On PRISM, the NSA, Google, Facebook and the Echelon

Q: Are European politicians upset that America is spying and storing data on all its citizens or just that the fact has become public?

In my opinion, that this was going on should have been obvious to every top politician who is not totally clueless about their own country’s intelligence operations.

It should also have been obvious to every half-clever internet user such as myself. However, things that we don’t see and that make us uncomfortable tend to be repressed, not talked about, and practically forgotten.

I guess that makes the question rhetorical, implying that the problem is that it has become public, but I would also think that most politicians, given that they (subconsciously?) knew what was going on, were still overwhelmed when they fully understood the scale of things.

My personal awareness level: I know that Google logs everything, and I know what kind of technical traces I leave when I browse the web. (I use the Firefox plugins DNT+, ABP, and NoScript, and I don’t have Flash Player or Java in the web browser. I do however load images automatically in the browser, even when they are linked from other sites.) This should make me leave a lot fewer unnecessary traces than most people. Sure, Google knows “me” and my search history, most likely even after I log out from their services, but that’s probably a price I can live with for using their search engine.

I have closed my Facebook account (kind of silly to call it “deleted”, right? It’s just inaccessible to everyone outside Facebook’s datacenter).

What bothers me immensely about “the PRISM incident” is that in the first denial statements I read from Google and Facebook, they were very explicit in talking about access to their servers. Anyone working with networks and intrusion detection/prevention systems knows that all high-end network equipment has mirror-port capability, that is, the ability to output all traffic passing through the equipment on a separate port. This exists for exactly the purpose of monitoring: we use it to analyze network traffic for anomalies, the NSA use it to copy the communications of the PRISM participants, and in Sweden the FRA use it for all traffic passing through the geographic borders. So denying backdoors and server access in their datacenters is just smokescreen wording for the ignorant masses. These were not lies, but the purpose was to make people think they were not feeding the NSA with data about their users, which of course is not true.

The NSA don’t want server access, they want to tap off the communications, and store it in their own datacenters.

Did you know that their new datacenter in Utah has yottabyte-scale storage capacity? That’s right, 24 zeroes. That’s huge beyond imagination. So thinking that they only listen in on communications, without storing and analyzing them, would be ultra-silly.

About 10-15 years ago there was talk about Echelon. Many people thought it was unrealistic and that the descriptions were exaggerated. I wonder if it was. At least today it is not.

authorized_keys SELinux pubkey authentication on RHEL / CentOS

So, you have correct permissions on your home directory and all the way up to /, with no other-writable directories in the path, as well as correct permissions on the .ssh directory in $HOME, and it still doesn’t work? You probably have SELinux, and need to put the newly created files in the correct security context. Do it with restorecon like this:

chmod 700 ~/.ssh                   # only the owner may enter the directory
cd ~/.ssh
chmod 600 ~/.ssh/*                 # everything owner-only first (private keys must stay 600)
chmod 644 ~/.ssh/authorized_keys   # readable is fine; group/other-writable is not
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
restorecon -R -v ~/.ssh            # relabel to the SELinux context the policy expects
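To check the two conditions above before blaming SELinux, here is a small set of shell functions (an added example, not from the original post). It assumes a POSIX sh with GNU coreutils `stat -c` as on RHEL/CentOS, and for the label check it assumes `matchpathcon -V` from policycoreutils prints "<path> verified." for a correctly labelled file.

```shell
# Added example, not from the original post. Assumes GNU `stat -c` and, for
# the SELinux check, `matchpathcon -V` printing "<path> verified." when the
# label matches policy.

# Succeed (0) when a path has a group or other write bit set: sshd with
# StrictModes rejects such directories and files ("bad ownership or modes").
group_or_other_writable() {
    case "$(stat -c '%a' "$1")" in
        *[2367]?|*[2367]) return 0 ;;   # 2nd-last octal digit = group, last = other
        *) return 1 ;;
    esac
}

# Walk from directory $1 up to directory $2 (default /), the way sshd walks
# from the authorized_keys directory up to the home directory. Prints each
# offending directory and returns 1 if any was found.
check_path_perms() {
    dir=$(cd "$1" && pwd -P) || return 2
    top=$(cd "${2:-/}" && pwd -P) || return 2
    rc=0
    while :; do
        if group_or_other_writable "$dir"; then
            echo "bad mode $(stat -c '%a' "$dir") on $dir"
            rc=1
        fi
        [ "$dir" = "$top" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# authorized_keys (and the other files ssh/sshd read) must not be group or
# other writable either: 644 as in the post is fine, 664 is not.
check_ssh_files() {
    rc=0
    for f in "$1"/authorized_keys "$1"/config "$1"/known_hosts; do
        [ -e "$f" ] || continue
        group_or_other_writable "$f" && { echo "bad mode on $f"; rc=1; }
    done
    return $rc
}

# List files under ~/.ssh whose SELinux label differs from policy, i.e. the
# ones `restorecon -R -v` would relabel. Skipped where SELinux tools are absent.
check_ssh_context() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "no matchpathcon, skipped"; return 0; }
    ! matchpathcon -V "$1" "$1"/* | grep -v 'verified\.$'
}
```

Run `check_path_perms ~/.ssh "$HOME" && check_ssh_files ~/.ssh && check_ssh_context ~/.ssh`; if all three pass and login still fails, the problem is elsewhere (sshd_config, the key itself, or the sshd log).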


Thoughts on fake SSL certificates for web sites

As you know, a while ago an intruder into one of Comodo’s affiliates was able to issue SSL certificates for:

  • mail.google.com
  • login.live.com
  • login.yahoo.com (three different)
  • login.skype.com
  • addons.mozilla.org
  • www.google.com
  • “global trustee”

The reason for the identity theft was probably a dictatorial state planning to mount a man-in-the-middle attack, silently monitoring the HTTPS traffic to the above sites.

Whoever controls all DNS traffic in and out of a country could spoof the DNS replies so that, for instance, the A record for login.yahoo.com points to a proxy with the bogus certificate installed; the proxy decrypts the traffic and simply forwards the request to the real https://login.yahoo.com/ site.

My suggestion (at least for security-aware techies): An addition to the web browser that remembers the certificate fingerprint, issuer, and expiry date of your favorite HTTPS sites.

Each time you visit an HTTPS site, a simple local lookup would compare the site’s certificate with the remembered values and, if anything has changed, present the user with a notice and a choice to cancel or investigate. For instance, if mail.google.com changes from a Verisign certificate to one from a smaller CA (Comodo, StartCom, etc.) long before the expiry date, you may want to think twice before continuing.
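The same trust-on-first-use check can be done from the shell rather than inside the browser; the script below is an added example, not part of the original post. It assumes `openssl` and GNU `date -d`; the record format host|sha256-fingerprint|issuer|notAfter-epoch is my own choice, and treating an issuer change as a warning on its own goes slightly beyond the heuristic described above.

```shell
# Added example, not from the original post. Assumes `openssl` and GNU
# `date -d`; the stored record format (host|fingerprint|issuer|notAfter-epoch)
# is an assumption of this example.

# Fetch the leaf certificate presented by host $1 on port 443 and print
# its record line (not run by the test below: it needs network access).
fetch_record() {
    pem=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
          openssl x509 2>/dev/null) || return 1
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2)
    printf '%s|%s|%s|%s\n' "$1" "$fp" "$issuer" "$(date -d "$end" +%s)"
}

# Compare the stored record $1 (empty on first visit) with the observed
# record $2 at time $3 (epoch seconds). Prints first-seen, unchanged,
# renewed or a WARN line, and returns 1 on WARN so a caller can stop.
judge() {
    stored=$1 observed=$2 now=$3
    [ -z "$stored" ] && { echo first-seen; return 0; }
    old_fp=$(printf '%s' "$stored" | cut -d'|' -f2)
    new_fp=$(printf '%s' "$observed" | cut -d'|' -f2)
    [ "$old_fp" = "$new_fp" ] && { echo unchanged; return 0; }
    old_issuer=$(printf '%s' "$stored" | cut -d'|' -f3)
    new_issuer=$(printf '%s' "$observed" | cut -d'|' -f3)
    old_end=$(printf '%s' "$stored" | cut -d'|' -f4)
    days_left=$(( (old_end - now) / 86400 ))
    # A different CA is the Verisign-to-Comodo case from the post.
    if [ "$old_issuer" != "$new_issuer" ]; then
        echo "WARN issuer changed: '$old_issuer' -> '$new_issuer' ($days_left days before expiry)"
        return 1
    fi
    # Same CA, but replaced long before the old certificate would expire.
    if [ "$days_left" -gt 30 ]; then
        echo "WARN certificate replaced $days_left days before expiry"
        return 1
    fi
    echo renewed
}

# Typical use, with ~/.tls_memory holding one record per host:
#   judge "$(grep "^$host|" ~/.tls_memory)" "$(fetch_record "$host")" "$(date +%s)"
```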

See Comodo’s blog for more info.

Comments are always welcome.