[HN Gopher] Some new snippets from the Snowden documents
___________________________________________________________________
Some new snippets from the Snowden documents
Author : Luc
Score : 73 points
Date : 2023-09-18 21:20 UTC (1 hours ago)
(HTM) web link (www.electrospaces.net)
(TXT) w3m dump (www.electrospaces.net)
| older wrote:
| I was expecting snippets from his Russian passport.
| xhoptre wrote:
| [flagged]
| drunner wrote:
| What an awful take.
| azinman2 wrote:
| I doubt it's connected but would be fascinating if true.
| johnnyworker wrote:
| Because they're so bad it would need a global system of total
| surveillance to catch them? Sure.
|
| https://news.ycombinator.com/item?id=11872642
|
| ^ that is what that is. Or, in more detail:
| https://github.com/Enegnei/JacobAppelbaumLeavesTor/blob/mast...
|
| You can't connect real things like these documents with
| slander by people who do _nothing_ to step on the toes of the
| NSA. That is all that the BS about Assange or Appelbaum being
| a sex menace or Snowden being a Russian asset is. "Oh noes,
| they're a threat to the work we're not doing". Nobody is
| asking you to get drinks with Assange or Appelbaum. They
| don't want to be your friend. It's okay if you don't like
| them, for whatever personal reasons (and choosing to fall for
| this crap falls under personal reasons). It's _not_ okay to
| be part of a mob that murders people by throwing a pebble
| each with this plausible deniability, in this "genuinely
| curious" just wondering kind of way. Enough is enough.
|
| It certainly isn't fascinating. 3 letter agencies are
| torturing and murdering people, and having nothing better to
| do than gossip about gossip about messengers is just vulgar,
| boring, infantile cowardice, puffed up with not even clever
| words.
| Krasnol wrote:
| This is a genuine question, I am curious as to what drives men
| such as you to such comments.
| [deleted]
| neilv wrote:
| > _" How do they accomplish their goals with project BULLRUN? One
| way is that United States National Security Agency (NSA)
| participates in Internet Engineering Task Force (IETF) community
| protocol standardization meetings with the explicit goal of
| sabotaging protocol security to enhance NSA surveillance
| capabilities." "Discussions with insiders confirmed what is
| claimed in as of yet unpublished classified documents from the
| Snowden archive and other sources." (page 6-7, note 8)_
|
| There's long been stories about meddling in other standards orgs
| (both to strengthen and to weaken them), but I don't recall
| hearing rumors about sabotage of _IETF_ standards.
| hinkley wrote:
| Not IETF, but NIST, which I suspect is worse. Dual_EC_DRBG was
| withdrawn when it was discovered to be an attempt by the NSA to
| sabotage ECC specifications.
| jdougan wrote:
| The NIST process (especially then) isn't fully open, which
| makes it easier to subvert with an inside agent.
| willis936 wrote:
| NIST EC DSA curves are the only ones used by CAs, are
| manipulatable, and have no explanation for their origin.
| Pretty much the entire HTTPS web is likely an open book to
| the NSA.
| jdougan wrote:
| I'm curious as to how successful they were at subverting the
| IETF process. It wouldn't be impossible, but since much of the
| process is in the open it could be difficult, especially if
| they did it under their own name.
|
| I suspect most of it was done under different corporate
| identities, and probably just managed to slow adoption of
| systematic security architectures. Of course, once the Snowden
| papers came out, all that effort was rendered moot as the IETF
| reacted pretty hard.
| eddythompson80 wrote:
| Sabotaging a design is remarkably easy. We have several
| individuals that almost do it effortlessly. It's almost a
| talent for some. I suspect that doing it maliciously while
| hiding behind some odd corner scenario or some compatibility
| requirements can't be that hard and will be almost impossible
| to prove or detect.
| ok123456 wrote:
| So that's how we ended up with IPv6.
| willis936 wrote:
| Just because you're paranoid doesn't mean they're not after
| you.
| esafak wrote:
| Is there any write-up on the IETF reaction?
| jdougan wrote:
| There were a bunch at the time, a historical retrospective
| is "RFC 9446 Reflections on Ten Years Past the Snowden
| Revelations"
|
| https://www.rfc-editor.org/rfc/rfc9446.html
| gustavus wrote:
| Ya ever heard of the OAuth2 protocol? I spent almost half a
| decade working on identity stuff, and spending a lot of time
| in OAuth land. OAuth is an overly complicated mess that has
| many many ways to go wrong and very few ways to go right.
|
| If you told me the NSA/CIA had purposefully sabotaged the
| development of the OAuth2 protocol to make it so complex that
| no one can implement it securely it'd be the best explanation
| I've heard yet about why it is the monstrosity it is.
| ENGNR wrote:
| Redirecting the user when they tap sign in from
| untrustednewsite.com, to a new window with the domain
| hidden of bigsitewithallyourdata.com and saying "Yeah, give
| us your login credentials" always felt like the craziest
| thing to me
|
| So ripe for man in the middle attacks. Even if you just did
| a straight modal and said "put your google credentials into
| these fields", we're training people that that's totally
| fine
| bawolff wrote:
| > Ya ever heard of the OAuth2 protocol?
|
| Have you ever seen SAML? Now there is a protocol that seems
| borderline sabotaged. CSRF tokens? Optional part of spec.
| Which part of the response is signed? Up to you with
| different implementations making different choices; but
| better verify the sig covers the relevant part of the doc.
| Can you change the signed part of spec in a way that alters
| the xml parse tree without it invalidating the signature?
| Of course you can!
|
| Oauth2 is downright sane in comparison.
|
| [To be clear, saml is not an IETF spec, it just solves a
| similar problem as oauth2]
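The point above about "which part of the response is signed" as a defender's check, added here as an example that is not code from the thread or from any SAML library: it selects the Assertion by the Signature's Reference URI instead of taking the first Assertion in the document, and refuses a response that carries an extra, unsigned Assertion. The sample XML, the IDs and the PLACEHOLDER signature value are constructed; cryptographic verification of the signature is assumed to run separately.

```python
# Added example, not from the thread: a structural guard against XML Signature
# Wrapping in a SAML Response. It does NOT verify the signature's cryptography;
# it only enforces that the Assertion the service provider consumes is the very
# element the ds:Signature Reference covers. Run it beside a real XML-DSig check.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ASSERTION = "{%s}Assertion" % NS["saml"]
# Constructed sample: one signed Assertion (SignatureValue is a placeholder).
SIGNED = """<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>""" % NS
# Same document with an extra, unsigned Assertion placed before the signed one.
EXTRA = SIGNED.replace('<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_x"><saml:Subject><saml:NameID>unsigned@example.com'
    '</saml:NameID></saml:Subject></saml:Assertion>\n  <saml:Assertion ID="_a1">')

class WrappingError(Exception):
    pass

def naive_subject(xml_text):
    """The fragile pattern: trust whichever Assertion appears first."""
    root = ET.fromstring(xml_text)
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text

def signed_subject(xml_text):
    """Select the Assertion by the Signature's Reference URI; reject ambiguity."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise WrappingError("expected exactly one Signature, found %d" % len(sigs))
    uri = sigs[0].find("ds:SignedInfo/ds:Reference", NS).get("URI", "")
    if not uri.startswith("#"):
        raise WrappingError("only same-document ID references are accepted")
    matches = [a for a in root.iter(ASSERTION) if a.get("ID") == uri[1:]]
    if len(matches) != 1:
        raise WrappingError("signed ID %r matched %d Assertions" % (uri[1:], len(matches)))
    # The Signature must be enveloped directly inside the Assertion it covers.
    if not any(child is sigs[0] for child in matches[0]):
        raise WrappingError("Signature is not a direct child of the signed Assertion")
    # Any other Assertion in the document is unsigned by construction: refuse it.
    if len(root.findall(".//saml:Assertion", NS)) != 1:
        raise WrappingError("unsigned Assertion present alongside the signed one")
    return matches[0].find("saml:Subject/saml:NameID", NS).text
```

With the EXTRA document, naive_subject returns the unsigned identity while signed_subject raises WrappingError, which is the difference the check exists to make.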
| fidotron wrote:
| Just a concrete example of that time we know the NSA actually
| did their job properly:
| https://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA's...
| [deleted]
___________________________________________________________________
(page generated 2023-09-18 23:00 UTC)