
WA Post Publishes 4 More Slides On Data Collection From Google, Et Al

timothy posted 1 year,23 days | from the so-much-wool-so-many-eyes dept.

Communications 180

anagama writes "Lots of new program names, flowcharts, and detail in four previously unreleased PRISM slides published by the Washington Post today. These slides provide some additional detail about PRISM and outline how the NSA gets information from those nine well known internet companies. Apparently, the collection is done by the FBI using its own equipment on the various companies' premises and then passed to the NSA where it is filtered and sorted."


180 comments

As a concerned Canadian (5, Insightful)

Anonymous Coward | 1 year,23 days | (#44147809)

I've already quit Google. Now how about you?

Re:As a concerned Canadian (0)

Anonymous Coward | 1 year,23 days | (#44147903)

Just as long as /. is not into it I'm fine.

Re:As a concerned Canadian (5, Informative)

guruevi (827432) | 1 year,23 days | (#44147933)

Check the HTML - Google gets notified of every page you visit on here, in detail.

Re:As a concerned Canadian (0)

Anonymous Coward | 1 year,23 days | (#44147967)

Actually, :: gets notified of every page I visit on here, in detail.

Re:As a concerned Canadian (4, Informative)

Wookie Monster (605020) | 1 year,23 days | (#44147985)

Ghostery blocked five trackers on this page. http://www.ghostery.com/ [ghostery.com]

Re:As a concerned Canadian (1)

achbed (97139) | 1 year,23 days | (#44148023)

And Do Not Track Me [abine.com] blocked an additional 3.

Re:As a concerned Canadian (2)

flyingfsck (986395) | 1 year,23 days | (#44148025)

OK and how can I block Ghostery's snooping?

Re:As a concerned Canadian (2, Funny)

Anonymous Coward | 1 year,23 days | (#44148061)

OK and how can I block Ghostery's snooping?

I think Ghostery Busters is the place to start.

Re:As a concerned Canadian (1)

Anonymous Coward | 1 year,23 days | (#44148075)

By not opting into Ghostery's stats collection. It's a switch in its options, and I believe it's off by default.

Re:As a concerned Canadian (0)

Anonymous Coward | 1 year,23 days | (#44148163)

Hiding is useless, they can still track other things, and link them up to get your identity and data.
What I'd really want, was something that would change how the internet sees my browser every time I open a new tab. Make it look to the outside world, as if I have 15-20 machines accessing my internet connection instead of just two. Hell, even make some unnecessary traffic from time to time, I'm paying for those tubes, but I barely make a dent in my quota unless I resort to ... other things.

Re:As a concerned Canadian (2)

Nerdfest (867930) | 1 year,23 days | (#44147997)

... and go where? Assuming it's true, all of the big players are there. Anyone who gets big enough will just get added to the list. I block javascript and cookies for the most part and encrypt any data I want kept safe if I put it in 'cloud' storage. I'm not even sure if these companies had any way to refuse or warn the public about this, but I'm disappointed that someone didn't pull a 'Snowden'. The real problem here is not the companies, it's the government. People need to go to prison for this, from the FBI/CIA all the way up to the White House.

Re:As a concerned Canadian (4, Insightful)

fustakrakich (1673220) | 1 year,23 days | (#44148271)

The real problem here is not the companies, it's the government.

Oh please, the companies write the rules for the government to enforce. The problem here is us. We let them do it. And only dangerous people should be in prison.

Re:As a concerned Canadian (1)

Nerdfest (867930) | 1 year,23 days | (#44148289)

How would you suggest these people be punished? They're in government positions and have violated the constitution of the country and acted against the interests of the populace. Serious question.

Re:As a concerned Canadian (2)

fustakrakich (1673220) | 1 year,23 days | (#44148495)

How would you suggest these people be punished?

Chain gang... Oh, seriously? Loss of their position and benefits and forfeiture of other assets and income would be sufficient. Maybe the word 'thief' tattooed on their forehead... I'd rather make them face the stares and curses of the people they betray.

*What's the best way to get revenge against a rich man? Make him a poor man.*

Re:As a concerned Canadian (4, Insightful)

Anonymous Coward | 1 year,23 days | (#44148477)

You've quit on Google, but Google hasn't quit on you.

Re:As a concerned Canadian (2)

Mike Frett (2811077) | 1 year,23 days | (#44148651)

Are you ready to quit Microsoft also? They were one of the first to jump on board with all this nonsense. Quitting one and not the other would make no sense.

confusion (0)

Anonymous Coward | 1 year,23 days | (#44147819)

leaking single slides is causing confusion on what exactly is taking place. They need to stop.

The FBI equipment is for CALEA and is on site in ISPs, not content providers such as google and yahoo. Misinformation on this is getting old. Yes it's scary and yes it's illegal and yes it needs to change. But let's fucking understand it properly, then raise our arms and yell bs.

Re:confusion (1)

Servaas (1050156) | 1 year,23 days | (#44147855)

Misinformation? This is the first information we have gotten in years!

Re:confusion (1)

kthreadd (1558445) | 1 year,23 days | (#44147911)

Well, if it's not enough to make a good understanding of the situation it still isn't enough.

Re:confusion (2, Insightful)

Servaas (1050156) | 1 year,23 days | (#44148031)

We know we're being watched, isn't that enough? Who cares what they call all their programs and who they belong to. They have access to our personal computers, to every chat or email you send. Who cares about semantics?

Re:confusion (5, Informative)

anagama (611277) | 1 year,23 days | (#44148185)

You're totally wrong.

We've SUSPECTED spying. It was even reasonable to suspect that, though you could still be called a foil hatter.

Now we KNOW.

It is like the difference between an untested hypothesis you strongly suspect is true, and experimental results that confirm the hypothesis. The confirmation allows a next step to be taken on a fully informed basis rather than belief.

So you are totally wrong -- this is NOT nothing. This is confirmation and if we don't do something about it now, it will be seen as a free pass to do this and more. That's why you should care -- apathy now absolutely ensures a deteriorating future.

Re:confusion (0)

Anonymous Coward | 1 year,23 days | (#44148399)

Indeed, this is not nothing. It's sickening.

Re:confusion (4, Insightful)

The Second Horseman (121958) | 1 year,23 days | (#44147867)

Actually, I'm glad they're leaking these a bit at a time - in some cases, it's exposing the denials as BS. For example, we've known about the FBI CALEA infrastructure for years. The fact that it's being used to wholesale grab information and pass it to the NSA shows the hair splitting that's going on in the denials.

And actually, the FBI probably does have some CALEA hooks into providers. Google Voice and Skype are almost certainly set up to handle requests, even as the FBI is attempting to get CALEA formally expanded. That's likely not being handled at the ISP level. Further evidence of that? Microsoft wanted to provide statistics about how many requests they get for each service, and the government said "no". The "unnamed sources" complaint from inside Microsoft is that the government doesn't want people to know the extent to which Skype is being targeted.

Re:confusion (2)

achbed (97139) | 1 year,23 days | (#44147991)

So is the box inside Microsoft that's scanning all Skype-pasted URLs after the fact actually the FBI's collection box? That's one filter that may be easy to implement - redirect all traffic from that box to a honeypot or /dev/null it.

Re:confusion (3, Informative)

anagama (611277) | 1 year,23 days | (#44147877)

The FBI equipment is for CALEA and is on site in ISPs, not content providers such as google and yahoo.

The third slide has this annotation:

The PRISM case notation format reflects the availability, confirmed by The Post's reporting, of real-time surveillance as well as stored content. ... Depending on the provider [referencing the infamous 9], the NSA may receive live notifications when a target logs on or sends an e-mail, or may monitor a voice, text or voice chat as it happens (noted on the first slide as "Surveillance").

So who should I believe -- the government's own claims or that of an AC?

Re:confusion (1)

anagama (611277) | 1 year,23 days | (#44147913)

Lame self reply, but look at the "Content Type" box of slide 3 -- what does "OSN" mean in that context? Online Service Network? e.g.: "H: OSN Messaging (photos, wallposts, activity, etc)"

This implies to me that the provider of the info is not the ISP, though the ISP does stand in the middle so it would be technically capable of intercepting and passing this on.

Re:confusion (0)

Anonymous Coward | 1 year,23 days | (#44148063)

OSN is probably online social network.

Re:confusion (2)

anagama (611277) | 1 year,23 days | (#44148201)

"OSN is probably online social network."

That sounds more plausible than my guess.

Re:confusion (0)

Anonymous Coward | 1 year,23 days | (#44148199)

There are a lot of individuals, but almost always, some individuals will always lie, while others will always tell the truth.
There are fewer "news outlets" than individuals, but they never tell lies constantly and neither do they tell the truth constantly.
There are even fewer governments and their representatives than either of those above, but if history, recent or ancient, proved anything, it is that they never tell you the full truth unless it's mixed with more lies, and they have no problem telling complete fabrications to the electorate. Democracy, monarchy, dictatorships, in this, are all the same.

Re:confusion (1)

93 Escort Wagon (326346) | 1 year,23 days | (#44148143)

The FBI equipment is for CALEA and is on site in ISPs, not content providers such as google and yahoo.

You are making an unwarranted assumption here. Even during the "Room 641A" controversy, the claim was made that the FBI has black rooms directly on premises with multiple content providers.

The classified slides that are being leaked show something different. Assuming those interception points are CALEA-related doesn't really make sense - do you really think, with regards to CALEA, the FBI only started slurping Apple traffic in October 2012?

Well that validates the 'weasel word' disclaimers. (5, Insightful)

Anonymous Coward | 1 year,23 days | (#44147845)

Google et al. said something, IIRC, like 'we do not collect and pass on any info to the NSA'. Technically true, but also completely irrelevant to whether or not the NSA was actually collecting data.

Asking corps or government about what they do and don't collect is like asking a genie for a wish: one must phrase the question perfectly, or they'll twist it any way they can in order to answer what you asked, but not what you really wanted to know.

News at 10! (1)

auric_dude (610172) | 1 year,23 days | (#44147891)

Quoted company may have or may not have used weasel words. We await confirmation of this rolling news headline.

Re:Well that validates the 'weasel word' disclaime (0)

Anonymous Coward | 1 year,23 days | (#44147909)

And sometimes, like when you ask if they "collect any information on millions of Americans," they just lie.

Re:Well that validates the 'weasel word' disclaime (2)

number11 (129686) | 1 year,23 days | (#44148011)

And sometimes, like when you ask if they "collect any information on millions of Americans," they just lie.

Oh, that's so harsh. It's just that you need to get them to precisely define the words "collect", "any", "information", "millions", and "Americans". I'm sure that if you did, you'd reach a point where you thought "oh, 'no' doesn't mean what I thought it meant". (The words "on" and "of" are probably safe, though you never know). It's like how the word "sex" can mean different things depending on who's talking.

Re:Well that validates the 'weasel word' disclaime (1)

anagama (611277) | 1 year,23 days | (#44148213)

I can say with absolute certainty, that the NSA workers were never collecting information while sitting ON millions of Americans. Number one, they sit on chairs, not people. Number two, some of them may be chubby but nobody is fat enough to sit ON even 1000 Americans at once, let alone millions.

Re:Well that validates the 'weasel word' disclaime (1)

Nerdfest (867930) | 1 year,23 days | (#44147977)

... and to the person that said the devices were in ISPs, it's unlikely because of the prevalence of SSL. The equipment would need to be behind the company firewalls.

Re:Well that validates the 'weasel word' disclaime (2)

meta-monkey (321000) | 1 year,23 days | (#44148251)

Because the NSA couldn't possibly have their private keys...

Re:Well that validates the 'weasel word' disclaime (0)

Anonymous Coward | 1 year,23 days | (#44148373)

Now I get the crusade against self-signed certs!

Re:Well that validates the 'weasel word' disclaime (1)

achbed (97139) | 1 year,23 days | (#44148009)

They are technically correct. The best kind of correct. The FBI is the one doing the collection and passing on.

So, by statute the NSA is not allowed to spy on American citizens on American soil (since that's the FBI's job). But because of all the Intelligence-sharing laws that passed in the early and mid 2000s, that's been totally neutered. It's an offshoot of the outsourcing mindset - we're not allowed to do it, but we can ask someone else who IS allowed to and share the results.

Re:Well that validates the 'weasel word' disclaime (1)

memnock (466995) | 1 year,23 days | (#44148563)

I honestly don't know, but I thought it was illegal for the FBI to spy on U.S. citizens as well?

Re:Well that validates the 'weasel word' disclaime (1)

flyingfsck (986395) | 1 year,23 days | (#44148045)

Google is correct. They do not pass data to the NSA, the FBI does it for them. Everybody in the spy industry is just playing silly buggers and thinks that all citizens are morons.

Re:Well that validates the 'weasel word' disclaime (1)

hendrikboom (1001110) | 1 year,23 days | (#44148519)

Google may not even have been aware that the FBI was passing information on to the NSA.

Re:Well that validates the 'weasel word' disclaime (2)

PolygamousRanchKid (1290638) | 1 year,23 days | (#44148055)

Oh, be fair. These infamous 9 have a lot of data centers, and you can't expect the CEO to know which equipment from whom is in every corner there? I mean, just walk up to one of their data centers with a router in your hand, and tell them that you need an Internet connection. I'm sure that they'll let you waltz in and connect whatever equipment you want . . .

. . . when monkeys fly out of my ass.

The FBI probably has technical offices and agents in each data center, to maintain all this stuff. Ask them about that!

To give them the benefit of the doubt, they could claim that the FBI installed the stuff clandestinely. You know, a rack in a corner, with a note taped to it: "Do NOT touch. This rack does something important!" Of course, these companies might perform audits once in a blue moon on their data centers . . . but, naw, why bother . . . ?

Re:Well that validates the 'weasel word' disclaime (3, Interesting)

messagelost (1989296) | 1 year,23 days | (#44148151)

Google et al. said something, IIRC, like 'we do not collect and pass on any info to the NSA'. Technically true, but also completely irrelevant to whether or not the NSA was actually collecting data.

They didn't mention the NSA: http://googleblog.blogspot.com/2013/06/what.html [blogspot.com] That post is unequivocal, and is in direct contradiction to statements by the post like:

The Foreign Intelligence Surveillance Court does not review any individual collection request.

and

The FBI uses government equipment on private company property to retrieve matching information from a participating company

Which directly contradicts a statement here: http://www.wired.com/threatlevel/2013/06/google-uses-secure-ftp-to-feds/ [wired.com] Unfortunately, all such statements in the Post's article aren't on the slides; they are the Post's annotations on the slides, and the author doesn't provide any evidence to support them. Take from that what you will.

Illegal power without Constitutional authority (5, Insightful)

roman_mir (125474) | 1 year,23 days | (#44147881)

This is an unconstitutional power that the USA federal government usurped from the people, it doesn't actually matter how they grab most of it, however what does matter is that they do and it looks like it's not going to stop until the system crashes and there is no more money to run it.

Encrypt your communications, encrypt everything you can. Use self-signed certificates; by the way, avoid Certificate Authorities, AFAIC they only make it easier to create a MITM attack, not harder. They can confirm to your device that a certificate is valid even if it is not the certificate that you want to use. Of course, if you use CAs do not let them generate your keys for you.

At this point the behaviour of browsers to treat self-signed certificates as worse than plain text should be suspect to everybody, there is no rational explanation to that sort of attitude except: we don't want you to use certificates that authorities can't revoke and replace.

Re:Illegal power without Constitutional authority (0)

anagama (611277) | 1 year,23 days | (#44147931)

NSA sockpuppets, fascist retards, and media shills unfairly modded parent down. Please correct.

Re:Illegal power without Constitutional authority (2)

mcgrew (92797) | 1 year,23 days | (#44148065)

He wasn't modded down. Roman mir posts so much incoherent schizophrenic babble that his karma is in the toilet. Look at the moderation (click on the number on a comment to see how it was modded). He's at +1 now with 100% insightful. Moderation worked.

OTOH you should be modded offtopic. Moderation failed on your comment. It wasn't informative, it was incorrect. Mods, please pay attention! If someone's sitting below 1, don't assume he'd been modded down.

Re:Illegal power without Constitutional authority (0)

Anonymous Coward | 1 year,23 days | (#44148353)

I tried that, but it wanted me to log in to something.
I thought logins were for websites where you wanted to store some information.
Why would anyone need some sort of account on Slashdot?

Re:Illegal power without Constitutional authority (2)

roman_mir (125474) | 1 year,23 days | (#44148079)

Funny story, a few years back when I wrote this [mozilla.org], I added in the functions to encrypt and decrypt text in browser input elements with a predetermined password. At the time when I was working on it, FF was some much older version and to my surprise, when I was debugging the code, I realised that I could use Javascript to read input characters from password fields in my code from ANY page. That was unfortunate (I think they fixed that by now). But of course today if you use something like gmail or hotmail, they can capture keystrokes and document change events and send them back to the servers individually, so at this point if you are going to use something like leetkey for encryption, you have to use the function (that is provided in my addon at least) to open a new browser window or tab with a text area where you can type something and encrypt it first and then cut and paste into your email window's text area.

Re:Illegal power without Constitutional authority (2)

anagama (611277) | 1 year,23 days | (#44148153)

That's very interesting. A friend of mine was talking about doing a similar thing recently so I'm going to let him know about this.

One of the problems with encryption is that even if the content is secret, who it was sent to and who sent it isn't necessarily so. That makes me think that perhaps one of the scourges of the internet, spam, could be turned into a secure means of communication, because if a message is delivered to 50m people, figuring out who it was intended for is pretty hard. Couple that with an encryption system that, instead of using random letters and characters to represent the plain text content, would use common words to randomly represent each letter, making the text readable but gibberish so it wasn't obviously encrypted data at a glance. Throw in an advert for Viagra and the text would look like an attempt to evade spam filters.

Anyway, I'd love to see someone work on that end of secure communications, in particular, obscuring sender and receiver information. One hard part would be figuring out how to get the emails to spammers in a way that is not traceable, but once spammed, the message would be pretty anonymous both in content and at least for recipient. The spammer would probably get grilled if found out, so that IS a weak link.

Re:Illegal power without Constitutional authority (1)

icebike (68054) | 1 year,23 days | (#44148449)

The spammer would probably get grilled if found out, so that IS a weak link.

Yeah, that will work. LOL.

Given how pernicious and intractable the problem of spam has proven for as long as it's been around, you sooner or later might suspect that it is a product of the US Government itself.

Post encrypted messages to USENET *.test groups (1)

Anonymous Coward | 1 year,23 days | (#44148617)

Very few people actually read the test groups. There's so much kiddie porn on today's news that a few slashbots posting encrypted messages to alt.test won't make a substantial difference.

Also, note that there's a big difference between a cipher and a code. A cipher replaces a number with another in such a way that it's difficult to get that first number back, but it does so by a fixed set of rules. The best way to crack the best ciphers is brute force, but if it's not the best cipher, there may be an easier way such as chosen plaintext.

Consider that the US won the World War II battle of Midway by convincing the Japanese Navy to send some ciphertext whose plaintext was chosen by the US:

"Please use our weakest cipher to encrypt a message to the Pentagon to let them know our desalination plant is broken, so we need a new one."

"But admiral, our desalinization plant is working just fine!"

"That's a direct order son."

"SIR YES SIR!"

You see we had cracked the Japanese Naval cipher but we did not know the Japanese Naval code. All we knew was that they were about to attack an island in the Pacific but we did not know which one, as they used a codeword for that. After they intercepted the above message, they themselves then sent a message back to Tokyo that said something like "CowboyNeal's desalination plant is broken. They asked for another one." Now you know "CowboyNeal" means "Midway Island".

The best thing to do is to combine codes and ciphers, so that if the cipher is cracked, they still won't know the code unless they can get the codebook. That's what CIA "Black Bag Jobs" are for, you know when they sneak into an embassy, find the codebook then photograph it.

I expect that lots of cyber-espionage on the part of everyone is looking for codebooks, secret keys from key pairs, as well as planting keystroke recorders so you can get passphrases.

Re:Illegal power without Constitutional authority (0)

Anonymous Coward | 1 year,23 days | (#44148679)

For Christ's sake, if you're going to use Gmail or Hotmail, don't use the web interface. Use an IMAP or POP program on your local machine and use SMIME or PGP encryption locally before you send to the server.

Re:Illegal power without Constitutional authority (1)

mcgrew (92797) | 1 year,23 days | (#44148005)

Encrypt your communications

Djl;lk;mckj88 d d ddddja;pdooble!

How's that? The NSA will never know what I said there!

Re:Illegal power without Constitutional authority (1)

roman_mir (125474) | 1 year,23 days | (#44148021)

%!@ahfhhh78aehnn2! ! *

$ dd if=/dev/random count=4242 | gpg ... (0)

Anonymous Coward | 1 year,23 days | (#44148657)

... binladen@alqaeda.org | /bin/mail binladen@alqaeda.org

Possibly better would be to encrypt real text that doesn't mean anything useful. For example use wget to rip a website, encrypt each page then send it to all your buddies.

Re:Illegal power without Constitutional authority (0)

Anonymous Coward | 1 year,23 days | (#44148097)

So what you are saying is that the constitution is just worth the piece of paper it's written on? It really is completely pointless when it comes down to actually applying it? Good to know.

Re:Illegal power without Constitutional authority (2)

icebike (68054) | 1 year,23 days | (#44148457)

Don't be ridiculous. As a well documented historical relic, the paper is worth much more than you think.

Re:Illegal power without Constitutional authority (2)

pilot1 (610480) | 1 year,23 days | (#44148157)

At this point the behaviour of browsers to treat self-signed certificates as worse than plain text should be suspect to everybody, there is no rational explanation to that sort of attitude except: we don't want you to use certificates that authorities can't revoke and replace.

I agree that everyone would be better off if everyone encrypted everything. I also agree that CAs shouldn't be trusted.

But seriously? You can't see any reason to distrust self-signed certificates? They aren't trusted because the browser has no way to verify their authenticity, which makes them dangerous. Trusting them would make man-in-the-middle attacks against SSL too easy; many studies have shown that users ignore the warnings. This _IS WORSE_ than plaintext because the user believes they have a secure connection when they don't. With plaintext the user at least doesn't expect the connection to be secure.

There's absolutely nothing stopping you from using self-signed certificates in a secure way. Configure your browser to trust specific self-signed certificates that you can verify are authentic, and you're good. It's incredibly insecure to trust _ANY_ self-signed certificate; your assertion that "the authorities" are trying to prevent you from using them is nothing but paranoia. There are plenty of things to be paranoid about these days. This isn't one of them.

Re:Illegal power without Constitutional authority (2)

roman_mir (125474) | 1 year,23 days | (#44148207)

You can't see any reason to distrust self-signed certificates?

- I trust them much more than I trust governments and certificate authorities. I trust that using an encrypted connection with a self-signed certificate is NOT WORSE than using plain text and I don't trust that the browser behaviour regarding self-signed certificates is without suspect, without a bias.

IF your argument had any merit, THEN browsers could at least use the self signed certificate and NOT show the 'secure' icon, show whatever you like, don't break browsing experience for users. Don't say that the connection is perfectly secure, but don't make it look like the user is about to access a virus infected site or something to that effect, that's where my mistrust of benevolent browser behaviour comes from.

Re:Illegal power without Constitutional authority (1)

pilot1 (610480) | 1 year,23 days | (#44148335)

- I trust them much more than I trust governments and certificate authorities. I trust that using an encrypted connection with a self-signed certificate is NOT WORSE than using plain text and I don't trust that the browser behaviour regarding self-signed certificates is without suspect, without a bias.

It is worse. Using an encrypted connection with a self-signed certificate is worse than plain text in terms of security. With HTTP a man-in-the-middle can see everything you send. With HTTPS using a self-signed certificate a mitm can substitute their certificate for yours and see everything you send. You'll have no idea this happened because you'll see the self-signed warning either way. The difference is that with HTTP the user knows the connection is insecure and chooses what data to transmit accordingly; with HTTPS using a self-signed certificate the user believes the connection is secure when it isn't.

Note that when I say "self-signed certificate" I'm referring to a self-signed certificate that your browser has not been configured to trust. If you've verified the authenticity of a self-signed certificate and configured your browser to trust it, I'm referring to it as a "trusted self-signed certificate." Self-signed certificates are insecure and worse than plain text. A trusted self-signed certificate is more secure than a traditional certificate that's been signed by a CA. Browsers support trusted self-signed certificates and don't show the warning you're complaining about when one is used. (I'm ignoring the difference between a true self-signed certificate and a certificate signed by a CA you own; it makes no difference for the purpose of this discussion, so I'm referring to both as self-signed.)

IF your argument had any merit, THEN browsers could at least use the self signed certificate and NOT show the 'secure' icon, show whatever you like, don't break browsing experience for users. Don't say that the connection is perfectly secure, but don't make it look like the user is about to access a virus infected site or something to that effect, that's where my mistrust of benevolent browser behaviour comes from.

In the vast majority of real world situations, the user is about to access something similar to a virus infected site when they see the warning. It's intended to warn the user that a mitm attack is likely taking place. If they're intentionally accessing a website using a self-signed certificate, they should verify the certificate's authenticity through a secure channel and configure their browser to trust it so that it becomes a trusted self-signed certificate.

It's never a good idea to use self-signed certificates. It is a good idea to use trusted self-signed certificates; browsers don't show the warning message when trusted self-signed certificates are used, which destroys your conspiracy theory.

Using an untrusted self-signed certificate is worse than using a certificate signed by a CA. It allows anyone to perform a mitm attack, whereas with a CA-signed certificate only powerful actors (e.g., governments) have that capability.
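An added example, not code from any poster in this thread, of the "trusted self-signed certificate" pilot1 describes: the client pins the SHA-256 fingerprint it verified out of band (the "where we know the fingerprint" case in the replies below) and rejects anything else, shown beside the click-through behaviour that lets a substituted certificate through. The certificate bytes and the host name are constructed stand-ins, and `pinned_connect` is the added helper that applies the same check to a real socket.

```python
"""Fingerprint pinning for a self-signed server certificate.

Example added to this thread, not any poster's code. The two certificate
values below are constructed stand-ins for DER-encoded certificates, not
real certificates; the genuine fingerprint is whatever the server operator
gave you over a channel you trust.
"""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins: the server's own certificate and the one an
# interposed party would present in its place.
GENUINE_CERT_DER = b"constructed: self-signed cert for example.test (server's own)"
ATTACKER_CERT_DER = b"constructed: self-signed cert for example.test (interposed)"


def sha256_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER bytes in the colon-separated form browsers display."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint: str) -> str:
    # Accept "AB:CD:..", "ab cd ..", or bare hex; compare one canonical form.
    return fingerprint.replace(":", "").replace(" ", "").lower()


def accept_click_through(presented_der: bytes) -> bool:
    """Policy 1 (untrusted self-signed): the user dismisses the warning, so
    every certificate is accepted and a substituted one goes unnoticed."""
    return True


def accept_pinned(presented_der: bytes, pinned_fingerprint: str) -> bool:
    """Policy 2 (trusted self-signed): accept only the certificate whose
    fingerprint was verified out of band. Constant-time comparison."""
    presented = _normalize(sha256_fingerprint(presented_der))
    expected = _normalize(pinned_fingerprint)
    return hmac.compare_digest(presented, expected)


def mitm_succeeds(policy) -> bool:
    """True when the interposed certificate is accepted under *policy*."""
    return policy(ATTACKER_CERT_DER)


def pinned_connect(host: str, port: int, pinned_fingerprint: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that trusts exactly one (self-signed) certificate.

    CA validation is disabled, so the explicit pin check is the only thing
    standing between the client and a substituted certificate; a caller that
    skipped it would be back at the click-through policy. Needs a live
    server, so it is not exercised by the demo below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # replaced by the pin check, not removed
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        presented = tls.getpeercert(binary_form=True)
        if presented is None or not accept_pinned(presented, pinned_fingerprint):
            raise ssl.SSLCertVerificationError(
                "certificate fingerprint does not match the pin")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    pin = sha256_fingerprint(GENUINE_CERT_DER)
    print("pinned fingerprint:", pin)
    print("click-through: genuine accepted =", accept_click_through(GENUINE_CERT_DER),
          "| substituted cert accepted =", mitm_succeeds(accept_click_through))
    print("pinned:        genuine accepted =", accept_pinned(GENUINE_CERT_DER, pin),
          "| substituted cert accepted =",
          mitm_succeeds(lambda der: accept_pinned(der, pin)))
```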

Re:Illegal power without Constitutional authority (3, Interesting)

roman_mir (125474) | 1 year,23 days | (#44148385)

It is worse. Using an encrypted connection with a self signed certificate is worse than plain text in terms of security. With HTTP a man-in-the-middle can see everything you send. With HTTPS using a self-signed certificate a mitm can substitute their certificate for yours and see everything you send.

- nonsense and it is dangerous nonsense given the facts that we now are aware of about the governments recording all communications to look at a LATER DATE.

If somebody, especially government, is specifically targeting you for a MITM attack, no CA will stop them, worse, AFAIC CAs are highly suspect, CAs are a perfect target for government 3LAs to create an easy way to penetrate security.

In fact there cannot be 'secure' icon on a browser if a CA is used! The only way to have highest order of security that we can achieve right now is to install self signed certificates where we know the fingerprint and to prevent CAs from authorising anything at all on our computers.

Again, given what we know about government snooping on people making it ANY more difficult for users to have encrypted communications to any server is only helping government secret police to go back in time and retrieve and search through any communications that are happening on the Internet.

Plain text is the worst possible way to transfer data that should be secured and AFAIC at this point all communications need to be secured, there shouldn't be ANY plain text communications on the Internet; plain text communications are the worst possible thing that is happening right now given what the governments are doing.

Once again, I completely, 100% disagree with your idea that self signed certificates are in any way worse than plain text, that's pure nonsense and dangerous given our times.

Re:Illegal power without Constitutional authority (1)

pilot1 (610480) | 1 year,23 days | (#44148431)

I'm sorry, but either you didn't read my post or you don't understand how SSL/TLS and public key cryptography work.

If somebody, especially government, is specifically targeting you for a MITM attack, no CA will stop them; worse, AFAIC CAs are highly suspect, CAs are a perfect target for government 3LAs to create an easy way to penetrate security.

Correct, and a self-signed certificate won't stop them either. Here's a simple algorithm to break self-signed HTTPS:
1. If HTTPS using a CA-signed certificate is detected, record the traffic.
2. Else if HTTPS using a self-signed certificate is detected, perform a mitm attack and record the decrypted traffic.

It's only secure to use trusted self-signed certificates, which is what I've been arguing for this entire time. If you use a self-signed certificate and click through the browser's warning, it's just as bad as using plain text.

In fact there cannot be a 'secure' icon on a browser if a CA is used! The only way to have the highest order of security that we can achieve right now is to install self signed certificates where we know the fingerprint and to prevent CAs from authorising anything at all on our computers.

This is why I don't think you read my post. I was careful to differentiate using "self signed certificates where we know the fingerprint" (trusted self-signed certificates) from self-signed certificates where the fingerprint is unknown. Using trusted self-signed certificates is a great idea. Using (untrusted) self-signed certificates is worse than plain text: it gives the illusion of adding security without actually adding any.

Re:Illegal power without Constitutional authority (2)

roman_mir (125474) | 1 year,23 days | (#44148541)

I saw your post, I understand what encryption is, what certificates are, what self signing is, I develop with it and use it all the time. Again, unless you are working for CAs and have a dog in this fight or you are NSA, you wouldn't want people to use self signed certificates, that's true. Otherwise it is a nonsensical irrational position to state that self signed certificates EVEN when they are not deployed manually, when the fingerprint is not checked by the end client, are worse in any way than plain text given the fact that governments are recording everything for assessment and for looking at it when time comes later.

When time comes later, the information may still be recovered if the government is really really interested in finding out what it was that you wrote there, however it's going to be much more difficult than if it was plain text, there is nothing to recover with plain text, it's out in the open.

Saying that self signed certificates are worse than plain text is either propaganda for some ulterior motive or it is an irrational position, because the end user does NOT even have to be AWARE that a self signed certificate is used!

In fact if the browser doesn't even tell the user that there is a self signed certificate, then to the user it looks like a plain text connection and maybe that's how browsers really should treat self signed certificates that are not manually authorised by the user.

Do not even bother telling the user that a self signed certificate is used, whatever. Treat it EXACTLY like a plain text connection, so that the user is not even aware that there is a self signed certificate UNLESS he goes into the properties of the page and specifically checks for that.

But doing what the browsers are doing today is in fact completely counter productive and it's done to scare people away from websites that use self signing certificates and this just may be profitable for CAs and excellent for the government spies, but it's terrible for the users.

Re:Illegal power without Constitutional authority (2)

pilot1 (610480) | 1 year,23 days | (#44148649)

... given the fact that governments are recording everything for assessment and for looking at it when time comes later. When time comes later, the information may still be recovered if the government is really really interested in finding out what it was that you wrote there, however it's going to be much more difficult than if it was plain text, there is nothing to recover with plain text, it's out in the open.

There are two scenarios here: either the government performs mitm attacks or they don't.

If they do perform mitm attacks, using an untrusted self-signed certificate is equivalent to using a CA-signed certificate in terms of what the govt can see. The govt can perform a mitm on the self-signed connection by using their own self-signed cert, and the govt can perform a mitm on the CA-signed connection by forcing the CA to give up the CA cert and signing a new cert with the CA cert.

If they don't perform mitm attacks, the govt needs the website's cert to view the traffic. This means they either need foo.com's self-signed cert or bar.com's CA-signed cert. Either way, the CA's cert alone isn't good enough.

If you don't agree with those two scenarios, please explain which details are technically correct. (I'm fairly certain that none are.)

If you do agree, then it follows that you agree that using an untrusted self-signed cert is no better than using a CA-signed cert. The secure thing to do would be to use a trusted self-signed cert; that is, a self-signed cert whose fingerprint has been verified through a secure channel.

Saying that self signed certificates are worse than plain text is either propaganda for some ulterior motive or it is an irrational position, because the end user does NOT even have to be AWARE that a self signed certificate is used! In fact if the browser doesn't even tell the user that there is a self signed certificate, then to the user it looks like a plain text connection and maybe that's how browsers really should treat self signed certificates that are not manually authorised by the user.

That browser user interface change would create a huge security hole. Consider the following scenario:
1. Alice, the user, accesses https://bank.com/ which uses a CA-signed certificate.
2. Mallory, an adversary, performs a mitm attack on Alice's connection. She replaces the CA-signed certificate with a self-signed certificate, allowing her to view all of Alice's traffic to bank.com.
With the current browser UIs, the browser would show Alice the self-signed certificate warning. Alice should see it, know she's under attack, and decide not to proceed.
With your proposed UI, the browser would show NO WARNING. Unless Alice knows that bank.com should display the HTTPS icon and notices that it isn't, she will proceed and Mallory will be able to view all of Alice's traffic.

It is COMPLETELY UNREASONABLE to expect Alice to notice that the HTTPS icon is missing. Many user studies have shown that users continue after seeing self-signed certificate warnings, which are impossible to miss and explicitly state the dangers of continuing.
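The trust decisions argued over in this sub-thread (the "record CA-signed, mitm self-signed" algorithm in #44148431 and the bank.com certificate-swap scenario in #44148649) can be made concrete. The following is an added example, written for this page rather than taken from any commenter or any project, and it shows the three outcomes a browser can reach: an untrusted self-signed cert fails chain validation (the warning), the same cert imported after out-of-band fingerprint verification passes (a trusted self-signed cert), and a substituted cert for the same name fails both the imported root and a pinned fingerprint. The hostname foo.example, the helper SelfSigned and the pin value are assumptions of the example; SelfSigned stands in for whatever cert a server or a man-in-the-middle presents in the TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SelfSigned mints a self-signed ECDSA P-256 leaf certificate for host.
// Hypothetical helper for this example: it plays the role of the cert the
// genuine server presents, and, called again, the one Mallory presents.
func SelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 of the DER encoding as lowercase hex: the value
// an operator publishes through a secure channel and a user checks before
// importing a self-signed cert.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyPinned accepts the presented cert only if its fingerprint equals the
// one learned out of band. A MITM who swaps in their own self-signed cert
// cannot produce a matching DER encoding without the original private key.
func VerifyPinned(presented *x509.Certificate, pinnedHex string) bool {
	want, err := hex.DecodeString(pinnedHex)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	got := sha256.Sum256(presented.Raw)
	return subtle.ConstantTimeCompare(got[:], want) == 1
}

// ChainVerifies mirrors what a browser does: build a chain from the presented
// cert to a root in its store and check the hostname. An empty pool models a
// store holding only CA roots, none of which signed a self-signed cert.
func ChainVerifies(c *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

func main() {
	const host = "foo.example" // hypothetical hostname
	genuine, err := SelfSigned(host)
	if err != nil {
		panic(err)
	}
	mallory, err := SelfSigned(host) // same name, attacker's key
	if err != nil {
		panic(err)
	}
	pin := Fingerprint(genuine) // verified by the user through a secure channel

	caOnly := x509.NewCertPool()
	imported := x509.NewCertPool()
	imported.AddCert(genuine) // the user imported the verified cert

	fmt.Println("untrusted self-signed, CA-only store:", ChainVerifies(genuine, host, caOnly))
	fmt.Println("trusted self-signed, imported store: ", ChainVerifies(genuine, host, imported))
	fmt.Println("mallory's cert, imported store:      ", ChainVerifies(mallory, host, imported))
	fmt.Println("genuine cert against pin:            ", VerifyPinned(genuine, pin))
	fmt.Println("mallory's cert against pin:          ", VerifyPinned(mallory, pin))
}
```

The first line of output is the case the warning exists for: the browser cannot tell the genuine self-signed cert from Mallory's, because both validate identically (not at all). Only after the fingerprint has been checked out of band and the cert imported does the genuine cert pass while the substituted one still fails, which is the "trusted self-signed" distinction pilot1 draws.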

Re: Illegal power without Constitutional authority (2, Interesting)

Anonymous Coward | 1 year,23 days | (#44148265)

How long before we find out that CAs are part of the whole spying industry also?

Re:Illegal power without Constitutional authority (0, Funny)

Anonymous Coward | 1 year,23 days | (#44148513)

You might sleep a little bit more at night if you understand that no company or government agency gives a shit what you do or say. In the end you are just a disillusioned fool who believes someone would waste the time tracking you so they can disappear you one stormy night. For a supposedly tech related site the people are showing a real penchant for ignoring the feasibility of the government actually using all the data for some nefarious purpose. The sheer volume of electronic data floating around makes computer analysis a serious bottleneck. If the automated systems flag something of interest, they are nowhere near having the manpower and time to actively follow up any suspicious data. If the government wants to investigate you they have had the means to do so even before the internet was invented, it just took longer. The call metadata collected might be useful for creating a really cool analysis of electronic communication patterns but sifting every packet in search of someone doing something anti-government is ludicrous. If you must waste time shouting about your rights being violated I would suggest you target the online companies collecting and selling your data to anyone who can pay for it.

Re:Illegal power without Constitutional authority (0)

roman_mir (125474) | 1 year,23 days | (#44148587)

No, NSA spy, I do not have a problem with COMPANIES collecting my information UNLESS it ends up in government hands.

Understand? I have a high intolerance for government, but I don't have a problem with companies that are trying to make a buck by trying to find what products to advertise to me specifically.

I do have a problem with governments and with thugs that work for them and with rare exceptions (Snowden) governments have thugs working for them. I don't need to figure out every way that I am being endangered by the government thugs collecting my information today, I only need to know that they are doing it to be against it on principle in every single case. Jews didn't have a problem with Germany until they did. In USSR you weren't the enemy of the State until you became one. Same can be said about most places on this planet, you are not a target until you are, and that's just political stuff, never mind the fact that thugs work for governments and thugs will sell my or anybody's information for personal profit and you don't actually have any legal recourse there at all unlike in case of businesses.

Governments are the enemy, businesses are not. Businesses work to earn our attention and money, governments use violence and brutal force, murder and various 'legal' means to subjugate people's rights. So fuck you and fuck all governments, hopefully we are going to move beyond the belief of a need of central government in the next few decades just like we are going to move beyond the belief of a need to have government controlling our money.

And how do we know these are legit? (0)

david.emery (127135) | 1 year,23 days | (#44147893)

It would be pretty easy to create PowerPoint with the requisite markings, logos, etc, on it and then peddle it to various newspapers.

Re:And how do we know these are legit? (1)

s1lverl0rd (1382241) | 1 year,23 days | (#44147921)

We do the only thing we can do - we trust the Washington Post have done the one thing that they're supposed to be doing, which is check their sources.

Re:And how do we know these are legit? (3, Insightful)

Anonymous Coward | 1 year,23 days | (#44148003)

Dan Rather showed what he knew to be a fake memo to smear Bush during an election. Even with overwhelming evidence that he lied, Rather continued to state that the memo was true. He finally lost his job due to this.
NBC doctored audio to show George Zimmerman is a racist; once the full audio came out their trick was shown to be an outright lie.
The CNN woman that moderated the debate between Romney and Obama outright lied in the middle of the debate to protect Obama; a week later she admitted to lying, and she was congratulated as a hero at CNN.
This week, MSNBC did a story on how the "star witness" in the Zimmerman trial did a great job and it was such a slam dunk that Zimmerman will obviously be found guilty; this should be confusing to anyone that listened to what that witness said, because the opposite is true.
ABC for their top story a week ago told about thunderstorms in DC, at the same time as the NSA information was coming out and hearings about it were going on in the Senate, but the important story was a storm in DC.

Not sure why you would assume any mainstream media would be honest at any time anymore. There are no news outlets in the USA anymore; if you think there are, you are biased and found one that only reports stories you think are true.

Re:And how do we know these are legit? (4, Insightful)

johnny cashed (590023) | 1 year,23 days | (#44147939)

They are making a big deal out of Snowden. Do you think they would do that for a bunch of BS? The guy is stuck in a Russian airport with a revoked US passport and charged with espionage. Would they do that over fake powerpoint slides?

Re:And how do we know these are legit? (1)

Richard_at_work (517087) | 1 year,23 days | (#44148043)

And how do we know that Snowden didn't construct these slides precisely to become "Assange-like" in the hope that he could create enough of a public following to become "untouchable", while actually delivering the real stuff to his handler?

In other words, making a huge public fuss was his back up plan when he got caught.

Re:And how do we know these are legit? (0)

Anonymous Coward | 1 year,23 days | (#44148087)

Feel free to prove that claim. Until you do, the more likely scenario is that this information is real.

Re:And how do we know these are legit? (2)

johnny cashed (590023) | 1 year,23 days | (#44148095)

Because Assange has it so good? This whole thing will be a case study in how not to react to leaked information. It would be funny if it didn't feel so real. Keystone Cops government reaction. Yeah, they are fake slides, whatever helps you sleep at night.

Personally, I think the declassification date is a nice touch.

LOL (3, Insightful)

toby (759) | 1 year,23 days | (#44148339)

If you think Assange is "untouchable" then the past 100 years of fascist history, and even the vaguest grasp of what your government has done and is doing, have passed you by.

Re:And how do we know these are legit? (1)

anagama (611277) | 1 year,23 days | (#44148359)

Right. Like the government has prosecuted people who claim the moon landing was false or that the face on mars was built just so it could protect its good name from conspiracy nuts.

All the government does to those people, is laugh along with everyone else.

The fact that it is prosecuting Snowden, rather than letting him have a silly foil hat rant, shows it isn't a foil hat rant.

Re:And how do we know these are legit? (4, Insightful)

anagama (611277) | 1 year,23 days | (#44147963)

It would be pretty easy to create PowerPoint with the requisite markings, logos, etc, on it and then peddle it to various newspapers.

That would explain why Biden called Correa for a personal chat, the White House is orchestrating a smear campaign directed not at the content but at Snowden and Greenwald, and it's pursuing Snowden to the ends of the earth to bring him back for "trial" (he has been indicted, you know). That all points to the obvious conclusion that Snowden photoshopped some slides? Are you daft?

Re:And how do we know these are legit? (1)

icebike (68054) | 1 year,23 days | (#44148537)

Correct.

And the Republicans, for once, are in complete agreement. It seems the only bipartisan issue that exists today is propping up the NSA.

The Democrats won't allow anything negative to blow back on Obama (not that they needed another reason to justify snooping and oversight of the unwashed masses, since their normal world view is that you need government to take care of yourself).

But the Republican party is passing up this opportunity to pin this on the democratic administration because much of this started under their watch.

It's a giant Cover Our Asses clusterfuck with not a single one of them (well, maybe a couple) looking out for our interests.

Remember this at election time. They were all briefed about this months ago and never said a word or uttered a single objection.
Every one of them, no matter how dear to your political leanings, has to be thrown out.

And DON'T BE THAT GUY, the useful idiot that parrots the nonsense about needing this to prevent terrorism. Look at the Boston Marathon, and ask yourself how well this morass of spying did at protecting us from that, even after the RUSSIANS handed us those guys well in advance.

Re:And how do we know these are legit? (3, Informative)

gl4ss (559668) | 1 year,23 days | (#44148019)

It would be pretty easy to create PowerPoint with the requisite markings, logos, etc, on it and then peddle it to various newspapers.

because the response the gov. took about them... they started arguing about how it is necessary for them to do this. that's how we know.

Re:And how do we know these are legit? (1)

number11 (129686) | 1 year,23 days | (#44148041)

It would be pretty easy to create PowerPoint with the requisite markings, logos, etc, on it and then peddle it to various newspapers.

That is true. I think you've got to use how the government is reacting as an indicator. If this was just some loon who'd made up a few bogus powerpoint slides, would Joe Biden be calling Ecuador to suggest that they shouldn't let him in? I guess maybe if it was a major disinformation campaign on the part of the government, but it's hard to think of why they'd do that. And now they've got the EU pissed off, too.

Re:And how do we know these are legit? (3, Funny)

achbed (97139) | 1 year,23 days | (#44148049)

But you have to be a true artist to design a powerpoint deck that horrible. Only Government types invest that kind of effort.

Re:And how do we know these are legit? (0)

Anonymous Coward | 1 year,23 days | (#44148149)

Don't worry about it David - go back to sleep!

Re:And how do we know these are legit? (1)

ArcadeMan (2766669) | 1 year,23 days | (#44148569)

We know those are legit because they're ugly as hell. Seriously, whoever did these slides has zero artistic abilities.

Meanwhile, in tech HQ's across America (0)

Anonymous Coward | 1 year,23 days | (#44147955)

The current hot question in the executive conference room is, what can we do to get on the list of SSO's?

Lies and very very serious problems (4, Insightful)

Anonymous Coward | 1 year,23 days | (#44147993)

Lies, Facebook in particular lied about this, even as Obama was confirming it and claiming a [non-existent] warrant is needed to access this data:
"The search request, known as a “tasking,” can be sent to multiple sources — for example, to a private company and to an NSA access point that taps into the Internet’s main gateway switches. A tasking for Google, Yahoo, Microsoft, Apple and other providers is routed to equipment installed at each company. This equipment, maintained by the FBI, passes the NSA request to a private company’s system. Depending on the company, a tasking may return e-mails, attachments, address books, calendars, files stored in the cloud, text or audio or video chats and “metadata” that identify the locations, devices used and other information about a target."

I don't care about the pathetic protections put in place for Americans, I'm not American. I care that these services hand my data to a military structure that works against me. Worse, they inevitably turn America into a dictatorship.

"Before an analyst may conduct live surveillance using PRISM, a second analyst in his subject area must concur. "
So any boss that oversees 2 analysts can spy on Americans, simply because he can order 2 of them to concur. And the big boss, General Alexander can even waive this, because its HIS policy not law, i.e. no protections at all.

You want to fix this? Well try running for President and sacking the NSA chief. He'll have record of every mistake you've made, detailed knowledge of who backs you, the campaign team, private communications, strategies, everything. They've made a dictator and people like Dianne Feinstein are so stupid and incompetent they can't see why they've done so much damage.

Completely flipping the system in secret, the system that's kept the US a democracy for the longest time any democracy has survived so far. Those little shits just threw it away.

Re:Lies and very very serious problems (1)

gl4ss (559668) | 1 year,23 days | (#44148197)

Obama was only speaking about americans when he said that you need a warrant. that's where the 51% probability comes from, so some dude has to think that there's 51% probability that someone is a foreign national on foreign soil and therefore they can SPY ON HIM INSIDE USA from american servers ;)DDSSAFSD.

WA or DC? (2)

seyyah (986027) | 1 year,23 days | (#44148015)

I'm just a dumb Canadian... Is WA ever used for Washington DC?

Re:WA or DC? (0)

Anonymous Coward | 1 year,23 days | (#44148029)

You could google the answer. Oops, sorry.

Re:WA or DC? (1)

mcgrew (92797) | 1 year,23 days | (#44148119)

No. WA is always Washington state, DC is the District of Columbia; Washington, DC is not in any state. WA is a postal code, like IL is Illinois and FL is Florida.

Re:WA or DC? (1)

vux984 (928602) | 1 year,23 days | (#44148227)

While "WA Post" is rather ... odd, its frequently abbreviated to WAPO.

In fact, google for wapo and the first result is the Washington Post site. Wikipedia redirects wapo to the article about the Washington Post.

Etc.

Re:WA or DC? (2)

hydrofix (1253498) | 1 year,23 days | (#44148159)

I was also baffled by the headline. Though speaking as a non-American, I have still never seen "WA Post" being used for "Washington Post", and deciphering the meaning took a while. This usage seems very original, and is probably erroneous, as "Washington" in "Washington Post" does not refer to Washington state.

Re:WA or DC? (1)

Guppy06 (410832) | 1 year,23 days | (#44148161)

I love it when people try to show themselves as clever and end up showing the complete opposite.

Re:WA or DC? (1)

93 Escort Wagon (326346) | 1 year,23 days | (#44148173)

I'm just a dumb Canadian... Is WA ever used for Washington DC?

No it isn't - WA is the official US Post Office abbreviation for the State of Washington, which incidentally is where I live (so I've written or typed it thousands of times in my life).

Re:WA or DC? (1)

xenoc_1 (140817) | 1 year,23 days | (#44148203)

Correct, and the GP, Happy Canada Day.

The OP should either have used the commonly understood abbreviation, "WaPo", for the Washington Post, or used perhaps, "Wash. Post" which is a correct-US-English, though not US Postal Service, abbreviation for Washington, D.C.

"WA Post" makes it seem it might be out in Tacoma or Spokane or thereabouts.

Re:WA or DC? (1)

anagama (611277) | 1 year,23 days | (#44148273)

"Wash." used to be the postal code for WA before we went to two letter abbreviations. I'm surprised though that people are having such a hard time reading this (well, I can understand non US based people not getting it, but anyone in America who doesn't must lead an incredibly hard life, being so literal and all).

Or maybe it is just that I live in Washington State, and it rankles me whenever I hear people say "Washington" when they mean "Washington DC".

I live in the real Washington, the one with trees and mountains sticking out of it. That city in the east though? We call that Mordor out here. (*)

(*) Paraphrased from a Utah Phillips show.

Re:WA or DC? (1)

anagama (611277) | 1 year,23 days | (#44148595)

Usually I hate Slashdot tangents, especially pedantic ones, but this one got me looking at some Utah Phillips stuff on Youtube.

http://www.youtube.com/watch?v=U0f-mlwaGcE

That is from Amy Goodman's interview with him before he died. Interestingly, he talks about the prosecutions under the Espionage Act of labor organizers (Phillips was a Wobbly) around WWI toward the end of that segment. http://en.wikipedia.org/wiki/Palmer_Raids

J. Edgar Hoover was involved in those.

Anyway, this tangent on "WA Wash Washington" seems to have made a 180 back on topic, at least for me.

Re:WA or DC? (0)

Anonymous Coward | 1 year,23 days | (#44148181)

As a DC native I can say, this was the first time I've ever seen WA used for the capital city. Locals call it DC, political-types and tourists call it Washington. Seems naive or lazy to use the state abbreviation. C'mon, timothy; be an actual editor.

PRISM case notations (0)

Anonymous Coward | 1 year,23 days | (#44148501)

I'm a little disappointed that the elite hackers at the NSA had not learned the lessons of Y2K and are still using 2 digits to denote years in the case notations.

Advanced pedantry.. (1)

faedle (114018) | 1 year,23 days | (#44148565)

WA is the abbreviation typically associated with Washington State, not the city of Washington, D.C.

Wash. Post is the more commonly accepted abbreviation of the newspaper based in Washington, D.C.
