by Mike Masnick
Fri, Dec 6th 2013 5:40pm
by Mike Masnick
Wed, Nov 27th 2013 3:38pm
from the and-now-what? dept
While the revealed documents did not directly point to a similar infiltration of Microsoft, there's reason to believe it was also compromised. Other Snowden documents mentioned in the linked article above note that Microsoft is listed as having data accessible under the same program, referred to as MUSCULAR. Perhaps more interesting is Microsoft making it clear that it believes any such infiltration would be a serious legal violation:
When asked about the NSA documents mentioning surveillance of Microsoft services, Smith issued a sharply worded statement: “These allegations are very disturbing. If they are true these actions amount to hacking and seizure of private data and in our view are a breach of the protection guaranteed by the Fourth Amendment to the Constitution.”Of course, just because something is a Constitutional violation doesn't necessarily mean that there's much of a legal remedy. Any lawsuit would immediately lead to claims of sovereign immunity and national security to try to kill off any such lawsuit. It's the same thing the feds have done every time they've been challenged on this stuff. The only real way to deal with this is to make sure that the companies actually protect user data in a manner that makes it nearly impossible for the government to break in as it has in the past.
by Mike Masnick
Mon, Nov 25th 2013 8:54am
Newegg Brings Out Whit Diffie, Ron Rivest & Ray Ozzie To Debunk Patent Troll's Claim; Troll Attacks Diffie's Credibility
from the cue-laughter-now dept
They also had Alan Eldredge, a guy who worked on the original Lotus Notes to talk about how they implemented everything in Jones' patent (using Ron Rivest's RC4) before Jones filed for it. The interesting tidbit there is that Eldredge wasn't your typical expert witness hired by one of the parties in the case:
Eldridge wasn't paid, as expert witnesses were—he came down to testify against the Jones patent out of a feeling of "civic responsibility," he said. He didn't know who the defendants in this case were until he was told. "I hadn't even heard of New Age until Saturday," said Eldridge at one point, as laughs were stifled in the courtroom.From the sound of it, Diffie oozed credibility on the stand, as he should, and Mullin believed the jury was eating it up (for more details on the specifics of the testimony, read Mullin's full article linked above):
Diffie's testimony went on some time, but he seemed to have the jury in the palm of his hand. A few jurors laughed at his jokes and smiled, and the more serious ones were certainly focused on his testimony. After about two hours, Albright passed the witness.Spangenberg's lawyer, Marc Fenster, apparently decided the way to respond to this incredibly credible witness (the dude invented public key cryptography!) was to... attack his credibility. First, he attacked his credentials. Diffie never completed a master's degree, nor has he held a full time academic position -- which, of course, doesn't even remotely matter for anything, but Fenster tried to use it to make him seem like a charlatan, leading up to a claim that Diffie didn't actually invent public key cryptography. But, of course, that's not actually true. This story is well known in cryptography circles and you can find variations of it online. The UK's equivalent of the NSA, GCHQ, more or less figured out much of the same thing, but kept the whole thing secret. Fenster referred to James Ellis of GCHQ, who had conceived a similar idea, but wasn't able to do the math. The math was done later at a time much closer to Diffie's efforts (the exact timing here is somewhat in dispute). However, as many people have pointed out, none of that much matters, because the folks at GCHQ did absolutely nothing with this, and from all accounts, they didn't even think it was anything important or special.
And, more importantly, none of that actually takes away from the stuff that matters here: all the important work happened long before Mike Jones got his patent, and Spangenberg's company TQP's claim that Jones' work enabled e-commerce still looks like complete bunk. Even if GCHQ had figured out public key cryptography before Diffie, it doesn't change the fact that his version is the one that made it well known, RSA's implementation made it work, and that's actually what made secure e-commerce possible, not anything from TQP's patent.
It appears that Newegg is so confident that it's going to win the case completely that it didn't even bother having its final witness take the stand. That witness was going to challenge the $5.1 million damages claim from Spangenberg. But that only comes into play if the jury finds for TQP. While it may be a bit risky, Newegg seems to be betting big that damages aren't even going to be in play here at all.
by Mike Masnick
Fri, Nov 22nd 2013 3:29pm
from the protecting-your-privacy dept
The Twitter blog post on this actually goes into a fairly detailed discussion about the technology choices they made, and the trade-offs involved. It's pretty clear this wasn't just written by a PR person. That said, security researcher Nicholas Weaver notes some potential issues with Twitter's transport encryption choices, noting that there are some indications that RC4 is no longer secure, even when used in TLS. Hopefully further changes can make it even more secure.
That said, the Twitter blog post makes a key point towards the end, about how greater and greater security, especially against the ability of an entity like the NSA, needs to be "the new normal."
At the end of the day, we are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for web service owners. A year and a half ago, Twitter was first served completely over HTTPS. Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.
If you are a webmaster, we encourage you to implement HTTPS for your site and make it the default. If you already offer HTTPS, ensure your implementation is hardened with HTTP Strict Transport Security, secure cookies, certificate pinning, and Forward Secrecy. The security gains have never been more important to implement.
by Mike Masnick
Fri, Nov 22nd 2013 12:34pm
Newegg Battles World's Most Litigious Patent Troll Over Bogus Claims Of 'Inventing' E-Commerce Encryption
from the good-luck,-newegg dept
Target had a website; Target got sued by TQP. It got out of the case by paying $40,000.All in all, Spangenberg has squeezed $45.37 million out of licenses for this one patent, which almost certainly does not actually cover the encryption used in online shopping, as Spangenberg claims. Oh yeah: Spangenberg's deal with the original inventor of the patent? The inventor gets 2.5% of the money, plus $350/hour for consulting. End result? He's made $588,000, while Spangenberg keeps the rest -- all on a patent he bought for about $750,000.
Some paid less than that—but most paid more.
Dodge & Cox, a mutual fund, paid a bit more than $25,000. Pentagon Credit Union paid $65,000. QVC paid $75,000. MLB Advanced Media paid $85,000. PetSmart paid $150,000. PMC paid $400,000. Cigna paid $425,000. Bank of America paid $450,000. First National paid $450,000. Visa paid $500,000. Amazon, Newegg's much larger competitor, paid $500,000. UPS paid $525,000.
IBM paid $750,000. Allianz Insurance paid $950,000. Microsoft paid $1,000,000.
And, yes, the patent (which has since expired) is highly questionable in the first place. While Spangenberg's lawyers (representing his shell company called TQP) tried to claim that the inventor, Michael Jones, was some sort of visionary genius who predicted the world of e-commerce, there's no actual evidence to support this. Newegg (thankfully) has famed cryptography expert Whitfield Diffie on hand to call bullshit on the claims that Jones (a) invented anything special or (b) that his invention is even remotely in use on e-commerce sites today. Diffie, of course, is one of the inventors of public key cryptography, which happened prior to Jones' invention, and is what is actually used online.
Jurors got a short dose of the conventional historical record when Newegg lawyer Kent Baldauf gave them a preview of Diffie's testimony. "It's Dr. Diffie's invention that allows credit cards to be encrypted today," explained Kent Baldauf. "He's the one that figured out how you could send information to some remote server that you've never had any contact with before without these keys somehow being pre-set and pre-arranged in a closed system."Of course, with a patent jury trial in East Texas, you never now how things are going to turn out. But, this case is at least interesting in helping to open the books on how patent trolling works -- getting tons of companies to pay up on questionable patents by offering "settlement" rates below what a lawsuit would cost, even if the patent is totally bogus. And, kudos, once again, to Newegg for fighting this. It could have easily settled like all those other companies, but is fighting this one out on principle -- and in the hope that it will stop the next patent troll from doing the shakedown game.
Baldauf also raised the basic themes of Newegg's defenses. The patent described symmetric cryptography—two hard-coded modems talking to each other. It wasn't that different in theory than the code books that have been exchanged since ancient times. It had nothing to do with public key cryptography that kept Internet data safe; Newegg therefore does not infringe, he argued.
To boot, to the extent Jones is an inventor at all, he isn't the first. The RC4 cipher was designed two years before Jones' patent filing and was combined with Lotus Notes by Ron Rivest of RSA Security.
by Mike Masnick
Tue, Nov 19th 2013 8:13pm
from the good-for-them dept
The results are a little disappointing. Only four companies -- Dropbox, Google, SpiderOak and Sonic.net -- got a perfect score on the five categories measured. Twitter is pretty close (and the only thing it's missing, STARTTLS, really would only matter if it were offering email, which it doesn't, other than to employees) while the rest still have a fair bit of work to do. The incumbent access providers -- AT&T, Verizon and Comcast -- don't appear to care nearly enough about security at all. That's why it's little surprise that the NSA's deals with at least AT&T and Verizon are a major source of information. Once again, I'm rather happy I'm a Sonic.net customer for my internet access these days.
by Mike Masnick
Tue, Nov 19th 2013 3:44am
from the thank-ed-snowden dept
by Mike Masnick
Fri, Nov 15th 2013 3:34am
from the uh,-guys... dept
Unfortunately, it's not clear that other companies are following suit. When asked about this right after the infiltration was revealed, Yahoo gave a non-committal answer:
"We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency."Yeah, but that doesn't say they encrypt the links between data centers, or even that they're planning to do so. Since then, Yahoo has basically said nothing as far as I can tell. Over in Europe, however, Microsoft has now admitted that it still is not encrypting those links, and is only now investigating the idea.
Dorothee Belz, EMEA VP for Legal and Corporate Affairs made the remark when answering a question from Claude Moraes, MEP during a meeting at the European Parliament on Monday.Sure, it's not something that can be done overnight, but large internet companies who use multiple data centers now need to assume that all of their data is compromised if they're not encrypting the links. Whether or not it's done yet, these companies have a responsibility to get that process started as soon as possible. Hell, they all probably should have started doing this as soon as the news broke that Google was rushing to do this, since it was pretty clear they'd figured out what was going on.
"Generally, what I can say today is server-to-server transportation is generally not encrypted," she said. "This is why we are currently reviewing our security system."
It's especially ironic that Microsoft is now admitting that it's not encrypting the data leaks, because the company has been on a rampage trying to present itself as protecting users privacy and that Google is a privacy nightmare. But, given these admissions, Microsoft has now basically said that its made all of your data available to the US government and it's still thinking about what to do about it, while Google has been rushing to protect its users privacy.
by Mike Masnick
Thu, Nov 14th 2013 3:58pm
from the legacy-of-ed-snowden? dept
If the NSA can hack Petrobras, the Russians can justify attacking Exxon/Mobil. If GCHQ can hack Belgicom to enable covert wiretaps, France can do the same to AT&T. If the Canadians target the Brazilian Ministry of Mines and Energy, the Chinese can target the U.S. Department of the Interior. We now live in a world where, if we are lucky, our attackers may be every country our traffic passes through except our own.The only way to protect against this is to encrypt everything:
Which means the rest of us — and especially any company or individual whose operations are economically or politically significant — are now targets. All cleartext traffic is not just information being sent from sender to receiver, but is a possible attack vector.
The only self defense from all of the above is universal encryption. Universal encryption is difficult and expensive, but unfortunately necessary.Thankfully, he's not the only one thinking about this. As we pointed out a few weeks ago, IETF is moving forward, full-steam ahead, on looking at ways to make the internet secure by default.
Encryption doesn’t just keep our traffic safe from eavesdroppers, it protects us from attack. DNSSEC validation protects DNS from tampering, while SSL armors both email and web traffic.
That seems like a very useful consequence of all of this. While we've mostly been focused on what's happening at the political and policy levels around here, the technology can make a lot of that meaningless. The simple fact is that an awful lot of security online has involved kludges pasted on later, after problems or concerns appeared. Rethinking and rebuilding a more secure (it'll never be perfectly secure but it can be a lot more secure) internet from the ground up isn't just good for protecting privacy and keeping away from snooping spies, but it's just a good plan, in general, for security.
by Mike Masnick
Wed, Nov 6th 2013 9:41am
from the keep-at-it dept
It would appear that this sentiment is pretty common across Google's security team, and they're displaying their anger on Google Plus -- but also announcing that all that data is now encrypted. When the news first broke, security engineer Brandon Downey expressed reasonable anger about the news:
Fuck these guys.On Tuesday, the Washington Post revealed a few more slides showing more details of the NSA's infiltration of private data links between data centers. In response to that, another security engineer, Mike Hearn, announced that all the traffic shown in those slides is now encrypted, along with his own "fuck you" to the NSA and GCHQ:
I've spent the last ten years of my life trying to keep Google's users safe and secure from the many diverse threats Google faces.
[...] But after spending all that time helping in my tiny way to protect Google -- one of the greatest things to arise from the internet -- seeing this, well, it's just a little like coming home from War with Sauron, destroying the One Ring, only to discover the NSA is on the front porch of the Shire chopping down the Party Tree and outsourcing all the hobbit farmers with half-orcs and whips.
I now join him in issuing a giant Fuck You to the people who made these slides. I am not American, I am a Brit, but it's no different - GCHQ turns out to be even worse than the NSA.Of course, some people might reasonably question the idea that Google is "little people" here. And, while it's good to see Google staffers furious about this, it remains to be seen if Google will actually do more about this. A lawsuit against the US government for hacking into its network seems called for. And, potentially against Level 3 as well, given that it appears Level 3 provided much of the dark fiber Google was using -- and the company gave a giant "if the government comes to us, we can't talk about it" response, that hinted strongly towards "the government came to us and had us tap Google's private links."
We designed this system to keep criminals out. There's no ambiguity here. The warrant system with skeptical judges, paths for appeal, and rules of evidence was built from centuries of hard won experience. When it works, it represents as good a balance as we've got between the need to restrain the state and the need to keep crime in check. Bypassing that system is illegal for a good reason.
Unfortunately we live in a world where all too often, laws are for the little people. Nobody at GCHQ or the NSA will ever stand before a judge and answer for this industrial-scale subversion of the judicial process. In the absence of working law enforcement, we therefore do what internet engineers have always done - build more secure software. The traffic shown in the slides below is now all encrypted and the work the NSA/GCHQ staff did on understanding it, ruined.
Hopefully, we'll start to see that employee anger over this turn into much more: including better privacy tools for users and using Google's political pull to fight the NSA in DC as well.