| ▲ | kachapopopow 2 days ago |
| can confirm this is true - a single rack of servers can now handle terabits of traffic.. in real time with near zero added latency, anti-ddos companies do this as a service. |
|
| ▲ | paulryanrogers 2 days ago | parent | next [-] |
| Is it the powerful servers making the difference here? Or the coveted back haul connections which have access to the data passing by? I suppose it's both but the latter is a more scarce resource |
| |
| ▲ | embedding-shape 2 days ago | parent | next [-] | | It used to be that they needed to dedicate entire rooms for interception hardware, and tighter maintenance schedules. Nowadays, the devices they use are tiny in comparison, way easier to hide. I've encountered infrastructure companies discovering hardware that doesn't belong to them, in their local infrastructure, and when detected and reported, law enforcement came to pick it up, and refused to talk about it. That case still hasn't had a resolution, and it's about 4 years ago now. | | |
| ▲ | dylan604 2 days ago | parent | next [-] | | > and when detected and reported, law enforcement came to pick it up, and refused to talk about it. By "law enforcement", I'd assume the feds and not local. Why not just say which agency? Wouldn't this pretty much be FBI? Why use such a generic term? | | |
| ▲ | embedding-shape 2 days ago | parent | next [-] | | Because it wasn't in the US, and the specifics don't really matter. All countries I've lived in so far has had similar capabilities for sure, and practiced them too. | | |
| ▲ | dylan604 a day ago | parent [-] | | okay fine. s/FBI/whateverAgency/ the point is, this isn't the action of local authorities. this is state level activity. if it is local, that's a level of sophistication and corruption that I have ever been aware. | | |
| ▲ | r_lee a day ago | parent [-] | | Just for context in many smaller countries outside the US there isn't that much of a "local" thing like there is in the US, I.e. the national authorities may handle a lot of stuff that may be done by the local authorities in the US |
|
| |
| ▲ | Natfan a day ago | parent | prev [-] | | what an incredibly USAmerican-centric comment. | | |
| ▲ | embedding-shape a day ago | parent [-] | | That's OK and fair I think, even as a European. HN is fairly US-centric, both submissions, users and comments. I think after more than a decade here, you get to used to everyone assuming you're American and capitalist by default, which given the company who owns HN, kind of makes sense ;) | | |
| ▲ | DANmode a day ago | parent [-] | | I like the adjacent conversations just as much, or more. We(?) more or less want this to be a place of general curiosity, perhaps revolving loosely around those things, but not tightly clung to them. |
|
|
| |
| ▲ | kachapopopow 2 days ago | parent | prev | next [-] | | be afraid of that random raspberry pi device dangling off the switch. just kidding, it's just backup access via the datacenter wifi. | | | |
| ▲ | DANmode a day ago | parent | prev [-] | | > That case still hasn't had a resolution, and it's about 4 years ago now. Sure it has! The resolution was “go fuck yourself, what the fuck are you going to do about it?”. Y’know: respectfully. |
| |
| ▲ | sambull 2 days ago | parent | prev [-] | | It's the servers specifically the parallelization with more cores and better math functions like AVX512. |
|
|
| ▲ | mcny 2 days ago | parent | prev [-] |
| Let's say I have a public website with https. I allow anyone to post a message to an api endpoint. Could a server like this read the message? How? |
| |
| ▲ | skirmish a day ago | parent | next [-] | | They may not be able to decrypt it now, but it is well known that most of encrypted Internet traffic is permanently stored in NSA data centers [1] with hopes of decrypting it soon once quantum computing can do it. [1] https://en.wikipedia.org/wiki/Utah_Data_Center | | |
| ▲ | JasonADrury 5 hours ago | parent [-] | | > but it is well known that most of encrypted Internet traffic is permanently stored in NSA data centers It's "well known"? News to me. I doubt the NSA has storage space for even 1 year's worth of "most of encrypted Internet traffic", much less for permanently storing it. |
| |
| ▲ | tw04 2 days ago | parent | prev | next [-] | | They have a relationship with your cert provider and get a copy of your cert or the root so they can decrypt the traffic. | | |
| ▲ | mcny 2 days ago | parent | next [-] | | I thought the whole point of the acme client was that the private key never leaves my server to go to let's encrypt servers. Now yes, if I am using cloudflare tunnel, I understand the tls terminates at cloudflare and they can share with anyone but still it has to be a targeted operation, right? It isn't like cloudflare would simply share all the keys to the kingdom? | | |
| ▲ | notpushkin 2 days ago | parent [-] | | Yes. They could issue their own certificates, but we have CT to mitigate that, too. |
| |
| ▲ | kachapopopow 2 days ago | parent | prev | next [-] | | no, the private keys are yours - the root CA just 'signs' your key in a wrapper that is was "issued" by ex: letsencrypt, and letsencrypt just has one job: validate that you own the domain via acme validation. | |
| ▲ | scq 2 days ago | parent | prev [-] | | That is not how PKI works. Your cert provider does not have a copy of your private key to give out in the first place. Having the private key of the root cert does not allow you to decrypt traffic either. |
| |
| ▲ | kachapopopow 2 days ago | parent | prev | next [-] | | they would just compromise wherever your tls is terminated (if not E2E which most of the time it is not), but also just taking a memory dump of your vm / hardware to grab the tls keys and being able to decrypt most future traffic and past is also an option. | | |
| ▲ | coliveira 2 days ago | parent [-] | | It's funny that people still have any expectation of privacy when using a vm hosted at a place like AWS or Azure... They're giving any and every last bit you have, if the right people ask. | | |
| ▲ | mcny 2 days ago | parent | next [-] | | It isn't just aws though. You could say exactly the same about digital ocean or linode. Even if you have your own rack at a colocation, you could argue that if you don't have full disk encryption someone could simply copy your disk. I am just trying to be practical. If someone is intent on reading what users specifically send me, they can probably find bad hygiene on my part and get it but my concern is they should not be able to do this wholesale at scale for everyone. | | |
| ▲ | digiown 2 days ago | parent [-] | | > if you don't have full disk encryption someone could simply copy your disk. You can have full-disk encryption then. It can still possibly be compromised using more advanced methods like cold boot attacks but they are relatively involved, and is very detectable in the form of causing downtime. |
| |
| ▲ | kachapopopow 2 days ago | parent | prev | next [-] | | actually, even the CTO of AWS couldn't hijack an abusive VM server because legal did not allow them to, but when the government is asking it I guess that all flies out of the window. | | |
| ▲ | aftbit a day ago | parent [-] | | Pretty much as you say. Legal exists within a system of laws. Hypothetically these laws might not have a carve-out for "CTO doesn't like the behavior" but they almost certainly do have a carve-out for "national security reasons". You'll pretty much never find a lawyer advising a client to break the law because it would be more ethical to do so. | | |
| ▲ | r_lee a day ago | parent [-] | | who knows how often or what kind of access is/can be given, but we will never know most likely because National Security Letters are almost always accompanied with gag orders |
|
| |
| ▲ | shaky-carrousel a day ago | parent | prev [-] | | That's why I self host. |
|
| |
| ▲ | z3t4 14 hours ago | parent | prev [-] | | yes, unless you pinned the public key |
|
