Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror

Comment They're not denying the article really (Score 5, Interesting) 291

They're just claiming again that they assumed the NSA were good people.

This all happened in 2006. RSA adopted DUAL_EC. RSA was sold to EMC. NIST released the standard. Microsoft researchers showed the flaws in DUAL_EC. The flaws in DUAL_EC have been known since 2006, the only thing we didn't know was that they were deliberate.

Also it's interesting to note that an anonymous organization paid for the same DUAL_EC algorithm to be added to Open SSL. With Open SSL at least they didn't make it the default but it's not far off from what RSA did.
http://arstechnica.com/security/2013/12/nsas-broken-dual_ec-random-number-generator-has-a-fatal-bug-in-openssl/

Comment The US has this capability, of course (Score 1) 698

http://www.theinquirer.net/inquirer/news/2290640/germany-warns-against-using-windows-8-due-to-security-risks

You just revoke the keys and suddenly the machine can't boot.

It's funny how the NSA accuses China of inserting back doors but Snowden shows how the NSA inserts back doors. China hacks into systems but Snowden shows the NSA has hacked into tens of thousands of networks. And now the NSA is bragging about preventing a shutdown button when we already know it did the exact same thing.

Comment Re:problem is (Score 1) 841

We can be pretty sure that the NSA data gathering was a part of how General Petraeus was forced to resign.

The NSA shares its data with 11 other federal agencies such as the FBI (crime stoppers), IRS (tax collectors), DEA (drug wars). It may be that the FBI acted alone using already shared metadata information from the NSA. Or it may be that the NSA was more actively involved. If they were involved, that information would be classified.

Petraeus stood a reasonable chance of being elected president. The information was there because the NSA collected it. At a certain point it was decided to force him to resign. That decision was a political one because it has a political impact.

Submission + - Trans Pacific Partnership includes parts of SOPA

Error27 writes: Last month Wikileaks leaked a draft of the Trans Pacific Partnership treaty. Here is Congresswoman Zoe Lofgren's response to the leaked documents. She points out that there several troubling issues with the trade agreement. It locks countries into extremely long copyright terms. It limits fair use. It includes DRM provisions which would make it illegal to unlock your cell phone. These laws come from the Stop Online Piracy Act (SOPA) which Americans already rejected.

Comment That's good news (Score 0) 92

One thing that people talked about was that Alexander knew too much dirt on everyone and couldn't be forced to resign. It makes it easier that he stepped down voluntarily.

If you think about it, the NSA had enough information to force former CIA director David Patraeus to resign. I'm not saying they did, I'm just saying that they had the information and could have done it if they wanted to. But at the same time they were not able to prevent actual terrorists like the ones who attacked Westgate mall. The difference is that it's easier to spy on normal Americans than it is to spy on terrorists.

Comment Re:C/C++ operator = (Score 1) 360

I actually fixed one of these bugs in the kernel last month.

But you are right that these are very rare. I have did a git search of patches which only add a single '=' character and there are normally two kernel bugs like this per year. In other words, we have 50,000 patches per year and only 2 patches have this sort of bug.

I have spent quite a few days auditing for these bugs in the kernel. They were rare the first time I audited in 2002 but these days we have several ways to make them even more rare.

Imagine you have "if (x = foo) {":
1) GCC suggests using extra parenthesis around the assignment like "if ((x = foo)) {"
2) Checkpatch.pl suggests breaking it up into two statements. "x == foo; if (x) {".
3) Static checkers complain about it if foo is a constant, or if the checker is in verbose mode, then it complains if foo is not a function call. (A lot of static checkers complain. It's a favorite thing to look for).

One thing that I have just thought of is that we should have a warning where checkpatch.pl complains if people do: "if ((x == foo) || (x == bar)) {". Sometimes it's hard to know where to add parenthesis for readability, but for comparison operations the parenthesis are obviously bad style.

Comment Re:The truth gets out... (Score 3, Insightful) 81

This isn't the only way or even the main way that the NSA exploits systems.

Things we know:
1) The NSA collects SSL keys.
2) The NSA can generate fake SSL keys.
3) The NSA has performed MiTM attacks against Google and Microsoft.
4) We know where many of the places are that the splice into the undersea cables.
5) US embassies often have Echelon hardware for tracking satellite communication.
6) The GCHQ stores three days of internet traffic (not metadata but everything).
7) The NSA collects metadata from everything. Email. Phone. Letters. Facebook.
8) The NSA planted spies in large corporations.
9) The NSA have influenced/degraded encryption standards.
10) The US government and Israel created stuxnet.
11) The NSA monitors all credit card transactions outside of the US.

We don't know the specifics though. We don't know:
1) If there is a backdoor in Windows or Linux or libssl.
2) If hardware random number generators have been backdoored.
3) If there are backdoors on the motherboard or in the ethernet firmware.
4) How they are tracking in other ways, via license plate readers or sensing your various personal radio devices.
5) How are spy satellites used for domestic surveillance?
6) Just how much information is shared between the agencies to avoid fourth amendment rules. We know that the NSA and the GCHQ share an office. We know that the NSA gave unfiltered data on non-criminals to Israel.

Comment Re:News? (Score 2) 314

That same logic could be applied to anything. "You were mugged on the way to work? That's what muggers do. Boring."

This is interesting because it shows:
1) How the internet changes spy craft.
2) How dangerous it is to aggregate data.

It raises interesting questions:
1) Have other countries infiltrated VISA as well?
2) Has VISA been infiltrated by organized crime as well? Would that be profitable?
3) What personal information is there?
4) Has the private data been used for black mail people in interesting ways?

This revalation requires some actions in response:
1) VISA can't just allow their private data to leak.
2) Other countries where this is illegal might consider a response.
3) The IT industry must take more action to prevent this kind of attack.

There are also legal issues:
1) If this hurts VISA, then can the NSA be sued for the loss in business?

The timeline from now looks like:
1) Next six months: More NSA activity will be uncovered. NSA front companies will be exposed. Techniques will be analyzed.
2) Next few years: Changes to the IT industry such as updated encryption. Finding fixes/replacement for SSL since it has failed completely.
3) Next decade: Countries and corporations will have to update their IT budgets and what tech they buy.

This assumes that Snowden does not leak the 400Gb of data in his insurance file. If that happens then much of the web will have to be shut down for a couple weeks. The stock market will collapse. Government officials in many countries will have to step down as we learn more about their private life.

Comment Re:Suddenly, the money is in hardware. (Score 4, Interesting) 535

Google bought Motorola for the patents. Microsoft bought Nokia because everyone else had almost abandoned Windows phones and Nokia was about to abandon them as well.

Only Samsung and Apple make money from phones. Nokia, HTC, Blackberry, and Motorola all make a loss. Btw, Nokia and HTC are 9th and 10th on the top smartphone list. Blackberry and Motorola aren't in the top ten.

At this point the phone business has turned into the PC business. Phones are a commodity. They all have 300-400 ppi screens. Anything higher than that is silly. The screens are all as large as you can hold comfortably. They all have the same CPU and and the same RAM and the same battery life. It's easy to design a high end phone.

For some reason it's harder to make money with smartphones than with PCs. You have to first become one of the few subsidized phones. I think the phone companies know you have to go through them so they don't pay very well?

Comment Re:Now, for the other angle, is this treason? (Score 1) 367

Snowden's insurance file probably contains actual backdoor information, SSL keys, and millions of collected passwords. The internet would have to shut down for weeks... I think even staunch Snowden supporters would be annoyed.

But Snowden would be dead at that point so he wouldn't care.

Comment Re:No (Score 2) 156

I work in kernel security and I would say we have improved. You can't just tell people "don't make mistakes" and expect security to improve the only way you can improve is by improving the process.

1) We've added a few exploit prevention techniques like hiding kernel pointers.
2) Our fuzz testers have improved.
3) Our static checkers have improved.

But we're not perfect.

For example, we earlier this year we merged user namespaces. Obviously this is tricky code which deals with security. People had been working on it since 2007, but even after five years we all knew there were going to be some security bugs which we had missed. Code has bugs. That's life. But user namespace is a valuable feature and we had done everything we knew how to do.

Actually, in some ways, user namespaces will improve security overall because we can use it to remove a setuid binary from the Chrome browser.

Btw, you can't just look at CVE count. If could be that the bug is old but it was only found recently because of the improved tools. Also two years ago we probably wouldn't have issued a CVE for info leaks like CVE-2013-2148.

Comment Re:If you have nothing to hide... (Score 1) 350

I'm not angry with Snowden. He's like a kid. He doesn't know any better. I'm not angry that the NSA collects information on everyone. They are spies. It's their nature to spy.

I'm angry because the CIA collected the SSL keys to the internet. How on earth did they think it wouldn't be stolen??? As if they hadn't watched the news or looked in out prisons which are full of thieves.

If they had used software bugs to read people's encrypted email that would be ok. That's the vendors fault. But putting a backdoor in is not OK. That's the government actively making life worse for everyone. Some of these systems will be very hard to fix.

What I'm trying to say is that there is a fine line between using existing exploits and deliberately introducing bugs. I would prefer if the government helped fix bugs. I am fine if they use bugs. I get very very angry if they introduce bugs.

Slashdot Top Deals

All Finagle Laws may be bypassed by learning the simple art of doing without thinking.

Working...