SoylentNews is people

posted by Fnord666 on Monday May 01 2017, @05:39AM
from the as-far-as-you-can-throw-them dept.

https://www.nytimes.com/2017/04/28/us/politics/nsa-surveillance-terrorism-privacy.html

The National Security Agency said Friday that it had halted one of the most disputed practices of its warrantless surveillance program, ending a once-secret form of wiretapping that dates to the Bush administration's post-Sept. 11 expansion of national security powers.

The agency is no longer collecting Americans' emails and texts exchanged with people overseas that simply mention identifying terms — like email addresses — for foreigners whom the agency is spying on, but are neither to nor from those targets.

The decision is a major development in American surveillance policy. Privacy advocates have argued that the practice skirted or overstepped the Fourth Amendment.

The change is unrelated to the surveillance imbroglio over the investigations into Russia and the Trump campaign, according to officials familiar with the matter. Rather, it stemmed from a discovery that N.S.A. analysts had violated rules imposed by the Foreign Intelligence Surveillance Court barring any searching for Americans' information in certain messages captured through such wiretapping.

Though I'm personally wondering why now.


  • (Score: 0) by Anonymous Coward on Monday May 01 2017, @05:47AM (18 children)

    by Anonymous Coward on Monday May 01 2017, @05:47AM (#502137)

    Seems like it's more of a PR move.
    Email is a lot more secure now, nearly all smtp connections are encrypted.
    Lots of people are using encrypted texting apps rather than old-fashioned SMS.

    So ceding their ability to wholesale collect those things when they cross the national border isn't really giving up all that much.

  • (Score: 2, Insightful) by frojack on Monday May 01 2017, @05:50AM (17 children)

    by frojack (1554) on Monday May 01 2017, @05:50AM (#502139) Journal

    Email is a lot more secure now, nearly all smtp connections are encrypted.

    Chuckle....

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Monday May 01 2017, @05:56AM (5 children)

      by Anonymous Coward on Monday May 01 2017, @05:56AM (#502141)

      Only a chuckle? I'm ROFLMFAO at the idiot who probably thinks SMTP is encrypted because of HTTPS Everywhere.

      • (Score: 0) by Anonymous Coward on Monday May 01 2017, @06:04AM (4 children)

        by Anonymous Coward on Monday May 01 2017, @06:04AM (#502145)

        Because TLS isn't a thing...

        • (Score: 0) by Anonymous Coward on Monday May 01 2017, @06:09AM (3 children)

          by Anonymous Coward on Monday May 01 2017, @06:09AM (#502148)

          Because just by sending an email you have so much control over whether TLS is used between SMTP relays. Get a fucking clue.

          • (Score: 2) by Whoever on Monday May 01 2017, @06:24AM (2 children)

            by Whoever (4524) on Monday May 01 2017, @06:24AM (#502153) Journal

            And you should get a clue.

            TLS is becoming near universal for SMTP. And email doesn't travel between many relays.

            • (Score: -1, Troll) by Anonymous Coward on Monday May 01 2017, @06:35AM (1 child)

              by Anonymous Coward on Monday May 01 2017, @06:35AM (#502155)

              Wow! That's grrrreat! Now when you say "becoming near universal" you mean Gmail, right? Man, you're so right, just do all your email on gmail. In fact don't even call it email anymore. Call it gmail because that's what it is, it's gmail.

              Tell you what, I tried to send some gmail to a blogger who runs his own gmail swerver, and you know what happened, my gmail was returned because mr blogger never set up a mx record for his gmail swerver. I guess that guy won't be getting any more gmail, huh?

              Compatibility, what the fuck is it, I don't even.

              • (Score: 1, Interesting) by Anonymous Coward on Monday May 01 2017, @01:59PM

                by Anonymous Coward on Monday May 01 2017, @01:59PM (#502261)

                Maybe? I'm not sure exactly what you're saying so this is kind of long-winded.

                Data in motion encryption for email at this point is mostly a solved problem. One site's relay hands directly off to the recipient's relay, and it's easy to verify encryption by checking the logs.

                I understand. I'm one of those crypto nerds who wants to be able to use GPG and similar for everything, just because you can't be sure.

                It's a lot better than 10 years ago when I started my current job. Back then I was warning everybody who wanted reports that might contain Protected Health Information protected by HIPAA that they needed to install GPG4WIN because "email is insecure." Now, I'm not a compliance person and my employer isn't a Covered Entity, so I'm sure somebody will tell me that server-to-server TLS won't protect somebody from getting in trouble with HIPAA/HITECH because of insert fiddly lawyer speak here (oh and btw, license this secure "email" service that's not even SMTP but some web-based jazz from $big_business to solve that problem!).

                Once TLS became pretty much bog standard for everybody except, who was it?, Yahoo? some-odd big webmail provider that for whatever reason doesn't do TLS last I checked (but not AOL of all providers, they do TLS as well), there really was no reason to insist on a client-side solution anymore.

                ...as you might have been trying to say (hard to tell), the biggest problem is people using free gmail accounts (and I've even come across some AOL addresses!) to receive reports that may contain confidential information, especially if it's not PHI (and thus the HIPAA people don't give a fuck about it--why should they?). Sure, the data in motion is secure, but the data at rest is most assuredly not.

                To attempt to address the article, perhaps what the NSA is saying in a weasel word way, is that the NSA itself is no longer doing the collection, but they've got new Room 641As installed at Google, Yahoo, M$, etc. Why bother with attempting to break TLS between MTAs when everybody these days is handily storing their emails on centralized services?

    • (Score: 2) by Whoever on Monday May 01 2017, @06:21AM

      by Whoever (4524) on Monday May 01 2017, @06:21AM (#502152) Journal

      I think it's more a matter of scale. Yes, the NSA can probably get access to encrypted smtp sessions, but not all of them.

      The most obvious attack against smtp is a MITM attack. Many STARTTLS sessions use self-signed certificates, so, in general, certificates are not validated.

      But MITM attacks require cooperation from telecom and Internet companies and the MITM attack can potentially be detected. So, probably, the NSA save this for targets that are more interesting.
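Two points raised in the comments above (that encryption can be confirmed from the mail logs, and that opportunistic STARTTLS usually leaves the certificate unvalidated) can be checked together; this is an added example, not part of any poster's comment. It assumes Postfix-style client logs with `smtp_tls_loglevel = 1`, and the log lines, hosts and queue IDs are constructed.

```python
import re
from collections import Counter

# Constructed sample in Postfix log style (smtp_tls_loglevel = 1); hosts and
# addresses are reserved documentation values, not real traffic.
SAMPLE_LOG = """\
May  1 06:00:01 mail postfix/smtp[2101]: Untrusted TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  1 06:00:02 mail postfix/smtp[2101]: 4A1B2C3D01: to=<a@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, status=sent (250 ok)
May  1 06:01:10 mail postfix/smtp[2102]: Trusted TLS connection established to mx.example.com[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May  1 06:01:11 mail postfix/smtp[2102]: 4A1B2C3D02: to=<b@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=0.9, status=sent (250 ok)
May  1 06:02:30 mail postfix/smtp[2103]: 4A1B2C3D03: to=<c@example.net>, relay=legacy.example.net[203.0.113.5]:25, delay=2.0, status=sent (250 ok)
May  1 06:03:44 mail postfix/smtp[2104]: Anonymous TLS connection established to mx2.example.org[192.0.2.11]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
May  1 06:03:45 mail postfix/smtp[2104]: 4A1B2C3D04: to=<d@example.org>, relay=mx2.example.org[192.0.2.11]:25, delay=1.1, status=sent (250 ok)
May  1 06:09:12 mail postfix/smtp[2105]: 4A1B2C3D05: to=<e@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.4, status=sent (250 ok)
"""

TLS_RE = re.compile(r"postfix/smtp\[(\d+)\]: (\w+) TLS connection established to (\S+?)\[")
SENT_RE = re.compile(r"postfix/smtp\[(\d+)\]: \w+: to=<[^>]*>, relay=(\S+?)\[.*status=sent")

def classify_deliveries(log_text):
    """Return [(relay, level)] per delivered message; level is the Postfix
    TLS trust word in lower case, or 'cleartext' when no handshake preceded."""
    handshake = {}  # (smtp pid, relay) -> level of the handshake just logged
    out = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            handshake[(m.group(1), m.group(3))] = m.group(2).lower()
        elif (m := SENT_RE.search(line)):
            # Assumption: one handshake per delivery (no connection reuse).
            out.append((m.group(2), handshake.pop((m.group(1), m.group(2)), "cleartext")))
    return out

def summarize(deliveries):
    levels = Counter(level for _, level in deliveries)
    seen = {}
    for relay, level in deliveries:
        seen.setdefault(relay, set()).add(level)
    return {
        "total": len(deliveries),
        "encrypted": len(deliveries) - levels["cleartext"],
        # Only these two levels mean the certificate chain was validated.
        "authenticated": levels["trusted"] + levels["verified"],
        # Relays that spoke TLS on one delivery and cleartext on another:
        # worth a look as possible STARTTLS stripping or a misconfigured MX.
        "mixed": sorted(r for r, s in seen.items() if "cleartext" in s and len(s) > 1),
    }
```

Run `summarize(classify_deliveries(SAMPLE_LOG))` to see the gap between "encrypted" and "authenticated": sessions logged as Untrusted or Anonymous resist passive collection but not an active man-in-the-middle.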

    • (Score: 1, Interesting) by Anonymous Coward on Monday May 01 2017, @06:25AM (9 children)

      by Anonymous Coward on Monday May 01 2017, @06:25AM (#502154)

      Chuckle....

      Once again frojackoff demonstrates his ignorance by smugly assuming his superiority.

      Encrypted SMTP   Outbound   Inbound   Combined
                       --------   -------   ---------
          Dec 2013:                           33%
        1 year ago:      84%        74%
             Today:      88%        84%

      https://www.eff.org/deeplinks/2014/06/new-gmail-data-shows-rise-backbone-email-encryption [eff.org]
      https://www.google.com/transparencyreport/saferemail/ [google.com]

      • (Score: 0) by Anonymous Coward on Monday May 01 2017, @06:43AM (2 children)

        by Anonymous Coward on Monday May 01 2017, @06:43AM (#502157)

        Why the fuck do we even have email anymore. Doesn't everyone use fucking gmail already. We don't even fucking need smtp because gmail can just deliver gmails between gmail accounts by dumping shit directly into the backend database. Why the fuck do we even have email anymore.

        • (Score: 3, Insightful) by kaszz on Monday May 01 2017, @09:17AM

          by kaszz (4211) on Monday May 01 2017, @09:17AM (#502196) Journal

          Because we don't trust American corporations nor Google?

          And being dependent on some far away server for personal communication is a bad dependence idea.

        • (Score: 0) by Anonymous Coward on Monday May 01 2017, @02:13PM

          by Anonymous Coward on Monday May 01 2017, @02:13PM (#502266)

          Ah, I think I see what you're complaining about.

          At least gmail speaks SMTP, even if retards don't set up their server instances correctly.

          In my long-winded comment up there I touched on it briefly. Hospitals wound up turning to proprietary solutions made by the usual suspects (Cerner & Epic). You're bitching about gmail. When you get a "Cerner," all you get is a notification over SMTP that there's an email waiting for you. Then you have to go to the hospital's server, sign up for an account (I think I must have 10 or 20 of those running around now that I've never used for more than a few mails), and then you can read and send mail.

          It's as if somebody considered TLS, considered S/MIME, considered PGP/MIME, considered non-MIME PGP, and said to hell with it! We're gonna roll our own cloudy web-based shit because SMTP isn't hip!

          I blame Outlook for it mostly with their piss-poor S/MIME support and NIH syndrome with PGP. In a better world, everybody uses KMail from KDE 3.5, everything is encrypted endpoint to endpoint in motion and at rest, and it's happy and everything is perfect.

          So no, I don't like that idiots set up misconfigured gmail instances and then blame you because you're the only non-gmail person they're in contact with so it must be your fault. Just stand your ground, and yeah, you'll lose a little business here and there because of arrogant dumbassery. At least gmail speaks SMTP. It could be much, much worse.

      • (Score: 2, Interesting) by Anonymous Coward on Monday May 01 2017, @07:40AM (5 children)

        by Anonymous Coward on Monday May 01 2017, @07:40AM (#502169)

        Informative +1, Flamebait -1, net zero.

        I appreciate you taking your time to post things supporting your point of view.

        But can we please refrain from flaming fellow Soylentils?

        If you think Frojack came across as a know-it-all, you did not come across well at all with that childish name-calling.

        I am just happy you posted AC, as I really hate to type stuff like I just did to someone by name.

        From one AC to another... please cut it out... Inciting flamewars here is not cool at all. That's why a lot of us left the other site.

        We like to think we have the professionals here... and they have the kids.

        • (Score: 0) by Anonymous Coward on Monday May 01 2017, @07:54AM

          by Anonymous Coward on Monday May 01 2017, @07:54AM (#502170)

          We like to think we have the professionals here... and they have the kids.

          You wish. Soylentils are aging boomers going through their second childhood.

        • (Score: 1, Insightful) by Anonymous Coward on Monday May 01 2017, @08:05AM (2 children)

          by Anonymous Coward on Monday May 01 2017, @08:05AM (#502174)

          From one AC to another... please cut it out... Inciting flamewars here is not cool at all. That's why a lot of us left the other site.

          Frojackoff is part of the contingent here more interested in turning this place into a pig-sty than productive discussion.

          You'll note that his post was:
          (1) Condescending
          (2) Content free - he couldn't even be bothered to write a thesis that could be debated

          The fact that I took his subtext and made it text just reveals what was there all along.
          Your complaint to me is misdirected. If you want respectful discourse, aim your criticisms at the people who open the gates of disrespect.
          And don't even try a "when they go low, we go high" rebuttal, anyone who says that without bothering to criticize the people who go low has no standing.

          • (Score: 0) by Anonymous Coward on Monday May 01 2017, @08:38AM

            by Anonymous Coward on Monday May 01 2017, @08:38AM (#502186)

            You're not worth my time to write a thesis that could be debated. From now on I'm only coming to SoylentNews for the obituaries and I want to dance a lively jig on each and every one of your graves.

          • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @05:25AM

            by Anonymous Coward on Tuesday May 02 2017, @05:25AM (#502690)

            I never claimed Frojack posted a useful post. Yours was a lot more informative, and it looks like his post caused you to post additional info.

            He was the trigger. You did the good thing. Frojack's post was not worth a mod one way or the other. Yours was. Informative.

            I only took issue with the name-calling.

        • (Score: 2) by Whoever on Monday May 01 2017, @04:03PM

          by Whoever (4524) on Monday May 01 2017, @04:03PM (#502314) Journal

          Oh please, just please STFU.

          The response to Frojack had some numbers to refute Frojack's snarky and content-free comment.

          You (parent) might like to think that you are an adult, but by supporting posters in their trolling, you are being a child.