Is not that they are monitoring me. I have nothing to hide. Other than the usual, which is encrypted in utorrent, apparently.<p>What worries me more is, what if they were to perform covert MiTM attacks? They are in the perfect position to do so. Anyone using online banking could be targeted and suddenly they have no money.
Or they could transfer money into people's accounts and make them look like money launderers, so they could be arrested.<p>Yes yes, it is all a bit conspiracy theory-ish... but if I had suggested I thought the NSA was mirroring fibre a year ago you would think the same.<p>This is what worries me over the debacle, as most data appears to pass through the USA.
<i>"Is not that they are monitoring me. I have nothing to hide."</i><p>This is not a valid argument. See <a href="http://www.thoughtcrime.org/blog/we-should-all-have-something-to-hide/" rel="nofollow">http://www.thoughtcrime.org/blog/we-should-all-have-somethin...</a> and <a href="http://kottke.org/13/06/you-commit-three-felonies-a-day" rel="nofollow">http://kottke.org/13/06/you-commit-three-felonies-a-day</a>
The "nothing to worry about if you have nothing to hide" argument has been debunked countless times and made the front page of HN in the last week at least twice. Privacy is a building block foundation for freedom. You can't have freedom without privacy.<p>Your utorrent encryption is merely useful to thwart some forms of bandwidth throttling, it is <i>not</i> hiding you or your sharing/downloading.<p>NSA could do such MiTM attacks, it's been a known possibility for years. But why would they rely on this kind of attack, as they probably have a copy of the private key of the party you're communicating with (or something along these lines as was shown with Lotus Notes)?<p>Also they already have other ways to seize and freeze assets, so you shouldn't have to worry about this specific abuse. There's more than enough to worry about the rest.
While we should of course be concerned about the privacy implications these programs hold for ordinary American citizens, it's also important to think about the implications these resources have on the class of people who are most likely to be targeted: the immediate competitors and enemies of those who have access to them. While everyone's privacy is threatened by these surveillance tools, there are 300,000,000 everyones. Only a tiny subset of that pool has direct, palpable influence into the political power elite. They are the ones most likely to have this infiltration of their lives used against them.<p>Those at the top of this informational food chain who are able to abuse it are most likely to abuse it in a way that benefits them most directly by blackmailing and otherwise undermining the influence of their competitors. In this manner it makes the consolidation and perpetuation of political power more efficient by orders of magnitude compared to those who have no access or very limited access to these surveillance programs.<p>This is dangerously destabilizing to a democratic society. If we have no real competition for authority, there are no real checks on that authority. The US is grooming an autarch.
It's possible that a MitM like this is feasible. Recall that the author of the Flame malware that targeted Iranian computers used a hash collision attack on the MD5 hash for a trusted certificate, which essentially allowed them to create their own certificate that hashed to the same value as the real certificate. [1]<p>The SHA-1 hash in your average SSL cert might be more expensive to attack than MD5, but that doesn't make me feel much better.<p>The mitigating factor here is that it seems like this could only be used on a case by case basis against a small number of people, since it would be found out if widely deployed.<p>Also, we only have evidence of traffic interception and not tampering. Actually writing to the stream, i.e. performing a MitM on an SSL connection, is probably a lot harder than just copying all traffic.<p>[1] <a href="http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/" rel="nofollow">http://arstechnica.com/security/2012/06/flame-crypto-breakth...</a>
Just an FYI, encrypting your uTorrent downloads won't stop you getting busted if you are down/uploading copyrighted material.<p>Regards MiTM attacks, yes they could but then again they always could. It wouldn't be 100% undetectable though since they would have to change the key/cert for sites they wanted to MiTM. Certificate pinning may address this issue in future.
>but if I had suggested I thought the NSA was mirroring fibre a year ago you would think the same.<p>I wouldn't have. Were you unaware of this (from 2006)? <a href="http://en.wikipedia.org/wiki/Room_641A" rel="nofollow">http://en.wikipedia.org/wiki/Room_641A</a>
You are right to worry.<p>> what if they were to perform covert MiTM attacks?<p>Then you would be pwned.<p>However, active MitM attacks are generally targeted. They can only get away with so many for so long before they are detected. Their scope can be quite large however. The entire country of Iran was MitM'd for some weeks before a single Chrome user reported seeing a cert error in Gmail. The Flamer malware MitM'd unattended systems apparently for years.<p>So if I were the target of the NSA, I'd expect them to get me with drive-by malware. A bit of malware is much easier to replace than backbone fiber access if the capability is 'burned'.<p>However, there are an unlimited number of other attackers out there in the world, most with 'catch as catch can' capabilities. That public Wifi or hotel internet could easily be hostile and the attacker may not have much to lose.
What worries me most are two things:<p>1. as was pointed out on an HN top story a week ago, if the surveillance is accepted by the public, then the public will accept regulations prohibiting use of software to avoid surveillance (i.e., most tools useful to software developers). I'm not really looking forward to the day when downloading crypto software requires me to pay certification fees and have an ID verifying that I'm a licensed software engineer.<p>2. I can't wait for the day when we can type with our brains (and no hands). Maybe we do that with pupil tracking software or facial cues... or maybe via direct brainwave input. Some products like this already exist, but they're in their infancy. One day though, when we all have bluetooth head masks and carpal tunnel is a thing of the past, I don't want every thought I have tracked by guys at an NSA lab... and I doubt the government wants that either, but it's going to be hard to not have them get that data.<p>... and I guess the third problem is just basically the death of liberty. But that's a harder issue to argue about, amazingly, when people are worried about terrorism.
Chrome includes certificate pinning, first described here, which offers some protection for MITM: <a href="http://www.imperialviolet.org/2011/05/04/pinning.html" rel="nofollow">http://www.imperialviolet.org/2011/05/04/pinning.html</a>
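Added example, not part of any comment in this thread and not Chrome's code: a sketch of why pinning catches the changed key/cert mentioned above, by hashing each certificate's SubjectPublicKeyInfo and requiring one pinned key in the chain. SHA-256, the helper names, and the sample certificates (constructed, unsigned, simplified DER) are assumptions of this example.

```python
import base64
import hashlib

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    size = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + size + body

def read(buf, pos):
    """Return (tag, body_start, end) of the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate."""
    _, pos, _ = read(cert_der, 0)        # Certificate
    _, pos, _ = read(cert_der, pos)      # TBSCertificate
    tag, _, end = read(cert_der, pos)
    if tag == 0xA0:                      # optional [0] version
        pos = end
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        pos = read(cert_der, pos)[2]
    end = read(cert_der, pos)[2]         # SubjectPublicKeyInfo, header included
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def sample_cert(subject, key):
    """Constructed, unsigned, simplified cert-shaped DER (not a valid certificate)."""
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    name = tlv(0x30, tlv(0x0C, subject.encode()))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name + tlv(0x30, b"") + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

def chain_is_pinned(chain, pins):
    """Accept only if some certificate in the chain carries a pinned key."""
    return any(spki_pin(c) in pins for c in chain)

PINNED_CA = sample_cert("Pinned Issuing CA", b"ca-key" * 30)
OTHER_CA = sample_cert("Other Trusted CA", b"other-ca" * 30)
PINS = {spki_pin(PINNED_CA)}
GENUINE = [sample_cert("bank.example", b"leaf-1" * 30), PINNED_CA]
ROTATED = [sample_cert("bank.example", b"leaf-2" * 30), PINNED_CA]
SUBSTITUTED = [sample_cert("bank.example", b"mitm" * 30), OTHER_CA]
print([chain_is_pinned(c, PINS) for c in (GENUINE, ROTATED, SUBSTITUTED)])
```

Pinning the issuing CA's key rather than the leaf lets the site rotate its own certificate, while a chain issued by any other CA is rejected even if that CA is otherwise trusted.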
If I was an NSA analyst who could spy on whoever I wanted, I would not be keen to throw people in jail, but seducing women would be fun; I think there is even a movie about it.
I was under the impression that they used beam splitters to get a copy of the data going over the fiber. It is my understanding that they can only receive data this way, not send it.