180 comments

[ 4.9 ms ] story [ 213 ms ] thread
THESE DOCUMENTS CONTAIN EVIDENCE OF ATTACKS ON VPN, SSL, TLS, SSH, TOR. What do we do now? No seriously, what do we do?

The full list of documents: http://www.spiegel.de/international/world/nsa-documents-atta...

The accompanying lecture: http://streaming.media.ccc.de/relive/6258/

Also, obligatory: https://eff.org/donate

Stop doing illegal things, and then be glad that NSA are working hard to catch the real bad guys?
You mean cease all opposition to those in power, forget about the security of our information systems, and be glad that the NSA is working hard to catch the real dissidents?

Silly me, should have stayed in Russia.

Is there any evidence that the NSA has targeted dissidents?
Some will say that it’s necessary to balance privacy against security, and that it’s important to find the right compromise between the two. Even if you believe that, a good negotiator doesn’t begin a conversation with someone whose position is at the exact opposite extreme by leading with concessions.

And that’s exactly what we’re dealing with. Not a balance of forces which are looking for the perfect compromise between security and privacy, but an enormous steam roller built out of careers and billions in revenue from surveillance contracts and technology. To negotiate with that, we can’t lead with concessions, but rather with all the opposition we can muster.

http://thoughtcrime.org/blog/we-should-all-have-something-to...

None of those links answers his question...

1 - Is describing activity that happened half a century ago before a whole number of legislative actions to change the way the NSA does business

2 - Is essentially a summary of an Intercept article where Glenn Greenwald shows FBI surveillance of 5 US citizens, not NSA

3 - Talks about trying to break Tor; doesn't describe who is being targeted

4 - Talks about journalists scared about surveillance; no evidence of NSA targeting them

5 - Talks about Glenn Greenwald's husband being held up and searched by UK border control for ferrying classified information

To respond to the GP's question: I've seen a lot of claims that it's obvious that every one of us is being monitored. I've yet to see any evidence backing it up.

> I've seen a lot of claims that it's obvious that every one of us is being monitored. I've yet to see any evidence backing it up.

Huh? That was the first Snowden leak. I summarized it in this article for CNET at the time: http://www.cnet.com/news/nsa-secretly-vacuumed-up-verizon-ph...

TLDR: The leak was a copy of the secret FISA court order allowing the NSA to vacuum up pretty much every American's phone records, including local phone calls, "on an ongoing daily basis." I suspect that most people would view that as monitoring.

That's not counting the separate questions of bulk fiber taps (collect it all) and the Obama administration's secret AG opinion blessing warrantless bulk collection of encrypted communications (decrypt it later), which I wrote about here:

http://www.cnet.com/news/nsa-can-eavesdrop-on-americans-phon... "Another loophole is... "enciphered" data. Communications that contain "enciphered" data, which would likely include PGP but also could mean encrypted Web connections using SSL, may be kept indefinitely."

With regards to the first Snowden leak, there was no context behind it. We've had two independent reports (the Presidential Review Group's[1] and the Privacy and Civil Liberties Oversight Board's[2]) since then detailing exactly what is being done with phone records and what the NSA is allowed to do with them. I wouldn't call the 215 program monitoring at all, unless you're referring to the "seed selectors" that are approved by the FISC. Based on what we know now, the entire premise of the program, which was lacking in the initial reporting, is determining if any numbers on a list of foreign phones belonging to suspected terrorists have called or received calls from US numbers; if so, which numbers were they in contact with. You can call it massive over-collection to achieve those ends and you can say the potential for abuse is frightening, but none of the Snowden documents have actually shown any abuse, datamining or, dare I say, monitoring of regular people.

With your second article, it almost feels like your article and the source documents are talking about two separate things. You start off claiming that the documents are at odds with Obama's claim that the NSA can't listen to American's phone calls or target their e-mails, then go and cite a pair of documents that detail how to avoid collecting American's communications and what to do if they are inadvertently collected? You continue on by saying 'Analysts are expected to exercise "reasonable judgment" in determining which data to use, according to the documents, and "inadvertently acquired communications of or concerning a United States person may be retained no longer than five years."', but omit rest of the paragraph that it comes from:

Personnel will exercise reasonable judgment in determining whether information acquired must be minimized and will destroy inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle at which such communication can be identified either: as clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information); or, as not containing evidence of a crime which may be disseminated under these procedures. Such inadvertently acquired communications of or concerning a United States person may be retained no longer than five years in any event. The communications that may be retained include electronic communications acquired because of limitations on NSA's ability to filter communications.

Why is the beginning and end of that paragraph important but not the fact that NSA analysts are required to destroy any US person communications that couldn't be automatically filtered out and contain no intelligence value or evidence of a crime? It doesn't say anything about a requirement to destroy American's inadvertently collected communications anywhere in the article. You continue by saying 'The documents also refer to "content repositories" that contain records of devices' "previous Internet activity," and say the NSA keeps records of Americans' "electronic communications accounts/addresses/identifiers" in an apparent effort to avoid targeting them in future eavesdropping efforts.' What's the problem with noting that an e-mail address belongs to an American if the stated purpose is to mark it as unsuitable for collection?

You go to quote Jameel Jaffer at the ACLU as saying that "the NSA claims the authority to collect and disseminate attorney-client communications -- and even, in some circumstances, to turn them over to Justice Department prosecutors.", but the actual source document says this:

As soon as it becomes apparent that a communication is between a person who is known to be under criminal indictment in the United States and an attorney who represents that individual ...

> We've had two independent reports (the Presidential Review Group's[1] and the Privacy and Civil Liberties Oversight Board's[2]) since then detailing exactly what is being done with phone records and what the NSA is allowed to do with them.

And in those documents it was confirmed that the NSA was in charge of maintaining a database with all phone records of all Americans and that the limitations on the storage of these records are five years - that limitations on querying them are enforced only at a policy level.

The issue is not about whether there has been abuse. The issue is about the fundamental principles of freedom in our country against suspicion-less search and seizure. An infringement on this is and of itself is an abuse.

It's like saying: "Yeah they have slaves, but there's no evidence that they mistreat them." You're not engaging with the substance of the argument. Unless it is that you depart from the founding principles of freedom established to protect the United States of America, its citizens, and to promote well-being and liberty for all? Do you disagree with these principles, so long as those who govern don't abuse the power so far as the public knows?

> Why is the beginning and end of that paragraph important but not the fact that NSA analysts are required to destroy any US person communications that couldn't be automatically filtered out and contain no intelligence value or evidence of a crime?

First, it seems you agree with the parent? You don't dispute him, just add an addendum about minimization. In response to your addendum: it's clear that the collection is made and then by policy alone it is 'minimized'. The issue is that the collection is done in the first place without a person being suspected of a crime. Their content can be collected, then it can be decided if they are suspect of a crime or not, and then it may possibly be released. This is principally different than how law enforcement is supposed to work in the United States.

Another thing we learned from the Obama Administration oversight panel is that anything within three hops of a target is considered relevant for collection (and the hops are counted across Facebook, Twitter, AIM, Snapchat, LinkedIn, Gmail, phone, geolocation, etc). But we also know that on Twitter alone the average number of hops between any two people has been measured to be 3.43 [1]; and on Facebook it is 4.74 [2]. When every one of these networks is combined, it is almost assuredly close to if not below 3.0, and the number of targets is quite large. Because of this every person's contents are 'relevant to the an authorized purpose of acquisition' because all persons are likely to be within three hops of a request.

> You go to quote Jameel Jaffer at the ACLU as saying that...

I would agree that details are missed in his summary (this is the nature of summaries) but I would also classify his statement as accurate (not misleading). The NSA will collect client-attorney communications. If and when it is recognized as 'protected communication' the NSA will stop but keep the communications it has collected. It can disseminate them (there are processes for it, but it can). Protecting the communications from review and use in criminal prosecution while preserving the intelligence almost reads like... parallel construction...

[1] http://www.aaai.org/ocs/index.php/SOCS/SOCS11/paper/view/403...

[2] http://www.telegraph.co.uk/technology/facebook/8906693/Faceb...

> that limitations on querying them are enforced only at a policy level.

I love it when people throw this out. Virtually every crime is enforced only at a policy level. There are no technical limitations preventing a cop from going from door to door and using his issued weapon to kill everyone inside, but you don't see people crying out to disarm cops to prevent it.

> The issue is not about whether there has been abuse. The issue is about the fundamental principles of freedom in our country against suspicion-less search and seizure.

It's not suspicion-less - it's done to answer specific questions: are any phone numbers on a given list of foreign terrorist numbers in contact with other phone numbers inside the US? If so, which numbers are they in contact with? It was implemented to address a specific fault found by the 9/11 Commission. I'm personally comfortable with the information collected being used for exactly that purpose, and nothing else (although I'm guessing you're going to come back and say you're not). That's why in evaluating the program, it's critical to look at whether the NSA has deviated from guidelines set down by the courts. Neither of the two review groups recommended shutting down the program, they recommended keeping the phone records at the phone companies instead.

> First, it seems you agree with the parent? You don't dispute him, just add an addendum about minimization.

I'm taking issue with cherry picking quotes to make a point.

> The issue is that the collection is done in the first place without a person being suspected of a crime. Their content can be collected, then it can be decided if they are suspect of a crime or not, and then it may possibly be released. This is principally different than how law enforcement is supposed to work in the United States.

This isn't law enforcement, it's foreign intelligence. The document in question pertains to Section 702 collection, which is targeted against specific e-mail addresses/accounts/identifiers used by foreigners. There already has to be a stated foreign intelligence purpose to collect against that specific address to begin with. The document further goes on to direct analysts to destroy any collected information that pertains to US persons is not of foreign intelligence value.

> Another thing we learned from the Obama Administration oversight panel is that anything within three hops of a target is considered relevant for collection (and the hops are counted across Facebook, Twitter, AIM, Snapchat, LinkedIn, Gmail, phone, geolocation, etc).

There's nothing in the PCLOB report that says that. The report makes it pretty clear that the whole three hop process pertains to phone records.

> but I would also classify his statement as accurate

It's inaccurate because he states that the NSA can hand attorney-client communications over to federal prosecutors, when the document he's citing says the exact opposite.

> almost reads like... parallel construction...

How could it be parallel construction if the person is already indicted? The entire point of that section is to protect client-attorney communications - if the purpose was to feed intelligence to US law enforcement by circumventing client-attorney privilege, why would they put in those additional restrictions?

> Virtually every crime is enforced only at a policy level.

No. This is not the case.

Take some of the records (Skype for example) that the NSA had to contact companies with judges signatures to get. This is enforced by a separation of powers.

I'm not sure you addressed the main point, or admitted that in the reports they disclosed that the NSA did have direct full takes of the data (which you had been arguing against).

> It's not suspicion-less - it's done to answer specific questions

This is a false dichotomy. You can try to answer specific questions without suspicion of guilt. This is what is happening. They are answering specific questions, but they don't have suspicion of guilt.

An alternative is to get a warrant on the 'known terrorists' (which in practice is used very rarely for 'terrorist' and very often for other interests) and see directly who they have been contacting without having to see that I called my my babysitter and you called your attorney in the meantime. I mean, if that's all they were doing and that's all they needed, this would be a solution. (It's not all they are doing.)

> I'm personally comfortable with the information collected being used for exactly that purpose, and nothing else

You may want to look into what else is being done with the records. Phone and otherwise.

> I'm taking issue with cherry picking quotes to make your point.

But you didn't. I suggest rereading your comment.

> This isn't law enforcement, it's foreign intelligence.

It's foreign intelligence that is collecting vast swaths of information on American people. This information can be used to investigate Americans without going through normal investigative channels. It is law enforcement, though you can mince words. If you prefer we can call it foreign intelligence so long as we remind ourselves that it is principally different than how foreign intelligence is supposed to work in the United States.

> There's nothing in the PCLOB report that says that. The report makes it pretty clear that the whole three hop process pertains to phone records.

Perhaps I've confused PCLOB revealed information with the technical information revealed in Snowden documents then? I fear we'll need to drag out technical documents to resolve this specific dispute. But even if you don't take the other networks into account three hops is still huge, especially with a large number of targets. It is gross overcollection without selectors.

> It's inaccurate because he states that the NSA can hand attorney-client communications over to federal prosecutors, when the document he's citing says the exact opposite.

Perhaps he should have said attorneys? Were it destined for prosecutors, the intelligence will make its way to prosecutors later (when and if there is a trial).

> How could it be parallel construction if the person is already indicted?

Because parallel construction can be done to collect evidence and because the gathered intelligence can be used in the indictment of other targets - and here the source of the intelligence used to do this remains undisclosed. And because communications (as written below) contain records from before an indictment, which will contain lots of information useful to get an indictment and lots of useful information to a prosecution after an indictment.

Also we should note that the NSA only marks attorney-client communications a no-go after there has been an indictment: attorney-client communications are a confidential and privileged communication whether you are on trial, expect to be indicted, or are talking to your attorney about what you should do to avoid legal trouble because of what your peers are engaged in.

> if the purpose was to feed intelligence to US law enforcement by circumventing client-attorney privilege, why would they put in those additional restrictions?

If we grant that 'the purpose was to......

> I'm not sure you addressed the main point, or admitted that in the reports they disclosed that the NSA did have direct full takes of the data

No, I didn't address, but neither does the linked article - the documents cited state that they can keep encrypted data past 5 years in order to decrypt it. It doesn't say anything about "warrantless bulk collection of encrypted communications". The "warrantless" doesn't make sense in that you don't need a warrant to collect purely foreign communications, and the "bulk" part neither has evidence to back it up nor does it make sense: why would the NSA stored every single piece of encrypted traffic and devote the (expensive) time and energy needed to decrypt it all if they didn't have reason to believe it was of significant value. I'm submitting this comment over HTTPS - there's no reason to store the TCP traffic that accompanies it.

> An alternative is to get a warrant on the 'known terrorists'

They don't need a warrant to collect against foreigners for foreign intelligence purposes; they're not collecting information for use in a criminal indictment.

> This information can be used to investigate Americans without going through normal investigative channels.

Section 702 collection (what I was addressing in my comment and what declan was referring to in his article) can be only be used to target foreigners, not Americans. If there is evidence of them using that legal authority to intentionally target Americans, please do write in to the papers because that's cut and dry illegal.

It seems like you're mixing up the 215 and 702 programs, which collect dramatically different information from completely different groups. 215 is the bulk domestic phone records program - the NSA gets the number called, calling number. date/time, call length and trunk identifier. They don't get the identities behind the phone numbers, locations, etc. 702 is collection against specific foreign targets using US providers - they get the full take on that.

> Perhaps he should have said attorneys?

The relevant part is: "so that appropriate procedures may be established to protect such communications from review or use in any criminal prosecution"

> (It's not all they are doing.)

> You may want to look into what else is being done with the records. Phone and otherwise.

Please enlighten me. My biggest issue with just about all of the reporting that's come out of the Snowden disclosures is that they talk a lot about how the NSA performs collection, but leave out who the who, what and why - often at the same time saying something like "it is unclear whether [or how many] American's communications have been collected". One embarrassing set of articles in particular was the Angry Birds disclosures: the newspapers gawked about how the NSA could be collecting everyone's marital status, incomes, sexual preferences, etc., but it was discovered that the newspapers improperly redacted the documents and the redactions were removed, it turned out that the NSA was using the information to track Al Qaeda in Iraq. I see lots of accusations that the NSA is spying on regular people, but the only disclosures I've seen talking about their targeting are along these lines: http://electrospaces.blogspot.com/2014/09/nsas-strategic-mis...

I've been following this issue closely. To date, I have yet to see any smoking gun showing actual evidence that the NSA is targeting regular Americans or anyone else other than for purposes of gathering foreign intelligence outside the US.

Thank you for your attempt to provide a counterpoint. I think it's important for all points to be part of the discussion.

However, I can't really reply to your comment as it has gotten significantly off the course of the subject material and because you have not given substantive replies to the arguments made therein. I'm not sure if this lack of real substance is on purpose (argument by exhaustion) or because of miscommunication. Either way, I'm out.

I can definitely empathize with your frustration. Thanks for the discussion.
(thanks for the links sandstrom)

There wasn't much public evidence of what J. Edgar Hoover was doing until well after the fact.

Personally, I feel the burden of proof falls on the near-omniscient spy agency that brazenly lies and reinterprets basic diction to sterilize all methods of oversight. Again, silly me.

(comment deleted)
There's a couple of graveyards full of them. How much evidence do you want?
If you are speaking about insurgent groups in the Middle East, it's sort of confusing. I would suggest that even ISIL isn't a terrorist group, at least in the same sense that the word terrorism has been used throughout the past 100 years. ISIL represents 30k mobilized personel, are made up of a huge number of disparate factions (some fighting for a three state solution - which would actually be a great improvement in the organization of the middle east, whose lines right now were drawn by the British and have nothing to do with historical or cultural boundaries), are fighting with traditional armies with traditional warfare weaponry and because they are fighting for political change in a state where authoritarian governments with financial and political ties to outside nations has limited how much they can represent their people. ISIL to me, if I use textbook comparisons, looks more like an grassroots insurgent army fighting for political representation. How could an army of 30k people be 'terrorists'?

'Terrorist' is the new 'communist'. It's a label you put on someone you want your people to fear and hate.

(comment deleted)
Is there any evidence that they actually target terrorists?

Collectively, we all need to keep beating this drum. Fundamentally, there are very very few terrorists. Very very few, if any, are in America. What's the bulk collection failure rate? 99.999999% ? And at what cost? It's astronomically expensive and out of all the leaks, what evidence is there that we've stopped a terrorist in America or any of her close allies' teritory where they are effectively spying on innocent tax paying civilians?

It's just making some contractors wealthy

Reprising a comment.

It's not about terrorism. Never was. That's just how the deep state sells it to voters.

If you look at the Snowden documents (and leaks by others) you'll see essentially nothing other than the international nature of the programs. For example, you'll remember from the Snowden leaks that the NSA hacked the Brazilian oil company PETROBRAS to help American oil companies win offshore oil drilling locations. The hacking of Merkle's cell phone was a big deal because it revealed that the US had information from Germany _during the Eurozone crisis_! Stuxnet was used to destroy Iran's nuclear program. The US also faces the same sort of pressure from other countries. This year alone the DoD was hacked, Wall Street, NASDAQ and JP Morgan were hacked and hundreds of defense contractors were hacked - all with foreign attribution. Israel's Iron Dome designs were hacked by China.

Take a look at the NSA program HACIENTA, which "is used to port scan entire countries" and which uses other compromised (civilian) computers to disguise attribution.

Look at The Intercept reporting (where Glenn Greenwald is right now). He speaks at length about how the US uses NSA operations to benefit the global bargaining posture and competitiveness of US companies. https://firstlook.org/theintercept/2014/09/05/us-governments...

And take the Inspector General's report from the Boston Bombings - a great example of how and when the NSA domestic programs would be used if they were about terrorism. The NSA is hardly mentioned. The Inspector General investigates the failings of the FBI. (http://info.publicintelligence.net/IC-IG-BostonBombingReport...)

"We focused our review on the entities that were the most likely to have had information about Tamerlan Tsarnaev prior to the bombings – the FBI, the CIA, DHS, and NCTC, which maintains the U.S. government’s database of classified identifying and substantive derogatory information on known or suspected terrorists. We also requested other federal agencies to identify relevant information they may have had prior to the bombings. These agencies included the Department of Defense (including the National Security Agency (NSA)), Department of State, Department of the Treasury, Department of Energy, and the Drug Enforcement Administration."

The report on the failures to anticipate/stop the Boston Bombers barely mention the NSA. This is because the Federal Bureau of Investigation and the National Counterterrorism Center are in charge of counterterrorism, not the National Security Agency.

Or go to the NSA's own mission statement. (https://www.nsa.gov/about/mission/index.shtml)

"The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances."

(Nothing to do with terrorism.)

Lots of news recently has called out Executive Order 12333's role in defining the goal and the means of intelligence capabilities. EO 12333 was passed in 1981. The Five Eyes, the key partnership of the NSA, has its origins in the 40's and ECHELON and other leaked programs (eg CARNIVORE/PREDATOR) predate 9/11 by decades.

The Snowden leaks disclose a list with over thirty countries with competing digital intelligence programs.

The NSA is not about terrorism. Never was. Never will be. The NSA and CSS are the intelligence arm of the U...

Given the highly sourced nature of this comment, I would expect a well reasoned argument accompanying a downvote. In case this person missed what they should be replying to:

* Programs for internet surveillance existed before 9/11

* Partnerships with other intelligence services existed before 9/11

* The programs are used for international espionage and sabotage often

* Most of the capabilities of the NSA are not counter-terrorist capabilities

* EO 12333 and the "Foreign Intelligence Surveillance Court" were established in the early 80s

* The inspector general's report on the Boston Bombings excluded the NSA almost wholey from its report

* The NSA's own mission statement and website content focuses almost exclusively on foreign intelligence

There is a domestic nature to NSA programs. But the 'reason for the NSA and it's programs' is not CT.

The most important thing in all of politics is to get to decide which words are used. The moment you use terrorism in the same sentence as data collection, you help spread the propaganda.

Bulk data collection has been done since the advance of fiber optics. They started doing it because they could, and because they had the economic means to. That's it.

The plots that have been thwarted by it are those orchestrated by US agencies to get mentally unstable people to join in, to quickly whisk them away to Siberia^WGuantanamo.

So-called Fusion Centers have, and they get help from way on up high.
I never said anything about leaving our systems insecure. It's in the best interests of America to use security technologies to protect our national infrastructure. We should always be trying to make our country more secure.

We should also be glad that NSA is able to find ways to catch people who abuse these security technologies to hurt our country.

If you're using cryptographic and anonymizing technologies for legitimate and legal purposes, then you should rest easy knowing that NSA is putting the smack down on the abusers. If you're using those technologies for illegal, subversive, or anti-American things, then you should be worried. I hear Federal prison isn't fun.

Look, you're still free to disagree with what the government does and work to change it in legitimate and legal ways. That's what makes America great. That's what NSA is working to protect.

IMHO, it sounds like you should've stayed in Russia.

> If you're using cryptographic and anonymizing technologies for legitimate and legal purposes, then you should rest easy knowing that NSA is putting the smack down on the abusers.

I would rest easy if I knew the attacks they leverage against legitimate and legal users were not effective, so that people with criminal intentions would have a lower success rate.

> it sounds like you should've stayed in Russia.

Personal attacks are not allowed on Hacker News.

C'mon. If the condescension of "Silly me, should have stayed in Russia" is kosher, so should be "Yeah, sounds like you should have."

I'd prefer neither, but you made a point of calling out the latter.

(comment deleted)
> If the condescension of "Silly me, should have stayed in Russia" is kosher

It most certainly is not kosher. It's the sort of acerbic swipe that is far too common here and erodes the discourse to the next level down. But it wasn't a personal attack. That is the next level down.

If I don't comment on every acerbic swipe, don't think it's because they're ok. I wince every time I see one. But to comment on them all is impossible, and one would lose one's marbles if one tried. So personal attacks are where we explicitly draw the line.

My hope for the culture of HN is that more people wake up to how the acid in their comments destroys this community. As someone who used to make such comments myself, I realize that it's often unintentional, more careless than malevolent. If people can figure out that pollution is bad in some places, maybe we can figure out that it's bad in this one.

It would be good if many of us reminded each other not to do this. One moderator can't cut it.

That would be reassuring if we could be confident that truly the activities of the NSA and government agencies were only used as intended to thwart serious crime, in ways that were not harmful or invasive for innocent citizens.
"What do we do now? No seriously, what do we do?"

In addition to encouraging the NSA (and equivalent agencies in other countries) to change its approach, developers will do what we always do and build new secure protocols and tools with the lessons from previous attempts in mind.

It is a cat-and-mouse game that will never cease.

Sure but their job is infinitely easier than ours : they have the resources, unity and will to breach us.

We are a bunch of disorganized folks with no budget and with no agreed goal on what is the best way to achieve this.

Also in defense you have to protect all the walls, in attack you just have to breach one.

I'm not saying we should do nothing, but that they will almost always be several steps ahead of us.

Little do you know about some of these "disorganized" folks. All in due time.

Seems your doubts are what helps the NSA.

One goodie is how they break VPN, inclusive some targets: http://www.spiegel.de/media/media-35515.pdf Airlines: - Iran Air

- Royal Jordanian

- Transaero Airlines

Govs:

- Mexico

- Pakistan

- Turkey

- Afghanistan

Slides 41/42.

I like how slides 24/25 are basically "No means Yes! Yes means Anal!"
Let's adopt a new protocol that is less tested! Oh wait, we can't do that. Let's fix what is broken!
Earlier this year at goto copenhagen I heard a good talk by Tim bray:

http://gotocon.com/cph-2014/presentation/Privacy%20and%20Sec...

Where he argues that even though we can not achieve complete security there is great value in raising the bar. If we continuously make it increasingly harder for NSA, MOSAD, GCHQ and the rest of them to spy on us, we can achieve good enough privacy. Where most communication will be secure. But he also argues that if one of these agencies really wants to target YOU specifically they will get to the information. By breaking into your house and installing cameras, if necessary.

It's Michens' MOSSAD/not-MOSSAD question[1]. Any half-decent encryption will protect you from bulk collection and monitoring, but if you're targeted, you lose.

[1] http://research.microsoft.com/en-us/people/mickens/thisworld...

That has to be the best paper I've ever read
(comment deleted)
I thought you were joking, but I had to click anyway. You're right, this paper is fantastic. I thought Micken's stopped writing, I'm so glad he didn't.
That was fun. I'm going to read all the rest of his stuff now. Thats dangerous linking, username223.
Wow, I think Mickens may oversimplify a few points for comedic effect, but that is a wonderful read!
> If we continuously make it increasingly harder for NSA, MOSAD, GCHQ and the rest of them to spy on us, we can achieve good enough privacy

Right now everyone's digital communications are being collected by those agencies, via fiber optic cable taps [1]. This could be called bulk surveillance. Different people & groups have access to these databases of communications. Some are government employees, some are contractors. Now, what if an activist or a Senator starts speaking out against bulk surveillance? Would those with access to the databases be tempted to run a few queries?

  'SELECT * FROM `sms` WHERE `person_id`="$senator_id"'
Note: Most analysts would never run that query. But it just takes one.

[1] http://www.pbs.org/wgbh/pages/frontline/homefront/interviews...

Although I'm not familiar with the _actual_ operating procedures involved, one would hope/expect this not to be available to lone analysts at their own discretion.
I thought the source of some of this data was Snowden's access at his own discretion, with his own keys and others' that he obtained?

I say "some" since Schneier has stated he now considers there to be at least 3 leakers... https://www.schneier.com/blog/archives/2014/08/the_us_intell...

The other two leakers got their information from somewhere, and it could have also included access at their own discretion.

One can hope. When Binney blew the whistle on the NSA he specifically said that he saw a request for Senator Obama's communications during his time there, as well as other elected officials.
> Although I'm not familiar with the _actual_ operating procedures involved

Their official line is that the data isn't being collected, correct?

FWIW, if I were a senator who was considering taking on the intelligence community I would probably think it through and have my house in order first. Politicians aren't known for being tech savvy, but they aren't known for being stupid either. People took on McCarthy, Hoover and Nixon and they survived.

Most people here don't have a lot of faith in our system of government these days and even less faith in those that do the governing. But the truth is that the american democracy has been around for hundreds of years and it will take more than a SQL statement to bring it down. There are checks and balances and highly motivated and intelligent people with a lot to lose on both sides of every issue. This too shall pass.

> I would probably think it through and have my house in order first

The bulk collection has been going on for at least a decade now.

> Politicians aren't known for being tech savvy, but they aren't known for being stupid either.

I've observed politicians get away with certain behaviors, to a point. For example, Eliot Spitzer, or Bill Clinton. Once they become a target, their trespasses aren't necessarily forgiven.

> This too shall pass.

The Snowden revelations are "The Jungle" of our time. We'll adapt to these issues. Still, our adaption won't be free, and a proactive attitude will benefit us.

Remember that Sinclair aimed for the heart and hit the stomach. His goal was reform of industrialized labor conditions, but he got food purity and safety laws.

To use his book as a metaphor implies that Snowden's leaks will do nothing to stop domestic dragnet surveillance and everything to seal the system against future whistleblower leaks.

I find that I must agree.

>If we continuously make it increasingly harder for NSA, MOSAD, GCHQ and the rest of them to spy on us, we can achieve good enough privacy

Good enough privacy is no privacy.

Anyway, this is completely the wrong mindset. This is a legal problem which requires, not pretty good tech, but clear, strict laws, with whistle-blower protection. We have to stop ceding that this is legal or should be legal.

Otherwise, we've already lost.

Why would laws be sufficient? There are plenty of people who would like to do the same things the NSA would like to do who are not concerned with laws. As Schneier says, "today's top-secret NSA programs become tomorrow's PhD theses and the next day's hacker tools."

Changing economics by deploying more PFS ciphersuites and shifting to technology which requires active attacks instead of passive ones can give real, practical improvements in privacy, even against state actors.

>There are plenty of people who would like to do the same things the NSA would like to do

My comment was specifically with regard to the NSA, as is the topic of this article.

Certainly the NSA should be concerned with laws, and laws should be sufficient.

no laws are going to change the behaviour of the NSA or any other foreign agency with similar capabilities. Once they have it, they will lie, obfuscate and stall to make sure they never lose it. It's time to stop being angry at the NSA and realize than only open-source end-to-end encryption will help us regain some of the privacy that we lost. The web has to become secure by default.
I sincerely don't understand this notion of capitulation to the whims of a rogue government in what is supposed to be a nation of laws. Currently, we don't even have a set of clear laws on the books that outlaw the behavior. This is what enables the current stalling and obfuscation. I am not saying we should simply trust them. Their actions have to be made clearly illegal, with full oversight and robust whistleblower protection. We must start with the law.

I also don't get the idea of "some privacy". It seems to me along the lines of "somewhat pregnant". But, you (and many others) are advocating an approach that says, "let's untether our government from even the pretense of adherence to any laws, allow them to attack us with impunity, and simply do the best we can with what we have to fend them off".

If I were of the lying, obfuscating NSA-worker ilk, what you are advocating is exactly the response that would make me salivate.

I know that many people have this romanticized notion that we will do tech battle against our government and win, but we simply won't. If years of battling virus writers, rootkits, and zero days have taught us nothing, it should have taught us that a determined adversary will own us. Add to that unlimited resources and claimed legal authority to compel cooperation from tech/infrastructure providers.

You really want to unleash the lying, obfuscating NSA and trust that your open-source encryption and ciphers won't be cracked, that your full software and hardware stacks have not been compromised, and that the same is true for everyone with whom you communicate, etc., then patch things up and try again if and when you are made aware of a compromise? Sorry, friend. That's a losing proposition.

Why the need to do anything? Do you think the NSA, etc. cares about you? They don't.
And when some group which fits your definition of "bad guys" finds the same flaws and uses that to attack "good guys"?
We have the Sony hack. Although this was like bad guys attacking unpleasant guys.
How do you explain the fact that they spend hundreds of millions of dollars just to break these protocols then? Enough with this "NSA doesn't care about you" argument already.
That's literally their job. You should want the NSA looking into every protocol. What they do if they find weaknesses is a different question.
I didn't say that's not their job. I'm opposing to what you're saying. Their job is to spy on us, yet you claim they don't care about us. Can you see why I'm confused?

>What they do if they find weaknesses is a different question.

Is it? It's obvious what they're going to do when they find those weaknesses. If they let people know of those weaknesses, they wouldn't be doing their job. Their job is to expose those weaknesses, so they can spy on us and take away whatever we have left, in this case is strong encryption.

Their job is to expose those weaknesses

No...their job is to exploit them, not expose.

Big difference.

(comment deleted)
>EVIDENCE OF ATTACKS ON VPN, SSL, TLS, SSH, TOR. What do we do now?

This is why advocating for technical defenses alone is doomed to fail. It's great to employ as much technology as we can, but playing cat-and-mouse with our own government is a losing proposition. They are determined and have unlimited resources (read our money plus the printing press).

There needs to be much more pressing on the legal front, such that unwarranted breach of privacy is criminally punishable in very clear ways. If an individual is not the subject of an investigation, for which proper warrants have been obtained, then no records of any kind should be collected or maintained. Full-stop. And efforts to decrypt private communications, etc. should be considered criminal acts. All of this needs to be protected with very clear and robust whistle-blower laws.

Otherwise, thinking that we will deploy some tech to permanently stymie our government is fantasy. And over-focus on that aim tacitly cedes that our government is entitled to whatever it can crack.

I do not have confidence in an engineering fix. Fixes will be broken. It's possible to use encryption to thwart marketers or cyber-crime rings, but we'll never have a sustainable edge on intel agencies without policy changes.

That said, better encryption will raise the cost of NSA's surveillance which might eventually lead to policy reform (when budget hawks are forced to act). And it might mean their dragnets have to be more targeted which could slow the expanding the definition of "terrorist".

I think the most effective actions would be to make the public outraged over cracked encryption and surveillance. And even with all these leaks, that hasn't happened IMO (debatable I know). Outrage would happen if people understood how this has real-life effects. Storytelling is what's needed, not white-papers and tech blogs.

edit: wanted to add that Bruce Schneier gave an excellent talk on the topic of your question, https://www.youtube.com/watch?v=3v9t_IoOgyI

"cracked encryption" is not the problem, after all it's their job to do it. The problem is that they use it to listen on non legitimate targets like random civilians.
In the age of information this is how an overpowered super power gets "nerfed":

By "targeting" its information gathering capabilities by providing information about its activities.

Information is power.

Anyone care to explain why the downvotes? I still think all this revelations will lead to a more balanced state of affairs.
I mostly read this thinking "good news". No, seriously, the documents suggest that the NSA hasn't made fundamentally important advances in decryption or uncovered significant weaknesses that academia doesn't know about. Now, that's not too much of a reassurance, because what academia (and the NSA) know is that HTTPS is in pretty terrible state, end-point security remains a significant problem, IPSec is a terrible protocl and so on.

It does raise the question what all the mathematicians are doing at NSA, and why they don't seem to have come up with any meaningful results. Suggests they are a waste of money, but then that's all of the NSA.

I suggest all of you check the original material (powerpoints w/ screenshots). A lot of people here suffer from the action movie mentality where they think the NSA is not like any other government agency, i.e. inefficient, behind the times, filled with horrible middle managers, deadweight, .. you get the idea. Things like the enterprise Java web interface, the CSV mass data export and "genericIPSec_wrapper.pl" can quickly dispel that myth.

Or at the very least they have compartmentalized serious mathematical cryptanalytic capabilities.

For instance:

* We know that the NSA has a novel md5 collision capability since they have used it in their malware. None of the Snowden docs, that I have seen, have talked about this.

* It is likely based on public research that the NSA can break 1024-bit RSA, but this has not showed up in the documents either.

My personal belief is that we are missing compartments dealing with cryptanalysis because Snowden did not have access to them. His work and access were focused on Computer Network Operations and not cryptanalysis.

I would not see any news organizations publishing any leaked document relating to actual technical capabilities. I don't even think that Snowden shared them with the reporters, the only ones who probably seen the besides Snowden are the FSB officers who "debriefed" him once he arrived in Russia. That's actually the thing that worries me the most about this incident, Snowden him self said that he kept the truely "nasty" stuff safe to be released in case something happens to him. But while he might not shared this with the press anyone who thinks he didn't had to buy his freedom in Russia with the full uncensored documents is fooling him self. This means that if he had any operational documents Russia and it's allies (N. Korea, Iran, China) just got a free upgrade to their own computer and communication intelligence apparatus. While people might not like their privacy being violated for the most part the NSA uses it's capabilities against unquestionably bad people, while in places like Russia and Iran it will be used against anything from reporters to political activists with much more severe consequences.
(comment deleted)
It is likely based on public research that the NSA can break 1024-bit RSA, but this has not showed up in the documents either.

It would be expensive though. This is one reason why I consider 1024-bit end entity certificates much less of a threat than 1024-bit CA roots.

I don't totally agree. I think that factoring in the risk of exposure leaves a CA root with a worse price / performance ratio versus an individual cert.

While you could use a faux CA root to sign faux certs for any site you want (ideally ones who are customers of that CA), in practice your use is severely limited. If faux certs are spotted and no one knows where they came from, suspicions are going to be raised. Not only is your faux CA root compromised, but now you may have tipped your hand regarding your capabilities.

To limit that possibility, your attacks would have to be extremely targeted. The more often a fake cert is used and the more people exposed to it, the higher the likelihood that someone will notice what is going on.

It also doesn't help you decrypt the real traffic to the site, or historical traffic, which busting the site's actual SSL key can yield. This presumes that you have a way of intercepting said traffic, but I think it's pretty clear that that is not out of the question (public wifi / ISP cooperation / fiber optic taps / malware). It's more work to bust individual certs, but you're leaving a smaller trail and you aren't sending out examples of your RSA cracking capabilities to your opponents over the public Internet.

Lowering the risk of exposure will let an attacker use the same methods over a much longer period of time, which I think is the goal here.

As to how to combat this: there is a lot of low hanging fruit. Besides the obvious, I would love to see much shorter expiration times for certs become the norm (as in weeks, if not days). For this to realistically happen in a widespread fashion, at minimum CAs need to embrace the concept from a pricing perspective.

Yea, if one was signed for www.google.com it would be a serious problem. If it is targeting specific obscure domain names where the customer is willing to accept the risk, that is a different matter.
"Expensive"

With public funding, lots of hardware and expert math/algorithm experts, it's less expensive

That is, even if the generated key-pair is really 1024-bit strong (and doesn't have any biases known by them)

It's plausible based on public research that any well-funded adversary can break 1024-bit RSA. You should assume 1024-bit RSA is simply broken.
Yes and given that I'm kinda surprised we haven't seen any docs talking about breaking 1024-bit RSA. That should have been their bread and butter, at least as far as DNI is concerned, a few years ago.
What 'yuhong said: it could be expensive, with NSA having the capability to break only one every couple months. They might need to carefully coordinate which keys they break, in which case it would be an important secret which CA keys were broken.
Do you think that the NSA would bother breaking CA keys? We know that they have shadow certificates and have much success infiltrating CAs to steal their keys and that they have been able to forge them without having to break the keys (via the previously unknown MD5 collision - as they did for Stuxnet. Seems to me like there are more valuable certs to go after (diplomats' certs, smartcard certs, OS update certs, ...).
So many "diplomats' certs" are used in machines by Crypto AG from Switzerland. And guess what, they had one major incident years ago - and even people working there have simply no clue who owns and control the company.

I'd say most of commercial crypto systems are rigged. https://pbs.twimg.com/media/B5-aW_8CEAAUzji.jpg:large

Appelbaum also mentioned they have advanced crypt-analytic capabilities against AES, but the evidence right now supports that these advances are not enough to break AES in the general case.
might be of interest in light of possible AES breakage: i have a small project that encrypts/decrypts the whole message with RSA (of course the message is also signed before encryption and result is verified on decryption);

runs on as much cores as available; also for this it goes into some length to avoid multithreading locks in openssl (where possible).

http://mosermichael.github.io/cstuff/all/projects/2014/02/24...

It is about economics. The attacks on crypto systems have complexities, and still at the end of the day they require things like raw calculation power. Could they break even single 16384-bit RSA key pair? Probably yes, but they wouldn't be doing anything else on that year. It would be simply way too uneconomical.

Presented by Spiegel are internal services that are designed on purpose to be more economical. They exploit more bad implementations. It doesn't really matter as long as the dirty tricks get the work done.

Also, NSA seems to troll for targets from the vicinity of their targets of interest. It is again more economical, and can be just as revealing. The risk there is that the broken target has nothing of use. The real movie style "let's break the encryption keys" stuff is done for sure targets when they get the extremely rare high value target on platter.

> Could they break even single 16384-bit RSA key pair? Probably yes

There is no known algorithm that can break a properly generated RSA key of that size - the work required with GNFS is equivalent to brute forcing a symmetric key of something like 280 bits. Anything that could do that should be able to break even 4096 bit RSA keys (~144 bit security) pretty much instantaneously, and their problems with PGP pretty heavily imply they cannot do that.

That, at least, is the case. Specific operational cryptanalytic capabilities are indeed in separate compartments: PICARESQUE, PIEDMONT; focus on PAWLEYS for backdoors in, say, routers. GCHQ use STRAP3 protection measures for their CRYPTO compartments in CESG.

As a sysadmin, Snowden basically had root, and probably had access to pretty much everything that wasn't thoroughly airgapped. However, very few computing resources would have been cleared for that Exceptionally Compartmented Information. The documents he gathered were focused more on activities like mass surveillance and standard undermining, that he sought to blow the whistle on, rather than their targeted cryptanalytic capabilities in general.

640-bit RSA could be broken essentially in real-time by the computing resources available to GCHQ a couple years ago. Of course, they don't actually have to work in real-time, so I suspect that 1024-bit RSA is entirely within their capabilities currently, given that. Diffie-Hellman is slightly harder, but if they're prepared to throw some in the bin or lag behind, they can probably do it, but that's just guesswork.

It doesn't matter how many mathematicians they have, they can't break good encryption. Unless the NSA has a super secret quantum computer that even Snowden didn't know about...
Well until 2 Israeli guys "rediscovered" differential cryptanalysis against DES in the late 80's no one knew about it either, no one with the exception of the NSA and the DES working group at IBM that is, even tho to them that weakness was known for almost 2 decades.

Additionally something like an effective attack against AES, RSA, or any other major encryption standard will probably be so compartmentalized that it won't even have a code word.

But on the other hand S31176 refers to a program which provides cryptanalysis against VPN (IPSEC, SSL and more) and it claims that they can decrypt (some of) the traffic. http://www.spiegel.de/media/media-35515.pdf

Here is yet another example of an unprovoked comment pushed to the top of a forum promoting the idea that three letter agencies like the NSA are incompetent and no better than the public sector at what they do, and that we don't need to worry about them. Go back to bed America, everything is OK.

Just like the rest of the government, the NSA is not a monolithic entity with no separation of concerns. There are people who clean the floor and people who are at the extreme cutting edge of research.

Don't let anyone convince you otherwise.

Of course we need to worry about them? Even by what acamedia knows, it's pretty bad right now for security and encryption in practice.

The belief that the NSA is at the extreme cutting edge and just so far ahead is exactly what stops us from making iterative, simple improvements on the technology we use. It's plain unhelpful, and as the data suggests, probably wrong.

(The separation of concerns part is hilarious. Remember, this is the same agency where Snowden managed to wget -r their wiki and various other databases and then go on an extended vacation unnoticed.)

The only data we have points to that the NSA is ahead of the academic community, from differential cryptanalysis onwards.
Also, most docs are from 2012. Who knows what happened since then. There is a reason, they have an army of mathematicians at hand.

I look forward to the day when they walk away from their jobs.

SSL was sort of expected. There are tons of bad SSL implementations out there using ciphers with RC4 and SHA1, but I don't think virtually all VPNs being bypassed and decrypted is "good news".
Yeah -- a competent organization would have rewritten genericIPSec_wrapper.pl to genericIPsec_wrapper.rb ages ago!
(comment deleted)
This would be a good time to wait and let security professionals analyze the documents and take what you read in this article lightly, as I've found a number of sensationalist examples.

For example, they claim Canada is monitoring hockey sites:

> Canada's Communications Security Establishment (CSEC) even monitors sites devoted to the country's national pastime: "We have noticed a large increase in chat activity on the hockeytalk sites. This is likely due to the beginning of playoff season," it says in one presentation.

But if you look at the actual slide https://i.imgur.com/2GO8H6L.png, it is clearly a fake sample report of what a real one might look like. It even uses the name 'Canukistan' as the country name.

There are 44 slide decks, one of the biggest leaks so far. It will take time to make sense of the noise. And any misinformation from reporting by non-technical journalists doesn't help the cause.

> reporting by non-technical journalists doesn't help the cause

non-technical journalists

Ever heard of a certain Jacob Appelbaum?

That guy you mention in spite of his very technical background also avoided the technical details and possibly also tried to sensationalize: I was worried as he claimed that the SSH is broken, but it seems that there is no document that states that for the passive capture of the SSH traffic (at least the documents are there and everybody can analyse them).

However we already knew for a while that the active attacks are being done:

http://www.theguardian.com/technology/2014/dec/07/north-kore...

The active attack can of course obtain enough information to decrypt the traffic automatically afterwards or even record it unencrypted. It appears that's the context of the SSH decryption in the documents.

When will you guys all wake up? GCHQ does the full take on the cables, and there is no document yet, that claims NSA doesn't.

So, all your sessions are hosed at some point in time. Either now or in the future.

And yes, sensationalize is sometimes necessary to get more folks onboard to work with the documents.

So what if they are stored? There has been a big shift towards using perfect-forward-secrecy as default in the last 18 months.
Can't you see the pattern? Take all, break the crypto later. PFS might be next, who knows.

Yes, for now OTR and PGP is fine. There must be a big speculation on future breakthroughs regarding breaking crypto - otherwise they wouldn't build Bluffdale.

Edit: Instead of downvoting, how about taking position?

It's not that the PFS is known to be broken, it's that it's actually still very rarely used (1)

The present is problematic enough, we don't even need to hypothesize on the future breakages.

1) http://en.wikipedia.org/wiki/Forward_secrecy

"As of December 2014, 20.0% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to web browsers."

IPSEC is also often configured with the disabled PFS, even if the RFC is from 1998 ( http://tools.ietf.org/html/rfc2412 )

"PFS might be next, who knows"? What does that even mean? OTR and TLS PFS are closely related.
Even when the PFS is configured, the defaults can be faulty:

https://www.imperialviolet.org/2013/06/27/botchingpfs.html

"I'm not aware of any open source servers that support anything like that."

The article is from June 2013, has anything changed since?

Most sites that enable PFS do so with solid ECDH. It's hard to find PFS configuration guidelines that will give you breakable conventional DH groups.

The latter half of AGL's post is about systems security, not (really) the cryptographic security of TLS. It's about things you can do that would make NSA owning up your servers a greater or lesser threat to previously encrypted TLS sessions.

(comment deleted)
If Jake Appelbaum had any technical credibility, he would have claimed something other than a break in SSH for his talk. :(
You might want to look at page 19 and 35:

http://www.spiegel.de/media/media-35515.pdf

Did he actually say break?

No, he did not say break in his talk. He said something along the lines of "at one point, the NSA mentions SSH together with SSL and IPsec as technologies which there are methods against" which could mean just about anything. They could break into the host and steal the host keys for example, without having to do costly cryptanalysis.

But the moment he breathed SSH, pretty much all of IRC and the whole Saal 1 could not think of anything else. Everyone and their brother wanted to know what to use instead of SSH now that it's broken. It was a bit of panic in the air.

My suggestion is to go to the leaked slide and make your own conclusions. There are among the most credible people we have behind openssh and the crypto primitives are used in a very straightforward way.

They talk about decrypts of SSH tunnelling as a "potential", if they can later steal the keys. SSH, I note, does have an RSA-based key exchange as well as its usual Diffie-Hellman: if their targets have been using plain RSA, that would make an attacker's life easier for historical decrypts! Based on their typical methodology, I think that is probably what they are talking about, because they mention stealing IPsec pre-shared keys from router configurations in a very similar context.

Of course, all we have is a probably - this selection of documents is not anywhere near as comprehensive as we'd perhaps like here. We're having to fill in the blanks - and there's too many blanks to fill in clearly. There seems to be relatively little in this leak from NSA's PICARESQUE/PIEDMONT, or GCHQ's STRAP3 (which covers specific operational details: purely by way of hypothetical example :-), where individual full-take feed taps actually are in Telehouse North, or specific details about SIGINT enabling via the Cavium Nitrox chips), sadly. Alternative ideas (or leaks!) are welcomed.

Recent versions of OpenSSH have using some non-NIST primitives from djb, including Curve25519-SHA256 key exchange, Ed25519 keys and ChaCha20-Poly1305 transports. I am quite confident neither NSA nor GCHQ have any good cryptanalytic attacks against those primitives.

There is mention of some exploitation against finite-field Diffie-Hellman in TLS (PHOENIX). That lacks context, however, and we can only guess about what's missing. One possibility is it's an active attack which tricks the peers into agreeing keys over an unsafe field (TLS 1.2 has no way to date for peers to suggest or agree on lists of named fields; however, the recent ffdhe draft does provide one) - however active attacks don't really fit the context under discussion in the slides. The TLS Working Group at IETF is currently discussing this, and a suggestion's been made to remove the old finite-field DHE transports due to their poor performance and apparent vulnerability, replacing them with ECDHE over secp256r1 (a NIST curve), and quite possibly in the near future X25519 over Curve25519 (a non-NIST curve). I don't know how that's going to resolve yet.

That TLS thread is nonsense. Take Dan Boneh's latest TLS survey paper [1], and notice that 34% (!) of DHE-supporting servers still support 512-bit ephemeral primes, and virtually every server defaults to 1024 bits. Who needs fancy new cryptanalysis?

Removing DHE is a mistake. The discrete log in prime fields is fine---as fine as RSA is, anyway---and it's a handy PFS backup in the (unlikely) case deployed elliptic curves turn out to be significantly wounded.

[1] http://www.w2spconf.com/2014/papers/TLS.pdf

I know, right? Chilling. I could crack those (the 512-bit ones, anyway). Why on earth would we want to keep those around?

Your first sentence seems to me like an excellent reason to remove DHE altogether from TLS 1.3, considering those servers do not support, and presumably may never support, (the draft) Finite Field DHE parameter negotiation.

Discrete log in prime fields does have the index calculus problem; it won't keep being good forever, and the performance gets worse. I'm banking on having enough different backup between ECDHE over secp256r1 and X25519 over Curve25519 that any elliptic curve difficulty won't be a problem.

When I say DHE, I mean finite field DH in general; I have no beef with replacing the old TLS DHE mechanism by the one from the ffdhe draft, with curated prime fields to work with.

Index calculus. Over prime fields it has seen essentially no major progress (beyond small complexity tweaks, some of which are useful) since 1992 with the number field sieve. Index calculus also exists for elliptic curves, under some conditions: once again, over prime fields things seem fine (modulo MOV, anomalous, etc curves). I suspect we will also have to drop RSA if the index calculus for prime field discrete logs ever improves significantly. Likewise, some efficient attack against P-256 or curve25519 has a good chance to eliminate most or all curves in that size range.

If I didn't know that the government is manipulating social media all the time, I totally would not think you're a shill trying to discredit these news reports by claiming that Jake Appelbaum is a non-technical journalist.

* Revealed: US spy operation that manipulates social media (http://www.theguardian.com/technology/2011/mar/17/us-spy-ope...)

* How Covert Agents Infiltrate The Internet To Manipulate, Deceive, And Destroy Reputations (https://firstlook.org/theintercept/2014/02/24/jtrig-manipula...)

Reprising a relevant comment:

The United States and allies do use the internet to spread Western culture and ideas, start revolutions, and kindle insurrection.

The United States CIA attempted (and nearly succeeded) in inciting a revolution against Castro by pretending to be a series of grassroots movements on a Twitter-like platform and by inciting anti-administration feelings within the Cuban population. That was earlier this year.

"USAID effort to undermine Cuban government with fake ‘Twitter’ another anti-Castro failure" [1]

The United States has an ongoing effort to use Internet media to 'deradicalize' the next generation of Middle Easterners and actively manipulates public opinions in Jordan, Cairo, Syria and other Middle Eastern states. Here are some quotes from one DoD MINERVA paper:

"...it is imperative that we develop empirically-based procedures for countering messages that promote violent extremism and anti-Western beliefs..."

"...Neural predictors of Twitter impact in Cairo (UCLA & Egypt). Our prior work (Falk et al., 2012), indicates that neural responses of a small group can predict which persuasive messages will be more successful in mass media campaigns..."

"... Defense Group Inc. already tracks Twitter trends specific to Egypt and will identify which of the selected Twitter topics went on to be highly influential over the next month and which did not..." - Matthew Lieberman, UCLA, September 30, 2012, Department of Defense MINERVA Initiative [2]

Here's one US company that does it. MARAYA MEDIA - "Driving Intelligent Dialog". [3]

The United States engages in targeted mass media and social manipulation to stir dissent in target nations, and to quell dissent where destabilization would hurt policy objectives. The DoD's MINERVA project specifically looks to understand the cultural components of stability of various countries and mechanisms to encourage or disrupt that stability. Among a great number of social studies you will find DoD research on how to seed information inside of specific Asian countries, including China, for the targeted introduction of instability. I will leave speculations of possible connections to the Hong Kong protests to the reader. [4] During the Iraq war US officials were known to detain Iraqi journalists and bloggers and force them to write articles in favor of the American efforts or to spread misinformation useful to ongoing campaigns. The CIA purposefully slipped misinformation into American media outlets to fool counterinsurgents who were reading American media (the infamous "Fallujah PysOp").

This should not come as a surprise given the history of the US: The United States and allies are known to target media in other countries to stir dissent. Radio Free Europe, "Voice of Iraq" (cough American), the Lincoln Group infiltrations and partnerships, etc.

But now with global interconnectedness it is easy to set up 'foreign media', blogs and other politicizing content to influence other nations' populations.

In the past decade it has become a global issue.

This year Egypt sentenced Al Jazeera journalists that they believed were partnered with geopolitical interests of other states. Putin's administration is now requiring bloggers to register if they have a certain number of readers, so that his administration can curtail international influence. China blocks many American services including Facebook and Google. The usual story in America is that they are censoring free speech. The truth is that they do not want foreign influence to destabilize their population and that they do not want their citizen's data in America's PRISM program (there's a reason it's called the FISA "Foreign Intelligence Surveillance Act" court).

The Snowden revelations showed us how intelligence agencies are involved in PsyOps - the term for 'psychological operations' used by the CIA and others. The GCHQ's BIRDSONG/...

All of this makes seems and is well sourced. But there is a huge difference between inciting revolutions that are beneficial to the US in foreign countries, one of the stated purposes of the intelligence community, and "shilling" comments on hackernews or reddit. Covert US involvement in swaying public opinion against opposing ideologies is a proud tradition that goes back to at least the 1930s and beyond. Using social media is just an extension of that. Most of the sources you provided are about creating fake social media sites to be used in foreign countries or broad discussions about psychological influence techniques that mention social media. There are no detailed plans that mention hackernews, reddit or any other online social news aggregator. It would be incredibly costly for the NSA to have agents posting pro-government comments on every thread that pops up on the hundreds of online tech communities and I don't see how they would benefit from it in any way. The idea is frankly laughable.

It's fun to think that we're so important that the US government cares enough to intervene in our political discussions. But we are not, not a single one of us. If pg himself called for open insurrection in his next essay, no one in the NSA would lift an eyebrow or raise a finger. Until this or any community becomes known as a hotbed for muslim extremism or communist agitation we're simply not on the radar in any way. As far as hackernews and reddit are concerned, "shill" is a synonym for "someone who disagrees with me" and always will be.

We do know that the United States Government and allies manipulate both foreign and domestic press.

I agree with the sentiment that this does not imply reddit or hackernews are subject to influence by the United States Government or allies.

I do not agree that the idea is preposterous or laughable. This is because we do know that the NSA infiltrates domestic technical groups as they did with the IETF to affect standards discussions, that they infiltrate activist groups inside the United States to disrupt them, that they are aware of social contagion theory and its usefulness in affecting public opinion, that they have done studies with at least the UCLA on viral messaging for Americans (to compare to, with and against foreign countries), that political campaigns use social targeting techniques without branding and will comment on news articles (to be 'first to post') to color conversation on hot button issues during the races, and that companies with political interests and who share a revolving door with elected office also advertise political discourse online in this way. Thinkst researchers studied how easy it is to manipulate online social conversation, news media outlets and platforms. We know that the GCHQ have JTRIG capabilities to perform internet manipulation and that there are documents from Snowden that specifically mention their use in derailing conversations on online forums. There have been reports of PR firms of private companies astroturfing reddit and others. And we know that HBGary Federal and other cyberoperations contractors for the US Government sell astroturfing services.

What we don't know is that reddit or hackernews are targeted specifically or for domestic purposes by the US Government. We have a few indications that this is done for large media outlets (recently Judith Miller, Ken Dilanian, CNN on Bahrain) in tandem with other leverage like access to officials, exclusive press passes and permission to report at the edges of no-reporting zones. Unfortunately there isn't enough evidence to be conclusive yet about the reddit/HN case as there have not been leaks that speak directly about it, so any debate in this area is bound to be speculation versus speculation.

You're splitting hairs here. Yes, I don't recall a leak specifically stating "we have sock puppets on US social media sites" however there have been documents leaked describing high level tactics which might logically include US sock puppetry.

Additionally, domestic US propaganda is now legal:

https://www.techdirt.com/articles/20130715/11210223804/anti-...

Further, sock puppetry is an established tactic:

http://www.theguardian.com/technology/2011/mar/17/us-spy-ope...

http://mashable.com/2011/03/17/centcom-social-media-personal...

http://www.fbodaily.com/archive/2010/06-June/24-Jun-2010/FBO...

So the only question is, specifically which sites are targeted and to what ends. If the metadata shows that HN or your favorite sub-reddit has out-sized influence on matters of national concern, then they're probably targeted.

Did you seriously just make an argument that a government would choose not to do something just because it would be expensive and ineffective?

"Incredibly costly" + "I don't see how they would benefit" is only an effective argument against individuals and businesses whose continued existence depends on not wasting money. The state runs on taxes and executive orders.

You may not realize that one of the non-publicized goals of recent executive administrations has been to keep the official unemployment rate of war veterans low enough that it stays out of the public consciousness. This has been accomplished in large part by steering them into make-work jobs with strict citizenship or clearance requirements along with hiring preference points for military service.

The government probably does not care to intervene in our nerd talk, but it can afford to, and if that provides a minor political benefit beyond sticking loyalists in dubious, relatively-high-paying desk jobs, then so be it. If I were to attempt to promote state interests with respect to encryption and network security, HN is certainly one of the sites I would pay my subordinates to read and influence.

Don't assume that just because you think it is stupid and pointless, no one is actually doing it. That doesn't mean that anyone is, but you can't realistically argue that everyone is not.

What if there is a program which can do all of this? The part about posting on HN and Reddit? Just wondering if it is something they, with all their $$$$ and resources, could do.
> Reprising a relevant comment

Please don't reprise comments on Hacker News. This is a place for conversation, not boilerplate.

(Just to be clear, your other comments are part of the conversation and are thus fine.)

There is an EXTREMELY THIN LINE between "sponsored dissent" and "spontaneous dissent"

Shutting down opposing dissent usually means that all your press is now only good as toilet paper (like the Pravda in Cuba)

"inciting anti-administration feelings within the Cuban population"

So, the population love the Castro administration then? And whoever opposes is an US shill, sure...

'spread(ing) Western culture and ideas'? Would you care to expand on that? You presumably disapprove.
See www.corbettreport.com for more information (and the way out of the Matrix). I think I'm shadowbanned already, but maybe you'll see this anyway.
(comment deleted)
So what you're saying is that Canada really is monitoring hockey fans in Canukistan?
What he's saying is: We are being pushed into a total surveillance state without a democratic vote, which means it is not normal to say "don't worry, go back to sleep" unless you're being paid to say that.

(But I guess you knew that already.)

I don't think dmix was quite saying "go back to sleep." My concern is that "The NSA also has a program with which it claims it can sometimes decrypt the Secure Shell protocol (SSH)." (something I'm very much interested in) is in the very next paragraph. And still part of the "Hockey sites monitored" section (why??).

Do I take the ssh claim seriously? Do I just pretend the hockey monitoring paragraph isn't there?

Perhaps I should read the source for myself. http://www.spiegel.de/media/media-35515.pdf

Alas, there's very little in the way of detail. There's exactly one slide (19) dedicated to ssh, which says it can "potentially recover usernames and passwords." That would adequately describe a simple mitm attack where somebody either accepts an unknown server key or uses a client that doesn't even check (e.g. Prompt for iOS). Slides 35 and 36 mention ssh and decryption, but it sounds like they're talking about further processing after decryption. How is that decryption being done?

We have one real "case study":

https://firstlook.org/theintercept/2014/12/13/belgacom-hack-...

Active attacks allow access to the keys, and once the attackers have the keys, unless the PFS is properly used, the old captured streams are readable. But often it's even easier to read the documents on the attacked machine directly.

Still, all this was known before the material we comment now. Which doesn't mean we should let PFS remain unused or wrongly used as it is now and that we shouldn't try to protect us from the active attacks.

If we worry about the decryption of our SSH traffic, do we properly use PFS? What do we do to prevent or detect active attacks?

Prompt doesn’t check the server’s key? That’s incredible. Do you have any sources on that?
I used it. It never showed me the server key or asked to verify it.
Wow. That’s really craptastic.
New attack against AES? - The Tau statistic:

From the Spiegel article: "Electronic codebooks, such as the Advanced Encryption Standard, are both widely used and difficult to attack cryptanalytically. The NSA has only a handful of in-house techniques. The TUNDRA project investigated a potentially new technique -- the Tau statistic -- to determine its usefulness in codebook analysis."

There isn't enough in those documents to really analyze. Apparently all the good malware info is going to be released "in a couple weeks".
Has anyone found which docs say how they attack SSH? The intro slides don't go into any detail. It could just be known SSH-1 vulnerabilities.

My overall impression is that this doesn't reveal any new attacks. They are most likely using known vulnerabilities. For example, they decrypt PSK IPSec by exploiting routers and getting the keys, not breaking the encryption.

In the talk they say that the papers only suggest that it can be broken into.
Domestic spying + Immunity from insider trading laws... It's a good time to be in the government.
You got downvoted. I think people have forgotten "Team Themis", HBGary and JPMorgan Chase.
To give some credence to your comment about insider trading immunity, I performed a quick search. (My guess is that you got downvoted for not providing any evidence to support your, arguably acerbic and snarky, comment.)

http://www.forbes.com/sites/kylesmith/2011/06/01/insider-tra...

The money quote: "There is no limit to how much money you can earn on insider trading in the House or Senate. Lawmakers and their staffers are specifically exempted."

While I would consider it unlikely that NSA feeds senators with free stock market tips, the members of the oversight committee are sure to have an extensive advance view to foreign (and domestic) market-changing intelligence. There has been systematic resistance to reforms - the members probably consider making a quick and safe half-million on the stock market a necessary perk of the job.

(comment deleted)
Older versions of the Adobe Reader plug-in often hangs for example while the PDF is downloading.
Even though we know that the NSA does collect data on Americans, let's assume that they didn't. By using a network such as a VPN or a Tor Node that is located outside of the United States, would they "legally" be able to use the data collected on you received from those networks as if you weren't an US Citizen?
No, but that's where the Five Eyes concept comes into play, previously known as ECHELON. The idea is that agencies such as CIA and NSA can work around the limitations imposed by their own charters by cooperating with foreign agencies who have no such prohibitions. Then, the doctrine of parallel construction takes care of any remaining legal hangups.
The comments that try to reassure the reader seem to have become more frequent. Scary.
The fact that they broke some but not all the OTR messages in the log suggests to me that their attack is not a MITM, but instead a compromise of the 1024 bit DH or CTR mode AES.
Do you really think NSA has compromised AES-CTR? That would have to be a pretty fundamental attack, wouldn't it?
I have little doubt they have compromised some system that reuses keys or nonces (or fails to increment the counter :)). If I were making a powerpoint to brag to my bosses, I would definitely put that on a slide.
I am not trying to draw any conclusions. Just exploring what the data seems to support.

Another alternative (mentioned on otr-dev) is an implementation which uses a low quality rng feeding the ECDH might result in some messages being recoverable and others not.

An attack on CTR would indeed be pretty fundamental. Though some of the other documents appeared to support some level of cryptanalysis capability against some implementations of at least some symmetric ciphers.

Can you think through a scenario in which CTR could be broken? CTR, in particular. What's a hypothetical here?
Sure.

Improve the existing key-recovery attacks (http://research.microsoft.com/en-us/projects/cryptanalysis/a...) on AES from 2^126 to 2^80 (through unknown methods, potentially exploiting the trivial relation of CTR plaintexts), which is a scale at which a state level party could perform computation, especially on specialized hardware. Observe a CTR block on known plaintext and recover the key.

Practical key recovery attacks have existed against many block ciphers. AES is pedantically weaker than it should be (since an attack exists at 2^126).

Do I think this is likely? I don't have enough information to answer, and in the absence of information I'd default to "probably not". It wouldn't be inconceivable, however.

The impression I got was that the person they were monitoring used OTR for some messages and plaintext for others.
One normally does not turn off OTR in the middle of a conversation.
does anyone know why spiegel leaked these docs - and not greenwald via the intercept?
Doesn't Der Speigel have access to different documents and a second leaker? Or are these also Snowden documents?
They were released by Jacob Appelbaum and Laura Poitras who did a 3C31 talk about this too.
As a google security engineer once said, "f-ck these guys"

According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012.

By the end of 2012, the system was supposed to be able to "detect the presence of at least 100 password based encryption applications" in each instance some 20,000 times a month.

Most proprietary and mainstream software and protocols are insecure. If you care about your security use open source and open standards so that security professionals can test and verify its security.

Skype insecure Cloud email popular ones used by end users insecure Whatsapp insecure Facebook messenger insecure Email insecure Dropbox insecure

So in conclusion they are tapping into mainstream communication channels, its their job.

People have become a bit lazy with cloud solutions and proprietary software because of their fast setup and convenience. People pay with their privacy for the convenience/laziness.

WhatsApp's recent integration of TextSecure [1] makes it one of the most secure communication options available to lay users. The vast majority of people simply can't manage without hosted tools. This lack of sophistication shouldn't damn them.

[1] https://whispersystems.org/blog/whatsapp/

One topic I find missing from the privacy and security debate following Snowden's revelations is an explicit consideration of the adequate threat model.

If the public thinks that the most prominent attackers on their privacy, security or identify are the best founded intelligence agencies on the planet, then the likely outcome will be grumpy resignation and consequent failure to protect against more mundane (and more likely) threats. Security and encryption are considered difficult and tricky. Even for software engineers. Raising the bar by highlighting the scale of resources of the most competent attackers is counterproductive.

I think a practical threat model for an average internet user should highlight cyber-criminals, accidental misconfiguration, and careless handling of private information. Not NSA or GCHQ.

Edit: The discussion of mischief by NSA and GCHQ belongs to the debate on public oversight of government agencies. The article above is about using encryption on the internet.

Ok, now that I've finally read the slides. They take usernames and passwords out of SSH.

People, if the private botnets didn't made you disable password authentication already, do it for the NSA.

It makes you wonder if the NSA/five eyes is actively working to keep topics/threads such as this one down played in the media, or even on HN.

I did my part and upvoted the story to get it more exposure here:)