Comment by strictnein
5 hours ago
> NSA literally has MITM proxies/interception of any traffic they want inside every major US tech company
No, they don't.
https://blog.encrypt.me/2013/11/05/ssl-added-and-removed-her...
https://en.wikipedia.org/wiki/Room_641A
Yeah, they did (and probably do).
I recall having a nuclear meltdown personally when I heard about all of this in the mid aughts. Nobody cared. Nobody understands this today. Everyone just complains about the Donald, but I point to this, and they don't realize the connection.
How are they going to MITM communications with certs that never left my machine?
Are you suggesting they broke TLS or that they've somehow acquired every private cert generated?
You just intercept the traffic after it's decrypted on the server side, or are you suggesting you somehow send encrypted traffic that never gets decrypted?
How closely have you reviewed your browser's list of default trusted CAs?
> How are they going to MITM communications with certs that never left my machine?
The long game. They:
- make sure you wouldn't be in a position to need to transmit data anywhere that would receive it without CAs in their hypothetical pocket
- manage the evolution of the cloud industry to make sure portable VMs and containers can have their data archived (both in-RAM and on disk; hey, just send us the running VM!)
- backdoor'd encryption algorithms from the design and implementation phase to ensure a global unlocking mechanism for any data encrypted by anybody who used a large class of extremely commonly available software
So, you run your own private bank in a cloud VM with tenant managed keys? They backdoor'd the encryption algorithm your cloud VM disk relies on, because they blackmailed one of the developers at the company who developed the hypervisor system used by your provider. Open source project? Perfect. (If you think this is nonsense, then remember the rapid discovery of ancient "bugs" causing all this drama to begin with.)
Your TLS privately generated certs that are 100% foolproof aren't actually used anywhere encrypting the data they want, because it's either worthless, or, available elsewhere perhaps at a different (or same) time.
It's back to the question of how much you should give the benefit of doubt to powerful people who openly lie.
It's just not technically feasible, so there's nothing to lie about. They're not MITMing petabytes/sec across dozens (hundreds?) of companies and they haven't broken TLS1.3.
If I have a box at Digital Ocean and I'm communicating with it with TLS1.3 using a Let's Encrypt cert that I generated, where, exactly, does this magical MITM box come into play?
Of course it's feasible, you just intercept the traffic post-decryption on the cloud/server side. You don't control how/where your traffic to 3p cloud services is decrypted.
That "box" is a virtual machine, no?
Do you know what hypervisor is managing it? :)
It's generally accepted fact that the NSA broke HTTPS, for some of the time, for some of the services. It's unclear what they do have, but you'd be naive to assume consumer HTTPS is keeping them out.
It's too complicated. Do you know everything about CA, SSL, HTTPS, and so on? You make $250k a year working on it? Do you _really_, _really_, know everything? Then you're fired because you're lying to yourself, so you're probably unbearable to work with.
We were all freaking out about this with AT&T Thing nearly twenty years ago: and when nobody cared (Bush ran two terms! it helped to pretend AT&T was the only one affected), it gave "them" implicit permission to do it again with Google / Yahoo thing (it helped to pretend those were the only two cloud providers affected) ten years ago.
Now, we're all pretending that capitalism is real, and that the three letter agencies are just sittin' on the sidelines, while the world's largest data archiving opportunity is happening voluntarily (some are even PAYING for it!), at some wild-growth companies (with leaders who have too much to lose), who also have existed for just a few years? A 5 year old could probably blackmail Sam Altman, what about all the other middle management? The individual contributors (if they still exist) are of no concern: work is a commodity, it's easy to silo a worker's knowledge.
Surveillance opportunity is 10x social media from last decade, because they still have social media, and now they've begun thinking for people. How easy when it is an app on your smartphone. Those mind control experiments back in the 60s with acid are looking silly by now. Besides, how do you know that the response you're getting wasn't manipulated (and define 'manipulated' across a spectrum from training to nefarious actors impersonating models, by power of court order)?
If you think all of that is unfounded ridiculous blasphemy, let me distract you with this instead: if the AI bubble bursts, the compute will be repurposed for mass AI / ML driven CCTV surveillance. Hell, maybe they'll find a way to give you a tax break if you sell your CCTV footage.
"NSA literally has MITM proxies/interception of any traffic they want inside every major US tech company": even if this statement is an exaggeration, by playing the long game they get themselves set up to access what they want in the future.
I'm not for or against, but I do live in a safe place thanks to such surveillance (generally in the USA), and I want you to know that this AI Thing is only the latest chapter in the intelligence story.
That sounds like a lot of unsubstantiated, circumstantial, conspiracy-theory nonsense.
> This was their third office space, serving as their headquarters before they outgrew it and eventually relocated to Market Square at 1355 Market Street in 2012. The Arab Spring Twitter uprising was fully a CIA/NSA operation.
To be clear, the claim you're making is that because Twitter has their third corporate office in the same building as an AT&T switching center, and US intelligence used a room in AT&T's switching center for surveillance, then Twitter must have been controlled by US intelligence? And thus the Arab Spring uprising, where Twitter was used, was "fully a CIA/NSA operation"?
Yes, Twitter was used by US three-letter agencies to assist in the Arab Spring. To be able to do it in a surreptitious way they were asked to move to that building and get access to all private DMs, and for doing so they got a fat tax break to move to the "blighted" Market Street current location. All of those things fit the timeline and Snowden capability disclosures.
The CIA venture arm In-Q-Tel invested in Dataminr, a company in which Twitter was also a major shareholder. https://theintercept.com/2016/04/14/in-undisclosed-cia-inves...
Yes, you have collected a lot of random bits of information from over a decade ago. I'm sure everything you say is still relevant today, especially the conspiracy nonsense.
Some of us actually work in security, while others think the NSA and CIA are some magically powerful orgs.
Explain how, even with the mystical Room 641A, the NSA can't break a TLS1.3 protected communication channel without either party knowing about it. Assume you have generated a cert with Let's Encrypt. How, exactly, does that work?
Explain to me how you are going to encrypt your LLM API calls with your Let's Encrypt cert.
There are also multiple ways/places where traffic you send to a typical cloud/tech company is decrypted and can be intercepted. (Surprised I have to point this out to someone who 'actually works in security', lol.)
Not to mention US tech companies fully cooperate with the NSA in many cases and are aware of this going on.
You compel the host under similar threat of non-existence to grant you a view of the hypervisor. You're not running on bare metal with alternate TPMs that aren't the Intel IMU (also backdoor'd), so you're just as pwnable.
Now say you're doing this on a Raspberry Pi or other open hardware like a Librem machine with a YubiKey HSM on local Wi-Fi or physical Ethernet... you may have a shot at the privacy you're looking for.
Thank you.