[ryanmolden]

This is not my area, so excuse the ignorance, but this statement:

A: "The NSA has built an infrastructure that allows it to intercept almost everything. With this capability, the vast majority of human communications are automatically ingested without targeting. If I wanted to see your emails or your wife's phone, all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards."

Specifically the part about 'all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards'. Does that not imply they have found a weakness in TLS/SSL? Once the information is transmitted (say my Facebook password) to an https endpoint it is already encrypted, no? So them 'sniffing'/intercepting the packets would do no good, unless they could decrypt them.

[jessedhillon]

He was a sysadmin and he didn't finish high school, let alone receive an actual technical education -- he's said a lot of very difficult to believe technical things. I don't mean to imply that only educated people know anything important, but unless he just had an amazing aptitude for learning this stuff on his own, I find it plausible that he had only a slight idea of how consumer encryption works and he actually didn't know what he was looking at when he saw whatever made him leak. Who knows without his documents -- I could be all wrong.

At some point I think he claimed that he could've copied the list of all US intelligence assets, even those undercover. Well, given that the NSA developed selinux to compartmentalize filesystem access in such a way as to make such a breach difficult, I am not sure how to reconcile his statements. I also find it beyond belief that a contractor could actually access what he claims he could've.

[gkop]

Intercept could also mean man-in-the-middle.

[XorNot]

Which would be trivial if they had agreements with the various mostly US providers to quickly get man-in-the-middle signed keys from their CA's.

Although this seems like it would be quick to spot since if you were watching certificate fingerprints change then you'd see the switchover and switchback.

[Amadou]

I use the Cert Patrol plugin ( http://patrol.psyced.org/ ) and I've noticed periods of a few days to a week where SSL certs on major sites like google have changed rapidly. Usually they were all from the same authority so I didn't think much of it. But now I am even more paranoid. Thanks man.

[toyg]

Me too, I stopped using that plugin because Facebook and Google would constantly change their certificates, so I'd end up just clicking OKOKOKOK, never looking at the certificate, defeating the whole point.

At the time, I assumed it was just a snag with the umpteen layers of caching and content-distribution networks that they must be using. Now it looks quite a bit more sinister.

[sitkack]

Could you make a showhn or maybe just reply with a pastebin of security/privacy tools you would recommend?

[ryanmolden]

Yeah, I know nothing about this area (so this is just speculation, ignore it as such if you wish), but it seems getting a firehose feed of all traffic would be easier and less exposure prone, than getting every ISP to allow a MITM and having absolutely no one in the computer security industry notice. Don't get me wrong, I would prefer a MITM, at least then you know they haven't broken crypto that is widely believed secure, the alternative is a bit scarier :)

[antihero]

"Does that not imply they have found a weakness in TLS/SSL?"

Would it not be simpler to get access to a root CA?