NSA has direct access to tech giants' systems for user data, secret files reveal

Discussion in 'privacy general' started by Dermot7, Jun 6, 2013.

  1. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Working through the latest data release on XKS, I'm finding the mundane detail extremely useful. Useful to the extent that the clunky reality of distributed RHL Linux clusters and mysql databases, and embarrassingly weak operating security, gives the lie to the references to this stuff as a "repository", fully audited etc - as if it were safe.

    These databases are hugely unsafe, a toxic radioactive waste dump. But breaches only harm the proles, not any of the saviors of the nation.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    One hopes that these NSA systems are effectively air-gapped from the Internet, or at least are reachable only via well-secured VPNs.
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    As the NSA know only too well, the internal threat is quite sufficient.

    As for being air-gapped, I think that's unlikely given that they give access to so many people, including contracting companies with their own policies. And apparently allow sys admin access to them.

    As for "well-secured VPNs", the stakes are high and they are clearly not infallible. Nor, ultimately, do they have much skin in the game when the systems are breached, nor will we hear about it. I imagine there already have been breaches, many times, and that's not just the loveint.

    Radioactive toxic waste dump with dodgy locks is about it, and much incentive to break in. Which is why they should not be storing this stuff at all. If they do full-take, they should select there and then and dump everything else.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I can see the headlines: "Chinese ..." ;)
     
  5. The people who work for the NSA are not stupid idiots. They have proprietary software which includes security software you have never heard of and never will.

    They obviously build their own Linux kernel with unknown security features and deploy it. And they would not be easy to breach for even the best skilled hacker.

    If you could breach the NSA systems you would most likely be killed by a drone or end up working for them.
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Of course not, nor are they super-beings. They are human. And as such, represent a huge risk given that insider-jobs are a large proportion of breaches. Make your systems as hard as you like, it's the mistakes of operators and opsec that come round to bite you.

    What's more, the information that we have had exposed regarding XKS is hardly inspiring in terms of giving a person confidence about the integrity of these systems. The opposite. It's a distributed system running in many countries with lots of users. There is no way that is going to be as secure as you'd like, it simply isn't in the realm of even research projects to make it so. It is not a solved problem, not even by those who are spending their days attacking our systems rather than hardening them.

    Any time when people don't have direct skin in the game regarding breaches, they get careless. What's more, there are some extremely compelling incentives for people working in the NSA - the huge number of them - to go to the dark side. For example, the financial rewards from some insider information which could inform insider dealing trades would be huge, and could easily be gathered through the presumably routine economic espionage they do. Yet there has been not a single case of one of them going to jail for breaches of that sort, and even the loveint criminals get off with a slap on the wrist.
     
  7. I agree with you to a certain extent. But no one knows what tools they have at their disposal. Snowden showed us a lot of good information I agree with that.

    But I doubt the really top secret stuff is ever written down in slides or even makes its way onto a public network. I'm just saying they have the resources to do anything and obviously do.

    Never discount them as fools or idiots because they are not.

    *This post has probably been entered into X-KeyScore LOL*
     
    Last edited by a moderator: Jul 13, 2015
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    How Dangerous Is End-to-End Encryption?

    -- Tom
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    The analogy busting was fine, but rested on a false premise. Basically, the golden age of surveillance for the LEAs has just had a minor little cloud go in front of it. While they still (unavoidably) have a huge amount of information from the metadata, including detailed location data via mobile etc. and what's more, the clients are "terrifically weak", they might have to do a little bit more work to break into some devices to get the info. Regardless, they have 100x more information than they did 20 years ago.
     
  10. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    One thing that I am struggling to understand is how introducing backdoors into encryption would physically work. I can understand how in regular cryptography you can set it up so that more than one key can decrypt the data.
    The issue I have is that I can't work out how this works with perfect forward secrecy. Am I missing something or will they have to make perfect forward secrecy illegal in order to implement encryption backdoors?
     
  11. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    I don't think you can trust anything from any govt any more. It's all PR, spin, lies and ~ Snipped as per TOS ~.
    (And people on either side of the aisle eat it up, depending on who's in power.)
    Maybe they want you to be so disgusted that you'll be begging for a one world govt.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes. Or rather, there would only be forward secrecy for adversaries who couldn't use the backdoor.
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @driekus - that's my understanding: PFS is incompatible with any scheme for backdoors - whether that's single or split key or whatever. The nominally Golden Key is there forever.

    There are some good resources which demonstrate the reasons (again), why backdoors are such a spectacularly bad idea. Of course, that doesn't stop LEAs and the spooks demanding it, because they do not bear the costs, and they have become lazy with the overwhelming cornucopia of data they can gather. Going dark - bah!
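
The point made in posts 10 to 13, as an added example that is not part of any post in this thread: an ephemeral Diffie-Hellman session whose key is also wrapped to a long-lived escrow ("golden") key. The toy group, the hashed-ElGamal wrapping and every function name are assumptions chosen for illustration, and authentication of the two parties is omitted.

```python
import hashlib
import secrets

# Toy group (assumption): 2**255 - 19 is prime, but this is an illustration,
# not a vetted Diffie-Hellman group.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public) for a fresh random exponent."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kdf(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def escrow_wrap(session_key: bytes, escrow_pub: int):
    # Hashed ElGamal: only the holder of the escrow private key can unwrap.
    r, c1 = keypair()
    return c1, xor(session_key, kdf(pow(escrow_pub, r, P)))

def escrow_unwrap(blob, escrow_priv: int) -> bytes:
    c1, c2 = blob
    return xor(c2, kdf(pow(c1, escrow_priv, P)))

def run_session(escrow_pub=None):
    """One session; returns (session_key, what_an_eavesdropper_records)."""
    a, A = keypair()
    b, B = keypair()
    key = kdf(pow(B, a, P))
    assert key == kdf(pow(A, b, P))      # both ends derive the same key
    wire = {"A": A, "B": B}
    if escrow_pub is not None:
        wire["escrow"] = escrow_wrap(key, escrow_pub)
    del a, b                             # ephemeral secrets are discarded
    return key, wire

def demo(n: int = 3) -> bool:
    escrow_priv, escrow_pub = keypair()  # the long-lived "golden key"
    recorded = [run_session(escrow_pub) for _ in range(n)]
    # Later: one long-lived secret opens every session recorded on the wire.
    return all(escrow_unwrap(w["escrow"], escrow_priv) == k for k, w in recorded)

if __name__ == "__main__":
    print("golden key recovers all recorded sessions:", demo())
```

Without the `escrow` field, the recorded traffic holds only the two public values and the exponents that produced the key no longer exist; with it, every past session stays recoverable for as long as the escrow private key exists.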
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    UK High court rules data retention and surveillance legislation unlawful

    http://www.theguardian.com/world/20...n-and-surveillance-legislation-ruled-unlawful

    The UK legislation "Dripa", emergency legislation passed in a day in Parliament last year, has been declared unlawful after a judicial challenge.

    But they have been given till March 2016 to put it right, and the government plans to introduce new legislation starting this fall.

     
  15. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Interesting development. Just hoping the UK equivalent to the FISA court doesn't step in and say that what they did was legal.
     
  16. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    A history of backdoors by Matthew Green, cryptographer and research professor at Johns Hopkins University.

    -- Tom
     
  17. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    https://firstlook.org/theintercept/2015/07/24/uk-met-police-snowden-investigation-journalists/
     
  18. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    https://www.politicshome.com/home-affairs/articles/news/david-cameron-extremism-and-cohesion-speech

    What is scaring me at the moment is the rhetoric in the UK and the use of that rhetoric to justify an increase in surveillance. They seem to be blurring the line between terrorists and people who have unconventional ideas such as questioning climate change and probably a lot of the views held by people in this forum. Very fine line between protecting the population from terrorists and quelling people who hold views contrary to the government. The government scares me more than the terrorists; the Islam threat is almost comical, I have known many, many Muslims and always have felt safe.
     
    Last edited by a moderator: Jul 24, 2015
  19. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Thanks, but I don't see your post as pertinent to the Intercept article you quoted, and I'm sure we're not going to get into political and religious areas, as that's not allowed.
     
  20. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    Dermot7
    I agree with what you have written, and I respect and abide by the forum rules ....
    .... but there is sometimes a significant overlap between what is security related and what is political.

    Just to give an example, the government of one of the "Five Eyes" actually floated the idea of making it a criminal offense to use encryption!
    It was pointed out that it was an idiotic notion, and almost impossible to enforce, and so it was dropped .... but the intention was clearly there.

    I've deliberately not stated which government in the hope that I don't cross the line on the "no politics" rule :)

    But if a thread title starts with "NSA .... etc ...", then surely there is already a "political" angle to it.
     
    Last edited: Jul 25, 2015
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    My take is that we have to regard the actions of corporates, government and criminals as part of the adverse weather we face in attempting to retain privacy. To the extent that we have to understand the prevailing weather, of course that requires a view of politics - the situation we face is nothing if not human-made, and in great part, by governments or influenced by their policies.

    I suppose the trick is to leave how we feel about that (which can naturally be strong feelings & outrage), and attempt to accurately analyse how the weather affects our technical attempt to retain some privacy. IOW, dealing with "is" rather than "ought"!

    Overall, I think the mods do a good job for the forum, and this thread in particular seems to have more leeway, appropriate to the topic.
     
  22. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    If we don't get too carried away the mods usually allow it. As long as we are discussing it in the context of privacy which in this case it definitely falls. Maybe I can redefine the relevance as I got sidetracked. In the case of the Snowden reporters they are using a perpetually open criminal investigation to justify monitoring the reporters. In the future of the UK this may not be necessary. The rhetoric in the UK is shifting to justify surveillance for people who hold different views to the government including reporters. I hope the relevance is more clear now.

    The above quote concerns me, if you are operating just inside the law you are being lawful. If you are being lawful the government has no right to intervene. This is where the line is blurring and where politics impacts privacy. By broadening the definition of extremist you are broadening who you can conduct surveillance on. The laws poorly define the words like extremist. While we would mostly agree that Osama Bin Laden was an extremist but what about Glenn Greenwald?

    This thread gets more leniency but the mods strike a good balance. We wouldn't be here if we weren't passionate about privacy, but yes sometimes we get carried away. :)
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
  24. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Thanks @driekus, and I agree with all that you've said. Sorry if I appeared a bit worried, and the moderation of this thread has been tricky at times (I daresay), and much tolerance and understanding has been evident :)
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738