Prism and Verizon surveillance discussion thread

Started by Junkenstein, June 06, 2013, 02:19:29 PM

Junkenstein

Quote: He's basically monetized what should be public information.

There's more to it than just that though. By his own statements this is incredibly important information that should be freely available to the public. This is a proto-version of for-profit whistleblowing and the potential implications of that are interesting to say the least.

The various NSA data is incredibly valuable, there's no question about that. The problem is that until now it was valuable in the same way as ancient art or beauty. Now it's valuable in the same way a new car is. Very, for a very short time and worthless not long after.

Nine naked Men just walking down the road will cause a heap of trouble for all concerned.

Junkenstein

Not strictly related now, but I bet this will be in the next few years:
http://www.bbc.co.uk/news/technology-26222424

Quote: Google has acquired SlickLogin - an Israeli start-up behind the technology that allows websites to verify a user's identity by using sound waves.

It works by playing a uniquely generated, nearly-silent sound through computer speakers, which is picked up by an app on the user's smartphone.

The app analyses the sound and sends a signal back to confirm the identity.

The technology can be used either as a replacement for a password or as an additional security layer.

Quote: "The more uniquely a technology identifies the user, the safer the system would be against any potential hacks," Sharat Sinha, a vice president with Palo Alto Networks, a firm specialising in enterprise security, told the BBC.

The other side to that is that the more uniquely a technology IDs a user, the more power you have if you gain unauthorised access. So while you may be "safer" on the one side, there's a host of other vulnerabilities that are exposed if it gets beaten. "Beaten" in this context means that someone steals your phone, which never occurs in modern society at all.

Junkenstein

More directly related:
http://www.bbc.co.uk/news/world-europe-26210053

Quote: German Chancellor Angela Merkel is proposing building up a European communications network to help improve data protection.

It would avoid emails and other data automatically passing through the United States.

In her weekly podcast, she said she would raise the issue on Wednesday with French President Francois Hollande.

This could get funny.

Quote: A foreign policy spokesman for Mrs Merkel's Christian Democrats, Philipp Missfelder, recently said revelations about US spying had helped bring relations with Washington down to their worst level since the US-led invasion of Iraq in 2003.

Germany has been trying to persuade Washington to agree to a "no-spy" agreement but without success.

Lots of popcorn potential here. The UK position will no doubt be hilarious, whatever that position is.

Junkenstein

http://www.bbc.co.uk/news/technology-26240140

Quote: Game maker Valve has sought to defuse a row over data it gathers about people who play its games.

The row started on social news site Reddit after someone reverse-engineered the software Valve uses to spot cheats.

Screenshots of data logged by the software suggested Valve was building a list of every website players visited.

Valve boss Gabe Newell said it did grab data but only in a very small number of cases to help ban those people who used specially-written cheat software.

Quote: Mr Newell said that Valve's anti-cheat system looked at that Windows log for the names of servers known to be used by people and groups that sell cheats.

These servers check that a person has actually paid to use a cheat.

Only if a PC was spotted contacting one of these servers was information passed to Valve, said Mr Newell in his message. The data was passed to Valve so it could then ban a player.

Some 570 people had been banned by this server-checking system, he added.

Cheat makers had now moved on from using this server-based system, largely because Valve had tackled it, he said.

In the closing sentences of the message, Mr Newell categorically denied that Valve was gathering information about where people go online.

He added that it was in the interest of cheaters to throw doubt on the trust people place in Valve, as that would help them get more customers.

"Is Valve using its market success to go evil? I don't think so, but you have to make the call if we are trustworthy," he wrote. "We try really hard to earn and keep your trust

It can be reasonable to assume that Valve and more particularly Steam are of interest to the NSA given the nature of the services and communication channels they contain. It would therefore be reasonable to assume that they are already being monitored in some ways.

Is Valve potentially complicit in the activities? Well, I'd have preferred an outright denial compared to the above statement. Let's just say if he is, I won't be shocked.

Pæs

The explanation by Gabe seemed decent, IMO. People who make hax build in anti-theft systems because those who use hax for games are unlikely to buy them if they're freely available. Those anti-theft systems phone home to say "Hey, am I a registered copy?".

His explanation claimed that only if Valve's anti-cheat system detects a cheat does it then check your DNS cache to see if your machine has been contacting those servers. If it finds that your machine has been contacting those cheat servers, it hashes the DNS entry and sends it to Valve.
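The gating-and-hashing flow described in the post above, as an added illustration that is not Valve's code and not from the original thread: the DNS cache, the known-server list and the SHA-256 choice are all constructed assumptions. The last function shows the caveat a privacy reviewer would raise, which is that a hashed hostname is only as private as the hostname is hard to guess.

```python
import hashlib

# Constructed sample of a local DNS resolver cache (hypothetical hostnames).
DNS_CACHE = [
    "example.com",
    "update.example-game-cdn.net",
    "license.cheat-vendor.example",   # constructed "cheat licence server"
    "mail.example.org",
]

# Constructed list of hostnames the anti-cheat vendor treats as cheat
# licensing servers. Only hashes of matching entries leave the client.
KNOWN_CHEAT_SERVERS = ["license.cheat-vendor.example", "auth.other-cheat.example"]


def hash_hostname(name: str) -> str:
    """SHA-256 of the normalised hostname (the hash algorithm is an assumption)."""
    return hashlib.sha256(name.strip().lower().rstrip(".").encode()).hexdigest()


KNOWN_HASHES = {hash_hostname(h) for h in KNOWN_CHEAT_SERVERS}


def report_for_upload(cheat_detected: bool, dns_cache) -> list:
    """Gate the DNS-cache check on a cheat detection, then return only the
    hashes of cache entries that match the known-server list."""
    if not cheat_detected:
        return []  # nothing is read or sent when no cheat was detected
    hashes = (hash_hostname(n) for n in dns_cache)
    return sorted(h for h in hashes if h in KNOWN_HASHES)


def reverse_hashes(hashes, candidate_names) -> dict:
    """Privacy caveat: whoever holds a list of candidate hostnames can map each
    uploaded hash back to the name it came from, so hashing hides nothing about
    hostnames that appear on such a list."""
    table = {hash_hostname(n): n for n in candidate_names}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    print("no detection:", report_for_upload(False, DNS_CACHE))
    uploaded = report_for_upload(True, DNS_CACHE)
    print("uploaded hashes:", uploaded)
    print("recovered by dictionary:", reverse_hashes(uploaded, DNS_CACHE))
```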

Junkenstein

This feels related:
http://www.bbc.co.uk/news/technology-26954540

Quote: The Yahoo blogging platform Tumblr has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking".

Security advisers have given similar warnings about the Heartbleed Bug.

It follows news that a product used to safeguard data could be compromised to allow eavesdropping.

OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.

If an organisation employs OpenSSL, users see a padlock icon in their web browser - although this can also be triggered by rival products.

Those affected include Canada's tax collecting agency, which halted online services "to safeguard the integrity of the information we hold".

However, experts stress that they have no evidence of cybercriminals having harvested the passwords and that users should check which services have fixed the flaw before changing their login.

It may be paranoia, but when I read about things like this, I have to wonder if the flaw was in fact deliberately designed. It would seem ideal to harvest the exact kind of data that government agencies want so much. Of course, there would be no benefit in alerting the public to its existence in that case. Unless someone else either already knew about it and was exploiting it (Russia?) or you had something in the works that serves the purpose even better.

Of course, this is lunatic speculation with no basis in reality at all.

Faust

Quote from: Junkenstein on April 10, 2014, 08:19:52 AM
this is lunatic speculation with no basis in reality at all.

See, pre-Snowden this was a reasonable thing to say. It's not any more: we have allegations that the NSA deliberately weakened certain encryption standards.

We've known for a while that they have had access to the sites' private keys, but it was assumed they were requested/demanded. It seems reasonable to speculate that they had alternative means of extracting them in light of this bug.
Sleepless nights at the chateau

Junkenstein

Keeping the funny flowing: GCHQ investigates self, amazingly finds no problems at all:
http://www.bbc.co.uk/news/uk-26936116

Quote: He found that even though so-called "general warrants" provide for large-scale collection of material, this was primarily focused on foreign traffic, and GCHQ could not indiscriminately trawl through it.

As a result, he said, there was no "sentient" intrusion into the private affairs of UK citizens - in other words, by a person rather than in automated fashion by a computer.

He also said he had found no evidence that GCHQ was circumventing the law by getting material from the US that it did not have the power to access itself.

Home Secretary Theresa May said the report "makes clear the intelligence agencies, law enforcement agencies and other public authorities operate lawfully, conscientiously and in the national interest".

Seems to imply there is, in fact, non-sentient intrusion into all UK (at a minimum) communications and private affairs. It's only when you become interesting that they let a person look through it all.

Quote: Foreign Secretary William Hague, the minister responsible for GCHQ, said: "A senior and fully independent judge has looked in detail at whether the interception agencies 'misuse their powers to engage in random mass intrusion into the private affairs of law abiding UK citizens'.

"He has concluded that the answer is 'emphatically no'.

He further went on to state "Shut up."

Junkenstein

Quote from: Faust on April 10, 2014, 09:11:06 AM
Quote from: Junkenstein on April 10, 2014, 08:19:52 AM
this is lunatic speculation with no basis in reality at all.

See, pre-Snowden this was a reasonable thing to say. It's not any more: we have allegations that the NSA deliberately weakened certain encryption standards.

We've known for a while that they have had access to the sites' private keys, but it was assumed they were requested/demanded. It seems reasonable to speculate that they had alternative means of extracting them in light of this bug.

I'm still stumbling on the "Why tell people then?" side though. Most articles seem to indicate it's relatively easy to exploit, once/if you know about it. What's the benefit in making that easier for many unless you've got a secondary system already in place that's more effective?

A more relevant question at this point may be "What ISN'T compromised?" I'm leaning more towards the idea of any kind of security basically being a nice self-delusion.

Faust

Quote from: Junkenstein on April 10, 2014, 09:25:37 AM
Quote from: Faust on April 10, 2014, 09:11:06 AM
Quote from: Junkenstein on April 10, 2014, 08:19:52 AM
this is lunatic speculation with no basis in reality at all.

See, pre-Snowden this was a reasonable thing to say. It's not any more: we have allegations that the NSA deliberately weakened certain encryption standards.

We've known for a while that they have had access to the sites' private keys, but it was assumed they were requested/demanded. It seems reasonable to speculate that they had alternative means of extracting them in light of this bug.

I'm still stumbling on the "Why tell people then?" side though. Most articles seem to indicate it's relatively easy to exploit, once/if you know about it. What's the benefit in making that easier for many unless you've got a secondary system already in place that's more effective?

A more relevant question at this point may be "What ISN'T compromised?" I'm leaning more towards the idea of any kind of security basically being a nice self-delusion.

Well, there is that: if it is so easy to exploit, then so would everyone.

Here's from Snowden a few weeks ago on that exact topic: "They're building in backdoors that not only the NSA can exploit, but anyone else who has time and money to research and find it can then use to let themselves in to the world's communications. And this is really dangerous, because if we lose a single standard, if we lose the trust of something like SSL, which was specifically targeted by the Bullrun program, we will live a less safe world overall."

And its specific impact on intellectual property, fingering the Chinese as also being able to exploit such a system:

"So by reducing the security of our communications, they're not only putting the world at risk, they're putting America at risk in a fundamental way, because intellectual property is the basis, the foundation of our economy, and if we put that at risk through weak security, we're going to be paying for it for years"

https://www.ted.com/talks/edward_snowden_here_s_how_we_take_back_the_internet/transcript#t-72841

It is safe to say that any system is never fully secured especially over long periods of time.

Cain

As I recall, there were allegations of this exact thing happening in regard to the Chinese Gmail hack. The NSA put a backdoor into Gmail, Chinese hackers found it, and stole a whole load of emails.

P3nT4gR4m

Was wondering about this angle too but not from the "NSA breaking the news cos they no longer give a fuck" angle. Is it possible only the NSA knew of the flaw? Is it possible they somehow infiltrated the dev project and wrote the glitch in themselves, either as one of the team or by hacking the project repo somehow?

Maybe Google did just find the exploit and released it, in the interests of security? Maybe the NSA are suddenly pissed off as motherfuckers :lulz:

I'm up to my arse in Brexit Numpties, but I want more.  Target-rich environments are the new sexy.
Not actually a meat product.
Ass-Kicking & Foot-Stomping Ancient Master of SHIT FUCK FUCK FUCK
Awful and Bent Behemothic Results of Last Night's Painful Squat.
High Altitude Haggis-Filled Sex Bucket From Beyond Time and Space.
Internet Monkey Person of Filthy and Immoral Pygmy-Porn Wart Contagion
Octomom Auxillary Heat Exchanger Repairman
walking the fine line line between genius and batshit fucking crazy

"computation is a pattern in the spacetime arrangement of particles, and it's not the particles but the pattern that really matters! Matter doesn't matter." -- Max Tegmark

Faust

Hypothetically speaking, if the NSA were to have introduced the bug to allow themselves access, it is probable that they did not release the knowledge of it into the wild. Either one of the companies that have been bent over the barrel, like Yahoo, Google, etc., released it to get rid of another hook that the NSA has in their system, or, far more likely, it was discovered in the wild by some random IT guy and made public knowledge.

Either way, if it leads to changes in the SSL standard it could lead to a far more secure web, not just in terms of snooping busybody governments but from all manner of threat.

P3nT4gR4m

Hell yeah, it's a good thing. It also appears Google left Yahoo out to dry a bit, pointedly informing a few tech giants a week or so before they went public but leaving Yahoo off the mailing list. Don't be evil but, y'know, fuck Yahoo :lulz:


Faust

Quote from: P3nT4gR4m on April 10, 2014, 01:55:29 PM
Hell yeah, it's a good thing. It also appears Google left Yahoo out to dry a bit, pointedly informing a few tech giants a week or so before they went public but leaving Yahoo off the mailing list. Don't be evil but, y'know, fuck Yahoo :lulz:

Yeah, I saw that: they changed their certs on 02/04, but Yahoo and Microsoft didn't.