Prism and Verizon surveillance discussion thread

Started by Junkenstein, June 06, 2013, 02:19:29 PM

Pæs

QuoteThe National Security Agency, working with the British government, has secretly been unraveling encryption technology that billions of Internet users rely upon to keep their electronic messages and confidential data safe from prying eyes, according to published reports based on internal U.S. government documents.

The NSA has bypassed or altogether cracked much of the digital encryption used by businesses and everyday Web users, according to reports in The New York Times, Britain's Guardian newspaper and the nonprofit news website ProPublica. The reports describe how the NSA invested billions of dollars since 2000 to make nearly everyone's secrets available for government consumption.

In doing so, the NSA built powerful supercomputers to break encryption codes and partnered with unnamed technology companies to insert "back doors" into their software, the reports said. Such a practice would give the government access to users' digital information before it was encrypted and sent over the Internet.

"For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies," according to a 2010 briefing document about the NSA's accomplishments meant for its UK counterpart, Government Communications Headquarters, or GCHQ. Security experts told the news organisations such a code-breaking practice would ultimately undermine Internet security and leave everyday Web users vulnerable to hackers.

The revelations stem from documents leaked by former NSA contractor Edward Snowden, who sought asylum in Russia this summer. His leaks, first published by the Guardian, revealed a massive effort by the U.S. government to collect and analyse all sorts of digital data that Americans send at home and around the world.

Those revelations prompted a renewed debate in the United States about the proper balance between civil liberties and keeping the country safe from terrorists. President Barack Obama said he welcomed the debate and called it "healthy for our democracy" but meanwhile criticised the leaks; the Justice Department charged Snowden under the federal Espionage Act.

Published Thursday (local time), the reports described how some of the NSA's "most intensive efforts" focused on Secure Sockets Layer, a type of encryption widely used on the Web by online retailers and corporate networks to secure their Internet traffic. One document said GCHQ had been trying for years to exploit traffic from popular companies like Google, Yahoo, Microsoft and Facebook.

GCHQ, they said, developed "new access opportunities" into Google's computers by 2012 but said the newly released documents didn't elaborate on how extensive the project was or what kind of data it could access.
Even though the latest document disclosures suggest the NSA is able to compromise many encryption programs, Snowden himself touted using encryption software when he first surfaced with his media revelations in June.

During a Web chat organised by the Guardian on June 17, Snowden told one questioner that "encryption works." Snowden said that "properly implemented strong crypto systems" were reliable, but he then alluded to the NSA's capability to crack tough encryption systems. "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it," Snowden said.

It was unclear if Snowden drew a distinction between everyday encryption used on the Internet - the kind described in Thursday's reports - and the more secure encryption algorithms used to store data on hard drives, which often require more processing power to break or decode. Snowden used an encrypted email account from a now-closed private email company, Lavabit, when he sent out invitations to a mid-July meeting at Moscow's Sheremetyevo International Airport.

The operator of Lavabit LLC, Ladar Levison, suspended operations of the encrypted mail service in August, citing a pending "fight in the 4th (U.S.) Circuit Court of Appeals." Levison did not explain the pressures that forced him to shut the firm down but added that "a favourable decision would allow me to resurrect Lavabit as an American company."

The government asked the news organisations not to publish their stories, saying foreign enemies would switch to new forms of communication and make it harder for the NSA to break. The organisations removed some specific details but still published the story, they said, because of the "value of a public debate regarding government actions that weaken the most powerful tools for protecting the privacy of Americans and others."

Such tensions between government officials and journalists, while not new, have become more apparent since Snowden's leaks. Last month, Guardian editor Alan Rusbridger said that British government officials came by his newspaper's London offices to destroy hard drives containing leaked information. "You've had your debate," one UK official told him. "There's no need to write any more."

- AP

http://www.stuff.co.nz/world/americas/9134122/NSA-cracks-web-encryption

Pæs

http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

QuoteGovernment and industry have betrayed the internet, and us.

By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.

And by we, I mean the engineering community.

Yes, this is primarily a political problem, a policy matter that requires political intervention.

But this is also an engineering problem, and there are several things engineers can – and should – do.

One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by federal confidentiality requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don't cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.

We need to know exactly how the NSA and other agencies are subverting routers, switches, the internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I've just started collecting. I want 50. There's safety in numbers, and this form of civil disobedience is the moral thing to do.

Two, we can design. We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.

The Internet Engineering Task Force, the group that defines the standards that make the internet run, has a meeting planned for early November in Vancouver. This group needs to dedicate its next meeting to this task. This is an emergency, and demands an emergency response.

Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.

Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.

Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.

Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.

To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.

Q. G. Pennyworth

Fuckit, emailing the author to ask if I can Big Words that shit. Worst he can do is say no.

Mesozoic Mister Nigel

Quote from: Pæs on September 06, 2013, 02:02:00 AM
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

QuoteGovernment and industry have betrayed the internet, and us.

By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.

And by we, I mean the engineering community.

Yes, this is primarily a political problem, a policy matter that requires political intervention.

But this is also an engineering problem, and there are several things engineers can – and should – do.

One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by federal confidentiality requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don't cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.

We need to know exactly how the NSA and other agencies are subverting routers, switches, the internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I've just started collecting. I want 50. There's safety in numbers, and this form of civil disobedience is the moral thing to do.

Two, we can design. We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.

The Internet Engineering Task Force, the group that defines the standards that make the internet run, has a meeting planned for early November in Vancouver. This group needs to dedicate its next meeting to this task. This is an emergency, and demands an emergency response.

Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.

Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.

Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.

Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We've had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.

To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.

:mittens:
"I'm guessing it was January 2007, a meeting in Bethesda, we got a bag of bees and just started smashing them on the desk," Charles Wick said. "It was very complicated."


Junkenstein

http://www.bbc.co.uk/news/world-us-canada-23981291

QuoteUS and UK intelligence have reportedly cracked technology used to encrypt internet services such as online banking, medical records and email.

Disclosures by leaker Edward Snowden allege the US National Security Agency (NSA) and the UK's GCHQ are hacking key online security protocols.

The encryption techniques targeted are used by popular internet services such as Google, Facebook and Yahoo.

The NSA is said to spend $250m (£160m) a year on the top secret program.

It is codenamed Bullrun, an American civil war battle, according to the documents published by the Guardian in conjunction with the New York Times and ProPublica.

The British counterpart program is called Edgehill, after the first major engagement of the English civil war, say the documents.

I don't want to read anything into the names, but it would be very easy to.

QuoteUnder Bullrun, it is said that the NSA has built powerful supercomputers to try to crack the technology that scrambles and encrypts personal information when internet users log on to access various services.

The NSA also collaborated with unnamed technology companies to build so-called back doors into their software - something that would give the government access to information before it is encrypted and sent over the internet, it is reported.

As well as supercomputers, methods used include "technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications", the New York Times reports.

What this is increasingly looking like to me is that nothing online is or was ever secure. Ever. It seems more a case of "who do we have the resources and inclination to catch".
Nine naked Men just walking down the road will cause a heap of trouble for all concerned.

The Good Reverend Roger

Both programs are named after civil war battles in their respective countries?

:lulz:
" It's just that Depeche Mode were a bunch of optimistic loveburgers."
- TGRR, shaming himself forever, 7/8/2017

"Billy, when I say that ethics is our number one priority and safety is also our number one priority, you should take that to mean exactly what I said. Also quality. That's our number one priority as well. Don't look at me that way, you're in the corporate world now and this is how it works."
- TGRR, raising the bar at work.

Cain

-

The Good Reverend Roger

I foresee direct application of the LMNO Principle.
" It's just that Depeche Mode were a bunch of optimistic loveburgers."
- TGRR, shaming himself forever, 7/8/2017

"Billy, when I say that ethics is our number one priority and safety is also our number one priority, you should take that to mean exactly what I said. Also quality. That's our number one priority as well. Don't look at me that way, you're in the corporate world now and this is how it works."
- TGRR, raising the bar at work.

Junkenstein

QuoteWhat happens when a secret U.S. court allows the National Security Agency access to a massive pipeline of U.S. phone call metadata, along with strict rules on how the spy agency can use the information?

The NSA promptly violated those rules — "since the earliest days" of the program's 2006 inception — carrying out thousands of inquiries on phone numbers without any of the court-ordered screening designed to protect Americans from illegal government surveillance.

The violations continued for three years, until they were uncovered by an internal review, and the NSA found itself fighting to keep the spy program alive.

That's the lesson from hundreds of pages of formerly top secret documents from the Foreign Intelligence Surveillance Court, released today by the Obama administration in response to a successful Freedom of Information Act lawsuit brought by the Electronic Frontier Foundation.

"Incredibly, intelligence officials said today that no one at the NSA fully understood how its own surveillance system worked at the time so they could not adequately explain it to the court," says EFF activist Trevor Timm. "This is a breathtaking admission — the NSA's surveillance apparatus, for years, was so complex and compartmentalized that no single person could comprehend it

http://www.wired.com/threatlevel/2013/09/nsa-violations/

QuoteIn the most serious incident uncovered today, the NSA set up an automated system to add phone numbers to its data-mining watchlist. That system, called the "alert list process," completely bypassed the court-ordered review process, in which NSA personnel were supposed to ensure that nobody was monitored without "reasonable articulable suspicion" that they were tied to a foreign terrorist group or intelligence agency.

Between 2006 and 2009 some 17,835 phone numbers were queried, but only 1,935 of these were based on a RAS standard, as required by the court's order.

Nine naked Men just walking down the road will cause a heap of trouble for all concerned.

Bu🤠ns


Junkenstein

Nine naked Men just walking down the road will cause a heap of trouble for all concerned.

Bebek Sincap Ratatosk

Quote from: Junkenstein on September 06, 2013, 10:31:07 AM
http://www.bbc.co.uk/news/world-us-canada-23981291

QuoteUS and UK intelligence have reportedly cracked technology used to encrypt internet services such as online banking, medical records and email.

Disclosures by leaker Edward Snowden allege the US National Security Agency (NSA) and the UK's GCHQ are hacking key online security protocols.

The encryption techniques targeted are used by popular internet services such as Google, Facebook and Yahoo.

The NSA is said to spend $250m (£160m) a year on the top secret program.

It is codenamed Bullrun, an American civil war battle, according to the documents published by the Guardian in conjunction with the New York Times and ProPublica.

The British counterpart program is called Edgehill, after the first major engagement of the English civil war, say the documents.

I don't want to read anything into the names, but it would be very easy to.

QuoteUnder Bullrun, it is said that the NSA has built powerful supercomputers to try to crack the technology that scrambles and encrypts personal information when internet users log on to access various services.

The NSA also collaborated with unnamed technology companies to build so-called back doors into their software - something that would give the government access to information before it is encrypted and sent over the internet, it is reported.

As well as supercomputers, methods used include "technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications", the New York Times reports.

What this is increasingly looking like to me is that nothing online is or was ever secure. Ever. It seems more a case of "who do we have the resources and inclination to catch".

I've been digesting the possibilities for a while... I really want to know which encryption schemes they broke and which they got backdoors for. I mean, I can see supercomputers brute forcing DES (the 56-bit encryption used for most bank transfers etc. through the 90's and into the 21st century), or likely even 3DES (still in current usage). I can also see finding flaws in SSL 1, 2, 3 and TLS 1.1, because we know there are vulnerabilities in those, perhaps more than have already been found.

It seems unlikely to me that they have found a vulnerability in AES, or that they could brute force the AES key space on a supercomputer. Now if they have some distributed system running on every PS3, XBOX and Windows machine on the net... then I'd say they could probably brute force AES. Even if there's no flaw in the algorithm, I wouldn't be surprised if they were able to influence implementations by major companies to somehow weaken the crypto.

I really really would love to see more info :D
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

tyrannosaurus vex

Quote from: Bebek Sincap Ratatosk on September 12, 2013, 08:34:37 PM
Quote from: Junkenstein on September 06, 2013, 10:31:07 AM
http://www.bbc.co.uk/news/world-us-canada-23981291

QuoteUS and UK intelligence have reportedly cracked technology used to encrypt internet services such as online banking, medical records and email.

Disclosures by leaker Edward Snowden allege the US National Security Agency (NSA) and the UK's GCHQ are hacking key online security protocols.

The encryption techniques targeted are used by popular internet services such as Google, Facebook and Yahoo.

The NSA is said to spend $250m (£160m) a year on the top secret program.

It is codenamed Bullrun, an American civil war battle, according to the documents published by the Guardian in conjunction with the New York Times and ProPublica.

The British counterpart program is called Edgehill, after the first major engagement of the English civil war, say the documents.

I don't want to read anything into the names, but it would be very easy to.

QuoteUnder Bullrun, it is said that the NSA has built powerful supercomputers to try to crack the technology that scrambles and encrypts personal information when internet users log on to access various services.

The NSA also collaborated with unnamed technology companies to build so-called back doors into their software - something that would give the government access to information before it is encrypted and sent over the internet, it is reported.

As well as supercomputers, methods used include "technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications", the New York Times reports.

What this is increasingly looking like to me is that nothing online is or was ever secure. Ever. It seems more a case of "who do we have the resources and inclination to catch".

I've been digesting the possibilities for a while... I really want to know which encryption schemes they broke and which they got backdoors for. I mean, I can see supercomputers brute forcing DES (the 56-bit encryption used for most bank transfers etc. through the 90's and into the 21st century), or likely even 3DES (still in current usage). I can also see finding flaws in SSL 1, 2, 3 and TLS 1.1, because we know there are vulnerabilities in those, perhaps more than have already been found.

It seems unlikely to me that they have found a vulnerability in AES, or that they could brute force the AES key space on a supercomputer. Now if they have some distributed system running on every PS3, XBOX and Windows machine on the net... then I'd say they could probably brute force AES. Even if there's no flaw in the algorithm, I wouldn't be surprised if they were able to influence implementations by major companies to somehow weaken the crypto.

I really really would love to see more info :D

ITT, we find out what "Folding @ Home" really does.
Evil and Unfeeling Arse-Flenser From The City of the Damned.

Bebek Sincap Ratatosk

Quote from: V3X on September 12, 2013, 09:48:47 PM
Quote from: Bebek Sincap Ratatosk on September 12, 2013, 08:34:37 PM
Quote from: Junkenstein on September 06, 2013, 10:31:07 AM
http://www.bbc.co.uk/news/world-us-canada-23981291

QuoteUS and UK intelligence have reportedly cracked technology used to encrypt internet services such as online banking, medical records and email.

Disclosures by leaker Edward Snowden allege the US National Security Agency (NSA) and the UK's GCHQ are hacking key online security protocols.

The encryption techniques targeted are used by popular internet services such as Google, Facebook and Yahoo.

The NSA is said to spend $250m (£160m) a year on the top secret program.

It is codenamed Bullrun, an American civil war battle, according to the documents published by the Guardian in conjunction with the New York Times and ProPublica.

The British counterpart program is called Edgehill, after the first major engagement of the English civil war, say the documents.

I don't want to read anything into the names, but it would be very easy to.

QuoteUnder Bullrun, it is said that the NSA has built powerful supercomputers to try to crack the technology that scrambles and encrypts personal information when internet users log on to access various services.

The NSA also collaborated with unnamed technology companies to build so-called back doors into their software - something that would give the government access to information before it is encrypted and sent over the internet, it is reported.

As well as supercomputers, methods used include "technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications", the New York Times reports.

What this is increasingly looking like to me is that nothing online is or was ever secure. Ever. It seems more a case of "who do we have the resources and inclination to catch".

I've been digesting the possibilities for a while... I really want to know which encryption schemes they broke and which they got backdoors for. I mean, I can see supercomputers brute forcing DES (the 56-bit encryption used for most bank transfers etc. through the 90's and into the 21st century), or likely even 3DES (still in current usage). I can also see finding flaws in SSL 1, 2, 3 and TLS 1.1, because we know there are vulnerabilities in those, perhaps more than have already been found.

It seems unlikely to me that they have found a vulnerability in AES, or that they could brute force the AES key space on a supercomputer. Now if they have some distributed system running on every PS3, XBOX and Windows machine on the net... then I'd say they could probably brute force AES. Even if there's no flaw in the algorithm, I wouldn't be surprised if they were able to influence implementations by major companies to somehow weaken the crypto.

I really really would love to see more info :D

ITT, we find out what "Folding @ Home" really does.

I can't wait to see the list of companies that colluded with the government to create flaws in stuff sold as 'secure'. The Sony rootkit will look tiny in comparison.
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

Junkenstein

Think every shitty (and some decent) antivirus for one. Think any/all DRM too. I'd assume at this point that if it's encryption you can buy, rather than something you built yourself from scratch with the resources of a small nation to test it, it's either compromised or can be compromised, if someone were so inclined.

Twitter just announced plans to float on the stock exchange. Pretty much any/all major social media will have NSA oversight by now, and twitter is too universal to just ignore.
Nine naked Men just walking down the road will cause a heap of trouble for all concerned.