PRISM

Capt'n Midnight · 12-06-2013 1:06pm

enigmatical wrote: »

The other issue I would be concerned about is that the security services might become over reliant on searching the Internet for leads.

There's a lot to be said for old fashioned detective work too!

+100

You could argue that a lot of Iraq / Afghanistan / etc. was because they relied on signals and third parties instead of having eyes on the ground. Even go as far back as the Shah.

Easily a trillion dollars wasted over bad intel because of penny pinching / belief that electronic interception / aerial reconnaissance was enough in and of itself. Even the Israelis got caught out by Hezbollah just using the simple tactic of not relying on cell phones or if they did using them at a random location 300m away and then only turning on for a short duration pre arranged call, presumably with code words and stuff.

I've said it before during WWII both the Russians and Germans relied heavily on land lines within their borders such that eavesdropping was difficult. So radio interception was really only practical when operating away from their pre-existing net. The French started traffic radio traffic analysis in WWI so people have had nearly a century to learn that having easily identifiable links is not a good thing. ( The French couldn't decode the traffic. Instead they launched an artillery barrage at the station everyone else was talking to.)

The worry is that while the profiling algorithms are getting better they are potentially applied to billions of people so even a tiny false positive rate would mean a lot of nosing around. And if something was found contrary to US law then an excuse could be ret-coned to "discover" the data in a "legit" way. Thing is US law isn't the same as ours. You could be investigated / sold down the river for doing something perfectly legal here, or at the very least you are now on their radar.

Prodigious · 12-06-2013 1:09pm

enigmatical wrote: »

I'm not even sure they have the technical ability to do that.
I could see this bring appealed.

Hopefully UPC will appeal it, they have fought orders in the past.
They have the ability to block it to the same extent as eircom, but a simple vpn/proxy will step around it with no issues.

silentrust · 12-06-2013 1:14pm

enigmatical wrote: »

I'm not even sure they have the technical ability to do that.
I could see this bring appealed.

It's been blocked already in the UK, although the EFF are contesting this in the courts as the power to block websites would be too easy to be abused. Of course the minute the Pirate Bay's main site was blocked up around a hundred mirrors sprung up cf. and the media coverage meant the number of users shot up by millions cf. Streisand effect.

enigmatical · 12-06-2013 1:14pm

Well, law either side of the Atlantic has its positives and negatives.

Irish and British law isn't all that great on freedom of speech, especially due to rather draconian defamation laws that hinder journalism.

We've also for pretty extensive data retention laws on the books and a very negative history of censorship.

Bear in mind we actually had a ludicrous situation where SF politicians had to be voiced by an actor on TV in the 80s and early 90s in both the UK and Ireland.

Ireland also had extremely harsh censorship of and books and magazines and the UK even banned the Life of Brian!

US law tends to be a bit better if you're blogging, tweeting or a journalist.

jmcc · 12-06-2013 1:14pm

silentrust wrote: »

Surprised that no one seems to have mentioned PGP or GPG - you know that can be used to encrypt your e-mails easily and is for all intents and purposes unbreakable provided your key is strong enough?

Never underestimate the capabilities of an organisation that employs thousands of mathematicians and has acres of computing power on tap. The history of cryptography is littered with people who thought they were using unbreakable systems.

Regards...jmcc

silentrust · 12-06-2013 1:15pm

Prodigious wrote: »

Hopefully UPC will appeal it, they have fought orders in the past.
They have the ability to block it to the same extent as eircom, but a simple vpn/proxy will step around it with no issues.

I would imagine they'd block it via DNS resolution so simply switching to OpenDNS would probably be a good workaround. I timed myself last time I programmed my router to use OpenDNS instead, took all of 50 seconds, not a bad price to pay for freedom of expression.

Prodigious · 12-06-2013 1:16pm

If theres a code to break, it's Bitcoin's. Cannot see it being done.

silentrust · 12-06-2013 1:19pm

jmcc wrote: »

Never underestimate the capabilities of an organisation that employs thousands of mathematicians and has acres of computing power on tap. The history of cryptography is littered with people who thought they were using unbreakable systems.

Regards...jmcc

Well said jmcc in fact that is actually Schneier's* first law of computer security in that anyone can invent a security system that they themselves can't break.

It's actually fairly trivial for an ISP to block access to specific websites - this happens in China all the time by placing a "transparent" proxy between them and the rest of the internet meaning they can't access Western news outlets like the NY Times or indeed social media like Facebook.

Your best defence is probably not to rely on your ISP to resolve domain names (use OpenDNS) and use Tor/VPNs to access blocked sites. Of course the goverment will rely on the fact that most people aren't sufficiently computer literate to be able to do this, which is a shame.

*Bruce Schneier for those who don't know is the Chuck Norris of IT Security.

silentrust · 12-06-2013 1:21pm

Prodigious wrote: »

If theres a code to break, it's Bitcoin's. Cannot see it being done.

Not so far - theoretically if someone were to gain control of over half the network they could reverse transactions or slow it down considerably but there's no quick and easy way to create Bitcoins due to the cryptographic hash functions a computer has to work through - I did wonder though if the NSA have some supercomputers one way they could undermine the Bitcoin would be to use them to generate large amounts of the currency and then release them en masse, causing it to plummet in value, buy them up, rinse repeat. :-D

enigmatical · 12-06-2013 1:26pm

I honestly think the move towards legal, commercial online streaming services like Spotify is killing physical sales and also killing the need for illegal file sharing.

For the average user, Spotify is reasonably priced, safe and user friendly.

The industry is fighting a losing battle. Nobody wants CDs anymore and DVDs are following suit rapidly.

Ireland is a bit behind the curve as Netflix etc has a relatively poor line up compared to the US and UK.

But on demand services from upc, sky etc and online streaming services will finish off physical disc industry in 12 months max.

It's a dead duck.

Most people I know have moved to Spotify for music and no longer bother with searching peer to peer as it's just too much hassle.

I know that's certainly how I consume almost all my music now. If I really like something I might buy a CD or lossless format copy from iTunes but otherwise I stream everything.

A lot of teens seem to listen to most of their music on YouTube too. It's become the replacement for MTV

I think commercial music radio is going to die too. You can download a cache of hundreds of tracks to your mobile on Spotify and your set up for the day and don't have to listen to annoying djs, ads and endless news when you don't want to hear it.

Irish radio at times has WAY too much talk.

I listen to current affairs when I want to. I don't need hourly bulletins

The business has changed irrevocably.

Khannie · 12-06-2013 1:35pm

jmcc wrote: »

The history of cryptography is littered with people who thought they were using unbreakable systems.

Quote of the day.

12-06-2013 1:35pm

enigmatical wrote: »

And what if this massive database itself were hacked by some unscrupulous organisation or individual?

What a nightmare if another whistle-blower sends gigs of sensitive data/emails to wiki-leaks.

enigmatical · 12-06-2013 1:37pm

900913 wrote: »

What a nightmare if another whistle-blower sends gigs of sensitive data/emails to wiki-leaks.

Or worse, a router or switch with a back door and the whole lot to Beijing!

jmcc · 12-06-2013 2:05pm

enigmatical wrote: »

And what if this massive database itself were hacked by some unscrupulous organisation or individual?

It should not be considered a single database as most people know them. Perhaps a good analogy would be a federated database model ( http://en.wikipedia.org/wiki/Federated_database ) that makes it possible to search multiple databases simultaneuously. Some of the datasets would be extremely large (especially when compared to the database size for the average database backed website on the web).

Regards...jmcc

CrinkElite · 12-06-2013 2:06pm

Has anyone seen this Snowden guy alive since he "checked out" of his Hong Kong hotel?

I find it hard to believe he could've "slipped away" in the night, the place must have been besieged by journalists.

*where did I put that tinfoil hat? hmmm..

silentrust · 12-06-2013 2:07pm

Khannie wrote: »

Quote of the day.

I hardly need to lecture you fine Irish folk about the UK's Human Rights Record but the reason we waited for decades to reveal that we cracked the German Enigma code is because when the Allies overran Germany we actually donated the Wehrmacht's Enigma machines to our newly independent colonies in Africa and the Pacific. We merrily decoded their secret messages for nigh on 25 years before the truth came out.

Makes you wonder if the NSA or some other shadowy organisation have cracked on of the modern algorithms like AES or Serpent. Let's hope not!

Khannie · 12-06-2013 2:17pm

Many's the researcher that has tried to find a flaw in it. You would instantly make an absolutely massive name for yourself if you found a hole in it.

Prodigious · 12-06-2013 2:20pm

Khannie wrote: »

Many's the researcher that has tried to find a flaw in it. You would instantly make an absolutely massive name for yourself if you found a hole in it.

And a few quid I'd imagine.

enigmatical · 12-06-2013 2:27pm

There are a few rules:

1) Don't blog or post online anything you wouldn't publish in a newspaper.
2) Don't tweet / facebook anything you wouldn't be comfortable shouting across a pub or saying on the Joe Duffy phone in.
3) Don't put anything in an unencrypted email that you wouldn't be comfortable writing on a postcard.
4) Don't put anything in an office email that you wouldn't be happy to say directly to your boss' face.
5) Don't IM anything that you wouldn't be comfortable whispering to someone in a very quiet train carriage full of other people.
6) Don't ever assume that you're entirely anonymous online.

It's amazing actually that people don't really see what's going on behind the slick GUI they're being presented with.

I'd be more worried about the vast quantities of copied and pasted code that makes up most software that we use.
It's almost impossible to validate every line in a modern OS and to be entirely sure that none of it is malicious. It's just layer upon layer of code. You're depending on trusting a hell of a lot of pre-written objects, modules, libraries, frameworks etc etc.

The Ulster Bank / RBS fiasco for example just shows that one of the world's largest banks didn't really know how their computer system worked when it really broke down.

The internet, the banking system, the telecommunications system etc etc are all made up of various ramshackle slammed together software and hardware that I seriously doubt anyone really has the full map of how it all works.

A hell of a lot of networks are very much 'plug and pray' systems that just work.

So, in reality your data online is really never 100% safe.

Capt'n Midnight · 12-06-2013 2:33pm

Prodigious wrote: »

If theres a code to break, it's Bitcoin's. Cannot see it being done.

There's always rubber hose cryptography

Seriously bitcoins is either a medium of exchange and thus taxable, or a (recurring) Ponzi scheme (where you get to see the manipulations and runs in real time) or a way of evading tax/the law/the man. And most importantly bitcoins leaves a trail. It's not the same as owning a large chunk of tor exit nodes but allowing bitcoins to run might be useful as a way of IDing people of interest.

enigmatical wrote: »

I honestly think the move towards legal, commercial online streaming services like Spotify is killing physical sales and also killing the need for illegal file sharing.

Netflix is wiping bittorrent in the US but not here. The only real difference is the rights holders not allowing foreign users the same deals. Interestingly this removes a lot of noisy bandwidth so would make surveillance much easier.
http://www.theregister.co.uk/2013/05/14/sandvine_internet_report/

As of the first half of 2013, Netflix accounted for almost a third (32.5 per cent) of downstream traffic on US fixed line networks, followed closely by YouTube (17.11 per cent),
...
The situation was drastically different in Europe, where Netflix didn't appear in the top ten for downstream**, BitTorrent represented 12.22 per cent of download traffic, and the largest aggregate service by share was HTTP, with YouTube coming in second place at 21.27 per cent aggregate.

enigmatical wrote: »

Or worse, a router or switch with a back door and the whole lot to Beijing!

or Tel Aviv or Langley or wherever. India is trying to develop it's own domestic network backbone providers to avoid foreign kit.

silentrust · 12-06-2013 6:35pm

Capt'n Midnight wrote: »

There's always rubber hose cryptography

Seriously bitcoins is either a medium of exchange and thus taxable, or a (recurring) Ponzi scheme (where you get to see the manipulations and runs in real time) or a way of evading tax/the law/the man. And most importantly bitcoins leaves a trail. It's not the same as owning a large chunk of tor exit nodes but allowing bitcoins to run might be useful as a way of IDing people of interest.

I can proudly say I never paid a penny of tax on my Bitcoins nor do I plan on doing so but yes, it's true that technically if you profit from speculating/trading in Bitcoins or sell goods in exchange for them then this is taxable income.

A lot of people believe Bitcoins are a ponzi scheme as it's true that early adopters are better off than people who started buying into them a week ago.

I suppose the important difference between this and a Ponzi scheme is firstly that the Bitcoins are generated by Bitcoin Miners who receive a certain amount of coins related to the number of calculations their computers perform.

It's true to say that people who bought into the scheme early are now reaping the rewards of the Bitcoins higher value. In the same way if you'd bought $10,000 worth of shares at Microsoft's initial public offering in '86 you'd be worth over $34,000,000 by now - there's no scam involved, just people attributing a greater value to it than before.

Trojan · 12-06-2013 7:47pm

jmcc wrote: »

Never underestimate the capabilities of an organisation that employs thousands of mathematicians and has acres of computing power on tap. The history of cryptography is littered with people who thought they were using unbreakable systems.

Costing them more in cycles than the data is worth. Is it worth 1 minute of their available computing power to crack X, Y or Z? I think that's the best defence of those who are concerned with privacy, but don't have anything specific to hide.

silentrust · 12-06-2013 9:08pm

Prodigious wrote: »

And a few quid I'd imagine.

Yes, you'd be the Jesus Christ of modern cryptography if you found a practical way to attack AES - that's the beauty of open source of course, it's out there now being tested by our finest minds.

This is why I dislike proprietary software, even if it's free like Skype - you have to trust their encryption scheme is strong enough and they haven't built in any backdoors.

jmcc · 12-06-2013 9:15pm

silentrust wrote: »

Yes, you'd be the Jesus Christ of modern cryptography

And look what happened to him.

Regards...jmcc

jmcc · 12-06-2013 9:30pm

Trojan wrote: »

Costing them more in cycles than the data is worth.

That's where the whole idea of datamining to build a digital footprint is so useful. It would provide a set of possible targets rather than trying to decrypt everything. Much of cryptanalysis is geared towards reducing a problem from a Brute Force Analysis problem (where every possible key is tried) to a smaller, more clearly defined problem.

Is it worth 1 minute of their available computing power to crack X, Y or Z?

It depends on how the effectiveness of their factoring or cryptanalysis algorithms. If you consider that GCHQ was at least three years ahead on Public Key cryptography algorithms, there is the possiblity of classified algorithms that are faster than some published cryptanalysis algorithms. Then there is the technological advantage. With the amount of technological resources available, some options that would not have been available to less well equipped attacker may be viable. The Germans actually thought that Enigma and Tunny were secure because they could not envision a theory driven technological attack on the system.

Regards...jmcc

silentrust · 12-06-2013 9:42pm

jmcc wrote: »

And look what happened to him.

Regards...jmcc

Shot his mouth off, shame there isn't a "Thou shalt not breach OPSEC" commandment... :-D

Capt'n Midnight · 12-06-2013 11:56pm

jmcc wrote: »

The Germans actually thought that Enigma and Tunny were secure because they could not envision a theory driven technological attack on the system.

The Germans knew Enigma was breakable, they just didn't think anyone would go to all the trouble. And yes you're right the Poles found lots of speed ups and issued in a whole new era of cryptography.

A similar story is the US embassy shredding all the documents before leaving Iran. They reasoned that that while it was possible it would take too much manpower to recover the files. Instead they Iranians used illiterate carpet weavers in school halls to join the pieces together. Low tech and took ages but they recovered a lot of stuff.

There are two levels here. One where they passively decrypt your remote data and comms. Two is where you are of interest and they decide to actively pursue you, the best encryption in the world isn't much use if they can sneak a key logger onto your system.

jmcc · 13-06-2013 12:23am

Capt'n Midnight wrote: »

The Germans knew Enigma was breakable, they just didn't think anyone would go to all the trouble.

Secure does not necessarily mean that a system is unbreakable. A system can be theoretically breakable but operationally secure in that the time taken to break any encrypted message is longer than the time for which the contents of that message may be of value to an enemy. It is the "good enough versus perfect" idea in action. The Germans also considered that they had a moving target (continually changing keys and plugboard patterns) rather than a relatively stationary one like the old book codes.

Doenitz, I think, ordered a number of investigations into the possibility of the system being broken. These investigations considered espionage the more likely reason for the increase in submarine losses. However Doenitz ordered the use of a four wheel Enigma which meant a ten month blackout for the Allies.

And yes you're right the Poles found lots of speed ups and issued in a whole new era of cryptography.

Enigma marked the change from an almost purely theoretical approach to a heavily industrialised approach to cryptanalysis. Most people think of Bletchley Park, Turing etc but don't realise the massive technological change in the process of decryption and cryptanalysis that resulted from highly automated attacks on the system.

A similar story is the US embassy shredding all the documents before leaving Iran. They reasoned that that while it was possible it would take too much manpower to recover the files. Instead they Iranians used illiterate carpet weavers in school halls to join the pieces together. Low tech and took ages but they recovered a lot of stuff.

The US embassy staff were under a lot of stress and were probably not thinking in such terms. But what the Iranians did was the equivalent of a Brute Force Attack and it was quite different to the attacks on Enigma. Some of those Enigma attacks were very elegant but they also used a technological approach based on specially developed hardware. People used to think that DES was almost unbreakable (except for NSA and perhaps the Soviets). However a few papers and the attention of Satellite TV pirates (you may know this given your username

) changed matters. This eventually led to the EFF's Deepcrack approach to breaking DES - another custom hardware hack.

Regards...jmcc

nmop_apisdn · 13-06-2013 2:41am

bedlam wrote: »

The word of the week is metadata, they may not know what you are saying but that will know who you are talking to and that may be enough.

Metadata, what actually gets recorded.

But it's probably more, where it goes.

Amid Data Controversy, NSA Builds Its Biggest Data Farm

The NSA's Utah Data Center will be able to handle and process five zettabytes of data, according to William Binney, a former NSA technical director . Binney's calculation is an estimate. An NSA spokeswoman says the actual data capacity of the center is classified.

"They would have plenty of space with five zettabytes to store at least something on the order of 100 years worth of the worldwide communications, phones and emails and stuff like that," Binney asserts, "and then have plenty of space left over to do any kind of parallel processing to try to break codes."

Khannie wrote: »

SSL is sufficiently difficult to decrypt that you wouldn't bother attempting to unless you had direct access to the keys,.

Guide to how fcuked is SSL?

syklops wrote: »

What I don't understand is why is the security community in such shock and disbelief. I, personally have known about Operation Echelon since the early 90s, as did many people I know. Presumably PRISM is the new name.

http://www.fas.org/irp/program/process/echelon.htm

First story on Prism

silentrust wrote: »

Of course organised criminals know this which is why believe it or not very few drug dealing empires/extortion rackets/terrorist cells are run over Facebook or Yahoo Mail. The only people who stand to lose out are stupid criminals who are likely to get caught anyway and ordinary decent folk like yourselves.

http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.derwesten.de%2Fwirtschaft%2Fdigital%2Fus-beamte-schickten-deutsche-nach-facebook-mails-zurueck-id8041896.html

Finally, the officials baffled Jana submitted a printout of the entire Facebook correspondence with their host-father. My complaint: the young woman wanted to work illegally in the States. The authorities had Janas private messages in the social network Facebook apparently read along for weeks. Jana was not allowed to enter. The next flight brought the 18-year-old returned to Germany.

Bad Translation but reading private Facebook Messages! That's alot of access.

silentrust wrote: »

In that case I used BTGuard because they accepted Bitcoins........................................... such as paying for VPN services - I don't want to use my credit card, it defeats the point of having a VPN in the first place! :-)

No ip stamp record on users with some vpns. Probably lies but...Payment option irrevelant?

Capt'n Midnight wrote: »

science gallery tomorrow luchtime
Rapid Response: The NSA Prism Leak - with Una Mullally
Jun13 13.00 - 14.00

PRISM fallout in Europe: Don’t expect the Commission to save the day

Since then, EU sources have told me that the Commission already knew about PRISM before the current leaks and has raised it “systematically” when talking to U.S. authorities about EU-U.S. data protection agreements, particularly in the context of police and judicial cooperation. Justice Commissioner Viviane Reding apparently spoke about the matter with U.S. Attorney General Holder Eric Holder at a meeting in Washington in April.

“Where the rights of an EU citizen in a Member State are concerned, it is for a national judge to determine whether the data can be lawfully transmitted in accordance with legal requirements (be they national, EU or international).”

That said, according to the Commission, Reding will raise the issue in ministerial talks with the U.S. on Friday (June 14) in Dublin.

:rolleyes:

[-0-] wrote: »

Isn't a new Ubuntu phone coming out soon too?

http://askubuntu.com/questions/282698/when-is-the-expected-stable-release-date-of-ubuntu-phone-and-ubuntu-tablet

silentrust wrote: »

It's been blocked already in the UK, although the EFF are contesting this in the courts as the power to block websites would be too easy to be abused. Of course the minute the Pirate Bay's main site was blocked up around a hundred mirrors sprung up cf. and the media coverage meant the number of users shot up by millions cf. Streisand effect.

Pew pew pew

However, as of this week these proxies are also covered by the same blocklist they aim to circumvent, without a new court ruling.

The High Court orders give music industry group BPI the authority to add sites to the blocklist without oversight.

silentrust wrote: »

Surprised that no one seems to have mentioned PGP or GPG

jmcc wrote: »

Never underestimate the capabilities of an organisation that employs thousands of mathematicians and has acres of computing power on tap. The history of cryptography is littered with people who thought they were using unbreakable systems.

Regards...jmcc

This. I'm curious about GPG, what makes ye guys think it's safe?

If an encrypted file was served up to something like this, China builds the fastest computer ever without even trying, but change the cpu's for gpu's, CUDA-enabled GPGPU app cracks PGP passwords 200x faster than a CPU, and take away the randomness, Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

Would it not fall in no time?????? NSA has systems like that going by stories from recent child pornography cases involving encrypted HDDs in which they were asked to decrypt, but refused.

CrinkElite wrote: »

Has anyone seen this Snowden guy alive since he "checked out" of his Hong Kong hotel?

Edward Snowden: Russia offers to consider asylum request

http://www.guardian.co.uk/world/2013/jun/12/edward-snowden-us-extradition-fight

Snowden claimed that the US had hacked hundreds of targets in Hong Kong – including public officials, a university, businesses and students in the city – and on the mainland. These were part of more than 61,000 NSA hacking operations globally, he alleged.

"We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one," he said.
The Post said it had seen a document that, Snowden alleged, supported his claims. The Post said it had not verified the document, and did not immediately publish it.

Snowden said he was releasing the information to demonstrate "the hypocrisy of the US government when it claims that it does not target civilian infrastructure, unlike its adversaries".

s Your Printer Spying On You?

Imagine that every time you printed a document it automatically included a secret code that could be used to identify the printer - and potentially the person who used it. Sounds like something from an episode of "Alias " right?
Unfortunately the scenario isn't fictional.

In a purported effort to identify counterfeiters the US government has succeeded in persuading some color laser printer manufacturers to encode each page with identifying information.

That means that without your knowledge or consent an act you assume is private could become public. A communication tool you're using in everyday life could become a tool for government surveillance. And what's worse there are no laws to prevent abuse.

Revealed: US spy operation that manipulates social media

Military's 'sock puppet' software creates fake online identities to spread pro-American propaganda

Look at all the randomness they are saving!

nmop_apisdn · 13-06-2013 2:45am

silentrust wrote: »

Well said jmcc in fact that is actually Schneier's* first law of computer security in that anyone can invent a security system that they themselves can't break.

Prosecuting Snowden

https://www.schneier.com/blog/archives/2013/06/prosecuting_sno.html?rss=1

I believe that history will hail Snowden as a hero -- his whistle-blowing exposed a surveillance state and a secrecy machine run amok. I'm less optimistic of how the present day will treat him, and hope that the debate right now is less about the man and more about the government he exposed.

PRISM

Comments