[HN Gopher] Some new snippets from the Snowden documents
___________________________________________________________________
 
Some new snippets from the Snowden documents
 
Author : Luc
Score  : 73 points
Date   : 2023-09-18 21:20 UTC (1 hours ago)
 
 (HTM) web link (www.electrospaces.net)
 (TXT) w3m dump (www.electrospaces.net)
 
| older wrote:
| I was expecting snippets from his Russian passport.
| 
| xhoptre wrote:
| [flagged]
| 
| drunner wrote:
| What an awful take.
| 
| azinman2 wrote:
| I doubt it's connected but would be fascinating if true.
| 
| johnnyworker wrote:
| Because they're so bad it would need a global system of total surveillance to catch them? Sure.
| 
| https://news.ycombinator.com/item?id=11872642
| 
| ^ that is what that is. Or, in more detail: https://github.com/Enegnei/JacobAppelbaumLeavesTor/blob/mast...
| 
| You can't connect real things like these documents with slander by people who do _nothing_ to step on the toes of the NSA. That is all that the BS about Assange or Appelbaum being a sex menace or Snowden being a Russian asset is. "Oh noes, they're a threat to the work we're not doing". Nobody is asking you to get drinks with Assange or Appelbaum. They don't want to be your friend. It's okay if you don't like them, for whatever personal reasons (and choosing to fall for this crap falls under personal reasons). It's _not_ okay to be part of a mob that murders people by throwing a pebble each with this plausible deniability, in this "genuinely curious" just wondering kind of way. Enough is enough.
| 
| It certainly isn't fascinating. 3 letter agencies are torturing and murdering people, and having nothing better to do than gossip about gossip about messengers is just vulgar, boring, infantile cowardice, puffed up with not even clever words.
| 
| Krasnol wrote:
| This is a genuine question: I am curious as to what drives men such as you to such comments.
| [deleted]
| 
| neilv wrote:
| > _"How do they accomplish their goals with project BULLRUN? One way is that United States National Security Agency (NSA) participates in Internet Engineering Task Force (IETF) community protocol standardization meetings with the explicit goal of sabotaging protocol security to enhance NSA surveillance capabilities." "Discussions with insiders confirmed what is claimed in as of yet unpublished classified documents from the Snowden archive and other sources." (page 6-7, note 8)_
| 
| There have long been stories about meddling in other standards orgs (both to strengthen and to weaken them), but I don't recall hearing rumors about sabotage of _IETF_ standards.
| 
| hinkley wrote:
| Not IETF, but NIST, which I suspect is worse. Dual_EC_DRBG was withdrawn when it was discovered to be an attempt by the NSA to sabotage ECC specifications.
| 
| jdougan wrote:
| The NIST process (especially then) isn't fully open, which makes it easier to subvert with an inside agent.
| 
| willis936 wrote:
| NIST EC DSA curves are the only ones used by CAs, are manipulatable, and have no explanation for their origin. Pretty much the entire HTTPS web is likely an open book to the NSA.
| 
| jdougan wrote:
| I'm curious as to how successful they were at subverting the IETF process. It wouldn't be impossible, but since much of the process is in the open it could be difficult, especially if they did it under their own name.
| 
| I suspect most of it was done under different corporate identities, and probably just managed to slow adoption of systematic security architectures. Of course, once the Snowden papers came out, all that effort was rendered moot as the IETF reacted pretty hard.
| 
| eddythompson80 wrote:
| Sabotaging a design is remarkably easy. We have several individuals that almost do it effortlessly. It's almost a talent for some.
| I suspect that doing it maliciously while hiding behind some odd corner scenario or some compatibility requirements can't be that hard and will be almost impossible to prove or detect.
| 
| ok123456 wrote:
| So that's how we ended up with IPv6.
| 
| willis936 wrote:
| Just because you're paranoid doesn't mean they're not after you.
| 
| esafak wrote:
| Is there any write-up on the IETF reaction?
| 
| jdougan wrote:
| There were a bunch at the time; a historical retrospective is "RFC 9446 Reflections on Ten Years Past the Snowden Revelations"
| 
| https://www.rfc-editor.org/rfc/rfc9446.html
| 
| gustavus wrote:
| Ya ever heard of the OAuth2 protocol? I spent almost half a decade working on identity stuff, and spending a lot of time in OAuth land. OAuth is an overly complicated mess that has many many ways to go wrong and very few ways to go right.
| 
| If you told me the NSA/CIA had purposefully sabotaged the development of the OAuth2 protocol to make it so complex that no one can implement it securely it'd be the best explanation I've heard yet about why it is the monstrosity it is.
| 
| ENGNR wrote:
| Redirecting the user when they tap sign in from untrustednewsite.com, to a new window with the domain hidden of bigsitewithallyourdata.com and saying "Yeah, give us your login credentials" always felt like the craziest thing to me
| 
| So ripe for man in the middle attacks. Even if you just did a straight modal and said "put your google credentials into these fields", we're training people that that's totally fine
| 
| bawolff wrote:
| > Ya ever heard of the OAuth2 protocol?
| 
| Have you ever seen SAML? Now there is a protocol that seems borderline sabotaged. CSRF tokens? Optional part of spec. Which part of the response is signed? Up to you with different implementations making different choices; but better verify the sig covers the relevant part of the doc.
| Can you change the signed part of spec in a way that alters the xml parse tree without it invalidating the signature? Of course you can!
| 
| Oauth2 is downright sane in comparison.
| 
| [To be clear, SAML is not an IETF spec, it just solves a similar problem as oauth2]
| 
| fidotron wrote:
| Just a concrete example of that time we know the NSA actually did their job properly: https://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA's...
| 
| [deleted]
___________________________________________________________________
(page generated 2023-09-18 23:00 UTC)
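bawolff's SAML point above, that the verifier must check the signature covers the part of the document it actually consumes, turned into a runnable check. This is an added example, not code from the thread or from any SAML library. It assumes a keyed HMAC over the ElementTree serialization as a stand-in for XML-DSig's RSA signature and canonicalization; the element names and namespaces are the SAML 2.0 ones, while the key, IDs and subject names are constructed for the demo.

```python
"""Added example: consume only the element the SAML signature actually covers.

A <ds:Reference URI="#id"> names the signed element. A verifier that checks the
signature and then reads the subject from "the first <Assertion> it finds" is
checking one element and trusting another. The hardened version resolves the
Reference URI, verifies over exactly that element, and returns that element.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # stable prefixes when re-serializing

# Constructed demo key: stands in for the IdP's XML-DSig signing key.
IDP_KEY = b"constructed-demo-key"


def canonical(elem):
    """Bytes the signature covers: the subtree without its tail text.
    (Real XML-DSig uses Exclusive C14N; ElementTree's serializer is the toy.)"""
    clone = copy.deepcopy(elem)
    clone.tail = None
    return ET.tostring(clone)


def mac(data):
    return hmac.new(IDP_KEY, data, hashlib.sha256).hexdigest()


def build_response(assertion_id, name_id):
    """Constructed IdP response: one Assertion, signed by reference to its ID."""
    assertion = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{assertion_id}">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )
    sig_value = mac(canonical(ET.fromstring(assertion)))
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}">'
        f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{assertion_id}"/>'
        f"</ds:SignedInfo><ds:SignatureValue>{sig_value}</ds:SignatureValue>"
        f"</ds:Signature>{assertion}</samlp:Response>"
    )


def signed_element(root):
    """Resolve the Reference URI to exactly one element, verify the signature
    over that element, and return it (the only element that is vouched for)."""
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(matches) != 1:
        raise ValueError("referenced ID must resolve to exactly one element")
    given = root.findtext("ds:Signature/ds:SignatureValue", default="", namespaces=NS)
    if not hmac.compare_digest(given, mac(canonical(matches[0]))):
        raise ValueError("signature does not verify")
    return matches[0]


def naive_subject(response_xml):
    """Weak pattern: signature checked, but the subject is read from the first
    Assertion in document order, which need not be the signed element."""
    root = ET.fromstring(response_xml)
    signed_element(root)  # result discarded: check not tied to what is used
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


def safe_subject(response_xml):
    """Hardened pattern: use only the element the verified signature covers."""
    root = ET.fromstring(response_xml)
    target = signed_element(root)
    if target.tag != f'{{{NS["saml"]}}}Assertion':
        raise ValueError("signature must cover an Assertion")
    return target.findtext("saml:Subject/saml:NameID", namespaces=NS)


def verifies(response_xml):
    """True if safe_subject accepts the response, False if it rejects it."""
    try:
        safe_subject(response_xml)
        return True
    except ValueError:
        return False


def wrapped_variant(response_xml, extra_id="_unsigned"):
    """Constructed regression input: the signed Assertion is left intact, but an
    unsigned Assertion (subject 'admin') is placed before it in document order."""
    root = ET.fromstring(response_xml)
    extra = ET.fromstring(
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{extra_id}">'
        "<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )
    root.insert(1, extra)  # after <ds:Signature>, before the signed Assertion
    return ET.tostring(root)


if __name__ == "__main__":
    legit = build_response("_a1", "alice")
    print(naive_subject(legit), safe_subject(legit))                      # alice alice
    print(naive_subject(wrapped_variant(legit)), safe_subject(wrapped_variant(legit)))  # admin alice
    print(verifies(legit.replace("alice", "mallory")))                   # False
```

The two verifiers share the same signature check; they differ only in whether the element that is returned is the element that was verified. The duplicate-ID rejection in `signed_element` matters for the same reason: if the Reference URI resolves to more than one element, "the signed element" is ambiguous and the response should be refused rather than guessed at.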