NSA Says They Have VPNs In a 'Vulcan Death Grip'

An anonymous reader sends this quote from Ars Technica: The National Security Agency's Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Speigel. A slide deck from a presentation by a member of OTP's VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs—including tools with names drawn from Star Trek and other bits of popular culture.

whatever NSA wants

[turkeydance]

NSA gets...popular culture take on "Damn Yankees".

Re:

[John.Banister]

Read the Spiegel article [spiegel.de] and learn the security methods that might still work. Using these methods, secure all your communication all the time. If everyone does that, then the NSA has to hire more people to sort away the chaff. The more people they hire, the greater the likelihood that they again hire someone with a conscience.

Method 2. Live two lives, one that's fake and boring, and another that's secret and furtive. Hide the limited second life amongst the chatter of the first. This method will work bet

Re:

[g0bshiTe]

1. Lobby for internet standards to change and remove the ability from any governments to encroach on it.
2. Overthrow the government and replace it with a better functioning governing body.
3. Elect officials who want smaller government and aren't corruptible.
4. Use snail mail.

OK but the "Death Grip" was a fiction - a bluff

[jpellino]

to get a "dead" Kirk past the baddies. Now, if they had them in a Vulcan nerve pinch, I'd worry.

Re:

[zlives]

in this case it is a ruse to justify funding.

Re:

[SemperUbi]

And if the NSA were going through Pon Farr, I'd stay the hell away.

Sigh.

[ledow]

So if they have the PSK, then they can decrypt your VPN connection?

Yeah, not surprising.

Nowhere does it say they actually have effective techniques for extracting the PSK from, say, a Diffie-Hellman exchange. Because.... well... pretty much, nobody can.

But, sure, if you plug in your VPN PSK into a router that's then compromised, your PSK is then public knowledge. Hell, in most places it's listed in your Cisco CLI and extractable if you have access to it (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/82076-preshared-key-recover.html).

Isn't this why we have several things, not least SSL VPN with proper keychains, certificate revocation, passphrase-protected keys, etc.?

You can try to scaremonger all you like (this is, what? The fourth of fifth article this month with scaremongering like this about Tor, SSL, etc.?). Fact is nobody has demonstrated, or even pointed to suspicious circumstances that may hint, that the NSA or anyone else are doing anything different to the bad guys out there - finding out that compromising the devices is generally easier than decrypting proper TLS security. And nobody's been seen to actually have a shred of evidence that they can decrypt TLS by any way other than being handed the keys.

All this does is tell me the exact OPPOSITE of what the little guy (and presumably anyone reading this article, shame on you Slashdot) would take home. The NSA aren't able to do anything more than I thought they could. That the encryption is serving it's purpose to the point that it's easier to compromise the routers en-masse than it is to break the encryption.

All this does is say to me "Keep doing what you're doing". Use proper PKE with decent size keys and secure them as much as humanly possible.

All I've thought about these kinds of articles for the past year is "What are you trying to scare me onto?" Truecrypt, SSL, PFS etc. It all points towards a certain set of algorithms which are hailed as the "solution" to all these problems - Elliptic Curve. Strangely, one of the "official" curved was designed in co-operation with these people and they won't provide justification for it, and their track-record in this area is quite well-known. These are the people who paid RSA to weaken their encryption, the people who didn't want us to be able to have large-bit encryption available in any case, and who wanted us to have backdoored chips protecting our devices.

PKE is doing it's job at the moment. I'd hate to think that we all jump-ship to the thing that's ACTUALLY broken, in our haste to secure things against this kind of propaganda.

Re:

[phantomfive]

On the other hand, it's kind of reassuring that all the attacks revealed about the NSA so far are relatively mundane. They haven't found a simple way to factor large numbers, for example.

Re:

[gweihir]

An NSA employee once told me "If we could do what people think we can do, the world would look differently". I still find that very convincing and plausible. All what the NSA does is the same that ordinary IT criminals can do, just scaled up. Regarding the respective groups at the NSA as ordinary IT criminals is in fact a rather accurate model, as in the end, they are just after money and power. All this "fighting XYZ" propaganda is just the usual lies.

Re:

[catmistake]

Regarding the respective groups at the NSA as ordinary IT criminals is in fact a rather accurate model, as in the end, they are just after money and power.

Do you really believe any member of this particular NSA team is really an anarchist and has the lifegoal of robber-baron?

Re:

[CreatureComfort]

No, silly! They are the minions.

Re:

[gweihir]

You forget that there are far more IT criminals than there are NSA employees....
This thing scales in several dimensions.

Re:

[currently_awake]

At what Security Classification level would such information be kept? Would some random IT tech have access to that knowledge?

Re:

[phantomfive]

That information is probably kept on this computer [cultofmac.com]

Re:

[dbIII]

Probably. Truth seems to be far more incompetent than fiction.
If I was a foreign spy I'd use vectors like that Star Trek set designer they let into the place, or showgirls, or whoever else those egotistical horse judges running the place let inside. Put a modern equivalent of the theremin bug into artwork just like the original theremin bug was put into a carved " Great Seal of the United States" (how's that for nasty style). Pander to their egos and suddenly competence has left the building. Remember t

Re:

[phantomfive]

This is not a document the NSA chose to release.

Re:

[phantomfive]

Most likely Snowden is a secret agent of the US and Putin, right?

Re:

[phantomfive]

From a mathematical/security viewpoint, that's mundane. Compared to a simple way to factor large numbers, that's mundane.

Re:

[gweihir]

I completely agree. Sure, some implementations are flawed, but they can be fixed. All that fear-mongering and fact-distorting just serves to drive people to less secure alternatives. That is by design and I expect that quite a few people posting in this thread here (and in other places) on this subject are actually paid to create a certain atmosphere of fear and uncertainty about tools that are very likely secure or can only be broken by targeted, high-effort attacks.

As to Elliptic Curve Crypto (ECC): Stay

Re:

[dbIII]

Nowhere does it say they actually have effective techniques for extracting the PSK from, say, a Diffie-Hellman exchange. Because.... well... pretty much, nobody can.

They don't need to. Compromising Cisco etc plus a pile of Telcos does the job. Ever wondered about those stupid "SSL accelerator" boxes that some places have been fooled into buying? Pretty fucking obvious way in there since people are granting access to their VPNs, bank accounts etc to the admins of those proxy boxes and most likely the vend

Re:Sigh.

[ledow]

Your choice of OS, if you have something worth encrypting and hiding, is the least of your worries.

If you have any brains at all, all key generation is done offline on a clean machine and then that machine destroyed. Only a specific, purpose-built target on YOU would stop that working as intended without informing the NSA, and then they may as well just listen in to the room anyway.

What you are falling into is the "movie hackers" fallacy - "Gosh, everything hackable therefore everything is hacked all the time". If you have a clean, from-disk OS, even, and keep it off the net, and sign your messages with your pre-generated private key on a device that goes NOWHERE and only gets turned on when you need to use it - fuck 'em. Quite what power do you think they have over that?

The problem with modern day stuff is ALL Internet-access-based. Hell, most people think a computer isn't a computer unless it's on the Internet nowadays.

Don't get me wrong, if you're targeted by the NSA, I'm sure they can get to you somehow. But I can assure you they were targeting Bin Laden and he survived, what, a decade with the whole world looking for him? He was found to be couriering USB keys down to the local cybercafe.

Targeted malware only works if you're stupid enough to expose the machine to the net, or run programs that aren't verifying content. Fuck trying to "infect" someone who only reads their mail via "mutt", for example. It's all Hollywood tripe.

If there's a terrorist with a brain out there, and they are trying to avoid the NSA's glare, I'd be quite annoyed at their stupidity if they aren't using read-only boot media, a bunch of random devices bought in shops, PKE, and programs that aren't mainstream enough to have exploits written for them.

Fuck, even I know how to encrypt mail offline and have read my mail accounts via telnet in the past.

If you're targeted, malware is the fucking least of your worries, and easily countered by not allowing your PC to come into contact with it. Even that stuff about some malware making computers "talk" over audio channels to cross air-gaps only works when computers are infected in the first place.

We even have double-compilation-verification built operating systems, and you can boot some old shit off a floppy image from pre-Windows days if you're really paranoid.

The problem is not that - it's not encrypting, generating, or securing your message. It's how do you get your message to the wider net from there, and that identifies your location quite quickly. However, as pointed out above, you can sit in the same location for ten years with a willing stooge to courier to nearby cybercafes and NEVER get caught that way.

It lacks in imagination to think that the NSA, or indeed any intelligence agency, is really as good as you think they are. I'm a massive fan of GCHQ history, for instance, and I quite believe that today's GCHQ is a shadow of it's former self forced to resort to asking Facebook for copies of its data. Given that they invented this type of stuff to prevent EXACTLY what they are trying to do now, it's hilarious that it's backfired to the point where they are having to convince you they really can listen to everything, everywhere, always.

If they could do that, you would never hear of it. Because, you see, they'd know about all the leaks and be able to stop them in their tracks - legally or illegally.

Re:

[Trane Francks]

Really. Well. Stated! *wild applause*

Aka, backdoors

[MouseR]

Breaking into VPN isn't that easy.

Re:

[arbiter1]

The months or years of work its taking to do so, takes only handful of days for a vpn to change overto an encryption that hasn't been cracked yet.

Good news

[Charliemopps]

This is actually good news. The clearly state that "Ubiquitous Encryption" is a threat to the NSA. They are currently assuming that encrypted traffic is something they should target so if everything's encrypted... viola.

So go out, encrypt everything you can. I'm looking directly at you SlashDot. Fix your 10yrs out of date website for christs sake. You want me to start using "Beta"? Secure it!

Re:Good news

[wbr1]

To what end should slashdot secure itself? Are you storing confidential info here? It is a public forum. Anyone, including an NSA agent can browse all your postings regardless of any encryption used between you and this site.

There would need to be a compelling business/financial reason for any site to do so. Helping others hide their traffic is not all that compelling from a beancounters point of view.

Re:Good news

[Charliemopps]

To what end should slashdot secure itself?

To keep me as a viewer.

Are you storing confidential info here?

Yes. Everything I do is confidential until I explicitly declare it's not. This text is displayed publicly for all to see. But how it got here, from where I'm logging in and who I am in real life is none of your business until I say I'm ok with that.

It is a public forum. Anyone, including an NSA agent can browse all your postings regardless of any encryption used between you and this site.

But linking them to me is an entirely different thing. Sure, anonymity doesn't gain me a lot currently. But we've no idea what the next US administration is going to look like do we? And what of my friends in China? I'd like to hear their thoughts on this as well. Oh... they can't even remotely post here... I guess Slashdot doesn't need 1/3rd of the worlds audience... oh well.

There would need to be a compelling business/financial reason for any site to do so. Helping others hide their traffic is not all that compelling from a beancounters point of view.

being a tech site, and the ever increasing consumer demand for secure communications, I think the rather trivial effort it would take to implement HTTPS would forever mar this "Tech" website as being ridiculously out of date. It doesn't really matter if you ever use the intermittent wipers in your car... it makes a new car look pretty stupid not to have them either way.

Re:

[wbr1]

The cat is gone from that bag. Do you think dive wouldn't just handover the keys when asked? If you want security, encrypt yourself and kep private messages private. Trusting a 3rd party to any secrets is laughable.

Re:

[paavo512]

It is a public forum. Anyone, including an NSA agent can browse all your postings regardless of any encryption used between you and this site.

Nobody can browse my posts if I am posting as "anonymous coward" ... except that is not quite true without a secure connection!

Re:

[dbIII]

To what end should slashdot secure itself? Are you storing confidential info here?

Impersonation can be annoying with real world consequences depending on what the impersonator writes.

Re:

[Just Some Guy]

To what end should slashdot secure itself?

Because without HTTPS, anyone who owns a router between me and their hosting site can see everything I'm reading, every comment I make as AC, every session cookie I pass over the wire, everything. More importantly, there's no good reason whatsoever not to secure it. Encryption is incredibly cheap, so Just Do It.

Re:

[AmiMoJo]

The NSA/GCHQ can currently see what you are looking at on the site, who you log in as, whose profiles you look at etc. Those things are not public. Presumably they are logged somewhere, but a warrant should be required to view those logs. As it is, the security services just grab everything and file it away in your dossier, and that's wrong.

Re:

[Lord Apathy]

To what end should slashdot secure itself?

Because all sites should be secure. All the way from your bank to that page you tossed up on some old slackware box where to post pictures of your dog. Just as all email should be sent private key/public key now.

Think of it like this. If only the important shit is encrypted then that data steam stands out as important on the internet. If all the shit is encrypted then nothing stands out as "decrypt me, I'm important." Its the herd principal.

Re:

[whoever57]

They are currently assuming that encrypted traffic is something they should target so if everything's encrypted... viola.

So.... they can play them like a violin? Or did you mean "voila"?

Re:

[BlackPignouf]

if everything's encrypted... viola.

Interesting. How do you plan to encrypt a big violin? :)

Re:

[rHBa]

Easy, with Bass64 encoding

Re:

[Stewie241]

"they may as well remind us to park our HDD drive heads everytime we power down."

Are you saying I don't have to maintain my park.sh script anymore? I wish you'd told me that before I completely rewrote it to support SSDs.

Swell

[PopeRatzo]

It's really nice when a tyrannical government agency gets cute and gives its tools of oppression pet names.

This is just psychological warfare

[carlhaagen]

No more.

Try this at home...

[Kazoo the Clown]

If the NSA can do it, maybe you can too!

We should use the DMCA

[seeker_1us]

My content sent over VPNs is original work encrypted to protect it against those not authorized to have a copy. It is thus covered by copyright law. The NSA is circumventing encryption to obtain illegal access to copyright work.

Re:

[radarskiy]

Your EULA grants the ISP a perpetual transferable right to your data, or else it would be a copyright violation for them to transmit it anywhere. They can then sub-license to whomever in exchange for not being named an accessory for every criminal act that involved a communication that crossed their network.

Re:

[turp182]

True, but if the transmission is encrypted, wouldn't that be in violation of the DMCA?

If so the government owes a lot of people a ton of money (even for single offenses) if they are decrypting anything. There is implicit copyright to most everything we say/write (at least there is for anything of consequential complexity or value).

In fact, per Wikipedia: (The DMCA) It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself.

Encryption is

The NSA

[kelemvor4]

Sounds like a fun place to work. They have all the toys.

So

[rossdee]

We should switch to using Cardassian Codes - the NSA and their Vulcan advisors won't be able to decrypt that.

Why decrypt most of it?

[ruir]

I am pretty sure that MS, Cisco and Checkpoint will have mandatory backdoors for their VPN services, and that it wont help to your security not using private certificates.

What a load of corbomite!

[Chelloveck]

They really call it VULCANDEATHGRIP? As I recall (and Memory Alpha confirms [memory-alpha.org]) the "Vulcan death grip" does not exist, it was merely a ruse used to fool the Romulans. Given the code name I surmise that the ability to crack VPNs doesn't exist, the NSA just wants us to believe that it does.

Next they'll be telling us that if they go "by the book, hours will seem like days". We see through your clever wordplay, NSA!

P.S. Deal me in for the Tuesday night fizzbin game. I want a piece of that action!

Re:

[account_deleted]

Comment removed based on user account deletion

Re: What IP address ranges are in the US?

[dpilot]

Plus don't forget, the NSA simply must be the only agency in the world trying to do this sort of thing. I'm sure that no other nation has any interest whatsoever in gathering this type or depth of information, for any reason at all.

Re: What IP address ranges are in the US?

[Richard_at_work]

Does any other nation have an intelligence budget that even approaches that of the U.S.?

Re:

[jalet]

Does any other nation have an intelligence budget that even approaches that of the U.S.?

While the USA uses "intelligence budget" some other nations may only use "intelligence" alone...

Re:

[Luckyo]

And you would be correct, for reasons of simple mathematics. No other country has the capability or budget even if they wanted to do it.

Re: What IP address ranges are in the US?

[sound+vision]

You don't think there's still the old-school hacker way to break into systems, by hacking, not buying backdoors from corporations? I'd wager that a team of no more than 5 or 10 top-notch hackers could pull off a Stuxnet- or Sony-style attack. And it may only take the cost-equivalent of 50 soldiers-with-tanks-and-support-column to do it. Normal soldiers are actually really expensive when you think of all the supplies and equipment they need in addition to just the pay and benefits. To house and feed a literal army of men for years at a time probably costs much more than putting up a roomful of hackers. Have you ever heard of the term "asymmetric warfare"? Many countries are missing entire branches of military like navy and air force and their associated expenditures. Think of the R&D funding for that alone going to hackers - you could have a hacker army. All you need is the right recruiting program, which is probably easier to put together than the US military budget. I predict we will see many more high-profile breaches before people start taking security more seriously.

Re:

[Luckyo]

But that has nothing to do with capabilities we're talking about. You're throwing out an obvious red herring here to deflect attention from the subject. We're talking about wholesale dragnet style intelligence gathering. Not targeted strikes. That's why reference was "NSA" and not "CIA".

Re:

[Pieroxy]

When they gather every data across all VPNs, they will still be able to analyse a tiny fraction of it all. What they want is the capability to decrypt anything, but then they'll only listen to what is on the topic of the day, because too much data is too much. So a targeted attack might be as good in many scenarios.

Re:

[physicsphairy]

The problem with a hacker army is hackers don't hold up very well to carpet bombing. If you're a country with nuclear capabilities, sure, go ahead and have a poke at your opponents under the assumption they won't escalate. But otherwise I wouldn't recommend conducting computer assaults on anyone as a nation if you can't back it up with physical firepower.

Re:

[dpilot]

Not irrelevant. The parent poster was concerned about protecting his system, then proceeded to discuss protecting from the US without considering other threats.

What a stupid idea ...

[CaptainDork]

... I downloaded the Tor browser and I'm, like going to cnn, disney, xvideos, and then I try going to my Facebook page and WHAM!!!!

I'm in validation mode,

That's much better than the "command mode" ("commode" for short), but I had to prove I am me by sending Facebook my passport and giving them my phone number.

The fucking NSA isn't allowed to blow their cover and stuff.

Re: What IP address ranges are in the US?

[bragr]

That is harder than you'd think. A surprising amount of data ends up going through the US. A lot of the EU-Asia traffic ends up going through the US as the indian ocean routes are relatively slow, and AFAIK Russia hasn't built any extensive cross continent fiber networks.

Re: What IP address ranges are in the US?

[itsenrique]

With those ping times, you sure won't have the first laugh.

Re: What IP address ranges are in the US?

[bryanp]

Right. Because the NSA doesn't have access to IP addresses outside the US. Good luck there chief.

Re:

[Midnight_Falcon]

Good luck with that. You can block all IPs assigned to ARIN in the US, but thanks to IP address shortages, you'll find many of those sites with ARIN-allocated IPs are actually located geographically in Europe...and some APNIC IPs are located in the US...etc etc

Re:

[unixisc]

IPv6 is fine there. If an ISP shares a single subnet b/w all its users, other than the /64 that it gives them, anonymity is achieved.

Re:What IP address ranges are in the US?

[gatkinso]

My guess is that you overlooked the "USA, AUS, CAN, GBR, NZL" at the top of the slides.

Re:

[davydagger]

won't help you,

1. the CIA covertly taps cables all over the world.
2. Even if they didn't, there are the other four of the "five eyes", the brits, canucks, ozzies, and kiwis.
3. Even if that weren't true, you'd have to avoid all routes that pass through the USA/5 eyes, other countries with agreements.

Re:

[ChunderDownunder]

ozzies

Aussies.

cheers, cobber.

Re:

[ChunderDownunder]

No, it isn't.

Trust me, no one here spells it with an Oh-Zed.

Re:

[Goetterdaemmerung]

Trust me, no one here spells it with an Oh-Zed.

You've never heard it referred to as Oz?

I have heard those 2 letters used in conjunction as reference to Australia many, many times during my travels there.

Now the term "ozzies" is somewhat new that I haven't heard before. Could be a recent development.

Re:

[ChunderDownunder]

If you're making a parallel with the wizard then maybe but one would normally abbreviate to 'Aus'

Re:

[Goetterdaemmerung]

If you're making a parallel with the wizard then maybe but one would normally abbreviate to 'Aus'

Exactly. "Land of Oz" is the slang reference that I first heard when I was visiting. At the time I was traveling with backpackers (including locals, not just foreigners), so maybe it was just a humorous joke and in less common use than I thought. I'm sure no official document would spell it that way.

Thanks for the insight!

Re:

[dbIII]

You've never heard it referred to as Oz?

Aussie is not derived from that. Ozzies is like calling Americans Yankiis, sounds right but nobody does it unless they are guessing at spelling. The "oz" thing came later, probably not until well after the movie.

Re:

[thegarbz]

Here is Australia. That our neighbours in the US have a more colourful sense of spelling is no surprise to us at all.

Ozzies?

[jd2112]

Do you mean the Black Sabbath singer or the character on the 60s TV sitcom?

Re:

[sound+vision]

Or the one from the 2000s sitcom... wait, that was the one from Sabbath??

Re:

[Irate Engineer]

Win.

Re:

[BarbaraHudson]

The real question is what will the general population, who thinks that "Computer" == "Internet" do.

First, the CIA says UFOs are theirs. Next the NSA. Bunch of buzz-kills. Was this someone making good on some sort of New Years resolution?

Re:

[mSparks43]

I'd say its because they've been influencing it at the school level CS classes.

"Its too hard" - "its too easy to make mistakes"
-"let those who know what they are doing handle it"
ubiquitous.

Re:

[AHuxley]

For that a person would need a real computer service at both ends of a network with good encryption at both ends and along the network.
So the home computer would have to encrypt that connection from some distant country to the USA.
The computer in the USA would have to then exit to the internet use and pass the network back to some distant country and the home computer.
That service and networking product would have to be registered in the USA and that would allow for ip ranges to be tracked as exits from

Re:

[g0bshiTe]

Snowden did and look where it got him.

Instead of people waking up and lobbying their CongressCritters to put an end to it even threatening to remove them from office for inaction, oh look Honey Boo Boo.

Re:4 years ago?

[khasim]

It's not so much the VPN technology as it is the failure to correctly implement and secure it.

TFA leaves the real content until the end of the article:

The data is then replayed from the repositories through a set of attack scripts, which use sets of preshared keys (PSKs) harvested from sources such as exploited routers and stored in a key database ...

So if the NSA wants to "crack" your VPN session they first record it (we know how they do that) then they try to brute force that recording using what is, essentially, a dictionary attack.

TFA seems more entranced by the cutesy names than by the technology.

Re:

[phantomfive]

TFA seems more entranced by the cutesy names than by the technology.

Welcome to the brave new world of journalism.

Re:

[AK Marc]

That's always been a known "vulnerability" of real-time VPN. A 4069 bit encryption would be "safer" but the delays/processing power would decrease usability. 256 bit is "good enough" for 99.9%. For more than that, you can have stronger encryption.

One of the ideas behind the "weak" VPN is that decrpyting it 2 years later will not help anyone. The US government is good at forensics, but worthless for prediction.

SSH is blocked in lots of represive regimes

[Anonymous Coward]

SSH is great technology because the certificate is self signed and relies on TIME to protect it, even the NSA can't travel back in time and do a man in the middle attack on the first SSH link and every subsequent SSH session between those computers, to swap that cert.

Likewise the documents said NSA was intercepting 10 million TLS (HTTPS) a day. By now, three years later that will be 100 million or a billion. The problem is the certificate authorities are US companies and all backdoored by the NSA. SSH doesn

Re:

[NatasRevol]

Have VPNs not improved over the past 4 years?

Have the NSAs abilities not improved over the past 4 years?

Re:

[currently_awake]

A better question is "hasen't the NSA improved their VPN monitoring ability in four years?".

Re:

[mallyn]

Did they get permission from Sony? I thought those names are copyright/trademark?

Re:

[ChunderDownunder]

I thought that was a reference to The Big Bang Theory.

You know, the show set in the Californian neighbourhood in which unemployed actors such as Levar Burton, Wil Wheaton and Brent Spiner dwell.

Re:

[kwbauer]

Not only off-topic but also factually incorrect. Utah is to Idaho as California is to Oregon or as South Australia is to Northern Territory or even as England is to Scotland.

Re:

[BarbaraHudson]

Well, technically the definition is someone who, by their stupidity, removes themselves from the gene pool. Unless she has a twin sister, her genes are history.

Nominees significantly improve the gene pool by eliminating themselves from the human race in an obviously stupid way. They are self-selected examples of the dangers inherent in a lack of common sense, and all human races, cultures, and socioeconomic groups are eligible to compete. Actual winners must meet the following criteria:

Reproduction Out of the gene pool: dead or sterile.

Excellence Astounding misapplication of judgment.

Self-Selection Cause one's own demise.

Maturity Capable of sound judgment.

Veracity The event must be true.

Nowhere does is say that they can't already have kids. Putting a loaded gun where your kid can get it is incredibly dumb, and this dummy won't continue to pass their genes along. Natural selection means that eventually, as gun-totin' mamas produce fewer offspring before dying, they will be out-competed (natural selection at work).

So, she can take he

Re:

[Anonymous Coward]

Unless she has a twin sister, her genes are history.

Her genes are in the kid that shot her, unless the kid gets the death penalty.

No, that's not how it works. Her genes would only be in the kid if the kid was a clone.

Oh, good lord. Fine. Then by your pointlessly pedantic semantic lawyering, no mammal has ever passed on their genes, and every individual's genes are culled from the gene pool.

You can't split hairs by trying to disingenuously pretend the "passing on genes" synecdoche is understood differently than it is. People understand that children aren't clones, and they still call it passing on their genes.

Re:

[mallyn]

Good try.

But no cookie :(

It appears that all of Walmart's IP's are in one netblock.

Here is the link to the report:

http://ipinfo.io/AS46312 [ipinfo.io]

161.169.64.0/18 Wal-Mart Stores 16,384

I believe that all of their web stuff is on ackamai.

Re:

[AHuxley]

Re "You must clearly understand where the risks are, mitigate them in the design".
Costs and design cannot get around cooperation needed for an ongoing investigation over a few years covering an ip range entering the USA.
If that ip range covers the internet then a VPN would have to help and never talk.
A few years later another request is sealed and more logs requested?
Hardware encryption systems of the 1950-80's faced all the same questions and idealism. The NSA and GCHQ got the plain text every time

Re:

[AHuxley]

If "It's not rocket science" then how are the security services getting back to the end users over generations of networking products?
From hardware encryption of the 1950-80's to todays VPN providers, crypto and secure networking always seems to fail or be trivial to track.
Insiders or sealed legal letters? Front companies? Weak encryption? VPN providers reselling standard tame junk solutions every generation?

Re:

[aaaaaaargh!]

The NSA's Type 1 HAIPE is a modified IPsec that passed their rigorous Type 1 development and evaluation process.

Even nowadays and certainly then the NSA would probably not pass anything in a public competition that they couldn't break in one way ot another. At least there is no indication for it. See e.g. the clipper chip debacle or the NSA's role in the development of bogus mobile phone encryption standards. Moreover, you presumably have no clue about what they use internally (and if you had, you weren't allowed to tell us).

So no, the only agency that can tell whether a given VPN is NSA-reistant is the NSA or anothe

Re:

[ChunderDownunder]

Great movie.

Deserves more praise than Inception and the Last Christmas Doctor Who special.

Re:

[gweihir]

Nice propaganda attempt, shill.

Re:

[gweihir]

I can recognize faked irony...

Re:

[gweihir]

I would decidedly not go that far. But a nice, concerted industry push to never, ever hire anybody that has been working for the NSA before or its contractors would send a clear message to bright young people looking for opportunities.

Re:

[gweihir]

We will see. While I tend to agree that a new global totalitarian catastrophe is in the works, I am not totally convinced that it will happen this time. The problem is that totalitarianism and fascism are exceedingly bad for business. They always result in an economic collapse, might just take a few decades. I have some hope that plain, old-fashioned greed may safe us this time. Wouldn't that be ironic?

Vulcan? They should be Cardassian names

[bussdriver]

They act far more like Cardassians, they should use the planet that fits their role best.

Vulcan's only pull that crap in that lousy Enterprise series.