Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Come-from-Beyond on October 15, 2015, 07:19:50 PM



Title: Security holes can be in unexpected places
Post by: Come-from-Beyond on October 15, 2015, 07:19:50 PM
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf) - the best paper of ACM CCS 2015 (http://www.sigsac.org/ccs/CCS2015/) is pretty interesting:
Quote
We investigate the security of Diffie-Hellman key exchange as
used in popular Internet protocols and find it to be less secure
than widely believed. First, we present Logjam, a novel flaw
in TLS that lets a man-in-the-middle downgrade connections
to “export-grade” Diffie-Hellman. To carry out this attack,
we implement the number field sieve discrete log algorithm.
After a week-long precomputation for a specified 512-bit
group, we can compute arbitrary discrete logs in that group
in about a minute. We find that 82% of vulnerable servers use
a single 512-bit group, allowing us to compromise connections
to 7% of Alexa Top Million HTTPS sites. In response, major
browsers are being changed to reject short groups.

We go on to consider Diffie-Hellman with 768- and 1024-bit
groups. We estimate that even in the 1024-bit case, the computations
are plausible given nation-state resources. A small
number of fixed or standardized groups are used by millions
of servers; performing precomputation for a single 1024-bit
group would allow passive eavesdropping on 18% of popular
HTTPS sites, and a second group would allow decryption
of traffic to 66% of IPsec VPNs and 26% of SSH servers. A
close reading of published NSA leaks shows that the agency’s
attacks on VPNs are consistent with having achieved such
a break.
We conclude that moving to stronger key exchange
methods should be a priority for the Internet community.

This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?


Title: Re: Security holes can be in unexpected places
Post by: achow101 on October 15, 2015, 07:48:22 PM
This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?
Well why should we care about the NSA? I would be more worried about someone somehow using that to break into my account and stealing all of my Bitcoin.


Title: Re: Security holes can be in unexpected places
Post by: Come-from-Beyond on October 15, 2015, 08:04:27 PM
Well why should we care about the NSA?

So you don't care, got it.


Title: Re: Security holes can be in unexpected places
Post by: Pattart on October 15, 2015, 08:32:19 PM
This is kinda worrying that people can eavesdrop on our communications with any site, but it doesn't seem to be very prevalent. It isn't something that makes up a majority of the sites visited, so I don't think this particular vulnerability is worrying.


Title: Re: Security holes can be in unexpected places
Post by: VirosaGITS on October 15, 2015, 09:56:31 PM
This is kinda worrying that people can eavesdrop on our communications with any site, but it doesn't seem to be very prevalent. It isn't something that makes up a majority of the sites visited, so I don't think this particular vulnerability is worrying.

I think the NSA has better things to do than monitor everyone's International use of Bitcoin. Until your TX's are linked to suspected terrorist/criminal activity that affect the US or international policies in any way, i think you can put down the Tinfoil hat.


Title: Re: Security holes can be in unexpected places
Post by: zencomp on October 16, 2015, 03:56:17 AM
This is kinda worrying that people can eavesdrop on our communications with any site, but it doesn't seem to be very prevalent. It isn't something that makes up a majority of the sites visited, so I don't think this particular vulnerability is worrying.

I think the NSA has better things to do than monitor everyone's International use of Bitcoin. Until your TX's are linked to suspected terrorist/criminal activity that affect the US or international policies in any way, i think you can put down the Tinfoil hat.

what you said is correct, they have lot of big problems to solve instead of wasting time here until they find any source of work related to this job.


Title: Re: Security holes can be in unexpected places
Post by: pooya87 on October 16, 2015, 05:00:54 AM
it would be an invasion but this is a public forum so anybody is seeing what we are all doing and there is no hiding that. and as long as i don't get f***ed for just using bitcoin legally i don't care.

besides i agree with VirosaGITS, NSA watching us feels like conspiracy theories.


Title: Re: Security holes can be in unexpected places
Post by: n2004al on October 16, 2015, 05:24:13 AM
This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?

I don't care at all. I have nothing to hide and to have fear. Everyone who want can read everything I write or everything I do at internet. So no fear from NSA or every kind of Agencies who make the same or similar jobs.  ;)


Title: Re: Security holes can be in unexpected places
Post by: Operand on October 16, 2015, 05:44:02 AM
Cant be that bad eh? I mean as if it's bad enough that governments are able to activate one's camera and microphone on laptops, computers and now mobile phones as confirmed by Snowden ;)


Title: Re: Security holes can be in unexpected places
Post by: n2004al on October 16, 2015, 05:49:27 AM
Cant be that bad eh? I mean as if it's bad enough that governments are able to activate one's camera and microphone on laptops, computers and now mobile phones as confirmed by Snowden ;)

If you read well the question in that is not mentioned this thing answered by you but another. It is about the things and your habitue on internet and not about things made in your home.  ;) So your answer is out of this topic.  :D


Title: Re: Security holes can be in unexpected places
Post by: shorena on October 16, 2015, 06:05:25 AM
it would be an invasion but this is a public forum so anybody is seeing what we are all doing and there is no hiding that. and as long as i don't get f***ed for just using bitcoin legally i don't care.

Yet, if you read what the paper suggests.

Quote
Transitioning to elliptic curve Diffie-Hellman (ECDH) key exchange with
appropriate parameters avoids all known feasible cryptanalytic attacks.
Current elliptic curve discrete log algorithms for strong curves do not
gain as much of an advantage from precomputation. In addition, ECDH keys
are shorter than in “mod p” Diffie-Hellman, and shared-secret computations
are faster. Unfortunately, the most widely supported ECDH parameters,
those specified by NIST, are now viewed with suspicion due to NSA
influence on their design, despite no known or suspected weaknesses.
These curves are undergoing scrutiny, and new curves, such as Curve25519,
are being standardized by the IRTF for use in Internet protocols. We
recommend transitioning to elliptic curves where possible; this is the
most effective long-term solution to the vulnerabilities described in
this paper.

and check which key exchange algo is used for bitcointalk.org it seems this board is not affected.


besides i agree with VirosaGITS, NSA watching us feels like conspiracy theories.

I think you missed the news over the last years. They watch everything and everyone.
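
A defender-side version of the check described in the post above, as an added example that is not part of the thread: it reads the `Server Temp Key` line from captured `openssl s_client` output and sorts the result by the group sizes named in the quoted abstract. The sample transcripts are constructed, the line format is assumed from OpenSSL, and the function names and verdict labels are hypothetical.

```python
import re

# Line format assumed from `openssl s_client` output, for example
#   "Server Temp Key: DH, 1024 bits" or "Server Temp Key: ECDH, P-256, 256 bits"
TEMP_KEY = re.compile(
    r"^Server Temp Key:\s*(?P<desc>.+?),\s*(?P<bits>\d+)\s*bits\s*$", re.M
)

# Verdict labels are this example's own wording; the size boundaries come
# from the abstract quoted in the first post (512, 768 and 1024 bits).
EXPORT_GRADE = "export-grade group: the size Logjam downgrades to"
NATION_STATE = "up to 1024 bits: precomputation estimated plausible for a nation state"
LARGER_DH = "mod-p group larger than the sizes analysed in the abstract"
ELLIPTIC = "elliptic-curve exchange: the transition the paper recommends"
NO_TEMP_KEY = "no ephemeral key reported: forward secrecy not shown"
UNKNOWN = "unrecognised key type"

EC_KINDS = {"ECDH", "X25519", "X448"}


def classify_key_exchange(s_client_output: str):
    """Return (kind, bits, verdict) for one captured handshake transcript."""
    match = TEMP_KEY.search(s_client_output)
    if match is None:
        return ("none", 0, NO_TEMP_KEY)
    # "ECDH, P-256" -> "ECDH"; the curve name is not needed for the verdict.
    kind = match.group("desc").split(",")[0].strip()
    bits = int(match.group("bits"))
    if kind == "DH":
        if bits <= 512:
            return (kind, bits, EXPORT_GRADE)
        if bits <= 1024:
            return (kind, bits, NATION_STATE)
        return (kind, bits, LARGER_DH)
    if kind in EC_KINDS:
        # Curve sizes are not comparable with mod-p sizes, so no bit threshold.
        return (kind, bits, ELLIPTIC)
    return (kind, bits, UNKNOWN)


# Constructed transcripts (trimmed to the relevant lines), not real captures.
SAMPLES = {
    "legacy-export": "CONNECTED(00000003)\n---\nServer Temp Key: DH, 512 bits\n---\n",
    "common-1024": "---\nServer Temp Key: DH, 1024 bits\n---\n",
    "dh-2048": "---\nServer Temp Key: DH, 2048 bits\n---\n",
    "ecdhe-p256": "---\nServer Temp Key: ECDH, P-256, 256 bits\n---\n",
    "x25519": "---\nServer Temp Key: X25519, 253 bits\n---\n",
    "static-rsa": "---\nNew, TLSv1/SSLv3, Cipher is AES128-SHA\n---\n",
}


def audit(samples):
    """Classify every transcript in a {name: text} mapping."""
    return {name: classify_key_exchange(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, (kind, bits, verdict) in audit(SAMPLES).items():
        print(f"{name:14} {kind:7} {bits:5}  {verdict}")
```
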



Title: Re: Security holes can be in unexpected places
Post by: franky1 on October 16, 2015, 06:24:46 AM
lets imagine it this way..

lets accept that the NSA has full access to all our data.

dont get me wrong, i dont like 3rd parties having my information. but you have to ask yourself, if you put your information out-there either letting it pass through your ISP or put onto facebook, or having an online bank account as oppose to a bill-by-post account then you are just asking for your data to be spread.

now.. the important part

out of 7 billion people, what are the chances that the NSA would even look at your data specifically, investigating you and looking at everything you do for official reasons?

i personally dont care about NSA having access to my data, because chances are id never be investigated.. but im more concerned about my privacy in regards to random people. even people temping and subcontracted to the NSA, or hackers, or ex-girlfriends trying to get at my data for their own amusement or to use it against me in someway.

so dont worry about the NSA as an institution because unless your doing anything illegal, theres nothing to worry about..
but do worry about the PEOPLE that could get their hands on your data for unofficial reasons. and as i said that can include nsa employee's.

afterall if you personally worked for the police or fbi, wouldnt you be tempted to search out stuff on your neighbour or exgirlfriend..




Title: Re: Security holes can be in unexpected places
Post by: Holliday on October 16, 2015, 06:41:16 AM
so dont worry about the NSA as an institution because unless your doing anything illegal, theres nothing to worry about..

How naive can you be?

out of 7 billion people, what are the chances that the NSA would even look at your data specifically, investigating you and looking at everything you do for official reasons?

Gee... a user of that "shady, dark web currency"... I would say the chances are significantly higher than average.


Title: Re: Security holes can be in unexpected places
Post by: LiQio on October 16, 2015, 06:51:14 AM
out of 7 billion people, what are the chances that the NSA would even look at your data specifically, investigating you and looking at everything you do for official reasons?

Sometimes it's the other way round with big data collections: you might not be investigated specifically, but sometimes political institutions need to leave someone holding the baby. This could be you, because your pattern matches best: guilty by inference.


Title: Re: Security holes can be in unexpected places
Post by: Amph on October 16, 2015, 07:06:56 AM
there are not 7B using internet, that's a naive thinking, more like half of, that, and i'm sure that with a right scrypt they can check those pretty fast

they can monitor you but don't have the tool to investigate? would be stupid and pointless from their end

but anyway i don't have anything to hide so i'm not worried


Title: Re: Security holes can be in unexpected places
Post by: Kakmakr on October 16, 2015, 07:16:32 AM
lets imagine it this way..

lets accept that the NSA has full access to all our data.

dont get me wrong, i dont like 3rd parties having my information. but you have to ask yourself, if you put your information out-there either letting it pass through your ISP or put onto facebook, or having an online bank account as oppose to a bill-by-post account then you are just asking for your data to be spread.

now.. the important part

out of 7 billion people, what are the chances that the NSA would even look at your data specifically, investigating you and looking at everything you do for official reasons?

i personally dont care about NSA having access to my data, because chances are id never be investigated.. but im more concerned about my privacy in regards to random people. even people temping and subcontracted to the NSA, or hackers, or ex-girlfriends trying to get at my data for their own amusement or to use it against me in someway.

so dont worry about the NSA as an institution because unless your doing anything illegal, theres nothing to worry about..
but do worry about the PEOPLE that could get their hands on your data for unofficial reasons. and as i said that can include nsa employee's.

afterall if you personally worked for the police or fbi, wouldnt you be tempted to search out stuff on your neighbour or exgirlfriend..




Most of us believe this, until you say something on a forum or Facebook or Twitter that they flagged as a possible threat to the USA. The topic could have been flagged out of context, but the software scanning the communication could isolate your words from those 6 billion people.

Simply typing the N$A abbreviation will already flag your post on their database.

The only solution is to stay legal in everything you do, and hope someone will not browse into your privacy for their pleasure and entertainment.

We have seen with the Silkroad case that there are corrupt agents out there, so it is not impossible for people to misuse these systems for their own benefit.



Title: Re: Security holes can be in unexpected places
Post by: pawel7777 on October 16, 2015, 10:23:32 AM
This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?

I don't care at all. I have nothing to hide and to have fear. Everyone who want can read everything I write or everything I do at internet. So no fear from NSA or every kind of Agencies who make the same or similar jobs.  ;)

Oh really? If so, would you mind sharing your personal info + address (scanned docs) right here in this post? Would you allow anyone to view your personal emails, text messages, call logs, google search history etc?

Edit: something to consider for all those blue-pilled members who think NSA is all about tracking terrorist and criminals:

http://www.dw.com/en/germany-fears-nsa-stole-industrial-secrets/a-16925289
http://www.informationclearinghouse.info/article37484.htm


Title: Re: Security holes can be in unexpected places
Post by: shorena on October 16, 2015, 11:21:07 AM
This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?

I don't care at all. I have nothing to hide and to have fear. Everyone who want can read everything I write or everything I do at internet. So no fear from NSA or every kind of Agencies who make the same or similar jobs.  ;)
Oh really? If so, would you mind sharing your personal info + address (scanned docs) right here in this post? Would you allow anyone to view your personal emails, text messages, call logs, google search history etc?
-snip-

Even if they dont mind, its still no argument.

Quote
Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.



Title: Re: Security holes can be in unexpected places
Post by: neoneros on October 16, 2015, 11:48:03 AM
A breach like this will only make the ones who really want to be private to better their efforts to keep out the eavesdroppers,

I do not like being eavesdropped, but what I do is what I do and at the moment I do not care what others think of it or if they tap into it, they shouldn't, just like when someone in the train besides me is not allowed to watch what is on my phone, I try to guard it with my hand. The NSA is harder to guard against, but technology will catch up. If I ever feel that the things I say or do might get me in trouble because the NSA or any institute thinks what I say or do is 'bad'. I will try harder to conceal. But at the moment, I feel safe enough to say and do as I like. So I might cut myself short here, if I ever digitally disappear, they know that what I am doing is not meant to be seen and worthy investigating..

So as long as Bitcoin is not linked to being criminal, I will not hide my bitcoin activities for the NSA, though I do think their eavesdropping is a big nuisance.


Title: Re: Security holes can be in unexpected places
Post by: DarkHyudrA on October 16, 2015, 12:30:16 PM
https://weakdh.org/
This website is nothing new, it's been around a few weeks the first time I saw it, if not more than a whole month, no?

And anybody can check if the website is protected from this attack.


Title: Re: Security holes can be in unexpected places
Post by: confirmation120 on October 16, 2015, 02:41:57 PM
https://weakdh.org/
This website is nothing new, it's been around a few weeks the first time I saw it, if not more than a whole month, no?

And anybody can check if the website is protected from this attack.

Cant open the link what does that site do?


Title: Re: Security holes can be in unexpected places
Post by: aakashsangwan on October 16, 2015, 03:19:56 PM
what does the title mean because security holes by what means, if you mean cbi or fbi then they have more complicated works then of watching this unnecessary until they find any links with the terrorist or illegal activity.


Title: Re: Security holes can be in unexpected places
Post by: maokoto on October 16, 2015, 03:48:57 PM
This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?
Well why should we care about the NSA? I would be more worried about someone somehow using that to break into my account and stealing all of my Bitcoin.

Agree. I pretty much do not care of people looking or having curiosity, what I do care if when they use it to do harm.


Title: Re: Security holes can be in unexpected places
Post by: Peachy on October 16, 2015, 04:05:23 PM
This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?

I don't care at all. I have nothing to hide and to have fear. Everyone who want can read everything I write or everything I do at internet. So no fear from NSA or every kind of Agencies who make the same or similar jobs.  ;)

"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."  -Edward Snowden


Title: Re: Security holes can be in unexpected places
Post by: Come-from-Beyond on October 16, 2015, 04:25:29 PM
what does the title mean because security holes by what means, if you mean cbi or fbi then they have more complicated works then of watching this unnecessary until they find any links with the terrorist or illegal activity.

I bet you'll be unpleasantly surprised in 15 years during your campaign for the USA president chair when NSA reveals that in 2015 you were watching Zoo section of Brazzers.


Title: Re: Security holes can be in unexpected places
Post by: BADecker on October 16, 2015, 05:34:54 PM
https://bitcointalk.org/index.php?topic=1209376.msg12703707#msg12703707

:)


Title: Re: Security holes can be in unexpected places
Post by: cellard on October 16, 2015, 06:26:15 PM
So they can crack VPNs? how does that work? Anyway I thought VPNs are subjected to delivering logs, so what's the point anyway. If someone wants true privacy they should use TOR from what i've read, it's the most anonymous internet you can get, and when we have stuff like darkwallet, Bitcoin will be as anonymous.


Title: Re: Security holes can be in unexpected places
Post by: Amph on October 16, 2015, 06:33:12 PM
So they can crack VPNs? how does that work? Anyway I thought VPNs are subjected to delivering logs, so what's the point anyway. If someone wants true privacy they should use TOR from what i've read, it's the most anonymous internet you can get, and when we have stuff like darkwallet, Bitcoin will be as anonymous.

the best anonymous would be to have your own vpn network, with some device all over the world in hidden location connected via satellite or a close wi-fi

i remember that tor, was not 100% anon, they can actually spy you if they want, and many nodes were blocked from some website


Title: Re: Security holes can be in unexpected places
Post by: DarkHyudrA on October 16, 2015, 07:39:25 PM
https://weakdh.org/
This website is nothing new, it's been around a few weeks the first time I saw it, if not more than a whole month, no?

And anybody can check if the website is protected from this attack.

Cant open the link what does that site do?
Have full detailed info about this security leak.
Has a small test to see if your browser knows how to implement the "good way" to exchange the crypto info.
And a link to the full paper where the OP extracted the text.


Title: Re: Security holes can be in unexpected places
Post by: teukon on October 16, 2015, 09:06:24 PM
so dont worry about the NSA as an institution because unless your doing anything illegal, theres nothing to worry about..
(emphasis mine)

That's a pretty damned big "unless"...

afterall if you personally worked for the police or fbi, wouldnt you be tempted to search out stuff on your neighbour or exgirlfriend..
(emphasis mine)

... and a mind-boggling "if".


Title: Re: Security holes can be in unexpected places
Post by: n2004al on October 22, 2015, 10:06:36 AM
This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?

I don't care at all. I have nothing to hide and to have fear. Everyone who want can read everything I write or everything I do at internet. So no fear from NSA or every kind of Agencies who make the same or similar jobs.  ;)

Oh really? If so, would you mind sharing your personal info + address (scanned docs) right here in this post? Would you allow anyone to view your personal emails, text messages, call logs, google search history etc?

Edit: something to consider for all those blue-pilled members who think NSA is all about tracking terrorist and criminals:

http://www.dw.com/en/germany-fears-nsa-stole-industrial-secrets/a-16925289
http://www.informationclearinghouse.info/article37484.htm


Why must to do this? Why I must do such kind of job? You are the interested person who want to know those; you find the way to have those.

In my post I tell that I don't care from anything I do in internet. I can tell again this. But I must tell that when I wrote that sentence I had not in mind my emails or other personal stuffs. I meant navigating in internet. Following the way and the normal meaning of the expression used by OP to formulate its question - NSA monitor the bitcoin-related sited. Not the emails or other personal stuffs of the people, not even the people but the activity in the bitcoin-related sites. That it is simple navigation. Then if they find suspicious activity in such monitoring this is another thing. Bitcoin is used mostly in the dark web and I have not visited never this kind of sites. If they are able to find criminals monitoring this kind of bitcoin-related sites I can't do nothing else than congratulating with them.

But to tell the truth even if NSA will learn about my personal things or will read all my emails and learn some other personal things yet I don't care about this. It is another thing if my emails will be read by anyone (as it was understood my post by above poster). This is undesirable and in this point of view my above expression need correction.

If we go again to NSA, I don't think that NSA have the patience and, above all, the time to read all the emails of all the people which are not suspected. And I know that I am not suspected. Have made nothing in my life that can make me suspected person.

As I told above I have nothing to hide to NSA and they, (if want) can read every my email. I can give myself my password to them. Even I know that they read only the suspicious emails taken from key words or phrases. I am sure to not have such. If I have, no problem that NSA read even those. Will read more about me and my correspondence but I have not problem that that kind of people learn more about my "secret" life. My life is healthy and clean in everything. They will not find anything with interests about their job and will not made public those. So no one other will know something.

P.S. I haven't see you links because to tell the truth I don't care about the work of NSA.