Reports: NSA has compromised most internet encryption

The NSA and the GCHQ have compromised much encryption used on the internet through a potent mix of technological theft, spycraft, and collaboration with major technology companies, according to new reports. In a series of news articles that highlight how the code-breaking crypto-fiddling agencies NSA and GCHQ are doing their …

COMMENTS

  1. RonWheeler

    Private circuits

    Interested to know if BT have given them access to 'private' circuits too.

    As for other crypto...

    Could be tinfoil hat gibberish, could be real. We need the government to tell us what is going on within our shores..

    1. Thorne
      Big Brother

      Re: Private circuits

      "Could be tinfoil hat gibberish, could be real. We need the government to tell us what is going on within our shores.."

      Nothing is happening. Nothing at all. All is good. We are your friends. We're here to protect you from the big bad world. Don't worry your pretty little heads about it. All is good.......

      </brainwashing>

    2. zaax
      Facepalm

      Re: Private circuits

      Why do you think they wouldn't?

      1. John Sanders

        Re: Private circuits

        "Legal interception" anyone?

        Check UK telecoms law.

    3. phuzz Silver badge

      Re: Private circuits

      If BT haven't given GCHQ access to private circuits, it's only because GCHQ isn't interested in whoever is using those circuits.

      BT might be a private company* now, but they used to be part of the government and it's sensible to assume that the government has access to any part of BT and its infrastructure (for which read: the majority of the infrastructure in the UK) whenever it wants.

      Not to mention that a significant fraction of global internet data flows through UK based hardware, and why would the government NOT want access to that too?

      * or rather, several companies

      1. wolfetone Silver badge

        Re: Private circuits

        So is it safe to assume the safest place in the UK is Hull?

        1. PatientOne

          Re: Private circuits

          Nope, safest place is Scunthorpe: The government porn filters keep the spies away from there, too!

    4. amanfromMars 1 Silver badge

      Re: Private circuits .... and punitive compensatory reimbursement for systems security mis-selling?

      Whenever one is told and realises that there are no private circuits, and the tale told above boldly goes and suggests that such is so and has been for more than just a short while, is everyone's information and shared transferrable thoughts, freely available to any system intelligently designed to listen and metadatabasemine content/SIGINT for intelligence streams which may be of critical and/or strategic and/or tactical import and of overwhelmingly powerful and unbelievably valuable and/or costly export potential. But if the listeners do not possess and exercise the intelligence needed to take advantage of what they have been told/been listening to, is the advantage automatically immediately bestowed upon that which is missed and/or ignored and it be a wanton vulnerability for endless zeroday exploitation ..... and future fortune making for that and those especially adept in its disciplines/IT Fields/AI Methodologies with Virtualised Technologies.

      The following is sitting pending on a number of spooky desks and tests for necessary intelligence in beings that imagine they and IT lead and the world and his dog and its dogs of war follow .......

      Attacks from software bugs and computer viruses target computer devices such as servers, firewalls, desktops, laptops and smart phones. The government owns many such devices. Attacks include gaining unauthorized access, denial of service, malicious code insertion or password cracking. Hackers and other cyber criminals employ the Internet as a delivery means. Such attacks have a limited scope and therefore are seen as carrying geographically containable security risks.

      http://cryptome.org/2013/09/dod-internet-vuls-cyberspy.pdf

      All SMARTR HeroICQ Environment Operations/CyberIntelAIgent Exploits and Virtual Reality Sorties which can be perceived and mistaken and misunderestimated and classified way above Top Secret/Special Compartment Information and Strictly Need to Know, …. and which are in both true fact and fabulous fiction, a Quantum Communication Offer for/from States of Being[s] with Instant Server Provision of Sublime InterNetwork Supply with FailSafe Monumental Guarantees that Protect One with an Ever Increasing and Reinforcing and Empowering Sanity in Surroundings Dealing Debilitating Madness in Forever Failing Systems of Secretive Falsehoods …… need only target the weak human link, no matter how strong and/or smart that link may be supposed to be in cases, which be fixed twixt keyboard and screen/instruction device and virtually programmed machine interface, to gain unfettered pirate and unknown private access to all systems of command and control, whether SCADA or not.

      Such attacks are unlimited in scope and unhindered and deliver uncontainable security risk and Advanced Information to IntelAIgents and Assets within Active Stealth ProgramMING* for Greater CyberIntelAIgent Games Plays from Global Communications Heads Quarters.

      * … Active Stealth Program Mind Infiltration Network Games …. NEUKlearer HyperRadioProActive IT….. a Novel and Noble Transparency …… AI@ITsWork and on Stirring Sterling Special Stirling Super Source Missions.

      Denying it be so and not a current present enigmatic dilemma to be serviced and servered/stealthily engaged with and silently delivered of its future feeds/seeds/needs, does not alter the fact but it does provide instruction in the best direction in which to proceed and to whom is supply most likely best appreciated.

    5. Michael Wojcik Silver badge

      Re: Private circuits

      We need the government to tell us what is going on within our shores.

      And how would we verify their claims?

      Proving you do have knowledge of a secret is relatively straightforward, even with various constraints.[1] Proving you don't have such knowledge is rather more difficult. And it's vanishingly unlikely that any government would ever even worry about making a convincing argument to that end. Some of the populace would believe an unsupported denial; some would never be convinced no matter what statement the government made or evidence it offered. The remaining portion of the electorate is likely to be too small to be of any concern to officialdom.

      [1] For example, if you want to prove knowledge of the secret without revealing the secret, there are often suitable protocols built around cryptographic primitives such as MACs and ZKPs.
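The MAC-based flavour of the footnote's "prove you know the secret without revealing it", as an added example that is not part of the commenter's post: the verifier issues a fresh random challenge, the prover answers with an HMAC keyed by the shared secret, and the verifier recomputes and compares. The secret value, the host names and the single-use challenge bookkeeping are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for this demo; in practice it is provisioned out of
# band and never travels over the wire.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


def prove(secret: bytes, challenge: bytes) -> bytes:
    """Prover side: answer a challenge with HMAC-SHA256 keyed by the secret.

    The response depends on the secret but reveals nothing about it to an
    observer who does not already hold it.
    """
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Verifier side: issues fresh random challenges and checks responses.

    Each challenge is usable exactly once, so a recorded response cannot be
    replayed later by someone who never knew the secret.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: set = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._outstanding.add(nonce)
        return nonce

    def check(self, challenge: bytes, response: bytes) -> bool:
        # Unknown or already-consumed challenge: reject before computing a MAC.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_round(verifier: Verifier, prover_secret: bytes) -> bool:
    """One complete exchange: challenge -> response -> verdict."""
    c = verifier.challenge()
    return verifier.check(c, prove(prover_secret, c))


if __name__ == "__main__":
    v = Verifier(SHARED_SECRET)
    print("honest prover:", run_round(v, SHARED_SECRET))  # True
    print("wrong secret: ", run_round(v, b"guess"))        # False
```

Note what this does and does not establish: a passing round shows the prover held the secret at that moment, which is the easy direction the comment describes. Nothing in the exchange lets a party demonstrate that it does *not* hold a secret, which is the comment's point about denials.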

  2. Vimes

    In other news, the likes of the CIA and NSA face an ever bigger problem of dealing with internal threats thanks to employees working for them that have connections to Al-Qaeda (even though the interview process presumably involves looking into their background).

    So much so that they're spending millions of dollars on it apparently.

    Washington post article

    1. Don Jefe
      WTF?

      Really?

      Holy shit! 1 out of 5 job applicants with backgrounds warranting further investigation were found to have links to terrorist or hostile forces. 1 out of 5? That sounds abnormally, insanely, ridiculously high. If there are that many terrorists who straight up apply to the NSA/CIA then there's bound to be some who get through and are currently employed there.

      What it really sounds like is paranoid overreach; finding terrorists behind every leaf, berry and shrub, which is insanely dangerous. Well funded paranoid people are far, far more dangerous than a regular dangerous person.

      I say the safest, most economical solution is to take off nuke the lot of them from orbit: It's the only way to be sure.

      1. Anonymous Coward
        Anonymous Coward

        Re: Really?

        What defines a 'link'? I think American laws allow detailed searches on friends of friends of friends. So are they saying here 1-in-5 applicants knows someone who knows someone who knows someone who once went to a radical Mosque somewhere? That I could believe.

        1. Eddy Ito

          Re: Really?

          I'm surprised it isn't higher even going by direct familial ties since it isn't hard really. Regardless of my surname I'm part (not quite half) Irish and little more than a cursory look at the family tree will show a link to the IRA. The Japanese part will undoubtedly find a link to the scourge element circa WW2 who were imprisoned interned in the US and to top it all off, the father in law is a Korean War vet from about the 35 parallel, check the map if you have to. Add it all up and you've got solid links to terrorist or enemy forces and I don't doubt for a minute that a thorough scrubbing won't find worse.

          Hell, even JFK would qualify as one in five by that measure.

          1. CABVolunteer

            Re: JFK @Eddy Ito

            "Hell, even JFK would qualify as one in five by that measure."

            And look what happened to him......

          2. WatAWorld

            Re: Really?

            Yes, but to the Americans it doesn't matter if you are in the IRA, you are only a terrorist if you are Muslim.

            1. Anonymous Coward
              Anonymous Coward

              Re: Really? - it doesn't matter if you are in the IRA,

              Wilson kept us out of Vietnam (for which alone he should stand as one of the greatest Prime Ministers of the 20th century), but a conspiracy theorist might suggest that as a result we got less than enthusiastic support over either the IRA or the Falklands. If by "less than enthusiastic" you include actively allowing the IRA to collect money in places like Boston. By "actively allowing" I mean "with the co-operation of the police", who took a former colleague of mine into "protective custody" when he objected.

              Perhaps we should watch out for the US Marines scaling Gibraltar to give it to Spain.

              1. Eddy Ito

                Re: Really? - it doesn't matter if you are in the IRA,

                ... in places like Boston. By "actively allowing" I mean "with the co-operation of the police"

                In Boston! I'm shocked Whitey Bulger would let such a thing happen on his turf. Certainly not in Southie. Oh wait.

          3. Anonymous Coward
            Anonymous Coward

            Re: Really?

            Yes, but do you plan to overthrow the government of the United States by violence?

            And, given these revelations, if not, why not?

            (I'm British, which means that in American eyes I'm a suspicious person anyway).

            1. amanfromMars 1 Silver badge

              Re: Really? as Posted Friday 6th September 2013 08:17 GMT by ribosome

              Yes, but do you plan to overthrow the government of the United States by violence? .... ribosome Posted Friday 6th September 2013 08:17 GMT

              All governments have problems nowadays, and forever more into the foreseeable future, because they are easily overthrown without violence and with intelligence which cannot be countenanced and countered/identified and denied.

              And to be a right dodgy wannabe puppet master and failed government leader and to actively resist and persist in political office with the proposing and clandestine planning of violence on the agenda, makes one a person of foreign intelligence interest and most likely a terrorist wannabe too, no matter how unlikely that be officially and officiously spun in an opposite direction? That would then render one an unsavoury attraction and unnecessary distraction to be classified in/by intelligence circles/chiefs as a legitimate target for prime executive action and removal from the scenery .... and the Great Game Space Place.

              Capiche?

        2. Allan George Dyer
          Black Helicopters

          Re: Really?

          "are they saying here 1-in-5 applicants knows someone who knows someone who knows someone who once went to a radical Mosque somewhere?"

          Among applicants for Arabic translation jobs, I would expect a far higher ratio.

          @Vimes, the article doesn't mention Al-Qaeda links, but "hostile intelligence services and or terrorist groups", which probably includes journalists in their eyes.

          1. Vimes

            Re: Really? @Allan George Dyer

            From the first line of the article:

            The U.S. government suspects that individuals with connections to al-Qaeda and other hostile groups

            1. Anonymous Coward
              Anonymous Coward

              Re: Really? @Allan George Dyer

              "And other hostile groups." ..

              There are a lot of US homegrown hostile groups. .McVeigh wasn't a loner. .

          2. MJI Silver badge

            Re: Really?

            Easy to do.

            Let's use GCHQ as an example.

            Been there, know what they are about. I knew quite a few workers and ex workers. One of my best friends worked there, they know who I am as a real person, I am not a risk (he had been reported due to a prank and I was mentioned, demonstrating his electronics skills). Let's just say I have a video tape of me standing on a gate holding a TV aerial pointing at my home, and the tape never left my home.

            Now at work we recently took on a Pakistani chap, he knows a few dodgyish people just by being from there.

            Now would that be considered a risk?

            Here no - none whatsoever.

            Elsewhere?

        3. John Smith 19 Gold badge
          Facepalm

          Re: Really?

          "What defines a 'link'? I think American laws allow detailed searches on friends of friends of friends. So are they saying here 1-in-5 applicants knows someone who knows someone who knows someone who once went to a radical Mosque somewhere? That I could believe."

          In fact if you read the autobiography of one ex spook they look to recruit such people as assets

          It's the whole six-degrees-of-separation thing. Someone who knows "everyone" knows someone who knows someone who can introduce them to their person of interest.

        4. Tim Jenkins

          Re: Really?

          "So are they saying here 1-in-5 applicants knows someone who knows someone who knows someone who once went to a radical Mosque somewhere?"

          Presumably particularly true if you're trying to recruit young male Muslims, who by definition would be the most useful assets to acquire. Kind of like trying to sign up young male Catholics in Belfast or Derry during the '80s and then rejecting everyone who ever lived in the same street as / went to school with / was related to a Provo...

        5. Anonymous Coward
          Anonymous Coward

          Re: Really?

          Once after doing a job in India, I was taken off to the local temple of Ganesh to make an offering so it would be successful (I am not making this up). Perhaps that means that I have a link to an Indian Kashmiri separatist?

          1. Suricou Raven

            Re: Really?

            Local customs.

            There was an incident years ago where one of the many churches in the US hired a European construction company for their new building - Swedish, I think? In accordance with their ancient custom, they hoisted a tree to the top of the building upon completion. It's an old ritual for good luck, originating in pagan customs many centuries ago, and continued for the sake of tradition. The church owners were not approved: They refused to pay, claiming the pagan ritual had desecrated the church and made it unfit for purpose.

      2. Frumious Bandersnatch

        Re: Really?

        It is ridiculously high, but it's no doubt as you said that a combination of paranoia and being able to do such far-reaching network checks tends to throw up many, many false positives.

        Bob Dylan had a song about this. Check out his "Talkin John Birch Blues":

        http://en.wikipedia.org/wiki/Talkin%27_John_Birch_Paranoid_Blues

        http://www.youtube.com/watch?v=AylFqdxRMwE

        OK, it was Communists then, Terrorists now, but plus ça change ...

        1. tom dial Silver badge
          Stop

          Re: Really?

          Exactly why is it "ridiculously high"? The value to a spy of employment at CIA, DIA, NSA, FBI, DHS or others, whether alQaida or other, would be extremely high, and numerous attempts should not be a surprise. Other matters such as poor financial habits and undisclosed sexual activities and preferences that could lead to blackmail possibilities presumably would account for many questionable cases, but a great many of them would self-select out. The attempted moles would not, and therefore would be greatly overrepresented.

        2. Tim99 Silver badge
          Black Helicopters

          Re: Really?

          @Frumious Bandersnatch

          [OK, it was Communists then, Terrorists now, but plus ça change ...]

          Yes, but since then, the Communists were declared to have been beaten, so we need a new bogeyman. The good news for the "intelligence" and military businesses is that the "War on Terror" has no well defined enemy and no way of measuring victory - Now the war can last indefinitely.

          -

          "The purpose of the unwinnable, perpetual war is to consume human labour and commodities, hence the economy of a super-state cannot support economic equality (a high standard of life) for every citizen".

          Ref: the fictional book "The Theory and Practice of Oligarchical Collectivism, by Emmanuel Goldstein" in Eric Blair's "Nineteen Eighty-Four".

          1. psychonaut

            Re: Really?

            Eric Blair? Has history been altered by the miniTruth already? I seem to remember a different author. I should probably be vanished for my heresy

            1. Tim99 Silver badge
              Big Brother

              Re: Really?

              @psychonaut

              Link for Eric Blair - George Orwell

              "Eric Arthur Blair (25 June 1903 – 21 January 1950) known by his pen name George Orwell, was an English novelist, essayist, journalist and critic. His work is marked by lucid prose, awareness of social injustice, opposition to totalitarianism and commitment to democratic socialism".

          2. Robert Helpmann??

            Re: Really?

            Yes, but since then, the Communists were declared to have been beaten, so we need a new bogeyman.

            So what comes next after the terrorists? The Iranians? North Korea? BRIC nations? Baby seals? It's good to have options.

      3. Dan 55 Silver badge
        Alert

        Re: Really?

        Reds under the bed.

      4. Anonymous Coward
        Anonymous Coward

        Re: Really?

        Have a bit of a think about how you might define 'terrorist' or 'hostile force' if you were clinically insane. Then it's not such a stretch.

      5. T. F. M. Reader

        Re: Really?

        To be fair, it's 1 out of 5 among those applicants flagged for some unspecified irregularities, reportedly a small subset of the total - not 1 out of 5 applicants overall. And in this particular case I would expect a bias toward investigating possible false positives.

      6. Chemist

        Re: Really?

        "The CIA found that among a subset of job seekers whose backgrounds raised questions, roughly one out of every five had “significant terrorist and/or hostile intelligence connections,”"

        Where does this state that 1 in 5 of ALL applicants have a connection to terrorism ?

        1. Tom 13

          @ Chemist

          Now, now.

          I would think someone as world-wise as you would know better than to get in front of a two minute hate.

          Did you also notice the weasel phrase "circumvented or cracked" which is quickly shortened to just plain "cracked" and on which the rest of the article focuses? Given national laws, I expect it would be quite simple to circumvent banking encryption by just issuing a National Security Letter.

          1. Chemist

            Re: @ Chemist

            "I would think someone as world-wise as you would know better than to get in front of a two minute hate."

            ??

      7. John Smith 19 Gold badge
        Happy

        "..solution is to take off nuke the lot of them from orbit: Its the only way to be sure."

        That would be America*

        AFAIK CIA entry is only open to US citizens.

      8. This post has been deleted by its author

      9. This post has been deleted by its author

      10. Levente Szileszky
        FAIL

        Calm down, Speedy... Re: Really?

        ...yes, really, it's just your reading comprehension issue, no need for a heart attack:

        “Over the last several years, a small subset of CIA’s total job applicants were flagged due to various problems or issues,” one official said in response to questions. “During this period, one in five of that small subset were found to have significant connections to hostile intelligence services and or terrorist groups.”

        One-fifth OF THAT SMALL SUBSET of all applicants. Got it?

      11. Richard Jones 1
        Holmes

        Re: Really? No

        It said that 1 in 5 who raised a 'search eyebrow' had suspect connections, so let's look at that.

        Say you check 10,000 staff, 9,800 show nothing to worry about (that may or may not be a good thing, have you missed something?).

        It means 200 raise issues which require further investigation, of these 1 in 5 throw up serious doubts i.e. out of the original 10,000 you find 40.

        Now those are made up figures not from official sources, the real ones may be higher or lower but simply show that care is needed when reading statistics.

        1. Intractable Potsherd

          Re: Really? No @ Richard Jones 1

          "It said that 1 in 5 who raised a 'search eyebrow' had suspect connections so lets look at that ... [They] simply show that care is needed when reading statistics."

          You are right - it is important to read exactly what is written, and what is missing. However, it is conceivable that the alphabet agencies intend that the figure will be read as "1 in 5 applications" so that the average punter will think "Gosh, look how many bad people there are threatening our safety! How can anyone question what they are doing?"

      12. John Sager
        Black Helicopters

        Re: Really?

        Looks like the ghost of James Jesus Angleton stalks the halls of Langley again, and Ft Meade.

      13. Gordon 10
        Thumb Up

        Re: Really?

        Cool - the new party game. Six degrees of Al Qaeda. In your face Kevin Bacon.

      14. Skizz

        Re: Really?

        Statistical ignorance strikes again!

        1 out of 5 job applicants with backgrounds warranting further investigation

        That sounds abnormally, insanely, ridiculously high

        What you've missed is the fact that we're not given a figure for the number of "applicants with backgrounds warranting further investigation". If only 1% of applicants warrant further checks then "1 in 5" becomes 0.2% of all applicants. The 1% figure is something I made up, it's probably much lower for a job like this as the initial checks are probably very thorough.

      15. plrndl

        Re: Really? @ Don Jefe

        The agencies need ethnically diverse employees to increase their chances of penetrating terrorist groups.

        The terrorists have a vested interest in getting people inside these agencies.

        Six degrees of separation?

    2. Graham Marsden
      WTF?

      Presenting - The Ghost of Senator Joe McCarthy

      "the nature of the connections was not described in the document."

      Hmm: "Are you, or have you ever been connected to Al Qaeda, Hezbollah, Hamas, or have you ever watched a documentary about them on TV...?"

    3. Anonymous Coward
      Anonymous Coward

      So, 1/5 of the CIA and NSA works with the invoicing of Al-Queda? Bit heavy on the back office, but, someone has to watch the people who watch the people who sign the payslips.

      ... or ... is it that Data Integrity Monster rearing its olde head, with all the BOFHs having full, untraceable access and able to become any user they need to be for fixing issues which are also sekret?

      BOFH-A narcs on some scheme run by BOFH-B, which then retaliates by buying a kilo of Coke for BOFH-A using PHB's platinum AMEX card on The Silk Road and enrolling BOFH-A's PFY in a few dubious mosques. But to cover the tracks it is necessary to update the secret personnel files of several PFYs, including one's own (who then smell a rat .... etc.).

      PS: BOFH-A gets the coke and is happy, the purchase is traced to PHB but Kilos of Coke is the travel cash for covert operations so no warning is triggered.

    4. BillG

      When Obama said he was going to have the most transparent presidency in history, what he really meant was WE would be the ones that are transparent.

  3. Paul Crawford Silver badge
    Unhappy

    Such a surprise?

    For those with a good range of metallic headgear, this should come as no big surprise. After all, few bank robberies actually break the safe door, they either get the keys (by bribery or coercion) or they go in via the walls that are weaker.

    It has long been known that the whole concept of SSL is fundamentally broken: compromise any one of the ~600 issuers and you can fake a certificate for man-in-the-middle attacks, and yet no one has seriously tried to fix this in spite of the occasional publicised attack.

    Similarly a lot of VPNs use only PPTP as it is MS's favoured option, though known to be also fundamentally broken w.r.t. MITM attacks, etc.

    And with MS being on such good terms with the US gov it is hard to avoid the conclusion that they would work with three-lettered agencies to either allow direct access, or not to close useful holes unless the "bad guys" start using them. Why are the likes of skydrive (and Google's offerings) not client-side encrypted by default? Maybe laziness, maybe to help? Who knows, so adjust your hats accordingly...

    None of this means that encryption is not a good way of protecting your privacy, it is. But what it means is you cannot trust most of the current players that should be delivering it to be acting in the interest of you, the customer.

    1. btrower

      Re: Such a surprise?

      Re "man-in-the-middle attacks, and yet no one has serious tried to fix this"

      Really, why? I am not even a crypto expert and I know this whole system of trust is woefully broken in multiple ways. I might not be able to devise a fool-proof system, but I could surely devise one better than our current sorry system.

      1. Destroy All Monsters Silver badge
        Holmes

        Re: Such a surprise?

        > but I could surely devise one better than our current sorry system.

        Please feel free.

        1. tom dial Silver badge

          Re: Such a surprise?

          Face to face exchange of high bit count public keys. This has practical limitations for commerce, but beats trusting Diginotar.

    2. Eddy Ito

      Re: Such a surprise?

      "... acting in the interest of you, the customer."

      Somehow I feel the problem really hit its stride somewhere about the time 'you, the customer' became 'you, the product'.

    3. Charles 9

      Re: Such a surprise?

      There is reason to believe that there may be NO solution to the problem of Alice and Bob establishing trust with each other without help from a third party (whose trust cannot be guaranteed). Wasn't there a recent article that noted they had a similar trust problem with quantum encryption (which in turn prevented it from being provably secure)? And it may not be possible (or wise) for Alice and Bob to meet face to face.

    4. Steve the Cynic

      Re: Such a surprise?

      "It has long been known that the whole concept of SSL is fundamentally broken: compromise any one of the ~600 issuers and you can fake a certificate for man-in-the-middle attacks, and yet no one has serious tried to fix this in spite of the occasional publicised attack."

      Not the *whole* concept. You can use SSL in a far less broken way, where you install the server's certificate locally and refuse to connect if the certificate visible to you matches the one you have. This has two main flaws:

      1. It is possible that the server has been compromised internally in some way that allows the real certificate to be used. For politically sensitive data, this is the critical flaw, assuming that the owner of the client machine is some sort of whistleblower, spy, or anti-dictatorial activist.

      2. The solution does not scale to the whole Internet - do you really have time to visit all those companies you do business with? Can you imagine the conversations you'd have with their receptionists?

      1. Paul Crawford Silver badge

        Re: Such a surprise?

        "Not the *whole* concept."

        No, not the certificate system at a basic level, but the fact there are so many signing authorities that are installed and trusted by default by most web browsers and their users.

        There is a need to, somehow, verify that certificates for a given domain are not duplicated or otherwise certified by another issuer and that any changes are flagged and investigated.

        However, this last part (which, for example, is the bit where SSH can reveal an attempted MITM attack or, more often, a re-installed server) is fundamentally broken with all non-paranoid geeks who just see a warning pop up and click "yes, whatever" to see more cat videos.
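The per-host certificate pinning Steve the Cynic describes, combined with the SSH-style "flag any change and investigate" behaviour Paul Crawford wants, as an added example that is not code from either commenter: the client keeps a known_hosts-like file of host -> certificate fingerprint, records a pin on first contact only if trust-on-first-use is explicitly allowed, and returns a MISMATCH verdict (never auto-resolved) when the presented certificate differs from the pinned one. The host name and the DER byte strings are constructed stand-ins; a real client would take the bytes from `ssl.SSLSocket.getpeercert(binary_form=True)` after the handshake.

```python
import hashlib
import json
from pathlib import Path
from typing import Dict, List

# Verdicts. A MISMATCH is either an attempted MITM or a legitimately re-issued
# certificate; only investigation tells which, so the caller must refuse to
# connect rather than offer a "yes, whatever" button.
FIRST_SEEN = "first-seen"
MATCH = "match"
MISMATCH = "MISMATCH"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(cert_der).hexdigest()


def check_pin(store: Dict[str, str], host: str, cert_der: bytes,
              trust_on_first_use: bool = False) -> str:
    """Compare the certificate a server presented with the pin recorded for host.

    store maps host -> fingerprint (the known_hosts equivalent).
    With trust_on_first_use=True an unknown host is pinned on first contact, as
    SSH does by default; with False (strict mode) the pin must have been
    installed out of band, and unknown hosts are refused.
    """
    seen = fingerprint(cert_der)
    pinned = store.get(host)
    if pinned is None:
        if not trust_on_first_use:
            return MISMATCH
        store[host] = seen
        return FIRST_SEEN
    return MATCH if pinned == seen else MISMATCH


def load_store(path: Path) -> Dict[str, str]:
    """Read the pin file, or start empty if it does not exist yet."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: Dict[str, str]) -> None:
    """Persist the pin file; sorted keys keep diffs reviewable."""
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


# Constructed stand-ins for DER certificate bytes (not real certificates).
BOB_CERT = b"constructed-DER-bytes-for-bob.example"
BOB_REISSUED_CERT = b"constructed-DER-bytes-for-bob.example-reissued"


def demo() -> List[str]:
    """Three contacts with the same host name; returns the verdict sequence."""
    store: Dict[str, str] = {}
    return [
        check_pin(store, "bob.example", BOB_CERT, trust_on_first_use=True),  # first-seen
        check_pin(store, "bob.example", BOB_CERT),                           # match
        check_pin(store, "bob.example", BOB_REISSUED_CERT),                  # MISMATCH
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two flaws in the post survive this code unchanged: if the server's own private key has been taken, the attacker presents the genuine certificate and the check returns MATCH, and the pin file only covers hosts someone has taken the trouble to pin. What the code does fix is the last problem above: the mismatch case is a return value the calling code has to act on, not a dialog a user can dismiss.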

    5. dajames
      Big Brother

      Re: Such a surprise?

      It has long been known that the whole concept of SSL is fundamentally broken:

      SSL itself isn't broken at all ... SSL lets you say "Because Alice trusts Trent, and Trent tells her that such-and-such a certificate really does contain Bob's public key, Alice is able to use that key to communicate with Bob with confidence".

      That's perfectly true, as far as it goes. SSL allows Alice and Bob to communicate with confidence in the security of their communications because they both trust Trent. The system falls down if Trent proves unworthy of that trust, or if Trent's key has been subverted by Mallory who doesn't have Alice's or Bob's interests at heart, or if Alice and Bob mistake Mallory for Trent and so inadvertently trust Mallory.

      What we're starting to learn is that we should pay more attention to the question of whom we should trust, and whom we should trust to tell us who they trust.

      1. Charles 9

        Re: Such a surprise?

        But that's the big problem. That you basically NEED a third party to vouch Alice to Bob and vice versa. Not even Quantum Encryption can seem to escape from that dilemma. Thing is, in this environment, if Alice can't trust Bob, what reason could they have to trust Trent, whom to Alice is just another stranger? Especially if Alice is in a hostile environment where DTA is the rule of thumb.

  4. Dodgy Geezer Silver badge
    FAIL

    Ah well...

    ...back to the old-fashioned ways.

    A one-time pad and my own implementation of Blowfish. And keys sent by couriers are split into at least three parts. Roll on quantum cryptography.....

    1. Don Jefe
      Happy

      Re: Ah well...

      Psssht. You're going to have to do better than that. Technology is not the answer you're looking for. I've hired two attorneys away from the White House who will be writing all my future communications.

      I will use the governments own tools against it in the form of impossibly dense bureaucratic double speak and unintelligible jargon that references information that can't be accessed, verified or validated.

      I will do this in plain sight, with 100% transparency and invite any and all analysts and pundits to pontificate on the true meaning(s) which lay hidden in plain sight but which are truly visible only to myself and those who are the intended recipients.

      Ha! Beat that with your Blowfish :)

      1. frank ly

        Re: Ah well...

        Maybe if you invented your own 'private language'; I'm thinking of the Navajo code-talkers of WW2 here. Then again, language is a form of encoding of meaning, so can encryption breaking techniques be used to translate an unknown language into your own language?

        1. Anonymous Coward
          Windows

          Re: Ah well...

          Yes. Torture is a most excellent deciphering tool.

          Threats of death to loved ones can also unmask the most fiendish codes too...

          1. Charles 9

            Re: Ah well...

            "Threats of death to loved ones can also unmask the most fiendish codes too..."

            And suppose you're a masochist (torture gets you off) with no friends or family (no other ways to get to you)?

            1. NomNomNom

              Re: Ah well...

              "And suppose you're a masochist (torture gets you off) with no friends or family (no other ways to get to you)?"

              then who gives a shit what you write

            2. Anonymous Coward
              Anonymous Coward

              Re: Ah well...

              Which orifice did you blow that little nugget of brown wisdom (still doesn't answer my question) out of?

              You are aware of waterboarding, sleep deprivation, fluid and food deprivation I assume?

              Just because I am aware of these tactics doesn't mean I enjoy them being used against people.

              Numbnuts..

              Only one of us here with isolation complex issues...

        2. Mike Banahan

          Re: Ah well...

          ISTR (too lazy to check) that the Navajo Code Talkers used Navajo words to transmit still-encoded messages, so even when a Navajo speaker was captured, all he was able to say was something along the line of 'green cheese pickle egg' in response to the demand to decode a message. You would need access to the code books too to figure out that that actually meant 'attack at dawn'. Effectively, the encryption was multi-layered.

          1. This post has been deleted by its author

        3. Anonymous Coward
          Anonymous Coward

          Re: Ah well...

          This is surely more or less a simple substitution code? English word for german soldier -> Navajo word for german soldier, plus a bit of Navajo grammar and glue. I think "decrypting" a novel language would not be that much of a challenge if it was used at all extensively since the actions that follow the message will quickly give clues to the language.

          Encryption works partly because there is no correlation between the ciphertext of two messages, even if they say the same thing because different keys are used each time (there are protocols for securely agreeing new keys) and each ciphertext block is usually encrypted using the previous block as part of its input so even a repeat in the plaintext doesn't show up as a repeat in the ciphertext.

      2. This post has been deleted by its author

      3. RobHib
        Meh

        @Don Jefe - Re: Ah well...

        This recent exposure has put the truly serious punters on notice, that's if they weren't so already. They won't use electronic communications except to pass very short encrypted cues (action/go messages) whose meanings have already been previously conveyed in person or by other non-electronic means.

        For instance, 'How's yuh mother's roses' could mean 'go eliminate xyz at such and such at the prearranged time' etc. and this translation never goes via any electronic network or even telephone. Essentially, this is how the British SOE sent messages into the field during WWII, 'innocuous' cue messages were sent out on the BBC into France etc. Today, even the detection of such cryptic messages (i.e. just finding their existence) could be seriously slowed down by obfuscating schemes such as Tor, especially so if only part of the message went by Tor (and even then using steganography) etc. If or when the message is eventually uncovered it'll be too late to do anything about it. Essentially, the true (and really dangerous) professionals are unlikely to be caught--not by message interception anyway.

        However it does seem to me that this vast spying and decrypting effort by the NSA, GCHQ, Oz's Defence Sig. Directorate etc. will have a significant effect on the second-rank players. These include cloud users with encrypted info, encrypted VPNs etc. Such users include corporations both within and outside the US, various governments and their agencies sending all but the most secret info.

        Clearly, by now, all these second-rank players will also be aware that their data is very likely compromised. There'll be suspicion that trade treaties have been compromised by the US, UK etc. as commercial-in-confidence info from other countries will be used to the advantage of the US etc., etc.

        Basically, the US Government gave us an unfettered internet 20 or so years ago and it's realized its mistake. And over the last decade it has surreptitiously brought it back under its control. It's only now we are beginning to realise this and the extent to which it has been successful.

        I think there's little doubt that this spying has significantly compromised the net, and users will never see it as the place it once was. I think we should have realised this way back in 2001 and when the Patriot Act (and the equiv. laws in the UK, Aust. etc.) were passed. Trouble is the spied-upon will retaliate in kind and this won't be nice.

        As I've said many times, effectively the terrorists have won. They've screwed up our lives and that's what they intended.

        1. This post has been deleted by its author

          1. RobHib

            @ribosome - Re: @Don Jefe - Ah well...

            You're very probably correct. Moreover, I'll bet there's many an inventive scheme that we've never contemplated.

            It begs questions as to whether or not the NSA et al realized that the professional nasties would eventually skip electronic town to avoid detection when they initially invested the billions in this spying venture. If so, then this vast investment will have been aimed primarily (and knowingly) at the second-tier players. If correct, then the ramifications of this, I'd reckon, are quite horrendous.

            If they thought this enormous spying infrastructure (in the absence, say, of Snowden) would never have been exposed and thus the world would never have been spooked [duh, sorry], then such reasoning seems completely fanciful. One only has to look to history for this: when Roosevelt and Churchill met Stalin at Yalta in February 1945, Stalin was already well aware of the primary purpose of the Manhattan Project through his own spies. The fact is, something this big cannot be hidden for very long—anyway, at least the basics of the project and its main purpose cannot.

            Again, this leads us back to the original motives for and the rationale behind this enormous investment in spying, the NSA et al must have known that it wouldn't be long before they'd be outed, and that China and Russia etc. would know exactly down to a tee what they were doing. This obviously leads to the next question: given that you can't hide a project of this size from the security agencies of other governments (China etc.), then did the NSA inform them of the fact on the basis that this enormous increase in effort was specifically for and only to catch terrorists [as a worldwide network already existed for such purposes—simply, was China et al informed by the US of its massive expansion in spying?].

            Seems to me the world now ought to be told answers to these questions. The very covenant that binds the citizenry to the state—that which holds democracy together—depends on such answers. Reckon we're in for a pretty bleak time if citizens lose significantly more trust in their governments (as it seems is happening).

            1. Don Jefe
              Pirate

              Re: Ah well!!!

              Ha! Obviously my new strategy for hidden plain text communications, as outlined in my initial reply, is highly effective. A few individuals understood the message while the rest suggested methods by which I could obfuscate my communications.

              1. Charles 9

                Re: Ah well!!!

                The thing is, how can you communicate very precise information in plain english without having first met the other party (which can itself be a tipoff)? And what if the plan changes and you have to send new coordinates or whatever and are unable to meet your second party again?

                Plain english codewords like "birthday party" are only good for very limited scenarios. Once you get to a broader vocabulary, you're going to need something rather more sophisticated.

        2. amanfromMars 1 Silver badge

          @RobHib Re: @Don Jefe - Ah well... Unintended Consequences always Best Deliver Novel Opportunities

          Basically, the US Government gave us an unfettered internet 20 or so years ago and it's realized its mistake. And over the last decade it has surreptitiously brought it back under its control. It's only now we are beginning to realise this and the extent to which it has been successful. ..... RobHib Friday 6th September 2013 09:07 GMT

          Successfully surreptitiously brought back under its control, RobHib? Methinks currently be that a dream scenario in which the realities of today and tomorrow play no part ....... although with a little extra especial work done, would one not be able to rule out it being so configured for/in the future.

          1. RobHib
            Facepalm

            Re: @RobHib @Don Jefe - Ah well... Unintended Consequences always Best Deliver Novel Opportunities

            Adjectives can be terrible things, they've no extent or measure unless carefully defined.

            Similarly, Control also needs to be defined, and I plead guilty your honour (but 'tis not a PhD thesis either).

            Governments want to do what governments normally do, and that's control and regulate the world around them, and for its first decade the internet had no government control whatsoever. Abiding control envy and the internet being out of regulatory reach was more than they could stand, and it demanded crisis action to rectify.

            ...And they threw billions and billions at it, and the tide eventually turned. And now governments feel much better; and very soon they're hoping to feel even better still, because they've billions and billions to feel much better!

            Now, there's some control, and soon there'll be more, probably much more. Hackers, pedophiles, terrorists and other criminals are now being caught and money laundering detected. Because that's what governments do! Right, the internet's being "brought back under its control", we're seeing it happen now, and NSA and GCHQ leaks confirm that fact.

            Governments want regulatory control and the internet under law, because they want it so. And they're powerful enough to say they can have it so; because in the past they've always regulated everything else, and there's no exception—because that's what governments do. It'd be anathema if governments didn't want it so, with a luscious target the size and scope of the internet, it'd be outrageously stupid to think otherwise. Thousands of years tell us that.

            Do governments want the internet back and under controlling ownership as in the days of ARPANET? Definitely not. But they certainly demand to be its headmaster. Now, Snowden's revelations prove they've gotten the job.

            Sorry, I apologise; I thought all that would have been blindingly obvious.

        3. Vic

          Re: @Don Jefe - Ah well...

          > Essentially, this is how the British SOE sent messages into the field during WWII

          You'd do it in spam messages now.

          Broadcast your spam to the world, with the actual message hidden steganographically in pictures of an Asian-looking bloke in a white coat offering you blue pills.

          You could send the spam to the work email address of the agent supposed to be following you - if it looks spammy enough, it'll be discarded...

          Vic.

      4. Anonymous Coward
        Anonymous Coward

        Re: Ah well...

        Simple. If man can do it, man can UNdo it. Just use one lawyer skilled in doublespeak to untangle your lawyer's doublespeak.

        As for the one time pad, if I had the capability and knew what was your pad (not the contents, just the existence), I'd find a way to swap it out for MY one-time pad, then MITM you.

      5. amanfromMars 1 Silver badge

        Re: Ah well... @ Don Jefe [Posted Thursday 5th September 2013 23:03 GMT]

        Quite so, DJ. Such AlienSpeak is secure enough to practically get all virtual jobs done in a relative flash and/or flash crash too if the markets are tardy/unresponsive/dumb and dim-witted/paralysed and terrorised.

  5. btrower

    Disinformation is their secret weapon

    Disinformation is their secret weapon. We *know* a one time pad is secure. In essence, this is the target condition of encryption. The tiny keys we are encouraged to use, transparent means of encryption, simplistic structures, defined end-to-end transmission, etc, etc, etc is, in my opinion largely a snow-job to discourage people from using strong encryption and building webs of trust.

    The people that sign SSL keys on the Internet are among the least trustworthy players on the Internet.

    We need to attack this problem both with technology and politically. The fact that powerful adversaries are being funded by our tax dollars and given greater than equal standing when we set standards is disturbing.

    One of the main weaknesses of modern crypto is in generating things like keys and nonces. I would be surprised if the NSA does not have the ability to brute-force most conventional encryption due to weaknesses in the systems that generate keys.

    Modern crypto as currently deployed is not, in my opinion, sufficient.

    1. Charles 9

      Re: Disinformation is their secret weapon

      Even open-sourced ones where the code can be analyzed?

      Also, there's also reason to believe not all algorithms are vulnerable. There's a high-profile case of the FBI trying to obtain evidence off a drug dealer's hard drive, but it was TrueCrypted, and despite a year of brute-forcing, they couldn't get at the data.

      As for web of trust systems, it seems all of them are necessarily complicated and difficult to implement. Freenet has a WoT system using CAPTCHAs, and it's clunky as anything.

    2. Suricou Raven

      Re: Disinformation is their secret weapon

      I'm surprised no-one has released an OTP VPN. It should be quite practical for the common business usage.

      1. HQ fills a portable 2.5" drive with, say, 250GB of randomness. Keeps another copy on their VPN server.

      2. Remote worker goes off on their business trip, keeping the drive on their person.

      3. VPN using the drive as an OTP. Easiest way would be to have one side of the conversation start XORing at the beginning of the drive and one at the end. Erase the OTP from the drive as it's used up, in case of later confiscation.

      4. When worker gets back from the business trip, refill the OTP drive before the next one.

      Obviously you could only send as much data as the drive can hold for the OTP, but 250GB is still quite enough to last a business trip - and if you need more, you can always just take a couple of 1TB drives.

      If the remote worker's laptop has the capacity and the need for VPN transfer low enough, you could do away with the drive and just store the OTP on the internal drive.
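      The two-ended pad scheme sketched above, together with the "a repeat in the plaintext must not show up as a repeat in the ciphertext" point from the substitution-code reply further up, as an added Python example; it is not the poster's code. The pad contents, the codebook words and the per-message HMAC tag (the pad alone gives no integrity) are constructed assumptions, not part of the original sketch.

```python
"""Constructed model of a two-ended one-time-pad link: HQ spends pad from the
front of the drive, the remote worker from the back, spent bytes are wiped."""
import hashlib
import hmac
import os
import random

MAC_KEY_LEN = 32  # pad bytes spent per message on a fresh HMAC-SHA256 key (assumption)


class PadExhausted(Exception):
    """A message would need more pad than is left unused."""


class PadCopy:
    """One party's copy of the pad drive, modelled as a bytearray.

    Front and back never overlap, so the two directions cannot reuse a byte
    (reuse is the one fatal OTP mistake). Spent bytes are zeroed, which is the
    'erase as it's used up' step against later confiscation of the drive.
    """

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self._front = 0          # first unspent byte for the 'front' party
        self._back = len(pad)    # one past the last unspent byte for 'back'

    def remaining(self) -> int:
        return self._back - self._front

    def spend(self, n: int, end: str) -> bytes:
        if n > self.remaining():
            raise PadExhausted(f"need {n} pad bytes, {self.remaining()} left")
        if end == "front":
            lo, hi = self._front, self._front + n
            self._front = hi
        else:
            lo, hi = self._back - n, self._back
            self._back = lo
        chunk = bytes(self._pad[lo:hi])
        self._pad[lo:hi] = bytes(n)  # wipe the spent region
        return chunk


class Endpoint:
    """HQ ('front') or the remote worker ('back'), each with its own pad copy."""

    def __init__(self, pad: bytes, my_end: str):
        self.pad = PadCopy(pad)
        self.my_end = my_end
        self.peer_end = "back" if my_end == "front" else "front"

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))

    def seal(self, plaintext: bytes) -> bytes:
        # XOR with pad is confidentiality only: an altered ciphertext bit alters
        # the same plaintext bit undetected. Spend extra pad on a one-message
        # MAC key so alteration (or pad copies out of step) is caught.
        key = self.pad.spend(MAC_KEY_LEN, self.my_end)
        body = self._xor(plaintext, self.pad.spend(len(plaintext), self.my_end))
        return body + hmac.new(key, body, hashlib.sha256).digest()

    def open(self, message: bytes) -> bytes:
        body, tag = message[:-32], message[-32:]
        key = self.pad.spend(MAC_KEY_LEN, self.peer_end)   # same order as seal()
        stream = self.pad.spend(len(body), self.peer_end)
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            raise ValueError("MAC mismatch: message altered or pad out of step")
        return self._xor(body, stream)


def blocks(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data) - size + 1, size)]


def repeats(units) -> int:
    """How many units are duplicates of an earlier one (0 for good ciphertext)."""
    return len(units) - len(set(units))


def codebook_encode(words, book) -> list:
    """Word-for-word substitution, the 'Navajo word for German soldier' scheme."""
    return [book[w] for w in words]


def demo(seed=None, pad_len=4096) -> dict:
    # Constructed pad: seeded only to make the demo reproducible; use os.urandom for real.
    pad = random.Random(seed).randbytes(pad_len) if seed is not None else os.urandom(pad_len)
    hq, worker = Endpoint(pad, "front"), Endpoint(pad, "back")
    msg = b"attack at dawn attack at dawn "          # deliberate repeated plaintext
    c1, c2 = hq.seal(msg), hq.seal(msg)
    out = {"ciphertexts_differ": c1 != c2,
           "round_trip": worker.open(c1) == msg and worker.open(c2) == msg}
    reply = worker.seal(b"acknowledged")
    tampered = bytes([reply[0] ^ 0x01]) + reply[1:]  # one flipped ciphertext bit
    try:
        hq.open(tampered)
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    out["pad_in_step"] = hq.pad.remaining() == worker.pad.remaining()
    book = {b"attack": b"GREEN", b"at": b"CHEESE", b"dawn": b"PICKLE"}  # constructed
    out["codebook_repeats"] = repeats(codebook_encode(msg.split(), book))
    out["otp_repeats"] = repeats(blocks(c1[:-32], 6))
    try:
        Endpoint(bytes(8), "front").seal(b"needs more pad than an 8-byte drive has")
        out["exhaustion_raised"] = False
    except PadExhausted:
        out["exhaustion_raised"] = True
    return out
```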

    3. MrXavia

      Re: Disinformation is their secret weapon

      While MITM attacks are slightly worrying, to me they are less so when done by GCHQ, but very worrying when done by the NSA (I would expect the gov to protect me against external monitoring, even if they have the ability to 'wire tap' my connection if they need to)

      My biggest concern is when they do this without a warrant, I am a firm believer that NO wire taps, traces, decryption or even a request for encryption keys, should be done without a warrant issued by a judge with good reason as its due to a serious suspected crime (i.e. murder, drugs, people trafficking, firearms, terrorism)...

      Someone needs to implement a way to detect MITM attacks automatically and integrate it into a browser...

      I am sure there MUST be a way to do it, even if that would require again trusting some third party to confirm its all OK...

      1. Charles 9

        Re: Disinformation is their secret weapon

        "My biggest concern is when they do this without a warrant, I am a firm believer that NO wire taps, traces, decryption or even a request for encryption keys, should be done without a warrant issued by a judge with good reason as its due to a serious suspected crime (i.e. murder, drugs, people trafficking, firearms, terrorism)..."

        Even if the mere issuance of the warrant gives the game away (due to moles and the like) and makes the terrorist(s) go to ground?

        1. Intractable Potsherd

          Re: Disinformation is their secret weapon @Charles 9

          Yes, even in those cases. Without due process, the "good guys" are indistinguishable from the "bad" ones.

          Besides, give me a non-movie-plot scenario (i.e. one that is actually likely) in which your case would apply.

    4. Dr Dan Holdsworth

      Re: Disinformation is their secret weapon

      To be honest here, what we're currently using encryption for is vermin control, and it really doesn't take all that much encryption to keep modern crooks out of, say, a banking system. Most of the time we don't need to keep the NSA out, because the average person bumbles along not doing very much of interest to a major spying agency at all. About the most that the average punter gets up to is a spot of marital infidelity or low-level larceny; annoying on a personal level but profoundly uninteresting to the NSA.

      The mistake here is to imagine that shoddily-executed, vermin control encryption is going to keep the big boys' noses out of your data. It isn't; only the sheer banality and uninterestingness keeps them off your back. The only time to start worrying significantly is if or when the NSA starts routinely leaking the data it has sniffed out to other agencies or even commercial companies; as soon as it does this, it joins the ranks of internet vermin.

      Once on the vermin list, I doubt the NSA would ever get off it, and once the world realises that shonky encryption won't do the job, geeks everywhere will start trying to up their game and lock the NSA out. The actual terrorists already do this; face to face meetings and lone-wolf attacks are almost impossible to spot online.

      1. Anonymous Coward
        Anonymous Coward

        Re: Disinformation is their secret weapon

        Perhaps you're correct, but how many ex-NSA employees are, or have been, employed by the banking and finance industries? I know of one who keeps hopping from company to company, and i now am beginning to wonder if he's still employed by the NSA...

  6. Anonymous Coward
    Anonymous Coward

    You'd be...

    ...very naive to not know others have compromised encryption and it ain't the good guys which is in fact the NSA.

    1. Don Jefe
      Meh

      Re: You'd be...

      Good Guys™ do not creep on you in the middle of the night and rifle through your wife and daughters emails, calls, texts and pictures. In fact that's pretty much the opposite of Good Guy™ behavior.

      However noble and just a cause may be, when those who support and follow that cause resort to the tactics, behaviors and attitudes of the Bad Guys™ they have in fact become what they set out to destroy.

      This repulsive idea of "Win At All Costs" has become accepted among so many and it is sad. Your fears are being exploited and encouraging you to twist the meaning of Good within your own mind. Twist it so badly out of shape that you can no longer discern the meanings of Good and Bad yourself. You wait for someone from on high to tell you what it means... You have given up moral discrimination, the single most unique aspect of the Human species.

      1. Dave 126 Silver badge

        Re: You'd be...

        Smiley does not retrieve his Ronson cigarette lighter from the ground, after it is dropped by his nemesis.

      2. tom dial Silver badge

        Re: You'd be...

        We all would like to see your evidence that the NSA does so.

        It really is not all about you, your wife and your children.

        1. Don Jefe

          Re: You'd be...

          You're right. It's about you, your wife and your children and those of your neighbor. The fact that you consistently fail to miss that point is stunning to me.

          Here's the NSA's own admission that spying on the current and ex love interests of agents does take place. This is only those who get caught. Snowden managed to waltz right out of there with tons of information and months later they still don't know what he took. It's fair to say their internal security isn't great and presumably only the stupid or careless get caught.

          http://m.washingtonpost.com/blogs/the-switch/wp/2013/08/24/loveint-when-nsa-officers-use-their-spying-power-on-love-interests/

  7. Anonymous Coward
    Anonymous Coward

    Bruce Schneier has released a couple of essays relating to these docs

    http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

    1. Anonymous Coward
      Anonymous Coward

      well, yes...

      He had a part in the examination of this batch of documents...

  8. dephormation.org.uk
    Thumb Down

    GCHQ are doing their job

    When did it become GCHQ job to spy on *law abiding* citizens unencrypted, let alone encrypted, private/confidential communications?

    Or rather, 'adversaries', to use the new colloquialism?

    These revelations, or rather the fact of the corrupt co-operation between IT industry leaders and these fascists, will do huge damage to public trust in IT people & products.

    1. Anonymous Coward
      Anonymous Coward

      Re: GCHQ are doing their job

      I used to laugh when people talked about 'Police State'. Paranoid nutters, I thought. It doesn't seem as funny now.

      1. sunnyskies
        Big Brother

        Re: GCHQ are doing their job

        Indeed.

        When Hermann Goering formed the Gestapo in the early 1930s, he stated that "he who is of good-will has nothing to fear from the secret State police". He did not deny that mail was being opened, telephones tapped and "disaffected persons" being shadowed.

        1. amanfromMars 1 Silver badge

          @sunnyskies Re: GCHQ are doing their job

          Indeed.

          When Hermann Goering formed the Gestapo in the early 1930s, he stated that "he who is of good-will has nothing to fear from the secret State police". He did not deny that mail was being opened, telephones tapped and "disaffected persons" being shadowed. .....sunnyskies Posted Friday 6th September 2013 06:03 GMT

          Quite so. However, the corollary of that may not be so true, sunnyskies ...... "Secret State police have nothing to fear from they of good-will"

          Indeed, it may very well be that they have everything to fear from that which they ignore and/or dismiss and become so terrified and terrorised by events they monitor and mentor to become paralysed and useless in every form of their being.

    2. Apdsmith

      Re: GCHQ are doing their job

      Dephormation,

      I suspect the answer to your question is "When it became easier to treat us *all* like criminals than think about targeting specific individuals."

      My worry is the old Franklin quote - I suspect that although hoovering up every damned thing has been sold to The Powers That Be as cheaper than performing competent analysis (not that I'm qualified for such, but that's not the point) it's actually not as effective as believed, leaving us all worse off for very little benefit.

      Which to be fair would be about par for a government program conducted in utmost secrecy.

      Ad

    3. MrXavia

      Re: GCHQ are doing their job

      I seriously doubt they are bothering to MITM attack everyone, and the 'black boxes' that idiot MP wanted are not implemented (YET) so no need to get TOO paranoid yet.. and while I get WHY they want to just grab it all into a DB, it does not mean we should be doing it.. We in this country started modern democracy and freedom, we should honour it by not eroding freedom!

      As famously was said by Ben Franklin..

      Those who give up their liberty for more security neither deserve liberty nor security

    4. Intractable Potsherd

      Re: GCHQ are doing their job @dephormation

      It is becoming clear that the powers that be are very frightened of the population. We *are* "the adversary" from their point of view.

  9. Anonymous Coward
    Anonymous Coward

    Backdoors in systems you say ?

    Now I wonder if that includes Windows ?

    Bet your ass it does.

    Glad I use Linux.

    Smug Mode.

    1. Anonymous Coward
      Anonymous Coward

      Re: Backdoors in systems you say ?

      Yes, you're perfectly safe with Linux. Sleep tight, sweet dreams.

    2. Anonymous Coward
      Anonymous Coward

      Re: Backdoors in systems you say ?

      Don't forget that even if you use Linux or other allegedly trustworthy software, if you're running it under a hypervisor and your hypervisor is part of the NSA Fan Club, whatever is in memory on your Linux box is, in principle, visible to the NSA.

      Also, anybody know what's *really* inside vPRO/AMT etc?

    3. Dan 55 Silver badge
      1. Ian Reissmann

        Re: Backdoors in systems you say ?

        Gosh: open source has bugs ?!

        The point many people (such as Bruce Schneier) are making is that NSA are probably relying on things like back doors and poor security practices to ensure they can breach people's privacy. Open source is much less likely to be vulnerable to these as we know what goes into open source.

    4. tom dial Silver badge

      Re: Backdoors in systems you say ?

      It may or may not include Windows 7 (or 8). It almost surely includes Cisco routers. See:

      https://www.rfc-editor.org/rfc/rfc3924.txt

    5. Anonymous Coward
      Devil

      @AC

      You do realize that a project, enabled by default in the kernel, is called SE Linux and it originates from the NSA itself.

      You were saying?

      FreeBSD suddenly became so much more appealing...

      1. Charles 9

        Re: @AC

        You do realize that by making it a Linux instead of say a BSD the code must be open-sourced (GPL license requires it) and able to be analyzed. And the links of the chain needed to produce the kernel from source (like the compiler) could be obtained from places outside US control. SELinux was something they put in for their OWN benefit, to cover their OWN butts, because as the article notes, anything used here could be turned against them. Thing is, SELinux is a rather complicated way of doing things (no root user), so it's not for everyone.

      2. Paul Crawford Silver badge

        Re: @AC

        The whole point about SElinux (or apparmor, for that matter) is to deal with the problem of internal trust between processes that run with root privileges, or (like web browser or PDF reader) are likely attack routes. That is a big problem in ANY computer system. It is open sourced, so you or anyone else can check it!

        Like the fools who say AES is back-doored because the US use it, it completely misses the point. They want good security for themselves and US gov, as much as they want to break others, as they know Russia, China, etc will be doing the same in return.

        1. robmobz

          Re: @AC

          The old problem between COMSEC and SIGINT.

          If you can read it then so can they but if they cannot read it then neither can you.

  10. Frank Rysanek

    clean OS and hardware is possible

    I believe Linux is generally pretty safe against spyware. That would be a good platform for an endpoint OS, getting rid of keyloggers and the like. As for clean hardware... suppose that Intel's on-chip IPMI/AMT is compromised. Suppose that the AMT-related autonomous backdoor exists even in Intel CPU and chipset variants that do not openly support AMT (for the sake of sales segmentation). There are other brands of CPUs, without inherent support for IPMI/AMT. And, based on what I've seen so far, I don't think such a backdoor would be very useful and reliable, given how buggy IPMI/AMT is...

    1. Don Jefe

      Re: clean OS and hardware is possible

      Be that as it may, it amounts to fuck all if everything coming and going to the clean OS and hardware is wide open to surveillance. Save yourself some money and hassle and just buy NSA Compliant COTS gear with a decent warranty.

  11. Anonymous Coward
    Anonymous Coward

    Hmmm........... SELinux not so SE, then?

    And I thought Bamford had gone bonkers when he recently said crypto was broken.

    I understand someone wants to have a quick noisy shufty in Arabia to bury this news...

  12. Destroy All Monsters Silver badge

    Dat Citation!

    http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

    "Knowledge that GCHQ exploits these products and the scale of our capability would raise public awareness generating unwelcome publicity for us and our political masters."

    Yesss, master....

    Oh well, time to short cloud providers, then.

  13. h3

    So the real problem with Huawei / ZTE was that they wouldn't agree to this sort of thing.

    1. Suricou Raven

      Or a simple assumption that if the NSA is resorting to pressuring American manufacturers into the use of backdoors, then it's likely their Chinese counterparts are doing exactly the same.

  14. Anonymous Coward
    Big Brother

    How charming!

    I haven't read the NYT article, but CNBC has a really good piece on this that lists Snowden-leaked NSA/GCHQ documents revealing:

    1. How they use their position to water down/penetrate encryption standards as they are made

    2. How they occasionally work with hardware manufacturers to ship back door-laden gear being sold to "targets of interest" (You've got a Dell! It's the same one that Kim Jong-Un ordered!!)

    3. How the GCHQ is working towards penetrating 300 VPN streams

    4. How the NSA's program to help IT product/service providers validate the security of their offerings is also used to engineer NSA-friendly vulnerabilities into those offerings

    5. How the NSA got slapped down in their effort to openly insert a trap door into IT gear with their 90s "Clipper chip" program, and has since been working on a multi-pronged approach to do the same thing surreptitiously.

    It's a good read:

    http://www.cnbc.com/id/101012478

    LYING BASTARDS!!!

  15. XioNYC
    Mushroom

    Change of tactics

    As the NYT noted "Many... rely on such protection every time they send an e-mail, **buy something online**... use a phone or a tablet on a 4G network." (emph. added).

    If you want better privacy, start arguing that the NSA is impeding free trade.

    1. Don Jefe

      Re: Change of tactics

The financial impact argument is already building steam over here in DC. Even some of the usual "government is always good" toadies I deal with have talked about "privacy specific" briefings and sales seminars where they're being instructed on how to address clients' concerns about US government access to data in their products.

      Of course they all blame Snowden for making their sales jobs harder. Not the government for doing it in the first place. Jackasses.

  16. dan1980

What baffles me is that this work is not done by politicians or generals or bureaucrats, it's done by IT people.

    Now, sure, much of the problem is with the government co-opting mainstream tech companies to force them to use their talent pool to work for the NSA (effectively) but surely much of the unpalatable spying is being effected by IT people hired by and working directly for the NSA - with knowledge of what they are doing.

    Right?

    How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else? Is it that they go in with an attitude that they will make sure they stay ethical and then just slide? Or are there really enough people who actually believe this is a good thing?

    1. Anonymous Coward
      Anonymous Coward

      @dan1980 23:59

"What baffles me is that this work is not done by politicians or generals or bureaucrats, it's done by IT people."

      Why? 5 minutes looking at the OS/mobile phone/processor/anything arguments on The Reg's forums shows that IT people have strong opinions at both ends of an argument. It's no doubt the same for ethical/legal concerns, too.

      Plus, presumably people in the spook world get to play with some cool tech. Geek goggles might make the job more attractive. And in the current climate, having a job at all ...

    2. Anonymous Coward
      Anonymous Coward

      "How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else? Is it that they go in with an attitude that they will make sure they stay ethical and then just slide? Or are there really enough people who actually believe this is a good thing?"

      You don't think a threat of a company getting tagged for ESPIONAGE wouldn't hurt them? If you make an algorithm you can't crack, we have to assume you're helping THE ENEMY (their thought, not mine).

    3. Suricou Raven

Some of them might be genuine paranoid patriots, believing that the NSA's spying ability is essential to preserve the safety of their country.

      Others might be in it for the money. Well-paid work is hard to find. Do you want to respect freedoms for all people, or do you want to pay the rent? Choose.

    4. Anonymous Coward
      Anonymous Coward

      How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else?

I would suggest that they are maybe the best and brightest of those who are willing to destroy the privacy and freedoms of everyone else in order to play with cool technology.

      The best and brightest engineers may actually be engaged in other, more socially useful, activities.

    5. Anonymous Coward
      Anonymous Coward

      Getting paid shed loads to fight the enemy. That's the usual pitch.

    6. This post has been deleted by its author

    7. Anonymous Coward
      Facepalm

      because it is fun and challenging.

      That's why.

    8. Intractable Potsherd

      @dan1980

      Obviously, it isn't just Google that has "rogue engineers" ...

  17. dssf

    Section 31 of the FUture might be impressed with its PAST

    Which is our PRESent....

    Just because I'm paranoid doesn't mean they're NOT watching...

    That will become the normalized sentence....

  18. dssf

    This'll kill a lot of erections..

Imagine how many of those m4m sites and phone apps must have a$$load$ of automated agents and the occasional "sampling" human in them. They could be in there just wasting the time of those dripping like a dog looking for someone who'll never respond.

Your sex chats/quests are being interrupted to prevent acts you WOULD have committed....

    Of course, if that is real, then the NSA and GCHQ will be literal cock-blockers impeding flow of goods and services, hahahah

    1. Don Jefe
      Alien

      Re: This'll kill a lot of erections..

      Man, I've got no idea what you're wanting, but if you take your list of demands to amanfrommars and have him relay the information to us in a human readable format someone here might be able to help you.

  19. Schultz

    Back doors

So now we know why the US is so afraid of possible back-doors in Chinese hardware. They probably succeeded in getting their own back-doors installed and realized that when they can do it, others can do the same.

    Maybe 'trust' will become an important factor in the future of electronic manufacturing. How to ensure that the infiltrated NSA, GCHQ, or Chinese agent can't subvert the hardware or software of the whole company? How to reassure the customers about it?

Companies like Kapersky might be able to offer code audits (are they independent enough?), small companies could start building simple but secure devices for communication, things will get much more complicated than they are today. Welcome to the future of the internet -- thanks, NSA, for robbing our delusions about the internet we have.

    1. T. F. M. Reader

      Re: Back doors

      "Companies like Ka[s]persky might be able to offer code audits (are they independent enough?)"

      They are Russian - what do you think? No, I do not mean to disparage them, they may be decent people, but it is even easier to exert pressure on a company in Russia than in the US/UK.

    2. Davehhhhh
      Unhappy

      Re: Back doors

      Good point - we worry about the NSA snooping on journalists with this tech (especially after the UK Home Secretary said it was OK to use terrorist legislation to get data off David Miranda) but of course there are powerful governments with a poor track record on human rights who could already be exploiting these back doors and no doubt in time some of the many contractors will roll off these programs into private security consultancies who work from some rather dubious regimes around the world.

      The next time there are reports of journalists or dissidents being tortured or murdered in Russia, China or some repressive Middle East state perhaps the people arguing that this program to systematically undermine the security of the internet is just for bad guys will stop and wonder how those journalists and dissidents came to be compromised.

  20. Mikel

    On trusting trust

    Don't.

    1. jake Silver badge

      @Mikel (was: Re: On trusting trust)

      Indeed. See mine from April 2009:

      http://forums.theregister.co.uk/forum/containing/470655

  21. json
    Black Helicopters

    Which begs the question..

we can't really be anonymous even with comments here, right?

    1. Anonymous Coward
      Anonymous Coward

      Re: Which begs the question.. @json 03:10

"we can't really be anonymous even with comments here, right?"

      That's always been my presumption.

      "Anon, for obvious reasons" - always makes me snort.

      Oh, I was going to say it should be "raises the question", but on second thought realised you're right :)

      1. Anonymous Coward
        Windows

        Re: Which begs the question.. @json 03:10

"'Anon, for obvious reasons' - always makes me snort."

        Ditto, but the anon icon merely makes it difficult to know who posted something on here, it does not hide your ID from site admins/NSA etc etc. It is a smoke cloak and nothing more.

        More irksome is its use when someone says something a bit risqué or inflammatory then hides behind anon.

        Cowards.

        1. Anonymous Coward
          Anonymous Coward

          Re: Which begs the question.. @json 03:10

I got a complete de haut en bas telling off from an AC the other day. Personally I feel that I may be not the nicest person out, but if I felt the need to hide behind AC, I shouldn't write it.

          1. WaveyDavey

            Re: Which begs the question.. @json 03:10

            "De haut en bas" - I consider myself pretty literate, but that was a new one to me - what a lovely phrase. Added to vocab store - thank you.

            1. Anonymous Coward
              Anonymous Coward

              Re: Which begs the question.. @json 03:10

              Thank my French teacher.

      2. Anonymous Coward
        Alert

        Re: Which begs the question.. @json 03:10

        Posting as AC is only marginally effective anyway. It only takes a few minutes to determine who it is (whose handle anyway) with a high level of confidence.

        I've also always wondered why AC's always use the Fawkes mask instead of any icon they want. I've sent a few emails to El Reg about both things but never heard anything back.

        1. Anonymous Coward
          Anonymous Coward

          Re: Which begs the question.. @json 03:10

          Don't tell me! You just send an email to the site editor and ask 'Who posted the anon comment on 6 Sep 2013 at 10:22?" Now that's a back door.

        2. richard 7

          Re: Which begs the question.. @json 03:10

ACs can only use the mask, all other icons are unavailable to them. Try an AC post, you don't even need to post, the icons get greyed out.

          1. Anonymous Coward
            Black Helicopters

            Re: Which begs the question.. @json 03:10

            What username and icon do you see for this post?

            1. richard 7

              Re: Which begs the question.. @json 03:10

              http://www.realitytech.co.uk/rich/anon.png

Something isn't right then...

  22. arkhangelsk

    This kind of governmental cheating

by all parts of government won't stop because no penalties are ever imposed. At best, when caught, the legislature passes the equivalent of a Cease and Desist, and if we are extremely lucky the involved government agency would even follow it for a while. If it even gets to the point where the head resigns to "take responsibility" ... that's half a miracle (it happens more in Japan, seemingly less in the West).

What should be passed are new acts that say any governmental agency that gets caught breaking or abusing the rules is subject to decimation (as in 1/10th of the employees get fired, evenly split between top and bottom posts), plus at least a 20% reduction in budget for the next 5 years. With real penalties should come improvements.

    1. Anonymous Coward
      Anonymous Coward

      Re: This kind of governmental cheating

      Fired? Hell no, I think executed would be better.

    2. Charles 9

      Re: This kind of governmental cheating

      "What should be passed are new acts that say any governmental agency that gets caught breaking or abusing the rules are subject to decimation (as in 1/10th of the employees get fired, even split between top and bottom post), plus at least a 20% reduction in budget for the next 5 years. With real penalties should come improvements."

      Ever heard of "Screw the rules, I MAKE them"? That's the problem here. Like it or not, when it's the lawMAKERS (in concert) working against you, you lose.

      1. Don Jefe
        Unhappy

        Re: This kind of governmental cheating

        Part of the philosophy underlying democracy says that lawmakers should not be punished for their actions if it can be shown they believed their actions to be in the best interests of the people. The idea being that if your enemy were elected tomorrow he couldn't prosecute you for your actions while in office, therefore you have nothing to fear from future administrations. It falls back at that point to being the fault of the people who elected that person if that person does something horrible.

Democracy has many good points but accountability for elected leaders is not one of them. Not only is it not included, it is actively guarded against ever being included. It kind of sucks.

        1. Anonymous Coward
          Anonymous Coward

          Re: This kind of governmental cheating

          Democracy also pretty much requires an informed electorate. But when one informed vote is overruled by ten mindless sheep, you have a big problem.

          Hate to say it, but universal suffrage was a mistake. Not that denying women was a good thing, either, but it should only be given to those who know what the blank is going on.

  23. jake Silver badge

    DUH!

    Mine from Feb. 2009:

    http://forums.theregister.co.uk/forum/containing/429562

    Also from Feb. 2009:

    http://forums.theregister.co.uk/forum/containing/430421

    1. Anonymous Coward
      Anonymous Coward

      Re: DUH! @jake

      So, a statement of the obvious and another claim about your activities. You desperately want people to applaud you, don't you?

      1. jake Silver badge

        Re: DUH! @jake

Honestly, AC, I don't care about AC comments slagging me off. But if you get off on it, who am I to comment? Enjoy your fun. Maybe, eventually, you'll learn something & find a life. Hopefully I will have helped you along the way.

        1. Anonymous Coward
          Anonymous Coward

          Re: DUH! @jake

          Jake in being-pompous-patronising-ass shocker.

          Different ac.

          1. jake Silver badge

            Re: DUH! @jake

            Having fun, AC 07:29?

            At least I have a face. You do not. Seriously, think about it.

  24. Anonymous Coward
    Black Helicopters

    I wonder

    How many people realize that SE Linux (secured Linux) is in fact: NSA SE Linux?

    For good or bad; I don't know. But it sure got a very weird ring to it as of late.

    1. Michael Habel

      Re: I wonder

      Prepare for massive down Votes....

      The last time 'round I pointed it out. I got like Two Up Votes.... Then it kinda went south from there....

      Like I said then....

      1) "The Code is vetted!"... ~By who? Who watches the Watchmen?~

      2) "Do these People know what every "bit" does?" I mean are those People able to find such cleverly hidden Code?

      1. Charles 9

        Re: I wonder

        1) "The Code is vetted!"... ~By who? Who watches the Watchmen?~

        By people OUTSIDE the US, who can't be influenced by the US.

        2) "Do these People know what every "bit" does?" I mean are those People able to find such cleverly hidden Code?

        You'd be surprised at the thoroughness of some bug hunters, especially if money or prestige are involved.

        1. Anonymous Coward
          Black Helicopters

          @ Charles 9

          How do you know they can't be influenced by the U.S.? Who else who is in league with the U.S. might also be able to influence these people outside the U.S.?

  25. Anonymous Coward
    Anonymous Coward

    Classified TV drama

    When they start co-ordinating program names like "Edgehill" and "Bull Run" for illegal snooping, you have to wonder if you're living in a worse than average Robert Ludlum novel or a 'hard hitting' ITV thriller for which they've pushed the boat out and hired Sean Bean.

    Given the undemocratic, illegal and unwarranted power this gives to a few unelected, unaccountable individuals, I doubt they'd even need black helicopters to cause chaos. Whatever Kleptocracy-by-coup they have in mind, I don't fancy it.

    1. Intractable Potsherd

      Re: Classified TV drama

      When I saw the codename of the GCHQ program is "Edgehill" I got worried. It was the first pitched battle in the English Civil War ... https://en.wikipedia.org/wiki/Battle_of_Edgehill

      1. Anonymous Coward
        Anonymous Coward

        Re: Classified TV drama

... as "Bull Run" was the first battle of the American Civil War. Either 'they' know who their real enemy is, or someone with a perverse sense of humour is pulling the tail of the propeller/tinfoil hatted and anyone else with the most tenuous grasp of history.

        It must all look very omniscient and testosteronally powerful now to the NSA + friends, but then I'm sure the Stasi felt that same sense of invulnerability before their files were opened. History has a habit of biting back in the long run.

  26. Anonymous Coward
    Anonymous Coward

    What I like about all this NSA & GCHQ fiasco is that PRISM has been used to destroy British jobs in favor of US jobs ... I know from reliable sources, top execs, that a big aircraft manufacturer has lost some deals due to PRISM intelligence ... the aircraft manufacturer employs Brits in the UK. It also makes the Brits look like traitors to other EU countries - not that most Brits really care.

    Sorry for the sad news, Tommies...

    1. Anonymous Coward
      Anonymous Coward

      that a big aircraft manufacturer has lost some deals due to PRISM intelligence

      What do you expect? Only a naive British politician would think that the special relationship was bidirectional. And Boeing is part of the MIC that Eisenhower warned about.

      Interesting how Ed Miliband can suddenly become popular by saying "no" to the Americans (who are now trying to humiliate us abroad). Given Farage jumping on the bandwagon (and then claiming to have started it) I do wonder whether anti-Americanism is going to spread from the Middle East to Britain, and feature in the next election.

  27. Anonymous Coward
    Anonymous Coward

    Skype

    I found it odd at the time that Microsoft spent so much on Skype. Did the NSA twist their arm a bit to bring it under US control?

    1. Dan 55 Silver badge

      Re: Skype

      eBay wasn't under US control?

      Although MS can do so much more with it (include it in everything).

  28. T. F. M. Reader

    Solutions?

    I never regarded, say, SSL as secure. Nothing that is based on trusting a third party - or a chain thereof - can be secure. Those third parties can be compromised. It sounds like *open source* PGP/GPG implementations are still secure (modulo heretofore unknown bugs), but only if you encrypt/decrypt on a completely air-gapped computer, sneakernet the encrypted stuff to/from a connected machine, and send/receive from there.

Even in that case the "adversaries" will still have the metadata. Given how few of your normal correspondents would be willing (or capable) to go through the hassle and never, ever break the routine, you - both of you - are likely to be flagged as "persons of interest" simply for adhering to the procedure.

    Exchanging keys securely will remain a problem.

    Travel will be very complicated, too - a new pair of computers each time you are stopped at Heathrow?

    Is there a way out at all besides dropping off the grid?

I repeat the assertion I think I made in these forums once or twice before: laws must be enacted - in those countries where there remains some semblance of an influence by citizens on lawmakers - to make wholesale surveillance without a specific target supported by a judicial warrant completely illegal and severely punishable. We should not be worried about the negative impact on terrorism prevention - terrorism is not a serious threat to begin with, and is incomparable with the threat to privacy that we are all facing.

    If anyone invents a way to read my mind from a distance that should be made illegal, too. I insist.

    1. arkhangelsk

      Re: Solutions?

We think along similar lines - the problem is that what's doing it is an agency. Even if you do somehow catch them, they would blur the lines of responsibility enough that you won't be able to identify one or a few people to indict, or if that starts to fail, in the best, best case they'll throw up some midrank guy senior enough to be vaguely plausible but not powerful enough to resist or be the Real Culprit (he's following orders himself).

      What do you think of my idea of making agencies truly accountable (as in actually making them bleed) for violations?

      1. T. F. M. Reader

        Re: Solutions?

        An agency cannot be sent to prison, obviously. I think we, as a society, should strive to create a moral and legal environment that will make wholesale surveillance unacceptable. I do think that most of the people at NSA and GCHQ are decent and moral, and I do think that they do a very important job for their countries. Quite a few of them could probably get high-paying jobs elsewhere but their somewhat old-fashioned but commendable values and loyalties tell them that their work is important and worthwhile.

        At the moment, the PRISMs and the Bullruns and the Edgehills are deemed perfectly legal and within the ambit of the agencies' chartered activities, and it is a big step indeed for people who are fundamentally loyal to their countries and their colleagues to betray the loyalty and the oaths and to break the law and do what Snowden did.

Now, the real problem with the wholesale hoovering up of the data and metadata is the possibility of abuse. Those possibilities are numerous, inevitable, and exist at different levels, from personal to political. Imagine that both the accepted morals and the laws say that if you - a government employee - engage in mass (or targeted, but unauthorized) collection of data (just gathering, not "collection" as defined by Mr Clapper) you are a crook breaking the law, and the agency responsible for national security is not supposed to do it because the activity is actually detrimental to the general security of society. I would hope that it would not be easy to engage in such illegal activities inside spy agencies most of whose employees are not crooks but decent, moral people.

        The above hope may be naive, but it seems to me to be the only hope. If the society and national security agencies are fundamentally indecent and immoral then off the grid we should go, don't you think?

  29. collinsl Bronze badge
    FAIL

    Ironic Much?

    To the bottom-right of this article is an ad for...

    GCHQ recruitment.

    Ironic much?

  30. Guillermo Lo Coco

    Do you remember when kernel.org went down ?

I'm starting to think about some intrusion & modification in some parts (rnd, crypto, ...) to make it in some way nsa-backdoored.

Such an attack would have been planned a long time before, to make sure md5 did not fail by revealing what was modified.

  31. Mystic Megabyte

    Paypal and Mailpile

    I presumed that PayPal was leaned on by the spooks to hinder the Mailpile project but in an update they have released the money.

    I will be looking for alternative payment methods regardless.

    http://arstechnica.com/business/2013/09/paypal-freezes-45000-of-mailpiles-crowdfunded-dollars/

    As for the NSA/GCHQ situation it all sounds good if you have an accountable government but not if a tyrant takes control. Then you will have the Gestapo with unlimited power to search for and locate you.

    The problem is that we do not really have accountable governments, it just appears to be.

  32. Anonymous Coward
    Anonymous Coward

    Who Exactly is Freaking Out About This?

I suppose a lot of people do care (I do), but to be honest this isn't exactly an issue my friends are discussing on Facebook. I wonder how much ordinary people feel affected by this? I get the impression most people (despite the media coverage) either think it is a good thing (& trust the government to use it to catch the bad guys) or don't know or care enough. I think you will find every country in the world does this on some level & that it has gone on for a long time. They would want to keep it secret but now it is out in the open I don't think the whole world is going paranoid. Actually there seems to have been rather a muted reaction (though it may be to do with the fact most British newspapers are ignoring it, either because of government request or because they're not as hysterical about it as the Guardian seems).

    1. Justicesays
      Megaphone

      Re: Who Exactly is Freaking Out About This?

      I'm not sure what country you live in.

From my POV, GCHQ, my own country's spy agency, knows that almost every COTS encryption used by the British Government, its commercial industries, and by influential people from every walk of life (including MPs) is worthless when used against the NSA (and anyone else who has discovered those back doors via leaks or investigation).

      In the meantime, the NSA watches on as the GCHQ develop the capability to hack large US providers.

      And then what?

Teams of Americans in the US spying wholesale on everyone of interest in the UK. If they spot any illegal activities by a pleb they flag that up to GCHQ who then go get a warrant (if they still need those). If what they spot is commercially sensitive or potential blackmail material on someone of importance, then they pass that on to the Department of Commerce, or squirrel it away for later use. After all, you never know when you might need a bit more leverage on a British MP (or PM).

And of course, let's have the GCHQ perform a similar role for the NSA, except that the GCHQ capability is much more limited and apparently not yet completed. And I'm guessing some quiet words have been had with people in positions of actual power in the US about what not to use. I'm not sure we can say the same about British MPs etc.

      Maybe the NSA revealed this on the proviso that GCHQ wouldn't tell anyone about it , but "promised" not to spy on any non-terrorists in the UK. And if the US gives you a dollar and a promise, well, at least you got a dollar.

      In summary, these spy agencies are colluding with each other to spy indirectly on their own citizens, and don't give a shit about the implications of this for their own citizens security. And as the relationship appears to be a lot more weighted towards the US, it's the UK that is getting screwed over the most.

      Next time we go to war with someone at the US's behest, ask yourself if that decision was influenced by some private bit of embarrassing data somewhere that would make sure someone would never be elected again if it came out.

      And of course you don't have to take the step of blackmailing people in most cases. If you feel someone might not be suitable in a certain position, and would likely go public to reveal the blackmail rather than roll over, then just leak the info anyway , to the press or their party/company. Then watch them vanish, leaving the way open for someone more palatable.

      1. ian 22

        Re: Who Exactly is Freaking Out About This?

        NSA and GCHQ colluding? See UKUSA (http://en.wikipedia.org/wiki/UKUSA_Agreement). This is old stuff, and almost obviated by the PATRIOT act.

  33. Rab Sssss

    well considering

that gathering electronic intel is their job, working on breaking encryption is something they should be doing.

This however in no way excuses abusing access, two different things.

  34. miket82

    McCarthy

    Here we go again.

  35. Arachnoid

    Yet despite all this

    The world still is a dangerous place so what actual real effect does this all have on real life?

  36. Grahame 2

    Bull Run & Edgehill - Civil War?

    Interesting choice of code names. Bull Run, major early battle of American Civil War. Edgehill, major early battle of English Civil War.

I think that gives us some insight into whom our respective intelligence agencies perceive as the enemy.

    1. This post has been deleted by its author

    2. David Pollard

      Re: Bull Run & Edgehill

      Does the use of Edge Hill as a codename imply that GCHQ only does partial decryption?

      http://www.urbandictionary.com/define.php?term=get%20off%20at%20edge%20hill

    3. Intractable Potsherd

      Re: Bull Run & Edgehill - Civil War?

      I'd spotted the Edgehill significance, but didn't know about Bullrun. Thanks for the information, though it doesn't make me any happier ...

  37. Michael Habel

    I find this about as much of a revelation that, the Sky is still Blue, and the NSA is spying on you.

    1. SD24576

      I guess the knowledge of backdoors in common encryption products etc does reiterate the importance and value of open source software.

  38. Wulfy

Private circuits

No such thing as private circuits. I've been to the main BT comms center and they were working on bypassing and monitoring secure traffic years back, and were quite proud they could see a lot of encrypted content and would happily hand over any data requested via the legal channels, so this stuff isn't new at all.

  39. Zot

    Neighbourhood has a 'u' in it.

    I thought this was a UK site?

    1. jake Silver badge

      @Zot (was: Re: Neighbourhood has a 'u' in it.)

      You thought wrong, but enjoy your bliss.

    2. This post has been deleted by its author

  40. M7S

    I think Infosec next year will be very interesting

as vendors of systems try to work out how to prove absolutely that their systems are compromised neither by design (collaboration/back door) nor theft (of the key, difficult at the best of times) nor cracking (insecure/defective standards etc). After all that's what they're trying to sell us so that we can assure our own bosses/customers that we as IT departments are being diligent.

    I expect to see an awful lot of "we would comply with any lawful request/court order and cannot comment further" type statements to be boilerplated onto their responses, which in light of recent articles should be treated with the contempt they deserve.

    Other interesting consequences of this might be that if the companies/products/technologies are named and (if appropriate) shamed, then as well as a possible drop in sales, there might be some legal actions for refunds from past customers or even possibly, if a key has been (as is alleged) stolen from a security product vendor by the NSA or at least obtained in a less than honest manner (I've no idea of the points to prove in the USA for their equivalent of theft) then maybe there will be a case by a vendor for damages against the NSA (even if only for "damage to reputation"), although given how retrospective legislation apparently allowed the warrantless wiretapping to be swept under the carpet, I'm not exactly holding my breath.

  41. John Smith 19 Gold badge
    Unhappy

    And yet still impossible to crack Sky Digital.

Seems like its developers knew WTF they were doing

    1. A J Stiles
      Coat

      Re: And yet still impossible to crack Sky Digital.

      Oh, it's possible alright. But everyone who ever did it somehow disappeared mysteriously.

  42. This post has been deleted by its author

  43. Anonymous Coward
    Anonymous Coward

    Trustwave were doing MITM commercially in 2012

F* knows how long the CAs have been doing it for gov/law enforcement

    http://www.theregister.co.uk/2012/02/09/tustwave_disavows_mitm_digital_cert/

    1. Anonymous Coward
      Thumb Down

      Re: Trustwave were doing MITM commercially in 2012

      I hesitate to say it, but I'd guess....day one.

  44. Anonymous Coward
    Anonymous Coward

    NSA inside (your INTEL)

Take a good look at this: http://semiaccurate.com/2012/05/15/intel-small-business-advantage-is-a-security-nightmare/ and I guess you can see who is behind all these good ideas.

  45. RTNavy

    Of course they would tell us they have us all "cracked", but they still can't find Waldo!
