What The CIA WikiLeaks Dump Tells Us: Encryption Works (ap.org)
"If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that data-scrambling encryption works," writes the Associated Press, "and the industry should use more of it." An anonymous reader quotes their report:
Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents must go to great lengths to circumvent encryption they can't break. In many cases, physical presence is required to carry off these targeted attacks. "We are in a world where if the U.S. government wants to get your data, they can't hope to break the encryption," said Nicholas Weaver, who teaches networking and security at the University of California, Berkeley. "They have to resort to targeted attacks, and that is costly, risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do stuff like this should reassure civil libertarians that the situation is better now than it was four years ago"... Cindy Cohn, executive director for Electronic Frontier Foundation, a group focused on online privacy, likened the CIA's approach to "fishing with a line and pole rather than fishing with a driftnet."
The article points out that there are still some exploits that bypass encryption, according to the recently-released CIA documents. "Although Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents, it's not known how many holes remain open."
Now the powers to be really have an incentive to outlaw encryption. Great!
This is what really pisses me off: the unstated assertion that *only* the US gubmint has these techniques.
"I don't know, therefore Aliens" Wafflebox1
So is this the real reason why TrueCrypt was suddenly killed off?
I know Apple has backdoors and shit because Apple is evil. And I know it because I believe it with all my heart.
Once the government figures out that quantum computers can be used to easily crack conventional encryption, you can bet that those new machines will be locked up behind a top secret order that's about 30 pieces of paper thick.
... is that, with the cat out of the bag, Congress will be working hard to criminalize consumer encryption like it has been done in so many other totalitarian dictatorships.
One thing has been made clear by all of this though: we are not free. We do not live in the land of liberty. And, the government is completely out of our control.
The leaks tell us that encryption only works if the endpoints are secure, which they are not.
I am TheRaven on Soylent News
Not surprising, really, given that's exactly what encryption was invented for. To military standards. For military purposes. To prevent other militaries doing exactly what you don't want them to do.
All the scaremongering around encryption "being broken" by these "acres of datacentre" junk is just that - scaremongering. Hell, didn't the NSA recently ask for help breaking Skype? I'm sure there's a certain amount of misdirection there (I'm still not convinced on EC cryptography, which was brought along with the help of the NSA choosing certain curves), but nobody has yet shown practical attacks against large enough primes used in PKE.
So far, everything they've done is via side-channel attacks and those are present in every system anyway. And when you have these organisations paying for tools that can open up iPhones, you know that they are struggling to cope.
If you want to secure data, encrypt it and abide by all the necessary precautions for it (i.e. don't enter the passphrase on untrusted computers, etc.).
The whole point of encryption is that you can publish your data on the web and point EVERYONE at it (e.g. Wikileaks insurance file) and nobody can access it without the key. If you don't trust Google or similar to hold your files, only allow them access to the encrypted containers and not the decrypted files.
It's quite clear that encryption is doing its job. And if it wasn't, it would be fixed quite quickly (e.g. we're already preparing against quantum computing attacks).
Just because I choose to go around the mountain does not mean I cannot go over the mountain. Do not assume that encryption cannot be broken. It's just easier/cheaper to avoid having to do it if possible.
Seven puppies were harmed during the making of this post.
... CIA say it is easier to get control of the input/output devices?
Whatever the quality of your crypto, it is useless on a computer whose peripheral you cannot trust. /me goes back to work on a network based on SD sent by pigeon carriers.
While it may be tempting to think of the recent leaks as evidence of some broader point about cryptography, please realize the CIA is not the NSA. The only thing this proves is there is a huge gap in the capabilities of different agencies.
They are using git, have troubles with idiots who put binaries in git, know about Git-Flow (my favorite branching technique), are doing retrospectives (so Scrum sprints), are trying to do something that looks like semver.org for release numbering (although most of it is quite wrongly numbered). All in all, quite a typical software development company. Okayish in software development processes and practices. Could be better here and there.
We knew that strong encryption works, because "math and stuff" that lawyers never learned. The point is that the mega companies are WILLINGLY giving your data away to anyone that pays. They provide an unencrypted endpoint to your data, so encryption of data in transit doesn't matter. We are much worse off than we were four years ago, and the cloud is going to make it worse(er).
Will you please stop pasting this bullshit into every thread dealing with processors and security? It's written in the style of a paranoid conspiracy theorist which ensures that nobody will read it or click the links. All you're doing is making people scroll a lot to get past your bullshit so that they can read comments that are actually about the article.
Given that IME is for system administrators, the good admins already know about it. The bad ones don't care. So posting this drivel only proves your stupidity and general asshole-ishness.
The other thing evident by omission is that (say) the CIA gets a warrant to hack into your TV. They'll start collecting data, but will they 'unhack' your TV when they're done? Not much to suggest they do, so your TV stays hacked, even though you're not a suspect in some new case they're working on.
Now the powers to be really have an incentive to outlaw encryption. Great!
There used to be a ban on exporting encryption software. It was classified as a munition. Of course this preposterous classification relied on the absurd assumption that nobody outside the US could develop software to do useful encryption or that they would be unwilling to distribute it if they did. Eventually the ban was lifted during the 1990s because it was hurting US companies and because it was basically an unenforceable anachronism once the internet became a thing.
That's not to say that the US (or other countries) couldn't make some idiotic laws along the lines of making use of encryption without permission a crime. Sort of the XKCD wrench approach to the problem.
it may not stop them if they decide you are a high-value target. But it stops mass surveillance dragnets in their tracks.
And that's really what privacy laws are supposed to be about. If the government has a legitimate good faith reason to be investigating someone they have the tools to do this and to a point should have reasonable rights to investigate. Broad sweeping surveillance however should not provide them the same degree of resolution on any given individual. Law enforcement and defense surveillance should have to jump through some hoops and do some actual work to target any individual. That's the entire point of the 4th Amendment as well as several others. An investigation should be harder than looking up a database record because governments have shown they cannot resist abusing such power when made available to them. The notion that encryption will somehow make it impossible for them to do their job just hasn't been shown to be true in reality.
In practical terms however the reason encryption works isn't a moral one. It works because it keeps the economic cost for police to watch a given individual non-trivial so that they have to pick and choose who is worth bothering to watch. It used to be that getting the records and communications required a significant expenditure of resources. With email, modern phone systems, and the internet some of that became much easier. So much easier that it causes all sorts of problems with protecting civil liberties. Encryption balances things back out. They can still come after you if they need to but it has to rise to a certain level of suspicion to make it worth their while.
prints out the TCP packets from eth0 in HEX or ASCII format. So, actual encrypted packets would look like garbage. prints an overview of system audit information, including failed login attempts. traces packets sent from start to finish. A LAN scanner would be good to have too just to see who's on the router. I used to use one to see if my RA was in the building or not.
Mistake number one, naming your phone with your actual name or a name at all. Entering a " " actually prevents devices from seeing the phone when using it as a hotspot, so it may have other benefits. Or, just name everything the exact same and let the router assign numbers. They change every so often.
Lynis (and Rkhunter) is an open source program built for finding Rootkits on Unix-based systems, i.e. Linux and Mac. It also prints out suggestions from what it finds to harden your system. ClamAV is an open source virus scanner; unfortunately, its front ends are different for different operating systems and makes it hard to tell if you're getting the real thing. You should also hide your network if you can. In other words, people driving by your house can't pick it up normally when scanning. I think Kali has tools to circumvent this, which brings me to next point. Kali is a Linux based distro that's been around for a really long time and is designed for ethical hacking and could be used to test your stuff out.
Oh and, for the love of God, encrypt your Home directory. Linux has LUKS (SHA512), Mac (not sure) has FileVault, and Window$....not going to matter if running 10. You can also learn how to shred your files to prevent recovery. Emptying the trash doesn't do much good anymore. For Mac users, "srm" (secure file removal) command is built in even though they removed secure empty trash option for whatever reason. It wipes 35 times by default. Linux also has srm available, as well as "shred" built in with wipe number options. There are many others for Linux.
Bleachbit for open source cleaning of caches is available for both Linux and Window$, and I think they've been working on a Mac version. And, it never hurts to wipe Swap and RAM every once in a while. Cover your webcam if you don't use it.
Skype is a convenient trap. If you only need one-on-one calling, use a Tox client. It's encrypted and is available for just about everything, including phones, and supports video, vocal, text, and file sharing. It connects to a server like a switchboard and then it's all p2p from there. Only mentioning this because I read somewhere that Signal and Telegram were compromised. WhatsApp, the Facebook owned version, should have been a given. Duh.
As far as web browsing is concerned, NoScript, Privacy Badger, HTTPS Everywhere, and uBlock Origin. Block and uninstall Flash if you can. Most things are HTML5/MP4 these days anyway. DO NOT USE CHROME. Google digitally fingerprints everyone. Chromium with a user agent spoofer addon is a good alternative. Firefox is still the best though. ;P
Not everything mentioned is fool proof, but they are tools available to most OS's and people need to start being more proactive in their computing defense. You may not have anything to hide, but "probable cause" is incredibly vague these days, and it'll get worse because of this. https://theouterlinux.com/priv... if anyone is interested. I need to add more stuff.
TLS has nothing to do with the underlying encryption. That hasn't been broken, but the trust put into the people verifying identities has been misplaced. That's an entirely different matter.
Let me play devil's advocate here. Let's say for a moment that the CIA does indeed have whatever hardware is required to easily brute force modern encryption with the current key lengths we are using. Maybe that's some sort of quantum device or perhaps they have access to standard computing power beyond what anyone imagines. That part doesn't matter for the sake of this argument.
What would you do if you were the CIA? How about release exactly the information we see here - information about some actual tools of some value, in addition to misinformation that makes it appear they are stymied by the encryption and must instead go after the endpoints. So we feel all smug and secure, while in reality they can simply access the data in transit. They then use these tools and methods described in the leak as the smokescreen in court (when needed) to show standard methods for acquiring data that is more traditional and highly targeted to a specific device, both to keep their data legal as admissible evidence and to hide their true capabilities.
Or am I giving the CIA way, way too much credit here?
Better known as 318230.
It is APK. You can't expect much different
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
The intelligence community has given all indications, time and again, that breaking cryptography is not the vector they usually resort to in order to obtain information. Other, more traditional, techniques, today euphemistically (and pretentiously) called "social engineering", are much cheaper and effective, under most circumstances.
Cryptographic digital signatures are a way to reliably sign the contents of a message or system update packet (and such) so that any attempt to tamper with the data can be easily detected, while any attempt to forge a valid signature on tampered data is extremely difficult. This way, for example, it becomes extremely difficult to broadcast bogus system updates which actually install malware from a third party, since it is easy to detect if the data is corrupted and/or if the signature was not generated by the purported authority.
Moreover, encryption can be cascaded in various ways so that only the authorized sender could have generated an encrypted message (or signature) and only the authorized recipient can decode it (or them)... as well as only authorized intermediaries being allowed to transmit it from them to you (e.g., passed via Gmail to your specific ISP for delivery). This further stymies any efforts at man-in-the-middle attacks or forged document attacks (such as fake update patches).
This, for example, means that a sender can generate a single encrypted update packet to send to all its customers but use a unique cryptographic digital signature per customer message so that each customer in turn, and only that customer, can validate then install the signed update they receive. By using per-customer unique signatures, broad-based “shotgun” approaches to disseminating malware are no longer tenable.
Note that such use of encryption is not just about data privacy, it is also about verifying data integrity (the data was not corrupted) as well as authority/authenticity/provenance (it came from a specific authorized source who is who they claim to be).
Error: NSE - No Signature Error
Other than those pesky Amendments such as the 4th against illegal searches and the 5th against self incrimination...
Implementation, implementation, implementation..
Can we please get tech-journalists that at least get the very basic vocabulary right?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
If tech companies continue to make it difficult/impossible for law enforcement to do basic law enforcement-type things merely for the sake of making extreme, unnecessary obfuscation of your pointless texts a marketing slogan, this is where things will wind up.
Perhaps but I doubt it. See companies like Apple and Google have the money to pay for lobbying, bribes, and thanks to a recent decision by our Supreme Court unlimited campaign contributions. Companies can and do buy politicians.
Only a clueless idiot thinks that encrypting my communications is "unnecessary". I don't actually need to have done something wrong for my communications to be used against me. Innocent remarks can be incredibly easy to misconstrue, intentionally or unintentionally. Just because I have nothing to hide doesn't mean I have nothing to fear.
And with so many idiots out there already shitting themselves over Trump being Super Ultra TurboHitler, there's no incentive to stop the fear mongering any time soon.
Don't have to stop it. Just have to fight fire with fire. There is no way to have a secure internet without encryption where only the "good guys" (ahem...) have access to your dirty little secrets. Just point out all the bad things that will happen without encryption and companies (like Apple) will hire all sorts of flesh eating lobbyists and lawyers effectively on your behalf to keep their cash flow going. The best defense against security theater FUD might turn out to be more FUD pointed in the opposite direction.
There is also that pesky little problem of the 4th and 5th amendments. Not the greatest of comfort in the short run but in the long run they do tend to keep the government stooges at bay over sufficiently long time periods.
Encryption doesn't work, it's just that USAF's 30*50*150 qubit quantum computer is so secret that ordinary CIA/FBI/NSA posse cannot be told about it. They sincerely believe 256-bit AES and 2048 bit EC is secure and bearded tenorists or pedo-bears can only be nicked via Stingray and similar workarounds. Only in the most severe cases (like an impending nuke strike from RUS or an alien spaceship invasion) would the NSA's inner cabal reveal the all-crypto breaking, universal quantum computer capability.
Are you sure? It seems too coherent for APK.
Ezekiel 23:20
it's all about how much time the end-user puts into encrypting their own data. oh, the things you can do with unhelpfully labeled nested zip-splitting...
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
If your goal is to convince, you're going about it the wrong way and then some.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
It has hints of APK but not shrill enough. Not enough scare quotes or sudden exclamations of LOL.
But I wouldn't put it beyond certain politicians to try.
Table-ized A.I.
This one knows too much. Send extra chemtrails over his house boys.
You're scared shitless of largely illusory terrorists. Expect 'safety' to win in the end. That's what helped get Donnie in.
Very persuasive.
There is a huge gap between crypto theory (https://www.cs.princeton.edu/~felten/encryption_primer.pdf) and expressed and implemented crypto reality. This gap provides many opportunities for anybody who wishes to favor attack over defense.
Traffic Analysis/meta data collection provides cheap, effective attack against virtually all current communication channels. Once you know who, when, where, how, and approximately what they are saying, you usually don't need to break their crypto.
The easiest way to weaken crypto implementation is to simply withdraw support for updates and improvements. Good crypto is hard. Defense is expensive. Without constant support, defenses fail. If you wish to weaken crypto defenses, it is usually sufficient to withhold support for good standards and good processes, and fail to eliminate mistakes.
The next most cost effective ways to weaken crypto implementation is to focus on degrading or hindering:
Good crypto implementations are almost indistinguishable from bad crypto implementations. The market will cheerfully purchase poor crypto if it is available, cheap, and the consequences are not immediate.
If an attacker ever needs to access info that is protected by a robust crypto implementation, it is usually faster and cheaper to subvert its surrounding environment, people, hardware or software.
Reform of the Intelligence agencies should begin by greatly reducing their budget. Currently, they are huge, bloated, unmanageable monsters. They twist government to their whim. They distort the civilian economy. They cause massive incidental damage. A slim, tightly focused agency can be more carefully controlled and managed. A small, efficient CIA or NSA would achieve almost all of OUR important goals with a tiny fraction of the collateral damage.
Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents,
Of course they would say that, because it's in their interest to claim that they defend their customers' privacy. That's what the whole San Bernardino iPhone debacle was about: Apple wants to keep being perceived as the Mercedes of computers.
Just let APK have his fun. It isn't often that one of his alter egos can be semi on topic with his batshit insane rantings.
Time to offend someone
It also lacks the petty name calling and swearing that APK puts in when someone calls him on his rantings. Furthermore, APK at least claims his rantings.
Your honour, I rest my case! :)