Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?

Comment NIST 2006 (Score 1) 607

They censor the names of the algorithms for the NSA but mention one was adopted by NIST in 2006 and later by ISO. That would be AES ladies and gentlemen. The article strongly implies they can decode all SSL and AES in real time as it flies over the fiber... You aren't using AES anywhere are you ladies and gents?

Comment Re:So it has come to this (Score 1) 531

... but while the ACLU pursues matters through leveraging law, the NRA advocates remedying government amok with a more pointed (or hollow pointed) approach.

There's a big difference between advocating and pursuing.

I continue to maintain that the position that the best way to protect your rights is BEFORE you get pushed to the point where you have to break out the arms caches. I know there are those who have wet dreams about being the backwoods guerilla patriots against the tank-and-drone forces of an overbearing US Government, but I'm not one of them. I'd rather order pizza delivery, pick up the UPS package with the latest electronic toy in it, and play with it, thanks to those who pursued instead of just advocating.

Talk, as they say, is cheap.

The NRA has made a very long and vocal habit of defending the rights of everyone to have their guns. Apparently trying to put a good scare into creeping government control of any and every other aspect of life hasn't deserved anything like Charlton Heston waving his gun around after the Columbine shootings and claiming they could have it when they pried it from his cold, dead hands.

Really, I think we're seeing the true colors here. The 2nd Amendment is really about collecting a lot of pointy bang-sticks.

Comment Re:So it has come to this (Score 1) 531

"... but while the ACLU pursues matters through leveraging law, the NRA advocates remedying government amok with a more pointed (or hollow pointed) approach."

Absolute nonsense. The NRA is the biggest and richest lobbying organization in the United States. They fully advocate having and following reasonable laws.

It is true that many members of the NRA would have us use force against a government run amok, but it is also true that nearly all of them view that as an absolute last resort. Not the first, as you imply.

The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants - Thomas Jefferson.

Comment Re:Uh... okay (Score 3, Informative) 607

There's nothing in the articles that implies this. Backdooring a CA only helps if several things hold:

1) They can not only intercept but also rewrite traffic on the fly. Possible, but if so, not yet mentioned in any leaks.

2) They're willing to take the chance that someone might notice.

So an operation against a single site, definitely possible. But they are clearly desperate to grab everything, all the time! Their whole MO is not targeted investigations but to spy on everyone simultaneously. You can't use a rogue CA to do that. They'd be detected immediately, if only by geeks setting up SSL for their new personal VPS and suddenly noticing the CA their browser gets isn't the one they installed.

The problems with SSL are not that CAs exist. The model holds against the global adversary who wants to decrypt everything. The problems with SSL are almost certainly more prosaic - many websites can be automatically hacked and their keys stolen without the owners ever knowing. In the default config that allows you to then decrypt all past traffic as well. Some implementations will use old, weak keys that were strong once upon a time but have since become obsolete. Some implementations will have bad random number generators. Some implementations will run on VPS providers and are subject to side channel attacks by colocated VMs. Some keys can be subpoenad and others can be obtained by covert agents. And of course you still leak traffic metadata even when SSL works perfectly.

There are lots of ways to attack SSL that will work some of the time, and that's exactly what the leaks imply - they can beat encryption sometimes but they don't have a magic skeleton key to everything.

Comment Re:SSH? (Score 5, Informative) 607

Certificate authorities never see private keys so you are dead wrong about that. What's more, even if a rogue CA was minting bad certs on the fly to attest that the NSA was really, that would have been noticed. Remember that secrecy is something they value insanely highly. They wouldn't ever do something so easily noticed and the articles do not imply any kind of CA compromise.

In fact if you read all the stories (they overlap largely but not entirely) you can get a vague picture of what's going on. Firstly, they record all encrypted traffic in case they can decrypt it later. Secondly, they have a database of public to private keys, populated via any means they can. Thirdly, they obtain keys in lots of ways (hacking, subversion, bogus court orders, brute forcing old/weak keys etc) but they don't seem to have a magical solution to all strong crypto. The closest that the leaks come to this is discussion of some amazing cryptoanalytic breakthrough, which could possibly mean they're able to break some kinds of RSA? Perhaps they're ahead of Joux et al by some years?

Regardless, what it is, it can't be a solution to all crypto, because these governments apparently asked the newspapers not to publish on the grounds that people might switch to stronger systems that worked.

Comment Re:perspective (Score 1) 607

That's fine and well in a ballbearing factory where the defective ballbearings are simply rejected and not used. But the NSA is not a ballbearing factory, and instead of being defective, each of those 22,000 violations of constitutionally guaranteed civil rights is a large problem that does not simply disappear due to "reporting and correcting" them. So I'm sorry, but your argument doesn't hold up.

Comment Re:you know hell has frozen over (Score 1) 531

The problem I have with the NRA and 2nd Amendment people who totally buy into this Militia thing is this: Who is calling the ... ahem ... shots? Who is in command of these militias? By what authority?

Anyone who thinks the United States is civilised, hold onto your hats, if it did come down to militias you better believe there will be score settling and such which would make the Middle East look like a controlled situation in comparison.

The people who drew the colonists together were well off and educated. Who would be doing that these days? Just the implication of that should scare the heck out of any rational citizen.

Comment Re:So it has come to this (Score 3, Insightful) 531

but while the ACLU pursues matters through leveraging law, the NRA advocates remedying government amok with a more pointed (or hollow pointed) approach.

The NRA is a citizen funded organization that takes on legal issues through legislation and litigation. I haven't seen any evidence that backs up your assertion the NRA advocates for violent resolution of issues.

If the NRA does not use it's constitutional right to seek redress in this matter, I really and forced to wonder exactly what would the government need to be doing for them to actually dust off their rifles and defend their liberties. This isn't about gun owner rights, its about the government running amok.

This isn't the first time the US government has run amok. I keep having this feeling the 2nd amendment defence is all about collecting toys, collectors items, things to shoot Stop signs with, etc. and has nothing to do with confronting an unjust government.

Comment Re:Botnets and Tor (Score 2) 55

No offence, but there absolutely is reason to believe you're incorrect. The reasons are in the Tor mailing lists which I've been keeping up with for the past few weeks.

Firstly, exit traffic has hardly moved, despite massive increase in Tor usage overall. This is consistent with the bots getting instructions from a hidden service. So exit node operators can't do much here.

Secondly, the whole point of the hidden service protocol is that relays don't know the IP of the hidden service. That's why there are rendezvous nodes that join user and service together via two 3-hop circuits. De-anonymizing such a service is very hard and requires you to control large numbers of nodes over a period of many months, according to the latest research. It's not something the Tor community can just do.

If you think you know of a slick way to resolve this problem, I suggest taking it to the Tor developers, because all the evidence I see from their lists is that right now they don't have any great ideas.

Slashdot Top Deals

People are always available for work in the past tense.