Breaking teh interwebz - NSA style

#1 Sep 06 2013 at 4:38 PM Rating: Decent
Scholar
***
1,323 posts
Unfortunately, Guardian (and NYT) decided not to publish the most interesting parts... i.e. which parts are irrevocably broken.

I know, I know, you guys are all cool with implants in your asses monitoring your moves 24/7, but I am curious to what extent you are cool with the basic foundation of the internet (trust) being broken beyond simple repair. NSA managed to insert itself into a standards-producing body, thus poisoning the entire security well. Any sensible security expert will tell you the simple truth that backdoors are typically a bad idea*.

Bad NSA, and even worse the engineers that participated in this.

*unless you are into that sort of thing, duh

____________________________
Your soul was made of fists.

Jar the Sam
#2 Sep 06 2013 at 4:40 PM Rating: Excellent
Avatar
******
29,919 posts
I have a computer monitor implanted in my ***. It saves time.
____________________________
Arch Duke Kaolian Drachensborn, lvl 95 Ranger, Unrest Server
Tech support forum | FAQ (Support) | Mobile Zam: http://m.zam.com (Premium only)
Forum Rules
#3 Sep 06 2013 at 4:42 PM Rating: Good
Scholar
***
1,323 posts
Dread Lörd Kaolian wrote:
I have a computer monitor implanted in my ***. It saves time.


Personally, at this point, whenever I get a new device, my first question always is: "does it do bjs?"
____________________________
Your soul was made of fists.

Jar the Sam
#4 Sep 06 2013 at 4:44 PM Rating: Excellent
Gave Up The D
Avatar
*****
12,281 posts
Whelp, time to EMP the planet and start over. Like hell am I having a monitor shoved in my ***; that may be Kao's thing but I prefer to have it where I don't have to bend around to see it, like in my urethra.
____________________________
Shaowstrike (Retired - FFXI)
91PUP/BLM 86SMN/BST 76DRK
Cooking/Fishing 100


"We don't just borrow words; on occasion, English has pursued other languages down alleyways to beat them unconscious and rifle their pockets for new vocabulary."
— James D. Nicoll
#5 Sep 06 2013 at 4:46 PM Rating: Decent
Meh. There's always sneakernet for the important stuffs.
#6 Sep 06 2013 at 4:48 PM Rating: Excellent
Avatar
******
29,919 posts
Shaowstrike the Shady wrote:
Whelp, time to EMP the planet and start over. Like hell am I having a monitor shoved in my ***; that may be Kao's thing but I prefer to have it where I don't have to bend around to see it, like in my urethra.


Nah see, it's a touchscreen, so I can ban spammers by eating beans and emitting gas at them! All the forum admins have them these days.
____________________________
Arch Duke Kaolian Drachensborn, lvl 95 Ranger, Unrest Server
Tech support forum | FAQ (Support) | Mobile Zam: http://m.zam.com (Premium only)
Forum Rules
#7 Sep 07 2013 at 1:24 PM Rating: Excellent
Avatar
*****
13,240 posts
So it's fair to say you fart in their general direction?

____________________________
Just as Planned.
#8 Sep 07 2013 at 1:48 PM Rating: Excellent
Avatar
******
29,919 posts
Only if their mother was a hamster.
____________________________
Arch Duke Kaolian Drachensborn, lvl 95 Ranger, Unrest Server
Tech support forum | FAQ (Support) | Mobile Zam: http://m.zam.com (Premium only)
Forum Rules
#9 Sep 08 2013 at 2:50 AM Rating: Default
The All Knowing
Avatar
*****
10,265 posts
BrownDuck wrote:
Meh. There's always sneakernet for the important stuffs.

Don't underestimate sneakernet.

#10 Sep 09 2013 at 7:11 AM Rating: Good
*******
50,767 posts
Dread Lörd Kaolian wrote:
Only if their mother was a hamster.
I've hidden the elderberries.
____________________________
George Carlin wrote:
I think it’s the duty of the comedian to find out where the line is drawn and cross it deliberately.
#11 Sep 09 2013 at 5:34 PM Rating: Default
Encyclopedia
******
35,568 posts
angrymnk wrote:
... I am curious to what extent you are cool with the basic foundation of the internet (trust) being broken beyond simple repair. NSA managed to insert itself into a standards-producing body, thus poisoning the entire security well. Any sensible security expert will tell you the simple truth that backdoors are typically a bad idea*.


/shrug

Kinda have to look at the historical aspects of this. For a long time there was *no* security in the internet anyway. Ultimately, this doesn't represent any reduction in security. If you encrypt data from point A and send it to point B and decrypt it, the NSA will still have problems cracking it. And for those in the know, the list of crypto not to use is well understood (but still often ignored). It really shouldn't be surprising at all that the generic encryption systems are just tough enough to be difficult for a small time cracker to break, but weak enough for an agency with sufficient resources to break it easily, nor that an agency like the NSA would be involved in arranging for that. Um... But honestly, if you understand how encryption standards follow technology advances, you'd realize that it doesn't take much for this to happen anyway. "Standard" encryption will always trail behind the ability to crack it. All that need happen is for governing bodies to *not* push vendors kicking and screaming into implementing new/better encryption. So no real surprise.

As to backdoors, I suspect that most people (including reporters at the Guardian and NYT) really don't understand what this means. It's a term that is usually taken to mean a specific thing, but actually refers to a broad set of things. I don't think they're talking about software backdoors here. That wouldn't give the NSA any real advantage anyway. I'd also not be terribly concerned about that anyway.

Edited, Sep 9th 2013 4:35pm by gbaji
____________________________
King Nobby wrote:
More words please
#12 Sep 09 2013 at 9:23 PM Rating: Decent
Scholar
***
1,323 posts
gbaji wrote:
angrymnk wrote:
... I am curious to what extent you are cool with the basic foundation of the internet (trust) being broken beyond simple repair. NSA managed to insert itself into a standards-producing body, thus poisoning the entire security well. Any sensible security expert will tell you the simple truth that backdoors are typically a bad idea*.


/shrug

Kinda have to look at the historical aspects of this. For a long time there was *no* security in the internet anyway. Ultimately, this doesn't represent any reduction in security. If you encrypt data from point A and send it to point B and decrypt it, the NSA will still have problems cracking it. And for those in the know, the list of crypto not to use is well understood (but still often ignored). It really shouldn't be surprising at all that the generic encryption systems are just tough enough to be difficult for a small time cracker to break, but weak enough for an agency with sufficient resources to break it easily, nor that an agency like the NSA would be involved in arranging for that. Um... But honestly, if you understand how encryption standards follow technology advances, you'd realize that it doesn't take much for this to happen anyway. "Standard" encryption will always trail behind the ability to crack it. All that need happen is for governing bodies to *not* push vendors kicking and screaming into implementing new/better encryption. So no real surprise.

As to backdoors, I suspect that most people (including reporters at the Guardian and NYT) really don't understand what this means. It's a term that is usually taken to mean a specific thing, but actually refers to a broad set of things. I don't think they're talking about software backdoors here. That wouldn't give the NSA any real advantage anyway. I'd also not be terribly concerned about that anyway.

Edited, Sep 9th 2013 4:35pm by gbaji


Dude, it took you twenty sentences to say you don't care. Good job.

To be perfectly honest, I am not quite sure if I can classify you as an apologist, poster child for Stockholm syndrome, serial rape victim, some combination of the three, or a highly educated dunce.

Let us start at the beginning. If you want to look at this from "historical" perspective I can recommend several books on the history of the internet. My personal favorite is "Who controls the internet? - illusions of the borderless world" by Jack Goldsmith. Read it and understand it; then we can talk what it was meant to be, what were its foundations, what it has become, and exactly how it is not undermined by the current set of revelations.

With that out of the way, understand this, while NSA does employ a record number of PhD mathematicians, and other rather intelligent people, you will be surprised, nay, astounded to know, that, out there, in the wild wild west of the non-NSA world other intelligent people exist. Scary, no? Your weird assumption that three letter agency analyst is, by default, smarter than anyone else on the planet just does not
Oh, I know you are going to hang onto the resources thing. True, it is a little hard to compete with a budget that dwarfs the one of NASA. Can't argue with you there. I would like to point something out however. Note that NSA actively undermined strong encryption standards. It obviously saw increased computing power available to the average Joe as a threat. Even NSA, even with its incredible budget, can't decrypt every single little thing, if everyone is doing it, and happens to use strong encryption... (vide Snowden).

Now, please make an attempt to understand my argument here. If everything is to be on the internet, and heavens knows the current trend seems to be pushing us in that direction, then strong, and I don't mean, break it when we really want to know, security is actually a good idea. Otherwise, it only takes one Snowden to take the card house down. Do you understand why security by obscurity, planted zero day exploits, back doors, and low encryption standards may not be such a good idea?

Because it then only takes one bad actor. And these days, when the damn IV systems are connected, I want some basic assurance that it can't just be taken over. You are telling me it is cool, because only the NSA has access to it.

In summation,

If you are not concerned, then:

A) you have no self-preservation instinct
B) you welcome your NSA regime ( separate rant, because only ****** would believe all that information would not be used for blackmail )
C) you are actively adjusting our world to that of Cyberpunk 2077 ( If that is your goal, then I salute you ).

K, I am going to bed. It was a long *** day.
____________________________
Your soul was made of fists.

Jar the Sam
#13 Sep 10 2013 at 7:39 AM Rating: Excellent
*******
50,767 posts
angrymnk wrote:
Dude, it took you twenty sentences to say you don't care. Good job.
Took you like forty to say nuh uh.
____________________________
George Carlin wrote:
I think it’s the duty of the comedian to find out where the line is drawn and cross it deliberately.
#14 Sep 10 2013 at 3:16 PM Rating: Decent
Encyclopedia
******
35,568 posts
angrymnk wrote:
Let us start at the beginning. If you want to look at this from "historical" perspective I can recommend several books on the history of the internet. My personal favorite is "Who controls the internet? - illusions of the borderless world" by Jack Goldsmith. Read it and understand it; then we can talk what it was meant to be, what were its foundations, what it has become, and exactly how it is not undermined by the current set of revelations.


You're kidding, right? I think I'll stick to actual books that discuss actual security tools and cryptography and how they're used within a digital communications framework. Or, I don't know, I'll bring it up the next time I'm in a meeting and the topic of securing networks and data happens to come up among a group of people who do that for a living.

Quote:
With that out of the way, understand this, while NSA does employ a record number of PhD mathematicians, and other rather intelligent people, you will be surprised, nay, astounded to know, that, out there, in the wild wild west of the non-NSA world other intelligent people exist. Scary, no? Your weird assumption that three letter agency analyst is, by default, smarter than anyone else on the planet just does not


I didn't say that the NSA employs the smartest people. I said they have the most resources. I know that there's a common perception of the "genius hacker" who can bypass security protocols in seconds because he's just that good. Um... That's not how it works. Maybe in the movies or on TV, but in the real world, it's about spending time and resources to gain access. Smarts are important, and understanding what the hell you're doing is important, but none of those really help you if you don't have the resources to use. That means the right tools, knowledge, and with regard to the kind of high level security stuff we're talking about, significant resources.

There are a host of encryption technologies that are "broken" in the sense that they are crackable (DES is a great initial example). But that's really a relative statement. Crackable means "crackable in a useful amount of time using available computer resources". Your average hacker sitting in his parents basement isn't going to spend several billion dollars on a cpu farm so he can break "tough" encryption in a useful time (that's what's meant by "near real time" btw). The value of reading someone's email, or hacking their online accounts isn't worth the money you'd have to spend to do it.

But when the goal isn't money, the whole picture changes. The NSA can spend billions (or tens of billions) of dollars on the kinds of resources and tools needed to break most encryption in a reasonable amount of time (most of the time). And they'll spend millions more on their version of "social hacking" (which is any method used to get companies to provide them with information).

Quote:
Oh, I know you are going to hang onto the resources thing.


Duh.

Quote:
True, it is a little hard to compete with a budget that dwarfs the one of NASA. Can't argue with you there. I would like to point something out however. Note that NSA actively undermined strong encryption standards. It obviously saw increased computing power available to the average Joe as a threat. Even NSA, even with its incredible budget, can't decrypt every single little thing, if everyone is doing it, and happens to use strong encryption... (vide Snowden).


This is where the /shrug part comes in. Undermining strong encryption standards is a matter of opinion and perception. There is nothing preventing anyone from encrypting their own email with something stronger than what MS or Google uses by default. I get that by influencing standards, they can ensure that they're "just weak enough", and I said as much above. The problem is that this likely would happen even if the NSA didn't get involved. Security and usability are always at odds with each other. The more secure you make something, the less convenient it is to the customer, the more expensive it is, the more time it takes, etc. The standards in use today are the result of decades of compromise decisions within the industry. And if you knew just how silly some of the reasons for those compromises are, you'd laugh at the idea that the NSA had to do more than a bit of subtle nudging to accomplish such a thing.

Quote:
Now, please make an attempt to understand my argument here. If everything is to be on the internet, and heavens knows the current trend seems to be pushing us in that direction, then strong, and I don't mean, break it when we really want to know, security is actually a good idea. Otherwise, it only takes one Snowden to take the card house down. Do you understand why security by obscurity, planted zero day exploits, back doors, and low encryption standards may not be such a good idea?


Um... That's a great theory, but it has never been true. The one thing that every network security expert will tell you is that there's no such thing as a secure network. If you don't want something to be learned, don't put it on a network. Period. The choice is *always* about the value of securing data versus the value of it being usefully accessible. I'm directly involved in dealing with this exact issue with regards to the security of company IP versus the needs of allowing foreign consultants to be able to work on products that use that IP. It's a monetary consideration. How much do we risk losing if we don't meet a production time table versus (in this case) the risk that China will be able to steal enough information and be able to use it to help one of their companies catch up?

It's never a question of 100% security, but an assessment of relative risk and cost. So yeah, I laugh when folks try applying the reality of how and why our networks are secured against the actions of a government agency acting without regard to dollar costs.


Quote:
You are telling me it is cool, because only the NSA has access to it.


No. I'm telling you that it's cool because the security only has to good enough to make the cost of doing something higher than the value of doing that thing. The NSA doesn't care about cost, but it's also not seeking to steal the money in your bank account. And how much does a bullet cost? If someone wants to kill you, aren't there much easier ways to go about it than hacking your pacemaker?

You need to stop thinking that the real world works like bad film plots.

Edited, Sep 10th 2013 2:16pm by gbaji
____________________________
King Nobby wrote:
More words please
#15 Sep 10 2013 at 5:51 PM Rating: Decent
Scholar
***
1,323 posts
lolgaxe wrote:
angrymnk wrote:
Dude, it took you twenty sentences to say you don't care. Good job.
Took you like forty to say nuh uh.


I am competitive by nature. Not even Gbaji out-gbajis me.
____________________________
Your soul was made of fists.

Jar the Sam
#16 Sep 10 2013 at 6:41 PM Rating: Decent
Scholar
***
1,323 posts
Quote:
angrymnk wrote:
Let us start at the beginning. If you want to look at this from "historical" perspective I can recommend several books on the history of the internet. My personal favorite is "Who controls the internet? - illusions of the borderless world" by Jack Goldsmith. Read it and understand it; then we can talk what it was meant to be, what were its foundations, what it has become, and exactly how it is not undermined by the current set of revelations.


You're kidding, right? I think I'll stick to actual books that discuss actual security tools and cryptography and how they're used within a digital communications framework. Or, I don't know, I'll bring it up the next time I'm in a meeting and the topic of securing networks and data happens to come up among a group of people who do that for a living.


I am never kidding; ever. Before you can discuss cryptography and security, mr fancy-pants, who, no doubt, meets software engineers and security analysts on working lunches on a daily basis, should maybe, just maybe, consider the possibility that before mr fancy-pants can discuss said problems mr fancy-pants could, and I do mean could, consider learning some basic information about the subject at hand. Based on your previous responses, I was not sure you did.

If you did and chose not to disclose it, touché, I, for one, was fooled.

Quote:
But when the goal isn't money, the whole picture changes.

Quote:
The NSA doesn't care about cost, but it's also not seeking to steal the money in your bank accoun


For once you are not wrong; well, not completely wrong. The goal is, obviously, nothing as mundane as money. Pfui -- only plebs worry about those. The object is information, and its derivative, power.

Quote:

This is where the /shrug part comes in. Undermining strong encryption standards is a matter of opinion and perception. There is nothing preventing anyone from encrypting their own email with something stronger than what MS or Google uses by default.


I guess it is my turn to go into "are you serious?" mode. I am not sure how young/old you are (depending on your philosophical bent), but I am sure a security expert such as yourself remembers the problems and legal hurdles the US government was creating for the PGP creator. There is the might of the government telling you you can't encrypt anything we can't decrypt. So what were you saying about nothing preventing me? Oh, you mean nothing stopping me from using tools that have been rendered less useful?

Quote:
Quote:
The standards in use today are the result of decades of compromise decisions within the industry. And if you knew just how silly some of the reasons for those compromises are, you'd laugh at the idea that the NSA had to do more than a bit of subtle nudging to accomplish such a thing.


Here you are correct. I know. The main reason I know is the same reason most people know: real life manifestation of Dilbert principles (and immediate cost). I could tell you stories, but I don't want to bore everyone more than is strictly necessary.

Quote:
Now, please make an attempt to understand my argument here. If everything is to be on the internet, and heavens knows the current trend seems to be pushing us in that direction, then strong, and I don't mean, break it when we really want to know, security is actually a good idea. Otherwise, it only takes one Snowden to take the card house down. Do you understand why security by obscurity, planted zero day exploits, back doors, and low encryption standards may not be such a good idea?


Um... That's a great theory, but it has never been true. The one thing that every network security expert will tell you is that there's no such thing as a secure network. If you don't want something to be learned, don't put it on a network. Period. The choice is *always* about the value of securing data versus the value of it being usefully accessible. I'm directly involved in dealing with this exact issue with regards to the security of company IP versus the needs of allowing foreign consultants to be able to work on products that use that IP. It's a monetary consideration. How much do we risk losing if we don't meet a production time table versus (in this case) the risk that China will be able to steal enough information and be able to use it to help one of their companies catch up?

It's never a question of 100% security, but an assessment of relative risk and cost. So yeah, I laugh when folks try applying the reality of how and why our networks are secured against the actions of a government agency acting without regard to dollar costs.


Huh? I am not sure if you are deliberately misrepresenting my argument, misunderstanding it, or if you are carrying on a different conversation on a similar subject. I have not said anything about making a bullet-proof network. I am arguing against making it vulnerable BY DESIGN. Do you see the difference? I am sure you do because in the very next sentence you paraphrase what I said... i.e. don't put everything on the internet.

And last, but most certainly not least,
Quote:
but it has never been true
portion of your post. Never is a very long time. Unless you have some weird understanding of my "theory", the last time 'never' happened was when Snowden showed up. I can only assume you didn't communicate your point clearly enough for me to comprehend. Please try again. Remember, I am most definitely not a security expert; not completely unlike you.

Quote:
So yeah, I laugh when folks try applying the reality of how and why our networks are secured against the actions of a government agency acting without regard to dollar costs


If I am understanding you right.. you laugh because desperate laughter of a rape victim is certainly better than tears? Help me out here.

Quote:
You need to stop thinking that the real world works like bad film plots.


You will laugh, but maybe the problem is I do not watch enough movies.

But this is beside the point because, and pay attention here since it might just open your mind a little, life does not care whether the plot is good. Life does not care about the actors, extras, or even, gasp, the audience. Just because it sounds like something from a bad movie does not make it any less true ( if it is true ).

In other words, not bad for first effort. Rewrite and try again.
____________________________
Your soul was made of fists.

Jar the Sam
#17 Sep 10 2013 at 7:47 PM Rating: Good
GBATE!! Never saw it coming
Avatar
****
9,957 posts
I don't know how to break this to you angrymnk, so I'll just say it.









gbaji knows literally 200x more about everything than the rest of us.


It's true because I read it on the internet.
____________________________
remorajunbao wrote:
One day I'm going to fly to Canada and open the curtains in your office.

#18 Sep 10 2013 at 8:01 PM Rating: Decent
Scholar
***
1,323 posts
Friar Bijou wrote:
I don't know how to break this to you angrymnk, so I'll just say it.









gbaji knows literally 200x more about everything than the rest of us.


It's true because I read it on the internet.


Doh, why didn't nobody warn me? That's just mean.
____________________________
Your soul was made of fists.

Jar the Sam
#19 Sep 10 2013 at 8:40 PM Rating: Decent
Encyclopedia
******
35,568 posts
angrymnk wrote:
I am never kidding; ever. Before you can discuss cryptography and security, mr fancy-pants, who, no doubt, meets software engineers and security analysts on working lunches on a daily basis, should maybe, just maybe, consider the possibility that before mr fancy-pants can discuss said problems mr fancy-pants could, and I do mean could, consider learning some basic information about the subject at hand. Based on your previous responses, I was not sure you did.


I was talking about your choice of book to read to learn about the history of the internet and how security protocols get established. I happen to think you have it backwards though. One should start by understanding how packet based networks actually work, then how encryption works, then how to apply encryption to said packet based networks, and *then* you can start looking at the political side of things and assessing whether there's something horrible going on. Starting with the conspiracy and then working backwards is, well... backwards.

Quote:
If you did and chose not to disclose it, touché, I, for one, was fooled.


I'm sorry. I wasn't aware I was supposed to provide a resume before posting. I thought that merely pointing out that one should actually understand the technology *first* before trying to figure out if it's being applied correctly or manipulated for some nefarious plot would have indicated that I actually do know a bit about this. And frankly, your recommended reading suggests that you *don't*.

Quote:
For once you are not wrong; well, not completely wrong. The goal is, obviously, nothing as mundane as money. Pfui -- only plebs worry about those. The object is information, and its derivative, power.


Which is no different today than it has ever been. Again... /shrug

Quote:
I guess it is my turn to go into "are you serious?" mode. I am not sure how young/old you are (depending on your philosophical bent), but I am sure a security expert such as yourself remembers the problems and legal hurdles the US government was creating for the PGP creator.


None of which prevented a single person from actually using it though. Attempts to stop the spread of encryption were a joke then and are a joke now. And it ultimately had very little to do with preventing private parties from using encryption, and more to do with outdated laws being applied in inconsistent and really ridiculous ways.

Quote:
There is the might of the government telling you you can't encrypt anything we can't decrypt. So what were you saying about nothing preventing me? Oh, you mean nothing stopping me from using tools that have been rendered less useful?


Er? Strong encryption is readily available. More available than ever before. So if anything the trend is towards folks having the capability of more privacy. The problem is that, as many actual security experts have predicted time and time again, people choose not to use it. They do so, not because of some evil government schemes to make sure they can read your emails, but because it's easier not to. Hell, if it weren't for governments actually passing some regulations on the industry, most people wouldn't use encryption for anything at all. So complaining that the weak encryption we have in the default applications out there is some kind of plot by the government really is silly.

Quote:
Here you are correct. I know. The main reason I know is the same reason most people know: real life manifestation of Dilbert principles (and immediate cost). I could tell you stories, but I don't want to bore everyone more than is strictly necessary.


I literally had a conversation with a principal engineer here just yesterday in which he was trying to argue that I should add a modification to everyone's login to a set of systems such that it would allow anyone else to be able to connect to their session without their permission and completely bypassing any password that user may have set. He was seriously arguing this. Without going into the details of why, his reasoning was purely about convenience (saving a couple minutes on these systems under certain conditions). I had to explain to him that this was in complete violation of our emedia policy, not to mention a direct violation of a number of legally binding documents I have to sign in order to have the authority to make this kind of system/account level change in the first place. If I were to do such a thing, I'd be lucky to *only* lose my job.

Point is that I had to argue this with him for quite some time before he agreed to let me find another solution to the problem he was running into. Most people put convenience ahead of security. Even when they should know better. It's what social networking is about as well btw. You don't need the NSA to do that. Just give people the option to hand their information over, and most will do it. Give people the choice to use a 4 digit or 10 digit pin on their ATM card, and want to bet what most will ask for? Give them a choice of numbers only, or numbers and letters, and guess what they'll pick?

Hell. Look at this picture. It's a keypad access to a car, right? Stop and think about it for a moment. It's got 5 buttons. Ask yourself why the buttons are labeled "1-2", "3-4", "5-6", "7-8", "9-0", instead of just 1, 2, 3, 4, 5? It's still just a combination of 5 keys, yet they labeled them such that the keys can represent any number in our decimal system. There's only one reason to do this and that's to allow people to use numbers that are significant to them, but which might require the numbers 6 through 0 instead of just 1-5. Um... Which is precisely what you're not supposed to do when picking a security code, right? Are the car companies intentionally wanting people to use less security? Cause that's the argument you're making with regard to the NSA.

Car companies design the keypads that way because even though they know they promote less security, they also know that customers want them. Customers want to be able to use their birthday, or whatever as their code, and keypads which don't provide this less secure functionality will lose out in the market versus ones that do. My point is that the average person demands a less secure environment if more security means less convenience or ease of use. Not just the average person, the overwhelming majority of people.

Again, the NSA doesn't have to do anything except *not* impose stronger standards. The people will tend to pick the least secure methods that do "just enough" to prevent just anyone from hacking into their stuff. Why? Because it's not worth their time and effort to do more. And the companies which make the operating systems, and web servers, and all that other stuff know this. And they know that if they attempt to impose stronger security, they will lose customers to the guy that uses the simplest, weakest, but easiest to use solution. Doesn't take a government conspiracy for this to happen.

Quote:
Huh? I am not sure if you are deliberately misrepresenting my argument, misunderstanding it, or if you are carrying on a different conversation on a similar subject. I have not said anything about making a bullet-proof network. I am arguing against making it vulnerable BY DESIGN. Do you see the difference? I am sure you do because in the very next sentence you paraphrase what I said... ie. don't put everything on the internet.


And as I said (but was apparently the one part of my post you didn't respond to), it's a matter of opinion and perspective. What is "vulnerable by design"? So if I currently have a network connection that uses zero encryption, and I implement a weak but easy to use encryption, but I could have used a much stronger, but harder to use/implement one, is my connection "vulnerable by design"? Depends on how you look at it, right? Technically, since it was designed, then every aspect of it is "by design". The question is whether the intent was to make it less secure than it could have been, or if I decided that it's "secure enough" for whatever data I'm transmitting along that connection.

Which is why I talked at length about relative costs. Convenience versus security.

Quote:
And last, but most certainly not least,
Quote:
but it has never been true
portion of your post. Never is a very long time. Unless you have some weird understanding of my "theory", the last time 'never' happened was when Snowden showed up. I can only assume you didn't communicate your point clearly enough for me to comprehend. Please try again. Remember, I am most definitely not a security expert; not completely unlike you.


I was referring to the fact that we have never had secure networks, so the idea that we're somehow "less secure" today is ridiculous. You're basically arguing reality against a possible alternative which never happened, but passing it off like we somehow moved in the wrong direction. As if somehow passing regulations which mandate X security level (instead of zero) is really making us less secure because they could have mandated something better. And then lumping in a bunch of conspiracy theories to create a sinister motivation behind all of it.

I don't doubt for one moment that the NSA does have an interest in encouraging weak encryption around the world. I just question the degree to which they've actually had to work to make that happen. People will do this all on their own. You actually have to almost force them kicking and screaming to *not* use insecure methods.

Edited, Sep 10th 2013 8:54pm by gbaji
____________________________
King Nobby wrote:
More words please
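An added illustration of the keypad point in the post above (example code, not from the thread or from any car manufacturer): it maps decimal codes onto the five paired buttons described, counts how many codes such a lock can actually tell apart, and lists the other codes that press the same buttons. The button labelling is the one the post describes; the sample PINs are constructed.

```python
"""Effective key space of a paired-label keypad.

Added illustration, not code from the thread. It models a five-button
keypad whose buttons are labelled "1-2", "3-4", "5-6", "7-8" and "9-0"
(the layout described in the post) and shows how the labelling shrinks
the space of distinguishable codes. All PIN samples are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from itertools import product

# Each decimal digit maps to the physical button (0-4) that carries it.
BUTTON_OF_DIGIT = {
    "1": 0, "2": 0,
    "3": 1, "4": 1,
    "5": 2, "6": 2,
    "7": 3, "8": 3,
    "9": 4, "0": 4,
}


def button_sequence(code: str) -> tuple[int, ...]:
    """Translate a decimal code into the sequence of buttons actually pressed."""
    if not code or any(ch not in BUTTON_OF_DIGIT for ch in code):
        raise ValueError("code must be a non-empty string of decimal digits")
    return tuple(BUTTON_OF_DIGIT[ch] for ch in code)


def equivalent_codes(code: str) -> set[str]:
    """All decimal codes that press the same buttons as `code`.

    Every one of them is accepted by the lock, because the lock only ever
    sees the button sequence, never the digits the user had in mind.
    """
    seq = button_sequence(code)
    digits_on_button: dict[int, list[str]] = defaultdict(list)
    for digit, btn in BUTTON_OF_DIGIT.items():
        digits_on_button[btn].append(digit)
    return {"".join(p) for p in product(*(digits_on_button[b] for b in seq))}


def distinguishable_codes(length: int) -> int:
    """Number of codes of the given length the lock can actually tell apart."""
    buttons = len(set(BUTTON_OF_DIGIT.values()))
    return buttons ** length


def decimal_codes(length: int) -> int:
    """Number of codes of the given length the user believes they chose from."""
    return 10 ** length


def collision_groups(codes: list[str]) -> dict[tuple[int, ...], list[str]]:
    """Group user PINs by button sequence; a group of size > 1 is a collision."""
    groups: dict[tuple[int, ...], list[str]] = defaultdict(list)
    for c in codes:
        groups[button_sequence(c)].append(c)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for n in (4, 5):
        print(f"{n}-digit codes: {decimal_codes(n)} decimal values, "
              f"{distinguishable_codes(n)} distinguishable button sequences")
    # Constructed sample: two birthday-style PINs that the lock cannot tell apart.
    print(collision_groups(["1234", "2143", "0987", "5678"]))
    print(sorted(equivalent_codes("1234")))
```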
#20 Sep 10 2013 at 9:03 PM Rating: Good
Lunatic
******
30,086 posts
Quote:
As to backdoors, I suspect that most people (including reporters at the Guardian and NYT) really don't understand what this means. It's a term that is usually taken to mean a specific thing, but actually refers to a broad set of things. I don't think they're talking about software backdoors here.

You would be incorrect.


Quote:
That wouldn't give the NSA any real advantage anyway.

Once again, you would be incorrect.


Quote:
I'd also not be terribly concerned about that anyway.

Obviously not, you have a great handle on the NSA's technical capabilities and limitations and can easily avoid their efforts at invading your privacy should they choose to attempt to do so. Or you're an idiot. One of those two statements is clearly true.
____________________________
Disclaimer:

To make a long story short, I don't take any responsibility for anything I post here. It's not news, it's not truth, it's not serious. It's parody. It's satire. It's bitter. It's angsty. Your mother's a *****. You like to jack off dogs. That's right, you heard me. You like to grab that dog by the bone and rub it like a ski pole. Your dad? Gay. Your priest? Straight. **** off and let me post. It's not true, it's all in good fun. Now go away.

#21 Sep 10 2013 at 10:19 PM Rating: Default
Encyclopedia
******
35,568 posts
Smasharoo wrote:
As to backdoors, I suspect that most people (including reporters at the Guardian and NYT) really don't understand what this means. It's a term that is usually taken to mean a specific thing, but actually refers to a broad set of things. I don't think they're talking about software backdoors here.

You would be incorrect.


Um... I realize that my use of pronouns wasn't clear, but while I'm sure "they" (the writers at the Guardian and NYT) were talking about software backdoors, "they" (the NSA) weren't talking about them with regard to their documents referring to means of obtaining data from networks in near real time. "They" (the NSA) were almost certainly referring to hardware taps into the backbone systems and physical encrypt/decrypt boxes used for point to point communications by large network users and not software backdoors in the latest version of office or something. "They" (the NSA again) aren't hacking into your home computer and rummaging around. What "they" are almost certainly doing is slurping up every bit of data that passes through a network link between the points at which they are encrypted for transmission and are decrypted at the other end and routing it to their own server farms.


Almost all large scale data companies (like google for instance) use hardware based encryption to secure data passing through their own WAN. It allows them to treat data crossing "public" network links as though it's internal to their own firewalls. Thus, there's very little reason to expend the effort to additionally encrypt the data moving across those links (beyond the stock relatively easy to crack with enough cpu time methods of course). And there are only a handful of companies that make those devices (honestly I think it's like three?). And it doesn't matter anyway, because these are typically installed and maintained by the backbone providers themselves. So you pay them for a point to point link and they provide the secure routers and physical hookups for that link. More or less exactly like how you pay for your cable company to run a cable to your house and put a cable box in so you can access their content (ok, not exactly, but you get the picture).

As more people use online services for everything from backing up their data, to handling their phone services, to looking up directions on their GPS device, those data services become central hubs for everything we do, even if we don't directly realize we're using them. When you place an order with Amazon for something, you may think that the connection between your web browser and their POS system is secure, and honestly it might be, but that's not the point. Amazon then internally manages your request within its own network, and makes backups, and otherwise moves every detail about what you did around multiple times behind the scenes.

That's how you grab large amounts of data. And it works for the NSA largely because the US is where most people put their data (or at least deal with US domained companies, which amounts to the same thing). Putting backdoors into every software tool and/or security protocol is the dumb way to do it that someone who doesn't think things through would come up with. It's too small scale really. But it's much easier to scare people about whether or not using https means their bank transaction is secure, than explain that this is only really a concern versus someone trying to steal your money and is not how the NSA would do it, nor would they have any reason to need to make that particular part of the equation less secure.


Quote:
That wouldn't give the NSA any real advantage anyway.

Once again, you would be incorrect.


No. I'd be correct. The only thing intentionally creating software backdoors and exploits in commercial software would do is maximize the likelihood that someone would notice this and cause all sorts of problems. This is precisely why we're hearing about this only because some guy who worked at the NSA leaked some documents that speak in really broad terms about gaining lots of data, and actually specifically says not to ask how, instead of some code monkey somewhere going "hey! I found this horrific exploit in 500 different software applications out there, and I traced the network calls using these exploits on a massive scale to this large and suspiciously government looking data farm...". Because that's what would happen if NSA were actually trying to access that volume of data using software backdoors.
#22 Sep 11 2013 at 4:43 AM Rating: Good
Lunatic
******
30,086 posts
The only thing intentionally creating software backdoors and exploits in commercial software would do is maximize the likelihood that someone would notice this and cause all sorts of problems. This is precisely why we're hearing about this only because some guy who worked at the NSA leaked some documents that speak in really broad terms about gaining lots of data, and actually specifically says not to ask how, instead of some code monkey somewhere going "hey! I found this horrific exploit in 500 different software applications out there, and I traced the network calls using these exploits on a massive scale to this large and suspiciously government looking data farm...". Because that's what would happen if NSA were actually trying to access that volume of data using software backdoors.

You don't write code, do you? That's just dawning on me now from reading this. It's not part of your job, is it? You do some other admin thing that doesn't involve programming. We knew you weren't an engineer via your complete misunderstanding of logic, but I'd assumed that part of what you did involved creating software. I can see now that this is impossible. You learned some small amount of something along the way, in school, perhaps, but there is no way you could possibly be this ignorant and still have a job involving actual programming.

Thanks for the revelation, and good luck with your PowerPoint making, or fixing printers, or whatever it is you actually do.

#23 Sep 11 2013 at 5:43 AM Rating: Good
Soulless Internet Tiger
******
35,474 posts
gbaji wrote:
Starting with the conspiracy and then working backwards is, well... backwards.
Sound advice. Try it sometime.
____________________________
Donate. One day it could be your family.


An invasion of armies can be resisted, but not an idea whose time has come. Victor Hugo

#24 Sep 11 2013 at 6:25 AM Rating: Decent
Scholar
***
1,323 posts
gbaji wrote:
angrymnk wrote:
I am never kidding; ever. Before you can discuss cryptography and security, mr fancy-pants, who, no doubt, meets software engineers and security analysts on working lunches on a daily basis, should maybe, just maybe, consider the possibility that before mr fancy-pants can discuss said problems mr fancy-pants could, and I do mean could, consider learning some basic information about the subject at hand. Based on your previous responses, I was not sure you did.


I was talking about your choice of book to read to learn about the history of the internet and how security protocols get established. I happen to think you have it backwards though. One should start by understanding how packet based networks actually work, then how encryption works, then how to apply encryption to said packet based networks, and *then* you can start looking at the political side of things and assessing whether there's something horrible going on. Starting with the conspiracy and then working backwards is, well... backwards.

Quote:
If you did and chose not to disclose it, touché; I, for one, was fooled.


I'm sorry. I wasn't aware I was supposed to provide a resume before posting. I thought that merely pointing out that one should actually understand the technology *first* before trying to figure out if it's being applied correctly or manipulated for some nefarious plot would have indicated that I actually do know a bit about this. And frankly, your recommended reading suggests that you *don't*.

Quote:
For once you are not wrong; well, not completely wrong. The goal is, obviously, nothing as mundane as money. Pfui -- only plebs worry about that. The object is information, and its derivative, power.


Which is no different today than it has ever been. Again... /shrug

Quote:
I guess it is my turn to go into "are you serious?" mode. I am not sure how young/old you are ( depending on your philosophical bent ), but I am sure a security expert such as yourself remembers the problems and legal hurdles the US government was creating for PGP's creator.


None of which prevented a single person from actually using it though. Attempts to stop the spread of encryption were a joke then and are a joke now. And it ultimately had very little to do with preventing private parties from using encryption, and more to do with outdated laws being applied in inconsistent and really ridiculous ways.

Quote:
There is the might of the government telling you that you can't encrypt anything they can't decrypt. So what were you saying about nothing preventing me? Oh, you mean nothing stopping me from using tools that have been rendered less useful?


Er? Strong encryption is readily available. More available than ever before. So if anything the trend is towards folks having the capability of more privacy. The problem is that, as many actual security experts have predicted time and time again, people choose not to use it. They do so, not because of some evil government scheme to make sure they can read your emails, but because it's easier not to. Hell, if it weren't for governments actually passing some regulations on the industry, most people wouldn't use encryption for anything at all. So complaining that the weak encryption we have in the default applications out there is some kind of plot by the government really is silly.

Quote:
Here you are correct. I know. The main reason I know is because of the same reason most people know: real life manifestation of Dilbert principles ( and immediate cost). I could tell you stories, but I don't want to bore everyone more than is strictly necessary.


I literally had a conversation with a principal engineer here just yesterday in which he was trying to argue that I should add a modification to everyone's login to a set of systems such that it would allow anyone else to be able to connect to their session without their permission and completely bypassing any password that user may have set. He was seriously arguing this. Without going into the details of why, his reasoning was purely about convenience (saving a couple of minutes on these systems under certain conditions). I had to explain to him that this was in complete violation of our emedia policy, not to mention a direct violation of a number of legally binding documents I have to sign in order to have the authority to make this kind of system/account level change in the first place. If I were to do such a thing, I'd be lucky to *only* lose my job.

Point is that I had to argue this with him for quite some time before he agreed to let me find another solution to the problem he was running into. Most people put convenience ahead of security. Even when they should know better. It's what social networking is about as well btw. You don't need the NSA to do that. Just give people the option to hand their information over, and most will do it. Give people the choice to use a 4 digit or 10 digit pin on their ATM card, and want to bet what most will ask for? Give them a choice of numbers only, or numbers and letters, and guess what they'll pick?

Hell. Look at this picture. It's a keypad access to a car, right? Stop and think about it for a moment. It's got 5 buttons. Ask yourself why the buttons are labeled "1-2", "3-4", "5-6", "7-8", "9-0", instead of just 1, 2, 3, 4, 5? It's still just a combination of 5 keys, yet they labeled them such that the keys can represent any number in our decimal system. There's only one reason to do this and that's to allow people to use numbers that are significant to them, but which might require the numbers 6 through 0 instead of just 1-5. Um... Which is precisely what you're not supposed to do when picking a security code, right? Are the car companies intentionally wanting people to use less security? Cause that's the argument you're making with regard to the NSA.

Car companies design the keypads that way because even though they know they promote less security, they also know that customers want them. Customers want to be able to use their birthday, or whatever as their code, and keypads which don't provide this less secure functionality will lose out in the market versus ones that do. My point is that the average person demands a less secure environment if more security means less convenience or ease of use. Not just the average person, the overwhelming majority of people.

Again, the NSA doesn't have to do anything except *not* impose stronger standards. The people will tend to pick the least secure methods that do "just enough" to prevent just anyone from hacking into their stuff. Why? Because it's not worth their time and effort to do more. And the companies which make the operating systems, and web servers, and all that other stuff know this. And they know that if they attempt to impose stronger security, they will lose customers to the guy that uses the simplest, weakest, but easiest to use solution. Doesn't take a government conspiracy for this to happen.

Quote:
Huh? I am not sure if you are deliberately misrepresenting my argument, misunderstanding it, or if you are carrying on a different conversation on a similar subject. I have not said anything about making a bullet-proof network. I am arguing against making it vulnerable BY DESIGN. Do you see the difference? I am sure you do because in the very next sentence you paraphrase what I said... ie. don't put everything on the internet.


And as I said (but was apparently the one part of my post you didn't respond to), it's a matter of opinion and perspective. What is "vulnerable by design"? So if I currently have a network connection that uses zero encryption, and I implement a weak but easy to use encryption, but I could have used a much stronger, but harder to use/implement one, is my connection "vulnerable by design"? Depends on how you look at it, right? Technically, since it was designed, then every aspect of it is "by design". The question is whether the intent was to make it less secure than it could have been, or if I decided that it's "secure enough" for whatever data I'm transmitting along that connection.

Which is why I talked at length about relative costs. Convenience versus security.

Quote:
And last, but most certainly not least,
Quote:
but it has never been true
portion of your post. Never is a very long time. Unless you have some weird understanding of my "theory", the last time 'never' happened was when Snowden showed up. I can only assume you didn't communicate your point clearly enough for me to comprehend. Please try again. Remember, I am most definitely not a security expert; not completely unlike you.


I was referring to the fact that we have never had secure networks, so the idea that we're somehow "less secure" today is ridiculous. You're basically arguing reality against a possible alternative which never happened, but passing it off like we somehow moved in the wrong direction. As if somehow passing regulations which mandate X security level (instead of zero) is really making us less secure because they could have mandated something better. And then lumping in a bunch of conspiracy theories to create a sinister motivation behind all of it.

I don't doubt for one moment that the NSA does have an interest in encouraging weak encryption around the world. I just question the degree to which they've actually had to work to make that happen. People will do this all on their own. You actually have to almost force them kicking and screaming to *not* use insecure methods.

Edited, Sep 10th 2013 8:54pm by gbaji


Gbaji... I have a real question for you. It is, admittedly, mildly unrelated. I am, however, curious. Can you tell me why, exactly, you, apparently, choose to be excessively verbose? For bonus points, do you use Twitter, and how do you deal with its severe limitations?

Ok, time to head for the asbestos factory; not all of us have jobs as network engineers.

____________________________
Your soul was made of fists.

Jar the Sam
#25 Sep 11 2013 at 7:23 AM Rating: Good
*******
50,767 posts
Jesus, fucking, Christ, at, all, the, commas.
____________________________
George Carlin wrote:
I think it’s the duty of the comedian to find out where the line is drawn and cross it deliberately.
#26 Sep 11 2013 at 8:03 AM Rating: Good
Skelly Poker Since 2008
*****
16,781 posts
Those are carefully planned out thoughtful pauses indicating you should take in a long slow breath and think hard about what you're reading. ,

____________________________
Alma wrote:
I lost my post