Slashdot Mirror


What The CIA WikiLeaks Dump Tells Us: Encryption Works (ap.org)

"If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that data-scrambling encryption works," writes the Associated Press, "and the industry should use more of it." An anonymous reader quotes their report: Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents must go to great lengths to circumvent encryption they can't break. In many cases, physical presence is required to carry off these targeted attacks. "We are in a world where if the U.S. government wants to get your data, they can't hope to break the encryption," said Nicholas Weaver, who teaches networking and security at the University of California, Berkeley. "They have to resort to targeted attacks, and that is costly, risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do stuff like this should reassure civil libertarians that the situation is better now than it was four years ago"... Cindy Cohn, executive director for Electronic Frontier Foundation, a group focused on online privacy, likened the CIA's approach to "fishing with a line and pole rather than fishing with a driftnet."
The article points out that there are still some exploits that bypass encryption, according to the recently-released CIA documents. "Although Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents, it's not known how many holes remain open."

202 comments

  1. When can we expect a ban? by Evtim · · Score: 5, Insightful

    Now the powers that be really have an incentive to outlaw encryption. Great!

    1. Re:When can we expect a ban? by bartjan · · Score: 5, Insightful

      The CIA is supposed to spy on foreign subjects. How will the US manage to ban encryption for foreigners?
      Banning the export of encryption already has been tried, and we see how effective that was.

    2. Re:When can we expect a ban? by Anonymous Coward · · Score: 1

      the cia just outsources domestic spying to other agencies... and even *to other countries* in data swapping arrangements.

    3. Re:When can we expect a ban? by PolygamousRanchKid+ · · Score: 3, Funny

      How will the US manage to ban encryption for foreigners?

      How will the US manage to ban foreigners?

      The US government is working on banning foreigners. And they would have gotten away with it by now, if it wasn't for those meddling courts, with their Mystery Machine and the dorky dog.

      "I think we should tax foreigners, living abroad." -- Monty Python

      "I think we should ban foreigners, living abroad." -- Uncle Sam

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    4. Re:When can we expect a ban? by Anonymous Coward · · Score: 0

      Same way they manage to store nukes in nuke-free Germany: arm twisting and pointing to aggressive Russia.

    5. Re:When can we expect a ban? by hey! · · Score: 3, Insightful

      Oh, they always did. You just know about it now, but you should have suspected it all along.

      Unless, of course, the leak is a plant, which you always have to consider the possibility of. If there's going to be leaks, why not engineer one that claims you can't, say, read encrypted WhatsApp messages, when you actually can? While it's near impossible to break encryption algorithms, implementations are often if not usually significantly weaker than their algorithms are on paper.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    6. Re:When can we expect a ban? by Anonymous Coward · · Score: 0

      >The CIA is supposed to spy on foreign subjects.
      >supposed to :)

    7. Re:When can we expect a ban? by cdrudge · · Score: 2

      How will the US manage to ban foreigners?

      The US doesn't want to ban foreigners. Just the non-white non-Christian non-nationalists.

    8. Re:When can we expect a ban? by Anonymous Coward · · Score: 0

      Not necessary.

      Once the Quantums are online most of our current encryption schemes will be dead in the water anyway.

    9. Re:When can we expect a ban? by Anonymous Coward · · Score: 0

      You believe this? How do you know it's not a CIA analyst's submission? It would benefit the CIA for everyone to believe what the CIA wants them to believe - that our status quo is enough to keep the CIA at bay.

      "Encryption causes us big problems," the CIA analyst snickers.

    10. Re: When can we expect a ban? by Anonymous Coward · · Score: 2, Insightful

      Yet Saudi Arabia isn't on the list, arguably the biggest terrorist-producing country on the planet.

    11. Re: When can we expect a ban? by Killall+-9+Bash · · Score: 0

      False dichotomy.

      We don't need the CIA reading my texts and emails to prevent America from turning into the 3rd world shitstorm Europe is becoming. We just need to think carefully about our immigration / refugee policy.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    12. Re:When can we expect a ban? by Curunir_wolf · · Score: 2

      No need. They are just putting in backdoors in the firmware instead. Intel chipsets have been using encrypted binary blobs for years, and the new AM4 from AMD will have the same thing.

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
    13. Re:When can we expect a ban? by j35ter · · Score: 2

      Only the Asymmetric ones.
      Symmetric encryption schemes should be OK for the time being.

      --
      Delta-Mike November Bravo Tango
    14. Re:When can we expect a ban? by MightyMartian · · Score: 2

      You can't ban mathematics.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    15. Re:When can we expect a ban? by K.+S.+Kyosuke · · Score: 1

      And by "most", you mean "some".

      --
      Ezekiel 23:20
    16. Re:When can we expect a ban? by Anonymous Coward · · Score: 0

      AP is a CIA mouthpiece. If you believe that the powers that be do not already have the ability to decrypt your encryption you're really not paying attention to the past very well.

      What this means is it was easier to wedge prior to encryption for 1 guy writing the hacks vs hacking each app's encryption and changes in the future.

      If AP is printing it, it's probably lies, beware.

    17. Re:When can we expect a ban? by Khashishi · · Score: 1

      How long until foreigners just stop using US-designed chips?

    18. Re:When can we expect a ban? by Maritz · · Score: 1

      They're going to outlaw multiplying large primes together? Sounds kinda.... dumb.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    19. Re: When can we expect a ban? by Maritz · · Score: 1

      You've swallowed the "you're in danger" bullshit, and outed yourself as a gullible and cowardly fool. Well done you.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    20. Re: When can we expect a ban? by Maritz · · Score: 2

      Europe's doing fine, despite your desperate desire for the contrary. At least we don't have a reality TV narcissist running things.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    21. Re:When can we expect a ban? by Maritz · · Score: 1

      You should learn about what a 'leak' is.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    22. Re:When can we expect a ban? by cellocgw · · Score: 1

      You can't ban mathematics

      You obviously haven't read enough dystopian SciFi. Heck, even the relatively benign world(s) of Anathem put all the mathematicians into a locked-down monastery.

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    23. Re: When can we expect a ban? by Anonymous Coward · · Score: 0

      i.e. whites only.

    24. Re:When can we expect a ban? by Bob+the+Super+Hamste · · Score: 1

      Well they have been actively working to vilify encryption. The really sad part is that those in the US government have told us exactly what they want to do. Here are a couple of examples. Before the Paris Attacks, and the San Bernardino attack Robert S. Litt (the second General Counsel of the Office of the Director of National Intelligence) said:

      it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.

      That same Washington Post article also has FBI Director James Comey saying he is:

      "focused on trying to get the law changed" so that companies would be required to unlock data and devices for law enforcement

      Fast forward to the terror attacks on Paris and the line in media was all about how the terrorists used encrypted communication, a line that was total BS but is what was initially widely reported so that is what the general public believes. Then go forward a little more to the San Bernardino attack and that fucking encrypted iPhone. It was a problem because it was encrypted, but it turns out nothing of value was found on it.

      Go forward a bit more to the latter part of last year and you again have FBI Director James Comey stating that he is preparing to have an "adult conversation" on encryption next year. So I would expect that anything that can be done to vilify encryption in the public eye will be done. At this point it seems like the CIA leak may be used to help do this as a way to get some benefit of the leak, and I don't believe that this was some sort of false flag but probably an insider. So I would recommend keeping an eye out for vilification of encryption or those who are pro encryption (Friday March 10th 2017 stream of the Brokaw Report sounds strangely like a short calm version of InfoWars with Tom Brokaw playing the part of Alex Jones).

      --
      Time to offend someone
    25. Re:When can we expect a ban? by Bob+the+Super+Hamste · · Score: 1

      But they sure as hell have tried

      --
      Time to offend someone
    26. Re:When can we expect a ban? by MightyMartian · · Score: 1

      There are too many competing interests to ever hope to do that, and really, a lot of the actual encryption theory is decades old, so that cat has been out of the bag for a very long time.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    27. Re:When can we expect a ban? by Bob+the+Super+Hamste · · Score: 1

      Not even close. With symmetric key encryption and ideal quantum computers you would still need total annual US energy production levels of energy instead of mass energy of a star levels of energy. That assumes an ideal computer which even our best ones are many orders of magnitude worse than. Also for asymmetric crypto there is always lattice-based crypto as a replacement.

      --
      Time to offend someone
    28. Re: When can we expect a ban? by Anonymous Coward · · Score: 0

      How many attacks were by Americans in the last few years?

      There's preventing attacks abroad by reading their email, and preventing US by reading American email.

    29. Re: When can we expect a ban? by AutodidactLabrat · · Score: 1

      How about we end our FIRST WORLD VIOLENCE first?
      It wasn't the third world that WMD LIED 1 million innocent Iraqis to death!

    30. Re: When can we expect a ban? by AutodidactLabrat · · Score: 2

      You may beg, but all of them assembled don't equal America's daily home grown murders and terrorism

    31. Re: When can we expect a ban? by slashdotwannabe · · Score: 1

      Sorry, but you don't get to throw OUR Fourth Amendment under the bus just because you're a pussy that's so bad at math you don't realize you're about a thousand times more likely to get bit by a shark and then struck by lightning than to die from a terrorist attack. Go cower in the corner and shut the fuck up. That's what cowards are good for.

      --
      This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
    32. Re:When can we expect a ban? by alexandru_preoteasa · · Score: 1

      How long = heat death of the universe, because nobody's producing anything better.

    33. Re:When can we expect a ban? by mrchaotica · · Score: 1

      To be honest, people like OP are right to be suspicious. It really is always a possibility any sort of claim about an adversary's capabilities could be a ruse to lull you into a false sense of security.

      However, when the claim matches up with the independently-verifiable evidence (in this case, the mathematical proof that the algorithm is unbreakable before the heat-death of the universe), I tend to believe it.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  2. "if the U.S. government" by Nutria · · Score: 5, Insightful

    This is what really pisses me off: the unstated assertion that *only* the US gubmint has these techniques.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:"if the U.S. government" by Anonymous Coward · · Score: 2, Informative

      In fairness the leaks were of US government agency documents, so although you can presume non-US agencies have the same issues we don't have comparable document leaks to prove that.

    2. Re:"if the U.S. government" by Anonymous Coward · · Score: 1

      What is it exactly what you are trying to say? Where's that "unstated" assertion to be found?

      Ah, it's unstated. So we can't see it, but it's there or something. Very clever.

      Perhaps it is just in your head? Last time I saw a behaviour like that was in a conversation with a schizophrenic.

    3. Re:"if the U.S. government" by Anonymous Coward · · Score: 0

      Where does it say *only* the US government?  Has American education failed you so much that you don't have reading comprehension? 

    4. Re:"if the U.S. government" by Anonymous Coward · · Score: 0

      Since when was not being able to do something considered a technique? "Yes, I am skilled in the art of not driving."

      Oh, I get it, you stopped reading right at the end of "We are in a world where if the U.S. government wants to get your data" and simply assumed that the rest of that line explained how they would do that, whereas back in reality, what it actually went on to say was "they can't hope to break the encryption".

    5. Re: "if the U.S. government" by Anonymous Coward · · Score: 0

      It's a really shitty backdoor if you're not the only one with the key.

      So if you think they forced the MFG to put in an intentional backdoor, then implemented correctly, they would only have access. This is different than an exploited bug and the two shouldn't be conflated as the same.

  3. Truecrypt.. by Anonymous Coward · · Score: 1

    So is this the real reason why truecrypt was suddenly killed off ?

    1. Re:Truecrypt.. by Anonymous Coward · · Score: 3, Interesting

      If you look in the Wikidump you can see plain as day that NSA owned TrueCrypt, and it was backdoored the entire time using obfuscated code (written by a former obfuscated C-code contest winner - and of course we now know that the contest has been an NSA activity also since day 1).

      What shut down TrueCrypt was that someone found the code and reported it and the NSA immediately scuttled the project.

    2. Re: Truecrypt.. by heypete · · Score: 4, Insightful

      [citation needed]

      Sarcasm aside, I'm really interested in reading more about that.

    3. Re: Truecrypt.. by TheOuterLinux · · Score: 5, Informative

      VeraCrypt is its open source replacement.

    4. Re:Truecrypt.. by Anonymous Coward · · Score: 1

      I wonder why this post was flagged as Interesting, when this is obviously a funny sarcastic comment.

    5. Re:Truecrypt.. by Anonymous Coward · · Score: 5, Interesting

      There is literally no evidence to support any of what you claim. Please cite 1) Where it's plain as day the NSA owned it 2) Any evidence of a backdoor, especially given that we have the source code and people have compiled that source to match the published binaries 3) Who wrote it including when they won an obfuscated C contest

      Stop spreading your infowars-esque conspiracy theory bullshit, people are libel to think you know what you are talking about.

    6. Re: Truecrypt.. by Anonymous Coward · · Score: 0

      Interesting arguments.. But to degrade Infowars? Go, listen, then, just take out the bad liberal and replace the word with conservative, replace the word Soros with any conservative leader, and you have the real bad guy.
      Encryption, is easily defeated, a keylogger. Remember, keyloggers have been found down to the BIOS level. And American only, bs, those tools are from everywhere, worldwide. Including the colleges and the script kiddies.

    7. Re:Truecrypt.. by Anonymous Coward · · Score: 0

      obfuscated C-code contest winner - and of course we now know that the contest has been an NSA activity also since day 1

      interesting? hell-o?
      mods, i have a bridge to sell you.

    8. Re: Truecrypt.. by Anonymous Coward · · Score: 0

      Keyloggers only work if you're using a password and/or actually typing in your password. If you're using an isolated password such as the hash of a particular file, or even an onscreen keyboard, then the keylogger problem goes away.

      However if they got sufficient access to install a keylogger, god only knows what else they got.

    9. Re:Truecrypt.. by Anonymous Coward · · Score: 0

      You should always view comments down to -1 and not pay attention to what scores some potential morons may have applied.

    10. Re: Truecrypt.. by Anonymous Coward · · Score: 0

      VeraCrypt is its open source replacement.

      Why does the open source replacement begin with a female's name, "Vera"? To a real engineer, females are nothing more than bipedal, autonomous surveillance platforms, to be avoided at all reasonable costs.

    11. Re: Truecrypt.. by NatasRevol · · Score: 1

      LOL, deflection to protect infowars.

      That's great.

      --
      There are two types of people in the world: Those who crave closure
    12. Re: Truecrypt.. by Githaron · · Score: 1

      So am I.

    13. Re: Truecrypt.. by Anonymous Coward · · Score: 0

      To the true greybeard, all other humans are a vulnerability; we need a name that reflects the unfeeling, incorruptible mind of a robot. I suggest RobbieCrypt.

    14. Re:Truecrypt.. by fuzzyfuzzyfungus · · Score: 1

      Without further evidence I'm inclined to be skeptical; but (while the TLAs seem to prefer more whiz-bang techniques when they have the option); I'd imagine that good, old fashioned, human infiltration is both likely to be effective and likely to be pretty low risk; which makes it a concern.

      Both proprietary and OSS software have to be written and reviewed by somebody; and ensuring that your people end up as some of the important 'somebodys' is likely to be pretty doable if you have competent employees available; and they are willing to accept not-wildly-competitive salaries or do unpaid maintainer shit work because you are also paying them.

      There is some risk of discovery, it's hard to obfuscate perfectly while still leaving useful backdoors and exploits; but there's the handy feature that it's not as though the LKML or Facebook get to shoot people for treason and espionage; so the worst-case is being blackballed by part of the tech industry and having to go back to working on internal projects, or get a job with Booz Allen Hamilton; which isn't too terrifying a prospect by espionage standards.

    15. Re:Truecrypt.. by MightyMartian · · Score: 1

      I think the GP is just being an ass, but something pretty goddamned odd happened with TrueCrypt.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    16. Re:Truecrypt.. by Anonymous Coward · · Score: 0

      people are libel to think you know what you are talking about

      They're also liable to think you don't know how to spell.

    17. Re: Truecrypt.. by K.+S.+Kyosuke · · Score: 1

      VERAcity? TRUth? Perhaps?

      --
      Ezekiel 23:20
    18. Re: Truecrypt.. by Carewolf · · Score: 1

      Interesting arguments.. But to degrade Infowars?

      Infowars is a conspiracy site, it is not even conservative, it is just batshit insane.

    19. Re:Truecrypt.. by nitehawk214 · · Score: 1

      Funny sarcastic comments can be interesting.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    20. Re: Truecrypt.. by Maritz · · Score: 1

      But to degrade Infowars?

      Mhmm, there really is no need to 'degrade' infowars.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    21. Re: Truecrypt.. by Maritz · · Score: 1

      Interesting arguments.. But to degrade Infowars?

      Infowars is a conspiracy site, it is not even conservative, it is just batshit insane.

      Now now, that's the chemtrails talking.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    22. Re: Truecrypt.. by Maritz · · Score: 2

      Latinate prefix indicating truth, fidelity. Same root as veracity. If you're making a very clever joke I'm afraid you'll need to take it down two or three notches because nobody is getting it. ;)

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    23. Re:Truecrypt.. by GuB-42 · · Score: 1

      Putting IOCCC-style code in the middle of an opensource project is an excellent way of getting everyone's attention.
      What you are looking for is the underhanded C code contest where the point is to hide evil stuff in clean looking code.

    24. Re: Truecrypt.. by TheOuterLinux · · Score: 1

      "VeraCrypt is a free disk encryption software brought to you by IDRIX (https://www.idrix.fr) and that is based on TrueCrypt 7.1a." -- https://veracrypt.codeplex.com.... It says "based on," but it has been around for a while now and nowhere near as vulnerable. Even the TrueCrypt (discontinued) creators say to use TrueCrypt ONLY to decrypt what you have so you can use something else.

  4. Lies by Anonymous Coward · · Score: 3, Funny

    I know Apple has backdoors and shit because Apple is evil. And I know it because I believe it with all my heart.

    1. Re:Lies by slugstone · · Score: 0

      is that you Mr Trump?

    2. Re:Lies by Anonymous Coward · · Score: 0

      is that you Mr Cook?

    3. Re:Lies by micahraleigh · · Score: 1

      There are no facts, just opinions. Nietzsche

    4. Re:Lies by Mariner28 · · Score: 2

      Can't be. Mango Mussolini doesn't have a heart. ;-)

      --
      "A little misunderstanding? Galileo and the Pope had a little misunderstanding."
  5. Clever crafted dump by Anonymous Coward · · Score: 0

    Falling right into their line of thinking. This dump is too lacking in content to be real.

    I saw some nice C tricks in the wiki pages, not much else that wasn't lightly covered content-lacking confirmations of a bunch of code words that were mostly already leaked when the nsa ant catalog pdf was leaked years ago.

    Seems to be a lot of work to make the files all appear to be horridly named junk you'd find a corporate shared drive. Yet other leaks showed a more formal naming structure and folder discipline. This just seems too "uncontrolled" to be real. It's a very chaotic mess that paints a picture of the organization which seems smart in an "Art of War" sense.

    Kind of like an army intentionally looking weak so the enemy lowers their OpSec. Be careful what you think you can infer from this dump. Only use it to learn new things that are broken but do not trust any indication of something *not* being broken. That is where the honeypot is so simply use the small bits of real info that were sacrificed in their attempt to make you buy the BS bits about things being secure.

    My 2 cents....

    1. Re:Clever crafted dump by Anonymous Coward · · Score: 0

      This dump is only 1% of what Wikileaks has, according to Assange.

  6. Obligatory: Intel CPU Backdoor Report by Anonymous Coward · · Score: 0, Informative

    Intel CPU Backdoor Report (Updated Mar 12, 2017)

    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    @21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

    [Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware

    [Quotes] Vortrag:
    "DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

    "We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

    "To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Backdoor removal:

    The backdoor firmware can be removed by following this guide using the me_cleaner script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    Decoding Intel backdoors:

    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

    If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

    Useful links:

    The Intel ME subsystem can take over your machine, can't be audited
    REcon 2014 - Intel Management Engine Secrets
    Untrusting the CPU (33c3)
    Towards (reasonably) trustworthy x86 laptops
    30C3 To Protect And Infect - The militarization of the Internet
    30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

    1. Introduction, what is Intel ME

    Short version, from Intel staff:

    Re: What Intel CPUs lack Intel ME secondary processor?
    Amy_Intel Feb 8, 2016 9:27 AM

    The Management Engine (ME) is an isolated and protected coprocesso

    1. Re:Obligatory: Intel CPU Backdoor Report by Anonymous Coward · · Score: 2, Insightful

      Will you please stop pasting this bullshit into every thread dealing with processors and security? It's written in the style of a paranoid conspiracy theorist which ensures that nobody will read it or click the links. All you're doing is making people scroll a lot to get past your bullshit so that they can read comments that are actually about the article.

    2. Re:Obligatory: Intel CPU Backdoor Report by Anonymous Coward · · Score: 0

      I use an IBM POWER machine you insensitive clod!

    3. Re:Obligatory: Intel CPU Backdoor Report by TheRealMindChild · · Score: 1

      It is APK. You can't expect much different

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    4. Re:Obligatory: Intel CPU Backdoor Report by Anonymous Coward · · Score: 0

      What do you mean by scroll a lot?

      Full posts don't even get expanded until Score:3, wait, are you one of those noobs who enable Javascript?

    5. Re:Obligatory: Intel CPU Backdoor Report by K.+S.+Kyosuke · · Score: 2

      Are you sure? It seems too coherent for APK.

      --
      Ezekiel 23:20
    6. Re:Obligatory: Intel CPU Backdoor Report by Anonymous Coward · · Score: 0

      3. Onboard ethernet and WiFi is part of the backdoor:

      The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system

      If your CPU has Intel Anti-Theft Technology enabled, it is also possible to directly access the backdoor from cell towers using 3G.

      Serious question that I seriously want the answer to and should not be taken as "proof" that you are wrong.
      If the ME has its own MAC and IP address, why do I not see more MACs/IPs connected to my router than I would expect?

    7. Re:Obligatory: Intel CPU Backdoor Report by Maritz · · Score: 2

      It has hints of APK but not shrill enough. Not enough scare quotes or sudden exclamations of LOL.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    8. Re:Obligatory: Intel CPU Backdoor Report by Bob+the+Super+Hamste · · Score: 1

      Just let APK have his fun. It isn't often that one of his alter egos can be semi on topic with his batshit insane rantings.

      --
      Time to offend someone
    9. Re:Obligatory: Intel CPU Backdoor Report by Bob+the+Super+Hamste · · Score: 1

      It also lacks the petty name calling and swearing that APK puts in when someone calls him on his rantings. Furthermore APK at least claims his rantings.

      --
      Time to offend someone
    10. Re:Obligatory: Intel CPU Backdoor Report by Anonymous Coward · · Score: 0

      Naw, it's definitely not APK. He always signs his posts with his initials because he thinks he's well respected and that adds weight to his rants. He often calls others out for posting anonymously, even though in his case it's only frustration that he can't stalk an AC.

  7. Quantum computers by DatbeDank · · Score: 1

    Once the government figures out that quantum computers can be used to easily crack conventional encryption, you can bet that those new machines will be locked up behind a top secret order that's about 30 pieces of paper thick.

    1. Re:Quantum computers by ledow · · Score: 1

      There are already defences against this.

      I'd be rather disappointed if military encryption specialists weren't already designing more and even using them in practice already.

  8. still nice by Anonymous Coward · · Score: 0

    this helps everyone but there are other user methods that criminals and people that need more security assurances or just a hobby.

  9. What it also tells us... by Anonymous Coward · · Score: 3, Insightful

    ... is that, with the cat out of the bag, Congress will be working hard to criminalize consumer encryption like it has been done in so many other totalitarian dictatorships.

    One thing has been made clear by all of this though: we are not free. We do not live in the land of liberty. And, the government is completely out of our control.

    1. Re: What it also tells us... by Anonymous Coward · · Score: 1

      I thought a good percentage of the US had guns and argue to keep them specifically to stop such a thing in its tracks.

    2. Re: What it also tells us... by Anonymous Coward · · Score: 3, Insightful

      Well, the intent of the second amendment was that The People be just as well-armed as the government, so that in the case of an out of control government, the people could throw it off by force if necessary.

      But, the government, being interested in perpetuating itself at all costs, was successful in neutering the second amendment with the courts, so that it could not accomplish its stated intent.

      All the handguns in the world are not going to overthrow a government armed with .50 caliber machine guns, attack vehicles, chemical weapons, and other arms The People have been illegally denied their right to keep and bear.

    3. Re: What it also tells us... by 1369IC · · Score: 2

      I won't get into whether the government neutered the second amendment, because even if you're right there, your next statement is wrong. The U.S. has, for a lot of various and obvious historical reasons, decided that it had to outpace the rest of the world with military technology. It spends billions on R&D every year and tens of billions on acquiring equipment. The result is weaponry that civilians couldn't hope to own even if it were legal to do so, and equipment that demands highly trained crews and highly trained repair and other support personnel to operate successfully even once in a while, much less keep running and keep current -- which adds up to tens or hundreds of billions more. In other words, in order to keep ahead of -- name your adversary of choice -- the U.S. built a military that no civilian or group of civilians could keep up with no matter what happened with the second amendment. And if you look at the history of how technological advancement is connected to war and military spending, you might come to the conclusion that it was inevitable that it would eventually turn out that way.

      And if it hadn't happened that way the most likely result is that we'd be a second- or third-rate power getting pushed around by the Soviet Union or China or whoever, and our lives would be a lot worse and you'd be bitching about how our politicians didn't keep us ahead of our adversaries so we could stay safe and free and so on.

    4. Re: What it also tells us... by Anonymous Coward · · Score: 0

      You don't need a handgun to fight a tank. It's enough to handle the driver, or better yet, the civilian criminal ordering that tank to violate the constitution if you feel that way.

    5. Re: What it also tells us... by Anonymous Coward · · Score: 0

      But you're not safe and free. You're scared little girls wetting your pants, crying about terrorists.

    6. Re: What it also tells us... by 1369IC · · Score: 1

      I don't see how you can say we're crying about terrorists when obviously we're killing them all the time. In fact, the real problem is we're killing too many people around them. We take over other countries at will, level them, build them back up and then level them again. The only problem we have is we don't know how to quit and go home. You've got to learn to understand the difference between people who are saying things and making noise for a reason -- to get a vote or a donation -- and reality.

      I've lived in and visited a lot of places in the world, and we're as safe and free as any major country. You give up some freedom to get orderliness and predictability so you can call the police when somebody tries to make a might vs right argument with you, and trust that your doctor has been to a school that teaches doctoring, etc. They might be freer in some parts of Somalia or something, but they pay a high price for that freedom. Despite all the BS on the internet things haven't changed for people on the ground unless you're an immigrant or you share a few habits that criminals are known to have.

    7. Re: What it also tells us... by 1369IC · · Score: 1

      Spoken like someone who has never spent time around tanks.

    8. Re: What it also tells us... by Anonymous Coward · · Score: 0

      This is The Point: ----->
      This is your pointy head: ^

        ----->
          ^

  10. No it doesn't by TheRaven64 · · Score: 5, Insightful

    The leaks tell us that encryption only works if the endpoints are secure, which they are not.

    --
    I am TheRaven on Soylent News
    1. Re:No it doesn't by bsDaemon · · Score: 2

      Well, yes and no. Providing data-in-transit protection between two endpoints only matters if both end points are of an equally trustworthy nature. That is a combination of security of the device, assumption that it has not already been compromised, and that the operator is operating in good faith.

      Sending a confidential message via trusted channel to another terminal being operated by Loud Howard who will read the message out loud to himself subverts all the technical controls, too, if he is being listened to.

    2. Re:No it doesn't by 110010001000 · · Score: 2

      Exactly. Most of the surveillance is done by tapping one of the endpoints. All your "cloud" data (email, voice, whatever) is unencrypted on the server side and there is API access. On the client side, security is horribly broken because the client side software keeps changing and every change introduces new holes.

    3. Re:No it doesn't by Registered+Coward+v2 · · Score: 1

      The leaks tell us that encryption only works if the endpoints are secure, which they are not.

      That has always been true, even before electronic devices became commonplace. The person is always the weakest link, and thus the best target; and not necessarily the important person but the one near him or her that has access to their correspondence, devices and files. Get to them and the door is open to bigger targets; and they are often an easier target to turn. Now, you may be able to install a desired program without help, but you still target a person as the vector to the device.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    4. Re:No it doesn't by AmiMoJo · · Score: 5, Insightful

      Security is more about defence in depth than worrying about one compromised endpoint. Encryption makes bulk interception not work, they have to expend far more effort going after the endpoints if they want to listen in. Going after endpoints is not without risk - all the really good zero day exploits are too valuable to waste on the little guys.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:No it doesn't by bsDaemon · · Score: 3, Interesting

      I couldn't agree more. However, a lot of security technologies and methodologies seem to be predicated on the assumption that both terminals in a communication remain uncompromised or, in some (older, more troubling models), the assumption that by connecting two untrusted peers together over a trusted channel that the peers somehow inherit a general trust property, rather than just the trust implicit in authentication between endpoints.

      That said, most of the public discussion seems to go like this: either a), "crypto is great and as long as we use crypto, we're totally secure!" -- ignoring the fact that one compromised endpoint compromises the confidentiality of the channel, or b) "z0mg!! the endpoints can be compromised, so what good is encryption!? Signal is defeated!!", which is equally absurd.

      People freak out about the ability of the CIA to conduct targeted operations because it is in the news, and people are bad at risk estimation and therefore threat modeling, especially if they aren't security professionals (i.e., most people). The CIA isn't necessarily in my threat model. However, mass surveillance is, because I'm part of the masses. Targeted actions by non-US foreign intelligence services have been, due to employment. So has industrial espionage, criminal hacking, and hacktivism. One can assume, however, that any non-US threat actors have at least the same level of sophistication for targeted endpoint compromise, even if they don't have the sophistication to suck all the comms out of the air.

      So, absolutely defense in depth. But part of that is recognizing that if I put two untrusted endpoints together with a trusted channel, I don't magically get two trusted systems. I get two suspect systems that are able to exchange messages of dubious quality over an overt channel that is less susceptible to passive attack.

    6. Re:No it doesn't by omnichad · · Score: 2

      All your "cloud" data (email, voice, whatever) is unencrypted on the server side

      Not all cloud data is like this. Many require your password in order to decode the decryption key. At least plenty of online backup services adhere to this - if you forget your password and don't have a backup of your encryption key, your cloud data is useless.

    7. Re:No it doesn't by TheRaven64 · · Score: 1

      It's a bit different, because it's now not the person that you're attacking, it's something that the user views as part of the communication channel. The analogy would be sending a message in a sealed box in an armoured car with an armed escort and then delivering it to someone's unlocked mailbox where anyone off the street could grab it and make a copy.

      --
      I am TheRaven on Soylent News
    8. Re:No it doesn't by Freischutz · · Score: 3, Interesting

      Exactly. Most of the surveillance is done by tapping one of the endpoints. All your "cloud" data (email, voice, whatever) is unencrypted on the server side and there is API access. On the client side, security is horribly broken because the client side software keeps changing and every change introduces new holes.

      No, most of the surveillance was done by tapping the largely unencrypted data being sent over the internet backbone and warehousing it. The resulting database could then be data mined at the NSA/FBI/CIA's leisure. Once your data is encrypted they can't easily do that anymore because it isn't as simple anymore. Previously all they had to do was just sit there, watch a system management console while they warehoused insane amounts of unencrypted data and could implement deep intercepts of somebody's entire unencrypted communications with a few mouse clicks in a web interface. With encryption they now have to seek out one or both parties in an encrypted data exchange and hack their computers which is a whole lot more hassle while wholesale warehousing and data mining of internet, voice and video traffic (the wet dream of the NSA/CIA/FBI and the politicians) is out of the question unless they can decrypt the vast majority of encrypted communications on the fly. I've heard figures of up to 20% of some HTTPS traffic being decryptable in bulk by the NSA because of encryption weaknesses but I'm having real trouble believing they'll be able to decrypt 90-100% of all encrypted traffic on the fly and warehouse it any time soon however much they'd like to.

    9. Re:No it doesn't by Registered+Coward+v2 · · Score: 1

      It's a bit different, because it's now not the person that you're attacking, it's something that the user views as part of the communication channel. The analogy would be sending a message in a sealed box in an armoured car with an armed escort and then delivering it to someone's unlocked mailbox where anyone off the street could grab it and make a copy.

      While I get your point, I still contend the person remains the weak link; it's more like sending it to a locked mailbox where someone can be convinced to lend out the key (akin to opening that pdf that came as an attachment) or putting it in a locked dropbox that either has a default password that can be determined or you pay the courier to give you access. While it is a communications channel the two end points tend to be the weakest links because of human behavior; and subject to coercion, blackmail, money or other enticements to allow you to gain access.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    10. Re:No it doesn't by AmiMoJo · · Score: 1

      That said, most of the public discussion seems to go like this: either a), "crypto is great and as long as we use crypto, we're totally secure!" -- ignoring the fact that one compromised endpoint compromises the confidentiality of the channel, or b) "z0mg!! the endpoints can be compromised, so what good is encryption!? Signal is defeated!!", which is equally absurd.

      I agree, but earlier you talk about trusted and untrusted terminals. Trust isn't binary and in reality no terminal is ever fully trusted if you are sending remote messages to it. You should take your own advice :-)

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:No it doesn't by bsDaemon · · Score: 1

      Yup, nothing is ever fully trusted. Unfortunately, trust is a much-used word in security, and govt tends to shove it into terms of art, such as "trusted channel" or "trusted path," which show up in common criteria.

      One of the major issues I have with CC is that there is a lot of hand waving in the threats and assumptions section, including the assumption that the device is being administered or used by people who aren't actively hostile or incompetent. That's an awful lot of hand waving, and then leads to a situation where in technical terms we can talk about trust, but in any meaningful way we really can't. I can provide assurances around the abilities and configuration of two devices. They can talk over a "trusted channel," (i.e., a cryptographically secure channel with authentication by certificate or PSK, between processes on two devices) and be administered by trusted path (a similarly cryptographically secure channel between a remote administrator and the device).

      A bad actor leveraging SSH to remotely connect to a device and do bad actor things is leveraging a "trusted path" just as much as the good actor.

      So, yes, while "trust" may be a technical term/term of art, absolutely take with a grain of salt the trustworthiness of the secrecy of the communication based on factors such as strength of cryptography providing the confidentiality, integrity and authenticity of the channel, the likelihood that the endpoint (including your own) is compromised, and the likelihood that the remote terminal operator is compromised in some way (being blackmailed, actually a mole, has been replaced with someone else, etc.).

      End of the day, though, "good enough" is probably usually good enough, residual risk will never be removed, and at some point you just need to live your life without being overly paranoid all the time.

    12. Re:No it doesn't by TheRaven64 · · Score: 1

      People are usually the weakest link, but they're also not ideal for an attacker because they're rarely in control of a lot of communication channels. Stagefright, for example, was a vulnerability that made it possible to install malware (with root privilege - more privilege, in fact, than the owner of the device) on 100% of Android phones that visited a malicious URL for about a week and around 30% of them for several months (it took a really long time to roll out the patch). Malware installed via that vector could protect itself from removal by updates and could compromise all encrypted communication to or from that device. It's unlikely that you can find a human that could give the same level of access.

      --
      I am TheRaven on Soylent News
    13. Re:No it doesn't by Registered+Coward+v2 · · Score: 1

      People are usually the weakest link, but they're also not ideal for an attacker because they're rarely in control of a lot of communication channels. Stagefright, for example, was a vulnerability that made it possible to install malware (with root privilege - more privilege, in fact, than the owner of the device) on 100% of Android phones that visited a malicious URL for about a week and around 30% of them for several months (it took a really long time to roll out the patch). Malware installed via that vector could protect itself from removal by updates and could compromise all encrypted communication to or from that device. It's unlikely that you can find a human that could give the same level of access.

      I think we are basically on the same page here; my only point was by getting a human, either deliberately or by subterfuge, to visit the URL you have exploited the weakest link - the human vs being able to remotely enter a machine and install the malware; although that type of attack is also certainly possible with some malware.

      --
      I'm a consultant - I convert gibberish into cash-flow.
  11. Sigh. by ledow · · Score: 5, Insightful

    Not surprising, really, given that's exactly what encryption was invented for. To military standards. For military purposes. To prevent other militaries doing exactly what you don't want them to do.

    All the scaremongering around encryption "being broken" by these "acres of datacentre" junk is just that - scaremongering. Hell, didn't the NSA recently ask for help breaking Skype? I'm sure there's a certain amount of misdirection there (I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves), but nobody has yet shown practical attacks against large enough primes used in PKE.

    So far, everything they've done is via side-channel attacks and those are present in every system anyway. And when you have these organisations paying for tools that can open up iPhones, you know that they are struggling to cope.

    If you want to secure data, encrypt it and abide by all the necessary precautions for it (i.e. don't enter the passphrase on untrusted computers, etc.).

    The whole point of encryption is that you can publish your data on the web and point EVERYONE at it (e.g. Wikileaks insurance file) and nobody can access it without the key. If you don't trust Google or similar to hold your files, only allow them access to the encrypted containers and not the decrypted files.

    It's quite clear that encryption is doing its job. And if it wasn't, it would be fixed quite quickly (e.g. we're already preparing against quantum computing attacks).

    1. Re:Sigh. by AmiMoJo · · Score: 2

      Hell, didn't the NSA recently ask for help breaking Skype?

      It's the difference between being able to break a single Skype connection with a legal request to Microsoft, and being able to record every Skype connection all the time. They are not satisfied with the former, and can't be allowed to have the latter.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Sigh. by swillden · · Score: 4, Informative

      I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves

      There's nothing wrong with ECC. It has significant advantages over RSA, especially on low-power devices. There is a remote possibility that the NIST curves are weak in some way known to the NSA and not to the rest of the world, but if you're concerned about that you can simply choose different curves. Ed25519 is a particularly good choice (though Edwards curves work a little differently, so it's not a drop-in replacement for the NIST curves).

      Personally, I have no real concerns about the NIST curves. Mostly because I think that if they were weak, the academic community would have discovered it by now, but also because if the NSA can crack them it's a closely-held secret which is used very sparingly, and nothing I encrypt or sign is that important.

      IMO, the biggest problem with ECC is the lack of standardization around how to use it to encrypt. ECDSA is very well-standardized, but ECIES has too many free parameters (choice of KDF being the biggest) which makes interoperability hard.

      Honestly, if I put on my tinfoil hat I'm more worried about what the NSA knows about how to break RSA than ECC. Not because I think they can factor products of large primes, but because there are so many subtle ways to screw up RSA and make it exploitable, and because the NSA really seems to discourage use of ECC for encryption. Not only have they not set out clear standards for ECIES, an odd exception to the normal thoroughness of the NIST standards which hinders interoperability and discourages use, but last year they even told the world not to bother with ECC and to stick with RSA until practical post-quantum algorithms are available.

      nobody has yet shown practical attacks against large enough primes used in PKE

      RSA != PKE. And, actually, there are lots of practical attacks, if you consider the space of the ways people screw up RSA. In addition, RSA's expensive key generation function makes forward secrecy impractical in most cases, which makes logged traffic vulnerable to subpoena attacks. This is the primary reason why all TLS security evaluations issue bad grades for any web server configured to use RSA. DH or ECDH are much better.

      Every cryptographer I know recommends against using RSA. For encryption, pick your ECIES parameters and use it, with an authenticated encryption mode, e.g. AES-GCM. For signatures, use ECDSA. In both cases, if you're worried about backdoored curves use Brainpool curves, or Ed25519.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
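The hybrid scheme recommended in the comment above (ECIES with an authenticated mode such as AES-GCM), as an added example that is not part of the original thread. The parameter choices here (X25519, HKDF-SHA256, AES-256-GCM, the `example-ecies-v1` label and the wire layout) are assumptions of this example, which is the kind of free choice the comment says ECIES leaves unstandardized; the fresh ephemeral key per message shows why ECDH key generation is cheap enough to do every time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Wire layout chosen for this example: ephemeral pubkey || nonce || ciphertext+tag.
const (
	pubLen   = 32 // X25519 public key
	nonceLen = 12 // AES-GCM nonce
	tagLen   = 16 // AES-GCM authentication tag
)

// hkdfSHA256 is HKDF (RFC 5869) with the default all-zero salt and a single
// expand step, which yields exactly 32 bytes: one AES-256 key.
func hkdfSHA256(secret, info []byte) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(secret)
	prk := ext.Sum(nil)
	exp := hmac.New(sha256.New, prk)
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// deriveAEAD binds the key to both public keys so a ciphertext cannot be
// replayed against a different recipient or ephemeral key.
func deriveAEAD(shared, ephPub, rcptPub []byte) (cipher.AEAD, error) {
	info := append([]byte("example-ecies-v1"), ephPub...) // label is hypothetical
	info = append(info, rcptPub...)
	block, err := aes.NewCipher(hkdfSHA256(shared, info))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewRecipientKey creates the recipient's long-term X25519 key pair.
func NewRecipientKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// Encrypt needs only the recipient's public key. A new ephemeral key pair is
// generated per message and its private half is discarded on return.
func Encrypt(rcptPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(rcptPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, err := deriveAEAD(shared, ephPub, rcptPub.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, ephPub...), nonce...)
	// The ephemeral public key is also authenticated as associated data.
	return aead.Seal(out, nonce, plaintext, ephPub), nil
}

// Decrypt rejects truncated input, low-order ephemeral points (ECDH returns an
// error on an all-zero shared secret) and any modified byte (GCM tag check).
func Decrypt(rcptPriv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < pubLen+nonceLen+tagLen {
		return nil, errors.New("ecies: message too short")
	}
	ephPubBytes := msg[:pubLen]
	ephPub, err := ecdh.X25519().NewPublicKey(ephPubBytes)
	if err != nil {
		return nil, err
	}
	shared, err := rcptPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := deriveAEAD(shared, ephPubBytes, rcptPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, msg[pubLen:pubLen+nonceLen], msg[pubLen+nonceLen:], ephPubBytes)
}

func main() {
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	msg, err := Encrypt(priv.PublicKey(), []byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(priv, msg)
	fmt.Printf("%d-byte message decrypts to %q (err=%v)\n", len(msg), pt, err)
	msg[len(msg)-1] ^= 1 // flip one bit of the tag
	_, err = Decrypt(priv, msg)
	fmt.Println("after tampering:", err)
}
```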
    3. Re:Sigh. by jittles · · Score: 5, Interesting

      I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves

      There's nothing wrong with ECC. It has significant advantages over RSA, especially on low-power devices. There is a remote possibility that the NIST curves are weak in some way known to the NSA and not to the rest of the world, but if you're concerned about that you can simply choose different curves. Ed25519 is a particularly good choice (though Edwards curves work a little differently, so it's not a drop-in replacement for the NIST curves).

      One should also note that when DES was being rolled out the NSA had specifically requested some tweaks be made to the algorithm that people were very skeptical of. Everyone thought the NSA was trying to do something sneaky then, too. It turned out that a known attack vector was discovered in the early 1970s and was not known to the public until the early 1990s. Whether or not the NSA is helping or hurting is something for the history books. There is no way for us to know at this point in time.

    4. Re:Sigh. by Anonymous Coward · · Score: 0

      Unfortunately, you're talking out of your ass and have no access to evidence. In other words, you don't know what you're talking about.

    5. Re:Sigh. by swillden · · Score: 4, Interesting

      I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves

      There's nothing wrong with ECC. It has significant advantages over RSA, especially on low-power devices. There is a remote possibility that the NIST curves are weak in some way known to the NSA and not to the rest of the world, but if you're concerned about that you can simply choose different curves. Ed25519 is a particularly good choice (though Edwards curves work a little differently, so it's not a drop-in replacement for the NIST curves).

      One should also note that when DES was being rolled out the NSA had specifically requested some tweaks be made to the algorithm that people were very skeptical of. Everyone thought the NSA was trying to do something sneaky then, too. It turned out that a known attack vector was discovered in the early 1970s and was not known to the public until the early 1990s. Whether or not the NSA is helping or hurting is something for the history books. There is no way for us to know at this point in time.

      The NSA changed the DES S boxes to make them resistant to differential cryptanalysis, but it also shortened the key length. Had DES been standardized with IBM's original 128-bit key length (but with fixed S boxes), it would still be quite secure. So the NSA's role in DES was a mixed bag. They fixed a non-obvious flaw while introducing an obvious weakness (short keys) that would enable practical attacks in the future. The short key weakness wasn't what anyone could call a "back door", though, since it was obvious to everyone.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:Sigh. by Anonymous Coward · · Score: 0

      I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves

      The NSA trusts those curves for its own data. They're dogfooding the crypto they recommend:

      * https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography

      They're worried about quantum computing, but so are most civilian crypto folks.

    7. Re:Sigh. by Anonymous Coward · · Score: 0

      >The whole point of encryption is that you can publish your data on the web and point EVERYONE at it (e.g. Wikileaks insurance file) and nobody can access it without the key.

      That really isn't the whole point of encryption.

    8. Re:Sigh. by ledow · · Score: 2

      Yes it is.

      That's exactly the point.

      Because whether your data is on the front page of the evening news, flying across monitored connections all round the internet, broadcast in morse code over the airwaves, or stored in a file in your enemy's data capture centres, you can transmit your data (and they can capture and store it) over plaintext channels and yet THEY STILL CAN'T READ IT. Because they don't have the private key.

      Hell, they can even send you a message (using your public key) and nobody but you can read it.

      This is PRECISELY the point of encryption.

      The only other element is to make the encrypted data have no detectable pattern (i.e. be indistinguishable from random data) but that's really a consequence of "your enemy not being able to work out the key" - if they could find a pattern, they've found a weakness in your encryption.

    9. Re:Sigh. by ledow · · Score: 1

      Go read the history of DES.

      First, they admitted lowering the key size.
      Then they asked IBM to keep quiet about attacks on it.

      Sure, at a later date, they were making changes to strengthen it but you are assuming that they still have the same intention.

      When an agency keeps secrets about an attack on the algorithm secret for 20+ years, while it was still an "authorised" algorithm, they aren't working in your interest.

    10. Re:Sigh. by Maritz · · Score: 1

      They are not satisfied with the former, and can't be allowed to have the latter.

      I wonder how long that will go on for. Your head honcho seems pretty obsessed with 'terrorists' both real and illusory. Poor Sweden.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  12. False assumption by Dunbal · · Score: 2

    Just because I choose to go around the mountain does not mean I cannot go over the mountain. Do not assume that encryption cannot be broken. It's just easier/cheaper to avoid having to do it if possible.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:False assumption by MMC+Monster · · Score: 4, Insightful

      And that's the point of the argument.

      If breaking the encryption was easy, they could just decrypt everything they get off of the wire and not have to insert back doors into software and target into a suspect's OS.

      But since encryption is (financially/time/computationally) expensive, it's cheaper to exploit flaws in software.

      --
      Help! I'm a slashdot refugee.
    2. Re:False assumption by Anonymous Coward · · Score: 0

      The point in this article is that, since the CIA seems to be choosing the harder/costlier option, the easier/cheaper one isn't available to them.

    3. Re:False assumption by JanneM · · Score: 3, Insightful

      The point is, getting around encryption is too costly to do it on a mass scale, so they can only really do it for the small portion of targets judged worth it.

      It's like with door locks. Your door lock is good at stopping casual probing, but pretty much useless against a determined attacker. If a government agency (any government) decides that they really need to enter your home then they will enter. It may be with a warrant, with an armoured bulldozer or with a covert penetration team. But it's much too costly and much too risky to do so unless you have really good reason. They can't do it for every house in the city, on the off chance somebody might have something interesting stashed away somewhere.

      Same thing with crypto: it may not stop them if they decide you are a high-value target. But it stops mass surveillance dragnets in their tracks.

      --
      Trust the Computer. The Computer is your friend.
    4. Re:False assumption by gnasher719 · · Score: 5, Interesting

      The point is, getting around encryption is too costly to do it on a mass scale, so they can only really do it for the small portion of targets judged worth it.

      As an example, when you use https some secret code is negotiated between you and the server. There are some random numbers that should be used in the process, and apparently lots of servers use the same random numbers and don't change them. As a result, about 10% of all https at some point used the same random numbers.

      In this particular case, there is an unconfirmed rumour that the NSA with an investment > $100 million managed to "crack" this one random number so that any https using one of those servers becomes crackable. That's $100 million, and that investment can be wiped out in a second by using a different random number. That gives you an idea of the cost of breaking encryption.

    5. Re: False assumption by bill_mcgonigle · · Score: 1

      ^ this guy gets it. Security is primarily applied economics; cryptography is one tool employed in the Spy vs. Spy game, but you better not bet your life on your crypto's implementation being attack-proof. Yeah, they probably know about holes in e.g. Android FDE but it's so damn easy to just text you a bogus .mp4 and 0wn your device that there's no reason to spend the time attacking your FDE.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re:False assumption by Anonymous Coward · · Score: 0

      On the other hand there's also this: If NSA has some completely crazy breakthrough in its back pocket, they are most likely going to be fairly paranoid about it. They would go as far as to deliberately not take advantage of information gathered that way in order to not expose the slightest hint of that.

    7. Re:False assumption by Maritz · · Score: 1

      Perhaps they should vet their agency staff better.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  13. What's the use of crypto when.... by Anonymous Coward · · Score: 1

    ... CIA say it is easier to get control of the input/output devices?

    Whatever the quality of your crypto, it is useless on a computer whose peripheral you cannot trust. /me goes back to work on a network based on SD sent by pigeon carriers.

  14. CIA != NSA by techsoldaten · · Score: 1

    While it may be tempting to think of the recent leaks as evidence of some broader point about cryptography, please realize the CIA is not the NSA. The only thing this proves is there is a huge gap in the capabilities of different agencies.

  15. old stuff by Anonymous Coward · · Score: 0

    Amazing all of this 10-20 year old stuff being touted like it's new by WikiLeaks. Type in google search engine "FBI MAFIA CELL PHONE" and notice the date. That's right, the FBI has been doing this for about a decade now. As far as the television goes that is old news too but one thing missing, Try video recording as well. Getting away from government spying when the information makes so many people so rich and powerful by knowing how to control millions of people is a very daunting task indeed. Good luck. But I am truly disappointed in WikiLeaks for such old and simple stuff when in today's spy world they are using nano technology for far more sophisticated ways of doing business. Almost, like they started all this commotion as a simple political favor because there is no real news or at least no new news in all of this. As far as encryption....pleaseeeee! The big boys stay in business because they cooperate with the Government and who do people think invented it to start with.

    1. Re:old stuff by Maritz · · Score: 1

      This one knows too much. Send extra chemtrails over his house boys.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  16. It also tells us by freax · · Score: 1

    They are using git, have troubles with idiots who put binaries in git, know about Git-Flow (my favorite branching technique), are doing retrospectives (so Scrum sprints), are trying to do something that looks like semver.org for release numbering (although most of it is quite wrongly numbered). All in all, quite a typical software development company. Okayish in software development processes and practices. Could be better here and there.

  17. We knew that by 110010001000 · · Score: 4, Interesting

    We knew that strong encryption works, because "math and stuff" that lawyers never learned. The point is that the mega companies are WILLINGLY giving your data away to anyone that pays. They provide an unencrypted endpoint to your data, so encryption of data in transit doesn't matter. We are much worse off than we were four years ago, and the cloud is going to make it worse(er).

    1. Re:We knew that by Anonymous Coward · · Score: 1

      We knew that strong encryption works, because "math and stuff" that lawyers never learned. The point is that the mega companies are WILLINGLY giving your data away to anyone that pays. They provide an unencrypted endpoint to your data, so encryption of data in transit doesn't matter. We are much worse off than we were four years ago, and the cloud is going to make it worse(er).

      I always found the FreedomBox project interesting, but it looks like progress stopped about half a year ago. I don't use it, because I can manage my own server, but for laymen, FreedomBox would be a really great thing for the world.

    2. Re:We knew that by Anonymous Coward · · Score: 0

      " They provide an unencrypted endpoint to your data..."

      What the hell does that mean? End to end encryption is two points, both encrypted. Not three points, one unencrypted.

    3. Re:We knew that by 110010001000 · · Score: 1

      But your data is not end to end encrypted, only maybe encrypted in transit. Your mail, cloud storage, etc is open and for sale to the highest bidder. Google, Microsoft, etc all provide API access to your unencrypted data. Why do you think gmail is "free"?

    4. Re:We knew that by swillden · · Score: 2

      The point is that the mega companies are WILLINGLY giving your data away to anyone that pays.

      Cite?

      We know that AT&T was providing lots of data for years. There's some evidence that Microsoft was a bit more cooperative than they needed to be, though they seem to have changed their approach in recent years. I've seen no evidence that Apple, Google, Amazon or any other major tech company provides any data at all to government agencies, except pursuant to a valid and properly-construed warrant or subpoena. And none that payment is either demanded or accepted in exchange for user data. AFAICT, the government doesn't even compensate companies for the time and effort they have to spend to comply with legal demands.

      I know of some big non-tech companies that DO give data to anyone who pays: The banks that issue credit cards. At least some of them. Unfortunately, I can't point you to published documentation because I learned it from being present at negotiations where it was discussed. I should point out that this experience was prior to my employment at Google.

      Do you have evidence of pay-for-data schemes by the big tech companies? If so, I'd very much like to see it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:We knew that by Anonymous Coward · · Score: 0

      My link was bad or stripped.

    6. Re:We knew that by darkmeridian · · Score: 2

      That's not true. Definitely not true. The "cloud" hasn't weakened encryption because WhatsApp and Signal (more Signal than WhatsApp) use an open-source protocol that is zero-knowledge through transit. The guys running the servers don't know the contents of the communications. (I believe that WhatsApp collects metadata but Signal does not.)

      Google's Android and Apple's iOS are not being deliberately bugged with back doors. For fuck's sake, Android is open-source. It is possible to compile Android from the source code to make sure there aren't back doors. Apple patched iOS ten days after it learned that a private spy company had compromised iOS. When the FBI wanted to force Apple to hack the iPhone, Apple went to court to stop them, and finally forced the FBI to pay a private company to break the phone.

      https://www.nytimes.com/2016/0...

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    7. Re:We knew that by Anonymous Coward · · Score: 0

      Yahoo

      https://duckduckgo.com/?q=yahoo+backdoor+email+nsa&t=hc&ia=web

    8. Re:We knew that by swillden · · Score: 2

      Yahoo

      https://duckduckgo.com/?q=yahoo+backdoor+email+nsa&t=hc&ia=web

      Point. Though the OP said "mega companies", which IMO excludes Yahoo.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    9. Re:We knew that by Maritz · · Score: 1

      He's saying that when it gets to the other side it gets converted back into cleartext. Often true.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  18. You piss off by Anonymous Coward · · Score: 0

    Only a fucking shill would call well researched facts, CCC live hack and RMS conspiracy theorists.

    Sysadmins need to know what's going on in their system. A lot of them still have no idea what Intel have been doing on their chips.

    Educating the public is more important than your personal feelings, I don't give a fuck what you think, piss off.

    1. Re:You piss off by Dog-Cow · · Score: 2, Interesting

      Given that IME is for system administrators, the good admins already know about it. The bad ones don't care. So posting this drivel only proves your stupidity and general asshole-ishness.

    2. Re:You piss off by Anonymous Coward · · Score: 0

      There are young admins new to this, and someone has to tell them. Good admins read about it at some point, that's how they became good admins in the first place, stupid idiot.

      IME is running on every system, affects everyone, not just admins

      Even your premise is idiotic, by your logic, I already know what you feel about this, and I also don't care, so why are you posting your opinion? Your bullshit just doesn't make sense.

      You people with IQ below 60 should stop posting on Slashdot, it makes other geeks look bad.

      In the vault 7 news I made two exact same posts and both got score 5, and people replied asking me to keep posting it, that's how important this is to some people.

      I made one post here and wasn't even spamming, stop your crying, you dip shit ungrateful shills just try me, I'll write a bot to post it just to piss you off, I might even personally mail it to you just for the special effect.

      So posting your personal opinion only to prove your stupidity and general entitlement.

    3. Re:You piss off by Maritz · · Score: 1

      If your goal is to convince you're going about it the wrong way and then some.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    4. Re:You piss off by Anonymous Coward · · Score: 0

      I simply stated facts and information for others to follow up.

      I didn't make any of it up, it's simple facts and logic.

      If you're not convinced by facts and logic, then you're simply irrelevant.

      Facts are facts regardless of who said it and how, I don't care for your emotional response. Some people will find it useful, some won't, and if you can't handle simple quotes and reference of facts then you are simply too fucking stupid to matter.

      Piss off.

    5. Re: You piss off by Anonymous Coward · · Score: 0

      You don't understand. The content is interesting, the delivery is not. The way you write "facts", is not how this message should be delivered.

      If I pictured you saying this in person, I'd expect problems in your appearance and odour, and problems keeping your audio level normal.

      Try and project yourself speaking like at a Ted talk, not on the street corner.

  19. New backdoors for old by Anonymous Coward · · Score: 0

    What makes anybody think that Microsoft, Google, Facebook, ... are only fixing identified vulnerabilities and not adding new ones while they are at it? It is not like they don't have NSA/CIA moles working for them or history of secretly complying with their demands while denying it in public.

  20. One broken, forever broken by coofercat · · Score: 4, Interesting

    The other thing evident by omission is that (say) the CIA gets a warrant to hack into your TV. They'll start collecting data, but will they 'unhack' your TV when they're done? Not much to suggest they do, so your TV stays hacked, even though you're not a suspect in some new case they're working on.

    1. Re:One broken, forever broken by freax · · Score: 1

      In the leaks you can find for almost all tools and implants that the developers of the tools provide methods to remove and also auto-remove the implant.

      For example, Hive: page 4 of this https://wikileaks.org/ciav7p1/... :
        is the self delete delay (in seconds). Amount of time since last successful beacon or
      trigger allowed to pass before self-deletion occurs. If unused, the default value is 60
      days in seconds.

      There is also an entire section devoted to self-delete, on page 14: 4.1 (S) Self-Delete

    2. Re:One broken, forever broken by pjt33 · · Score: 1

      From Development Tradecraft DOs and DON'Ts:

      DO provide a means to completely "uninstall"/"remove" implants, function hooks, injected threads, dropped files, registry keys, services, forked processes, etc whenever possible. Explicitly document (even if the documentation is "There is no uninstall for this ") the procedures, permissions required and side effects of removal.

      They want to avoid their toys falling into the wrong hands (i.e. anti-malware companies), so they don't want them sitting around for ever on the targeted machines.

  21. Already got rid of a ban by sjbe · · Score: 2

    Now the powers to be really have an incentive to outlaw encryption. Great!

    There used to be a ban on exporting encryption software. It was classified as a munition. Of course this preposterous classification relied on the absurd assumption that nobody outside the US could develop software to do useful encryption or that they would be unwilling to distribute it if they did. Eventually the ban was lifted during the 1990s because it was hurting US companies and because it was basically an unenforceable anachronism once the internet became a thing.

    That's not to say that the US (or other countries) couldn't make some idiotic laws along the lines of making use of encryption without permission a crime. Sort of the XKCD wrench approach to the problem.

    1. Re:Already got rid of a ban by Anonymous Coward · · Score: 0

      The government can regulate what products businesses can offer in the country, and Facebook et al. are businesses. Banning whatsapp etc. isn't going to stop determined people from DIYing their encryption, but 99.999% of criminals don't think that far ahead or put in that much effort (or even know how to install anything not in the default app store).

      If tech companies continue to make it difficult/impossible for law enforcement to do basic law enforcement-type things merely for the sake of making extreme, unnecessary obfuscation of your pointless texts a marketing slogan, this is where things will wind up. And with so many idiots out there already shitting themselves over Trump being Super Ultra TurboHitler, there's no incentive to stop the fear mongering any time soon.

    2. Re:Already got rid of a ban by NatasRevol · · Score: 1

      So, you're against the right to privacy. Allowing LE access to everything is not the right answer. Especially with a petty asshole as president.

      --
      There are two types of people in the world: Those who crave closure
    3. Re:Already got rid of a ban by fuzzyfuzzyfungus · · Score: 1

      The classification of encryption software as a munition wasn't so much 'preposterous' as it was 'completely futile'.

      Unless you adopt an intentionally myopic view of 'munitions' that excludes pretty much everything except the actual component that ends up embedded in your opponent's chest cavity, encryption has at least as good a claim as, say, imaging hardware, ECM, fancy radar absorbent materials, and similar things that don't directly kill anyone; but are enormously useful in either detecting the other guy so you can kill him; or keeping him from detecting you so that he cannot.

      It's just that, unlike most of the other items on that list, good cryptographic algorithms can be copied in arbitrary quantities from a single smuggled example by people who wouldn't even qualify as script kiddies (reverse engineering usually makes life easier when trying to clone most hardware; but you still need at least something resembling an industrial base and skilled workforce if you want to take a single fancy night scope or something and start producing equivalents on a useful scale; and you also don't tend to develop mature, high end, hardware without a reasonably long period of incremental progress and refinement of your production capacity).

      Even if there weren't a single decent cryptographer or number theorist outside the US (an obviously absurd assumption), nobody expects that you can intercept 100% of the copies; and software is such that any idiot can turn one copy into as many copies as you want, all perfect. Sophisticated physical objects, by contrast, are often quite informative; but even keeping one maintained without access to parts can be tricky; and using one to establish independent manufacture is within reach only of people who already have pretty credible capacity.

      Anyone who thought that the munition classification was going to keep crypto out of anyone's hands was an idiot; but the classification itself is reasonably plausible.

    4. Re:Already got rid of a ban by Anonymous Coward · · Score: 0

      Sort of the XKCD wrench approach to the problem.

      The problem with that, is when you give up your password and they find nothing, they can just claim that you have a second, hidden encrypted volume, and the beatings will continue until you give up that second password. Unfortunately, you really did only have the one password to give up, but you can't prove it. So you just gave up your only password for nothing.

    5. Re:Already got rid of a ban by sconeu · · Score: 1

      The US.gov won't re-make the mistake of classifying crypto as a munition, for one simple reason

      It gives the crypto community another weapon (pun intended) to fight crypto bans..

      To wit: If crypto is a munition, then it falls under the Second Amendment. Thus a crypto ban could be fought on both First and Second Amendment grounds. And while the .gov could try the "national security" defense against the 1Am argument, how could they piss off their base fighting a 2Am argument?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    6. Re: Already got rid of a ban by Anonymous Coward · · Score: 0

      2nd amendment groups tend not to give a fuck about "not USA" so they won't really care. Especially if it is phrased in a way that makes it seem it will be selectively enforced only on the darkies. Hell, it worked for the PATRIOT act.

    7. Re: Already got rid of a ban by Anonymous Coward · · Score: 0

      Lol. Like he's out there reading the billions of messages sent daily personally. Lol. Grow up.

    8. Re: Already got rid of a ban by NatasRevol · · Score: 1

      Yeah, so sorry I want constitutional protections to stay in place. That's called actually being a grown up. And an American.

      --
      There are two types of people in the world: Those who crave closure
    9. Re: Already got rid of a ban by Anonymous Coward · · Score: 0

      I don't think they stopped the encryption ban, but just allowed more over the years.

      I've seen paperwork that required encryption details (no keys, just ciphers used and strength). I've also had to agree to non-export to receive development kits for FPGA/cpu applications.

    10. Re:Already got rid of a ban by IHTFISP · · Score: 1

      The US.gov won't re-make the mistake of classifying crypto as a munition, for one simple reason [...] If crypto is a munition, then it falls under the Second Amendment.

      So instead of classifying it as a munition they will simply classify it as an “assault weapon” or a “tool of terrorism” or “racist” or “hate speech” or “freedom rape” or some such equivalently nonsensical hyperbolic paranoid political sensationalistic alarmist rhetoric. It's what they do. FUD is currency ($) in politics, and all politicians are rife with avarice: FUD = power. Etc.

      --
      Error: NSE - No Signature Error
  22. Economic limitations on surveillance by sjbe · · Score: 4, Insightful

    it may not stop them if they decide you are a high-value target. But it stops mass surveillance dragnets in their tracks.

    And that's really what privacy laws are supposed to be about. If the government has a legitimate good faith reason to be investigating someone they have the tools to do this and to a point should have reasonable rights to investigate. Broad sweeping surveillance however should not provide them the same degree of resolution on any given individual. Law enforcement and defense surveillance should have to jump through some hoops and do some actual work to target any individual. That's the entire point of the 4th Amendment as well as several others. An investigation should be harder than looking up a database record because governments have shown they cannot resist abusing such power when made available to them. The notion that encryption will somehow make it impossible for them to do their job just hasn't been shown to be true in reality.

    In practical terms however the reason encryption works isn't a moral one. It works because it keeps the economic cost for police to watch a given individual non-trivial so that they have to pick and choose who is worth bothering to watch. It used to be that getting the records and communications required a significant expenditure of resources. With email, modern phone systems, and the internet some of that became much easier. So much easier that it causes all sorts of problems with protecting civil liberties. Encryption balances things back out. They can still come after you if they need to but it has to rise to a certain level of suspicion to make it worth their while.

  23. Some tips everyone can do by TheOuterLinux · · Score: 1

    prints out the tcp packets from eth0 in HEX or ASCII format. So, actual encrypted packets would look like garbage. prints an overview of system audit information, including failed login attempts. traces packets sent from start to finish. A LAN scanner would be good to have too just to see who's on the router. I used to use one to see if my RA was in the building or not. Mistake number one, naming your phone with your actual name or a name at all. Entering a " " actually prevents devices from seeing the phone when using it as a hotspot, so it may have other benefits. Or, just name everything the exact same and let the router assign numbers. They change every so often. Lynis (and Rkhunter) is an open source program built for finding Rootkits on Unix-based systems, ie. Linux and Mac. It also prints out suggestions from what it finds to harden your system. ClamAV is an open source virus scanner; unfortunately, its front ends are different for different operating systems and makes it hard to tell if you're getting the real thing. You should also hide your network if you can. In other words, people driving by your house can't pick it up normally when scanning. I think Kali has tools to circumvent this, which brings me to next point. Kali is a Linux based distro that's been around for a really long time and is designed for ethical hacking and could be used to test your stuff out. Oh and, for the love of God, encrypt your Home directory. Linux has LUKS (SHA512), Mac (not sure) has FileVault, and Window$....not going to matter if running 10. You can also learn how to shred your files to prevent recovery. Emptying the trash doesn't do much good anymore. For Mac users, "srm" (secure file removal) command is built in even though they removed secure empty trash option for whatever reason. It wipes 35 times by default. Linux also has srm available, as well as "shred" built in with wipe number options. There are many others for Linux. 
    Bleachbit for open source cleaning of caches is available for both Linux and Window$, and I think they've been working on a Mac version. And, it never hurts to wipe Swap and RAM every once in a while. Cover your webcam if you don't use it. Skype is a convenient trap. If you only need one-on-one calling, use a Tox client. It's encrypted and is available for just about everything, including phones, and supports video, vocal, text, and file sharing. It connects to a server like a switchboard and then it's all p2p from there. Only mentioning this because I read somewhere that Signal and Telegram were compromised. WhatsApp, the Facebook owned version, should have been a given. Duh. As far as web browsing is concerned, NoScript, Privacy Badger, HTTPS Everywhere, and uBlock Origin. Block and uninstall Flash if you can. Most things are HTML5/MP4 these days anyway. DO NOT USE CHROME. Google digitally fingerprints everyone. Chromium with a user agent spoofer addon is a good alternative. Firefox is still the best though. ;P Not everything mentioned is foolproof, but they are tools available to most OS's and people need to start being more proactive in their computing defense. You may not have anything to hide, but "probable cause" is incredibly vague these days, and it'll get worse because of this. https://theouterlinux.com/priv... if anyone is interested. I need to add more stuff.

    1. Re: Some tips everyone can do by Anonymous Coward · · Score: 0

      Please learn to love the "enter" key.

  24. And TOR? by Anonymous Coward · · Score: 0

    It's an imperfect world, and the totally rosy picture of encryption you paint there isn't the messy reality.

    TLS is a joke at this point, remember Bluecoat? Symantec giving them the ability to forge any certificate. We can't trust TLS because it was systematically undermined.

    Also TOR, so much effort has been put into backdooring TOR, some of the decisions done by TOR (e.g. run Javascript! Send obfuscation nodes via PRISM friendly gmail, fail to notice attack nodes attacking when testing TOR server ) suggest it's backdoored at an organizational level rather than from outside. The result is a lack of trust in TOR. I'm sure NSA/CIA/FBI pat themselves on the back at that success, but can you imagine any Russian leaker trusting it? At a time where Russians are getting arrested for treason, they have no trusted connection to leak, and no trusted end target to leak to.

    And if you think that's the only two, think again. Updates are often done via TLS so update software is compromised.

    It's not a good situation, and Assange has promised more Wikileaks soon (presumably timed to distract from March 20th hearing, so it won't be long to wait).

    It's a pity they took the General Alexander route, because they left the US open to attack from outside bad actors while keeping those backdoors open for themselves.

    1. Re:And TOR? by ledow · · Score: 1

      TLS has nothing to do with the underlying encryption. That hasn't been broken, but the trust put into the people verifying identities has been misplaced. That's an entirely different matter.

  25. It's easy by Anonymous Coward · · Score: 0

    ... that is costly, risky and the kind of thing you do only on targets you care about ...

    That is why the UK has 'hand-over your password' laws and the US courts are declaring, if the police guess you've got something, you have to hand-over whatever they want. See, it's not costly and risky anymore, so the authorities can fish in your data as they please.

    1. Re:It's easy by craigminah · · Score: 1

      Other than those pesky Amendments such as the 4th against illegal searches and the 5th against self incrimination...

    2. Re:It's easy by Maritz · · Score: 1

      You're scared shitless of largely illusory terrorists. Expect 'safety' to win in the end. That's what helped get Donnie in.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  26. Devil's advocate by Dan+East · · Score: 1

    Let me play devil's advocate here. Let's say for a moment that the CIA does indeed have whatever hardware is required to easily brute force modern encryption with the current key lengths we are using. Maybe that's some sort of quantum device or perhaps they have access to standard computing power beyond what anyone imagines. That part doesn't matter for the sake of this argument.

    What would you do if you were the CIA? How about release exactly the information we see here - information about some actual tools of some value, in addition to misinformation that makes it appear they are stymied by the encryption and must instead go after the endpoints. So we feel all smug and secure, while in reality they can simply access the data in transit. They then use these tools and methods described in the leak as the smokescreen in court (when needed) to show standard methods for acquiring data that is more traditional and highly targeted to a specific device, both to keep their data legal as admissible evidence and to hide their true capabilities.

    Or am I giving the CIA way, way too much credit here?

    --
    Better known as 318230.
    1. Re:Devil's advocate by tyme · · Score: 1

      Yes, you are giving the CIA way too much credit. However, this is exactly what the FSB would do in order to 1) discredit the CIA, and 2) cover their own tracks. The data dump came through a source known to be associated to, and supportive of Russian interests, so we should actually assume that any misdirection is on the part of the FSB, or other Russian interests. Maybe the CIA, or the NSA, or some other U.S. TLA, has capabilities beyond what are exposed in the Wikileaks data dump, but we should assume that the actual action is elsewhere.

      That said, we should all be using strong encryption: no need to make things easy for the bastards.

      --
      just a ghost in the machine.
    2. Re:Devil's advocate by MobyDisk · · Score: 2

      This is a valid theory and is worth considering. But Occam's Razor leads me to choose the simpler theory: that encryption is working. This is because the contents of this leak are consistent with other public information. Public discussion indicates that D-wave's quantum annealing computers can't run Shor's algorithm, so they are not useful for this (yet). There aren't attacks on AES that make it practical to break on classical computers (yet). So what we see the CIA doing is consistent with the current state-of-the-art encryption research. We see police using Stingrays, rather than decrypting traffic directly.

      The other option requires that the CIA be suppressing encryption research from multiple companies and universities across multiple countries. It requires that they are requiring researchers to release fake papers. It requires them to not be using their encryption super-powers very much. All that is certainly possible - when the Allied Powers broke enigma they made sure to keep its use secret. But that would be much harder to do today. So I choose the simpler more consistent view as the real one.

    3. Re:Devil's advocate by Anonymous Coward · · Score: 0

      Let's say for a moment that the CIA does indeed have whatever hardware is required to easily brute force modern encryption with the current key lengths we are using.

      Huh? How about they brought most of the best mathematicians and engineers of the world (not even counting the ones from friendly governments willing to share them and their discoveries), and either designed the algorithms to be broken in some way not found yet by the few civil mathematicians and engineers left (it might have been by the ones from some unfriendly governments -if there are any-, who didn't publish the find, so they could use it too), or largely broke it since then...?

      WTH people? Governments aren't just little toy viruses on USB sticks... They aggressively tap undersea cables, they tap telcos in their own buildings in dedicated rooms, they can target registrars, the entire DNS system, certificate authorities, gateways, software vendors (how is your last targeted Windows update doing?), hardware vendors, they can see your screen and what you type on your keyboard from the street... Hello, 20, 30 years ago, and probably much longer?

      They know your IP and email address from Amazon, they backdoored your system with ads from Google (and good luck cleaning all your firmwares, AdBlock ain't working through time... and if needed, they'll just infiltrate some random website, or MitM'ing you with proper DNS records and SSL certificates), you're reading their very own Slashdot right now! Your private messages are on Cloudflare!

      Or am I giving the CIA way, way too much credit here?

      What people are underestimating isn't the CIA itself (who cares about the CIA? governments have thousands of compartmentalized structures for everything...), but the money, pressure points, specialists and time, that many governments possess, and use, and abuse. Most relevant researches around the world are funded by governments or their friends. How the heck is anyone here thinking they're not 10, 20, or 30 years in advance, if not more, on many subjects? They initiate, they infiltrate, they buy, they blackmail, they kill, all the time. They've done it for decades, and they've done it for centuries and millennia without the computers.

      Does anyone here think governments cannot pay 10 competent people for 5 years at $300,000/year, working full-time on finding holes in one single piece of important software and hardware, and they cannot multiply this by 200? That's only $3 billion. The US is in debt for $14 trillion today. That's 0.02% of the debt. I'd say there is far enough margin for doing what I said, and one hundred times worse. 2% of the debt, for owning worldwide software and hardware. So freaking cheap.

      And I'm not even talking about placing the holes... Sure some will be found out by chance, and quickly patched out (generally without much fuss from anyone)... But you have unlimited money, and most of the competent people...

      It's actually almost a wonder why they haven't brought _everyone_ yet...

      My conclusion is they probably have been doing most of what you can imagine, for a long time... And if they haven't, they definitely could... Thus the point is not the present, and even less the past, but the future... What sort of society would make all this insanity, not impossible (it cannot, and trying bears terrible consequences), but simply pointless? How could we reach it despite everything and everyone?

      Another place, another time...

    4. Re:Devil's advocate by Maritz · · Score: 1

      Or am I giving the CIA way, way too much credit here?

      Yep. It's a leak, an embarrassing one, and the resulting purge will be horrible for morale. Not worth it just to make the world think they're incompetent when they're really not.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  27. This was no secret by OneHundredAndTen · · Score: 2, Insightful

    The intelligence community has given all indications, time and again, that breaking cryptography is not the vector they usually resort to in order to obtain information. Other, more traditional, techniques, today euphemistically (and pretentiously) called "social engineering", are much cheaper and effective, under most circumstances.

  28. And by extension, crypto digital sigs also work by IHTFISP · · Score: 1

    Cryptographic digital signatures are a way to reliably sign the contents of a message or system update packet (and such) so that any attempt to tamper with the data can be easily detected, while any attempt to forge a valid signature on tampered data is extremely difficult. This way, for example, it becomes extremely difficult to broadcast bogus system updates which actually install malware from a third party, since it is easy to detect if the data is corrupted and/or if the signature was not generated by the purported authority.

    Moreover, encryption can be cascaded in various ways so that only the authorized sender could have generated an encrypted message (or signature) and only the authorized recipient can decode it (or them)... as well as only authorized intermediaries being allowed to transmit it from them to you (e.g., passed via Gmail to your specific ISP for delivery). This further stymies any efforts at man-in-the-middle attacks or forged document attacks (such as fake update patches).

    This, for example, means that a sender can generate a single encrypted update packet to send to all its customers but use a unique cryptographic digital signature per customer message so that each customer in turn, and only that customer, can validate then install the signed update they receive. By using per-customer unique signatures, broad-based “shotgun” approaches to disseminating malware are no longer tenable.

    Note that such use of encryption is not just about data privacy, it is also about verifying data integrity (the data was not corrupted) as well as authority/authenticity/provenance (it came from a specific authorized source who is who they claim to be).

    --
    Error: NSE - No Signature Error
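
An added illustration of the signed-update idea in comment 28, not part of the original thread or any vendor's code: Node.js's built-in Ed25519 signing, with each signature bound to one customer by signing the customer id together with the update's SHA-256 digest. The customer ids, payload and function names are constructed for the example, and that binding is one assumed way to realize per-customer signatures.

```javascript
const crypto = require('crypto');

// Message actually signed: customer id followed by the SHA-256 of the update bytes.
// The digest has a fixed 32-byte length, so the concatenation is unambiguous.
function signedMessage(customerId, payload) {
  const digest = crypto.createHash('sha256').update(payload).digest();
  return Buffer.concat([Buffer.from(customerId, 'utf8'), digest]);
}

// Vendor side: one signature per customer over the same update payload.
function signUpdate(privateKey, customerId, payload) {
  return crypto.sign(null, signedMessage(customerId, payload), privateKey);
}

// Customer side: rebuild the message with our own id and check it against
// the vendor's public key. A malformed signature is treated as a failure.
function verifyUpdate(publicKey, myCustomerId, payload, signature) {
  try {
    return crypto.verify(null, signedMessage(myCustomerId, payload), publicKey, signature);
  } catch (err) {
    return false;
  }
}

// Constructed scenario: a genuine update, then three ways it can fail to validate.
function demo() {
  const vendor = crypto.generateKeyPairSync('ed25519');
  const otherKey = crypto.generateKeyPairSync('ed25519'); // not the vendor's key
  const update = Buffer.from('constructed update payload v1.2.3');
  const modified = Buffer.concat([update, Buffer.from('-modified')]);
  const sigAlice = signUpdate(vendor.privateKey, 'customer-alice', update);
  const sigOther = signUpdate(otherKey.privateKey, 'customer-alice', modified);
  return {
    genuine: verifyUpdate(vendor.publicKey, 'customer-alice', update, sigAlice),
    modifiedPayload: verifyUpdate(vendor.publicKey, 'customer-alice', modified, sigAlice),
    sentToOtherCustomer: verifyUpdate(vendor.publicKey, 'customer-bob', update, sigAlice),
    wrongSigner: verifyUpdate(vendor.publicKey, 'customer-alice', modified, sigOther),
    truncatedSignature: verifyUpdate(vendor.publicKey, 'customer-alice', update,
      sigAlice.subarray(0, 10)),
  };
}

console.log(demo());
```

Only the first check succeeds; a changed payload, a different customer id, a signature from another key and a truncated signature all fail verification.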
  29. Implementation, implementation, implementation by Anonymous Coward · · Score: 1

    Implementation, implementation, implementation..

  30. "Data Scrambling" Encryption by gweihir · · Score: 1

    Can we please get tech-journalists that at least get the very basic vocabulary right?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  31. Fighting fire with fire by sjbe · · Score: 2

    If tech companies continue to make it difficult/impossible for law enforcement to do basic law enforcement-type things merely for the sake of making extreme, unnecessary obfuscation of your pointless texts a marketing slogan, this is where things will wind up.

    Perhaps but I doubt it. See companies like Apple and Google have the money to pay for lobbying, bribes, and thanks to a recent decision by our Supreme Court unlimited campaign contributions. Companies can and do buy politicians.

    Only a clueless idiot thinks that encrypting my communications is "unnecessary". I don't actually need to have done something wrong for my communications to be used against me. Innocent remarks can be incredibly easy to misconstrue, intentionally or unintentionally. Just because I have nothing to hide doesn't mean I have nothing to fear.

    And with so many idiots out there already shitting themselves over Trump being Super Ultra TurboHitler, there's no incentive to stop the fear mongering any time soon.

    Don't have to stop it. Just have to fight fire with fire. There is no way to have a secure internet without encryption where only the "good guys" (ahem...) have access to your dirty little secrets. Just point out all the bad things that will happen without encryption and companies (like Apple) will hire all sorts of flesh eating lobbyists and lawyers effectively on your behalf to keep their cash flow going. The best defense against security theater FUD might turn out to be more FUD pointed in the opposite direction.

    There also is that pesky little problem of the 4th and 5th amendments. Not the greatest of comfort in the short run but in the long run they do tend to keep the government stooges at bay over sufficiently long time periods.

  32. Ordinary CIA, NSA don't know about their Qu-comp. by Anonymous Coward · · Score: 1

    Encryption doesn't work, it's just that USAF's 30*50*150 qubit quantum computer is so secret that ordinary CIA/FBI/NSA posse cannot be told about it. They sincerely believe 256-bit AES and 2048 bit EC is secure and bearded tenorists or pedo-bears can only be nicked via Stingray and similar workarounds. Only in the most severe cases (like an impending nuke strike from RUS or an alien spaceship invasion) would the NSA's inner cabal reveal the all-crypto breaking, universal quantum computer capability.

  33. sigh by eyenot · · Score: 1

    it's all about how much time the end-user puts into encrypting their own data. oh, the things you can do with unhelpfully labeled nested zip-splitting...

    --
    "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
  34. "Fake Math" [Re:When can we expect a ban?] by Tablizer · · Score: 2

    You can't ban mathematics.

    But I wouldn't put it beyond certain politicians to try.

  35. Note The Logic Flaw by Anonymous Coward · · Score: 0

    All you say is true. However there is a flaw in this whole line of reasoning.

    The flaw is, that the citizen must take measures to keep the Three Letter Agencies out of their business. The TLAs actively intrude upon innocent and unsuspecting civilians. It used to be that there was at least some level of due process required. Now however, I have no comfort level at all that the TLAs are respecting due process, the constitution, and their (legally!) defined scope and mandate.

    Instead the TLAs simply hoover up all they can and complain when a citizen insists upon some privacy rights and due process. The CIA should be relabeled the "Complaining Insistently Agency", the NSA should be relabeled the "Not Secure At-all" Agency, the FBI should be relabeled the "Freely Bullying Innocents" Agency, and GCHQ should be relabeled the "Globally Collecting Here Quietly" Agency.

  36. Re:Ordinary CIA, NSA don't know about their Qu-com by Maritz · · Score: 1

    Very persuasive.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  37. Encryption lessons from CIA and NSA leaks. by dweller_below · · Score: 3, Interesting

    The CIA and the NSA leaks teach us several important lessons. They include:

    * The Intelligence communities are much better at creating problems than fixing them. They can easily destroy individuals, communities, governments and trust. They don't create anything of lasting value. Nor do they clean up the messes that they create.
    * Secrecy really REALLY isn't security. Secrecy creates and maintains private agendas. Secrecy creates and fosters waste. Secrecy destroys trust. Secrecy interferes with almost all aspects of security and good governance.
    * A large, complex intelligence organization can't keep secrets. They can't keep secrets from hostile governments. They can't keep secrets from organized crime.
    * Finally, we have learned that cryptanalysis can be surprisingly effective, but a full frontal assault on an encryption algorithm is the hardest way to break a crypto-system. There are many easier ways to break or bypass crypto.

    There is a huge gap between crypto theory (https://www.cs.princeton.edu/~felten/encryption_primer.pdf) and expressed and implemented crypto reality. This gap provides many opportunities for anybody who wishes to favor attack over defense.

    Traffic Analysis/meta data collection provides cheap, effective attack against virtually all current communication channels. Once you know who, when, where, how, and approximately what they are saying, you usually don't need to break their crypto.

    The easiest way to weaken crypto implementation is to simply withdraw support for updates and improvements. Good crypto is hard. Defense is expensive. Without constant support, defenses fail. If you wish to weaken crypto defenses, it is usually sufficient to withhold support for good standards and good processes, and fail to eliminate mistakes.

    The next most cost-effective ways to weaken crypto implementation are to focus on degrading or hindering:

    1) Transparency and disclosure;
    2) Purchasing standards;
    3) Vetting or approval standards;
    4) Programming environments and standards;
    5) Crypto standard processes;
    6) Crypto implementation projects;
    7) And crypto standards.

    Good crypto implementations are almost indistinguishable from bad crypto implementations. The market will cheerfully purchase poor crypto if it is available, cheap, and the consequences are not immediate.

    If an attacker ever needs to access info that is protected by a robust crypto implementation, it is usually faster and cheaper to subvert its surrounding environment, people, hardware or software.

    Reform of the Intelligence agencies should begin by greatly reducing their budget. Currently, they are huge, bloated, unmanageable monsters. They twist government to their whim. They distort the civilian economy. They cause massive incidental damage. A slim, tightly focused agency can be more carefully controlled and managed. A small, efficient CIA or NSA would achieve almost all of OUR important goals with a tiny fraction of the collateral damage.

  38. vague by surd1618 · · Score: 1

    Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents,

    Of course they would say that, because it's in their interest to claim that they defend their customers' privacy. That's what the whole San Bernardino iPhone debacle was about: Apple wants to keep being perceived as the Mercedes of computers.

  39. Slashdot sucks by Anonymous Coward · · Score: 0

    How can I prevent the slashsuckers page from having a pop-over advertisement obscure half my screen space from the content I want to actually view rather than annoying slash-advertising?

  40. Bob the SuperWeasel eats his words by Anonymous Coward · · Score: 0

    "APK doesn't seem to know much about securing systems because if he did he would understand the defense in depth philosophy" - by Bob the WEAK WEASEL ( 1152367 ) on Monday January 30, 2017 @08:44AM (#53765191)

    WRONG - I wrote guides on it that even GOT ME PAID https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/

    * How'd EATING YOUR WORDS taste talk behind my back BITCH?

    APK

    P.S.=> No wonder you use a FAKE NAME for your FAKE LIFE motherfucker - you're a BIG MOUTH nobody do-nothing "ne'er-do-well" & you KNOW it fucker - seeing you stick your FOOT IN YOUR MOUTH that way? Priceless & hilarious... lol! Now everyone can see it too, hahahahaha... apk

  42. K.S. Kyosuke EATS HIS WORDS by Anonymous Coward · · Score: 0

    See my subject: Outnumbered ~140++:1 vs. his bullshit directed MY way https://slashdot.org/comments.pl?sid=7804977&cid=50269031/

    * Keep on EATING YOUR WORDS you FAKE NAME for FAKE LIVES puppets...

    (It's ALL you'll EVER manage vs. me, pure failures on your end)

    APK

    P.S.=> Just like your lives (huge fails)... apk

    1. Re:K.S. Kyosuke EATS HIS WORDS by K.+S.+Kyosuke · · Score: 1

      Your honour, I rest my case! :)

      --
      Ezekiel 23:20
  43. Maritz = "ne'er-do-well" proof by Anonymous Coward · · Score: 0

    Maritz you like to talk behind my back (you're a punk bitch) & yet prove you're a "ne'er-do-well" that doesn't do squat of worth in computing here https://science.slashdot.org/comments.pl?sid=9935673&cid=53398581/ like all of the FOOLS here doing what you are - "gossiping" like old ladies as that's all you & "your kind" are capable of vs. myself doing things of value in programs even /.ers LIKE & USE https://tech.slashdot.org/comments.pl?sid=10344969&cid=54008683/

    * "Your kind" playing "forensic analyst of writing" pseudo detective NEVER will...

    APK

    P.S.=> By the way, lastly - I'm not the INTEL Management Engine guy posting that (but it IS an interesting read nevertheless - one that's doubtless beyond the comprehension of an unaccomplished undereducated DOLT like yourself & others here gossiping about me behind my back)... apk

  44. Proof I get respect "your kind" NEVER will by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    APK is kinda right. I've tried his hosts file generating software. It works by bmo

    I like your host file system by Karmashock

    I find your hosts file admirable by vel-ex-tech

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    * Recommended & hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> See subject: You (unidentifiable ac) & FAKE NAME online for FAKE LIVES fools along w/ you gossiping behind my back NEVER will... apk

  45. Why didn't you answer this question? LOL! by Anonymous Coward · · Score: 0

    See my subject & "See K.S. Kyosuke run" https://ask.slashdot.org/comments.pl?sid=10024927&cid=53534393/

    * I rest MY case (with proof)...

    APK

    P.S.=> What's it like KNOWING you can't get the better of me & are resorting to acting like a bitch talking BEHIND MY BACK? You're a "ne'er-do-well" is why... apk

  46. WRONG: It's not me & wrong again too by Anonymous Coward · · Score: 0

    See subject (I told other trolls like you the same) & you're WRONG again on Delphi - starter editions ARE free https://slashdot.org/comments....

    (You fail).

    APK

    P.S.=> No small wonder you hide online behind a FAKE NAME for your FAKE LIFE - you ALWAYS fail in everything you do apparently... apk