

What worries me most about the NSA fibre issue... - thesmileyone

Is not that they are monitoring me. I have nothing to hide. Other than the usual, which is encrypted in utorrent, apparently.<p>What worries me more is, what if they were to perform covert MiTM attacks? They are in the perfect position to do so. Anyone using online banking could be targeted and suddenly they have no money. 
Or they could transfer money into people&#x27;s accounts and make them look like money launderers, so they could be arrested.<p>Yes yes, it is all a bit conspiracy theory-ish... but if I had suggested I thought the NSA was mirroring fibre a year ago you would think the same.<p>This is what worries me over the debacle, as most data appears to pass through the USA.
======
tlrobinson
_" Is not that they are monitoring me. I have nothing to hide."_

This is not a valid argument. See [http://www.thoughtcrime.org/blog/we-should-
all-have-somethin...](http://www.thoughtcrime.org/blog/we-should-all-have-
something-to-hide/) and [http://kottke.org/13/06/you-commit-three-felonies-a-
day](http://kottke.org/13/06/you-commit-three-felonies-a-day)

~~~
SkyMarshal
And this:
[http://www.reddit.com/r/changemyview/comments/1fv4r6/i_belie...](http://www.reddit.com/r/changemyview/comments/1fv4r6/i_believe_the_government_should_be_allowed_to/caeb3pl)

------
eminon
The "nothing to worry about if you have nothing to hide" argument has been
debunked countless times and made the front page of HN in the last week at
least twice. Privacy is a building block foundation for freedom. You can't
have freedom without privacy.

Your utorrent encryption is merely useful to thwart some forms of bandwidth
throttling, it is _not_ hiding you or your sharing/downloading.

NSA could do such MiTM attacks, it's been a known possibility for years. but
why would they rely on this kind of attacks as they probably have a copy of
the private key of the party your communicating with (or something along these
lines as was shown with lotus notes).

Also they already have other ways to seize and freeze assets, so you shouldn't
have to worry about this specific abuse. There's more than enough to worry
about the rest.

------
obelos
While we should of course be concerned about the privacy implications these
programs hold for ordinary American citizens, it's also important to think
about the implications these resources have on the class of people who are
most likely to be targeted: the immediate competitors and enemies of those who
have access to them. While everyone's privacy is threatened by these
surveillance tools, there are 300,000,000 everyones. Only a tiny subset of
that pool has direct, palpable influence into the political power elite. They
are the ones most likely to have this infiltration of their lives used against
them.

Those at the top of this informational food chain who are able to abuse it are
most likely to abuse it in a way that benefits them most directly by
blackmailing and otherwise undermining the influence of their competitors. In
this manner it makes the consolidation and perpetuation of political power
more efficient by orders of magnitude compared to those who have no access or
very limited access to these surveillance programs.

This is dangerously destabilizing to a democratic society. If we have no real
competition for authority, there are no real checks on that authority. The US
is grooming an autarch.

------
trunnell
It's possible that a MitM like this is feasible. Recall that the author of the
Flame malware that targeted Iranian computers used a hash collision attack on
the MD5 hash for a trusted certificate, which essentially allowed them to
create their own certificate that hashed to the same value as the real
certificate. [1]

The SHA-1 hash in your average SSL cert might be more expensive to attack than
MD5, but that doesn't make me feel much better.

The mitigating factor here is that it seems like this could only be used on a
case by case basis against a small number of people, since it would be found
out if widely deployed.

Also, we only have evidence of traffic interception and not tampering.
Actually writing to the stream, i.e. performing a MitM on an SSL connection,
is probably a lot harder than just copying all traffic.

[1] [http://arstechnica.com/security/2012/06/flame-crypto-
breakth...](http://arstechnica.com/security/2012/06/flame-crypto-
breakthrough/)

~~~
uh_oh
When the forged certificate was created MD5 has been _throughly_ broken for a
long time, much more so than SHA-1 even now.

------
jiggy2011
Just an FYI, encrypting your uTorrent downloads won't stop you getting busted
if you are down/uploading copyrighted material.

Regards MiTM attacks, yes they could but then again they always could. It
wouldn't be 100% undetectable though since they would have to change the
key/cert for sites they wanted to MiTM. Certificate pinning may address this
issue in future.

~~~
josscrowcroft
> _encrypting your uTorrent downloads won 't stop you getting busted if you
> are down/uploading copyrighted material._

Could you elaborate? Assume you mean using a VPN service while downloading.

~~~
eminon
From what OP said, I understood he meant turning on encryption in the
bittorrent client, not using a VPN.

Turning on encryption is a way to work around bandwidth throttling and deep
packet inspection, not a method to protect your identity or activity.

~~~
thesmileyone
Yeah, just the "Forced Encryption". First layer, just to stop my ISP flagging
me straight away.

I don't use a VPN, I probably should use a Seedbox or something, not in my
name and paid for in cash, but I don't do it often enough to be
bothered...yet.

------
fnordfnordfnord
>but if I had suggested I thought the NSA was mirroring fibre a year ago you
would think the same.

I wouldn't have. Were you unaware of this (from 2006)?
[http://en.wikipedia.org/wiki/Room_641A](http://en.wikipedia.org/wiki/Room_641A)

------
gcb0
This is silly. a corrupt gov does not need rubegoldberg machines. They have
much more efficient ways of jailing you.

------
marshray
You are right to worry.

> what if they were to perform covert MiTM attacks?

Then you would be pwned.

However, active MitM attacks are generally targeted. They can only get away
with so many for so long before they are detected. Their scope can be quite
large however. The entire country of Iran was MitM'd for some weeks before a
single Chrome user reported seeing a cert error in Gmail. The Flamer malware
MitM'd unattended systems apparently for years.

So if I were the target of the NSA, I'd expect them to get me with drive-by
malware. A bit of malware is much easier to replace than backbone fiber access
if the capability is 'burned'.

However, there are an unlimited number of other attackers out there in the
world, most with 'catch as catch can' capabilities. That public Wifi or hotel
internet could easily be hostile and the attacker may not have much to lose.

------
logn
What worries me most are two things:

1\. as was pointed out on an HN top story a week ago, if the surveillance is
accepted by the public, then the public will accept regulations prohibiting
use of software to avoid surveillance (i.e., most tools useful to software
developers). I'm not really looking forward to the day when downloading crypto
software requires me to pay certification fees and have an ID verifying that
I'm a licensed software engineer.

2\. I can't wait for the day when we can type with our brains (and no hands).
Maybe we do that with pupil tracking software or facial cues... or maybe via
direct brainwave input. Some products like this already exist, but they're in
their infancy. One day though, when we all have bluetooth head masks and
carpal tunnel is a thing of the past, I don't want every thought I have
tracked by guys at an NSA lab... and I doubt the government wants that either,
but it's going to be hard to not have them get that data.

... and I guess the third problem is just basically the death of liberty. But
that's a harder issues to argue about, amazingly, when people are worried
about terrorism.

------
rarrrrrr
Chrome include certificate pinning first described here, which offers some
protection for MITM:
[http://www.imperialviolet.org/2011/05/04/pinning.html](http://www.imperialviolet.org/2011/05/04/pinning.html)

------
ethanazir
If I was an NSA analyst who could spy on who ever I wanted, I would not be
keen to throw people in jail, but seducing women would be fun; I think there
is even a movie about it.

~~~
gee_totes
Really? Do you know the title? I once worked on developing a romantic comedy
along the same lines, but the NSA guy was a matchmaker. I would be interesting
to see how such a film did in the marketplace.

------
RKearney
I was under the impression that they used beam splitters to get a copy of the
data going over the fiber. It is my understanding that they can only receive
data this way, not send it.

~~~
ibcnu2
Wouldn't simply owning the DNS be more efficient?

------
gesman
You think NSA can really fix their budget issues by stealing funds from your
ample bank account?

~~~
thesmileyone
What if they stole 1 dollar from everyone who's online banking passes through
the US? That would be roughly $188m in one day...

