
Comment Re:What about SSL/TLS keys? (Score 2) 93

What "hand it over"? Do you have any belief that there is not effectively an auto-copy escrow feature sitting at Verisign and GoDaddy and all the other SSL key vendors, for precisely this sort of access? And if there wasn't one planned, that there's not one embedded by the NSA and every other security agency that can afford a few bribes and a laptop p0wned inside their firewall?

I don't think SSL/TLS works the way you think it does.

These companies don't buy "SSL keys", they buy signatures on their own public keys. No one should be giving their private keys over to a certificate authority in order to get a signed certificate.

Now, if you meant the CAs may have provided some sort of intermediate CA to the government so it could sign their own certs and masquerade as anyone and act as a MITM, then that is more likely.

Comment Re:What about SSL/TLS keys? (Score 2) 93

I'd be more interested to know if they shared their private key for SSL/TLS. Since Apple's Safari (to the best of my knowledge) does not support perfect forward secrecy (PFS), someone recording the encrypted session could later decode the session contents if they ever acquired the private key at any point in the future. The conversation might go like this:


I should point out that IE doesn't support PFS either, so Microsoft could be in the same boat. I think Chromium and Opera support PFS, but I'm not 100% certain.

(This is not my field of study, so if I have this wrong, I'd appreciate a correction.)

PFS is dependent on the cipher suite that is used. Safari and IE both *do* support some PFS suites, but not all PFS capable cipher suites. And for those they do like, they seem to prefer them less than some non PFS cipher suites. Safari seems to be better than IE at this as they support more suites but the non-elliptic-curve ones are used only as a last resort. So, the problem is web servers respecting the browser's preferences will end up selecting a non-PFS cipher suite even if the web server itself does support some PFS cipher suites.

So Safari/IE need to start favoring the PFS ones and/or web servers need to start only accepting the PFS suites.

Netcraft has some good research on the area.
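The selection behaviour described in the comment above, as an added example that is not part of the original comment: a small model of TLS 1.2-style suite negotiation showing how one client offer yields a non-PFS or a PFS suite depending on server policy. The client offer lists and server configurations are constructed for illustration and are not any real browser's or server's lists.

```python
# Added illustration; the offer lists are constructed, not any real browser's.
PFS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")  # ephemeral (EC)DH key exchange

def is_pfs(suite):
    """TLS 1.2-and-earlier suite names encode the key exchange in their prefix."""
    return suite.startswith(PFS_PREFIXES)

def negotiate(client_offer, server_suites, honor_server_order):
    """Return the suite the server selects, or None when nothing overlaps."""
    if honor_server_order:
        ranked, allowed = server_suites, set(client_offer)
    else:
        ranked, allowed = client_offer, set(server_suites)
    return next((s for s in ranked if s in allowed), None)

def audit(client_offer, server_configs):
    """Map config name -> (selected suite, forward secret?)."""
    result = {}
    for name, (suites, honor) in server_configs.items():
        chosen = negotiate(client_offer, suites, honor)
        result[name] = (chosen, bool(chosen) and is_pfs(chosen))
    return result

ECDHE = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
DHE = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
RSA = "TLS_RSA_WITH_AES_128_CBC_SHA"

# Constructed client: supports PFS suites but ranks static RSA first.
CLIENT = [RSA, ECDHE, DHE]
# Constructed legacy client with no PFS suites at all.
LEGACY_CLIENT = [RSA]

SERVERS = {
    "respects_client_order": ([ECDHE, DHE, RSA], False),
    "enforces_server_order": ([ECDHE, DHE, RSA], True),
    "pfs_suites_only": ([ECDHE, DHE], False),
}

if __name__ == "__main__":
    for label, client in (("client", CLIENT), ("legacy", LEGACY_CLIENT)):
        for name, (suite, pfs) in audit(client, SERVERS).items():
            print(f"{label:7} {name:22} {suite} pfs={pfs}")
```

The legacy client against the PFS-only server returns no suite at all, which is the compatibility cost of accepting only PFS suites.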

Comment Re:He should just go to America and face the music (Score 1) 205

What investigation is the data collection relevant to? The government admits they are collecting the data to search through it in the hopes of finding something to investigate.

Regardless, the constitution is the supreme law of the land. Any law or action that violates the constitution is itself illegal. The government's actions clearly violate the fourth amendment.

I hope the ACLU suit succeeds or that Congress decides to fine tune the law (lol). But from the NSA's perspective, (or so I've heard from a talk by Gen. Alexander) they believe they are authorized to collect the data, but they "have a system in place" to protect access to the data. They require some sort of FISA court approval to actually search and use the data (which as I understand, the FISA court is basically a rubber stamp). He also referenced a specific number of times it had been accessed and how many terrorist events it provided information on (51 or so I think, don't remember the other numbers).
The fourth amendment isn't even being considered seriously because in 1989 the Supreme Court already ruled that a minimal invasion of privacy was justified in the government's need to combat an overriding public danger (the case was about drug testing of railway workers), but it has been interpreted, well.. broadly. The FISA judges have ruled that the NSA's collection and examination of communications data to track potential terrorists doesn't run afoul of the fourth amendment.
I don't see a clear path that would put this in front of the Supreme Court to challenge it on constitutional grounds. Nobody can claim they have standing unless they know their information was accessed and no one knows that because the info is classified. Catch-22 of sorts.

Comment Re:He should just go to America and face the music (Score 1) 205

Amendment IV of the constitution: "Every subject has a right to be secure from all unreasonable searches, and seizures of his person, his houses, his papers, and all his possessions."

Blanket storage of metadata easily falls under this by any honest interpretation of its meaning. Therefore cannot be authorized by anything, not even an act of congress. These people have betrayed us, along with everyone who follows their illegal commands.

Then it should be challenged in court (the Patriot Act). Another commenter posted that the ACLU is challenging the NSA over its interpretation of the Patriot Act, but no one is challenging the activity on constitutional grounds (largely because of a 1989 Supreme Court "finding that a minimal intrusion on privacy was justified by the government’s need to combat an overriding public danger.")
Devil's advocate for the NSA: Actually, this is from Gen. Alexander of the NSA directly when he spoke at an AFCEA conference I was attending: They are only collecting the data. In order to access or search it, they require a FISA court approval. (but which they almost always get)

Comment Re:He should just go to America and face the music (Score 1) 205

A traitor to whom? The only people he betrayed are the ones who betrayed the people by spying on them. He did nothing but expose traitors.

Maybe I'm missing something, but where did he reveal anything illegal going on? Everything was authorized by the Patriot Act (section 215 and others) and FISA. And really, what is so shocking about the agencies using the powers that Congress explicitly gave them? Traitors? Seems harsh, but if you are going to throw that around, maybe toss it towards the congresscritters that created those laws and the administrations that keep signing off on it.

Comment Re:HTTPS (Score 1) 90

It's SUPPOSED to be carried over https.

Unfortunately people rarely go to websites by typing in a https url. They go to websites by typing something in a search box or by typing in a url without protocol (which for historical reasons defaults to http). This gives an attacker an opportunity to hijack things before the user switches to https and keep the client on plain http as the connection from attacker to server switches to https.

Exactly, and it is trivially easy to accomplish these attacks with man in the middle tools like SSLstrip and the Middler.
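A defender-side check for the exposure discussed in the comment above, as an added example that is not part of the original thread: it audits a site's plain-HTTP and HTTPS responses for an HTTPS redirect and a Strict-Transport-Security (HSTS) header, which tells a browser that has visited before to skip the plain-HTTP request entirely. The sample responses, the `example.com` host and the 180-day minimum are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

def parse_response(raw):
    """Split a raw HTTP response into (status code, {lower-cased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 when the header is absent."""
    value = headers.get("strict-transport-security", "")
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return int(m.group(1)) if m else 0

def audit_downgrade_exposure(http_raw, https_raw, min_age=15552000):
    """List findings; min_age (180 days) is an assumed policy threshold."""
    findings = []
    status, headers = parse_response(http_raw)
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308) or target.scheme != "https":
        findings.append("plain-http-not-redirected-to-https")
    age = hsts_max_age(parse_response(https_raw)[1])
    if age == 0:
        findings.append("no-hsts")
    elif age < min_age:
        findings.append("hsts-max-age-short")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
SHORT_HTTPS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"

if __name__ == "__main__":
    print(audit_downgrade_exposure(WEAK_HTTP, WEAK_HTTPS))
    print(audit_downgrade_exposure(GOOD_HTTP, GOOD_HTTPS))
    print(audit_downgrade_exposure(GOOD_HTTP, SHORT_HTTPS))
```

A redirect alone leaves the first plain-HTTP request open to interception; HSTS only protects visits after the header has been seen once over HTTPS.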

Comment Re:Fantastic. (Score 1) 261

Oh how naive! Where have you been all last year ...

Counter-example: Blizzard's Diablo 3 Directory Jay Wilson

Sigh, I just started playing this game and reading the forums some. You are pretty spot on, but at least recently they have given in a little on some minor issues with the latest patch 1.0.8 coming out. I think some of the developers are pretty sympathetic.

Comment Re:Sadly, no... (Score 1) 153

I don't think you know how things work in encryption these days...

You don't need the username/password information to encrypt things. iMessage and most of the communication of short messages between Apple devices and between Apple's cloud and the devices is based on the XMPP system which uses simple S/MIME to encrypt similar to how e-mail encryption works. It's end-to-end encryption. Could Apple build in something to transfer the private keys from the client to the server and intercept it there - sure - but that would be 1) against the XMPP standard, 2) easily noticed and exploitable, 3) may even be illegal.

Where did you read that iMessage is using the S/MIME Encryption extension to XMPP or that it is using XMPP? I haven't seen anything to suggest this. I suspect this is simply that iMessage is properly using TLS/SSL connections to their servers making snooping difficult. They can probably still snoop by subpoenaing Apple for the records. According to Wikipedia and other sources, the protocol is actually a binary protocol based on Apple Push Notification Service.

Comment Re:To be fair... (Score 2) 434

Use tax is arguably unconstitutional due to the interstate commerce clause, and that is why states do not enforce it. They can wield the moral force of "this is the law" to those that don't know better and get them to put it on their tax returns, but they won't go after those who don't pay because they're afraid to lose. The states' end game has been a federal authorization for the states to collect sales tax because it would put them on much more solid legal ground.

The use tax on the residents within a state by that state is perfectly constitutional according to the Commerce clause because it places the burden of payment equally on everyone in the receiving state. The sales tax charged by one state to a seller in another state is unconstitutional (according to the Commerce clause) because it places the burden on the seller in the other state.

Comment Re:No Tax or Duty shall be laid on Articles export (Score 1) 434

Yeah there is already Use Tax where your home state charges you for stuff you buy outside of the state.

Use taxes are constitutional because they place the burden equally on everyone in the state as opposed to sales tax which would put an unconstitutionally undue burden on the out of state seller (according to the Commerce clause).

Comment Re:Can somebody please explain... (Score 1) 33

I get that the US is up there, France & Germany have a surprising amount of requests, but I'm pretty sure at least France is a firewall country. But Turkey... what? They have 11k legit internet users?

They are right up there w the states at 11k, there is no reference to Turkey anywhere in my knowledge of IT and how it applies to the world, so why would they have so many requests.

I found that curious as well. It may be related to the fact that Turkey has a lot of "laws that limit speech deemed insulting to Turkishness, and expressions of political extremism". They are fairly heavy into Internet censorship as well and even blocked all of YouTube for a long time. There are a lot of topics that aren't allowed to report about and they have ongoing legal proceedings against lots of online journalists.

Comment Re:Google Keep (Score 3, Informative) 205

It would be nice if Evernote's local database was in an open format - if it is, it's not obvious (there is an API, but I haven't investigated to see if there's a way to use it should the cloud side of the service go AWOL tomorrow). It's easy enough to export all of the notes into HTML, though, and doing that from time to time as a backup is probably a good idea.

The Evernote client already has a feature to export all the data from the locally stored notebooks/databases to HTML or to an Evernote XML file (which isn't that hard to parse). This is independent of the cloud export features. It includes notes and attachments. If that isn't enough, it looks like the local database is really just some SQLite DBs, so it wouldn't be that hard to write something to pull the data out directly.
