[HacktionLab] BULLRUN & NSA. An Interesting Read

Zoe Young zoe at esemplastic.net
Fri Sep 13 18:53:28 UTC 2013


This seems to be serious and important stuff, good info for your average 
bod to have. Thank you.

I still don't know what to DO though.

Where is the super simple, highly circulable, easy for anyone to use..

1. graphic or other sexy summary of the info below, plus

2. entry point for your average bod, in a couple of clicks and a sign 
up, "to use a VPN, make sure you control both endpoints, and that the 
VPS you set up for this is at a small provider in a country outside of 
your local 'landlords' reach."?

Looking fwd to seeing them in use, won't they be more use than a million 
demos in support of Snowden etc?

Cheers

Z



On 07/09/2013 14:04, Sikes wrote:
> HAI
>
> The bottomline so far:
>
> Snowden leaked a document showing a roadmap to how the NSA wants to 
> have SSL/TLS broken 'soon', on how they have talked different software 
> and service providers into putting exploitable weaknesses in crypto 
> products and how they have compromised '30 VPNs', aiming at 300.
>
> commented about amongst others on:
> https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
>
> It cannot be excluded, but there is little indication that they have 
> successfully attacked SSL/TLS on the level of math & algorithm. Again, 
> like very often in cryptoland, that weakness is the collusion of the 
> providers of actual implementations.
>
> In other words:
>
> - Yes they can read your 'encrypted' gmail/facebook stuff, but not 
> because encryption is so weak, but because google/facebook gives them 
> access. That's what Snowden's first revelations already yielded. Same 
> thing might count for the provider of VPN/S services, but it's by 
> provider really.
>
> - The more of the (crypto) infrastructure you run yourselves, the 
> safer communication will be. Real end-to-end encryption (e.g. GPGed 
> email with private keys stored on your respective devices, you reading 
> a website via https on a server hosted by a friend, or a VPS you run 
> there) is not really compromised.
>
> The fact that 2 encryption providers in the US (Silent Circle, 
> Lavabit: 
> http://thenextweb.com/insider/2013/08/09/silent-circle-follows-lavabit-in-closing-its-encrypted-email-service-because-it-cannot-be-secure/ 
> ) closed down, hinting that installing a backdoor was about to be 
> forced upon them, gives a good indication of what really might be the 
> matter. If the NSA/GCHQ would really have broken SSL or PGP, they 
> would never have asked those for a backdoor.
>
> Same thing here: 
> http://boingboing.net/2013/09/06/uk-censorwall-bans-vpns.html . Why 
> would they ban Ipredator, if snooping on a VPN was so easy?
>
> So to be 'safer':
>
> Ditch your gmail/yahoo/facebook/<insertbigbrandhere> accounts or at 
> least sanitize them to the point that these channels only are used to 
> communicate public(able) information, _and_ stop using your real names.
>
> If you want to use a VPN, make sure you control both endpoints, and 
> that the VPS you set up for this is at a small provider in a country 
> outside of your local 'landlords' reach.
>
> kizziz
> IAH
>
> ________________________________
> fighting for your digital rights:
> https://gnu.org/ (A)
>
>
> On Sat, 7 Sep 2013, Martin (Crypt) wrote:
>
>> I'm just amazed people are surprised at all about this.  We've had 
>> the NSA insert a backdoor into windows, and we had several articles 
>> as far back as 2007, including this:
>> http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
>>
>> All point to this kind of activity, so it should come as no surprise 
>> really.  It all adds up to yet another reason to use open standards 
>> and open source software.  This isn't a perfect solution to protect 
>> yourself, but it's a lot better than commercial packages where the 
>> NSA can easily influence the developers to put the backdoors in.  In 
>> an open development community this is a lot harder.
>>
>>
>>
>> On Sat, Sep 7, 2013 at 9:50 AM, Chris <greenbean at riseup.net> wrote:
>> This article contains leaked information about the NSA's BULLRUN 
>> project
>>
>> "two facts must remain top secret: that NSA makes modifications to 
>> commercial encryption software and devices "to make them 
>> exploitable", and that NSA "obtains cryptographic details of 
>> commercial cryptographic information security systems through 
>> industry relationships"."
>>
>> http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
>>
>> _______________________________________________
>> HacktionLab mailing list
>> HacktionLab at lists.aktivix.org
>> https://lists.aktivix.org/mailman/listinfo/hacktionlab
