[HacktionLab] BULLRUN & NSA. An Interesting Read
Sikes
sikes at squat.net
Sat Sep 7 13:04:55 UTC 2013
HAI
The bottom line so far:
Snowden leaked a document showing a roadmap to how the NSA wants to have
SSL/TLS broken 'soon', on how they have talked different software and
service providers into putting exploitable weaknesses in crypto products and how
they have compromised '30 VPNs', aiming at 300.
Commented about, amongst others, on:
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
It cannot be excluded, but there is little indication that they have
successfully attacked SSL/TLS on the level of math & algorithm. Again, like
very often in cryptoland, that weakness is the collusion of the
providers of actual implementations.
In other words:
- Yes they can read your 'encrypted' gmail/facebook stuff, but not because
encryption is so weak, but because google/facebook gives them access.
That's what Snowden's first revelations already yielded. Same thing might
count for the provider of VPN/S services, but it's by provider really.
- The more of the (crypto) infrastructure you run yourselves, the safer
communication will be. Real end-to-end encryption (e.g. GPGed email with
private keys stored on your respective devices, you reading a
website via https on a server hosted by a friend, or a VPS you run there)
is not really compromised.
The fact that 2 encryption providers in the US (Silent Circle, Lavabit:
http://thenextweb.com/insider/2013/08/09/silent-circle-follows-lavabit-in-closing-its-encrypted-email-service-because-it-cannot-be-secure/
) closed down, hinting that installing a backdoor was about to be forced
upon them, gives a good indication of what really might be the matter. If
the NSA/GCHQ would really have broken SSL or PGP, they would never have
asked those for a backdoor.
Same thing here:
http://boingboing.net/2013/09/06/uk-censorwall-bans-vpns.html . Why would
they ban Ipredator, if snooping on a VPN was so easy?
So to be 'safer':
Ditch your gmail/yahoo/facebook/<insertbigbrandhere> accounts or at least
sanitize them to the point that these channels only are used to
communicate public(able) information, _and_ stop using your real names.
If you want to use a VPN, make sure you control both endpoints, and that
the VPS you set up for this is at a small provider in a country outside of
your local 'landlords' reach.
kizziz
IAH
________________________________
fighting for your digital rights:
https://gnu.org/ (A)
On Sat, 7 Sep 2013, Martin (Crypt) wrote:
> I'm just amazed people are surprised at all about this. We've had the NSA insert a backdoor into windows, and we had several articles as far back as 2007, including this:
> http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
>
> All point to this kind of activity, so it should come as no surprise really. It all adds up to yet another reason to use open standards and open source software. This isn't a perfect solution to protect yourself, but it's a lot better than commercial
> packages where the NSA can easily influence the developers to put the backdoors in. In an open development community this is a lot harder.
>
>
>
> On Sat, Sep 7, 2013 at 9:50 AM, Chris <greenbean at riseup.net> wrote:
> This article contains leaked information about the NSA's BULLRUN project
>
> " two facts must remain top secret: that NSA makes modifications to commercial encryption software and devices "to make them exploitable", and that NSA "obtains cryptographic details of commercial cryptographic information security systems
> through industry relationships"."
>
> http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
>
> _______________________________________________
> HacktionLab mailing list
> HacktionLab at lists.aktivix.org
> https://lists.aktivix.org/mailman/listinfo/hacktionlab