Viewing 40 posts - 41 through 80 (of 174 total)
  • Web Surveillance – put it down son, put it down…
  • footflaps
    Full Member

    VPNs are not as safe as first thought

    The example you quote though wasn’t a failure of the VPN, they exploited other weaknesses and stole keys, which is different. If you implement a VPN and choose a proper long random key for each session, you aren’t exposed to this sort of attack.

    If VPNs were easily breakable then pretty much all banking traffic and online purchases would be up for grabs and given organised crime has a lot of money and skilled resources dedicated to trying to crack SSL etc, the fact it still seems to work seems pretty good evidence they can’t crack strong encryption.

    As for Skype, since MS bought it they changed the protocol to route all traffic via MS HQ so they could eavesdrop it – so no one should assume that is secure.

    Most of the NSA exploits try and get round having to use brute force horse power to crack encryption. If you correctly implement a VPN and esp if you use two layer encryption with one time use throw away keys, eg perfect forward secrecy, it is impossible with current computing power to crack it.

    wwaswas
    Full Member

    have a read of this footflaps;

    http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/

    I’m not an expert but I’ve read enough recently to believe that there’s little encryption that can be used that isn’t vulnerable, either due to poor key choice, back doors or hardware compromises at either end of the conversation.

    It doesn’t bother me *that much* but I’m dead against bulk data collection in the name of security.

    footflaps
    Full Member

    Yep, read that when it came out. Again they exploited an implementation weakness that meant they could simplify bulk force cracking enough that the code space was small enough to fully explore using massive resources. A strong random key VPN is still uncrackable (or no known crack is in the public domain).

    brassneck
    Full Member

    VPNs are fine for reasonable (even good) security, in the same way you lock your door as you leave the house. You wouldn’t board it up too just in case someone happens by with a set of lockpicks.

    If you are sufficiently of interest to have your VPN compromised, I suspect ‘they’ will already be listening in a number of other ways or have attempted to compromise your PC/phone, it’s way easier (unless you’re using a commercial already exploited client with a known weakness).

    You could go to something like Whonix, but to me that raises a big ‘watch me closely’ flag too, if you start after registering on a watch list.

    moose
    Free Member

    It pains me to know that I’m going to see my service out under this Tory government. This piece of legislation is another of the many reasons I dislike them and May in particular.

    jekkyl
    Full Member

    moose – Member
    I dislike them and May in particular.

    Greg, Brian or James?

    moose
    Free Member

    Touche. 😆

    wwaswas
    Full Member

    Edward Snowden on twitter is quite good this afternoon.

    squirrelking
    Free Member

    http://singletrackworld.com/forum/topic/which-websites-have-you-visited

    Sorry Kryton…

    Loddrik – your argument is utter rubbish, if you honestly think (as you really do come across) that we live in a 1950’s utopia where the state are looking after our best interests and only the baddies have something to hide you’re seriously wrong.

    RopeyReignRider
    Free Member

    It’d only worry me if I thought that the government or their agencies had the grounds on which to request to view the data (via Court Order).

    People seem to have lost the plot a bit – it’s not mass real time surveillance, it’s the logging of (mostly) metadata that can be requested to be viewed if there’s justification.

    And yes I’m aware of the GCHQ SIM card / mobile hack(s) but personally have no reason to think they’d have any interest in me..

    footflaps
    Full Member

    Good suggestion in the Grauniad

    Can I protest-browse to show I’m unhappy with the new law?
    One way to prevent an accurate profile of your browsing history from being built could be to visit random sites. Visiting nine random domains for every website you actually want to visit would increase the amount of data that your ISP has to store tenfold. But not everybody has the patience for that.

    I suspect someone will create a browser plug in which randomly browses 1000s of sites 24/7 in the background for you. If not, I might write one…

    MoreCashThanDash
    Full Member

    It’s a sad day in the MoreCash household when I’m agreeing with Loddrik.

    Google and my ISP already know all the weird stuff I look at on the net. Passing it to the Police and MI5 really doesn’t bother me.

    DrJ
    Full Member

    Google and my ISP already know all the weird stuff I look at on the net. Passing it to the Police and MI5 really doesn’t bother me.

    So if they want to build a toxic waste site on your favourite trail, and you wanted to protest about it, you’d be happy to be on a list of “eco terrorists”?

    gwaelod
    Free Member

    have they moved on from outlawing proper encryption and only allowing encryption that can be cracked – thus destroying in one fell swoop the entire online shopping and banking industries. or are they still toying with it?

    gwaelod
    Free Member

    Good suggestion in the Grauniad

    “Can I protest-browse to show I’m unhappy with the new law?
    One way to prevent an accurate profile of your browsing history from being built could be to visit random sites. Visiting nine random domains for every website you actually want to visit would increase the amount of data that your ISP has to store tenfold. But not everybody has the patience for that.”

    I suspect someone will create a browser plug in which randomly browses 1000s of sites 24/7 in the background for you. If not, I might write one…

    I really don’t think politicos have got the hang of 21st C yet

    sirromj
    Full Member

    I suspect someone will create a browser plug in which randomly browses 1000s of sites 24/7 in the background for you. If not, I might write one…

    Almost there:
    https://addons.mozilla.org/en-GB/firefox/addon/trackmenot/
    https://addons.mozilla.org/en-US/firefox/addon/white-noise-generator/

    CaptainFlashheart
    Free Member

    Stoatsbrother
    Free Member

    Somewhere a Tory STWer is probably ruining their keyboard with that image 😉

    satchm00
    Free Member

    Credit to Bullshire Police.

    oldnpastit
    Full Member

    If you think the security services can be trusted not to abuse their powers then you haven’t been paying attention recently.

    timba
    Free Member

    In 2015 the ONS estimated that 39.3m adults in GB accessed the internet either every day or nearly every day. Add in the number of phone calls, texts, etc

    Just who is going to read it all?

    Your data will be stored, your data will be analysed by computer, but nobody will bother to read it and do anything with it unless you’re targeted

    To use the curtains analogy ^^, robotic cameras will gaze in, but nobody will have the time to look. It’s a pile of video gathered for no good reason that nobody will ever see. It’s not a pleasant thought but I can’t change that it happens

    All that the publicity around these powers achieves is to tell baddies to communicate using other means

    mikewsmith
    Free Member

    All that the publicity around these powers achieves is to tell baddies to communicate using other means

    So basically taking that argument to its logical conclusion things like this should be done in secret without telling anybody and the retention of data is pointless as everyone who they are trying to track has taken steps to avoid being tracked.

    timba
    Free Member

    So basically taking that argument to its logical conclusion

    Isn’t that two conclusions?

    1)…things like this should be done in secret without telling anybody

    Yes if, and only if, it will protect lives

    2)…and the retention of data is pointless as everyone who they are trying to track has taken steps to avoid being tracked.

    Not necessarily. If the very serious are aware they will avoid being tracked. The less aware will still get caught through data

    mikewsmith
    Free Member

    Not necessarily. If the very serious are aware they will avoid being tracked. The less aware will still get caught through data

    Considering I can buy a sim with no ID, charge it with cash and browse from any number of anonymous hot spots it’s one of the easiest things to get around.

    FuzzyWuzzy
    Full Member

    If anyone thinks they can’t trace you on Tor you’re very misguided and a single VPN hop is only as anonymous as the VPN provider makes it – if you trust them you’re also misguided.

    bencooper
    Free Member

    Your data will be stored, your data will be analysed by computer, but nobody will bother to read it and do anything with it unless you’re targeted

    Except when an automatic algorithm decides you’re a terrorist threat. A while back I bought a book on how to make explosives from eBay. So I’m on a list somewhere. Then I hang around this forum which is supposedly about bikes, but that seems to be a side interest – congratulations, you’re all on the list too.

    Ever visited the CND*, Liberty or Amnesty websites? You could be a dangerous anti-government subversive – and so could all your online contacts.

    The problem here isn’t humans individually trawling through your web history – there’s nowhere near enough people for that – it’s some badly-written algorithm going through and data mining anyone it thinks should be investigated.

    *Glasgow City Council recently held a training course about preventing terrorist threats – anti-nuclear campaigners were one of the threats on the list.

    retro83
    Free Member

    Your data will be stored, your data will be analysed by computer, but nobody will bother to read it and do anything with it unless you’re targeted

    Snowden: NSA employees routinely pass around intercepted nude photos
    “These are seen as the fringe benefits of surveillance positions,” Snowden says.

    http://arstechnica.com/tech-policy/2014/07/snowden-nsa-employees-routinely-pass-around-intercepted-nude-photos/
    http://www.theguardian.com/world/video/2014/jul/17/edward-snowden-video-interview

    bencooper
    Free Member

    What’s particularly bizarre is the way the government says that this is a response to Snowden. Snowden revealed that security services were intercepting all this stuff and watching us all, and instead of telling the security services to stop it, the government decides to make what they’re doing legal.

    It’s like the philosophy that we should always give the police the powers they ask for. Isn’t that a good definition of a police state?

    Considering I can buy a sim with no ID, charge it with cash and browse from any number of anonymous hot spots it’s one of the easiest things to get around

    That’s sort of the question I failed to ask properly on the first page. If you’re seriously into nefarious activities it would seem to be fairly easy to remove the link between an online activity and an individual.

    So the only people they might catch are the folk Bencooper mentions above. People who aren’t really doing anything wrong. Unless the government decides you are.

    nickc
    Full Member

    If you think the security services can be trusted not to abuse their powers

    My browser history has The Greens, CND, Wikileaks, Medialens, Socialist Workers, links to Hamas, and other Palestinian groups, Stephen Lawrence support groups, and anti Fascist groups. I’ve given money to several of them, and been on countless parades and marches. An awful lot of those groups have been infiltrated by the State, and I’m in no doubt my photo exists on any number of databases. This is another way the State can and will monitor a citizen (me) who’s done nothing illegal ever.

    cheers, Theresa.

    noltae
    Free Member

    “If you’ve done nothing wrong , you’ve nothing to hide”

    – Joseph Goebbels ..

    Snowden: NSA employees routinely pass around intercepted nude photos
    “These are seen as the fringe benefits of surveillance positions,” Snowden says.

    And back in the day people working in photo labs also used to do this. It’s less about surveillance and more about easy access to dirty photos.

    But the photo labs would also report paedophiles to the police. They were intercepting private information. Were they wrong to do that?

    wwaswas
    Full Member

    Been thinking about this.

    It’s worrying that ISPs are being asked to not only collect but store the information.

    It’s not all going into some well protected db at GCHQ, it’s on the servers of, say, Talk Talk.

    So, regardless of what the government do with the info we also have to worry about the whole lot being downloaded by a 12 year old from Milton Keynes and posted on the web.

    I don’t know what exactly will be stored but one assumes it will be personally identifiable data and whilst it may at the moment have little real value that’s not to say it won’t in the future – either to allow people to be blackmailed or to gain a list of sites they visit which can be tied to a stolen list of passwords from elsewhere.

    bencooper
    Free Member

    Or even used for marketing purposes – say McDonalds want to find everyone who visited the Burger King website in the last year and target them with adverts. It makes the fuss about storing cookies seem insignificant.

    bencooper
    Free Member

    More thoughts on this: I’ve heard a couple of examples given by those in favour of these measures. One was that if child abductors were discussing things by phone the police could tap their phones but not if they’re doing it online. The second example was used to counter the idea that smart criminals would find other ways to communicate – the suggestion was that police still collect fingerprints even though criminals could wear gloves.

    There’s a fundamental difference with those two ideas. They both only work if you assume the person might be a criminal. The police only tap someone’s phone if they think they might be up to no good. They only take fingerprints from people arrested, not the whole population.

    What these measures do is they put that assumption on all of us. They assume we’re all criminals. There’s no assumption of innocence here.

    wwaswas
    Full Member

    and even if they take fingerprints from someone they investigate they have to destroy them if no charges are brought.

    This data is held by ISPs for 1 year but if accessed by security services they can keep it for ever.

    What these measures do is they put that assumption on all of us. They assume we’re all criminals. There’s no assumption of innocence here.

    But it’s not really so different to what happens already with phone records. The mobile operators keep a record of your calls for billing purposes. If they have reason to do so, the police can access these records.

    ISPs don’t keep a record of websites you visited as they don’t need to. This legislation forces them to keep the same records as a phone operator might. The police still won’t have routine access to an individual’s web history.

    So do the cops assume we are all criminals just because they CAN access our mobile phone records?

    wwaswas
    Full Member

    from the BBC front page:

    MI5 ‘secretly collected phone data’ for decade


    MI5 has secretly been collecting vast amounts of data about UK phone calls to search for terrorist connections, the BBC has learned.

    The programme has been running for 10 years under a law described as “vague” by the government’s terror watchdog.

    http://www.bbc.co.uk/news/uk-politics-34729139

    So not only CAN they access the data about us they DO.

    retro83
    Free Member

    somewhatslightlydazed – Member
    And back in the day people working in photo labs also used to do this. It’s less about surveillance and more about easy access to dirty photos.

    It was wrong for them to pass them around too, however, there is a critical difference, and that is you are choosing to pass your film to somebody with the knowledge they will quite possibly see whatever is on it during the normal course of their work.

    The situation with the NSA viewing people’s private pics is more like them picking the lock on your front door, letting themselves into your house, looking through your bedside cabinet for polaroids you might have taken, then taking a copy and passing them around their mates.

    Similar in a way to not objecting to being on CCTV in a shop or walking down the high street, but they can **** off putting one in my lounge. Let me pick my nose in peace 😀

    Forget the paedophile thing, it could be used to justify absolutely anything and nobody can argue against it because


The topic ‘Web Surveillance – put it down son, put it down…’ is closed to new replies.