[HacktionLab] BULLRUN & NSA. An Interesting Read

Sikes sikes at squat.net
Sat Sep 7 13:04:55 UTC 2013


HAI

The bottom line so far:

Snowden leaked a document showing a roadmap to how the NSA wants to have 
SSL/TLS broken 'soon', on how they have talked different software and 
service providers into putting exploitable weaknesses in crypto products and 
how they have compromised '30 VPNs', aiming at 300.

Commented on, amongst others, at:
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

It cannot be excluded, but there is little indication that they have 
successfully attacked SSL/TLS on the level of math & algorithm. Again, like 
very often in cryptoland, that weakness is the collusion of the 
providers of actual implementations.

In other words:

- Yes, they can read your 'encrypted' gmail/facebook stuff, but not because 
encryption is so weak, but because google/facebook gives them access. 
That's what Snowden's first revelations already yielded. Same thing might 
count for the provider of VPN/S services, but it's by provider really.

- The more of the (crypto) infrastructure you run yourselves, the safer 
communication will be. Real end-to-end encryption (e.g. GPGed email with 
private keys stored on your respective devices, you reading a 
website via https on a server hosted by a friend, or a VPS you run there) 
is not really compromised.

The fact that 2 encryption providers in the US (Silent Circle, Lavabit: 
http://thenextweb.com/insider/2013/08/09/silent-circle-follows-lavabit-in-closing-its-encrypted-email-service-because-it-cannot-be-secure/ 
) closed down, hinting that installing a backdoor was about to be forced 
upon them, gives a good indication of what really might be the matter. If 
the NSA/GCHQ would really have broken SSL or PGP, they would never have 
asked those for a backdoor.

Same thing here: 
http://boingboing.net/2013/09/06/uk-censorwall-bans-vpns.html . Why would 
they ban Ipredator, if snooping on a VPN was so easy?

So to be 'safer':

Ditch your gmail/yahoo/facebook/<insertbigbrandhere> accounts or at least 
sanitize them to the point that these channels are only used to 
communicate public(able) information, _and_ stop using your real names.

If you want to use a VPN, make sure you control both endpoints, and that 
the VPS you set up for this is at a small provider in a country outside of 
your local 'landlords' reach.

kizziz
IAH







________________________________
fighting for your digital rights:
https://gnu.org/ (A)


On Sat, 7 Sep 2013, Martin (Crypt) wrote:

> I'm just amazed people are surprised at all about this.  We've had the NSA insert a backdoor into windows, and we had several articles as far back as 2007, including this:
> http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
> 
> All point to this kind of activity, so it should come as no surprise really.  It all adds up to yet another reason to use open standards and open source software.  This isn't a perfect solution to protect yourself, but it's a lot better than commercial
> packages where the NSA can easily influence the developers to put the backdoors in.  In an open development community this is a lot harder.
> 
> 
> 
> On Sat, Sep 7, 2013 at 9:50 AM, Chris <greenbean at riseup.net> wrote:
>       This article contains leaked information about the NSA's BULLRUN project
>
>       "  two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices "to make them exploitable", and that NSA "obtains cryptographic details of commercial cryptographic information security systems
>       through industry relationships"."
>
>       http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
> 
> _______________________________________________
> HacktionLab mailing list
> HacktionLab at lists.aktivix.org
> https://lists.aktivix.org/mailman/listinfo/hacktionlab