
US and UK spy agencies defeat privacy and security on the internet - weu
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
======
mullingitover
Recall how Huawei got raked over the coals in the US congress, and now realize
that every US networking hardware company is going to get the same treatment
in pretty much every country in the world they try to sell to.

~~~
baconner
Nailed it. Here's hoping there's a silver lining to the damage that the US
tech industry will take over this - harder resistance when gov comes calling
with inappropriate requests. Increasing public opposition and lobbying from
tech giants. More companies willing to speak out despite the legal risk.

~~~
ihsw
> harder resistance when gov comes calling with inappropriate requests

Not at all, now such laws are going to be established across the world in order to
"bring us in line with international law." Broad-sweeping and baseless
surveillance is going to be called "nothing new" and "widely utilized for the
benefit of law enforcement."

This is another effect of globalization -- if one government gets an advantage
over another due to lax privacy laws then the rest _have to_ follow suit.

The NSA's bottom line is this: If China has a Great Firewall and we can't have
one, then we must have the capability to decrypt everything.

------
ihsw
And yet full and anonymous disclosure[1] is eschewed for "responsible"
disclosure. Hopefully we can move beyond the insane money-making scheme known
as "whitehat" and "ethical hacking" security research.

The zero-day exploit market[2] deserves fair mention too, especially since a
variety of three-letter agencies across the planet are some of the largest
purchasers. Zero-day exploit purchases and sales haven't had any news
publicity at all, even though it's effectively comparable to trafficking
nuclear warheads.

Both nuclear warheads and zero-day exploits are used as leverage between
competing security organizations and competing nation states, both are being
stockpiled, and both are exceedingly dangerous. We're on the cusp of global
network warfare and it's just starting to become clear how terrifying and
widespread it is. America's rivalry with China is in over-drive now.

I'm not saying that security researchers don't deserve to be paid for their
work, but that we should be plain and honest about their work: it can be for
the good of humanity or it can be for the destruction of humanity, there's
very little in between.

And yet what is it for? Fighting terrorists and drug dealers, and protecting
children and intellectual property?

[1] [http://www.schneier.com/essay-146.html](http://www.schneier.com/essay-146.html)

[2] [https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate](https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate)

~~~
freehunter
With mutually assured destruction, generally everyone is discouraged from
attacking because they know they will suffer just as much. However, all it
takes is a single rogue state to trigger a free-for-all. We almost saw it in
the Cold War, we _did_ see it (and are currently seeing it) in the phone
patent arena, and we could end up seeing it in security vulnerabilities sooner
rather than later.

~~~
ihsw
The distinction is that reconnaissance/espionage can be done quietly without
destroying any hardware or disrupting data integrity, and it's far more
difficult to pinpoint who is responsible for offensive/exploitative network
operations. The number of organizations across the world that have nuclear
capabilities is quite small, however the number of those with offensive
security operations capabilities is quite high. The anonymity provided by the
depth of the internet is a double-edged sword.

Furthermore the splash damage from Stuxnet/Flame is a testament to the
distinct lack of surgical precision normally afforded by missiles.

Also, zero-day exploits can retain their usefulness even after they've been
deployed, meanwhile a missile is gone when deployed.

------
McGlockenshire
So, we all knew that this was probably going to be announced at some point or
another, but I find myself amazingly dissatisfied by this article.

I was expecting more detailed evidence. How did they break SSL? Do they just
have root certificate copies, or just the certs used for the certain specific
sites that they're monitoring data transfer on passively?

The article claims that many VPN technologies are broken, but which ones? Are
they talking about specific products here, or actual technologies in use?

~~~
jacquesm
The newspaper is walking a very fine line between writing this up and
disclosing things that would give ammo to those that would rather shut these
things down under any pretext including 'helping the enemy'. The things you
are asking for are exactly in that direction.

~~~
krisdol
The problem I have with that is that the things asked for affect myself and a
significantly large number of ethical and/or law-abiding individuals and
businesses. If revealing this info would help the enemy, and if many of us
would benefit from knowing this information, doesn't that make many of us part
of "the enemy"?

~~~
john_b
The catch-22 here is that revealing specific details might both "aid the
enemy" and aid ordinary people to protect their privacy. Because the
government only cares about the former, any appeal to the merits of the latter
will fall on deaf ears. The Guardian & NYT know this and the pertinent
individuals don't want to end up in court getting the Manning treatment.

The government wanted to use its treatment of Manning to deter leaking of
future information, and it has already succeeded in doing so here. It's rule
by intimidation, making our government little more than a well organized
mafia.

------
etiam
"Intelligence officials asked the Guardian, New York Times and ProPublica not
to publish this article, saying that it might prompt foreign targets to switch
to new forms of encryption or communications that would be harder to collect
or read.

The three organisations removed some specific facts but decided to publish the
story because of the value of a public debate about government actions that
weaken the most powerful tools for protecting the privacy of internet users in
the US and worldwide."

Was there a fuller version of this article available to the public at some
point?

~~~
aspensmonster
Probably not. Apparently they're running all these articles by the NSA, GCHQ,
etc first. Which I think is beyond ridiculous at this point. This is probably
the most damning article of them all so far, and we all deserve to know the
precise scope of these organizations' cryptanalytic capabilities that regard
the public as "adversaries."

~~~
samstave
So this whole thing is one big "limited hangout" - designed to get some info
out there and let the angst swell, then subside -- allowing for nothing to
change.

It's basically one global conditioning effort to reveal and get the world to
accept that there is utterly zero privacy. Everything you do is monitored and
watched. Period. Oh - and we forcefully and violently protect our stealing of
your income to fund this.

------
devindotcom
As untog noted
([https://news.ycombinator.com/item?id=6336178](https://news.ycombinator.com/item?id=6336178))
in the discussion of the NYT piece on this topic, it's important to note that
it's not like our security measures put up a fight and were defeated. They
were mooted by a total circumvention. They never came into play. This is what
I was talking about in an opinion piece recently on tc
([http://techcrunch.com/2013/08/25/the-maginot-line/](http://techcrunch.com/2013/08/25/the-maginot-line/)).

Laws need to be improved, but we may be able to find good point-to-point
methods that don't rely on security methods with vulnerabilities baked into
the silicon.

------
aspensmonster
>CA Service Requests

Take one wild guess at what that means.

------
vesinisa
> "Project Bullrun deals with NSA's abilities to defeat the encryption used in
> specific network communication technologies. Bullrun involves multiple
> sources, all of which are extremely sensitive." The document reveals that
> the agency has capabilities against widely used online protocols, such as
> HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online
> shopping and banking.

Wonder what this means?

~~~
Thereasione
More about the project:
[http://www.theguardian.com/world/interactive/2013/sep/05/nsa-project-bullrun-classification-guide](http://www.theguardian.com/world/interactive/2013/sep/05/nsa-project-bullrun-classification-guide)

~~~
aspensmonster
Greenwald needs to release Appendix A.

[https://s3.amazonaws.com/s3.documentcloud.org/documents/784047/bullrun-guide-final.pdf](https://s3.amazonaws.com/s3.documentcloud.org/documents/784047/bullrun-guide-final.pdf)

>Appendix A lists specific BULLRUN capabilities.

------
pdonis
If what the US and UK are doing "undermines the fabric" of the Internet, what
about what China and Russia are doing? Should we not bother worrying about
them because we just expect them to be evil?

~~~
anentropic
We can't do anything about what they're doing, our responsibility is for our
own countries. Fundamental principle.

