The NSA and the GCHQ have compromised much encryption used on the internet through a potent mix of technological theft, spycraft, and collaboration with major technology companies, according to new reports. In a series of news articles that highlight how the code-breaking crypto-fiddling agencies NSA and GCHQ are doing their …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Page:

1. 1. Friday 6th September 2013 06:03 GMT sunnyskies
    
    Re: GCHQ are doing their job
    
    Indeed.
    
    When Hermann Goering formed the Gestapo in the early 1930s, he stated that "he who is of good-will has nothing to fear from the secret State police". He did not deny that mail was being opened, telephones tapped and "disaffected persons" being shadowed.
    
    10 0
    1. Saturday 7th September 2013 03:55 GMT amanfromMars 1
      
      @sunnyskies Re: GCHQ are doing their job
      
      Indeed.
      
      When Hermann Goering formed the Gestapo in the early 1930s, he stated that "he who is of good-will has nothing to fear from the secret State police". He did not deny that mail was being opened, telephones tapped and "disaffected persons" being shadowed. .....sunnyskies Posted Friday 6th September 2013 06:03 GMT
      
      Quite so. However, the corollary of that may not be so true, sunnyskies ...... "Secret State police have nothing to fear from they of good-will"
      
      Indeed, it may very well be that they have everything to fear from that which they ignore and/or dismiss and become so terrified and terrorised by events they monitor and mentor to become paralysed and useless in every form of their being.
      
      0 1
2. Thursday 5th September 2013 23:45 GMT Apdsmith
  
  Re: GCHQ are doing their job
  
  Dephormation,
  
  I suspect the answer to your question is "When it became easier to treat us *all* like criminals than think about targeting specific individuals."
  
  My worry is the old Franklin quote - I suspect that although hoovering up every damned thing has been sold to The Powers That Be as cheaper than performing competent analysis (not that I'm qualified for such, but that's not the point) it's actually not as effective as believed, leaving us all worse off for very little benefit.
  
  Which to be fair would be about par for a government program conducted in utmost secrecy.
  
  Ad
  
  10 0
3. Friday 6th September 2013 10:50 GMT MrXavia
  
  Re: GCHQ are doing their job
  
  I seriously doubt they are bothering to MITM attack everyone, and the 'black boxes' that idiot MP wanted are not implemented (YET) so no need to get TOO paranoid yet.. and while I get WHY they want to just grab it all into a DB, it does not mean we should be doing it.. We in this country started modern democracy and freedom, we should honour it by not eroding freedom!
  
  As famously was said by Ben Franklin..
  
  Those who give up their liberty for more security neither deserve liberty nor security
  
  2 0
4. Friday 6th September 2013 21:43 GMT Intractable Potsherd
  
  Re: GCHQ are doing their job @dephormation
  
  It is becoming clear that the powers that be are very frightened of the population. We *are* "the adversary" from their point of view.
  
  2 0
Thursday 5th September 2013 22:24 GMT Anonymous Coward

Backdoors in systems you say ?

Now I wonder if that includes Windows ?

Bet your ass it does.

Glad I use Linux.

Smug Mode.

3 7
1. Thursday 5th September 2013 22:25 GMT Anonymous Coward
  
  Re: Backdoors in systems you say ?
  
  Yes, you're perfectly safe with Linux. Sleep tight, sweet dreams.
  
  14 1
2. Thursday 5th September 2013 22:54 GMT Anonymous Coward
  
  Re: Backdoors in systems you say ?
  
  Don't forget that even if you use Linux pr other allegedly trustworthy software, if you're running it under a hypervisor and your hypervisor is part of the NSA Fan Club, whatever is in memory on your Linux box is, in principle, visible to the NSA.
  
  Also, anybody know what's *really* inside vPRO/AMT etc?
  
  4 0
3. Thursday 5th September 2013 23:46 GMT Dan 55
  
  Re: Backdoors in systems you say ?
  
  You're right to be aware of OSes by corporations which have received money from the alphabet agencies, but Linux isn't the panacea...
  
  http://www.theregister.co.uk/2008/05/21/massive_debian_openssl_hangover/
  
  http://www.theregister.co.uk/2009/08/14/critical_linux_bug/
  
  http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/
  
  http://www.theregister.co.uk/2010/08/19/linux_vulnerability_fix/
  
  http://www.theregister.co.uk/2010/09/15/linux_kernel_regression_bug/
  
  http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/
  
  http://www.theregister.co.uk/2012/09/14/crime_tls_attack/
  
  http://www.theregister.co.uk/2012/10/18/ssl_security_survey/
  
  http://www.theregister.co.uk/2013/08/02/breach_crypto_attack/
  
  Who checked in the code for these long-running bugs, I wonder.
  
  5 0
  1. Friday 6th September 2013 13:44 GMT Ian Reissmann
    
    Re: Backdoors in systems you say ?
    
    Gosh: open source has bugs ?!
    
    The point many people (such as Bruce Schneier) are making is that NSA are probably relying on things like back doors and poor security practices to ensure they can breach people's privacy. Open source is much less likely to be vulnerable to these as we know what goes into open source.
    
    1 0
4. Friday 6th September 2013 02:48 GMT tom dial
  
  Re: Backdoors in systems you say ?
  
  It may or may not include Windows 7 (or 8). It almost surely includes Cisco routers. See:
  
  https://www.rfc-editor.org/rfc/rfc3924.txt
  
  2 0
5. Friday 6th September 2013 05:29 GMT Anonymous Coward
  
  @AC
  
  You do realize that a project, enabled by default in the kernel, is called SE Linux and it originates from the NSA itself.
  
  You were saying?
  
  FreeBSD suddenly became so much more appealing...
  
  0 4
  1. Friday 6th September 2013 06:40 GMT Charles 9
    
    Re: @AC
    
    You do realize that by making it a LInux instead of say a BSD the code must be open-sourced (GPL license requires it) and able to be analyzed. And the links of the chain needed to produce the kernel from source (like the compiler) could be obtained from places outside US control. SELinux was something they put in for their OWN benefit, to cover their OWN butts, because as the article notes, anything used here could be turned against them. Thing is, SELinux is a rather complicated way of doing things (no root user), so it's not for everyone.
    
    2 0
  2. Friday 6th September 2013 08:46 GMT Paul Crawford
    
    Re: @AC
    
    The whole point about SElinux (or apparmor, for that matter) is to deal with the problem of internal trust between processes that run with root privileges, or (like web browser or PDF reader) are likely attack routes. That is a big problem in ANY computer system. It is open sourced, so you or anyone else can check it!
    
    Like the fools who say AES is back-doored because the US use it, it completely misses the point. They want good security for themselves and US gov, as much as they want to break others, as they know Russia, China, etc will be doing the same in return.
    
    1 0
    1. Saturday 7th September 2013 18:30 GMT robmobz
      
      Re: @AC
      
      The old problem between COMSEC and SIGINT.
      
      If you can read it then so can they but if they cannot read it then neither can you.
      
      0 0
Thursday 5th September 2013 22:31 GMT Frank Rysanek

clean OS and hardware is possible

I believe Linux is generally pretty safe against spyware. That would be a good plaform for an endpoint OS, getting rid of keyloggers and the like. As for clean hardware... suppose that Intel's on-chip IPMI/AMT is compromised. Suppose that the AMT-related autonomous backdoor exists even in Intel CPU and chipset variants that do not openly support AMT (for the sake of sales segmentation). There are other brands of CPU's, without inherent support for IPMI/AMT. And, based on what I've seen so far, I don't think such a backdoor would be very useful and reliable, given how buggy IPMI/AMT is...

2 0
1. Friday 6th September 2013 01:26 GMT Don Jefe
  
  Re: clean OS and hardware is possible
  
  Be that as it may, it amounts to fuck all if everything coming and going to the clean OS and hardware is wide open to surveillance. Save yourself some money and hassle and just buy NSA Compliant COTS gear with a decent warranty.
  
  0 0
Thursday 5th September 2013 22:35 GMT Anonymous Coward

Hmmm........... SELinux not so SE, then?

And I thought Bamford had gone bonkers when he recently said crypto was broken.

I understand someone wants to have a quick noisy shufty in Arabia to bury this news...

2 0
Thursday 5th September 2013 22:38 GMT Destroy All Monsters

Dat Citation!

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

"Knowledge that GCHQ exploits these products and the scale of our capability would raise public awareness generating unwelcome publicity for us and our political masters."

Yesss, master....

Oh well, time to short cloud providers, then.

5 0
Thursday 5th September 2013 23:00 GMT h3

So the real problem with Huawei / ZTE was that they wouldn't agree to this sort of thing.

18 0
1. Friday 6th September 2013 07:23 GMT Suricou Raven
  
  Or a simple assumption that if the NSA is resorting to pressuring American manufacturers into the use of backdoors, then it's likely their Chinese counterparts are doing exactly the same.
  
  2 0
Thursday 5th September 2013 23:19 GMT Anonymous Coward

How charming!

I haven't read the NYT article, but CNBC has a really good piece on this that lists Snowden-leaked NSA/GCHQ documents revealing:

1. How they use their position to water down/penetrate encryption standards as they are made

2. How they occasionally work with hardware manufacturers to ship back door-laden gear being sold to "targets of interest" (You've got a Dell! It's the same one that Kim Jong-Un ordered!!)

3. How the GCHQ is working towards penetrating 300 VPN streams

4. How the NSA's program to help IT product/service providers validate the security of their offerings is also used to engineer NSA-friendly vulnerabilities into those offerings

5. How the NSA got slapped down in their effort to openly insert a trap door into IT gear with their 90s "Clipper chip" program, and has since been working on a multi-pronged approach to do the same thing surreptitiously.

It's a good read:

http://www.cnbc.com/id/101012478

LYING BASTARDS!!!

6 0
Thursday 5th September 2013 23:29 GMT XioNYC

Change of tactics

As the NYT noted "Many... rely on such protection every time they send an e-mail, **buy something online**... use a phone or a tablet on a 4G network." (emph. added).

If you want better privacy, start arguing that the NSA is impeding free trade.

5 0
1. Friday 6th September 2013 00:11 GMT Don Jefe
  
  Re: Change of tactics
  
  The financial impact argument is already building steam over here in DC. Even some of the usual government is always good toadies I deal with have talked about "privacy specific" briefings and sales seminars where they're being instructed on how to address clients concerns about US government access to data in their products.
  
  Of course they all blame Snowden for making their sales jobs harder. Not the government for doing it in the first place. Jackasses.
  
  12 0
Thursday 5th September 2013 23:59 GMT dan1980

What baffles me is that this work is not done by politicians or generals or bureacrats, it's done by IT people.

Now, sure, much of the problem is with the government co-opting mainstream tech companies to force them to use their talent pool to work for the NSA (effectively) but surely much of the unpalatable spying is being effected by IT people hired by and working directly for the NSA - with knowledge of what they are doing.

Right?

How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else? Is it that they go in with an attitude that they will make sure they stay ethical and then just slide? Or are there really enough people who actually believe this is a good thing?

3 0
1. Friday 6th September 2013 05:54 GMT Anonymous Coward
  
  @dan1980 23:59
  
  "What baffles me is that this work is not done by politicians or generals or bureacrats, it's done by IT people."
  
  Why? 5 minutes looking at the OS/mobile phone/processor/anything arguments on The Reg's forums shows that IT people have strong opinions at both ends of an argument. It's no doubt the same for ethical/legal concerns, too.
  
  Plus, presumably people in the spook world get to play with some cool tech. Geek goggles might make the job more attractive. And in the current climate, having a job at all ...
  
  0 0
2. Friday 6th September 2013 06:44 GMT Anonymous Coward
  
  "How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else? Is it that they go in with an attitude that they will make sure they stay ethical and then just slide? Or are there really enough people who actually believe this is a good thing?"
  
  You don't think a threat of a company getting tagged for ESPIONAGE wouldn't hurt them? If you make an algorithm you can't crack, we have to assume you're helping THE ENEMY (their thought, not mine).
  
  0 0
3. Friday 6th September 2013 07:27 GMT Suricou Raven
  
  Some of them might me genuine paranoid patriots, believing that the NSA's spying ability is essential to preserve the safety of their country.
  
  Others might be in it for the money. Well-paid work is hard to find. Do you want to respect freedoms for all people, or do you want to pay the rent? Choose.
  
  0 0
4. Friday 6th September 2013 07:58 GMT Anonymous Coward
  
  How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else?
  
  I would suggest that they are maybe the best and brightest of those who are willingly to destroy the privacy and freedoms of everyone else in order to play with cool technology.
  
  The best and brightest engineers may actually be engaged in other, more socially useful, activities.
  
  2 0
5. Friday 6th September 2013 08:48 GMT Anonymous Coward
  
  Getting paid shed loads to fight the enemy. That's the usual pitch.
  
  2 0
6. This post has been deleted by its author
7. Friday 6th September 2013 12:55 GMT Anonymous Coward
  
  because it is fun and challenging.
  
  That's why.
  
  0 0
8. Friday 6th September 2013 21:53 GMT Intractable Potsherd
  
  @dan1980
  
  Obviously, it isn't just Google that has "rogue engineers" ...
  
  0 0
Friday 6th September 2013 01:00 GMT dssf

Section 31 of the FUture might be impressed with its PAST

Which is our PRESent....

Just because I'm paranoid doesn't mean they're NOT watching...

That will become the normalized sentence....

1 0
Friday 6th September 2013 01:05 GMT dssf

This'll kill a lot of erections..

Imaigine how many of those m4m sites and phone apps must have a$$load$ of automated agents and the occasional "sampling" human in them. They could be in there just wasting time of those dripping like a dog looking for someone who'll never respond.

Your sex chats/quest are being enterrupted to prevent acts you WOULD have committed....

Of course, if that is real, then the NSA and GCHQ will be literal cock-blockers impeding flow of goods and services, hahahah

0 0
1. Friday 6th September 2013 01:32 GMT Don Jefe
  
  Re: This'll kill a lot of erections..
  
  Man, I've got no idea what you're wanting, but if you take your list of demands to amanfrommars and have him relay the information to us in a human readable format someone here might be able to help you.
  
  8 0
Friday 6th September 2013 01:49 GMT Schultz

Back doors

So now we know why the US is so afraid of possible back-doors in Chinese hardware. They probably succeeded to get their own bask-doors installed and realized that when they can do it, others can do the same.

Maybe 'trust' will become an important factor in the future of electronic manufacturing. How to ensure that the infiltrated NSA, GCHQ, or Chinese agent can't subvert the hardware or software of the whole company? How to reassure the customers about it?

Companies like Kapersky might be able to offer code audits (are they independent enough?), small companies could start building simple but secure devices for communication, things will get much more complicated that they are today. Welcome to the future of the internet -- thanks, NSA, for robbing our delusions about the internet we have.

1 0
1. Friday 6th September 2013 05:55 GMT T. F. M. Reader
  
  Re: Back doors
  
  "Companies like Ka[s]persky might be able to offer code audits (are they independent enough?)"
  
  They are Russian - what do you think? No, I do not mean to disparage them, they may be decent people, but it is even easier to exert pressure on a company in Russia than in the US/UK.
  
  1 0
2. Friday 6th September 2013 07:28 GMT Davehhhhh
  
  Re: Back doors
  
  Good point - we worry about the NSA snooping on journalists with this tech (especially after the UK Home Secretary said it was OK to use terrorist legislation to get data off David Miranda) but of course there are powerful governments with a poor track record on human rights who could already be exploiting these back doors and no doubt in time some of the many contractors will roll off these programs into private security consultancies who work from some rather dubious regimes around the world.
  
  The next time there are reports of journalists or dissidents being tortured or murdered in Russia, China or some repressive Middle East state perhaps the people arguing that this program to systematically undermine the security of the internet is just for bad guys will stop and wonder how those journalists and dissidents came to be compromised.
  
  1 0
Friday 6th September 2013 02:53 GMT Mikel

On trusting trust

Don't.

1 0
1. Friday 6th September 2013 05:55 GMT jake
  
  @Mikel (was: Re: On trusting trust)
  
  Indeed. See mine from April 2009:
  
  http://forums.theregister.co.uk/forum/containing/470655
  
  0 2
Friday 6th September 2013 03:10 GMT json

Which begs the question..

we cant really be anonymous even with comments here right?

1 0
1. Friday 6th September 2013 05:57 GMT Anonymous Coward
  
  Re: Which begs the question.. @json 03:10
  
  "we cant really be anonymous even with comments here right?"
  
  That's always been my presumption.
  
  "Anon, for obvious reasons" - always makes me snort.
  
  Oh, I was going to say it should be "raises the question", but on second thought realised you're right :)
  
  0 0
  1. Friday 6th September 2013 07:15 GMT Anonymous Coward
    
    Re: Which begs the question.. @json 03:10
    
    "Anon, for obvious reasons" - always makes me snort."
    
    Ditto, but the anon icon merely makes it difficult to know who posted something on here, it does not hide your ID from site admins/NSA etc etc. It is a smoke cloak and nothing more.
    
    More irksome is its use when someone says something a bit risqué or inflammatory then hides behind anon.
    
    Cowards.
    
    2 0
    1. Friday 6th September 2013 08:28 GMT Anonymous Coward
      
      Re: Which begs the question.. @json 03:10
      
      I got a complete de haut en bas telling off from an AC the other day.Personally I feel that I may be not the nicest person out, but if I felt the need to hide behind AC, I shouldn't write it.
      
      0 0
      1. Friday 6th September 2013 10:10 GMT WaveyDavey
        
        Re: Which begs the question.. @json 03:10
        
        "De haut en bas" - I consider myself pretty literate, but that was a new one to me - what a lovely phrase. Added to vocab store - thank you.
        
        0 0
        
        Friday 6th September 2013 11:05 GMT Anonymous Coward
        
        Re: Which begs the question.. @json 03:10
        
        Thank my French teacher.
        
        0 0
  2. Friday 6th September 2013 10:22 GMT Anonymous Coward
    
    Re: Which begs the question.. @json 03:10
    
    Posting as AC is only marginally effective anyway. It only takes a few minutes to determine who it is (whose handle anyway) with a high level of confidence.
    
    I've also always wondered why AC's always use the Fawkes mask instead of any icon they want. I've sent a few emails to El Reg about both things but never heard anything back.
    
    0 0
    1. Friday 6th September 2013 13:00 GMT Anonymous Coward
      
      Re: Which begs the question.. @json 03:10
      
      Don't tell me! You just send an email to the site editor and ask 'Who posted the anon comment on 6 Sep 2013 at 10:22?" Now that's a back door.
      
      1 0
    2. Friday 6th September 2013 13:01 GMT richard 7
      
      Re: Which begs the question.. @json 03:10
      
      AC's can only use the mask, all other icons are unavailable to them. Try an AC post, dont even need to post, the icons get greyed out.
      
      0 1