Interested to know if BT have given them access to 'private' circuits too.
As for other crypto...
Could be tinfoil hat gibberish, could be real. We need the government to tell us what is going on within our shores.
The NSA and the GCHQ have compromised much encryption used on the internet through a potent mix of technological theft, spycraft, and collaboration with major technology companies, according to new reports. In a series of news articles that highlight how the code-breaking crypto-fiddling agencies NSA and GCHQ are doing their …
"Could be tinfoil hat gibberish, could be real. We need the government to tell us what is going on within our shores."
Nothing is happening. Nothing at all. All is good. We are your friends. We're here to protect you from the big bad world. Don't worry your pretty little heads about it. All is good.......
If BT haven't given GCHQ access to private circuits, it's only because GCHQ isn't interested in whoever is using those circuits.
BT might be a private company* now, but they used to be part of the government and it's sensible to assume that the government has access to any part of BT and its infrastructure (for which read: the majority of the infrastructure in the UK) whenever it wants.
Not to mention that a significant fraction of global internet data flows through UK based hardware, and why would the government NOT want access to that too?
* or rather, several companies
Whenever one is told and realises that there are no private circuits, and the tale told above boldly goes and suggests that such is so and has been for more than just a short while, is everyone's information and shared transferrable thoughts, freely available to any system intelligently designed to listen and metadatabasemine content/SIGINT for intelligence streams which may be of critical and/or strategic and/or tactical import and of overwhelmingly powerful and unbelievably valuable and/or costly export potential. But if the listeners do not possess and exercise the intelligence needed to take advantage of what they have been told/been listening to, is the advantage automatically immediately bestowed upon that which is missed and/or ignored and it be a wanton vulnerability for endless zeroday exploitation ..... and future fortune making for that and those especially adept in its disciplines/IT Fields/AI Methodologies with Virtualised Technologies.
The following is sitting pending on a number of spooky desks and tests for necessary intelligence in beings that imagine they and IT lead and the world and his dog and its dogs of war follow .......
Attacks from software bugs and computer viruses target computer devices such as servers, firewalls, desktops, laptops and smart phones. The government owns many such devices. Attacks include gaining unauthorized access, denial of service, malicious code insertion or password cracking. Hackers and other cyber criminals employ the Internet as a delivery means. Such attacks have a limited scope and therefore are seen as carrying geographically containable security risks. … http://cryptome.org/2013/09/dod-internet-vuls-cyberspy.pdf
All SMARTR HeroICQ Environment Operations/CyberIntelAIgent Exploits and Virtual Reality Sorties which can be perceived and mistaken and misunderestimated and classified way above Top Secret/Special Compartment Information and Strictly Need to Know, …. and which are in both true fact and fabulous fiction, a Quantum Communication Offer for/from States of Being[s] with Instant Server Provision of Sublime InterNetwork Supply with FailSafe Monumental Guarantees that Protect One with an Ever Increasing and Reinforcing and Empowering Sanity in Surroundings Dealing Debilitating Madness in Forever Failing Systems of Secretive Falsehoods …… need only target the weak human link, no matter how strong and/or smart that link may be supposed to be in cases, which be fixed twixt keyboard and screen/instruction device and virtually programmed machine interface, to gain unfettered pirate and unknown private access to all systems of command and control, whether SCADA or not.
Such attacks are unlimited in scope and unhindered and deliver uncontainable security risk and Advanced Information to IntelAIgents and Assets within Active Stealth ProgramMING* for Greater CyberIntelAIgent Games Plays from Global Communications Heads Quarters.
* … Active Stealth Program Mind Infiltration Network Games …. NEUKlearer HyperRadioProActive IT….. a Novel and Noble Transparency …… AI@ITsWork and on Stirring Sterling Special Stirling Super Source Missions.
Denying it be so and not a current present enigmatic dilemma to be serviced and servered/stealthily engaged with and silently delivered of its future feeds/seeds/needs, does not alter the fact but it does provide instruction in the best direction in which to proceed and to whom is supply most likely best appreciated.
We need the government to tell us what is going on within our shores.
And how would we verify their claims?
Proving you do have knowledge of a secret is relatively straightforward, even with various constraints.[1] Proving you don't have such knowledge is rather more difficult. And it's vanishingly unlikely that any government would ever even worry about making a convincing argument to that end. Some of the populace would believe an unsupported denial; some would never be convinced no matter what statement the government made or evidence it offered. The remaining portion of the electorate is likely to be too small to be of any concern to officialdom.
[1] For example, if you want to prove knowledge of the secret without revealing the secret, there are often suitable protocols built around cryptographic primitives such as MACs and ZKPs.
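The footnote's MAC case, as an added example that is not part of the original comment: a challenge-response exchange in which the prover answers a fresh random nonce with HMAC-SHA256 keyed by the secret. The verifier, who must hold the same secret, recomputes the tag; the tag itself reveals nothing about the key, a guessed key fails, and a captured tag cannot be replayed against a new challenge. Unlike a true ZKP this needs the verifier to know the secret too. The value of `sharedSecret` is constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sharedSecret stands in for a key both sides already hold (constructed for
// this example; provision a real one out of band or via key agreement).
var sharedSecret = []byte("example-shared-secret-not-for-real-use")

// NewChallenge draws a fresh 32-byte nonce. A repeated or predictable
// challenge would let an eavesdropper replay an earlier proof.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Prove answers the challenge with HMAC-SHA256(secret, challenge). The tag
// shows the prover holds the secret but does not reveal the secret itself.
func Prove(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// Verify recomputes the expected tag and compares in constant time.
func Verify(secret, challenge, proof []byte) bool {
	return hmac.Equal(Prove(secret, challenge), proof)
}

func main() {
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	proof := Prove(sharedSecret, challenge)
	fmt.Println("challenge:", hex.EncodeToString(challenge))
	fmt.Println("proof:    ", hex.EncodeToString(proof))
	fmt.Println("verifier accepts genuine proof:", Verify(sharedSecret, challenge, proof))
	fmt.Println("verifier accepts guessed secret:", Verify([]byte("guess"), challenge, proof))
	// A captured proof is useless against the next challenge.
	next, _ := NewChallenge()
	fmt.Println("verifier accepts replayed proof:", Verify(sharedSecret, next, proof))
}
```

The constant-time comparison matters: a byte-by-byte early-exit compare would let a remote prover recover the expected tag one byte at a time by timing.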
In other news, the likes of the CIA and NSA face an ever bigger problem of dealing with internal threats thanks to employees working for them that have connections to Al-Qaeda (even though the interview process presumably involves looking into their background).
So much so that they're spending millions of dollars on it apparently.
Holy shit! 1 out of 5 job applicants with backgrounds warranting further investigation were found to have links to terrorist or hostile forces. 1 out of 5? That sounds abnormally, insanely, ridiculously high. If there are that many terrorists who straight up apply to the NSA/CIA then there's bound to be some who get through and are currently employed there.
What it really sounds like is paranoid overreach: finding terrorists behind every leaf, berry and shrub, which is insanely dangerous. Well-funded paranoid people are far, far more dangerous than a regular dangerous person.
I say the safest, most economical solution is to take off and nuke the lot of them from orbit: it's the only way to be sure.
I'm surprised it isn't higher even going by direct familial ties, since it isn't hard really. Regardless of my surname I'm part (not quite half) Irish and little more than a cursory look at the family tree will show a link to the IRA. The Japanese part will undoubtedly find a link to the scourge element circa WW2 who were imprisoned/interned in the US, and to top it all off, the father-in-law is a Korean War vet from about the 35th parallel, check the map if you have to. Add it all up and you've got solid links to terrorist or enemy forces and I don't doubt for a minute that a thorough scrubbing won't find worse.
Hell, even JFK would qualify as one in five by that measure.
Wilson kept us out of Vietnam (for which alone he should stand as one of the greatest Prime Ministers of the 20th century), but a conspiracy theorist might suggest that as a result we got less than enthusiastic support over either the IRA or the Falklands. If by "less than enthusiastic" you include actively allowing the IRA to collect money in places like Boston. By "actively allowing" I mean "with the co-operation of the police", who took a former colleague of mine into "protective custody" when he objected.
Perhaps we should watch out for the US Marines scaling Gibraltar to give it to Spain.
Yes, but do you plan to overthrow the government of the United States by violence? .... ribosome Posted Friday 6th September 2013 08:17 GMT
All governments have problems nowadays, and forever more into the foreseeable future, because they are easily overthrown without violence and with intelligence which cannot be countenanced and countered/identified and denied.
And to be a right dodgy wannabe puppet master and failed government leader and to actively resist and persist in political office with the proposing and clandestine planning of violence on the agenda, makes one a person of foreign intelligence interest and most likely a terrorist wannabe too, no matter how unlikely that be officially and officiously spun in an opposite direction? That would then render one an unsavoury attraction and unnecessary distraction to be classified in/by intelligence circles/chiefs as a legitimate target for prime executive action and removal from the scenery .... and the Great Game Space Place.
"are they saying here 1-in-5 applicants knows someone who knows someone who knows someone who once went to a radical Mosque somewhere?"
Among applicants for Arabic translation jobs, I would expect a far higher ratio.
@Vimes, the article doesn't mention Al-Qaeda links, but "hostile intelligence services and or terrorist groups", which probably includes journalists in their eyes.
Easy to do.
Let's use GCHQ as an example.
Been there, know what they are about. I knew quite a few workers and ex-workers. One of my best friends worked there; they know who I am as a real person, I am not a risk (he had been reported due to a prank and I was mentioned, demonstrating his electronics skills). Let's just say I have a video tape of me standing on a gate holding a TV aerial pointing at my home, and the tape never left my home.
Now at work we recently took on a Pakistani chap; he knows a few dodgyish people just by being from there.
Now would that be considered a risk?
Here no - none whatsoever.
"What defines a 'link'? I think American laws allow detailed searches on friends of friends of friends. So are they saying here 1-in-5 applicants knows someone who knows someone who knows someone who once went to a radical Mosque somewhere? That I could believe."
In fact if you read the autobiography of one ex spook they look to recruit such people as assets
It's the whole six-degrees-of-separation thing. Someone who knows "everyone" knows someone who knows someone who can introduce them to their person of interest.
"So are they saying here 1-in-5 applicants knows someone who knows someone who knows someone who once went to a radical Mosque somewhere?"
Presumably particularly true if you're trying to recruit young male Muslims, who by definition would be the most useful assets to acquire. Kind of like trying to sign up young male Catholics in Belfast or Derry during the '80s and then rejecting everyone who ever lived in the same street as / went to school with / was related to a Provo...
There was an incident years ago where one of the many churches in the US hired a European construction company for their new building - Swedish, I think? In accordance with their ancient custom, they hoisted a tree to the top of the building upon completion. It's an old ritual for good luck, originating in pagan customs many centuries ago, and continued for the sake of tradition. The church owners were not approved: They refused to pay, claiming the pagan ritual had desecrated the church and made it unfit for purpose.
It is ridiculously high, but it's no doubt as you said that a combination of paranoia and being able to do such far-reaching network checks tends to throw up many, many false positives.
Bob Dylan had a song about this. Check out his "Talkin John Birch Blues":
OK, it was Communists then, Terrorists now, but plus ça change ...
Exactly why is it "ridiculously high"? The value to a spy of employment at CIA, DIA, NSA, FBI, DHS or others, whether alQaida or other, would be extremely high, and numerous attempts should not be a surprise. Other matters such as poor financial habits and undisclosed sexual activities and preferences that could lead to blackmail possibilities presumably would account for many questionable cases, but a great many of them would self-select out. The attempted moles would not, and therefore would be greatly overrepresented.
[OK, it was Communists then, Terrorists now, but plus ça change ...]
Yes, but since then, the Communists were declared to have been beaten, so we need a new bogeyman. The good news for the "intelligence" and military businesses is that the "War on Terror" has no well defined enemy and no way of measuring victory - Now the war can last indefinitely.
"The purpose of the unwinnable, perpetual war is to consume human labour and commodities, hence the economy of a super-state cannot support economic equality (a high standard of life) for every citizen".
Ref: the fictional book "The Theory and Practice of Oligarchical Collectivism, by Emmanuel Goldstein" in Eric Blair's "Nineteen Eighty-Four".
Link for Eric Blair - George Orwell
"Eric Arthur Blair (25 June 1903 – 21 January 1950) known by his pen name George Orwell, was an English novelist, essayist, journalist and critic. His work is marked by lucid prose, awareness of social injustice, opposition to totalitarianism and commitment to democratic socialism".
I would think someone as world-wise as you would know better than to get in front of a two minute hate.
Did you also notice the weasel phrase "circumvented or cracked" which is quickly shortened to just plain "cracked" and on which the rest of the article focuses? Given national laws, I expect it would be quite simple to circumvent banking encryption by just issuing a National Security Letter.
...yes, really, it's just your reading comprehension issue, no need for a heart attack:
“Over the last several years, a small subset of CIA’s total job applicants were flagged due to various problems or issues,” one official said in response to questions. “During this period, one in five of that small subset were found to have significant connections to hostile intelligence services and or terrorist groups.”
One-fifth OF THAT SMALL SUBSET of all applicants. Got it?
It said that 1 in 5 who raised a 'search eyebrow' had suspect connections, so let's look at that.
Say you check 10,000 staff, 9,800 show nothing to worry about (that may or may not be a good thing, have you missed something?).
It means 200 raise issues which require further investigation, of these 1 in 5 throw up serious doubts i.e. out of the original 10,000 you find 40.
Now those are made up figures not from official sources, the real ones may be higher or lower but simply show that care is needed when reading statistics.
"It said that 1 in 5 who raised a 'search eyebrow' had suspect connections so lets look at that ... [They] simply show that care is needed when reading statistics."
You are right - it is important to read exactly what is written, and what is missing. However, it is conceivable that the alphabet agencies intend that the figure will be read as "1 in 5 applications" so that the average punter will think "Gosh, look how many bad people there are threatening our safety! How can anyone question what they are doing?"
Statistical ignorance strikes again!
1 out of 5 job applicants with backgrounds warranting further investigation
That sounds abnormally, insanely, ridiculously high
What you've missed is the fact that we're not given a figure for the number of "applicants with backgrounds warranting further investigation". If only 1% of applicants warrant further checks then "1 in 5" becomes 0.2% of all applicants. The 1% figure is something I made up, it's probably much lower for a job like this as the initial checks are probably very thorough.
So, 1/5 of the CIA and NSA works with the invoicing of Al-Qaeda? Bit heavy on the back office, but someone has to watch the people who watch the people who sign the payslips.
... or ... is it that Data Integrity Monster rearing its olde head, with all the BOFHs having full, untraceable access and able to become any user they need to be for fixing issues which are also sekret?
BOFH-A narcs on some scheme run by BOFH-B, which then retaliates by buying a kilo of coke for BOFH-A using PHB's platinum AMEX card on The Silk Road and enrolling BOFH-A's PFY in a few dubious mosques. But to cover the tracks it is necessary to update the secret personnel files of several PFYs, including one's own (who then smell a rat .... etc.).
PS: BOFH-A gets the coke and is happy; the purchase is traced to PHB, but kilos of coke are the travel cash for covert operations so no warning is triggered.
For those with a good range of metallic headgear, this should come as no big surprise. After all, few bank robberies actually break the safe door, they either get the keys (by bribery or coercion) or they go in via the walls that are weaker.
It has long been known that the whole concept of SSL is fundamentally broken: compromise any one of the ~600 issuers and you can fake a certificate for man-in-the-middle attacks, and yet no one has seriously tried to fix this in spite of the occasional publicised attack.
Similarly a lot of VPNs use only PPTP as it is MS's favoured option, though known to be also fundamentally broken w.r.t. MITM attacks, etc.
And with MS being on such good terms with the US gov it is hard to avoid the conclusion that they would work with three-lettered agencies to either allow direct access, or not to close useful holes unless the "bad guys" start using them. Why are the likes of skydrive (and Google's offerings) not client-side encrypted by default? Maybe laziness, maybe to help? Who knows, so adjust your hats accordingly...
None of this means that encryption is not a good way of protecting your privacy, it is. But what it means is you cannot trust most of the current players that should be delivering it to be acting in the interest of you, the customer.
Re "man-in-the-middle attacks, and yet no one has seriously tried to fix this"
Really, why? I am not even a crypto expert and I know this whole system of trust is woefully broken in multiple ways. I might not be able to devise a fool-proof system, but I could surely devise one better than our current sorry system.
There is reason to believe that there may be NO solution to the problem of Alice and Bob establishing trust with each other without help from a third party (whose trust cannot be guaranteed). Wasn't there a recent article that noted they had a similar trust problem with quantum encryption (which in turn prevented it from being provably secure)? And it may not be possible (or wise) for Alice and Bob to meet face to face.
"It has long been known that the whole concept of SSL is fundamentally broken: compromise any one of the ~600 issuers and you can fake a certificate for man-in-the-middle attacks, and yet no one has seriously tried to fix this in spite of the occasional publicised attack."
Not the *whole* concept. You can use SSL in a far less broken way, where you install the server's certificate locally and refuse to connect if the certificate visible to you matches the one you have. This has two main flaws:
1. It is possible that the server has been compromised internally in some way that allows the real certificate to be used. For politically sensitive data, this is the critical flaw, assuming that the owner of the client machine is some sort of whistleblower, spy, or anti-dictatorial activist.
2. The solution does not scale to the whole Internet - do you really have time to visit all those companies you do business with? Can you imagine the conversations you'd have with their receptionists?
"Not the *whole* concept."
No, not the certificate system at a basic level, but the fact there are so many signing authorities that are installed and trusted by default by most web browsers and their users.
There is a need to, somehow, verify that certificates for a given domain are not duplicated or otherwise certified by another issuer and that any changes are flagged and investigated.
However, this last part (which, for example, is the bit where SSH can reveal an attempted MITM attack or, more often, a re-installed server) is fundamentally broken with all non-paranoid geeks who just see a warning pop up and click "yes, whatever" to see more cat videos.
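The two ideas in the exchange above, pinning a known server certificate instead of trusting the default issuer list and flagging any later change the way SSH does, as an added example that is not part of any comment here. The pin is the SHA-256 of the certificate's SubjectPublicKeyInfo; `pinnedConfig` installs it as the only acceptance criterion in a `tls.Config`, and `tofuStore` records the first pin seen per host and reports a mismatch afterwards. The certificates are minted in-process so it runs offline; the hostname `bank.example` is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate.
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// pinnedConfig accepts a server only if the leaf certificate's SPKI pin is in
// the allow list. Issuer-chain checking is switched off and replaced by the
// pin check, so the default CA bundle no longer decides who you talk to.
func pinnedConfig(pins map[string]bool) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("no peer certificate")
			}
			pin, err := spkiPin(rawCerts[0])
			if err != nil {
				return err
			}
			if !pins[pin] {
				return fmt.Errorf("certificate pin %s not trusted", pin)
			}
			return nil
		},
	}
}

// tofuStore is a known_hosts-style record: trust the first pin seen for a
// host, then complain loudly if it ever changes.
type tofuStore map[string]string

func (s tofuStore) check(host, pin string) (string, error) {
	known, ok := s[host]
	switch {
	case !ok:
		s[host] = pin
		return "first-seen", nil
	case known == pin:
		return "match", nil
	default:
		return "mismatch", fmt.Errorf("pin for %s changed from %s to %s", host, known, pin)
	}
}

// selfSignedDER mints a throwaway certificate so the example runs offline.
func selfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	good, err := selfSignedDER("bank.example")
	if err != nil {
		panic(err)
	}
	impostor, _ := selfSignedDER("bank.example") // same name, different key
	pin, _ := spkiPin(good)
	cfg := pinnedConfig(map[string]bool{pin: true})
	fmt.Println("pinned:", pin)
	fmt.Println("genuine cert:", cfg.VerifyPeerCertificate([][]byte{good}, nil))
	fmt.Println("impostor cert:", cfg.VerifyPeerCertificate([][]byte{impostor}, nil))
	store := tofuStore{}
	for _, der := range [][]byte{good, good, impostor} {
		p, _ := spkiPin(der)
		status, err := store.check("bank.example", p)
		fmt.Println("tofu:", status, err)
	}
}
```

Pinning the public key rather than the whole certificate survives routine renewals that keep the key, and the hard failure in `VerifyPeerCertificate` is what prevents the "yes, whatever" click-through the last comment describes.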
It has long been known that the whole concept of SSL is fundamentally broken:
SSL itself isn't broken at all ... SSL lets you say "Because Alice trusts Trent, and Trent tells her that such-and-such a certificate really does contain Bob's public key, Alice is able to use that key to communicate with Bob with confidence".
That's perfectly true, as far as it goes. SSL allows Alice and Bob to communicate with confidence in the security of their communications because they both trust Trent. The system falls down if Trent proves unworthy of that trust, or if Trent's key has been subverted by Mallory who doesn't have Alice's or Bob's interests at heart, or if Alice and Bob mistake Mallory for Trent and so inadvertently trust Mallory.
What we're starting to learn is that we should pay more attention to the question of whom we should trust, and whom we should trust to tell us who they trust.
But that's the big problem. That you basically NEED a third party to vouch Alice to Bob and vice versa. Not even Quantum Encryption can seem to escape from that dilemma. Thing is, in this environment, if Alice can't trust Bob, what reason could they have to trust Trent, whom to Alice is just another stranger? Especially if Alice is in a hostile environment where DTA is the rule of thumb.
Psssht. You're going to have to do better than that. Technology is not the answer you're looking for. I've hired two attorneys away from the White House who will be writing all my future communications.
I will use the governments own tools against it in the form of impossibly dense bureaucratic double speak and unintelligible jargon that references information that can't be accessed, verified or validated.
I will do this in plain sight, with 100% transparency and invite any and all analysts and pundits to pontificate on the true meaning(s) which lay hidden in plain sight but which are truly visible only to myself and those who are the intended recipients.
Ha! Beat that with your Blowfish :)
Which orifice did you blow that little nugget of brown wisdom (still doesn't answer my question) out of?
You are aware of waterboarding, sleep deprivation, fluid and food deprivation I assume?
Just because I am aware of these tactics doesn't mean I enjoy them being used against people.
Only one of us here with isolation complex issues...
ISTR (too lazy to check) that the Navajo Code Talkers used Navajo words to transmit still-encoded messages, so even when a Navajo speaker was captured, all he was able to say was something along the line of 'green cheese pickle egg' in response to the demand to decode a message. You would need access to the code books too to figure out that that actually meant 'attack at dawn'. Effectively, the encryption was multi-layered.
This is surely more or less a simple substitution code? English word for German soldier -> Navajo word for German soldier, plus a bit of Navajo grammar and glue. I think "decrypting" a novel language would not be that much of a challenge if it was used at all extensively since the actions that follow the message will quickly give clues to the language.
Encryption works partly because there is no correlation between the ciphertext of two messages, even if they say the same thing because different keys are used each time (there are protocols for securely agreeing new keys) and each ciphertext block is usually encrypted using the previous block as part of its input so even a repeat in the plaintext doesn't show up as a repeat in the ciphertext.
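The block-chaining point in the comment above, shown in code as an added example that is not part of the original post. A message made of three identical 16-byte blocks is encrypted with AES in ECB mode (each block on its own, which is what a codebook amounts to) and in CBC mode (each block XORed with the previous ciphertext block first). The repeated block is plainly visible in the ECB output and absent from the CBC output, and two CBC encryptions of the same message with different IVs share nothing. The key and message are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// encryptECB encrypts each 16-byte block on its own. The Go standard library
// offers no ECB mode, so it is spelled out here to show the flaw.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// encryptCBC XORs each plaintext block with the previous ciphertext block
// (the IV for the first) before encrypting it, so identical plaintext blocks
// stop producing identical ciphertext blocks.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() || len(plaintext)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("bad IV or plaintext length")
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// freshIV draws a random IV; reusing one with the same key would make the
// first blocks of two messages comparable again.
func freshIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier block,
// which is exactly the pattern a codebook (or ECB) leaks.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	dup := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	return dup
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key for the demo
	// Three identical 16-byte blocks: the same order sent three times.
	plaintext := bytes.Repeat([]byte("ATTACK AT DAWN!!"), 3)

	ecb, _ := encryptECB(key, plaintext)
	cbc1, _ := encryptCBC(key, freshIV(), plaintext)
	cbc2, _ := encryptCBC(key, freshIV(), plaintext)

	fmt.Println("ECB:", hex.EncodeToString(ecb), "repeated blocks:", repeatedBlocks(ecb))
	fmt.Println("CBC:", hex.EncodeToString(cbc1), "repeated blocks:", repeatedBlocks(cbc1))
	fmt.Println("same message, new IV, identical ciphertext?", bytes.Equal(cbc1, cbc2))
}
```

CBC hides repetition but provides no integrity; in practice an authenticated mode such as AES-GCM is the one to deploy, and the IV must still never repeat under a key.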
This recent exposure has put the truly serious punters on notice, that's if they weren't so already. They won't use electronic communications except to pass very short encrypted cues (action/go messages) whose meanings have already been previously conveyed in person or by other non-electronic means.
For instance, 'How's yuh mother's roses' could mean 'go eliminate xyz at such and such at the prearranged time' etc. and this translation never goes via any electronic network or even telephone. Essentially, this is how the British SOE sent messages into the field during WWII, 'innocuous' cue messages were sent out on the BBC into France etc. Today, even the detection of such cryptic messages (i.e. just finding their existence) could be seriously slowed down by obfuscating schemes such as Tor, especially so if only part of the message went by Tor (and even then using steganography) etc. If or when the message is eventually uncovered it'll be too late to do anything about it. Essentially, the true (and really dangerous) professionals are unlikely to be caught--not by message interception anyway.
However it does seem to me that this vast spying and decrypting effort by the NSA, GCHQ, Oz's Defence Sig. Directorate etc. will have a significant effect on the second-rank players. These include cloud users with encrypted info, encrypted VPNs etc. Such users include corporations both within and outside the US, various governments and their agencies sending all but the most secret info.
Clearly, by now, all these second-rank players will also be aware that their data is very likely compromised. There'll be suspicion that trade treaties have been compromised by the US, UK etc. as commercial-in-confidence info from other countries will be used to the advantage of the US etc., etc.
Basically, the US Government gave us an unfettered internet 20 or so years ago and it's realized its mistake. And over the last decade it has surreptitiously brought it back under its control. It's only now we are beginning to realise this and to the extent to which it has been successful.
I think there's little doubt that this spying has significantly compromised the net, and users will never see it as the place it once was. I think we should have realised this way back in 2001 and when the Patriot Act (and the equiv. laws in the UK, Aust. etc.) were passed. Trouble is the spied-upon will retaliate in kind and this won't be nice.
As I've said many times, effectively the terrorists have won. They've screwed up our lives and that's what they intended.
You're very probably correct. Moreover, I'll bet there's many an inventive scheme that we've never contemplated.
It begs questions as to whether or not the NSA et al realized that the professional nasties would eventually skip electronic town to avoid detection when they initially invested the billions in this spying venture. If so, then this vast investment will have been aimed primarily (and knowingly) at the second-tier players. If correct, then the ramifications of this, I'd reckon, are quite horrendous.
If they thought this enormous spying infrastructure (in the absence, say, of Snowden) would never have been exposed and thus the world would never have been spooked [duh, sorry], then such reasoning seems completely fanciful. One only has to look to history for this: when Roosevelt and Churchill met Stalin at Yalta in February 1945, Stalin was already well aware of the primary purpose of the Manhattan Project through his own spies. The fact is, something this big cannot be hidden for very long—anyway, at least the basics of the project and its main purpose cannot.
Again, this leads us back to the original motives for and the rationale behind this enormous investment in spying, the NSA et al must have known that it wouldn't be long before they'd be outed, and that China and Russia etc. would know exactly down to a tee what they were doing. This obviously leads to the next question: given that you can't hide a project of this size from the security agencies of other governments (China etc.), then did the NSA inform them of the fact on the basis that this enormous increase in effort was specifically for and only to catch terrorists [as a worldwide network already existed for such purposes—simply, was China et al informed by the US of its massive expansion in spying?].
Seems to me the world now ought to be told answers to these questions. The very covenant that binds the citizenry to the state, that which holds democracy together, depends on such answers. Reckon we're in for a pretty bleak time if citizens lose significantly more trust in their governments (as it seems is happening).
The thing is, how can you communicate very precise information in plain English without having first met the other party (which can itself be a tipoff)? And what if the plan changes and you have to send new coordinates or whatever and are unable to meet your second party again?
Plain English codewords like "birthday party" are only good for very limited scenarios. Once you get to a broader vocabulary, you're going to need something rather more sophisticated.
Basically, the US Government gave us an unfettered internet 20 or so years ago and it's realized its mistake. And over the last decade it has surreptitiously brought it back under its control. It's only now we are beginning to realise this and to the extent to which it has been successful. ..... RobHib Friday 6th September 2013 09:07 GMT
Successfully surreptitiously brought back under its control, RobHib? Methinks currently be that a dream scenario in which the realities of today and tomorrow play no part ....... although with a little extra especial work done, would one not be able to rule out it being so configured for/in the future.
Adjectives can be terrible things, they've no extent or measure unless carefully defined.
Similarly, Control also needs to be defined, and I plead guilty your honour (but 'tis not a PhD thesis either).
Governments want to do what governments normally do, and that's control and regulate the world around them, and for its first decade the internet had no government control whatsoever. Abiding control envy and the internet being out of regulatory reach was more than they could stand, and it demanded crisis action to rectify.
...And they threw billions and billions at it, and the tide eventually turned. And now governments feel much better; and very soon they're hoping to feel even better still, because they've billions and billions to feel much better!
Now, there's some control, and soon there'll be more, probably much more. Hackers, pedophiles, terrorists and other criminals are now being caught and money laundering detected. Because that's what governments do! Right, the internet's being "brought back under its control", we're seeing it happen now, and NSA and GCHQ leaks confirm that fact.
Governments want regulatory control and the internet under law, because they want it so. And they're powerful enough to say they can have it so; because in the past they've always regulated everything else, and there's no exception—because that's what governments do. It'd be anathema if governments didn't want it so, with a luscious target the size and scope of the internet, it'd be outrageously stupid to think otherwise. Thousands of years tell us that.
Do governments want the internet back and under controlling ownership as in the days of ARPANET? Definitely not. But they certainly demand to be its headmaster. Now, Snowden's revelations prove they've gotten the job.
Sorry, I apologise; I thought all that would have been blindingly obvious.
> Essentially, this is how the British SOE sent messages into the field during WWII
You'd do it in spam messages now.
Broadcast your spam to the world, with the actual message hidden steganographically in pictures of an Asian-looking bloke in a white coat offering you blue pills.
You could send the spam to the work email address of the agent supposed to be following you - if it looks spammy enough, it'll be discarded...
Simple. If man can do it, man can UNdo it. Just use one lawyer skilled in doublespeak to untangle your lawyer's doublespeak.
As for the one time pad, if I had the capability and knew what was your pad (not the contents, just the existence), I'd find a way to swap it out for MY one-time pad, then MITM you.
Disinformation is their secret weapon. We *know* a one time pad is secure. In essence, this is the target condition of encryption. The tiny keys we are encouraged to use, transparent means of encryption, simplistic structures, defined end-to-end transmission, etc, etc, etc is, in my opinion largely a snow-job to discourage people from using strong encryption and building webs of trust.
The people that sign SSL keys on the Internet are among the least trustworthy players on the Internet.
We need to attack this problem both with technology and politically. The fact that powerful adversaries are being funded by our tax dollars and given greater than equal standing when we set standards is disturbing.
One of the main weaknesses of modern crypto is in generating things like keys and nonces. I would be surprised if the NSA does not have the ability to brute-force most conventional encryption due to weaknesses in the systems that generate keys.
Modern crypto as currently deployed is not, in my opinion, sufficient.
Even open-sourced ones where the code can be analyzed?
Also, there's also reason to believe not all algorithms are vulnerable. There's a high-profile case of the FBI trying to obtain evidence off a drug dealer's hard drive, but it was TrueCrypted, and despite a year of brute-forcing, they couldn't get at the data.
As for web of trust systems, it seems all of them are necessarily complicated and difficult to implement. Freenet has a WoT system using CAPTCHAs, and it's clunky as anything.
I'm surprised no-one has released a OTP VPN. It should be quite practical for the common business usage.
1. HQ fills a portable 2.5" drive with, say, 250GB of randomness. Keeps another copy on their VPN server.
2. Remote worker goes off on their business trip, keeping the drive on their person.
3. VPN using the drive as a OTP. Easiest way would be to have one side of the conversation start XORing at the beginning of the drive and one and the end. Erase the OTP from the drive as it's used up, in case of later confiscation.
4. When worker gets back from the business trip, refill the OTP drive before the next one.
Obviously you could only send as much data as the drive can hold for the OTP, but 250GB is still quite enough to last a business trip - and if you need more, you can always just take a couple of 1TB drives.
If the remote worker's laptop has the capacity and the need for VPN transfer low enough, you could do away with the drive and just store the OTP on the internal drive.
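The four-step OTP link described above, written out as an added example that is not part of the original post (pad size, file names and sample messages are constructed, and the 250 GB drive is stood in for by a small file). Both sides hold a copy of the pad, HQ consumes it from the start and the worker from the end, consumed bytes are wiped from disk as the post suggests, and each frame carries its pad offset so a replayed or out-of-order frame is rejected; the pad-swap worry raised earlier in the thread is reflected in the comment that plain XOR gives secrecy but no authentication.

```python
import os
import secrets
import shutil
import tempfile

PAD_SIZE = 4096  # stands in for the 250 GB drive in the post (constructed, tiny)
MSG_HQ = b"quarterly numbers attached"        # constructed sample traffic
MSG_WORKER = b"received, on the flight home"  # constructed sample traffic

class PadExhausted(Exception): """Cursors met in the middle: no unused pad left (refill)."""

class PadDesync(Exception): """Frame offset != receiver cursor (replay, loss or reorder)."""

def make_pad(path, size=PAD_SIZE):
    """Step 1: fill the drive from the OS CSPRNG; a weak generator would make the pad guessable."""
    with open(path, "wb") as f:
        f.write(secrets.token_bytes(size))

class OtpEndpoint:
    """One side of the link with its own copy of the pad. HQ takes key bytes from the
    start of the pad, the worker from the end, so the two directions never reuse a byte
    (step 3). Consumed bytes are overwritten on disk at once (the post's erasure)."""

    def __init__(self, pad_path, is_hq):
        self.pad_path = pad_path
        self.is_hq = is_hq
        self.head = 0                              # next unused byte from the start
        self.tail = os.path.getsize(pad_path)      # one past last unused byte from the end

    def remaining(self):
        return self.tail - self.head

    def _read_and_wipe(self, offset, n):
        # Caveat: an in-place overwrite may not reach the physical cells of flash media.
        with open(self.pad_path, "r+b") as f:
            f.seek(offset)
            key = f.read(n)
            f.seek(offset)
            f.write(b"\x00" * n)
        return key

    def _take_head(self, n):
        if self.head + n > self.tail:
            raise PadExhausted(f"need {n} bytes, {self.remaining()} left")
        offset, self.head = self.head, self.head + n
        return offset, self._read_and_wipe(offset, n)

    def _take_tail(self, n):
        if self.tail - n < self.head:
            raise PadExhausted(f"need {n} bytes, {self.remaining()} left")
        self.tail -= n
        return self.tail, self._read_and_wipe(self.tail, n)

    def seal(self, plaintext):
        """Encrypt for the peer; returns a frame (pad offset, ciphertext). Plain XOR gives
        secrecy only: flipping a ciphertext bit flips the plaintext bit, so a real link
        still needs an authenticator on top."""
        n = len(plaintext)
        offset, key = self._take_head(n) if self.is_hq else self._take_tail(n)
        return offset, bytes(p ^ k for p, k in zip(plaintext, key))

    def unseal(self, frame):
        """Decrypt a peer frame (it used the opposite end of the pad). The frame's offset
        must equal our own cursor, which rejects replayed or out-of-order frames."""
        offset, ciphertext = frame
        n = len(ciphertext)
        expected = self.tail - n if self.is_hq else self.head
        if offset != expected:
            raise PadDesync(f"expected pad offset {expected}, frame claims {offset}")
        _, key = self._take_tail(n) if self.is_hq else self._take_head(n)
        return bytes(c ^ k for c, k in zip(ciphertext, key))

def _raises(exc, fn):
    try:
        fn()
    except exc:
        return True
    return False

def run_session():
    """Walk the four steps with constructed pads and messages; returns what happened."""
    tmp = tempfile.mkdtemp()
    hq_pad, worker_pad = os.path.join(tmp, "hq.pad"), os.path.join(tmp, "worker.pad")
    make_pad(hq_pad)                                # step 1: HQ generates the pad
    shutil.copyfile(hq_pad, worker_pad)             # step 2: worker's copy goes on the drive
    hq, worker = OtpEndpoint(hq_pad, True), OtpEndpoint(worker_pad, False)
    r = {}
    f1 = hq.seal(MSG_HQ)                            # HQ -> worker, bytes from the start
    r["worker_got"] = worker.unseal(f1)
    f2 = worker.seal(MSG_WORKER)                    # worker -> HQ, bytes from the end
    r["hq_got"] = hq.unseal(f2)
    r["in_sync"] = hq.remaining() == worker.remaining()
    r["remaining"] = hq.remaining()
    r["replay_rejected"] = _raises(PadDesync, lambda: worker.unseal(f1))
    with open(hq_pad, "rb") as f:                   # consumed bytes are gone from disk
        r["head_wiped"] = f.read(len(MSG_HQ)) == b"\x00" * len(MSG_HQ)
    too_big = b"x" * (hq.remaining() + 1)           # step 4: an exhausted pad needs a refill
    r["exhaustion_detected"] = _raises(PadExhausted, lambda: hq.seal(too_big))
    shutil.rmtree(tmp)
    return r
```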
While MITM attacks are slightly worrying, to me they are less so when done by GCHQ, but very worrying when done by the NSA (I would expect the gov to protect me against external monitoring, even if they have the ability to 'wire tap' my connection if they need to)
My biggest concern is when they do this without a warrant. I am a firm believer that NO wire taps, traces, decryption or even a request for encryption keys should be done without a warrant issued by a judge with good reason, as it's due to a serious suspected crime (i.e. murder, drugs, people trafficking, firearms, terrorism)...
Someone needs to implement a way to detect MITM attacks automatically and integrate it into a browser...
I am sure there MUST be a way to do it, even if that would require again trusting some third party to confirm its all OK...
"My biggest concern is when they do this without a warrant. I am a firm believer that NO wire taps, traces, decryption or even a request for encryption keys should be done without a warrant issued by a judge with good reason, as it's due to a serious suspected crime (i.e. murder, drugs, people trafficking, firearms, terrorism)..."
Even if the mere issuance of the warrant gives the game away (due to moles and the like) and makes the terrorist(s) go to ground?
To be honest here, what we're currently using encryption for is vermin control, and it really doesn't take all that much encryption to keep modern crooks out of, say, a banking system. Most of the time we don't need to keep the NSA out, because the average person bumbles along not doing very much of interest to a major spying agency at all. About the most that the average punter gets up to is a spot of marital infidelity or low-level larceny; annoying on a personal level but profoundly uninteresting to the NSA.
The mistake here is to imagine that shoddily-executed, vermin control encryption is going to keep the big boys' noses out of your data. It isn't; only the sheer banality and uninterestingness keeps them off your back. The only time to start worrying significantly is if or when the NSA starts routinely leaking the data it has sniffed out to other agencies or even commercial companies; as soon as it does this, it joins the ranks of internet vermin.
Once on the vermin list, I doubt the NSA would ever get off it, and once the world realises that shonky encryption won't do the job, geeks everywhere will start trying to up their game and lock the NSA out. The actual terrorists already do this; face to face meetings and lone-wolf attacks are almost impossible to spot online.
Good GuysTM do not creep on you in the middle of the night and rifle through your wife and daughters emails, calls, texts and pictures. In fact that's pretty much the opposite of Good GuyTM behavior.
However noble and just a cause may be, when those who support and follow that cause resort to the tactics, behaviors and attitudes of the Bad GuysTM they have in fact become what they set out to destroy.
This repulsive idea of "Win At All Costs" has become accepted among so many and it is sad. Your fears are being exploited and encouraging you to twist the meaning of Good within your own mind. Twist it so badly out of shape that you can no longer discern the meanings of Good and Bad yourself. You wait for someone from on high to tell you what it means... You have given up moral discrimination, the single most unique aspect of the Human species.
You're right. It's about you, your wife and your children and those of your neighbor. The fact that you consistently fail to miss that point is stunning to me.
Here's the NSA's own admission that spying on the current and ex love interests of agents does take place. This is only those who get caught. Snowden managed to waltz right out of there with tons of information and months later they still don't know what he took. It's fair to say their internal security isn't great and presumably only the stupid or careless get caught.
When did it become GCHQ's job to spy on *law abiding* citizens' unencrypted, let alone encrypted, private/confidential communications?
Or rather, 'adversaries', to use the new colloquialism?
These revelations, or rather the fact of the corrupt co-operation between IT industry leaders and these fascists, will do huge damage to public trust in IT people & products.
When Hermann Goering formed the Gestapo in the early 1930s, he stated that "he who is of good-will has nothing to fear from the secret State police". He did not deny that mail was being opened, telephones tapped and "disaffected persons" being shadowed. .....sunnyskies Posted Friday 6th September 2013 06:03 GMT
Quite so. However, the corollary of that may not be so true, sunnyskies ...... "Secret State police have nothing to fear from they of good-will"
Indeed, it may very well be that they have everything to fear from that which they ignore and/or dismiss and become so terrified and terrorised by events they monitor and mentor to become paralysed and useless in every form of their being.
I suspect the answer to your question is "When it became easier to treat us *all* like criminals than think about targeting specific individuals."
My worry is the old Franklin quote - I suspect that although hoovering up every damned thing has been sold to The Powers That Be as cheaper than performing competent analysis (not that I'm qualified for such, but that's not the point) it's actually not as effective as believed, leaving us all worse off for very little benefit.
Which to be fair would be about par for a government program conducted in utmost secrecy.
I seriously doubt they are bothering to MITM attack everyone, and the 'black boxes' that idiot MP wanted are not implemented (YET) so no need to get TOO paranoid yet.. and while I get WHY they want to just grab it all into a DB, it does not mean we should be doing it.. We in this country started modern democracy and freedom, we should honour it by not eroding freedom!
As famously was said by Ben Franklin..
Those who give up their liberty for more security neither deserve liberty nor security
Don't forget that even if you use Linux or other allegedly trustworthy software, if you're running it under a hypervisor and your hypervisor is part of the NSA Fan Club, whatever is in memory on your Linux box is, in principle, visible to the NSA.
Also, anybody know what's *really* inside vPRO/AMT etc?
You're right to be aware of OSes by corporations which have received money from the alphabet agencies, but Linux isn't the panacea...
Who checked in the code for these long-running bugs, I wonder.
Gosh: open source has bugs ?!
The point many people (such as Bruce Schneier) are making is that NSA are probably relying on things like back doors and poor security practices to ensure they can breach people's privacy. Open source is much less likely to be vulnerable to these as we know what goes into open source.
You do realize that by making it a Linux instead of say a BSD the code must be open-sourced (GPL license requires it) and able to be analyzed. And the links of the chain needed to produce the kernel from source (like the compiler) could be obtained from places outside US control. SELinux was something they put in for their OWN benefit, to cover their OWN butts, because as the article notes, anything used here could be turned against them. Thing is, SELinux is a rather complicated way of doing things (no root user), so it's not for everyone.
The whole point about SElinux (or apparmor, for that matter) is to deal with the problem of internal trust between processes that run with root privileges, or (like web browser or PDF reader) are likely attack routes. That is a big problem in ANY computer system. It is open sourced, so you or anyone else can check it!
Like the fools who say AES is back-doored because the US use it, it completely misses the point. They want good security for themselves and US gov, as much as they want to break others, as they know Russia, China, etc will be doing the same in return.
I believe Linux is generally pretty safe against spyware. That would be a good platform for an endpoint OS, getting rid of keyloggers and the like. As for clean hardware... suppose that Intel's on-chip IPMI/AMT is compromised. Suppose that the AMT-related autonomous backdoor exists even in Intel CPU and chipset variants that do not openly support AMT (for the sake of sales segmentation). There are other brands of CPUs, without inherent support for IPMI/AMT. And, based on what I've seen so far, I don't think such a backdoor would be very useful and reliable, given how buggy IPMI/AMT is...
"Knowledge that GCHQ exploits these products and the scale of our capability would raise public awareness generating unwelcome publicity for us and our political masters."
Oh well, time to short cloud providers, then.
I haven't read the NYT article, but CNBC has a really good piece on this that lists Snowden-leaked NSA/GCHQ documents revealing:
1. How they use their position to water down/penetrate encryption standards as they are made
2. How they occasionally work with hardware manufacturers to ship back door-laden gear being sold to "targets of interest" (You've got a Dell! It's the same one that Kim Jong-Un ordered!!)
3. How the GCHQ is working towards penetrating 300 VPN streams
4. How the NSA's program to help IT product/service providers validate the security of their offerings is also used to engineer NSA-friendly vulnerabilities into those offerings
5. How the NSA got slapped down in their effort to openly insert a trap door into IT gear with their 90s "Clipper chip" program, and has since been working on a multi-pronged approach to do the same thing surreptitiously.
It's a good read:
The financial impact argument is already building steam over here in DC. Even some of the usual government is always good toadies I deal with have talked about "privacy specific" briefings and sales seminars where they're being instructed on how to address clients concerns about US government access to data in their products.
Of course they all blame Snowden for making their sales jobs harder. Not the government for doing it in the first place. Jackasses.
What baffles me is that this work is not done by politicians or generals or bureaucrats, it's done by IT people.
Now, sure, much of the problem is with the government co-opting mainstream tech companies to force them to use their talent pool to work for the NSA (effectively) but surely much of the unpalatable spying is being effected by IT people hired by and working directly for the NSA - with knowledge of what they are doing.
How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else? Is it that they go in with an attitude that they will make sure they stay ethical and then just slide? Or are there really enough people who actually believe this is a good thing?
"What baffles me is that this work is not done by politicians or generals or bureaucrats, it's done by IT people."
Why? 5 minutes looking at the OS/mobile phone/processor/anything arguments on The Reg's forums shows that IT people have strong opinions at both ends of an argument. It's no doubt the same for ethical/legal concerns, too.
Plus, presumably people in the spook world get to play with some cool tech. Geek goggles might make the job more attractive. And in the current climate, having a job at all ...
"How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else? Is it that they go in with an attitude that they will make sure they stay ethical and then just slide? Or are there really enough people who actually believe this is a good thing?"
You don't think a threat of a company getting tagged for ESPIONAGE wouldn't hurt them? If you make an algorithm you can't crack, we have to assume you're helping THE ENEMY (their thought, not mine).
Some of them might be genuine paranoid patriots, believing that the NSA's spying ability is essential to preserve the safety of their country.
Others might be in it for the money. Well-paid work is hard to find. Do you want to respect freedoms for all people, or do you want to pay the rent? Choose.
How does it happen that the best and brightest are willingly working to destroy the privacy and freedoms of everyone else?
I would suggest that they are maybe the best and brightest of those who are willing to destroy the privacy and freedoms of everyone else in order to play with cool technology.
The best and brightest engineers may actually be engaged in other, more socially useful, activities.
Imagine how many of those m4m sites and phone apps must have a$$load$ of automated agents and the occasional "sampling" human in them. They could be in there just wasting the time of those dripping like a dog looking for someone who'll never respond.
Your sex chats/quest are being interrupted to prevent acts you WOULD have committed....
Of course, if that is real, then the NSA and GCHQ will be literal cock-blockers impeding flow of goods and services, hahahah
So now we know why the US is so afraid of possible back-doors in Chinese hardware. They probably succeeded in getting their own back-doors installed and realized that when they can do it, others can do the same.
Maybe 'trust' will become an important factor in the future of electronic manufacturing. How to ensure that the infiltrated NSA, GCHQ, or Chinese agent can't subvert the hardware or software of the whole company? How to reassure the customers about it?
Companies like Kaspersky might be able to offer code audits (are they independent enough?), small companies could start building simple but secure devices for communication, things will get much more complicated than they are today. Welcome to the future of the internet -- thanks, NSA, for robbing us of our delusions about the internet we have.
Good point - we worry about the NSA snooping on journalists with this tech (especially after the UK Home Secretary said it was OK to use terrorist legislation to get data off David Miranda) but of course there are powerful governments with a poor track record on human rights who could already be exploiting these back doors and no doubt in time some of the many contractors will roll off these programs into private security consultancies who work from some rather dubious regimes around the world.
The next time there are reports of journalists or dissidents being tortured or murdered in Russia, China or some repressive Middle East state perhaps the people arguing that this program to systematically undermine the security of the internet is just for bad guys will stop and wonder how those journalists and dissidents came to be compromised.
"we cant really be anonymous even with comments here right?"
That's always been my presumption.
"Anon, for obvious reasons" - always makes me snort.
Oh, I was going to say it should be "raises the question", but on second thought realised you're right :)
"'Anon, for obvious reasons' - always makes me snort."
Ditto, but the anon icon merely makes it difficult to know who posted something on here, it does not hide your ID from site admins/NSA etc etc. It is a smoke cloak and nothing more.
More irksome is its use when someone says something a bit risqué or inflammatory then hides behind anon.
Posting as AC is only marginally effective anyway. It only takes a few minutes to determine who it is (whose handle anyway) with a high level of confidence.
I've also always wondered why AC's always use the Fawkes mask instead of any icon they want. I've sent a few emails to El Reg about both things but never heard anything back.
by all parts of government won't stop because no penalties are ever imposed. At best when caught the legislature passes the equivalent of a Cease and Desist, and if we are extremely lucky the involved government agency would even follow it for a while. If it even gets to the point where the head resigns to "take responsibility" ... that's half a miracle (it happens more in Japan, seemingly less in the West).
What should be passed are new acts that say any governmental agency that gets caught breaking or abusing the rules are subject to decimation (as in 1/10th of the employees get fired, even split between top and bottom post), plus at least a 20% reduction in budget for the next 5 years. With real penalties should come improvements.
"What should be passed are new acts that say any governmental agency that gets caught breaking or abusing the rules are subject to decimation (as in 1/10th of the employees get fired, even split between top and bottom post), plus at least a 20% reduction in budget for the next 5 years. With real penalties should come improvements."
Ever heard of "Screw the rules, I MAKE them"? That's the problem here. Like it or not, when it's the lawMAKERS (in concert) working against you, you lose.
Part of the philosophy underlying democracy says that lawmakers should not be punished for their actions if it can be shown they believed their actions to be in the best interests of the people. The idea being that if your enemy were elected tomorrow he couldn't prosecute you for your actions while in office, therefore you have nothing to fear from future administrations. It falls back at that point to being the fault of the people who elected that person if that person does something horrible.
Democracy has many good points but accountability for elected leaders is not one of them. Not only is it not included, it is actively guarded against ever being included. It kind of sucks.
Democracy also pretty much requires an informed electorate. But when one informed vote is overruled by ten mindless sheep, you have a big problem.
Hate to say it, but universal suffrage was a mistake. Not that denying women was a good thing, either, but it should only be given to those who know what the blank is going on.
Prepare for massive down Votes....
The last time 'round I pointed it out. I got like Two Up Votes.... Then it kinda went south from there....
Like I said then....
1) "The Code is vetted!"... ~By who? Who watches the Watchmen?~
2) "Do these People know what every "bit" does?" I mean are those People able to find such cleverly hidden Code?
1) "The Code is vetted!"... ~By who? Who watches the Watchmen?~
By people OUTSIDE the US, who can't be influenced by the US.
2) "Do these People know what every "bit" does?" I mean are those People able to find such cleverly hidden Code?
You'd be surprised at the thoroughness of some bug hunters, especially if money or prestige are involved.
When they start co-ordinating program names like "Edgehill" and "Bull Run" for illegal snooping, you have to wonder if you're living in a worse than average Robert Ludlum novel or a 'hard hitting' ITV thriller for which they've pushed the boat out and hired Sean Bean.
Given the undemocratic, illegal and unwarranted power this gives to a few unelected, unaccountable individuals, I doubt they'd even need black helicopters to cause chaos. Whatever Kleptocracy-by-coup they have in mind, I don't fancy it.
... as "Bull Run" was the first battle of the American Civil War. Either 'they' know who their real enemy is, or someone with a perverse sense of humour is pulling the tail of the propeller/tinfoil hatted and anyone else with the most tenuous grasp of history.
It must all look very omniscient and testosteronally powerful now to the NSA + friends, but then I'm sure the Stasi felt that same sense of invulnerability before their files were opened. History has a habit of biting back in the long run.
What I like about all this NSA & GCHQ fiasco is that PRISM has been used to destroy British jobs in favor of US jobs ... I know from reliable sources, top execs, that a big aircraft manufacturer has lost some deals due to PRISM intelligence ... the aircraft manufacturer employs Brits in the UK. It also makes the Brits look like traitors to other EU countries - not that most Brits really care.
Sorry for the sad news, Tommies...
What do you expect? Only a naive British politician would think that the special relationship was bidirectional. And Boeing is part of the MIC that Eisenhower warned about.
Interesting how Ed Miliband can suddenly become popular by saying "no" to the Americans (who are now trying to humiliate us abroad). Given Farage jumping on the bandwagon (and then claiming to have started it) I do wonder whether anti-Americanism is going to spread from the Middle East to Britain, and feature in the next election.
I never regarded, say, SSL as secure. Nothing that is based on trusting a third party - or a chain thereof - can be secure. Those third parties can be compromised. It sounds like *open source* PGP/GPG implementations are still secure (modulo heretofore unknown bugs), but only if you encrypt/decrypt on a completely air-gapped computer, sneakernet the encrypted stuff to/from a connected machine, and send/receive from there.
Even in that case the "adversaries" will still have the metadata. Given how few of your normal correspondents would be willing (or capable) to go through the hassle and never, ever break the routine, you - both of you - are likely to be flagged as "persons of interest" simply for adhering to the procedure.
Exchanging keys securely will remain a problem.
Travel will be very complicated, too - a new pair of computers each time you are stopped at Heathrow?
Is there a way out at all besides dropping off the grid?
I repeat the assertion I think I made in these forums once or twice before: laws must be enacted - in those countries where there remains some semblance of an influence by citizens on lawmakers - to make wholesale surveillance without a specific target supported by a judicial warrant completely illegal and severely punishable. We should not be worried about the negative impact on terrorism prevention - terrorism is not a serious threat to begin with, and is incomparable with the threat to privacy that we are all facing.
If anyone invents a way to read my mind from a distance that should be made illegal, too. I insist.
We think along similar lines - the problem is that what's doing it is an agency. Even if you do somehow catch them, they would blur the lines of responsibility enough that you won't be able to identify one or a few people to indict, or if that starts to fail, in the best, best case they'll throw up some midrank guy senior enough to be vaguely plausible but not powerful enough to resist or be the Real Culprit (he's following orders himself).
What do you think of my idea of making agencies truly accountable (as in actually making them bleed) for violations?
An agency cannot be sent to prison, obviously. I think we, as a society, should strive to create a moral and legal environment that will make wholesale surveillance unacceptable. I do think that most of the people at NSA and GCHQ are decent and moral, and I do think that they do a very important job for their countries. Quite a few of them could probably get high-paying jobs elsewhere but their somewhat old-fashioned but commendable values and loyalties tell them that their work is important and worthwhile.
At the moment, the PRISMs and the Bullruns and the Edgehills are deemed perfectly legal and within the ambit of the agencies' chartered activities, and it is a big step indeed for people who are fundamentally loyal to their countries and their colleagues to betray the loyalty and the oaths and to break the law and do what Snowden did.
Now, the real problem with the wholesale hoovering up the data and metadata is the possibilities of abuse. Those possibilities are numerous, inevitable, and exist at different levels, from personal to political. Imagine that both the accepted morals and the laws say that if you - a government employee - engage in mass (or targeted, but unauthorized) collection of data (just gathering, not "collection" as defined by Mr Clapper) you are a crook breaking the law, and the agency responsible for national security is not supposed to do it because the activity is actually detrimental to the general security of society. I would hope that it would not be easy to engage in such illegal activities inside spy agencies most of whose employees are not crooks but decent, moral people.
The above hope may be naive, but it seems to me to be the only hope. If the society and national security agencies are fundamentally indecent and immoral then off the grid we should go, don't you think?
I presumed that PayPal was leaned on by the spooks to hinder the Mailpile project but in an update they have released the money.
I will be looking for alternative payment methods regardless.
As for the NSA/GCHQ situation it all sounds good if you have an accountable government but not if a tyrant takes control. Then you will have the Gestapo with unlimited power to search for and locate you.
The problem is that we do not really have accountable governments, it just appears to be.
I suppose a lot of people do care (I do), but to be honest this isn't exactly an issue my friends are discussing on Facebook. I wonder how much ordinary people feel affected by this? I get the impression most people (despite the media coverage) either think it is a good thing (& trust the government to use it to catch the bad guys) or don't know or care enough. I think you will find every country in the world does this on some level & that it has gone on for a long time. They would want to keep it secret but now it is out in the open I don't think the whole world is going paranoid. Actually there seems to have been rather a muted reaction (though it may be to do with the fact most British newspapers are ignoring it, either because of government request or because they're not as hysterical about it as the Guardian seem).
I'm not sure what country you live in.
From my POV, GCHQ, my own country's spy agency, knows that almost every COTS encryption used by the British Government, its commercial industries, and by influential people from every walk of life (including MPs) is worthless when used against the NSA (and anyone else who has discovered those back doors via leaks or investigation).
In the meantime, the NSA watches on as the GCHQ develop the capability to hack large US providers.
And then what?
Teams of Americans in the US spying wholesale on everyone of interest in the UK. If they spot any illegal activities by a pleb they flag that up to GCHQ who then go get a warrant (if they still need those). If what they spot is commercially sensitive or potential blackmail material on someone of importance, then they pass that onto the Department of Commerce, or squirrel it away for later use. After all, you never know when you might need a bit more leverage on a British MP (or PM).
And of course, lets have the GCHQ perform a similar role for the NSA, except that the GCHQ capability is much more limited and apparently not yet completed. And I'm guessing some quiet words have been had with people in positions of actual power in the US about what not to use. I'm not sure we can say the same about British MPs etc.
Maybe the NSA revealed this on the proviso that GCHQ wouldn't tell anyone about it, but "promised" not to spy on any non-terrorists in the UK. And if the US gives you a dollar and a promise, well, at least you got a dollar.
In summary, these spy agencies are colluding with each other to spy indirectly on their own citizens, and don't give a shit about the implications of this for their own citizens security. And as the relationship appears to be a lot more weighted towards the US, it's the UK that is getting screwed over the most.
Next time we go to war with someone at the US's behest, ask yourself if that decision was influenced by some private bit of embarrassing data somewhere that would make sure someone would never be elected again if it came out.
And of course you don't have to take the step of blackmailing people in most cases. If you feel someone might not be suitable in a certain position, and would likely go public to reveal the blackmail rather than roll over, then just leak the info anyway, to the press or their party/company. Then watch them vanish, leaving the way open for someone more palatable.
No such thing as private circuits. I've been to the main BT comms center and they were working on bypassing and monitoring secure traffic years back, and were quite proud they could see a lot of encrypted content and would happily hand over any data requested via the legal channels, so this stuff isn't new at all.
as vendors of systems try to work out how to prove absolutely that their systems are compromised neither by design (collaboration/back door) nor theft (of the key, difficult at the best of times) nor cracking (insecure/defective standards etc). After all that's what they're trying to sell us so that we can assure our own bosses/customers that we as IT departments are being diligent.
I expect to see an awful lot of "we would comply with any lawful request/court order and cannot comment further" type statements to be boilerplated onto their responses, which in light of recent articles should be treated with the contempt they deserve.
Other interesting consequences of this might be that if the companies/products/technologies are named and (if appropriate) shamed, then as well as a possible drop in sales, there might be some legal actions for refunds from past customers or even possibly, if a key has been (as is alleged) stolen from a security product vendor by the NSA or at least obtained in a less than honest manner (I've no idea of the points to prove in the USA for their equivalent of theft) then maybe there will be a case by a vendor for damages against the NSA (even if only for "damage to reputation"), although given how retrospective legislation apparently allowed the warrantless wiretapping to be swept under the carpet, I'm not exactly holding my breath.