had any access to the NSA since he fled to Hong Kong.
However, the amazing thing about this dude is he was able to do full blown web crawls of the entire NSA and GCHQ intranets, including dumps/crawls of data he didn't have access to .... all without getting noticed or caught. He appears to have provided the journalists with what is quite literally a snapshot of their internal networks at the time he was operating. It's taking them years to go through it.
...and SIS (Belgium) card encryption that allow access to medical information.
First day of using my Jolla, my provider installed a "convenient" app for me, without letting me know, to do moneytransactions with my smartphone (called "proximenu") along with some other interesting features...my wife now understands why I never use it and why I was so angry that apps are installed when I didn't ask for them.
oh yes he is
Well I've nothing to hide now, you've took it all!
Yes, he is
Actually it is surprising. Many if not most large government IT projects are appallingly run. Vast amounts of money wasted on useless consultants that end up producing very little if anything at all.
As the NSA's budget grows and grows, I suspect this will happen to them. Lots of MBAs that can only organize their own careers, while the crypto-nerds are pushed into the background.
Like a lot of modern practices, consulting is 50% useless and 50% mind-blowing. The problem is you don't know which you are going to get when you go in.
So...spies are known to engage in spying. That should hardly be headline news. What certainly shouldn't be headline news is disclosure of how they do it.
Here's something to ponder....earlier this week, someone was found guilty for conspiring to behead a British soldier. How did the authorities find out about his conspiracy and bring him to justice? By gathering intelligence and building a case against him. The same goes for all of the terrorism suspects that the security services have their eye and ears on.
Let's say for a minute that the authorities didn't have the means to keep track of villains like this....some innocent guy gets attacked and his severed head paraded around. Would you want to be the one to say to his loved ones, "yeah...he got brutally hacked to death in the street just because he wanted to serve his country, but at least the spying agencies aren't doing any spying"?
Get real...the world is in a s**t state, and that means stuff has to get done to try and make it less s**t.
(yes - this is a straight copy/paste of the comment I posted to a similar article on The Register)
Or he could just be making stuff up
Cell phone SIMs are the "Encryption Castle", really? From a practical perspective, they are essentially plaintext, since everything gets fully decrypted at each hop.
Maybe I will start calling my previous car a "Dining Palace" in honor of the epic glorious time that I once ate a chili dog while driving, shifting and making a left turn (alas, this was before I had a cell phone) without getting any chili on my shirt.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
They approach everyone they are interested in, imbecile. Pool is small, money bin large. This isn't hard to understand.
I think you might give me at least a little credit on that score if you were familiar my writing, research and other offerings.
I am signatory.
I've fallen off your lawn, and I can't get up.
I believe what the poster might have been trying to imply was that your anonymous post does not carry the same weight as if you were willing to put your online identity on your words. You'll note that the very petition you refer to requires your name and your email in order to be counted a valid signature. Pretty much the same mindset.
"Some random, unidentified dude supports Snowden" just doesn't have the same impact as "Mergatroid McFutter, AKA mergatroid@mcfutter.com, supports Snowden."
I've fallen off your lawn, and I can't get up.
Anyone else out there curious why we're just hearing about this? Snowden stuff hit a long time ago? Just saving it for a snowed in day or something? What else do we not know that he has?