How NSA Spies Stole the Keys To the Encryption Castle 192
Advocatus Diaboli writes with this excerpt from The Intercept's explanation of just how it is the NSA weaseled its way into one important part of our communications: AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.
No surprise (Score:3, Insightful)
Re:A big surprise (Score:5, Insightful)
Actually it is surprising. Many if not most large government IT projects are appallingly run. Vast amounts of money wasted on useless consultants that end up producing very little if anything at all.
As the NSA's budget grows and grows, I suspect this will happen to them. Lots of MBAs that can only organize their own careers, while the crypto-nerds are pushed into the background.
Re:A big surprise (Score:5, Insightful)
That's already sort of the case. The NSA and similar agencies in other countries are LOADED with useless incompetent staff and engineers. It has everything to do with their impossible hiring practices combined with it being a shitty unethical job. They don't even pay super well, and anyone competent can make more in the private sector.
This makes the whole thing even more scary to me, because being utterly corrupt and not very bright are pretty much absolute requirements for the job. The fact that they get anywhere at all is because they have a huge budget and federal backing to force companies to play along.
I'm always extremely skeptical of stories that the NSA actually broke something through math. It's way way more plausible that they simply paid someone off on the inside.
Re:A big surprise (Score:5, Insightful)
And second, while the NSA and the British equivalent might be unweildy bureaucratic monsters where those in-charge might not even know what the appendages are doing, they're well-enough funded that they can afford to buy people off to socially-engineer their way in to places where they wouldn't otherwise have the right to go. That gives them the ability to get into corporate networks or to get data from individuals working for corporations; they buy their way in and the consequences of the actions of the employee are not the NSA's concern. All they want/need is the data, and if they can buy it for cash or buy their way in for cash then they might just do that.
Security is hard. Ultimately it comes down to the individual employee, who has to have access to what he or she works on, but by having that access, also can be a risk. A multimillion dollar system can be compromised by a single technical employee because that employee needs access through those safeguards to do the job. It's really no different than bribing the guards at the castle to get in.
Re: (Score:3, Insightful)
My source.... well... here goes.
Yes, they actively recruit Math and CS majors with high GPAs. That is true. ... probably more steps which I haven't mentioned.
However....
In order to get in you must:
1) Pass a preliminary security interview
2) Pass a polygraph test
3) Pass a drug test (including for marijuana) - this eliminates a LOT of competent people
4) Pass a more in-depth security interview
By the time this is all done, about a year and a half has gone by. A bunch more of their potential recruits will be es
Re:A big surprise (Score:4, Insightful)
Actually it is surprising. Many if not most large government IT projects are appallingly run. Vast amounts of money wasted on useless consultants that end up producing very little if anything at all.
As the NSA's budget grows and grows, I suspect this will happen to them. Lots of MBAs that can only organize their own careers, while the crypto-nerds are pushed into the background.
Except that this is not an IT project, but an espionage project. It just happened to have an IT component; one very different than the create a web site / database / payroll system project.
Re: (Score:2)
Re: No surprise (Score:2)
Less questions, paper trail, less names involved; more development, practical capability testing⦠Imagine this as weapons development.
Re: (Score:3)
Deniability.
If they steal the keys, there's no public record that they have them.
If they request them from the corporation, even if they use a national security letter, the corporation can announce that they have been requested, or use a warrant canary to stop confirming that they haven't.
Re: (Score:2)
Why would they NEED to steal these keys? Every single cellphone company in America would need the keys so your phone would work (roaming), and American companies have proven that they will hand over anything the US Government pays for.
No need for a warrant, request for the information or dealing with foreign governments, they can simply intercept and decrypt anything of interest; including already collected calls.They can also then provide them to allies that may be able to intercept or have calls of interest in exchange for information. Finally, if they make special secure SIMS that are not used widely, well, those are compromised as well. Finally, collecting intelligence is fun.
Re: (Score:2)
It's the only way they can shake off the last tiny little bit of half-hearted judicial oversite when they want to act outside of their charter and do things that rightfully make them a domestic enemy of the people.
Re: (Score:2)
Re: (Score:2)
Are you one of those people who would have ridiculed anyone claiming the Government can "listen to all of our phone calls any time they want" as a conspiracy theorist?
No. That's not surprising since the NSA has had some pretty serious computing power fro quite some time. The challenge is picking out the conversations of interest since there simply is too much data to sift through and get timely actionable information.
Re: (Score:2)
Are you one of those people who would have ridiculed anyone claiming the Government can "listen to all of our phone calls any time they want" as a conspiracy theorist?
No. That's not surprising since the NSA has had some pretty serious computing power fro quite some time. The challenge is picking out the conversations of interest since there simply is too much data to sift through and get timely actionable information.
I think it has been demonstrated that these activities are as much about having a dossier to comb through after the fact as having timely, actionable intelligence. If a person of interest catches their attention, they can go back through the records to find something to charge that person with. Although stopping terrorism is the stated goal, maintaining the status quo is also a goal and this can be a useful tool.
NSA... (Score:5, Insightful)
Can we all just agree that the NSA is the most nefarious hacking group, the most dangerous and out of control? That they make all the other so called "black hats" look like innocent little babies?
I think we all need to work together to get rid of this terrible, nasty, unpredictable hacker group -- for the sake of national and international security. They represent a clear and present danger to the future of this country.
We are the global village bully (Score:2, Insightful)
Veterans Today on February 11, 2015
Why the United States Always Loses Its Wars [veteranstoday.com]
We are the global village bully that's hated by much of the world.
America loses all its wars because it seems we've always been on the wrong side of history. Morally nor legally should any nation have the right to invade and occupy another sovereign nation, much less believe it can achieve victory in long, protracted wars.
Yet in violation of all ethical precepts and all international laws, the sole global superpower citing its imp
USA! USA USA! (Score:5, Insightful)
While I think some of the points, however plausible, are a bit on the side of paranoia, the Libertarians firmly believe that we should have only a defense force and not project power.
The current rational now for IS - or whatever they are called now - is to fight them over there so they don't come over here. They just want control of the Middle East - they are no threat to us. Also, the Arabs, Persians, Kurds, and other people's of the Middle East have been dealing with their ethnic problems for thousands of years. And of course, being there, we the USA are going to fuck things up even more.
Unfortunately, we have a populous who treats our military conquests like a football game. USA! USA! win! It makes small people feel big.
We in the USA are small people who like big guns. We lost the idea of walk softly and carry a big stick.
We bluster, shoot things up and wonder why other peoples hate us.
But this football mentality is how you get people to volunteer to fight in idiotic and unjust wars - get the stupid people to die and get maimed for the elite.
Re: (Score:2)
> the Libertarians firmly believe that we should have only a defense force and not project power.
Uh, ignoring the few cases of the Police over-stepping their bounds, have you completely forgotten the history of the Police or Firemen and how they have operated in say the last 100 years?
The moto was: To Serve and To Project
They don't go around picking fights. They were originally there to stop them, and to help people.
On the global scene the USA is too busy putting its nose into places where it doesn't be
Re: (Score:2)
On the global scene the USA is too busy putting its nose into places where it doesn't belong. Maybe if they focused more on the mother land and made a dent in idiotic wars like "War on Drugs"...
Excuse me, I believe the propaganda word that has been chosen to pull at our emotions and get us to rally around the State is "homeland". Boy, did my ears perk up when I first heard that word used to describe the United States.
Re: (Score:2)
You might actually want to take a look [criminalgovernment.com] at reality [laissez-fa...public.com] then.
Let's compare the Communist Manifesto and the current state of affairs with the USA.
1. Abolition of private property in land and application of all rents of land to public purpose.
2. A heavy progressive or graduated income tax.
3. Abolition of all rights of inheritance.
4. Confiscation of the property of all emigrants and rebels.
5. Centralization of credit in the hands of the state, by means of a national bank with state capital and an exclusive monopoly.
Re: (Score:2)
Working link:
An Underground History of American Education (PDF) [tripod.com]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Thanks for the clarification!
I wasn't exactly sure of which direction you were leaning.
Hard to tell with lack of emotes / sarcasm. :-/
Re: (Score:3)
Re: (Score:2)
I considered moderating this down, but I will reply instead. This is such a warped, confused view of history it's hard to know where to start. However; there is such a thing as a just war, international security is hard, and Russia had and has no right to Crimea or the Ukraine. Iraq WMDs: I remind you that Saddam believed he had WMDs. As for the Lusitania, I would remind you Churchill had his hands full with a minor issue called Gallipoli. And in Syria and Libya, there were no good options, and the situation was not of the West's making; it's difficult to know when a market trader's messy suicide will start a regional revolution.
We are lied into every war; every single one. The actual reasons we go to war often have to do with economic or strategic interests. But people don't get ready to fight and die for economic interests. They fight and die for survival. So you make it about survival, and tell the people how the enemy is coming to kill their children in their beds. Or you appeal to their sense of righteousness and tell them how we must save this other poor downtrodden people from the dictator we installed (oops, did I say
Re: (Score:2)
Re: (Score:2)
While we are at it... (Score:3, Insightful)
...can we all return the favor by pressuring the government to Grant Snowden Clemency [aclu.org]?
If people don't stand up to protect whistleblowers, then there will be no whistle blowers, and government evil will run unchecked.
Sign it.
Re: (Score:3, Funny)
We are the NSA. We are Legion. We do not forgive. We do not forget. Expect us.
Re:NSA... what? (Score:2)
Re: (Score:2, Informative)
Hardly, this is their fucking job. I'm glad they did it, and sad that it got publicized.
Re: (Score:2)
Re:NSA... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
I agree. It is becoming increasingly difficult to consider the NSA as anything other than an extremely well-funded criminal organization.
Psssh! They need to get in line behind the CIA.
Re:NSA... (Score:5, Insightful)
You don't seem to get it. No one wants the NSA. The American people have been polled, and overwhelmingly despise the NSA and what it does. Local and state governments have publicly declared their actions criminal, and Congress has overwhelmingly decried their activities. But they're still here and there's literally nothing we can do about it. That should tell you something.
It's like we're all in a coffee shop, and a man armed with a 12 gauge just barged in to rob the place and demanded we all act normally. Even the cashier is nodding and offering him a latte... but in reality we're all glancing at each other wondering who's going to be brave enough to clock him over the head with their coffee mug first. There's one feeling that I think we've all felt in this country over the past 10yrs or so, and I think that feeling is best described as "Unease"
Re: (Score:2)
It's like we're all in a coffee shop, and a man armed with a 12 gauge just barged in to rob the place...
Yeah, in really slow motion, over a four year time period.
The polls are bullshit. Count the votes. only there will you find what people really think. Everything else is just bad theater.
Re: (Score:2)
It's like we're all in a coffee shop, and a man armed with a 12 gauge just barged in to rob the place...
Yeah, in really slow motion, over a four year time period.
The polls are bullshit. Count the votes. only there will you find what people really think. Everything else is just bad theater.
Considering the voter participation rate, I'd say the votes tell us most people think it isn't worth the effort to vote. Though I do vote, I can't really blame them. I vote because I'm acting on principle (I almost always vote third party), not because I think it will make a damn bit of difference. The Us "republic" is unresponsive to the will of the people. The people know this and act accordingly.
Re: (Score:2)
I think we all need to work together to get rid of this terrible, nasty, unpredictable hacker group -- for the sake of national and international security. They represent a clear and present danger to the future of this country.
I think time would be better spent improving systems especially communication systems to deny all adversaries capability to "hack the planet".
Aggregating sources of trust like this is akin to piling gold bars on the street corner, holding a press conference announcing to the world their presence and being surprised when gold turns up missing next morning.
How is this even remotely legal? (Score:5, Insightful)
Re:How is this even remotely legal? (Score:5, Insightful)
"We are the law."
Re:How is this even remotely legal? (Score:5, Insightful)
"We are the law."? No! They invent the law out of thin air. Plus legislators can't be held liable for what they say or vote for in Congress (unless you can prove a bribe or conflict of interest.)
This is the sort of attitude that eventually destroys institutions from within, though it takes awhile.
I do tend to agree that secession is inevitable in the US, just as it seems heading in that direction in the EU. What that will do is return some semblance (notice I said some) to States rights and hopefully smaller government, which currently redistributes about 50% of all earnings in the US. That is double what serfs paid in around a thousand years ago.
Re: (Score:2)
Judge Dredd, is that you?
Legal, schmeagle (Score:5, Insightful)
Oh, I'm sure they can find something. You can't do anything about it -- you can't sue -- because you don't have standing. You'd have to show they were listening to *you*, just to start with, and then you'd have to have a few million to push it through to the supreme court.
And *then* of course you'd be facing the same idiots that think "shall not infringe" means "infringe", "intrastate" means "interstate", article 3 means article 5, and that "no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" means "as long as we think it's reasonable, we can search and seize to our heart's content", and " no ex post facto Law shall be passed" means "retroactive punishment is no problem."
The only privacy you have at this point is in your own head. Assuming you haven't spoken, written down, or otherwise "shared" your thoughts.
The system is broken. Badly. And very few care -- we're stuck on this downhill-all-the-way roller coaster ride.
Re: (Score:2)
Even if you don't speak or write, you read. They note everything you read, in what order, how long you linger on which articles. They know what goes in your head, which gives them a pretty good idea what stays there.
Snowden cared. (Score:5, Insightful)
And, unlike most of us, Snowden actually did something about it. As a result of his revelations, political pressure is being applied to the government from many different directions to get the situation resolved.
Of course, it cost Snowden his job, and his ability to live in his own country, and might still land him in jail or worse.
You could swallow some of that cynicism and at least try to improve things. Maybe ask the government to grant snowden clemency [aclu.org]?
Nah. Why exert the effort to click an online petition when it is so much easier to just bitch about how hopeless things are?
Re: (Score:2)
And, unlike most of us, Snowden actually did something about it. As a result of his revelations, political pressure is being applied to the government from many different directions to get the situation resolved.
Of course, it cost Snowden his job, and his ability to live in his own country, and might still land him in jail or worse.
You could swallow some of that cynicism and at least try to improve things. Maybe ask the government to grant snowden clemency [aclu.org]?
Nah. Why exert the effort to click an online petition when it is so much easier to just bitch about how hopeless things are?
I'm going to go with "because an online petition won't do a damn thing" for $1000, Alex.
I care too. (Score:2)
I think you might give me at least a little credit on that score if you were familiar my writing, research and other offerings. [fyngyrz.com]
I am signatory.
If I may (Score:2)
I believe what the poster might have been trying to imply was that your anonymous post does not carry the same weight as if you were willing to put your online identity on your words. You'll note that the very petition you refer to requires your name and your email in order to be counted a valid signature. Pretty much the same mindset.
"Some random, unidentified dude supports Snowden" just doesn't have the same impact as "Mergatroid McFutter, AKA mergatroid@mcfutter.com, supports Snowden."
Re: (Score:2)
Dude! Glad to have you on-board. :)
Re: (Score:2)
LOL.
Re:How is this even remotely legal? (Score:5, Informative)
Gemalto is in the Netherlands. It's entirely legal for the NSA and GCHQ to do anything they want outside of their home countries. They were both chartered 60+ years ago to spy on foreign communications. You can certainly argue that this attack was unethical, or a bad idea, and it was definitely illegal under Dutch law- but it was legal under British and American law.
Re:How is this even remotely legal? (Score:4, Insightful)
Re:How is this even remotely legal? (Score:5, Interesting)
British and American laws don't have jurisdiction over computers in the Netherlands.
Re:How is this even remotely legal? (Score:5, Insightful)
http://yro.slashdot.org/story/15/02/18/0239259/russian-man-extradited-to-us-for-heartland-dow-jones-cyberattacks [slashdot.org]. The US seems more than willing to extradite and try someone from a foreign country for hacking US computers. It seems likely the US has an extradition treaty with the Netherlands. It seems likely the Netherlands has laws against hacking computers.
Re: (Score:2)
Sure. Now the Netherlands needs to identify an individual they suspect of the crime and request their extradition. How do you think that will go?
Re: (Score:3, Insightful)
Reverse that. The Netherlands doesn't have jurisdiction over British and American laws. Well, they don't have the weaponry to resist. Might makes right...
Re: (Score:3)
Actually they do. In the EU they can get a European Arrest Warrant for anyone in the UK, including GCHQ staff. They can also investigate crimes that happened in the Netherlands but were committed by people in the UK. International crimes have been going on forever and there are established mechanisms for dealing with them.
It's a shame that The Intercept has not published the names of those at GCHQ who committed these crimes so that they can be brought to justice. They have clear evidence of criminal activit
Re: (Score:2)
That may well be true... but the purpose of the hack is to spy on the US populace - that's the reason to have copies of these keys.
The actual hack may be within their operational remit, but the materiel they gathered using it is clearly for purposes that are not. You can't really justify the operational budget for it in that case.
Re:How is this even remotely legal? (Score:5, Insightful)
if this is true, then the NSA has blatantly broken law, STOLEN property (intellectual property, that's property, right? RIIIIGHT?) and nullified most of the network and systems security we have tried to put in place over the last 10 or 20 years.
they also are using fear and intimidation to keep the population in check. ie, they are terrorists. state sponsored terrorists who steal without regard to their actions.
so, when are they going to be tried for terrorism under the patriot act??
Re: (Score:2, Insightful)
Broken what law? Dutch law, I guess, so the Dutch would have to find and arrest them.
It's not a violation of American law to rob a store in Paris.
Re:How is this even remotely legal? (Score:5, Insightful)
Broken what law? Dutch law, I guess, so the Dutch would have to find and arrest them.
It's not a violation of American law to rob a store in Paris.
I believe the Netherlands have an extradition treaty with both UK and US.
What's been done here is a crime in all 3 nations.. Besides, doesnt US consider hacking an act of war?
Re: (Score:2)
Under what possible interpretation of the law can this be considered the actions of lawful government?
Oh, do you have standing to bring a suit? No? Know anyone who does? No? Well, that's that, then.
Rainbow tables (Score:4, Interesting)
Is this a big deal considering we already have the GSM rainbow tables?
Re: (Score:3, Insightful)
GSM never used end-to-end encryption, so I don't think anyone should have considered it secure.
It is a big deal that the US did this to their European allies.
Re: (Score:3)
Rainbow tables only worked for GSM, which is now decades out of date. Most people are going to be connected to 3G or higher in urban areas (i.e. where all the action is), which isn't so easily hacked. Hence their interest. It's in the article, even.
I think people do not understand how deep it is. (Score:5, Insightful)
It's not just about SIM cards.
Gemalto makes smart card readers etc. Think not just communications, nor banking. Think secure access. We use things like that to ascertain authenticity and inviolability in signed documents, emails etc.
We used.
Re:I think people do not understand how deep it is (Score:5, Informative)
But on a smart card, asymmetric cryptography can be used. The private key is generated by the chip on user request. It is not supposed to leak outside of the device.
As I understand, this SIM debacle is only possible because the cryptography used here is symmetric, which means the telephone operator must have a copy of the SIM key.
Re: (Score:2)
Yeah, that surprised me a bit.
If you replaced the symmetric key with a genuine private-key smartcard and registering on the network involved a proper negotiation and establishment of an ephemeral session key, things would be a lot more secure.
Oh, and more expensive, 'natch, which is why it's not designed like that - stupid legacy tech.
Re:I think people do not understand how deep it is (Score:5, Interesting)
Gemalto generate a master SIM key with batches of cards shipped to each Mobile Operator. I work on a project for mobile payments, mediated with a STK loaded on each card. A HSM is loaded with all the master keys. If you have the master key, you can decrypt all the communications with the STK app on the SIM card. If the Master key leaks, all payment operations/transactions are fucked.
Class action lawsuit ? (Score:5, Interesting)
Should Gemalto be sued by people who use their cards & other products on the grounds that they did not adequately secure their computer systems and thus let in outside crackers to steal the encryption keys ? That the crack was done by GCHQ/NSA does not really alter things -- they were cracked. The point of this is that successful legal, and expensive, action would make all corporates treat security properly; this would have great benefits -- more than just keeping the spooks at bay.
The only problem is that to sue Gemalto the plaintiffs would need to demonstrate that they have suffered. This might be hard, although insisting that they were all given new SIMs might be a start.
Re:Class action lawsuit ? (Score:5, Insightful)
So if somebody breaks into your house, steals your car keys and proceed to run somebody over they should sue you for manslaughter? Because you know you could have put those in a safe inside a vault inside a bunker and not in your spare pair of pants. No, what you describe is pretty much the reason the US legal system is what it is and having a ton of good lawyers on staff is a necessity. And it wouldn't really stop the NSA anyway.
Re: (Score:2)
Your analogy doesn't work. Here is a better one:
Somebody breaks into a combination-lock factory and steals the list of serial-numbers and their associated codes. They then proceed to use this information to break into peoples homes and rifle through all their belongings.
Don't you think that a home-owner who bought this lock thinking it was secure is going to do something about it?
The company selling the locks now has a couple of problems: the public image of their company has been tarnished, all the the loc
This just keeps getting better and better (Score:4, Informative)
We're not even over the NSA hard drive hacks and now this?
Next you're gonna tell me Americans shove food up people's ass for freedom. Oh wait they do [theguardian.com].
HUGE SPY PROGRAM EXPOSED: NSA has hidden software in hard drives around the world [businessinsider.com]
Is the NSA Hiding in Your Hard Drive? [bloomberg.com]
NSA Has Ability To Hide Spying Software Deep Within Hard Drives: Cyber Researchers [huffingtonpost.com]
Is Your Hard Drive Hiding NSA Spyware? [ign.com]
The NSA hides surveillance software in hard drives [engadget.com]
'Breakthrough' NSA spyware shows deep grasp of makers' hard drives [www.cbc.ca]
NSA planted surveillance software on hard drives, report says [cnet.com]
NSA secret spying software discovered by Russian researchers [itproportal.com]
NSA Hackers Infected Hard Drives With Impossible-To-Remove Spyware [inquisitr.com]
NSA Has Planted Surveillance Software Deep Within Hard Drives Since 2001: Kaspersky [ibtimes.com]
NSA program is embedding secret spying software in hard drives in Russia, China, Middle East, allowing agency to eavesdrop on most of worldâ(TM)s computers: report [nydailynews.com]
Destroying your hard drive is the only way to stop this super-advanced malware [pcworld.com]
Hard drives beware, the NSA is coming for you [digitaltrends.com]
Kaspersky fingers NSA-style Equation Group for hard drive backdoor epidemic [theinquirer.net]
There's no way of knowing if the NSA's spyware is on your hard drive [computerworld.com]
The NSA's Undetectable Hard Drive Hack Was First Demonstrated a Year Ago [vice.com]
Time to go back to land lines and cash. (Score:2, Insightful)
At what point do we start putting these criminals away? They have broken every law on the books.
Re: (Score:3)
No, time to go to open source verified-by-security-audit strongly-encrypted VoIP (the kind that at the very least will require the spooks to put a lot of effort into cracking it so they cant just vacuum it all up like they do now) and secure anonymous distributed crypto-currencies that the feds cant easily track (and cant seize as part of a "random" roadside stop on the interstate)
Re: (Score:2)
A lot of nations will now just go back to one time pads and number stations with all the junk Western networks used for quality disinformation.
Re:Time to go back to land lines and cash. (Score:5, Insightful)
At what point do we start putting these criminals away? They have broken every law on the books.
One of the most insidious effects of this sort of Panopticon-level data collection & analysis is that it works as well against prosecutors, judges, AGs, and even SCOTUS justices, as it does some CEO or key IT admin somewhere they're interested in compromising.
Parallel construction is blind, therefor the current US justice system no longer is. Along with every other government agency, bureau, department, etc, all the way down.
Total Information = Total Control
The US Government is under the control of those who control that information. Even if the target is squeaky-clean, they are perfectly capable of planting things like kiddie-porn or any other convenient data on a hard drive such that it would stand up to the type/depth of forensics used in the typical criminal trial.
Threatening to leak damaging private information, especially when it involves an elected official right before a(n) (re)election, works without even involving the justice system or making a public scene.
Strat
Time to Embargo USA and UK (Score:5, Insightful)
Every company should release their private data (Score:5, Interesting)
on every US and UK government employee. Let them become life-time victims of identity theft. Let the Chinese and Russian intelligence agencies have a field day. It's the only hope we have that they'll learn.
Re: (Score:3)
Maybe you didn't hear, but companies do try to make a profit. Throwing your customers to the wolves may not be the simplest way for a company to commit suicide, but it'll do.
Of course... (Score:5, Interesting)
Why do you think all the recent cell phones that are rated for classified voice, such as the Sectera Edge and Project Fish Bowl all run VoIP for classified communications?
Because they know better than to trust the commercial telephone networks and their voice "security".
Where does Snowden get all this information from? (Score:3)
Or was this information, and the other stuff he claimed in the last couple of months, all part of the package he took with him back then?
If he was sitting on this information, then why wait so long to release it?
Or does he have a new source 'inside'?
Re:Where does Snowden get all this information fro (Score:4, Informative)
All the material is now in the hands of the press. The press can release the material in any way it wants or needs to.
Re "Could someone explain where Edward Snowden is getting these kind of leaks and infos from, so long after he fled the NSA?"
The material released by the press is long term generational projects staff get read into as they need to work on the same projects or with staff who do.
Re the how http://www.bbc.com/news/world-... [bbc.com] "Edward Snowden: I was a high-tech spy for the CIA and NSA" (28 May 2014)
"...he said he had worked for the CIA and NSA undercover, overseas, and lectured at the Defense Intelligence Agency."
Re: (Score:2)
Snowden hasn't had any access to the NSA since he fled to Hong Kong.
However, the amazing thing about this dude is he was able to do full blown web crawls of the entire NSA and GCHQ intranets, including dumps/crawls of data he didn't have access to .... all without getting noticed or caught. He appears to have provided the journalists with what is quite literally a snapshot of their internal networks at the time he was operating. It's taking them years to go through it.
They send the ACTUAL keys? REALLY? (Score:2)
I had no idea that the personalization venders send the actual encryption keys to their customers. This is so very very wrong. That's not how you are supposed to do it.
The correct way is to generate the master keys (separate sets of keys for each customer) inside an HSM (hardware security module). The HSM protects the master keys from being stolen. You then split the key into parts, encode those parts on smart cards, and HAND DELIVER those smart cards to the customer (in this case cell phone carriers or
Snowden fatigue (Score:5, Interesting)
This should either be the biggest news story on the planet, or the biggest lie of the year, but the public response seems to be "meh". The problem is, Snowden stole too much. Or claims to have stolen too much. There have been so *many* earthshattering Snowden revelations that both the outrage and the fact-checking seems to have evaporated.
This is a big problem either way.
This info is for us, not the average pleb (Score:3)
Considering this audience is pretty much the only one that understands the implications behind these revelations. WE should be the ones raising the issues and getting in the government's face about this, but technologists are notoriously passive when it comes to protesting the government. With that in mind, there's not too much _I_ can do as a Canadian to protest the NSA/GCHQ, but there's definitely the CSE who are one of the "5 eyes" members.
However the easiest response to mass surveillance is mass encr
The secret is in the message ... (Score:2)
... and the message is that the NSA is omnipotent and stupid at the same time.
They make a good scapegoat, though.
What can we do? (Score:4, Interesting)
Encryption Castle (Score:2)
Cell phone SIMs are the "Encryption Castle", really? From a practical perspective, they are essentially plaintext, since everything gets fully decrypted at each hop.
Maybe I will start calling my previous car a "Dining Palace" in honor of the epic glorious time that I once ate a chili dog while driving, shifting and making a left turn (alas, this was before I had a cell phone) without getting any chili on my shirt.
Re: (Score:2, Insightful)
Yes well they were at war with Germany. Now the government is at war with - the people?
Re: (Score:3)
Who you intercept and who you actually fighting don't have to be the same people. You listen to everybody to find out, who your targets are. This is obvious to all, and the security people — who have huge leeway in interpreting laws — act to perform their mission, which is to keep us safe...
Now, are we — the rest of society — willing to trade our privacy for these gains in security? Does the freed
Re:Remarkable feat (Score:5, Informative)
Remarkable feat! Guys from Bletchley Park — who also intercepted and decrypted everything they possibly could — would've been proud...
These are the "guys from Bletchley Park" -- in the sense that it's the same government organisation.
"During the Second World War, GC&CS was based largely at Bletchley Park ... GC&CS was renamed the "Government Communications Headquarters" in June 1946"
http://en.wikipedia.org/wiki/G... [wikipedia.org]
Re: (Score:3)
SISMI-Telecom scandal https://en.wikipedia.org/wiki/... [wikipedia.org]
Greek wiretapping case 2004–05 https://en.wikipedia.org/wiki/... [wikipedia.org]–05
Cell networks have a very low standard of local encryption thanks to weak junk international standards been set over many years. The results can now be see and understood.
Re: (Score:2)
Re: (Score:2)
Processors seem unlikely, BIOS seems like a target you can hit later (anything that can be flashed and has proprietary reasons why it's secure, is utterly insecure) so probably clean out of the factory, Windows seems likely the others seem less likely, drivers are very plausible because there's a million of them and not much oversight...
I mean, it's hard to guess. We might get more info later, but so far everything hardware has played by some set of rules- aka, nothing leaked implies that your machines sh
Re: (Score:2)
They messed with an algorithm for generating pseudo-random numbers ;
Schneir's article [schneier.com]
TLDR : the suspicion is that they embedded a secret key in the maths of this random number generator algorithm that would let them break any TLS connection after snooping 32 bytes of traffic.
As Bruce takes pains to point out, you can't prove anything. But really, they were pushing an RNG with no obvious advantage over the others in the running (3x slower), known flaws (slight bias in it's output), and this great big whoppin
Re: (Score:3)
That's a valid question. I'll try to answer it. Yes, neither act is "theft" in the jargon of the law. But you're asking why people (who aren't lawyers) are treating one as theft and not the other.
One answer is that "we" (generally) don't feel that there is any strong societal contract with the TV/movie corps, so there's little or no "trust" for the pirates to steal (from that social contract). On the other hand "we" do very much feel that there is - or at least should be - a strong societal contract with th