
Security quotes of the week

The NSA controls a set of servers codenamed "Quantum" that sit on the Internet backbone, and these servers are used to redirect targets away from their intended destinations to still other NSA-controlled servers that are responsible for the injection of malware. So, for example, if a targeted user visits "yahoo.com", the target's browser will display the ordinary Yahoo! landing page but will actually be communicating with a server controlled by the NSA. This malicious version of Yahoo!'s website will tell the victim's browser to make a request in the background to another server controlled by the NSA which is used to deploy malware.
— The EFF's Dan Auerbach looks at NSA malware deployment

It's also worth noting that the advocates for global surveillance do not themselves want to be surveilled, and that (for example) the NSA has tried to obscure as much of their operations as possible, by over-classifying documents, and making spurious claims of "national security". This is where the surveillance power dynamic is most baldly in play, and many parts of the US government intelligence and military apparatus have a long history of acting in bad faith to obscure its activities.

The people who have been operating these surveillance systems should be ashamed of their work, and those who have been overseeing the operation of these systems should be ashamed of themselves. We need to better understand the scope of the damage done to our global infrastructure so we can repair it if we have any hope of avoiding a complete surveillance state in the future. Getting the technical details of these compromises in the hands of the public is one step on the path toward a healthier society.

Daniel Kahn Gillmor

Is this a failure of crypto? Yes and no. While it’s true that Silk Road is now shut down and the alleged DPR [Dread Pirate Roberts] is in custody, it’s also true that Silk Road stayed up for a long time and processed hundreds of millions of dollars worth of transactions, and that DPR eluded identification for a long time. The lesson is that crypto can make it much harder for investigators to unravel an operation—but not impossible.
Ed Felten

However, the real problem with biometric security lies with its inability to replace a compromised authentication device. Once someone has a copy of your ten fingerprints, a drop of your blood from a stolen blood-sugar test, or a close-up video of your eye from a scoped video camera, there is no way to change this data. You can't ask helpdesk to send you new fingers, an eyeball, or DNA.
Stephen Gallagher


Replacement parts

Posted Oct 10, 2013 13:41 UTC (Thu) by mathstuf (subscriber, #69389) [Link]

Well, you could *ask* them, but I don't think I'd *want* to hear "please wait 4 to 6 weeks for delivery" back. Not to mention the bills and procedures to replace them…

Security quotes of the week

Posted Oct 10, 2013 14:46 UTC (Thu) by apoelstra (subscriber, #75205) [Link]

>The lesson is that crypto can make it much harder for investigators to unravel an operation—but not impossible.

The Silk Road operator actually made some truly horrible operational security mistakes (in the early days, he tried to hire a programmer using his real name as a contact email, for example). And despite all this, it still took the FBI nearly three years to make an arrest. Had the identity "DPR" not been so tied up with a real-world identity, things could have been much harder.

There are people today with thousands of bitcoins from back when they were worthless, but now they are worth hundreds of thousands of dollars. It would not be hard to find a VPN willing to rent to a faceless bitcoin account with this kind of money. If one of those people were to try this trick, paying for all servers with bitcoins which had never been exchanged for cash, not ever using a real name or unencrypted communications, maybe it -would- have been impossible.

A much more interesting idea is that of agents:
https://en.bitcoin.it/wiki/Agents

It is not exactly rocket science to manage a user-run merchant site. (There is some difficulty arbitrating disputes, but nobody expects that to be done well anyway when all parties are attempting to stay completely anonymous, and are supposed to be destroying evidence of their interaction.) So what happens when the next Silk Road pops up and its operator is not even human? When the site is run by somebody who never makes key management mistakes, who can relocate around the world or clone himself at zero cost, who has a huge pile of bitcoins but whose only non-discretionary expenses are computing cycles?

These are interesting questions, and the technology exists today for these to become real issues. So to Felten's original statement,

>Is this a failure of crypto? Yes and no.

I'd say no, it's absolutely not a failure. If it took the FBI this long to make an arrest, when they had the NSA at their disposal (we assume) and the target was making awful op-sec mistakes while barely touching the potential of the technologies he was using ... such "successes" in the next few years are numbered.


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.