Profile

Cover photo
Lawson Narse
Works at Colouring In
Attends University of Life
Lived in Here, There and Everywhere.
5,399 followers|472,141 views
AboutPostsPhotosVideos+1's

Stream

Lawson Narse

Shared publicly  - 
 
 
Vices and pleasure are not crimes. 
No victim, No crime.
Government parasites and pigs with badges need to learn from this quote.
#quoteoftheday  
1
Simon Frith's profile photo
 
Unless making them feel bad makes you happy ???¿¿¿.....

Lawson Narse

Shared publicly  - 
3
2
Gaston Hidalgo-Campusano's profile photoRon de Weijze's profile photoCorinne Henderson's profile photo
 
Beautiful details! 

Lawson Narse

Shared publicly  - 
 
"One year after the Boston Marathon attacks, the FBI is arguing that it needs yet more power to conduct expansive investigations, absent any indication that the target is involved in criminal activity. Here in Boston, we have evidence to back up the assertion that effective criminal investigations—not unaccountable surveillance capabilities—protect the public from serious threats like terrorism."
1
 
as Marcy Wheeler points out, rather than spending her time addressing silly ad hominem attacks, Feinstein scores a lot more points in basically pointing out that the real motivation for the report was Hayden's own lies to Congress:

What she notes is that the real inspiration for the report came after it was revealed to the Senate that a CIA staffer had ignored direct requests from Congress, the White House and others in the CIA and destroyed tapes showing the CIA torturing people. The destruction of the tapes was then hidden from Congress for some time as well. When it finally came to light, Hayden (then director of the CIA) told the Senate that it could review various cables and documents, which were "just as good" as the tapes. In looking into that claim from Hayden that the documents were just as useful as the deleted tapes, that the Senate decided to move forward on a full investigation. In other words, it wasn't emotions that motivated Feinstein, it was Hayden's lies to the Senate.
1
1
Snowandrews-TheOther's profile photo
 
Each day there's more and more evidence that while the NSA might not care about some mythical person talking to his or her mythical grandmother, it is very much collecting all sorts of information that those very same people thought were private -- and which clearly have nothing to do with national security.
1
1
Snowandrews-TheOther's profile photo

Lawson Narse

Shared publicly  - 
 
She's shocked. SHOCKED!11!

"Feinstein has also been outraged by recent revelations that the U.S. government has been spying on its own people. And by "people," of course, she meant "Dianne Feinstein.""
2

Lawson Narse

Shared publicly  - 
15
1
Dave Croy's profile photo

Lawson Narse

Shared publicly  - 
 
...the Commissioner raises his concerns regarding the “significant institutional overuse” of surveillance powers, noting that he believes the 514,608 figure appears “to be a very large number” and “the feel of being too many”. As a result, he has asked his inspectors to take a “critical look” at how the powers are being used, especially in the case of police forces.
2
1
Jacques Dupuis's profile photo
 
 
Has the NSA Been Using the Heartbleed Bug as an Internet Peephole?

When ex-government contractor Edward Snowden exposed the NSA’s widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort. Even Snowden touted encryption as a saving grace in the face of the spy agency’s snooping. “Encryption works,” the whistleblower said last June. “Properly implemented strong crypto systems are one of the few things that you can rely on.”

But Snowden also warned that crypto systems aren’t always properly implemented. “Unfortunately,” he said, “endpoint security is so terrifically weak that NSA can frequently find ways around it.”

This week, that caveat hit home — in a big way — when researchers revealed Heartbleed, a two-year-old security hole involving the OpenSSL software many websites use to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to ten, cryptographer Bruce Schneier ranks the flaw an eleven.

Though security vulnerabilities come and go, this one is deemed catastrophic because it’s at the core of SSL, the encryption protocol so many have trusted to protect their data. “It really is the worst and most widespread vulnerability in SSL that has come out,” says Matt Blaze, cryptographer and computer security professor at the University of Pennsylvania. But the bug is also unusually worrisome because it could possibly be used by hackers to steal your usernames and passwords — for sensitive services like banking, ecommerce, and web-based email — and by spy agencies to steal the private keys that vulnerable web sites use to encrypt your traffic to them.

A Google employee was among those who discovered the hole, and the company said it had already patched any of its vulnerable systems prior to the announcement. But other services may still be vulnerable, and since the Heartbleed bug has existed for two years, it raises obvious questions about whether the NSA or other spy agencies were exploiting it before its discovery to conduct spying on a mass scale.

“It would not at all surprise me if the NSA had discovered this long before the rest of us had,” Blaze says. “It’s certainly something that the NSA would find extremely useful in their arsenal.”
NSA Sets Its Sights on SSL

Although the NSA could use the Heartbleed vulnerability to obtain usernames and passwords (as well as so-called session cookies to access your online accounts), this would only allow them to hijack specific accounts whose data they obtained. For the NSA and other spies, the real value in the vulnerability lies in the private keys used for SSL that it may allow attackers to obtain.

Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data.

According to documents the paper obtained from Snowden, GCHQ had specifically been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt traffic in near-real time, and there were suggestions that they might have succeeded. “Vast amounts of encrypted internet data which have up till now been discarded are now exploitable,” GCHQ reported in one top-secret 2010 document. Although this was dated two years before the Heartbleed vulnerability existed, it highlights the agency’s efforts to get at encrypted traffic.

The Snowden documents cite a number of methods the spy agencies have used under a program codenamed “Project Bullrun” to undermine encryption or do end-runs around it — including efforts to compromise encryption standards and work with companies to install backdoors in their products. But at least one part of the program focused on undermining SSL. Under Bullrun, the Guardian noted, the NSA “has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.”

Security experts have speculated about whether the NSA cracked SSL communications and if so how the agency might have accomplished the feat. Now, Heartbleed raises the possibility that in some cases the NSA might not have needed to crack SSL. Instead, it’s possible the agency used the vulnerability to obtain the private keys of companies to decrypt their traffic.
The Good News

So far, though, there’s no evidence to suggest this is the case. And there are reasons why this method wouldn’t be very efficient for the NSA.

First, the vulnerability didn’t exist on every site. And even on sites that were vulnerable, using the Heartbleed bug to find and grab the private keys stored on a server’s memory isn’t without problems. Heartbleed allows an attacker to siphon up to 64kb of data from a system’s memory by sending a query. But the data that’s returned is random — whatever is in the memory at the time — and requires an attacker to query multiple times to collect a lot of data. Though there’s no limit to the number of queries an attacker can make, no one has yet produced a proof-of-concept exploit for reliably and consistently extracting a server’s persistent key from memory using Heartbleed.

“It is very likely that it is possible in at least some cases, but it hasn’t been demonstrated to work all the time. So even if a site is vulnerable, there’s no guarantee you’re going to be able to use [Heartbleed] to actually get keys,” Blaze says. “Then you’ve got the problem that it’s an active attack rather than a passive attack, which means they need to be able to do multiple round trips with the server. This is potentially detectable if they get too greedy doing it.”


The security firm CloudFlare, which has spent the last three days testing various configurations to determine if, and under what conditions, it’s possible to extract private keys using the Heartbleed vulnerability, says it hasn’t been able to do so successfully yet, though its tests have been limited to configurations that include the Linux operating system on Nginx web servers.

Nick Sullivan, a Cloudflare systems engineer, says he has “high confidence” that a private key can’t be extracted in most ordinary scenarios. Though it may be possible to obtain the key under certain conditions, he doubts it has occurred.

“I think it is extremely unlikely that a malicious attacker has obtained a private key from an Nginx server of a busy website,” he says.

So far, they believe private keys can’t be extracted from Apache servers either, though they don’t have the same level of confidence in that yet. “If it is possible with Apache, it’s going to be difficult,” he says.

A few other researchers have claimed on Twitter and on online forums that they have retrieved private keys under various circumstances, though there doesn’t appear to be a uniform method that works across the board.

Either way, there are now signatures available to detect exploits against Heartbleed, as Dutch security firm Fox-IT points out on its website, and depending on how much logging companies do with their intrusion-detection systems, it may be possible to review activity retroactively to uncover any attacks going back over the last two years.

“I suspect there are many people doing exactly that right now,” Blaze says.

So what might the world’s spy agencies say about all this? The GCHQ has a standard response for anyone who might wonder if the spooks used this or any other vulnerability to undermine SSL for their BULLRUN program. In a PowerPoint presentation the British spy agency prepared about BULLRUN for fellow spies, they warned: “Do not ask about or speculate on source or methods underpinning BULLRUN successes.” In other words, they’ll never say.
2
1
Snowandrews-TheOther's profile photo

Lawson Narse

Shared publicly  - 
 
"The N.S.A. at this point not only knows I raised complaints, but that there is evidence that I made my concerns known to the N.S.A.'s lawyers, because I did some of it through e-mail. I directly challenge the N.S.A. to deny that I contacted N.S.A. oversight and compliance bodies directly via e-mail and that I specifically expressed concerns about their suspect interpretation of the law, and I welcome members of Congress to request a written answer to this question [from the N.S.A.]."
6
2
Steve Lolyouwish's profile photoSnowandrews-TheOther's profile photo
People
Have him in circles
5,399 people
Giulio Mottola's profile photo
Jinath Premaratne's profile photo
Work
Employment
  • Colouring In
    Senior Crayon Monitor, present
Places
Map of the places this user has livedMap of the places this user has livedMap of the places this user has lived
Previously
Here, There and Everywhere.
Links
Other profiles
Contributor to
Story
Tagline
I have the attention span of a goldfish.
Education
  • University of Life
    present
Basic Information
Gender
Male
Lawson Narse's +1's are the things they like, agree with, or want to recommend.
Orweb: Private Web Browser
market.android.com

Orweb is the most privacy-enhancing web browser on Android for visiting any website, even if it’s normally censored, monitored, or on the hi

Trust Me, I'm A Tobacco Controller | Dick Puddlecote
dickpuddlecote.blogspot.com

One of Brussels' more prominent tobacco control industry NGOs has been taking to Twitter this weekend to engage with vapers on the sticky pr

Mascot Watch #26: Rose Amongst Thorns And Another Gong | Dick Puddlecote
dickpuddlecote.blogspot.com

A policy which also encompasses concerns such as effects on UK retailers, international trade, brand recognition, consumer choice, intellect

Pop Goes the (Welsh) Weasel!
feedproxy.google.com

There is a lot you can do with £1.6 million pounds. Personally I'd go for the next ten years resident in The Mamounia, but trying to be civi

Seat of Power: the computer workstation for the person with everything
arstechnica.com

The $21,500 Emperor 1510 LX rotates, tilts, talks, and comes with a cupholder.

The Redemption of Brooksie
www.annaraccoon.com

I wonder who remembers Moonlighting? It was all the rage back in the 80’s and featured Cybil Shepherd and a young Bruce Willis as the wisecr

Unprecedented e-mail privacy bill sent to Texas governor’s desk
arstechnica.com

While reform languishes in Congress, Austin moves to protect Texans' inboxes.

Tories not sufficiently unhinged, concedes Cameron
www.thedailymash.co.uk

DAVID Cameron has pledged to take the Conservative Party back to its mentally disturbed basics.

TobaccoTactics Wiki Stats Debunked - UPDATED with Awesomeness
nannyingtyrants.blogspot.com

The TobaccoTactics wiki makes a bold claim about visitor statistics, which in this blog post I prove to be false. This post has been updated

21 to Drink Coffee?
www.theatlantic.com

The U.S. FDA announced a plan to investigate and potentially regulate caffeine.

Japanese Illustrator Marumiyan
freeyork.org

Japanese illustrator Marumiyan began to draw in his youth under the influence of his father. His works are composed of many different colour

Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too
arstechnica.com

Linux/Cdorked backdoor exposes 100,000 Web visitors to potent Blackhole exploits.

Supreme Court of Iceland rules firm must process donations for WikiLeaks
arstechnica.com

Assange warns other companies involved in so-called blockade: "you're next."

Anna Soubry Is Not Fit For A Ministerial Post | Dick Puddlecote
dickpuddlecote.blogspot.com

Anna Soubry: I find it most bizarre that the advice I am given by my officials—and I absolutely accept their advice—is that, as the hon. Gen

DuckDuckGo
duckduckgo.com

We don't track you! Settings.

Government's Opinion Of You, In Thirteen Words | Popehat
www.popehat.com

Rarely has a legislator expressed what he thinks of the public with such eloquence and and brevity as Republican Tommy Tucker, Chairman of t

Sharp Conflict in Reports on Courthouse Duck Incident - Lowering the Bar
www.loweringthebar.net

The UPI reported it this way: HONOLULU, April 10 (UPI) -- Authorities in Honolulu said they confiscated two bottles of beer and a live duck

Nokia battles Google to kill open video
www.infoworld.com

Nokia has made explicit its antipathy toward Google's open video format VP8, but the community can outflank Nokia's patent maneuvers

Client: I need an email blast done for my other...
clientsfromhell.net

Client: I need an email blast done for my other company. Me: That’s fine, I’ll lay out a few drafts for you by tomorrow. Client: Any chance

Kim Dotcom’s Gaming Lag Hints at New Spying Controversy | TorrentFreak
torrentfreak.com

New information suggests that Megaupload founder Kim Dotcom may have been spied on for weeks longer than the authorities have admitted. Last