[liberationtech] Spy stoppers: meet the companies benefiting from the PRISM privacy scare

Adam Back adam at cypherspace.org
Wed Jun 12 08:38:23 PDT 2013


Couple of problems in that article: it says Google has keys, that's not the
problem; Google uses EDH ciphersuites by default like the next guy, and
while it's possible that NSA/PRISM has demanded SSL server keys from Google,
or from their CA perhaps without Google's knowledge, and is actively MITM SSL
attacking traffic, real time pre-emptive MITM with server keys or fake certs
is slightly more expensive.  (I expect they are doing it, but doing it
selectively, and most likely with fake certs issued by the correct CA).

The main problem with the Google model is the data is in plaintext on the Google
servers.  (Well, probably encrypted on the disk but with a key in RAM.)  That
means Google has the data, and as we know FISA authorises the US government
to request any and all data as rubber stamped by a closed court.

The main alarming thing to me about PRISM is that they are pre-emptively
storing everyone's data.  Then they sift through it afterwards.  So to the
extent that they may require some kind of suspicion for US targets of
analysis (and don't require anything for non-US targets), it's not about
whether or not to wiretap you, it's whether or not to look at the blanket
wiretap.  That's a big shift in the balance of power.

I notice Silent Circle offers to generate and manage your keys for you on
their servers; that seems like a highly dubious practice, especially given
that it is a US company.  They do have a generate-your-own-keys option.  But
why would they open themselves up to the FISA orders by even offering to
store user keys?  Surely that's asking for trouble.

Adam

On Wed, Jun 12, 2013 at 11:21:49AM -0400, Nadim Kobeissi wrote:
>"The world is still reeling from the leaked details of the NSA's PRISM program, reported to give the government's top spies access to personal user data collected by Google, Apple, Microsoft, and other services. But while the mainstream is fighting over the precise nature of PRISM, the world of cryptography is feeling strangely validated"
>
>http://www.theverge.com/2013/6/12/4422480/is-prism-good-news-for-cryptographers
>
>NK
>--
>Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
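The EDH point above (a disclosed server key lets a passive recorder decrypt past traffic only if the key exchange was static RSA, not ephemeral DH) can be checked on the server side. This is an added example, not code from the thread or from any of the companies mentioned; it uses Python's standard `ssl` module and assumes a Python build linked against OpenSSL 1.1 or newer, where `get_ciphers()` reports the key-exchange algorithm.

```python
import ssl

# Key-exchange labels as reported in the "kea" field of SSLContext.get_ciphers().
# Ephemeral (EC)DH gives forward secrecy: obtaining the server's long-term key
# afterwards does not let a passive recorder decrypt captured sessions, an active
# MITM is still needed. Static RSA key exchange ("kx-rsa") has no such property.
# TLS 1.3 suites report "kx-any" and are always ephemeral.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def is_forward_secret(cipher):
    """True if a cipher dict (as returned by get_ciphers()) uses ephemeral key exchange."""
    return cipher.get("kea") in FORWARD_SECRET_KEA


def non_forward_secret_ciphers(ctx):
    """Names of enabled suites whose past sessions a leaked server key would expose."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c)]


def forward_secret_context():
    """Server context limited to (EC)DHE key exchange for TLS 1.2 (TLS 1.3 is always ephemeral).

    The cipher string is a constructed hardening choice for this example, not a
    setting quoted from the thread.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!PSK:!SRP"
    )
    return ctx


if __name__ == "__main__":
    default = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("default context, suites without forward secrecy:",
          non_forward_secret_ciphers(default))
    print("hardened context, suites without forward secrecy:",
          non_forward_secret_ciphers(forward_secret_context()))
```

Run it to see which suites a default server context still offers with static RSA key exchange; the hardened context should list none.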
