Snowden Documents Show How Well NSA Codebreakers Can Pry

Der Spiegel has published today an excellent summary of what some of Edward Snowden's revelations show about the difficulty (or, generally, ease) with which the NSA and collaborating intelligence services can track, decrypt, and correlate different means of online communication. An interesting slice: The NSA and its allies routinely intercept [HTTPS] connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month. For its part, Britain's GCHQ collects information about encryption using the TLS and SSL protocols -- the protocols https connections are encrypted with -- in a database called "FLYING PIG." The British spies produce weekly "trends reports" to catalog which services use the most SSL connections and save details about those connections. Sites like Facebook, Twitter, Hotmail, Yahoo and Apple's iCloud service top the charts, and the number of catalogued SSL connections for one week is in the many billions -- for the top 40 sites alone. ... The NSA also has a program with which it claims it can sometimes decrypt the Secure Shell protocol (SSH). This is typically used by systems administrators to log into employees' computers remotely, largely for use in the infrastructure of businesses, core Internet routers and other similarly important systems. The NSA combines the data collected in this manner with other information to leverage access to important systems of interest.

this is disgusting

[Anonymous Coward]

this is truly disgusting

Hysteria

[MightyMartian]

Before we all get too hysterical, from the article itself:

The digitization of society in the past several decades has been accompanied by the broad deployment of cryptography, which is no longer the exclusive realm of secret agents. Whether a person is conducting online banking, Internet shopping or making a phone call, almost every Internet connection today is encrypted in some way. The entire realm of cloud computing -- that is of outsourcing computing tasks to data centers somewhere else, possibly even on the other side of the globe -- relies heavily on cryptographic security systems. Internet activists even hold crypto parties where they teach people who are interested in communicating securely and privately how to encrypt their data.

In other words, the NSA, GCHQ and other intelligence services are probably only able to crack badly configured or unpatched and badly out of date systems. That doesn't stop them from using out of band vulnerabilities like hacking into someone's PC or forcing some online service to open up the decrypted data, but it seems likely that if you have a well-managed cert chain and your systems are kept up to date and patched, the odds of anyone, government or otherwise, busting into your encrypted data seems pretty low.

My big fear out of all this isn't the unlikely hacking of mainstream encryption schemes, but rather that those that do use encryption may end up being targets of other methods; like malware, to get at their critical data.

Re:Hysteria

[phantomfive]

The article is merely listing tools. I expect that if we have a spy agency, they will use the tools available to spy. That is what a spy agency does. If you're outraged that a spy agency actually does spy, then you're probably addicted to outrage or something.

The problem with the NSA isn't that they are spying, it isn't that they know how to decrypt SSL or mount a MITM attack; the problem with the NSA is they are spying on everybody. Limit the spying to only enemies of the US, and only the paranoid will be outraged.

Re:

[fnj]

Limit the spying to only enemies of the US

Well, anyone with a functioning brain stem who has not been brainwashed is opposed to the shithole that the US rulers have turned the US into. And it's only an easy step for tyrants and their dogs to turn "opposed to the entrenched shadow regime and its sickening views and practices" into "enemy of the state". So I don't get quite such a rosy feeling from "spying on the enemies of the US" as you seem to.

Re:

[phantomfive]

Well, anyone with a functioning brain stem who has not been brainwashed is opposed to the shithole that the US rulers have turned the US into

What a purely coherent basis and sound philosophical foundation from which to make decisions. I'll bet you're a whole bundle of good ideas.

No more soft touch.

[DMJC]

It's time to stop sending keys using dumb methods. Time to start generating keys and physically swapping/installing them.

Anyone can intercept SSH some of the time

[phantomfive]

If you ever get the warning:

The authenticity of host '...' can't be established. RSA key fingerprint is .... Are you sure you want to continue connecting (yes/no)?

That's ssh letting you know that a man-in-the-middle attack could be successfully launched at you, and decrypt all your communication.

Re:

[AmiMoJo]

This attack looks like something else though, judging by the numbers they are attacking. I speculate:

- They have fake certificates from trusted authorities for some major sites, and use MITM attacks to serve up fake pages with them. We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them. We can also potentially defend against this by using more certificate pinning and warnings which certificates change unexpectedly, a

Re:Anyone can intercept SSH some of the time

[phantomfive]

They have fake certificates from trusted authorities for some major sites, and use MITM attacks to serve up fake pages with them. We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them. We can also potentially defend against this by using more certificate pinning and warnings which certificates change unexpectedly, as well as distributed certificate checks (to make sure the one you get is the same one everyone else gets).

I don't think so because not many people use trusted authorities with SSH. (In fact I've never heard of anyone doing that, but surely there are people who do). Most likely the NSA just sits there sniffing traffic that goes by, waiting until there's an SSH to a new box (which actually happens a lot, every time you reinstall or something), then begin sniffing. After that they have the password and everything, so the attack can expand.

Re:

[fnj]

Most likely the NSA just sits there sniffing traffic that goes by, waiting until there's an SSH to a new box (which actually happens a lot, every time you reinstall or something), then begin sniffing. After that they have the password and everything, so the attack can expand.

Do you have slightest idea how ssh logon works?

Re:

[phantomfive]

Do you have slightest idea how ssh logon works?

Why yes, yes I do.

Re:

[lawaetf1]

With a new install you've got a perfect opportunity for a MITM attack.

Re:

[phantomfive]

There is no window of opportunity with SSH even with a new install.

Oh really? Please tell me what magic you use with SSH. Are you copying your keys over manually or something?

Re:

[Uecker]

I doubt this. There are people who verify the fingerprints. And even if you do this only sometimes this is useful. So a large scale MITM attack on ssh would be very obvious. Also if you do a MITM on ssh you would not be able to obtain the password, because it is not transmitted. So to expand the attack they would need to MITM the ssh connections and then use this to install a backdoor. I would say this is far to intrusive to do on a large scale.

Re:

[phantomfive]

It doesn't say they are doing SSH attacks on a large scale. It says sometimes they can do it.

Re:

[Uecker]

It seems you are right about the password authentication. Somehow I thought SSH would do something more clever where the password is not sent over the network, but this does not seem to be the case. In this case public key would still be safer (two factors), but SSH would not leak your password during a MITM attack.

Re:

[Uecker]

Something like this: http://srp.stanford.edu/links.... [stanford.edu]
I wonder why this has never been implemented in openssh. (There are patches and it is supported by lsh).

Re:

[elgaard]

Anyway, they would get your password the first time you did a sudo command.

And when you ssh to the next computer, they get that password too.

Re:

[StormReaver]

That's ssh letting you know that a man-in-the-middle attack could be successfully launched at you, and decrypt all your communication.

ssh issues that message for other reasons, too, such as when you install a new network adapter. In that case, there is nothing wrong.

Re:

[phantomfive]

The message is there when you install a new network adapter. SSH is telling you that when you install a new network adapter like that, it has no way of detecting if the NSA is doing a MITM attack. You're on your own in that case.

Re:

[dweller_below]

Protecting SSH communications for your organization is fairly straightforward if you do some work. You need to use multiple layers. Here is our guide to protecting SSH:

https://it.wiki.usu.edu/ssh_de... [usu.edu]

We try to use multiple overlapping security layers to protect SSH:

• * If possible, use firewalls to limit the vulnerable scope of SSH to a few trusted hosts.
• * Configure firewalls to limit credential guessing by rate-limiting connections to the SSH port.
• * If possible, treat the SSH Port as a shared

Re:

[elgaard]

* SSH users should verify the identity of their systems when they first connect. ...
* We have SSH Honeypots that help us track, understand and respond to SSH attack.

You should have user honeypots. Once in a while present a fake certificate. If the user ignore the wrong fingerprint and type in the correct password, reset the account password.

Re:

[phantomfive]

Those are reasons the message shows up. And all of those reasons you list are an opportunity for the NSA to sneak in and start reading your traffic.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Bengie]

Nope, you're at more risk because of the common password changes. I think it's 3-6 months. Should be using 2 factor.

List of safe protocol

[Anonymous Coward]

those protocols or programs have a major rating (major according to the article means impossible unless someone made a mistake or malware was used)
OTR
TrueCrypt

those protocols have a catastrophic rating (catastrophic for the NSA is a win for US)
ZRTP
PGP

about the SSH thing, it all depend on the cipher used, if you use ssh with a MD2-DES cypher expect it to be decrypted
if you use something like twofish or salsa20 your probably quite secure

Open source for the win

[mrflash818]

The article mentions:

Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed.

Re:

[Areyoukiddingme]

Except for those doors inserted by your hacked compiler

As long as there is more than one independent open source compiler, this can be eliminated as a threat vector by chains of compilers compiling compilers. Overt backdoor insertion routines can be easily detected and removed from a compromised open source compiler. That leaves only extremely subtle backdoors. Those can be defeated by having compilers compile themselves and each other, to break the subtlety.

If you can afford to perform detailed audits of gcc and clang, then follow the correct procedure, thi

Security by obscurity good after all?

[iamacat]

Say, I further "encrypt" my https sessions using ROT13. If NSA is on to me specifically, they will have no problem figuring it out. But if they opportunistically monitor main internet pipes for vulnerable traffic, I should be safe. What if web browsers encrypted data with one of hundreds of algorithms independently developed by smart people worldwide *before* standard https? At least some of them will prove resistent to cryptanalysis and even vulnerable ones will consume some of NSA's computing power and em

Re:Do users really care?

[Anonymous Coward]

Some people care, and you should care, since the information can and will be used to your detriment any time there is profit in it.

Snowden did us a favor. We owe him one in return.

Bring Snowden Home [aclu.org]

Sign it.

Re:

[Anonymous Coward]

It is not in the best interest of Mr. Snowden to re-enter the United States. He can be at his most effective and most free outside of U.S. possessions and territories, and any country with an extradition treaty with the U.S. Even with a presidential pardon his life Stateside would not be easy.
On the other hand, if Bill Clinton can pardon Mark Rich, then Barack Obama can pardon Edward Snowden. It would be a great litmus test for the 2016 presidential candidates.

Re:

[sirlark]

You should be allowed to care

Re:

[Angeret]

What does he need a pardon for? He's done nothing to require one. What he needs is a big shiny medal - the sort that says "you done a good thing there, thank you" and a great big "anybody touches him is in a whole truckload of trouble" award.

Re:

[Angeret]

I've noticed a disturbing trend over the last few months from commenters on various forums to first make a point opposing the previous comment then top it off with a personal dig. I foresee an interesting 2015 as people spend more time throwing insults, epithets and derision than actually making a point.

My point about not needing a pardon is that Snowden didn't give information to the enemy - he told the world. According to the way the intelligence & military communities are portrayed in the released

Re:Do users really care?

[Anonymous Coward]

Unfortunately these days not having a FB account means you are missing out in your social life.

No, it doesn't. For instance, you could always hang out with people not dumb enough to use Facebook, or reject 'social' nonsense. Or, you know, actually hang out with people if for some reason you actually want to be a social tool.

Re:

[AK Marc]

Yeah, except nearly all of my high school classmates have an account, and have posted prom and group pictures with people in them that don't have accounts. And what about family? Not a single family member has an account? I don't believe you. There are plenty of grandmas with accounts these days.

Re:

[Free Censorship]

Maybe live thousands miles away from your friends and family. Maybe your friends and family do not share the same principles like you do.

Who gives a shit what they do? You think being "social" is about reading petty nonsense that they post online, and perhaps responding? I don't think that's socialization at all. If I was a "social" person, I would just do it the old fashioned way: Find some decent people to hang out with in real life. If my family lived too far away, too fucking bad; I don't need to know about them. Maybe you could even occasionally use something called a phone or send a letter. No, that's simply impossible; you need to kno

Re: Do users really care?

[loftarasa]

Oh, shut up already. Not everyone is a 45-year-old neckbeard troll living in their mom's basement with greasy Doritos hands and Mountain Dew stains on their shirts. I know and like my friends since before they joined Facebook. It's outrageously unreasonable to suggest that I ditch them now because they have an account on a website. Surely they don't expect them to judge me on having an account on /. Facebook allows us to communicate on some aspects of our lives, perhaps today most commonly through sharing

Re: Do users really care?

[Free Censorship]

Oh, shut up already.

No. Facebook is an awful company and no one should deal with them. Giving your information to such a company only ensures it will be abused.

It's outrageously unreasonable to suggest that I ditch them now because they have an account on a website.

You don't need to ditch them, but at least don't follow them in getting a Facebook account unless you want to join them in being unprincipled ignoramuses who sacrifice massive amounts of privacy for convenience.

Surely they don't expect them to judge me on having an account on /.

Is Slashdot evil like Facebook? No. Facebook is designed to violate people's privacy and sell information to advertisers.

Re: Do users really care?

[Cloudaki]

If you don't like FB there are alternatives out there. Just saying...

re: Facebook and your info for sale ....

[King_TJ]

Actually, I've had a Facebook account for years and I use it regularly.

Of course I'm well aware that they sift through all of my information and try to resell it. But IMO, it's a pretty well understood trade, and one that I don't have a big problem with. The fact remains, Facebook will only have the information that I willingly provide by way of posting it up there or filling out fields on the site. And meanwhile, they're enabling ME to obtain information on all of my friends and other online connections

Re:

[Free Censorship]

I'm sure you would think that of anything as long as it grows so big it becomes mainstream.

Popular or unpopular, evil is evil to me, so your confidence is misplaced.

every action taken by Big Corp is justifiable and reasonable.

I think about the larger picture, not necessarily about individuals, so again, no.

Re:

[jemmyw]

I couldn't agree more. FB is joyless. I've moved around the world a fair bit, and I've friends and family "thousands of miles away" who I don't need to communicate with on a day to day basis and read the minute of their lives. What do you talk about when you do get together?

Also, everyone does the same stuff anyway. Get together with someone, have kids, get married, buy a house, hop jobs. It could be anyones partner/kids/house, how would I even know? Until you're actually seeing them, it does not impact you

Re:

[Bengie]

Being "social" is all about interacting. If you don't interact, you're not social and may as well not be a human. Until humans figure out a way to reproduce asexually, we'll need to interact. Even asexual organisms are still social because there is safety in numbers. I guess what I'm saying is that what others are doing is logical, you're the illogical one. Don't be so eager to pass judgement.

Re:

[Free Censorship]

Being "social" is all about interacting. If you don't interact, you're not social and may as well not be a human.

Not much real interaction from Facebook, and certainly not of the sexual variety. Also, individuals are social to varying degrees.

Until humans figure out a way to reproduce asexually, we'll need to interact.

I guarantee you that the human race could survive without Facebook. You used the more general term "interacting," but the topic is about Facebook, so nice try.

I guess what I'm saying is that what others are doing is logical, you're the illogical one.

Incorrect. I'm only illogical if I'm violating my own principles, which I am not. There is nothing inherently logical about desiring to live, and nothing inherently illogical about desiring the opposite. Not that I do, sinc

Re:

[Bite The Pillow]

You sound autistic.

I don't know a better way to describe it. I get why people use social networks to keep in touch, and "too fucking bad" is not something that normal, social people would say.

Keep in mind that, since at least the agrarian revolution, it has been a beneficial trait to give at least one, admittedly estimated, tenth of a damn, about what other people think and why they think it.

As a privacy advocate I agree with your sentiment. But your reasoning is flawed, and your understanding destructive

Re:

[Free Censorship]

You sound autistic.

You sound like an Internet psychologist.

Keep in mind that, since at least the agrarian revolution, it has been a beneficial trait to give at least one, admittedly estimated, tenth of a damn, about what other people think and why they think it.

Giving a damn about important events != needing to read their every worthless thought on Facebook. There are many, many alternatives to Facebook (email, blogs, phone, letters, etc.). People were fine before Facebook and such existed, and they'll be fine now.

More importantly, privacy is what matters. "too fucking bad" is an appropriate response.

But your reasoning is flawed, and your understanding destructively so.

My reasoning (Facebook is unethical and therefore you shouldn't use it) is not flawed, and I understand why people use Faceboo

Re:

[Free Censorship]

You sound like a real joy to spend time with.

Facebook is intolerable to anyone with actual principles. That's just a fact. Maybe having principles isn't popular, but then again, I don't really want to hang out with people who use Facebook anyway.

If you love to be an extremely social fool (and I don't, personally), then there are plenty of options besides Facebook, which I've already mentioned.

Re:

[7-Vodka]

... but then again, I don't really want to hang out with people who use Facebook anyway.

If you love to be an extremely social fool (and I don't, personally), then there are plenty of options besides Facebook, which I've already mentioned.

LOL what?

If you reject people with facebook and similar stuff and people don't share your principles, you've just rejected 99.9% of the human population. You must be a very lonely boy.

For those of us 'extremely social' people who you know actually have a few friends and get along with acquaintances, we can't go scorched earth on everyone.

It's not that we're not tempted, it's that the cost benefit analysis of a scorched earth policy sucks donkey balls. No matter how you slice it, being a shut-in is very

Re:

[Free Censorship]

"Lonely" implies that you feel sad due to a lack of interaction with others. That's not accurate for a lot of people.

For those of us 'extremely social' people who you know actually have a few friends and get along with acquaintances, we can't go scorched earth on everyone.

Then just don't use a Facebook account if you don't want to go that far.

No matter how you slice it, being a shut-in is very sad.

What is and is not sad is completely subjective, so no. And I reject the notion that you can't find people who don't use Facebook; others participating in this discussion have said as much.

Re:

[ColdWetDog]

LOL what indeed. Even in my little town of 8000 people, .1% of the population gives me plenty of people to regularly interact with. People that I might want to interact with. Of course, YMMV and if you think happiness revolves around Facebook (or Slashdot or whatever) then good for you.

I personally don't like all that many folks on my lawn.

Re:

[duke_cheetah2003]

If you reject people with facebook and similar stuff and people don't share your principles, you've just rejected 99.9% of the human population.

You say this like it's a bad thing?

Re:

[zennyboy]

I'm British but I live in Spain. Should I not know what is going on in the lives of people in the UK? Or get them to e-mail me everything? Or convince them all to sign up for a service I consider to be 'better'?

Re:

[Hussman32]

While there will be a certain amount of collateral damage, Facebook users ultimately control what they post, and that is where they can manage what they reveal in on-line surveillance. Admittedly recent tracking methods linking Amazon purchases to Facebook feeds are getting really creepy, but it would be hard for the NSA to have anything suspicious about me considering I post pictures of my kids and a few inoffensive jokes (not that there is anything suspicious).

One observation on this thread, the percenta

Re:

[Free Censorship]

While there will be a certain amount of collateral damage, Facebook users ultimately control what they post, and that is where they can manage what they reveal in on-line surveillance.

But they don't ultimately control what Facebook does with the data they have, which is to use it in privacy-violating ways. You shouldn't legitimize an unethical service by using it.

Admittedly recent tracking methods linking Amazon purchases to Facebook feeds are getting really creepy, but it would be hard for the NSA to have anything suspicious about me considering I post pictures of my kids and a few inoffensive jokes (not that there is anything suspicious).

Are you under the delusion that they need anything "suspicious" to flag you? You can get in trouble just by making a joke or using sarcasm that the authorities don't understand. It's not only malice that you must watch out for, but incompetence too. In addition, if you happen to post anything disagreeable, they could flag you an

Re: Do users really care?

[7-Vodka]

I see a lot of similar comments, but I liked yours so I'll address the themes here.

First, facebook is not the only problem. You're kidding yourself if you think it is. The list of technology companies that sucker their users are as long as the list of technology companies that sell 'the cloud'. Google, Yahoo, Microsoft etc.

Worse than this, the evil is not marketing. The real evil is the secret pact between the tech companies and the government's monopoly on the initiation of force, for the benefit of a minority of oligarch families. The elite's technology branch [businessinsider.com]

The real evil is the patriot act, the capture of government, the capture of industry and the subversion of the constitution. All tech companies are a part of this, most willingly, some unwillingly or unwittingly and the only honest ones are forced to shut down [theguardian.com].

The capture of the government and industry is nothing new, but it reached tremendous success in the 20th century. First they captured the congress and the judicial, then the executive, then the monetary system and then they really captured the executive with the JFK assassination [youtube.com]. Don't forget where some of the recent oligarchs originated [youtube.com].

• Are you against marketing?
• are you for privacy?
• are you for honesty as a virtue?
• are you for Free Software?
• are you for the constitution?
• do you believe in free will? (or that you should act as if it exists)
• do you believe in the traditional family?
• are you religious?
• are you for sound money?
• are you an Austrian or a keynesian?
• do you believe that there really is a 2 party system in the USA?

Do you see it yet? if you rule out the vast majority of the population based on internet usage, you're out of whack. Firstly because that's not the real problem.

Also, you might have MUCH MORE in common with someone who uises fb daily than on someone who doesn't, based on your OTHER principles and virtues.

It's like saying, "I'll only hang out with people who are atheists.". That's not enough. In 10 years time that could still be all you have in common. Or they could change their minds.

Finally I would just like to remind people that not only is the USA responsible for millions of deaths around the world, it now tortures people [firstlook.org].

If you refuse to interact with people who support these acts, how will you ever change their minds?

Oh and just for good measure. A fucking surveillance blimp [firstlook.org]. The internet of things is coming to spy on you from the sky 24/7. Is it not enough that you've captured the mass media? If you were to only hang out with people who share all your principles or most important beliefs, you would not hang out with anyone.

Furthermore, having intelligent debate with people who disagree with you (and are virtuous enough to have an intelligent debate) is the only way that you can make any sort of real progress in self discovery and discovery of the universe. If your ideas an principles are not challenged, if you don't go back to first principles to figure what what's really important, if you don't re-assess your beliefs in the face of new evidence, you'll never improve.

Re: Do users really care?

[khellendros1984]

That's just a fact.

You keep using that word. I don't think it means what you think it means. That's an opinion.

Facebook is intolerable to anyone with actual principles.

"Actual" principles being the principles that you hold, and no one else's principles being "actual", No True Scotsman style.

Social networking is an option for socialization. Almost no one uses it to the exclusion of more traditional social activities, although I agree that Internet socialization is a mere shadow of in-person socialization.

You've either got an oversimplified black-and-white view of the world, or you're just getting a kick out of trolling everyone. Either way, I hope it works out for you. The way I'm living my life is working out wonderfully for me, in spite of our differences of opinion.

You can continue being all "stop liking what I don't like!" I'm gonna get back to talking to my friends and spending time with my wife.

Re:

[Free Censorship]

You keep using that word. I don't think it means what you think it means.

It means exactly what I think it means.

"Actual" principles being the principles that you hold, and no one else's principles being "actual", No True Scotsman style.

I don't consider sacrificing privacy for convenience to such a degree and enabling Facebook's behavior by using it to be a very principles move.

or you're just getting a kick out of trolling everyone.

Erm... I would hope that my opinion wouldn't anger anyone on a website for nerds like Slashdot. My opinion should be nearly universal given all the unethical things that Facebook does, and considering the nature of social networking trash.

Re:

[khellendros1984]

Judging from the responses to your posts, your opinion isn't as popular as you might have expected. It's certainly a more extreme position than I'd take.

I don't consider sacrificing privacy for convenience to such a degree and enabling Facebook's behavior by using it to be a very principles move.

To which degree? Providing a fake name, birthdate, and other information, blocking image tags, and posting untagged text information? I suppose that they can extract a fair amount of info about me from information that my friends post, but if I didn't have an account, Facebook has algorithms that would infer most of those connections anyhow.

Facebook is a t

Re:

[Free Censorship]

To which degree? Providing a fake name, birthdate, and other information, blocking image tags, and posting untagged text information?

By even using Facebook, you grant their service legitimacy, and enable (albeit only slightly, but change has to start somewhere) their unethical behavior. [stallman.org] You mention algorithms that Facebook uses to infer connections, which is yet another evil.

Re:

[AK Marc]

Facebook is intolerable to anyone with actual principles.

And let me guess, "actual" principles means "exactly my" principles, right?

Re:

[Free Censorship]

It means that I don't believe sacrificing privacy to a greedy company that has shown itself to be wildly unethical for convenience and/or enabling it by using the service is a very principled move.

Re:

[AK Marc]

So does that list include Wal-Mart, Sony, Ford, GM, Chrysler, MS, and countless others, or are you just anti-facebook and not principled?

Re:

[Free Censorship]

It includes many, where it is actually viable. It's trivial to avoid Facebook (and I would say the ones you listed, too) despite excuses of peer pressure or not knowing how else to communicate.

Re:

[AK Marc]

How do you avoid facebook when any picture posted of you makes a stealth profile? You have more rights and "power" as a user, than a non-user-datapoint. So avoiding it is worse than accepting it.

Re:

[Free Censorship]

How do you avoid facebook when any picture posted of you makes a stealth profile?

Assuming that happens to you, it's still no reason to get an account and likely give them even more information. And with how these unethical companies act, the TOS means very little.

So avoiding it is worse than accepting it.

Accepting it gives the appearance that the service is legitimate and that using it is inevitable, and that's something I am not willing to do.

Re:

[Free Censorship]

"This is just a fact". hmm. classic weasel words.

"classic weasel words". Hmm. Classic weasel words.

would you care to share which principles everyone must share that are violated by having a fb account?

It almost always comes at the cost of trading privacy for convenience, and enabling Facebook's privacy-invading behavior.

you have posted nothing so far that i can see could argue for your opinion.

Facebook's policies are well-known. If you don't know about them, then get out of your cave.

Re:

[Free Censorship]

No, not really. Especially considering the article.

Re:Do users really care?

[Anonymous Coward]

Unfortunately these days not having a FB account means you are missing out in your social life. It has become the de facto for keeping in touch with friends and family.

The above is utter bullshit.

I have friends in five different countries and none of us use Facebook.

I maintain contact with my family using communications which have nothing
to do with Facebook.

Not everyone is as stupid as you so obviously are ( making blanket statements
which claim that Facebook is somehow necessary for having a social life is proof
of your stupidity ).

Re:

[AK Marc]

IT's not about missing out on the social life. If you don't have FB, then FB isn't bound by their TOS for how they handle your information, and they are collecting information on you. Your friends can tag you and you'll be in pictures, but have no ownership or say in how your information is treated or used, unless there are law changes, or you sign up for your own account.

Re: Do users really care?

[Cloudaki]

"Facebook will wither into insignificance" only to be replaced by something else. It's up to us to make sure it will be replace by something "better".

Re:

[MightyMartian]

Properly configured systems with a well-implemented certificate infrastructure are very hard, if not outright impossible, to inject a MITM attack into.

Re:

[koan]

What makes you think they haven't broken the encryption, what makes you think they don't have full access to all certificates, what makes you think you can trust anything.

Re:

[MightyMartian]

Largely because if the article, despite /.'s hysterical headline, states that well configured encryption systems remain secure. And how exactly is the NSA going to crack into my self-signed certs, with the CA sitting on a box with no connection to the Internet? Short of breaking into the location where the computer is, I'd say with reasonable certainty that the NSA cannot crack the certs that are used for my interoffice VPN. Now maybe the VPN software has a vulnerability, and that is always a a worry, but t

Re: Again...

[kramulous]

Article talks about VPN being no problem ... surveil 20,000 vpn connections per hour in 2011.

Re:

[MightyMartian]

If the VPN traffic is encrypted properly, and they don't have access to either end point, how is it you propose they crack it? Magic?

If there is a vulnerability in the software, which that delightful OpenSSL bug provided (thank goodness I stuck with Debian 6 so long) then you have a point. But not even the NSA, as the article makes clear, has some means to break into a properly encrypted stream.

Re: Again...

[kramulous]

Exploited routers, pry the handshake where you know keys are being exchanged, collection and brute force. An organisation with the budget, people, knowledge and will can make magic happen.

Article even talks about placing stooges in security and standards groups to subterfuge weaker methods (by weaker, i mean in the first three of the NSA's five level rating).

Re:

[Bengie]

With current understanding of handshakes, having access to controlling the hand shake gains you nothing. Both ends can still detect something is wrong. The only real way to MITM is to have access to the certs, magical computers, or knowledge of a flaw/bug in the protocol or implementation.

Re:

[whoever57]

Article talks about VPN being no problem ... surveil 20,000 vpn connections per hour in 2011.

The article contradicts itself. It states that

The most widely used ones are called Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol Security (Ipsec). Both seem to pose few problems for the NSA spies if they really want to crack a connection.

But, later, explains that for IPSEC:

Ipsec (sic) as a protocol seems to create slightly more trouble for the spies. But the NSA has the resources to actively att

Re:

[F.Ultra]

According to what we know about TAO they use zero day exploits so it doesn't look like hidden hack doors in closed source software/hardware. That PPTP is insecure has been known since at least 1998: https://www.schneier.com/pptp.... [schneier.com] That Microsoft still promotes it is beyond me.

Re:

[Bengie]

So, for IPSEC, they break into the router, rather than the tunnel itself. Can they break into a properly secured Linux (or *BSD) box

So they can "break" IPSEC by compromising the end nodes? Isn't that like saying "We can break into your house if we can get inside of it"?

Re:

[WaffleMonster]

Article talks about VPN being no problem ... surveil 20,000 vpn connections per hour in 2011.

Not surprising given the number of clueless operators still using VPN technology WELL KNOWN to be insecure for going on two decades now.

Re:

[Bengie]

if I pointed out 5 years ago that the NSA might be recording all communications

Since world wide harddrive storage being created is about 40 exabytes per year and the Internet has about 50 exabytes of traffic per month, I would still say you're crazy to think that all traffic is recorded. They have to be filtering out a decent amount of it. According to the NSA, how ever much you can trust this, they only inspect about 1.5% of all traffic, of which storage is only a subset. So they're not recording anywhere near "all" traffic.

Maybe we need to start padding stuff like SSH sessions to

Re:

[koan]

You're correct in one sense, they aren't recording (storing) literally everything, of course you knew that and chose to nitpick a conversational error.

The data center is alleged to be able to process "all forms of communication, including the complete contents of private emails, cell phone calls, and Internet searches, as well as all types of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital 'pocket litter'."[7]

http://en.wikipedia.org/wiki/U... [wikipedia.org]

I don't know what it is with people like you, you seem to want to argue over scraps of nothing, ignoring the real point.
I've discussed this sort of behavior with numerous people and they see it too, people like you and your type of thinking seem to be growing in number, this inability to do anything long term, to focus on the

Re:

[WaffleMonster]

What makes you think they haven't broken the encryption, what makes you think they don't have full access to all certificates, what makes you think you can trust anything.

What makes you think doubting everything in the absence of specific affirmative evidence is at all a useful exercise?

Re:Again...

[WaffleMonster]

You are poorly informed.

About?

http://www.nytimes.com/2013/09 [nytimes.com]...

Certificate Authority:
http://en.wikipedia.org/wiki/D [wikipedia.org]...

Old news virtually everyone here knows well.

Loss of Trust:
Information provided by Edward Snowden

Trust? What the fuck are you smoking???... The prior US administration LIED and started a goddamn war under completely false pretenses leading to the deaths of hundreds of thousands displacing millions over the course of a decade...not a little privacy invasion or reading love letters...but grand fucking high crimes against humanity. A *DECADE* ago we found out about NSA collection of *ALL* domestic phone records.... As much as I love Ed Snowden there was no trust remaining to lose when he spoke out.

I trust the Internet was insecure and all kinds of TLA's and assorted bad actors were exploiting to the hilt from the very start. Security is our responsibility...nobody else's.

Those are singular examples to the issues I spoke of, there are many, many more.
In addition, only a small percentage of data has been released to the public from the "Snowden Cache", if it was all released maybe people like you would finally STFU

The only thing you have enumerated was bullshit about SSL and HSTS which were factually incorrect and demonstrate your lack of knowledge of underlying technology. It shows you can read technical articles without having a firm grasp of fundamentals. The rest is just bloviating about enumeration of unspecified this and that's ...you have nothing specific to say.

If anything what Snowden told us is that the systems we *know* are secure really are a PITA even for the NSA to crack...Snowden himself said as much during a hearing he remotely participated in from Russia and in several televised interviews with reporters earlier in the year.

The underlying point remains running around yelling "How can you trust anything" ... is not helpful in any way... It spreads FUD and makes no positive contribution.

Re:

[MightyMartian]

If the encryption is properly implemented, I'd say it is highly unlikely that they will crack it any time soon.

Re:

[phantomfive]

If the encryption is properly implemented,

I think that's the point, SSL is broken, which is why (part of) the world has moved on.

Re:

[Anonymous Coward]

The SSL protocol is broken. Manipulating servers into lowering their cryptographic standard is possible through this. However: with properly encrypted data it's downright impossible for anyone including the NSA to decrypt it. This is not the 70's anymore. Academia is very much on par with the intelligence community when it comes to crypto. Too many big interests involved now. And they can't make a dent in AES-128. Fortunately mathematics is a-political.

Re:

[Marillion]

Let's not forget that the Snowden documents are now a year and a half old. A year and a half ago, everyone thought the ciphers and protocols were good enough. Fast forward to the eve of 2015 and we know better. We have a new sense of what is state of the art. We know not to use ciphers with static keys that could be subject to subpoena requests and so on a so forth. I'm not so naïeve to believe that new ciphers will stop them in their tracks. The still have incredible resources to draw upon. We just ha

Re:

[WaffleMonster]

It is actually very simple. Amazing that people have so much faith in their inherently insecure certificate systems. If you want security then shared secrets are the only way.

Like most things it is in the implementation rather than underlying technology where things fail and people run into trouble. Punting to PSKs has its own set of operational problems which can ultimately be less convenient and more difficult to manage vs proper deployment of PKI.

Or to take it a step further if you want security then OTP pools are the only way... except few actually want it that bad.

Re:

[fustakrakich]

I doubt there is any readily available encryption that can protect you at this point.

No, there isn't. I've been saying that for years (to no effect of course), and the entire subject has become tiresome, aside from the object of cracking theirs :-)

Privacy is a fantasy. Everything going through their wire is being recorded.

Re:

[rtb61]

Digital privacy is of a different order all together. Now they know when you 'do not' have an alibi and the ability to fabricate all the digital evidence. They can destroy you life in an instant for what ever political, commercial or private reason they want. You are accepting the idea that out of control psychopaths in the various intelligence agencies around the globe will become the richest and most powerful people on the planet as they remove all competitors one after another.

Re:

[WaffleMonster]

I'll point out that SSL is meaningless when the MITM can record it all and decrypt later, or possibly decrypt on the fly.

Decrypting later after you've obtained keys can be defeated by enabling forward secrecy. With most SSL toolkits your looking at a few extra lines of code tops. No rocket science required.

And HSTS is meaningless as well, so don't bother bring up that nugget

The HSTS latch is one small but important piece of the puzzle. It isn't meaningless it just offers limited intrinsic value.

Obviously it remains possible to trick people or launch attacks using convincingly or homographically similar names gleaned from insecure information sources. Not HSTS's fault.

HSTS works if you ente

Re:all this info for what?

[Anonymous Coward]

So that if anyone becomes a threat, it's easy to find a law they've broken, something embarrassing about them, or whatever. For most people, it is of no consequence. But for the very few who try to rock the status quo, this'll ensure they can't.

Richelieu said, "Give me six lines written by an honest man, and I will find something in it with which to hang him." Well, this just makes sure that the six lines have been collected in advance.

Re:

[koan]

#1 financial information
#2 any idea they want to steal
#3 retroactive imprisonment, yeah it's not a crime today but tomorrow it is and they have all the evidence.

Remember who they share this info with.

Re:all this info for what?

[Anonymous Coward]

#1 financial information
#2 any idea they want to steal
#3 retroactive imprisonment, yeah it's not a crime today but tomorrow it is and they have all the evidence.

Remember who they share this info with.

That is actually just the start. I'll be happy to give some more examples:

1: A DA going on a fishing expedition. That data, plus parallel construction, plus civil asset forfeiture ensures that they will have a packed jail and prison system, ensuring the campaign donations from private prison corporations keep on coming. Remember: 48 states have signed an agreement with Corrections Corporations of America to keep their jails at 90% bed space or else face fines hourly.

2: Lawsuits. People may have forgotten the MPAA and RIAA lawsuits, suing people for millions. It wouldn't take much for copyright law to be amended, forcing people to have to "prove" ownership of IP, just as businesses have to cough up proof when the BSA guy comes around, or else the BSA guy will be back with the constable and lawyers with a motion of discovery. Even the mention of "hey, dude, listen to this band!" that is logged, may be enough to get a IP infringement lawsuit going. Don't forget libel and slander lawsuits. It wouldn't take much for a lawyer to go through, say Slashdot's postings, and file hundreds of thousands of lawsuits on anyone bashing Sony.

3: Other country's laws. People don't realize it in the US that Thailand's lese majeste laws apply here? Well, they do, and an American can get shipped over there for breaking them, due to extradition treaties. Same with Turkey and the Kingdom of Saudi Arabia. In theory, someone handing out events for their pagan festival or church bulletins can be shipped over there to be executed, due to violating Islamic sharia laws. Privacy is important, since it isn't just domestic LEOs, but LEOs of foreign countries who can press charges and have US citizens answer for them. Right now, it tends not to be enforced, but the laws are on the books, and the pastor who was televised burning a Koran might find himself in Riyadh facing an imam and a crowd with rocks and a can of gasoline.

4: Laws created by treaties. The gun nuts fear the UN gun ban treaty that went into in effect last Christmas Eve. It wasn't ratified in the US... but that can change, and even though it didn't affect gun sales inside the US... it had a clause saying that UN could act as an enforcement agency within the US, operating independently from other LEOs. Now, think about this a minute. A law enforcement group with the power to use deadly force and enforce laws that were never put on the books by domestic lawmakers, with no way to contest their decisions. It might be something 3 percenters talk about now on talk radio... but do people remember how close ACTA came to being passed? It wouldn't be surprising to see another law like this come on the books under "anti-hacking statues" that would allow the UN to detain "hackers" under their own law, and under their own opinion.

5: Ex wifes/husbands. An acquaintance of mine lives in California, had a bad marriage, with the wife divorcing him for someone richer. Well, she had a good attorney (courtesy her new BF), and got a pretty insane alimony settlement. Well, the husband was out of work at the time, couldn't pay the payments... so the judge tossed him in for nonpayment for six months. He got out after that, two years later, was back in (as in California, unemployment isn't a good enough reason to not pay alimony costs.) Well, this shit went on for about two years, until this guy, once he got released, booked it to Mexico. Now, the ex wife is offering a bounty for anyone to find him and bring him to "justice". Not that she needs the money, but just out of pure malice. Without privacy, people who just had a bad relationship with a sadistic other can be killed.

6: Insurance companies. I've read cases on Slashdot where people have walked into a humidor at a Spec's, someone takes a

Re:all this info for what?

[Bengie]

Other country's laws. People don't realize it in the US that Thailand's lese majeste laws apply here? Well, they do, and an American can get shipped over there for breaking them, due to extradition treaties.

Extradition almost exclusively applies to to laws in other countries that would be also be considered criminal in the USA. Kill someone in Thailand, well murder is criminal in the USA, so they'll extradite you. Slander someone, well, that's not criminal in the USA, so you're safe. The USA also will not extradite if they think the punishment may be considered "extreme".

Re:

[maccodemonkey]

3: Other country's laws. People don't realize it in the US that Thailand's lese majeste laws apply here? Well, they do, and an American can get shipped over there for breaking them, due to extradition treaties. Same with Turkey and the Kingdom of Saudi Arabia. In theory, someone handing out events for their pagan festival or church bulletins can be shipped over there to be executed, due to violating Islamic sharia laws. Privacy is important, since it isn't just domestic LEOs, but LEOs of foreign countries who can press charges and have US citizens answer for them. Right now, it tends not to be enforced, but the laws are on the books, and the pastor who was televised burning a Koran might find himself in Riyadh facing an imam and a crowd with rocks and a can of gasoline.

Errrr, no, that's totally wrong. Where did you learn this stuff?

If you commit an illegal activity in Thailand, and then enter the United States, there is a chance that the US could return you to Thailand. If you do something that is illegal in Thailand but not illegal in the United States in the United Staes, then it does not matter at all. Only US law applies to acts committed in the US.

I don't know where you learned your understanding of extradition laws, but this is so far out in right field. Maybe you s

Re:

[NatasRevol]

Move on to what? Being complicit in spying? Being ok with it? Kissing goodbye to any shred of democracy left?