What worries me most about the NSA fibre issue...
Is not that they are monitoring me. I have nothing to hide. Other than the usual, which is encrypted in utorrent, apparently.
What worries me more is, what if they were to perform covert MiTM attacks? They are in the perfect position to do so. Anyone using online banking could be targeted and suddenly they have no money. Or they could transfer money into people's accounts and make them look like money launderers, so they could be arrested.
Yes yes, it is all a bit conspiracy theory-ish... but if I had suggested I thought the NSA was mirroring fibre a year ago you would think the same.
This is what worries me over the debacle, as most data appears to pass through the USA.
28 comments
[ 1.7 ms ] story [ 75.1 ms ] threadRegards MiTM attacks, yes they could but then again they always could. It wouldn't be 100% undetectable though since they would have to change the key/cert for sites they wanted to MiTM. Certificate pinning may address this issue in future.
Could you elaborate? Assume you mean using a VPN service while downloading.
Turning on encryption is a way to work around bandwidth throttling and deep packet inspection, not a method to protect your identity or activity.
I don't use a VPN, I probably should use a Seedbox or something, not in my name and paid for in cash, but I don't do it often enough to be bothered...yet.
OTOH PPTP has it's own set of security problems.
I wouldn't have. Were you unaware of this (from 2006)? http://en.wikipedia.org/wiki/Room_641A
Your utorrent encryption is merely useful to thwart some forms of bandwidth throttling, it is not hiding you or your sharing/downloading.
NSA could do such MiTM attacks, it's been a known possibility for years. but why would they rely on this kind of attacks as they probably have a copy of the private key of the party your communicating with (or something along these lines as was shown with lotus notes).
Also they already have other ways to seize and freeze assets, so you shouldn't have to worry about this specific abuse. There's more than enough to worry about the rest.
The SHA-1 hash in your average SSL cert might be more expensive to attack than MD5, but that doesn't make me feel much better.
The mitigating factor here is that it seems like this could only be used on a case by case basis against a small number of people, since it would be found out if widely deployed.
Also, we only have evidence of traffic interception and not tampering. Actually writing to the stream, i.e. performing a MitM on an SSL connection, is probably a lot harder than just copying all traffic.
[1] http://arstechnica.com/security/2012/06/flame-crypto-breakth...
This is not a valid argument. See http://www.thoughtcrime.org/blog/we-should-all-have-somethin... and http://kottke.org/13/06/you-commit-three-felonies-a-day
- there are too many laws to keep track of - we could potentially violate any of them
- even if you have a squeaky clean record you can still be targeted for blackmail through your circle of friends and family - if they did anything bad - drugs, etc - you are at risk too
- it's a reversal of the presumption of innocence; we are now all potential terrorists plotting in secret
> what if they were to perform covert MiTM attacks?
Then you would be pwned.
However, active MitM attacks are generally targeted. They can only get away with so many for so long before they are detected. Their scope can be quite large however. The entire country of Iran was MitM'd for some weeks before a single Chrome user reported seeing a cert error in Gmail. The Flamer malware MitM'd unattended systems apparently for years.
So if I were the target of the NSA, I'd expect them to get me with drive-by malware. A bit of malware is much easier to replace than backbone fiber access if the capability is 'burned'.
However, there are an unlimited number of other attackers out there in the world, most with 'catch as catch can' capabilities. That public Wifi or hotel internet could easily be hostile and the attacker may not have much to lose.
Those at the top of this informational food chain who are able to abuse it are most likely to abuse it in a way that benefits them most directly by blackmailing and otherwise undermining the influence of their competitors. In this manner it makes the consolidation and perpetuation of political power more efficient by orders of magnitude compared to those who have no access or very limited access to these surveillance programs.
This is dangerously destabilizing to a democratic society. If we have no real competition for authority, there are no real checks on that authority. The US is grooming an autarch.
1. as was pointed out on an HN top story a week ago, if the surveillance is accepted by the public, then the public will accept regulations prohibiting use of software to avoid surveillance (i.e., most tools useful to software developers). I'm not really looking forward to the day when downloading crypto software requires me to pay certification fees and have an ID verifying that I'm a licensed software engineer.
2. I can't wait for the day when we can type with our brains (and no hands). Maybe we do that with pupil tracking software or facial cues... or maybe via direct brainwave input. Some products like this already exist, but they're in their infancy. One day though, when we all have bluetooth head masks and carpal tunnel is a thing of the past, I don't want every thought I have tracked by guys at an NSA lab... and I doubt the government wants that either, but it's going to be hard to not have them get that data.
... and I guess the third problem is just basically the death of liberty. But that's a harder issues to argue about, amazingly, when people are worried about terrorism.