Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Comment Re:Misleading title (Score 1) 221

They are making a whole-sale copy of they internet, you simply compel google to give up their certs, replicate their infrastructure and software and have a real-time copy of the same info under your control being fed by shadow copy of the Internet

First, having certs does no good -- which is good because those are public information which Google sends to every browser that asks for them. Perhaps you meant private keys? Giving those keys would constitute providing indirect access, which Google has specifically said it does not do. Google's disclaimers have been pretty thorough; there aren't any significant loopholes. Either Google is lying, the NSA does not actually have access to gmail data, or the NSA has achieved a tremendous espionage coup and managed to keep it secret from Google.

Comment Focus on insiders first (Score 3, Interesting) 381

Not really an answer to the question, but good security design should focus on identifying all of the relevant threats (aka a "threat model") and mitigating all of them to the degree that makes sense -- and any good threat model will inevitably identify insider threats as the highest risks most at need of mitigation, because, by definition, insiders have greater opportunities to conduct attacks, and they have roughly the same motives as external attackers.

If you find that your organization doesn't spend 95+% of its security time, money and effort on foiling insider attacks, it's almost certainly not doing a good job. If it is adequately hardened against insiders it'll be darned near impossible for outsiders.

My impression of the NSA has always been one of an extremely high degree of competence, so the Snowden leaks surprised me. You can't stop insiders from gaining access to the data they need to do their jobs, of course (though you can often segment job responsibilities to minimize it), but you can and should make it a lot harder for them to get access to other sensitive data, and Snowden was apparently able to get a lot of stuff that wasn't relevant to his responsibilities.

Comment Re:practicalities make it impossible.. (Score 1) 770

> Almost everybody simply regurgitates what they see on
> cable TV, or talks about their offspring.

That would actually be an improvement (though, admittedly, a small one). Around here, 92.7% of all conversation, among people over age 30 or so, consists of complaining about medical problems.

I've actually come to the conclusion that children are more interesting to talk to than adults. I don't remember that being the case when I was younger.

Comment Re:Just askin... (Score 1) 221

I just tested it, and an unencrypted search for GOSIP does not redirect to an encrypted session, so no certificate at all. The reason I asked about China is because I think I read something about Google choosing to redirect some searches to HTTPS in order to defeat filtering by the Great Firewall.

Comment Re:Misleading title (Score 1) 221

4. Google is compelled by law to lie.

I don't believe that's possible, and I'm certain that Google would fight it, hard, because of the potential for damage to Google's business.

I doubt the *SMTP* connections delivering mail to/from Google servers are all encrypted, regardless of the webmail interface.

Google uses SMTP over TLS whenever possible. Unfortunately, most other mail providers don't support it, so I believe SMTP traffic to and from Google is often unencrypted. Email from one Google account to another doesn't have that problem, of course.

Comment Re:Just askin... (Score 1) 221

Apparently entering searches in the search bar sent them in the clear

That's certainly possible. It depends on how Firefox's default search engine is configured. If you want to be sure your searches are encrypted, go change the setting to use https://google.com./

Apparently entering searches in the search bar sent them in the clear and certain keywords could trigger a new certificate. Put in the same keyword and nothing happens you need to find a new keyword to trigger a new certificate. I used one of those lists with supposedly sensitive keywords.

That's impossible. The session encryption negotiation is done prior to any data being sent, so the certificate provided by the server, and used to encrypt the session key, is delivered to the browser before Google receives any keywords.

Slashdot Top Deals

A verbal contract isn't worth the paper it's written on. -- Samuel Goldwyn