Slashdot Mirror


User: Error27

Error27's activity in the archive.

Stories
0
Comments
913

Comments · 913

  1. Re:Obvious solution on SourceForge Responds To nmap Maintainer's Claims · · Score: 1

    Github is only free for tiny projects. You get what you pay for.

  2. Re:Not at fault, but was it avoidable? on Self-Driving Cars In California: 4 Out of 48 Have Accidents, None Their Fault · · Score: 1

    We only know about the accident that happened to the non-Google car. It was stopped waiting in the turning lane and someone scraped up alongside it.

    Two of the accidents were human drivers bumping into cars in the google parking lot. I remember when those happened a couple years back.

  3. national security aspects on How 4H Is Helping Big Ag Take Over Africa · · Score: 1

    You know how the anti-piracy kill switch on Microsoft operating systems will let America turn off a country's computers? GMO foods are the same thing except America can stop your country from eating.

    Zambia tried to negotiate an arrangement with Monsanto for situations where America imposed sanctions but couldn't come to an agreement so they banned GMO foods. Banning the import of GMO foods is only fair since the country can't grow GMO foods for national security reasons.

  4. Re:Why? on Lead Mir Developer: 'Mir More Relevant Than Wayland In Two Years' · · Score: 1

    My read of the article is that the problem with Wayland is that the devs were writing specs instead of software. There was lots of planning and no doing. Remember that originally Ubuntu was supposed to be running X-Mir by default in Oct 2013.

    Those days were more optimistic times for Ubuntu and they thought they could create a new display server in a year. These days Mir and Wayland seem to be at about the same stage of readiness.

  5. Re:iPod Classic on Apple Announces Smartwatch, Bigger iPhones, Mobile Payments · · Score: 1

    Sony sells a walkman branded mp3 player with a scroll wheel.

    http://www.amazon.com/Sony-NWZ...

    It's not quite as good as the Apple wheel because you just press on the side of the wheel instead of spinning it. That's the only bad thing; otherwise it's basically the same.

  6. Re:Get it FIPS certified on Not Just a Cleanup Any More: LibreSSL Project Announced · · Score: 1

    If you read the article then you'll see that OpenBSD explicitly rejects FIPS certification as a goal.

    FIPS certification is why OpenSSL includes the NSA backdoor DUAL EC pseudo random number generator. The code doesn't work but it's still included and can't be fixed. Anything which leads to an outcome like this... Disgust. Disgust and revulsion.

  7. Re:Original premise is false on How Does Heartbleed Alter the 'Open Source Is Safer' Discussion? · · Score: 2

    This code could have easily been detected with static analysis. It's a common failure pattern. You just taint data from the network as untrusted and look for invalid use cases.

    I do static analysis like this on the linux kernel for a living.

  8. Re:that's really stupid of them on ZunZuneo: USAID Funded 'Cuban Twitter' To Undermine Communist Regime · · Score: 2

    It's not clear that USAID was at the front on this operation. They were funding it secretly through shell companies. When it comes to clandestine operations the CIA has better qualifications. It's just stupid, and more stupid.

  9. that's really stupid of them on ZunZuneo: USAID Funded 'Cuban Twitter' To Undermine Communist Regime · · Score: 2

    The government already has the CIA for this stuff. It was amazingly dumb of USAID to start doing the CIA's job. The head of USAID should resign followed by a full investigation.

    But that won't happen because the government has stopped caring about appearances any more.

  10. "No evidence of abuse has been found" on Obama Announces Surveillance Reforms · · Score: 4, Informative

    Obviously LOVEINT is one example. But more details are coming out about how David Petraeus was caught having an affair because of "metadata" collected by the NSA.
    http://www.charlotteobserver.com/2013/06/17/4111871/metadata-helped-reveal-gen-petraeus.html#.Utlud2nfqCg

    When Jill Kelley first reported getting threatening emails about Petraeus, the FBI read all her emails as part of "a routine step".
    http://www.nytimes.com/2014/01/06/us/from-petraeus-scandal-an-apostle-for-privacy.html

    They didn't have a warrant to read her email, they just hacked into google and made a copy of everyone's email. If you report a crime to the FBI they read your email. Simple as that.

  11. Re:Sensationalist headline is Sensational on Thousands of Gas Leaks Discovered Under Streets of Washington DC · · Score: 1

    Typically these leaks are very small and are no danger to the public, which is why they are allowed to persist.

    You didn't read the article. You didn't even read the summary. There were 12 which were dangerous. They reported them and the gas company had only fixed 3 of them four months later.

  12. Re:Doesn't pass the smell test on NYT: NSA Put 100,000 Radio Pathway "Backdoors" In PCs · · Score: 1

    The 8 mile thing was an NSA transmitter in a helicopter. It was used to hack someone's system through a bug in their wifi drivers.

  13. Re:Has anybody seen the actual "evidence"? on Security Experts Call For Boycott of RSA Conference In NSA Protest · · Score: 4, Insightful

    The wikipedia entry is good on this:

    http://en.wikipedia.org/wiki/RSA_Security#NSA_backdoor

    RSA has not disputed any of the facts but only argued that they did it out of ignorance. $10 million buys a lot of stupid. $10 million is peanuts for EMC but for RSA at the time, it was quite a bit.

  14. It's not about fighting terrorism on Even After NSA Leaks, Government Still Trusted Over Private Firms · · Score: 1

    Reasonable people don't believe that Angela Merkel is a terrorist. Instead of talking about terrorism, it's more important to talk about how the NSA spying benefits us during trade negotiations.

    Technically, I suppose it doesn't benefit all of "us"... Oh well. Sucks to be you I guess.

  15. Re:The Case of the Dog That Didn't Bark on RSA Flatly Denies That It Weakened Crypto For NSA Money · · Score: 1

    The NSA documents on this have been leaking for a while. There are ones that dealt with pushing DUAL_EC through NIST. The documents dealing with RSA are separate corroborating documents which fill in some details.

    It's likely that the NSA documents on subverting OpenSSL will leak eventually. Anonymous government sources estimate that at the current rate the NSA leaks will take two more years before they have all been released.

  16. They're not denying the article really on RSA Flatly Denies That It Weakened Crypto For NSA Money · · Score: 5, Interesting

    They're just claiming again that they assumed the NSA were good people.

    This all happened in 2006. RSA adopted DUAL_EC. RSA was sold to EMC. NIST released the standard. Microsoft researchers showed the flaws in DUAL_EC. The flaws in DUAL_EC have been known since 2006, the only thing we didn't know was that they were deliberate.

    Also it's interesting to note that an anonymous organization paid for the same DUAL_EC algorithm to be added to OpenSSL. With OpenSSL at least they didn't make it the default but it's not far off from what RSA did.
    http://arstechnica.com/security/2013/12/nsas-broken-dual_ec-random-number-generator-has-a-fatal-bug-in-openssl/

  17. The US has this capability, of course on NSA Says It Foiled Plot To Destroy US Economy Through Malware · · Score: 1

    http://www.theinquirer.net/inquirer/news/2290640/germany-warns-against-using-windows-8-due-to-security-risks

    You just revoke the keys and suddenly the machine can't boot.

    It's funny how the NSA accuses China of inserting back doors but Snowden shows how the NSA inserts back doors. China hacks into systems but Snowden shows the NSA has hacked into tens of thousands of networks. And now the NSA is bragging about preventing a shutdown button when we already know it did the exact same thing.

  18. Re:problem is on Employee Morale Is Suffering At the NSA · · Score: 1

    We can be pretty sure that the NSA data gathering was a part of how General Petraeus was forced to resign.

    The NSA shares its data with 11 other federal agencies such as the FBI (crime stoppers), IRS (tax collectors), DEA (drug wars). It may be that the FBI acted alone using already shared metadata information from the NSA. Or it may be that the NSA was more actively involved. If they were involved, that information would be classified.

    Petraeus stood a reasonable chance of being elected president. The information was there because the NSA collected it. At a certain point it was decided to force him to resign. That decision was a political one because it has a political impact.

  19. Re:Inflammatory Subject on How Your Compiler Can Compromise Application Security · · Score: 1

    It doesn't forbid it. GCC doesn't even warn about it when it silently removes things. In the kernel, we turn most of these optimizations off now but before then it did cause kernel security bugs.

    My guess is that you didn't read the PDF?

  20. That's good news on NSA Director Keith Alexander Is Reportedly Stepping Down · · Score: 0

    One thing that people talked about was that Alexander knew too much dirt on everyone and couldn't be forced to resign. It makes it easier that he stepped down voluntarily.

    If you think about it, the NSA had enough information to force former CIA director David Petraeus to resign. I'm not saying they did, I'm just saying that they had the information and could have done it if they wanted to. But at the same time they were not able to prevent actual terrorists like the ones who attacked Westgate mall. The difference is that it's easier to spy on normal Americans than it is to spy on terrorists.

  21. Re:C/C++ operator = on The Linux Backdoor Attempt of 2003 · · Score: 1

    I actually fixed one of these bugs in the kernel last month.

    But you are right that these are very rare. I did a git search of patches which only add a single '=' character and there are normally two kernel bugs like this per year. In other words, we have 50,000 patches per year and only 2 patches have this sort of bug.

    I have spent quite a few days auditing for these bugs in the kernel. They were rare the first time I audited in 2002 but these days we have several ways to make them even more rare.

    Imagine you have "if (x = foo) {":
    1) GCC suggests using extra parentheses around the assignment like "if ((x = foo)) {"
    2) Checkpatch.pl suggests breaking it up into two statements. "x = foo; if (x) {".
    3) Static checkers complain about it if foo is a constant, or if the checker is in verbose mode, then it complains if foo is not a function call. (A lot of static checkers complain. It's a favorite thing to look for).

    One thing that I have just thought of is that we should have a warning where checkpatch.pl complains if people do: "if ((x == foo) || (x == bar)) {". Sometimes it's hard to know where to add parentheses for readability, but for comparison operations the parentheses are obviously bad style.

  22. Re:The truth gets out... on NSA Bought Exploit Service From VUPEN · · Score: 3, Insightful

    This isn't the only way or even the main way that the NSA exploits systems.

    Things we know:
    1) The NSA collects SSL keys.
    2) The NSA can generate fake SSL keys.
    3) The NSA has performed MiTM attacks against Google and Microsoft.
    4) We know where many of the places are that they splice into the undersea cables.
    5) US embassies often have Echelon hardware for tracking satellite communication.
    6) The GCHQ stores three days of internet traffic (not metadata but everything).
    7) The NSA collects metadata from everything. Email. Phone. Letters. Facebook.
    8) The NSA planted spies in large corporations.
    9) The NSA have influenced/degraded encryption standards.
    10) The US government and Israel created stuxnet.
    11) The NSA monitors all credit card transactions outside of the US.

    We don't know the specifics though. We don't know:
    1) If there is a backdoor in Windows or Linux or libssl.
    2) If hardware random number generators have been backdoored.
    3) If there are backdoors on the motherboard or in the ethernet firmware.
    4) How they are tracking in other ways, via license plate readers or sensing your various personal radio devices.
    5) How are spy satellites used for domestic surveillance?
    6) Just how much information is shared between the agencies to avoid fourth amendment rules. We know that the NSA and the GCHQ share an office. We know that the NSA gave unfiltered data on non-criminals to Israel.

  23. Re:News? on NSA Spies On International Payments · · Score: 2

    That same logic could be applied to anything. "You were mugged on the way to work? That's what muggers do. Boring."

    This is interesting because it shows:
    1) How the internet changes spy craft.
    2) How dangerous it is to aggregate data.

    It raises interesting questions:
    1) Have other countries infiltrated VISA as well?
    2) Has VISA been infiltrated by organized crime as well? Would that be profitable?
    3) What personal information is there?
    4) Has the private data been used to blackmail people in interesting ways?

    This revelation requires some actions in response:
    1) VISA can't just allow their private data to leak.
    2) Other countries where this is illegal might consider a response.
    3) The IT industry must take more action to prevent this kind of attack.

    There are also legal issues:
    1) If this hurts VISA, then can the NSA be sued for the loss in business?

    The timeline from now looks like:
    1) Next six months: More NSA activity will be uncovered. NSA front companies will be exposed. Techniques will be analyzed.
    2) Next few years: Changes to the IT industry such as updated encryption. Finding fixes/replacement for SSL since it has failed completely.
    3) Next decade: Countries and corporations will have to update their IT budgets and what tech they buy.

    This assumes that Snowden does not leak the 400Gb of data in his insurance file. If that happens then much of the web will have to be shut down for a couple weeks. The stock market will collapse. Government officials in many countries will have to step down as we learn more about their private life.

  24. The ARM problem is a security problem on Linus Responds To RdRand Petition With Scorn · · Score: 2

    ARM chip designers view hardware as disposable. Why worry about software security updates when you are just going to replace the phone every 18 months?

    Cursing about it on LKML is useless though. Linus should start a change.org petition to address this issue.

  25. Re:Suddenly, the money is in hardware. on Official: Microsoft To Acquire Nokia Devices and Services Business · · Score: 1

    1 Samsung
    2 Apple
    3 LG
    4 Lenovo
    5 Huawei
    6 ZTE
    7 Sony
    8 Coolpad/Yulong
    9 Nokia
    10 HTC
    11 Blackberry

    After that then you have a dozen other Asian brands selling Android phones. Samsung and Apple control 50% of the market.