GCHQ taps fibre-optic cables for access to world's comms 
Legend

Joined: Sun Apr 26, 2009 12:30 pm
Posts: 45931
Location: Belfast
Exclusive: British spy agency collects and stores vast quantities of global email messages, Facebook posts, internet histories and calls, and shares them with NSA, latest documents from Edward Snowden reveal

http://www.guardian.co.uk/uk/2013/jun/2 ... ations-nsa

I've actually sent that to my Kindle to read again... Words are failing me at the moment, it's borderline unbelievable.

_________________
Plain English advice on everything money, purchase and service related:

http://www.moneysavingexpert.com/


Fri Jun 21, 2013 9:18 pm
Legend

Joined: Fri Apr 24, 2009 2:02 am
Posts: 29240
Location: Guantanamo Bay (thanks bobbdobbs)
It was on Newsnight. Apparently GCHQ can scan even more than the NSA, but have to sift through it fast because of the volume and being unable to store it for more than a month. They have some 41 000 search terms from terrorism to drugs, so it looks to be a very broad scan of the public activity.


Sent from my iPad using Tapatalk.

_________________
Do concentrate, 007...

"You are gifted. Mine is bordering on seven seconds."

https://www.dropbox.com/referrals/NTg5MzczNTk

http://astore.amazon.co.uk/wwwx404couk-21


Fri Jun 21, 2013 11:08 pm
What's a life?

Joined: Thu Apr 23, 2009 8:25 pm
Posts: 10691
Location: Bramsche
And this is a surprise?

Facebook shouldn't be possible any more, AFAIK. Haven't Facebook (and Google, among others) switched to purely SSL connections, which cannot be eavesdropped, unless they have the private keys from both ends? As they are splitting the fibre optic on the backbone (hence the American name for the system, Prism), they aren't targeting a specific person, which probably means they can do it legally on a technicality, because the wire tap laws never envisaged such a situation.

_________________
"Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari

Executive Producer No Agenda Show 246


Sat Jun 22, 2013 6:53 am
What's a life?

Joined: Thu Apr 23, 2009 7:26 pm
Posts: 17040
big_D wrote:
And this is a surprise?

Facebook shouldn't be possible any more, AFAIK. Haven't Facebook (and Google, among others) switched to purely SSL connections, which cannot be eavesdropped, unless they have the private keys from both ends? As they are splitting the fibre optic on the backbone (hence the American name for the system, Prism), they aren't targeting a specific person, which probably means they can do it legally on a technicality, because the wire tap laws never envisaged such a situation.

In theory yes, but there have been a couple of academic papers suggesting methods for breaking SSL encryption and you'd assume the secret stuff is ahead of that curve. Especially if you're monitoring everything, you can scrape all the traffic to and from certificate sellers' web sites and email servers looking for keys being passed, which would make it a lot easier.

I don't think SSL is a widely insecure system but I don't think you can make the assumption that a government agency with massive resources which is doing the amount of monitoring GCHQ are accused of doing can't figure out a way to crack it, at least on the small percentage of traffic it's actually interested in. It seems logical to me they're using all sorts of other intelligence to figure out what they need to listen to before they actually bother to look at the data itself. I'd assume every 'conversation' will be scored somehow and only the stuff that gets a high score actually gets examined or any effort put in to unencrypt it. For example, they might already know the IP a suspected person is using. They may actually be gathering the amount of info that they're accused of, but I'd be surprised if they weren't throwing the vast majority of it away without actually bothering to examine it too closely.


Sat Jun 22, 2013 7:11 am
I haven't seen my friends in so long

Joined: Thu Apr 23, 2009 8:19 pm
Posts: 5071
Location: Manchester
Tapping the internet before knowing where to look sounds like The Library of Babel, yeah all the info is there, but without knowing where to look for specific intel, it's useless.


Sat Jun 22, 2013 9:46 am
What's a life?

Joined: Thu Apr 23, 2009 7:26 pm
Posts: 17040
Coincidentally, BBC Click this week have a decent report about penetration testing (i.e. getting a hacker to try to get past your security to see if it's good enough) and their 'Our World' show is focussing on blackhats, with an emphasis on the history of Lulzsec.


Sat Jun 22, 2013 9:49 am
Legend

Joined: Fri Apr 24, 2009 2:02 am
Posts: 29240
Location: Guantanamo Bay (thanks bobbdobbs)
big_D wrote:
And this is a surprise?

Facebook shouldn't be possible any more, AFAIK. Haven't Facebook (and Google, among others) switched to purely SSL connections, which cannot be eavesdropped, unless they have the private keys from both ends? As they are splitting the fibre optic on the backbone (hence the American name for the system, Prism), they aren't targeting a specific person, which probably means they can do it legally on a technicality, because the wire tap laws never envisaged such a situation.

Though will US and UK politicians actually rein them in? They are already discussing even more draconian laws to assist the secret services. The problem is that the vast majority are not involved in anything that would or even should worry the state. Even the criminals are already targeted by the police, and unless there is a lot of traffic from GCHQ to the police, what will happen is that they will try and justify their spend and requests for more money.


Sat Jun 22, 2013 10:59 am
What's a life?

Joined: Thu Apr 23, 2009 8:25 pm
Posts: 10691
Location: Bramsche
jonbwfc wrote:
In theory yes, but there have been a couple of academic papers suggesting methods for breaking SSL encryption and you'd assume the secret stuff is ahead of that curve. Especially if you're monitoring everything, you can scrape all the traffic to and from certificate sellers' web sites and email servers looking for keys being passed, which would make it a lot easier.

Having the public key from the site that registered the certificate is irrelevant. They do not have access to the private key. Without hacking into Facebook et al and getting their private keys, they don't come any further. Each session uses a unique key, so assuming they can crack one session in a few days, given the millions of sessions each day, it really isn't worth the effort. Saving the user IP address and the time would make some sense; they can then ask Facebook for the information, which would be a lot easier.

jonbwfc wrote:
I don't think SSL is a widely insecure system but I don't think you can make the assumption that a government agency with massive resources which is doing the amount of monitoring GCHQ are accused of doing can't figure out a way to crack it, at least on the small percentage of traffic it's actually interested in. It seems logical to me they're using all sorts of other intelligence to figure out what they need to listen to before they actually bother to look at the data itself. I'd assume every 'conversation' will be scored somehow and only the stuff that gets a high score actually gets examined or any effort put in to unencrypt it. For example, they might already know the IP a suspected person is using. They may actually be gathering the amount of info that they're accused of, but I'd be surprised if they weren't throwing the vast majority of it away without actually bothering to examine it too closely.

Yeah, SSL 1 and 2 and TLS 1.0 have been cracked, so you should be setting your browser to refuse 1 and 2 connections; in fact, it should be using TLS 1.1 or 1.2, but as not all browsers support it, it isn't turned on on many web browsers. In the security settings in your browser, you can force the high levels of security or disable the crackable versions (Firefox, for example, only supports the exploitable versions of SSL and TLS). But that they are vulnerable doesn't mean they can be read on the fly; it still involves a huge amount of processing power, a man-in-the-middle attack (the green address bar in the browser wouldn't be green) or something like a BEAST attack (injecting JavaScript into the browser side to perform a BEAST or CBC attack (Cipher Block Chaining)).

https://en.wikipedia.org/wiki/Transport_Layer_Security

Internet Explorer, Safari and Chrome all support TLS 1.1 and 1.2. Firefox is planning to implement TLS 1.1 (defined in 2006) in version 23, which would be some time in early Autumn; there is currently no release date for a version of Firefox that will implement TLS 1.2 (a released standard since August 2008).

https://support.mozilla.org/en-US/questions/959936

Sat Jun 22, 2013 12:39 pm
Profile ICQ
What's a life?

Joined: Thu Apr 23, 2009 7:26 pm
Posts: 17040
big_D wrote:
you can force the high levels of security or disable the crackable versions (Firefox, for example, only supports the exploitable versions of SSL and TLS).

Which in reality a fraction of a single percent of the people using browsers on the internet have actually done. Any security system is as strong as the weakest link, not the strongest, and usually the weakest part is the human part. Which is why I rather suspect that rather than doing massive, expensive trawls through the terabytes of traffic that go through the main internet transits every day, GCHQ probably already know what they are looking for when they start digging. It's not so much a case of 'if you've done nothing wrong you've got nothing to fear' as 'if you've done nothing wrong, they aren't interested in you'.

Let's face it, the government already had a myriad of ways to examine and intrude on our lives - some of which have been used in the past - before the internet came along and there's nothing actually new or interesting here. They can read your email and IM? Well, they've been able to read your post and listen to your telephone conversations for donkey's years but you didn't stop using the phone or start writing letters in code, did you? You either end up utterly paranoid, or you just assume the government isn't doing widespread intensive surveillance because it would be a waste of time and frankly it's got better things to do. I am occasionally asked, when people find out I can read any email sent to or from any person in the University I work at, why I don't do so. The answer is the same as in this case - 'because the overwhelming majority of things people say and do are utterly uninteresting'.

The government isn't spying on you, not because of some grand protective scheme of law and not because of whatever security regime you may personally have imposed, but because you aren't doing or saying anything the government actually cares about. Most security measures are redundant not because they can be bypassed, but because nobody was looking in the first place. The notion that we must protect ourselves from government intrusion is a disguised conceit, because it stems from the conviction that there is something there that the government would want to know about. That really, really isn't the case in all but the vanishingly small number of cases. In those cases where the government is interested, I for one am pretty certain they've got ways to get the information they want, regardless of what measures might be taken to stop them.

In the list of things that you need to be aware of (security wise) on the internet, government surveillance is a pretty long way down.


Sat Jun 22, 2013 1:02 pm
Legend

Joined: Sun Apr 26, 2009 12:30 pm
Posts: 45931
Location: Belfast
I agree with what people have been saying here, but as time goes on hardware will give the security forces more capability to catch and process data. That's not strictly good when it's quite obvious they can't even be trusted now. Few were too pleased about the 'snooper's charter', and that was when they were being somewhat upfront! It's a sledgehammer to crack a nut, never mind who's wielding it.

Sat Jun 22, 2013 1:36 pm
What's a life?

Joined: Thu Apr 23, 2009 8:25 pm
Posts: 10691
Location: Bramsche
The big difference is that reading the post and tapping phone conversations was a labour-intensive task, which couldn't be done on a large scale. It was also very tightly controlled with legal apparatus; these controls do not exist in the same form in the digital world. Telephone communications are much easier to intercept, now that they are digital, and emails are much easier to read with a machine to pick out key words, than reading each individual handwritten letter.

Sat Jun 22, 2013 1:45 pm
Legend

Joined: Fri Apr 24, 2009 2:02 am
Posts: 29240
Location: Guantanamo Bay (thanks bobbdobbs)
big_D wrote:
The big difference is that reading the post and tapping phone conversations was a labour-intensive task, which couldn't be done on a large scale. It was also very tightly controlled with legal apparatus; these controls do not exist in the same form in the digital world. Telephone communications are much easier to intercept, now that they are digital, and emails are much easier to read with a machine to pick out key words, than reading each individual handwritten letter.

Are you suggesting that we should all be subversive and write letters? ;)


Sat Jun 22, 2013 1:57 pm
Legend

Joined: Sun Apr 26, 2009 12:30 pm
Posts: 45931
Location: Belfast
GCHQ data-tapping claims nightmarish, says German justice minister

http://www.bbc.co.uk/news/uk-23017108

I wonder what the EU will make of it all.

Sat Jun 22, 2013 5:55 pm
Legend

Joined: Fri Apr 24, 2009 2:02 am
Posts: 29240
Location: Guantanamo Bay (thanks bobbdobbs)
pcernie wrote:
GCHQ data-tapping claims nightmarish, says German justice minister

http://www.bbc.co.uk/news/uk-23017108

I wonder what the EU will make of it all.

They will do what they are told. Will they like the world to know about their sexual peccadilloes? :twisted:

Sat Jun 22, 2013 10:43 pm
Legend

Joined: Sun Apr 26, 2009 12:30 pm
Posts: 45931
Location: Belfast
Amnesia10 wrote:
pcernie wrote:
GCHQ data-tapping claims nightmarish, says German justice minister

http://www.bbc.co.uk/news/uk-23017108

I wonder what the EU will make of it all.

They will do what they are told. Will they like the world to know about their sexual peccadilloes? :twisted:


I doubt Germany will let it go so easily, for one. All it will take is even a claim on the filtering of data and more questions will be asked.

Sat Jun 22, 2013 10:50 pm