Most Tor Keys May Be Vulnerable To NSA Cracking 236
Ars Technica reports that security researcher Rob Graham of Errata Security, after analyzing nearly 23,000 Tor connections through an exit node that Graham controls, believes that the encryption used by a majority of Tor users could be vulnerable to NSA decryption: "About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key," rather than stronger elliptic curve encryption. More from the article: "'Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys,' Graham wrote in a blog post published Friday. 'Assuming no "breakthroughs," the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they've got fairly public deals with IBM foundries to build chips.' He went on to cite official Tor statistics to observe that only 10 percent of Tor servers are using version 2.4 of the software. That's the only Tor release that implements elliptical curve Diffie-Hellman crypto, which cryptographers believe is much harder to break. The remaining versions use keys that are presumed to be weaker."
Re:well (Score:5, Insightful)
I recommend a "zero time pad" : if you want it secret, don't put it on a computer.
Getting tired here (Score:3, Insightful)
The more I read of Slashdot (and to an extend Ars Technica), the less I want to continue reading. All it is these days is NSA, NSA, NSA. It's too damn depressing and what's worse, it's one of those situations where it's
(a) an intangable threat (you will probably never suffer directly because of what they're doing, but it still feels wrong)
(b) related to (a), it's something that the wider public doesn't know about and would be hard-pressed to convince is a threat without sounding like a looney
(c) cannot be overcome (moving to Linux for example doesn't change much if the network can still be tapped, and evidently TOR is now comrpomised), short of abandoning technology and reverting to primitive technology for, again, a hypothetical threat that will probably not ever affect us DIRECTLY, but still something we know shouldn't be happening.
I just want to read about science and technology, interesting shit. Seems impossible to do that anymore since clearly NSA stuff rates rather highly.
TL:DR - what's the point of knowing how evil things are if tangible, WIDESPREAD changes aren't going to happen due to our lack of power? You just become miserable, while everyone else is (relatively) happy because they don't know. There's a reason ignorance is bliss is a saying.
Re:Other than a few uber nerds (Score:5, Insightful)
What's this "have to hide" bullshit? What if you want to hide? A large percentage of the population are introverts, and a significant proportion of both those (among others) don't have any desire to share anything personal with anyone, at least aside from those they choose to. Some people like privacy, like anonymity, like not being seen by others. Hell - I get a serious case of anxiety if someone is merely standing behind me, no matter how innocuous my activities.
Please, don't start with this "if you have nothing to hide, you have nothing to worry about" utter crap. The next step to that is "if you have anything to hide, you're probably a pedophile" which you're already alluding to. No, we just don't like oxygen-wasting cretins sticking their nose into our lives. Considering such a vast number of people value their privacy in exactly the same way, this behavior is *natural*.
I make very little effort to hide my presence online. But if I did choose to, then by no means does anyone have any justification to suggest that there's something wrong with wanting to hide. It's part of the human condition - some people like being seen, being known, being pored over - some people prefer the exact opposite.
You might suggest this is an over-reaction, that you're merely pointing out that the internet isn't for people who want to hide. But the point is, it should be. You should be directing your energies to fixing the problem - not just throwing your hands up and saying 'don't bother trying to hide even if you want to'.
Re:Getting tired here (Score:1, Insightful)
Oh fuck you. My post was basically a cry for help and you come here with your superiority complex. Maybe I'm suffering a bit of disillusion here because I'm helpless in a shit world. Could have given some advice you know.
Re:Other than a few uber nerds (Score:5, Insightful)
Exactly. Some activities need to stay hidden. For example:
* I don't want someone's Christmas gift to be spoiled for them.
* My neighbors don't need to know how much my electric bill was, or what tier of service I have hooked up to that wireless router.
* I have a very dedicated stalker, whose information is limited because that person can't dig into my email or other accounts to find out what I'm up to.
* If I post on a forum for people who own a particular product, I don't need people to be able to find my house so they can steal it.
* A friend who's hurting after a disastrous breakup might email me something in confidence. That should stay confidential.
* Employment and tax documents, with pay grade information and SSNs and all kinds of other PII.
* Online banking, anyone?
* I may compose some music that isn't ready for release yet, and that needs to stay private until it's been polished.
* Medical records about who has what rash on their what now?
There's just some information that doesn't need to be free. No nefarious intent, just things that shouldn't be public.
Re:Other than a few uber nerds (Score:4, Insightful)
"If you have to hide, the Internet isn't for you."
"pedophiles and botnets"
Are you cutting yourself with that edginess?
You know what, I've yet to see anything worth reading coming from your keyboard and this is your crowning glory - associating people who want some privacy with pedophiles.
Your opinions are worth less than the photons they have been written with.
Ciao. Meet your new status.
--
BMO
Re:Getting tired here (Score:5, Insightful)
So every new story adds to work mentioned in the past. In 30 years this would have been amazing news.
Getting all this crypto and telco news now is going to allow some very creative people to release some new software and hardware.
Re:Getting tired here (Score:5, Insightful)
I just want to read about science and technology, interesting shit.
I feel your pain, but unfortunately, if the NSA/intelligence complex truly can not be reined in (and I'm not optimistic that it can be), I think you're looking at the dark ages for any science or tech that doesn't serve their purposes.
Someone posted the following citation at the New York Times yesterday, which really struck a nerve with me:
"The man who is compelled to live every minute of his life among others and whose every need, thought, desire, fancy or gratification is subject to public scrutiny, has been deprived of his individuality and human dignity. Such an individual merges with the mass. His opinions, being public, tend never to be different; his aspirations, being known, tend always to be conventionally accepted ones; his feelings, being openly exhibited, tend to lose their quality of unique personal warmth and to become the feelings of every man. Such a being, although sentient, is fungible; he is not an individual." Bloustein, Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser, 39 N. Y. U. L. Rev. 962, 1003 (1964).
Don't think for one second that this is an intangible threat. The people who blissfully ignore or accept it are exactly the people who won't be doing the paradigm shifting science or creating disruptive technologies. The people who would do those things are stuck with the same choice you state: acknowledge a really sucky situation and face being miserable, or ignore it as 'intangible' and go about their day, and just focus on uncontroversial science and tech that won't get them in any trouble. Can that possibly be a good thing?
Re:Getting tired here (Score:5, Insightful)
I think their point is that Slashdot (and presumably most tech sites at the time) focused more on tech, developments, hard science and whatnot. Now it's basically more about the politics that goes on in tech, such as data mining, surveillance and patent wars. Sure, the stuff being talked about is serious and worth covering, but it dominates coverage these days and the balance doesn't seem to be there anymore.
Also, if you are a fan of a site, you SHOULD piss and moan about the quality of the articles and discussion. The only reason you'd bother is if it was once great and has devolved, and you're not pleased by it. There seems to be this impression that making noise and complaints about something is a BAD thing. No wonder things are getting worse.
billion dollar terrorists, yeah (Score:4, Insightful)
Yeah, actually if someone is bad enough to make the NSA's top 10 list, it'd probably be good for someone to be reading their email. I have a BIG problem with the fact that the NSA is tracking everyone's emails and phone calls. I've contacted my congressman about that more than once, calling them out very publicly.
The top NSA agents know who the really bad guys are, the guys who will probably be involved in the next 9/11. Maybe they can't publicize the intelligence that proves it, maybe they are missing a few details, but we knew who bin Laden was. I'm fine with invading their privacy.
But but but if they invade anyone's privacy, they'll invade everyone's privacy. If we let them, yes. Ideally what we want is systems, including budgets and oversight, which only allow them to spy on a few people, so they have to pick which ten people they really do need to spy on.
Re:a few hours for one key would be good (Score:0, Insightful)
nice try nsa apologist
Re:Getting tired here (Score:5, Insightful)
I'm going to take a stab at empowering you.
We're in a long term fight for human freedom. Long term means you may have to influence people now who can just possibly help us, or at least you, ten or twenty years down the road. Pick people who are running for minor or local offices, and need a little help, whether it's contributions or getting out the vote or going door to door. You don't have to spend a fortune or put in fifty hours a week on top of your day job to be remembered as one of those people who helped congressman X get his start in politics.
Write letters - you'ld be surprised how many seemingly major pieces of legislation draw two or three letters as they are up for debate, and how getting letters from as few as 10 or 20 people may make a congressman suddenly vote the way he now thinks the vast majority of his constituents want him to vote. Senators and Representitives may see 10,000 e-signatures on a stock electronic petition, but don't usually see even 10 actual letters. A letter thanking them for having done the right thing after it's over is even rarer.
Focus on the persons who seem like they have a good chance of making it to higher office eventually. Find out what a Farley file is, and make sure you end up in a few, in a positive way. Work on your spelling and grammer - An eloquent nutcase may be able to pass as a mainstream voter, but a mainstream voter who writes in all caps and spews sentence fragments, can definitely say something eminently sensible and still be labled a nutcase.
Here's a link for Farley Files. Politicians who make it to high office just about invariably use these, so it's always helpful to know about them. Learning to watch for signs a candidate uses the system is a way of spotting the ones who will go high enough they may someday be able to address issues like the NSA programs. It's also useful to consider in judging what a politician truly considers important rather than what he says in prepared speeches - that is, if he or she is using a file, what do they focus on.
http://en.wikipedia.org/wiki/Farley_file [wikipedia.org]
Re:a few hours for one key would be good (Score:5, Insightful)
I disagree with your assertion that since you're not a terrorist, the NSA has no interest in you and/or what you do. Law enforcement tools are always used to their fullest extent. I mean, it makes sense; law enforcement is a bit hamstrung by rights guaranteed under the constitution - they will use whatever tool is at their disposal to get their job done.
Whether or not you were investigated when the system was new is irrelevant to what law enforcement has started (or will start) using these systems. Also, to obtain a FISA warrant for an investigation related to terrorism is quite trivial and open to interpretation. Any evidence discovered of other crimes in that warrant is usable in court. I have seen it first-hand while siting on a federal jury last summer. A US khat-selling ring's sending money overseas was investigated by DHS due to concerns about possibly funding terrorism. It wasn't, but the multi-million dollar investigation had to net something - so I sat on a jury for 5 weeks and sifted through mountains of wiretap transcripts so the federal government could incarcerate a bunch of taxi cab drivers who wanted to chew some khat so they could work a little later and make a little bit more money.
I hate to be the slippery slope guy...but this is typical. It's only a matter of time until these law enforcement tools are used on a wholesale basis (if they aren't being already). After reading about the extremes that the Soviets would go to under Stalin (if you were being investigated, you must be guilty of something), I feel like I have a fair understanding for how far things can go. I'm not suggesting that America is going that way...but why give her the chance, especially when we can do something now? Why not start setting some limits on this stuff? I think that the risks of what's going on outweigh the benefits. Is it unreasonable to do an honest analysis of the real risks of terrorism against the security measures that our government is putting in place?
Re:a few hours for one key would be good (Score:5, Insightful)
I disagree with your assertion that since you're not a terrorist, the NSA has no interest in you and/or what you do. Law enforcement tools are always used to their fullest extent.
National security agencies will use their tools not only against criminals, but against their political enemies who are engaging in Constitutionally-protected activities. For example, J. Edgar Hoover used to tap Martin Luther King's telephones, and then spread personal information about King's sex life to try to harm the integration movement.
Or a recent example. Eliot Spitzer was the Democratic governor of New York, and he was an effective governor who was aggressive about shaking things up. Banks have to report every transaction by every customer of $10,000 or over to federal authorities, and every transaction under $10,000 that looks "suspicious." So the feds get this huge flow of reports. One of the reports was on Spitzer. They investigated and found out as the result of this fishing expedition that he had used an escort service, which was probably legal and almost never prosecuted. Nonetheless, the Republican Attorney General decided to prosecute Spitzer for this, and leaked his name to the press. The Republican AG offered Spitzer a "deal" -- if the effective Democratic governor resigned, the Republican AG wouldn't prosecute him. Spitzer resigned, and was replaced by David Patterson, who didn't want the job and nobody, including Patterson, thought was qualified.
So there you have a partisan use of confidential information that a federal agency got through its financial monitoring process, that a Republican AG used to get rid of an effective Democratic governor.
The more electronic monitoring we have, the more it will be used improperly by politicians to damage their enemies.