GCHQ Used Fake LinkedIn Pages to Target Engineers (2013) (spiegel.de)
204 points by NonEUCitizen on March 18, 2014 | hide | past | favorite | 54 comments



And we all know that they are using this data only to fight terrorism.

They would never use it to give their own industry insider information.

</sarcasm>


As outlined in the NSA recruitment audio, the term "adversary" includes everyone - not just terrorists. There is nobody who is not considered to be an "adversary", so that includes commercial rivals too.


There was a time when I used to wonder why sovereign states like Russia or China built their own variant of Facebook and Twitter instead of using the original.

I thought that language or cultural barriers prevented those companies from succeeding or that those countries suppressed US companies because they are evil and want to control their population.

Today I think I'm more realistic about that. All sides want to control their population (US included), and no one wants foreign countries to access data of their citizens.

That's why there's so much redundancy. China would never allow Facebook to succeed in their market and the US wouldn't allow Sina Weibo, Renren or Vkontakte to succeed on their market.

The US wouldn't ban those companies outright (like China did), but there would be a media campaign against them and the COMMUNIST THREAT that those companies pose to the minds of our innocent children in the west, which basically would have the same effect.


NSA collects intelligence from people so that US policymakers make informed decisions (like about Russia invading Crimea or how badly Malaysia is lying to the world), same as every other intel agency does for their home country. Big difference is that NSA won't give their analysis to private companies. In many countries, things like State-Owned Enterprises blur the things and economic espionage is widespread.


According to Snowden, some of the NSA documents suggest the NSA did give their analysis to private companies. http://news.cnet.com/8301-13578_3-57617823-38/snowden-accuse...


GCHQ, presumably in cooperation with NSA, uses dirty tricks against political dissidents, including Anonymous: https://www.techdirt.com/articles/20140207/08354426130/gchq-...


There is really only 1 solution to this:

Put your mobile phone permanently in flight mode and go back to relying on landlines/email.

The alternative choice to this is accepting the fact that "GCHQ now wants to turn the mobile web into an all-seeing surveillance machine."


This sounds like something a NSA/GCHQ psy-ops division would say.

The alternative is most definitely not landlines/email. We can and must demand free verifiably-secure hardware and software, including for our mobile phones. There is ABSOLUTELY NO REASON why the mobile web must be a surveillance machine.


> We can and must demand free verifiably-secure hardware and software

I agree 100%. Open source software + hardware + FIRMWARE must be part of any long-term solution. "Long-term" because short-term, governments won't let that happen (they will always work with/help corporations to keep circulating products with backdoors in proprietary/closed-source firmware).


I think this is a fine long term goal, but the pragmatic place to make progress in the short term is politics.

I know much of the reaction to that is going to be cynicism about what is possible there, but I'm pretty sure that cynicism is one of the bigger stumbling blocks.


Landline and email are not secure by any means.

If you want secure communications, the transport layer (3G, internet, land lines, postal, talking to people) should always be untrusted and cryptography should be used.

However you can only trust one method for the long term which is a pre-shared manual one time pad. Other methods are proven to be somewhat variable in their implementation and ability to remain secure.


So you have targets (basically employees of said company) browsing popular sites and becoming infected. You can't deny access to all popular sites. Would it be possible to build a 'scraper' that copies content and places it on your local network for your employees? Perhaps also allowing comments to be placed back on your behalf? You'd give the employees access to things they want to read, but stop attacks correct?


That's kinda how Richard Stallman browses the internet.

https://stallman.org/stallman-computing.html

Search for wget.


I don't think the filtering approach is feasible. You need separation.

Maybe run separate VMs for casual browsing, work, entertainment, etc? Like Qubes does http://qubes-os.org/trac


It soon begins to become infeasible. Unless you can identify when these quantum attacks are occurring and block them this is really more of a political problem than a technical one.


I disagree. This is also a technical problem. Good engineers need to keep working to minimize the possibility of MITMs in their purview. It's a technical arms race.

Also, even if you solve the political problem in one country, you still need to worry about external and criminal threats that operate with the same tradecraft.


Doesn't certificate pinning and inspection identify/block these kinds of attacks?


I'm not sure if truly defeating such attacks is feasible, but if you demand employees use a (ssl terminating) proxy, you can at least monitor and/or log all traffic (not necessarily legal or ok in many jurisdictions) -- and so have a reasonable way to look for malware (possibly only useful after the fact).

That is if the routers inside your own network can be trusted. Paranoid turtles, all the way down.


The scraper then becomes the target instead of the users computer. Any machine that maintains the context of a web browsing session will contain private data.


> "[LinkedIn] does not sanction the creation or use of fake LinkedIn profiles or the exploitation of its platform for the purposes alleged in this report."

If I understand things correctly, it's not claimed that GHCQ made fake profiles or exploited their platform. It's possible that whoever made the statement didn't really understand MITM, but this kind of reads like another one of the usual carefully worded non-denials.

Full paragraph in the article:

When contacted, LinkedIn stated that the company takes the privacy and security of its members "very seriously" and "does not sanction the creation or use of fake LinkedIn profiles or the exploitation of its platform for the purposes alleged in this report." "To be clear," the company continued, "LinkedIn would not authorize such activity for any purpose." The company stated it "was not notified of the alleged activity."


But LinkedIn uses SSL. There's no mention of how GCHQ got around this. Does anyone know?

EDIT: Because the ability to MITM SSL sessions is a lot more scary to me than the willingness to MITM non-SSL sessions.


LinkedIn does not require (or automatically redirect to) SSL. If you're not logged in, the homepage is served over https://. If you are logged in, typing linkedin.com brings you to your news feed, no redirect to https://. If you aren't logged in, then enter your username and password, you're redirected from the https:// site to the http:// one.


I strongly suggest using httpseverywhere for this reason. Although for some reason linkedin.com is listed as "buggy" by default :/ so enabling it might break some stuff.


Linkedin actually didn't work for me with httpseverywhere - I had to exclude it for that site...


Works in Chrome now, at least.


Just tried it again, and yes, the main page works, but things like profile page and viewing the list of people who have recently viewed your profile give me blank pages.

If I disable it again, those pages work again...


Strange. Works fine here.


Well since the GCHQ is part of the government, and the government has a root cert in the browsers, they can basically create all the SSL certificates they want.

Governments can MITM without any problems.


I don't believe the UK gov have a TLS CA in any standard browser deployments do they? I'm not even sure we have a CA HQd here for them to compel into giving them certs for mitm?


Out of curiosity I had a quick scan through the "Trusted Root Certification Authorities" on this Windows 7 box and it's quite a surprising list - I have no idea who a lot of these organizations are...

Also, one thing I'm pretty confident about, is that if GCHQ is behind any of these certs they wouldn't go labeling it as "UK Government - GCHQ". So presumably I'm just trusting Microsoft that when these certs get pushed out as part of Windows they are who they say they are...


CAs can issue or lose intermediate certificates that they shouldn't. These have been detected at least 3 times when these technically valid but never before seen certificate chains are used for google.com/yahoo.com/microsoft.com etc.

http://googleonlinesecurity.blogspot.com.au/2013/01/enhancin... https://blog.torproject.org/blog/detecting-certificate-autho... http://www.chromium.org/Home/chromium-security/root-ca-polic...


http://www.mozilla.org/en-US/about/governance/policies/secur... lists those that firefox currently trusts.

How many of them are not amenable to some government somewhere? 0.

And how many would GCHQ have to compromise to get deniable MITM? 1.


Governments don't outright operate CAs, but given the long list of trusted authorities and intermediates in every modern browser, and given the various successes of these agencies, it seems a probable certainty that if they need to generate a trusted cert for given targets, they can. In effect I am agreeing.

The Apple SSL bug seemed overblown (from a government perspective) for that reason, and unlikely to be a government effort. Exploiting a CA seems significantly easier than embedding bugs in specific platforms. I suppose they might do both, but I doubt their abilities were reduced after it was patched.


LinkedIn doesn't use HSTS and can be sslstrip-ed. Even then, it's not like GCHQ would have qualms about using a spoofed cert (cert pinning could prevent this but isn't widely deployed); the express purpose of spooks is to use illegal methods.


Why do the NSA and GCHQ want this much access? Everyone's location in real time? This is ludicrous. Terrorists don't use mobile phones anyway.

I'm still waiting for the blackmail revelations. Though I doubt NSA & friends would be that stupid to make slides about that little objective.


> Terrorists don't use mobile phones anyway.

There you go! Track all the phone users, and anyone who doesn't have one, and is therefore untracked, is probably a terrorist!

Actually that's not far-fetched. I do recall, vaguely, some old indymedia article about a European political activist being arrested, with the fact they left their phone at home before turning up at a meeting being part of the grounds for suspicion. Indymedia stories tend to be rather ephemeral and hard to search so providing actual details is somewhat troublesome...


> There you go! Track all the phone users, and anyone who doesn't have one, and is therefore untracked, is probably a terrorist!

This is how I would scare people if I were paid by the NSA.


> Then they determined which of the potential targets used LinkedIn or Slashdot.org, a popular news website in the IT community.

So is HN. And it's ancient. Any ideas of possible vectors to attack HN-loving engineers?


HN has been, for a couple months already, HTTPS-only, and it uses HSTS and disallows framing in the response headers, so that's pretty good. It wouldn't hurt though (probably) to get added to the HSTS preload lists of Chrome [1] and Firefox [2].

[1] https://src.chromium.org/viewvc/chrome/trunk/src/net/http/tr...

[2] https://github.com/mozilla/gecko-dev/blob/master/security/ma...

Trusting the SSL certs is another thing though.
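The thread above contrasts a site that still answers plain HTTP without a redirect and sends no HSTS (the sslstrip case) with one that is HTTPS-only, sends HSTS and forbids framing. Below is an added example, not code from the thread or from any of the sites named, that checks constructed HTTP/HTTPS responses for exactly those properties; the site names and header values are made up.

```python
# Added example: assess constructed HTTP and HTTPS responses for the weaknesses
# discussed in the thread: no HTTP->HTTPS redirect (sslstrip exposure), missing or
# weak Strict-Transport-Security, and no framing protection.

# Constructed samples, modelled on the behaviours described above; they are not
# real captures from linkedin.com or news.ycombinator.com.
SAMPLES = {
    "news-site": {
        "http":  {"status": 301, "headers": {"Location": "https://news.example/"}},
        "https": {"status": 200, "headers": {
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Frame-Options": "DENY"}},
    },
    "social-site": {
        "http":  {"status": 200, "headers": {}},   # served plain, no redirect
        "https": {"status": 200, "headers": {}},   # no HSTS, no framing control
    },
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, subs, preload = None, False, False
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        k = k.lower()
        if k == "max-age" and v.strip().isdigit():
            max_age = int(v)
        elif k == "includesubdomains":
            subs = True
        elif k == "preload":
            preload = True
    return max_age, subs, preload

def assess(site):
    """Return the findings for one site's HTTP and HTTPS responses (empty list = fine)."""
    findings = []
    http = site["http"]
    loc = http["headers"].get("Location", "")
    if not (300 <= http["status"] < 400 and loc.startswith("https://")):
        findings.append("no-https-redirect")       # plain HTTP usable: sslstrip target
    hsts = site["https"]["headers"].get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no-hsts")                 # browser will not refuse plain HTTP
    else:
        max_age, subs, _preload = parse_hsts(hsts)
        if max_age is None or max_age < 180 * 86400:
            findings.append("weak-hsts-max-age")   # below the ~6 months preload lists expect
        if not subs:
            findings.append("hsts-no-subdomains")
    if site["https"]["headers"].get("X-Frame-Options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("framable")
    return findings
```

Note that HSTS only takes effect after a first clean HTTPS visit, which is why the preload lists mentioned above matter for the very first connection.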


MITM on a connection to hackernews probably doesn't differ in any significant detail from MITM to facebook, linkedin, slashdot, etc.


Update: this sibling post claims that HN is at least a well-configured website, and so MITM attacks will be on the upper end of the normal difficulty range: https://news.ycombinator.com/item?id=7421558


Well, you could post a linkbait article that pulled in some javascript with an exploit in it. Everything here is public except the IP addresses behind the usernames.


I think he meant for hiding malware on the rendered pages a HN user sees - doxing most people here would probably not be so hard (especially for GCHQ).


What does this have to do with saving us from terrorism?


Absolutely nothing.

It's Totalitarianism, nothing more or less.


I just can't understand how the people who work in there do not see it.


I worked in the defense industry for a few years (1998-2002). I didn't see it at the time. Everyone works in isolation, no one talks about work and everyone is micromanaged to bits and separately motivated. It's heavily draped in propaganda as well, most of which is horse shit. It's all much like the promoted status of imperialist armies.

Obviously September 11th 2001 happened, and to see your colleagues actually see that as job security and a way to sell more weapons and celebrate that turned it for me. I started to question the ethics of what I was doing and decided it was best that I left. I bailed one afternoon, gave no notice and spent three months selling Sun kit on ebay before taking a job at a web agency selling whiskey and houses instead.

Most people didn't get that "moment" and are still prisoners of the inane propaganda. The same is true of those at GCHQ.

My children are doing GCHQ sponsored mathematics work (cryptography challenges) at the age of 10 probably in the vain hope that they will eventually see this as normal and be recruited before they have a chance to question the ethics of it all.


> My children are doing GCHQ sponsored mathematics work (cryptography challenges) at the age of 10 probably in the vain hope that they will eventually see this as normal and be recruited before they have a chance to question the ethics of it all.

What? Care to elaborate? (I'm American if that explains why I have no idea what you are referring to)


Well it goes like this....

There was a lot of publicity and propaganda and hype around Alan Turing and cyber-security over the last few years in the UK media. This drove a whole codebreaking fascination thing with mathematics.

So not wishing to miss out on all the action, a project was started called The Enigma Project which features basic codebreaking challenges (basic substitution ciphers, OTP etc) aimed at primary school children. This was started by Simon Singh / Cambridge University after good old Si released a book called The Code Book after which he wanted to drum up publicity rapidly. No other reason.

So after a year or so of neglect these sheets work their way into "photocopy circulation" amongst schools in the UK as part of the typical "teachers don't give a shit and just want to hand out worksheets" culture that appeared.

Obviously any other material that could be assembled cheaply was chucked on the back. Turns out there's a couple of sheets plainly marked from GCHQ in there as well as "additional exercises". Rather interesting as they are above what you'd consider appropriate for that age (prime factorisation and rapid factorisation techniques etc). Very odd!

Now this in itself is pretty null and void but it leads into the culture which I experienced where we were asked in secondary school mathematics to enter various "challenges" to play off against other schools. I was pretty good at mathematics (at GCSE and A-level) and did well on these challenges but was approached after this by people recruiting for SIGINT rather than go to university. Other people who did well were similarly propositioned. I impolitely declined and relaxed into a life of electrical engineering, pizza and beer which I thoroughly don't regret.

I'm worried my children will be similarly filtered out and recruited to be honest.


Really interesting (if a bit disturbing, to be honest). Thanks for sharing.


The United States defense agencies also run and sponsor mathematics contests and summer program(s) for students. For example, the NSA sponsors the USA Mathematical Talent Search, the Office of Naval Research sponsors MOSP, the "Department of Defense" is listed for MathCOUNTS.


Who needs enemies with such friends...


With friends like these, who needs enemas?


Please add [2013] in the title.
