FamilyManFirst’s Techdirt Profile

elhannaford

FamilyManFirst’s Comments

  • Nov 26th, 2013 @ 4:06pm

    Bad and Worse

    I am concerned about the massive database that the NSA (and others) are compiling, because despite the fact that "I have never done anything wrong," I understand perfectly that I am, along with almost everyone else in the US, technically a felon due to the proliferation of laws. I now, or soon, will live at the sufferance of those with access to this database.

    I am more concerned because the same database can and will be used to influence and/or control our elected representatives through blackmail. If it hasn't happened yet, it will - always in the name of patriotism, of course - and I then begin to wonder why there are so few representatives who are up in arms about the deceitfulness of the NSA. I'd think that the reps would be more paranoid, and more worried about what that database might eventually contain on them ... unless they already know, and are keeping quiet as a result.

    Before Snowden I'd have dismissed this notion as a laughable conspiracy theory. I'm not laughing anymore.

  • Oct 16th, 2013 @ 2:44pm

    Re: Re: Re:

    what they wanted initially was known as a 'pen register', and amounted to giving the NSA access to monitor who a person was contacting/possible content monitoring. However, because that data stream being monitored is encrypted, the pen register told them nothing.

    That's not what I recall. As I recall, Lavabit refused to comply with the pen register order. That's when the NSA went to court to force Lavabit to comply. Things escalated from there.

    Clearly, Lavabit didn't implement a "proper" PGP system, with encryption/decryption happening at the client *only*, or handing over the SSL key wouldn't have granted access to users' emails (which seems to be what's being argued). I'm not sure how Lavabit did provide its secure email services, though.
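As an added illustration of the distinction drawn in the comment above (example code written for this page, not code from the commenter or from Lavabit, whose actual design the page does not describe), the Go program below contrasts two models: a server that encrypts mail after it arrives over TLS, and a client that seals mail to the recipient's public key before sending. In both, the observer is whoever holds the server's TLS private key and can decrypt a captured session. The user name, the message text, and RSA-OAEP standing in for PGP are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server stores mail for users. It models the service end of a TLS connection:
// whatever reaches Receive is what a party holding the server's TLS private key
// can recover from a captured session.
type Server struct {
	mailbox map[string][][]byte
}

func NewServer() *Server { return &Server{mailbox: map[string][][]byte{}} }

// Receive stores the body and returns the bytes as they appear after TLS
// decryption, i.e. the observer's view of the message.
func (s *Server) Receive(user string, body []byte) []byte {
	s.mailbox[user] = append(s.mailbox[user], body)
	return body
}

// ServerSideModel: the client sends plaintext; the server encrypts it to a
// server-held key after receipt. Encryption at rest cannot undo what already
// crossed the wire in the clear.
func ServerSideModel(srv *Server, serverKey *rsa.PrivateKey, msg []byte) ([]byte, error) {
	observed := srv.Receive("alice", msg) // "alice" is a constructed user name
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, msg, nil)
	if err != nil {
		return nil, err
	}
	srv.mailbox["alice"] = [][]byte{ct} // stored form; irrelevant to the observer
	return observed, nil
}

// EndToEndModel: the sender's client seals the message to the recipient's
// public key before it touches the connection (the "proper PGP" case above).
func EndToEndModel(srv *Server, recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, err
	}
	return srv.Receive("alice", ct), nil
}

// RecipientRead is the only place the recipient's private key is used: on the
// recipient's own device, never on the server.
func RecipientRead(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Compare runs both models on msg and reports whether the TLS-key holder sees
// the plaintext in each. It also confirms the recipient can still decrypt in
// the end-to-end model, so secrecy is not bought by breaking delivery.
func Compare(msg []byte) (serverSideLeaks, endToEndLeaks bool, err error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	recipientKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	obs1, err := ServerSideModel(NewServer(), serverKey, msg)
	if err != nil {
		return false, false, err
	}
	obs2, err := EndToEndModel(NewServer(), &recipientKey.PublicKey, msg)
	if err != nil {
		return false, false, err
	}
	pt, err := RecipientRead(recipientKey, obs2)
	if err != nil || !bytes.Equal(pt, msg) {
		return false, false, fmt.Errorf("recipient could not read end-to-end mail: %v", err)
	}
	return bytes.Equal(obs1, msg), bytes.Equal(obs2, msg), nil
}

func main() {
	// Constructed sample message for the example.
	ss, e2e, err := Compare([]byte("meet at the usual place at noon"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("TLS-key holder reads plaintext: server-side=%v end-to-end=%v\n", ss, e2e)
}
```

The point the code makes is that the TLS key only protects the hop; once a message is encrypted on the server with a server-held key, anyone who can read the TLS session has already seen it. A real PGP deployment would use a hybrid scheme (symmetric session key wrapped to the recipient's public key) rather than raw RSA-OAEP on the body, but the trust boundary is the same.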

  • Oct 10th, 2013 @ 12:28pm

    Re: Possible out

    I wonder how a judge would react if, in court (a la the Lavabit hearings), the judge ordered that the company turn over their cert and the company rep responded that, sure, they'd do so, but that they were then contractually bound to notify the CA that the cert had been compromised, which would lead to the revocation of the cert? Can a judge order a company to willfully violate a contract like this?

  • Sep 10th, 2013 @ 1:02pm

    Re: Re: Re: This is supporting evidence that root CA is pwned

    Sorry, AC, this is not nonsense. MITM certificates are exactly what we're talking about here, and they are the most likely method used to achieve this "FLYING PIG" operation. I myself can think of 3 ways that the NSA could acquire MITM certificates, and there are probably more:

    1) Issue an NSL (or equivalent) to a medium-sized CA demanding an MITM cert. Even a large CA would be reluctant to challenge such a thing, and a medium-sized CA would have neither the corporate courage nor the resources to do so. They'd roll over quickly.

    2) Get a mole into any given CA and have them supply an MITM cert at need. We have already seen that the NSA does, indeed, seek to plant moles in various companies. CAs would be a prime target.

    3) Steal a CA's private authentication key so that the NSA could sign their own MITM keys at need. Pre-Snowden, this would be laughed off. Now, it looks quite likely. Again, this would be a prime target for the NSA to acquire if it could, and it has billions to spend to achieve that.