NSA Attacks on VPN, SSL, TLS, SSH, Tor

>>>>         Anyway, I'm getting the impression that all the Snowden
>>>>         stuff that gets 'leaked'  to the public has been somehow
>>>>         approved by the US govt?
>>> It's well known that media seeks confirmation and approval from
>>> govts before publishing anything.
>> OK, I'll bite: why? What benefit does the US govt get from the
>> information leaked by Snowden?
> Benefit? Who knows? But media asks for comment, and government gets
> the chance to argue against release, and for redaction.

Cari, Troy and Georgi have covered why Tor is valuable to the US
government, but I still don't understand how the Snowden docs provide
benefit. These documents have confirmed what many members of lists like
this suspected, and have brought that information to the mind of the
wider public. Essentially: the tinfoil hat wearers were proven correct.

The Five Eyes nations' governments have been shown to monitor their
citizens and share that information, in ways that are either illegal or
not supported by their citizens. Crypto standards and implementations
have been influenced for the benefit of those governments.

What value does releasing this information provide to those
governments? This information is pushing people towards encryption by
default, and also pushing service providers towards encryption by
default, not just on their front ends but also on their back end links.

There also appear to be some clear messages:

1. The math is sound. So if we use well-tested and heavily analyzed
crypto products then we are reasonably secure. (OpenSSL and GnuTLS
appear to be clear exceptions, although closed source SSL/TLS
implementations suffered here this year too.)

2. Open source software is harder to crack than closed source.

So the US government seems to have said "we do things you don't want us
to, but if you use proven, open source crypto you're reasonably
secure." The only benefit I can see would be if they could break that
crypto and wanted people to have a false sense of security by using
that easily broken crypto.

My tinfoil hat isn't that thick. I don't buy it. So what are the other