Security holes can be in unexpected places

[Come-from-Beyond]

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice - the best paper of ACM CCS 2015 is pretty interesting:

We investigate the security of Diffie-Hellman key exchange as
used in popular Internet protocols and find it to be less secure
than widely believed. First, we present Logjam, a novel flaw
in TLS that lets a man-in-the-middle downgrade connections
to “export-grade” Diffie-Hellman. To carry out this attack,
we implement the number field sieve discrete log algorithm.
After a week-long precomputation for a specified 512-bit
group, we can compute arbitrary discrete logs in that group
in about a minute. We find that 82% of vulnerable servers use
a single 512-bit group, allowing us to compromise connections
to 7% of Alexa Top Million HTTPS sites. In response, major
browsers are being changed to reject short groups.

We go on to consider Diffie-Hellman with 768- and 1024-bit
groups. We estimate that even in the 1024-bit case, the computations
are plausible given nation-state resources. A small
number of fixed or standardized groups are used by millions
of servers; performing precomputation for a single 1024-bit
group would allow passive eavesdropping on 18% of popular
HTTPS sites, and a second group would allow decryption
of traffic to 66% of IPsec VPNs and 26% of SSH servers. A
close reading of published NSA leaks shows that the agency’s
attacks on VPNs are consistent with having achieved such
a break. We conclude that moving to stronger key exchange
methods should be a priority for the Internet community.

This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?

[achow101]

This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?

Well why should we care about the NSA? I would be more worried about someone somehow using that to break into my account and stealing all of my Bitcoin.

[Come-from-Beyond]

Well why should we care about the NSA?

So you don't care, got it.

[Pattart]

This is kinda worrying that people can eavesdrop on our communications with any site, but it doesn't seem to be very prevalent. It isn't something that makes up a majority of the sites visited, so I don't think this particular vulnerability is worrying.

[VirosaGITS]

This is kinda worrying that people can eavesdrop on our communications with any site, but it doesn't seem to be very prevalent. It isn't something that makes up a majority of the sites visited, so I don't think this particular vulnerability is worrying.

I think the NSA has better things to do than monitor everyone's International use of Bitcoin. Until your TX's are linked to suspected terrorist/criminal activity that affect the US or international policies in any way, i think you can put down the Tinfoil hat.

[zencomp]

This is kinda worrying that people can eavesdrop on our communications with any site, but it doesn't seem to be very prevalent. It isn't something that makes up a majority of the sites visited, so I don't think this particular vulnerability is worrying.

I think the NSA has better things to do than monitor everyone's International use of Bitcoin. Until your TX's are linked to suspected terrorist/criminal activity that affect the US or international policies in any way, i think you can put down the Tinfoil hat.

what you said is correct, they have lot of big problems to solve instead of wasting time here until they find any source of work related to this job.

[pooya87]

it would be an invasion but this is a public forum so anybody is seeing what we are all doing and there is no hiding that. and as long as i don't get f***ed for just using bitcoin legally i don't care.

besides i agree with VirosaGITS, NSA watching us feels like conspiracy theories.

[n2004al]

This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?

I don't care at all. I have nothing to hide and to have fear. Everyone who want can read everything I write or everything I do at internet. So no fear from NSA or every kind of Agencies who make the same or similar jobs.  

[Operand]

Cant be that bad eh? I mean as if it's bad enough that governments are able to activate one's camera and microphone on laptops, computers and now mobile phones as confirmed by Snowden

[n2004al]

Cant be that bad eh? I mean as if it's bad enough that governments are able to activate one's camera and microphone on laptops, computers and now mobile phones as confirmed by Snowden

If you read well the question in that is not mentioned this thing answered by you but another. Is is about the things and your habitue on internet and not about things made in your home.   So your answer is out of this topic.  

[shorena]

it would be an invasion but this is a public forum so anybody is seeing what we are all doing and there is no hiding that. and as long as i don't get f***ed for just using bitcoin legally i don't care.

Yet, if you read what the paper suggests.

Transitioning to ellip-
tic curve Diffie-Hellman (ECDH) key exchange with appro-
priate parameters avoids all known feasible cryptanalytic
attacks. Current elliptic curve discrete log algorithms for
strong curves do not gain as much of an advantage from
precomputation. In addition, ECDH keys are shorter than
in “mod
p
” Diffie-Hellman, and shared-secret computations
are faster. Unfortunately, the most widely supported ECDH
parameters, those specified by NIST, are now viewed with
suspicion due to NSA influence on their design, despite no
known or suspected weaknesses. These curves are under-
going scrutiny, and new curves, such as Curve25519, are
being standardized by the IRTF for use in Internet proto-
cols. We recommend transitioning to elliptic curves where
possible; this is the most effective long-term solution to the
vulnerabilities described in this paper.

and check which key exchange algo is used for bitcointalk.org it seems this board is not affected.

besides i agree with VirosaGITS, NSA watching us feels like conspiracy theories.

I think you missed the news over the last years. They watch everything and everyone.

[franky1]

lets imagine it this way..

lets accept that the NSA has full access to all our data.

dont get me wrong, i dont like 3rd parties having my information. but you have to ask yourself, if you put your information out-there either letting it pass through your ISP or put onto facebook, or having an online bank account as oppose to a bill-by-post account then you are just asking for your data to be spread.

now.. the important part

out of 7 billion people, what are the chances that the NSA would even look at your data specifically, investigating you and looking at everything you do for official reasons?

i personally dont care about NSA having access to my data, because chances are id never be investigated.. but im more concerned about my privacy in regards to random people. even people temping and subcontracted to the NSA, or hackers, or ex-girlfriends trying to get at my data for their own amusement or to use it against me in someway.

so dont worry about the NSA as an institution because unless your doing anything illegal, theres nothing to worry about..
but do worry about the PEOPLE that could get their hands on your data for unofficial reasons. and as i said that can include nsa employee's.

afterall if you personally worked for the police or fbi, wouldnt you be tempted to search out stuff on your neighbour or exgirlfriend..

[Holliday]

so dont worry about the NSA as an institution because unless your doing anything illegal, theres nothing to worry about..

How naive can you be?

out of 7 billion people, what are the chances that the NSA would even look at your data specifically, investigating you and looking at everything you do for official reasons?

Gee... a user of that "shady, dark web currency"... I would say the chances are significantly higher than average.

[LiQio]

out of 7 billion people, what are the chances that the NSA would even look at your data specifically, investigating you and looking at everything you do for official reasons?

Sometimes it's the other way round with big data collections: you might not be investigated specifically, but sometimes political institutions need to leave someone holding the baby. This could be you, because your pattern matches best: guilty by inference.

[Amph]

there are not 7B using internet, that's a naive thinking, more like half of, that, and i'm sure that with a right scrypt they can check those pretty fast

they can monitorize you but don't have the tool to investigate? would be stupid and pointless from their end

but anyway i don't have anything to hide so i'm not worried

[Kakmakr]

lets imagine it this way..

lets accept that the NSA has full access to all our data.

dont get me wrong, i dont like 3rd parties having my information. but you have to ask yourself, if you put your information out-there either letting it pass through your ISP or put onto facebook, or having an online bank account as oppose to a bill-by-post account then you are just asking for your data to be spread.

now.. the important part

out of 7 billion people, what are the chances that the NSA would even look at your data specifically, investigating you and looking at everything you do for official reasons?

i personally dont care about NSA having access to my data, because chances are id never be investigated.. but im more concerned about my privacy in regards to random people. even people temping and subcontracted to the NSA, or hackers, or ex-girlfriends trying to get at my data for their own amusement or to use it against me in someway.

so dont worry about the NSA as an institution because unless your doing anything illegal, theres nothing to worry about..
but do worry about the PEOPLE that could get their hands on your data for unofficial reasons. and as i said that can include nsa employee's.

afterall if you personally worked for the police or fbi, wouldnt you be tempted to search out stuff on your neighbour or exgirlfriend..

Most of us believe this, until you say something on a forum or Facebook or Twitter that they flagged as a possible threat to the USA. The topic could have been flagged out of context, but the software scanning the communication could isolate your words from those 6 billion people.

Simply typing the N$A abbreviation will already flag your post on their database.

The only solution is to stay legal in everything you do, and hope someone will not browse into your privacy for their pleasure and entertainment.

We have seen with the Silkroad case that there are corrupt agents out there, so it is not impossible for people to misuse these systems for their own benefit.

[pawel7777]

This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?

I don't care at all. I have nothing to hide and to have fear. Everyone who want can read everything I write or everything I do at internet. So no fear from NSA or every kind of Agencies who make the same or similar jobs.  

Oh really? If so, would you mind sharing your personal info + address (scanned docs) right here in this post? Would you allow anyone to view your personal emails, text messages, call logs, google search history etc?

Edit: something to consider for all those blue-pilled members who think NSA is all about tracking terrorist and criminals:

http://www.dw.com/en/germany-fears-nsa-stole-industrial-secrets/a-16925289
http://www.informationclearinghouse.info/article37484.htm

[shorena]

This raises a question: Are you sure that Bitcoin-related websites visited by you are not monitored by NSA? Or maybe you don't care?

I don't care at all. I have nothing to hide and to have fear. Everyone who want can read everything I write or everything I do at internet. So no fear from NSA or every kind of Agencies who make the same or similar jobs.  

Oh really? If so, would you mind sharing your personal info + address (scanned docs) right here in this post? Would you allow anyone to view your personal emails, text messages, call logs, google search history etc?
-snip-

Even if they dont mind, its still no argument.

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.

[neoneros]

A breach like this will only make the ones who really want to be private to better their efforts to keep out the eavesdroppers,

I Do not like being eavesdropped, but what I do is what I do and at the moment I do not care what others think of it or if they tap into it, they shouldn't, just like when someone in the train besides me is not allowed to watch what is on my phone, I try to guard it with my hand. The NSA is harder to guard against, but technology will catch up. If I ever feel that the things I say or do might get me in trouble because the NSA or any institure thinks what I say or do is 'bad'. I will try harder to conceal. But at the moment, I feel safe enough to say and do as I like. So I might cut myself short here, if I ever digitaly disappear, they know that what I am doing is not meant to be seen and worthy investigating..

So as long as Bitcoin is not linked to being criminal, I will not hide my bitcoin activities for the NSA, though I do think their eavesdropping is a big nuiscance.

[DarkHyudrA]

https://weakdh.org/
This website is nothing new, it's been around a few weeks the first time I saw it, if not more then a whole month, no?

And anybody can check if the website is protected from this attack.