ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Main Area and Open Discussion > Living Room

Knight to queen's bishop 3 - Snowden charged with espionage.

<< < (106/139) > >>

I hadn't realised that GCHQ/NSA were apparently so amazingly up to their armpits in deliberately fomenting revolution/war [...]-IainB (February 27, 2014, 04:44 AM)
--- End quote ---
this is not directly related to the linked presentation (? - it may be implied, but not clearly - although I would have been happier if the images were bigger, i.e. I may have missed something).
And I'm not saying they're not - and you may even have posted before here about it - but if you're going to throw out a statement that bald, it needs/deserves a reference/link.
-tomos (February 27, 2014, 05:11 AM)
--- End quote ---

Sorry, perhaps I should have pointed out the link in the Guido article where it says: View this document on Scribd. The material could be disinformation though, as Guido suggests, but if it isn't, then...

I have to say that there doesn't seem to be much bluntness (if any) about anything I wrote there - I was not making a definite or clear expression of something as fact or a formal account of facts or events. What I mentioned was a perception - that "this seems quite serious" and that they "were apparently so amazingly up to their armpits in deliberately fomenting revolution/war".
Someone else's perceptions and experience may differ, but that does not necessarily invalidate my perceptions, and it doesn't necessarily "need/deserve a reference/link" either, just because someone says it does or feels that it should to (say) align with their perceptions and to have any validity.

Let's suppose that someone was to say to me either:
(a) "Obama appears to be the greatest and most ethical President of our times", or
(b) "Obama appears to be the greatest liar and most deceiving President of our times".

In either case, I might say "What makes you say that?" in a genuine attempt to try to understand how they might have arrived at that perception. If my mind was open to the response, then I might learn something from the answer - who knows?

In actual fact, of course, I probably wouldn't ask such a question as I am usually indifferent as to why people think whatever they might think about their elected leaders. My rule of thumb is "By their fruits ye shall know them" - e.g., (say) Maggie Thatcher's rumoured penchant for breakfasting on the aborted foetuses of coalminers' wives, which, if true, would probably place her in a pretty dim light.

Let's suppose that someone was to say to me either:
(a) "Obama appears to be the greatest and most ethical President of our times", or
(b) "Obama appears to be the greatest liar and most deceiving President of our times".
-IainB (February 27, 2014, 07:38 AM)
--- End quote ---

"A" totally needs to be in the Silly Humor thread. :P

But just about any president's name would suffice... :P ;)

^point taken Iain.
And thanks Stoic for the viewing tip :)

I put this in this thread as it seemed relevant to the SnowdenGate revelations re snooping/surveillance of traffic flowing variously through ISPs, Google, Microsoft, etc. - that is, SCS (State & Corporate Surveillance).

If the proposals of the IETF (Internet Engineering Task Force) Internet-Draft "Explicit Trusted Proxy in HTTP/2.0" (14 Feb 2014) are agreed, then this snooping/surveillance looks like it could be formalised as "standard practice" in the Internet architecture, and authorised and enabled regardless of Internet users' wishes.

Currently I am aware of only one publicly available and apparently feasible defeat for "man-in-the-middle" attacks by ISPs, governments or other criminals - that would seem to be OpenDNSCrypt.
One wonders how long that is going to be tolerated by the SCS fraternity or indeed whether OpenDNS might not already have been obliged to compromise OpenDNSCrypt without publishing that fact. One would have no way of knowing for sure. It's all about Trust.

(Copied below sans embedded hyperlinks/images.)
No, I Don't Trust You! -- One of the Most Alarming Internet Proposals I've Ever Seen
February 22, 2014

If you care about Internet security, especially what we call "end-to-end" security free from easy snooping by ISPs, carriers, or other intermediaries, heads up! You'll want to pay attention to this.

You'd think that with so many concerns these days about whether the likes of AT&T, Verizon, and other telecom companies can be trusted not to turn our data over to third parties whom we haven't authorized, that a plan to formalize a mechanism for ISP and other "man-in-the-middle" snooping would be laughed off the Net.

But apparently the authors of IETF (Internet Engineering Task Force) Internet-Draft "Explicit Trusted Proxy in HTTP/2.0" (14 Feb 2014) haven't gotten the message.

What they propose for the new HTTP/2.0 protocol is nothing short of officially sanctioned snooping.

Of course, they don't phrase it exactly that way.

You see, one of the "problems" with SSL/TLS connections (e.g. https:) -- from the standpoint of the dominant carriers anyway -- is that the connections are, well, fairly secure from snooping in transit (assuming your implementation is correct ... right?)

But some carriers would really like to be able to see that data in the clear -- unencrypted. This would allow them to do fancy caching (essentially, saving copies of data at intermediate points) and introduce other "efficiencies" that they can't do when your data is encrypted from your client to the desired servers (or from servers to client).

When data is unencrypted, "proxy servers" are a routine mechanism for caching and passing on such data. But conventional proxy servers won't work with data that has been encrypted end-to-end, say with SSL.

So this dandy proposal offers a dandy solution: "Trusted proxies" -- or, to be more straightforward in the terminology, "man-in-the-middle attack" proxies. Oh what fun.

The technical details get very complicated very quickly, but what it all amounts to is simple enough. The proposal expects Internet users to provide "informed consent" that they "trust" intermediate sites (e.g. Verizon, AT&T, etc.) to decode their encrypted data, process it in some manner for "presumably" innocent purposes, re-encrypt it, then pass the re-encrypted data along to its original destination.

Chomping at the bit to sign up for this baby? No? Good for you!

Ironically, in the early days of cell phone data, when full capability mobile browsers weren't yet available, it was common practice to "proxy" so-called "secure" connections in this manner. A great deal of effort went into closing this security hole by enabling true end-to-end mobile crypto.

Now it appears to be full steam ahead back to even worse bad old days!

Of course, the authors of this proposal are not oblivious to the fact that there might be a bit of resistance to this "Trust us" concept. So, for example, the proposal includes the assumption of mechanisms for users to opt-in or opt-out of these "trusted proxy" schemes.

But it's easy to be extremely dubious about what this would mean in the real world. Can we really be assured that a carrier going through all the trouble of setting up these proxies would always be willing to serve users who refuse to agree to the proxies being used, and allow those users to completely bypass the proxies? Count me as skeptical.

And the assumption that users can even be expected to make truly informed decisions about this seems highly problematic from the git-go. We might be forgiven for suspecting that the carriers are banking on the vast majority of users simply accepting the "Trust us -- we're your friendly man-in-the-middle" default, and not even thinking about the reality that their data is being decrypted in transit by third parties.

In fact, the fallacies deeply entrenched in this proposal are encapsulated within a paragraph tucked in near the draft's end:

"Users should be made aware that, different than end-to-end HTTPS, the achievable security level is now also dependent on the security features/capabilities of the proxy as to what cipher suites it supports, which root CA certificates it trusts, how it checks certificate revocation status, etc. Users should also be made aware that the proxy has visibility to the actual content they exchange with Web servers, including personal and sensitive information."

Who are they kidding? It's been a long enough slog just to get to the point where significant numbers of users check for basic SSL status before conducting sensitive transactions. Now they're supposed to become security/certificate experts as well?


I'm sorry gang, no matter how much lipstick you smear on this particular pig -- it's still a pig.

The concept of "trusted proxies" as proposed is inherently untrustworthy, especially in this post-Snowden era.

And that's a fact that you really can trust.

I'm a consultant to Google. My postings are speaking only for myself, not for them.

- - -

Addendum (24 February 2014): Since the posting of the text above, I've seen some commentary (in at least one case seemingly "angry" commentary!) suggesting that I was claiming the ability of ISPs to "crack" the security of existing SSL connections for the "Trusted Proxies" under discussion. That was not my assertion.

I didn't try to get into technical details, but obviously we're assuming that your typical ISP doesn't have the will or ability to interfere in such a manner with properly implemented traditional SSL. That's still a significant task even for the powerful intelligence agencies around the world (we believe at the moment, anyway).

But what the proposal does push is the concept of a kind of half-baked "fake" security that would be to the benefit of dominant ISPs and carriers but not to most users -- and there's nothing more dangerous in this context than thinking you're end-to-end secure when you're really not.

In essence it's a kind of sucker bait. Average users could easily believe they were "kinda sorta" doing traditional SSL but they really wouldn't be, 'cause the ISP would have access to their unencrypted data in the clear. And as the proposal itself suggests, it would take significant knowledge for users to understand the ramifications of this -- and most users won't have that knowledge.

It's a confusing and confounding concept -- and an unwise proposal -- that would be nothing but trouble for the Internet community and should be rejected.

- - -

Posted by Lauren at February 22, 2014 08:24 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

--- End quote ---

Mark Zuckerberg Says The US Has Become A Threat To, Rather Than A Champion For, The Internet | Techdirt
from the indeed dept

Better late than never: it appears that Mark Zuckberberg is finally really pissed off about the NSA surveillance efforts.
(Read the rest at the link.)

--- End quote ---
I find this rather amusing. These people are creeping out of the woodwork professing to be "Shocked, I tell you! Shocked!"
Yeah, right.
Pass the popcorn.

Like we didn't already know that the US has become a threat to, rather than a champion for, the Internet. ...
Goodness gracious! Has it really?    :tellme:


[0] Message Index

[#] Next page

[*] Previous page

Go to full version