“The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users’ private Web communications from eavesdropping. These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users.” Well. “And where once you had the freedom to object, think, and speak as you saw fit, you now have censors and systems of surveillance coercing your conformity and soliciting your submission.” When quoting a work of fiction befits the state of reality better than reality itself, shit has officially hit the fan.
At some point too much shit will accumulate and everything will explode, it’ll probably end in blood, as usual.
I think all of this will come to a head pretty quickly and congress will shut them down for now. Then some big attack will happen because “they” let it happen to prove their point, and then everything will kick back into high gear again since everyone will be ready to give up their freedoms for safety from the bad guys.
Terrorism is an evil word at every angle it seems.
Edited 2013-07-25 16:57 UTC
No one fears terrorism any more. Next attack will be environmental.
What do you mean by that?
Nice cut’n’paste from Slashdot there. Again.
?
You do understand that Slashdot links to the same article at Cnet, and copies the same intro, right? The rest of the item here is copied from a movie.
You really do not understand this? Seriously?
Wow, you think there are other editors lazier than slashdot’s? That’s like, a whole new level of laziness heretofore unknown to science. You could win a Nobel for that kind of a discovery.
It could simply be some shorthand or confusion in my reading of the article, but I don’t think it would make sense to approach Google or Microsoft for encryption keys. The really useful keys are the root signing keys held by the Certification Authorities such as Symantec (VeriSign). This would allow someone to perform the man-in-the-middle attacks discussed later on.
The article also mentions the use of SSL for GMail and Hotmail, which I think is also a red herring (since all this really protects is your email password, given the email will be relayed in cleartext).
Any data that’s sent to a company and that’s readable by that company is basically open to access by the authorities (e.g. with a warrant). I don’t think SSL/TLS was intended to solve this. The obvious solution for email is to use something like PGP/GnuPG.
They’re not giving up that easily:
http://www.informationweek.com/security/government/want-nsa-attenti…
Apparently, they are storing all encrypted communication indefinitely, so they can crack it later.
Edited 2013-07-25 17:53 UTC
That is why more and more companies are deploying:
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
Imagine the Americans if it was revealed that the Chinese government tried to do the same.
They probably are trying to do the same.
Oh, wait…
Everyone that is spazzing out about data protection … there is no way to collect this amount of data and properly analyse it.
Google has a better budget probably than the feds and they can’t do it effectively 100% of the time.
Data Mining is really complicated … Considering I worked for Government and large orgs, everyone is assuming everyone has a single purpose that aligns with the organisations is just unrealistic. Especially considering the number of people involved and the amount of data.
Edited 2013-07-25 20:36 UTC
Yes data mining is hard, if you want to glean information not directly on hand, such as trends, circles of influence and such. However, data mining is easy if you are just looking for dirt to smear someone’s reputation, or find them or someone they know. We have already seen data mining fail to stop an attack. The Boston bombers used cell phones to talk to Russia, had web presences and we still didn’t have a clue.
Well if it is used to smear then its (lack of) value would be obvious.
At this point, I have ZERO trust in the U.S. government to respect our privacy even in the slightest bit. Makes me disappointed to be a citizen of this clearly corrupt-at-the-core “representative democracy.” And you’ve got Obama and his administration, as well as other assholes in higher-up positions in government claiming that it’s all alright. And all they can give is downright bullshit: lies and an empty insistence that it is working great, and that now that the top-secret programs are public, we should just trust them to continue their sleazy business as usual.
We have officially shat on our Founding Fathers’ vision years ago, and the worst of it is only now being revealed thanks to Edward Snowden.
I’m seriously considering starting to use my own cryptography at some point, because it’s becoming clear that the encryption provided by big businesses for their services is about as good as nothing at all. As soon as the private key is known by the government, it is effectively good only for protection from regular, non-government hackers. At that point, you might as well just be communicating in the clear.
Edited 2013-07-25 23:04 UTC
Question is, what are you doing that’s so goddamn secretive? I’m not accusing you of anything; in fact, I bet the answer to that question is, probably nothing. As is the case for 99.9% of Americans. I’m not one to say “If you’re not doing anything wrong, you don’t have anything to hide”, but should I really be expected to give a shit if the government might have access to my grocery lists or exercise routines that I have stored in the cloud?
If I’m going to store anything sensitive in the cloud (which seems like a dumb idea on the face of it), I’m going to make sure that the only person who has the decryption key is me, and possibly whoever else I need to look at it. Then I don’t have to worry about the government looking at my stuff.
My grocery list is no one’s business but mine. If you are OK with the governments having access to all your data, how about remotely-controlled cameras and microphones in every room of your apartment or home?! That is also coming, I can hear it now, “Think of the children!”
I didn’t say I was ok with the government having access to all of my data. I said I don’t care if they have access to stuff I have posted online, because I don’t post stuff that I wouldn’t want them looking at. Doesn’t mean I’m HAPPY about it, but I don’t lose sleep over it either.
To use an analogy, when I’m at work, I might leave a pen unattended on my desk, because I really don’t care if it gets stolen. Does that mean that someone has the right to come and take it, or that I would be ok with them doing so? Of course not, esp if I bought it. But if somebody does take it, I’m not going to complain to HR and start going desk-to-desk to find out who took it.
Would I be as nonchalant about somebody taking a $500 Rolex off my desk, assuming I had one? Of course not. On the other hand, I wouldn’t leave something like that out on purpose, and then get pissed when somebody takes it. If I need to leave it at my desk, I lock it in a drawer. I tend to treat online data the same way. If you don’t want people (whether it be the government or somebody else), looking through your shit, don’t post it on somebody else’s server. THAT is the message we should be sending to people.
Edited 2013-07-26 00:44 UTC
It’s not that I desire total secrecy; if I did, I wouldn’t be using and posting this on a public message board right now. I just want people to keep their damn nose out of my business when they have no business peeking in there to begin with. The government, especially, has its own legal procedures–obtaining a warrant through probable cause–which it is supposed to have to go through. It shouldn’t just be sucking everything I do up and storing it for later decryption as it wants. That’s a blatant violation of the Constitution itself–it is supposed to be protecting us from this kind of government behavior.
When I go to Google and check my Gmail or do a web search over an SSL/TLS connection, I am *not* asking the government to butt in and spy on me. In fact, the encryption specifically means to keep out–no one has any business intercepting the communications on that channel or collecting it for future decryption. The simple fact is, I don’t really trust the U.S. government any more than just some random hacker, and they can keep themselves out of the picture.
Edited 2013-07-26 00:23 UTC
That’s true today but there are some extremely difficult times ahead. Governments around the world know it very well but by now it is simply impossible to avoid the turmoil.
Surveillance is a great tool for the government during such times so expect more of it. Internet is a great tool for the people – expect less, especially in p2p and freedom of information areas. We don’t know yet how these tools will be used against us in the future but I can assure you Soviets didn’t have them.
I feel like I say this all the time lately. Working in law enforcement, I have a unique perspective on the government and the public’s expectation of privacy. Basically, the law enforcement community loves it when an activity that was once considered legal is rendered illegal by the courts. That’s one more charge to add to the docket, one more source for probable cause. So, that online activity that you currently enjoy because it’s legal today might be used against you in the future, and if they have records of you doing it you can be sure it will be fuel for the fire.
It’s one of many reasons I’m looking forward to a career change very soon. I hate being a part of an establishment that views the people it is meant to protect as the enemy.
I applaud you for taking a personal stand; I think most people wouldn’t do that, blaming all the bad stuff on “others”.
WorkNMan: The problem isn’t what you’re doing now. It’s that they keep the info forever. Maybe someday you run for a political office. Maybe you stand for a platform that the mainstream group think doesn’t like. How many of us can say we have never done anything embarrassing? Or been involved with someone and the other person went a little off the deep end? Point is, the information gathered now that doesn’t matter may mean a great deal at some point in the future. It gives those collecting the information power to control anyone they want in the future. Saying that you have nothing worth collecting now is just short-sighted. I am sure Paula Deen didn’t think much about her comments when she made them either. Look how that came back to bite her in the ass.
That’s EXACTLY what I like about it. If it makes people think twice before doing or saying something incredibly stupid, I’m all for it.
The NSA is also now sending requests for password databases from large corps, along with algorithms, and salts. They want to store every password you ever used because people are creatures of habit. They know that you use the same password for a lot of stuff, and that cuts down on their decryption time.
Not that I don’t believe you, because it’s certainly plausible given all the revelations lately, but can you cite sources for that information? I’d love to read more about it.
Bush gives us the Patriot Act and Gitmo, and that wasn’t cool. Then Obama gave the impression he’d be different, but he’s not been so much, and that’s also not cool.
I swear, these guys must be getting into office, getting their secret terrorism briefing which is apparently telling them there’s a guy with a dirty bomb under every rock, and thus they must have any and all communications available to them to keep track of these gazillion terrorists that infest our land, right? Or is there a chance, just maybe, they’re blowing the threat out of proportion, maybe a smidge? And if not, is this heightened status of security supposed to be active until terrorism no longer exists? You really have to wonder.
Terrorism has existed since the first protohumans threatened each other over food and shelter hundreds of thousands of years ago. It is part of nature, and part of human nature, and it will never go away no matter how much we track and record and spy on one another.
The fact that the US government, my government, is using it as an excuse to poop all over the Constitution makes me sick. But there’s nothing I can do about it except sit back and watch the whole ship slowly go down.
This whole US eavesdropping of Internet by twisting US Web companies’ arms to protect US’s interests is slowly but surely starting to do the exact opposite: people will use more and more encrypted communications every time it’s possible and, even better, switch to Web services not under US companies’ ownership, a little bit more away from US control arm.
Nice job, guys, and thanks for pushing people away from the most US profitable economy field.
I have a hunch that for this tendency towards the ‘state of police’ to be stopped the only hope is that US companies in the IT sector start to lobby because of lost profits due to customers moving their businesses elsewhere, not because those-in-power get to realize that the surveillance mandate has gone too far (in constitutional terms).
Decentralize more and get rid of ICANN for good. There should never have been warrant for all this shit. And there should be no master key.