What worries me most about the NSA fibre issue...

41 points by thesmileyone ↗ HN
Is not that they are monitoring me. I have nothing to hide. Other than the usual, which is encrypted in utorrent, apparently.

What worries me more is, what if they were to perform covert MiTM attacks? They are in the perfect position to do so. Anyone using online banking could be targeted and suddenly they have no money. Or they could transfer money into people's accounts and make them look like money launderers, so they could be arrested.

Yes yes, it is all a bit conspiracy theory-ish... but if I had suggested I thought the NSA was mirroring fibre a year ago you would think the same.

This is what worries me over the debacle, as most data appears to pass through the USA.

28 comments

[ 1.7 ms ] story [ 75.1 ms ] thread
Just an FYI, encrypting your uTorrent downloads won't stop you getting busted if you are down/uploading copyrighted material.

Regards MiTM attacks, yes they could but then again they always could. It wouldn't be 100% undetectable though since they would have to change the key/cert for sites they wanted to MiTM. Certificate pinning may address this issue in future.

> encrypting your uTorrent downloads won't stop you getting busted if you are down/uploading copyrighted material.

Could you elaborate? Assume you mean using a VPN service while downloading.

He most likely meant encrypted data transfer, which it built into many torrent clients.
From what OP said, I understood he meant turning on encryption in the bittorrent client, not using a VPN.

Turning on encryption is a way to work around bandwidth throttling and deep packet inspection, not a method to protect your identity or activity.

Yeah, just the "Forced Encryption". First layer, just to stop my ISP flagging me straight away.

I don't use a VPN, I probably should use a Seedbox or something, not in my name and paid for in cash, but I don't do it often enough to be bothered...yet.

I meant just encrypting transfer of torrent data.
Just wondering: Does MiTM work the same way for VPNs as it does for "regular" connections? Like if I am in country X and connecting to a VPN in country Z, does that impact the MiTM possibilities?
Depends if you are using the CA system or preshared keys to verify the VPN.

OTOH PPTP has it's own set of security problems.

The "nothing to worry about if you have nothing to hide" argument has been debunked countless times and made the front page of HN in the last week at least twice. Privacy is a building block foundation for freedom. You can't have freedom without privacy.

Your utorrent encryption is merely useful to thwart some forms of bandwidth throttling, it is not hiding you or your sharing/downloading.

NSA could do such MiTM attacks, it's been a known possibility for years. but why would they rely on this kind of attacks as they probably have a copy of the private key of the party your communicating with (or something along these lines as was shown with lotus notes).

Also they already have other ways to seize and freeze assets, so you shouldn't have to worry about this specific abuse. There's more than enough to worry about the rest.

It's possible that a MitM like this is feasible. Recall that the author of the Flame malware that targeted Iranian computers used a hash collision attack on the MD5 hash for a trusted certificate, which essentially allowed them to create their own certificate that hashed to the same value as the real certificate. [1]

The SHA-1 hash in your average SSL cert might be more expensive to attack than MD5, but that doesn't make me feel much better.

The mitigating factor here is that it seems like this could only be used on a case by case basis against a small number of people, since it would be found out if widely deployed.

Also, we only have evidence of traffic interception and not tampering. Actually writing to the stream, i.e. performing a MitM on an SSL connection, is probably a lot harder than just copying all traffic.

[1] http://arstechnica.com/security/2012/06/flame-crypto-breakth...

When the forged certificate was created MD5 has been _throughly_ broken for a long time, much more so than SHA-1 even now.
This is silly. a corrupt gov does not need rubegoldberg machines. They have much more efficient ways of jailing you.
More importantly they get more out of publicly screwing you over. You become an example, something that instills fear in the population. The government's treatment of you makes their job easier because people self-censor or adjust their behavior, assuming that they're monitored and would be caught, which means the government needs to tap and monitor less.
"Is not that they are monitoring me. I have nothing to hide."

This is not a valid argument. See http://www.thoughtcrime.org/blog/we-should-all-have-somethin... and http://kottke.org/13/06/you-commit-three-felonies-a-day

tl;dr

- there are too many laws to keep track of - we could potentially violate any of them

- even if you have a squeaky clean record you can still be targeted for blackmail through your circle of friends and family - if they did anything bad - drugs, etc - you are at risk too

- it's a reversal of the presumption of innocence; we are now all potential terrorists plotting in secret

You are right to worry.

> what if they were to perform covert MiTM attacks?

Then you would be pwned.

However, active MitM attacks are generally targeted. They can only get away with so many for so long before they are detected. Their scope can be quite large however. The entire country of Iran was MitM'd for some weeks before a single Chrome user reported seeing a cert error in Gmail. The Flamer malware MitM'd unattended systems apparently for years.

So if I were the target of the NSA, I'd expect them to get me with drive-by malware. A bit of malware is much easier to replace than backbone fiber access if the capability is 'burned'.

However, there are an unlimited number of other attackers out there in the world, most with 'catch as catch can' capabilities. That public Wifi or hotel internet could easily be hostile and the attacker may not have much to lose.

While we should of course be concerned about the privacy implications these programs hold for ordinary American citizens, it's also important to think about the implications these resources have on the class of people who are most likely to be targeted: the immediate competitors and enemies of those who have access to them. While everyone's privacy is threatened by these surveillance tools, there are 300,000,000 everyones. Only a tiny subset of that pool has direct, palpable influence into the political power elite. They are the ones most likely to have this infiltration of their lives used against them.

Those at the top of this informational food chain who are able to abuse it are most likely to abuse it in a way that benefits them most directly by blackmailing and otherwise undermining the influence of their competitors. In this manner it makes the consolidation and perpetuation of political power more efficient by orders of magnitude compared to those who have no access or very limited access to these surveillance programs.

This is dangerously destabilizing to a democratic society. If we have no real competition for authority, there are no real checks on that authority. The US is grooming an autarch.

I was under the impression that they used beam splitters to get a copy of the data going over the fiber. It is my understanding that they can only receive data this way, not send it.
Wouldn't simply owning the DNS be more efficient?
If I was an NSA analyst who could spy on who ever I wanted, I would not be keen to throw people in jail, but seducing women would be fun; I think there is even a movie about it.
Really? Do you know the title? I once worked on developing a romantic comedy along the same lines, but the NSA guy was a matchmaker. I would be interesting to see how such a film did in the marketplace.
(comment deleted)
What worries me most are two things:

1. as was pointed out on an HN top story a week ago, if the surveillance is accepted by the public, then the public will accept regulations prohibiting use of software to avoid surveillance (i.e., most tools useful to software developers). I'm not really looking forward to the day when downloading crypto software requires me to pay certification fees and have an ID verifying that I'm a licensed software engineer.

2. I can't wait for the day when we can type with our brains (and no hands). Maybe we do that with pupil tracking software or facial cues... or maybe via direct brainwave input. Some products like this already exist, but they're in their infancy. One day though, when we all have bluetooth head masks and carpal tunnel is a thing of the past, I don't want every thought I have tracked by guys at an NSA lab... and I doubt the government wants that either, but it's going to be hard to not have them get that data.

... and I guess the third problem is just basically the death of liberty. But that's a harder issues to argue about, amazingly, when people are worried about terrorism.

You think NSA can really fix their budget issues by stealing funds from your ample bank account?
What if they stole 1 dollar from everyone who's online banking passes through the US? That would be roughly $188m in one day...