U.S. firm helped the spyware industry build a digital weapon for sale overseas (washingtonpost.com)
110 points by rpupkin on Aug 16, 2014 | 18 comments



Well this certainly sheds some light on Google's decision to try to force SSL encryption by factoring that into their page ranking algorithm(s). Among the speculation was the idea that it was a way of flipping off the NSA, and like agencies, by making their job harder by encouraging others to encrypt their traffic. In my opinion, this speculation now has more sturdy ground to stand on.

It's a shame that we're reduced to posting our outrage on the internet and left with no real actionable moves on the issue. We can fight it by working towards encrypting our data/traffic, but we can't force a public conversation on the issue that would result in stopping the all-out effort to collect and analyze the actual data. We'll forever be in a cat-and-mouse game over the issue. With the people involved in this having a significant leg up over the global community and always being one step ahead.

I get that this sort of thing can, and likely is, used to protect the general public from nefarious actors. What's a shame is that at this point we assume it's also used against the general public, an assumption that comes with good reason.


> Until then CloudShield had sold its CS-2000 device, a multipurpose network and content processing product, primarily to the Air Force and other Pentagon customers, who used it to manage and defend their networks, not to attack others

Given that the NSA must get the hardware for QUANTUM somewhere, this statement seems remarkably strong/naive.


So, does anyone have any inside knowledge (or good references) to what Google ended up doing when they recently started switching their networks to use encrypted transports? Do they run over ip4 or ip6, and are they using traditional vpn or ipsec? I've previously been rather sceptical of the "new improved support for encryption and authentication" ipv6 brings -- I mean we're already late rolling out ipv6 -- is complicating it with key management really what we need? But given the late revelations that even the paranoid have been naively optimistic -- and given that it appears ipv6 is still in need of planning and new projects for a decent percentage roll-out -- perhaps advocating ipv6 with ipsec is a good idea after all?

Thoughts?


I think advocating ipv6 is a good idea in general. IPSec was originally developed as part of the ipv6 stack. It's theoretically built in, and should be used whenever possible.

http://en.wikipedia.org/wiki/IPv6#Network-layer_security


This may be part of the reason that Google started testing forced SSL redirects on youtube.com in the past couple of weeks. Run a few curl requests to youtube.com; about 50% of the time I'm redirected to the SSL site.


Naming your company "Hacking Team" when your job is to hack other machines is slightly refreshing. If only all companies would do this, we'd know what these folks were up to behind the scenes.


There was a time when exporting strong encryption was a crime. Now anybody can export network intrusion malware.


"Coding is not a crime." -- ye olde eff of yore


76 points and no comments?

What I came here to ask is, what is the Youtube vulnerability?


> What I came here to ask is, what is the Youtube vulnerability?

"The user sees the “cute animal videos” he expects, according to Citizen Lab, but the malicious code exploits a flaw in Adobe’s Flash video player to take control of the computer."


Man, I skimmed that way too fast. Basically just MITM for non-SSL connections.


> 76 points and no comments?

This could very well be the effect of the recent proof that everybody is effectively under surveillance now (it's called "the Chilling Effect").


I dunno, there's been much more controversial and 'risky' subjects with plenty of comments. At least to my mind. I mean, people haven't been exactly signing the praises of the NSA, have they?


It's probably because they've been signing NDAs


> 76 points and no comments?

Given that HN contains the antithesis for every single argument that has occurred to mankind, I was especially curious to see if anyone would justify the behaviour and business ethics of Gamma, Hacking Team, etc. Lack of opinions seems weird indeed.


> 76 points and no comments?

Water is wet. There's just not much to comment on.


Yes. Don't use Flash or Java in your browser.


I'd expand that to include any third party plugin that executes live code. Flash and Java are just the two with the greatest penetration and the worst security records.



