Recall how Huawei got raked over the coals in the US congress, and now realize that every US networking hardware company is going to get the same treatment in pretty much every country in the world they try to sell to.
Nailed it. Here's hoping there's a silver lining to the damage that the us tech industry will take over this - harder resistance when gov comes calling with inappropriate requests. Increasing public Opposition and lobbying from tech giants. More companies willing to speak out despite the legal risk.
> harder resistance when gov comes calling with inappropriate requests
Not at all, now such laws going to be established across the world in order to "bring us in line with international law." Broad-sweeping and baseless surveillance is going to be called "nothing new" and "widely utilized for the benefit of law enforcement."
This is another effect of globalization -- if one government gets an advantage over another due to lax privacy laws then the rest have to follow suit.
The NSA's bottom line is this: If China has a Great Firewall and we can't have one, then we must have the capability to decrypt everything.
And yet full and anonymous disclosure[1] is eschewed for "responsible" disclosure. Hopefully we can move beyond the insane money-making scheme known as "whitehat" and "ethical hacking" security research.
The zero-day exploit market[2] deserves fair mention too, especially since a variety of three-letter agencies across the planet are some of the largest purchasers. Zero-day exploit purchases and sales haven't had any news publicity at all, even though it's effectively comparable to trafficking nuclear warheads.
Both nuclear warheads and zero-day exploits are used as leverage between competing security organizations and competing nation states, both are being stockpiled, and both are exceedingly dangerous. We're on the cusp of global network warfare and it's just starting to become clear how terrifying and widespread it is. America's rivalry with China is in over-drive now.
I'm not saying that security researchers don't deserve to be paid for their work, but that we should be plain and honest about their work: it can be for the good of humanity or it can be for the destruction of humanity, there's very little inbetween.
And yet what is it for? Fighting terrorists and drug dealers, and protecting children and intellectual property?
With mutually assured destruction, generally everyone is discouraged from attacking because they know they will suffer just as much. However, all it takes is a single rogue state to trigger a free-for-all. We almost saw it in the Cold War, we did see it (and are currently seeing it) in the phone patent arena, and we could end up seeing it in security vulnerabilities sooner rather than later.
The distinction is that reconnaissance/espionage can be done quietly without destroying any hardware or disrupting data integrity, and it's far more difficult to pinpoint who is responsible for offensive/exploitative network operations. The number of organizations across the world that have nuclear capabilities is quite small, however the number of those with offensive security operations capabilities is quite high. The anonymity provided by the depth of the internet is a double-edged sword.
Furthermore the splash damage from Stuxnet/Flame is a testament to the distinct lack of surgical precision normally afforded by missiles.
Also, zero-day exploits can retain their usefulness even after it's been deployed, meanwhile a missile is gone when deployed.
So, we all knew that this was probably going to be announced at some point or another, but I find myself amazingly dissatisfied by this article.
I was expecting more detailed evidence. How did they break SSL? Do they just have root certificate copies, or just the certs used for the certain specific sites that they're monitoring data transfer on passively?
The article claims that many VPN technologies are broken, but which ones? Are they talking about specific products here, or actual technologies in use?
The newspaper is walking a very fine line between writing this up and disclosing things that would give ammo to those that would rather shut these things down under any pretext including 'helping the enemy'. The things you are asking for are exactly in that direction.
The problem I have with that is that the things asked for affect myself and a significantly large number of ethical and/or law-abiding individuals and businesses. If revealing this info would help the enemy, and if many of us would benefit from knowing this information, doesn't that make many of us part of "the enemy"?
The catch-22 here is that revealing specific details might both "aid the enemy" and aid ordinary people to protect their privacy. Because the government only cares about the former, any appeal to the merits of the latter will fall on deaf ears. The Guardian & NYT know this and the pertinent individuals don't want to end up in court getting the Manning treatment.
The government wanted to use its treatment of Manning to deter leaking of future information, and it has already succeeded in doing so here. It's rule by intimidation, making our government little more than a well organized mafia.
I agree with your point: the Times and The Guardian should avoid getting shut down over "helping the enemy".
However, some folks will want to know what's compromised to avoid becoming part of the collateral damage. I do, for example. Some other folks would like to know this in order to do some Forensic Economics. Like the mid-50s Central American coups, I imagine insiders could profit off this sort of thing in a big way.
It would be nice to know if the NSA has pushed Microsoft products solely because of the ability to influence weird little design decisions that could become trapdoors. That way, we could relieve the Linux people's big question about why the "Year of the Linux Desktop" never arrived.
The year of the Linux Desktop for me was 2004... It doesn't arrive at the same point in time for everybody, but the NSA had very little to do with it arriving for me.
The NSA does not hold control over the purchasing decisions made in countless governments and companies all over the world, for that to be a legitimate worry you'd have to show that in America linux was used substantially less where it should have been used compared to other countries. I doubt you could make that case convincingly.
My guess:
-SSL protects only as far as the cloud; they sits after decryption and can get the clear text data
-They can hack into people's computers (using zero day) and read the data before it's ever encrypted
-SSL/TLS do not offer forward security, so the encrypted data can be stored and then cracked if/when the keys become available later
-Man-in the middle attacks that substitute fake keys to both sides and capture the data anyway. It hepls if they captured one or more certificate authorities.
-Brute-force attacks against poorly-configured keys (too short) for SSL and VPNs.
* direct (yet coerced) cooperation by the corps (goog, fb, etc)
* RNG prediction based on planted flaws in various components
* direct backdoors placed in certain mfr chips (see my comment about being told cisco was required to provide backdoors as early as 1997)
---
You're correct - that we knew that this was going to be revealed. We did not know if it was going to be "NSA's quantum computer the size of a datacenter cracks all encryption in real-time" or the above multi-vector attack.
What is important to see here though is that there is, effectively, absolutely NO escape from NSA eyes.
If you encrypt, they will get you. If you refuse them, they will shut you down. If you build a whole new service to thwart them - maybe they could even lean on PayPal to freeze your funds as well /tin-foil....
"Intelligence officials asked the Guardian, New York Times and ProPublica not to publish this article, saying that it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read.
The three organisations removed some specific facts but decided to publish the story because of the value of a public debate about government actions that weaken the most powerful tools for protecting the privacy of internet users in the US and worldwide."
Was there a fuller version of this article available to the public at some point?
Probably not. Apparently they're running all these articles by the NSA, GCHQ, etc first. Which I think is beyond ridiculous at this point. This is probably the most damning article of them all so far, and we all deserve to know the precise scope of these organizations' cryptanalytic capabilities that regard the public as "adversaries."
So this whole thing is one big "limited hangout" - designed to get some info out there and let the angst swell, then subside -- alowing for nothing to change.
It's basically one globally conditioning effort to reveal and get the world to accept, there is utterly zero privacy. Everything you do is monitored and watched. Period. Oh - and we forcefully and violently protect our stealing of your income to fund this.
I agree it's ridiculous. However, given what happened to Chelsea Manning, and given that the Guardian, NYT, etc can't always know in advance what could be construed as "aiding the enemy" it's sensible (in a self-preserving sense of the word) for them to get a NSA/GCHQ opinion on what pieces would "aid the enemy" and what wouldn't. They don't necessarily have to listen to the NSA or GCHQ, but later in court they can legitimately claim that they made an honest effort to avoid divulging information that would aid the enemy.
Actually it's a good thing they are able to get a response from agencies about their information. Their response in this case supports that the leaked information is real and also that the agencies care about its release. This just strengthens the case against them and reinforces the idea that they are the bad guys in the story.
Nope. Newspapers working with leaked documents like this usually give governments a heads-up that they will be running such and such a story and they ask for input on what should or shouldn't get published. They then take that into consideration.
As untog noted (https://news.ycombinator.com/item?id=6336178) in the discussion of the NYT piece on this topic, it's important to note that it's not like our security measures put up a fight and were defeated. They were mooted by a total circumvention. They never came into play. This is what I was talking about in an opinion piece recently on tc (http://techcrunch.com/2013/08/25/the-maginot-line/).
Laws need to be improved, but we may be able to find good point to point methods that don't rely on security methods with vulnerabilities baked into the silicon.
> "Project Bullrun deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." The document reveals that the agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.
If what the US and UK are doing "undermines the fabric" of the Internet, what about what China and Russia are doing? Should we not bother worrying about them because we just expect them to be evil?
